EP4237975A1 - Intrusion filter for an intrusion detection system - Google Patents

Intrusion filter for an intrusion detection system

Info

Publication number
EP4237975A1
Authority
EP
European Patent Office
Prior art keywords
anomaly
intrusion
indication
anomaly indication
detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP20835841.6A
Other languages
German (de)
French (fr)
Inventor
Bent Jepsen
Karsten Gjorup
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of EP4237975A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Definitions

  • Embodiments of the invention relate to an intrusion filter for an intrusion detection system, and to a detection subsystem and a collection and investigation system comprising such an intrusion filter. Furthermore, embodiments of the invention also relate to corresponding methods and a computer program.
  • Intrusion Prevention Systems (IPS) and Intrusion Detection and Prevention Systems (IDPS) are network security systems for detecting cyber-attacks on vehicles connected to the internet.
  • IPS and IDPS are commonly run in embedded devices in the vehicle. Examples of vehicles are cars, buses and trucks.
  • AI based detection detects an anomaly when network traffic does not seem normal or differs from what the algorithm has previously learnt.
  • One of the drawbacks of AI based anomaly detection is the trade-off between false positives and false negatives, which is an optimization parameter when tuning the AI based anomaly detection algorithm.
  • A false positive is a false alarm, meaning that normal network traffic is categorized by the AI algorithm as an anomaly.
  • A false negative represents a situation where a network attack is overlooked by the AI algorithm and categorized as normal network traffic although it is not.
  • The optimization goal of IPS and IDPS is on the one hand to reduce the number of false positives to avoid false alarms, and on the other hand to optimize the detection rate or sensitivity, which represents the percentage of network attacks the system correctly detects.
  • An objective of embodiments of the invention is to provide a solution which mitigates or solves the drawbacks and problems of conventional solutions.
  • Another objective of embodiments of the invention is to provide a solution reducing the number of false indications propagating in an intrusion prevention system.
  • According to a first aspect, an intrusion filter for an intrusion detection system is provided, the intrusion filter being configured to: obtain an anomaly indication from an anomaly detection device, wherein the anomaly indication indicates an incident detected by the anomaly detection device; and discard the anomaly indication upon identifying that the anomaly indication is a false positive anomaly indication, else provide the anomaly indication to a collection and investigation system.
  • An advantage of the intrusion filter according to the first aspect is that the number of false positive anomaly indications in the system may be reduced.
  • Another advantage of the intrusion filter according to the first aspect is that the computational load on the system may also be reduced compared to conventional systems.
  • In an implementation form, the intrusion filter is configured to identify that the anomaly indication is a false positive anomaly indication using an identification algorithm.
  • In an implementation form, the intrusion filter is configured to obtain metadata associated with the anomaly indication, and to identify that the anomaly indication is a false positive anomaly indication using the identification algorithm and the metadata.
  • An advantage with this implementation form is that the identification that the anomaly indication is a false positive anomaly indication may be improved with the additional use of the metadata.
  • In an implementation form, the intrusion filter is configured to obtain a first feedback message from the collection and investigation system, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication, and to update the identification algorithm so that it identifies that anomaly indication as a false positive anomaly indication.
  • An advantage with this implementation form is that a feedback mechanism is provided.
  • The identification algorithm may be continuously improved based on the received feedback, thereby reducing the number of non-identified false positive anomaly indications in the system.
  • In an implementation form, the first feedback message comprises a part of or a complete identification algorithm, and the intrusion filter is configured to update or replace the identification algorithm based on the first feedback message.
  • An advantage with this implementation form is that the part of or the complete identification algorithm is provided by the collection and investigation system. This means that, depending on the intrusion filter algorithm or implementation type, the most suitable algorithm updates can always be provided.
  • In an implementation form, the intrusion filter is an artificial intelligence intrusion filter and/or a rule-based intrusion filter.
  • An advantage with this implementation form is that a given implementation can include the most suitable artificial intelligence and/or rule-based detection algorithm for a specific application.
  • According to a second aspect, the above mentioned and other objectives are achieved with a detection subsystem for an intrusion detection system, wherein the detection subsystem comprises an intrusion filter according to the first aspect, and an anomaly detection device configured to: obtain network sensor output from one or more network sensors; and provide an anomaly indication indicating an incident to the intrusion filter upon identifying that the network sensor output comprises an incident.
  • An advantage of the detection subsystem according to the second aspect is that the number of false positive anomaly indications in the system may be reduced.
  • Another advantage of the detection subsystem according to the second aspect is that the computational load on the system may also be reduced compared to conventional systems.
  • In an implementation form, the anomaly detection device is configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
  • Any suitable incident detection algorithm may be employed.
  • In an implementation form, the anomaly detection device is further configured to obtain a second feedback message from a collection and investigation system, wherein the second feedback message indicates that the network sensor output does not comprise an incident, and to update the incident detection algorithm so that it identifies that the network sensor output does not comprise the incident.
  • The second feedback message may also indicate corrections or feedback in respect of already detected incidents.
  • An advantage with this implementation form is that a feedback mechanism is provided.
  • The incident detection algorithm may be continuously improved based on the received feedback, thereby reducing the number of false positive anomaly indications.
  • In an implementation form, the second feedback message comprises a part of or a complete incident detection algorithm, and the anomaly detection device is configured to update or replace the incident detection algorithm based on the second feedback message.
  • An advantage with this implementation form is that the part of or the complete incident detection algorithm is provided by the collection and investigation system. This means that, depending on the detection subsystem algorithm or implementation type, the most suitable algorithm updates can always be provided.
  • In an implementation form, the anomaly detection device is an artificial intelligence detection device and/or a rule-based detection device.
  • An advantage with this implementation form is that a given implementation can include the most suitable artificial intelligence and/or rule-based detection algorithm for a specific application.
  • According to a third aspect, the above mentioned and other objectives are achieved with a collection and investigation system for an intrusion detection system, the collection and investigation system being configured to obtain an anomaly indication from an intrusion filter and, upon determining that the anomaly indication is a false positive anomaly indication, to at least one of: provide a first feedback message to the intrusion filter, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication; and provide a second feedback message to an anomaly detection device associated with the intrusion filter, wherein the second feedback message indicates that the network sensor output associated with the anomaly indication does not comprise an incident.
  • An advantage of the collection and investigation system according to the third aspect is that, by providing a feedback mechanism comprising the first feedback message and/or the second feedback message, the performance of the algorithms employed by the intrusion filter and the anomaly detection device can be improved.
  • In an implementation form, the first feedback message comprises a part of or a complete identification algorithm, and the second feedback message comprises a part of or a complete incident detection algorithm.
  • In an implementation form, the collection and investigation system comprises the intrusion filter.
  • The above mentioned and other objectives are also achieved with a method for an intrusion filter, the method comprising: obtaining an anomaly indication from an anomaly detection device, wherein the anomaly indication indicates an incident detected by the anomaly detection device; and discarding the anomaly indication upon identifying that the anomaly indication is a false positive anomaly indication, else providing the anomaly indication to a collection and investigation system.
  • An implementation form of the method comprises the feature(s) of the corresponding implementation form of the intrusion filter.
  • The above mentioned and other objectives are also achieved with a method for a collection and investigation system, the method comprising obtaining an anomaly indication from an intrusion filter and, upon determining that the anomaly indication is a false positive anomaly indication, further comprising at least one of: providing a first feedback message to the intrusion filter, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication; and providing a second feedback message to an anomaly detection device associated with the intrusion filter, wherein the second feedback message indicates that the network sensor output associated with the anomaly indication does not comprise an incident.
  • An implementation form of the method comprises the feature(s) of the corresponding implementation form of the collection and investigation system.
  • A vehicle comprising an intrusion filter and/or a detection subsystem according to the first and second aspect, respectively, is also provided.
  • The vehicle may be any vehicle having a communication connection to one or more data networks, possibly via one or more intermediate wired and wireless communication systems.
  • The invention also relates to a computer program, characterized by program code, which when run by at least one processor causes said at least one processor to execute any method according to embodiments of the invention. Further, the invention also relates to a computer program product comprising a computer readable medium and said computer program, wherein said computer program is included in the computer readable medium, which comprises one or more from the group: ROM (Read-Only Memory), PROM (Programmable ROM), EPROM (Erasable PROM), Flash memory, EEPROM (Electrically EPROM) and hard disk drive.
  • Fig. 1 shows an intrusion filter according to an embodiment of the invention.
  • Fig. 2 shows a method for an intrusion filter according to an embodiment of the invention.
  • Fig. 3 shows a detection subsystem according to an embodiment of the invention.
  • Fig. 4 shows a collection and investigation system according to an embodiment of the invention.
  • Fig. 5 shows a method for a collection and investigation system according to an embodiment of the invention.
  • Fig. 6 shows an intrusion detection system according to an embodiment of the invention.
  • Fig. 7 shows an intrusion detection system according to a further embodiment of the invention.
  • Fig. 8 shows vehicles connected to a collection and investigation system according to a cloud based implementation of embodiments of the invention.
  • Fig. 9 shows a vehicle comprising a system to be monitored and a detection subsystem, where the latter is in communication with a collection and investigation system in a cloud based implementation.
  • AI based detection algorithms for IPS or IDPS have been the recent trend for detecting network intrusions in vehicles.
  • AI based detection results in either accepting increased false positives or accepting an increased level of false negatives, with the disadvantage of reduced detection reliability.
  • An improved compromise can be obtained by applying more advanced algorithms or increased parameterization or layers, which however requires more computation load.
  • STM: System To be Monitored
  • Embodiments of the invention provide a novel two-step solution mitigating or fully solving the drawbacks of conventional solutions as previously described.
  • In a first step, a conventional detection system may be employed for providing anomaly indications of a STM.
  • In a second step, a novel intrusion filter is introduced.
  • The intrusion filter is configured to separate false positive anomaly indications from true positive anomaly indications.
  • The present two-step solution improves detection accuracy without additional load or computation power on the IPS or IDPS.
  • The false positive detection rate may be reduced without compromising the true positive detection rate. This may be done without increasing the required computation load, which is crucial for IPS and IDPS running on embedded devices in vehicles.
  • Since the present intrusion filter can remove false positive anomaly indications, the overall detection result has a much higher level of true positives.
  • Fig. 1 shows an intrusion filter 100 according to an embodiment of the invention.
  • The intrusion filter 100 may be a stand-alone device or part of another device of an IPS or IDPS.
  • The intrusion filter 100 comprises a processor 102, a transceiver 104 and a memory 106.
  • The processor 102 may be coupled to the transceiver 104 and the memory 106 by communication means 108 known in the art.
  • The transceiver 104 may, as shown, have an input and an output.
  • The intrusion filter 100 may be configured for wireless and/or wired communications in a communication system, such as an IP based communication system. That the intrusion filter 100 may be configured to perform certain actions can in this disclosure be understood to mean that the intrusion filter 100 comprises suitable means, such as e.g. the processor 102 and the transceiver 104, configured to perform said actions.
  • The processor 102 of the intrusion filter 100 may be one or more general-purpose central processing units (CPUs), one or more digital signal processors (DSPs), one or more application-specific integrated circuits (ASICs), one or more field programmable gate arrays (FPGAs), one or more programmable logic devices, one or more discrete gates, one or more transistor logic devices, one or more discrete hardware components, and one or more chipsets.
  • The memory 106 of the intrusion filter 100 may be a read-only memory, a random access memory, or a non-volatile random access memory (NVRAM).
  • The transceiver 104 of the intrusion filter 100 may be a transceiver circuit, a power controller, an antenna, or an interface which communicates with other modules or devices.
  • The transceiver 104 of the intrusion filter 100 may be a separate chipset or be integrated with the processor 102 in one chipset. In some embodiments, the processor 102, the transceiver 104 and the memory 106 of the intrusion filter 100 are integrated in one chipset.
  • The intrusion filter 100 is configured to obtain an anomaly indication I_n from an anomaly detection device 110.
  • The anomaly indication I_n indicates an incident detected by the anomaly detection device 110.
  • The intrusion filter 100 is further configured to discard the anomaly indication I_n upon identifying that the anomaly indication I_n is a false positive anomaly indication.
  • Otherwise, the intrusion filter 100 is configured to provide or forward the anomaly indication I_n to a collection and investigation system 400.
  • The intrusion filter 100 may be configured to identify that the anomaly indication I_n is a false positive anomaly indication using an identification algorithm, which will be explained in more detail in the following disclosure.
  • Fig. 2 shows a flow chart of a corresponding method 600 which may be executed in an intrusion filter 100, such as the one shown in Fig. 1.
  • The method 600 comprises obtaining 602 an anomaly indication I_n from an anomaly detection device 110.
  • The anomaly indication I_n indicates an incident detected by the anomaly detection device 110.
  • The method 600 further comprises discarding 604 the anomaly indication I_n upon identifying that the anomaly indication I_n is a false positive anomaly indication, or else providing 606 the anomaly indication I_n to a collection and investigation system 400.
  • Fig. 3 shows a detection subsystem 300 for an intrusion detection system 500.
  • The detection subsystem 300 comprises an intrusion filter 100 according to embodiments of the invention.
  • The detection subsystem 300 also comprises an anomaly detection device 110 which is coupled to the intrusion filter 100.
  • The anomaly detection device 110 is configured to obtain network sensor output from one or more network sensors 120a, 120b, ..., 120n.
  • The anomaly detection device 110 is further configured to provide or forward an anomaly indication I_n indicating an incident to the intrusion filter 100 upon identifying that the network sensor output comprises an incident.
  • The intrusion filter 100, upon reception of the anomaly indication I_n from the anomaly detection device 110, acts as described above.
  • The detection subsystem 300 may be a stand-alone device or integrated with other types of devices. In the latter case the detection subsystem 300 may, for example, share one or more components, such as processor, memory and communication means, with a STM or a vehicle.
  • The network sensors may be of different types, such as software sensors and hardware sensors.
  • Software sensors may be configured to monitor network traffic and data and communication parameters, such as packet headers and data, data protocol information, congestion parameters, etc.
  • Hardware sensors may be configured to monitor hardware parameters of a STM and of a vehicle, such as speed, spatial position, acceleration, deceleration, etc.
  • The anomaly detection device 110 may be configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
  • The obtained network sensor output is used as input to the incident detection algorithm, possibly together with additional behaviour considerations, to identify that the network sensor output comprises an incident.
  • The behaviour considerations may e.g. relate to information for evaluating the sensor output which is not directly included in the network data, such as operation mode, system mode and spatial location.
  • The network sensor output is analysed by the incident detection algorithm to identify whether or not there is a possible intrusion.
  • Non-limiting examples of network sensor output are system mode, operation mode, network package, system history information, intrusion criticality level, intrusion confidence level, physical or spatial location, and analysed network data such as the mean, maximum or minimum of certain network parameters.
  • Fig. 4 shows a collection and investigation system 400 according to an embodiment of the invention.
  • The collection and investigation system 400 comprises a processor 402, a transceiver 404 and a memory 406.
  • The processor 402 is coupled to the transceiver 404 and the memory 406 by communication means 408 known in the art.
  • The transceiver 404 may, as shown, have an input and an output.
  • The collection and investigation system 400 may be configured for wireless and/or wired communications in a communication system. That the collection and investigation system 400 is configured to perform certain actions can in this disclosure be understood to mean that the collection and investigation system 400 comprises suitable means, such as e.g. the processor 402 and the transceiver 404, configured to perform said actions.
  • The processor 402 of the collection and investigation system 400 may be one or more general-purpose CPUs, one or more DSPs, one or more ASICs, one or more FPGAs, one or more programmable logic devices, one or more discrete gates, one or more transistor logic devices, one or more discrete hardware components, and one or more chipsets.
  • The memory 406 of the collection and investigation system 400 may be a read-only memory, a random access memory, or an NVRAM.
  • The transceiver 404 of the collection and investigation system 400 may be a transceiver circuit, a power controller, an antenna, or an interface which communicates with other modules or devices.
  • The transceiver 404 of the collection and investigation system 400 may be a separate chipset or be integrated with the processor 402 in one chipset. In some embodiments, the processor 402, the transceiver 404 and the memory 406 of the collection and investigation system 400 are integrated in one chipset.
  • The collection and investigation system 400 is configured to obtain an anomaly indication I_n from an intrusion filter 100.
  • The collection and investigation system 400 is further configured, upon determining that the anomaly indication I_n is a false positive anomaly indication, to: provide a first feedback message F_n to the intrusion filter 100, wherein the first feedback message F_n indicates that the anomaly indication I_n is a false positive anomaly indication; and/or provide a second feedback message F_n' to an anomaly detection device 110 associated with the intrusion filter 100, wherein the second feedback message F_n' indicates that the network sensor output associated with the anomaly indication I_n does not comprise an incident.
  • the feedback may be provided using any suitable communication means. Fig.
  • The method 700 comprises obtaining 702 an anomaly indication I_n from an intrusion filter 100.
  • The method 700 further comprises, upon determining that the anomaly indication I_n is a false positive anomaly indication: providing 704 a first feedback message F_n to the intrusion filter 100, wherein the first feedback message F_n indicates that the anomaly indication I_n is a false positive anomaly indication; and/or providing 706 a second feedback message F_n' to an anomaly detection device 110 associated with the intrusion filter 100, wherein the second feedback message F_n' indicates that the network sensor output associated with the anomaly indication I_n does not comprise an incident.
  • An anomaly indication herein may have different forms and formats.
  • The anomaly indication may be a function call or a communication message transmitted and received within the system 500.
  • The anomaly indication may also comprise data about the detected anomaly as well as further data, such as associated metadata.
  • Fig. 6 shows an intrusion detection system 500 according to embodiments of the invention.
  • A STM, e.g. in a vehicle, which may be the target for validation, is illustrated.
  • The STM may be an Electronic Control Unit (ECU) in a vehicle having a connection to a communication network (NW).
  • The STM may, as disclosed, comprise applications 810, network (NW) protocols 820, device interfaces 830 and device drivers 840, as illustrated in Fig. 6.
  • An application 810 may be seen as a functionality in a given ECU, such as an Electronic Stability Program (ESP) or an Anti-lock Brake System (ABS) in a vehicle.
  • A network protocol 820 may define a communication procedure, such as IPv4, which an application 810 uses for communication.
  • A device interface 830 may be considered as an intermediate layer acting as an interface between the software layers and the device drivers 840 of the STM.
  • A device driver 840 may be considered as a software program configured to control one or more peripherals of the STM, such as a network interface.
  • The intrusion detection system 500 validates STM behaviour and therefore includes a sensor module comprising one or more network sensors 120a, 120b, ..., 120n configured to be communicably coupled, wired or wirelessly, with the device interface of the STM.
  • The one or more network sensors 120a, 120b, ..., 120n are in turn in communication with an anomaly detection device 110 which is configured to receive network sensor output from the one or more network sensors 120a, 120b, ..., 120n.
  • The STM 800 and the detection subsystem 300 may run on the same processors and hence be integrated in the same vehicle.
  • The anomaly detection device 110 is configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
  • An incident detection algorithm is an algorithm that is able to detect illegal messages or traffic on a specific network. More complex threats or errors may also be detected, such as a too rapid change of physical parameters of the vehicle (e.g. speed, acceleration or deceleration), or conflicting network data, e.g. the wheels of a vehicle indicating movement while GPS data indicates that the vehicle is at a standstill.
  • The anomaly detection device 110 is configured to provide an anomaly indication I_n indicating an incident to the intrusion filter 100 upon identifying that the network sensor output comprises an incident. Otherwise, the anomaly indication I_n is discarded by the anomaly detection device 110.
  • The anomaly detection device 110 may be an AI based detection device and/or a rule-based detection device, depending on the application.
  • Rule-based detection is typically derived from the network specification; it is more trustworthy but also more limited in the complexity of error types it can cover.
  • AI based detection, on the other hand, detects anomalies based on statistical training/learning, typically from network traffic logs and statistics. Due to this information source, AI based detection has more information about typical usage and can therefore find anomalies which do not violate the network specifications. It is noted that implementations herein may also combine AI detection and rule-based detection.
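The rule-based side of the anomaly detection device 110 described above can be made concrete with a small Python model. This is an added example, not code from the patent or from Huawei: the allowed message ids, the speed-change bound, the criticality and confidence scales, and the sample sequence are all constructed assumptions. It checks each sample of network sensor output against a network specification (illegal message), against physical plausibility (too rapid speed change) and for conflicting data (wheels moving while GPS reports standstill), and emits an anomaly indication I_n with metadata for the intrusion filter only when an incident is found.

```python
"""Rule-based anomaly detection device (the first step of the two-step solution).
Constructed example, not the patent's code: message ids, bounds and scales are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed network specification: message ids the STM's network is allowed to carry.
ALLOWED_MSG_IDS = {0x100, 0x101, 0x1A0, 0x2B0}
# Assumed plausibility bound for the change of vehicle speed between two samples.
MAX_SPEED_DELTA_KMH = 30.0


@dataclass
class SensorOutput:
    """One sample of network sensor output (software sensor plus hardware sensors)."""
    msg_id: int
    wheel_speed_kmh: float
    gps_speed_kmh: float
    system_mode: str            # "normal", "update" or "diagnostic"
    seconds_since_start: float


@dataclass
class AnomalyIndication:
    """Anomaly indication I_n passed to the intrusion filter, including metadata."""
    incident: str
    criticality: int            # 1 (low) .. 3 (high), assumed scale
    confidence: float           # 0.0 .. 1.0, assumed scale
    metadata: dict = field(default_factory=dict)


class AnomalyDetectionDevice:
    """Checks each sample against the specification and against physical plausibility."""

    def __init__(self) -> None:
        self._last_speed: Optional[float] = None   # system history used by rule 2

    def detect(self, s: SensorOutput) -> Optional[AnomalyIndication]:
        found = None
        # Rule 1: a message the network specification does not permit
        if s.msg_id not in ALLOWED_MSG_IDS:
            found = ("illegal_message", 3, 1.0)
        # Rule 2: too rapid change of a physical parameter between two samples
        elif (self._last_speed is not None
              and abs(s.wheel_speed_kmh - self._last_speed) > MAX_SPEED_DELTA_KMH):
            found = ("rapid_speed_change", 2, 0.8)
        # Rule 3: conflicting network data: wheels report movement, GPS reports standstill
        elif s.wheel_speed_kmh > 5.0 and s.gps_speed_kmh < 0.5:
            found = ("wheel_gps_conflict", 2, 0.6)
        previous = self._last_speed
        self._last_speed = s.wheel_speed_kmh
        if found is None:
            return None         # no incident: nothing is forwarded to the intrusion filter
        incident, crit, conf = found
        return AnomalyIndication(incident, crit, conf, metadata={
            "system_mode": s.system_mode,
            "seconds_since_engine_start": s.seconds_since_start,
            "previous_speed_kmh": previous,   # system history information
            "msg_id": s.msg_id,
        })


def detect_incidents(samples: List[SensorOutput]) -> List[str]:
    """Runs one device over a sample sequence and returns the incident names raised."""
    device = AnomalyDetectionDevice()
    return [ind.incident for ind in map(device.detect, samples) if ind is not None]


# Constructed sample sequence: a benign start, an illegal id, a speed jump and a wheel/GPS conflict.
SAMPLES = [
    SensorOutput(0x100, 0.0, 0.0, "normal", 1.0),
    SensorOutput(0x101, 10.0, 10.0, "normal", 2.0),
    SensorOutput(0x7FF, 12.0, 12.0, "normal", 3.0),
    SensorOutput(0x100, 60.0, 60.0, "normal", 4.0),
    SensorOutput(0x100, 62.0, 0.0, "normal", 5.0),
    SensorOutput(0x1A0, 63.0, 63.0, "normal", 6.0),
]

if __name__ == "__main__":
    print(detect_incidents(SAMPLES))
```

The rules are ordered by trustworthiness, as the description suggests: a specification violation is reported with the highest criticality and full confidence, while the plausibility rules carry lower confidence because they depend on assumed bounds; the intrusion filter can use that metadata later.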
  • The intrusion filter 100 receives the anomaly indication I_n from the anomaly detection device 110 and, depending on the outcome of an identification procedure, either discards the anomaly indication I_n or provides it to a collection and investigation system 400 via a communication link.
  • The intrusion filter 100 is configured to identify that the anomaly indication I_n obtained from the anomaly detection device 110 is a false positive anomaly indication using any suitable identification algorithm.
  • An example of such an identification algorithm is the so-called Local Outlier Factor (LOF), which could be used to distinguish false positive from true positive anomaly indications.
  • LOF: Local Outlier Factor
  • KNN: K Nearest Neighbours
  • Other identification algorithms may also be used in conjunction with the present solution.
  • the intrusion filter 100 may be an artificial intelligence intrusion filter and/or a rule-based intrusion filter.
  • the rule based intrusion filter uses clear defined rules, e.g. specify that any intrusions detected within 20s from engine start should be discarded.
  • the Al based intrusion filter is based on previous training sequences from prior false positives. Hence, the behavior of an Al based intrusion filter is more statistical based - like if an indication is alike other indications which have previously been categorized as false positives.
  • the intrusion filter 100 may in embodiments of the invention obtain metadata associated with the anomaly indication l n .
  • the metadata may e.g. comprise:
  • System mode which e.g. may be diagnostic, update or normal mode. Normal mode is every day driving mode. Update mode is software update mode. Diagnostic mode is for debugging or reading out logs from one or more STMs or the entire vehicle.
  • Operation mode may e.g. be high performance mode or normal performance mode - which might impact the system behavior.
  • Network package may in this case contain the entire network package with its header and data.
  • System history information which can contain information about system speed, last message of the same communication session or other relevant historical system information.
  • Intrusion criticality level a detected anomaly type might have a certain criticality level which might influence the likelihood of the intrusion filter 100 to discard the message and categorize it as a false positive message.
  • Intrusion confidence level some Al networks does give a confidence level together with the detection result. Such confidence level indicates if the first level detection of the anomaly detection device 110 is sure about the result or not.
  • the intrusion filter 100 may in embodiments obtain the metadata from the anomaly detection device 110 e.g. together with the anomaly indication l n .
  • the metadata may originate from one or more network sensors configured to monitor network traffic and physical parameters.
  • the metadata may be used as input parameters to the identification algorithm for improved identification of whether the anomaly indication I_n is a false positive anomaly indication.
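The identification algorithm described above, worked through as a rule-based filter that consumes the listed metadata and implements the two outcomes of method 600 (discard, or provide to the collection and investigation system 400). This is an added example and not the patent's own code: apart from the 20 s engine-start rule quoted in the description, the rule set, the anomaly type names, the metadata field names and the confidence threshold are assumptions, and the sample indications are constructed.

```python
"""Rule-based identification algorithm for the intrusion filter 100.

Added example, not the patent's code. Everything except the 20 s engine-start
rule (quoted from the description) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

DISCARD = "discard"   # identified as a false positive, dropped locally (step 604)
FORWARD = "forward"   # provided to the collection and investigation system 400 (step 606)


@dataclass
class AnomalyIndication:
    """Anomaly indication I_n from the anomaly detection device 110 plus metadata
    (system mode, criticality, confidence, seconds since engine start, ...)."""
    anomaly_type: str
    metadata: Dict[str, object] = field(default_factory=dict)


# A rule is (name, predicate); the predicate returns True when I_n is a false positive.
Rule = Tuple[str, Callable[[AnomalyIndication], bool]]


def engine_start_grace(ind: AnomalyIndication, grace_s: float = 20.0) -> bool:
    """The description's own example: indications within 20 s of engine start are discarded."""
    t = ind.metadata.get("seconds_since_engine_start")
    return t is not None and t < grace_s


def maintenance_mode_traffic(ind: AnomalyIndication) -> bool:
    """Assumption: these anomaly types are expected while a tester or updater is
    attached (diagnostic/update system mode) and are treated as false positives there."""
    expected = {
        "diagnostic": {"unknown_service_id", "high_message_rate"},
        "update": {"high_message_rate", "large_payload"},
    }
    return ind.anomaly_type in expected.get(ind.metadata.get("system_mode"), set())


def low_confidence_low_criticality(ind: AnomalyIndication, min_conf: float = 0.6) -> bool:
    """Assumption: a low-criticality detection reported with low detector confidence is
    a false positive; a high-criticality detection is never discarded on confidence alone."""
    conf = ind.metadata.get("confidence")
    return (conf is not None and conf < min_conf
            and ind.metadata.get("criticality", "high") == "low")


DEFAULT_RULES: List[Rule] = [
    ("engine_start_grace", engine_start_grace),
    ("maintenance_mode_traffic", maintenance_mode_traffic),
    ("low_confidence_low_criticality", low_confidence_low_criticality),
]


def identify(ind: AnomalyIndication, rules: List[Rule] = DEFAULT_RULES) -> Tuple[str, Optional[str]]:
    """Identification algorithm: the first matching rule discards; otherwise forward."""
    for name, predicate in rules:
        if predicate(ind):
            return DISCARD, name
    return FORWARD, None


def filter_indications(indications: List[AnomalyIndication], rules: List[Rule] = DEFAULT_RULES):
    """Method 600 over a batch: returns (forwarded, [(discarded, rule_name), ...])."""
    forwarded, discarded = [], []
    for ind in indications:
        decision, reason = identify(ind, rules)
        if decision == DISCARD:
            discarded.append((ind, reason))
        else:
            forwarded.append(ind)
    return forwarded, discarded


# Constructed sample indications (not captured data).
SAMPLE = [
    AnomalyIndication("high_message_rate", {"seconds_since_engine_start": 4.2, "system_mode": "normal",
                                            "criticality": "low", "confidence": 0.9}),
    AnomalyIndication("unknown_service_id", {"seconds_since_engine_start": 600, "system_mode": "diagnostic",
                                             "criticality": "medium", "confidence": 0.8}),
    AnomalyIndication("unknown_service_id", {"seconds_since_engine_start": 600, "system_mode": "normal",
                                             "criticality": "medium", "confidence": 0.8}),
    AnomalyIndication("replayed_frame", {"seconds_since_engine_start": 900, "system_mode": "normal",
                                         "criticality": "high", "confidence": 0.3}),
    AnomalyIndication("timing_jitter", {"seconds_since_engine_start": 900, "system_mode": "normal",
                                        "criticality": "low", "confidence": 0.3}),
]

if __name__ == "__main__":
    fwd, disc = filter_indications(SAMPLE)
    for ind, reason in disc:
        print("discard", ind.anomaly_type, "by", reason)
    for ind in fwd:
        print("forward", ind.anomaly_type, "to system 400")
```

The order of the rules matters: the cheap, deterministic rules run first, and the confidence rule is deliberately gated on criticality so that a low-confidence but high-criticality detection still reaches the investigation team rather than being silently dropped.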
  • if the intrusion filter 100 does not identify the anomaly indication I_n as a false positive anomaly indication, the anomaly indication I_n is forwarded to the collection and investigation system 400.
  • the collection and investigation system 400 may be implemented as a cloud based solution which implies that indications from a plurality of different STMs or vehicles are collected in a central network database remotely located from the STMs or vehicles.
  • the collection and investigation system 400 serves as a collection and investigation platform and may comprise a cloud based incident collection device 410 connected to an incident investigation device 420.
  • the incident collection device 410 is configured to obtain the anomaly indication l n from the intrusion filter 100 but may in embodiments collect incoming anomaly indications from a plurality of intrusion filters associated with different STMs 800.
  • the incident collection device 410 checks whether the anomaly indication I_n received from the intrusion filter 100 is a false positive anomaly indication. If so, the anomaly indication I_n is discarded. Otherwise the anomaly indication I_n is forwarded to the incident investigation device 420 for further investigation.
  • the incident collection device 410 may be part of a feedback mechanism according to embodiments of the invention. In this respect, the incident collection device 410 may transmit the first and/or the second feedback messages to the intrusion filter 100 and/or the anomaly detection device 110 via the transceiver 404.
  • upon reception of the anomaly indication I_n, the incident investigation device 420 investigates whether the anomaly indication I_n received from the incident collection device 410 is a false positive or a true positive anomaly indication.
  • the incident investigation device 420 may be considered a set of tools or functions for analysing whether the anomaly indication I_n is true or false.
  • Tools may e.g. be data viewers, which present network data in an informative way so that it is clear what has happened, for example by converting error numbers to human readable strings.
  • the tools could, if possible, also highlight the actual data that triggered the incident detection.
  • Next level incident investigation tools may be tools that can automatically evaluate the network data and conclude the state of the system when an incident occurs, or evaluate the communication state between two ECUs. Finally, such an incident investigation tool could draw references to similar incidents or even propose a possible root cause of the anomaly, which the security investigator would have to verify.
  • the outcome of the investigation, and hence the output of the incident investigation device 420, is a determination of whether the anomaly indication I_n is a false positive or a true positive anomaly indication.
  • a feedback mechanism is provided as illustrated with the two feedback lines from the incident investigation device 420 in Fig. 6.
  • the first feedback line 510 is configured for providing feedback from the collection and investigation system 400 to the intrusion filter 100 whilst the second feedback line 520 is configured for providing feedback from the collection and investigation system 400 to the anomaly detection device 110 of the detection subsystem 300.
  • the feedback lines 510, 520 may be wired and/or wireless communication links depending on the communication system architecture.
  • the first feedback message F_n indicates that the anomaly indication I_n is a false positive anomaly indication. Based on the first feedback message F_n the intrusion filter 100 updates the identification algorithm so that it identifies the anomaly indication I_n as a false positive anomaly indication.
  • the first feedback message F_n may comprise a part of or a complete identification algorithm, in which case the intrusion filter 100 updates or replaces the identification algorithm based on the content of the first feedback message F_n. The current version of the identification algorithm can therefore always be updated for improved performance.
  • the second feedback message F_n' indicates that the network sensor output does not comprise an incident. Based on the second feedback message F_n' the anomaly detection device 110 updates the incident detection algorithm so that it identifies that the network sensor output does not comprise the incident.
  • the second feedback message F_n' may comprise a part of or a complete incident detection algorithm, in which case the anomaly detection device 110 updates or replaces the incident detection algorithm based on the second feedback message F_n'. Hence, the current version of the incident detection algorithm is likewise always updated for improved performance.
  • the first F_n and second F_n' feedback messages may in embodiments comprise updates to the algorithms used by the intrusion filter 100 and the anomaly detection device 110, respectively.
  • the update may be in the form of a new software version, possibly including a configuration, or in the form of a delta update of the software and/or configuration.
  • the delta update may be a file specifying the difference(s) to the existing software and/or configuration used by the intrusion filter 100 and the anomaly detection device 110, respectively.
  • Applying the delta update to the existing software and configuration is an effective update procedure if only a limited update is needed. However, if the intrusion filter 100 and anomaly detection device 110 need to be completely updated a full update procedure is the better choice.
  • the software and/or configuration may be updated at run time, e.g. as soon as the vehicle receives an update indication.
  • An alternative update procedure may be that an update is received by the vehicle and executed when the vehicle is parked and/or at the reception of a user input indicating an acceptance of the update.
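The feedback path described above (the incident collection device 410 recognising a known false positive, emitting the first feedback message F_n and the second feedback message F_n', and the intrusion filter 100 applying F_n as a delta update to the configuration of its identification algorithm), as an added example that is not the patent's code. The message layout, the JSON configuration that stands in for "a part of or a complete identification algorithm", the base-version check before a delta is applied, and the HMAC authentication are all assumptions. The description does not say how feedback messages are authenticated; since such a message can replace the filter or detection algorithm outright, an implementation has to authenticate it, otherwise the feedback channel is also a way to switch detection off.

```python
"""Feedback round trip: device 410 -> F_n -> intrusion filter 100 delta update.

Added example, not the patent's code. Message layout, config format, version
check and HMAC authentication are assumptions.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption: key shared between backend and vehicle, provisioned out of band.
FEEDBACK_KEY = b"example-shared-key-not-for-production"

# Stand-in for the identification algorithm: a versioned configuration.
INITIAL_CONFIG = {
    "version": 3,
    "engine_start_grace_s": 20,
    "discard_signatures": ["high_message_rate@update"],
}


def signature_of(indication: Dict) -> str:
    """Key under which a false positive is remembered: anomaly type and system mode."""
    return f"{indication['anomaly_type']}@{indication['metadata'].get('system_mode', 'normal')}"


def is_false_positive(indication: Dict, config: Dict) -> bool:
    """Identification algorithm driven by the configuration above."""
    t = indication["metadata"].get("seconds_since_engine_start")
    if t is not None and t < config["engine_start_grace_s"]:
        return True
    return signature_of(indication) in config["discard_signatures"]


def sign(body: Dict) -> Dict:
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(FEEDBACK_KEY, payload, hashlib.sha256).hexdigest()}


def verify(message: Dict) -> Dict:
    """Reject any feedback message whose MAC does not match its body."""
    payload = json.dumps(message["body"], sort_keys=True).encode()
    expected = hmac.new(FEEDBACK_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["mac"]):
        raise ValueError("feedback message failed authentication")
    return message["body"]


class IncidentCollectionDevice:
    """Device 410: holds verdicts already reached by investigation device 420
    (seeded here with constructed ones). A known false positive is discarded and
    answered with F_n (to the filter) and F_n' (to the detector); anything else is
    queued for the investigation device."""

    def __init__(self, known_false_positives: List[str]):
        self.known = set(known_false_positives)
        self.to_investigate: List[Dict] = []

    def receive(self, indication: Dict, filter_version: int) -> Optional[Tuple[Dict, Dict]]:
        sig = signature_of(indication)
        if sig not in self.known:
            self.to_investigate.append(indication)
            return None
        f_n = sign({"kind": "F_n", "update": "delta",
                    "base_version": filter_version, "new_version": filter_version + 1,
                    "add_discard_signatures": [sig], "remove_discard_signatures": []})
        f_n_prime = sign({"kind": "F_n'", "verdict": "no_incident",
                          "network_sensor_ref": indication.get("sensor_ref")})
        return f_n, f_n_prime


def apply_feedback(config: Dict, message: Dict) -> Dict:
    """Intrusion filter side: authenticate, then apply a full replacement or a
    delta. A delta is only applied to the exact base version it was built for."""
    body = verify(message)
    if body.get("kind") != "F_n":
        raise ValueError("not a first feedback message")
    if body["update"] == "full":
        return copy.deepcopy(body["config"])
    if body["base_version"] != config["version"]:
        raise ValueError(f"delta built for version {body['base_version']}, have {config['version']}")
    new = copy.deepcopy(config)
    sigs = set(new["discard_signatures"]) - set(body["remove_discard_signatures"])
    sigs |= set(body["add_discard_signatures"])
    new["discard_signatures"] = sorted(sigs)
    new["version"] = body["new_version"]
    return new


# Constructed indication: forwarded the first time, filtered locally after feedback.
SAMPLE_INDICATION = {"anomaly_type": "unknown_service_id", "sensor_ref": "sensor-2/frame-117",
                     "metadata": {"system_mode": "diagnostic", "seconds_since_engine_start": 300}}


def run_round_trip() -> Tuple[bool, bool, Dict]:
    config = copy.deepcopy(INITIAL_CONFIG)
    device = IncidentCollectionDevice(known_false_positives=["unknown_service_id@diagnostic"])
    before = is_false_positive(SAMPLE_INDICATION, config)        # filter forwards it
    f_n, _f_n_prime = device.receive(SAMPLE_INDICATION, config["version"])
    config = apply_feedback(config, f_n)                          # delta applied
    after = is_false_positive(SAMPLE_INDICATION, config)         # now discarded locally
    return before, after, config


if __name__ == "__main__":
    print(run_round_trip())
```

The delta carries both the base version it was computed against and the resulting version, so a delta that arrives out of order (or after a full replacement) is refused rather than silently merged into a configuration it was never tested with; that is the check a fleet-wide feedback message addressed to many vehicles needs.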
  • a network packet sent through the device interface 830 of the STM 800 may be blocked until a part or the entire detection subsystem 300 has been executed. If only a part of the detection subsystem 300 needs to be executed until a network packet is released, the detection subsystem 300 may take a copy of relevant data about the network packet for later evaluation.
  • the present system 500 may be able to perform a blocking and a non-blocking procedure. If the system 500 needs to be able to discard a network packet because the packet is not allowed and it is assured that the packet is part of a network attack, then a blocking procedure must be supported. If instead the system 500 runs a non-blocking procedure, in which a network packet may be forwarded before it is validated by the anomaly detection device 110, then whatever the anomaly detection device 110 concludes about the packet (normal or anomalous) it cannot block the packet, as it has already been forwarded.
  • An advantage of the non-blocking procedure is that the additional packet transfer delay due to the IDPS/IPS is minimal, as the packet is forwarded before it is evaluated.
  • the steps in a blocking procedure may comprise:
  • the device interface 830 of the STM receives a network packet, e.g., intended for an application or a remote connection point;
  • Network sensors extract all data, such as the previously described metadata, needed for detection, categorization and evaluation by the anomaly detection device 110, intrusion filter 100 and collection and investigation system 400.
  • the data is extracted from the network packet and from other data sources of the system 500 such as GPS data, configuration data, etc.;
  • the anomaly detection device 110 analyzes the extracted data from the network sensors and determines if an anomaly indication should be sent to the intrusion filter 100 or not;
  • the intrusion filter 100 evaluates an anomaly indication from the anomaly detection device 110 and, if the intrusion filter 100 categorizes the anomaly indication as a true positive, forwards the anomaly indication to the collection and investigation system 400; and
  • the device interface 830 forwards a network packet if it has been assured that the network packet is not part of a network attack.
  • the steps in a non-blocking procedure may comprise:
  • the device interface 830 of the STM receives a network packet;
  • Network sensors take a copy of relevant data;
  • the device interface 830 forwards the network packet to intended recipient such as an application or a remote connection point;
  • Network sensors extract all data, such as the previously described metadata, needed for detection, categorization and evaluation by the anomaly detection device 110, intrusion filter 100 and collection and investigation system 400.
  • the data is extracted from the network packet and other data sources of the system 500 such as GPS data, configuration data, etc.;
  • the anomaly detection device 110 analyzes the extracted data from the network sensors and determines if an anomaly indication should be sent to the intrusion filter 100 or not;
  • the intrusion filter 100 evaluates an anomaly indication from the anomaly detection device 110, and if intrusion filter 100 categorizes the anomaly indication as a true positive it is forwarded to the collection and investigation system 400.
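Both procedures, worked through end to end over the same constructed frames, as an added example rather than the patent's code. The CAN-style frame format, the allowlist that stands in for the anomaly detection device 110, the single 20 s filter rule and the sample frames are assumptions. The point is the ordering: in the blocking procedure analysis precedes forwarding and the true-positive frame is dropped; in the non-blocking procedure forwarding precedes analysis, so the same frame is reported but cannot be recalled.

```python
"""Blocking vs. non-blocking handling at the device interface 830.

Added example, not the patent's code. Frame format, allowlist detector,
filter rule and sample frames are assumptions / constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    can_id: int
    payload: bytes
    ts: float  # seconds since engine start, taken from "other data sources"


# Assumption: CAN id -> expected payload length, standing in for the detector's
# learnt model of normal traffic.
ALLOWED = {0x100: 8, 0x200: 4, 0x7DF: 8}


def extract(packet: Packet, system_mode: str) -> Dict:
    """Network sensors: the copy of relevant data that the detector, the filter
    and the collection system need. Nothing below touches the packet again."""
    return {"can_id": packet.can_id, "dlc": len(packet.payload),
            "payload": bytes(packet.payload), "ts": packet.ts, "system_mode": system_mode}


def detect(features: Dict) -> Optional[Dict]:
    """Anomaly detection device 110: returns an anomaly indication or None."""
    expected = ALLOWED.get(features["can_id"])
    if expected is None:
        return {"anomaly_type": "unknown_id", "criticality": "high", "features": features}
    if features["dlc"] != expected:
        return {"anomaly_type": "bad_dlc", "criticality": "medium", "features": features}
    return None


def intrusion_filter(indication: Dict) -> bool:
    """Intrusion filter 100: True means true positive, forward to system 400.
    Single rule taken from the description: within 20 s of engine start is noise."""
    return indication["features"]["ts"] >= 20.0


@dataclass
class Outcome:
    forwarded: List[Packet] = field(default_factory=list)
    dropped: List[Packet] = field(default_factory=list)
    reported: List[Dict] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)  # event order, to compare the procedures


def handle_blocking(packet: Packet, out: Outcome, system_mode: str = "normal") -> Outcome:
    """Blocking: the packet is held until detection and filtering have run."""
    indication = detect(extract(packet, system_mode))
    out.trace.append("analyzed")
    attack = indication is not None and intrusion_filter(indication)
    if attack:
        out.reported.append(indication)
        out.dropped.append(packet)      # never released: assured to be part of an attack
        out.trace.append("dropped")
    else:
        out.forwarded.append(packet)    # released once assured it is not an attack
        out.trace.append("forwarded")
    return out


def handle_nonblocking(packet: Packet, out: Outcome, system_mode: str = "normal") -> Outcome:
    """Non-blocking: sensors snapshot the data, the packet is forwarded at once and
    analysis runs on the snapshot; a true positive is reported but not blocked."""
    snapshot = extract(packet, system_mode)
    out.forwarded.append(packet)
    out.trace.append("forwarded")
    indication = detect(snapshot)
    out.trace.append("analyzed")
    if indication is not None and intrusion_filter(indication):
        out.reported.append(indication)
    return out


# Constructed frames (not captured traffic).
FRAMES = [
    Packet(0x100, bytes(8), ts=5.0),       # normal
    Packet(0x3FF, b"\x01\x02", ts=12.0),   # unknown id inside the 20 s grace: filtered as FP
    Packet(0x200, bytes(4), ts=40.0),      # normal
    Packet(0x3FF, b"\xde\xad", ts=45.0),   # unknown id after the grace period: true positive
]


def run(mode: str) -> Outcome:
    handler = handle_blocking if mode == "blocking" else handle_nonblocking
    out = Outcome()
    for frame in FRAMES:
        handler(frame, out)
    return out


if __name__ == "__main__":
    for mode in ("blocking", "nonblocking"):
        o = run(mode)
        print(mode, "forwarded", len(o.forwarded), "dropped", len(o.dropped),
              "reported", len(o.reported), "order", o.trace[:2])
```

Note that in the blocking procedure a frame the filter categorizes as a false positive is still released, so a filter misconfiguration in that direction costs detection coverage, not availability; the converse (a true positive wrongly passed by the filter) is what the investigation feedback exists to correct.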
  • Fig. 7 shows an intrusion detection system 500 according to further embodiments of the invention.
  • the intrusion filter 100 is comprised in, or is part of, the collection and investigation system 400 instead of the detection subsystem 300 as in Fig. 6.
  • a single intrusion filter 100 may be shared by multiple detection subsystems and hence multiple STMs or vehicles.
  • the first feedback line 510 in this architecture also may be cloud based since the intrusion filter 100 itself is cloud based.
  • the first and second feedback messages may be targeted or addressed to more than one STM or vehicle.
  • the intrusion filter 100 can be executed on a powerful server rather than in a locally embedded device. This means that the algorithm(s) used by the intrusion filter 100 can be more complex, require more computational load, have a larger code or data size and be heavier to execute. It may further be noted that in such embodiments the intrusion filter 100 may share one or more processors of the collection and investigation system 400.
  • Fig. 8 illustrates vehicles connected to a collection and investigation system in a cloud based implementation of the collection and investigation system 400.
  • Fig. 9 illustrates a vehicle 900, in this case a car, comprising one or more STMs and a detection subsystem 300, where the latter is in communication with the collection and investigation system 400 in the cloud.
  • embodiments of the invention also relate to a vehicle 900 comprising an intrusion filter 100 and/or a detection subsystem 300 according to embodiments of the invention.
  • the vehicle 900 may be any vehicle comprising one or more STMs connected to one or more data networks, possibly via one or more intermediate wired and wireless communication systems such as 3GPP LTE, NR, etc.
  • the vehicle 900 may be a car, a bus or a truck and comprise any type of engines such as a combustion engine, an electrical engine, a hybrid engine, etc.
  • any method according to embodiments of the invention may be implemented in a computer program, having code means, which when run by processing means causes the processing means to execute the steps of the method.
  • the computer program is included in a computer readable medium of a computer program product.
  • the computer readable medium may comprise essentially any memory, such as a ROM (Read-Only Memory), a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), a Flash memory, an EEPROM (Electrically Erasable PROM), or a hard disk drive.

Abstract

Embodiments of the invention relate to an intrusion filter (100) for Detection Prevention Systems (DPS) and Intrusion Detection Prevention Systems (IDPS). Embodiments of the invention also relate to a detection subsystem (300) and a collection and investigation system (400) comprising such an intrusion filter. The intrusion filter filters anomaly indications such that an anomaly indication identified as a false positive anomaly indication is discarded. Otherwise, the anomaly indication will be provided to a collection and investigation system (400) for further processing. Thereby, e.g. reduced computational load on the system is achieved. Furthermore, embodiments of the invention also relate to corresponding methods and a computer program.

Description

INTRUSION FILTER FOR AN INTRUSION DETECTION SYSTEM
Technical Field
Embodiments of the invention relate to an intrusion filter for an intrusion detection system and to a detection subsystem and a collection and investigation system comprising such an intrusion filter. Furthermore, embodiments of the invention also relate to corresponding methods and a computer program.
Background
Intrusion Prevention Systems (IPS) and Intrusion Detection and Prevention Systems (IDPS) are network security systems for detecting cyber-attacks on vehicles connected to the internet. IPS and IDPS are commonly run in embedded devices in the vehicle. Examples of vehicles are cars, buses and trucks.
Traditionally, IPS and IDPS have used rule based algorithms; however, the current trend is to use Artificial Intelligence (AI) based algorithms for anomaly detection. AI based detection flags an anomaly when network traffic does not seem normal or differs from what the algorithm has previously learnt. One of the drawbacks of AI based anomaly detection is the trade-off between false positives and false negatives, which is an optimization parameter when tuning the AI based anomaly detection algorithm. A false positive is a false alarm, meaning that normal network traffic is categorized by the AI algorithm as an anomaly. A false negative is the opposite situation, where a network attack is overlooked by the AI algorithm and categorized as normal network traffic.
Generally, the optimization goal of IPS and IDPS is on one hand to reduce number of false positives to avoid false alarms and on the other hand to optimize the detection rate or sensitivity, which represents the percentage of network attacks the system correctly detects.
Summary
An objective of embodiments of the invention is to provide a solution which mitigates or solves the drawbacks and problems of conventional solutions.
Another objective of embodiments of the invention is to provide a solution reducing the number of false indications propagating in an intrusion prevention system. The above and further objectives are solved by the subject matter of the independent claims. Further advantageous embodiments of the invention can be found in the dependent claims.
According to a first aspect of the invention, the above mentioned and other objectives are achieved with an intrusion filter for an intrusion detection system, the intrusion filter being configured to obtain an anomaly indication from an anomaly detection device, wherein the anomaly indication indicates an incident detected by the anomaly detection device; and discard the anomaly indication upon identifying that the anomaly indication is a false positive anomaly indication, else provide the anomaly indication to a collection and investigation system.
An advantage of the intrusion filter according to the first aspect is that the number of false positive anomaly indications may be reduced in the system. Another advantage of the intrusion filter according to the first aspect is that the computational load on the system may also be reduced compared to conventional systems.
In an implementation form of an intrusion filter according to the first aspect, the intrusion filter being configured to identify that the anomaly indication is a false positive anomaly indication using an identification algorithm.
Any suitable identification algorithm may be employed.
In an implementation form of an intrusion filter according to the first aspect, the intrusion filter being configured to obtain metadata associated with the anomaly indication; and identify that the anomaly indication is a false positive anomaly indication using the identification algorithm and the metadata.
An advantage with this implementation form is that the identification that the anomaly indication is a false positive anomaly indication may be improved with the additional use of the metadata.
In an implementation form of an intrusion filter according to the first aspect, the intrusion filter being configured to obtain a first feedback message from the collection and investigation system, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication; and update the identification algorithm to identify that the anomaly indication is a false positive anomaly indication.
An advantage with this implementation form is that a feedback mechanism is provided. By using the present feedback mechanism, the identification algorithm may continuously be improved based on the received feedback thereby reducing the number of non-identified false positive anomaly indications in the system.
In an implementation form of an intrusion filter according to the first aspect, the first feedback message comprises a part of or a complete identification algorithm; and configured to update or replace the identification algorithm based on the first feedback message.
An advantage with this implementation form is that the part of or the complete identification algorithm is provided by the collection and investigation system. This means that depending on the intrusion filter algorithm or implementation type the most suitable algorithm updates can always be provided.
In an implementation form of an intrusion filter according to the first aspect, the intrusion filter is an artificial intelligence intrusion filter and/or a rule-based intrusion filter.
An advantage with this implementation form is that a given implementation can include the best suitable artificial intelligence and/or rule-based detection algorithm for a specific application.
According to a second aspect of the invention, the above mentioned and other objectives are achieved with a detection subsystem for an intrusion detection system, wherein the detection subsystem comprises an intrusion filter according to the first aspect, and an anomaly detection device configured to: obtain network sensor output from one or more network sensors; and provide an anomaly indication indicating an incident to the intrusion filter upon identifying that the network sensor output comprises an incident. An advantage of the detection subsystem according to the second aspect is that the number of false positive anomaly indications may be reduced in the system. Another advantage of the detection subsystem according to the second aspect is that the computational load on the system may also be reduced compared to conventional systems.
In an implementation form of a detection subsystem according to the second aspect, the anomaly detection device is configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
Any suitable incident detection algorithm may be employed.
In an implementation form of a detection subsystem according to the second aspect, the anomaly detection device is further configured to obtain a second feedback message from a collection and investigation system, wherein the second feedback message indicates that the network sensor output does not comprise an incident; and update the incident detection algorithm to identify that the network sensor output does not comprise the incident.
The second feedback message may also indicate corrections or feedback in respect of already detected incidents.
An advantage with this implementation form is that a feedback mechanism is provided. By using the present feedback mechanism, the incident detection algorithm may continuously be improved based on the received feedback, thereby reducing the number of false positive anomaly indications produced by the anomaly detection device.
In an implementation form of a detection subsystem according to the second aspect, the second feedback message comprises a part of or a complete incident detection algorithm; and configured to update or replace the incident detection algorithm based on the second feedback message.
An advantage with this implementation form is that the part of or the complete incident detection algorithm is provided by the collection and investigation system. This means that depending on the detection subsystem algorithm or implementation type the most suitable algorithm updates can always be provided.
In an implementation form of a detection subsystem according to the second aspect, the anomaly detection device is an artificial intelligence detection device and/or a rule-based detection device.
An advantage with this implementation form is that a given implementation can include the best suitable artificial intelligence and/or rule-based detection algorithm for a specific application.
According to a third aspect of the invention, the above mentioned and other objectives are achieved with a collection and investigation system for an intrusion detection system, the collection and investigation system being configured to obtain an anomaly indication from an intrusion filter; and upon determining that the anomaly indication is a false positive anomaly indication being configured to at least one of: provide a first feedback message to the intrusion filter, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication, and provide a second feedback message to an anomaly detection device associated with the intrusion filter, wherein the second feedback message indicates that network sensor output associated with the anomaly indication does not comprise an incident.
An advantage of the collection and investigation system according to the third aspect is that by providing a feedback mechanism comprising the first feedback message and/or the second feedback message the performance of the algorithms employed by the intrusion filter and the anomaly detection device can be improved.
In an implementation form of a collection and investigation system according to the third aspect, the first feedback message comprises a part of or a complete identification algorithm; and the second feedback message comprises a part of or a complete incident detection algorithm.
In an implementation form of a collection and investigation system according to the third aspect, the collection and investigation system comprises the intrusion filter.
According to a fourth aspect of the invention, the above mentioned and other objectives are achieved with a method for an intrusion filter, the method comprising obtaining an anomaly indication from an anomaly detection device, wherein the anomaly indication indicates an incident detected by the anomaly detection device; and discarding the anomaly indication upon identifying that the anomaly indication is a false positive anomaly indication, else providing the anomaly indication to a collection and investigation system.
The method according to the fourth aspect can be extended into implementation forms corresponding to the implementation forms of the intrusion filter according to the first aspect. Hence, an implementation form of the method comprises the feature(s) of the corresponding implementation form of the intrusion filter.
The advantages of the methods according to the fourth aspect are the same as those for the corresponding implementation forms of the intrusion filter according to the first aspect.
According to a fifth aspect of the invention, the above mentioned and other objectives are achieved with a method for a collection and investigation system, the method comprising obtaining an anomaly indication from an intrusion filter; and upon determining that the anomaly indication is a false positive anomaly indication being further comprising at least one of: providing a first feedback message to the intrusion filter, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication, and providing a second feedback message to an anomaly detection device associated with the intrusion filter, wherein the second feedback message indicates that network sensor output associated with the anomaly indication does not comprise an incident.
The method according to the fifth aspect can be extended into implementation forms corresponding to the implementation forms of the collection and investigation system according to the third aspect. Hence, an implementation form of the method comprises the feature(s) of the corresponding implementation form of the collection and investigation system.
The advantages of the methods according to the fifth aspect are the same as those for the corresponding implementation forms of the collection and investigation system according to the third aspect.
According to a sixth aspect of the invention, the above mentioned and other objectives are achieved with a vehicle comprising an intrusion filter and/or a detection subsystem according to the first and second aspect, respectively. The vehicle may be any vehicle having a communication connection to one or more data networks, possibly via one or more intermediate wired and wireless communication systems.
The invention also relates to a computer program, characterized in program code, which when run by at least one processor causes said at least one processor to execute any method according to embodiments of the invention. Further, the invention also relates to a computer program product comprising a computer readable medium and said mentioned computer program, wherein said computer program is included in the computer readable medium, and comprises of one or more from the group: ROM (Read-Only Memory), PROM (Programmable ROM), EPROM (Erasable PROM), Flash memory, EEPROM (Electrically EPROM) and hard disk drive.
Further applications and advantages of the embodiments of the invention will be apparent from the following detailed description.
Brief Description of the Drawings
The appended drawings are intended to clarify and explain different embodiments of the invention, in which:
- Fig. 1 shows an intrusion filter according to an embodiment of the invention;
- Fig. 2 shows a method for an intrusion filter according to an embodiment of the invention;
- Fig. 3 shows a detection subsystem according to an embodiment of the invention;
- Fig. 4 shows a collection and investigation system according to an embodiment of the invention;
- Fig. 5 shows a method for a collection and investigation system according to an embodiment of the invention;
- Fig. 6 shows an intrusion detection system according to an embodiment of the invention;
- Fig. 7 shows an intrusion detection system according to a further embodiment of the invention;
- Fig. 8 shows vehicles connected to a collection and investigation system according to a cloud based implementation of embodiments of the invention; and
- Fig. 9 shows a vehicle comprising a system to monitor and a detection subsystem, where the latter is in communication with a collection and investigation system in a cloud based implementation.
Detailed Description
As aforementioned, AI based detection algorithms for IPS or IDPS have been the recent trend for detecting network intrusions in vehicles. AI based detection results in either accepting increased false positives or accepting an increased level of false negatives, with the disadvantage of reduced detection reliability. An improved compromise can be obtained by applying more advanced algorithms, increased parameterization or more layers, which however requires more computational load. As Systems To be Monitored (STMs) are often realized in embedded devices, such an improvement would typically result in unacceptable detection time and is therefore not suitable in practical implementations.
Currently, the compromise is to reduce the algorithm load to a level where the response time of the embedded device is acceptable and to reduce the false positive rate to an acceptably low level, so that a security analysis team is not burdened with evaluation tasks that are in fact false alarms. The end result is reduced detection reliability, which means that a number of actual intrusions are not detected and reported by the AI based IPS or IDPS.
Therefore, a novel two-step solution is disclosed herein which mitigates or fully solves the drawbacks of conventional solutions described above. In a first step a conventional detection system may be employed for providing anomaly indications of an STM. In a second step, a novel intrusion filter is introduced. The intrusion filter is configured to separate false positive anomaly indications from true positive anomaly indications. The present two-step solution improves detection accuracy without additional load or computation power on the IPS or IDPS. Also, the false positive rate may be reduced without compromising the true positive rate. This may be done without increasing the required computational load, which is crucial for IPS and IDPS running on embedded devices in vehicles. As the present intrusion filter can remove false positive anomaly indications, the overall detection result has a much higher proportion of true positives. This also reduces detection noise and ensures that security incident specialists or teams may spend time and resources on analyzing true security incidents rather than false positives. Furthermore, in embodiments of the invention a novel feedback mechanism is also introduced for improving the detection performance of the detection algorithms employed in conjunction with the present solution.
Fig. 1 shows an intrusion filter 100 according to an embodiment of the invention. The intrusion filter 100 may be a stand-alone device or part of another device of an IPS or IDPS. In the embodiment shown in Fig. 1, the intrusion filter 100 comprises a processor 102, a transceiver 104 and a memory 106. The processor 102 may be coupled to the transceiver 104 and the memory 106 by communication means 108 known in the art. The transceiver 104 may as shown have an input and an output.
The intrusion filter 100 may be configured for wireless and/or wired communications in a communication system, such as an IP based communication system. That the intrusion filter 100 may be configured to perform certain actions can in this disclosure be understood to mean that the intrusion filter 100 comprises suitable means, such as e.g. the processor 102 and the transceiver 104, configured to perform said actions.
The processor 102 of the intrusion filter 100 may be referred to as one or more general-purpose central processing units (CPUs), one or more digital signal processors (DSPs), one or more application-specific integrated circuits (ASICs), one or more field programmable gate arrays (FPGAs), one or more programmable logic devices, one or more discrete gates, one or more transistor logic devices, one or more discrete hardware components, and one or more chipsets. The memory 106 of the intrusion filter 100 may be a read-only memory, a random access memory, or a non-volatile random access memory (NVRAM). The transceiver 104 of the intrusion filter 100 may be a transceiver circuit, a power controller, an antenna, or an interface which communicates with other modules or devices. In embodiments, the transceiver 104 of the intrusion filter 100 may be a separate chipset or being integrated with the processor 102 in one chipset. While in some embodiments, the processor 102, the transceiver 104, and the memory 106 of the intrusion filter 100 are integrated in one chipset.
According to embodiments of the invention the intrusion filter 100 is configured to obtain an anomaly indication ln from an anomaly detection device 110. The anomaly indication ln indicates an incident detected by the anomaly detection device 110. The intrusion filter 100 is further configured to discard the anomaly indication ln upon identifying that the anomaly indication ln is a false positive anomaly indication. Else, the intrusion filter 100 is configured to provide or forward the anomaly indication ln to a collection and investigation system 400.
The intrusion filter 100 may be configured to identify that the anomaly indication ln is a false positive anomaly indication using an identification algorithm which will be explained more in detail in the following disclosure.
Fig. 2 shows a flow chart of a corresponding method 600 which may be executed in an intrusion filter 100, such as the one shown in Fig. 1. The method 600 comprises obtaining 602 an anomaly indication ln from an anomaly detection device 110. The anomaly indication ln indicates an incident detected by the anomaly detection device 110. The method 600 further comprises discarding 604 the anomaly indication ln upon identifying that the anomaly indication ln is a false positive anomaly indication, or else providing 606 the anomaly indication ln to a collection and investigation system 400.
Fig. 3 shows a detection subsystem 300 for an intrusion detection system 500. The detection subsystem 300 comprises an intrusion filter 100 according to embodiments of the invention. The detection subsystem 300 also comprises an anomaly detection device 110 which is coupled to the intrusion filter 100. The anomaly detection device 110 is configured to obtain network sensor output from one or more network sensors 120a, 120b,... , 120n. The anomaly detection device 110 is further configured to provide or forward an anomaly indication ln indicating an incident to the intrusion filter 100 upon identifying that the network sensor output comprises an incident. The intrusion filter 100 upon reception of the anomaly indication ln from the anomaly detection device 110 will act as described above.
The detection subsystem 300 may be a stand-alone device or integrated with other types of devices. For example, in the latter case the detection subsystem 300 may share one or more components with a STM or a vehicle, such as processor, memory and communication means. The network sensors may be of different types, such as software sensors and hardware sensors. Software sensors may be configured to monitor network traffic and data and communication parameters such as packet headers and data, data protocol information, congestion parameters, etc. Hardware sensors may be configured to monitor hardware parameters of a STM and of a vehicle, such as speed, spatial position, acceleration, deceleration, etc.
The anomaly detection device 110 may be configured to identify that the network sensor output comprises an incident using an incident detection algorithm. The obtained network sensor output is used as input to the incident detection algorithm, possibly together with additional behaviour considerations, to identify that the network sensor output comprises an incident. The behaviour considerations may e.g. relate to information for evaluating the sensor output which is not directly included in the network data, such as operation mode, system mode, and spatial location. Hence, the network sensor output is analysed in the incident detection algorithm to identify whether a possible intrusion is present or not. Non-limiting examples of network sensor output are system mode, operation mode, network package, system history information, intrusion criticality level, intrusion confidence level, physical or spatial location, and analysed network data such as the mean, maximum, or minimum of certain network parameters. These network sensor outputs are explained in more detail in the following description relating to metadata.
Fig. 4 shows a collection and investigation system 400 according to an embodiment of the invention. In the embodiment shown in Fig. 4, the collection and investigation system 400 comprises a processor 402, a transceiver 404 and a memory 406. The processor 402 is coupled to the transceiver 404 and the memory 406 by communication means 408 known in the art. The transceiver 404 may, as shown, have an input and an output. The collection and investigation system 400 may be configured for wireless and/or wired communications in a communication system. That the collection and investigation system 400 is configured to perform certain actions can in this disclosure be understood to mean that the collection and investigation system 400 comprises suitable means, such as e.g. the processor 402 and the transceiver 404, configured to perform said actions.
The processor 402 of the collection and investigation system 400 may be one or more general-purpose CPUs, one or more DSPs, one or more ASICs, one or more FPGAs, one or more programmable logic devices, one or more discrete gates, one or more transistor logic devices, one or more discrete hardware components, or one or more chipsets. The memory 406 of the collection and investigation system 400 may be a read-only memory, a random access memory, or a NVRAM. The transceiver 404 of the collection and investigation system 400 may be a transceiver circuit, a power controller, an antenna, or an interface which communicates with other modules or devices. In embodiments, the transceiver 404 of the collection and investigation system 400 may be a separate chipset or be integrated with the processor 402 in one chipset. In some embodiments, the processor 402, the transceiver 404, and the memory 406 of the collection and investigation system 400 are integrated in one chipset.
According to embodiments of the invention the collection and investigation system 400 is configured to obtain an anomaly indication ln from an intrusion filter 100. The collection and investigation system 400 is further configured to, upon determining that the anomaly indication ln is a false positive anomaly indication, provide a first feedback message Fn to the intrusion filter 100, wherein the first feedback message Fn indicates that the anomaly indication ln is a false positive anomaly indication, and/or provide a second feedback message Fn' to an anomaly detection device 110 associated with the intrusion filter 100, wherein the second feedback message Fn' indicates that the network sensor output associated with the anomaly indication ln does not comprise an incident. The feedback may be provided using any suitable communication means.

Fig. 5 shows a flow chart of a corresponding method 700 which may be executed in a collection and investigation system 400, such as the one shown in Fig. 4. The method 700 comprises obtaining 702 an anomaly indication ln from an intrusion filter 100. The method 700 further comprises, upon determining that the anomaly indication ln is a false positive anomaly indication: providing 704 a first feedback message Fn to the intrusion filter 100, wherein the first feedback message Fn indicates that the anomaly indication ln is a false positive anomaly indication, and/or providing 706 a second feedback message Fn' to an anomaly detection device 110 associated with the intrusion filter 100, wherein the second feedback message Fn' indicates that the network sensor output associated with the anomaly indication ln does not comprise an incident.
An anomaly indication herein may have different forms and formats. For example, the anomaly indication may be a functional call or a communication message transmitted and received within the system 500. The anomaly indication may also comprise data about the detected anomaly as well as further data such as associated metadata.
Fig. 6 shows an intrusion detection system 500 according to embodiments of the invention. A STM, e.g. in a vehicle, which may be the target for validation is illustrated. The STM may be an Electronic Control Unit (ECU) in a vehicle having connection to a communication network (NW). The STM may as disclosed comprise applications 810, network (NW) protocols 820, device interfaces 830 and device drivers 840 as illustrated in Fig. 6. An application 810 may be seen as a functionality in a given ECU, such as an Electronic Stability Program (ESP) or an Anti-lock Brake System (ABS) in a vehicle. A network protocol 820 may define a communication procedure, such as IPv4, which an application 810 uses for communication. A device interface 830 may be considered as an intermediate layer acting as an interface between software layers and device drivers 840 of the STM. A device driver 840 may be considered as a software program configured to control one or more peripherals of the STM such as a network interface, etc.
Parts of the intrusion detection system 500 may be integrated in a vehicle. Generally, the intrusion detection system 500 validates STM behaviour and therefore includes a sensor module comprising one or more network sensors 120a, 120b,... , 120n configured to be communicably coupled wired or wirelessly with the device interface of the STM. The one or more network sensors 120a, 120b,... , 120n are in turn in communication with an anomaly detection device 110 which is configured to receive network sensor output from one or more network sensors 120a, 120b,... , 120n. In respect of system architecture the STM 800 and the detection subsystem 300 may run on the same processors and hence be integrated in the same vehicle.
In embodiments of the invention, the anomaly detection device 110 is configured to identify that the network sensor output comprises an incident using an incident detection algorithm. An incident detection algorithm is an algorithm that is able to detect illegal messages or traffic on a specific network. More complex threats or errors may also be detected, such as a too rapid change of a physical parameter of the vehicle (e.g. speed, acceleration or deceleration), or conflicting network data, e.g. the wheels of a vehicle indicating movement of the vehicle while GPS data indicates that the vehicle is at a standstill.
The anomaly detection device 110 is configured to provide an anomaly indication ln indicating an incident to the intrusion filter 100 upon identifying that the network sensor output comprises an incident. Else, the anomaly indication ln is discarded by the anomaly detection device 110.
The anomaly detection device 110 may be an AI based detection device and/or a rule-based detection device depending on the application. Rule-based detection is typically derived from the network specification and is more trustworthy but also more limited in the complexity of error types it can detect. AI based detection, on the other hand, detects anomalies based on statistical training/learning, typically from network traffic logs and statistics. Owing to this information source, AI based detection has more information about typical usage and can therefore find anomalies which do not violate the network specification. It is noted that implementations herein may also combine AI detection and rule-based detection.
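The following is an added example, not code from the patent, of a rule-based anomaly detection device 110 of the kind described above. It runs the three incident classes named in the description over a constructed stream of network sensor output: an illegal message (a message ID outside the network specification), a too rapid change of a physical parameter (wheel speed), and conflicting network data (wheels moving while GPS reports standstill). The allowed message IDs, the physical limits, the field names and the criticality/confidence values attached to each indication are assumptions chosen for the example.

```python
"""Rule-based incident detection over network sensor output (illustrative).

Added example, not code from the patent. The allowed message IDs, limits,
field names and the criticality/confidence values are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed network specification: the only message IDs allowed on this network.
ALLOWED_MESSAGE_IDS = {0x100, 0x1A0, 0x2F0}
# Assumed physical limits: the constructed samples are 100 ms apart, and a
# 10 m/s change between two samples is far beyond what a car can do.
MAX_SPEED_DELTA_MPS = 10.0
GPS_STANDSTILL_MPS = 0.5
WHEEL_MOVING_MPS = 3.0


@dataclass
class SensorOutput:
    """One sample of network sensor output (constructed for the example)."""
    timestamp: float
    message_id: int
    wheel_speed_mps: float
    gps_speed_mps: float
    system_mode: str = "normal"


@dataclass
class AnomalyIndication:
    """Indication In handed from the detection device to the intrusion filter."""
    incident_type: str
    criticality: str          # metadata: intrusion criticality level
    confidence: float         # metadata: intrusion confidence level
    system_mode: str          # metadata: system mode
    sample: SensorOutput      # metadata: the network data that triggered it


class AnomalyDetectionDevice:
    """Rule-based first-stage detector; keeps the previous sample as history."""

    def __init__(self) -> None:
        self.last: Optional[SensorOutput] = None

    def evaluate(self, out: SensorOutput) -> Optional[AnomalyIndication]:
        indication = None
        if out.message_id not in ALLOWED_MESSAGE_IDS:
            # Illegal message: violates the network specification outright.
            indication = AnomalyIndication(
                "illegal_message", "high", 0.95, out.system_mode, out)
        elif (self.last is not None
              and abs(out.wheel_speed_mps - self.last.wheel_speed_mps)
              > MAX_SPEED_DELTA_MPS):
            # Too rapid change of a physical parameter between two samples.
            indication = AnomalyIndication(
                "rapid_speed_change", "medium", 0.8, out.system_mode, out)
        elif (out.wheel_speed_mps > WHEEL_MOVING_MPS
              and out.gps_speed_mps < GPS_STANDSTILL_MPS):
            # Conflicting network data: wheels moving, GPS at standstill.
            indication = AnomalyIndication(
                "wheel_gps_conflict", "medium", 0.6, out.system_mode, out)
        self.last = out
        return indication


def run_detector(samples: List[SensorOutput]) -> List[Optional[str]]:
    """Feed samples through one detector; return the incident type per sample."""
    device = AnomalyDetectionDevice()
    results = []
    for s in samples:
        ind = device.evaluate(s)
        results.append(ind.incident_type if ind else None)
    return results


# Constructed sample stream (not captured vehicle data).
SAMPLES = [
    SensorOutput(0.0, 0x100, 12.0, 12.1),   # normal driving
    SensorOutput(0.1, 0x7FF, 12.0, 12.1),   # unknown message ID
    SensorOutput(0.2, 0x1A0, 30.0, 12.2),   # +18 m/s within 100 ms
    SensorOutput(0.3, 0x1A0, 30.0, 0.0),    # wheels moving, GPS standstill
    SensorOutput(0.4, 0x2F0, 30.5, 30.2),   # consistent again
]

if __name__ == "__main__":
    for s, r in zip(SAMPLES, run_detector(SAMPLES)):
        print(f"t={s.timestamp:.1f}s id=0x{s.message_id:03X} -> {r}")
```

Each indication carries the metadata the description lists (criticality, confidence, system mode and the triggering data), which is what the intrusion filter consumes in the next stage. The rules are evaluated in priority order, so a sample that is both an illegal message and a physical-parameter anomaly is reported once, under the more specific rule.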
The intrusion filter 100 receives the anomaly indication ln from the anomaly detection device 110 and depending on an outcome of an identification procedure either discards the anomaly indication ln or provides the anomaly indication ln to a collection and investigation system 400 via a communication link.
In embodiments of the invention, the intrusion filter 100 is configured to identify that the anomaly indication ln obtained from the anomaly detection device 110 is a false positive anomaly indication using any suitable identification algorithm. An example of such an identification algorithm is the so-called Local Outlier Factor (LOF), which could be used to distinguish false positive from true positive anomaly indications. Another common algorithm is the so-called k-Nearest Neighbours (KNN) algorithm. Other identification algorithms may also be used in conjunction with the present solution. The intrusion filter 100 may be an artificial intelligence intrusion filter and/or a rule-based intrusion filter. A rule-based intrusion filter uses clearly defined rules, e.g. a rule specifying that any intrusion detected within 20 s of engine start should be discarded. An AI based intrusion filter is based on previous training sequences from prior false positives. Hence, the behaviour of an AI based intrusion filter is more statistical: it checks whether an indication is alike other indications which have previously been categorised as false positives.
For improving the identification rate, the intrusion filter 100 may in embodiments of the invention obtain metadata associated with the anomaly indication ln. The metadata may e.g. comprise:
• System mode which e.g. may be diagnostic, update or normal mode. Normal mode is every day driving mode. Update mode is software update mode. Diagnostic mode is for debugging or reading out logs from one or more STMs or the entire vehicle.
• Operation mode may e.g. be high performance mode or normal performance mode - which might impact the system behavior.
• Network package may in this case contain the entire network package with its header and data.
• System history information which can contain information about system speed, last message of the same communication session or other relevant historical system information.
• Intrusion criticality level: a detected anomaly type might have a certain criticality level which might influence the likelihood of the intrusion filter 100 to discard the message and categorize it as a false positive message.
• Intrusion confidence level: some AI networks give a confidence level together with the detection result. Such a confidence level indicates whether the first-level detection of the anomaly detection device 110 is sure about the result or not.
• Physical or spatial location which is information about the location of the STM or vehicle.
The intrusion filter 100 may in embodiments obtain the metadata from the anomaly detection device 110 e.g. together with the anomaly indication ln. The metadata may originate from one or more network sensors configured to monitor network traffic and physical parameters.
The metadata may be used as input parameters in the identification algorithm for improved identification that the anomaly indication ln is a false positive anomaly indication. When the intrusion filter 100 does not identify that the anomaly indication ln is a false positive anomaly indication the anomaly indication ln is forwarded to the collection and investigation system 400.
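The following is an added example, not code from the patent, of an intrusion filter 100 combining the two filter types described above. The rule stage applies the description's own example rule (discard any indication raised within 20 s of engine start). The statistical stage is a k-nearest-neighbours comparison of the indication's metadata (confidence, criticality, system mode, system history) against indications of the same type that were previously labelled as false or true positives. The feature encoding, k, the distance threshold, the decision to never discard high-criticality indications statistically, and all sample data are assumptions chosen for the example.

```python
"""Two-stage intrusion filter over anomaly indications (illustrative).

Added example, not code from the patent. Feature encoding, k, the distance
threshold, the high-criticality exception and the sample data are assumptions.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

ENGINE_START_GRACE_S = 20.0      # rule taken from the description
K_NEIGHBOURS = 3                 # assumption
MAX_NEIGHBOUR_DISTANCE = 0.35    # assumption: farther than this is not "alike"
CRITICALITY_RANK = {"low": 0.0, "medium": 0.5, "high": 1.0}
SYSTEM_MODE_RANK = {"normal": 0.0, "diagnostic": 0.5, "update": 1.0}


@dataclass
class AnomalyIndication:
    """Indication In carrying the metadata the description lists."""
    incident_type: str
    criticality: str            # intrusion criticality level
    confidence: float           # intrusion confidence level, 0..1
    system_mode: str            # normal / diagnostic / update
    seconds_since_start: float  # system history information
    speed_mps: float            # system history information


def features(ind: AnomalyIndication) -> Tuple[float, ...]:
    """Encode each metadata field on a 0..1 scale so no field dominates."""
    return (ind.confidence,
            CRITICALITY_RANK[ind.criticality],
            SYSTEM_MODE_RANK[ind.system_mode],
            min(ind.seconds_since_start, 600.0) / 600.0,
            min(ind.speed_mps, 60.0) / 60.0)


def distance(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class IntrusionFilter:
    """Rule stage first, then k-NN against indications labelled by investigators."""

    def __init__(self, history: List[Tuple[AnomalyIndication, bool]]) -> None:
        # history entries: (indication, was_false_positive)
        self.history = [(features(i), fp, i.incident_type) for i, fp in history]

    def rule_stage(self, ind: AnomalyIndication) -> bool:
        """True if a clearly defined rule marks the indication as a false positive."""
        return ind.seconds_since_start < ENGINE_START_GRACE_S

    def knn_stage(self, ind: AnomalyIndication) -> bool:
        """True if the k nearest same-type labelled indications are mostly false positives."""
        if ind.criticality == "high":
            return False   # assumption: never discard high criticality statistically
        same_type = [(f, fp) for f, fp, t in self.history if t == ind.incident_type]
        if len(same_type) < K_NEIGHBOURS:
            return False   # too little history: forward rather than guess
        f = features(ind)
        nearest = sorted(same_type, key=lambda h: distance(f, h[0]))[:K_NEIGHBOURS]
        if distance(f, nearest[-1][0]) > MAX_NEIGHBOUR_DISTANCE:
            return False   # nothing alike in history: forward
        fp_votes = sum(1 for _, fp in nearest if fp)
        return 2 * fp_votes > K_NEIGHBOURS

    def decide(self, ind: AnomalyIndication) -> str:
        """'discard' a false positive, else 'forward' to the collection system."""
        return "discard" if self.rule_stage(ind) or self.knn_stage(ind) else "forward"


# Constructed history labelled earlier by the collection and investigation system.
HISTORY = [
    (AnomalyIndication("wheel_gps_conflict", "medium", 0.55, "normal", 300, 8.0), True),
    (AnomalyIndication("wheel_gps_conflict", "medium", 0.60, "normal", 320, 9.0), True),
    (AnomalyIndication("wheel_gps_conflict", "medium", 0.50, "normal", 280, 7.0), True),
    (AnomalyIndication("wheel_gps_conflict", "medium", 0.58, "normal", 310, 8.5), True),
    (AnomalyIndication("illegal_message", "high", 0.95, "normal", 400, 20.0), False),
    (AnomalyIndication("illegal_message", "high", 0.90, "normal", 500, 25.0), False),
    (AnomalyIndication("rapid_speed_change", "medium", 0.80, "normal", 200, 30.0), False),
    (AnomalyIndication("rapid_speed_change", "medium", 0.82, "normal", 210, 28.0), False),
    (AnomalyIndication("rapid_speed_change", "medium", 0.78, "normal", 190, 32.0), False),
]

# Constructed incoming indications.
INCOMING = [
    AnomalyIndication("wheel_gps_conflict", "medium", 0.57, "normal", 305, 8.2),  # like known FPs
    AnomalyIndication("illegal_message", "high", 0.93, "normal", 450, 22.0),      # high criticality
    AnomalyIndication("rapid_speed_change", "medium", 0.80, "normal", 15, 30.0),  # engine-start window
    AnomalyIndication("rapid_speed_change", "medium", 0.81, "normal", 205, 29.0), # like known TPs
    AnomalyIndication("wheel_gps_conflict", "medium", 0.60, "update", 100, 0.0),  # unfamiliar context
]


def decide_all(indications: List[AnomalyIndication]) -> List[str]:
    flt = IntrusionFilter(HISTORY)
    return [flt.decide(i) for i in indications]
```

The statistical stage is deliberately biased towards forwarding: with too little history, with no sufficiently similar labelled indication, or for high-criticality indications it leaves the indication alone, since a discarded true positive costs more than a forwarded false one. The last incoming indication shows this: it is of a type with a long false-positive history, but it arrives in update mode, which nothing in the history resembles, so it is forwarded.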
The collection and investigation system 400 may be implemented as a cloud based solution which implies that indications from a plurality of different STMs or vehicles are collected in a central network database remotely located from the STMs or vehicles.
The collection and investigation system 400 serves as a collection and investigation platform and may comprise a cloud based incident collection device 410 in connection with an incident investigation device 420. The incident collection device 410 is configured to obtain the anomaly indication ln from the intrusion filter 100 but may in embodiments collect incoming anomaly indications from a plurality of intrusion filters associated with different STMs 800. The incident collection device 410 checks if the received anomaly indication ln from the intrusion filter 100 is a false positive anomaly indication. If that is the case the anomaly indication ln is discarded. Else the anomaly indication ln is forwarded to the incident investigation device 420 for further investigation. It is also noted that the incident collection device 410 may be part of a feedback mechanism according to embodiments of the invention. In this respect, the incident collection device 410 may transmit the first and/or the second feedback messages to the intrusion filter 100 and/or the anomaly detection device 110 via the transceiver 404.
Upon reception of the anomaly indication ln the incident investigation device 420 will investigate whether the anomaly indication ln received from the incident collection device 410 is a false positive or a true positive anomaly indication. The incident investigation device 420 may be considered as a set of tools or functions for analysing whether the anomaly indication ln is true or false. Tools may e.g. be data viewers, which present network data in an informative way so that it is clear what has happened, for example by converting error numbers to human readable strings. The tools could, if possible, also highlight the actual data that triggered the incident detection. The next level of incident investigation tools may be tools that can automatically evaluate the network data and conclude the state of the system when an incident occurred, or evaluate the communication state between two ECUs. Finally, such an incident investigation tool could draw references to similar incidents or even propose a possible root cause of the anomaly, which the security investigator would have to verify.
Therefore, in this respect automated machine procedures may be used in combination with manual investigations performed by investigation personnel or teams. The outcome of the investigations, and hence the output of the incident investigation device 420, is a determination of whether the anomaly indication ln is a false positive or a true positive anomaly indication, i.e. true or false.
In embodiments of the invention a feedback mechanism is provided as illustrated with the two feedback lines from the incident investigation device 420 in Fig. 6. The first feedback line 510 is configured for providing feedback from the collection and investigation system 400 to the intrusion filter 100 whilst the second feedback line 520 is configured for providing feedback from the collection and investigation system 400 to the anomaly detection device 110 of the detection subsystem 300. The feedback lines 510, 520 may be wired and/or wireless communication links depending on the communication system architecture.
The first feedback message Fn indicates that the anomaly indication ln is a false positive anomaly indication. Based on the first feedback message Fn the intrusion filter 100 updates the identification algorithm to identify that the anomaly indication ln is a false positive anomaly indication.
In embodiments of the invention, the first feedback message Fn may comprise a part of or a complete identification algorithm which implies that the intrusion filter 100 updates or replaces the identification algorithm based on the first feedback message Fn depending on its content. Therefore, the current version of the identification algorithm may always be updated for improved performance.
Correspondingly, the second feedback message Fn' indicates that the network sensor output does not comprise an incident. Based on the second feedback message Fn' the anomaly detection device 110 updates the incident detection algorithm to identify that the network sensor output does not comprise the incident.
In embodiments of the invention, also the second feedback message Fn' may comprise a part of or a complete incident detection algorithm. Therefore, the anomaly detection device 110 updates or replaces the incident detection algorithm based on the second feedback message Fn'. Hence, also the current version of the incident detection algorithm is always updated for improved performance.
Therefore, the first Fn and second Fn' feedback messages may in embodiments comprise updates to the algorithms used by the intrusion filter 100 and the anomaly detection device 110, respectively. The update may be in the form of a new version of the software, possibly including a configuration, or in the form of a delta update of the software and/or configuration. The delta update may be a file specifying the difference(s) to the existing software and/or configuration used by the intrusion filter 100 and the anomaly detection device 110, respectively. Applying the delta update to the existing software and configuration is an efficient update procedure if only a limited update is needed. However, if the intrusion filter 100 and the anomaly detection device 110 need to be completely updated, a full update procedure is the better choice. The software and/or configuration may be updated immediately, e.g. as soon as the vehicle receives an update indication. An alternative update procedure is that an update is received by the vehicle and applied when the vehicle is parked and/or upon reception of a user input indicating acceptance of the update.
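The following is an added example, not code from the patent, of how the vehicle-side component might apply the feedback messages described above. It covers the three payload forms the description allows: a bare false-positive label, a delta to the existing configuration, and a complete replacement. The same routine serves both the first feedback message Fn (applied to the intrusion filter's configuration) and the second feedback message Fn' (applied to the anomaly detection device's configuration). A feedback path that can replace the detection algorithm is in effect a remote update channel, so this example authenticates each message with an HMAC over its canonical JSON and requires the update to name the version it applies to; the key, the message layout, the configuration fields and the version rule are assumptions, not something the description specifies.

```python
"""Applying feedback messages Fn / Fn' as label, delta or full updates.

Added example, not code from the patent. The shared key, the message layout,
the configuration fields and the version rule are assumptions.
"""
import copy
import hashlib
import hmac
import json

# Assumption: a key shared between the collection and investigation system and
# the vehicle-side component (in practice provisioned per vehicle, not a constant).
FEEDBACK_KEY = b"example-key-not-for-production"


def canonical(obj) -> bytes:
    """Deterministic JSON so sender and receiver MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict) -> dict:
    """Build a feedback message: body plus HMAC-SHA256 tag over the body."""
    tag = hmac.new(FEEDBACK_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify(msg: dict) -> bool:
    expected = hmac.new(FEEDBACK_KEY, canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


def apply_feedback(config: dict, msg: dict) -> dict:
    """Apply one Fn / Fn' message and return the new configuration.

    Raises ValueError on a bad MAC or a version mismatch, so a tampered or
    replayed message leaves the currently running algorithm untouched.
    """
    if not verify(msg):
        raise ValueError("feedback message failed authentication")
    body = msg["body"]
    if body["base_version"] != config["version"]:
        raise ValueError("feedback does not apply to the current version")
    new = copy.deepcopy(config)
    kind = body["update"]
    if kind == "label":
        # Bare Fn: remember this indication as a confirmed false positive.
        new["false_positive_history"].append(body["indication"])
    elif kind == "delta":
        # Part of an algorithm: change only the named configuration fields.
        for key, value in body["set"].items():
            new["rules"][key] = value
        for key in body.get("remove", []):
            new["rules"].pop(key, None)
    elif kind == "full":
        # Complete algorithm/configuration replaces the current one.
        new["rules"] = body["rules"]
        new["false_positive_history"] = body.get("false_positive_history", [])
    else:
        raise ValueError(f"unknown update kind {kind!r}")
    new["version"] = config["version"] + 1
    return new


# Constructed starting configuration of an intrusion filter.
FILTER_CONFIG = {
    "version": 3,
    "rules": {"engine_start_grace_s": 20.0,
              "discard_in_update_mode": ["wheel_gps_conflict"]},
    "false_positive_history": [],
}


def demo() -> dict:
    """Walk one configuration through a label, a delta and a full update."""
    cfg = FILTER_CONFIG
    fn_label = sign({"kind": "Fn", "update": "label", "base_version": 3,
                     "indication": {"incident_type": "wheel_gps_conflict",
                                    "confidence": 0.57, "speed_mps": 8.2}})
    cfg = apply_feedback(cfg, fn_label)
    fn_delta = sign({"kind": "Fn", "update": "delta", "base_version": 4,
                     "set": {"engine_start_grace_s": 30.0},
                     "remove": ["discard_in_update_mode"]})
    cfg = apply_feedback(cfg, fn_delta)
    fn_full = sign({"kind": "Fn", "update": "full", "base_version": 5,
                    "rules": {"engine_start_grace_s": 25.0}})
    return apply_feedback(cfg, fn_full)


def tampered_is_rejected() -> bool:
    """A message whose body was altered after signing must not be applied."""
    msg = sign({"kind": "Fn", "update": "delta", "base_version": 3,
                "set": {"engine_start_grace_s": 30.0}})
    msg["body"]["set"]["engine_start_grace_s"] = 9999.0
    try:
        apply_feedback(FILTER_CONFIG, msg)
    except ValueError:
        return True
    return False
```

The version check is what makes a delta safe: a difference file only means something relative to the configuration it was computed against, so a delta that names the wrong base version is refused rather than applied to whatever happens to be running. The full update likewise names its base version, which prevents an old but validly signed replacement from being replayed over a newer one.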
Moreover, a network packet sent through the device interface 830 of the STM 800 may be blocked until a part or the entire detection subsystem 300 has been executed. If only a part of the detection subsystem 300 needs to be executed until a network packet is released, the detection subsystem 300 may take a copy of relevant data about the network packet for later evaluation.
In embodiments of the invention the present system 500 may be able to perform a blocking and a non-blocking procedure. If the system 500 needs to be able to discard a network packet because the network packet is not allowed and it is assured that the network packet is part of a network attack, then a blocking procedure may be supported. If, however, the system 500 runs a non-blocking procedure, a network packet is forwarded before it is validated by the anomaly detection device 110; in that case, whatever the anomaly detection device 110 concludes about the network packet (e.g. normal or anomalous), it cannot block the packet, as the packet has already been forwarded. An advantage of the non-blocking procedure is that the additional network packet transfer delay caused by the IDPS/IPS is minimal, as the network packet is forwarded before it is evaluated.
The steps in a blocking procedure may comprise:
1. The device interface 830 of the STM receives a network packet, e.g., intended for an application or a remote connection point;
2. Network sensors extract all data, such as the previously described metadata, needed for detection, categorization and evaluation by the anomaly detection device 110, intrusion filter 100 and collection and investigation system 400. The data is extracted from the network packet and other data sources of the system 500 such as GPS data, configuration data, etc.;
3. The anomaly detection device 110 analyzes the extracted data from the network sensors and determines if an anomaly indication should be sent to the intrusion filter 100 or not;
4. The intrusion filter 100 evaluates an anomaly indication from the anomaly detection device 110 and, if the intrusion filter 100 categorizes the anomaly indication as a true positive, forwards the anomaly indication to the collection and investigation system 400; and
5. The device interface 830 forwards a network packet if it has been assured that the network packet is not part of a network attack.
The steps in a non-blocking procedure may comprise:
1. The device interface 830 of the STM receives a network packet;
2. Network sensors take a copy of relevant data;
3. The device interface 830 forwards the network packet to intended recipient such as an application or a remote connection point;
4. Network sensors extract all data, such as the previously described metadata, needed for detection, categorization and evaluation by the anomaly detection device 110, intrusion filter 100 and collection and investigation system 400. The data is extracted from the network packet and other data sources of the system 500 such as GPS data, configuration data, etc.;
5. The anomaly detection device 110 analyzes the extracted data from the network sensors and determines if an anomaly indication should be sent to the intrusion filter 100 or not;
6. The intrusion filter 100 evaluates an anomaly indication from the anomaly detection device 110, and if intrusion filter 100 categorizes the anomaly indication as a true positive it is forwarded to the collection and investigation system 400.
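The following is an added example, not code from the patent, that walks a constructed packet stream through both procedures listed above and records, for each packet, whether it was forwarded and whether that happened before or after the detection verdict. The detector and filter are one-line stand-ins (a set of allowed message IDs and the description's 20 s engine-start rule) so that the ordering of the steps, not the detection logic, is what the example shows. In the blocking procedure it treats an indication that the intrusion filter discards as a false positive as clearance to release the held packet; the description leaves open how step 5 uses the filter's verdict, so that is an assumption.

```python
"""Blocking versus non-blocking handling at the device interface (illustrative).

Added example, not code from the patent. The allowed message IDs, the stand-in
detector and filter, and the rule that a filtered-out (false positive)
indication releases a held packet are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

ALLOWED_IDS = {0x100, 0x1A0}      # assumption: the network specification
ENGINE_START_GRACE_S = 20.0       # rule taken from the description


@dataclass
class Packet:
    message_id: int
    payload: bytes
    seconds_since_start: float


@dataclass
class Outcome:
    forwarded: bool                    # did the packet reach its recipient?
    forwarded_before_verdict: bool     # was it released before detection ran?
    indication_sent_to_filter: bool    # did the detector raise an indication?
    indication_forwarded_to_cloud: bool  # did it survive the intrusion filter?


def extract(pkt: Packet) -> Dict:
    """Network sensors copy what later stages need; the packet itself may move on."""
    return {"message_id": pkt.message_id, "length": len(pkt.payload),
            "seconds_since_start": pkt.seconds_since_start}


def detect(copied: Dict) -> bool:
    """Stand-in anomaly detection device: an unknown message ID is an incident."""
    return copied["message_id"] not in ALLOWED_IDS


def survives_filter(copied: Dict) -> bool:
    """Stand-in intrusion filter: indications in the engine-start window are false positives."""
    return copied["seconds_since_start"] >= ENGINE_START_GRACE_S


def blocking(pkt: Packet) -> Outcome:
    copied = extract(pkt)                                   # step 2
    incident = detect(copied)                               # step 3
    to_cloud = incident and survives_filter(copied)         # step 4
    # step 5: release only when the packet is not judged part of an attack
    # (assumption: a filtered-out false positive counts as clearance).
    return Outcome(forwarded=not to_cloud, forwarded_before_verdict=False,
                   indication_sent_to_filter=incident,
                   indication_forwarded_to_cloud=to_cloud)


def non_blocking(pkt: Packet) -> Outcome:
    copied = extract(pkt)                                   # step 2: copy first
    forwarded = True                                        # step 3: forward at once
    incident = detect(copied)                               # steps 4-5
    to_cloud = incident and survives_filter(copied)         # step 6
    # The verdict can only raise an alert; the packet is already gone.
    return Outcome(forwarded, True, incident, to_cloud)


def run(packets: List[Packet], mode: str) -> List[Outcome]:
    handler = blocking if mode == "blocking" else non_blocking
    return [handler(p) for p in packets]


# Constructed traffic: two legal frames, one unknown ID inside the engine-start
# window, one unknown ID during normal driving.
PACKETS = [
    Packet(0x100, b"\x01\x02", 5.0),
    Packet(0x7FF, b"\xff", 12.0),
    Packet(0x1A0, b"\x00\x10", 40.0),
    Packet(0x7FF, b"\xff\xff", 41.0),
]


def summary(mode: str) -> Dict[str, int]:
    """Count, per procedure, what happened to the constructed traffic."""
    outs = run(PACKETS, mode)
    return {
        "forwarded": sum(o.forwarded for o in outs),
        "forwarded_before_verdict": sum(o.forwarded_before_verdict for o in outs),
        "indications_to_filter": sum(o.indication_sent_to_filter for o in outs),
        "indications_to_cloud": sum(o.indication_forwarded_to_cloud for o in outs),
    }


if __name__ == "__main__":
    for mode in ("blocking", "non_blocking"):
        print(mode, summary(mode))
```

Both procedures raise the same indications and send the same one to the collection and investigation system; the difference is confined to what happens to the packet. In the blocking procedure the packet flagged during normal driving never reaches its recipient, and the one flagged during the engine-start window is held until the filter has discarded the indication. In the non-blocking procedure every packet is released before the detector runs, which is where its low added latency comes from, and also why the filter's false-positive verdict there protects only the investigators' time, not the recipient.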
Fig. 7 shows an intrusion detection system 500 according to further embodiments of the invention. In contrast to the embodiment shown in Fig. 6, the intrusion filter 100 is comprised in or is a part of the collection and investigation system 400 instead of the detection subsystem 300 as in Fig. 6. Thereby, a single intrusion filter 100 may be shared by multiple detection subsystems and hence multiple STMs or vehicles. It is also noted that the first feedback line 510 in this architecture may also be cloud based, since the intrusion filter 100 itself is cloud based. Another aspect of such an implementation is that the first and second feedback messages may be targeted or addressed to more than one STM or vehicle. Furthermore, if the intrusion filter 100 is located in a remote collection and investigation system 400, the intrusion filter 100 can be executed on a powerful server and not in a locally embedded device. This means that the algorithm(s) used by the intrusion filter 100 can be more complex and require more computational load, hence have a larger code or data size and be heavier to execute. It may further be noted that in such embodiments the intrusion filter 100 may share one or more processors of the collection and investigation system 400.
Fig. 8 illustrates vehicles connected to a collection and investigation system in a cloud based implementation of the collection and investigation system 400. Furthermore, Fig. 9 illustrates a vehicle 900, in this case a car, comprising one or more STMs and a detection subsystem 300, where the latter is in communication with the collection and investigation system 400 in the cloud.
Therefore, a vehicle 900 is also herein disclosed comprising an intrusion filter 100 and/or a detection subsystem 300 according to embodiments of the invention. The vehicle 900 may be any vehicle comprising one or more STMs connected to one or more data networks, possibly via one or more intermediate wired and wireless communication systems such as 3GPP LTE, NR, etc. The vehicle 900 may be a car, a bus or a truck and comprise any type of engine such as a combustion engine, an electric engine, a hybrid engine, etc.
Furthermore, any method according to embodiments of the invention may be implemented in a computer program, having code means, which when run by processing means causes the processing means to execute the steps of the method. The computer program is included in a computer readable medium of a computer program product. The computer readable medium may comprise essentially any memory, such as a ROM (Read-Only Memory), a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), a Flash memory, an EEPROM (Electrically Erasable PROM), or a hard disk drive.
Finally, it should be understood that the invention is not limited to the embodiments described above, but also relates to and incorporates all embodiments within the scope of the appended independent claims.

Claims

1. An intrusion filter (100) for an intrusion detection system (500), the intrusion filter (100) being configured to obtain an anomaly indication (ln) from an anomaly detection device (110), wherein the anomaly indication (ln) indicates an incident detected by the anomaly detection device (110); and discard the anomaly indication (ln) upon identifying that the anomaly indication (ln) is a false positive anomaly indication, else provide the anomaly indication (ln) to a collection and investigation system (400).
2. The intrusion filter (100) according to claim 1 , configured to identify that the anomaly indication (ln) is a false positive anomaly indication using an identification algorithm.
3. The intrusion filter (100) according to claim 2, configured to obtain metadata associated with the anomaly indication (ln); and identify that the anomaly indication (ln) is a false positive anomaly indication using the identification algorithm and the metadata.
4. The intrusion filter (100) according to claim 2 or 3, configured to obtain a first feedback message (Fn) from the collection and investigation device (400), wherein the first feedback message (Fn) indicates that the anomaly indication (ln) is a false positive anomaly indication; and update the identification algorithm to identify that the anomaly indication (ln) is a false positive anomaly indication.
5. The intrusion filter (100) according to claim 4, wherein the first feedback message (Fn) comprises a part of or a complete identification algorithm; and configured to update or replace the identification algorithm based on the first feedback message (Fn).
6. The intrusion filter (100) according to any one of the preceding claims, wherein the intrusion filter (100) is an artificial intelligence intrusion filter and/or a rule-based intrusion filter.
7. A detection subsystem (300) for an intrusion detection system (500), wherein the detection subsystem (300) comprises an intrusion filter (100) according to any one of claims 1 to 6, and an anomaly detection device (110) configured to: obtain network sensor output from one or more network sensors (120a, 120b,... , 120n); and provide an anomaly indication (ln) indicating an incident to the intrusion filter (100) upon identifying that the network sensor output comprises an incident.
8. The detection subsystem (300) according to claim 7, wherein the anomaly detection device (110) is configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
9. The detection subsystem (300) according to claim 8, wherein the anomaly detection device (110) is further configured to obtain a second feedback message (Fn') from a collection and investigation system (400), wherein the second feedback message (Fn') indicates that the network sensor output does not comprise an incident; and update the incident detection algorithm to identify that the network sensor output does not comprise the incident.
10. The detection subsystem (300) according to claim 9, wherein the second feedback message (Fn') comprises a part of or a complete incident detection algorithm; and configured to update or replace the incident detection algorithm based on the second feedback message (Fn').
11. The detection subsystem (300) according to any one of claims 7 to 10, wherein the anomaly detection device (110) is an artificial intelligence detection device and/or a rule-based detection device.
12. A collection and investigation system (400) for an intrusion detection system (500), the collection and investigation system (400) being configured to obtain an anomaly indication (ln) from an intrusion filter (100); and upon determining that the anomaly indication (ln) is a false positive anomaly indication being configured to at least one of: provide a first feedback message (Fn) to the intrusion filter (100), wherein the first feedback message (Fn) indicates that the anomaly indication (ln) is a false positive anomaly indication, and provide a second feedback message (Fn') to an anomaly detection device (110) associated with the intrusion filter (100), wherein the second feedback message (Fn') indicates that network sensor output associated with the anomaly indication (ln) does not comprise an incident.
13. The collection and investigation system (400) according to claim 12, wherein the first feedback message (Fn) comprises a part of or a complete identification algorithm; and the second feedback message (Fn') comprises a part of or a complete incident detection algorithm.
14. The collection and investigation system (400) according to claim 12 or 13, wherein the collection and investigation system (400) comprises the intrusion filter (100).
15. A method (600) for an intrusion filter (100), the method (600) comprising obtaining (602) an anomaly indication (ln) from an anomaly detection device (110), wherein the anomaly indication (ln) indicates an incident detected by the anomaly detection device (110); and discarding (604) the anomaly indication (ln) upon identifying that the anomaly indication (ln) is a false positive anomaly indication, else providing (606) the anomaly indication (ln) to a collection and investigation system (400).
16. A method (700) for a collection and investigation system (400), the method (700) comprising obtaining (702) an anomaly indication (ln) from an intrusion filter (100); and upon determining that the anomaly indication (ln) is a false positive anomaly indication further comprising at least one of: providing (704) a first feedback message (Fn) to the intrusion filter (100), wherein the first feedback message (Fn) indicates that the anomaly indication (ln) is a false positive anomaly indication, and providing (706) a second feedback message (Fn') to an anomaly detection device (110) associated with the intrusion filter (100), wherein the second feedback message (Fn') indicates that network sensor output associated with the anomaly indication (ln) does not comprise an incident.
17. A computer program with a program code for performing a method according to claim 15 or 16 when the computer program runs on a computer.
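The detection device, intrusion filter and collection and investigation system of claims 15 and 16, with both feedback messages Fn and Fn', as an added Python example that is not part of the patent or of any implementation by the applicant. The rule-based device, the (rule, source) key the filter uses as its identification algorithm, the analyst verdict list and the sample sensor outputs are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AnomalyIndication:          # "ln" in the claims
    rule: str                     # detection rule that fired (constructed field)
    source: str                   # host the sensor output came from (constructed field)
    sensor_output: str            # the network sensor output itself

class AnomalyDetectionDevice:     # rule-based device of claim 11 (constructed)
    def __init__(self, rules):
        self.rules = set(rules)   # incident detection algorithm: substring rules
        self.exceptions = set()   # (source, output) pairs learned from Fn'
    def detect(self, source, output):
        if (source, output) in self.exceptions:
            return []
        return [AnomalyIndication(r, source, output) for r in sorted(self.rules) if r in output]
    def apply_feedback(self, fn_prime):      # Fn': this output holds no incident
        self.exceptions.add((fn_prime["source"], fn_prime["sensor_output"]))

class IntrusionFilter:            # method 600
    def __init__(self, cis):
        self.cis = cis
        self.false_positive_keys = set()     # identification algorithm state
    def obtain(self, ln):                    # step 602
        if (ln.rule, ln.source) in self.false_positive_keys:
            return False                     # step 604: discard
        self.cis.obtain(ln, self)            # step 606: forward
        return True
    def apply_feedback(self, fn):            # Fn: mark (rule, source) as known noise
        self.false_positive_keys.add((fn["rule"], fn["source"]))

class CollectionAndInvestigationSystem:      # method 700
    def __init__(self, device, benign):
        self.device, self.benign, self.incidents = device, set(benign), []
    def obtain(self, ln, intrusion_filter):  # step 702
        if (ln.source, ln.sensor_output) in self.benign:   # analyst verdict: false positive
            intrusion_filter.apply_feedback({"rule": ln.rule, "source": ln.source})             # 704
            self.device.apply_feedback({"source": ln.source, "sensor_output": ln.sensor_output})  # 706
        else:
            self.incidents.append(ln)        # a real incident is retained for investigation

def simulate(outputs, rules, benign):
    """Run sensor outputs through device -> filter -> CIS and return counters."""
    device = AnomalyDetectionDevice(rules)
    cis = CollectionAndInvestigationSystem(device, benign)
    filt = IntrusionFilter(cis)
    forwarded = discarded = 0
    for source, output in outputs:
        for ln in device.detect(source, output):
            if filt.obtain(ln): forwarded += 1
            else: discarded += 1
    return {"forwarded": forwarded, "discarded": discarded,
            "incidents": len(cis.incidents), "exceptions": len(device.exceptions)}

# Constructed sample: a backup host's scheduled scan is benign; the same scan from a laptop is not.
SAMPLE_OUTPUTS = [("backup-01", "scan ports 1-1024"), ("backup-01", "scan ports 1-1024"),
                  ("backup-01", "scan ports 1-65535"), ("laptop-7", "scan ports 1-65535")]
SAMPLE_RULES = ["scan ports", "login failed"]
SAMPLE_BENIGN = [("backup-01", "scan ports 1-1024")]
```

The second backup-01 output is suppressed at the device by Fn', the third is still detected but discarded by the filter via Fn, and only the laptop's scan reaches the investigation system as an incident.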

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/087720 WO2022135706A1 (en) 2020-12-22 2020-12-22 Intrusion filter for an intrusion detection system

Publications (1)

Publication Number Publication Date
EP4237975A1 true EP4237975A1 (en) 2023-09-06

Family

ID=74125226

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20835841.6A Pending EP4237975A1 (en) 2020-12-22 2020-12-22 Intrusion filter for an intrusion detection system

Country Status (3)

Country Link
EP (1) EP4237975A1 (en)
CN (1) CN116671066A (en)
WO (1) WO2022135706A1 (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9672355B2 (en) * 2011-09-16 2017-06-06 Veracode, Inc. Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
US20150047032A1 (en) * 2013-08-07 2015-02-12 Front Porch Communications, Inc. System and method for computer security
US10621613B2 (en) * 2015-05-05 2020-04-14 The Nielsen Company (Us), Llc Systems and methods for monitoring malicious software engaging in online advertising fraud or other form of deceit
US10798114B2 (en) * 2015-06-29 2020-10-06 Argus Cyber Security Ltd. System and method for consistency based anomaly detection in an in-vehicle communication network
US20170214701A1 (en) * 2016-01-24 2017-07-27 Syed Kamran Hasan Computer security based on artificial intelligence

Also Published As

Publication number Publication date
CN116671066A (en) 2023-08-29
WO2022135706A1 (en) 2022-06-30

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20230602

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)