WO2017025316A1 - Device and method for controlling a data transmission in a data network - Google Patents
Device and method for controlling a data transmission in a data network
- Publication number
- WO2017025316A1 (PCT/EP2016/067758)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- detection means
- detecting means
- transmission
- detecting
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
Definitions
- the safety responsibility lies with the signal boxes, in which personnel together with the safety devices installed there ensure safety.
- route centres (Radio Block Centre, RBC)
- control units (Element Control Computer, ECC)
- Communication takes place here via data transmission, for example with Ethernet, Profibus or other technologies.
- vehicle bus (VB)
- a checksum value, for example MD4
- a checksum value is recalculated for the transmitted data and compared with the transmitted checksum value.
- this method does not identify whether the data transmitted has been deliberately and maliciously altered. A hidden manipulation would be possible if the transmitted checksum value is adapted to the changed data. It is the object of the present invention to provide a device and a method of the type mentioned, with which the security during data transmission can be increased.
- a device for controlling a data transmission in a data network, comprising a first detection means for detecting the data sent at a starting point, a second detection means for detecting the data received at an end point, and a comparison device connected to the first detection means and the second detection means, which is designed to compare the data detected by the first and second detection means.
- the object is achieved by a method for controlling a data transmission in a data network, in which the data sent at a starting point and the data received at an end point are respectively detected and compared with one another.
- the inventive solution has the advantage that it can be retrofitted to existing installations, thereby improving the IT security of existing systems.
- the first detection means and the second detection means can each be designed to transmit the acquired data to the comparison device.
- This has the advantage that the verification of the collected data is done centrally in the comparator, which is particularly effective.
- the first detection means and the second detection means can each be designed to provide the collected data with a sequence number and/or time information.
- the first detection means and the second detection means may each be designed for a feedback-free detection of the transmitted data.
- a data connection formed between the comparison device and the first detection means and/or the second detection means can each be constructed, at least in sections, as an Ethernet connection or as an Internet connection.
- a data connection formed between the comparison device and the first detection means and / or the second detection means can each be designed as a glass fiber connection.
- data transmission between the starting point and the end point can be designed as an analog transmission or as a digital transmission.
- the first detection means and/or the second detection means can each be designed as a network tap. This has the advantage that network taps are already available on the market at low cost, so the inventive solution can be provided cost-effectively.
- the device may be formed separately from the data network.
- the data can each be detected without feedback.
- the invention can thus be implemented easily.
- the data can be recorded separately from the data network.
- the acquired data can each be provided with a sequence number and / or time information and the matching data can be determined based on the sequence number and / or the time information and compared with each other.
- an alarm can be triggered if an inequality has been established when comparing the data. This has the advantage that, if necessary, a reaction can follow very quickly.
- a data network 1 here has a starting point 2 and a
- the inventive device 5 for controlling the data transmission 4 in the exemplary embodiment comprises a first detection means 6, a second detection means 7 and a comparison device 8. The detection means 6, 7 are each connected to the comparison device 8 by a data link 9.
- the first detection means 6 which is embodied as a network tap in the embodiment shown by way of example in the figure, detects the data 10 sent at the starting point 2.
- the data transmission 4 between the starting point 2 and the end point 3 takes place, in the exemplary embodiment illustrated in the figure, via an Ethernet connection 11.
- the first detection means 6 detects the data 10 sent at the starting point 2 without itself being connected to the data network 1 or to the data transmission 4.
- the second detection means 7 is formed in the same manner as the first detection means 6, with the difference that the second detection means 7 detects the data 10 received at the end point 3.
- the data 12 acquired by the detection means 6, 7, which are a copy of the data 10 of the data transmission 4, are respectively provided by the detection means 6, 7 with a sequence number and time information.
- the first detection means 6 and the second detection means 7 each have a clock 13 and a sequence number generator 14.
- the data 12 provided with the sequence number and the time information are transmitted by the detection means 6, 7 via the data connection 9 to the comparison device 8.
- the comparison device 8, which is formed, for example, by a microcontroller, determines the mutually matching acquired data 12 on the basis of their sequence number and their time information. It is sufficient to determine the matching data 12 on the basis of one of the two, the sequence number or the time information. These matched data 12 are compared and analyzed by the comparison device 8.
- the comparison device 8 checks whether the data 10 sent at the starting point coincide with the data 10 received at the end point 3.
- various checking devices and analysis methods can be used by the comparison device 8. If, for example, a message-based transmission with checksum protection is monitored, the comparison device 8 triggers an alarm in the event of an inequality of the checksum values. If, however, the checksum values at start point 2 and end point 3 are the same but the message contents differ, it is a bit error caused by interference, which the receiver system will detect and respond to according to its specification.
- in the case of an analog transmission 4 it is possible, for example, to analyze the frequency and distribution of unequal detected values and to infer either a random or a deliberate disturbance.
- the device 5 according to the invention for controlling the data transmission 4 is not connected directly to the data network 1 and the data transmission 4.
- the interception of the data 10 by the first and second detection means 6, 7 takes place completely without feedback.
- the data transmission 4 is therefore not influenced in any way. Therefore, in an implementation of the device 5 according to the invention in the data network 1 of systems already operating for years, no re-examination or regulatory approval is necessary.
- the function of the existing system is not affected and does not need to be changed.
- the control device 5 according to the invention is designed disjoint from the data network 1. Therefore, it does not have to meet any requirements according to, for example, the standard EN50159.
- the data connection 9 between the detection means 6, 7 and the comparison device 8 can be formed as an Ethernet connection, or even as an Internet connection, if this is possible in a reliable manner without the data network 1 being compromised thereby.
- the data link 9 is established on the basis of high data rate Ethernet.
- the transmission takes place in particular via glass fiber, since the distance between the detection means 6, 7 and the comparison device 8 here is greater than 50 m.
- the type of data transmission 4 is irrelevant to the device. Therefore, the data transmission 4 can be configured either as an analog transmission or as a digital transmission.
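As an added illustration (not code from the patent or its applicant), the following Python sketch of a comparison device 8 pairs the copies recorded by the two taps by sequence number and applies the checksum rule described above: differing checksum values raise an alarm, equal checksums with differing content are treated as a bit error left to the receiver. The constructed message bodies, the CRC32 stand-in for the checksum and the "unmatched" verdict for a message seen only at the start point are assumptions.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Capture:
    """Copy of one message (data 12) recorded by a tap: sequence number and
    timestamp added by the tap, plus the body and the checksum field that
    the message itself carries."""
    seq: int
    ts: float
    body: bytes
    checksum: int


def msg_checksum(body: bytes) -> int:
    # The page names MD4 as one possible checksum; CRC32 stands in here only
    # for portability (assumption: any sender-side checksum behaves the same).
    return zlib.crc32(body) & 0xFFFFFFFF


def compare(start_caps, end_caps):
    """Comparison device 8: pair start- and end-point copies by sequence
    number, then classify each pair as the text describes."""
    end_by_seq = {c.seq: c for c in end_caps}
    verdicts = {}
    for s in sorted(start_caps, key=lambda c: c.seq):
        e = end_by_seq.get(s.seq)
        if e is None:
            verdicts[s.seq] = "unmatched"   # assumption: page does not specify this case
        elif s.checksum != e.checksum:
            verdicts[s.seq] = "alarm"       # checksum inequality -> alert
        elif s.body != e.body:
            verdicts[s.seq] = "bit_error"   # receiver handles it per its spec
        else:
            verdicts[s.seq] = "ok"
    return verdicts


# Constructed sample traffic: what tap 6 saw leaving the start point ...
START = [Capture(n, 100.0 + n, b, msg_checksum(b)) for n, b in
         enumerate([b"SET ROUTE 12", b"CLEAR SIGNAL 7", b"POINT 3 LEFT", b"SPEED 40"], 1)]
# ... and what tap 7 saw arriving at the end point.
_forged = b"CLEAR SIGNAL 9"
END = [
    START[0],                                                  # 1: intact
    Capture(2, 102.3, _forged, msg_checksum(_forged)),         # 2: altered, checksum recomputed
    Capture(3, 103.3, b"POINT 3 LEFU", START[2].checksum),     # 3: bit flip, checksum unchanged
    Capture(4, 104.3, START[3].body, START[3].checksum ^ 1),   # 4: only the checksum field changed
]


def demo():
    # Message 2 passes the receiver's own checksum check; only the
    # start/end comparison reveals it.
    return compare(START, END)
```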
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention relates to a method and a device (1) for controlling a data transmission (4) in a data network (1). For this purpose, the device according to the invention comprises a first acquisition means (6) for acquiring data (10) sent at a starting point (2), a second acquisition means (7) for acquiring the data (10) received at an end point (3), and a comparison device (8) which is connected to the first acquisition means (6) and the second acquisition means (7) and which is designed to compare the data (10) acquired by the first and second acquisition means (6, 7).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16747878.3A EP3311546A1 (fr) | 2015-08-12 | 2016-07-26 | Device and method for controlling a data transmission in a data network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102015215370.3A DE102015215370A1 (de) | 2015-08-12 | 2015-08-12 | Device and method for controlling a data transmission in a data network |
DE102015215370.3 | 2015-08-12 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017025316A1 (fr) | 2017-02-16 |
Family
ID=56609857
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2016/067758 WO2017025316A1 (fr) | 2015-08-12 | 2016-07-26 | Device and method for controlling a data transmission in a data network |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP3311546A1 (fr) |
DE (1) | DE102015215370A1 (fr) |
WO (1) | WO2017025316A1 (fr) |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7548515B2 (en) * | 2005-03-24 | 2009-06-16 | Agilent Technologies, Inc. | Apparatus for monitoring a network |
US20070226804A1 (en) * | 2006-03-22 | 2007-09-27 | Method and system for preventing an unauthorized message |
2015
- 2015-08-12 DE DE102015215370.3A patent/DE102015215370A1/de not_active Withdrawn
2016
- 2016-07-26 WO PCT/EP2016/067758 patent/WO2017025316A1/fr active Application Filing
- 2016-07-26 EP EP16747878.3A patent/EP3311546A1/fr not_active Withdrawn
Non-Patent Citations (2)
Title |
---|
JIAN ZHANG ET AL: "Traffic Trace Artifacts due to Monitoring Via Port Mirroring", END-TO-END MONITORING TECHNIQUES AND SERVICES, 2007. E2EMON '07. WORKSHOP ON, IEEE, PI, 1 May 2007 (2007-05-01), pages 1 - 8, XP031183496, ISBN: 978-1-4244-1289-1 * |
LAMPING ULF ET AL: "Wireshark User's Guide: For Wireshark 2.1", 9 November 2014 (2014-11-09), XP055257007, Retrieved from the Internet <URL:https://www.wireshark.org/download/docs/user-guide-a4.pdf> [retrieved on 20160310] * |
Also Published As
Publication number | Publication date |
---|---|
DE102015215370A1 (de) | 2017-02-16 |
EP3311546A1 (fr) | 2018-04-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE69829526T2 (de) | System for detecting trains | |
EP2019771B1 (fr) | Method and device for determining whether a section of railway track is occupied or clear | |
EP3295645B1 (fr) | Method and system for feedback-free transmission of data between networks | |
DE102014111361A1 (de) | Method for operating a safety controller and automation network having such a safety controller | |
EP3027483A1 (fr) | Software update of non-critical components in doubly safety-critical distributed systems | |
EP1894069B1 (fr) | Field device | |
EP3688958B1 (fr) | System and method for secure data transmission | |
EP1966776B1 (fr) | Hazard signalling system | |
EP3122016B1 (fr) | Automation network and method for monitoring the security of the transmission of data packets | |
DE102008048930A1 (de) | Testing the signalling lines of a hazard alarm system | |
EP2297998A1 (fr) | Redundant connection of radio network elements to a control centre | |
EP3311546A1 (fr) | Device and method for controlling a data transmission in a data network | |
EP1197936B1 (fr) | Alarm system | |
EP3699705A1 (fr) | Method for monitoring an industrial communication network, security system, industrial communication network, computer program and computer-readable medium | |
WO2015062812A1 (fr) | System with safety function and supervisor | |
EP3047610B1 (fr) | Method for acquiring data sent in a computer network comprising at least one computer, and data acquisition system | |
WO2017178165A1 (fr) | System for controlling at least one firewall device and method for protecting at least one data receiver | |
DE102020208955A1 (de) | Method for monitoring a hazard area and monitoring device | |
DE102009037369A1 (de) | Method for calibrating a wheel sensor of a track vacancy detection system, wheel sensor and track vacancy detection system | |
EP3957033B1 (fr) | Computer and method for operating a computer | |
DE102013221164A1 (de) | System, interrupter device and monitoring unit for interrupting a data communication | |
DE102007007537A1 (de) | Control system of a technical plant | |
EP0660285B1 (fr) | Method for increasing the immunity to interference in an alarm radio system | |
EP3661830B1 (fr) | Concept for monitoring network traffic entering an interlocking | |
DE102017212757A1 (de) | Method and device for protecting a fieldbus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16747878; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2016747878; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |