CN115380510A - Method for monitoring data flow between controllers of a motor vehicle and correspondingly equipped motor vehicle - Google Patents


Info

Publication number: CN115380510A
Authority: CN (China)
Prior art keywords: data, packet, associative memory, network, motor vehicle
Legal status: Granted
Application number: CN202180029783.4A
Other languages: Chinese (zh)
Other versions: CN115380510B (en)
Inventors: A·斯蒂雷丘, C·帕特拉斯库, K·施密特, B·斯坦格尔, J·A·穆诺兹塞皮洛
Current assignee: Tttech Auto AG, Audi AG
Original assignee: Tttech Auto AG, Audi AG
Application filed by Tttech Auto AG and Audi AG; published as CN115380510A, later granted as CN115380510B; legal status: active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems, the transportation system being a vehicle
    • H04L12/44 Star or tree networks
    • H04L2012/445 Star or tree networks with switching in a hub, e.g. ETHERNET switch
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic


Abstract

The invention relates to a method for monitoring the data flow between controllers (12,13) of a motor vehicle (10), wherein at least one data pattern (23) of a packet type and/or data content to be monitored and/or detected is stored in an associative memory (22), so that an associated hit signal (27) is generated by the associative memory (22) in response to input data (25) containing the respective data pattern (23), and a network processor (21) reads probe data (31) from a received data packet (18) at a predetermined monitoring position, and thereby forms input data (25) for the associative memory (22), and checks whether a hit signal (27) is generated by inputting the input data (25) into the associative memory (22), and a microprocessor (29) identifies whether the hit signal (27) deviates from a transmission scheme by means of a predetermined calibration routine (32) in accordance with transmission scheme data (33) describing a controller (12,13).

Description

Method for monitoring data flow between controllers of a motor vehicle and correspondingly equipped motor vehicle
Technical Field
The invention relates to a method for monitoring the data flow (Datenverkehr) between controllers of a motor vehicle and to a correspondingly equipped motor vehicle. The monitoring takes place in a switching device which transmits data packets between network branches of the data network. It should be checked, without significant delays in the transmission, whether the data packets, or at least some of them, constitute a predetermined, undesired data flow, which may be part of a hacking attack or be caused, for example, by a manipulated or defective control unit of the motor vehicle.
Background
In a motor vehicle, controllers can be coupled to one another via a data network in order to exchange data packets, so that, for example, a vehicle function involving a plurality of controllers can be realized. An example of such a data network is an Ethernet network. The network branches of such data networks may be interconnected via switching devices (also referred to simply as "switches" or data switches). To this end, each network branch may be coupled to a respective port of the switching device. Such ports may be physical couplings for the network cables of the network branches together with circuits for sending and receiving data packets. If a data packet arrives at such a port from the network branch connected to it, it is determined to which other network branch or branches the data packet has to be transmitted. The data packet is then transmitted within the switching device to the respective destination port by means of a circuit referred to herein as a switching circuit. By switching the data packets in this way, the network branches can be kept logically separate from one another, which also allows firewall functions to be implemented.
In order to determine where a received data packet has to be transmitted, i.e. to which destination port the data packet has to be directed within the switching circuit, a so-called associative memory may be used. Another name for such an associative memory is a CAM filter (content addressable memory), such as a TCAM (ternary content addressable memory). By means of the associative memory, a so-called switch or route can be set in the switching circuit. In the case of an associative memory, however, only a limited number of bits or bytes from the respective received data packet can be input as input data in order to obtain destination port data which describe at least one destination port which should be used.
When analyzing the data traffic of the controllers in order to detect manipulations of one of the controllers and/or to detect unauthorized devices additionally connected to the data network, a costly analysis of the data packets transmitted in the network may be required. However, this must not lead to additional delays or waiting times in the transmission of the data packets, since otherwise the vehicle functions relying on these data packets, for example the control of the reversing camera, may be affected. On the other hand, decoupling or copying the data packets for detailed analysis involves such a large amount of data that the computing power required for it cannot be provided in the motor vehicle at reasonable cost.
It is known from US 8 582 428 B1 that data packets of a specific packet type can be counted in a router by means of a counter in conjunction with a TCAM associative memory. The data packets may additionally be time-stamped in order to analyze the data traffic; the time stamp is also used to measure the age of a communication connection.
It is known from WO 2019/116973 A1 to recognize unauthorized data traffic in a motor vehicle by detecting that a controller generates more data per second than originally planned. Manipulations of a control unit in which only a small number of data packets cause damage in the motor vehicle therefore cannot be recognized.
It is known from WO 2006/069041 A2 and US 2007/022474 A1 that firewalls always drop a packet if the number of packets of a certain type from a certain sender per unit of time exceeds a threshold value. In this way, only so-called denial-of-service attacks, which are based on the generation of large numbers of data packets, can be prevented.
It is known from US 2020/304532 A1 to analyze data flows in a motor vehicle by means of a TCAM associative memory in order to monitor abnormally high data volumes from a device. So that the microprocessor is not overloaded during the analysis of the abnormal data packets, all data packets are pre-filtered by means of a first rule, and only data packets which are abnormal according to the first rule are transmitted to the microprocessor for application of a second rule.
From US 2017/118041 A1 a firewall computer is known which filters data packets by means of a plurality of distributed TCAM associative memories and conveys certain data packets to a CPU. In conjunction with firewall rules, an ACL can count how many times each rule is applied in the firewall computer.
Disclosure of Invention
The aim of the invention is to detect an unplanned data flow of a control unit or an additionally connected device in a motor vehicle.
This object is achieved by the content of the independent patent claims. Advantageous embodiments of the invention are described by the dependent patent claims, the following description and the drawings.
A method for monitoring data traffic between controllers of a motor vehicle is provided, wherein at least one data pattern of a packet type and/or data content to be monitored and/or detected is stored in an associative memory (for example TCAM) in order to generate an associated hit signal via the associative memory in response to input data containing the respective data pattern, and a network processor reads probe data from received data packets at predetermined monitoring locations and thus forms input data for the associative memory and checks whether a hit signal is generated by inputting the input data into the associative memory, and a microprocessor recognizes a deviation of the hit signal from a transmission scheme by means of a predetermined calibration routine as a function of transmission planning data describing the prescribed transmission scheme of the controller. A defense routine may then be initiated. The data pattern may be a bit pattern or a byte pattern.
To this end, the invention describes a method for monitoring the data flow between controllers of a motor vehicle. The method is based on the following arrangement: the controllers are connected via a data network in which a switching device interconnects physical ports for receiving and transmitting data packets via an internal switching circuit or data switch. In the method, the network processor determines destination port data for a respective data packet received via one of the ports by means of the associative memory, at least one of the (generally several) ports is selected as destination port as a function of the determined destination port data, and the received data packet, or at least a part of it, is routed to the at least one destination port by means of the switching circuit.
The switching device therefore has, in a manner known per se, switching circuits within it for selectively transmitting received data packets from one port to at least one destination port, in order to thus transmit (switch or route) the data packets between the network branches. To this end, each port may have transceiver circuitry to receive and/or transmit data packets. The associative memory mentioned here can be implemented or provided as a CAM (content addressable memory), in particular as a TCAM (ternary content addressable memory). The target port data is derived in a manner known per se from the controller or device respectively coupled to the ports.
In order to achieve this, at least one data pattern of the packet type and/or data content to be monitored and/or detected is stored in the associative memory, so that the associative memory generates an associated hit signal in response to input data containing the respective data pattern. Accordingly, the network processor reads not only the data for determining the at least one target port from the respective received data packet, but additionally the network processor reads the probe data at predetermined monitoring positions of the data packet (i.e. at preset bit positions or byte positions) and combines these probe data into further input data for the associative memory and then checks whether a hit signal is generated by inputting these input data into the associative memory. The associative memory is therefore also used for detecting data packets of a predetermined packet type and/or data packets having a predetermined data content. In this case, the monitoring position (i.e. the bit position or the byte position) is preset to determine at which position in the data packet, i.e. at which location a bit or byte should be read from the data packet as probe data from which the input data for the associative memory is formed. These input data for the associative memory are then not used to find the target port, but rather should generate a hit signal by means of the associative memory, which indicates that the relevant data pattern is recognized. For example, such a hit signal may consist of an identification reporting that the corresponding data pattern has been recognized in the input data by the associative memory.
In addition, at least one counter is provided, the counter value of which indicates how many times the hit signal has been generated for at least one predefined data pattern. The counter value and the data packet that last incremented it are provided as analysis data in a read memory, and the microprocessor reads this analysis data via a data interface when required. It is thus counted how many times the at least one predetermined data pattern has been identified in the probe data read at the given monitoring positions of the data packets. A counter can also serve a plurality of different hit signals, i.e. a plurality of different data patterns, by coupling a single counter to a plurality of entries of the associative memory. The analysis data also contain the information which data packet last incremented the counter value; this packet is stored in the read memory together with the analysis data and can be read actively by the microprocessor when needed. The analysis data in the read memory can thus be updated with each counter change. A separate memory space may be provided for each counter, or a common memory space may be provided for the analysis data of several counters or of all counters.
A special feature of motor vehicles is that at least a part of the data traffic is generated by controllers following a fixedly programmed transmission scheme. Only a share of the data traffic that is known in advance is dynamic, such as the traffic of a controller for a consumer electronics device; this share may also be zero. On the basis of transmission planning data describing the defined transmission scheme of the controllers, the microprocessor recognizes by means of a predetermined calibration routine that the analysis data deviate from the transmission scheme, and in this case triggers a predetermined defense routine.
The invention is therefore based on the recognition that, if the motor vehicle is not manipulated, i.e. if none of the controllers deviates from its transmission scheme and no additional devices are connected to the data network generating additional data traffic, the calibration routine will only obtain analysis data that correspond to the transmission scheme described by the transmission planning data, which can be specified, for example, by the manufacturer of the motor vehicle. The calibration routine may require strict agreement with these transmission planning data or may allow a tolerance on the counter values and/or the data content of the last analysis data. The described method may be applied in particular to Ethernet packets. Ethernet as a data network is based on packet-oriented data traffic, so that (unlike in slot-oriented data networks) the transmission time point and/or the data quantity in the data traffic can vary, since no reserved time slot is set. By means of the counter value it can be recognized, independently of the exact transmission time point, whether the number of data packets for a certain data pattern exceeds a threshold value. Since the last analysis data additionally contain the data packet that caused the threshold to be exceeded, a conclusion can be drawn about the transmitter: either a manipulated or defective controller is identified, or a transmitter address is used which does not belong to a manufacturer-side controller of the motor vehicle but to a device additionally connected to the data network. As a defense routine or defense measure, functions of the motor vehicle can be limited, for example by reducing the functional range or disconnecting functions such as media playback and/or telephone functions and/or internet connections.
Depending on the TCAM entry or the data pattern for which deviations from the transmission scheme are identified, further functions of the motor vehicle can be restricted or switched off.
The respective counter and/or the associative memory (TCAM) may be part of the network processor, or the respective counter and/or the associative memory may be provided externally to the network processor.
The invention also comprises the following embodiments, by means of which additional advantages are derived.
One embodiment includes: for each counter, a time stamp of the last increment of the counter value is stored in addition to the counter value and provided as part of the analysis data in the read memory. The analysis data in the read memory thus contain the counter value, its time stamp and the last received associated data packet. The counter value together with its time stamp therefore reports when the packet contained in the analysis data arrived and triggered a hit signal. It has been found that this, in conjunction with the transmission scheme of the controllers, enables particularly sensitive fault and manipulation detection. The microprocessor, which checks the analysis data by means of the calibration routine, can additionally receive an activity signal of at least one vehicle component and/or controller and then check, on the basis of the time stamp, whether a data packet was transmitted because of this reported activity. A data packet which lies outside the transmission scheme but is triggered by this activity can then be classified as permissible, so that no defense routine has to be triggered. The activity signal may be received via a CAN bus, for example. It is important here that the microprocessor is not overloaded: the microprocessor itself can preferably decide whether a data packet is actually fetched from the read memory or at the data interface, or whether it is left to be overwritten by the next data packet because no resources for real-time processing are currently available. The microprocessor nevertheless keeps an overview, since the ordinal number (counter value) and/or the time stamp of each data packet is available.
The subject matter of the application thus provides a monitoring tool for a microprocessor, which prevents overloading of the microprocessor and nevertheless provides detailed knowledge of "suspicious" data packets, i.e. data packets selected by means of the associative memory (the data packets themselves are also provided at the data interface). It is therefore preferably provided that the data packets are only made available at the data interface, so that the microprocessor can always decide itself whether to fetch a data packet when the corresponding computing capacity is available. If the microprocessor then accepts the data packet at the data interface, the counter value and the time stamp tell the microprocessor which data packet is present and/or how old it is.
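Added example (not the patent's own code, nor code from the assignees) for the time stamp and read-memory embodiment described in the two paragraphs above: the network processor overwrites a read-memory slot that the microprocessor has not fetched yet, the microprocessor derives from the counter value how many hits it missed, and an activity signal (e.g. one received via CAN) brackets the time stamp to decide whether a packet outside the fixed scheme is permissible. The pattern names, the component mapping, the clock values and the packet bytes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AnalysisData:
    """Contents of the read memory for one hit: ordinal number (counter value),
    time stamp of the triggering packet, the pattern that hit, and the packet."""
    counter: int
    timestamp: float          # seconds since start (constructed clock)
    pattern: str
    packet: bytes

class ReadMemory:
    """One slot per counter.  The network processor overwrites an entry the
    microprocessor has not fetched yet; the counter value reveals the gap."""
    def __init__(self):
        self.counter = 0
        self.slot: Optional[AnalysisData] = None

    def record_hit(self, pattern: str, packet: bytes, now: float) -> None:
        self.counter += 1
        self.slot = AnalysisData(self.counter, now, pattern, packet)

    def fetch(self) -> Optional[AnalysisData]:
        data, self.slot = self.slot, None
        return data

# Constructed mapping: which vehicle component's activity may legitimately
# cause packets of a given pattern outside the fixed transmission scheme.
ACTIVITY_FOR_PATTERN = {"rear_camera_stream": "reversing_camera"}

def classify_hit(data: AnalysisData, fixed_plan: set, activities: list,
                 window: float = 0.5) -> str:
    """Calibration step that uses the time stamp.  Returns 'in_plan' for a
    pattern of the fixed scheme, 'permitted' when a reported activity
    (component, t_on, t_off) brackets the packet's time stamp, else 'deviation'."""
    if data.pattern in fixed_plan:
        return "in_plan"
    component = ACTIVITY_FOR_PATTERN.get(data.pattern)
    for name, t_on, t_off in activities:
        if name == component and t_on - window <= data.timestamp <= t_off + window:
            return "permitted"
    return "deviation"

class Microprocessor:
    """Fetches analysis data only when it has capacity and detects from the
    counter value how many hits were overwritten in the meantime."""
    def __init__(self, fixed_plan: set):
        self.fixed_plan = fixed_plan
        self.activities = []           # activity signals, e.g. received via CAN
        self.last_counter = 0

    def activity_signal(self, component: str, t_on: float, t_off: float) -> None:
        self.activities.append((component, t_on, t_off))

    def evaluate(self, mem: ReadMemory):
        """Fetch one entry; return (counter value, missed hits, verdict)."""
        data = mem.fetch()
        if data is None:
            return None
        missed = data.counter - self.last_counter - 1
        self.last_counter = data.counter
        return (data.counter, missed, classify_hit(data, self.fixed_plan, self.activities))

def run_demo():
    """Constructed sequence: camera stream packets while reversing, then one
    long after the camera was switched off, while the CPU was busy in between."""
    mem, cpu = ReadMemory(), Microprocessor(fixed_plan={"ecu_heartbeat"})
    cpu.activity_signal("reversing_camera", t_on=0.9, t_off=3.0)
    results = []
    mem.record_hit("rear_camera_stream", b"\x01", now=1.0)
    results.append(cpu.evaluate(mem))                         # fetched promptly
    mem.record_hit("rear_camera_stream", b"\x02", now=1.5)    # CPU busy: not fetched
    mem.record_hit("rear_camera_stream", b"\x03", now=5.0)    # overwrites the slot
    results.append(cpu.evaluate(mem))
    return results

if __name__ == "__main__":
    print(run_demo())   # [(1, 0, 'permitted'), (3, 1, 'deviation')]
```

The second evaluation shows both mechanisms at once: the counter value 3 after a last seen value of 1 tells the microprocessor that one hit was overwritten, and the time stamp 5.0 lies outside the reported camera activity, so the packet counts as a deviation rather than an activity-triggered exception.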
One embodiment includes: at least one counter counts the hit signals for at least two data patterns. That is to say, for at least one counter, the hit signals for at least two different data patterns are combined, so that the counter increments whenever either of the two data patterns is identified by the associative memory. This has the advantage that a manipulation can also be identified in which an attempt is made to spread the manipulated data traffic over several different packet types, for example by using two different sender addresses and/or MAC addresses (MAC: medium access control).
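The following Python model is an added illustration, not code from the patent or from the assignees. It reproduces the pipeline described in the disclosure above (ternary data patterns in an associative memory, probe data read at fixed monitoring positions, counters that keep the last matching packet as analysis data, and a calibration routine that compares counter values with a transmission plan) and also the embodiment just described, in which a single counter is coupled to two entries for two sender addresses. The MAC addresses, the monitoring positions, the frame layout and the plan figures are constructed sample values and are not taken from the patent.

```python
from dataclasses import dataclass
from typing import Optional

# Monitoring positions as (byte offset, length) in an Ethernet frame:
# destination MAC, source MAC, EtherType.  Constructed for this example.
MONITOR_POS = [(0, 6), (6, 6), (12, 2)]

@dataclass
class Pattern:
    """One associative-memory entry: value bytes plus a care mask (ternary:
    mask bit 1 = compare, 0 = don't care) and the counter its hit signal feeds."""
    name: str
    value: bytes
    mask: bytes
    counter: str

    def matches(self, data: bytes) -> bool:
        return len(data) == len(self.value) and all(
            (d & m) == (v & m) for d, v, m in zip(data, self.value, self.mask))

@dataclass
class Counter:
    """Analysis data: hit count and the packet that last incremented it."""
    value: int = 0
    last_packet: Optional[bytes] = None

def read_probe_data(frame: bytes, positions=MONITOR_POS) -> bytes:
    """Network-processor step: read the bytes at the preset monitoring positions."""
    return b"".join(frame[off:off + ln] for off, ln in positions)

class Monitor:
    """Associative memory plus counters; several entries may share one counter."""
    def __init__(self, patterns):
        self.patterns = patterns
        self.counters = {p.counter: Counter() for p in patterns}

    def process(self, frame: bytes):
        """Form input data from the probe data, collect hit signals, count them."""
        input_data = read_probe_data(frame)
        hits = [p for p in self.patterns if p.matches(input_data)]
        for p in hits:
            c = self.counters[p.counter]
            c.value += 1
            c.last_packet = frame
        return [p.name for p in hits]

def calibration_routine(counters, plan, tolerance=0):
    """Microprocessor step: compare counter values with the transmission plan
    (counter name -> expected hits per counting interval).  Each deviation
    carries the source MAC of the packet that last incremented the counter."""
    deviations = []
    for name, expected in plan.items():
        c = counters[name]
        if abs(c.value - expected) > tolerance:
            src = c.last_packet[6:12].hex(":") if c.last_packet else None
            deviations.append((name, c.value, expected, src))
    return deviations

# --- constructed sample network ---------------------------------------------
ECU_A = bytes.fromhex("02000000000a")
ECU_B = bytes.fromhex("02000000000b")
ROGUE = bytes.fromhex("0200000000ee")   # device not in the transmission plan
ANY6, CARE6 = bytes(6), bytes([0xFF] * 6)
IPV4 = b"\x08\x00"

def frame(dst: bytes, src: bytes, payload: bytes = b"") -> bytes:
    """Minimal Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + IPV4 + payload

def build_monitor() -> Monitor:
    return Monitor([
        # two sender addresses coupled to the single counter "known_ecus"
        Pattern("ipv4_from_ecu_a", ANY6 + ECU_A + IPV4, ANY6 + CARE6 + b"\xff\xff", "known_ecus"),
        Pattern("ipv4_from_ecu_b", ANY6 + ECU_B + IPV4, ANY6 + CARE6 + b"\xff\xff", "known_ecus"),
        # every IPv4 frame regardless of sender
        Pattern("any_ipv4", ANY6 + ANY6 + IPV4, ANY6 + ANY6 + b"\xff\xff", "all_ipv4"),
    ])

# Transmission plan for one counting interval (constructed): ECU_A sends two
# IPv4 frames and ECU_B one, so three IPv4 frames in total are expected.
PLAN = {"known_ecus": 3, "all_ipv4": 3}

def run_demo():
    mon = build_monitor()
    for f in (frame(ECU_B, ECU_A), frame(ECU_A, ECU_B), frame(ECU_B, ECU_A)):
        mon.process(f)
    mon.process(frame(ECU_A, ROGUE))      # extra frame from an unplanned sender
    return calibration_routine(mon.counters, PLAN)

if __name__ == "__main__":
    print(run_demo())   # [('all_ipv4', 4, 3, '02:00:00:00:00:ee')]
```

The shared counter stays within plan because both known senders together produced exactly the expected three frames, while the counter for all IPv4 frames exceeds its plan by one; the last packet stored with that counter identifies the unplanned sender address, which is the conclusion about the transmitter the disclosure describes.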
One embodiment includes: the network processor and/or the microprocessor resets the counter value of the at least one counter if a predetermined reset condition is met. In other words, the absolute number of all data packets of a certain data pattern since the start of vehicle operation is not counted; instead, a counting interval can be defined. One possible counting interval is a unit of time, i.e. the reset condition may be that the respective counter is reset after a predetermined duration has elapsed, for example after one second, ten seconds or one minute. A separate reset condition may be set for each data pattern. Other reset conditions can be the resetting of a counter for a data pattern associated with a component of the motor vehicle (for example a reversing camera or a media player) as a function of a switching process or an activity signal in that component.
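Added example (not from the patent) of the reset conditions just described: a counter for one data pattern that restarts in every interval of a configurable duration, plus an event-based reset such as a switching process of the associated component, with a helper that reports the counting intervals in which a threshold was exceeded. The hit times, the threshold and the interval length are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IntervalCounter:
    """Counter for one data pattern with an optional time-based reset: the
    count restarts in every interval of `reset_after` seconds, so the
    calibration routine compares hits per interval, not since vehicle start."""
    reset_after: Optional[float] = None   # None: never reset by time
    value: int = 0
    interval: int = 0                      # index of the current interval

    def _maybe_reset(self, now: float) -> None:
        if self.reset_after is None:
            return
        current = int(now // self.reset_after)
        if current != self.interval:
            self.interval, self.value = current, 0

    def hit(self, now: float) -> int:
        """Register a hit signal at time `now`; return the new counter value."""
        self._maybe_reset(now)
        self.value += 1
        return self.value

    def reset(self) -> None:
        """Event-based reset, e.g. on a switching process of the component."""
        self.value = 0

def count_exceedances(hit_times, reset_after, threshold, reset_events=()):
    """Return the sorted list of interval indices in which the counter exceeded
    `threshold`.  `reset_events` are times at which an event reset the counter."""
    counter = IntervalCounter(reset_after)
    events = sorted(reset_events)
    exceeded = set()
    for t in sorted(hit_times):
        while events and events[0] <= t:
            counter.reset()
            events.pop(0)
        if counter.hit(t) > threshold:
            exceeded.add(counter.interval)
    return sorted(exceeded)

if __name__ == "__main__":
    # Constructed hits: a burst of three in the first second, three more in the
    # second; a media-player switch at 1.6 s resets the counter in between.
    hits = [0.1, 0.2, 0.3, 1.5, 1.7, 1.8]
    print(count_exceedances(hits, 1.0, 2))                     # [0, 1]
    print(count_exceedances(hits, 1.0, 2, reset_events=[1.6])) # [0]
```

Without the event reset the second interval also trips the threshold; with the reset at 1.6 s the two hits that follow the switching process start from zero and stay within the limit, which is the effect the embodiment describes.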
One embodiment includes: a plurality of position data items (i.e. data items each specifying bit positions and/or byte positions) are provided for different monitoring positions; the network processor determines packet characteristics of the respective data packet from the data packet (header data and/or user data), selects one of the position data items as a function of the packet characteristics, so that a monitoring position adapted to the packet results, and reads the probe data at the monitoring position specified by the selected position data item. In other words, it can be determined for different packet characteristics which bits or bytes, i.e. which positions within the data packet (monitoring positions), are read as probe data in order to form the input data for the associative memory. This has the advantage that different monitoring positions can be checked as a function of the packet characteristics. Which packet characteristic a data packet has can be identified, for example, from its header data and/or user data. In this regard, the following embodiments are advantageous.
One embodiment includes: the packet characteristics specify the protocol type (TCP or UDP) and/or the packet type (first packet of a communication or subsequent packet) and/or the data content (sender address, receiver address). As protocol type, a distinction can be made, for example, between TCP (transmission control protocol) and UDP (user datagram protocol), to name only two possible protocols for data traffic in a motor vehicle. As packet type, it can be distinguished, for example, whether a packet is the first packet of a communication or a subsequent packet; the so-called SYN flag may be evaluated for this. Data content such as a sender address and/or a receiver address may also be used advantageously to form the input data for the associative memory; for example, unregistered sender addresses may be detected.
One embodiment includes: the monitoring positions describe disjoint data fields of the packet. The probe data read to form the input data for the associative memory thus need not be a continuous sequence of bits or bytes from the data packet; instead, bits or bytes from disjoint data fields may be read, with further bits or bytes in between that are not part of the probe data. This makes the analysis of the data packets more flexible.
One embodiment includes: forming the input data comprises rearranging the probe data by means of a shift operation and/or combining the probe data by means of at least one combination rule. A pre-processing step may thus be performed by applying a shift operation and/or a combination rule. The combination rule may, for example, comprise a logical operation such as an AND (logical conjunction) or an OR (logical disjunction). In this way, bits or bytes of the probe data can be combined or compressed, for example to obtain a preset format. Furthermore, a first step of monitoring the data network for undesired data traffic can already be carried out by means of the shift operations and/or combination rules: for example, it may be checked whether two predetermined bits in the probe data have a predetermined logical combination (e.g. both set or both cleared). The result can then be represented by a single bit, which becomes part of the input data instead of the original bits.
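Added example (not the patent's code) covering the preceding four embodiments together: position data items selected by the packet characteristic (TCP or UDP, read from the IP protocol field), probe data gathered from disjoint header fields, and a combination rule built from shift and logical operations that condenses the SYN and ACK flags into one bit marking the first packet of a communication, followed by a ternary comparison against one constructed entry. The header offsets assume the minimal Ethernet/IPv4/TCP-or-UDP frames the block builds itself; the service port 5000 and the addresses are constructed sample values.

```python
# Byte offsets for a minimal Ethernet + IPv4 (20-byte header) + TCP/UDP frame.
# Constructed for this example; make_frame() below builds frames to match.
IP_PROTO_OFF = 23                                   # IPv4 protocol field
SRC_IP, DST_PORT, TCP_FLAGS = (26, 4), (36, 2), (47, 1)

# Position data items: one set of (offset, length) monitoring positions per
# packet characteristic.  The fields are disjoint; bytes in between are skipped.
POSITION_ITEMS = {
    "tcp": [SRC_IP, DST_PORT, TCP_FLAGS],
    "udp": [SRC_IP, DST_PORT],
}

def packet_characteristic(frame: bytes):
    """Derive the characteristic from the header data (here: the IP protocol)."""
    return {6: "tcp", 17: "udp"}.get(frame[IP_PROTO_OFF])

def first_packet_bit(flags: int) -> int:
    """Combination rule via shift and logical operations: 1 iff SYN is set and
    ACK is clear, i.e. the first packet of a TCP communication."""
    syn = (flags >> 1) & 1
    ack = (flags >> 4) & 1
    return syn & (ack ^ 1)

def form_input_data(frame: bytes):
    """Select the position data item from the packet characteristic, read the
    probe data at those positions and apply the combination rule.  UDP input
    data are padded with a zero byte so both kinds have the same width."""
    kind = packet_characteristic(frame)
    if kind is None:
        return None
    fields = [frame[off:off + ln] for off, ln in POSITION_ITEMS[kind]]
    if kind == "tcp":
        fields[2] = bytes([first_packet_bit(fields[2][0])])
    else:
        fields.append(b"\x00")
    return b"".join(fields)

def ternary_match(data: bytes, value: bytes, mask: bytes) -> bool:
    """Associative-memory comparison: only bits set in the mask are compared."""
    return len(data) == len(value) and all(
        (d & m) == (v & m) for d, v, m in zip(data, value, mask))

# Constructed entry: a new TCP connection to service port 5000 from any source.
NEW_CONN_VALUE = bytes(4) + (5000).to_bytes(2, "big") + b"\x01"
NEW_CONN_MASK = bytes(4) + b"\xff\xff" + b"\x01"

def make_frame(proto: int, src_ip: bytes, dst_port: int, tcp_flags: int = 0) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed; checksums,
    sequence numbers and MAC addresses are left at zero)."""
    eth = bytes(12) + b"\x08\x00"
    port = dst_port.to_bytes(2, "big")
    if proto == 6:   # TCP: src port, dst port, seq, ack, data offset, flags, rest
        l4 = bytes(2) + port + bytes(8) + b"\x50" + bytes([tcp_flags]) + bytes(6)
    else:            # UDP: src port, dst port, length, checksum
        l4 = bytes(2) + port + bytes(4)
    ip = (b"\x45\x00" + (20 + len(l4)).to_bytes(2, "big") + bytes(4) + b"\x40"
          + bytes([proto]) + bytes(2) + src_ip + bytes(4))
    return eth + ip + l4

def check(frame: bytes) -> bool:
    """True iff the frame's input data hits the constructed entry."""
    data = form_input_data(frame)
    return data is not None and ternary_match(data, NEW_CONN_VALUE, NEW_CONN_MASK)

if __name__ == "__main__":
    src = bytes([10, 0, 0, 1])
    print(check(make_frame(6, src, 5000, tcp_flags=0x02)))   # True  (SYN)
    print(check(make_frame(6, src, 5000, tcp_flags=0x12)))   # False (SYN+ACK)
    print(check(make_frame(17, src, 5000)))                  # False (UDP)
```

Condensing the two flag bits into one before the lookup keeps the entry width small and lets the same entry distinguish a connection request from the reply that also carries SYN; the TCP and UDP input data share one width so both can be offered to the same associative memory.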
The invention also provides a monitoring device or switching device for a data network of a motor vehicle, wherein the switching device has a network processor, an associative memory and a computing unit which are set up to carry out an embodiment of the method according to the invention. The associative memory can be a CAM, in particular a TCAM, as described. The associative memory may be integrated in the network processor or provided in a separate memory element. A network processor of the type known from switching devices can be used and extended with the method steps. As computing unit for the described processing of the analysis data, a so-called CPU (central processing unit), a microcontroller or, in general, a microprocessor can be provided, wherein the computing unit can be coupled to the network processor and/or the associative memory via a corresponding data interface. The network processor and the computing unit may each be a data processing device or processor device, each of which may have at least one microprocessor and/or at least one microcontroller and/or at least one FPGA (field programmable gate array) and/or at least one DSP (digital signal processor). The computing unit can be freely programmable. Furthermore, program code may be provided which is set up to carry out the method steps according to one embodiment of the method of the invention when it is executed. The program code may be stored in at least one data memory to which the computing unit and/or the network processor may be coupled.
The invention also provides a motor vehicle having a data network in which a plurality of network branches are interconnected via an embodiment of the monitoring device according to the invention. The motor vehicle according to the invention is preferably designed as an automobile, in particular as a passenger car or truck, or as a bus or motorcycle.
The invention also comprises a combination of features of the described embodiments. The invention therefore also includes implementations having respectively a combination of features of a plurality of the described embodiments, as long as these embodiments are not described as mutually exclusive.
Drawings
Embodiments of the present invention are described below with reference to the drawings, in which:
Fig. 1 shows a schematic embodiment of a motor vehicle according to the invention;
Fig. 2 shows a diagram illustrating a TCAM that sends a hit signal to a counter; and
Fig. 3 shows a schematic diagram of a read memory via which a TCAM can be coupled to a microprocessor.
Detailed Description
The examples set forth below are preferred embodiments of the invention. In the exemplary embodiments, the described parts of the embodiments are in each case individual features of the invention which are to be considered independently of one another and which in each case also improve the invention independently of one another. Therefore, the disclosure is intended to include other combinations of features than those set forth in the embodiments. Furthermore, the described embodiments can also be supplemented by other features of the invention which have already been described.
In the drawings, like reference numbers indicate functionally similar elements, respectively.
Fig. 1 shows a motor vehicle 10, which may be an automobile such as a passenger car or a truck. A data network 11, which may be an Ethernet network, for example, may be provided in the motor vehicle 10. Controllers 12, 13 may be coupled to each other via the data network 11 for data communication or data exchange. In order to interconnect the plurality of network branches 14 of the data network 11, a switching device 15 may be provided. The network cable of each network branch 14 can be coupled in a manner known per se to a respective port 16, 17 of the switching device 15. Fig. 1 shows as an example how the controller 12 can send data packets 18 to the controller 13. In this case, the switching device 15 can receive the data packet 18 at the port 16 to which the network branch 14 of the controller 12 is connected and, from its plurality of ports (possibly including further ports not shown), select the port 17 connected to the network branch 14 of the controller 13, so that the data packet 18 is transmitted in this network branch 14 and in particular only in this network branch 14. In general, the data packets 18 can be transmitted via the switching device 15 only to those network branches, or to that network branch, in which the controller 13 to which the data packets 18 are addressed is located, the addressing being done in a manner known per se, for example via so-called IP addresses and/or MAC addresses.
In order to transmit the received data packet 18 to the correct port 17, i.e. the destination port 19, in the switching device 15, a switching circuit 20 (also referred to as a switching engine) can be provided in the switching device 15, which switching circuit can be designed in a manner known per se. The switching circuit 20 may be controlled by a network processor 21. In order to determine which destination port 19 is to be set in the switching circuit 20 for the received data packet 18, an associative memory 22, in particular a TCAM, can be provided. In the associative memory 22, output data 24 can be associated with the respective possible data patterns 23. The data or the data content thereof can be read from the data packets 18, for example by the network processor 21, at a preset selection position of the received data packet 18 and combined into input data 25, which can be delivered to the associative memory 22. If the input data 25 comprises one of the data patterns 23, the associative memory 22 may output the corresponding output data 24 as destination port data 26. For example, depending on the destination port data 26, the network processor 21 may set or select the corresponding destination port 19 in the switch circuit 20.
The associative memory may be integrated in the network processor or distinct from the network processor. It may be provided that the associative memory 22 is connected to the switching circuit 20 such that the target port data 26 can be evaluated directly, i.e. without the network processor 21, by the switching circuit 20 to select the target port 19.
In the motor vehicle 10, an IDS (intrusion detection system for software errors and/or malware) can also be implemented by means of the switching device 15, i.e. it can be recognized whether one of the controllers 12,13 (only two are shown here as an example) is manipulated or infected by a data virus in the data network 11 and/or whether an unauthorized device is connected to the data network 11 and transmits at least one data packet via the switching device 15.
For this purpose, the associative memory 22 can likewise be used in the switching device 15, without the associative memory having to have additional functions.
To this end, the network processor 21 can prepare at least one position data item 28, each of which specifies a monitoring position, i.e. the bit position or byte position at which a bit or at least one byte of the data or data content of the received data packet 18 is to be read. The data read there form the probe data 31 (also referred to as detection data). These probe data 31 can be used to generate the input data 25 for monitoring the data network 11. Beforehand, at least one operation 31' may be applied to the probe data 31 in order to form the input data 25 for the associative memory 22; the probe data 31 may, however, also be provided directly as the input data 25. The input data 25 can be fed into the associative memory 22 for checking against the at least one data pattern 23. If one of the data patterns 23 applies, the associative memory 22 outputs the corresponding output data 24. These output data 24 then constitute the hit data 27 of a hit signal 27'; each hit signal can be associated with a respective data pattern 23 and is represented as a hit signal.
The corresponding tuple CT, which consists of a counter C and a time stamp T, can be updated each time the input data 25 for monitoring the data network triggers a hit signal in the associative memory 22. The tuples CT can be provided separately for the respective hit signals or for a combination thereof; Fig. 1 shows by way of example seven counters C0 to C6 and associated memories for the time stamps T0 to T6, the number being chosen here only as an example. By means of the microprocessor 29, for each tuple CT (i.e. each combination of a counter C and a time stamp T), the respective values of the counter C and the time stamp T can be read from the read memory 30, together with at least part of the data packet 18 that caused the hit signal for the last increment of the counter C at the point in time given by the time stamp T. For this purpose, the respective last data packet 18 of each tuple CT is likewise stored in the read memory 30.
By means of the calibration routine 32, the microprocessor 29 can then check whether the number of hit signals (i.e. the counter values C0 to C6 stored for the respective data patterns 23, together with the associated time stamps T0 to T6) satisfies a consistency criterion 34 with respect to the transmission planning data 33, which describe the data traffic as specified or programmed for the controller 12 in the non-manipulated state of the data network 11. If the consistency criterion 34 is not met, i.e. if a deviation occurs between the analysis data 30' from the read memory 30 and the transmission planning data 33, a defence routine 35 can be triggered or initiated by the microprocessor 29. For example, the functional range of the vehicle may be limited and/or a signal may be sent to the user of the vehicle to inform the user that the vehicle 10 must be checked in a workshop.
Fig. 2 illustrates how the data patterns 23 can be set as corresponding entries TCAM_0 through TCAM_2^N-1 in the associative memory 22, where the highest index 2^N-1 indicates that the total number of entries is a power of two (2^N). For example, N may be an integer ranging from 0 to 10. If the input data 25 are filtered by means of the associative memory 22, one of the data patterns 23 may coincide with the input data 25, whereupon the associated hit signal 27' is generated as hit data 27. Each data pattern 23 can be assigned one of the counters C, which is incremented by the corresponding hit signal 27', so that the counter readings or counter values C_0 to C_2^N-1 are incremented. Additionally, for the last received packet 18 (which last triggered the hit signal 27'), the time stamp T of its reception or of the hit signal 27' may be stored as one of the time values T_0 through T_2^N-1. Fig. 2 also shows that the data patterns 23 of two entries 36 can be counted by the same counter C (here, by way of example, the counter with the counter value C_1). In this way, manipulated data traffic that is spread over a plurality of data patterns 23 can also be recognized in the data network 11.
Fig. 3 shows how the relevant data packet 18 and the values of the counter C and the time stamp T can be stored in the read memory 30 only for the last triggered hit signal 27' from the associative memory 22, from where they can then be read by the microprocessor 29 as analysis data 30'. Thus, only a single read memory 30 holding one entry of analysis data 30' is required, the microprocessor 29 then being able to read the updated content of the analysis data 30' serially after each hit signal 27'.
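The monitoring path described above (position data items 28 selected by a packet characteristic, probe data 31 combined into input data 25, a ternary match against data patterns 23, counters C and time stamps T, and a single read memory 30) can be modelled in software. The following is an added example and not code from the patent or its applicants; the frame layout, the MAC addresses of "controller 12" and "controller 13", the position table keyed by EtherType and the TCAM entries are all constructed for the demonstration. It also shows the prioritization mentioned later (only the first matching entry counts) and two entries feeding one counter as in Fig. 2.

```python
"""Software model of the TCAM monitoring path in the switching device.

Added example, not code from the patent or its applicants. Frame layout,
MAC addresses and the position/entry tables are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PositionItem:
    """Position data item (28): which (offset, length) fields of a frame are
    read as probe data (31). The fields are disjoint, as in aspect 7."""
    fields: Tuple[Tuple[int, int], ...]


@dataclass(frozen=True)
class TcamEntry:
    """One data pattern (23) as a ternary value/mask pair, plus the index of
    the counter C that its hit signal (27') increments."""
    value: bytes
    mask: bytes      # 0xFF: bit must match, 0x00: don't care
    counter: int

    def matches(self, key: bytes) -> bool:
        # Entries written for a different probe length can never match.
        if len(key) != len(self.value):
            return False
        return all((k & m) == (v & m)
                   for k, v, m in zip(key, self.value, self.mask))


class MonitoringTcam:
    """Associative memory (22) with counter values C_i, time stamps T_i and a
    single read memory (30) holding the analysis data of the last hit."""

    def __init__(self, positions: Dict[int, PositionItem],
                 entries: List[TcamEntry], n_counters: int) -> None:
        self.positions = positions          # keyed by EtherType (packet characteristic)
        self.entries = entries              # list order = priority, index 0 highest
        self.counters = [0] * n_counters    # C_0 .. C_{n-1}
        self.timestamps: List[Optional[int]] = [None] * n_counters  # T_0 .. T_{n-1}
        self.read_memory: Optional[Tuple[int, int, int, bytes]] = None

    def probe(self, frame: bytes) -> Optional[bytes]:
        """Select the position item by EtherType and combine the fields read
        there into the input data (25) for the associative memory."""
        item = self.positions.get(int.from_bytes(frame[12:14], "big"))
        if item is None:
            return None
        return b"".join(frame[off:off + ln] for off, ln in item.fields)

    def process(self, frame: bytes, ts: int) -> Optional[int]:
        """Return the index of the entry that produced a hit signal, or None.
        With several matching patterns only the highest-priority one counts."""
        key = self.probe(frame)
        if key is None:
            return None
        for idx, entry in enumerate(self.entries):
            if entry.matches(key):
                c = entry.counter
                self.counters[c] += 1
                self.timestamps[c] = ts
                # Analysis data (30'): counter id, value, time stamp, last packet.
                self.read_memory = (c, self.counters[c], ts, frame)
                return idx
        return None


def make_frame(src_last: int, ethertype: int, ip_proto: int = 0) -> bytes:
    """Constructed Ethernet frame: dst MAC, src MAC, EtherType, then either a
    minimal IPv4 header (protocol byte at frame offset 23) or zero padding."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("0200000000") + bytes([src_last])
    if ethertype == 0x0800:
        payload = bytearray(20)
        payload[0], payload[9] = 0x45, ip_proto
    else:
        payload = bytearray(28)
    return dst + src + ethertype.to_bytes(2, "big") + bytes(payload)


MAC12 = bytes.fromhex("020000000012")   # hypothetical controller 12
MAC13 = bytes.fromhex("020000000013")   # hypothetical controller 13

POSITIONS = {
    0x0800: PositionItem(((6, 6), (23, 1))),   # IPv4: src MAC + IP protocol byte
    0x0806: PositionItem(((6, 6),)),           # ARP: src MAC only
}

ENTRIES = [
    TcamEntry(MAC12 + b"\x11", b"\xff" * 7, counter=0),            # 12 sending UDP
    TcamEntry(MAC13 + b"\x00", b"\xff" * 6 + b"\x00", counter=1),  # 13, any IP proto
    TcamEntry(MAC13, b"\xff" * 6, counter=1),                      # 13 ARP, same counter
    TcamEntry(b"\x00" * 7, b"\x00" * 7, counter=2),                # any other IPv4 sender
]


def demo() -> MonitoringTcam:
    """Run a constructed packet sequence through the monitor."""
    tcam = MonitoringTcam(POSITIONS, ENTRIES, n_counters=3)
    tcam.process(make_frame(0x12, 0x0800, 0x11), ts=100)   # entry 0 -> C_0
    tcam.process(make_frame(0x13, 0x0800, 0x06), ts=105)   # entry 1 -> C_1
    tcam.process(make_frame(0x13, 0x0806), ts=110)         # entry 2 -> C_1 again
    tcam.process(make_frame(0x99, 0x0800, 0x11), ts=120)   # unknown sender -> C_2
    tcam.process(make_frame(0x12, 0x86DD), ts=130)         # IPv6: no position item
    return tcam


if __name__ == "__main__":
    t = demo()
    print("counters", t.counters, "timestamps", t.timestamps)
```

After the constructed sequence the counters read [1, 2, 1] with time stamps [100, 110, 120], and the read memory holds the unknown sender's frame, since that was the last hit. The catch-all entry sits last so that it only fires when no specific pattern applies, which is the prioritization the description relies on.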
For the analysis of the data flow, it may be advantageous to have timing information and/or a statistical evaluation in order to detect deviations from the transmission scheme of the controllers of the motor vehicle 10. Such deviations are indicative of possible manipulations or attacks involving the motor vehicle 10 and/or its data network 11. The efficiency of the detection can be increased by adding, in the associative memory 22, further data patterns which generate a hit signal 27' relating to a possible deviation from the transmission scheme of the controllers 12,13. The main idea here is to extend the existing associative memory 22 of the switching device 15 without the associative memory 22 itself having to be redesigned or developed anew. To this end, an associative memory, in particular a TCAM filter, is combined with at least one counter and an associated register for a time stamp. This means that the TCAM-based hardware is not only used to determine or select the target ports, but can also be used to generate statistics on the data traffic. If a TCAM filter rule produces a hit, i.e. identifies a data pattern and generates the associated hit signal, the counter value of the associated counter is incremented and the time stamp of the event is stored in the associated time stamp register. The tuple of counter value and time stamp can be read by the microprocessor acting as a computing node, for which purpose a so-called atomic access (exclusive access, or access within one clock cycle of the computer) is performed. As an extension, the filter rules can also provide that the data packets themselves (i.e., for example, Ethernet frames) are likewise provided as part of the analysis data, i.e. together with the tuples of counter values and time stamps, or transmitted to the microprocessor.
The data pattern 23 leading to the detection and/or the specification information specifying which counter value is associated or combined with which hit signal may also be provided as part of the analysis data.
Since the data patterns, or in general the filter rules for the TCAM, can be specified or controlled, the data patterns can also be specified optimally or adaptively for a specific motor vehicle, so that the transmission scheme to be expected for the data network 11 in its non-manipulated state can be taken into account. By transmitting the data packets together with the counter values and time stamps via the read memory to the microprocessor, a subsequent analysis or check for possible manipulations of the data network can be carried out without having to keep pace with the transmission speed of the data network, i.e. the data packets themselves leave the switching device again within a predetermined maximum permissible delay time. The accuracy of the analysis is nevertheless maintained by means of the time stamp, since the point in time of the event is still known.
The invention can thus be implemented by providing a set of counters and registers for time stamps, which represents a low additional expenditure in the switching device. If a TCAM filter rule triggers a hit signal, i.e. a data pattern 23 is identified in the input data 25, a prioritization of the data patterns can be provided for the case where several data patterns apply: only one hit signal 27' then increments the corresponding counter value. In the manner described, a counter can also be associated with a plurality of different filter rules or hit signals 27'. The data analysis software can be executed on a microprocessor, wherein the reading of the tuples of counter values and time stamps can be performed by so-called atomic access (access within one clock cycle) or by means of a shadow buffer (Schattenpuffer). This avoids unexpected inconsistencies between a counter value and its time stamp.
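The calibration routine 32 and the shadow-buffer read described above can be illustrated with a small consistency check over tuples CT. This is an added example and not code from the patent or its applicants: the plan format (a nominal send period and a tolerance per counter), the "stale time stamp" rule, the window length and the two sample snapshots are all constructed for the demonstration. It goes slightly beyond the text in that it also uses the time stamp to distinguish a sender that stopped part-way through the window from one whose count is merely low.

```python
"""Calibration routine (32) over counter/time-stamp tuples.

Added example, not code from the patent or its applicants. The plan format,
tolerance values, stale rule and sample snapshots are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One tuple CT from the read memory: (counter value C, time stamp T in ms).
CT = Tuple[int, Optional[int]]


@dataclass(frozen=True)
class PlanEntry:
    """Transmission planning data (33) for one counter: the nominal send
    period of the matching packets and the tolerated relative deviation of
    the count. period_ms == 0 means this packet type must never appear."""
    period_ms: float
    tolerance: float


def snapshot(live: Dict[int, CT]) -> Dict[int, CT]:
    """Shadow-buffer read: copy all tuples in one step so that a counter
    value and its time stamp always stem from the same increment."""
    return dict(live)


def calibration_routine(prev: Dict[int, CT], cur: Dict[int, CT],
                        plan: Dict[int, PlanEntry], window_ms: float,
                        now_ms: int) -> List[Tuple[int, str]]:
    """Apply the consistency criterion (34) to the hits counted between two
    snapshots. Returns (counter id, deviation kind) pairs; empty = consistent."""
    deviations: List[Tuple[int, str]] = []
    for cid, entry in plan.items():
        c_prev, _ = prev.get(cid, (0, None))
        c_cur, t_cur = cur.get(cid, (0, None))
        observed = c_cur - c_prev
        if entry.period_ms == 0:
            if observed > 0:
                deviations.append((cid, "forbidden"))   # e.g. unknown sender
            continue
        expected = window_ms / entry.period_ms
        if observed > expected * (1 + entry.tolerance):
            deviations.append((cid, "too_many"))        # flooding / replay
        elif observed < expected * (1 - entry.tolerance):
            deviations.append((cid, "too_few"))         # suppressed traffic
        # The time stamp adds what the bare count lacks: a counter that moved
        # in this window but whose last hit is already two periods old shows a
        # sender that stopped part-way through the window.
        if observed > 0 and t_cur is not None and now_ms - t_cur > 2 * entry.period_ms:
            deviations.append((cid, "stale"))
    return deviations


def defence_needed(deviations: List[Tuple[int, str]]) -> bool:
    """Any deviation triggers the defence routine (35); the reaction itself
    (limiting vehicle functions, notifying the driver) is vehicle-specific."""
    return bool(deviations)


# Constructed plan: C0 = 10 ms cyclic frames, C1 = 100 ms cyclic frames,
# C2 = catch-all pattern for senders that must not exist on the network.
PLAN = {0: PlanEntry(10.0, 0.2), 1: PlanEntry(100.0, 0.5), 2: PlanEntry(0.0, 0.0)}
WINDOW_MS = 1000.0
PREV = snapshot({0: (0, None), 1: (0, None), 2: (0, None)})
NORMAL = snapshot({0: (101, 995), 1: (10, 950), 2: (0, None)})
MANIPULATED = snapshot({0: (400, 998), 1: (2, 120), 2: (3, 640)})


if __name__ == "__main__":
    print("normal:", calibration_routine(PREV, NORMAL, PLAN, WINDOW_MS, 1000))
    print("manipulated:", calibration_routine(PREV, MANIPULATED, PLAN, WINDOW_MS, 1000))
```

With the constructed plan, the first snapshot pair is consistent, while the second reports flooding on C0, too few and stale hits on C1 (the sender fell silent at 120 ms) and forbidden traffic on C2. Reading the tuples through `snapshot` rather than field by field is what keeps the count and its time stamp from belonging to different increments.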
The calibration routine may be based on machine learning methods, such as artificial neural networks or deep learning methods, whereby it may also be compensated that the controller may change its transmission scheme as the case may be.
In general, examples show how information for an IDS is provided through a TCAM and a static counter in a switching device.
The invention thus relates in general, inter alia, to the following aspects:
1. method for monitoring data traffic between controllers (12,13) of a motor vehicle (10), wherein the controllers (12,13) are connected via a data network (11) with switching devices (15) in which physical ports (16,17) for receiving and sending data packets (18) are interconnected via a switching circuit (20), and in which method destination port data (26) are assigned by means of an associative memory (22) to the respective data packets (18) received via one of the ports (16,17) by a network processor (21) and at least one of the ports (16,17) is selected as the respective destination port (19) depending on the destination port data (26) and the received data packets (18) are directed to the at least one destination port (19) by the switching circuit (20),
characterized in that
storing at least one predetermined data pattern (23) of the packet types to be monitored and/or detected and/or of the data content to be monitored in the associative memory (22), so that an associated hit signal (27) is generated by the associative memory (22) in response to input data (25) if the input data (25) contains a corresponding data pattern (23), and
the network processor (21) reads probe data (31) from the received data packet (18) at a predetermined monitoring position of the data packet (18) and forms input data (25) for the associative memory (22) from the probe data (31) and checks whether a hit signal (27) is generated by inputting the input data (25) into the associative memory (22), and
providing at least one counter (C) in which the number of times a hit signal (27) is generated for at least one predetermined data pattern (23) is specified by a corresponding counter value and providing the corresponding counter value and a corresponding last data packet (18) via which the counter value was last incremented as analysis data (30') in a read memory (30),
a microprocessor (29) reads the corresponding analysis data (30 ') via a data interface and, as a function of transmission planning data (33) which describe a defined transmission scheme of the controller (12,13), recognizes a deviation of the analysis data (30') from the transmission scheme by means of a predetermined calibration routine (32) and, in this case, triggers a predetermined defense routine (35).
2. The method according to aspect 1, wherein for each of the at least one counter (C), a respective last incremented timestamp (T) of the counter value is stored in addition to the counter value and provided as part of the analysis data (30') in the read memory (30).
3. The method according to aspect 1, wherein at least one counter (C) counts hit signals (27) for at least two data patterns.
4. The method according to any of the preceding aspects, wherein the respective counter value of the at least one counter (C) is reset by the network processor (21) and/or the microprocessor (29) if a predetermined reset condition is fulfilled.
5. The method according to any one of the preceding aspects, wherein a plurality of data items are provided for different monitoring locations, and a packet characteristic of the respective data packet (18) is determined from the data packet (18) by the network processor (21), and one data item is selected from the data items according to the packet characteristic, and the probe data (31) is read at the monitoring location specified by the selected data item (28).
6. The method of aspect 5, wherein the packet characteristics specify a protocol type and/or a packet type and/or data content.
7. The method according to any one of the preceding aspects, wherein the monitoring locations describe disjoint data fields of the data packets (18).
8. The method according to any one of the preceding aspects, wherein the forming of the input data (25) comprises rearranging the detection data (31) by means of a shift operation and/or combining the detection data by means of at least one combination rule.
9. Switching device (15) for a data network (11) of a motor vehicle (10), wherein the switching device (15) has a network processor (21) and an associative memory (22) and a microprocessor (29) which are together set up to carry out a method according to one of the preceding aspects.
10. Motor vehicle (10) having a data network (11) in which a plurality of network branches are interconnected via a switching device (15) according to aspect 9.

Claims (9)

1. Method for monitoring data traffic between controllers (12,13) of a motor vehicle (10), wherein the controllers (12,13) are connected via a data network (11) having a switching device (15) in which physical ports (16,17) for receiving and transmitting data packets (18) are interconnected via a switching circuit (20), and in which method a respective data packet (18) received via one of the ports (16,17) is associated by a network processor (21) with target port data (26) by means of an associative memory (22), and at least one of the ports (16,17) is selected as the respective target port (19) depending on the target port data (26), and the received data packet (18) is routed to the at least one target port (19) by the switching circuit (20),
storing at least one predetermined data pattern (23) of the packet types to be monitored and/or detected and/or the data content to be detected in the associative memory (22) in such a way that, in the event of input data (25) containing a corresponding data pattern (23), an associated hit signal (27) is generated by the associative memory (22) in response to the input data (25), and
the network processor (21) reads probe data (31) from the received data packet (18) at a predetermined monitoring position of the data packet (18) and forms input data (25) for the associative memory (22) from the probe data (31) and checks whether a hit signal (27) is generated by inputting the input data (25) into the associative memory (22),
characterized in that
providing at least one counter (C) in which it is specified by a respective counter value how many times a hit signal (27) is generated for at least one predetermined data pattern (23), and for each of the at least one counter (C) storing in addition to the counter value a respective last incremented timestamp (T) of the counter value, and
and providing the respective counter value and the respective last data packet (18) via which the counter value was last incremented and the time stamp (T) as analysis data (30') in a read memory (30), and
a microprocessor (29) reads the corresponding analysis data (30 ') via a data interface and, depending on transmission planning data (33) which describe a defined transmission scheme of the controller (12,13), recognizes a deviation of the analysis data (30') from the transmission scheme by means of a predetermined calibration routine (32) and, in this case, triggers a predetermined protection routine (35).
2. Method according to claim 1, wherein at least one counter (C) counts hit signals (27) for at least two data patterns.
3. The method according to any of the preceding claims, wherein the respective counter value of the at least one counter (C) is reset by the network processor (21) and/or the microprocessor (29) if a predetermined reset condition is fulfilled.
4. Method according to any of the preceding claims, wherein a plurality of data items are provided for different monitoring locations, and a packet characteristic of the respective data packet (18) is determined from the data packets (18) by the network processor (21), and one data item is selected from the data items according to the packet characteristic, and the probe data (31) is read at the monitoring location specified by the selected data item (28).
5. The method of claim 4, wherein the packet characteristics specify a protocol type and/or a packet type and/or data content.
6. The method according to any one of the preceding claims, wherein the monitoring locations describe disjoint data fields of the data packet (18).
7. Method according to any of the preceding claims, wherein the forming of the input data (25) comprises rearranging the detection data (31) by means of a shift operation and/or combining the detection data by means of at least one combination rule.
8. Switching device (15) for a data network (11) of a motor vehicle (10), wherein the switching device (15) has a network processor (21) and an associative memory (22) and a microprocessor (29) which are together set up to carry out a method according to one of the preceding claims.
9. A motor vehicle (10) having a data network (11) in which a plurality of network branches are interconnected via a switching device (15) according to claim 8.
CN202180029783.4A 2020-10-28 2021-10-22 Method for monitoring data flow between controllers of motor vehicle and motor vehicle equipped therewith Active CN115380510B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE102020128285.0 2020-10-28
DE102020128285.0A DE102020128285A1 (en) 2020-10-28 2020-10-28 Method for monitoring data traffic between control units of a motor vehicle and a motor vehicle equipped accordingly
PCT/EP2021/079303 WO2022090065A1 (en) 2020-10-28 2021-10-22 Method for monitoring data traffic between control devices of a motor vehicle and vehicle equipped accordingly

Publications (2)

Publication Number Publication Date
CN115380510A true CN115380510A (en) 2022-11-22
CN115380510B CN115380510B (en) 2024-05-28


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6871265B1 (en) * 2002-02-20 2005-03-22 Cisco Technology, Inc. Method and apparatus for maintaining netflow statistics using an associative memory to identify and maintain netflows
US20130031037A1 (en) * 2002-10-21 2013-01-31 Rockwell Automation Technologies, Inc. System and methodology providing automation security analysis and network intrusion protection in an industrial environment
CN109391523A (en) * 2017-08-08 2019-02-26 罗伯特·博世有限公司 Method for monitoring the traffic between the network members in network
CN110024337A (en) * 2016-11-28 2019-07-16 奥迪股份公司 For the method for transmission message between the controller of motor vehicle and switch and motor vehicle
DE102018201718A1 (en) * 2018-02-05 2019-08-08 Robert Bosch Gmbh Method and device for detecting an anomaly in a data stream in a communication network


Also Published As

Publication number Publication date
DE102020128285A1 (en) 2022-04-28
WO2022090065A1 (en) 2022-05-05
TW202224382A (en) 2022-06-16
TWI807454B (en) 2023-07-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant