WO2017025316A1 - Dispositif et procédé de contrôle d'une transmission de données dans un réseau de données - Google Patents

Dispositif et procédé de contrôle d'une transmission de données dans un réseau de données Download PDF

Info

Publication number
WO2017025316A1
WO2017025316A1 PCT/EP2016/067758 EP2016067758W WO2017025316A1 WO 2017025316 A1 WO2017025316 A1 WO 2017025316A1 EP 2016067758 W EP2016067758 W EP 2016067758W WO 2017025316 A1 WO2017025316 A1 WO 2017025316A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
detection means
detecting means
transmission
detecting
Prior art date
Application number
PCT/EP2016/067758
Other languages
German (de)
English (en)
Inventor
Matthias Seifert
Christian Paulsen
Original Assignee
Siemens Aktiengesellschaft
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Aktiengesellschaft filed Critical Siemens Aktiengesellschaft
Priority to EP16747878.3A priority Critical patent/EP3311546A1/fr
Publication of WO2017025316A1 publication Critical patent/WO2017025316A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity

Definitions

  • the safety responsibility lies with the signal boxes, in which personnel together with the safety devices installed there ensure safety.
  • Route centers Radio Blog Center, RBC
  • control units Element Control Computer, ECC
  • Communication takes place here via data transmission, for example with Ethernet, Profibus or other technologies.
  • VB Vehicle Bus
  • a checksum value for example MD4
  • a re-hash value is calculated for the transmitted data, which is compared with the transmitted Ardsum ⁇ menwert.
  • this method does not identify whether the data transmitted has been deliberately and maliciously altered. A hidden manipulation would be possible if the transmitted checksum value is adapted to the changed data. It is the object of the present invention to provide a device and a method of the type mentioned, with which the security during data transmission can be increased.
  • a device for Kontrol ⁇ lose a data transmission in a data network comprising a first detecting means for detecting the data point sent to a start, a second detecting means for detecting the receiving of an end point of data and a first with the Detection means and the second Erfas ⁇ means connected comparator, which is designed to compare the data detected by the first and second detection means.
  • the object is achieved by a method for controlling a data transmission in a data network, in which the data sent at a starting point and the data received at an end point are respectively detected and compared with one another.
  • the inventive solution has the advantage that it can be retrofitted to be ⁇ standing facilities, thereby improving the IT security of existing systems.
  • the first detection means and the second detection means can each be designed to transmit the acquired data to the comparison device.
  • This has the advantage that the verification of the collected data is done centrally in the comparator, which is particularly effective.
  • the first detecting means and the second detecting means can in each case be formed to provide the collected data with a Se ⁇ quenz devis and / or time information.
  • the first detection means and the second detection means may each be designed for a feedback-free detection of the transmitted data.
  • an opening formed between the comparison means and the first detection means and / or the second detection means data connection can be, depending ⁇ wells at least in sections constructed as an Ethernet connection, or Internet connection.
  • a data connection formed between the comparison device and the first detection means and / or the second detection means can each be designed as a glass fiber connection.
  • data transmission between the starting point and the end point can be designed as an analog transmission or Digitalübertra ⁇ supply.
  • the first detection means and / or the second detection means can each be designed as a network tap. This has the advantage that network tap are already available on the market at low cost and thereby the inventive solution can be provided cost ⁇ cost.
  • the device may be formed separately from the data network.
  • the data can each be detected without feedback.
  • the invention can be so easily imple ⁇ ren.
  • the data can be recorded separately from the data network.
  • the acquired data can each be provided with a sequence number and / or time information and the matching data can be determined based on the sequence number and / or the time information and compared with each other.
  • an alarm can be triggered if an inequality has been established when comparing the data. This has the advantage that, if necessary, can be reacted very quickly.
  • a data network 1 here has a starting point 2 and a
  • the inventive device 5 for controlling the data transmission 4 in the exemplary embodiment comprises a first detecting means 6, a second detecting means 7 and a comparator 8. It ⁇ acquisition means 6, 7 are each connected by a data link 9 to the comparing means. 8
  • the first detection means 6 which is embodied as a network tap in the embodiment shown by way of example in the figure, detects the data 10 sent at the starting point 2.
  • the data transmission 4 between the start point 2 and the end point 3 takes place in the exemplary case illustrated in FIG embodiment via an Ethernet connection 11.
  • the first detection means 6 detects the starting point 2 ge ⁇ sent data 10 itself without using the data network 1 and to be connected to the data transfer. 4
  • the second detecting means 7 is formed in the same manner as the first detecting means 6. With the difference that the second detection means 7 detects the data 10 received at the end point 3.
  • the data 12 acquired by the detection means 6, 7, which are a copy of the data 10 of the data transmission 4, are respectively provided by the detection means 6, 7 with a sequence number and time information.
  • the first detection means 6 and the second detection means 7 each have a clock 13 and a sequence number generator 14.
  • the data 12 provided with the sequence number and the time information are transmitted by the detection means 6, 7 via the data connection 9 to the comparison device 8.
  • the comparison device 8, which is formed, for example, by a microcontroller, determines the mutually matching acquired data 12 on the basis of their sequence number and their time information. It is sufficient to determine the appropriate data 12 based on one of them, the sequence number or the time information. These matched data 12 are compared and analyzed by the comparator 8.
  • the comparison device 8 checks whether the data 10 sent at the starting point coincide with the data 10 received at the end point 3.
  • various checking devices and analysis methods can be used by the comparing device 8. If, for example, a message-based transmission is monitored with checksum backup, an alerting of the comparison device 8 is triggered in the event of an inequality of the checksum values. However, if the checksum values at start point 2 and end point 3 are the same, but the message contents are different, it is a bit error due to the disturbance that the receiver system will discover and respond to according to specification.
  • an analog transmission of the data transmission 4 it is possible, for example, to analyze the frequency and distribution of unequal detection values and to conclude either a random or a deliberate disturbance.
  • the device 5 according to the invention for controlling the data transmission 4 is not connected directly to the data network 1 and the data transmission 4.
  • the interception of the data 10 by the first and second detection means 6, 7 ge ⁇ happens completely without feedback.
  • the data transmission 4 is therefore not influenced in any way. Therefore, in an implementation of the device 5 according to the invention in the data network 1 of systems already operating for years, no re-examination or regulatory approval is necessary.
  • the function of the existing system is not affected and does not need to be changed.
  • the control device 5 according to the invention is shown disjointly by the data network 1. Therefore, it does not have to meet any requirements according to, for example, the standard EN50159.
  • the movement of such data ⁇ bond 9 between the detection means 6, 7 and the comparator 8 can be formed as an Ethernet connection, or even as an Internet connection, if this is possible in a reliable manner, without thereby the data network 1 would be compromised.
  • the data link 9 is established on the basis of high data rate Ethernet.
  • the transmission takes place in particular via glass fiber, since the distance between the detection means 6, 7 and the comparison device 8 here is greater than 50 m.
  • the type of data transmission 4 is not of interest. Therefore, the data transmission 4 can be configured both as an analog transmission or as a digital transmission.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

L'invention concerne un procédé et un dispositif (1) pour contrôler une transmission de données (4) dans un réseau de données (1). À cet effet, le dispositif selon l'invention comprend un premier moyen d'acquisition (6) pour acquérir des données (10) émises à un point initial (2), un second moyen d'acquisition (7) pour acquérir les données (10) reçues à un point final (3) et un dispositif de comparaison (8) qui est relié au premier moyen d'acquisition (6) et au second moyen d'acquisition (7) et qui est réalisé pour comparer les données (10) acquises par les premier et second moyens d'acquisition (6, 7).
PCT/EP2016/067758 2015-08-12 2016-07-26 Dispositif et procédé de contrôle d'une transmission de données dans un réseau de données WO2017025316A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP16747878.3A EP3311546A1 (fr) 2015-08-12 2016-07-26 Dispositif et procédé de contrôle d'une transmission de données dans un réseau de données

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102015215370.3A DE102015215370A1 (de) 2015-08-12 2015-08-12 Einrichtung und Verfahren zum Kontrollieren einer Datenübertragung in einem Datennetzwerk
DE102015215370.3 2015-08-12

Publications (1)

Publication Number Publication Date
WO2017025316A1 true WO2017025316A1 (fr) 2017-02-16

Family

ID=56609857

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/067758 WO2017025316A1 (fr) 2015-08-12 2016-07-26 Dispositif et procédé de contrôle d'une transmission de données dans un réseau de données

Country Status (3)

Country Link
EP (1) EP3311546A1 (fr)
DE (1) DE102015215370A1 (fr)
WO (1) WO2017025316A1 (fr)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7548515B2 (en) * 2005-03-24 2009-06-16 Agilent Technologies, Inc. Apparatus for monitoring a network
US20070226804A1 (en) * 2006-03-22 2007-09-27 Method and system for preventing an unauthorized message

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JIAN ZHANG ET AL: "Traffic Trace Artifacts due to Monitoring Via Port Mirroring", END-TO-END MONITORING TECHNIQUES AND SERVICES, 2007. E2EMON '07. WORKSHOP ON, IEEE, PI, 1 May 2007 (2007-05-01), pages 1 - 8, XP031183496, ISBN: 978-1-4244-1289-1 *
LAMPING ULF ET AL: "Wireshark User's Guide: For Wireshark 2.1", 9 November 2014 (2014-11-09), XP055257007, Retrieved from the Internet <URL:https://www.wireshark.org/download/docs/user-guide-a4.pdf> [retrieved on 20160310] *

Also Published As

Publication number Publication date
DE102015215370A1 (de) 2017-02-16
EP3311546A1 (fr) 2018-04-25

Similar Documents

Publication Publication Date Title
DE69829526T2 (de) System zur Detektion von Zügen
EP2019771B1 (fr) Procédé et dispositif permettant de déterminer si une partie de voie ferrée est occupée ou libre
EP3295645B1 (fr) Procédé et système de transmission sans effet rétroactif de données entre réseaux
DE102014111361A1 (de) Verfahren zum Betreiben einer Sicherheitssteuerung und Automatisierungsnetzwerk mit einer solchen Sicherheitssteuerung
EP3027483A1 (fr) Actualisation logicielle de composants non critiques dans des systèmes distribués doublement critiques pour la sécurité
EP1894069B1 (fr) Appareil sur site
EP3688958B1 (fr) Système et procédé de transmission sécurisée de données
EP1966776B1 (fr) Système de signalisation de danger
EP3122016B1 (fr) Reseau d&#39;automatisation et procede de surveillance de la securite de la transmission de paquets de donnees
DE102008048930A1 (de) Prüfung der Meldelinien einer Gefahrenmeldeanlage
EP2297998A1 (fr) Liaison redondante d&#39;éléments de réseau radio avec une centrale
EP3311546A1 (fr) Dispositif et procédé de contrôle d&#39;une transmission de données dans un réseau de données
EP1197936B1 (fr) Système d&#39;alarme
EP3699705A1 (fr) Procédé de surveillance d&#39;un réseau de communication industriel, système de sécurité, réseau de communication industriel, programme informatique et support lisible par ordinateur
WO2015062812A1 (fr) Système à fonction de sécurité avec superviseur
EP3047610B1 (fr) Procédé d&#39;acquisition de données envoyées dans un réseau de calculateurs comprenant au moins un calculateur et système d&#39;acquisition de données
WO2017178165A1 (fr) Système de contrôle d&#39;au moins un dispositif pare-feu et procédé de protection d&#39;au moins un récepteur de données
DE102020208955A1 (de) Verfahren zum Überwachen eines Gefahrenraumes und Überwachungsvorrichtung
DE102009037369A1 (de) Verfahren zum Kalibrieren eines Radsensors einer Gleisfreimeldeanlage, Radsensor sowie Gleisfreimeldeanlage
EP3957033B1 (fr) Calculateur et procédé pour faire fonctionner un calculateur
DE102013221164A1 (de) System, Unterbrecher - Vorrichtung und Überwachungseinheit zur Unterbrechung einer Datenkommunikation
DE102007007537A1 (de) Leitsystem einer technischen Anlage
EP0660285B1 (fr) Procédé pour l&#39;élévation de la sécurité contre les pertubations dans un système radio d&#39;alarme
EP3661830B1 (fr) Concept pour la surveillance d&#39;un trafic réseau entrant dans un poste d&#39;aiguillage
DE102017212757A1 (de) Verfahren und Vorrichtung zum Schützen eines Feldbusses

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16747878

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2016747878

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE