Tracking and management method for responding to a cyber-attack
20230072068 · 2023-03-09
CPC classification: H04L67/12 (ELECTRICITY)
Abstract
The invention relates to a tracking and management method for responding to a cyber-attack directed to at least one attacked vehicle of a fleet including a plurality of vehicles, each vehicle comprising an intrusion detection and prevention system (IDPS) configured to track data wirelessly received by said vehicle for identifying the cyber-attack, the method comprising the following steps: identifying the cyber-attack in said at least one attacked vehicle, the identification corresponding to the discovery, by the intrusion detection and prevention system (IDPS) of the at least one attacked vehicle, of at least one piece of malicious data among the wirelessly received data and the definition of a report update that characterizes said at least one piece of malicious data; broadcasting the report update to at least one non-attacked vehicle of the fleet from the at least one attacked vehicle according to a short range communication protocol.
Claims
1. A tracking and management method for responding to a cyber-attack directed to at least one attacked vehicle of a fleet including a plurality of vehicles, each vehicle of the fleet comprising an intrusion detection and prevention system (IDPS) configured to track data wirelessly received by said vehicle for identifying the cyber-attack, the method comprising the following steps: (E1) identifying the cyber-attack in said at least one attacked vehicle, the identification corresponding to the discovery, by the intrusion detection and prevention system (IDPS) of the at least one attacked vehicle, of at least one piece of malicious data among the wirelessly received data and the definition of a report update that characterizes said at least one piece of malicious data; and (E2) broadcasting the report update to at least one non-attacked vehicle of the fleet from the at least one attacked vehicle according to a short range communication protocol.
2. The tracking and management method according to claim 1, wherein the step of broadcasting (E2) of the report update is realized according to a direct communication between two vehicles of the fleet.
3. The tracking and management method according to claim 1, wherein the fleet includes a central system configured to exchange data with said plurality of vehicles according to a long range communication protocol, the method comprising the following steps realized after the identification step (E1) of the cyber-attack by said at least one attacked vehicle: (E11) sending the report update to the central system from the at least one attacked vehicle according to the long range communication protocol; and (E12) further sending the report update to the plurality of vehicles of the fleet from the central system according to the long range communication protocol.
4. The tracking and management method according to claim 3, wherein the at least one attacked vehicle is configured to filter data intended to be sent to the central system and/or to at least one non-attacked vehicle so as to exclude the unaltered at least one piece of malicious data.
5. The tracking and management method according to claim 1, wherein data wirelessly received originate from any wireless network the at least one attacked vehicle is adapted to be connected to.
6. The tracking and management method according to claim 5, wherein the intrusion detection and prevention system (IDPS) of each vehicle of the fleet is configured to spot and prioritize any report update received via the short range communication protocol for updating a prevention strategy of the intrusion detection and prevention system (IDPS).
7. The tracking and management method according to claim 1, wherein any vehicle of the fleet having the report update realizes the following steps: (E3) detecting a nearby vehicle according to the short range communication protocol configured to exchange information with said vehicle having the report update; and (E5) sending the report update to the nearby vehicle according to the short range communication protocol.
8. The tracking and management method according to claim 1, wherein the discovery of the at least one piece of malicious data is realized further to a detection of an abnormal resource usage and/or abnormal network activity of the at least one vehicle, the abnormality being statistically determined with respect to a resource usage baseline and/or network activity baseline.
9. The tracking and management method according to claim 8, wherein the report update contains data related to the detected abnormality, said data including a trained machine learning model, state machine information resulting from the cyber-attack and/or a list of IP addresses and ports from which the cyber-attack was launched.
10. The tracking and management method according to claim 1, wherein the step of (E1) identifying the cyber-attack is followed by a protection step (E20) wherein the at least one attacked vehicle stops receiving at least a part of the data from where the cyber-attack is launched, modifies its security preferences with regards to wirelessly received data and/or inhibits the received malicious data.
11. The tracking and management method according to claim 10, wherein the protection step (E20) further includes a configuration of the at least one attacked vehicle in a limpo mode wherein displacement capabilities of the vehicle are limited.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0059] With reference to the appended drawings, below follows a more detailed description of embodiments of the invention cited as examples.
[0060] In the drawings:
DETAILED DESCRIPTION
[0064] As illustrated in
[0065] Each vehicle 1 of the fleet 3 comprises an intrusion detection and prevention system IDPS configured to track data wirelessly received by said vehicle 1 for identifying the cyber-attack 2.
[0066] The method comprises a step E1 of identifying the cyber-attack 2 in said at least one attacked vehicle 1. The identification corresponds to the discovery, by the intrusion detection and prevention system IDPS of the at least one attacked vehicle 1, of at least one piece of malicious data among the wirelessly received data and the definition of a report update that characterizes said at least one piece of malicious data.
[0067] Then, the method comprises a step E2 of broadcasting the report update to at least one non-attacked vehicle 1 of the fleet 3 from the at least one attacked vehicle 1 according to a short range communication protocol 5.
[0068] Each attacked vehicle 1 can directly inform a nearby vehicle 1 according to a short range communication protocol 5 without needing to use a long range communication protocol 7.
[0069] In other words, a first vehicle 1 of the fleet 3 that is attacked establishes a report update characterising the cyber-attack 2. This report update is sent to any vehicle 1 in proximity (i.e., within range 8) thanks to the short range communication protocol 5 enabling a direct communication.
[0070] Even if the at least one attacked vehicle 1 and the nearby vehicles 1 are or get in an area isolated from long range communication networks, communication is still possible with the short range communication protocol 5. For example, a fleet 3 of trucks can contend with cyber-attacks 2 in coal mines.
[0071] The step of transmission E2 of the report update is realized according to a direct communication between two vehicles of the fleet 3.
[0072] The transmission of the report update realized according to the short range communication protocol 5 is propagated from one vehicle 1 to the other. This implies that the short range communication is faster and more reliable than communication over long range communication networks.
[0073] The fleet 3 includes a central system 9 configured to exchange data with said plurality of vehicles 1 according to the long range communication protocol 7. The method comprises the following steps realized after the identification step E1 of the cyber-attack by said at least one attacked vehicle 1:
[0074] E11 sending the report update to the central system 9 from the at least one attacked vehicle 1 according to the long range communication protocol 7, and
[0075] E12 further sending the report update to the plurality of vehicles 1 of the fleet 3 from the central system 9 according to the long range communication protocol 7.
There is a redundancy when dispatching the report update: the short range communication protocol 5 enables a direct transmission to vehicles 1 in proximity and the long range communication protocol 7 enables a centralized communication to the plurality of vehicles 1.
[0076] If the attacked vehicle 1 is in a location wherein the long range communication protocol 7 does not work, the short range communication protocol 5 is a means to inform a nearby vehicle 1 about the cyber-attack 2 to anticipate it.
[0077] Conversely, an isolated vehicle 1 able to communicate with the central system 9 can report about a cyber-attack 2 and share the report update.
[0078] Communication can then be maintained according to both protocols when a cyber-attack 2 is detected without increasing a risk of spreading the malicious data.
[0079] The at least one attacked vehicle 1 is configured to filter data intended to be sent to the central system 9 and/or to at least one non-attacked vehicle 1 so as to exclude the unaltered at least one piece of malicious data.
[0080] In order to prevent the cyber-attack 2 from spreading through the central system 9, the information that is broadcast by an attacked vehicle 1 to the central system 9 can be filtered so as not to transmit malicious data. The same filtering procedure can be realized for short range communication with nearby vehicles of the fleet 3.
[0081] Data wirelessly received may originate from any wireless network the at least one attacked vehicle 1 is adapted to be connected to.
[0082] Cyber-attacks 2 can be launched when the computer system of the vehicle 1 connects to any Wi-Fi network 11 or connects to the internet using mobile data. In detail, the router of a known Wi-Fi network could be compromised so that the attack originates from that known network, or a rogue router can be set up to impersonate a known Wi-Fi network. In that situation, a cyber-attack 2 can be launched directly against the vehicle 1 without spreading to the central system 9 or other vehicles 1.
[0083] The at least one piece of malicious data can be transmitted to the at least one attacked vehicle 1 via the short range communication protocol 5 or the long range communication protocol 7.
[0084] In some cases, the at least one piece of malicious data can come from the central system 9. The tracking and management method is therefore also adapted to the case where a cyber-attack 2 has infected the central system 9 and tries to spread to the fleet 3.
[0085] Thus, the short range communication protocol 5 is independent from the central system 9.
[0086] The intrusion detection and prevention system IDPS of each vehicle 1 of the fleet 3 is configured to spot and prioritize any report update received via the short range communication protocol for updating a prevention strategy of the intrusion detection and prevention system IDPS.
[0087] In other words, priority is given to the report update received from nearby vehicles 1 via the short range communication protocol 5.
[0088] Data transmitted through the central system 9 can still be considered to complete the prevention strategy implemented by other vehicles 1 of the fleet 3.
[0089] Thus, the deprioritization of centralized network communication in favour of short range communication takes place only if the centralized server or network, the so-called central system 9, is itself sending an update at the same time as a nearby vehicle 1 is transmitting the report update through short range communication. The short range communication gets priority over long range communication through the central system 9. Communication through the central system 9 acts as a backup (in queue) to the information already transmitted directly through short range communication. Any vehicle 1 of the fleet 3 having the report update can realize the following steps if needed:
[0090] E3 detecting a nearby vehicle 1 according to the short range communication protocol 5 configured to exchange information with said vehicle 1 having the report update,
[0091] E4 on receiving the update, the receiving vehicle checks whether it has already received the same or a similar update and discards it if so. The sender does not know whether the receiver already had the report; it simply broadcasts it,
[0092] E5 sending the report update to the nearby vehicle 1 according to the short range communication protocol 5.
[0093] The attacked vehicle 1 using short range communication broadcasts the report update, so it reaches not just one specific vehicle 1 but all vehicles 1 that are accessible through short range communication. It is a broadcast. Therefore, the sequence of transmitting the report from a first vehicle 1 to a second vehicle 1 and from the second to a third happens only if the third vehicle 1 is not reachable, through short range communication, directly from the first vehicle 1.
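As an added illustration that is not part of the patent, the following Python simulates steps E2 to E5 over a short range link: a content hash of the report update stands in for the E4 duplicate check, and the vehicle identifiers, one-dimensional positions and radio range are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

SHORT_RANGE = 10.0  # assumed radio range, in the same arbitrary units as Vehicle.pos


@dataclass
class Vehicle:
    vid: str
    pos: float                               # 1-D position, an assumption for the range model
    seen: set = field(default_factory=set)   # ids of report updates already received (E4)


def report_id(report: dict) -> str:
    """Content hash of a report update so a receiver can recognise a duplicate (E4)."""
    return hashlib.sha256(json.dumps(report, sort_keys=True).encode()).hexdigest()


def nearby(fleet: list, sender: Vehicle) -> list:
    """E3: the vehicles the sender can reach directly over the short range link."""
    return [v for v in fleet if v is not sender and abs(v.pos - sender.pos) <= SHORT_RANGE]


def broadcast(fleet: list, origin: Vehicle, report: dict) -> dict:
    """E2/E5: flood the report update hop by hop. Every vehicle re-broadcasts a
    report the first time it receives it and silently discards later copies, so a
    third vehicle is relayed through a second one only when the origin cannot reach
    it directly. Returns {vehicle_id: hop_count} for every vehicle that got the report."""
    rid = report_id(report)
    origin.seen.add(rid)
    hops = {origin.vid: 0}
    frontier = [origin]
    while frontier:
        next_frontier = []
        for sender in frontier:
            for v in nearby(fleet, sender):
                if rid in v.seen:          # E4: already have this update, discard
                    continue
                v.seen.add(rid)
                hops[v.vid] = hops[sender.vid] + 1
                next_frontier.append(v)
        frontier = next_frontier
    return hops


def demo_fleet() -> list:
    """Constructed fleet: A, B and C form a chain, D is out of everyone's range."""
    return [Vehicle("A", 0.0), Vehicle("B", 8.0), Vehicle("C", 16.0), Vehicle("D", 40.0)]
```

Broadcasting from A reaches B in one hop and C only via B, while D never receives the report; a second broadcast of the same report is discarded by every receiver.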
[0094] The discovery of the at least one piece of malicious data is realized further to a detection of an abnormal resource usage and/or abnormal network activity of the at least one vehicle 1, the abnormality being statistically determined with respect to a resource usage baseline and/or network activity baseline.
[0095] As illustrated in
[0096] The management system 13 includes a processor. The term resource usage concerns the activity of the management system 13 and the term network activity concerns the information exchange thanks to the short range communication module 15 and the long range communication module 17.
[0097] The report update contains data related to the detected abnormality, said data including a trained machine learning model, state machine information resulting from the cyber-attack 2 and/or a list of IP addresses and ports from which the cyber-attack 2 was launched. The report update is meant to share the attack information with the other vehicles 1.
[0098] The report update would comprise a trained machine learning model that can detect anomalous behavior. The first vehicle 1 can train a machine learning model to detect the attack in the first vehicle 1 and then send it to the others to enable them to detect the same attack.
[0099] The report update would also contain state machine information that is created by tracking the abnormal protocol states that resulted from the attack, and that is sent to the other vehicles 1 to detect the attack.
[0100] The report update would also contain a list of IP addresses and ports from which the attack was launched on the first vehicle 1, the system configurations that the attack leads to, and other information for easy detection of malicious data.
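The following Python is an added example, not the patent's own code, covering the statistical detection of abnormal network activity against a baseline (paragraph [0094]), the construction of the report update from source addresses and abnormal protocol states (paragraphs [0097] to [0100]), and the filtering that keeps the unaltered malicious data out of the report (claim 4). The z-score threshold, the field names, the sample traffic and the TEST-NET source addresses are assumptions; the machine learning model part of the report is left out.

```python
import statistics
from collections import Counter

Z_THRESHOLD = 3.0  # assumed: activity more than 3 baseline standard deviations above the mean is abnormal

# Constructed sample: packets per second observed during normal operation.
BASELINE_PPS = [100, 110, 95, 105, 100, 98, 102, 104, 99, 101]

# Constructed sample of the traffic the IDPS attributed to the burst (TEST-NET addresses).
SAMPLE_MALICIOUS = [
    {"src_ip": "203.0.113.7", "src_port": 4444, "state_before": "IDLE",
     "state_after": "UNEXPECTED_CMD", "payload": "<constructed bytes>"},
    {"src_ip": "203.0.113.7", "src_port": 4444, "state_before": "UNEXPECTED_CMD",
     "state_after": "RESET", "payload": "<constructed bytes>"},
    {"src_ip": "203.0.113.9", "src_port": 8080, "state_before": "IDLE",
     "state_after": "UNEXPECTED_CMD", "payload": "<constructed bytes>"},
]


def is_abnormal(baseline, observed, z_threshold=Z_THRESHOLD):
    """E1 statistical check: how many baseline standard deviations above the mean
    is the observed activity? Returns (abnormal, z_score)."""
    mean = statistics.fmean(baseline)
    stdev = statistics.pstdev(baseline) or 1e-9   # guard against a flat baseline
    z = (observed - mean) / stdev
    return z > z_threshold, z


def build_report_update(vehicle_id, z_score, malicious_packets):
    """Characterise the malicious data for the other vehicles: the source IP:port list
    and the abnormal protocol-state transitions. The payload is deliberately dropped so
    the unaltered malicious data never leaves the attacked vehicle (claim 4)."""
    sources = Counter((p["src_ip"], p["src_port"]) for p in malicious_packets)
    states = sorted({(p["state_before"], p["state_after"]) for p in malicious_packets})
    return {
        "reporter": vehicle_id,
        "anomaly_z_score": round(z_score, 2),
        "sources": [{"ip": ip, "port": port, "count": n}
                    for (ip, port), n in sources.most_common()],
        "state_machine": [{"from": a, "to": b} for a, b in states],
    }


def detect_and_report(vehicle_id, baseline, observed_pps, malicious_packets):
    """Run E1 end to end: a report update when the activity is abnormal, else None."""
    abnormal, z = is_abnormal(baseline, observed_pps)
    return build_report_update(vehicle_id, z, malicious_packets) if abnormal else None
```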
[0101] The step E1 of identifying the cyber-attack 2 can be followed by a protection step E20 wherein the at least one attacked vehicle 1 stops receiving at least a part of the data from where the cyber-attack 2 is launched, modifies its security preferences with regards to wirelessly received data and/or inhibits the received malicious data.
[0102] The primary preventive actions could be to block the IP address that is sending malicious code for execution or carrying out a manual attack, or alternatively to block the IP port from which the attack is being launched.
[0103] The intrusion detection and prevention system IDPS can also do changes to the security environment. The intrusion detection and prevention system can change the configuration of other security controls to disrupt an attack.
[0104] The protection step E20 further includes a configuration of the at least one attacked vehicle in a limpo mode wherein displacement capabilities of the vehicle are limited.
[0105] The last resort, when all other mechanisms fail to block the attack, would be to put the vehicle 1 in limpo mode, i.e., reducing the vehicle 1 to a low speed so that even if the attacker gains control of the vehicle 1 he/she cannot cause any accident.
[0106] It is to be understood that the present invention is not limited to the embodiments described above and illustrated in the drawings; rather, the skilled person will recognize that many changes and modifications may be made within the scope of the appended claims.