
Intrusion Detection System For Connected Vehicles

Abstract: The present disclosure describes an intrusion detection system (100) for a connected network. The intrusion detection system (100) comprises at least one signal transmitting node (102), a network interface controller (104) communicably connected to the signal transmitting node (102), wherein the network interface controller (104) comprises a data acquisition unit (106), a data analyzing unit (108) and a fault detection unit (110). Further, the system comprises a signal receiving node (112) communicably connected to the network interface controller (104). Furthermore, the network interface controller (104) is configured to identify a faulty source node based on the direction of data flow.


Patent Information

Application #
Filing Date
01 May 2024
Publication Number
19/2025
Publication Type
INA
Invention Field
COMMUNICATION
Status
Email
Parent Application

Applicants

Matter Motor Works Private Limited
301, PARISHRAM BUILDING, 5B RASHMI SOC., NR. MITHAKHALI SIX ROADS, NAVRANGPURA AHMEDABAD, GUJARAT, INDIA - 380010

Inventors

1. KUMAR PRASAD TELIKEPALLI
MATTER, DCT, C/O Container Corporations of India Ltd., Domestic Container Terminal Gate No. 4, Shed No 1, Khodiyar, Gujarat 382421
2. SATISH THIMMALAPURA
MATTER, DCT, C/O Container Corporations of India Ltd., Domestic Container Terminal Gate No. 4, Shed No 1, Khodiyar, Gujarat 382421
3. PANKAJ KUMAR BHARTI
MATTER, DCT, C/O Container Corporations of India Ltd., Domestic Container Terminal Gate No. 4, Shed No 1, Khodiyar, Gujarat 382421

Specification

INTRUSION DETECTION SYSTEM FOR CONNECTED VEHICLES
CROSS REFERENCE TO RELATED APPLICATIONS
The present application claims priority from Indian Provisional Patent Application No. 202421034487 filed on 01/05/2024, the entirety of which is incorporated herein by reference.
TECHNICAL FIELD
Generally, the present disclosure relates to network security systems. Particularly, the present disclosure relates to a system and method for detecting and mitigating communication anomalies in network terminals.
BACKGROUND
With the increasing interconnectivity of devices and systems through networked communication, especially in industrial, vehicular, and enterprise domains, ensuring the security and reliability of communication paths has become critical. In such environments, multiple source network terminals exchange data with centralized systems or cloud-based services through a gateway, which serves as the central communication hub. However, the gateways often face significant challenges in maintaining the integrity, performance, and security of data transmission, particularly when delays or anomalies occur in communication patterns.
Conventionally, approaches to network security rely on encryption protocols, such as but not limited to TLS (Transport Layer Security) or IPsec, and firewall configurations to protect data in transit between devices and networks. The encryption protocols work by encoding the data using cryptographic algorithms, so that the data can only be decrypted by authorized recipients possessing the correct decryption keys, thereby ensuring confidentiality and integrity. TLS is commonly used in application-layer communications, while IPsec operates at the network layer to secure IP packets. Firewalls serve as a barrier between trusted and untrusted networks, filtering incoming and outgoing traffic based on predetermined security rules such as IP address, port number, and protocol type. Together, the above-mentioned approaches create a multi-layered security posture that helps prevent unauthorized access, data tampering, and eavesdropping.
However, there are certain problems associated with the existing or above-mentioned mechanism of network security. For instance, the existing approaches largely focus on securing the content of the communication rather than emphasizing the behavior or performance of the network participants. As a result, the conventional approaches ignore the issues arising from internal anomalies, compromised subsystems, or timing-based disruptions, particularly in complex, distributed environments such as electric vehicle ecosystems with multiple electronic control units and third-party modules that communicate over shared networks. The above-mentioned limitation underscores the need for behavior-based security mechanisms that monitor, analyze, and respond to real-time operational patterns such as delays in communication logs to provide an additional layer of protection against system faults and emerging cyber threats.
Therefore, there exists a need for a mechanism for network security that is efficient, accurate, and overcomes one or more problems as mentioned above.
SUMMARY
An object of the present disclosure is to provide an intrusion detection system for a connected network that enhances the security of connected networks by detecting communication anomalies based on a faulty source node.
Another object of the present disclosure is to provide a method for detecting an intrusion in a connected network that enhances the security of connected networks by detecting communication anomalies based on a faulty source node.
In accordance with an aspect of the present disclosure, there is provided an intrusion detection system for a connected network, the intrusion detection system comprises:
- at least one signal transmitting node;
- a network interface controller communicably connected to the signal transmitting node, wherein the network interface controller comprises:
  - a data acquisition unit;
  - a data analyzing unit; and
  - a fault detection unit;
- a signal receiving node communicably connected to the network interface controller,
wherein the network interface controller is configured to identify a faulty source node based on the direction of data flow.
The system for detecting an intrusion in a connected network, as described in the present disclosure, is advantageous in terms of enhanced security and fault traceability in a connected network by integrating both directional data flow analysis and layered functional units within the network interface controller. Further, by incorporating a data acquisition unit, a data analyzing unit, and a fault detection unit, the system ensures that real-time communication data is collected, processed, and evaluated for anomalies across multiple layers. Consequently, faster diagnostics, reduced system downtime, and precise isolation of malicious activity without affecting healthy components are achieved. Additionally, the modular structure of the system, comprising separate signal transmitting and receiving nodes, enables scalability and interoperability within complex connected networks.
In accordance with another aspect of the present disclosure, there is provided a method for detecting an intrusion in a connected network, the method comprises:
- obtaining data flow information of the connected network to the data acquisition unit;
- dividing the received data flow information into a plurality of data packets based on a predefined time interval, via a data flow unit;
- classifying received data packets based on an activity log of the received data packets, via a classification unit;
- comparing the classified data packets with historical threat data stored in a memory unit; and
- assigning identified data packets with a threat security code, via a threat identifying unit.
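The five method steps above, sketched as a runnable pipeline. This is an added example, not code from the disclosure; the node names, message IDs, per-interval limits, labelling rules and the TSC-n code scheme are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed per-node profile (not from the disclosure): message IDs each source
# node may send, and its expected maximum message count per time interval.
ALLOWED_IDS = {"BMS": {0x101}, "INV": {0x201}, "TCU": {0x301}}
MAX_PER_INTERVAL = {"BMS": 3, "INV": 3, "TCU": 2}

# Constructed historical threat data: past incident patterns and their codes.
HISTORICAL_THREATS = [
    {"code": "TSC-3", "name": "message ID spoofing",
     "foreign_id": True, "min_rate_ratio": 0.0},
    {"code": "TSC-2", "name": "message flood",
     "foreign_id": False, "min_rate_ratio": 2.0},
]

# Constructed data flow log: (timestamp in seconds, source node, message ID).
SAMPLE_LOG = [
    (0.00, "BMS", 0x101), (0.10, "INV", 0x201), (0.50, "BMS", 0x101),
    (0.60, "INV", 0x201), (1.00, "BMS", 0x101), (1.05, "TCU", 0x301),
    (1.06, "TCU", 0x301), (1.07, "TCU", 0x301), (1.08, "TCU", 0x301),
    (1.09, "TCU", 0x301), (1.10, "TCU", 0x301), (1.50, "BMS", 0x101),
    (2.00, "BMS", 0x101), (2.20, "INV", 0x101), (2.50, "BMS", 0x101),
]


@dataclass
class DataPacket:
    window: int             # index of the time interval
    source: str             # signal transmitting node
    count: int              # messages seen from this node in the interval
    foreign_ids: frozenset  # message IDs the node is not allowed to send
    rate_ratio: float = 0.0
    label: str = "benign"
    threat_code: str = "TSC-0"


def divide_into_packets(log, interval_s):
    """Step 2: group log records per (time interval, source node)."""
    groups = defaultdict(list)
    for timestamp, source, msg_id in log:
        groups[(int(timestamp // interval_s), source)].append(msg_id)
    packets = []
    for (window, source), ids in sorted(groups.items()):
        # A node missing from the profile has no allowed IDs at all.
        foreign = frozenset(ids) - ALLOWED_IDS.get(source, set())
        packets.append(DataPacket(window, source, len(ids), foreign))
    return packets


def classify(packet):
    """Step 3: label a packet from its activity (volume, ID conformity)."""
    limit = MAX_PER_INTERVAL.get(packet.source, 1)
    packet.rate_ratio = packet.count / limit
    if packet.foreign_ids:
        packet.label = "malicious"
    elif packet.rate_ratio > 1.0:
        packet.label = "suspicious"
    else:
        packet.label = "benign"
    return packet


def assign_threat_code(packet, history):
    """Steps 4-5: compare with historical threat data, then assign a code."""
    if packet.label == "benign":
        packet.threat_code = "TSC-0"
        return packet
    packet.threat_code = "TSC-1"  # anomalous, but no historical match
    for record in history:
        if (bool(packet.foreign_ids) == record["foreign_id"]
                and packet.rate_ratio >= record["min_rate_ratio"]):
            packet.threat_code = record["code"]
            break
    return packet


def run_pipeline(log, interval_s=1.0, history=HISTORICAL_THREATS):
    """Step 1 is the caller handing over the acquired data flow log."""
    packets = divide_into_packets(log, interval_s)
    return [assign_threat_code(classify(p), history) for p in packets]


if __name__ == "__main__":
    for p in run_pipeline(SAMPLE_LOG):
        print(p.window, p.source, p.count, p.label, p.threat_code)
```

The TSC-1 fallback keeps an anomaly that matches no historical record visible instead of silently treating it as benign.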
Additional aspects, advantages, features, and objects of the present disclosure would be made apparent from the drawings and the detailed description of the illustrative embodiments constructed in conjunction with the appended claims that follow.
It will be appreciated that features of the present disclosure are susceptible to being combined in various combinations without departing from the scope of the present disclosure as defined by the appended claims.
BRIEF DESCRIPTION OF DRAWINGS
The summary above, as well as the following detailed description of illustrative embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the present disclosure, exemplary constructions of the disclosure are shown in the drawings. However, the present disclosure is not limited to specific methods and instrumentalities disclosed herein. Moreover, those in the art will understand that the drawings are not to scale. Wherever possible, like elements have been indicated by identical numbers.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the following diagrams wherein:
Figures 1 and 2 illustrate a block diagram of an intrusion detection system for a connected network, in accordance with an embodiment of the present disclosure.
Figure 3 illustrates a flow chart for detecting an intrusion in a connected network, in accordance with another embodiment of the present disclosure.
In the accompanying drawings, an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent. A non-underlined number relates to an item identified by a line linking the non-underlined number to the item. When a number is non-underlined and accompanied by an associated arrow, the non-underlined number is used to identify a general item at which the arrow is pointing.
DETAILED DESCRIPTION
The following detailed description illustrates embodiments of the present disclosure and ways in which they can be implemented. Although some modes of carrying out the present disclosure have been disclosed, those skilled in the art would recognize that other embodiments for carrying out or practicing the present disclosure are also possible.
As used herein, the terms “intrusion detection system”, “detection system,” and “IDS” are used interchangeably and refer to a security solution designed to monitor network or system activities for malicious activities or policy violations. The intrusion detection system analyzes data traffic, system events, and communications to identify patterns that indicate an intrusion or breach. The IDS provides real-time alerts and logs to security personnel, enabling timely responses to protect sensitive data and network resources. In connected networks, the IDS plays a crucial role in maintaining overall security by continuously scanning the environment for signs of potential threats. The types of IDS are based on the detection methodology and deployment architectures. The primary types include Network-Based IDS (NIDS), which monitors network traffic, Host-Based IDS (HIDS), which scrutinizes events on individual systems, and hybrid IDS that combine both approaches. The approaches used in IDS implementations vary from signature-based detection, which compares observed activities to known attack patterns, to anomaly-based detection, which leverages statistical or machine learning techniques to detect deviations from established behavioral baselines. The above-mentioned approaches work together to ensure that both known and unknown threats are identified and mitigated.
As used herein, the terms “signal transmitting node”, “source node”, and “source terminal” are used interchangeably and refer to any originating node or device within a connected network that initiates data communication. The signal transmitting node transmits control messages, status updates, or diagnostic data to other nodes on cloud-connected networks. The source terminal also sometimes serves as an entry point for malicious commands or abnormal traffic patterns. Specifically, to ensure network security, source terminals are monitored for parameters such as transmission frequency, message ID conformity, data payload integrity, and communication timing (e.g., delays or jitter). The detection of anomalies in the characteristics mentioned above allows for real-time threat mitigation. In Electric Vehicles (EVs), source network terminals expand to include certain sub-systems such as Battery Management Systems (BMS), inverter controllers, charging communication interfaces, and high-voltage domain ECUs. The sub-systems exchange critical, high-frequency data related to powertrain performance, energy consumption, and thermal management. The security measures for such EV-specific terminals involve tighter monitoring of voltage/current signals embedded in message payloads, enforcing real-time behavior baselines, and isolating components upon detection of anomalies. The methodologies for security measures include rule-based filtering, AI-driven behavioral modeling, and physical or software-based path blocking via a centralized gateway. The security measures ensure that any compromised or malfunctioning source terminal is swiftly detected and neutralized, maintaining the integrity of the core operational network.
As used herein, the terms “network interface controller”, “gateway controller,” and “interface controller” are used interchangeably and refer to a central communication management unit that facilitates, filters, and regulates data exchange between multiple sub-networks within a connected network. The interface controller plays a vital role in cybersecurity by monitoring message flow, enforcing access policies, detecting anomalies, and initiating responses such as message filtering, node isolation, or traffic throttling. The types of interface controllers include centralized interface (handling all domain traffic), domain-specific interface (managing traffic within a particular function), and zonal interface (handling data within a specific physical region of the network). Each type of interface controller is equipped with firewall logic, Intrusion Detection Systems (IDS), and encryption modules to protect against internal faults or external attacks. Further, in electric vehicles, the role of the interface controller becomes more critical due to the presence of high-voltage domains and components such as battery management systems, inverters, and EV-specific telematics modules. The vehicles rely on high-speed protocols such as Automotive Ethernet, and the gateway securely manages both routine control data and high-frequency safety-critical communications. The security methods specific to EVs include monitoring for abnormal charging patterns, voltage/current anomalies in the BMS messages, or malicious commands targeting energy flow or regenerative braking systems. A secure interface controller employs real-time traffic analysis, adaptive threshold-based error detection, and direct intervention mechanisms such as blocking compromised ECUs or re-routing network traffic to preserve functionality. As the central decision-making node, the interface controller thus serves as both a communication hub and a frontline guard in ensuring secure, resilient network operation.
As used herein, the terms “data acquisition unit” and “acquisition unit” are used interchangeably and refer to the part of the IDS that is responsible for collecting raw data from various network sources and sensor interfaces. The data acquisition unit gathers a broad array of inputs such as network traffic, system logs, and activity metrics, which serve as the basis for further security analysis. The key function of the data acquisition unit is to ensure that the IDS has continuous, reliable streams of data to monitor for potential intrusions. The quality and integrity of the collected data directly impact the effectiveness of subsequent analysis and threat detection processes. The Data Acquisition Unit is implemented in several ways. In hardware-based units, dedicated devices or appliances are used to tap into network traffic (such as, but not limited to, via port mirroring or network taps). In software-based implementations, agents or collectors installed on various systems gather log data and performance metrics. The procedure often involves pre-filtering and normalizing data to reduce noise before sending data to the data analyzing unit for deeper inspection. Robust data acquisition improves situational awareness and the capacity to detect subtle anomalies, which ultimately enhances the overall security posture of the network by ensuring that all significant events are captured and processed accurately.
As used herein, the terms “data analyzing unit” and “analyzing unit” are used interchangeably and refer to a core component of an IDS that processes, correlates, and analyses data received from various acquisition sources. The data analyzing unit interprets the raw data to identify patterns, anomalies, or signatures that indicate security threats. The data analyzing unit employs algorithms, statistical models, and machine learning techniques to discern normal from abnormal behavior within network traffic or system activities. Further, the analyzing unit provides actionable insights and triggers alerts when potential intrusions are detected. The types of analysis approaches used include signature-based analysis, which matches known attack patterns stored in a database, anomaly-based analysis, which uses models to determine deviations from expected behavior, and stateful protocol analysis, which understands the details and context of specific network protocols. The approaches involve collecting data, parsing the data through various analytical engines, and correlating events over time to determine when data meet criteria for malicious behavior. The comprehensive analysis enables the IDS to effectively reduce false positives and focus on genuine threats, thereby increasing the efficiency and accuracy of intrusion detection.
As used herein, the terms “fault detection unit” and “detection unit” are used interchangeably and refer to a module designed to monitor a network or system for any irregularities, malfunctions, or errors that compromise security or performance. The Fault Detection Unit examines internal failures, configuration errors, or hardware/software malfunctions that indirectly provide opportunities for intrusions. The Fault Detection Unit continuously monitors system logs, performance metrics, and error messages, thereby contributing to a holistic security environment by ensuring that both external and internal faults are addressed. The Fault Detection Unit includes various types of detectors such as threshold-based detectors (triggering alarms when metrics exceed predefined limits), pattern recognition systems (identifying recurrent error patterns), and machine learning algorithms that adapt to evolving system behaviors. The approach for monitoring involves real-time monitoring of system states and cross-referencing the collected data with normal operational baselines. The Fault Detection Unit enables an increase in system robustness and reliability, as the unit prevents faults from cascading into larger failures, reduces downtime, and maintains the overall integrity of the network environment.
As used herein, the terms “faulty source node”, “malfunction terminal,” and “faulty node” are used interchangeably and refer to a specific network node or endpoint that is identified as the source of abnormal activity, errors, or potential security breaches within a connected network. The terminal may comprise, but is not limited to, a computing device, an IoT device, or any endpoint that exhibits unusual behavior deviating from standard operational parameters, such as frequent connection drops, unusual data transmissions, or abnormal request patterns. The identification of a malfunction originating terminal is critical for isolating problems, mitigating potential threats, and ensuring the overall health of the network. The types of faulty source node are classified by the nature and the type of fault. For instance, some faulty source nodes are hardware failure nodes, misconfigured software terminals, or compromised devices due to malware or unauthorized access. The approach to identifying such terminals involves monitoring network traffic, analyzing system logs, and applying anomaly detection algorithms to flag deviations from normal behavior. Once a faulty node is identified, the terminal is isolated or restricted by the network security system, thereby preventing the propagation of any potential security risks. The identification of the faulty source node provides a higher degree of containment for potential faults or breaches, leading to increased network resiliency, reduced risk of widespread compromise, and minimized impact on overall network operations.
As used herein, the term “data flow unit” refers to a module that manages and regulates the movement of data packets and information streams through the network. The data flow unit ensures that data flows in a controlled manner and that the transmission is monitored for irregularities or potential security threats. The data flow unit analyses traffic volumes, directions, and speeds, helping to detect sudden surges or drops that might indicate network attacks, such as distributed denial of service (DDoS) or data exfiltration activities. The data flow unit plays a critical role in maintaining network performance as well as security by offering a real-time overview of data movement. The types of data flow units are designed for different network environments and traffic loads. The types of data flow unit include hardware-based appliances that perform high-speed packet inspection, software-based flow analysers that operate on server systems, and hybrid solutions that combine both approaches. The approach involves capturing data packets using network taps or port mirroring and processing the packet headers and payload data through traffic analysis engines. The data flow unit enables an efficient data flow for rapid detection of anomalies, allowing for timely intervention to prevent potential security incidents.
As used herein, the term “classification unit” refers to a key component of an IDS that categorizes incoming data or events based on the characteristics and potential threat levels. The classification unit processes the analyzed data and assigns a predefined class, such as benign, suspicious, or malicious. The classification unit leverages both signature-based identification and behavior analysis to systematically classify network events. The classification helps in prioritizing alerts and ensuring that security responses are directed towards events that pose the highest risk. The types of classification approaches employed in IDS include rule-based classification, statistical classification, and machine learning-based classification. In rule-based systems, events are classified based on a set of pre-established criteria or signatures. In statistical methods, a probability model is used to determine the odds of an event being malicious, and machine learning approaches adaptively refine the classification process by learning from new data over time. The technique typically involves the pre-processing of data, feature extraction, and using algorithms to match the features against known patterns or models. The advantages of the classification unit include faster response times, more accurate threat categorization, and the ability to adapt to evolving attack patterns, thereby enhancing the overall effectiveness and precision of the IDS.
As used herein, the term “threat identifying unit” refers to a module designed to identify potential security threats by analyzing classified data and correlating events to known attack vectors. The threat identifying unit's primary role is to detect signatures or behavioral patterns indicating cyber threats such as malware infections, unauthorized access attempts, or data breaches. The threat identifying unit continuously aggregates information from various sensors, classification engines, and historical threat databases to identify discrepancies that might signify a threat. The real-time identification process is essential for triggering prompt countermeasures that prevent or mitigate the impact of security breaches. The types of threat identification approaches used within such a unit include signature-based detection, which compares observed events against a database of known threat signatures; anomaly-based detection, which identifies deviations from normal behavior; and heuristic analysis, which infers potential threats based on pattern recognition and probabilistic reasoning. The technique generally involves receiving classified events from the classification unit, correlating the events with historical threat data, and then applying decision algorithms to label them as threats. The advantages of the threat identifying unit include proactive security measures, reduced risk of system compromise, and enhanced overall network resilience against evolving attack strategies.
As used herein, the terms “swappable battery”, “removable battery,” and “detachable battery” are used interchangeably and refer to a modular energy storage unit designed for quick removal and replacement within electric vehicles or network-connected machinery, enabling rapid energy replenishment without prolonged charging downtime. Within a connected network, especially in vehicle fleets or smart infrastructure, the swappable batteries are equipped with embedded communication modules that exchange status, authentication, and operational data with centralized systems. The batteries are uniquely identifiable and operate under strict power and data integrity protocols to prevent unauthorized access, spoofing, or physical tampering. In an intrusion detection system (IDS), the swappable battery becomes both a node and a vector, and the behavior and connection patterns are continuously monitored for anomalies. The swappable batteries are classified into standardized and proprietary types. The standardized batteries are designed for interoperability across multiple platforms and vendors, and proprietary batteries are tailored to specific manufacturers or ecosystems. The IDS employs a combination of signature-based detection (matching known malicious patterns) and anomaly-based detection (flagging deviations in energy usage, swap frequency, location data, or digital signature mismatches). The technique includes real-time monitoring of communication logs from the battery unit, correlation with expected usage profiles, and authentication handshakes during swap events.
As used herein, the term “inverter controller” refers to a component in electric vehicles and energy management systems that governs the conversion of DC (direct current) from batteries to AC (alternating current) used by electric motors or external loads. In a connected network, the inverter controller functions as a power control unit and also as a networked device that communicates operational data, control signals, and status reports to centralized monitoring systems. Due to the central role in energy flow and motor control, the inverter controller becomes a potential attack surface for cyber-physical threats. Within an intrusion detection system (IDS), the inverter controller is continuously monitored for unauthorized command injections, abnormal voltage or frequency variations, and unusual communication patterns that could indicate malicious activity. The inverter controllers are generally categorized into centralized and distributed types. The centralized controllers manage the entire energy conversion process from a single control unit, and distributed systems assign control across multiple modules for more granular or redundant control. The IDS leverages both behavioral modeling and protocol analysis methods to safeguard these controllers. Behavioral modeling involves learning the normal operation patterns (e.g., torque requests, voltage response curves, and timing intervals), and protocol analysis ensures that messages follow expected formats and timing. The system flags anomalies such as inconsistent power output relative to input, out-of-band command signals, or unauthorized firmware updates. Upon detection, the IDS logs the anomaly, alerts the system administrator, or initiates protective countermeasures such as isolating the controller from the network or reverting it to a safe operational state.
As used herein, the term “threat identifying unit” refers to a component of an intrusion detection system (IDS) responsible for detecting, classifying, and flagging malicious activities or security threats within a connected network. The threat identifying unit operates by analyzing communication data, system behavior, and control signals across various nodes such as ECUs, sensors, power units, or external interfaces and identifying patterns indicative of cyber intrusions, unauthorized access, or system misuse. The threat identifying unit uses both static and dynamic indicators of compromise (IOCs), relying on predefined rules as well as adaptive learning models to uncover potential attacks ranging from spoofing and replay to logic manipulation and data injection. The types of threat identifying unit are signature-based and anomaly-based. The signature-based units rely on a database of known attack patterns and flag any matching activity, and anomaly-based units use statistical models, machine learning, or behavioral baselines to detect deviations from expected norms. The detection method includes continuous log analysis, multi-layer protocol inspection, and real-time correlation of system states and network behavior. The unit also incorporates threat scoring to prioritize alerts based on severity and confidence. Once a threat is identified, the system triggers appropriate responses such as logging the event, notifying a base network terminal, or activating defensive modules such as path control or system isolation.
As used herein, the terms “signal receiving node”, “receiving node”, “base node,” and “base terminal” are used interchangeably and refer to an endpoint for a communication channel that serves as an infrastructure-critical node within a connected network. In general networks, the base network terminal includes central body controllers, telematics units, or diagnostic interfaces, which are essential for normal operation and security supervision. The types of base network terminals include, but are not limited to, central gateways, zonal controllers, and cloud uplink modules. The base network terminals are pre-authenticated, have elevated privileges, and are prime targets for both monitoring and hardening. In electric vehicles, the base network terminals include sub-systems such as the Vehicle Control Unit (VCU), Battery Management System (BMS), and Charging Communication Interface, which initiate or regulate vital operations. Further, securing the above-mentioned sub-systems involves strict message authentication, watchdog mechanisms to detect inactivity or irregularity, and firmware integrity checks. Furthermore, mechanisms for securing include strengthening the base terminal firmware, whitelisting allowed message types, monitoring command patterns, and using redundant fallback paths to ensure safe operation in the event of terminal compromise.
As used herein, the terms “memory unit”, “storage unit”, “storage module,” and “memory storage” are used interchangeably and refer to a hardware component or embedded storage area designed to store data, instructions, and information for quick access by the gateway controller. The information includes, but is not limited to, system firmware, configuration files, communication logs, error records, and runtime variables. The memory unit plays a vital role as the memory unit contains sensitive information protected from unauthorized access, tampering, or loss. The types of memory units include, but are not limited to, non-volatile memory (Flash, Electrically Erasable Programmable Read-Only Memory (EEPROM)), volatile memory (Random Access Memory (RAM) for temporary storage), and hybrid secure memory modules that support cryptographic protection or write-once procedures. In electric vehicles, the memory units store high-priority data such as battery health logs, charging session history, inverter performance metrics, and safety-critical event traces. The methods for securing memory units in both conventional and EV platforms include encryption of stored data, secure boot validation of firmware images, memory partitioning (to isolate different functional domains), and logging memory access with source attribution. By securing the memory unit, the vehicle maintains reliable diagnostics, prevents malicious firmware injection, and enables forensic capabilities in the event of network failure or intrusion.
As used herein, the term “historical threat data” refers to a repository of past security incidents, including details such as attack signatures, system vulnerabilities exploited, and the contextual conditions under which the threats occurred. The data is critical in enhancing an IDS’s ability to detect patterns and predict future threats. Further, by analyzing historical trends and correlating the data with current network activity, the security systems accurately identify emerging threat patterns and fine-tune the detection algorithms. The historical threat data forms the backbone of many signature-based and anomaly-based detection methods, providing a reference framework for recognizing potential security breaches. The types of historical threat data include logs of network intrusions, records of malware variants, vulnerability databases, and incident response reports. The approach of utilizing historical threat data involves storing and indexing the records in a secure repository, using the data to train machine learning models or update detection signatures within the IDS. The advantages of historical threat data include enhanced early warning capabilities, better-informed decision-making in threat mitigation, and the continual evolution of security protocols based on real-world incident data.
As used herein, the terms “node restricting library”, “library,” and “node repository” are used interchangeably and refer to a collection of rules, parameters, and procedures that define the restriction or management of the individual nodes or network endpoints in the event of identified security threats. The library serves as a reference for the IDS to enforce node-level restrictions, such as network segmentation, access control limitations, or temporary isolation of compromised devices. Further, by maintaining a centralized repository of restriction criteria, the system determines the appropriate response when a node exhibits suspicious behavior or falls below specified security thresholds. The Node Restricting Library includes various types of restriction guidelines such as IP address filtering rules, port blocking lists, device-specific behavioral constraints, or protocols for throttling network activity. The technique of using the library involves referencing the stored policies in real time as the IDS detects that a particular node’s behavior deviates from acceptable norms, the system consults the library and applies corresponding restrictions automatically. The advantages of node restricting library include improved network segmentation, enhanced containment of security incidents, and a reduction in the propagation of cyberattacks, which altogether contribute to a more secure and resilient network.
As used herein, the terms “data packets”, “packets,” and “network packets” are used interchangeably and refer to the fundamental units of data transmitted across network systems. Each packet contains a portion of the application data and control information such as source and destination addresses, error-checking codes, and sequencing information. In the context of an IDS for a connected network, the data packets are continuously captured and analyzed to detect anomalies, unauthorized access, or other suspicious activities. The detailed inspection enables the IDS to reconstruct communication sessions and understand traffic patterns, which is essential for accurate threat detection and network performance monitoring. The types of data packets are based on the functions and protocols, such as but not limited to TCP/IP packets, UDP packets, and ICMP packets, each serving specific roles in network communication. The method of handling data packets within an IDS involves packet capturing via network taps or mirror ports, followed by deep packet inspection (DPI) as both the header and payload are analyzed. The signature-based detection is applied to packets to identify known malware or attack patterns, and anomaly-based systems flag unusual packet sizes, rates, or structures that deviate from normal traffic baselines. The advantages of data packets include increased detection accuracy, faster response times to potential intrusions, and the overall enhancement of network security by ensuring that identification of the suspicious traffic is done early.
As used herein, the term “threat security code” refers to a unique identifier or set of coded instructions embedded within an IDS that corresponds to specific security threats or vulnerability signatures. The threat security code is used to identify, categorize, and respond to known attack patterns by matching observed behaviors and data to code stored in a threat signature database. The coded system is updated dynamically, enabling the IDS to recognize and react to emerging threats in a timely manner. Essentially, the threat security code acts as the operational blueprint for recognizing discrete security events and triggers appropriate response protocols when a threat is detected. The types of threat security code are signature-based codes that match predefined attack signatures, heuristic codes that infer potential threats based on behavioral patterns, and adaptive codes that leverage machine learning algorithms to evolve with new threat data. The method typically involves processing incoming data through analysis engines that cross-reference detected events with the stored threat security codes. Further, as a match is identified, the IDS initiates a series of predefined actions such as issuing alerts, isolating affected nodes, or engaging automated countermeasures. The advantages of labelling as a threat security code include increased detection accuracy, the ability to swiftly neutralize threats, improved system resilience, and an adaptive security framework that can keep pace with the evolving landscape of cyber threats.
In accordance with an aspect of the present disclosure, there is provided an intrusion detection system for a connected network, the intrusion detection system comprises:
- at least one signal transmitting node;
- a network interface controller communicably connected to the signal transmitting node, wherein the network interface controller comprises:
- a data acquisition unit;
- a data analyzing unit; and
- a fault detection unit;
- a signal receiving node communicably connected to the network interface controller,
wherein the network interface controller is configured to identify a faulty source node based on the direction of data flow.
Referring to figure 1, in accordance with an embodiment, there is described an intrusion detection system 100 for a connected network. The intrusion detection system 100 comprises at least one signal transmitting node 102, a network interface controller 104 communicably connected to the signal transmitting node 102, and a signal receiving node 112 communicably connected to the network interface controller 104. The network interface controller 104 comprises a data acquisition unit 106, a data analyzing unit 108, and a fault detection unit 110. Further, the network interface controller 104 is configured to identify a faulty source node based on the direction of data flow.
The intrusion detection system 100 for a connected network comprises a series of interconnected nodes, as at least one signal transmitting node 102 provides network traffic, and a network interface controller 104 acts as the central processing hub. The network interface controller 104 is communicably connected to both the signal transmitting node 102 and the signal receiving node 112 and is further subdivided into specialized functional units: the data acquisition unit 106 that continuously collects raw network traffic data, the data analyzing unit 108 that processes and correlates the data, and the fault detection unit 110 tasked with identifying anomalies or errors. The controller 104 is configured to monitor the direction of data flow, both inbound and outbound, to detect deviations from established communication patterns. Further, by examining the direction and associated metadata of data packets, the system 100 identifies the terminal acting as a source of a malfunction or intrusive activity. The procedures employed by the system 100 include a multi-step process that begins with the data acquisition unit 106 capturing detailed information from network traffic, such as packet headers, timestamps, and flow directions. The data is forwarded to the data analyzing unit 108, which uses signature-based detection algorithms and anomaly detection techniques to assess normal versus abnormal traffic patterns. Simultaneously, the fault detection unit 110 monitors for discrepancies such as unusual delays, error rates, or irregular packet directions. Subsequently, as an anomaly is detected, the network interface controller 104 leverages the directional data flow information to trace back and identify the malfunctioning originating terminal, effectively isolating the node that deviates from standard communication protocols.
The targeted approach allows the system 100 to accurately distinguish between benign traffic fluctuations and genuine security threats or system malfunctions. The system 100 provides an enhanced ability to secure the connected network by rapidly detecting and isolating problematic nodes before they propagate disruptive or malicious behavior across the entire network. The advantages of the overall system include improved network reliability, heightened security through early intrusion detection, and minimized downtime by enabling swift corrective actions such as rerouting traffic or isolating compromised terminals. Further, by leveraging both real-time data acquisition and advanced analytic methods, the system 100 provides a robust intrusion detection capability and supports proactive network management, thereby ensuring that any security or performance issues are resolved with minimal impact on overall network functionality.
Referring to figure 2, in accordance with an embodiment, there is described an intrusion detection system 100 for a connected network. The intrusion detection system 100 comprises at least one signal transmitting node 102, a network interface controller 104 communicably connected to the signal transmitting node 102, and a signal receiving node 112 communicably connected to the network interface controller 104. The network interface controller 104 comprises a data acquisition unit 106, a data analyzing unit 108, and a fault detection unit 110. Further, the network interface controller 104 is configured to identify a faulty source node based on the direction of data flow. Furthermore, the data analyzing unit comprises a data flow unit 114, a classification unit 116, and a threat identifying unit 118. Furthermore, the network interface controller 104 comprises a memory unit 120 communicably coupled with the data flow unit 114, the classification unit 116, and the threat identifying unit 118. The data analyzing unit is structured as a multi-layered subsystem that integrates a data flow unit 114, a classification unit 116, and a threat identifying unit 118 to provide comprehensive processing and analysis of network traffic. Specifically, the data flow unit 114 continuously collects raw data streams from various sources within the connected network, parsing and segmenting the data into standardized packets based on predefined time intervals or event triggers. The segmentation helps to organize the incoming data for efficient processing. Further, the classification unit 116 receives the segmented data packets and utilizes both signature-based and anomaly-based methods to compare current traffic patterns against a baseline activity log and predefined threat profiles. 
The approaches involve the application of machine learning algorithms or rule-based heuristics that analyze packet metadata (such as, but not limited to, source/destination addresses, port numbers, and data payload features) to assign a preliminary classification to each packet, indicating the suspicious data. Subsequently, the threat identifying unit 118 consolidates the output from the classification unit 116 by cross-referencing the classified data with historical threat data stored in an associated memory unit 120, which includes known intrusion signatures and behavioral anomaly trends. The cross-referencing step leverages statistical analysis and pattern-matching techniques to identify deviations indicative of potential attacks or misconfigurations. The combination of the three units enables a robust, real-time intrusion detection capability that enhances network security by promptly identifying emerging threats and reducing false positives. The advantages of combining the three units include rapid identification and isolation of malicious activities, improved network reliability through early warning and proactive countermeasures, and the ability to dynamically update detection parameters based on evolving threat landscapes, thereby ensuring a resilient and adaptive security framework for connected networks.
In an embodiment, the at least one signal transmitting node 102 comprises at least one sub-system of an electric vehicle ecosystem, wherein the at least one sub-system comprises a swappable battery, an inverter controller, and at least one electronic control unit. In the configuration, each sub-system serves as an independent data and control source that communicates critical operational parameters to the central gateway 104. The swappable battery reports information related to charge state, voltage, and temperature; the inverter controller manages the conversion of DC to AC power required for motor operation. The ECU oversees various vehicle functions, including safety protocols, drive controls, and energy management, and the charging interface module facilitates interactions with external charging infrastructures. The data from the sub-systems is transmitted via a secure network to the network interface controller, which aggregates and processes the information to maintain a synchronized and responsive EV ecosystem. The integrated approach enables the system 100 to dynamically adjust operational parameters based on real-time input from each sub-system, delivering a robust method for fault detection and power management. Further, by correlating data from the battery, inverter, ECU, and charging module, the network terminal detects anomalies that indicate issues such as battery degradation, abnormal inverter performance, or inconsistencies in charging behavior. The presence of the sub-systems provides an enhanced ability to preemptively identify and mitigate faults in the EV inter-network connection of the sub-systems, ensuring that power flow remains optimized and that critical subsystems operate within safe performance thresholds. 
The advantages of the EV sub-systems include improved battery longevity through optimized charge/discharge cycles, increased overall vehicle reliability by isolating and addressing sub-system faults early, and a more efficient EV ecosystem that supports quick battery swaps, better energy distribution, and enhanced operational safety.
In an embodiment, the network interface controller 104 comprises a memory unit 120 communicably coupled with the data flow unit 114, the classification unit 116, and the threat identifying unit 118 and wherein the memory unit 120 comprises historical threat data and a node restricting library. The network interface controller 104 is enhanced with a dedicated memory unit 120 that is communicably coupled with the data flow unit 114, classification unit 116, and threat identifying unit 118. The memory unit 120 is configured to store a comprehensive set of historical threat data and a node-restricting library. The historical threat data comprises logs, signatures, and metadata from past security incidents that are detected and recorded over time, and the node restricting library includes a set of predefined rules, policies, and identifiers that denote potentially compromised or anomalous network nodes. The memory unit 120 facilitates rapid lookup and correlation of incoming data against historical events and known threat patterns, allowing the system to quickly determine that the current network behavior aligns with past incident indicators. Further, the data from the acquisition and classification stages is cross-referenced against the above-mentioned repositories, thereby enabling precise mapping of current anomalies to previously encountered threats and informing subsequent security actions. Furthermore, integrating a memory unit 120 with historical threat data and a node restricting library is a significant enhancement in threat detection accuracy and response speed. By leveraging previously recorded data, the system reduces false positives, streamlines the identification process, and dynamically updates the countermeasures in real time. 
The advantages of the integrated memory unit 120 include improved situational awareness, higher fidelity in detecting sophisticated or evolving intrusions, and the ability to automatically restrict or isolate nodes that have demonstrated recurrent anomalies. In effect, the memory unit 120 empowers the network interface controller to continuously adapt to emerging threats and apply targeted security policies, resulting in a more resilient, proactive, and efficient security architecture for the connected network.
In an embodiment, the data acquisition unit 106 is configured to obtain data flow information of the connected network and transfer the obtained data flow information to the data flow unit 114 of the data analyzing unit 108. The data acquisition unit 106 continuously captures real-time data flow information from various segments of the connected network. The data acquisition unit 106 taps into network traffic using methods such as port mirroring, network taps, or inline monitoring to extract essential communication details including packet headers, timestamps, protocol information, and error flags. The gathered information is processed and normalized, ensuring that the information adheres to standardized data formats. Subsequently, the data is efficiently transferred to the data flow unit 114 within the data analyzing unit 108 via dedicated communication channels (high-speed buses or secure network links). The procedure employed here includes both synchronous and asynchronous transmission protocols, ensuring minimal latency and low overhead in capturing high-throughput network data, and simultaneously filtering out redundant or non-essential information. The transferring of the data to the data flow unit 114 provides a highly responsive and reliable foundation for subsequent traffic analysis and intrusion detection. By ensuring that accurate and timely data flow information is provided to the analysis engine, the system 100 enhances the ability to detect anomalies and threats at an early stage. The advantages of the data transfer include reduced data loss, lower processing latency, and improved overall efficiency of the intrusion detection process. Consequently, a more robust security posture for the network is obtained, as the timely detection of deviations from normal traffic patterns allows for rapid remedial actions, thereby minimizing potential damage from intrusions and maintaining the stability and integrity of the connected network.
In an embodiment, the data flow unit 114 is configured to receive the data flow information periodically and divide the received data flow information into a plurality of data packets based on a predefined time interval. The data flow unit 114 periodically receives data flow information from the data acquisition unit 106 and segments the information into a series of discrete data packets based on predefined time intervals. The segmentation process involves timestamping incoming data streams and dividing them into uniform temporal portions, facilitating synchronized analysis across the network. Further, by organizing data into time-bound packets, the system 100 ensures that each segment corresponds to a specific timeframe, enabling precise tracking of network activities and anomalies. The segmentation enhances the granularity of monitoring, allowing for the detection of transient issues that occur within specific time windows. The time-based segmentation provides a significant improvement in the system's ability to detect and analyze network anomalies with temporal precision. Furthermore, by correlating data packets to specific time intervals, the system 100 identifies patterns and deviations that indicate security threats or performance issues. The advantages of the time-based segmentation approach include enhanced detection of time-sensitive anomalies, improved synchronization between network components, and the ability to perform detailed temporal analyses. Consequently, a more responsive and accurate intrusion detection system is obtained, capable of addressing threats in real-time and maintaining the integrity of the connected network.
In an embodiment, the classification unit 116 is configured to receive the plurality of data packets and classify the received data packets based on an activity log of the received data packets. The classification unit 116 processes a plurality of data packets by analyzing the activity logs to determine the nature and potential threat level. Specifically, after receiving segmented data packets from the data flow unit 114, the classification unit 116 cross-references each packet's metadata, such as source and destination addresses, port numbers, protocols, and timestamps, with historical activity logs stored in the memory unit 120. The comparison enables the system 100 to identify patterns and behaviors that deviate from established norms. Further, advanced algorithms, including machine learning models such as, but not limited to, Support Vector Machines (SVMs) and Random Forests, are employed to enhance the accuracy of classification, allowing the system to adapt to evolving network behaviors and emerging threats. The classification of the data packets provides a significant improvement in the system's ability to detect and respond to network anomalies in real-time. Furthermore, by leveraging activity logs and advanced classification algorithms, the system accurately distinguishes between benign and malicious traffic, reducing false positives and ensuring timely alerts for genuine threats. The proactive approach of classification enhances the overall security posture of the network, allowing for swift mitigation of potential attacks and minimizing the risk of data breaches. Additionally, the continuous learning capability of the classification unit 116 ensures that the system remains effective against new and sophisticated cyber threats, providing a robust defense mechanism for the connected network.
In an embodiment, the threat identifying unit 118 is configured to receive the classified data packets and compare the classified data packets with historical threat data stored in the memory unit 120. The threat identifying unit 118 operates by receiving classified data packets that are pre-processed and labeled based on communication attributes such as source, destination, protocol type, and behavior pattern. Subsequently, as the classified data packets are received, the threat identifying unit 118 executes a comparative analysis against a historical threat dataset stored within the memory unit 120. The dataset includes known malicious signatures, anomaly profiles, or previously encountered threat patterns. The threat identifying unit 118 applies pattern recognition techniques, such as hash-matching, behavioral correlation, or rule-based filtering, to detect similarities or matches. As the data packet’s characteristics align with a known threat record, the unit flags the packet for further response, logs the event, and generates a threat score or identifier for subsequent handling by other units (a mitigation or alerting unit). The threat identifying unit 118 also employs adaptive learning methods to refine the detection logic over time by incorporating new threats into the dataset. The threat identifying unit 118 enables the early-stage isolation of malicious communication before it reaches critical vehicle systems or disrupts normal network operation. The proactive filtering significantly reduces the risk of unauthorized access, injection of malicious commands, or service disruption in connected or autonomous vehicle environments. The advantages of the threat identifying unit 118 include real-time threat correlation, ensuring up-to-date protection in dynamic attack scenarios, low computational overhead by focusing on already-classified packets rather than raw data, and scalability, as the system grows the threat dataset without major redesign.
Further, by integrating historical threat intelligence directly into the detection loop, the system enhances both accuracy and resilience, providing robust cybersecurity tailored to communication networks.
In an embodiment, the threat identifying unit 118 is configured to identify at least one deviation of the data packets based on the comparison and assign the identified data packets with a threat security code. The threat identifying unit 118 functions by analyzing incoming data packets and comparing the data with known patterns stored in the historical threat data repository. Further, the threat identifying unit 118 monitors for deviations, namely anomalies in packet structure, behavior, frequency, source-destination relations, or timing that differ from established normal or previously observed malicious communication patterns. The deviations are flagged based on predefined thresholds or dynamically learned baselines. Furthermore, as a deviation is detected, the unit 118 classifies the anomaly and assigns a threat security code to the corresponding data packet. The code represents the severity, type, and potential impact of the threat (such as a low-risk anomaly, a high-risk intrusion attempt, or protocol manipulation). Subsequently, the security code is forwarded with the packet metadata to downstream systems such as mitigation modules, alerting systems, or path control units for further action. The assigning of a threat security code enables automated, tiered threat response across the network, allowing different components of the system to prioritize and react based on the threat level. Further, the threat security code also provides a granular threat classification, which improves decision-making for defensive actions; adaptive security control, as responses are scaled based on real-time threat assessment; and efficient resource allocation, as critical threats are handled with higher priority while benign anomalies are logged for monitoring. The threat security code assigning process improves situational awareness and enhances the overall cybersecurity defense by providing both early detection and precise threat labelling.
In an embodiment, the fault detection unit 110 is configured to receive the assigned threat security code and identify the corresponding signal transmitting node 102 based on the assigned threat security code. The fault detection unit 110 plays a critical role in isolating malicious or compromised sources within the connected network. Subsequently, after receiving the assigned threat security code from the threat identifying unit 118, the fault detection unit 110 initiates a correlation process to trace the origin of the flagged data packet. Further, the use of metadata embedded in the packet, such as, but not limited to, source MAC address, IP address, or node identifier, enables the fault detection unit 110 to map the packet to a specific signal transmitting node 102. The correlation process involves querying routing tables, communication logs, or node registries stored within the system. Furthermore, in cases of dynamic or multi-hop networks (such as electric vehicles), the unit employs a traceback algorithm or network flow analysis to locate the exact node responsible for the transmission. After being located, the faulty or suspicious node is tagged for continuous monitoring, further investigation, or immediate isolation depending on the severity of the threat security code. The identification of the faulty node enhances the ability of the system 100 to accurately localize the source of abnormal or harmful communication, enabling targeted responses rather than broad, disruptive countermeasures. The node-level granularity further enhances the efficiency and precision of network defense strategies. The advantages of identifying the faulty node include minimized network disruption, as only compromised nodes are isolated or mitigated, faster incident response, since source identification is automated and immediate, and improved threat accountability, with a clear mapping between data anomalies and physical or virtual network components.
In an embodiment, the fault detection unit 110 is configured to add the identified signal transmitting node 102 to the node restricting library based on the assigned threat security code. Specifically, as the faulty node is confirmed as the origin of the suspicious or malicious communication, the fault detection unit 110 evaluates the threat level encoded in the security code. Subsequently, based on predefined programs or dynamic security thresholds, the fault detection unit 110 categorizes the node as a potential security risk and adds the node to the node restricting library. The library serves as a reference database of nodes that are to be limited, monitored, or fully restricted in their communication privileges. The process involves updating access control tables or node status flags that influence real-time routing and communication permissions within the network infrastructure. Maintaining and updating the node restricting library enables the establishment of a dynamic, threat-aware containment system that limits the influence of compromised or high-risk nodes. Further, by restricting only malicious or suspicious entities, the system 100 ensures that the broader network continues to function with minimal disruption. The key advantages of updating the node restricting library include proactive containment of threats, reducing the risk of lateral movement or system-wide compromise, efficient and scalable security management, as the library is updated in real time without requiring full network resets or reboots, and context-sensitive node handling, enabling differentiated treatment (temporary quarantine vs. permanent ban) based on the threat code. Consequently, the mechanism strengthens the overall resilience and trustworthiness of dynamic as well as static communication networks.
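The chain described in the embodiments above (time-based segmentation, classification against an activity log, comparison with historical threat data, threat security code, source-node identification, node restricting library) can be sketched as follows. This is an added illustration, not code from the specification; the node names, message types, the labels `TSC-LOW` and `TSC-HIGH`, the window length and the rate limits are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW_S = 1.0  # predefined time interval in seconds (assumed value)


@dataclass(frozen=True)
class Record:
    ts: float   # capture timestamp, seconds
    src: str    # signal transmitting node
    dst: str    # signal receiving node
    msg: str    # message type


# Constructed activity log: expected flows and their maximum count per window.
ACTIVITY_LOG = {
    ("battery", "vcu", "soc_report"): 2,
    ("inverter", "vcu", "torque_status"): 5,
    ("ecu", "vcu", "heartbeat"): 1,
}

# Constructed historical threat data: deviation label -> threat security code.
HISTORICAL_THREATS = {"unknown_flow": "TSC-HIGH", "rate_exceeded": "TSC-LOW"}

# Constructed restriction rules: code -> (severity rank, action).
RESTRICTION_RULES = {"TSC-LOW": (1, "monitor"), "TSC-HIGH": (2, "isolate")}


def segment(records, window_s=WINDOW_S):
    """Data flow unit: group records into time-bound packets."""
    packets = defaultdict(list)
    for rec in records:
        packets[int(rec.ts // window_s)].append(rec)
    return dict(sorted(packets.items()))


def classify(packet, activity_log=ACTIVITY_LOG):
    """Classification unit: label each flow in one packet against the activity log."""
    counts = Counter((r.src, r.dst, r.msg) for r in packet)
    labels = {}
    for flow, seen in counts.items():
        limit = activity_log.get(flow)
        if limit is None:
            labels[flow] = "unknown_flow"    # direction or type never observed
        elif seen > limit:
            labels[flow] = "rate_exceeded"   # known flow, abnormal frequency
        else:
            labels[flow] = "normal"
    return labels


def assign_codes(labels, threats=HISTORICAL_THREATS):
    """Threat identifying unit: map deviations to threat security codes."""
    return {flow: threats[label] for flow, label in labels.items() if label in threats}


def restrict(library, coded_flows, rules=RESTRICTION_RULES):
    """Fault detection unit: trace each code to its source node, update the library."""
    for (src, _dst, _msg), code in coded_flows.items():
        rank, action = rules[code]
        current = library.get(src)
        if current is None or rank > current[0]:   # never downgrade a restriction
            library[src] = (rank, action)
    return library


def run_pipeline(records):
    """Run every window through the chain and return node -> restriction action."""
    library = {}
    for packet in segment(records).values():
        restrict(library, assign_codes(classify(packet)))
    return {node: action for node, (_rank, action) in library.items()}


def sample_records():
    """Constructed capture: normal traffic, a burst, then an unexpected flow."""
    recs = [
        Record(0.1, "battery", "vcu", "soc_report"),
        Record(0.2, "inverter", "vcu", "torque_status"),
        Record(0.5, "ecu", "vcu", "heartbeat"),
    ]
    # Window 1: the inverter sends 7 status messages (the logged limit is 5).
    recs += [Record(1.1 + 0.1 * i, "inverter", "vcu", "torque_status") for i in range(7)]
    # Window 2: the battery addresses the inverter, a flow absent from the log.
    recs += [
        Record(2.3, "battery", "inverter", "torque_cmd"),
        Record(2.4, "ecu", "vcu", "heartbeat"),
    ]
    return recs


if __name__ == "__main__":
    print(run_pipeline(sample_records()))
```

The source node is recovered from the flow key itself, which is the simplest form of the direction-based tracing the embodiment describes; a multi-hop network would need the traceback step the text mentions.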
In accordance with a second aspect, there is described a method for detecting an intrusion in a connected network, the method comprises:
- obtaining data flow information of the connected network, via a data acquisition unit;
- dividing the received data flow information into a plurality of data packets based on a predefined time interval, via a data flow unit;
- classifying received data packets based on an activity log of the received data packets, via a classification unit;
- comparing the classified data packets with historical threat data stored in a memory unit; and
- assigning identified data packets with a threat security code, via a threat identifying unit.
Figure 3 describes a method 200 for detecting an intrusion in a connected network. The method 200 starts at a step 202. At the step 202, the method 200 comprises obtaining data flow information of the connected network, via a data acquisition unit 106. At a step 204, the method 200 comprises dividing the received data flow information into a plurality of data packets based on a predefined time interval, via a data flow unit 114. At a step 206, the method 200 comprises classifying received data packets based on an activity log of the received data packets, via a classification unit 116. At a step 208, the method 200 comprises comparing the classified data packets with the historical threat data stored in a memory unit 120. At a step 210, the method 200 comprises assigning identified data packets with a threat security code, via a threat identifying unit 118.
In an embodiment, the method 200 comprises receiving the data flow information periodically and dividing the received data flow information into a plurality of data packets based on a predefined time interval, via the data flow unit 114.
In an embodiment, the method 200 comprises receiving the plurality of data packets and classifying the received data packets based on an activity log of the received data packets, via the classification unit 116.
In an embodiment, the method 200 comprises receiving the classified data packets and comparing the classified data packets with historical threat data stored in the memory unit 120.
In an embodiment, the method 200 comprises identifying at least one deviation of the data packets based on the comparison and assigning the identified data packets with a threat security code, via the threat identifying unit 118.
In an embodiment, the method 200 comprises receiving the assigned threat security code and identifying the corresponding signal transmitting node 102 based on the assigned threat security code.
In an embodiment, the method 200 comprises adding the identified signal transmitting node 102 to the node restricting library based on the assigned threat security code.
In an embodiment, the method 200 comprises receiving the data flow information periodically and dividing the received data flow information into a plurality of data packets based on a predefined time interval, via the data flow unit 114. Further, the method 200 comprises receiving the plurality of data packets and classifying the received data packets based on an activity log of the received data packets, via the classification unit 116. Furthermore, the method 200 comprises receiving the classified data packets and comparing the classified data packets with historical threat data stored in the memory unit 120. Furthermore, the method 200 comprises identifying at least one deviation of the data packets based on the comparison and assigning the identified data packets with a threat security code, via the threat identifying unit 118. Furthermore, the method 200 comprises receiving the assigned threat security code and identifying the corresponding signal transmitting node 102 based on the assigned threat security code. Furthermore, the method 200 comprises adding the identified signal transmitting node 102 to the node restricting library based on the assigned threat security code.
In an embodiment, the method 200 comprises obtaining data flow information of the connected network to a data acquisition unit 106. Furthermore, the method 200 comprises dividing the received data flow information into a plurality of data packets based on a predefined time interval, via the data flow unit 114. Furthermore, the method 200 comprises classifying received data packets based on an activity log of the received data packets, via a classification unit 116. Furthermore, the method 200 comprises comparing the classified data packets with historical threat data stored in a memory unit 120. Furthermore, the method 200 comprises assigning identified data packets with a threat security code, via a threat identifying unit 118.
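The steps of the method 200 described above can be traced on a small constructed data flow. The following is an added illustration, not code from the application: the per-node rate and message-type baseline standing in for the historical threat data, the codes "T1" (quarantine) and "T2" (ban), and all node and function names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample flow: (timestamp_s, source_node, message_type). Not from the application.
FLOW = [
    (0.05, "battery", "status"), (0.40, "inverter", "status"), (0.80, "ecu", "status"),
    (1.10, "battery", "status"), (1.20, "ecu", "status"), (1.60, "inverter", "status"),
    (2.05, "ecu", "diag"), (2.10, "ecu", "diag"), (2.15, "ecu", "diag"), (2.20, "ecu", "diag"),
    (2.30, "battery", "status"), (2.70, "ecu", "diag"),
    (3.10, "inverter", "status"), (3.20, "inverter", "status"), (3.30, "inverter", "status"),
]
# Assumed form of the historical data: node -> (max messages per window, normal message types).
HISTORY = {"battery": (2, {"status"}), "inverter": (2, {"status"}), "ecu": (2, {"status"})}
QUARANTINE, BAN = "T1", "T2"  # hypothetical threat security codes

def split_windows(flow, interval):
    """Step 204: divide the data flow into packets (windows) by a predefined time interval."""
    windows = defaultdict(list)
    for ts, node, mtype in flow:
        windows[int(ts // interval)].append((node, mtype))
    return [windows[k] for k in sorted(windows)]

def classify(window):
    """Step 206: build a per-node activity log (count per message type) for one window."""
    log = defaultdict(Counter)
    for node, mtype in window:
        log[node][mtype] += 1
    return log

def assign_codes(log, history):
    """Steps 208-210: compare the log with the history; return {node: code} for deviations."""
    codes = {}
    for node, types in log.items():
        max_rate, known = history.get(node, (0, set()))  # unknown nodes have no allowance
        rate_dev = sum(types.values()) > max_rate
        type_dev = bool(set(types) - known)
        if rate_dev and type_dev:
            codes[node] = BAN
        elif rate_dev or type_dev:
            codes[node] = QUARANTINE
    return codes

def run(flow, history, interval=1.0):
    """Whole method: return the node restricting library as {node: strongest code seen}."""
    library = {}
    for window in split_windows(flow, interval):
        for node, code in assign_codes(classify(window), history).items():
            library[node] = max(library.get(node, code), code)  # "T2" outranks "T1"
    return library
```

The result depends on the chosen interval: with a 5-second window the same flow puts the battery node over its per-window allowance as well, so the baseline and the interval have to be calibrated together.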
Based on the above-mentioned embodiments, the present disclosure provides significant advantages of enhanced security and fault traceability in a connected network by integrating both directional data flow analysis and layered functional units within the network interface controller 104.
It would be appreciated that all the explanations and embodiments of the system 100 also apply mutatis-mutandis to the method 200.
In the description of the present invention, it is also to be noted that, unless otherwise explicitly specified or limited, the terms “disposed,” “mounted,” and “connected” are to be construed broadly, and may for example be fixedly connected, detachably connected, or integrally connected, either mechanically or electrically. They may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Modifications to embodiments and combinations of different embodiments of the present disclosure described in the foregoing are possible without departing from the scope of the present disclosure as defined by the accompanying claims. Expressions such as “including”, “comprising”, “incorporating”, “have”, and “is” used to describe and claim the present disclosure are intended to be construed in a non-exclusive manner, namely allowing for items, components or elements not explicitly described also to be present. Reference to the singular is also to be construed to relate to the plural where appropriate.
Although embodiments have been described with reference to a number of illustrative embodiments thereof, it should be understood that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure. More particularly, various variations and modifications are possible in the component parts and/or arrangements of the subject combination arrangement within the scope of the present disclosure, the drawings, and the appended claims. In addition to variations and modifications in the component parts and/or arrangements, alternative uses will also be apparent to those skilled in the art.
CLAIMS:WE CLAIM:
1. An intrusion detection system (100) for a connected network, the intrusion detection system (100) comprises:
- at least one signal transmitting node (102);
- a network interface controller (104) communicably connected to the signal transmitting node (102), wherein the network interface controller (104) comprises:
- a data acquisition unit (106);
- a data analyzing unit (108); and
- a fault detection unit (110);
- a signal receiving node (112) communicably connected to the network interface controller (104),
wherein the network interface controller (104) is configured to identify a faulty source node based on the direction of data flow.

2. The system (100) as claimed in claim 1, wherein the data analyzing unit comprises a data flow unit (114), a classification unit (116), and a threat identifying unit (118).

3. The system (100) as claimed in claim 1, wherein the at least one signal transmitting node (102) comprises at least one sub-system of an electric vehicle ecosystem, wherein the at least one sub-system comprises a swappable battery, an inverter controller, and at least one electronic control unit.

4. The system (100) as claimed in claim 1, wherein the network interface controller (104) comprises a memory unit (120) communicably coupled with the data flow unit (114), the classification unit (116), and the threat identifying unit (118) and wherein the memory unit (120) comprises a historical threat data and a node restricting library.

5. The system (100) as claimed in claim 1, wherein the data acquisition unit (106) is configured to obtain data flow information of the connected network and transfer the obtained data flow information to the data flow unit (114) of the data analyzing unit (108).

6. The system (100) as claimed in claim 1, wherein the data flow unit (114) is configured to receive the data flow information periodically and divide the received data flow information into a plurality of data packets based on a predefined time interval.

7. The system (100) as claimed in claim 1, wherein the classification unit (116) is configured to receive the plurality of data packets and classify the received data packets based on an activity log of the received data packets.

8. The system (100) as claimed in claim 1, wherein the threat identifying unit (118) is configured to receive the classified data packets and compare the classified data packets with the historical threat data stored in the memory unit (120).

9. The system (100) as claimed in claim 1, wherein the threat identifying unit (118) is configured to identify at least one deviation of the data packets based on the comparison and assign the identified data packets with a threat security code.

10. The system (100) as claimed in claim 1, wherein the fault detection unit (110) is configured to receive the assigned threat security code and identify the corresponding signal transmitting node (102) based on the assigned threat security code.

11. The system (100) as claimed in claim 1, wherein the fault detection unit (110) is configured to add the identified signal transmitting node (102) to the node restricting library based on the assigned threat security code.

12. A method (200) for detecting an intrusion in a connected network, the method (200) comprising:
- obtaining data flow information of the connected network to a data acquisition unit (106);
- dividing the received data flow information into a plurality of data packets based on a predefined time interval, via a data flow unit (114);
- classifying received data packets based on an activity log of the received data packets, via a classification unit (116);
- comparing the classified data packets with a historical threat data stored in a memory unit (120); and
- assigning identified data packets with a threat security code, via a threat identifying unit (118).

13. The method (200) as claimed in claim 1, wherein identifying the corresponding signal transmitting node (102), based on the assigned threat security code, via a fault detection unit (110).

Documents

Application Documents

# Name Date
1 202421034487-PROVISIONAL SPECIFICATION [01-05-2024(online)].pdf 2024-05-01
2 202421034487-POWER OF AUTHORITY [01-05-2024(online)].pdf 2024-05-01
3 202421034487-FORM FOR SMALL ENTITY(FORM-28) [01-05-2024(online)].pdf 2024-05-01
4 202421034487-FORM 1 [01-05-2024(online)].pdf 2024-05-01
5 202421034487-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [01-05-2024(online)].pdf 2024-05-01
6 202421034487-DRAWINGS [01-05-2024(online)].pdf 2024-05-01
7 202421034487-FORM-5 [15-04-2025(online)].pdf 2025-04-15
8 202421034487-DRAWING [15-04-2025(online)].pdf 2025-04-15
9 202421034487-COMPLETE SPECIFICATION [15-04-2025(online)].pdf 2025-04-15
10 202421034487-FORM-9 [16-04-2025(online)].pdf 2025-04-16
11 202421034487-STARTUP [17-04-2025(online)].pdf 2025-04-17
12 202421034487-FORM28 [17-04-2025(online)].pdf 2025-04-17
13 202421034487-FORM 18A [17-04-2025(online)].pdf 2025-04-17
14 Abstract.jpg 2025-05-02
15 202421034487-Proof of Right [03-07-2025(online)].pdf 2025-07-03
16 202421034487-FER.pdf 2025-09-08
17 202421034487-RELEVANT DOCUMENTS [04-10-2025(online)].pdf 2025-10-04
18 202421034487-OTHERS [04-10-2025(online)].pdf 2025-10-04
19 202421034487-FORM 13 [04-10-2025(online)].pdf 2025-10-04
20 202421034487-FER_SER_REPLY [04-10-2025(online)].pdf 2025-10-04
21 202421034487-DRAWING [04-10-2025(online)].pdf 2025-10-04
22 202421034487-COMPLETE SPECIFICATION [04-10-2025(online)].pdf 2025-10-04
23 202421034487-CLAIMS [04-10-2025(online)].pdf 2025-10-04
24 202421034487-ABSTRACT [04-10-2025(online)].pdf 2025-10-04

Search Strategy

1 202421034487_SearchStrategyNew_E_SearchHistory(10)E_04-09-2025.pdf