WO2022135706A1 - Intrusion filter for an intrusion detection system - Google Patents
- Publication number
- WO2022135706A1 (PCT/EP2020/087720)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- anomaly
- intrusion
- indication
- anomaly indication
- detection
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- Embodiments of the invention relate to an intrusion filter for an intrusion detection system, and to a detection subsystem and a collection and investigation system comprising such an intrusion filter. Furthermore, embodiments of the invention also relate to corresponding methods and a computer program.
- Intrusion Prevention Systems (IPS) and Intrusion Detection and Prevention Systems (IDPS) are network security systems for detecting cyber-attacks on vehicles connected to the internet.
- IPS and IDPS are commonly run on embedded devices in the vehicle. Examples of vehicles are cars, buses and trucks.
- AI based detection flags an anomaly when network traffic does not look normal, i.e. differs from what the algorithm has previously learnt.
- One of the drawbacks of AI based anomaly detection is the trade-off between false positives and false negatives, which is an optimization parameter when tuning the AI based anomaly detection algorithm.
- A false positive is a false alarm, meaning that normal network traffic is categorized by the AI algorithm as an anomaly.
- A false negative represents a situation where a network attack is overlooked by the AI algorithm and categorized as normal network traffic although it is not.
- The optimization goal of IPS and IDPS is on one hand to reduce the number of false positives to avoid false alarms, and on the other hand to optimize the detection rate or sensitivity, which represents the percentage of network attacks the system correctly detects.
- According to a first aspect of the invention, the above mentioned and other objectives are achieved with an intrusion filter for an intrusion detection system, the intrusion filter being configured to obtain an anomaly indication from an anomaly detection device, wherein the anomaly indication indicates an incident detected by the anomaly detection device; and discard the anomaly indication upon identifying that the anomaly indication is a false positive anomaly indication, else provide the anomaly indication to a collection and investigation system.
- An advantage of the intrusion filter according to the first aspect is that the number of false positive anomaly indications may be reduced in the system.
- Another advantage of the intrusion filter according to the first aspect is that the computational load on the system may also be reduced compared to conventional systems.
- In an implementation form of an intrusion filter according to the first aspect, the intrusion filter is configured to identify that the anomaly indication is a false positive anomaly indication using an identification algorithm.
- In an implementation form, the intrusion filter is configured to obtain metadata associated with the anomaly indication; and identify that the anomaly indication is a false positive anomaly indication using the identification algorithm and the metadata.
- An advantage with this implementation form is that the identification that the anomaly indication is a false positive anomaly indication may be improved with the additional use of the metadata.
- In an implementation form, the intrusion filter is configured to obtain a first feedback message from the collection and investigation system, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication; and update the identification algorithm to identify that the anomaly indication is a false positive anomaly indication.
- An advantage with this implementation form is that a feedback mechanism is provided. The identification algorithm may continuously be improved based on the received feedback, thereby reducing the number of non-identified false positive anomaly indications in the system.
- In an implementation form, the first feedback message comprises a part of or a complete identification algorithm, and the intrusion filter is configured to update or replace the identification algorithm based on the first feedback message.
- An advantage with this implementation form is that the part of or the complete identification algorithm is provided by the collection and investigation system. This means that, depending on the intrusion filter algorithm or implementation type, the best suited algorithm updates can always be provided.
- In an implementation form, the intrusion filter is an artificial intelligence intrusion filter and/or a rule-based intrusion filter.
- An advantage with this implementation form is that a given implementation can include the best suited artificial intelligence and/or rule-based algorithm for a specific application.
- According to a second aspect of the invention, the above mentioned and other objectives are achieved with a detection subsystem for an intrusion detection system, wherein the detection subsystem comprises an intrusion filter according to the first aspect, and an anomaly detection device configured to: obtain network sensor output from one or more network sensors; and provide an anomaly indication indicating an incident to the intrusion filter upon identifying that the network sensor output comprises an incident.
- An advantage of the detection subsystem according to the second aspect is that the number of false positive anomaly indications may be reduced in the system.
- Another advantage of the detection subsystem according to the second aspect is that the computational load on the system may also be reduced compared to conventional systems.
- In an implementation form of a detection subsystem according to the second aspect, the anomaly detection device is configured to identify that the network sensor output comprises an incident using an incident detection algorithm. Any suitable incident detection algorithm may be employed.
- In an implementation form, the anomaly detection device is further configured to obtain a second feedback message from a collection and investigation system, wherein the second feedback message indicates that the network sensor output does not comprise an incident; and update the incident detection algorithm to identify that the network sensor output does not comprise the incident. The second feedback message may also indicate corrections or feedback in respect of already detected incidents.
- An advantage with this implementation form is that a feedback mechanism is provided. The incident detection algorithm may continuously be improved based on the received feedback, thereby reducing the number of false positive anomaly indications it produces.
- In an implementation form, the second feedback message comprises a part of or a complete incident detection algorithm, and the anomaly detection device is configured to update or replace the incident detection algorithm based on the second feedback message.
- An advantage with this implementation form is that the part of or the complete incident detection algorithm is provided by the collection and investigation system. This means that, depending on the detection subsystem algorithm or implementation type, the best suited algorithm updates can always be provided.
- In an implementation form, the anomaly detection device is an artificial intelligence detection device and/or a rule-based detection device.
- An advantage with this implementation form is that a given implementation can include the best suited artificial intelligence and/or rule-based detection algorithm for a specific application.
- According to a third aspect of the invention, the above mentioned and other objectives are achieved with a collection and investigation system for an intrusion detection system, the collection and investigation system being configured to obtain an anomaly indication from an intrusion filter; and upon determining that the anomaly indication is a false positive anomaly indication, to at least one of: provide a first feedback message to the intrusion filter, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication; and provide a second feedback message to an anomaly detection device associated with the intrusion filter, wherein the second feedback message indicates that the network sensor output associated with the anomaly indication does not comprise an incident.
- An advantage of the collection and investigation system according to the third aspect is that, by providing a feedback mechanism comprising the first feedback message and/or the second feedback message, the performance of the algorithms employed by the intrusion filter and the anomaly detection device can be improved.
- In an implementation form of a collection and investigation system according to the third aspect, the first feedback message comprises a part of or a complete identification algorithm, and the second feedback message comprises a part of or a complete incident detection algorithm.
- In an implementation form, the collection and investigation system comprises the intrusion filter.
- According to a further aspect of the invention, the above mentioned and other objectives are achieved with a method for an intrusion filter, the method comprising obtaining an anomaly indication from an anomaly detection device, wherein the anomaly indication indicates an incident detected by the anomaly detection device; and discarding the anomaly indication upon identifying that the anomaly indication is a false positive anomaly indication, else providing the anomaly indication to a collection and investigation system.
- An implementation form of the method comprises the feature(s) of the corresponding implementation form of the intrusion filter.
- According to a further aspect of the invention, the above mentioned and other objectives are achieved with a method for a collection and investigation system, the method comprising obtaining an anomaly indication from an intrusion filter; and upon determining that the anomaly indication is a false positive anomaly indication, at least one of: providing a first feedback message to the intrusion filter, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication; and providing a second feedback message to an anomaly detection device associated with the intrusion filter, wherein the second feedback message indicates that the network sensor output associated with the anomaly indication does not comprise an incident.
- An implementation form of the method comprises the feature(s) of the corresponding implementation form of the collection and investigation system.
- Embodiments of the invention also relate to a vehicle comprising an intrusion filter and/or a detection subsystem according to the first and second aspect, respectively.
- The vehicle may be any vehicle having a communication connection to one or more data networks, possibly via one or more intermediate wired and wireless communication systems.
- Embodiments of the invention also relate to a computer program comprising program code which, when run by at least one processor, causes said at least one processor to execute any method according to embodiments of the invention. Further, embodiments of the invention also relate to a computer program product comprising a computer readable medium and said computer program, wherein said computer program is included in the computer readable medium, which comprises one or more from the group: ROM (Read-Only Memory), PROM (Programmable ROM), EPROM (Erasable PROM), Flash memory, EEPROM (Electrically EPROM) and hard disk drive.
- FIG. 1 shows an intrusion filter according to an embodiment of the invention.
- FIG. 2 shows a method for an intrusion filter according to an embodiment of the invention.
- FIG. 3 shows a detection subsystem according to an embodiment of the invention.
- FIG. 4 shows a collection and investigation system according to an embodiment of the invention.
- FIG. 5 shows a method for a collection and investigation system according to an embodiment of the invention.
- FIG. 6 shows an intrusion detection system according to an embodiment of the invention.
- FIG. 7 shows an intrusion detection system according to a further embodiment of the invention.
- FIG. 8 shows vehicles connected to a collection and investigation system according to a cloud based implementation of embodiments of the invention.
- FIG. 9 shows a vehicle comprising a system to be monitored and a detection subsystem, where the latter is in communication with a collection and investigation system in a cloud based implementation.
- AI based detection algorithms for IPS or IDPS have been the recent trend for detecting network intrusions in vehicles.
- However, AI based detection results in either accepting an increased number of false positives or accepting an increased level of false negatives, with the disadvantage of reduced detection reliability.
- An improved compromise can be obtained by applying more advanced algorithms or increased parameterization or more layers, which however requires more computation load.
- A system that is the subject of such monitoring is herein referred to as a System To be Monitored (STM).
- Embodiments of the invention provide a novel two-step solution mitigating or fully solving the drawbacks of conventional solutions as previously described.
- In a first step, a conventional detection system may be employed for providing anomaly indications of a STM.
- In a second step, a novel intrusion filter is introduced. The intrusion filter is configured to separate false positive anomaly indications from true positive anomaly indications.
- The present two step solution improves detection accuracy without additional load or computation power on the IPS or IDPS.
- Hence, the false positive detection rate may be reduced without compromising the true positive detection rate. This may be done without increasing the required computation load, which is crucial for IPS and IDPS running on embedded devices in vehicles.
- Since the present intrusion filter can remove false positive anomaly indications, the overall detection result has a much higher proportion of true positives.
- FIG. 1 shows an intrusion filter 100 according to an embodiment of the invention.
- The intrusion filter 100 may be a stand-alone device or part of another device of an IPS or IDPS.
- The intrusion filter 100 comprises a processor 102, a transceiver 104 and a memory 106.
- The processor 102 may be coupled to the transceiver 104 and the memory 106 by communication means 108 known in the art.
- The transceiver 104 may, as shown, have an input and an output.
- The intrusion filter 100 may be configured for wireless and/or wired communications in a communication system, such as an IP based communication system. That the intrusion filter 100 may be configured to perform certain actions can in this disclosure be understood to mean that the intrusion filter 100 comprises suitable means, such as e.g. the processor 102 and the transceiver 104, configured to perform said actions.
- The processor 102 of the intrusion filter 100 may comprise one or more general-purpose central processing units (CPUs), one or more digital signal processors (DSPs), one or more application-specific integrated circuits (ASICs), one or more field programmable gate arrays (FPGAs), one or more programmable logic devices, one or more discrete gates, one or more transistor logic devices, one or more discrete hardware components, and one or more chipsets.
- The memory 106 of the intrusion filter 100 may be a read-only memory, a random access memory, or a non-volatile random access memory (NVRAM).
- The transceiver 104 of the intrusion filter 100 may be a transceiver circuit, a power controller, an antenna, or an interface which communicates with other modules or devices.
- The transceiver 104 of the intrusion filter 100 may be a separate chipset or integrated with the processor 102 in one chipset. In some embodiments, the processor 102, the transceiver 104, and the memory 106 of the intrusion filter 100 are integrated in one chipset.
- The intrusion filter 100 is configured to obtain an anomaly indication I_n from an anomaly detection device 110.
- The anomaly indication I_n indicates an incident detected by the anomaly detection device 110.
- The intrusion filter 100 is further configured to discard the anomaly indication I_n upon identifying that the anomaly indication I_n is a false positive anomaly indication.
- Otherwise, the intrusion filter 100 is configured to provide or forward the anomaly indication I_n to a collection and investigation system 400.
- The intrusion filter 100 may be configured to identify that the anomaly indication I_n is a false positive anomaly indication using an identification algorithm, which will be explained in more detail in the following disclosure.
- FIG. 2 shows a flow chart of a corresponding method 600 which may be executed in an intrusion filter 100, such as the one shown in FIG. 1.
- The method 600 comprises obtaining 602 an anomaly indication I_n from an anomaly detection device 110.
- The anomaly indication I_n indicates an incident detected by the anomaly detection device 110.
- The method 600 further comprises discarding 604 the anomaly indication I_n upon identifying that the anomaly indication I_n is a false positive anomaly indication, or else providing 606 the anomaly indication I_n to a collection and investigation system 400.
- FIG. 3 shows a detection subsystem 300 for an intrusion detection system 500.
- The detection subsystem 300 comprises an intrusion filter 100 according to embodiments of the invention.
- The detection subsystem 300 also comprises an anomaly detection device 110 which is coupled to the intrusion filter 100.
- The anomaly detection device 110 is configured to obtain network sensor output from one or more network sensors 120a, 120b, ..., 120n.
- The anomaly detection device 110 is further configured to provide or forward an anomaly indication I_n indicating an incident to the intrusion filter 100 upon identifying that the network sensor output comprises an incident.
- The intrusion filter 100, upon reception of the anomaly indication I_n from the anomaly detection device 110, acts as described above.
- The detection subsystem 300 may be a stand-alone device or integrated with other types of devices. For example, in the latter case the detection subsystem 300 may share one or more components with a STM or a vehicle, such as processor, memory and communication means.
- The network sensors may be of different types, such as software sensors and hardware sensors.
- Software sensors may be configured to monitor network traffic and data and communication parameters such as packet headers and data, data protocol information, congestion parameters, etc.
- Hardware sensors may be configured to monitor hardware parameters of a STM and of a vehicle, such as speed, spatial position, acceleration, deceleration, etc.
- The anomaly detection device 110 may be configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
- The obtained network sensor output is used as input to the incident detection algorithm, possibly together with additional behaviour considerations, to identify that the network sensor output comprises an incident.
- The behaviour considerations may e.g. relate to information for evaluating the sensor output which is not directly included in the network data, such as operation mode, system mode, and spatial location.
- The network sensor output is analysed by the incident detection algorithm to identify a possible intrusion.
- Non-limiting examples of network sensor output are system mode, operation mode, network package, system history information, intrusion criticality level, intrusion confidence level, physical or spatial location, and analysed network data such as mean, maximum, or minimum of certain network parameters.
- FIG. 4 shows a collection and investigation system 400 according to an embodiment of the invention.
- The collection and investigation system 400 comprises a processor 402, a transceiver 404 and a memory 406.
- The processor 402 is coupled to the transceiver 404 and the memory 406 by communication means 408 known in the art.
- The transceiver 404 may, as shown, have an input and an output.
- The collection and investigation system 400 may be configured for wireless and/or wired communications in a communication system. That the collection and investigation system 400 is configured to perform certain actions can in this disclosure be understood to mean that the collection and investigation system 400 comprises suitable means, such as e.g. the processor 402 and the transceiver 404, configured to perform said actions.
- The processor 402 of the collection and investigation system 400 may comprise one or more general-purpose CPUs, one or more DSPs, one or more ASICs, one or more FPGAs, one or more programmable logic devices, one or more discrete gates, one or more transistor logic devices, one or more discrete hardware components, and one or more chipsets.
- The memory 406 of the collection and investigation system 400 may be a read-only memory, a random access memory, or an NVRAM.
- The transceiver 404 of the collection and investigation system 400 may be a transceiver circuit, a power controller, an antenna, or an interface which communicates with other modules or devices.
- The transceiver 404 of the collection and investigation system 400 may be a separate chipset or integrated with the processor 402 in one chipset. In some embodiments, the processor 402, the transceiver 404, and the memory 406 of the collection and investigation system 400 are integrated in one chipset.
- The collection and investigation system 400 is configured to obtain an anomaly indication I_n from an intrusion filter 100.
- The collection and investigation system 400 is further configured to, upon determining that the anomaly indication I_n is a false positive anomaly indication: provide a first feedback message F_n to the intrusion filter 100, wherein the first feedback message F_n indicates that the anomaly indication I_n is a false positive anomaly indication; and/or provide a second feedback message F_n' to an anomaly detection device 110 associated with the intrusion filter 100, wherein the second feedback message F_n' indicates that the network sensor output associated with the anomaly indication I_n does not comprise an incident.
- The feedback may be provided using any suitable communication means.
- FIG. 5 shows a flow chart of a corresponding method 700 which may be executed in a collection and investigation system 400, such as the one shown in FIG. 4.
- The method 700 comprises obtaining 702 an anomaly indication I_n from an intrusion filter 100.
- The method 700 further comprises, upon determining that the anomaly indication I_n is a false positive anomaly indication: providing 704 a first feedback message F_n to the intrusion filter 100, wherein the first feedback message F_n indicates that the anomaly indication I_n is a false positive anomaly indication; and/or providing 706 a second feedback message F_n' to an anomaly detection device 110 associated with the intrusion filter 100, wherein the second feedback message F_n' indicates that the network sensor output associated with the anomaly indication I_n does not comprise an incident.
- An anomaly indication herein may have different forms and formats.
- The anomaly indication may be a function call or a communication message transmitted and received within the system 500.
- The anomaly indication may also comprise data about the detected anomaly as well as further data such as associated metadata.
- FIG. 6 shows an intrusion detection system 500 according to embodiments of the invention.
- A STM 800, e.g. in a vehicle, which may be the target for validation, is illustrated.
- The STM 800 may be an Electronic Control Unit (ECU) in a vehicle having a connection to a communication network (NW).
- The STM 800 may, as disclosed, comprise applications 810, network (NW) protocols 820, device interfaces 830 and device drivers 840, as illustrated in FIG. 6.
- An application 810 may be seen as a functionality in a given ECU, such as an Electronic Stability Program (ESP) or an Anti-lock Brake System (ABS) in a vehicle.
- A network protocol 820 may define a communication procedure, such as IPv4, which an application 810 uses for communication.
- A device interface 830 may be considered as an intermediate layer acting as an interface between the software layers and the device drivers 840 of the STM.
- A device driver 840 may be considered as a software program configured to control one or more peripherals of the STM, such as a network interface, etc.
- The intrusion detection system 500 validates the STM behaviour and therefore includes a sensor module comprising one or more network sensors 120a, 120b, ..., 120n configured to be communicably coupled, wired or wirelessly, with the device interface of the STM.
- The one or more network sensors 120a, 120b, ..., 120n are in turn in communication with an anomaly detection device 110 which is configured to receive network sensor output from the one or more network sensors 120a, 120b, ..., 120n.
- The STM 800 and the detection subsystem 300 may run on the same processors and hence be integrated in the same vehicle.
- The anomaly detection device 110 is configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
- An incident detection algorithm is an algorithm that is able to detect illegal messages or traffic on a specific network. More complex threats or errors may also be detected, such as a too rapid change of physical parameters of the vehicle (e.g. speed, acceleration or deceleration), or conflicting network data. An example of such a complex threat is the wheels of a vehicle indicating movement while GPS data indicates that the vehicle is at standstill.
- The anomaly detection device 110 is configured to provide an anomaly indication I_n indicating an incident to the intrusion filter 100 upon identifying that the network sensor output comprises an incident. Otherwise, no anomaly indication I_n is provided; it is discarded by the anomaly detection device 110.
- The anomaly detection device 110 may be an AI based detection device and/or a rule-based detection device, depending on the application.
- Rule-based detection is typically derived from the network specification and is more trustworthy, but also more limited in the complexity of the error types it can cover.
- AI based detection, on the other hand, detects anomalies based on statistical training/learning, typically from network traffic logs and statistics. Due to this information source, AI based detection has more information about typical usage and can therefore find anomalies which do not violate the network specification. It is noted that implementations herein may also combine AI detection and rule-based detection.
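- The following is an added worked example of a rule-based incident detection algorithm of the kind described above; it is not code from the patent or from any product. The message IDs, nominal periods, thresholds and the sensor output sequence are all constructed for illustration. It covers the three incident types the description names: an illegal message (ID absent from the network specification), a too rapid change of a physical parameter, and conflicting data (wheels moving while GPS reports standstill), plus a flooding rule derived from the specified transmit period. Each incident becomes an anomaly indication I_n that carries the criticality, confidence and system mode metadata discussed later.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed network specification (hypothetical IDs and periods): message ID -> nominal
# transmit period in ms. Rule-based detection is derived from such a specification.
NETWORK_SPEC: Dict[int, int] = {
    0x0C0: 20,    # engine speed
    0x1A0: 10,    # wheel speed
    0x3E8: 1000,  # GPS speed
}
MIN_PERIOD_RATIO = 0.5      # an interval below half the nominal period counts as flooding
MAX_SPEED_JUMP_KMH = 30.0   # plausible change of wheel speed between two readings (assumed)
MOVING_KMH = 30.0           # wheel speed above which "GPS says standstill" is a conflict
STANDSTILL_KMH = 1.0


@dataclass
class SensorOutput:
    """One item of network sensor output: a frame seen by a software sensor, optionally
    carrying the physical values a hardware sensor decoded from it."""
    ts_ms: int
    msg_id: int
    wheel_kmh: Optional[float] = None
    gps_kmh: Optional[float] = None


@dataclass
class AnomalyIndication:
    """Indication I_n handed to the intrusion filter, with the metadata the description lists."""
    ts_ms: int
    kind: str
    criticality: int          # 1 (low) .. 3 (high); assumed scale
    confidence: float         # 0..1; assumed scale
    system_mode: str
    detail: Dict[str, float] = field(default_factory=dict)


def detect_incidents(outputs: List[SensorOutput], system_mode: str = "normal") -> List[AnomalyIndication]:
    """Rule-based incident detection algorithm over a time-ordered sequence of sensor output."""
    indications: List[AnomalyIndication] = []
    last_seen: Dict[int, int] = {}
    last_wheel: Optional[float] = None
    last_gps: Optional[float] = None

    for out in outputs:
        # Rule 1: illegal message, i.e. an ID the network specification does not allow.
        if out.msg_id not in NETWORK_SPEC:
            indications.append(AnomalyIndication(out.ts_ms, "illegal_message_id", 3, 1.0,
                                                 system_mode, {"msg_id": out.msg_id}))
            continue
        # Rule 2: a legal ID sent far faster than its nominal period (flooding).
        prev = last_seen.get(out.msg_id)
        if prev is not None and out.ts_ms - prev < MIN_PERIOD_RATIO * NETWORK_SPEC[out.msg_id]:
            indications.append(AnomalyIndication(out.ts_ms, "message_flood", 2, 0.8, system_mode,
                                                 {"msg_id": out.msg_id, "interval_ms": out.ts_ms - prev}))
        last_seen[out.msg_id] = out.ts_ms
        # Rule 3: too rapid change of a physical parameter.
        if out.wheel_kmh is not None:
            if last_wheel is not None and abs(out.wheel_kmh - last_wheel) > MAX_SPEED_JUMP_KMH:
                indications.append(AnomalyIndication(out.ts_ms, "implausible_speed_change", 2, 0.7,
                                                     system_mode, {"from_kmh": last_wheel, "to_kmh": out.wheel_kmh}))
            last_wheel = out.wheel_kmh
        if out.gps_kmh is not None:
            last_gps = out.gps_kmh
        # Rule 4: conflicting data, wheels moving while GPS reports standstill. Evaluated only
        # when this output updated a physical value, so the conflict is not repeated per frame.
        if ((out.wheel_kmh is not None or out.gps_kmh is not None)
                and last_wheel is not None and last_gps is not None
                and last_wheel > MOVING_KMH and last_gps < STANDSTILL_KMH):
            indications.append(AnomalyIndication(out.ts_ms, "conflicting_sensor_data", 2, 0.6,
                                                 system_mode, {"wheel_kmh": last_wheel, "gps_kmh": last_gps}))
    return indications


# Constructed sample sensor output (not captured from a real vehicle).
SAMPLE_OUTPUT = [
    SensorOutput(0, 0x1A0, wheel_kmh=50.0),
    SensorOutput(10, 0x0C0),
    SensorOutput(10, 0x1A0, wheel_kmh=50.0),
    SensorOutput(12, 0x1A0, wheel_kmh=50.0),     # 2 ms after the previous wheel frame: flood
    SensorOutput(20, 0x7FF),                      # ID not in the specification: illegal
    SensorOutput(30, 0x1A0, wheel_kmh=120.0),     # +70 km/h in 18 ms: implausible change
    SensorOutput(1000, 0x3E8, gps_kmh=0.0),       # GPS standstill while wheels report 120 km/h
]


def run_example() -> List[str]:
    return [ind.kind for ind in detect_incidents(SAMPLE_OUTPUT)]


if __name__ == "__main__":
    for ind in detect_incidents(SAMPLE_OUTPUT):
        print(ind)
```

Note that a rule set like this flags a flood during a legitimate software update or a speed jump during a diagnostic session just as readily as during an attack; that is exactly the class of false positives the intrusion filter downstream is meant to remove, which is why every indication carries the system mode with it.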
- The intrusion filter 100 receives the anomaly indication I_n from the anomaly detection device 110 and, depending on the outcome of an identification procedure, either discards the anomaly indication I_n or provides the anomaly indication I_n to a collection and investigation system 400 via a communication link.
- The intrusion filter 100 is configured to identify that the anomaly indication I_n obtained from the anomaly detection device 110 is a false positive anomaly indication using any suitable identification algorithm.
- An example of such an identification algorithm is the so-called Local Outlier Factor (LOF), which could be used to distinguish false positive from true positive anomaly indications. Another example is K Nearest Neighbours (KNN).
- Other identification algorithms may also be used in conjunction with the present solution.
- The intrusion filter 100 may be an artificial intelligence intrusion filter and/or a rule-based intrusion filter.
- A rule-based intrusion filter uses clearly defined rules, e.g. a rule specifying that any intrusion detected within 20 s from engine start should be discarded.
- An AI based intrusion filter is based on previous training sequences from prior false positives. Hence, the behaviour of an AI based intrusion filter is more statistical, e.g. whether an indication is alike other indications which have previously been categorized as false positives.
- The intrusion filter 100 may in embodiments of the invention obtain metadata associated with the anomaly indication I_n.
- The metadata may e.g. comprise:
- System mode, which may e.g. be diagnostic, update or normal mode. Normal mode is the everyday driving mode. Update mode is the software update mode. Diagnostic mode is for debugging or reading out logs from one or more STMs or the entire vehicle.
- Operation mode, which may e.g. be high performance mode or normal performance mode, and which might impact the system behaviour.
- Network package, which may contain the entire network package with its header and data.
- System history information, which can contain information about system speed, the last message of the same communication session or other relevant historical system information.
- Intrusion criticality level: a detected anomaly type might have a certain criticality level, which might influence the likelihood of the intrusion filter 100 discarding the message and categorizing it as a false positive message.
- Intrusion confidence level: some AI networks give a confidence level together with the detection result. Such a confidence level indicates whether the first level detection of the anomaly detection device 110 is sure about the result or not.
- the intrusion filter 100 may in embodiments obtain the metadata from the anomaly detection device 110 e.g. together with the anomaly indication l n .
- the metadata may originate from one or more network sensors configured to monitor network traffic and physical parameters.
- the metadata may be used as input parameters in the identification algorithm for improved identification that the anomaly indication l n is a false positive anomaly indication.
- the intrusion filter 100 does not identify that the anomaly indication l n is a false positive anomaly indication the anomaly indication l n is forwarded to the collection and investigation system 400.
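The following is an added worked example of the intrusion filter described above; it is not code from the patent. It combines the page's one rule-based example (discard detections within 20 s of engine start) with a Local Outlier Factor test that asks whether a new indication resembles indications previously confirmed as false positives. The feature layout (payload length, inter-arrival time), the LOF threshold, the criticality and confidence policy, and the sample set of known false positives are all assumptions made for the example.

```python
"""Intrusion filter 100 (added example): a rule-based check followed by a Local Outlier
Factor (LOF) test against anomaly indications previously confirmed as false positives.
Feature layout, thresholds and sample data are assumptions, not taken from the patent."""
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AnomalyIndication:
    """Anomaly indication I_n together with the metadata the description lists."""
    feature: Tuple[float, ...]          # assumed: (payload length in bytes, inter-arrival time in ms)
    seconds_since_engine_start: float   # from system history information
    system_mode: str                    # "normal", "update" or "diagnostic"
    confidence: float                   # detector's confidence level, 0..1
    criticality: int                    # criticality level of the detected anomaly type


# Constructed sample: features of earlier indications the investigation confirmed as false positives.
KNOWN_FALSE_POSITIVE_FEATURES: List[Tuple[float, float]] = [
    (8.0, 10.0), (8.0, 10.5), (8.0, 9.5), (8.0, 10.2), (8.0, 9.8), (8.0, 10.1),
]

STARTUP_GRACE_S = 20.0           # the page's example rule: discard detections within 20 s of engine start
LOF_THRESHOLD = 1.5              # assumed: an LOF close to 1 means "looks like the known false positives"
CRITICALITY_NEVER_DISCARD = 4    # assumed policy: high-criticality types are always forwarded
HIGH_CONFIDENCE = 0.9            # assumed policy: a detector that is sure is not overruled statistically


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _knn(point, data, k, exclude=None):
    """k nearest neighbours of point within data as (distance, index); exclude skips one index
    so that a reference point is not its own neighbour."""
    cands = sorted((_dist(point, q), i) for i, q in enumerate(data) if i != exclude)
    return cands[:k]


def _lrd(point, data, k, exclude=None):
    """Local reachability density: k divided by the summed reachability distances
    reach(p, o) = max(k-distance(o), d(p, o)) over the k neighbours o of p."""
    reach = 0.0
    for d, i in _knn(point, data, k, exclude):
        k_dist_i = _knn(data[i], data, k, exclude=i)[-1][0]
        reach += max(k_dist_i, d)
    return k / max(reach, 1e-12)   # guard against duplicates with zero distance


def local_outlier_factor(point, data, k=3):
    """LOF of a query point with respect to data (the query is not a member of data).
    Values near 1 mean the point is as dense as its neighbours; large values mean outlier."""
    neighbours = _knn(point, data, k)
    lrd_p = _lrd(point, data, k)
    return sum(_lrd(data[i], data, k, exclude=i) for _, i in neighbours) / (k * lrd_p)


def rule_based_false_positive(ind: AnomalyIndication) -> bool:
    return ind.seconds_since_engine_start < STARTUP_GRACE_S


def classify(ind: AnomalyIndication, known_false_positives=KNOWN_FALSE_POSITIVE_FEATURES, k=3):
    """Return ("discard", reason) for an identified false positive, else ("forward", reason)
    meaning the indication goes on to the collection and investigation system."""
    if rule_based_false_positive(ind):
        return "discard", "rule: detected within startup grace period"
    if ind.criticality >= CRITICALITY_NEVER_DISCARD or ind.confidence >= HIGH_CONFIDENCE:
        return "forward", "policy: criticality or detector confidence too high to discard statistically"
    if len(known_false_positives) > k:
        lof = local_outlier_factor(ind.feature, known_false_positives, k)
        if lof < LOF_THRESHOLD:
            return "discard", f"lof={lof:.2f}: resembles known false positives"
        return "forward", f"lof={lof:.2f}: outlier among known false positives"
    return "forward", "insufficient false-positive history for a statistical decision"


if __name__ == "__main__":
    for ind in (
        AnomalyIndication((8.0, 10.3), 120.0, "normal", 0.6, 2),   # looks like the known false positives
        AnomalyIndication((64.0, 0.1), 120.0, "normal", 0.6, 2),   # far from them
        AnomalyIndication((64.0, 0.1), 5.0, "normal", 0.6, 2),     # caught by the startup rule
    ):
        print(ind.feature, classify(ind))
```

The rule check runs first because it is cheap; the LOF pass only runs when enough confirmed false positives exist to define a neighbourhood. On an embedded STM the reference set would be the part of the identification algorithm that the first feedback message keeps updating.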
- the collection and investigation system 400 may be implemented as a cloud based solution, which implies that indications from a plurality of different STMs or vehicles are collected in a central network database remotely located from the STMs or vehicles.
- the collection and investigation system 400 serves as a collection and investigation platform and may comprise a cloud based incident collection device 410 in connection with an incident investigation device 420.
- the incident collection device 410 is configured to obtain the anomaly indication I_n from the intrusion filter 100 but may in embodiments collect incoming anomaly indications from a plurality of intrusion filters associated with different STMs 800.
- the incident collection device 410 checks if the received anomaly indication I_n from the intrusion filter 100 is a false positive anomaly indication. If that is the case the anomaly indication I_n is discarded. Else the anomaly indication I_n is forwarded to the incident investigation device 420 for further investigation.
- the incident collection device 410 may be part of a feedback mechanism according to embodiments of the invention. In this respect, the incident collection device 410 may transmit the first and/or the second feedback messages to the intrusion filter 100 and/or the anomaly detection device 110 via the transceiver 404.
- upon reception of the anomaly indication I_n, the incident investigation device 420 will investigate if the anomaly indication I_n received from the incident collection device 410 is a false positive or a true positive anomaly indication.
- the incident investigation device 420 may be considered as a set of tools or functions for analysing whether the anomaly indication I_n is true or false.
- Tools may e.g. be data viewers, which present network data in a certain informative way so that it is clear what has happened, for example by converting error numbers to human readable format strings.
- the tools could, if possible, also highlight the actual data that triggered the incident detection.
- The next level of incident investigation tools may be tools that can automatically evaluate the network data and conclude the state of the system when an incident occurs, or evaluate the communication state between two ECUs. Finally, such an incident investigation tool could draw references to similar incidents or even propose a possible root cause of the anomaly, which the security investigator would have to reverify.
- the outcome or output of the investigations, and hence of the incident investigation device 420, is a determination whether the anomaly indication I_n is a false positive or a true positive anomaly indication, hence true or false.
- a feedback mechanism is provided as illustrated with the two feedback lines from the incident investigation device 420 in Fig. 6.
- the first feedback line 510 is configured for providing feedback from the collection and investigation system 400 to the intrusion filter 100, whilst the second feedback line 520 is configured for providing feedback from the collection and investigation system 400 to the anomaly detection device 110 of the detection subsystem 300.
- the feedback lines 510, 520 may be wired and/or wireless communication links depending on the communication system architecture.
- the first feedback message F_n indicates that the anomaly indication I_n is a false positive anomaly indication. Based on the first feedback message F_n the intrusion filter 100 updates the identification algorithm to identify that the anomaly indication I_n is a false positive anomaly indication.
- the first feedback message F_n may comprise a part of or a complete identification algorithm, which implies that the intrusion filter 100 updates or replaces the identification algorithm based on the first feedback message F_n depending on its content. Therefore, the current version of the identification algorithm may always be updated for improved performance.
- the second feedback message F_n' indicates that the network sensor output does not comprise an incident. Based on the second feedback message F_n' the anomaly detection device 110 updates the incident detection algorithm to identify that the network sensor output does not comprise the incident.
- the second feedback message F_n' may comprise a part of or a complete incident detection algorithm. Therefore, the anomaly detection device 110 updates or replaces the incident detection algorithm based on the second feedback message F_n'. Hence, also the current version of the incident detection algorithm is always updated for improved performance.
- the first F_n and second F_n' feedback messages may in embodiments comprise updates to the algorithms used by the intrusion filter 100 and the anomaly detection device 110, respectively.
- the update may be in the form of a new version of the software, possibly including a configuration, or in the form of a delta update of the software and/or configuration.
- the delta update may be a file specifying the difference(s) to the existing software and/or configuration used by the intrusion filter 100 and the anomaly detection device 110, respectively.
- Applying the delta update to the existing software and configuration is an effective update procedure if only a limited update is needed. However, if the intrusion filter 100 and anomaly detection device 110 need to be completely updated, a full update procedure is the better choice.
- the software and/or configuration may be updated on the run, e.g. as soon as the vehicle receives an update indication.
- An alternative update procedure may be that an update is received by the vehicle and executed when the vehicle is parked and/or at the reception of a user input indicating an acceptance of the update.
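The feedback path described in the preceding paragraphs, as an added example that is not part of the patent: the collection side emits F_n and F_n' on a false-positive verdict, and the intrusion filter side records the verdict and applies either a full or a delta update to its configuration, refusing a delta built against a different installed version. The message fields, the update record format (`type`, `version`, `base_version`, `set`, `remove`) and the install policies are assumptions made for this example.

```python
"""Feedback mechanism between the collection and investigation system 400 and the
on-vehicle detection subsystem 300 (added example). Message and update formats are assumed."""
import copy
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Feedback:
    target: str                    # "intrusion_filter" for F_n, "anomaly_detection" for F_n'
    indication_id: str             # the anomaly indication I_n the verdict refers to (constructed id)
    update: Optional[dict] = None  # optional full or delta update of the algorithm/configuration


def build_feedback(indication_id: str, verdict: str,
                   filter_update: Optional[dict] = None,
                   detector_update: Optional[dict] = None) -> List[Feedback]:
    """Incident collection device 410: when the investigation device 420 concludes
    'false_positive', send F_n to the intrusion filter and F_n' to the anomaly detection device."""
    if verdict != "false_positive":
        return []
    return [Feedback("intrusion_filter", indication_id, filter_update),
            Feedback("anomaly_detection", indication_id, detector_update)]


def apply_update(installed: dict, update: dict) -> dict:
    """installed = {"version": int, "config": dict}.
    A full update replaces the whole configuration. A delta update lists the settings to set
    and to remove and is only valid against the version it was computed from; otherwise the
    receiver must fall back to a full update, as the description recommends."""
    if update["type"] == "full":
        return {"version": update["version"], "config": copy.deepcopy(update["config"])}
    if update["type"] == "delta":
        if update["base_version"] != installed["version"]:
            raise ValueError(
                f"delta built against version {update['base_version']}, installed is "
                f"{installed['version']}: request a full update instead")
        cfg = copy.deepcopy(installed["config"])
        cfg.update(update.get("set", {}))
        for key in update.get("remove", []):
            cfg.pop(key, None)
        return {"version": update["version"], "config": cfg}
    raise ValueError(f"unknown update type {update['type']!r}")


@dataclass
class IntrusionFilterState:
    algorithm: dict                                  # {"version": ..., "config": {...}}
    known_false_positives: set = field(default_factory=set)


def receive_first_feedback(state: IntrusionFilterState, fb: Feedback) -> IntrusionFilterState:
    """Intrusion filter 100 handling F_n: learn that the indication was a false positive and,
    if the message carries an update, apply it to the identification algorithm."""
    if fb.target != "intrusion_filter":
        raise ValueError("F_n must be addressed to the intrusion filter")
    state.known_false_positives.add(fb.indication_id)
    if fb.update is not None:
        state.algorithm = apply_update(state.algorithm, fb.update)
    return state


def should_install_now(vehicle_parked: bool, user_accepted: bool, policy: str) -> bool:
    """'on_the_run' installs as soon as the update indication arrives; 'parked' waits until
    the vehicle is parked or the user has accepted the update."""
    if policy == "on_the_run":
        return True
    if policy == "parked":
        return vehicle_parked or user_accepted
    raise ValueError(f"unknown install policy {policy!r}")


if __name__ == "__main__":
    state = IntrusionFilterState({"version": 3, "config": {"startup_grace_s": 20, "lof_threshold": 1.5}})
    delta = {"type": "delta", "base_version": 3, "version": 4,
             "set": {"startup_grace_s": 30}, "remove": ["lof_threshold"]}
    for fb in build_feedback("ind-0042", "false_positive", filter_update=delta):
        if fb.target == "intrusion_filter" and should_install_now(False, False, "on_the_run"):
            receive_first_feedback(state, fb)
    print(state)
```

The version check is the point a practitioner should not skip: a delta applied to the wrong base silently produces a configuration nobody tested, so the filter rejects it and lets the update client fall back to the full procedure.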
- a network packet sent through the device interface 830 of the STM 800 may be blocked until a part of or the entire detection subsystem 300 has been executed. If only a part of the detection subsystem 300 needs to be executed before a network packet is released, the detection subsystem 300 may take a copy of relevant data about the network packet for later evaluation.
- the present system 500 may be able to perform a blocking and a non-blocking procedure. If the system 500 needs to be able to discard a network packet because the network packet is not allowed and it is assured that the network packet is part of a network attack, then a blocking procedure may be supported. However, if the system 500 is running a non-blocking procedure, which means that a network packet can be forwarded before it is validated by the anomaly detection device 110, then no matter what the anomaly detection device 110 concludes about the network packet (e.g. a normal or an anomalous network packet), it cannot block the network packet as it is already forwarded.
- An advantage of a non-blocking procedure is that the additional network packet transfer delay due to IDPS/IPS is minimal, as the network packet is forwarded before it is evaluated.
- the steps in a blocking procedure may comprise:
- the device interface 830 of the STM receives a network packet, e.g., intended for an application or a remote connection point;
- Network sensors extract all data, such as the previously described metadata, needed for detection, categorization and evaluation by the anomaly detection device 110, intrusion filter 100 and collection and investigation system 400. The data is extracted from the network packet and other data sources of the system 500, such as GPS data, configuration data, etc.;
- the anomaly detection device 110 analyzes the extracted data from the network sensors and determines if an anomaly indication should be sent to the intrusion filter 100 or not;
- the intrusion filter 100 evaluates an anomaly indication from the anomaly detection device 110, and if the intrusion filter 100 categorizes the anomaly indication as a true positive it forwards the anomaly indication to the collection and investigation system 400; and
- the device interface 830 forwards a network packet if it has been assured that the network packet is not part of a network attack.
- the steps in a non-blocking procedure may comprise:
- the device interface 830 of the STM receives a network packet;
- Network sensors take a copy of relevant data;
- the device interface 830 forwards the network packet to the intended recipient, such as an application or a remote connection point;
- Network sensors extract all data, such as the previously described metadata, needed for detection, categorization and evaluation by the anomaly detection device 110, intrusion filter 100 and collection and investigation system 400. The data is extracted from the network packet and other data sources of the system 500, such as GPS data, configuration data, etc.;
- the anomaly detection device 110 analyzes the extracted data from the network sensors and determines if an anomaly indication should be sent to the intrusion filter 100 or not;
- the intrusion filter 100 evaluates an anomaly indication from the anomaly detection device 110, and if the intrusion filter 100 categorizes the anomaly indication as a true positive it is forwarded to the collection and investigation system 400.
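The two procedures above, side by side, as an added example that is not the patent's own code. Both share the same sensor extraction, detection and filtering stages; they differ only in when the device interface 830 releases the packet. The packet layout, the context fields (GPS, engine uptime, a configured maximum payload length) and the detection rule standing in for the anomaly detection device 110 are constructed for the example; the intrusion filter stage uses the page's 20 s startup rule.

```python
"""Blocking versus non-blocking handling of a network packet at the device interface 830
(added example; packet format, sensor fields and the detection rule are constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Context:
    """Other data sources the network sensors read besides the packet itself
    (the description names GPS data and configuration data)."""
    gps: tuple
    seconds_since_engine_start: float
    max_payload_len: int = 8          # configuration data, constructed


def network_sensors_extract(pkt: Packet, ctx: Context) -> Dict:
    """Network sensors: copy everything the later stages need, so that the packet
    itself can be released without waiting for them."""
    return {
        "src": pkt.src, "dst": pkt.dst, "length": len(pkt.payload),
        "gps": ctx.gps, "seconds_since_engine_start": ctx.seconds_since_engine_start,
        "max_payload_len": ctx.max_payload_len,
    }


def anomaly_detection_device(data: Dict) -> bool:
    """Stand-in for device 110 with a constructed rule: a frame longer than the
    configured maximum is reported as an incident (an anomaly indication)."""
    return data["length"] > data["max_payload_len"]


def intrusion_filter(data: Dict) -> bool:
    """Stand-in for filter 100 using the page's example rule: a detection within 20 s of
    engine start is a false positive. Returns True when the indication is kept as a true positive."""
    return data["seconds_since_engine_start"] >= 20.0


def blocking_procedure(pkt: Packet, ctx: Context, delivered: List[Packet], reported: List[Dict]) -> Dict:
    """Hold the packet until the whole detection subsystem has run; forward it only if it
    has not been assured to be part of an attack. True positives go to collection (reported)."""
    data = network_sensors_extract(pkt, ctx)
    attack = anomaly_detection_device(data) and intrusion_filter(data)
    if attack:
        reported.append(data)
        return {"forwarded": False, "reported": True}
    delivered.append(pkt)
    return {"forwarded": True, "reported": False}


def non_blocking_procedure(pkt: Packet, ctx: Context, delivered: List[Packet], reported: List[Dict]) -> Dict:
    """Take the copy, forward at once, then evaluate the copy. A later verdict can only be
    reported; it can no longer stop the packet, which is the trade-off the description states."""
    data = network_sensors_extract(pkt, ctx)          # sensors take a copy of relevant data
    delivered.append(pkt)                             # forwarded before validation
    attack = anomaly_detection_device(data) and intrusion_filter(data)
    if attack:
        reported.append(data)
    return {"forwarded": True, "reported": attack}


if __name__ == "__main__":
    ctx = Context(gps=(57.70, 11.97), seconds_since_engine_start=300.0)
    oversized = Packet("ecu-a", "ecu-b", b"\x00" * 16)
    for proc in (blocking_procedure, non_blocking_procedure):
        delivered, reported = [], []
        print(proc.__name__, proc(oversized, ctx, delivered, reported),
              "delivered:", len(delivered), "reported:", len(reported))
```

Run against the same oversized frame, the blocking variant returns `forwarded: False` and the non-blocking variant `forwarded: True`, with both reporting the incident; that single difference is the latency-versus-containment choice the description describes.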
- Fig. 7 shows an intrusion detection system 500 according to further embodiments of the invention.
- the intrusion filter 100 is comprised in or a part of the collection and investigation system 400 instead of the detection subsystem 300 as in Fig. 6.
- a single intrusion filter 100 may be shared by multiple detection subsystems and hence multiple STMs or vehicles.
- the first feedback line 510 in this architecture may also be cloud based since the intrusion filter 100 itself is cloud based.
- the first feedback message and the second feedback message may be targeted or addressed to more than one STM or vehicle.
- the intrusion filter 100 can be executed on a powerful server and not in a locally embedded device. It means that the algorithm(s) used by the intrusion filter 100 can be more complex and require more computational resources, hence have a larger code or data size and be heavier to execute. It may further be noted that in such embodiments the intrusion filter 100 may share one or more processors of the collection and investigation system 400.
- Fig. 8 illustrates vehicles connected to a collection and investigation system in a cloud based implementation of the collection and investigation system 400.
- Fig. 9 illustrates a vehicle 900, in this case a car, comprising one or more STMs and a detection subsystem 300, where the latter is in communication with the collection and investigation system 400 in the cloud.
- a vehicle 900 comprising an intrusion filter 110 and/or a detection subsystem 300 according to embodiments of the invention.
- the vehicle 900 may be any vehicle comprising one or more STMs connected to one or more data networks, possibly via one or more intermediate wired and wireless communication systems such as 3GPP LTE, NR, etc.
- the vehicle 900 may be a car, a bus or a truck and comprise any type of engines such as a combustion engine, an electrical engine, a hybrid engine, etc.
- any method according to embodiments of the invention may be implemented in a computer program, having code means, which when run by processing means causes the processing means to execute the steps of the method.
- the computer program is included in a computer readable medium of a computer program product.
- the computer readable medium may comprise essentially any memory, such as a ROM (Read-Only Memory), a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), a Flash memory, an EEPROM (Electrically Erasable PROM), or a hard disk drive.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Alarm Systems (AREA)
- Burglar Alarm Systems (AREA)
Abstract
Embodiments of the invention relate to an intrusion filter (100) for Detection Prevention Systems (DPS) and Intrusion Detection Prevention Systems (IDPS). Embodiments of the invention also relate to a detection subsystem (300) and a collection and investigation system (400) comprising such an intrusion filter. The intrusion filter filters anomaly indications such that an anomaly indication identified as a false positive anomaly indication is discarded. Otherwise, the anomaly indication will be provided to a collection and investigation system (400) for further processing. Thereby, e.g. reduced computational load on the system is achieved. Furthermore, embodiments of the invention also relate to corresponding methods and a computer program.
Description
INTRUSION FILTER FOR AN INTRUSION DETECTION SYSTEM
Technical Field
Embodiments of the invention relate to an intrusion filter for an intrusion detection system and to a detection subsystem and a collection and investigation system comprising such an intrusion filter. Furthermore, embodiments of the invention also relate to corresponding methods and a computer program.
Background
Intrusion Prevention Systems (IPS) and Intrusion Detection and Prevention Systems (IDPS) are network security systems for detecting cyber-attacks on vehicles connected to the internet. DPS and IDPS are commonly run in embedded devices in the vehicle. Examples of vehicles are cars, buses and trucks.
Traditionally, IPS and IDPS have used rule based algorithms; however, the current trend is to use Artificial Intelligence (AI) based algorithms for anomaly detection. AI based detection detects an anomaly when network traffic does not seem normal or is different from what the algorithm has previously learnt. One of the drawbacks of AI based anomaly detection is the level of false positives vs. false negatives, which is an optimization parameter when trimming the AI based anomaly detection algorithm. A false positive is a false alarm, meaning that normal network traffic is categorized by the AI algorithm as an anomaly. A false negative on the other hand represents a situation where a network attack is overlooked by the AI algorithm and categorized as normal network traffic although it is not.
Generally, the optimization goal of IPS and IDPS is on one hand to reduce the number of false positives to avoid false alarms and on the other hand to optimize the detection rate or sensitivity, which represents the percentage of network attacks the system correctly detects.
Summary
An objective of embodiments of the invention is to provide a solution which mitigates or solves the drawbacks and problems of conventional solutions.
Another objective of embodiments of the invention is to provide a solution reducing the number of false indications propagating in an intrusion prevention system.
The above and further objectives are solved by the subject matter of the independent claims. Further advantageous embodiments of the invention can be found in the dependent claims.
According to a first aspect of the invention, the above mentioned and other objectives are achieved with an intrusion filter for an intrusion detection system, the intrusion filter being configured to obtain an anomaly indication from an anomaly detection device, wherein the anomaly indication indicates an incident detected by the anomaly detection device; and discard the anomaly indication upon identifying that the anomaly indication is a false positive anomaly indication, else provide the anomaly indication to a collection and investigation system.
An advantage of the intrusion filter according to the first aspect is that the number of false positive anomaly indications may be reduced in the system. Another advantage of the intrusion filter according to the first aspect is that the computational load on the system may also be reduced compared to conventional systems.
In an implementation form of an intrusion filter according to the first aspect, the intrusion filter being configured to identify that the anomaly indication is a false positive anomaly indication using an identification algorithm.
Any suitable identification algorithm may be employed.
In an implementation form of an intrusion filter according to the first aspect, the intrusion filter being configured to obtain metadata associated with the anomaly indication; and identify that the anomaly indication is a false positive anomaly indication using the identification algorithm and the metadata.
An advantage with this implementation form is that the identification that the anomaly indication is a false positive anomaly indication may be improved with the additional use of the metadata.
In an implementation form of an intrusion filter according to the first aspect, the intrusion filter being configured to obtain a first feedback message from the collection and investigation device, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication; and update the identification algorithm to identify that the anomaly indication is a false positive anomaly indication.
An advantage with this implementation form is that a feedback mechanism is provided. By using the present feedback mechanism, the identification algorithm may continuously be improved based on the received feedback thereby reducing the number of non-identified false positive anomaly indications in the system.
In an implementation form of an intrusion filter according to the first aspect, the first feedback message comprises a part of or a complete identification algorithm; and configured to update or replace the identification algorithm based on the first feedback message.
An advantage with this implementation form is that the part of or the complete identification algorithm is provided by the collection and investigation device. This means that depending on the intrusion filter algorithm or implementation type the most optimal algorithm updates can always be provided.
In an implementation form of an intrusion filter according to the first aspect, the intrusion filter is an artificial intelligence intrusion filter and/or a rule-based intrusion filter.
An advantage with this implementation form is that a given implementation can include the best suitable artificial intelligence and/or rule-based detection algorithm for a specific application.
According to a second aspect of the invention, the above mentioned and other objectives are achieved with a detection subsystem for an intrusion detection system, wherein the detection subsystem comprises an intrusion filter according to the first aspect, and an anomaly detection device configured to: obtain network sensor output from one or more network sensors; and provide an anomaly indication indicating an incident to the intrusion filter upon identifying that the network sensor output comprises an incident.
An advantage of the detection subsystem according to the second aspect is that the number of false positive anomaly indications may be reduced in the system. Another advantage of the detection subsystem according to the second aspect is that the computational load on the system may also be reduced compared to conventional systems.
In an implementation form of a detection subsystem according to the second aspect, the anomaly detection device is configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
Any suitable incident detection algorithm may be employed.
In an implementation form of a detection subsystem according to the second aspect, the anomaly detection device is further configured to obtain a second feedback message from a collection and investigation system, wherein the second feedback message indicates that the network sensor output does not comprise an incident; and update the incident detection algorithm to identify that the network sensor output does not comprise the incident.
The second feedback message may also indicate corrections or feedback in respect of already detected incidents.
An advantage with this implementation form is that a feedback mechanism is provided. By using the present feedback mechanism, the incident detection algorithm may continuously be improved based on the received feedback thereby reducing the number of identified false positive anomaly indications.
In an implementation form of a detection subsystem according to the second aspect, the second feedback message comprises a part of or a complete incident detection algorithm; and configured to update or replace the incident detection algorithm based on the second feedback message.
An advantage with this implementation form is that the part of or the complete identification algorithm is provided by the collection and investigation device. This means that depending on the detection subsystem algorithm or implementation type the most optimal algorithm updates can always be provided.
In an implementation form of a detection subsystem according to the second aspect, the anomaly detection device is an artificial intelligence detection device and/or a rule-based detection device.
An advantage with this implementation form is that a given implementation can include the best suitable artificial intelligence and/or rule-based detection algorithm for a specific application.
According to a third aspect of the invention, the above mentioned and other objectives are achieved with a collection and investigation system for an intrusion detection system, the collection and investigation system being configured to obtain an anomaly indication from an intrusion filter; and upon determining that the anomaly indication is a false positive anomaly indication being configured to at least one of: provide a first feedback message to the intrusion filter, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication, and provide a second feedback message to an anomaly detection device associated with the intrusion filter, wherein the second feedback message indicates that network sensor output associated with the anomaly indication does not comprise an incident.
An advantage of the collection and investigation system according to the third aspect is that by providing a feedback mechanism comprising the first feedback message and/or the second feedback message the performance of the algorithms employed by the intrusion filter and the anomaly detection device can be improved.
In an implementation form of a collection and investigation system according to the third aspect, the first feedback message comprises a part of or a complete identification algorithm; and the second feedback message comprises a part of or a complete incident detection algorithm.
In an implementation form of a collection and investigation system according to the third aspect, the collection and investigation system comprises the intrusion filter.
According to a fourth aspect of the invention, the above mentioned and other objectives are achieved with a method for an intrusion filter, the method comprising obtaining an anomaly indication from an anomaly detection device, wherein the anomaly indication indicates an incident detected by the anomaly detection device; and discarding the anomaly indication upon identifying that the anomaly indication is a false positive anomaly indication, else providing the anomaly indication to a collection and investigation system.
The method according to the fourth aspect can be extended into implementation forms corresponding to the implementation forms of the intrusion filter according to the first aspect. Hence, an implementation form of the method comprises the feature(s) of the corresponding implementation form of the intrusion filter.
The advantages of the methods according to the fourth aspect are the same as those for the corresponding implementation forms of the intrusion filter according to the first aspect.
According to a fifth aspect of the invention, the above mentioned and other objectives are achieved with a method for a collection and investigation system, the method comprising obtaining an anomaly indication from an intrusion filter; and upon determining that the anomaly indication is a false positive anomaly indication being further comprising at least one of: providing a first feedback message to the intrusion filter, wherein the first feedback message indicates that the anomaly indication is a false positive anomaly indication, and providing a second feedback message to an anomaly detection device associated with the intrusion filter, wherein the second feedback message indicates that network sensor output associated with the anomaly indication does not comprise an incident.
The method according to the fifth aspect can be extended into implementation forms corresponding to the implementation forms of the collection and investigation system according to the third aspect. Hence, an implementation form of the method comprises the feature(s) of the corresponding implementation form of the collection and investigation system.
The advantages of the methods according to the fifth aspect are the same as those for the corresponding implementation forms of the collection and investigation system according to the third aspect.
According to a sixth aspect of the invention, the above mentioned and other objectives are achieved with a vehicle comprising an intrusion filter and/or a detection subsystem according to the first and second aspect, respectively. The vehicle may be any vehicle having communication connection to one or more data networks possible via one or more intermediate wired and wireless communication systems.
The invention also relates to a computer program, characterized in program code, which when run by at least one processor causes said at least one processor to execute any method according to embodiments of the invention. Further, the invention also relates to a computer program product comprising a computer readable medium and said mentioned computer program, wherein said computer program is included in the computer readable medium, and comprises of one or more from the group: ROM (Read-Only Memory), PROM (Programmable ROM), EPROM (Erasable PROM), Flash memory, EEPROM (Electrically EPROM) and hard disk drive.
Further applications and advantages of the embodiments of the invention will be apparent from the following detailed description.
Brief Description of the Drawings
The appended drawings are intended to clarify and explain different embodiments of the invention, in which:
- Fig. 1 shows an intrusion filter according to an embodiment of the invention;
- Fig. 2 shows a method for an intrusion filter according to an embodiment of the invention;
- Fig. 3 shows a detection subsystem according to an embodiment of the invention;
- Fig. 4 shows a collection and investigation system according to an embodiment of the invention;
- Fig. 5 shows a method for a collection and investigation system according to an embodiment of the invention;
- Fig. 6 shows an intrusion detection system according to an embodiment of the invention;
- Fig. 7 shows an intrusion detection system according to a further embodiment of the invention;
- Fig. 8 shows vehicles connected to a collection and investigation system according to a cloud based implementation of embodiments of the invention; and
- Fig. 9 shows a vehicle comprising a system to monitor and a detection subsystem, where the latter is in communication with a collection and investigation system in a cloud based implementation.
Detailed Description
As aforementioned, AI based detection algorithms for IPS or IDPS have been the recent trend for detecting network intrusions in vehicles. AI based detection results in either accepting an increased level of false positives or accepting an increased level of false negatives, with the disadvantage of reduced detection reliability. An improved compromise can be obtained by applying more advanced algorithms or increased parameterization or layers, which however requires more computation load. As Systems To be Monitored (STMs) often are realized in embedded devices, such an improvement would typically result in unacceptable detection time and is therefore not suitable in practical implementations.
Currently, a compromise is to reduce the algorithm load to a level where the response time of the embedded device is at an acceptable level and to reduce the false positive detection level to an acceptably low level, which does not burden a security analysis team too much with evaluation tasks that are in fact false alarms. The end result is reduced detection reliability, which means that a number of actual intrusions are not detected and reported by the AI based IPS or IDPS.
Therefore, it is herein disclosed a novel two-step solution mitigating or fully solving the drawbacks of conventional solutions as previously described. In a first step a conventional detection system may be employed for providing anomaly indications of an STM. In a second step, a novel intrusion filter is introduced. The intrusion filter is configured to filter false positive anomaly indications from true positive anomaly indications. The present two-step solution improves detection accuracy without additional load or computation power on the IPS or IDPS. Also, the false positive detection rate may be reduced without compromising the true positive detection rate. This may be done without increasing the required computation load, which is crucial for IPS and IDPS running on embedded devices in vehicles. As the present intrusion filter can remove false positive anomaly indications, the overall detection result has a much higher level of true positives. This also implies a reduction in detection noise and ensures that security incident specialists or teams may spend time and resources on analyzing true security incidents and hence not waste time on false positives. Furthermore, in embodiments of the invention a novel feedback mechanism is also herein introduced for improving the detectability of detection algorithms employed in conjunction with the present solution.
Fig. 1 shows an intrusion filter 100 according to an embodiment of the invention. The intrusion filter 100 may be a stand-alone device or part of another device of an IPS or IDPS. In the embodiment shown in Fig. 1, the intrusion filter 100 comprises a processor 102, a transceiver 104 and a memory 106. The processor 102 may be coupled to the transceiver 104 and the memory 106 by communication means 108 known in the art. The transceiver 104 may as shown have an input and an output. The intrusion filter 100 may be configured for wireless and/or wired communications in a communication system, such as an IP based communication system. That the intrusion filter 100 may be configured to perform certain actions can in this disclosure be understood to mean that the intrusion filter 100 comprises suitable means, such as e.g. the processor 102 and the transceiver 104, configured to perform said actions.
The processor 102 of the intrusion filter 100 may be referred to as one or more general-purpose central processing units (CPUs), one or more digital signal processors (DSPs), one or more application-specific integrated circuits (ASICs), one or more field programmable gate arrays (FPGAs), one or more programmable logic devices, one or more discrete gates, one or more transistor logic devices, one or more discrete hardware components, and one or more chipsets. The memory 106 of the intrusion filter 100 may be a read-only memory, a random access memory, or a non-volatile random access memory (NVRAM). The transceiver 104 of the intrusion filter 100 may be a transceiver circuit, a power controller, an antenna, or an interface which communicates with other modules or devices. In embodiments, the transceiver 104 of the intrusion filter 100 may be a separate chipset or be integrated with the processor 102 in one chipset. In some embodiments, the processor 102, the transceiver 104, and the memory 106 of the intrusion filter 100 are integrated in one chipset.
According to embodiments of the invention the intrusion filter 100 is configured to obtain an anomaly indication In from an anomaly detection device 110. The anomaly indication In indicates an incident detected by the anomaly detection device 110. The intrusion filter 100 is further configured to discard the anomaly indication In upon identifying that the anomaly indication In is a false positive anomaly indication. Else, the intrusion filter 100 is configured to provide or forward the anomaly indication In to a collection and investigation system 400.
The intrusion filter 100 may be configured to identify that the anomaly indication In is a false positive anomaly indication using an identification algorithm, which will be explained in more detail in the following disclosure.
Fig. 2 shows a flow chart of a corresponding method 600 which may be executed in an intrusion filter 100, such as the one shown in Fig. 1. The method 600 comprises obtaining 602 an anomaly indication In from an anomaly detection device 110. The anomaly indication In indicates an incident detected by the anomaly detection device 110. The method 600 further comprises discarding 604 the anomaly indication In upon identifying that the anomaly indication In is a false positive anomaly indication, or else providing 606 the anomaly indication In to a collection and investigation system 400.
Fig. 3 shows a detection subsystem 300 for an intrusion detection system 500. The detection subsystem 300 comprises an intrusion filter 100 according to embodiments of the invention. The detection subsystem 300 also comprises an anomaly detection device 110 which is coupled to the intrusion filter 100. The anomaly detection device 110 is configured to obtain network sensor output from one or more network sensors 120a, 120b, ..., 120n. The anomaly detection device 110 is further configured to provide or forward an anomaly indication In indicating an incident to the intrusion filter 100 upon identifying that the network sensor output comprises an incident. The intrusion filter 100, upon reception of the anomaly indication In from the anomaly detection device 110, will act as described above.
The detection subsystem 300 may be a stand-alone device or integrated with other types of devices. For example, in the latter case the detection subsystem 300 may share one or more components with an STM or a vehicle, such as processor, memory and communication means. The network sensors may be of different types, such as software sensors and hardware sensors. Software sensors may be configured to monitor network traffic and data and communication parameters such as packet headers and data, data protocol information, congestion parameters, etc. Hardware sensors may be configured to monitor hardware parameters of an STM and of a vehicle, such as speed, spatial position, acceleration, deceleration, etc.
The detection subsystem 110 may be configured to identify that the network sensor output comprises an incident using an incident detection algorithm. The obtained network sensor output is used as an input to the incident detection algorithm, possibly together with additional detection behaviour considerations, to identify that the network sensor output comprises an incident. The behaviour considerations may e.g. relate to information for evaluating the sensor output which is not directly included in the network data, such as operation mode, system mode, and spatial location. Hence, the network sensor output is analysed in the incident detection algorithm to identify whether or not a possible intrusion is present. Non-limiting examples of network sensor output are system mode, operation mode, network package, system history information, intrusion criticality level, intrusion confidence level, physical or spatial location, and analysed network data such as the mean, maximum, or minimum of certain network parameters. These network sensor outputs are explained in more detail in the following description relating to metadata.
Fig. 4 shows a collection and investigation system 400 according to an embodiment of the invention. In the embodiment shown in Fig. 3, the collection and investigation system 400 comprises a processor 402, a transceiver 404 and a memory 406. The processor 402 is coupled to the transceiver 404 and the memory 406 by communication means 408 known in the art. The transceiver 404 may as shown have an input and an output. The collection and investigation system 400 may be configured for wireless and/or wired communications in a communication system. That the collection and investigation system 400 is configured to perform certain actions can in this disclosure be understood to mean that the collection and investigation system 400 comprises suitable means, such as e.g. the processor 402 and the transceiver 404, configured to perform said actions.
The processor 402 of the collection and investigation system 400 may be referred to as one or more general-purpose CPUs, one or more DSPs, one or more ASICs, one or more FPGAs, one or more programmable logic devices, one or more discrete gates, one or more transistor logic devices, one or more discrete hardware components, and one or more chipsets. The memory 406 of the collection and investigation system 400 may be a read-only memory, a random access memory, or an NVRAM. The transceiver 404 of the collection and investigation system 400 may be a transceiver circuit, a power controller, an antenna, or an interface which communicates with other modules or devices. In embodiments, the transceiver 404 of the collection and investigation system 400 may be a separate chipset or be integrated with the processor 402 in one chipset. In some embodiments, the processor 402, the transceiver 404, and the memory 406 of the collection and investigation system 400 are integrated in one chipset.
According to embodiments of the invention the collection and investigation system 400 is configured to obtain an anomaly indication In from an intrusion filter 100. The collection and investigation system 400 is further configured to, upon determining that the anomaly indication In is a false positive anomaly indication: provide a first feedback message Fn to the intrusion filter 100, wherein the first feedback message Fn indicates that the anomaly indication In is a false positive anomaly indication, and/or provide a second feedback message Fn' to an anomaly detection device 110 associated with the intrusion filter 100, wherein the second feedback message Fn' indicates that the network sensor output associated with the anomaly indication In does not comprise an incident. The feedback may be provided using any suitable communication means.
Fig. 5 shows a flow chart of a corresponding method 700 which may be executed in a collection and investigation system 400, such as the one shown in Fig. 4. The method 700 comprises obtaining 702 an anomaly indication In from an intrusion filter 100. The method 700 further comprises, upon determining that the anomaly indication In is a false positive anomaly indication: providing 704 a first feedback message Fn to the intrusion filter 100, wherein the first feedback message Fn indicates that the anomaly indication In is a false positive anomaly indication, and/or providing 706 a second feedback message Fn' to an anomaly detection device 110 associated with the intrusion filter 100, wherein the second feedback message Fn' indicates that the network sensor output associated with the anomaly indication In does not comprise an incident.
An anomaly indication herein may have different forms and formats. For example, the anomaly indication may be a function call or a communication message transmitted and received within the system 500. The anomaly indication may also comprise data about the detected anomaly as well as further data, such as associated metadata.
Fig. 6 shows an intrusion detection system 500 according to embodiments of the invention. An STM, e.g. in a vehicle, which may be the target for validation is illustrated. The STM may be an Electronic Control Unit (ECU) in a vehicle having a connection to a communication network (NW). The STM may, as disclosed, comprise applications 810, network (NW) protocols 820, device interfaces 830 and device drivers 840 as illustrated in Fig. 6. An application 810 may be seen as a functionality in a given ECU, such as an Electronic Stability Program (ESP) or an Anti-lock Brake System (ABS) in a vehicle. A network protocol 820 may define a communication procedure, such as IPv4, which an application 810 uses for communication. A device interface 830 may be considered as an intermediate layer acting as an interface between the software layers and the device drivers 840 of the STM. A device driver 840 may be considered as a software program configured to control one or more peripherals of the STM, such as a network interface, etc.
Parts of the intrusion detection system 500 may be integrated in a vehicle. Generally, the intrusion detection system 500 validates STM behaviour and therefore includes a sensor module comprising one or more network sensors 120a, 120b, ..., 120n configured to be communicably coupled, wired or wirelessly, with the device interface of the STM. The one or more network sensors 120a, 120b, ..., 120n are in turn in communication with an anomaly detection device 110 which is configured to receive network sensor output from the one or more network sensors 120a, 120b, ..., 120n. In respect of system architecture, the STM 800 and the detection subsystem 300 may run on the same processors and hence be integrated in the same vehicle.
In embodiments of the invention, the anomaly detection device 110 is configured to identify that the network sensor output comprises an incident using an incident detection algorithm. An incident detection algorithm is an algorithm that is able to detect illegal messages or traffic on a specific network. More complex threats/errors may also be detected, such as a too rapid change of a physical parameter of the vehicle (a speed, an acceleration, a deceleration), or conflicting network data, e.g. the wheels of a vehicle indicating movement of the vehicle while GPS data indicates that the vehicle is at a standstill.
The anomaly detection device 110 is configured to provide an anomaly indication In indicating an incident to the intrusion filter 100 upon identifying that the network sensor output comprises an incident. Else, the anomaly indication In is discarded by the anomaly detection device 110.
The anomaly detection device 110 may be an AI based detection device and/or a rule-based detection device, depending on the application. Rule-based detection is typically derived from the network specification and is more trustworthy, but also more limited in the complexity of error types it covers. AI based detection, on the other hand, detects anomalies based on statistical training/learning, typically from network traffic logs and statistics. Due to this information source, AI based detection has more information about typical usage and can therefore find anomalies which do not violate the network specification. It is noted that implementations herein may also combine AI detection and rule-based detection.
The intrusion filter 100 receives the anomaly indication In from the anomaly detection device 110 and, depending on the outcome of an identification procedure, either discards the anomaly indication In or provides the anomaly indication In to a collection and investigation system 400 via a communication link.
In embodiments of the invention, the intrusion filter 100 is configured to identify that the anomaly indication In obtained from the anomaly detection device 110 is a false positive anomaly indication using any suitable identification algorithm. An example of such an identification algorithm is the so-called Local Outlier Factor (LOF), which could be used to distinguish false positive from true positive anomaly indications. Another common algorithm is the so-called K Nearest Neighbours (KNN) algorithm. Other identification algorithms may also be used in conjunction with the present solution.
The intrusion filter 100 may be an artificial intelligence intrusion filter and/or a rule-based intrusion filter. The rule-based intrusion filter uses clearly defined rules, e.g. a rule specifying that any intrusion detected within 20 s of engine start should be discarded. The AI based intrusion filter is based on previous training sequences from prior false positives. Hence, the behaviour of an AI based intrusion filter is more statistical, e.g. whether an indication is alike other indications which have previously been categorized as false positives.
For improving the identification rate, the intrusion filter 100 may in embodiments of the invention obtain metadata associated with the anomaly indication In. The metadata may e.g. comprise:
• System mode, which e.g. may be diagnostic, update or normal mode. Normal mode is the everyday driving mode. Update mode is the software update mode. Diagnostic mode is for debugging or reading out logs from one or more STMs or the entire vehicle.
• Operation mode, which may e.g. be high performance mode or normal performance mode, and which might impact the system behaviour.
• Network package may in this case contain the entire network package with its header and data.
• System history information which can contain information about system speed, last message of the same communication session or other relevant historical system information.
• Intrusion criticality level: a detected anomaly type might have a certain criticality level, which might influence the likelihood that the intrusion filter 100 discards the message and categorizes it as a false positive message.
• Intrusion confidence level: some AI networks give a confidence level together with the detection result. Such a confidence level indicates whether the first level detection of the anomaly detection device 110 is sure about the result or not.
• Physical or spatial location which is information about the location of the STM or vehicle.
The intrusion filter 100 may in embodiments obtain the metadata from the anomaly detection device 110, e.g. together with the anomaly indication In. The metadata may originate from one or more network sensors configured to monitor network traffic and physical parameters.
The metadata may be used as input parameters in the identification algorithm for improved identification that the anomaly indication In is a false positive anomaly indication.
When the intrusion filter 100 does not identify that the anomaly indication In is a false positive anomaly indication, the anomaly indication In is forwarded to the collection and investigation system 400.
The collection and investigation system 400 may be implemented as a cloud based solution which implies that indications from a plurality of different STMs or vehicles are collected in a central network database remotely located from the STMs or vehicles.
The collection and investigation system 400 serves as a collection and investigation platform and may comprise a cloud based incident collection device 410 in connection with an incident investigation device 420. The incident collection device 410 is configured to obtain the anomaly indication In from the intrusion filter 100, but may in embodiments collect incoming anomaly indications from a plurality of intrusion filters associated with different STMs 800. The incident collection device 410 checks if the received anomaly indication In from the intrusion filter 100 is a false positive anomaly indication. If that is the case, the anomaly indication In is discarded. Else, the anomaly indication In is forwarded to the incident investigation device 420 for further investigation. It is also noted that the incident collection device 410 may be part of a feedback mechanism according to embodiments of the invention. In this respect, the incident collection device 410 may transmit the first and/or the second feedback messages to the intrusion filter 100 and/or the anomaly detection device 110 via the transceiver 404.
Upon reception of the anomaly indication In, the incident investigation device 420 will investigate whether the anomaly indication In received from the incident collection device 410 is a false positive or a true positive anomaly indication. The incident investigation device 420 may be considered as a set of tools or functions for analysing whether the anomaly indication In is true or false. Tools may e.g. be data viewers, which present network data in a certain informative way so that it is clear what has happened, for example by converting error numbers to human readable format strings. The tools could, if possible, also highlight the actual data that triggered the incident detection. A next level of incident investigation tools may be tools that can automatically evaluate the network data and conclude the state of the system when an incident occurs, or evaluate the communication state between two ECUs. Finally, such an incident investigation tool could draw references to similar incidents or even propose a possible root cause of the anomaly, which the security investigator would have to re-verify.
Therefore, in this respect automated machine procedures may be used in combination with manual investigations performed by investigation personnel or teams. The outcome or output of the investigations, and hence of the incident investigation device 420, is a determination whether the anomaly indication In is a false positive or a true positive anomaly indication, hence true or false.
In embodiments of the invention a feedback mechanism is provided as illustrated with the two feedback lines from the incident investigation device 420 in Fig. 6. The first feedback line 510 is configured for providing feedback from the collection and investigation system 400 to the intrusion filter 100 whilst the second feedback line 520 is configured for providing feedback from the collection and investigation system 400 to the anomaly detection device 110 of the detection subsystem 300. The feedback lines 510, 520 may be wired and/or wireless communication links depending on the communication system architecture.
The first feedback message Fn indicates that the anomaly indication In is a false positive anomaly indication. Based on the first feedback message Fn, the intrusion filter 100 updates the identification algorithm to identify that the anomaly indication In is a false positive anomaly indication.
In embodiments of the invention, the first feedback message Fn may comprise a part of or a complete identification algorithm which implies that the intrusion filter 100 updates or replaces the identification algorithm based on the first feedback message Fn depending on its content. Therefore, the current version of the identification algorithm may always be updated for improved performance.
Correspondingly, the second feedback message Fn' indicates that the network sensor output does not comprise an incident. Based on the second feedback message Fn' the anomaly detection device 110 updates the incident detection algorithm to identify that the network sensor output does not comprise the incident.
In embodiments of the invention, also the second feedback message Fn' may comprise a part of or a complete incident detection algorithm. Therefore, the anomaly detection device 110 updates or replaces the incident detection algorithm based on the second feedback message Fn'. Hence, also the current version of the incident detection algorithm is always updated for improved performance.
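As an added illustration (not code from the patent) of the identification procedure described above, the following combines the rule-based example rule (discard indications within 20 s of engine start) with a KNN-style comparison against indications previously confirmed as false positives through the first feedback message Fn, using the metadata kinds listed above as inputs. The feature encoding, the distance threshold, the field set of the indication and the sample indications are constructed assumptions, not taken from the patent.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AnomalyIndication:
    """Anomaly indication In plus a constructed subset of the metadata kinds described above."""
    incident_type: str
    system_mode: str                   # "normal", "update" or "diagnostic"
    seconds_since_engine_start: float
    criticality: int                   # intrusion criticality level, 1 (low) to 5 (high)
    confidence: float                  # intrusion confidence level reported by the anomaly detection device


class IntrusionFilter:
    """Rule-based check followed by a KNN-style check against confirmed false positives."""

    MODE_CODE = {"normal": 0.0, "update": 1.0, "diagnostic": 2.0}

    def __init__(self, k=3, engine_start_grace_s=20.0, similarity_threshold=0.15):
        self.k = k
        self.grace = engine_start_grace_s
        self.threshold = similarity_threshold      # constructed value
        self.confirmed_false_positives = []         # feature vectors learned from feedback messages Fn

    @classmethod
    def features(cls, ind):
        # Constructed encoding of the metadata into a numeric vector for the distance computation
        return (
            cls.MODE_CODE[ind.system_mode],
            ind.criticality / 5.0,
            ind.confidence,
            min(ind.seconds_since_engine_start, 300.0) / 300.0,
        )

    def rule_false_positive(self, ind):
        # Rule-based part: the example rule from the description, anything within 20 s of engine start
        return ind.seconds_since_engine_start < self.grace

    def knn_false_positive(self, ind):
        # AI part: mean distance to the k nearest confirmed false positives; a small distance means
        # the indication is "alike" indications previously categorized as false positives
        if len(self.confirmed_false_positives) < self.k:
            return False
        f = self.features(ind)
        nearest = sorted(math.dist(f, v) for v in self.confirmed_false_positives)[: self.k]
        return sum(nearest) / self.k < self.threshold

    def process(self, ind):
        """Return "discard" (false positive) or "forward" (to the collection and investigation system)."""
        if self.rule_false_positive(ind) or self.knn_false_positive(ind):
            return "discard"
        return "forward"

    def apply_feedback(self, ind):
        """First feedback message Fn: the investigation concluded that ind was a false positive."""
        self.confirmed_false_positives.append(self.features(ind))


def run_demo():
    """Constructed sequence of indications; returns the filter's decision for each one in order."""
    flt = IntrusionFilter()
    a = AnomalyIndication("bus_burst", "normal", 5.0, 2, 0.80)      # shortly after engine start
    b = AnomalyIndication("bus_burst", "update", 120.0, 2, 0.90)
    c = AnomalyIndication("bus_burst", "update", 130.0, 2, 0.88)
    d = AnomalyIndication("bus_burst", "update", 110.0, 2, 0.92)
    e = AnomalyIndication("bus_burst", "update", 125.0, 2, 0.90)    # alike b, c and d
    f = AnomalyIndication("brake_cmd", "normal", 600.0, 5, 0.95)    # critical and unlike any known FP
    decisions = [flt.process(a)]
    for ind in (b, c, d):
        decisions.append(flt.process(ind))
        flt.apply_feedback(ind)    # investigation later reported Fn: false positive
    decisions.append(flt.process(e))
    decisions.append(flt.process(f))
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

Until three feedback messages have arrived the KNN part cannot vote, so only the rule-based part discards; afterwards the indication alike the confirmed false positives is discarded while the critical, dissimilar one is still forwarded.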
Therefore, the first Fn and second Fn' feedback messages may in embodiments comprise updates to the algorithms used by the intrusion filter 100 and the anomaly detection device 110, respectively. The update may be in the form of a new version of the software, possibly including a configuration, or in the form of a delta update of the software and/or configuration. The delta update may be a file specifying the difference(s) to the existing software and/or configuration used by the intrusion filter 100 and the anomaly detection device 110, respectively. Applying the delta update to the existing software and configuration is an effective update procedure if only a limited update is needed. However, if the intrusion filter 100 and the anomaly detection device 110 need to be completely updated, a full update procedure is the better choice. The software and/or configuration may be updated on the fly, e.g. as soon as the vehicle receives an update indication. An alternative update procedure may be that an update is received by the vehicle and executed when the vehicle is parked and/or upon reception of a user input indicating acceptance of the update.
Moreover, a network packet sent through the device interface 830 of the STM 800 may be blocked until a part or the entire detection subsystem 300 has been executed. If only a part of the detection subsystem 300 needs to be executed until a network packet is released, the detection subsystem 300 may take a copy of relevant data about the network packet for later evaluation.
In embodiments of the invention the present system 500 may be able to perform a blocking and a non-blocking procedure. If the system 500 needs to be able to discard a network packet because the network packet is not allowed and it is assured that the network packet is part of a network attack, then a blocking procedure may be supported. However, if the system 500 is running in a non-blocking procedure, which means that a network packet can be forwarded before it is validated by the anomaly detection device 110, then no matter what the anomaly detection device 110 concludes about the network packet (e.g. a normal or an anomalous network packet), it cannot block the network packet as it has already been forwarded. An advantage of a non-blocking procedure is that the additional network packet transfer delay due to the IDPS/IPS is minimal, as the network packet is forwarded before it is evaluated.
The steps in a blocking procedure may comprise:
1. The device interface 830 of the STM receives a network packet, e.g., intended for an application or a remote connection point;
2. Network sensors extract all data, such as the previously described metadata, needed for detection, categorization and evaluation by the anomaly detection device 110, intrusion filter 100 and collection and investigation system 400. The data is extracted from the network packet and other data sources of the system 500 such as GPS data, configuration data, etc.;
3. The anomaly detection device 110 analyzes the extracted data from the network sensors and determines if an anomaly indication should be sent to the intrusion filter 100 or not;
4. The intrusion filter 100 evaluates an anomaly indication from the anomaly detection device 110 and, if the intrusion filter 100 categorizes the anomaly indication as a true positive, it forwards the anomaly indication to the collection and investigation system 400; and
5. The device interface 830 forwards a network packet if it has been assured that the network packet is not part of a network attack.
The steps in a non-blocking procedure may comprise:
1. The device interface 830 of the STM receives a network packet;
2. Network sensors take a copy of relevant data;
3. The device interface 830 forwards the network packet to intended recipient such as an application or a remote connection point;
4. Network sensors extract all data, such as the previously described metadata, needed for detection, categorization and evaluation by the anomaly detection device 110, intrusion filter 100 and collection and investigation system 400. The data is extracted from the network packet and other data sources of the system 500 such as GPS data, configuration data, etc.;
5. The anomaly detection device 110 analyzes the extracted data from the network sensors and determines if an anomaly indication should be sent to the intrusion filter 100 or not;
6. The intrusion filter 100 evaluates an anomaly indication from the anomaly detection device 110, and if intrusion filter 100 categorizes the anomaly indication as a true positive it is forwarded to the collection and investigation system 400.
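The two procedures above, as an added example that is not part of the patent: a device interface that either holds a packet until the detection subsystem has run (blocking) or forwards it first and evaluates the copied sensor data afterwards (non-blocking). The incident detection rules (oversized payload, wheel speed conflicting with GPS), the 20 s engine-start filter rule, the sensor data fields and the sample traffic are constructed; the choice to release a packet whose indication the filter discarded as a false positive is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class SensorData:
    """Relevant data copied by the network sensors for one packet (constructed field set)."""
    packet: Packet
    wheel_speed_kmh: float              # hardware sensor
    gps_speed_kmh: float                # hardware sensor
    seconds_since_engine_start: float


MAX_PAYLOAD = 64    # constructed limit for the example protocol


def incident_detection(data):
    """Constructed rule-based incident detection algorithm (role of the anomaly detection device 110).
    Returns an anomaly indication as a dict, or None when no incident is identified."""
    if len(data.packet.payload) > MAX_PAYLOAD:
        return {"type": "oversized_frame", "confidence": 0.9, "data": data}
    # Conflicting network data as in the description: wheels moving while GPS reports a standstill
    if data.wheel_speed_kmh > 5.0 and data.gps_speed_kmh < 1.0:
        return {"type": "speed_gps_conflict", "confidence": 0.6, "data": data}
    return None


def intrusion_filter(indication):
    """Constructed rule-based intrusion filter (role of the intrusion filter 100): indications
    within 20 s of engine start are categorized as false positives, per the rule in the description."""
    return "discard" if indication["data"].seconds_since_engine_start < 20.0 else "forward"


class DeviceInterface:
    """Device interface 830 of the STM operating in blocking or non-blocking mode."""

    def __init__(self, blocking):
        self.blocking = blocking
        self.delivered = []   # packets released to the application or remote connection point
        self.dropped = []     # packets discarded (possible in the blocking procedure only)
        self.reported = []    # anomaly indications forwarded to the collection and investigation system

    def run_detection_subsystem(self, data):
        """Anomaly detection followed by the intrusion filter; True if a true positive remains."""
        indication = incident_detection(data)
        if indication is None:
            return False
        if intrusion_filter(indication) == "discard":
            return False
        self.reported.append(indication)
        return True

    def receive(self, data):
        if self.blocking:
            # Blocking procedure: hold the packet until the detection subsystem has run and release it
            # only when no incident remains after filtering (assumption: a filtered-out false positive
            # counts as "assured not part of an attack").
            if self.run_detection_subsystem(data):
                self.dropped.append(data.packet)
            else:
                self.delivered.append(data.packet)
        else:
            # Non-blocking procedure: the sensors already copied the relevant data, so forward first
            # and evaluate afterwards; the packet can no longer be blocked, only reported.
            self.delivered.append(data.packet)
            self.run_detection_subsystem(data)


def simulate(blocking):
    """Run constructed traffic through the interface; returns (delivered, dropped, reported) counts."""
    iface = DeviceInterface(blocking)
    traffic = [
        SensorData(Packet("ecu_a", "ecu_b", b"\x01\x02"), 50.0, 49.0, 300.0),
        SensorData(Packet("ecu_c", "ecu_b", b"\xff" * 128), 50.0, 49.0, 310.0),   # oversized frame
        SensorData(Packet("ecu_a", "ecu_b", b"\x03"), 30.0, 0.0, 10.0),           # conflict, but < 20 s
    ]
    for data in traffic:
        iface.receive(data)
    return len(iface.delivered), len(iface.dropped), len(iface.reported)


if __name__ == "__main__":
    print("blocking:", simulate(True))
    print("non-blocking:", simulate(False))
```

In both modes the same single indication reaches the collection and investigation system; only the blocking mode can withhold the offending packet from its recipient.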
Fig. 7 shows an intrusion detection system 500 according to further embodiments of the invention. In contrast to the embodiment shown in Fig. 6, the intrusion filter 100 is comprised in, or is a part of, the collection and investigation system 400 instead of the detection subsystem 300 as in Fig. 6. Thereby, a single intrusion filter 100 may be shared by multiple detection subsystems and hence multiple STMs or vehicles. It is also noted that the first feedback line 510 in this architecture may also be cloud based, since the intrusion filter 100 itself is cloud based. Another aspect of such an implementation is that the first feedback message Fn and the second feedback message Fn' may be targeted or addressed to more than one STM or vehicle.
Furthermore, if the intrusion filter 100 is located in a remote collection and investigation system 400, the intrusion filter 100 can be executed on a powerful server and not in a locally embedded device. This means that the algorithm(s) used by the intrusion filter 100 can be more complex and require more computational load, and hence have a larger code or data size and be heavier to execute. It may further be noted that in such embodiments the intrusion filter 100 may share one or more processors of the collection and investigation system 400.
Fig. 8 illustrates vehicles connected to a collection and investigation system in a cloud based implementation of the collection and investigation system 400. Furthermore, Fig. 9 illustrates a vehicle 900, in this case a car, comprising one or more STMs and a detection subsystem 300, where the latter is in communication with the collection and investigation system 400 in the cloud.
Therefore, a vehicle 900 is also herein disclosed comprising an intrusion filter 110 and/or a detection subsystem 300 according to embodiments of the invention. The vehicle 900 may be any vehicle comprising one or more STMs connected to one or more data networks, possibly via one or more intermediate wired and wireless communication systems such as 3GPP LTE, NR, etc. The vehicle 900 may be a car, a bus or a truck and comprise any type of engine, such as a combustion engine, an electrical engine, a hybrid engine, etc.
Furthermore, any method according to embodiments of the invention may be implemented in a computer program, having code means, which when run by processing means causes the processing means to execute the steps of the method. The computer program is included in a computer readable medium of a computer program product. The computer readable medium may comprise essentially any memory, such as a ROM (Read-Only Memory), a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), a Flash memory, an EEPROM (Electrically Erasable PROM), or a hard disk drive.
Finally, it should be understood that the invention is not limited to the embodiments described above, but also relates to and incorporates all embodiments within the scope of the appended independent claims.
Claims
1. An intrusion filter (100) for an intrusion detection system (500), the intrusion filter (100) being configured to obtain an anomaly indication (In) from an anomaly detection device (110), wherein the anomaly indication (In) indicates an incident detected by the anomaly detection device (110); and discard the anomaly indication (In) upon identifying that the anomaly indication (In) is a false positive anomaly indication, else provide the anomaly indication (In) to a collection and investigation system (400).
2. The intrusion filter (100) according to claim 1, configured to identify that the anomaly indication (In) is a false positive anomaly indication using an identification algorithm.
3. The intrusion filter (100) according to claim 2, configured to obtain metadata associated with the anomaly indication (In); and identify that the anomaly indication (In) is a false positive anomaly indication using the identification algorithm and the metadata.
4. The intrusion filter (100) according to claim 2 or 3, configured to obtain a first feedback message (Fn) from the collection and investigation device (400), wherein the first feedback message (Fn) indicates that the anomaly indication (In) is a false positive anomaly indication; and update the identification algorithm to identify that the anomaly indication (In) is a false positive anomaly indication.
5. The intrusion filter (100) according to claim 4, wherein the first feedback message (Fn) comprises a part of or a complete identification algorithm; and configured to update or replace the identification algorithm based on the first feedback message (Fn).
6. The intrusion filter (100) according to any one of the preceding claims, wherein the intrusion filter (100) is an artificial intelligence intrusion filter and/or a rule-based intrusion filter.
7. A detection subsystem (300) for an intrusion detection system (500), wherein the detection subsystem (300) comprises an intrusion filter (100) according to any one of claims 1 to 6, and an anomaly detection device (110) configured to: obtain network sensor output from one or more network sensors (120a, 120b, ..., 120n); and provide an anomaly indication (In) indicating an incident to the intrusion filter (100) upon identifying that the network sensor output comprises an incident.
8. The detection subsystem (300) according to claim 7, wherein the anomaly detection device (110) is configured to identify that the network sensor output comprises an incident using an incident detection algorithm.
9. The detection subsystem (300) according to claim 8, wherein the anomaly detection device (110) is further configured to obtain a second feedback message (Fn') from a collection and investigation system (400), wherein the second feedback message (Fn') indicates that the network sensor output does not comprise an incident; and update the incident detection algorithm to identify that the network sensor output does not comprise the incident.
10. The detection subsystem (300) according to claim 9, wherein the second feedback message (Fn') comprises a part of or a complete incident detection algorithm; and configured to update or replace the incident detection algorithm based on the second feedback message (Fn').
11. The detection subsystem (300) according to any one of claims 7 to 10, wherein the anomaly detection device (110) is an artificial intelligence detection device and/or a rule-based detection device.
12. A collection and investigation system (400) for an intrusion detection system (500), the collection and investigation system (400) being configured to obtain an anomaly indication (In) from an intrusion filter (100); and upon determining that the anomaly indication (In) is a false positive anomaly indication being configured to at least one of:
provide a first feedback message (Fn) to the intrusion filter (100), wherein the first feedback message (Fn) indicates that the anomaly indication (In) is a false positive anomaly indication, and provide a second feedback message (Fn') to an anomaly detection device (110) associated with the intrusion filter (100), wherein the second feedback message (Fn') indicates that network sensor output associated with the anomaly indication (In) does not comprise an incident.
13. The collection and investigation system (400) according to claim 12, wherein the first feedback message (Fn) comprises a part of or a complete identification algorithm; and the second feedback message (Fn') comprises a part of or a complete incident detection algorithm.
14. The collection and investigation system (400) according to claim 12 or 13, wherein the collection and investigation system (400) comprises the intrusion filter (100).
15. A method (600) for an intrusion filter (100), the method (600) comprising obtaining (602) an anomaly indication (In) from an anomaly detection device (110), wherein the anomaly indication (In) indicates an incident detected by the anomaly detection device (110); and discarding (604) the anomaly indication (In) upon identifying that the anomaly indication (In) is a false positive anomaly indication, else providing (606) the anomaly indication (In) to a collection and investigation system (400).
16. A method (700) for a collection and investigation system (400), the method (700) comprising obtaining (702) an anomaly indication (In) from an intrusion filter (100); and upon determining that the anomaly indication (In) is a false positive anomaly indication further comprising at least one of: providing (704) a first feedback message (Fn) to the intrusion filter (100), wherein the first feedback message (Fn) indicates that the anomaly indication (In) is a false positive anomaly indication, and providing (706) a second feedback message (Fn') to an anomaly detection device (110) associated with the intrusion filter (100), wherein the second feedback message (Fn') indicates that network sensor output associated with the anomaly indication (In) does not comprise an incident.
17. A computer program with a program code for performing a method according to claim 15 or 16 when the computer program runs on a computer.
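The following simulation is an added illustration of the loop that claims 7 to 11 (detection subsystem), 12 to 14 (collection and investigation system) and 15 to 16 (the two methods) describe; it is not code from the patent or its applicant. A rule-based anomaly detection device raises an indication In over CAN-style frames, the intrusion filter discards indications it has learned are false positives and provides the rest to the collection and investigation system, and that system, on a false-positive verdict, sends Fn back to the filter and, optionally, Fn' to the detection device. The frame layout, the rule names "unknown-id" and "dlc-mismatch", the sample frames, the CAN ID 0x7DF being legitimate on this bus and the verdict oracle are all constructed assumptions.

```python
# Added illustration of the loop between the anomaly detection device (110), the intrusion
# filter (100) and the collection and investigation system (400). Not the patent's own code:
# the frame layout, rule names, sample frames and the investigation verdict are all assumed.
from collections import namedtuple
from typing import Callable, Optional

Frame = namedtuple("Frame", "can_id dlc payload")                      # network sensor output record (CAN-like, assumed)
AnomalyIndication = namedtuple("AnomalyIndication", "n reason frame")  # I_n
FirstFeedback = namedtuple("FirstFeedback", "n reason can_id identification_rule", defaults=[None])  # F_n
SecondFeedback = namedtuple("SecondFeedback", "reason frame detection_rule", defaults=[None])        # F_n'


class AnomalyDetectionDevice:
    """Rule-based detector (claim 11); rules plus the exempt set form the incident detection algorithm."""
    def __init__(self, known_ids: dict):
        self.known_ids = dict(known_ids)   # can_id -> expected DLC
        self.exempt = set()                # (can_id, reason) pairs learned as non-incidents via F_n'
        self.rules = {"unknown-id": lambda f: f.can_id not in self.known_ids,
                      "dlc-mismatch": lambda f: self.known_ids.get(f.can_id, f.dlc) != f.dlc}
        self.n = 0

    def process(self, frame: Frame) -> Optional[AnomalyIndication]:
        for reason, rule in self.rules.items():
            if rule(frame) and (frame.can_id, reason) not in self.exempt:
                self.n += 1
                return AnomalyIndication(self.n, reason, frame)   # I_n, handed to the filter
        return None

    def apply_feedback(self, fb: SecondFeedback) -> None:
        if fb.detection_rule is not None:      # claim 10: a part of the algorithm is replaced
            self.rules[fb.reason] = fb.detection_rule
        else:                                  # claim 9: this sensor output is no longer an incident
            self.exempt.add((fb.frame.can_id, fb.reason))


class IntrusionFilter:
    """Rule-based filter (claim 6) running steps 602/604/606 of claim 15."""
    def __init__(self, investigation):
        self.investigation = investigation
        self.known_false_positives = set()    # (can_id, reason) pairs reported back via F_n
        self.is_false_positive = lambda ind: (ind.frame.can_id, ind.reason) in self.known_false_positives
        self.discarded = self.provided = 0

    def process(self, ind: AnomalyIndication) -> bool:
        if self.is_false_positive(ind):       # 604: discard
            self.discarded += 1
            return False
        self.provided += 1                    # 606: provide to the investigation system
        self.investigation.process(ind)
        return True

    def apply_feedback(self, fb: FirstFeedback) -> None:
        if fb.identification_rule is not None:   # claim 13: the whole identification algorithm is replaced
            self.is_false_positive = fb.identification_rule
        else:
            self.known_false_positives.add((fb.can_id, fb.reason))


class CollectionAndInvestigationSystem:
    """Steps 702/704/706 of claim 16; `verdict` stands in for the analyst or AI investigation."""
    def __init__(self, verdict: Callable[[AnomalyIndication], bool], feed_detector: bool = True):
        self.verdict, self.feed_detector = verdict, feed_detector
        self.filter = self.detector = None    # wired up by the caller
        self.confirmed, self.first_feedback, self.second_feedback = [], [], []

    def process(self, ind: AnomalyIndication) -> None:
        if self.verdict(ind):                 # real incident: keep it
            self.confirmed.append(ind)
            return
        fn = FirstFeedback(ind.n, ind.reason, ind.frame.can_id)   # 704
        self.first_feedback.append(fn)
        self.filter.apply_feedback(fn)
        if self.feed_detector:                # 706, optional ("at least one of" in claim 12)
            fnp = SecondFeedback(ind.reason, ind.frame)
            self.second_feedback.append(fnp)
            self.detector.apply_feedback(fnp)


# Constructed frames: 0x100 and 0x200 are in the initial known-ID table; 0x7DF is assumed to be a
# legitimate diagnostic request the table does not list, so it first trips the "unknown-id" rule.
SAMPLE_FRAMES = [Frame(0x100, 8, bytes(8)),
                 Frame(0x7DF, 8, bytes.fromhex("0201000000000000")),
                 Frame(0x7DF, 8, bytes.fromhex("0201050000000000")),
                 Frame(0x100, 2, b"\xff\xff"),   # DLC mismatch on a known ID: treated as a real incident
                 Frame(0x7DF, 8, bytes.fromhex("0201000000000000"))]


def run_pipeline(frames=SAMPLE_FRAMES, feed_detector: bool = True) -> dict:
    """Push the frames through detector -> filter -> investigation and return what each did."""
    investigation = CollectionAndInvestigationSystem(lambda ind: ind.frame.can_id != 0x7DF, feed_detector)
    detector, flt = AnomalyDetectionDevice({0x100: 8, 0x200: 4}), IntrusionFilter(investigation)
    investigation.filter, investigation.detector = flt, detector
    raised = 0
    for frame in frames:
        ind = detector.process(frame)
        if ind is not None:
            raised += 1
            flt.process(ind)
    return {"raised": raised, "discarded": flt.discarded, "provided": flt.provided,
            "confirmed": len(investigation.confirmed), "first_feedback": len(investigation.first_feedback),
            "second_feedback": len(investigation.second_feedback)}


if __name__ == "__main__":
    print("F_n and F_n':", run_pipeline(), "\nF_n only:", run_pipeline(feed_detector=False))
```

Running both configurations shows what the "at least one of" in claim 12 leaves open: with Fn only, the detection device keeps raising the benign 0x7DF frames and the filter absorbs them (four indications, two discarded); with Fn' as well, the detection device stops raising them after the first verdict (two indications, none discarded). Every feedback message is an instruction to stop reporting something, so in a deployment the Fn/Fn' channel needs authentication and the rule changes it causes need to be logged; this example applies feedback unconditionally.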
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202080107762.5A CN116671066A (en) | 2020-12-22 | 2020-12-22 | Intrusion filter for intrusion detection systems |
EP20835841.6A EP4237975A1 (en) | 2020-12-22 | 2020-12-22 | Intrusion filter for an intrusion detection system |
PCT/EP2020/087720 WO2022135706A1 (en) | 2020-12-22 | 2020-12-22 | Intrusion filter for an intrusion detection system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2020/087720 WO2022135706A1 (en) | 2020-12-22 | 2020-12-22 | Intrusion filter for an intrusion detection system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022135706A1 (en) | 2022-06-30 |
Family
ID=74125226
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2020/087720 WO2022135706A1 (en) | 2020-12-22 | 2020-12-22 | Intrusion filter for an intrusion detection system |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP4237975A1 (en) |
CN (1) | CN116671066A (en) |
WO (1) | WO2022135706A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130097706A1 (en) * | 2011-09-16 | 2013-04-18 | Veracode, Inc. | Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security |
US20150047032A1 (en) * | 2013-08-07 | 2015-02-12 | Front Porch Communications, Inc. | System and method for computer security |
US20160328742A1 (en) * | 2015-05-05 | 2016-11-10 | Sentrant Security Inc. | Systems and methods for monitoring malicious software engaging in online advertising fraud or other form of deceit |
US20170013005A1 (en) * | 2015-06-29 | 2017-01-12 | Argus Cyber Security Ltd. | System and method for consistency based anomaly detection in an in-vehicle communication network |
US20170214701A1 (en) * | 2016-01-24 | 2017-07-27 | Syed Kamran Hasan | Computer security based on artificial intelligence |
2020
- 2020-12-22 WO PCT/EP2020/087720 patent/WO2022135706A1/en active Application Filing
- 2020-12-22 CN CN202080107762.5A patent/CN116671066A/en active Pending
- 2020-12-22 EP EP20835841.6A patent/EP4237975A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN116671066A (en) | 2023-08-29 |
EP4237975A1 (en) | 2023-09-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11277427B2 (en) | System and method for time based anomaly detection in an in-vehicle communication | |
CN112204578B (en) | Detecting data anomalies on a data interface using machine learning | |
US11115433B2 (en) | System and method for content based anomaly detection in an in-vehicle communication network | |
US11217042B2 (en) | Vehicle monitoring apparatus, fraud detection server, and control methods | |
US11665178B2 (en) | Methods and arrangements for message time series intrusion detection for in-vehicle network security | |
WO2019142741A1 (en) | Vehicle abnormality detection server, vehicle abnormality detection system, and vehicle abnormality detection method | |
US11479263B2 (en) | Automotive network switch with anomaly detection | |
EP3951531B1 (en) | Anomaly sensing method and anomaly sensing system | |
CN111448787A (en) | System and method for providing a secure in-vehicle network | |
US11247696B2 (en) | Information processing device, information processing method, and recording medium | |
US20230283617A1 (en) | Attack analysis device, attack analysis method, and non-transitory computer-readable recording medium | |
CN118451481A (en) | Generic intrusion detection and prevention for a vehicle network | |
KR20220041137A (en) | Multi-mode messaging anomaly detection for broadcast network security | |
JP2019146145A (en) | Communication device, communication method, and program | |
EP4237975A1 (en) | Intrusion filter for an intrusion detection system | |
US12116001B2 (en) | Information collection device, information collection system, information collection method, and storage medium storing program | |
JP7509091B2 (en) | Attack analysis device, attack analysis method, and attack analysis program | |
WO2021019635A1 (en) | Security device, attack response processing method, computer program, and storage medium | |
JP7496431B2 (en) | Information processing device, method for controlling information processing device, and program | |
da Bernarda et al. | Automotive Controller Area Network Intrusion Detection Systems | |
CN112751822B (en) | Communication apparatus, operation method, abnormality determination apparatus, abnormality determination method, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20835841; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 202080107762.5; Country of ref document: CN |
| ENP | Entry into the national phase | Ref document number: 2020835841; Country of ref document: EP; Effective date: 20230602 |
| NENP | Non-entry into the national phase | Ref country code: DE |