
EP-3669516-B1 - AUTOMOTIVE CYBERSECURITY


Inventors

  • Galula, Yaron
  • Ben Noon, Ofer
  • Lavi, Oron

Dates

Publication Date
20260506
Application Date
20180813

Claims (14)

  1. A method for providing security for an in-vehicle communication network (60) the method comprising: maintaining a global feature vector (52) comprising values for a selection of message attributes that characterize messages transmitted over the in-vehicle communication network; updating the global feature vector in real time (57) by incorporating latest values of the selected attributes that characterize the transmitted messages for all, or a subset of, message types; registering a message transmitted over the in-vehicle communication network; generating a message feature vector (table 56) comprising at least one value of at least one attribute of the registered message; generating a context feature vector (S_i, table 58) for the vehicle comprising at least one value of at least one message attribute selected from the updated global feature vector; and determining a classifier (H(ID_i, S_i), table 58) responsive to at least one message attribute of the registered message and using the classifier to determine whether the registered message is valid based on the message feature vector and the context feature vector.
  2. The method according to claim 1 wherein the selection of message attributes comprises at least one or any combination of more than one attribute selected from: an ID of the message, identity of a source of the registered message; periodicity of the message; value of a field that the message contains; and/or a change in a value of a field that the message contains relative to a value of the field in another message having a same ID as the registered message.
  3. The method according to claim 1 or claim 2 wherein the selection of message attributes comprises at least one, or any combination of more than one, message attribute based on: location and/or movement generated by an operator of the given vehicle; a signal generated by a driver action transducer; and/or operation of a gesture recognition system.
  4. The method according to any of claims 1-3 wherein an attribute of the at least one message attribute used to determine the context feature vector and a message attribute of the plurality of the message attributes used to determine the message feature vector are the same.
  5. The method according to any of claims 1-3 wherein no attribute of the at least one message attribute used to determine the context feature vector and message attribute of the plurality of the message attributes used to determine the message feature vector are the same.
  6. The method according to any of the preceding claims wherein the at least one classifier comprises at least one, or any combination of more than one of: a Support Vector Machine (SVM); a Random Forest classifier; a Nearest Neighbor classifier; and/or a decision tree.
  7. The method according to any of the preceding claims wherein the at least one classifier comprises a classifier configured by a machine learning process.
  8. The method according to claim 7 wherein the machine learning process is based on a plurality of messages registered from an in-vehicle network of at least one vehicle that is presumed not to have experienced a cyber-attack.
  9. The method according to claim 8 wherein the at least one vehicle comprises a vehicle other than the vehicle for which the context feature vector is determined.
  10. The method according to any of the preceding claims and comprising preprocessing the registered message to determine whether the message warrants classification by the at least one classifier based on at least one message attribute of the registered message.
  11. The method according to claim 10 and comprising determining that the message is valid if the message is determined not to warrant classifying by a classifier.
  12. The method according to claim 10 or claim 11 wherein the at least one message attribute used to determine whether the message warrants classification comprises the message ID of the registered message.
  13. The method according to claim 12 and comprising determining that registered messages identified by certain message IDs, but not others, warrant classification.
  14. A module for providing security to an in-vehicle communication network having a bus and at least one node connected to the bus, the module comprising: a memory storing a global feature vector having features that are values of message attributes characterizing messages transmitted over the in-vehicle communication network; a network interface for registering messages transmitted over the in-vehicle communications network; and a processor operable to process a registered message in accordance with any of claims 1-13.
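
The pipeline outlined in claims 1 and 10-13, as an added Python sketch that is not taken from the patent: a message-ID gate, a per-ID nearest-neighbour check (one of the classifier types named in claim 6) trained on presumed-clean traffic, and a context value drawn from the global feature vector. The IDs, the radius, the choice of features and the sample trace are all assumptions constructed for illustration.

```python
import math

# Constructed CAN-style IDs and acceptance radius: assumptions, not from the patent.
SPEED_ID, RPM_ID = 0x0F0, 0x0C9
WATCHED_IDS = {RPM_ID}   # pre-processing gate: only these IDs warrant classification
RADIUS = 2.0             # largest nearest-neighbour distance still accepted as valid

class Monitor:
    def __init__(self):
        self.global_fv = {}   # msg_id -> (timestamp_ms, value): latest values, all IDs
        self.clean = {}       # msg_id -> vectors seen in presumed-clean traffic

    def _features(self, msg_id, ts, value):
        prev_ts = self.global_fv.get(msg_id, (ts, value))[0]
        message_fv = [ts - prev_ts, value]                          # period (ms), field value
        context_fv = [self.global_fv.get(SPEED_ID, (0, 0.0))[1]]    # latest vehicle speed
        return message_fv + context_fv

    def train(self, trace):
        """Learn per-ID reference vectors from a trace presumed free of attacks."""
        for msg_id, ts, value in trace:
            if msg_id in WATCHED_IDS:
                self.clean.setdefault(msg_id, []).append(self._features(msg_id, ts, value))
            self.global_fv[msg_id] = (ts, value)

    def is_valid(self, msg_id, ts, value):
        """Register one message, classify it, then fold it into the global vector."""
        verdict = True                              # unwatched IDs pass unclassified
        if msg_id in WATCHED_IDS:
            vec = self._features(msg_id, ts, value)
            refs = self.clean.get(msg_id, [])       # classifier selected by message ID
            verdict = any(math.dist(vec, r) <= RADIUS for r in refs)
        self.global_fv[msg_id] = (ts, value)
        return verdict

def clean_trace():
    """Constructed sample: speed ramps 0..60 and RPM/100 tracks it, both every 100 ms."""
    trace = []
    for k in range(13):
        speed = 5.0 * k
        trace.append((SPEED_ID, k * 100, speed))
        trace.append((RPM_ID, k * 100 + 10, 10.0 + speed / 5.0))
    return trace

def demo():
    mon = Monitor()
    mon.train(clean_trace())
    return [mon.is_valid(SPEED_ID, 1300, 60.0),  # unwatched ID
            mon.is_valid(RPM_ID, 1310, 22.0),    # matches clean behaviour at speed 60
            mon.is_valid(RPM_ID, 1410, 12.0),    # plausible value, wrong for speed 60
            mon.is_valid(RPM_ID, 1415, 22.0)]    # right value, 5 ms after the last frame
```

The third message would be accepted at a speed of 10, which is the point of the context feature vector: the same frame is judged against the vehicle state in which it arrives.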

Description

RELATED APPLICATIONS

The present application claims benefit under 35 U.S.C. §120 of U.S. Application 15/675,829 filed on August 14, 2017.

BACKGROUND

Over the last half century the automotive industry has, initially slowly, and subsequently with great rapidity, been evolving from mechanical control systems for controlling a vehicle's functions to electronic "drive by wire" control systems for controlling the functions. In mechanical vehicular control systems a driver of a vehicle controls components of a vehicle that control vehicle functions by operating mechanical systems that directly couple the driver to the components via mechanical linkages. In drive by wire vehicle control systems a driver may be coupled directly, and/or very often indirectly, to vehicle control components that control vehicle functions by electronic control systems and electronic wire and/or wireless communication channels, rather than direct mechanical linkages. The driver controls the control components by generating electronic signals that are input to the communication channels and electronic control systems.

Typically, a vehicular electronic control system comprises a driver interface for receiving driver actions intended to control a vehicle function and a plurality of driver action transducers (DATs) that convert driver actions to electronic driver control signals. Examples of DATs include an electronic accelerator pedal, an electronic brake pedal, an electronic steering wheel, electronic turn-signal levers, and cruise control buttons. An electronic control unit (ECU) of the control system receives the driver control signals, and responsive to these signals, operates to produce electronic control signals ("ECU output signals") that control one or more actuators involved in performing a desired vehicle function and/or provide information to other ECUs.
Generally, a vehicular electronic control system further comprises a plurality of sensors that generate signals ("sensor signals") relevant to the vehicle function, that the ECU may receive and process for generating appropriate ECU output signals. Driver control signals, ECU output signals, and sensor signals may be generically referred to herein as "control signals" or "signals". The ECU of a given vehicle control system may also receive and process control signals relevant to performance of a vehicle function that may be generated by, and/or by components in, other vehicle control systems. The sensors, actuators, and/or other control systems communicate with each other and the ECU of the given control system via a shared in-vehicle communication network, to cooperate in carrying out the function of the given control system. By way of example, a vehicle throttle by wire control system that replaces a conventional cable between an accelerator pedal and an engine throttle may comprise an electronic accelerator pedal as a DAT, an ECU also referred to as an engine control module (ECM), and an electronic throttle valve as an actuator that controls airflow into the engine and thereby power that the engine produces. The electronic accelerator pedal generates driver control signals responsive to positions to which a driver depresses the pedal. The ECM receives driver control signals from the electronic accelerator pedal, and in addition receives other signals that may be generated by various sensors, actuators, and electronic control systems in the vehicle that provide information relevant to the safe and efficient control of the engine via an in-vehicle communication network. The ECM processes the driver control signals and the other signals to generate ECM output signals that control the throttle valve. 
The various sensors, actuators, and electronic control systems, that may provide relevant signals to the ECM over the in-vehicle network include, but are not limited to, air-flow sensors, fuel injection sensors, engine speed sensors, vehicle speed sensors, brake force and other traction control sensors comprised in a brake by wire system, and cruise control sensors. In-vehicle communication networks of modern vehicles are typically required to support communications for a relatively large and increasing number of electronic control systems of varying degrees of criticality to the safe and efficient operation of the vehicles. A modern vehicle may for example be home to as many as seventy or more control system ECUs that communicate with each other and with sensors and actuators that monitor and control vehicle functions via the in-vehicle network. The ECUs may, by way of example, be used to control in addition to engine throttle described above, power steering, transmission, antilock braking (ABS), airbag deployment, cruise control, power windows, lights (headlights, brake lights, turn signals), doors, and mirror adjustment. In addition, an in-vehicle network typically supports on board diagnostic (OBD) systems and communication ports, various vehicle status warning systems, collision