TW202224382A - Verfahren zum ueberwachen eines datenverkehrs zwischen steuergeraeten eines kraftfahrzeugs sowie entsprechend ausgestattetes kraftfahrzeug - Google Patents

Abstract

The invention relates to a method for monitoring data traffic between control devices (12, 13) of a motor vehicle (10), wherein at least one data pattern (23) of a packet type to be monitored and/or detected and/or data content is stored in a content addressable memory (22) such that by means of the content addressable memory (22), an assigned hit signal (27) is generated in response to input data (25) which contains the relevant data pattern (23), and a network processor (21) reads detection data (31) from received data packages (18) at predetermined monitoring positions (31) and therefrom forms input data (25) for the content addressable memory (22) and by inputting the input data (25) into the content addressable memory (22), checks whether a hit signal (27) is produced, and a microprocessor (29) detects, by means of a predetermined comparison routine (32) and on the basis of transmission plan data (33) which describe a correct transmission scheme of the control devices (12, 13), whether the hit signals (27) deviate from the transmission scheme.

Description

Method for monitoring data flow between control units of a motor vehicle and suitably equipped motor vehicle

The present invention relates to a method for monitoring data flow between control units of a motor vehicle and to a suitably equipped motor vehicle. The monitoring is carried out in a switching device which transmits data packets between several network branches of the data network. It is necessary to check whether the data packets or at least parts thereof involve predetermined undesired data traffic, for example, which may be part of a hacking attack or caused by a maliciously manipulated or damaged control unit of a motor vehicle, without causing significant forwarding Delay or dive time.

In motor vehicles, such control units can be coupled to one another via a data network (Datannetzwerk) or data network (Datannetz) in order to exchange data packets, for example to implement vehicle functions comprising a plurality of control units. An example for such a data network is Ethernet. The network branches of such a data network can be connected through a switching device (also referred to as "Switch" or a data distributor). For this purpose, each network branch can be connected to a corresponding port of the switching device. Such a port can refer to the physical connector of the network cable of the network branch and the circuit used to send and receive data packets. If a data packet arrives on a port from a connected network branch, it is determined to which other network branch or other network branches the data packet must be forwarded. Then, within the switching device, the data packet is forwarded or sent to the corresponding target port by a circuit, which is referred to as a switching circuit herein. By switching the forwarding of data packets in the above-mentioned manner, the network branches can be kept logically separated, thereby realizing the firewall function.

In order to determine where the received data packets need to be forwarded, ie to which destination port is directed inside the switching circuit, a so-called associative memory can be used. Another name for this type of associative memory is a CAM filter (CAM – content addressable memory), such as TCAM (ternary content addressable memory, ternary content addressable memory). So-called switching or routing can be performed in such switching circuits by associative memory. In associative memory, however, only a limited number of bits or bytes can be input as input data from the corresponding received data packets in order to obtain target port data describing the at least one to-be-used target port.

When analyzing the data traffic of the control units to detect malicious manipulation in one of the control units and/or to detect additional unauthorized devices connected to the data network, it may be necessary to laboriously analyze the data packets transmitted in the network. However, this should not cause additional latency or waiting time during the transmission of the data packets, otherwise, the corresponding functions in the motor vehicle related to the data packets (such as controlling the backup camera) may be affected. On the other hand, exporting or duplicating data packets for detailed analysis results in a large amount of data, making it impossible to provide the required computing power at a reasonable cost in a motor vehicle.

US 8 582 428 B1 discloses that data packets of a certain packet type can be counted by a counter in a router using an associative memory TCAM. Additional timestamps can be assigned to data packets for analysis of data traffic. Timestamps are also used to measure the age of communication links.

WO 2019/116973 A1 discloses that unauthorized data traffic in a motor vehicle is identified by the following way: the control unit generates more data per second than is initially set. Thus, malicious manipulation of the control unit, which only causes a few data packets that cause damage in the motor vehicle, cannot be identified.

WO 2006/069041 A2 and US 2007/022474 A1 disclose that data packets in the firewall are always deleted if the number of data packets of a specific type from a specific sender per unit time is above a threshold. But this method can only prevent so-called denial-of-service attacks based on mass-producing data packets.

US 2020/304532 A1 disclosed that the data traffic in motor vehicles is analyzed by TCAM associative memory to detect excessive data traffic in equipment. In order to prevent the microprocessor from being overloaded when analyzing abnormal data packets, all data packets are pre-filtered by the first rule, and only abnormal data packets according to the first rule are forwarded to the microprocessor for applying the second rule.

US 2017/118 041 A1 discloses a firewall operator that filters data packets through a plurality of distributed TCAM associative memories, and sends some data packets to the CPU. Combined with firewall rule ACLs (Access Control Lists) it is possible to count which rule is applied how many times in Firewall Calculator.

The object of the invention is to detect abnormal data traffic of control units or additionally connected devices in motor vehicles.

The solution of the present invention to achieve the above-mentioned objects is the subject of an independent item. Advantageous embodiments of the invention refer to the appendix, the description below and the drawings.

Provided herein is a method for monitoring data traffic between control units of a motor vehicle, wherein at least one data pattern of packet types to be monitored and/or probed and/or data content is stored in an associative memory (eg TCAM) , so that the associative memory generates an assigned hit signal in response to the input data containing the corresponding data pattern, and accordingly, the network processor reads the probe data at the preset monitoring position from the received data packet , and form input data for the associative memory from it, and check whether a hit signal is generated by inputting these input data into the associative memory, and the microprocessor combines the description of the conventional transmission scheme of the control units. Send planning data, identify whether the analysis data is different from the sending plan by a preset matching routine. A defense routine can then be initiated. The data pattern can be either a bit pattern or a byte pattern.

The present invention describes a method for monitoring data flow between control units of a motor vehicle. According to the method, the control units are connected through a data network in which the switching device connects a number of physical ports for receiving and sending data packets through switching circuits or data distributors. In this method, each data packet received through one of the ports is assigned target port data through the network processor through associative memory, and according to the ports from the (entirely existing) ports According to the determined target port data, at least one port is selected as the target port, and the received data packet or at least a part thereof is directed to the at least one target port through the switching circuit.

That is, the switching device has a switching circuit inside in a conventional manner, which is used to selectively transmit the received data packets from a certain port to at least one destination port, thereby transmitting the data packets between the network branches (to switch or route). To this end, each port may have a transceiver circuit to receive and/or transmit data packets. The associative memory referred to here may be implemented or provided as CAM (content addressable memory), in particular TCAM (ternary content addressable memory). Target port data originates from the corresponding control unit or device connected to the port in a conventional manner.

In order to achieve the above object, the present invention proposes to store at least one data pattern of the packet type and/or data content to be monitored and/or detected in the associative memory, so that the associative memory is used as a pair of data patterns containing the corresponding data pattern. The response to the input data produces an assigned hit signal. Accordingly, the network processor reads not only the data for determining the at least one target port from the received data packets, but also at a predetermined monitoring position of the data packet (ie, at a predetermined bit position or byte group). position) read the probe data and summarize it into more input data for the associative memory, and then check whether a hit signal is generated by feeding these input data into the associative memory. Thus, the associative memory is also used to detect data packets of a predetermined packet type and/or data packets with a predetermined data content. Among them, by predetermining these monitoring positions (ie, bit positions or byte positions), it is specified where in the data packet, that is, at which position, the bits or bytes in the data packet are used to form The probe data for the input data of the associative memory is read. In this case, the input data for the associative memory is not used to find the target port, but for the associative memory to generate a hit signal, which indicates that the corresponding data pattern has been identified. Such a hit signal may, for example, consist of a flag indicating that the associative memory has identified a corresponding data pattern in the input data.

In addition, at least one counter is provided, with its corresponding counter value indicating how many times a hit signal has been generated with respect to the at least one predetermined data pattern. The corresponding counter value and the last data packet used to increase the counter value for the last time are provided in the read memory as analysis data, and the microprocessor reads out the latest analysis data through the data interface. In this way, it is possible to count how many times at least one predetermined data pattern was identified or detected, which resulted in monitoring data for a particular monitoring location of a data packet. Counters can also be applied to multiple different hits, ie to multiple different data patterns, where a single counter is coupled to multiple entries of the associative memory. In the analysis data there is information about which data packet finally increased the counter value, wherein the counter value is additionally also stored in the analysis data in the read-out memory. It can be actively read by the microprocessor as required. That is, the analysis data in the read-out memory can be updated every time the counter changes. A separate storage space may be provided for each counter, or a common storage space may be provided for the analysis data of multiple or all counters.

It is characteristic in motor vehicles that at least a part of the data flow is generated by a control unit following a fixed programmed transmission scheme. Only a certain known proportion of the data traffic is dynamic, eg the data traffic of a control unit for entertainment electronics. The ratio can also be zero. In the case where the analysis data is different from the transmission scheme, combined with the transmission planning data describing the conventional transmission scheme of the control unit, the microprocessor can identify such a situation through the preset matching routine, thereby triggering the preset defense case Procedure.

That is, the invention is based on the recognition that in a non-maliciously manipulated motor vehicle, i.e. without any control unit different from the transmission scheme, and without any additional equipment connected to the data network and generating additional data traffic, only According to the matching routine, the analysis data of the transmission scheme, such as the transmission scheme described by the transmission planning data, can be specified by the manufacturer of the motor vehicle, for example. Matching routines may require complete agreement with these transmit planning data, and may also allow for tolerances in the counter values and/or data content of the final analysis data. The methods described herein are particularly applicable to Ethernet data packets. Ethernet as a data network is based on packet-related data traffic, so (unlike time-slot-related data networks), the time of transmission and/or the amount of data in the data traffic may change because no reserved time slots are set. The counter value can identify whether the number of data packets for a certain data pattern exceeds the threshold, which has nothing to do with the exact time of sending. The analysis data also includes data packets that trigger an overwrite of the threshold, so that it is possible to infer the transmitter, i.e. to identify a maliciously manipulated or damaged control unit, or to identify that the address of the transmitter used does not belong to the motor vehicle. The control unit on the supplier side, but is an additional device connected to the data network. Defensive routines or defensive measures may for example refer to functional limitations implemented in the motor vehicle, such as reducing the functional scope or disconnecting functions, such as disconnecting media playback and/or calling functions and/or international network connections. Depending on the TCAM entries or data packets used to identify deviations from the transmission scheme, another function of the motor vehicle can be restricted or disabled.

The corresponding counter (Counter) and/or associative memory (TCAM) may be part of the network processor, respectively, or the corresponding counter and/or associative memory may be provided external to the network processor.

The present invention also includes embodiments that provide further advantages.

According to one embodiment, for each counter, a timestamp of the last increment of the counter value is stored in addition to the counter value and provided as part of the analysis data in the read memory. That is, the analysis data in the read-out memory includes the counter value, its time stamp and the related data packet finally received. That is, the counter value used here indicates when a data packet contained in the analysis data arrives and triggers a hit signal. Practice has shown that this point achieves very sensitive fault identification and malicious manipulation identification in combination with the transmission scheme of the control unit. In this way, the microprocessor checking the analysis data by means of the matching routine can also receive the activity signal of at least one vehicle component and/or the control unit and, in combination with the time stamp, check whether the data packet is based on the data of the vehicle component and/or the control unit. The indicated activity is sent and checks that although it is outside the scope of the sending scheme, the data packets triggered by the activity are acknowledged and thus classified as permissible without triggering a defense routine. The active signal can be received, for example, via a CAN bus. It is especially important that the microprocessor is not overloaded by this, preferably in the microprocessor it is up to the microprocessor to decide whether the data packet is actually obtained from the read memory/on the data interface, or whether it should be used by the next data packet Override because the microprocessor does not currently have the resources available for immediate processing. An overview can be maintained in the microprocessor because for each data packet its ordinal (counter) and/or time stamp is available. Thus, the subject matter of the present application provides a monitoring tool for microprocessors that prevents overloading the microprocessor and still provides detailed insight in "suspicious" or associative memory selected data packets (the data packets themselves also provided on the data interface). Preferably, the data packets are only provided on one data interface, so that the microprocessor can always decide whether to retrieve the data packets if the corresponding computing capability is available. In the event that the microprocessor accepts a data packet on the data interface, the counter value and the time stamp are used to indicate to the microprocessor which data packet exists and/or how long the data packet has been.

According to one embodiment, at least one counter counts hit signals for at least two data patterns. That is, hit signals for at least two different data patterns are summarized in at least one counter. That is, in the event that either of the two data patterns is recognized by the associative memory, the counter is always incremented. The advantage of this is that malicious manipulations that attempt to transfer malicious manipulations, eg by using two different sender addresses and/or MAC addresses (MAC-medium access control), are also identified. The data traffic is distributed among a number of different packet types.

According to one embodiment, the corresponding counter value of the at least one counter is reset by the network processor and/or the microprocessor, when a certain reset condition is met. In other words, instead of counting the absolute number of all data packets of a certain data mode when the motor vehicle is started, the counting interval can also be specified. The possible counting intervals are time units, ie reset conditions can be set such that after the expiration of a certain time period, eg after one second or ten seconds or one minute, the corresponding counter is reset. It is possible to set its own reset conditions for each data mode. Another reset condition may be associated with a signal to reset the counter for a data pattern assigned to a certain gear shift operation or action in a component of a motor vehicle (eg, a reversing camera or media playback device).

According to one embodiment, multiple location data sets (ie data sets giving bit positions and/or byte positions, respectively) are provided for different monitoring locations and the data packets (header) are combined by the network processor. data and/or valid data) to determine the packet characteristics of the corresponding data packets, and select a position data set from the position data sets according to the packet characteristics, thereby generating alternate monitoring positions, and at the selected position data Read out the detection data at the monitoring position given by the set. In other words, which bits or groups of bytes are read for different packet characteristics, that is, at which positions (monitoring positions) in the data packet the data content for the detection data is read, and then the data content for the association is formed therefrom. Memory input data. This results in the advantage that different monitoring positions can be checked according to the packet characteristics. In this way, the packet characteristic of the data packet can be identified on the header data and/or the valid data. Therefore, the following embodiments are advantageous.

According to one embodiment, the packet properties give the protocol type (TCP or UDP) and/or the packet type (initial packet of the communication, subsequent packets) and/or the data content (sender address, receiver address). The protocol types can be distinguished, for example, between TCP (transport control protocol, transmission control protocol) and UDP (user datagram protocol, user datagram protocol), so that for example only two possible protocols are listed for data traffic in motor vehicles. Packet types can be distinguished, for example, by whether they refer to the initial packet of the communication or the subsequent packets of the communication. Here, for example, the so-called SYN flag can be evaluated. The input data for the associative memory may also preferably be formed using data content, eg in the form of sender addresses and/or receiver addresses. In this way, for example, non-registered sender addresses can be identified.

According to one embodiment, the monitoring locations describe disjoint data fields of the data packet. That is, reading probe data in order to form input data for associative memory need not include a contiguous sequence of bits or bytes in a data packet, but can also be read by specifying disjoint data fields. Certain bits or groups of bytes have more bits or groups of bytes in between that are not part of the probe data. Therefore, it is beneficial to analyze the data packets flexibly.

According to one embodiment, forming the input data from the probe data of the data packet includes rearranging the probe data by a shift operation and/or combining them together by at least one combining rule. This enables preprocessing to be performed using shift operations and/or combining rules. Combination rules may include, for example, logical operations such as AND (logical "and") or OR (logical "or"). In this way, the bits or groups of bytes of the probe data can be summarized or compressed, eg to obtain a prescribed format. In addition, the first step of detecting undesired data traffic can be implemented in the data network through shift operations and/or combination rules. For example, it can be checked whether two predetermined bits in the probe data have a predetermined logical combination (eg, two are set or two are deleted). This can be represented by a single bit, which can be part of the input data, rather than the original bits.

The present invention also provides a monitoring device or switching device for a data network of a motor vehicle, wherein the switching device has a network processor and associated memory and computing unit configured to carry out an implementation of the method of the invention Way. The associative memory can be a CAM, in particular a TCAM, in the aforementioned manner. The associative memory can be integrated in the network processor or provided in a separate storage element. The network processor may refer to the type of network processor known in the context of switching devices, which adds the aforementioned method steps. The computing unit used to process the analysis data in the aforementioned manner may refer to a so-called CPU (central processing unit, central processing unit) or a microcontroller or a microprocessor in general, wherein the computing unit and the network processor and/or the phase Link memories can be coupled through corresponding data interfaces. The network processor and the computing unit can be a data processing device or a processor device, respectively, which have at least one microprocessor and/or at least one microcontroller and/or at least one FPGA (Field Programmable Gate Array, Field Programmable Gate Array, respectively). Programmable gate array) and/or at least one DSP (Digital Signal Processor). The computing unit can be designed to be freely programmable. In addition, program code may be provided that is configured to implement, during execution, the method steps of an embodiment of the method of the present invention. The programming code can be stored in at least one data memory that can be coupled to a computing unit and/or a network processor.

The invention also relates to a motor vehicle having a data network in which network branches are connected by an embodiment of the monitoring device of the invention. The motor vehicle of the invention is preferably designed as a motor vehicle, in particular as a passenger car or a truck, or as a passenger car or a locomotive.

The present invention also includes combinations of features of the embodiments described herein. That is, to the extent that the various embodiments described herein are not mutually exclusive, the invention also includes embodiments having combinations of the features of such embodiments.

The examples to be described below are preferred embodiments of the present invention. In these examples, the described components of the embodiments are individual features of the invention that are independent of each other, which improve the invention in a way that is independent of each other. Accordingly, this disclosure also includes combinations of features of these embodiments that differ from those shown. Furthermore, the described embodiments may also be supplemented by other aforementioned inventive features.

Identical reference numerals in the figures denote functionally identical elements.

FIG. 1 shows a motor vehicle 10, which may be an automobile, such as a passenger car or a truck. A data network 11 may be provided in the motor vehicle 10, which may be Ethernet, for example. The control units 12 and 13 can be coupled to each other through the data network 11 for data communication or data exchange. In order to connect a plurality of network branches 14 of the data network 11 to each other, switching means 15 may be provided. The corresponding network cable of each network branch 14 may be connected to the corresponding ports 16, 17 of the switching device 15 in a known manner. FIG. 1 shows by way of example how the control unit 12 sends the data packets 18 to the control unit 13 . During this process, the switching device 15 can receive the data packet 18 on the port 16 connected to the network branch 14 of the control unit 12, and select a connection from a plurality of ports (more ports are not shown) of the switching device 15 There is a port 17 of the network branch 14 of the control unit 13 so that the data packets 18 can be forwarded in this network branch 14 and in particular only in this network branch 14 . In general, the data packets 18 can be forwarded by the switching device 15 in particular only to the network branch provided with the control unit 13, the data packets 18 being addressed in a known manner, for example by means of so-called IP addresses and/or MAC addresses to the control unit.

In order to forward the received data packets 18 to the correct port 17, that is, the target port 19 in the switching device 15, a switching circuit 20 (also known as a Switch-Engine) may be provided in the switching device 15, which can use learned structure. The switching circuit 20 may be controlled by the network processor 21 . In order to determine which target port 19 in the switching circuit 20 is intended for a received data packet 18, an associative memory 22, in particular a TCAM, may be provided. In associative memory 22, each corresponding data pattern 23 may be assigned output data 24. For example, the network processor 21 can read data or its data content from the data packet 18 at a preset selected position of the received data packet 18 and combine it into the input data 25 which can be transmitted to the associative memory 22 . If the input data 25 includes one of the data patterns 23 , the associative memory 22 can output the corresponding output data 24 as the target port data 26 . With the target port data 26 , the network processor 21 can, for example, set or select the corresponding target port 19 in the switching circuit 20 .

The associative memory may be integrated in the network processor or separate from the network processor. The associative memory 22 can be connected to the switching circuit 20 so that the target port data 26 can be evaluated by the switching circuit 20 directly, ie without the use of the network processor 21, to select the target port 19,

In the motor vehicle 10 , an IDS (Intrusion Detection System for Software Errors and/or Malware) can also be implemented by means of the switching circuit 15 , ie it can be detected whether there is a control unit 12 , 13 in the data network 11 . (Here, only two control units are shown by way of example) maliciously manipulated or invaded by a data virus, and/or whether an unauthorized device is connected to the data network 11 and sends at least one data packet through the switching device 15 .

The associative memory 22 can also be used in the switching device 15 to achieve this without having to provide it with additional functionality.

For this purpose, the network processor 21 can provide at least one location data set 28, in which the monitoring location can be given correspondingly, and a bit or at least one byte in the received data packet 18 can be given a useful to read the bit position or byte position of the data or data content of the received data packet 18. Thereby, the read probe data 31 is produced. These probe data 31 may be used to generate input data 25 for monitoring data network 11 . Previously, at least one operation 31 ′ could be applied to the probe data 31 to form the input data 25 for the associative memory 22 , but the probe data 31 could also be provided directly as the input data 25 . The input data 25 may be fed into the associative memory 22 to be checked for at least one data pattern 23 . If one of the data patterns 23 is applicable, the corresponding output data 24 is output through the associative memory 22 . In this case, the output data 24 refer to the hit data 27 of the hit signal 27', which can be assigned to a corresponding data pattern 23 and displayed as a hit signal.

Whenever input data 25 for monitoring the data network triggers a hit signal in associative memory 22, a corresponding tuple CT consisting of counter C and timestamp T may be updated. One tuple CT can be provided for each hit signal or a combination thereof. FIG. 1 shows by way of example seven counters C0 to C6 and the associated memory for the time stamps T0 to T6, wherein the number may be, for example, select. Through the microprocessor 29, for each tuple CT, that is, the corresponding combination of the counter C and the time stamp T, the corresponding values of the counter C and the time stamp T and at least one of the data packets 18 can be read from the read memory 30 The portion also stored in the read memory 30 which is used for or causes the last increment of the counter C with respect to the time stamp or the point in time of the time stamp T for the trigger or hit signal. For this purpose, the last data packet 18 of the corresponding tuple CT can be stored in the read memory 30 together.

The matching routine 32 can then be used by the microprocessor 29 to check: a certain number of hit signals, such as those stored for the respective data patterns 23 in the respective counters C0 to C6, and corresponding to the respective time stamps T0 to T6 The description of whether conventional or programmatic data traffic (in a non-malicious state of manipulation of the data network 11 ) sending planning data 33 to the control units 12 , 13 , complies with the conformance criteria 34 . If the consistency criterion 34 is not met, there is a discrepancy between the analysis data 30 ′ from the read memory 30 and the transmission planning data 33 , so that the defense routine 35 can be triggered or activated by the microprocessor 29 . For example, the functional range of the motor vehicle can be limited and/or the user of the motor vehicle can be signaled that the motor vehicle 10 must be checked in the workshop.

2 shows that the data mode 23 in the associative memory 22 can be set to the corresponding entries TCAM_0 to TCAM_2^N-1, where 2^N-1 means that a power of 2 is the total number of entries. N may be an integer of 0 to 10, for example. If associative memory 22 is used to filter input data 25, it is possible that one of the data patterns 23 coincides with input data 25, resulting in a corresponding hit signal 27' as hit data 27. Each data pattern 23 can be assigned to one of the counters C, which is incremented by the corresponding hit signal 27', such that the counter readings or counter values C-0 to C_2^N-1 are incremented. Furthermore, for the last received data packet 18 that finally triggered the hit signal 27', the corresponding timestamp T of the reception or the hit signal 27' may be stored as time values T_0 to T_2^N-1. As shown in FIG. 2, the data patterns 23 of the two entries 36 can also be evaluated by the same counter C_1 (exemplary). Thereby, malicious manipulation of malicious manipulation of data traffic distributed over a plurality of data patterns 23 is identified in the data network 11 .

FIG. 3 shows that, in the read memory 30, the counter value and the time stamp T corresponding to the data packet 18 and the counter C can be stored in the read memory 30 from the associative memory 22 only for the hit signal 27' that is finally triggered, and are stored by the associative memory 22. The microprocessor 29 reads this out as analysis data 30'. In this way, only a single read memory 30 is required to input the analysis data 30', in this case, the microprocessor 29 can sequentially read the updated content of the analysis data 30' in each hit signal 27'.

For the analysis of the data flow, preferably temporal information and/or statistical evaluation can be provided in order to identify deviations from the transmission scheme of the control unit of the motor vehicle 10 . Such deviations indicate a possible malicious manipulation or attack on the motor vehicle 10 and/or its data network 11 . The detection efficiency can be improved by the method described above, wherein in the associative memory 22, additional data patterns 23 for generating hit signals 27' which may deviate from the transmission scheme of the control units 12, 12 are identified. The main idea of the present invention is to expand the existing associative memory 22 of the switching device 15 without rebuilding or developing the associative memory 22 itself. For this purpose, an associative memory, in particular a TCAM filter, is combined with at least one counter and a corresponding scratchpad for time stamping. This point means that not only TCAM based hardware is used to detect or select target ports, but also TCAM based hardware is used to generate statistics about data traffic. In the event that the TCAM filter generates a hit, that is, a data pattern is identified and a corresponding hit signal is generated, the counter value of the corresponding counter can be incremented, and the timestamp of the event can be stored in the corresponding temporary storage of the timestamp. in the device. The tuple consisting of the counter value and the timestamp can be read out by the microprocessor as a computing node to implement so-called atomic accesses (exclusive accesses or accesses within one clock cycle of the computer). The filter rules can also be extended so that the data packets themselves, i.e. Ethernet frames for example, are also provided or transmitted to the microprocessor as part of the parsed data, i.e. together with tuples of counter values and timestamps device. The data pattern 23 that caused the probe and/or information indicating which counter value is associated or combined with which hit signal may also be provided as part of the analysis data.

By specifying or controlling data patterns or general filtering rules for TCAM, data patterns can be specified in a way that is optimized or adjusted for a particular motor vehicle, so that transmission schemes for non-malicious manipulation of the data network 11 are taken into account. Inside. The data packets and counter values and timestamps are transmitted to the microprocessor by reading the memory, so that the possible malicious manipulation of the data network can be analyzed or checked afterwards without having to follow the transmission speed of the data network, that is, , the data packet leaves the switching device again within a certain maximum latency range. Analytical accuracy is still maintained through timestamps because the point in time of the operation is known.

Thus, the present invention is realized by providing a set of counters and registers for time stamps, thereby reducing the additional cost in the switching device. In the event that a TCAM filter rule triggers a hit signal, ie, a data pattern 23 in the input data 25 is identified, if multiple data patterns are applicable, the data patterns can be prioritized so that there is only one hit signal 27' Causes the corresponding counter value to increase. In this way, one counter can be assigned to a plurality of different filter rules or hit signals 27'. The microprocessor enables the data analysis hardware to work, in which tuples consisting of counter values and timestamps can be read out through so-called atomic accesses (accesses within one clock cycle) or through shadow buffers . This prevents deviations in the correlation between the counter value and the timestamp.

The matching routine may be based on machine learning methods, such as artificial neural network methods or deep learning methods, so as to compensate for situations in which the control unit may change its transmission scheme as appropriate.

In general, it is disclosed how to provide information for IDS through static counters in TCAM and switching devices.

In summary, the present invention particularly relates to the following aspects:

1. A method for monitoring data flow between control units (12, 13) of a motor vehicle (10), wherein the control units (12, 13) are connected via a data network (11) having switching A device (15) in which a number of physical ports (16, 17) for receiving and sending data packets (18) are connected through a switching circuit (20), and in the method, through the ports ( Each data packet (18) received by one of 16, 17) is assigned a number of destination port data (26) through the network processor (21) through the associative memory (22), and according to these target port data (26), select at least one of the ports (16, 17) as the corresponding target port (19), and direct the received data packet (18) through the switching circuit (20) to the at least one destination port (19), It is characterized in that, Store in the associative memory (22) at least one preset data pattern (23) of the packet type to be monitored and/or to be detected and/or the content of the data to be detected, so that the input data (25) contains the corresponding In the case of the data mode (23), the associative memory (22) generates an assigned hit signal (27) in response to the input data (25), and The network processor (21) reads out probe data (31) from the received data packet (18) at a preset monitoring position of the data packet (18), and forms a function from the probe data (31). input data (25) to the associative memory (22), and checking whether a hit signal (27) is generated by inputting the input data (25) into the associative memory (22), and providing at least one counter (C) in which the number of times a hit signal (27) has been generated with respect to at least one preset data pattern (23) is given by means of a corresponding counter value, and providing the corresponding counter value and the last data packet (18) causing the final increment of the counter value as analysis data (30') in the read memory (30), and The microprocessor (29) reads out the corresponding latest analysis data (30') through the data interface and combines with the transmission planning data (33) describing the conventional transmission scheme of the control units (12, 13), by default matching Routine (32) to recognize that the analysis data (30') are different from the transmission scheme, and in this case trigger the default defense routine (35).

2. The method of aspect 1, wherein for each of the at least one counter (C), a timestamp (T) of the last increment of the counter value is stored in addition to the counter value and used as the Provided by reading the portion of the analysis data (30') in the memory (30).

3. The method of any of the preceding aspects, wherein at least one counter (C) counts hit signals (27) for at least two data patterns.

4. The method of any one of the preceding aspects, wherein by means of the network processor (21) and/or the microprocessor (29), the at least one counter is The corresponding counter value of (C) is reset.

5. The method of any of the preceding aspects, wherein multiple data sets for different monitoring locations are provided, and Determining the packet characteristics of the corresponding data packets (18) by the network processor (21) in conjunction with the data packets (18), and A data set is selected from the data sets according to the packet characteristics, and the probe data (31) are read at the monitoring positions given by the selected data set (28).

6. The method of aspect 5, wherein the packet characteristic gives the protocol type and/or the packet type and/or the data content.

7. The method of any preceding aspect, wherein the monitoring locations describe disjoint data fields of the data packet (18).

8. The method of any one of the preceding aspects, wherein forming the input data (25) comprises: rearranging the probe data (31) by shift operations and/or by at least one combination rule its combined together.

9. A switching device (15) for a data network (11) of a motor vehicle (10), wherein the switching device (15) has a network processor (21) and an associated memory (22) and a microprocessor (29), which are collectively configured to implement the method of any of the preceding aspects.

10. A motor vehicle (10) having a data network (11) in which a plurality of network branches are connected through a switching device (15) as in aspect 9.

10: Motor Vehicles 11: Data Network 12: Control unit 13: Control unit 14: Network branch 15: Switching device 16: port 17: port 18: Data packet 19: target port 20: Switching circuit 21: Network Processor 22: Associative memory 23: Data Mode 24: Output data 25: Enter information 26: Target port information 27, 27': hit signal, hit data 28: Datasets 29: Microprocessor 30: read memory 30': Analysis data 31: Detection data 31': operation 32: Matching routines 33: Send planning information 34: Conformance Standards 35: Defense Routines 36: Record Item C: counter T: timestamp

Embodiments of the present invention are described below. In the picture: [Fig. 1] is a schematic embodiment of the motor vehicle of the present invention; [FIG. 2] is a schematic diagram of the TCAM sending the hit signal to the counter; and [FIG. 3] is a schematic diagram of a read memory used to couple the TCAM and the microprocessor.

10: Motor Vehicles

11: Data Network

12: Control unit

13: Control unit

14: Network branch

15: Switching device

16: port

17: port

18: Data packet

19: target port

20: Switching circuit

21: Network Processor

22: Associative memory

23: Data Mode

24: Output data

25: Enter information

26: Target port information

27: Hit Signal

28: Datasets

29: Microprocessor

30: read memory

30': Analysis data

31: Detection data

31': operation

32: Matching routines

33: Send planning information

34: Conformance Standards

35: Defense Routines

C: counter

T: timestamp

Claims (9)

A method for monitoring data flow between control units (12, 13) of a motor vehicle (10), wherein the control units (12, 13) are connected via a data network (11) having switching means ( 15), in the switching device, a number of physical ports (16, 17) for receiving and sending data packets (18) are connected through a switching circuit (20), and in the method, through the ports (16, 17) Each data packet (18) received by one of 17) is assigned a number of destination port data (26) through the network processor (21) through the associative memory (22), and according to the destination ports data (26), select at least one of the ports (16, 17) as the corresponding target port (19), and direct the received data packet (18) to the corresponding target port (19) through the switching circuit (20) At least one destination port (19), where Store in the associative memory (22) at least one preset data pattern (23) of the packet type to be monitored and/or to be detected and/or the content of the data to be detected, so that the input data (25) contains the corresponding In the case of the data mode (23), the associative memory (22) generates an assigned hit signal (27) in response to the input data (25), and The network processor (21) reads out probe data (31) from the received data packet (18) at a preset monitoring position of the data packet (18), and forms a function from the probe data (31). input data (25) in the associative memory (22), and check whether a hit signal (27) is generated by inputting these input data (25) into the associative memory (22), It is characterized in that, at least one counter (C) is provided in which it is given, by means of the corresponding counter value, how many times a hit signal (27) has been generated with respect to at least one preset data pattern (23), and for which at least one counter (C ) each of which stores, in addition to the counter value, the timestamp (T) of the last increment of the counter value, and And the corresponding counter value and the last data packet ( 18 ) that will eventually increase the counter value, as well as the timestamp (T), are provided as analysis data ( 30 ′) in the read memory ( 30 ) ,and The microprocessor (29) reads out the corresponding latest analysis data (30') through the data interface, and combines with the transmission planning data (33) describing the conventional transmission scheme of the control units (12, 13), by default A matching routine (32) recognizes that the analysis data (30') differ from the sending scheme, and in this case triggers a preset defense routine (35). The method of claim 1, wherein at least one counter (C) counts hit signals (27) for at least two data patterns. The method of any one of the preceding claims, wherein the at least one counter (C ) is reset to the corresponding counter value. The method of any of the preceding claims, wherein a plurality of data sets for different monitoring locations are provided, and Determining the packet characteristics of the corresponding data packets (18) by the network processor (21) in conjunction with the data packets (18), and A data set is selected from the data sets according to the packet characteristics, and the probe data (31) are read at the monitoring positions given by the selected data set (28). The method of claim 4, wherein the packet characteristic gives the protocol type and/or the packet type and/or the data content. The method of any preceding claim, wherein the monitoring locations describe disjoint data fields of the data packet (18). The method of any one of the preceding claims, wherein forming the input data (25) comprises: rearranging the probe data (31) by shifting operations and/or combining them by at least one combining rule together. A switching device (15) for a data network (11) of a motor vehicle (10), wherein the switching device (15) has a network processor (21) and an associated memory (22) and a microprocessor (29) ), which are collectively configured to implement the method of any of the preceding claims. A motor vehicle (10) having a data network (11) in which a plurality of network branches are connected through a switching device (15) as claimed in claim 8.

Images