Abstract: In various embodiments, methods, systems, and vehicle apparatuses are provided. A method for determining a trusted context of operation by an in-vehicle Network Intrusion Detection System (NIDS) for learning of a vehicle platform, including executing the NIDS to monitor a set of Electronic Control Units (ECUs) and vehicle state elements by receiving a set of vehicle derived inputs about a vehicle's operating state; in response to a determination about the vehicle's operating state, identifying the trusted window during which learning about network topology and whitelisted messages contained in a vehicle platform is allowable; creating a vehicle-specific configuration containing a list of networks of topologies and whitelisted messages in use by the ECUs in the vehicle platform, and preventing misconfiguring of at least one network in the list of network topologies and whitelisted messages of the vehicle-specific configuration in the vehicle platform outside the trusted window.

Abstract: In various embodiments, methods, systems, and vehicle apparatuses are provided. A method for determining a trusted context of operation by an in-vehicle Network Intrusion Detection System (NIDS) for learning of a vehicle platform, including executing the NIDS to monitor a set of Electronic Control Units (ECUs) and vehicle state elements by receiving a set of vehicle derived inputs about a vehicle's operating state; in response to a determination about the vehicle's operating state, identifying the trusted window during which learning about network topology and whitelisted messages contained in a vehicle platform is allowable; creating a vehicle-specific configuration containing a list of networks of topologies and whitelisted messages in use by the ECUs in the vehicle platform, and preventing misconfiguring of at least one network in the list of network topologies and whitelisted messages of the vehicle-specific configuration in the vehicle platform outside the trusted window.

Abstract: A system for in-vehicle network intrusion detection includes a microcontroller having first and second cores and memory. The first core may be configured to obtain one or more network messages from one or more communication buses of a vehicle describing one or more events associated with the vehicle. The memory may be configured to store the one or more network messages obtained by the first core. The second core may be configured to: (i) read the one or more network messages from the memory; (ii) detect whether at least some of the one or more events constitute an anomaly based on predefined rules; (iii) generate one or more resident incident logs including metadata associated with one or more detected anomalous events based on the detected anomaly event data; and (iv) generate one or more transmitted incident logs based on the one or more resident incident logs.

Abstract: A system for in-vehicle network intrusion detection includes: (i) an anomaly detection module configured to obtain one or more network messages from one or more communication buses of a vehicle describing one or more events associated with the vehicle and detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data; (ii) a resident log generation module configured to generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and (iii) a transmitted log generation module configured to generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log.

Abstract: A system for in-vehicle network intrusion detection includes a microcontroller having first and second cores and memory. The first core may be configured to obtain one or more network messages from one or more communication buses of a vehicle describing one or more events associated with the vehicle. The memory may be configured to store the one or more network messages obtained by the first core. The second core may be configured to: (i) read the one or more network messages from the memory; (ii) detect whether at least some of the one or more events constitute an anomaly based on predefined rules; (iii) generate one or more resident incident logs including metadata associated with one or more detected anomalous events based on the detected anomaly event data; and (iv) generate one or more transmitted incident logs based on the one or more resident incident logs.

Abstract: A system for in-vehicle network intrusion detection includes: (i) an anomaly detection module configured to obtain one or more network messages from one or more communication buses of a vehicle describing one or more events associated with the vehicle and detect whether at least some of the one or more events constitute an anomaly based on predefined rules to provide detected anomaly event data; (ii) a resident log generation module configured to generate one or more resident incident logs based on the detected anomaly event data, wherein the one or more resident incident logs comprise metadata associated with one or more detected anomalous events; and (iii) a transmitted log generation module configured to generate one or more transmitted incident logs based on the one or more resident incident logs, wherein each of the one or more transmitted incident logs corresponds to a resident incident log.