DE112018002549T5 - Electronic control unit - Google Patents

Abstract

An electronic control unit is provided which can be used to implement security protection without complicating an on-board network and increasing costs. An electronic control unit (10), which is connected to a CAN bus (20), is characterized in that a CPU (100) of the electronic control unit (10) has normal data (D1) and then data via the communication bus (20) (D2 - D8) that have the same ID as the normal data (D1). If the frequency number with which the data (D2-D8) with the same ID was received within a certain period of time is greater than or equal to a predetermined frequency number (DC), the CPU (100) decides that the condition is abnormal and goes into a safety control state.

Description

Technical field

The present invention relates to an electronic control device which is particularly preferably applied to an electronic control device which is arranged in an on-board network.

background

In recent years, on-board networks (CAN network) have spread according to a communication standard called CAN (Controller Area Network). CAN networks are designed such that a plurality of electronic control units (ECU: Electronic Control Unit) arranged in a vehicle are connected to a communication bus (CAN bus) using CAN. The electronic control units can exchange data with each other via the CAN bus (CAN communication).

The CAN bus connects the electronic control units to each other to enable data exchange and is also equipped with a data link connector (DLC: Data Link Connector). By connecting a special device to the data connector, an error code can be read out, which is generated by a self-diagnosis function (OBD: On Board Diagnostics) that the electronic control unit has. Based on the error code z. B. a service technician can easily determine a defect.

If the data connection plug is now misused, in concrete terms, if fake data, which has the same ID but a different content than normal data, is sent to the CAN bus from outside via the data connection plug, the electronic data connected to the CAN bus could be used Control units that receive false data and cause a malfunction. In terms of security protection, a technique to defend against such falsified data is therefore necessary.

In addition, the transmission of the forged data to the CAN bus can take place both from a device that is connected to the data connection plug by wire and wirelessly via a device that can be connected to the data connection plug by radio.

Patent Document 1 discloses a technique for the data sent to the CAN bus, wherein a difference between a previous and a current transmission time is calculated as the transmission period, whereupon the transmission period is compared with a pre-stored transmission period to detect forged data. If, as a result of the comparison, the calculated transmission period is shorter than the transmission period for detecting falsified data, the data currently being transmitted is recognized as falsified data.

According to the technique of patent document 1, an electronic control device can monitor the CAN bus and, before another electronic control device completes the reception of counterfeit data, detect it and make it invalid. This means that all electronic control units connected to the on-board network can be defended against man-in-the-middle attacks, in which fake data with the same ID as normal data and a different content get into the CAN bus and a malfunction of the electronic control units connected to the CAN bus.

State of the art

Patent document (s)

Patent document 1: JP 2014-236248 A

Overview of the invention

Object of the invention to be achieved

For the technology according to Patent Document 1, however, an additional device is required that constantly monitors the data sent to the CAN bus. Specifically, in addition to a conventional communication line for connecting the electronic control units to the CAN bus, an additional communication line connected in parallel for connecting the electronic control units to the CAN bus is necessary. In addition, additional processing processes are required, such as. B. constant monitoring of data in the CAN bus, checking whether this is falsified data, and if so, invalidating the falsified data, etc.

The hardware and software structure of the on-board network are thus more complicated. Accordingly, the overall cost of realizing the on-board network is disadvantageously increased.

In view of the above problems, the present invention has for its object to provide an electronic control unit with which security protection can be implemented without complicating the on-board network and increasing costs.

Means to solve the task

In order to achieve the above object, an electronic control unit ( 10th ) provided with a CAN bus ( 20th ) is connected, one CPU ( 100 ) of the electronic control unit ( 10th ) via the communication bus ( 20th ) normal data ( D1 ) and then dates ( D2 - D8 ) which receives the same ID like the normal data ( D1 ) exhibit. If the number of times the data ( D2 - D8 ) with the same ID received within a certain period of time, greater than or equal to a predetermined frequency number ( DC ) decides CPU ( 100 ) that the condition is abnormal and goes into a safety control condition.

Effect of the invention

According to the invention, security protection can be implemented without complicating the on-board network and increasing the costs.

Figure list

• 1 shows the overall structure of the on-board network.
• 2nd shows the internal structure of the electronic control unit.
• 3rd is a flowchart of the reception processes.
• 4th is an overview of the reception processes.

Embodiment of the invention

In the following, the present invention is explained in detail according to an embodiment with reference to the drawings. It is noted that the following explanation is only one embodiment of the present invention, and the technical scope of the present invention is not limited to this.

1 shows the overall structure of the on-board network N1 of a vehicle 1 . The on-board network N1 is a network according to the communication standard called CAN (Controller Area Network) and with electronic control units (ECU: Electronic Control Unit) 10th and a CAN bus 20th Mistake.

The electronic control units 10th are used to control various operations of the vehicle 1 . Any electronic control device 10th is with one CPU (Central Processing Unit), one R.A.M. (Random Access Memory), one ROME (Read Only Memory), an input / output interface etc. Any electronic control device 10th is with the CAN bus 20th connected. The respective electronic control units 10th are thus via the CAN bus 20th interconnected to enable data exchange.

Among those with the CAN bus 20th connected electronic control units 10th there is an electronic control unit called an engine control unit 10th which is used to comprehensively control the operation of the vehicle 1 serves. The invention according to the present embodiment is thus applied to the engine control unit in order to implement the safety protection above all with regard to the driving-related control.

The CAN bus 20th is a communication bus using CAN and connects the respective electronic control units 10th with each other to enable data exchange. The CAN bus 20th is also provided with a data link connector (DLC: Data Link Connector) 30. The data connector 30th is a connector for connecting a scanning device 40 by wire or by radio with the CAN bus 30th .

Will the scanning agent 40 to the data connector 30th connected and operated accordingly, an error code can be read out which is generated by the self-diagnosis function (OBD: On Board Diagnostics), which is the electronic control unit 10th having. For example, a service technician can use the error code on the display screen of the scanning means 40 a defect in the vehicle 1 determine.

This could result in fake data from outside the vehicle 1 via the data connector 30th to the CAN bus 20th be sent. The falsified data here means the following data, at least with regard to the time of transmission to the CAN bus 20th are different from normal data.

If e.g. B. provided that normal data with a ID " 1 "Per" 100 ms "to the CAN bus 20th be sent, data with a ID " 1 "Per" 120 ms "to the CAN bus 20th are sent, the latter data is treated as fake data in the present embodiment. What the data with the ID "1", data with another ID or data that is the same ID , but have a different content, of course treated as fake data.

If such fake data through the data connector 30th to the CAN bus 20th can be sent and no means of defense is provided, this will be done with the CAN bus 20th connected electronic control unit 10th receive this data and in a computing process to process. The drive could get out of control, especially if the counterfeit data is received by the engine control unit and processed in the computing process.

According to the present embodiment, the CAN bus may be connected 20th fake data sent by the electronic control unit 10th excluded from the calculation process so that only normal data are processed in the calculation process. When increasing the frequency of reception with which the falsified data via the CAN bus 20th the electronic control unit also decides 10th that the state is abnormal and goes into a safety control state.

The safety control state includes e.g. B. a state in which an internal combustion engine is switched off (stopped), a state in which the reception of data of the CAN bus 20th is denied, and a state in which the transition to an emergency operating mode takes place, in which the drive in the lowest gear is maintained.

2nd shows the internal structure of the electronic control unit 10th . The electronic control unit 10th includes one CPU 100 in addition to the components not shown here, such as storage, ie one R.A.M. , one ROME ua, and an input / output interface. The CPU 100 comprises programs or memories for a data exchange unit 101 , a received data monitoring 102 , a CAN buffer 103 , a control-related assessment section 104 , a calculation section 105 among others

The data exchange unit 101 receives normal or fake data D0 - D8 from the CAN bus 20th and passes this on to the received data monitor 102 out. To the CAN bus 20th sends the data exchange unit 101 furthermore calculation results D21 , D22 for normal data in the data D0 - D8 or resilience data D23 to transition to a safety control state.

The calculation results D21 , D22 and the resilience data D23 are then used to operate the other electronic control units 10th and other facilities used. If the other electronic control units 10th and facilities the failover data D23 received, there is a safety control regardless of the driver's operation.

Receives the received data monitoring 102 normal or fake data D0 - D8 from the data exchange unit 101 , it sends this data to the CAN buffer 103 and at the same time counts the frequency of reception of the data D0 - D8 to check if the condition is abnormal.

Specifically receives the received data monitoring 102 the normal data used as a reference D0 , it sends this data to the CAN buffer 103 off and at the same time activates an internal timer T der CPU 100 to start measuring time.

The reception data monitoring 102 gives DT based on a predetermined time, each one in advance ID is associated with the data D0 - D8 , which were received before the predetermined time DT expired, to the CAN buffer 103 out. In addition, the frequency of reception of the data D0 - D8 counted by the counter C. The reception data monitoring 102 namely counts the frequency of reception of the data per unit of time.

The reception data monitoring 102 then checks against a predetermined frequency number DC whether the reception frequency counted by the counter C is greater than or equal to the predetermined number of frequencies DC is. If the frequency of reception is greater than / equal to the predetermined number of frequencies DC decides the received data monitoring 102 that the condition is abnormal. The reception data monitoring 102 then gives the result of the monitoring indicating the abnormal condition to the control-related judging section 104 out.

The CAN buffer 103 is a memory in which the data to be processed in the computing process are stored. The control-related assessment section 104 provides based on the result of monitoring the received data monitoring 102 determines whether the in the CAN buffer 103 stored data should be processed in the computing process or excluded from it. The control-related assessment section 104 then gives the result of the judgment to the calculation section 105 out.

Based on the result of the assessment of the control-related assessment section 104 the calculation section processes 105 those data among those in the CAN buffer 103 stored data D0 - D8 in the computing process, which were received within a predetermined period of time (window) after the predetermined time DT has elapsed, and generates computing results D21 , D22 . Otherwise, it excludes the data from the computing process and generates fail-safe data D23 .

If e.g. B. the data D0 a ID " 1 “And the ID The calculation section processes a predetermined time DT of “100 ms” in advance 105 regarding the data with the ID " 1 “Those data in the computing process that are within a window of 100 ms - 110 ms or 95 ms - 105 ms after receiving the data D0 were received and generates the calculation results D21 , D22 .

On the other hand, if the condition is abnormal, the calculation section closes 105 those in the CAN buffer 103 stored data D0 - D8 from the computing process and generates fail-safe data D23 to transition to a safety control state. The calculation section 105 gives the generated calculation results D21 , D22 or the resilience data D23 to the data exchange unit 101 out.

3rd 10 is a flowchart of the reception processes according to the present embodiment. The reception processes are through the CPU 100 of the electronic control unit 10th started from a time when counter C was activated and then carried out continuously. A time at which the electronic control unit is assumed to be the time for activating the counter C. 10th is switched on. However, there is no limitation to this.

In addition, only the processing processes in a certain period of time after receiving the normal data serving as a reference are explained here. All data explained here have the same ID (e.g .: "1"). The present processing processes are namely for each ID carried out. For the sake of explanation, it is assumed that the CPU 100 is the subject of processing.

First activated the CPU 100 the counter C to start counting the frequency of reception ( S1 ). If the CPU 100 then normal data from the CAN bus 20th receives ( S2 ), it activates the timer T to start measuring time ( S3 ).

After activating the timer T counts the CPU 100 that in step S2 has received the normal data, the frequency of reception i by +1 ( S4 ). The CPU 100 then checks whether the frequency of reception i is greater than / equal to the predetermined number of frequencies DC is ( S5 ).

The frequency of reception i at the time when the normal data was received once is “1”. If the predetermined frequency number DC is set to "6", the reception frequency i is therefore less than the predetermined frequency number DC . The result of the check in step S5 is negative.

Receives the CPU 100 a negative result of the check in step S5 (S5: N), it sends the received normal data to the CAN buffer 103 out ( S6 ). The CPU 100 then checks whether further data received after activating the timer T available ( S7 ). Receives the CPU 100 a positive result of the review in S7 (S7: J), the transition to step occurs S4 to repeat the above processing.

Receives the CPU 100 however, a negative result of the review in S7 (S7: N), checks them based on the predetermined time DT , the the ID the in step S2 received normal data was assigned, and based on a measured time from the start of the measurement in step S3 whether the measured time is the predetermined time DT has reached ( S8 ).

Receives the CPU 100 a negative result of the check in step S8 (S8: N), the transition to step occurs S4 to repeat said processing operations until the measured time is the predetermined time DT reached. Receives the CPU 100 a positive result of the check in step S5 (S5: J), she decides that the condition is abnormal (S9). The CPU 100 goes into a safety control state ( S10 ) about and ends the existing processing processes.

Receives the CPU 100 however, a positive result of the check in step S8 (S8: J), it sets by stopping and restarting the counter C. the counted frequency number back once and starts counting the reception frequency again ( S12 ).

Next, check out the CPU 100 whether it is among those in the CAN buffer 103 stored data gives such data within a predetermined period of time (window) after the predetermined time DT were received ( S13 ).

Receives the CPU 100 a negative result of the check in step S13 (S13: N), it ends the existing processing processes without those in the CAN buffer 103 to process stored data in the computing process. Receives the CPU 100 however a positive result ( S13 : J), it processes the data received within the window under that in the CAN buffer 103 stored data in the computing process ( S14 ) and ends the existing processing processes.

For data received afterwards with the same ID repeats the CPU 100 said processing operations by moving to step S4 .

4th is an overview of the reception processes according to 3rd . The following explains the processing of the data D0 - D8 in chronological order.

At time t0, the normal data serving as a reference D0 through the data exchange unit 101 receive. Furthermore, by receiving data monitoring 102 the timer T activated and the predetermined time DT considered. Furthermore, the frequency of reception of the counter C. counted up by +1.

After that, the data D0 to the CAN buffer 103 spent. After that in the CAN buffer 103 stored data D0 through the control-related assessment section 104 have been judged as a subject of calculation, they are evaluated by the calculation section 105 processed in the computing process. Accordingly, a calculation result D21 generated.

The received data are monitored by the received data monitoring in a period of t0 ≤ t <t1 102 . Time is concretized by the timer T and the frequency of reception by the counter C. counted. Because here only the data D0 received, the frequency of reception is " 1 ".

At time t1, the time switch T and the counter C. by receiving data monitoring 102 stopped and restarted to reset the measured time and frequency of reception. After resetting, counting takes place again. The timer T starts again measuring the time from the time t2 . The counter C. starts counting data again immediately after the reset.

The value range of t1 <t ≤ t3 represents a period in which the received data are to be processed in the computing process. This period is called a window W designated. With normal data D1 it is data at the time t2 and inside the window W were received.

The data D1 are then connected to the CAN buffer 103 spent. After the data D1 through the control-related assessment section 104 to be judged as a subject of calculation, they are evaluated by the calculation section 105 processed in the computing process. Accordingly, a calculation result D22 generated.

The received data are monitored again in a period of t2 t t <t5. In the meantime, this is falsified data several times D2 - D7 receive. Every time the fake data is received D2 - D7 the frequency of reception by the counter C. counted up by +1.

It has been shown that at time t4 the reception frequency is the predetermined frequency number DC reached. The monitoring result is the received data monitoring 102 to the control-related assessment section 104 spent. The data received thereafter is processed by the control-related judging section 104 excluded from the calculation process.

In a period of t5 <t ≤ t7 there is a second window W intended. The window W is in this way every time the predetermined time elapses DT provided regularly. Although doing normal data D8 at the time t6 and inside the window W received, they are excluded from the calculation process. Instead, resilience data D23 generated.

As mentioned above, according to the present embodiment, after receiving the reference data D0 counted the frequency of reception of the data received, the same ID like the data D0 exhibit. If the reception frequency does not reach the predetermined frequency number within a certain period of time DC reached, the data received after that D1 processed in the computing process. If the frequency of reception is greater than / equal to the predetermined number of frequencies DC , it is decided that the state is abnormal, and the transition to a safety control state is made.

Specifically, at the time of receiving normal data D0 the timer T activated and the frequency of reception of data counted during the measured time in a period up to reaching the predetermined time DT were received. If the reception frequency is not the predetermined frequency number DC are reached, then within the window W received normal data D1 processed in the computing process. If, on the other hand, the frequency of reception is the predetermined number of frequencies DC normal data is reached D8 excluded from the computing process and instead failsafe data D23 generated. The transition to a safety control state is based on this.

This eliminates the need for an additional device as a means of defense against man-in-the-middle attacks as well as complicated processing processes, e.g. B. the monitoring, the detection, the invalidation u. a. of fake reception data. Defense against counterfeit data is only possible by controlling the software. According to the present embodiment, security protection can thus be implemented without complicating the on-board network and increasing the costs.

According to the present embodiment, is a predetermined time DT one in advance ID assigned. In addition, the predetermined time DT a fixed width (corresponds to a period of time between times t1 and t3 in 4th ) be assigned.

It can e.g. B. assume that one ID " 1 “A predetermined time DT of "99 ms" and a window width of "10 ms" are assigned in advance, and one ID " 2nd “A predetermined time DT of "50 ms" and a window width of "5 ms". That is, the window width may vary depending on the frequency of reception per unit of time.

For data with a higher frequency of reception per unit of time, the window width can be reduced so that fake data can easily be excluded from the computing process. Security protection can thus be implemented more reliably.

According to the present embodiment, the reception frequency at the time when the measured time becomes the predetermined time DT reached, reset once. However, there is no limitation to this, so that it is also possible that the reset does not take place as long as the total amount of reception frequencies does not reach the predetermined number of frequencies DC reached. That is, the reception frequency reset can start from the start of the counter reception frequency count C. only take place at the time when the total amount of frequency of reception of the data outside the regularly scheduled window W were received, the predetermined frequency number DC reached.

The frequency of reception does not have to reach the predetermined time each time the measured time is reached DT be reset, so that a simplification of the processing processes is made possible. If fake data is not classified as an abnormal condition, but is received steadily, it can also be decided that the condition is abnormal.

Reference list

1

vehicle

10th

Electronic control unit

20th

CAN bus

30th

Data connector

40

Scanning means

100

CPU

101

Data exchange unit

102

Receive data monitoring

103

CAN buffer

104

Control-related assessment section

105

Calculation section

QUOTES INCLUDE IN THE DESCRIPTION

This list of documents listed by the applicant has been generated automatically and is only included for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Patent literature cited

• JP 2014236248 A [0008]

Claims (8)

Electronic control device (10) which is connected to a communication bus (20), characterized in that a CPU (100) of the electronic control device (10) via the communication bus (20) normal data (D1) and then data (D2 - D8) receives, which have the same ID as the normal data (D1) and if the frequency number with which the data (D2-D8) with the same ID were received within a period of time is greater than or equal to a predetermined frequency number (DC), that the condition is abnormal and goes into a safety control condition. Electronic control unit after Claim 1 , characterized in that if the frequency number with which the data (D2-D8) with the same ID were received within a period of time falls below the predetermined frequency number (DC), the CPU (100) the data (D1) within a regularly provided window (W) were received, processed in the computing process. Electronic control unit after Claim 1 or 2nd , characterized in that, when judging that the condition is abnormal, the CPU (100) excludes data (D8) received within a regularly scheduled window (W) from the computing process and generates fail-safe data for transitioning to a safety control state. Electronic control unit after Claim 2 or 3rd , characterized in that the CPU (100) regularly provides the window (W) each time a predetermined time (DT) expires, which is assigned in advance to the ID of the normal data (D1). Electronic control unit according to one of the Claims 2 - 4th , characterized in that the CPU (100) regularly provides the window (W) in that the CPU (100) starts measuring the time at the time of receiving the normal data (D1) and the window (W) for a period of time between a time (t5) at which a measured time reaches the predetermined time (DT) and a predetermined time (t7). Electronic control unit after Claim 4 or 5 , characterized in that the predetermined time (DT) differs depending on the ID of the normal data (D1). Electronic control unit according to one of the Claims 2 - 6 , characterized in that the window (W) has different widths depending on the ID of the normal data (D1). Electronic control unit according to one of the Claims 1 - 7 characterized in that the CPU (100), when judged that the condition is abnormal, thereby goes into a safety control state, a controller for stopping an internal combustion engine, a controller for refusing to receive data of the communication bus (20) or a controller for Maintaining a lowest gear ride.

Images