US 12,261,857 B2
Attack detection method, attack detection system, and recording medium
Takashi Ushio, Tokyo (JP); and Takamitsu Sasaki, Osaka (JP)
Assigned to Panasonic Intellectual Property Corporation of America, Torrance, CA (US)
Filed by Panasonic Intellectual Property Corporation of America, Torrance, CA (US)
Filed on Jun. 28, 2022, as Appl. No. 17/852,038.
Application 17/852,038 is a continuation of application No. PCT/JP2021/001545, filed on Jan. 18, 2021.
Claims priority of application No. 2020-007070 (JP), filed on Jan. 20, 2020.
Prior Publication US 2022/0329611 A1, Oct. 13, 2022
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/1425 (2013.01); H04L 63/1441 (2013.01)]
13 Claims
 
1. An attack detection method for detecting an attack from sensor data that is transmitted and received for control of a mobility entity inside the mobility entity, the attack detection method comprising:
determining, for each of identifiers of sensor values included in the sensor data, a sampling rule that includes sampling intervals and sampling times in the sampling intervals, on a basis of at least one of a statistic or event information on the mobility entity, the sampling rule being a rule for selecting the sensor values that are used to detect the attack from the sensor data, the statistic indicating a variation in the sensor values included in the sensor data, and the event information indicating timing of a change in the sensor values;
generating sampling data that includes two or more sensor values, first order information, and second order information on a basis of the sampling intervals and the sampling times, the two or more sensor values having been selected from the sensor data, the first order information indicating a first temporal order of the two or more sensor values acquired during each of the sampling times, and the second order information indicating a second temporal order of the two or more sensor values acquired in the sampling intervals;
calculating a first anomaly score on a basis of a sensor value serving as evaluation target data included in the sampling data, the first order information, and a short-term sensor flow, the first anomaly score indicating a first degree of an anomaly in the evaluation target data, the short-term sensor flow indicating time series data including a past sensor value acquired prior to the sensor value serving as the evaluation target data during a sampling time in which the sensor value serving as the evaluation target data has been acquired, among the sampling times;
calculating a second anomaly score on a basis of the sensor value serving as the evaluation target data, the second order information, and a long-term sensor flow, the second anomaly score indicating a second degree of the anomaly in the evaluation target data, the long-term sensor flow indicating a change in sensor values acquired during a past sampling interval prior to a sampling interval in which the sensor value serving as the evaluation target data has been acquired among the sampling intervals;
determining whether the evaluation target data has resulted from the attack on a basis of the first anomaly score and the second anomaly score that have been calculated; and
outputting a determination result of whether the evaluation target has resulted from the attack to a device that at least one of visually outputs the determination result or audibly notifies of the determination result in response to the evaluation target data being determined to have resulted from the attack.
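The steps of claim 1 carried through on constructed data, as an added Python example that is not code from the patent or its assignee. The claim does not say how either score is computed or how the two are combined, so the extrapolation-based deviation, the variance cut-off, the max-of-scores decision, and every function name, parameter and data value below are assumptions.

```python
from statistics import mean, pstdev

def choose_rule(history, interval=10, time=4, noisy_above=5.0):
    """Sampling rule from a variation statistic (assumed mapping): noisy -> sample twice as often."""
    return {"interval": interval // 2 if pstdev(history) > noisy_above else interval,
            "time": time}

def sample(stream, rule):
    """Keep ticks inside each sampling time as (second_order, first_order, value)."""
    picked = []
    for tick, value in enumerate(stream):
        window, offset = divmod(tick, rule["interval"])
        if offset < rule["time"]:
            picked.append((window, offset, value))
    return picked

def _deviation(x, flow):
    """|x - linear extrapolation of flow|, in units of the flow's typical step (assumed score)."""
    if len(flow) < 2:
        return 0.0
    steps = [b - a for a, b in zip(flow, flow[1:])]
    typical = mean(abs(s) for s in steps) or 1e-9
    return abs(x - (flow[-1] + steps[-1])) / typical

def anomaly_scores(samples, target):
    """First score: against earlier values in the same sampling time. Second: against past window means."""
    window, offset, x = target
    short_flow = [v for w, o, v in samples if w == window and o < offset]
    long_flow = [mean(v for w, _, v in samples if w == past) for past in range(window)]
    return _deviation(x, short_flow), _deviation(x, long_flow)

def is_attack(samples, target, threshold=3.0):
    # Assumed decision rule: flag when either score reaches the threshold.
    return max(anomaly_scores(samples, target)) >= threshold

# Constructed data: one sensor identifier, value rising 0.1 per tick.
clean = [50 + 0.1 * t for t in range(50)]
rule = choose_rule(clean[:40])
spike = clean[:42] + [90.0] + clean[43:]                       # single injected value
spoofed = clean[:40] + [70.0, 70.1, 70.2, 70.3] + clean[44:]   # smooth forged window

def evaluate(stream, tick=42):
    samples = sample(stream, rule)
    target = next(s for s in samples if s[0] * rule["interval"] + s[1] == tick)
    return anomaly_scores(samples, target), is_attack(samples, target)
```

The `spoofed` stream is the case that motivates two time scales: the forged values are consistent with each other inside the sampling time, so only the long-term score rises.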