Abstract: In one embodiment, methods, systems, and apparatus are described in which data to be used by a processor is stored in a memory. Network communications with a data center are enabled via a network interface. The processor maintains a reporting policy for reporting anomalous events to the data center, the reporting policy having at least one rule for determining a reporting action to be taken by the processor in response to an anomalous event. The processor further monitors the IoT device for a report of an occurrence of the anomalous event. The processor performs the reporting action according to the at least one rule, in response to the report of the occurrence of the anomalous event. An episodic update to the reporting policy from the data center may be received at the processor, which modifies the reporting policy in accordance with the update. Related methods, systems, and apparatus are also described.

Abstract: In one embodiment, a sender node in a serial network identifies a message identifier for a packet to be sent by the sender node. The sender node selects a cyclical redundancy check (CRC) initialization vector associated with the message identifier. The sender node generates a CRC value for the packet, based on the selected initialization vector. The sender node sends the packet via the serial network. The sent packet includes the message identifier and the generated CRC value. In turn, a receiver node that receives the packet uses the generated CRC value to authenticate the sender node.

Abstract: Many modern devices and machines (e.g., Internet of Things (IoT) devices and connected vehicles (CV)) include wireless interfaces that permit external devices to communicate with the devices and machines. These wireless interfaces can be attacked by malicious actors who can affect the operation of the devices or machines. Embodiments herein describe a user controlled actuator (e.g., a knob, set of buttons, switches, etc.) for responding to a wireless attack. Using the actuator, the user can set a response level depending on the threat. Each threat level can elicit a predefined action or set of actions from a control system in the device or machine.

Abstract: In one embodiment, a device of a vehicle receives a packet comprising a source address, a destination address, an internet protocol (IP) encapsulated controller area network (CAN) message, and CAN message identifier information. The device compares the source address, the destination address, and the CAN message identifier information to an access control list (ACL). The device makes a determination that delivery of the CAN message to the destination address would be a policy violation based on the comparison. The device drops the packet based on the determination that delivery of the CAN message to the destination address would be a policy violation.

Abstract: In one embodiment, a sender node in a serial network identifies a message identifier for a packet to be sent by the sender node. The sender node selects a cyclical redundancy check (CRC) initialization vector associated with the message identifier. The sender node generates a CRC value for the packet, based on the selected initialization vector. The sender node sends the packet via the serial network. The sent packet includes the message identifier and the generated CRC value. In turn, a receiver node that receives the packet uses the generated CRC value to authenticate the sender node.

Abstract: In one example embodiment, a network-connected device provides or obtains one or more computer network communications protected by a key. The network-connected device determines a count of the one or more computer network communications according to one or more properties of the one or more computer network communications. Based on the count of the one or more computer network communications, the network-connected device computes an information entropy of the key. Based on the information entropy of the key, the network-connected device dynamically generates a predicted threat level of the key.

Abstract: In one embodiment, a device in a serial network determines that a suspicious event has occurred in the network. The suspicious event is identified based on timing information for one or more frames in the serial network. The device assesses whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event. The device causes a mitigation action to be performed in the network when the suspicious event is deemed malicious.

Abstract: A method includes receiving, by a processor of a data collector, a request for sensor data related to an event. The method also includes sending a plurality of requests for the sensor data to a plurality of on-board units (OBUs), respectively, where the plurality of OBUs is associated with a plurality of vehicles, respectively. The method further includes receiving a plurality of responses from the plurality of OBUs, respectively, wherein each response of the plurality of responses includes a sensor data item related to the event. In more specific embodiments the plurality of requests are sent to the plurality of OBUs based on the plurality of OBUs being located within a certain proximity to the event. In yet further embodiments, each sensor data item of the plurality of responses is encapsulated with a respective tag.

Abstract: In one embodiment, a router operating in a hierarchically routed computer network may receive collected data from one or more hierarchically lower devices in the network (e.g., hierarchically lower sensors or routers). The collected data may then be converted to aggregated metadata according to a dynamic schema, and the aggregated metadata is stored at the router. The aggregated metadata may also be transmitted to one or more hierarchically higher routers in the network. Queries may then be served by the router based on the aggregated metadata, accordingly.

Abstract: In one embodiment, a device of a vehicle receives a packet comprising a source address, a destination address, an internet protocol (IP) encapsulated controller area network (CAN) message, and CAN message identifier information. The device compares the source address, the destination address, and the CAN message identifier information to an access control list (ACL). The device makes a determination that delivery of the CAN message to the destination address would be a policy violation based on the comparison. The device drops the packet based on the determination that delivery of the CAN message to the destination address would be a policy violation.

Abstract: Many modern devices and machines (e.g., Internet of Things (IoT) devices and connected vehicles (CV)) include wireless interfaces that permit external devices to communicate with the devices and machines. These wireless interfaces can be attacked by malicious actors who can affect the operation of the devices or machines. Embodiments herein describe a user controlled actuator (e.g., a knob, set of buttons, switches, etc.) for responding to a wireless attack. Using the actuator, the user can set a response level depending on the threat. Each threat level can elicit a predefined action or set of actions from a control system in the device or machine.

Abstract: In one embodiment, methods, systems, and apparatus are described in which data to be used by a processor is stored in a memory. Network communications with a data center are enabled via a network interface. The processor maintains a reporting policy for reporting anomalous events to the data center, the reporting policy having at least one rule for determining a reporting action to be taken by the processor in response to an anomalous event. The processor further monitors the IoT device for a report of an occurrence of the anomalous event. The processor performs the reporting action according to the at least one rule, in response to the report of the occurrence of the anomalous event. An episodic update to the reporting policy from the data center may be received at the processor, which modifies the reporting policy in accordance with the update. Related methods, systems, and apparatus are also described.

Abstract: Information describing a rule to be applied to a traffic stream is received at an edge network device. The traffic stream is received at the edge network device. A schema is applied to the traffic stream at the edge network device. It is determined that a rule triggering condition has been met. The rule is applied to the traffic stream, at the edge network device, in response to the rule triggering condition having been met. At least one of determining that the rule triggering event has taken place or applying the rule is performed based on the applied schema.

Abstract: In one embodiment, a network device connected to an Internet Protocol (IP) network and a serial network scans an infrastructure of the serial network. Based on the scanning, the network device can determine one or more serial endpoints within the serial network infrastructure, and may then allocate an IP address to each of the one or more serial endpoints. The network device may then map received IP network traffic into serial protocol commands on the serial network for a destination serial endpoint having an allocated IP address corresponding to a destination IP address of the received IP network traffic, and may also bridge data present on the serial network from a sourcing serial endpoint into an IP message on the IP network with an indication of a corresponding allocated IP address of the sourcing serial endpoint, accordingly.

Abstract: In one example embodiment, a network-connected device provides or obtains one or more computer network communications protected by a key. The network-connected device determines a count of the one or more computer network communications according to one or more properties of the one or more computer network communications. Based on the count of the one or more computer network communications, the network-connected device computes an information entropy of the key. Based on the information entropy of the key, the network-connected device dynamically generates a predicted threat level of the key.

Abstract: In one embodiment, a device between a Controller Area Network (CAN)-based network and an Internet Protocol (IP)-based network receives a CAN message from a node in the CAN-based network. The CAN message comprises a CAN message identifier and a data field. The device determines an IP header based on the CAN message identifier and the CAN message. The device converts the data field of the CAN message into an IP message that includes the determined IP header. The device sends the IP message via the IP network to one or more eligible destinations for the IP message.

Abstract: In one embodiment, a device in a serial network determines that a suspicious event has occurred in the network. The suspicious event is identified based on timing information for one or more frames in the serial network. The device assesses whether the suspicious event is malicious by evaluating a sequence of events in the network that precede the suspicious event. The device causes a mitigation action to be performed in the network when the suspicious event is deemed malicious.

Abstract: Information describing a rule to be applied to a traffic stream is received at an edge network device. The traffic stream is received at the edge network device. A schema is applied to the traffic stream at the edge network device. It is determined that a rule triggering condition has been met. The rule is applied to the traffic stream, at the edge network device, in response to the rule triggering condition having been met. At least one of determining that the rule triggering event has taken place or applying the rule is performed based on the applied schema.

Abstract: In one embodiment, a network device connected to an Internet Protocol (IP) network and a serial network scans an infrastructure of the serial network. Based on the scanning, the network device can determine one or more serial endpoints within the serial network infrastructure, and may then allocate an IP address to each of the one or more serial endpoints. The network device may then map received IP network traffic into serial protocol commands on the serial network for a destination serial endpoint having an allocated IP address corresponding to a destination IP address of the received IP network traffic, and may also bridge data present on the serial network from a sourcing serial endpoint into an IP message on the IP network with an indication of a corresponding allocated IP address of the sourcing serial endpoint, accordingly.

Abstract: A method in one example embodiment includes identifying a power state and a battery level of a vehicle. The method also includes allocating power to critical applications (for example) in response to determining that the battery level is above a reserve threshold while the power state of the vehicle is engine-off. The method also includes allocating remaining power in excess of the reserve threshold to non-critical applications according to a power management policy. The power management policy may comprise at least one of a user power preference index and an application power preference index.