DE102017210787A1 - Method and apparatus for detecting anomalies in a communication network - Google Patents

Abstract

Method for determining whether there is an anomaly in a communication network (110, 120, 130, 300), in particular of a motor vehicle (100), wherein at least one message transmitted via the communication network (110, 120, 130, 300) is analyzed by depending on the, ie In particular, an input variable (x) of an encoder (1100) is determined from the transmitted message, an intermediate variable (h) of reduced dimensionality being determined by means of the encoder (1100), and depending on the intermediate variable (h) by means of a decoder (1200 ) an output quantity (y) is determined with the dimensionality of the input quantity (x), it being decided whether or not the anomaly is present, depending on the input quantity (x) and the output quantity (y).

Description

Technical area

The invention relates to a method and a device for determining whether there is an anomaly in a communication network, a computer program, and a machine-readable storage medium.

State of the art

In the DE 10 2009 026 995 A1 is a method for operating a bus system, in particular a CAN bus, described. Several stations can be connected to the bus system. A transmitted message has an identifier, whereby a specific identifier (eg IDENT2) may only ever be used by a single station. Each of the stations compares the identifier of a transmitted message with the identifiers used by itself (eg IDENT2). If there is a match, an error message is generated.

Advantage of the invention

The method with the features of independent claim 1 has the advantage that a simple and more effective detection of anomalies in a communication network is possible. Advantageous developments are the subject of the independent claims.

Disclosure of the invention

An important aspect of today's machines, devices and systems is their internal and external data exchange. Within a device, for example, data is exchanged between individual components to allow for their desired interaction (eg, between control devices in a motor vehicle). For example, external data exchange may occur between independent devices of the same type (eg, between multiple vehicles traveling together in the same traffic or between household devices communicating with each other within a networked home).

In a real union of communicating systems and devices, the data traffic can basically be subdivided into two groups: The first group, the "normal behavior", describes the type of data traffic in normal operation - ie. without errors, failures, external manipulations o. Ä. - incurs. In a properly operating system, only error-free data will occur and the individual data will generally depend on specific correlations (both stationary and time-varying).

1. (i) Defekte oder ganz ausgefallene Sensoren liefern falsche oder gar keine Daten,
2. (ii) Bauteile sind beschädigt,
3. (iii) das System wurde durch eine externe Quelle (z. B. durch einen Hackerangriff) manipuliert.

The second group, "anomalies", describes the type of traffic that differs from "normal behavior". For various reasons, deviations from normal behavior can occur in the data during real operation. Causes can be, for example, the following nature:

1. (i) Defective or failed sensors provide incorrect or no data
2. (ii) components are damaged,
3. (iii) the system was manipulated by an external source (e.g., by a hacker attack).

It is very important to identify such anomalies, as it might be possible to take control of a motor vehicle through such attacks.

It is possible to implement a method for detecting anomalies rule-based. This creates a list of queries, checks, and inferences for a selection of possible, non-normal behaviors that the system uses.

Another possible approach uses a set of sample data that contains additional information as to whether this is a normal or an abnormal state. Suitable systems such. B. Neural networks can then be trained on the basis of these labels (supervised learning), in order to recognize similar states later.

One difficulty with rule-based or training-based data-based techniques is that the nature of a possible anomaly should be known before it occurs. Just the specific case of a (hacker) attack on a system to manipulate its behavior makes it clear that such an assumption involves a great deal of effort.

Therefore, a data-based model of the normal behavior can be provided which is able to fully cover the space of possible system states occurring during the "normal behavior" in a reduced-dimensional space and reproduce the normal behavior therefrom, while anomalies , d. H. Deviations from normal behavior, can not be reproduced by the model. Based on the deviation between the actual data point and the model prediction, an "anomaly score" can then be calculated, which provides information on whether a test data point is to be regarded as normal or abnormal.

The basic idea of the procedure is therefore the following: The (physical or causal) cause of the accumulating data in the Normal behavior can be described in a relatively low-dimensional space. For example, the condition of a motor vehicle or its engine is determined by few physical variables such as speed, acceleration, temperature, air pressure, etc. The resulting amount of (measurement) data is much higher-dimensional and highly correlated with each other. (For example, in a motor vehicle, there may be several thousand sensor data associated with corresponding maps.)

It is thus possible, according to an encoder-decoder scheme, to project the high-dimensional (measurement) data space to a lower-dimensional space of latent variables substantially without loss of information, and vice versa. Normally, normal behavior data is mapped to itself, whereas data deviating from normal behavior can not be reproduced by this scheme. Based on a reconstruction error can thus be judged whether it is a data point to normal behavior or an anomaly.

In a first aspect, therefore, a method is presented which determines whether or not there is an anomaly in a communication network, in particular of a motor vehicle. Here, at least one message transmitted over the communication network is analyzed, depending on the, e.g. In particular from the transmitted message, an input variable of an encoder is determined, wherein by means of the encoder an intermediate variable (ie a latent variable) of reduced dimensionality (ie with a dimension smaller than that of the input variable) is determined, and wherein depending on the intermediate size means a decoder is determined an output variable with the dimensionality of the input, wherein it is decided whether or not the anomaly is present, depending on the input variable and the output variable.

It is an advantage of this method that anomalies in the traffic of the communication network can be independently recognized, with no prior knowledge of their nature and their occurrence is necessary. The anomaly detection is thus based exclusively on the knowledge of the normal behavior of the respective system.

In addition, this method is particularly easy to extend to other communication participants in the communication network.

Also, it is particularly easy to learn as compared to a method based on a supervised learning approach, since no labeled data is needed.

Furthermore, the method offers the advantage that categorical data can also be taken into account, for example by "one-hot encoding". The method is applicable both "online" and "offline". That The method may be run on a control unit which is installed in the motor vehicle, or on a diagnostic system outside the motor vehicle, for example on an external computer.

In addition, it is very easy to update the process (by updating the corresponding decoder / encoder functions) and it can continue to learn online based on newly accumulating data.

In a particularly simple development it can be provided that, depending on a variable characterizing a deviation between the input signal and the output signal, it is decided whether an anomaly exists or not. For example, this quantity may be an absolute value of a difference between the input signal and the output signal.

If the encoders and decoders have adaptable parameters, it can be provided in a further aspect that these parameters are set up such that the variable characterizing the deviation between the input signal and the output signal is smaller than a predefinable threshold value, in particular minimal, if the input variable is regular ( ie anomaly-free).

This can be done, for example, by adjusting the parameters such that over a training data set of messages corresponding to the "normal behavior" a deviation (or a variable characterizing this deviation) between the input signal and the output signal becomes minimal for the entire training data set.

In another aspect, it may be provided that encoders and decoders include an auto-encoder, i. Encoders and decoders include a neural network constructed as an autocoder. As a result, even complex, non-linear relationships between the input signal and the intermediate signal can be modeled. Furthermore, by using recurrent neural networks, it is possible to consider time dependencies in a particularly simple manner.

In particular, here parameters of the auto-encoder can be adjusted such that the variable characterizing the deviation between the input signal and the output signal is minimal if the input variable is regular.

Alternatively or additionally, it may be provided that the intermediate variable is determined as a function of a principal component analysis (PCA). Since the principal component analysis is an orthogonal transformation, an output of the principal component analysis has the same dimensionality as its input. The dimensional reduction for determining the intermediate size can therefore be carried out by projection onto a predefinable subspace (this is particularly simple).

In a further development of the previous aspects, provision can be made for the determination of the output variable to be determined as a function of an output variable of the auto-encoder, wherein an input variable of the auto-encoder is determined as a function of an output variable of the main component analysis.

Such a combination of principal component analysis and auto-encoder is particularly advantageous because the principal component analysis optimally transforms linear dependencies between the components of the input, and parameters of the auto-encoder can be adjusted such that the auto-encoder optimally detects the nonlinear devices.

Instead of the principal component analysis, an independent component analysis (ICA) can also be used.

In yet another aspect, it is possible to decide which type is a present anomaly, depending on a variable characterizing a deviation between a component of the input signal and a corresponding component of the output signal. Instead of an overall consideration of a deviation between a vector-valued input signal and a vector-valued output signal, it is exploited that further information about the nature of the anomaly is contained in which components of these vector-valued signals have a large and a small deviation.

In further aspects, the invention relates to a computer program which is adapted to carry out one of the aforementioned methods, when executed on a computer, a machine-readable storage medium, on which this computer program is stored (this storage medium, of course, can be spatially distributed, eg at parallel execution distributed over several computers), and a device, in particular a monitoring unit, which is configured to perform one of these methods (for example by playing the aforementioned computer program).

• 1 schematisch ein Kommunikationsnetzwerk in einem Kraftfahrzeug;
• 2 schematisch einen Signalfluss in der Überwachungseinheit;
• 3 einen beispielhaften Aufbau von Kodierer und Dekodierer;
• 4 einen weiteren beispielhaften Aufbau von Kodierer und Dekodierer;
• 5 in einem Flussdiagramm eine Ausführungsform des Verfahrens zum Detektieren von Anomalien;
• 6 zeitliche Verläufe eines Eingangssignals, eines Ausgangssignals und ihres Differenzsignals;
• 7 in einem Flussdiagramm eine Ausführungsform eines Verfahrens zum Trainieren eines Autoencoders.

Hereinafter, embodiments of the invention will be explained in more detail with reference to the accompanying drawings. In the drawings show:

• 1 schematically a communication network in a motor vehicle;
• 2 schematically a signal flow in the monitoring unit;
• 3 an exemplary structure of encoder and decoder;
• 4 another exemplary structure of encoder and decoder;
• 5 a flowchart of an embodiment of the method for detecting anomalies;
• 6 time profiles of an input signal, an output signal and their difference signal;
• 7 in a flowchart an embodiment of a method for training an auto-encoder.

Description of the embodiments

1 shows an exemplary communication network in a motor vehicle 100 , The communication network is in this example by a CAN bus 300 given, over the communication participant 110 . 120 and 130 communicate with each other by exchanging messages. The monitoring unit 200 is also on the CAN bus 300 connected and can messages that the communication participants 110 . 120 . 130 send each other also received and possibly even a message on the CAN bus 300 to take countermeasures if anomaly is detected. communication stations 110 . 120 . 130 and the network connecting them, here the CAN bus 300 , together make up the communication network.

Of course, the invention is not limited to a CAN bus. Instead, it can also be used in motor vehicles in which another bus or a combination of several bus systems are present, for example Ethernet. The method can also be used outside a motor vehicle, for example in a smart home.

The monitoring unit 200 has a computer 210 on, which is a machine-readable storage medium 220 having. On this machine-readable storage medium 220 can one Be stored in a computer program that includes instructions that when removed from the computer 210 be carried out to carry out the inventive method, in particular the in 6 illustrated method. Of course, it is also possible that parts of the method or the entire method are implemented in hardware.

2 illustrates the flow of signals within the monitoring unit 200 , An entrance block 1000 will be a message N fed to the monitoring unit 200 over the CAN bus 300 has received. The input block extracts an input from the message x , For example, a payload and / or metadata of the message N , This input is the encoder 1100 fed, which determines the intermediate size h from this. The dimension of the (vector-valued) intermediate variable h is smaller than the dimension of the (vector-valued) input variable x , The intermediate size h becomes the decoder 1200 fed, which determines the output variable y from the intermediate size h. The dimension of the (vector-valued) output y is equal to the dimension of the input variable x ,

The output y becomes as well as the input x a monitoring block 1300 fed, depending on these two sizes an error signal F determined. The error signal F characterized in whether in the communication network value, ie in the communication between the communication participants 110 . 120 . 130 over the CAN bus 300 or in the monitoring unit 200 there is an anomaly. The error signal F is optionally a control 1400 fed, which determines therefrom a Ansteuergröße A, via the CAN bus 300 one or more of the communication participants 110 . 120 . 130 the communication network is transmitted.

For example, it is possible that the motor vehicle 100 is converted into a secure state. Is it the motor vehicle 100 to an autonomously mobile motor vehicle 100 , a driver may be required to control the autonomous vehicle 100 to take over again. Alternatively or additionally, it is possible that the communication via the CAN bus 300 is restricted to essential messages.

If the error signal F already contains specific information about what is the cause of the anomaly, the control quantity A can initiate a specific countermeasure, such as one of the communication participants 110 . 120 . 130 from the traffic over the CAN bus.

3 shows by way of example the structure of coder 1100 and decoders 1200 according to a first embodiment. In this example are encoders 1100 and decoders 1200 together as a car encoder 1150 set up. The components of the input variable x are here with x1 . x2 . x3 designated. These become neurons a1 . a2 . a3 . a4 a first intermediate layer 1110 fed. From the output quantities of the neurons a1 . a2 . a3 . a4 becomes the intermediate size h with components h1 . h2 determined. These components become neurons b1 . b2 . b3 . b4 a second intermediate layer 1210 supplied, from which the output quantity y with components y1 . y2 . y3 be determined.

The car encoder 1150 For example, it can also be implemented as a stacked auto-encoder, denoising auto-encoder, variational auto-encoder, smooth auto-encoder, recurrent auto-encoder, or LSTM auto-encoder.

Of course, first intermediate layer 1110 and / or second intermediate layer 1210 each again consist of a plurality of layers, for example, when the auto-encoder 1150 is implemented as a "stacked auto-encoder" or as a "deep auto-encoder".

Concretely, such a car encoder 1150 For example, be implemented by three consecutive fully-connected layers, wherein the middle of the three fully-connected layer is smaller dimensioned than the two outer.

4 shows by way of example the structure of coder 1100 and decoders 1200 according to a second embodiment. The input quantity x with components x1 . x2 . x3 this is a block 1120 which performs a principal component analysis (by multiplying an appropriate matrix M by the input x ). As a result of this matrix multiplication becomes an encoder intermediate size k with components k1 . k2 . k3 determined, and a second block 1130 fed. The second block 1130 determines the intermediate size from this H with components h1 . h2 , for example, by only those N components k1 . k2 . k3 the encoder intermediate size k whose associated eigenvalues have the greatest value in the principal component analysis. N Here is a fixed predetermined number. That is to say, the intermediate coder k is mathematically projected onto a space which corresponds to the dimensionality of the intermediate variable h. blocks 1120 and 1130 together correspond to the encoder 1100 ,

The decoder 1200 includes a third block 1220 and a fourth block 1230 , The third block 1220 determines from intermediate variable h a decoder intermediate variable p with components p1 . p2 . p3 , from which the fourth block by means of an inverse principal component analysis (ie a Matrix multiplication of the (left) inverse M_inv of the matrix M with the decoder intermediate size p). As a result of this matrix multiplication, the output becomes y with components y1 . y2 . y3 determined.

Output size y and decoder intermediate size p have the same dimensionality. To the decoder intermediate size p From the intermediate size h to determine, the third block 1220 for example, canonically embed the vector-valued quantity h (ie, add the components of the "missing" dimensions to the value "zero").

Instead of a principal component analysis, in block 1120 also be carried out an independence analysis. In block 1230 then an inverse independence analysis is performed instead of an inverse principal component analysis.

Of course, it is also possible to carry out principal component analysis and independence analysis one after the other.

Still further, it is possible that instead of or in addition to the dimensional reduction in the second block 1130 and dimensional embedding in the third block 1220 a car encoder, as exemplified in 3 is illustrated is used.

5 shows in a flowchart by way of example a method, as in the monitoring unit 200 can be carried out.

First ( 2000 ) one or more CAN messages N are transmitted via the CAN bus 300 receive. Then ( 2100 ) extracts input block 1000 the payload data and thus generates the input variable x = (x1, x2, x3 ... xd) ^T , where d corresponds to the dimensionality of the input variable x.

Subsequently ( 2200 ) is coded 1100 and decoders 1200 the output quantity y = ( y1 , y2, y3 ... yd) ^T determined.

Well 2300 ) determines monitoring block 1300 the difference signal δ = || (δ1, δ2, δ3 ... δd) ^T || with δi = xi - yi for i = 1 ... d and checks whether the difference signal δ is greater than a predefinable threshold S. If this is not the case (output "n"), goes to step 2400 branches, in which the error signal F receives a value indicating that no error has been detected, and this passage of the method ends. Otherwise (output "j") will go to step 2500 branched. The error signal F receives a value indicating that an error has been detected. Then ( 2600 ) becomes the error signal F the control 1400 which optionally depends on the value of the error signal F the drive size A determined. This ends the procedure.

Alternatively or additionally, in steps 2300 - 2600 are also checked separately for each component δi of the difference signal δ whether it exceeds the predetermined threshold value S and, if necessary, an error signal F which can be predetermined individually for each of the components. Otherwise, the process can proceed as described above.

Alternatively or additionally, in the steps 2300 - 2600 also another error measure δ = δ (x, y) depending on input x and initial size y which is compared to a threshold S to determine if there is an anomaly.

In the above embodiments, the threshold S not necessarily be constant. He may also be dependent on the input size x are chosen, ie S = S (x) or depending on output y , ie S = S (y), or dependent on both, that is S = S (x, y).

6 shows exemplary time profiles of the (x for simplicity) input x, the (one-dimensionally illustrated for simplicity) input y and the difference signal δ. In the concrete example occurs before a first time interval T1 an error in an injection pump of the motor vehicle 100 on. This error causes in the first time interval T1 , in a second time interval T2 and in a third time interval T3 the difference signal δ exceeds the threshold value S, so that an error is detected here.

näherungsweise ermittelt, und der Autoencoder 1150 wird dann vorzugsweise mit diesen optimalen Parameterwerten P* eingesetzt. Mit „näherungsweiser Ermittlung“ ist gemeint, dass selbstverständlich im Allgemeinen die ermittelten optimalen Parameterwerte P* Gleichung (I) nicht exakt erfüllen, sondern einen numerischen Fehler aufweisen. Dieser numerische Fehler kann beispielsweise im Wesentlichen dadurch bestimmt sein, dass ein Konvergenzkriterium vor Erreichen des tatsächlichen Optimalwerts erfüllt ist und das numerische Verfahren beendet wird, und/oder dadurch bestimmt sein, dass das numerische Verfahren statt des globalen Minimums ein lokales Minimum erreicht hat. 7 shows by way of example a method for training the in 3 exemplified Autoencoders 1150 , First ( 3000 ) training data are generated, for example by input signals x are read from a file. Then ( 3100 ) are determined by means of the auto-encoder coded with current parameter values P. 1150 Output signals y determined and then ( 3200 ) Difference signals δ (P) are generated. Then ( 3300 ) (eg in a gradient descent process and backpropagation by repeated application of the steps 3000 . 3100 . 3200 ) optimal parameter values $$P*=\text{argmin}\delta \left(P\right)$$

approximately determined, and the auto-encoder 1150 is then preferably used with these optimal parameter values P *. By "approximate determination" is meant that, of course, in general, the determined optimal parameter values P * do not exactly satisfy equation (I) but have a numerical error. For example, this numerical error can essentially be determined by a convergence criterion Reaching the actual optimum value is met and the numerical method is terminated, and / or determined by the numerical method has reached a local minimum instead of the global minimum.

mit einem vorgebbaren Sicherheitsfaktor F (z.B. F = 1,2) gesetzt. Damit endet dieses Verfahren.In the optional step 3400 the difference signal δ (P *) is determined with the optimum parameter values P *, and the threshold value S is set to the value $$\text{S}=\text{F}*\mathrm{\delta }\left(\text{P *}\right)$$

with a predefinable safety factor F (eg F = 1.2). This ends this procedure.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• DE 102009026995 A1 [0002]

Claims (10)

Method for determining whether there is an anomaly in a communication network (110, 120, 130, 300), in particular of a motor vehicle (100), wherein at least one message transmitted via the communication network (110, 120, 130, 300) is analyzed by depending on the, ie In particular, an input variable (x) of an encoder (1100) is determined from the transmitted message, an intermediate variable (h) of reduced dimensionality being determined by means of the encoder (1100), and depending on the intermediate variable (h) by means of a decoder (1200 ) an output quantity (y) is determined with the dimensionality of the input quantity (x), it being decided whether or not the anomaly is present, depending on the input quantity (x) and the output quantity (y). Method according to Claim 1 in which, depending on a variable (δ) characterizing a deviation between input signal (x) and output signal (y), it is decided whether an anomaly exists or not. Method according to Claim 2 wherein encoder (1100) and decoder (1200) are arranged such that the variable (δ) characterizing the deviation between input signal (x) and output signal (y) is smaller than a predefinable threshold value (S) when the input variable (x) is regular. Method according to one of Claims 1 to 3 wherein encoder (1100) and decoder (1200) comprise an auto-encoder (1150). Method according to one of the preceding claims, wherein the intermediate size (h) is determined as a function of a main component analysis or an independent component analysis (ICA). Method according to Claim 4 and 5 wherein the determination of the output quantity (y) is determined as a function of an output quantity (p) of the auto-encoder (1150), wherein an input quantity (k) of the auto-encoder (1150) depends on an output quantity (k) of the principal component analysis or the independence analysis (1120 ) is determined. Method according to one of the preceding claims, wherein the variable (δi) characterizing a deviation between a component of the input signal (xi) and a corresponding component of the output signal (yi) is decided which type is an existing anomaly. Computer program adapted to carry out the method according to one of the preceding steps. Machine-readable storage medium (220) on which the computer program is based Claim 8 is stored. Monitoring unit (200), which is adapted to the method according to one of Claims 1 to 7 perform.

Images