Method For Protection From Cyber Attacks To A Vehicle, And Corresponding Device

Abstract

A method for protecting against cyber attacks in a communication network of a vehicle, including the steps of acquiring dominant voltage measurements; obtaining an electrical characteristic of nodes that transmit messages by acquiring consecutive groups of voltage measurements at receiving nodes and calculating a distribution thereof; calculating values of distribution statistics; calculating a cumulative voltage deviation for each value of statistic; and obtaining a voltage profile by adding the cumulative voltage deviations of each statistic, executing a malicious-node detection procedure and then executing a transmitting-node identification procedure including comparing the at least one characteristic parameter against all the corresponding characteristic parameters of all the messages, defining a range of variation of the characteristic parameter with respect to a given number of previous samples; and evaluating whether the value of the parameter falls within the range of variation of one of the messages and identifying as malicious the node that transmits the message.

Claims

1. A method for protection from cyber attacks in a communication network of a vehicle, that comprises: a communication bus comprising a high bus line, on which high logic voltages pass, and a low bus line, on which low logic voltages pass; and a plurality of nodes associated to said communication bus in a signal-exchange relationship and associated at least in part to control units for controlling functions of the vehicle, said nodes exchanging messages passing between nodes of said plurality of nodes to identify illicit messages, said messages being coded in data frames through dominant and recessive bits, said method including the steps of: acquiring dominant voltage measurements; and obtaining an electrical characteristic of nodes that transmit messages, execution of executing a malicious-node detection procedure that comprises: extracting at least one characteristic parameter of said voltage profile for each group; comparing said at least one characteristic parameter of a current group with a corresponding characteristic parameter extracted from a previous group; and if said comparison operation indicates that said at least one characteristic parameter of the current group differs from the at least one characteristic parameter of the previous group by at least one given difference value, supplying an identifier of the corresponding message and calculating a time of settling of the at least one characteristic parameter on a constant value, executing a transmitting-node identification procedure, which includes: comparing said at least one characteristic parameter evaluated at the settling time against all the corresponding characteristic parameters of all the messages received up to said settling time, said identification procedure comprising: defining, for each of said messages received, a range of variation of said at least one characteristic parameter with respect to a given number of previous samples; and evaluating whether the value of said at least one characteristic parameter falls within the range of variation of one of said messages and, if so, identifying as malicious node the node that transmits said message.

2. The method as set forth in claim 1, wherein supplying said identifier and computing the settling time if said at least one characteristic parameter of the current group differs from the at least one characteristic parameter of the previous group for a given number of executions of the comparison operation.

3. The method as set forth in claim 1, further including the step of calculating a proximity coefficient of the at least one characteristic parameter with respect to each of the at least one characteristic parameter of said messages, and if the value of the at least one characteristic parameter falls within the range of variation of more than one of said messages, identifying as malicious node the node that transmits said message to which the lowest value of proximity coefficient is associated.

4. The method as set forth in claim 1, further including the step of identifying as malicious node an external node if the value of the at least one characteristic parameter of the message under analysis does not fall within the range of variation of any of said messages.

5. The method as set forth in claim 1, wherein the extremes of said range of variation (limsup, liminf) correspond to the value of the characteristic parameter of each of said messages received evaluated at the settling time added to or subtracted from which is a value of standard deviation of the values of the same parameter calculated on a number (k.sub.past) of samples prior to the settling time.

6. The method as set forth in claim 5, wherein said proximity coefficient is calculated as the difference between the characteristic parameter of the node identified as malicious and the characteristic parameter of the respective message divided by said standard deviation.

7. The method as set forth in claim 1, wherein said characteristic parameter is a slope of the straight line representing the voltage profile.

8. The method as set forth in claim 1, wherein said characteristic parameter is a constant value of the straight line representing the voltage profile.

9. The method as set forth in claim 1, further including the step of obtaining an electrical characteristic of nodes that transmit messages by the further steps of: acquiring consecutive groups of voltage measurements on the high bus line and on the low bus line during reception of messages at receiving nodes and calculating a distribution thereof; calculating values of distribution statistics; calculating a cumulative voltage deviation for each value of statistic; and obtaining a voltage profile by adding the cumulative voltage deviations of each statistic.

10. The method as set forth in claim 9, wherein said consecutive groups are formed via a sliding window of voltage measurements in which one or more older voltage measurements are replaced with corresponding new voltage measurements.

11. The method as set forth in claim 1, further including the steps of: acquiring dominant voltage measurements via the steps of measuring voltages on the high line and on the low line for a given message; and filtering said voltage measurements to obtain measurements corresponding to just the dominant bits of the message by carrying out elimination of the voltage measurements corresponding to message acknowledgement bits, by setting for the high bus line and the low bus line lower and upper thresholds, respectively, for the recessive bits, and upper and lower thresholds, respectively, for eliminating the acknowledgement bits to obtain non-ACK dominant voltage measurements for the message.

12. A device for protection from cyber attacks in a communication network of a vehicle, that comprises: a communication bus on which high logic voltages pass, and a low bus line, on which low logic voltages pass; and a plurality of nodes associated to said communication bus in a signal-exchange relationship and associated at least in part to control units for controlling functions of the vehicle, said nodes exchanging messages passing between nodes of said plurality of nodes to identify illicit messages, said messages being coded in data frames through dominant and recessive bits, said device configured for operating as set forth in the method of claim 1.

13. The protection device as set forth in claim 12, further including a node that comprises: a feature-extraction block, configured to acquire dominant voltage measurements; a feature-processing block, configured to obtain an electrical characteristic of nodes that transmit messages (M) and to execute said malicious-node detection procedure and said malicious-node identification procedure; and an alarm block, which is performed by the control interface of the control unit and activated by the feature-processing block, and is configured to produce a warning alarm comprising the identifier of the malicious message and the name of the node from which it comes, and, preferably, also the times, such as the settling time.

14. The protection device as set forth in claim 13, wherein said node comprises a status memory, configured to store the voltage profiles, which is updated by the feature-processing block, which stores therein a new, updated, voltage profile and can download therefrom a voltage profile stored therein.

15. The protection device as set forth in claim 12, wherein the control unit comprises a nonvolatile memory, stored in which is a map of the message identifiers and the corresponding voltage profiles calculated the last time that the vehicle was turned on (key-on).

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0029] The invention will be described with reference to the annexed drawings, which are provided purely by way of non-limiting example and in which:

[0030] FIGS. 1, 2A, and 2B have already been described previously;

[0031] FIG. 3 illustrates a general diagram of the method described herein;

[0032] FIG. 4A and FIG. 4B show diagrams of quantities evaluated by the method described herein;

[0033] FIG. 4C shows a flowchart that represents a first step of operation of the method;

[0034] FIG. 5 shows a flowchart that represents a second step of operation of the method described herein;

[0035] FIG. 6A and FIG. 6B are time plots that represent quantities obtained using the method described herein;

[0036] FIG. 7 shows a flowchart that represents schematically a further step of the method described herein;

[0037] FIG. 8 shows a flowchart that represents schematically a final step of the method described herein;

[0038] FIG. 9A and FIG. 9B are time plots that represent quantities evaluated by said final step of the method described herein; and

[0039] FIG. 10 is a schematic representation of a circuit arrangement for implementing the method described herein.

DETAILED DESCRIPTION OF THE INVENTION

[0040] According to the solution described herein, each electronic control unit (ECU) or node is characterized by its hardware and constructional peculiarities, or inconsistencies, present at a physical level (voltage signals), considering that two ECUs produced by one and the same manufacturer, using the same components, are never identical in terms of measurements of the voltage levels VL present on the high bus line and the low bus line.

[0041] Represented schematically in FIG. 3 is the method for protection from cyber attacks in a vehicle communication CAN (Controller Area Network) that comprises a CAN-bus and a plurality of nodes or ECUs associated to said CAN-bus.

[0042] The above method, designated as a whole by the reference 100 comprises a first step 130 of building dominant measurements and a second step 170 of generating a voltage profile, which form part of a so-called fingerprinting procedure 110, i.e., a procedure for detecting the fingerprint of the ECU 11 that sends a message M. This fingerprinting procedure 110 obtains a unique fingerprint or signature for each ECU 11, exploiting voltage measurements read on the two lines of the CAN-bus 10, CAN-high 10H and CAN-low 10L, at the moment when the ECU 11 sends a message M.

[0043] In particular, in this regard, illustrated by way of example in FIG. 3 are a first ECU 111, which generates two messages M.sub.1 and M.sub.2, distinguished by respective message identifiers ID.sub.1, and ID.sub.2, and a second ECU 112 that generates a third message M.sub.3, distinguished by the message identifier ID.sub.3. Denoted by the subscript i is the generic i-th message M.sub.i, which corresponds to the message identifier ID.sub.i.

[0044] It is important that the above first two steps 130 and 170 manage to distinguish which voltage measurements read on the CAN-bus 10 effectively come from the ECU 11 that is sending the message M.

[0045] The method described is designed so as to be able to be easily integrated as a low-cost software application, which hence does not require any modification to the CAN, so that the rate of sampling of the voltage measurements is kept relatively low. This means that it is not known in which slot of the message the voltage values are measured, but only their values are known. Moreover, the method considers only the dominant measurements, because they are the ones effectively representative of the ECU 11 in so far as they regard switching-on of the MOSFET 12H, 12L of the respective transceiver 12.

[0046] Hence, also with reference to the flowchart of FIG. 4C that details the operation 130, the voltages VL.sub.i on the high line CAN-high 10H and on the low line CAN-low 10L are initially measured 132 for a given message M.sub.i. If i the index of the message, j may denote the index of the voltage measurements in the sequence of measurements, which are hence more specifically VL.sub.i,j, where j is an integer that ranges from 1 to J.

[0047] It is then envisaged to carry out an operation of filtering 134 of the voltage measurements of the message VL.sub.i to obtain measurements DV.sub.i corresponding to just the dominant bits of the message.

[0048] In this context, all the measurements VL.sub.ij lower than 2.75 V on the high bus line CAN-high 10H and higher than 2.25 V on the low bus line CAN-low 10L are discarded in order to obtain a set of just dominant measurements DV.sub.i,k, where k is an integer that ranges from 1 to K smaller than or equal to J, for a given message M.sub.i. The operation of voltage measurement proceeds until the message M.sub.i is received completely and appears in the buffer of the transceiver 12, where, by reading the respective identifier ID.sub.i of the message M.sub.i, it is possible to determine to which message the above dominant voltage measurements DV.sub.i,k belong.

[0049] Since, however, it may happen that a number of ECUs 11 communicate simultaneously, for example in the arbitration stage or during the ACK bit, it is useful to manage to discard the measurements that do not identify the legitimate ECU.

[0050] Hence, the filtering operation 134 may additionally comprise a procedure 136 of elimination of the measurements corresponding to the ACK bit. This is obtained by setting an upper threshold γ.sub.H above which the measurements on the bus line CAN-high 10H are discarded and a lower threshold γ.sub.L below which the measurements on the low bus line CAN-low 10L are discarded. These thresholds are characteristic of each ECU 11 and are created in the first step 130 of the method.

[0051] For instance, in order to define the above thresholds, given the distribution of the measurements values, specifically of the dominant voltage values DV.sub.i,k, for the high bus line CAN-high 10H, the kernel density is calculated, and the upper discarding threshold γ.sub.H is set where the kernel density of the distribution of the most frequent values goes to zero, as represented in the diagram of FIG. 4A, which shows the kernel density of the dominant voltage values DV.sub.i,k for the most frequent values (solid line) and for the maximum values (dashed line) on the CAN-high 10H. For the CAN-low 10L, the kernel density is calculated, and the lower discarding threshold γ.sub.L is set where the kernel density of the distribution of the most frequent values goes to zero, as represented in the diagram of FIG. 4B, which shows the kernel density of the dominant voltage values DV.sub.i,k for the most frequent values (solid line) and for the minimum values (dashed line) on the CAN-low 10L.

[0052] For the acknowledgement bits ACK, which are rewritten after the message has been received with dominant bits, higher voltages, e.g., VH of approximately 4 V and VL of approximately 0.5 V, are measured so that they fall outside the discarding thresholds. The different voltage level for the ACK is due to the fact that during the ACK slot all the nodes except for the transmitting one carry out acknowledgement, transmitting a dominant bit and switching on their own MOSFETs in parallel. This leads to a reduction in the resistances between VCC-10H and 10L-GND, with consequent reduction of the corresponding voltage drop. Hence, the voltages measured during reception of ACK are respectively higher and lower than the ones corresponding to the non-ACK dominant bits, and can be discriminated using the procedure of definition of thresholds based upon the distribution of the most frequent values.

[0053] Hence, via the above operation only the following values are considered:

2.75V<DV<γ.sub.H

where the dominant voltage values DV correspond to the CAN-high line 10H, and:

γ.sub.L<DV<2.25V

where the dominant voltage values DV correspond to the CAN-low line 10L.

[0054] In other words, in general, it is envisaged, in the operation 130, to measure the voltages on the bus lines and exclude the values associated to the recessive bits and to the acknowledgement bits ACK. These values correspond to non-ACK dominant voltage measurements NV.sub.i,k for the message M.sub.i, where the index k ranges from 1 to NK, which is smaller than or equal to the integer K. Such an operation of elimination of the measurements corresponding to the ACK bit 136 hence comprises fixing for the high bus line and the low bus line respective lower and upper thresholds for the recessive bits, and respective upper and lower thresholds for eliminating the acknowledgement bits ACK.

[0055] It should be noted that the operations of block 130, which enable acquisition of the non-ACK dominant voltage measurements NV.sub.i,k for the message M.sub.i, envisage in their implementation that the non-ACK dominant voltage measurements NV.sub.i,k for the message M.sub.i be stored temporarily in memory, it being possible, however, to say which message identifier ID.sub.i is available as information that can be used by the node only when the message M.sub.i has been received completely.

[0056] It should moreover be noted that the method 100, and hence the operation 130, may in some embodiments be started once a voltage measurement VL on the high bus line, CAN-high 10H, exceeds a respective threshold after a given period where the bus is free because this case is representative of sending of a 0-bit on the bus by an ECU (ISO 11898-2). This threshold is, for example, 2.75 V. Consequently, with reference also to what has been detailed previously, sampling of the voltage values VL can be performed without stopping, discarding from the sampled values the recessive ones, whereas the non-ACK dominant voltage measurements NV.sub.i,k are temporarily stored in memory. Usually, at this point, it is not possible to say to which i-th message identifier ID.sub.i they refer because this information is made available as information that can be used by the node only when the message M.sub.i has been received completely. This applies even though in effect the voltage values that define the i-th message identifier ID.sub.i are the first to be transmitted on the bus 10.

[0057] Then, in the step of generation of a voltage profile 170, the non-ACK dominant voltage measurements NV.sub.i,k are stored for each message identifier ID.sub.i so as to be sufficient in number to represent effectively the behaviour of the ECU 11 and used for obtaining features in terms of probabilistic distributions of the voltages, thus characterizing the physical behaviour of the ECU 11, both the instantaneous behaviour and the behaviour over time.

[0058] In FIG. 5, which shows a flowchart that represents in greater detail the step of generation of a voltage profile 170, in a step 171 a given integer number of non-ACK dominant voltage measurements NV.sub.i,k acquired in a given number of successive instants for a given i-th message identifier ID.sub.i is stored in a corresponding set of stored measurements A.sub.i.

[0059] In a step 172 a voltage distribution VD, in particular a percentile distribution, of the above set of stored measurements A.sub.i is calculated. Step 172 comprises calculating a distribution of the non-ACK dominant voltage values NV.sub.i,k in the set of stored measurements A.sub.i, hence calculating some specific features of the aforesaid distribution, such as the most frequent value on the high line 10H, feature F1, and on the low line 10L, feature F2, as well as a certain number of percentiles, for example the 75th and 90th percentile on the high line 10H (F3, F4) and the 25th and 10th percentile on the low line 10L (F5, F6).

[0060] In a step 173, on the basis of the aforesaid voltage distribution VD, i.e., the most frequent values and percentiles for the high line and the low line, a sum of the cumulative voltage deviations DC is calculated.

[0061] In particular, in step 173, for the features selected from among the features F1, . . . , F6 obtained in step 172, the CVD (Cumulative Voltage Deviation) with respect to an expected ideal value is calculated. For instance, the CVD of the feature F1 at a given iteration, i.e., an execution of steps 171, 172 on a given group, corresponds to the CVD calculated at the previous iteration incremented by the product of the time elapsed from the previous iteration and 1 minus the ratio between the value of the feature F1 measured v(F1) and the expected value v*(F1), i.e., (1−v(F1))/v*(F1). Then, if v(F1) always differs by the same amount from the expected value v*(F1) at each iteration, i.e., in the group comprising the given number of measurements, the CVD increases linearly.

[0062] Hence, preferably, in step 173 the values of CVD of features taken from among the various features F1, . . . , F6 are added together.

[0063] Consequently, in steps 171 and 172, when the voltage measurements NV.sub.i,k are received, they are grouped together in groups of a given number of voltage measurements NV.sub.i,k that make up the set of measurements A.sub.i. For each set of measurements A.sub.i, there are, for example, calculated the mean or most frequent value for the low line 10L and the high line 10H and one or more percentiles for the voltage measurements in the group of voltage measurements NV.sub.i,k. A cumulative deviation of the mean or most frequent value of the voltage measurements is then calculated, together with a cumulative deviation for each of the percentiles of the voltage measurements NV.sub.i,k. A value of sum DC can then be obtained by adding the cumulative deviation of the mean of the voltage measurements NV.sub.i,k to the cumulative deviation of one or more percentiles of the voltage measurements NV.sub.i,k.

[0064] It should be noted that, according to one aspect of the solution described, in some embodiments the set of measurements A.sub.i may comprise N groups of Z measurements obtained by using of a sliding window of samples. For each message identifier ID.sub.i, as the samples, namely, voltage measurements NV.sub.i,k, are stored, as soon as a new group is formed that comprises a number Z of measurements, the oldest group from among the N groups is discarded, whereas the group that has just been formed comes to form part of the set of data, i.e., the set of measurements A.sub.i, to be processed. Hence, the characteristics of the sliding window can be defined by setting the number of groups N that make it up and the number of measurements Z that make up a group. Consequently, by using the sliding window respective profiles DC are produced, which are added together in the operation 174. This renders the method adaptive, i.e., able to adapt to changes of operating conditions, which in general can derive from temperature or from influences on the voltage.

[0065] The values of sum DC for each group of measurements, or sliding window, used for an iteration of the steps 171, 172, 173, are stored. Hence, in general, with the subsequent iterations a number of values DC are stored, which increase following a substantially linear pattern, which can be described as:

Ψ[n]=Γ[n]t[n]+e[n]

where n is the index of the iteration, i.e., the calculation of a value of CVD in step 172, in particular the sum DC in step 173.

[0066] Consequently, on the basis of the values of Ψ[n], in step 174 it is possible to calculate a voltage profile VP as a function of time. To obtain the voltage profile VP, in step 174, on the basis of the values DC available at a given instant, a fitting is carried as a function of time t, for example through the RLS (Recursive Least Square) algorithm.

[0067] Hence, via the procedure 170, the messages sent by one and the same ECU 11 are represented by a sheaf of straight lines that have substantially the same angular coefficient m, i.e., an angular coefficient that falls within a given interval or corresponds to a given value but for a tolerance, and the same constant value or y-intercept q, which represents the fingerprint or signature, referred to as total voltage profile VP.

[0068] In particular, the angular coefficient m is determined at each step with a technique of adaptive signal processing that also enables calculation of the identification error e[n] of the problem of identification of the linear parameters:

Ψ[n]=Γ[n]t[n]+e[n]

which can be rewritten as the straight-line equation:

y(x.sub.k)=mx.sub.k+q

where x.sub.k is the value of the temporal abscissa associated to the k-th sample measured NV.sub.i,k, which may be the time of acquisition of the last sample of the set A.sub.i.

[0069] More specifically, the straight line y(x.sub.k) is constructed on the values stored in this way: the last Z samples belonging to a group are taken and with these the stored value associated to the i-th message identifier ID.sub.i is updated, and to this new stored value there is associated, as time, the time at which the last of the Z samples x.sub.k has been obtained. A distribution is obtained, which, through a fitting, is approximated to a straight line, from which the slope m and the constant value q are extracted.

[0070] Thus x.sub.k is the abscissa value associated to formation of the last set or group of Z samples.

[0071] In this regard, illustrated, for example, in FIG. 6A is the construction of the straight lines, i.e., voltage profiles VP, for each message identifier ID. For each message M.sub.i received from eight ECUs, 11.sub.1, . . . , 11.sub.8, the straight line of the value of the cumulated voltage deviation as a function of time t is represented. As may be seen, the angular coefficients of the straight lines of each sheaf corresponding to the ECUs 11.sub.1, . . . , 11.sub.8 lie in distinct intervals, which in general do not have values in common. In FIG. 6B, once again represented as a function of time t is, instead, the plot of the angular coefficient m. The data of FIGS. 6A-6B regard an acquisition of a duration of sixty seconds carried out on a motor vehicle for a subnetwork of eight ECUs and a traffic of seventy different message identifiers ID.

[0072] As has been said, according to an important aspect of the solution described herein, the fingerprint VP of the ECU is updated in time via the use of a sliding window of samples, which comprises a given number of samples or non-ACK dominant voltage measurements NV, but discards at each instant t the older measurements, introducing the most recent non-ACK dominant voltage measurements NV.sub.i,k. This renders the method adaptive, i.e., able to adapt to changes of operating conditions, which in general can derive from the temperature or influences on the voltage.

[0073] The above updating at each measurement instant is exploited by the subsequent steps of detection 200 and identification 300 of the attacker. In particular, after the identification of the attacker, e.g., the malicious node, tracking thus the source itself of the attack, the necessary measures are taken. In particular such measures may include one or more of forensic, isolation, security patch.

[0074] Illustrated in FIG. 7 is a block diagram that represents in detail the detection step 200.

[0075] In a step 210 for a given ECU 11 a value of angular coefficient m is acquired every Z measurements NV using the sliding window. Preferably, a number ni of initial measurements is excluded in order not to consider the initial transient during which the differences between the slopes of the straight lines are great, with the consequent risk of false positives.

[0076] In a step 220, it is evaluated whether the difference of the value of angular coefficient m acquired in step 210 with respect to the value acquired in the interval, in particular currently acquired, of Z measurements exceeds a fixed variation threshold ATH. In particular it is acquired 210 every Z measurements NV a value of angular coefficient m and computed the difference between the values of angular coefficient acquired every Z measurements NV, in particular between a preceding interval of Z measurements and the following interval of Z measurements. If, for a given number of consecutive intervals of Z measurements NV.sub.i,k the aforesaid variation threshold is exceeded, it is determined that there is an attack in progress. Step 220 returns a time when the attack occurred, i.e., the time when the condition of step 210 is met, and the corresponding message identifier ID, which hence corresponds to a compromised message.

[0077] Since, after start of the attack, associated to a change in the angular coefficient or slope m of the straight line, the voltage profile VP settles on the voltage profile of the compromised ECU 11 that is effectively sending the compromised message, in a step 230 it is envisaged to supply the aforesaid settling time k.sub.st, calculated as the last instant at which the difference between two values of slope m calculated on consecutive intervals of Z measurements NV exceeds the variation threshold ATH. The settling time k.sub.st indicates the time at which the compromised ECU has been recognized, and in step 230 the new profile VP* reached is moreover supplied, i.e., the voltage profile VP of the compromised ECU 11, in particular its new slope m*.

[0078] It may be noted that in variant embodiments, instead of the slope m, the constant value q of the straight line may be used, i.e., the identification error e[n], which also itself varies considerably at the moment when there is an attack in progress. In that case, it may be necessary to vary the configurable parameters, for example the parameters limsup, liminf, Z described hereinafter.

[0079] Consequently, in general, the method described herein envisages, once the straight line representing the voltage profile is obtained, carrying out the detection step 200 and the following step 300 of identification of the ECU 11 as a function of one of the parameters of the straight line, either the slope m or the constant value (or y-intercept) q.

[0080] At the end of the detection step 200, it is hence possible to proceed to the step 300 of identification of the attacker ECU 11. The parameters of the new voltage profile VP* at the settling time k.sub.st are compared with those of all the other profiles of the message IDs calculated up to that moment, in particular all the other profiles m.sub.I corresponding to respective message identifiers ID calculated up to that moment, which in particular may correspond to the settling time k.sub.st From this analysis, there are preferably excluded the message identifiers ID that have a number of past voltage profiles VP lower than a given value, for example 2Z, so as not to consider those message identifiers ID that have not yet settled.

[0081] For this purpose, as illustrated in FIG. 8, which represents schematically step 300, in the first place it is envisaged, in a step 310, to define, for each message identifier ID, a range of variation that has an upper limit limsup and a lower limit liminf:

limsup=m.sub.i(k.sub.st)+σ(m.sub.i(k.sub.st−k.sub.past),m.sub.i(k.sub.st−k.sub.past+1), . . . ,m.sub.i(k.sub.st))

liminf=m.sub.i(k.sub.st)−σ(m.sub.i(k.sub.st−k.sub.past),m.sub.i(k.sub.st−k.sub.past+1), . . . ,m.sub.i(k.sub.st))

where m.sub.i is the parameter, specifically, the slope of the voltage profile of the i-th message identifier ID considered, k.sub.st is the settling time (denoted by its index k, in particular corresponding to the index of voltage measurements NV.sub.i,k, or samples), k.sub.past indicates the past samples of the slope, and σ is the standard deviation. Hence, the upper limit limsup corresponds in the example to the slope m.sub.i of the voltage profile of the i-th message identifier calculated at the settling time k.sub.st, added to which is the standard deviation of the values of the same slope m.sub.i calculated on a number k.sub.past of samples that precede the settling time k.sub.st. The lower limit liminf corresponds to the slope m.sub.i of the voltage profile of the i-th message identifier at the settling time k.sub.st, subtracted from which is the standard deviation of the values of the same slope m.sub.i calculated on a number k.sub.past of samples that precede the settling time k.sub.st.

[0082] For each i-th identifier ID.sub.i, in the times and modes explained previously for steps 171-174, R+1 successive values of the i-th profile m.sub.i are calculated and gathered, i.e., m.sub.i(0), m.sub.i(1), . . . , m.sub.i(R), m.sub.i(R+1). Every R values of the profile m.sub.i a check is made on the value of the difference of the profile m.sub.i with respect to the value of the profile R samples before. Namely, a check is made on the difference in absolute value between m.sub.i(R) and m.sub.i(0), and then on the difference between m.sub.i(2.Math.R) and m.sub.i(R+1), i.e., on the next interval of length R of samples, and so forth. If this difference exceeds a threshold T for a number of consecutive checks, then the message identifier ID.sub.i in question is declared to be under attack.

[0083] Subsequently, the profile m.sub.i of that message identifier ID.sub.i is expected to settle, after the variation, at a new value, and hence the difference |m.sub.i(R.Math.i)−m.sub.i(R.Math.(i−1))| is expected to return below the threshold T.

[0084] The settling time k.sub.st is determined as the instant corresponding to the last sample of profile m.sub.i that exceeds the threshold T before it returns below the threshold.

[0085] Once the settling time k.sub.st is known, which corresponds, for example, to the sample S*R, the standard deviation σ is calculated on the last R samples of profile m.sub.i before S*R, i.e., m.sub.i(S*R−R), m.sub.i(S*R−R+1), . . . , m.sub.i(S*R). Then, an interval around the profile value m.sub.i is determined, defined by

liminf=m.sub.i(S.Math.R)−σ

limsup=m.sub.i(S.Math.R)+σ

[0086] Then, in a step 320, it is evaluated in what range associated to a respective message identifier ID the profile m* of the attacker determined in the detection step 200 falls.

[0087] If it is evaluated 321 that the profile of the attacker, hence in the example the slope m*, falls within a range associated to a message identifier ID, i.e., between the corresponding upper limit limsup and the corresponding lower limit liminf, in a subsequent step 324 the name of the corresponding ECU is returned as name of the attacker, in particular along with an associated proximity coefficient PC, in terms of how many times the value of standard deviation σ the slope m* of the attacker node is close to the one identified:

PC=|m*(k.sub.st)−m.sub.i(k.sub.st)|/σ(m.sub.i(k.sub.st−k.sub.past),m.sub.i(k.sub.st−k.sub.past+1), . . . ,m.sub.i(k.sub.st))

i.e., the proximity coefficient is equal to the difference, in absolute value, between the slope m* of the attacker node and the slope m.sub.i of the voltage profile of the i-th message identifier, calculated at the settling time k.sub.st, divided by the standard deviation of the values of the same slope m.sub.i calculated on a number k.sub.past of samples that precede the settling time k.sub.st.

[0088] Since it may happen that the profile m* of the attacker obtained in step 230 falls in more than one range, in this case in a step 322 all the names of the ECUs identified are stored with the corresponding proximity coefficient PC, and a warning signal is displayed. In a subsequent step 325, the ECU whose name is associated to the lowest proximity coefficient PC is selected as attacker ECU.

[0089] If, in a step 323, it is evaluated that the profile m* does not fall within any range, in a step 326 the attacker is identified as “external” attacker; i.e., the attacker ECU is external to the network of the vehicle.

[0090] Hence, the method proposed continues to update the profile of each message identifier ID, via the sliding window, even though the identifier is compromised. In this way, if the corresponding message is sent by another (attacked) ECU, there may be noted a change in the voltage profile, and this variation of profile determines the instant of start of the attack.

[0091] The above behaviour is clearly visible in FIGS. 9A and 9B, which show diagrams similar to those of FIG. 6A and 6B, in the case of a masquerade attack via a device external to the network that for five seconds sends the identifiers ID of the ECUs 11.sub.7 and 11.sub.8 at two different times. It may be noted how in FIG. 6A the straight lines change their own slope m a lot at the start of the attack for the aforesaid two ECUs, and then settle at a characteristic value of the attacked ECU. It is at this precise instant, i.e., at settling time k.sub.st, that the algorithm proceeds to identification of the ECU. Next, once the attack terminates and the legitimate ECU returns to communicating normally, the profile returns to its characteristic value.

[0092] In FIG. 9B, which shows the slope m, it may be noted how the slopes m of the two ECUs 11.sub.7 and 11.sub.8 at the moment when the attack occurs go to one and the same value precisely because the attacker device is the same for both ECUs.

[0093] The method described may be installed in a standard ECU so as to be easily integrated in the vehicle network without modifying it.

[0094] FIG. 10 is a schematic representation of a possible implementation architecture.

[0095] The ECU or node 11 comprises, in addition to the blocks illustrated in FIG. 1, a feature-extraction block 111, which receives at input both the digital data via a digital data interface DDI and the physical levels VL from the CAN-bus 10, via a physical interface PI, and is configured for calculating the features necessary for the subsequent processing operations, i.e., the non-dominant measurements.

[0096] The ECU 11 further comprises a feature-processing block 112, configured for setting some parameters for the block 111, for example the discarding thresholds of the procedure 130, and for calculating the voltage profiles, also identifying the malicious message and corresponding ECU. Also provided is a configuration interface CI for receiving configuration information. Basically, the block 112 is configured for executing the procedure 170, 200, 300, supplying at output the identifier of the malicious message M*.sub.i and the name of the malicious node CN.

[0097] Then, an alarm block 114 is envisaged, which may be a simple switch, for example implementing an AND logic function, performed by the control interface of the ECU 11 and activated [by the feature-processing block 112, and is configured to produce a warning alarm ALW, comprising the identifier of the malicious message and the name CN of the ECU from which it comes, preferably, also in addition to the times such as the settling time k.sub.st.

[0098] The blocks 111 and 112 comprise respective RAMs for saving all the measurements necessary for them.

[0099] Hence, in general, described herein is a node 11 or ECU comprising:

[0100] a feature-extraction block 111, configured to acquire 130 the dominant voltage measurements NV.sub.i,k; and

[0101] a feature-processing block 112, configured to obtain 170 an electrical characteristic VP, in particular a voltage profile VP, of nodes that transmit messages M and to execute said malicious-node detection procedure 200 and said malicious-node identification procedure 300, in particular such obtaining 170 an electrical characteristic VP of nodes that transmit messages M being obtained via the steps of:

[0102] acquiring 171 consecutive groups of voltage measurements VL on the high bus line 10H and on the low bus line 10L during reception of messages (M) at receiving nodes and calculating a distribution thereof;

[0103] calculating 172 values of distribution statistics;

[0104] calculating 173 a cumulative voltage deviation for each value of statistic; and

[0105] obtaining a voltage profile VP by adding the cumulative voltage deviations of each statistic

[0106] the node 11 further comprising an alarm block 114, performed by the control interface of the ECU 11, for example the microcontroller 14, and activated by the feature-processing block 112, configured to produce a warning alarm ALW that comprises the identifier of the malicious message and the name CN of the node 11 from which it comes, and, preferably, also the times such as the settling time k.sub.st.

[0107] Furthermore, the ECU comprises a status memory 113, configured to store at each step the status of the system, i.e., the voltage profiles. This status memory 113 is updated by the feature-processing block 112 (where the features are the voltage profiles) that stores therein the new updated voltage profile and can download therefrom the voltage profile stored therein.

[0108] Moreover present (not shown in FIG. 10) is a nonvolatile memory, stored in which is a map of the identifiers ID and the corresponding voltage profiles calculated the last time that the vehicle was turned on (key-on) so that these values can be considered as starting point for the next key on. This is because the method carries out real-time updating so as not to have obsolete profiles that would jeopardize the outcome of identification of the attacker. The model considered is always the most recent one.

[0109] Thus, the protection method from cyber attacks here described substantially corresponds to a procedure of monitoring the messages exchanged among the network nodes carrying out an anomaly-detection operation, e.g. 200, and carrying out a transmitting node identification operation, e.g. 300. Tracking the source of malicious messages is indeed a protection procedure in itself as the above anomaly detection and malicious node recognition operations have outputs which may already interpreted as alarms or alert in themselves. Also, the protection method may include specific alarm, as using block 114. Also, other form of measures against the attacks can be used, corresponding to the identified attack, as mentioned such measures may include one or more of forensic, isolation, security patch operations.

[0110] Hence, from what has been described above, the advantages of the solution proposed emerge clearly.

[0111] The solution here presented, renders the technique of ECU fingerprinting capable of recognizing autonomously the presence of an attack and identifying from which ECU the malicious message is coming simply by exploiting the continuous updating of the voltage profile and its variation that is visible during an attack. Hence, as compared to the prior art of WO2018013171A1 the solution proposed enables independent implementations of external IDS s (Intrusion-Detection Systems) and consequently is more easily implementable on embedded automotive systems.

[0112] Unlike other techniques that envisage the use of an underlying IDS that detects the presence of an attack and then identifies the ECU attacked, or else classifies it on the basis of machine-learning techniques, the algorithm presented here manages to do both of these things in a simple way and at low cost in computational terms and with a continuous and constantly updated monitoring of the voltage profiles. It likewise manages to return also the times at which the attack has been detected (times corresponding to starting of the algorithm, and hence upon turning on the vehicle and at which the attacker ECU has been identified, this being information that is useful for evaluating the performance and reliability of the system.

[0113] The attack-detection technique, based upon continuous updating of the voltage profile, enables determination of the presence of an attack without a further IDS (Intrusion-Detection System), thus guaranteeing autonomy for the fingerprinting procedure. It moreover returns the corresponding time (corresponding to starting of the method, and hence to turning on the vehicle at the start of the attack, in addition to the identifier of the malicious message.

[0114] The attacker-identification technique is able to determine in a short time from which ECU the attack comes by exploiting the knowledge of the unique fingerprinting of each ECU of the CAN. Thanks to a dedicated logic, it manages to distinguish cases in which the attacked ECU is external or internal to the network, supplying in each case a proximity measurement indicative of the confidence with which it is established that that particular ECU has been attacked.

[0115] The technique proposed (combination of attack detection and attacker identification) does not require the knowledge of the field of the message to which the voltage values measured belong.

[0116] The technique proposed (combination of attack detection and attacker identification) does not require modifications of the network or of the protocol used in the system in which it is included.

[0117] The technique proposed (combination of attack detection and attacker identification) can operate with CAN messages in standard or extended format and at any communication rate of the CAN.

[0118] The technique proposed (combination of attack detection and attacker identification) may be applied also to protocols other than the CAN protocol.

[0119] The invention has been described in an illustrative manner. It is to be understood that the terminology which has been used is intended to be in the nature of words of description rather than of limitation. Many modifications and variations of the invention are possible in light of the above teachings. Therefore, within the scope of the appended claims, the invention may be practiced other than as specifically described.