CPC G06F 21/556 (2013.01) [G06F 21/552 (2013.01); G06F 21/554 (2013.01); H04L 12/40026 (2013.01); H04L 2012/40215 (2013.01)]; 7 Claims

1. An intrusion detection system for detecting masquerade attacks on CAN data communicated over a vehicle controller area network (CAN) of a vehicle, the intrusion detection system comprising: a CAN transceiver configured to receive CAN frames from the vehicle CAN, wherein each CAN frame includes an arbitration identifier (AID) and an up to 64-bit data payload; a CAN controller in communication with the CAN transceiver; a processor in communication with the CAN controller, wherein the processor is configured to generate a signal definition for each AID mapping the up to 64-bit data payloads of CAN frames with that AID to a plurality of tokenized and translated signals defined by one or more sequences of bits of the up to 64-bit data payload, wherein the mapping accounts for start bit, length, endianness, and signedness of the signals; wherein the processor is configured to (1) learn inherent relationships between uninterpreted timeseries signals in decoded CAN training payload data without dependence upon CAN diagnostic inquiry; (2) learn inherent relationships between uninterpreted timeseries signals in decoded CAN test payload data without dependence upon CAN diagnostic inquiry; (3) detect masquerade attacks on CAN test payload data based on a contrast of the learned inherent relationships of timeseries signals in the decoded CAN training payload data and the learned inherent relationships of timeseries signals in the decoded CAN test payload data; and (4) upon detecting a masquerade attack on CAN test payload data, at least one of transmit an anomaly-notification message and log information relating to the detected masquerade attack.
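The pipeline the claim describes, as an added example that is not the patent's own implementation: a per-AID signal definition (start bit, length, endianness, signedness) decodes payload bits into signals, pairwise correlations are learned on training frames, and the same relationships learned on test frames are contrasted to flag a masquerade. The AID 0x1A0, the signal layout, the bit-numbering convention and the generated traffic are all constructed assumptions.

```python
import random
from itertools import combinations

# Assumed signal definitions (name, start bit, length, byte order, signed) for one AID.
SIGNAL_DEFS = {0x1A0: [("speed", 0, 12, "little", False),
                       ("rpm", 16, 16, "little", False),
                       ("torque", 32, 8, "little", True)]}

def decode_payload(aid, payload):
    """Tokenize and translate an up-to-8-byte payload into named signals.
    Assumed convention: little-endian start = LSB offset, big-endian start = MSB offset."""
    out = {}
    for name, start, length, order, signed in SIGNAL_DEFS[aid]:
        word = int.from_bytes(payload.ljust(8, b"\x00"), order)
        shift = start if order == "little" else 64 - start - length
        val = (word >> shift) & ((1 << length) - 1)
        if signed and val >= 1 << (length - 1):
            val -= 1 << length  # two's-complement sign extension
        out[name] = val
    return out

def correlations(rows):
    """Pairwise Pearson correlation: the relationship learned for each signal pair."""
    names, n = list(rows[0]), len(rows)
    mean = {k: sum(r[k] for r in rows) / n for k in names}
    rel = {}
    for a, b in combinations(names, 2):
        cov = sum((r[a] - mean[a]) * (r[b] - mean[b]) for r in rows)
        va = sum((r[a] - mean[a]) ** 2 for r in rows)
        vb = sum((r[b] - mean[b]) ** 2 for r in rows)
        rel[(a, b)] = cov / (va * vb) ** 0.5 if va and vb else 0.0
    return rel

def detect_masquerade(train_rel, test_rel, threshold=0.5):
    """Contrast training vs test relationships; return pairs that drifted."""
    return {p: (train_rel[p], test_rel[p]) for p in train_rel if abs(train_rel[p] - test_rel[p]) > threshold}

def encode(speed, rpm, torque):
    """Constructed encoder matching SIGNAL_DEFS[0x1A0]; builds sample frames."""
    return (speed | rpm << 16 | (torque & 0xFF) << 32).to_bytes(8, "little")

def make_frames(masquerade, n=200, seed=1):
    """Constructed traffic: benign rpm tracks speed; a masquerading node replays a fixed rpm."""
    rng, frames = random.Random(seed), []
    for i in range(n):
        speed = 20 + i % 50
        rpm = 1500 if masquerade else speed * 30 + rng.randint(-20, 20)
        frames.append(encode(speed, rpm, i % 7 - 3))
    return frames
```

Running `detect_masquerade(correlations(...benign...), correlations(...masquerade...))` reports the (speed, rpm) pair, whose learned correlation collapses once a replayed rpm stops tracking speed, while the unaffected pairs stay silent.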