WO2020020437A1 - Method indicating unexpected behaviour and vehicle, system, and storage medium comprising the same - Google Patents

Method indicating unexpected behaviour and vehicle, system, and storage medium comprising the same Download PDF

Info

Publication number
WO2020020437A1
WO2020020437A1 PCT/EP2018/069971 EP2018069971W WO2020020437A1 WO 2020020437 A1 WO2020020437 A1 WO 2020020437A1 EP 2018069971 W EP2018069971 W EP 2018069971W WO 2020020437 A1 WO2020020437 A1 WO 2020020437A1
Authority
WO
WIPO (PCT)
Prior art keywords
sensor
data
correlating
state
identifying
Prior art date
Application number
PCT/EP2018/069971
Other languages
French (fr)
Inventor
Philipp OBERGFELL
Christoph Segler
Original Assignee
Bayerische Motoren Werke Aktiengesellschaft
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bayerische Motoren Werke Aktiengesellschaft filed Critical Bayerische Motoren Werke Aktiengesellschaft
Priority to PCT/EP2018/069971 priority Critical patent/WO2020020437A1/en
Priority to DE112018007851.5T priority patent/DE112018007851T5/en
Publication of WO2020020437A1 publication Critical patent/WO2020020437A1/en

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C5/00Registering or indicating the working of vehicles
    • G07C5/08Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle or waiting time
    • G07C5/0808Diagnosing performance data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3013Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is an embedded system, i.e. a combination of hardware and software dedicated to perform a certain function in mobile devices, printers, automotive or aircraft systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3055Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3065Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C5/00Registering or indicating the working of vehicles
    • G07C5/006Indicating maintenance
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C5/00Registering or indicating the working of vehicles
    • G07C5/08Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle or waiting time
    • G07C5/0816Indicating performance data, e.g. occurrence of a malfunction

Definitions

  • the present application is directed towards a method for generating a signal indicating unexpected vehicle behaviour, a respective vehicle, system and storage medium.
  • US patent application publication US 2016/0272113 A1 relates to a monitoring system aimed at determining that a vehicle is not being operated by a driver. Based on the vehicle not being operated, the monitoring system can analyse data from one or more sensors of the vehicle to monitor a passenger compartment of the vehicle. With data from the one or more sensors, the monitoring system can detect an anomaly within the passenger compartment of the vehicle. Based, at least in part, on detecting the anomaly, the monitoring system can transmit a signal corresponding to an alert to a computing device of the driver, the alert indicating the anomaly.
  • a further objective of the present invention is to indicate a potential threat to the safety of a vehicle.
  • it is an objective of the present invention to shorten development cycles, e.g. by providing more reliable simulations and/or software.
  • it is an objective of the present invention to facilitate the update of vehicle models with real-time sensor data, in particular where the number of sensors in each vehicle and/or the number of vehicles is large. Even more, it is an objective of the present invention to reduce the data signalling needed to update vehicle models from real-time sensor data.
  • the object of the present invention is solved by a method for generating a signal indicating unexpected behaviour, the method comprising the following steps:
  • each entry in the nominal data comprising an origin value, a sensor value and a timestamp, the origin value identifying the sensor from which the sensor value originates from;
  • the method improves the safety of vehicle use by indicating unexpected behaviour that could be unsafe.
  • the method further allows an unexpected state to be identified so that appropriate measures can be taken.
  • a scoring algorithm such as the supervised feature selection algorithm fisher score, may be used to identify features of relevant correlations between different car functions.
  • Other suitable feature selection algorithms include: T-test, Auto- Encoder, Las Vegas filter, Mutual Information based Feature Selection (MIFS), and Minimum Redundancy Maximum Relevance (MRMR).
  • the one or more functions applied to generate a normal state may generate one or more outputs of the one or more functions that are used to generate one or more criteria for the normal state, such as one or more boundary conditions or criteria for the normal state.
  • Such functions might be a minimum function used to generate a minimum criterion for the normal state, and/or a maximum function, used to generate a maximum criterion for the normal state.
  • a value is in one embodiment considered to be in the normal state when it complies with the one or more criteria.
  • the normal state might also include all sensor values from a correlated sensor in the nominal data, but not include other sensor values.
  • the normal state may also be defined by a range derived by the sensor values from a correlated sensor in the nominal data.
  • the normal state may include all combinations of sensor values in the nominal data from two or more sensors, but not include a combination of sensor values that are not in the nominal data.
  • the function may be a function outputting a maximum or minimum value from a correlated sensor in the nominal data.
  • the normal state may then be defined by boundaries defined by the minimum and/or maximum values.
  • a fit-function such as a polynomial fit function, e.g. a first degree polynomial fit function, may be applied to data from two or more sensors and the boundary criteria may be defined as a distance from the fit function.
  • Boundary criteria for the normal state might also take the form of a channel with an upper boundary functional dependence and/or a lower boundary functional dependence.
  • the functional dependence might be a first order dependence derived from the sensor values in the nominal data.
  • a timestamp may be used to identify dependence between two sensors.
  • Correlation may then be based on sensor values measured within a time interval, or based on entries closest in time to each other or other suitable criteria depending on the content and structure of the data.
  • the method may further comprise: receiving a selection of a state of interest, the state of interest indicating at least one sensor value from the selected sensor within the nominal data;
  • step of applying at least one function comprises applying at least one function to the correlating data of interest to generate a normal state
  • step of identifying an unexpected state further requires the sensor value from the selected sensor to be equal to or within the state of interest in order to identify an unexpected state.
  • the embodiment allows the narrowing of the normal state to within a certain state of interest. By narrowing the normal state, processing power for monitoring and data signalling may be reduced.
  • the method may comprise, before the step of selecting the state or states of interest or value or value range or interest, a further step of: removing from the definition of correlated sensors, functional dependent sensors and remove from the correlated data, data read from the functional dependent sensors;
  • functional dependent sensors are sensors of the correlated sensors which have a dependence with the selected sensor without involving a user interference.
  • the embodiment allows monitoring to be limited to unexpected driver/human behaviour.
  • Functionally dependent features are correlated, without the involvement of the driver's interaction with the car.
  • Functional dependent sensors can be removed automatically based on information of the car included in a design model, or based on the correlation pattern between sensor values, such as a correlation being too precise.
  • the method may further comprise the following steps:
  • a developer, or a security expert By transmitting the unexpected state to a design-time architecture, a developer, or a security expert, can be alerted to the unexpected state without delay, and take appropriate actions.
  • the design-time model reflects the occurrence of an unexpected behaviour by means of a transition between two states in a state machine.
  • the human-machine interface of the vehicle model environment is substantially improved.
  • the step of monitoring of the selected sensor and the at least one sensor of the correlating sensor is performed at run-time in the vehicle, wherein the memory is located in the vehicle, and/or wherein the step of identifying an unexpected state is executed by an Electronic Control Unit (ECU) of the vehicle.
  • ECU Electronic Control Unit
  • the method may comprise the following steps:
  • deactivate hardware e.g. by physically deactivate hardware such as by burning a fuse, by turning of a power supply to the hardware, and/or by sending a signal switching off the hardware.
  • Updating the software of the vehicle may be done in response to the unexpected state, so as to mitigate a security threat that is indicated by the unexpected state.
  • the system update may affect one vehicle, or a range of vehicles.
  • the step of receiving sensor data from sensors is done at run-time by a gateway located in the vehicle.
  • the step of identifying at least one correlating sensor may also be executed in the gateway.
  • Wireless networks could restrict the amount of data being processed and/or pose a security risk.
  • One or more of the described gateway functions may also be distributed among several components, such as among one or more ECUs.
  • the functions may be distributed on a per bus basis.
  • the functions may also be distributed on a per bus member bases.
  • a bus may be a CAN bus of the vehicle and the functions may be distributed among CAN bus nodes.
  • the step of identifying at least one correlating sensor comprises applying a feature selection algorithm, such as fisher score algorithm.
  • Applying a feature selection algorithm reduces the dimensionality of the nominal data to relevant correlating data.
  • Fig. 1 shows a system for monitoring unexpected states, updating design- time models, and updating control software according to an aspect of the invention.
  • Fig. 2 shows steps of a method for generating a signal indicating
  • Fig. 3 shows additional steps of a method for generating a signal
  • FIG. 4 shows a system for generating a signal indicating unexpected behaviour over a network according to an embodiment of the invention.
  • Fig. 1 depicts a framework for synchronization between run-time 102 and design- time 104 in automotive system architectures.
  • the run-time component may be implemented in a vehicle, while the design-time component may be implemented outside the vehicle, typically in the vehicle development facility.
  • the real-time view 102 comprises sensors 103, a gateway 106, and an ECU 108 wherein each sensor of the sensors 103 may generate a signal 130 including a sensor value corresponding to a sensed feature.
  • the signal 130 may be received by the ECU 108, wherein the ECU 108 forwards sensor data 130 to the gateway 106, the sensor data comprising an origin value, a sensor value, and a timestamp, the origin value identifying the sensor 103 from which the sensor value originates.
  • the timestamp and/or the origin value may be added by the ECU 108 or originate from the sensor 103.
  • the gateway 106 may apply a feature selection algorithm to the sensor data to identify correlating features and correlating data.
  • the unexpected or anomalous state may be sent to a design-time architecture to update a design-time model.
  • the developer of the corresponding function is notified and is in charge of assessing the anomaly.
  • This assessment includes the expertise of safety as well as security engineers.
  • the safety engineers have to classify if the anomalous state still illustrates a safe state.
  • the task for the security engineers is to derive whether possible security attacks lead to the transition into the anomalous state.
  • Both assessments may result in the selection of mitigation approaches.
  • the anomaly is assessed to be safe, the normal state may be updated to include the anomalous state.
  • the mitigation approach may also result in software updates that are deployed in one or more vehicles, typically in all vehicles considered to be exposed to the same threat.
  • the unexpected state is preferably automatically imported in a model-based tool that creates design-time models in the form of state machines.
  • Fig. 2 depicts a method for generating a signal indicating unexpected behaviour according to the present invention.
  • the depicted method involves receiving 202 sensor data from sensor of one or more vehicles. Receiving sensor data from more than one vehicle is preferable to including data from a wider range of drivers. It also involves storing 203 the data from the sensors (nominal data) in a memory, preferably in the vehicle.
  • the depicted method further involves receiving 204 a selection of a selected sensor.
  • the selection may be received over a network connection, such as a wireless network connection.
  • the depicted method also involves identifying 205 as selected data, data of the nominal data generated from the selected sensor. This is typically performed by extracting data entries where the origin value identifies the selected sensor.
  • the depicted method also involves identifying 208 sensors, the sensor values correlating with the with the sensor values from the selected sensor.
  • identifying correlation a timestamp in the entries of the nominal data and the selected data might be used. Depending on precision of the timestamp, and the frequency of measurement, the timestamp might not be identical between data entries from different sensors. Correlation might then be
  • the feature selection and/or normal state definition might be based on data from a range of vehicle and/or drivers, to cover a wider range of driving and usage behaviour, or based on a single vehicle and/or driver, in order to assess unexpected vehicle or driver behaviour specific to that driver and/or vehicle.
  • a scoring algorithm such as the supervised feature selection algorithm fisher score, may be used to identify features of relevant correlations between different car functions.
  • Other suitable feature selection algorithms include: T-test, Auto- Encoder; Las Vegas filter, Mutual Information based Feature Selection (MIFS), and Minimum Redundancy Maximum Relevance (MRMR).
  • the depicted method also involves applying 212 one or more functions to at least some of the correlating data to generate a normal state.
  • the one or more functions applied to generate a normal state may generate one or more outputs of the one or more functions that are used to generate one or more criteria for the normal state, such as one or more boundary criteria.
  • Such functions might be a minimum function used to generate a minimum criterion for the normal stat, and/or a maximum function, used to generate a maximum criterion for the normal state. A value is in then considered to be in the normal state when it complies with the one or more criteria.
  • An unexpected state may be values from a sensor that previously has not been read.
  • the unexpected state may be sensor values from two or more sensors that are not previously read within the same time interval, where the time interval typically depends on the frequency of reading values from sensors.
  • the function may be a function outputting a maximum or minimum value from the data, so that the normal state is defined by the minimum and/or maximum values in the data.
  • a function may extract an expected value, mean, or weighted average relating to a statistical distribution, such as a normal distribution, a binomial distribution, or a chi-squared distribution and one or more boundary criteria generated from the distance to such expected value, such as based on a one, two, or three standard deviation, or within a confidence interval, such as 90%, 95%, 99%, or 99,9%.
  • a fit-function such as a polynomial fit function, such as a first-degree polynomial fit function may be applied to data from two or more sensors and the boundary criteria may be defined as a distance from the fit function, such as based on a covariance.
  • Boundary criteria might also take the form of a channel with an upper boundary functional dependence and/or a lower boundary functional dependence.
  • the functional dependence might be a first order dependence.
  • the channel may be identified so that all sensor values from the selected sensor and the one or more correlating sensors lies within the channel.
  • the channel may have two or more dimensions.
  • the depicted method also involves monitoring 216 the selected sensor and the one or more correlating sensors.
  • a state is identified that deviates from the defined normal state 252
  • an unexpected state is identified 218.
  • a state is identified, that is in the normal state, an unexpected state is not identified 250. If an unexpected state is identified, a signal indicating the unexpected state is generated 220.
  • Nominal data, identifications of sensors for monitoring, and normal state for the monitored sensors might have to be stored in a memory; 203 and 214.
  • a second embodiment may include further steps of receiving 206 a selection of state of interest, indicating one or more sensor values from the selected sensor within the nominal data.
  • the state of interest might also be a value range that might be less than the value range defined by the maximum and minimum sensor values in the selected data.
  • the second embodiment may also include identifying 207 a data of interest subset in the nominal data, by selecting the data entries where the sensor value equates to the state of interest within the selected data.
  • the state of interest comprises several values
  • the data of interest may be entries within the selected data where the sensor value equates to the values.
  • the selected state is a value range
  • sensor values are equated to the state of interest, when the sensor value is within the values range.
  • the second embodiment may also include extracting 210 from the correlating data, entries where the origin value is identifying at least one of the one or more correlating sensors identified as received within a same time period as the data of interest. These one or more entries may be known as correlating data of interest.
  • the step of applying 212 at least one function to generate a normal state comprises applying one or more functions to the correlating data of interest to generate a normal state.
  • the function may be a minimum and/or maximum function applied to the correlating data of interest for each correlating sensor.
  • the step of identifying 218 an unexpected state comprises identifies an unexpected when the sensor value from the at least one correlating sensor deviates from the normal state and the sensor value from the selected sensor is equal to the state of interest or within a value range defined by the state of interest.
  • only driver behaviour might be of interest.
  • functionally dependent features may be discarded, i.e.
  • Functional dependent sensors can be removed automatically based on information in the design model of the car, or based on the correlation being too precise, indicating a functional dependence and not a behavioural dependence.
  • the sensor of interest, the one or more correlating sensors, the normal state, and preferably the state of interest may be stored in a memory, preferably in the ECU, to facilitate monitoring of unexpected states.
  • An embodiment of the invention also involves transmitting 150 the unexpected state to a design-time architecture 110 for amending 152 the design-time model 116.
  • the unexpected state might be reflected in the design-time model by means of a transition between two states in a state-machine.
  • the unexpected state may be an anomalous state highlighting to a developer that an unexpected state has occurred in a vehicle.
  • the unexpected state may indicate an unknown threat that highlights a need for an update of the vehicle control instructions.
  • the unexpected state may be used to update vehicle control software, preferably the software of the ECU. If the unexpected state is considered safe, the nominal data may be amended with the unexpected state and/or the normal state updated accordingly.
  • identifying correlating features and learning of the normal states may be performed in a lab on traces of sensor values previously collected.
  • the identifying correlating features and learning of the normal states are performed in the vehicle in run-time.
  • Fig. 4 depicts a network 405, such the Internet, and a first vehicle 410 and a second vehicle 410' connected to the network 405, such as via a wireless connection.
  • Server 410 may also be connected to the network 405.
  • the first vehicle 410 may signal to the driver to transport the first vehicle 410 to a repair shop for service.
  • the service may include replacing hardware and/or updating software.
  • the first vehicle 410 may also trigger automatic software update over the network 405 from the server 420.
  • the server 420 may retrieve software update packages from a database 430.
  • the first vehicle 410 may, in response to sending the signal indicating the unexpected behaviour to the server 420, receive a response signal from the server 420.
  • the response signal may result in a software update of the first vehicle 410, an update of at least one the normal state in the memory of the first vehicle 410, an update of the nominal data of the first vehicle 410, a deactivation of a component or function in the first vehicle 410, and/or a deactivation of hardware, e.g. by physically deactivating the hardware such as by burning a fuse, by turning of a power supply to the hardware, and/or by sending a signal switching off the hardware.
  • the server 420 may additionally or alternatively, in response to receiving the signal indicating the unexpected behaviour from vehicle 410, initiate a second response signal to one or more other vehicles (depicted in Fig. 4 as second vehicle 410').
  • the second response signal may result in a software update of the second vehicle 410', an update of at least one the normal state in the memory of the second vehicle 410', an update of the nominal data of the second vehicle 410', a deactivation of a component or function in the second vehicle 410', and/or a deactivation of hardware, e.g. by physically deactivating the hardware such as by burning a fuse, by turning of a power supply to the hardware, and/or by sending a signal switching off the hardware.
  • the server 420 may receive sensor data (e.g. over the network 405) from sensors in step 202 and the steps 203 to 212 performed on the server 420 using the received sensor data.
  • steps 202 to 208 may be performed on the vehicle, and the correlating data and/or selected data in a further step sent (e.g. over network 405) to the server 420, the server 420 performing step of applying 212 at least one function.
  • the server 420 may send (e.g. over the network 405) an identification of the selected sensor, the state of interest, the correlating sensor and/or the normal state, as the case may be, to the vehicle for monitoring 216.
  • All steps may also be performed on the server 420 using traces of previously collected sensor data.
  • the ECU 108 depicted in Fig. 1 may be one or a plurality of ECUs wherein the sensor data may be received 202 by several ECUs 108 and the monitoring of step 216 may be distributed and/or redundant, such as per bus basis or per bus member basis.
  • the gateway 106 depicted in Fig. 1 may be implemented in one or a plurality of ECUs.
  • the step of identifying 205 selected data, identifying 208 at least one correlating sensors and correlating data, and applying 212 at least one function, may be performed on a plurality of ECUs in a distributed and/or redundant manner.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Traffic Control Systems (AREA)

Abstract

A method generating a signal indicating unexpected behaviour comprising receiving (202) sensor data from sensors of at least one vehicle during vehicle use, storing (203) at least some of the sensor data as nominal data in a memory, each entry in the nominal data comprising an origin value, a sensor value and a timestamp, the origin value identifying the sensor from which the sensor value originates from, receiving (204) a selection of one of the sensors to select the sensor as selected sensor, identifying (205) selected data as entries of the nominal data originating from the selected sensor, identifying (208) at least one correlating sensor and correlating data as entries of the nominal data with origin values identifying the at least one correlating sensor, applying (212) at least one function to at least some of the correlating data and/or selected data to generate a normal state as preferably a function of the sensor value of the selected sensor, for the at least one correlating sensor, monitoring (216) the sensor values of the selected sensor and the at least one correlating sensor, identifying (218) an unexpected state, when a monitored sensor value from the at least one correlating sensor deviates from the normal state, and generating (220), when identifying the unexpected state (252), a signal indicating the unexpected behaviour.

Description

Method Indicating Unexpected Behaviour and Vehicle, System, and Storage
Medium Comprising the Same
Description
The present application is directed towards a method for generating a signal indicating unexpected vehicle behaviour, a respective vehicle, system and storage medium.
US patent application publication US 2016/0272113 A1 relates to a monitoring system aimed at determining that a vehicle is not being operated by a driver. Based on the vehicle not being operated, the monitoring system can analyse data from one or more sensors of the vehicle to monitor a passenger compartment of the vehicle. With data from the one or more sensors, the monitoring system can detect an anomaly within the passenger compartment of the vehicle. Based, at least in part, on detecting the anomaly, the monitoring system can transmit a signal corresponding to an alert to a computing device of the driver, the alert indicating the anomaly.
It is an objective of the present invention to improve the safety of vehicles. A further objective of the present invention is to indicate a potential threat to the safety of a vehicle. Moreover, it is an objective of the present invention to shorten development cycles, e.g. by providing more reliable simulations and/or software. Further, it is an objective of the present invention to facilitate the update of vehicle models with real-time sensor data, in particular where the number of sensors in each vehicle and/or the number of vehicles is large. Even more, it is an objective of the present invention to reduce the data signalling needed to update vehicle models from real-time sensor data.
The objectives of the present invention are solved by the subject matter of claims 1, 14, 16, and 17. In particular, the object of the present invention is solved by a method for generating a signal indicating unexpected behaviour, the method comprising the following steps:
receiving sensor data from sensors of at least one vehicle during vehicle use;
storing at least some of the sensor data as nominal data in a memory, each entry in the nominal data comprising an origin value, a sensor value and a timestamp, the origin value identifying the sensor from which the sensor value originates from;
receiving a selection of one of the sensors to select the sensor as selected sensor;
identifying selected data as entries of the nominal data originating from the selected sensor;
identifying at least one correlating sensor and correlating data as entries of the nominal data with origin values identifying the at least one correlating sensor;
applying at least one function to at least some of the correlating data and/or selected data to generate a normal state as preferably a function of the sensor value of the selected sensor, for the at least one correlating sensor;
monitoring the sensor values of the selected sensor and the at least one correlating sensor;
identifying an unexpected state, when a monitored sensor value from the at least one correlating sensor deviates from the normal state; and
generating, when identifying the unexpected state, the signal indicating the unexpected behaviour.
The method improves the safety of vehicle use by indicating unexpected behaviour that could be unsafe. The method further allows an unexpected state to be identified so that appropriate measures can be taken.
A scoring algorithm, such as the supervised feature selection algorithm fisher score, may be used to identify features of relevant correlations between different car functions. Other suitable feature selection algorithms include: T-test, Auto- Encoder, Las Vegas filter, Mutual Information based Feature Selection (MIFS), and Minimum Redundancy Maximum Relevance (MRMR). The one or more functions applied to generate a normal state may generate one or more outputs of the one or more functions that are used to generate one or more criteria for the normal state, such as one or more boundary conditions or criteria for the normal state.
Such functions might be a minimum function used to generate a minimum criterion for the normal state, and/or a maximum function, used to generate a maximum criterion for the normal state. A value is in one embodiment considered to be in the normal state when it complies with the one or more criteria.
The normal state might also include all sensor values from a correlated sensor in the nominal data, but not include other sensor values. The normal state may also be defined by a range derived by the sensor values from a correlated sensor in the nominal data. The normal state may include all combinations of sensor values in the nominal data from two or more sensors, but not include a combination of sensor values that are not in the nominal data.
The function may be a function outputting a maximum or minimum value from a correlated sensor in the nominal data. The normal state may then be defined by boundaries defined by the minimum and/or maximum values. A fit-function, such as a polynomial fit function, e.g. a first degree polynomial fit function, may be applied to data from two or more sensors and the boundary criteria may be defined as a distance from the fit function.
Boundary criteria for the normal state might also take the form of a channel with an upper boundary functional dependence and/or a lower boundary functional dependence. The functional dependence might be a first order dependence derived from the sensor values in the nominal data.
A timestamp may be used to identify dependence between two sensors.
Depending on precision of the timestamp, and the frequency of measurement, the timestamps from two sensors might not be identical. Correlation may then be based on sensor values measured within a time interval, or based on entries closest in time to each other or other suitable criteria depending on the content and structure of the data.
In one embodiment, the method may further comprise: receiving a selection of a state of interest, the state of interest indicating at least one sensor value from the selected sensor within the nominal data;
identifying a data of interest subset in the nominal data, by selecting the data entries where the sensor value equate to the state of interest and the origin value identifying to the selected sensor; and
extracting, for the at least one correlating sensors, correlating data of interest as a subset of the correlating data identified as received within a same time period as the data of interest subset;
wherein the step of applying at least one function comprises applying at least one function to the correlating data of interest to generate a normal state; and
wherein the step of identifying an unexpected state further requires the sensor value from the selected sensor to be equal to or within the state of interest in order to identify an unexpected state.
The embodiment allows the narrowing of the normal state to within a certain state of interest. By narrowing the normal state, processing power for monitoring and data signalling may be reduced.
In one embodiment, the method may comprise, before the step of selecting the state or states of interest or value or value range or interest, a further step of: removing from the definition of correlated sensors, functional dependent sensors and remove from the correlated data, data read from the functional dependent sensors;
wherein functional dependent sensors are sensors of the correlated sensors which have a dependence with the selected sensor without involving a user interference.
By removing functionally correlated sensors, the embodiment allows monitoring to be limited to unexpected driver/human behaviour. Functionally dependent features are correlated, without the involvement of the driver's interaction with the car. By discarding functional dependent data processing, monitoring, and signalling needs can be reduced. Functional dependent sensors can be removed automatically based on information of the car included in a design model, or based on the correlation pattern between sensor values, such as a correlation being too precise. In one embodiment, the method may further comprise the following steps:
transmitting the unexpected state to a design-time architecture; and amending a design-time model with the unexpected state.
By transmitting the unexpected state to a design-time architecture, a developer, or a security expert, can be alerted to the unexpected state without delay, and take appropriate actions.
In one embodiment, the design-time model reflects the occurrence of an unexpected behaviour by means of a transition between two states in a state machine.
By generating a transition between two states in a state machine reflecting the unexpected state, the human-machine interface of the vehicle model environment is substantially improved.
In one embodiment, the step of monitoring of the selected sensor and the at least one sensor of the correlating sensor is performed at run-time in the vehicle, wherein the memory is located in the vehicle, and/or wherein the step of identifying an unexpected state is executed by an Electronic Control Unit (ECU) of the vehicle.
In one embodiment, the method may comprise the following steps:
updating a software for vehicle control;
updating at least one normal state in the memory;
updating the nominal data;
replace hardware;
deactivate a component or a function of the vehicle; and/or
deactivate hardware, e.g. by physically deactivate hardware such as by burning a fuse, by turning of a power supply to the hardware, and/or by sending a signal switching off the hardware.
Updating the software of the vehicle may be done in response to the unexpected state, so as to mitigate a security threat that is indicated by the unexpected state. The system update may affect one vehicle, or a range of vehicles. In one embodiment, the step of receiving sensor data from sensors is done at run-time by a gateway located in the vehicle. The step of identifying at least one correlating sensor may also be executed in the gateway.
By executing the steps in a gateway in the vehicle, no data needs to be signalled over a wireless network while the vehicle is in motion. Wireless networks could restrict the amount of data being processed and/or pose a security risk.
One or more of the described gateway functions may also be distributed among several components, such as among one or more ECUs. The functions may be distributed on a per bus basis. The functions may also be distributed on a per bus member bases. A bus may be a CAN bus of the vehicle and the functions may be distributed among CAN bus nodes.
In one embodiment, the step of identifying at least one correlating sensor comprises applying a feature selection algorithm, such as fisher score algorithm.
Applying a feature selection algorithm reduces the dimensionality of the nominal data to relevant correlating data.
The benefits and advantages of the aforementioned vehicle, storage medium and system are equal or similar to the advantages of the above-mentioned method.
In the following, embodiments of the invention are described with respect to the figures, wherein
Fig. 1 shows a system for monitoring unexpected states, updating design- time models, and updating control software according to an aspect of the invention.
Fig. 2 shows steps of a method for generating a signal indicating
unexpected behaviour according to an embodiment of the invention.
Fig. 3 shows additional steps of a method for generating a signal
according to another embodiment of the invention. Fig. 4 shows a system for generating a signal indicating unexpected behaviour over a network according to an embodiment of the invention.
Fig. 1 depicts a framework for synchronization between run-time 102 and design- time 104 in automotive system architectures. The run-time component may be implemented in a vehicle, while the design-time component may be implemented outside the vehicle, typically in the vehicle development facility.
The real-time view 102 comprises sensors 103, a gateway 106, and an ECU 108 wherein each sensor of the sensors 103 may generate a signal 130 including a sensor value corresponding to a sensed feature.
The signal 130 may be received by the ECU 108, wherein the ECU 108 forwards sensor data 130 to the gateway 106, the sensor data comprising an origin value, a sensor value, and a timestamp, the origin value identifying the sensor 103 from which the sensor value originates. The timestamp and/or the origin value may be added by the ECU 108 or originate from the sensor 103. The gateway 106 may apply a feature selection algorithm to the sensor data to identify correlating features and correlating data.
The unexpected or anomalous state may be sent to a design-time architecture to update a design-time model. The developer of the corresponding function is notified and is in charge of assessing the anomaly. This assessment includes the expertise of safety as well as security engineers. The safety engineers have to classify if the anomalous state still illustrates a safe state. The task for the security engineers is to derive whether possible security attacks lead to the transition into the anomalous state. Both assessments may result in the selection of mitigation approaches. In case the anomaly is assessed to be safe, the normal state may be updated to include the anomalous state. The mitigation approach may also result in software updates that are deployed in one or more vehicles, typically in all vehicles considered to be exposed to the same threat. The unexpected state is preferably automatically imported in a model-based tool that creates design-time models in the form of state machines.
Fig. 2 depicts a method for generating a signal indicating unexpected behaviour according to the present invention. The depicted method involves receiving 202 sensor data from sensor of one or more vehicles. Receiving sensor data from more than one vehicle is preferable to including data from a wider range of drivers. It also involves storing 203 the data from the sensors (nominal data) in a memory, preferably in the vehicle.
The depicted method further involves receiving 204 a selection of a selected sensor. The selection may be received over a network connection, such as a wireless network connection. The depicted method also involves identifying 205 as selected data, data of the nominal data generated from the selected sensor. This is typically performed by extracting data entries where the origin value identifies the selected sensor.
The depicted method also involves identifying 208 sensors, the sensor values correlating with the with the sensor values from the selected sensor. In order to perform identifying correlation, a timestamp in the entries of the nominal data and the selected data might be used. Depending on precision of the timestamp, and the frequency of measurement, the timestamp might not be identical between data entries from different sensors. Correlation might then be
considered within a certain time interval, or based on the entries closest in time to each other or other suitable criteria depending on the content and structure of the data.
The feature selection and/or normal state definition might be based on data from a range of vehicle and/or drivers, to cover a wider range of driving and usage behaviour, or based on a single vehicle and/or driver, in order to assess unexpected vehicle or driver behaviour specific to that driver and/or vehicle.
A scoring algorithm, such as the supervised feature selection algorithm fisher score, may be used to identify features of relevant correlations between different car functions. Other suitable feature selection algorithms include: T-test, Auto- Encoder; Las Vegas filter, Mutual Information based Feature Selection (MIFS), and Minimum Redundancy Maximum Relevance (MRMR).
The depicted method also involves applying 212 one or more functions to at least some of the correlating data to generate a normal state. The one or more functions applied to generate a normal state may generate one or more outputs of the one or more functions that are used to generate one or more criteria for the normal state, such as one or more boundary criteria.
Such functions might be a minimum function used to generate a minimum criterion for the normal stat, and/or a maximum function, used to generate a maximum criterion for the normal state. A value is in then considered to be in the normal state when it complies with the one or more criteria.
An unexpected state may be values from a sensor that previously has not been read. The unexpected state may be sensor values from two or more sensors that are not previously read within the same time interval, where the time interval typically depends on the frequency of reading values from sensors.
The function may be a function outputting a maximum or minimum value from the data, so that the normal state is defined by the minimum and/or maximum values in the data. A function may extract an expected value, mean, or weighted average relating to a statistical distribution, such as a normal distribution, a binomial distribution, or a chi-squared distribution and one or more boundary criteria generated from the distance to such expected value, such as based on a one, two, or three standard deviation, or within a confidence interval, such as 90%, 95%, 99%, or 99,9%.
A fit-function, such as a polynomial fit function, such as a first-degree polynomial fit function may be applied to data from two or more sensors and the boundary criteria may be defined as a distance from the fit function, such as based on a covariance.
Boundary criteria might also take the form of a channel with an upper boundary functional dependence and/or a lower boundary functional dependence. The functional dependence might be a first order dependence. The channel may be identified so that all sensor values from the selected sensor and the one or more correlating sensors lies within the channel. The channel may have two or more dimensions.
The depicted method also involves monitoring 216 the selected sensor and the one or more correlating sensors. When a state is identified that deviates from the defined normal state 252, an unexpected state is identified 218. When a state is identified, that is in the normal state, an unexpected state is not identified 250. If an unexpected state is identified, a signal indicating the unexpected state is generated 220.
Nominal data, identifications of sensors for monitoring, and normal state for the monitored sensors might have to be stored in a memory; 203 and 214.
In a second embodiment, depicted in Fig. 3, only certain values, or even one value, of the selected sensor are of interest (state of interest). The monitoring can then be targeted at only this state of interest. A second embodiment may include further steps of receiving 206 a selection of state of interest, indicating one or more sensor values from the selected sensor within the nominal data. The state of interest might also be a value range that might be less than the value range defined by the maximum and minimum sensor values in the selected data.
The second embodiment may also include identifying 207 a data of interest subset in the nominal data, by selecting the data entries where the sensor value equates to the state of interest within the selected data. Where the state of interest comprises several values, the data of interest may be entries within the selected data where the sensor value equates to the values. Where the selected state is a value range, sensor values are equated to the state of interest, when the sensor value is within the values range.
The second embodiment may also include extracting 210 from the correlating data, entries where the origin value is identifying at least one of the one or more correlating sensors identified as received within a same time period as the data of interest. These one or more entries may be known as correlating data of interest.
In the second embodiment, the step of applying 212 at least one function to generate a normal state, comprises applying one or more functions to the correlating data of interest to generate a normal state. The function may be a minimum and/or maximum function applied to the correlating data of interest for each correlating sensor. In the second embodiment, the step of identifying 218 an unexpected state comprises identifies an unexpected when the sensor value from the at least one correlating sensor deviates from the normal state and the sensor value from the selected sensor is equal to the state of interest or within a value range defined by the state of interest. In a third embodiment, only driver behaviour might be of interest. In a third embodiment, functionally dependent features may be discarded, i.e. features that have a dependence that is based on the physical design of the vehicle, without the involvement of the driver's hand. By discarding functional dependent data processing, monitoring, and transmission, can be reduced. Functional dependent sensors can be removed automatically based on information in the design model of the car, or based on the correlation being too precise, indicating a functional dependence and not a behavioural dependence.
The sensor of interest, the one or more correlating sensors, the normal state, and preferably the state of interest may be stored in a memory, preferably in the ECU, to facilitate monitoring of unexpected states.
An embodiment of the invention also involves transmitting 150 the unexpected state to a design-time architecture 110 for amending 152 the design-time model 116. The unexpected state might be reflected in the design-time model by means of a transition between two states in a state-machine. The unexpected state may be an anomalous state highlighting to a developer that an unexpected state has occurred in a vehicle.
The unexpected state may indicate an unknown threat that highlights a need for an update of the vehicle control instructions. The unexpected state may be used to update vehicle control software, preferably the software of the ECU. If the unexpected state is considered safe, the nominal data may be amended with the unexpected state and/or the normal state updated accordingly.
Certain aspects of the invention, identifying correlating features and learning of the normal states may be performed in a lab on traces of sensor values previously collected. Preferably, the identifying correlating features and learning of the normal states are performed in the vehicle in run-time.
The normal state might continuously be improved with new driving behaviour. It is expected, that the number of unexpected states will initially be high, but will decrease as the vehicle collects new, previously unexperienced states and these, under the supervision of experts, are handled by the software and/or
incorporated in the nominal data. Fig. 4 depicts a network 405, such the Internet, and a first vehicle 410 and a second vehicle 410' connected to the network 405, such as via a wireless connection. Server 410 may also be connected to the network 405. When a signal indicating an unexpected behaviour is generated in the first vehicle 410, e.g. by generating step 220 of Fig. 2B, the first vehicle 410 may signal to the driver to transport the first vehicle 410 to a repair shop for service. The service may include replacing hardware and/or updating software. The first vehicle 410 may also trigger automatic software update over the network 405 from the server 420. The server 420 may retrieve software update packages from a database 430.
The first vehicle 410 may, in response to sending the signal indicating the unexpected behaviour to the server 420, receive a response signal from the server 420. The response signal may result in a software update of the first vehicle 410, an update of at least one the normal state in the memory of the first vehicle 410, an update of the nominal data of the first vehicle 410, a deactivation of a component or function in the first vehicle 410, and/or a deactivation of hardware, e.g. by physically deactivating the hardware such as by burning a fuse, by turning of a power supply to the hardware, and/or by sending a signal switching off the hardware.
The server 420, may additionally or alternatively, in response to receiving the signal indicating the unexpected behaviour from vehicle 410, initiate a second response signal to one or more other vehicles (depicted in Fig. 4 as second vehicle 410'). The second response signal may result in a software update of the second vehicle 410', an update of at least one the normal state in the memory of the second vehicle 410', an update of the nominal data of the second vehicle 410', a deactivation of a component or function in the second vehicle 410', and/or a deactivation of hardware, e.g. by physically deactivating the hardware such as by burning a fuse, by turning of a power supply to the hardware, and/or by sending a signal switching off the hardware.
In one embodiment, the server 420 may receive sensor data (e.g. over the network 405) from sensors in step 202 and the steps 203 to 212 performed on the server 420 using the received sensor data. Alternatively, steps 202 to 208 may be performed on the vehicle, and the correlating data and/or selected data in a further step sent (e.g. over network 405) to the server 420, the server 420 performing step of applying 212 at least one function. In a further step, the server 420 may send (e.g. over the network 405) an identification of the selected sensor, the state of interest, the correlating sensor and/or the normal state, as the case may be, to the vehicle for monitoring 216.
All steps may also be performed on the server 420 using traces of previously collected sensor data.
The ECU 108 depicted in Fig. 1 may be one or a plurality of ECUs wherein the sensor data may be received 202 by several ECUs 108 and the monitoring of step 216 may be distributed and/or redundant, such as per bus basis or per bus member basis. The gateway 106 depicted in Fig. 1 may be implemented in one or a plurality of ECUs. The step of identifying 205 selected data, identifying 208 at least one correlating sensors and correlating data, and applying 212 at least one function, may be performed on a plurality of ECUs in a distributed and/or redundant manner.
Reference numerals:
102 Run-time view
103 Sensors
104 Design-time view
106 Gateway
108 ECU
110 Design-time system
112 Developer
114 Feature selection unit
116 Design-time model
130 Nominal data
132 Sensors identifier and normal state for monitoring
150 Unexpected state
152 System and/or nominal data update
202 Receive data from sensors
203 Store nominal data
204 Receive sensor selection
205 Identify selected data
206 Receive state of interest
207 Identify data of interest
208 Identify correlating sensors and correlated data
210 Extract correlating data of interest
212 Apply function to generate normal state
214 Store normal state
216 Monitor sensors
218 Identify unexpected state
220 Generate signal indicating unexpected behaviour
250 State is normal
252 State is unexpected
405 Network
410 First Vehicle ' Second Vehicle Server
Database

Claims

1. Method for generating a signal indicating unexpected behaviour, the method comprising : receiving (202) sensor data from sensors of at least one vehicle during vehicle use; storing (203) at least some of the sensor data as nominal data in a memory, each entry in the nominal data comprising an origin value, a sensor value and a timestamp, the origin value identifying the sensor from which the sensor value originates from; receiving (204) a selection of one of the sensors to select the sensor as selected sensor; identifying (205) selected data as entries of the nominal data originating from the selected sensor; identifying (208) at least one correlating sensor and correlating data as entries of the nominal data with origin values identifying the at least one correlating sensor; applying (212) at least one function to at least some of the correlating data and/or selected data to generate a normal state as preferably a function of the sensor value of the selected sensor, for the at least one correlating sensor; monitoring (216) the sensor values of the selected sensor and the at least one correlating sensor; identifying (218) an unexpected state, when a monitored sensor value from the at least one correlating sensor deviates from the normal state; and generating (220), when identifying the unexpected state (252), the signal indicating the unexpected behaviour.
2. The method of claim 1, further comprising : storing (214), in the memory, the normal state for the at least one correlating sensor.
3. The method of claims 1 or 2, wherein the method further comprises: receiving (206) a selection of a state of interest, the state of interest indicating at least one sensor value from the selected sensor within the nominal data; identifying (207) a data of interest subset in the nominal data, by selecting the data entries where the sensor value equate to the state of interest and the origin value identifying the selected sensor; and extracting (210), for the at least one correlating sensors, correlating data of interest as a subset of the correlating data identified as received within a same time period as the data of interest subset; wherein the step of applying (212) at least one function comprises applying at least one function to the correlating data of interest to generate a normal state; and wherein the step of identifying (218) an unexpected state further requires the sensor value from the selected sensor to be equal to or within the state of interest in order to identify an unexpected state.
4. The method of any of the preceding claims, wherein the method comprises, before the step of selecting the state or states of interest or value or value range or interest, a further step of: removing from the definition of correlated sensors, functional dependent sensors and remove from the correlated data, data read from the functional dependent sensors; wherein functional dependent sensors are sensors of the correlated sensors which have a dependence with the selected sensor without involving a user interference.
5. The method of any of the preceding claims, wherein the normal state is dependent on the sensor value of the selected sensor.
6. The method of any of the preceding claims, wherein the step of applying (212) comprises applying a max and/or a min function to sensor values of the correlating data, and/or wherein the output of the one or more function is used to generate at least one boundary criteria for the normal state, such as a maximum criterion and/or a minimum criterion.
7. The method of any of the preceding claims, further comprising : transmitting (150) the unexpected state to a design-time architecture (110); and amending (152) a design-time model (116) with the unexpected state.
8. The method of claim 7, wherein the design-time model (116) is reflecting the occurrence of an unexpected behaviour by means of a transition between two states in a state machine.
9. The method of any of the preceding claims, wherein the step of monitoring (216) of the selected sensor and the at least one sensor of the correlating sensor is performed run-time (102) in the vehicle, wherein the memory is located in the vehicle, and/or wherein the step of identifying (218) an unexpected state is executed by an ECU (108) of the vehicle.
10. The method of any of claims 7 to 9, wherein in response to analysing, by a developer (112), the method further comprising : updating a software for vehicle control; updating at least one the normal state in the memory; updating the nominal data; replace hardware; deactivate a component or function; and/or deactivate hardware, e.g. by physically deactivate the hardware such as by burning a fuse, by turning of a power supply to the hardware, and/or by sending a signal switching off the hardware.
11. The method of any of the preceding claims, wherein the step of receiving (202) sensor data from sensors is done run-time (102) by a gateway (106) located in the vehicle.
12. The method of claim 11, wherein the step of identifying (208) is executed in the gateway (106).
13. The method of any of the preceding claims, wherein the step of identifying (208) at least one correlating sensor comprises applying a feature selection algorithm (114), such as fisher score algorithm.
14. A vehicle comprising means for carrying out the steps of the method of one of the claims 1 to 13.
15. The vehicle of claim 14, wherein the signal indicating the unexpected behaviour is used to update the software controlling the vehicle.
16. A system comprising : a vehicle implementing a run-time view (102) comprising sensors (103), a gateway (106), an ECU (108); and a design-time view (104) comprising a design-time architecture; wherein the gateway (106) is configured to: receiving (202) sensor data from sensors of at least one vehicle during vehicle use; storing at least some of the sensor data as nominal data in a memory, each entry in the nominal data comprising an origin value, a sensor value and a timestamp, the origin value identifying the sensor from which the sensor value originates from; receiving a selection (204) of one of the sensors to select the sensor as selected sensor; identifying selected data as entries of the nominal data originating from the selected sensor; identifying (208) at least one correlating sensor and correlating data as entries of the nominal data with origin values identifying the at least one correlating sensor; applying (212) at least one function to at least some of the correlating data and/or selected data to generate a normal state; the ECU (108) is configured to: monitoring (216) the sensor values of the selected sensor and/or the at least one correlating sensor; identifying (218) an unexpected state, when a monitored sensor value from the at least one correlating sensor deviates from the normal state; generating (220), when identifying the unexpected state (252), a signal indicating the unexpected behaviour; and the design-time architecture is configured to: receiving the signal indicating the unexpected state; amending (152) a design-time model (116) with the unexpected state; updating a software for vehicle control in the ECU of the vehicle.
17. Computer readable storage medium containing instructions which, when executed by at least one processor, cause the processor to carry out the steps of the method of one of the claims 1 to 13.
PCT/EP2018/069971 2018-07-24 2018-07-24 Method indicating unexpected behaviour and vehicle, system, and storage medium comprising the same WO2020020437A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/EP2018/069971 WO2020020437A1 (en) 2018-07-24 2018-07-24 Method indicating unexpected behaviour and vehicle, system, and storage medium comprising the same
DE112018007851.5T DE112018007851T5 (en) 2018-07-24 2018-07-24 Method for indicating unexpected behavior and that comprehensive vehicle, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/069971 WO2020020437A1 (en) 2018-07-24 2018-07-24 Method indicating unexpected behaviour and vehicle, system, and storage medium comprising the same

Publications (1)

Publication Number Publication Date
WO2020020437A1 true WO2020020437A1 (en) 2020-01-30

Family

ID=63047328

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/069971 WO2020020437A1 (en) 2018-07-24 2018-07-24 Method indicating unexpected behaviour and vehicle, system, and storage medium comprising the same

Country Status (2)

Country Link
DE (1) DE112018007851T5 (en)
WO (1) WO2020020437A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140277910A1 (en) * 2013-03-14 2014-09-18 The Goodyear Tire & Rubber Company Predictive peer-based tire health monitoring
US20160217627A1 (en) * 2013-04-23 2016-07-28 B. G. Negev Technologies And Applications Ltd. Sensor fault detection and diagnosis for autonomous systems
US20160272113A1 (en) 2015-03-18 2016-09-22 Brennan T. Lopez-Hinojosa Methods and systems for providing alerts to a driver of a vehicle via condition detection and wireless communications
US20170067764A1 (en) * 2015-08-28 2017-03-09 Robert Bosch Gmbh Method and device for detecting at least one sensor malfunction of at least one first sensor of at least one first vehicle
US20170169627A1 (en) * 2015-12-09 2017-06-15 Hyundai Motor Company Apparatus and method for failure diagnosis and calibration of sensors for advanced driver assistance systems
US20170221279A1 (en) * 2016-02-02 2017-08-03 Toyota Jidosha Kabushiki Kaisha Automobile modification system providing security and fault tolerance support

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140277910A1 (en) * 2013-03-14 2014-09-18 The Goodyear Tire & Rubber Company Predictive peer-based tire health monitoring
US20160217627A1 (en) * 2013-04-23 2016-07-28 B. G. Negev Technologies And Applications Ltd. Sensor fault detection and diagnosis for autonomous systems
US20160272113A1 (en) 2015-03-18 2016-09-22 Brennan T. Lopez-Hinojosa Methods and systems for providing alerts to a driver of a vehicle via condition detection and wireless communications
US20170067764A1 (en) * 2015-08-28 2017-03-09 Robert Bosch Gmbh Method and device for detecting at least one sensor malfunction of at least one first sensor of at least one first vehicle
US20170169627A1 (en) * 2015-12-09 2017-06-15 Hyundai Motor Company Apparatus and method for failure diagnosis and calibration of sensors for advanced driver assistance systems
US20170221279A1 (en) * 2016-02-02 2017-08-03 Toyota Jidosha Kabushiki Kaisha Automobile modification system providing security and fault tolerance support

Also Published As

Publication number Publication date
DE112018007851T5 (en) 2021-04-15

Similar Documents

Publication Publication Date Title
JP7247089B2 (en) Vehicle anomaly detection server, vehicle anomaly detection system, and vehicle anomaly detection method
US11875612B2 (en) Vehicle monitoring apparatus, fraud detection server, and control methods
US11838314B2 (en) Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method
EP3113529B1 (en) System and method for time based anomaly detection in an in-vehicle communication network
US10798114B2 (en) System and method for consistency based anomaly detection in an in-vehicle communication network
KR100748011B1 (en) Method for identifying the condition of an energy accumulator
KR20010108191A (en) Method for recognition of faults on a motor vehicle
US20220006821A1 (en) Information processing apparatus, data analysis method and program
CN113691432A (en) Automobile CAN network message monitoring method and device, computer equipment and storage medium
US20210326677A1 (en) Determination device, determination program, determination method and method of generating neural network model
EP4096232B1 (en) Attack detection method, attack detection system and program
CN111447173A (en) Device and method for classifying data of controller area network or automobile Ethernet
CN111989678A (en) Information processing apparatus, information processing method, and program
US11411761B2 (en) Detection device, detection method, and program
US20230283617A1 (en) Attack analysis device, attack analysis method, and non-transitory computer-readable recording medium
WO2020020437A1 (en) Method indicating unexpected behaviour and vehicle, system, and storage medium comprising the same
KR102204655B1 (en) A mitigation method against message flooding attacks for secure controller area network by predicting attack message retransfer time
JP7176564B2 (en) Monitoring device and monitoring method
JPWO2022107378A5 (en)
US20230005308A1 (en) Fault sign detection device, fault sign detection system, fault sign method, and fault sign detection program
US20230031972A1 (en) Safeguarding a system against false positives
US20230025819A1 (en) Safeguarding a system against false negatives
US11765191B2 (en) Information processing device and information processing method
WO2022190408A1 (en) Analysis device
KR20230131412A (en) Apparatus for controlling autonomous driving and method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18746873

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 18746873

Country of ref document: EP

Kind code of ref document: A1