WO2015057979A1 - System and method for detecting malicious activity and harmful hardware/software modifications to a vehicle - Google Patents

Publication number
WO2015057979A1
Authority
WO
WIPO (PCT)
Prior art keywords
vehicle
system
artificial intelligence
intelligence engine
emergency state
Application number
PCT/US2014/060926
Other languages
French (fr)
Inventor
Tommy XAYPANYA
Richard E. MALINOWSKI
Original Assignee
REMTCS Inc.
Priority to US61/891,587
Application filed by REMTCS Inc.
Publication of WO2015057979A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/10 Integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/12 Fraud detection or prevention
    • H04W12/1208 Anti-malware arrangements, e.g. protecting against SMS fraud or mobile malware
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30 Services specially adapted for particular environments, situations or purposes
    • H04W4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/44 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]

Abstract

An Artificial Intelligence (AI) interface and engine is described that enables the monitoring and analysis of vehicle information to determine if the vehicle has had at least one of hardware and software maliciously changed, added, or removed. The AI interface may determine the presence of the maliciously changed, added, or removed hardware and/or software such as by receiving an emergency condition from at least one sensor that is in disagreement with another sensor.

Description

SYSTEM AND METHOD FOR DETECTING MALICIOUS ACTIVITY AND HARMFUL HARDWARE/SOFTWARE MODIFICATIONS TO A VEHICLE

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] The present application is a Continuation-in-Part and claims the benefit of U.S. Non-Provisional Patent Applications Nos. 14/163,186; 14/216,665; 14/216,345; 14/216,634; and 14/199,917 filed January 24, 2014; March 17, 2014; March 17, 2014; March 17, 2014; and March 6, 2014, respectively, certain of the foregoing in turn claim priority to U.S. Provisional Patent Application Nos. 61/756,573; 61/794,430; 61/794,472; 61/794,505; 61/794,547; 61/891,598; 61/897,745; and 61/891,595 filed on January 25, 2013; March 15, 2013; March 15, 2013; March 15, 2013; March 15, 2013; October 16, 2013; October 30, 2013; and October 16, 2013, respectively. Each of the foregoing provisional and non-provisional applications is hereby incorporated herein by reference in its entirety.

FIELD OF THE DISCLOSURE

[0002] The present disclosure is generally directed toward vehicles and more particularly to the electronics therein.

BACKGROUND

[0003] Vehicles have benefited from the advancement in electronics and computing technology. Vehicles now comprise an extensive array of electronics to support and enable navigation, entertainment, comfort, efficiency, reliability, and security.

[0004] The complexity of vehicle electronics often requires updates to the vehicle's hardware and/or software. Unfortunately, the ability to provide such updates also provides an avenue for malware. The malware may be a deliberate act to tamper with the vehicle or extract information from the vehicle. However, malware may have only beneficial intentions but have undesirable consequences. For example, replacing a hardware/software component in an automobile to allow for greater acceleration, as compared to the factory-intended performance, may inadvertently cause the vehicle's transmission to operate outside of the parameters for which it was engineered. Such an event may only occur with a certain other set of operating parameters, which may be rarely encountered.

[0005] Thorough debugging and testing processes are often employed to account for most or even all known conditions that may cause a vehicle to be vulnerable to malware. However, as every owner of a computer knows, malware always seems to find a way and frequent security updates, such as anti-virus data files, are required as one way to protect such systems from malware.

[0006] While externally induced malware may be the most common means for malware to become installed in a vehicle, it is not inconceivable that hardware or software installed during manufacturing or assembly of the vehicle may be compromised by malware, either deliberately malicious or that, under some previously unknown circumstances, cause the vehicle to operate in a manner that is undesired.

SUMMARY

[0007] The systems of a vehicle, if compromised, may pose a more serious threat to persons and property, as compared to a personal computer. For example, disengaging an automobile's safety systems (e.g., antilock brakes, airbags, traction control, etc.) has a clear potential to cause harm. However, seemingly innocuous systems, since they are in a vehicle, may distract an operator or cause an operator to take an action that is inappropriate. For example, malware that causes an automobile's entertainment system to play at full volume may cause the operator to direct their attention away from driving in an attempt to address the problem.

[0008] It is with respect to the above issues and other problems that the embodiments presented herein were contemplated.

[0009] The present disclosure provides the ability to proactively monitor a vehicle (e.g., car, truck, van, SUV, motorcycle, bicycle, boat, aircraft, etc.), a user's interaction with a vehicle, a vehicle's interaction with other vehicles and/or other systems, and/or actions of a vehicle to determine if the vehicle has had harmful, undesirable, and/or unauthorized hardware and/or software modifications ("malware"). Malware may include a computer virus, and/or unauthorized hardware modification made thereto that could be harmful to the vehicle, provide unauthorized access to the vehicle or systems thereof, and/or perform undesired operations (e.g., report faults when none exist, fail to report faults, indicate an emergency condition when none exists, alter settings and/or preferences, track the vehicle without authorization, etc.).

[0010] Many of the embodiments disclosed herein are directed specifically to an automobile for the sake of simplicity only. Such embodiments are for convenience to avoid unnecessarily complicating the disclosure and are in no way intended to be limiting to any particular vehicle or type of vehicle. Furthermore, embodiments disclosed may apply to autonomous vehicles or vehicles capable of operating, at least partially, in an autonomous mode. Embodiments that utilize an interaction or the presence of a human operator may apply to autonomous vehicles whereby the operator is a computer system, a remote human operator, and/or a human operator interacting with the vehicle at a later time.

[0011] In one embodiment, a machine learning system is disclosed to detect the presence of malware. Systems are provided to allow an untrusted hardware and/or software component to operate in a "sandbox" such that any behavior that is determined to be undesired may be mitigated or even prevented.

[0012] In one embodiment, a vehicle monitoring and analysis system is disclosed, comprising: a computing device configured to receive an emergency state from one emergency reporting sensor and to receive one or more data inputs from a plurality of sensors from a vehicle under analysis; an artificial intelligence engine configured to analyze the emergency state with the one or more data inputs to confirm that an emergency state exists; the computing device being configured to, upon the artificial intelligence engine determining that an emergency state is not in error, processing the emergency state; and the computing device being configured to, upon the artificial intelligence engine determining that an emergency state is in error, processing a false emergency state.

[0013] In another embodiment, a vehicle monitoring and analysis system is disclosed comprising: a computing device configured to receive one or more data inputs from a vehicle under analysis; an artificial intelligence engine configured to receive and analyze the one or more data inputs to determine if the vehicle has had at least one of an unauthorized hardware and software modification; and a reporting system configured to alert a user if the artificial intelligence engine determines that the vehicle has had at least one of an unauthorized hardware and software modification.

[0014] In yet another embodiment, a vehicle monitoring and analysis system is disclosed, comprising: a computing device configured to receive data inputs from a plurality of vehicles under analysis; an artificial intelligence engine configured to receive and analyze the data inputs to determine if at least one of the plurality of vehicles indicates the presence of malware; and a reporting system configured to issue an alert upon the artificial intelligence engine determining that the vehicle does indicate the presence of malware.

[0015] In particular, embodiments of the present disclosure provide the ability to determine whether a vehicle has had malware, the phrases "at least one", "one or more", and "and/or" are open-ended expressions that are both conjunctive and disjunctive in operation. For example, each of the expressions "at least one of A, B and C", "at least one of A, B, or C", "one or more of A, B, and C", "one or more of A, B, or C" and "A, B, and/or C" means A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.

[0016] The term "a" or "an" entity refers to one or more of that entity. As such, the terms "a" (or "an"), "one or more" and "at least one" can be used interchangeably herein. It is also to be noted that the terms "comprising," "including," and "having" can be used interchangeably.

[0017] The term "automatic" and variations thereof, as used herein, refers to any process or operation done without material human input when the process or operation is performed. However, a process or operation can be automatic, even though performance of the process or operation uses material or immaterial human input, if the input is received before performance of the process or operation. Human input is deemed to be material if such input influences how the process or operation will be performed. Human input that consents to the performance of the process or operation is not deemed to be "material."

[0018] The term "computer-readable medium" as used herein refers to any tangible storage that participates in providing instructions to a processor for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, NVRAM, or magnetic or optical disks. Volatile media includes dynamic memory, such as main memory. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, magneto-optical medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, a solid state medium like a memory card, any other memory chip or cartridge, or any other medium from which a computer can read. When the computer-readable media is configured as a database, it is to be understood that the database may be any type of database, such as relational, hierarchical, object-oriented, and/or the like. Accordingly, the disclosure is considered to include a tangible storage medium and prior art-recognized equivalents and successor media, in which the software implementations of the present disclosure are stored.

[0019] The terms "determine," "calculate," and "compute," and variations thereof, as used herein, are used interchangeably and include any type of methodology, process, mathematical operation or technique.

[0020] The term "module" as used herein refers to any known or later developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and software that is capable of performing the functionality associated with that element.

[0021] It shall be understood that the term "means" as used herein shall be given its broadest possible interpretation in accordance with 35 U.S.C., Section 112, Paragraph 6. Accordingly, a claim incorporating the term "means" shall cover all structures, materials, or acts set forth herein, and all of the equivalents thereof. Further, the structures, materials or acts and the equivalents thereof shall include all those described in the summary of the invention, brief description of the drawings, detailed description, abstract, and claims themselves.

[0022] Also, while the disclosure is described in terms of exemplary embodiments, it should be appreciated that individual aspects of the disclosure can be separately claimed. The present disclosure will be further understood from the drawings and the following detailed description. Although this description sets forth specific details, it is understood that certain embodiments of the disclosure may be practiced without these specific details. It is also understood that in some instances, well-known circuits, components and techniques have not been shown in detail in order to avoid obscuring the understanding of the invention.

[0023] The preceding is a simplified summary of the disclosure to provide an understanding of some aspects of the disclosure. This summary is neither an extensive nor exhaustive overview of the disclosure and its various aspects, embodiments, and/or configurations. It is intended neither to identify key or critical elements of the disclosure nor to delineate the scope of the disclosure but to present selected concepts of the disclosure in a simplified form as an introduction to the more detailed description presented below. As will be appreciated, other aspects, embodiments, and/or configurations of the disclosure are possible utilizing, alone or in combination, one or more of the features set forth above or described in detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

[0024] The present disclosure is described in conjunction with the appended figures:

[0025] Fig. 1 depicts an illustrative vehicle monitoring system in accordance with embodiments of the present disclosure;

[0026] Fig. 2 depicts an illustrative vehicle fleet monitoring system in accordance with embodiments of the present disclosure;

[0027] Fig. 3 depicts a first process in accordance with embodiments of the present disclosure;

[0028] Fig. 4 depicts a second process in accordance with embodiments of the present disclosure; and

[0029] Fig. 5 depicts a third process in accordance with embodiments of the present disclosure.

DETAILED DESCRIPTION

[0030] The ensuing description provides embodiments only, and is not intended to limit the scope, applicability, or configuration of the claims. Rather, the ensuing description will provide those skilled in the art with an enabling description for implementing the embodiments. It being understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the appended claims.

[0031] The identification in the description of element numbers without a subelement identifier, when subelement identifiers exist in the figures, when used in the plural, is intended to reference any two or more elements with a like element number. A similar usage in the singular is intended to reference any one of the elements with the like element number. Any explicit usage to the contrary or further qualification shall take precedence.

[0032] The exemplary systems and methods of this disclosure will also be described in relation to analysis software, modules, and associated analysis hardware. However, to avoid unnecessarily obscuring the present disclosure, the following description omits well-known structures, components and devices that may be shown in block diagram form, and are well known, or are otherwise summarized.

[0033] For purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the present disclosure. It should be appreciated, however, that the present disclosure may be practiced in a variety of ways beyond the specific details set forth herein.

[0034] Fig. 1 shows an illustrative vehicle monitoring system in accordance with at least some embodiments of the present disclosure. In one embodiment, vehicle 100 includes a number of sensors 102, processor 104, memory 106, display 108, and communication module 110. An intra-vehicle communication system (not shown) allows data to be exchanged between two or more components within vehicle 100. In one embodiment, the intra-vehicle communication system is, or is compliant with, a controller area network data bus ("CAN BUS").

[0035] Sensors 102 are provided. Sensors 102 may comprise sensors utilized by the vehicle itself to monitor operational parameters (e.g., oxygen sensor, throttle position, tire pressure, etc.) and/or sensors having a primary purpose of monitoring at least one aspect of the vehicle that may be affected by malware. Two or more of sensors 102 may be redundant. For example, one sensor 102 may be a factory-installed throttle position detector that is utilized to control operational conditions of the engine and transmission and a second sensor 102 may be a duplicate throttle position sensor operational to output data solely to a malware detection process (discussed more completely below with respect to processor 104). One of sensors 102 may operate as if it were two or more sensors. For example, a throttle position sensor may output a processed value (e.g., idle, one-quarter, 38%, full, etc.). The raw data, such as a voltage or register value, may be available such that the one physical sensor 102 may provide two or more sets of data. As a benefit, malware that attempts to modify the processed output (e.g., throttle position=idle when it is actually full) of the one physical sensor 102 may not have the ability to affect the unprocessed signal, such as an observed or input value to the sensor 102 (e.g., "line_03 = -1.7 v"). Therefore, a malware detection process may compare the processed output value of one of sensors 102 to an accessed unprocessed observed value and determine if a discrepancy exists, without requiring two sensors, and respond accordingly.
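The comparison described in paragraph [0035] can be sketched as follows. This is an added example, not code from the application: the linear voltage calibration, the tolerance, the three-sample debounce, and all names and sample readings are assumptions made for illustration.

```python
"""Added example: cross-check a throttle sensor's processed output against its raw signal."""
from dataclasses import dataclass

# Assumed calibration (not from the application): 0.5 V = 0 %, 4.5 V = 100 %, linear.
V_MIN, V_MAX = 0.5, 4.5
V_MARGIN = 0.2           # assumed electrical slack before a reading counts as a wiring fault
TOLERANCE_PCT = 5.0      # assumed allowance for noise and quantisation
CONSECUTIVE_NEEDED = 3   # assumed debounce: mismatches in a row before flagging


@dataclass
class Sample:
    t_ms: int
    raw_volts: float      # unprocessed signal read at the sensor line
    reported_pct: float   # processed value published to the rest of the vehicle


def raw_to_pct(volts):
    """Convert the raw voltage to throttle percent, or None if electrically implausible."""
    if not (V_MIN - V_MARGIN <= volts <= V_MAX + V_MARGIN):
        return None
    clamped = min(max(volts, V_MIN), V_MAX)
    return (clamped - V_MIN) / (V_MAX - V_MIN) * 100.0


def check_stream(samples):
    """Return (t_ms, verdict) findings for one physical sensor's two data sets.

    A single disagreeing sample is treated as noise; a sustained disagreement
    between the raw and processed values is reported once, when it is confirmed.
    """
    findings = []
    streak = 0
    for s in samples:
        expected = raw_to_pct(s.raw_volts)
        if expected is None:
            # The raw line itself is out of range: report a fault, not a mismatch.
            findings.append((s.t_ms, "raw_out_of_range"))
            streak = 0
            continue
        if abs(expected - s.reported_pct) > TOLERANCE_PCT:
            streak += 1
            if streak == CONSECUTIVE_NEEDED:
                findings.append((s.t_ms, "processed_raw_mismatch"))
        else:
            streak = 0
    return findings


# Constructed sample readings (not captured from a vehicle).
SAMPLES = [
    Sample(0, 0.5, 0.0),     # idle, values agree
    Sample(10, 2.5, 50.0),   # half throttle, values agree
    Sample(20, 2.5, 80.0),   # one-off glitch, ignored by the debounce
    Sample(30, 4.5, 98.0),   # full throttle, within tolerance
    Sample(40, 4.4, 0.0),    # processed value says idle while raw says full
    Sample(50, 4.5, 0.0),
    Sample(60, 4.5, 0.0),    # third consecutive mismatch: flagged here
    Sample(70, 4.5, 0.0),    # still mismatched, not reported again
    Sample(80, 5.4, 0.0),    # raw voltage outside the electrical range
]

if __name__ == "__main__":
    for t_ms, verdict in check_stream(SAMPLES):
        print(t_ms, verdict)
```

Separating the out-of-range verdict from the mismatch verdict keeps an ordinary wiring fault from being reported as a suspected modification.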

[0036] Processor 104 executes instructions to detect malware. Processor 104 is variously embodied and may comprise one or more dedicated processors, shared processors, and/or distributed processors. Processor 104 is in communication with one or more of sensors 102, memory 106, display 108, and communication module 110. As is known in the art of processors, processor 104 may be embodied as two or more microprocessors, single or multi-core microprocessors, instructions distributed to a plurality of microprocessors, and/or integrated into or co-integrated with one or more of the aforementioned components. Other processor 104 configurations may be implemented without departing from the disclosure provided herein.

[0037] Memory 106 comprises electronic storage accessible/usable by processor 104 and/or other components. Memory 106, similar to certain embodiments of processor 104, may be embodied as a stand-alone device and/or integrated and/or co-integrated into one or more other components. Memory 106 may comprise one or more of volatile, nonvolatile, magnetic, optical, solid state, fixed, removable, and/or other electronic storage medium.

[0038] Display 108 provides information related to the state of vehicle 100, such as the presence of malware and/or steps to take to mitigate and/or remove the effects of any detected malware. Display 108 may be optical (e.g., CCD, LCD, etc.) intended to be read by a human observer. Display 108 may also accept inputs (e.g., touch screen, pushbuttons, pointing device interface, etc.) to enable a human to interact with instructions executed by processor 104. Display 108 may be a simple indicator (e.g., "Service soon" indicator) or even omitted, such as by utilizing communication module 110 and a display associated with a linked device or system.

[0039] Communication module 110 provides wired and/or wireless connectivity to one or more other devices and systems. In one embodiment, mobile communications device 120 connects to communication module 110. Mobile communications device 120 may be a wired or wireless diagnostic device or other specialty computer, general purpose computer (e.g., laptop, terminal, tablet, etc.), and/or communication device (e.g., smart phone). In another embodiment, cloud system 112 via communication module 114 connects to communication module 110. Cloud system 112 comprises communication module 114, processor 116, and storage 118. Cloud system 112 may process data from sensors 102 or otherwise duplicate, supplement, and/or replace certain tasks of processor 104. In a further embodiment, communication module 110 may be in communication with cloud system 112 via mobile communications device 120 (e.g., Bluetooth to WiFi, WiFi to cellular, etc.).

[0040] Cloud computing generally refers to computing services (e.g., processing and/or storage) available to a client device via a connection to a network. Most commonly the "cloud" is the Internet whereby a client device is authorized to access a website or other interface of a service provider to access computing services. In addition to the Internet, private networks may also be utilized (e.g., intranet, VPN, etc.). Often the maintenance and security is provided as a service of the cloud such that the user of the client device need not be concerned with security, updates, hardware failure, up-time, and other administrative issues.

[0041] Cloud system 112 is variously embodied and generally comprises a cloud computing platform. Cloud system 112 may comprise one or more of public networks (e.g., Internet), private networks (e.g., telephone, cellular, WiFi, satellite, etc.), wired, wireless, and/or portions thereof to communicate externally, such as to and from communication module 110 of vehicle 100, as well as between components within cloud system 112. Furthermore, cloud system 112 may comprise one or more networks of the foregoing or other configuration. Storage 118 and/or processor 116 may generally be transparent to users of the embodiments described herein, such as by the implementation of distributed computing and storage capacity provided by network attached devices.

[0042] The components of Fig. 1 provide various configurations to implement malware detection and attenuation strategies. In one embodiment, vehicle 100 may, without benefit of other systems, detect, diagnose, notify and/or attenuate malware. In another embodiment, vehicle 100 may utilize mobile communications device 120 for any one or more of the detecting, diagnosing, notifying, and/or attenuating malware. In another embodiment, vehicle 100 may utilize cloud system 112 for one or more of detecting, diagnosing, notifying, and/or attenuating malware. In yet another embodiment, at least a portion of vehicle 100 internal components (e.g., processor 104), mobile communications device 120, and cloud system 112 are utilized for at least one of the detecting, diagnosing, notifying, and/or attenuating malware.

[0043] One or more of processor 104, processor 116, and/or a processor in mobile communications device 120 (not shown) provide the logic to process malware detection and/or attenuation instructions. Processing may be shared, duplicated, or verified by any one of processor 104, processor 116, and/or mobile communications device 120 processor for the benefit of validating, confirming, or diagnosing any other one of processor 104, processor 116, and/or mobile communications device 120 processor. As those skilled in the art will appreciate, additional processors may be implemented without departing from the embodiments provided herein.

[0044] Fig. 2 shows an illustrative vehicle fleet monitoring system in accordance with at least some embodiments of the present disclosure. Vehicles 202 comprise fleet 200. Each of vehicles 202 comprises sensors, processors, communication module 110 and other malware detection and/or attenuation systems as described with respect to Fig. 1. However, to avoid unnecessarily complicating the figures, vehicle 202A is shown with only communication module 110 illustrated and vehicles 202B-202n are not shown with components thereof.

[0045] In one embodiment, fleet 200 comprises n-number of vehicles 202. Vehicles 202 each communicate with cloud system 112. The frequency by which one or more of vehicles 202 may communicate with cloud system 112 will vary from continuous, or nearly so, to infrequently, even never. Vehicles 202 that never connect to cloud system 112 may require other means to detect and attenuate malware, such as those described with respect to Fig. 1, and be effectively excluded from fleet 200. Vehicles excluded from fleet 200 may rejoin fleet 200 upon connecting to cloud system 112.

[0046] Cloud system 112 may utilize communication module 114 to collect raw data, processed data, settings, configurations, results of prior malware attenuations, user data, and/or other information associated with ones of vehicles 202. Collected data may then be stored in storage 118 and processed by processor 116. As a benefit, processor 116 has a larger pool of data to determine what behavior is and is not a concern. For example, vehicle 202A may be operated entirely within a tropical climate. Malware that disengages the vehicle's traction control may never be detected by the systems of vehicle 202A. However, vehicle 202B may be operated in a climate subject to ice and snow and have an opportunity to quickly detect any issue associated with traction control and, accordingly, the presence of malware.

[0047] In another embodiment, data from fleet 200 provides a larger pool of trusted data. For example, a subset of vehicles 202 have had a modification. The effect on the modified vehicles 202 versus the unmodified vehicles 202 may indicate that the modification is benign and otherwise trust the modification. Any vehicle 202 subsequently having the same modification may be subject to less scrutiny or be immediately trusted.

[0048] In another embodiment, updates to anti-malware systems (e.g., virus signature files, known compromised components, etc.) may be provided to vehicles 202 via communication modules 114, 110. Should any one or more vehicles 202 be unable to communicate with communication module 114, such as due to inaccessibility of a communication signal (e.g., out of cellular telephone or sideband radio range) or due to damage, vehicle 202 may still be able to respond to malware without access to cloud system 112.

[0049] Fig. 3 shows process 300 in accordance with at least some embodiments of the present disclosure. A number of sensors 102 are provided to monitor a vehicle 100. Vehicle 100 may be monitored perpetually, periodically, and/or on-demand. A processor, such as one or more of mobile communications device 120 and/or processors 104, 116, may then receive the data events from the number of sensors 102 directly and/or via memory 106, storage 118, and/or other storage medium. The processor executes instructions of an artificial intelligence engine 302 to analyze the data events received from sensors 102. Artificial intelligence engine 302, as a separate process or as integrated into artificial intelligence engine 302, performs event processing 304.

[0050] In one embodiment, event processing 304 reports 306 to a user a summary condition, such as when all systems are working normally, expert assistance is required, etc., or a more detailed report, such as an itemization of systems, tests, conditions, and results. Reporting 306 may be visual, such as to display 108. Reporting 306 may also be electronic to mobile communications device 120 and/or cloud system 112.

[0051] In another embodiment, event processing 304 may incorporate or call countermeasures 308 such that malware detected by artificial intelligence engine 302 may be attenuated or even removed entirely. Countermeasures 308 may rely, in whole or in part, on stored countermeasures 310. Countermeasures 308 may be automatic and/or manual. In a further embodiment, countermeasures 308 may be passive, such as by not allowing an isolated hardware or software modification to become trusted.

[0052] Fig. 4 shows process 400 in accordance with at least some embodiments of the present disclosure. As can be appreciated, emergency reporting may have more serious consequences if affected by malware. Reporting emergencies when none exist results in the allocation of resources that may become unavailable to respond to a true emergency. Similarly, not reporting an emergency may also result in serious consequences. In addition to the reporting of an emergency when none exists, and vice versa, under- and over-reporting an emergency may similarly result in serious consequences. For example, a low-speed collision resulting in no injured parties, but reported as involving life-threatening injuries, presents risks to emergency personnel and others who may attempt to respond to a nonexistent situation. Conversely, a high-speed collision reported as inconsequential may cause delays in responding and exacerbate an already critical situation.

[0053] In one embodiment, step 402 detects an emergency. Step 404 validates the emergency via the artificial intelligence engine 302. Step 406 confirms or disproves the emergency state. If no emergency state is confirmed, processing continues to step 410 wherein a false emergency state is processed. If step 406 is true, processing continues and step 408 processes the emergency state.

[0054] Step 404 may perform a number of preprogrammed and/or learned processes in which the emergency may be validated. For example, if one sensor 102 reports an airbag deployment, validation may be performed with respect to another sensor 102, such as an inertial or GPS navigation system. Should step 404 conclude that the vehicle is being operated normally, such as with no drastic change in speed or direction that would indicate a collision, step 406 may then indicate that no emergency exists and step 410 processes the false emergency. Step 410 may utilize vehicle 100 communication module 110 to report the condition, report the condition to handheld computer 120, and/or display 108. In such a manner the malware may be addressed appropriately. In another example, step 404 may access another sensor 102 and determine that the vehicle made an unusual change in speed and/or direction, and/or a sensor 102 may indicate that the coolant pressure has suddenly dropped to zero; any one or more of these may further indicate a collision and the presence of an emergency. In such circumstances step 406 may confirm the emergency condition and step 408 processes the emergency.

[0055] Step 404 may implement learned behavior. For example, one vehicle 202 may be operated by a "lead foot" and be subject to high g-force readings for acceleration, deceleration, and/or lateral acceleration (e.g., turning). Another vehicle 202 may be driven more conservatively. As a benefit, step 404 may take such learned operating parameters into consideration when validating the emergency.
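The validation flow of steps 402 to 410, including the learned per-vehicle baseline of [0055], sketched as an added example that is not part of the patent text. The field names, the 20 km/h and z-score thresholds, and the choice of a z-score test for "learned behavior" are assumptions made for illustration; the patent does not specify them.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Snapshot:
    """Readings from other sensors 102 at the time of the report (constructed fields)."""
    peak_decel_g: float          # inertial sensor
    speed_drop_kmh: float        # GPS speed change over the last second
    coolant_pressure_kpa: float


class DriverBaseline:
    """Learned operating parameters for one vehicle, as in [0055]."""

    def __init__(self, decel_history_g):
        if len(decel_history_g) < 2:
            raise ValueError("need at least two historical readings")
        self.mu = mean(decel_history_g)
        # Floor the spread so a very smooth driver does not make every bump an outlier.
        self.sigma = max(pstdev(decel_history_g), 0.05)

    def is_abnormal(self, decel_g, z_threshold=4.0):
        return (decel_g - self.mu) / self.sigma > z_threshold


def validate_emergency(airbag_deployed, snap, baseline):
    """Steps 404/406: cross-check the reporting sensor against independent sensors."""
    if not airbag_deployed:
        return "none", []
    evidence = []
    if baseline.is_abnormal(snap.peak_decel_g):
        evidence.append("deceleration outside learned baseline")
    if snap.speed_drop_kmh >= 20.0:          # assumed threshold
        evidence.append("sudden GPS speed drop")
    if snap.coolant_pressure_kpa <= 0.0:
        evidence.append("coolant pressure dropped to zero")
    # [0054]: any one or more corroborating signals confirms the emergency.
    return ("emergency" if evidence else "false_emergency"), evidence


def process_report(airbag_deployed, snap, baseline):
    """Steps 408/410: route the validated result."""
    verdict, evidence = validate_emergency(airbag_deployed, snap, baseline)
    if verdict == "emergency":
        return {"action": "dispatch", "evidence": evidence}
    if verdict == "false_emergency":
        return {"action": "notify",
                "targets": ["display 108", "handheld computer 120",
                            "communication module 110"],
                "reason": "emergency sensor contradicted by other sensors; possible malware"}
    return {"action": "none"}


# Constructed histories of peak deceleration (g) for two drivers.
LEAD_FOOT = DriverBaseline([0.6, 0.8, 0.7, 0.9, 0.75, 0.85])
CONSERVATIVE = DriverBaseline([0.2, 0.25, 0.3, 0.22, 0.28, 0.25])

if __name__ == "__main__":
    hard_stop = Snapshot(peak_decel_g=1.0, speed_drop_kmh=5.0, coolant_pressure_kpa=100.0)
    print(process_report(True, hard_stop, CONSERVATIVE))   # corroborated for this driver
    print(process_report(True, hard_stop, LEAD_FOOT))      # within this driver's normal range
```

The same 1.0 g reading corroborates an airbag report for the conservative driver but not for the "lead foot", which is the effect [0055] describes; an uncorroborated report is routed to the notification path of step 410 rather than silently dropped.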

[0056] Fig. 5 shows process 500 in accordance with at least some embodiments of the present disclosure. Validation of an emergency state, such as by step 404, is variously embodied. In one embodiment, step 502 determines if the occupant state is needed. For example, one emergency state may indicate a tire failure, however, other sensors 102 may indicate the vehicle gradually decelerated to a stop and after a few minutes the engine was turned off by the operator. Under such circumstances, it may be determined that the occupant's state may be assumed to be a non-emergency, wherein process 500 may terminate. However, if step 502 determines the occupant's condition is needed, processing may continue to step 504, wherein voice cues are presented to the occupant.

[0057] The presenting of voice cues in step 504 may be via a live operator and/or a signal generated by processor 104, such as a sound file and/or text-to-speech program utilizing text data retrieved from memory 106 and/or storage 118. Step 506 determines if a response is received from at least one occupant. If no, processing continues to step 508 wherein visual cues are presented. Visual cues may be to flash the interior lights, console lights, and/or present a prompt on a display, such as display 108. Step 510 may determine if an answer is received via a manual input, such as by touching at least a portion of touch screen 108 or hitting a button associated with the prompt (e.g., "Hit any button you can reach twice if you can see this."). For example, a passenger in the rear seat may be able to hit "window down" twice in response to such a prompt.

[0058] In a further embodiment, artificial intelligence engine 404 may utilize learned behavior, such as, by learning that the person who uses this vehicle may speak German and possibly not English— respond in German first, try English if no satisfactory response.

[0059] In the foregoing description, for the purposes of illustration, methods were described in a particular order. It should be appreciated that in alternate embodiments, the methods may be performed in a different order than that described. It should also be appreciated that the methods described above may be performed by hardware components or may be embodied in sequences of machine-executable instructions, which may be used to cause a machine, such as a general-purpose or special-purpose processor (GPU or CPU) or logic circuits programmed with the instructions to perform the methods (FPGA). These machine-executable instructions may be stored on one or more machine readable mediums, such as CD-ROMs or other type of optical disks, floppy diskettes, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, flash memory, or other types of machine-readable mediums suitable for storing electronic instructions. Alternatively, the methods may be performed by a combination of hardware and software.

[0060] Specific details were given in the description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits may be shown in block diagrams in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.

[0061] Also, it is noted that the embodiments were described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed, but could have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

[0062] Furthermore, embodiments may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine readable medium such as storage medium. A processor(s) may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

[0063] While illustrative embodiments of the disclosure have been described in detail herein, it is to be understood that the inventive concepts may be otherwise variously embodied and employed, and that the appended claims are intended to be construed to include such variations, except as limited by the prior art.

Claims

What Is Claimed Is:
1. A vehicle monitoring and analysis system, comprising:
a computing device configured to receive an emergency state from one emergency reporting sensor and to receive one or more data inputs from a plurality of sensors from a vehicle under analysis;
an artificial intelligence engine configured to analyze the emergency state with the one or more data inputs to confirm that an emergency state exists;
the computing device being configured to, upon the artificial intelligence engine determining that an emergency state is not in error, processing the emergency state; and the computing device being configured to, upon the artificial intelligence engine determining that an emergency state is in error, processing a false emergency state.
2. The system of claim 1, wherein the artificial intelligence engine determines the emergency state is associated with occupant injuries and confirmation of the emergency state comprises, causing the vehicle to present a voice prompt to be played to the occupant and processing the response.
3. The system of claim 2, wherein the artificial intelligence engine confirms the emergency state upon receiving, while waiting for a response to the voice prompt, a timeout indicator associated with a previously determined wait time duration.
4. The system of claim 3, wherein the artificial intelligence engine receives the timeout indicator and causes the vehicle to present a prompt to solicit a response from a vehicle occupant via at least one physical input device of the vehicle.
5. The system of claim 3, wherein the artificial intelligence engine receives the timeout indicator and presents a visual prompt on a display of the vehicle.
6. The system of claim 1, wherein at least a portion of at least one of the computer device and the artificial intelligence engine is located externally to the vehicle and in communication with the vehicle via a communications link.
7. The system of claim 1, wherein the artificial intelligence engine receives the input from the emergency reporting sensor and determines at least one value of at least one of the plurality of sensors that would at least one of confirm the emergency state and confirm a false emergency state;
accessing the input from the at least one of the plurality of sensors;
upon at least one value of the at least one of the plurality of sensors confirming the emergency state, processing the emergency state; and upon at least one value of the at least one of the plurality of sensors confirming the false emergency state, processing the false emergency state.
8. The system of claim 1, wherein processing the false emergency condition comprises presenting a notification to at least one of a viewer of a display within the vehicle, an operator of a handheld computer in communication with the vehicle, and a centralized reporting system in communication with the vehicle, that the vehicle has had a false emergency condition.
9. The system of claim 8, at least one of the viewer of a display within the vehicle, the operator of the handheld computer in communication with the vehicle, and the centralized reporting system in communication with the vehicle, is notified that the vehicle indicates malware.
10. The system of claim 1, wherein the emergency reporting sensor is one of the plurality of sensors.
11. A vehicle monitoring and analysis system, comprising:
a computing device configured to receive one or more data inputs from a vehicle under analysis;
an artificial intelligence engine configured to receive and analyze the one or more data inputs to determine if the vehicle has had at least one of an unauthorized hardware and software modification; and
a reporting system configured to alert a user if the artificial intelligence engine determines that the vehicle has had at least one of an unauthorized hardware and software modification.
12. The system of claim 11, the computing device comprises a mobile communications device.
13. The system of claim 12, wherein the mobile communications device comprises a smartphone that includes the artificial intelligence engine.
14. The system of claim 12, wherein the artificial intelligence engine is provided on a device other than the mobile communications device.
15. The system of claim 11, wherein the one or more data inputs includes at least one input from a CAN BUS system.
16. The system of claim 15, wherein the CAN BUS system comprises a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other within the vehicle without a host computer.
17. The system of claim 15, wherein the one or more data inputs include at least one of vehicle brake information, vehicle information, vehicle traction information, vehicle diagnostics information, fluid level information, and tire pressure information.
18. A vehicle monitoring and analysis system, comprising:
a computing device configured to receive data inputs from a plurality of vehicles under analysis;
an artificial intelligence engine configured to receive and analyze the data inputs to determine if at least one of the plurality of vehicles indicates the presence of malware; and a reporting system configured to issue an alert upon the artificial intelligence engine determining that the vehicle does indicate the presence of malware.
19. The system of claim 18, wherein the artificial intelligence engine analyzes the data inputs by comparing a first set of data inputs to a trusted collection of data inputs; and
upon determining the first set of data inputs associated with one of the plurality of vehicles is outside of threshold deviation from the trusted collection of data inputs, indicate the presence of malware for the one of the plurality of vehicles.
20. The system of claim 18, wherein the computing device is configured to receive the data inputs via a communication module associated with ones of the plurality of vehicles and a communication module associated with the computing device.
PCT/US2014/060926 2013-10-16 2014-10-16 System and method for detecting malicious activity and harmful hardware/software modifications to a vehicle WO2015057979A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US201361891587P true 2013-10-16 2013-10-16
US61/891,587 2013-10-16

Publications (1)

Publication Number Publication Date
WO2015057979A1 true WO2015057979A1 (en) 2015-04-23

Family

ID=52828702

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/060926 WO2015057979A1 (en) 2013-10-16 2014-10-16 System and method for detecting malicious activity and harmful hardware/software modifications to a vehicle

Country Status (1)

Country Link
WO (1) WO2015057979A1 (en)



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14854167

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14854167

Country of ref document: EP

Kind code of ref document: A1