METHOD AND INTRUSION DETECTION UNIT FOR VERIFYING MESSAGE BEHAVIOR

20210243202 · 2021-08-05

    Abstract

    A method is provided for verifying a message behavior of a control unit for an automation system having a plurality of components, the control unit communicating with the components and the components communicating with each other via a communication network, with the following steps being carried out on at least one component: receiving at least one message via the communication network, wherein the at least one message is provided by the control unit; analyzing the at least one received message according to a characteristic message description; and providing a verification message comprising a verification of the message behavior of the control unit as acceptable if the analyzed message matches the characteristic message description.

    Claims

    1. A method for verifying a message behavior of a control unit for an automation system having a plurality of components, the control unit communicating with the components and the components communicating with one another via a communication network, the method comprising the steps which are carried out on at least one component: receiving at least one message via the communication network, in particular from the control unit; analyzing the at least one received message according to a characteristic message description; and providing a verification message comprising a verification of the message behavior as acceptable if the analyzed message matches the characteristic message description.

    2. The method according to claim 1, wherein the verification message is provided to the control unit and/or to a further component in the communication network and/or to a further system.

    3. The method according to claim 1, wherein the provision of the verification message is done via an acyclic channel.

    4. The method according to claim 1, wherein providing the verification message comprises providing a control signal to the control unit and/or to a further component and/or a further system.

    5. The method according to claim 4, wherein the control signal comprises restricting or switching off a functionality of the component and/or the control unit and/or the further system.

    6. The method according to claim 1, wherein providing the verification message is carried out if a plurality of the components of the communication network verify the message behavior of the control unit as not permissible.

    7. The method according to claim 1, wherein the characteristic message description comprises an error-free and/or trustworthy message behavior between the control unit and the component.

    8. The method according to claim 1, further comprising: providing at least one response message by said at least one component to said control unit as a result of said at least one received message.

    9. The method according to claim 1, wherein the characteristic message description comprises a time period which comprises the time between receipt of the message and providing of the at least one response message on the component and/or a conversion of a command contained in the message on the component.

    10. The method according to claim 1, wherein the characteristic message description is learned in a model.

    11. The method according to claim 10, wherein the model is learned via a graphical decision tree and/or a neural network.

    12. The method according to claim 10, wherein the learning of the model is performed on the component and/or the control unit and/or a further system.

    13. The method according to claim 10, wherein the model is stored in the component.

    14. The method according to claim 10, wherein the model is trained on the message behavior of the component in which the model is stored and/or wherein the model is trained on the message behavior of a component placed adjacent to the component storing the model.

    15. The method according to claim 1, wherein the method for verifying is provisionally executed for an adjacent component and its messages.

    16. An intrusion detection unit in a component of an automation system, wherein the components of the automation system communicate with one another and with a control unit via a communication network, and wherein the intrusion detection unit is designed to verify a message behavior of the control unit locally, the intrusion detection unit comprising: a receiving unit adapted to receive at least one message via the communication network for the purpose of controlling the component; an analysis interface to an analysis unit adapted to analyze the at least one received message according to a characteristic message description stored in a component memory; and a verification interface to a verification unit which is adapted to verify the message behavior as permissible if the analysis message corresponds to the characteristic message description.

    17. The intrusion detection unit according to claim 16, further comprising: an output unit adapted to output a verification message, the verification message being provided by the verification unit.

    18. The intrusion detection unit according to claim 16, further comprising: an input unit adapted to receive a control signal for disabling the verification of the message behavior of the control unit.

    19. An automation system comprising: a plurality of components driven by a control unit and communicating therewith via a communication network, wherein all or selected components comprise an intrusion detection unit according to claim 16.

    20. A computer program with program code for executing the method according to claim 1, when the computer program is executed on a component.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0052] The disclosure will now be described with reference to the drawings wherein:

    [0053] FIG. 1 shows a schematic view of a design of the automation system according to an exemplary embodiment of the disclosure,

    [0054] FIG. 2 shows a schematic view of the automation system according to another exemplary embodiment of the disclosure,

    [0055] FIG. 3 shows a flow chart of a method according to an exemplary embodiment of the disclosure,

    [0056] FIG. 4 shows a schematic view of a component according to an exemplary embodiment of the disclosure,

    [0057] FIG. 5 shows a schematic view of the component according to a further exemplary embodiment of the disclosure,

    [0058] FIG. 6 shows a schematic view of the structure of a graphical decision tree according to an exemplary embodiment of the disclosure, and

    [0059] FIG. 7 shows a schematic view of the learning of a neural network according to an exemplary embodiment of the disclosure.

    DESCRIPTION OF EXEMPLARY EMBODIMENTS

    [0060] In the following detailed description of the figures, non-restrictive design examples are discussed with their characteristics and further advantages based on the drawing.

    [0061] FIG. 1 shows a schematic view of a design of the automation system according to an exemplary embodiment of the disclosure. In FIG. 1, reference number 50 indicates an automation system. The automation system 50 comprises a plurality of components 30-1 to 30-i. The components 30-1 to 30-i of the automation system 50 communicate with each other via a communication network 20 and, via the same communication network 20, with a control unit 40. The components 30-i are electronic devices, e.g., an actuator or a sensor, and have a communication interface for connecting to the communication network 20. The communication network 20 of FIG. 1 has a bus topology: all components 30-1 to 30-i are connected to a common transmission medium. The communication network 20 can be designed as a LAN. Furthermore, a connection can be established by appropriate gateways via a serial connection or via a WLAN connection. Each of the components 30-1 to 30-i can communicate freely with any other component 30-1 to 30-i. Advantageously, no master station is required to control the communication in the communication network 20. The messages transmitted from the control unit 40 to the components 30-1 to 30-i via the bus-topology communication network are received by all components 30-1 to 30-i connected to the communication network 20. Thus, for example, messages intended for component 30-1 and/or component 30-2 can also be received by a component 30-2, on a provisional basis, so to speak. Data not intended for component 30-1 can be analyzed but does not necessarily have to be evaluated for conversion in component 30-1. For this purpose, a broadcast is used in which all data packets are transmitted from the control unit 40 to all components 30-1 to 30-i of the automation system 50. A broadcast packet reaches all components 30-1 to 30-i of the communication network 20 without an explicitly specified receiver. Each component 30-1 to 30-i that receives a broadcast decides for itself whether it processes the received message, if it is responsible for it, or otherwise tacitly discards it.

    [0062] In FIG. 1, component 30-2 includes an intrusion detection unit 10 for local verification of a message behavior of the control unit 40. The intrusion detection unit 10 includes a receiving unit 11 (cf. FIG. 4). The receiving unit 11 is designed to receive at least one message from the control unit 40 via the communication network 20 for the purpose of controlling the component 30-2. Furthermore, the intrusion detection unit 10 comprises an analysis interface 12 to an analysis unit 13. The analysis unit 13 is designed to analyze at least one received message according to a characteristic message description stored in a component memory. The characteristic message description is learned in a model. In addition, the intrusion detection unit 10 comprises a verification interface 14 to a verification unit 15. The verification unit 15 is designed to verify the message behavior of the control unit 40 as permissible if the analysis message corresponds to the characteristic message description.

    [0063] Components 30-1 to 30-i can store or access the learned model locally. The learned model can be trained using a graphical decision tree and/or a neural network. The recurring program sequence of the control unit 40 with the deterministic messages can be taught to the components 30-1 to 30-i via the graphical decision tree and/or the neural network. Also, the address range of those components can be learned, which is not relevant for the actual component. The learning of the characteristic message description in a model can be done on the control unit 40, on another system 60, for example an industrial PC or server, which communicate with the communication network 20 and/or on the component 30-1 to 30-i. The application of the trained model and thus the verification of the message behavior is performed on at least one component of the plurality of components 30-1 to 30-i of the automation system 50.

    [0064] The message behavior describes the messages which are sent from the control unit 40 via the communication network 20 to the components 30-1 to 30-i. If the control unit is compromised, the messages can be damaged and/or manipulated, which can cause a component 30-1 to 30-i to perform an unexpected reaction and/or damage the automation system 50 or restrict its function. A trustworthy message behavior, which is verified as permissible by one of the components 30-1 to 30-i, comprises messages or commands of the control unit 40 which follow a correct sequence of consecutive commands and/or a correct time interval between consecutive commands. In addition, the trustworthy message behavior may also include the component's response to the received message.

    [0065] Since, in principle, components 30-1 to 30-i receive all messages sent via the communication network 20 in an advantageous way, component 30-2, for example, can also learn the message behavior and/or commands for the neighboring component 30-1 and/or the neighboring component 30-3 in a model to be stored locally. The selection of component 30-3 is only exemplary and does not represent a restriction for the disclosure. Rather, the automation system 50 can include further components 30-i, which store a model that has been taught to a message behavior for other components 30-i. Also, the arrangement of the components 30-1 to 30-i shown in FIG. 1 and the designation as adjacent and/or previous and/or subsequent component 30-i is an exemplary arrangement. A neighboring component 30-i can also comprise a neighboring address range but may be located locally away in the automation system 50. In one version the components 30-1 to 30-i are controlled by a fixed address designation by the control unit 40, for example by a programmable logic controller.

    [0066] In the embodiment shown in FIG. 1, the message behavior of component 30-1 and component 30-3 can be learned in the model of component 30-2. This is advantageous if component 30-1 and component 30-3 do not have the resources (computing power, storage capacity, energy, etc.) available to implement the program for verifying a message behavior and/or the units of the intrusion detection unit 10. It is advantageous to verify the admissibility of the messages sent by the control unit 40 to component 30-1 and component 30-3 via component 30-2. This protects these components against manipulation and/or damage by messages sent by a compromised control unit 40. A further advantage is that each component 30-i can be protected against attacks: if attacks on individual components are initiated by a compromised control unit 40, this is detected and measures can be taken. Each component 30-i can thus actively or passively (as the selected target of the manipulation) detect abnormal command behavior and/or abnormal accesses of the control unit. As a measure, feedback can be provided to a user and/or to a control level, for example via an acyclic channel. Furthermore, the verification message can provide a control signal that restricts and/or shuts down a functionality of a component 30-1 to 30-i and/or the control unit 40 and/or a further system 60.

    [0067] In order to minimize the rate of false alarms, in particular to avoid malfunctions and/or standstills of the automation system caused by false alarms, a so-called majority decision of the components 30-1 to 30-i can be implemented. The majority decision can include a defined number of components 30-1 to 30-i of the automation system 50. In one embodiment, the verification message comprising a control signal is provided if 25% of the components 30-i, preferably 51% of the components 30-i, particularly preferably 75% of the components 30-i of the communication network 20 or the automation system 50 verify the message behavior of the control unit 40 as not permissible. The more components 30-i are considered for the verification of the message behavior, the lower the rate of false messages.
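The sequence and time-interval checks of paragraph [0064] and the majority decision above, as an added example that is not part of the patent: a characteristic message description learned from error-free traffic and verified per component, with the control signal raised only once the configured share of components reports the behavior as not permissible. The command names, timings, tolerance and component verdicts are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Message = Tuple[float, str]  # (receive time in ms, command id)

# Constructed bus traffic as one component sees it: the control unit's program
# repeats MOVE, STOP, STATUS every 100 ms (error-free reference behavior).
NORMAL_TRAFFIC: List[Message] = [
    (100.0 * k, cmd) for k, cmd in enumerate(["MOVE", "STOP", "STATUS"] * 3)
]
# Constructed manipulated traffic: STATUS arrives only 30 ms after STOP, and
# STOP then follows STATUS, which the reference program never does.
MANIPULATED_TRAFFIC: List[Message] = [
    (0.0, "MOVE"), (100.0, "STOP"), (130.0, "STATUS"), (230.0, "STOP"),
]


class MessageDescription:
    """Characteristic message description: which command may follow which, and
    the permissible time interval between them, learned from error-free traffic."""

    def __init__(self, tolerance: float = 0.2) -> None:
        self.tolerance = tolerance                      # +/- 20 % around observed gaps
        self.successors: Dict[str, set] = defaultdict(set)
        self.interval: Dict[Tuple[str, str], Tuple[float, float]] = {}

    def learn(self, traffic: List[Message]) -> "MessageDescription":
        gaps: Dict[Tuple[str, str], List[float]] = defaultdict(list)
        for (t0, c0), (t1, c1) in zip(traffic, traffic[1:]):
            self.successors[c0].add(c1)
            gaps[(c0, c1)].append(t1 - t0)
        for pair, seen in gaps.items():
            self.interval[pair] = (min(seen) * (1 - self.tolerance),
                                   max(seen) * (1 + self.tolerance))
        return self

    def verify(self, traffic: List[Message]) -> Tuple[bool, List[str]]:
        """Analyze received traffic; permissible only if order and timing both match."""
        findings: List[str] = []
        for (t0, c0), (t1, c1) in zip(traffic, traffic[1:]):
            if c1 not in self.successors.get(c0, set()):
                findings.append(f"unexpected command {c1} after {c0}")
                continue
            lo, hi = self.interval[(c0, c1)]
            if not lo <= t1 - t0 <= hi:
                findings.append(f"{c0}->{c1} after {t1 - t0:.0f} ms, "
                                f"expected {lo:.0f}-{hi:.0f} ms")
        return not findings, findings


def majority_decision(verdicts: Dict[str, bool], quorum: float = 0.51) -> bool:
    """Raise the control signal only if at least `quorum` of the components
    verified the control unit's message behavior as NOT permissible."""
    if not verdicts:
        return False
    flagged = sum(1 for permissible in verdicts.values() if not permissible)
    return flagged / len(verdicts) >= quorum


def decide(quorum: float = 0.51) -> bool:
    """Constructed scenario: components 30-1 to 30-3 analyze the manipulated traffic;
    component 30-4 has verification switched off for maintenance and reports permissible."""
    desc = MessageDescription().learn(NORMAL_TRAFFIC)
    verdicts = {cid: desc.verify(MANIPULATED_TRAFFIC)[0] for cid in ("30-1", "30-2", "30-3")}
    verdicts["30-4"] = True
    return majority_decision(verdicts, quorum)


if __name__ == "__main__":
    desc = MessageDescription().learn(NORMAL_TRAFFIC)
    print(desc.verify(NORMAL_TRAFFIC))        # (True, [])
    print(desc.verify(MANIPULATED_TRAFFIC))   # (False, [two findings])
    print(decide(0.51), decide(0.76))         # True False
```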

    [0068] In a further exemplary embodiment, only preconfigured components are designed with the intrusion detection unit 10. The selection of the components 30-i depends on their importance for the function of the automation system 50 or on their level. For example, an intrusion detection unit 10 can be provided for a critical component 30-1, 30-2, 30-3, while for another component 30-i the impairment of the functions of this component and/or of the entire automation system 50 would be negligible. In this way, the functions of the components and/or the automation system can be maintained until a critical level is reached.

    [0069] FIG. 2 shows a schematic view of the automation system 50 according to another exemplary embodiment of the disclosure. The automation system 50 as shown in FIG. 2 comprises the components 30-1 to 30-i and a control unit 40. The components 30-1 to 30-i and the control unit 40 are connected to each other via a communication network 20. The communication network 20 of FIG. 2 is designed as a ring topology and represents the common transmission medium. The ring topology represents a closed transmission medium. The components 30-1 to 30-i hanging in the communication network 20 are an integral part of the transmission medium. Each of the components 30-1 to 30-i has a unique predecessor and a unique successor. The messages to be transmitted are transferred from one component 30-i to the other component 30-i. Each 30-i component tests whether the message is intended for it. If the message is not intended for this component 30-i, the message is forwarded to the next component 30-i. If the message is intended for this component 30-i, it is used by this component 30-i or the command is implemented by the component 30-i.

    [0070] FIG. 3 shows a flow chart of a method according to an exemplary embodiment of the disclosure. The method 1 comprises several steps for the design shown. In a first step S1, at least one message is received via the communication network 20; the at least one received message is provided by the control unit 40. In a second step S2, the at least one received message is analyzed according to a characteristic message description. In a third step S3, a verification message is provided, comprising a verification of the message behavior of the control unit 40 as permissible if the analyzed message corresponds to the characteristic message description.

    [0071] FIG. 4 shows a schematic view of component 30-2 according to an exemplary embodiment of the disclosure. In FIG. 4, reference sign 10 designates an intrusion detection unit that is implemented in component 30-2 of an automation system 50 (cf. FIG. 1). The intrusion detection unit 10 is designed for local verification of a message behavior of the control unit 40. The intrusion detection unit 10 comprises a receiving unit 11 which is designed to receive at least one message from the control unit 40 via the communication network 20 for the purpose of controlling the component 30-2. The message comprises the setpoints of the control unit 40, for example of a programmable logic controller, which comprise the commands for actuating and/or controlling the component 30-2. The message is transmitted as a bit sequence via the communication network 20. In a non-compromised system, if the message behavior has been verified as permissible, actual values, so-called feedback messages, can be transmitted by component 30-2. The intrusion detection unit 10 also includes an analysis interface 12 to an analysis unit 13, which is designed to analyze at least one received message according to a characteristic message description stored in a component memory. In addition, the intrusion detection unit 10 comprises a verification interface 14 to a verification unit 15. The verification unit 15 is designed to verify the message behavior of the control unit 40 as permissible if the analysis message corresponds to the characteristic message description. The analysis unit 13 and the verification unit 15 can be implemented as one unit on a component 30-2 or as separate units on a component 30-2 or on two different components 30-i. Implementing them separately allows verification to be performed even if not enough resources can be provided in a single component 30-i.

    [0072] The intrusion detection unit is advantageously implemented as a decentralized system in several components 30-i of the automation system 50. This increases the security and the degree of difficulty to manipulate the system. A compromise is detected, and countermeasures can be initiated and further manipulations and/or malfunctions and/or data theft can be excluded. Due to the decentralized implementation on a plurality of components 30-i in an automation system 50, the effort and/or the degree of difficulty is very high to manipulate all components in such a way, especially to manipulate them simultaneously, so that an attack and/or manipulation by the intrusion detection unit remains unnoticed. In addition, components 30-i, which cannot protect themselves, are protected by the components with an intrusion detection unit. An attempt at manipulation can be detected and repelled accordingly.

    [0073] FIG. 5 shows a schematic view of the component 30-2 according to a further exemplary embodiment of the disclosure. The intrusion detection unit 10 according to the exemplary embodiment shown in FIG. 5 comprises the units of the embodiment shown in FIG. 4. Additionally, the intrusion detection unit 10 comprises an output unit 16. The output unit 16 is designed to output the verification message provided by the verification unit 15. Furthermore, the intrusion detection unit 10 comprises an input unit 17. The input unit 17 is designed to receive a control signal to switch off the verification of the message behavior of the control unit 40. The control signal can deactivate the verification and the provision of a verification message, especially during maintenance, which also represents an abnormal behavior. This can minimize the number of false messages.

    [0074] FIG. 6 shows a schematic view of the structure of a graphical decision tree according to an exemplary embodiment of the disclosure. The model of the present disclosure is learned via a graphical decision tree. The decision tree can be an ordered and/or directed tree. With the help of the ordered and/or directed tree, decision rules can be represented. In particular, hierarchically successive decisions can be defined via the graphically representable tree. In one embodiment, only one bit sequence B of a command is considered. Here the ordered and/or directed tree is built purely from the bit sequence B. The first bit is a logical “0”. Via the edges, the corresponding probability W can be defined that the first bit with the logical “0” is followed by a bit with logical “0” or “1”.

    [0075] If the components always see the same bit sequence B, the ordered and/or directed tree is deterministic. In a further embodiment, response options in the return channel can be considered, so that a more complex tree can be formed. Thus, with a certain probability a corresponding response to a specific command is expected, and after a corresponding response a suitable command is expected. A distinction can be made as to how far the answer to a command departs from the expectation. For example, if only a minor violation of the message behavior was detected, this may have been influenced by the direct environment. However, if the expected subsequent command does not match the previously sent response, this corresponds to a high-level violation and would thus be detected as an unexpected new command and therefore as a manipulation of normal behavior.
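The ordered, directed tree of FIG. 6 and the minor versus high-level violation distinction above, as an added example that is not part of the patent: a tree learned from observed command/response cycles, with the probability W on each edge derived from counts, that classifies an unexpected response as a minor violation and an unexpected subsequent command as a high-level violation. The token names, the two constructed cycles and the threshold w_min are assumptions.

```python
from collections import defaultdict
from typing import Dict, Hashable, Iterable, Tuple

# Constructed token convention: "C:<name>" is a command from the control unit,
# "R:<name>" is the component's response on the return channel.  A bit sequence B
# can be learned the same way, one bit per token (e.g. tree.learn("0110")).


class MessageTree:
    """Ordered, directed tree over observed token sequences.

    A node is identified by the path (prefix) leading to it; every edge carries a
    count from which the probability W of the next token after that prefix follows.
    """

    def __init__(self) -> None:
        self.edges: Dict[Tuple, Dict[Hashable, int]] = defaultdict(lambda: defaultdict(int))

    def learn(self, sequence: Iterable[Hashable]) -> None:
        """Add one observed command/response cycle to the tree."""
        prefix: Tuple = ()
        for tok in sequence:
            self.edges[prefix][tok] += 1
            prefix += (tok,)

    def probability(self, prefix: Tuple, tok: Hashable) -> float:
        """Probability W on the edge prefix -> tok (0.0 if that edge was never observed)."""
        children = self.edges.get(prefix)
        if not children:
            return 0.0
        return children.get(tok, 0) / sum(children.values())

    def verify(self, sequence: Iterable[Hashable], w_min: float = 0.05) -> Tuple[str, int, float]:
        """Walk the tree along `sequence` and return (verdict, index, W).

        "ok"         - every transition has W >= w_min (W is the smallest seen),
        "minor"      - a response did not fit the expectation (may be environmental),
        "high-level" - a command did not fit the previous response: unexpected new command.
        """
        prefix: Tuple = ()
        w_seen = 1.0
        for i, tok in enumerate(sequence):
            w = self.probability(prefix, tok)
            if w < w_min:
                kind = "minor" if str(tok).startswith("R:") else "high-level"
                return kind, i, w
            w_seen = min(w_seen, w)
            prefix += (tok,)
        return "ok", len(prefix), w_seen


# Constructed training data: nine identical program cycles plus one cycle in which
# the component answered "busy" and the control unit legitimately repeated the command.
NORMAL_CYCLE = ["C:start", "R:done", "C:measure", "R:value", "C:stop", "R:done"]
RETRY_CYCLE = ["C:start", "R:busy", "C:start", "R:done",
               "C:measure", "R:value", "C:stop", "R:done"]


def build_tree() -> MessageTree:
    tree = MessageTree()
    for _ in range(9):
        tree.learn(NORMAL_CYCLE)
    tree.learn(RETRY_CYCLE)
    return tree


if __name__ == "__main__":
    tree = build_tree()
    print("W(C:start -> R:done) =", tree.probability(("C:start",), "R:done"))  # 0.9
    print(tree.verify(NORMAL_CYCLE))                       # ('ok', 6, 0.9)
    print(tree.verify(["C:start", "R:error"]))             # ('minor', 1, 0.0)
    print(tree.verify(["C:start", "R:done", "C:stop"]))    # ('high-level', 2, 0.0)
```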

    [0076] FIG. 7 shows a schematic view of the learning of a neural network according to an exemplary embodiment of the disclosure. Neural networks can be used in more complex systems where a large number of unknown dependencies are present. A labelled data set of sufficient size is required for the learning process, and the neural network must be trained on a powerful computing unit. Sufficient size means that enough data sets with corresponding labels are available to establish appropriate relationships and to learn decision criteria or to cover alternatives. The computing unit can be designed as a stand-alone PC, as a combination of a plurality of PCs in hardware and/or virtualized. The neural network can be applied to one or a plurality of components. The data set for learning the neural network N is the command and response sequence in the communication channel. The upper levels of the network could represent the individual components and their functions or relate them to each other. This would have the advantage that it might not be necessary to store the whole neural network N on a component 30-i, but only the part that is relevant for it. Alternatively, the neural network N can be distributed completely or in parts to all components 30-i, which execute parts of it; this means that components 30-i without the corresponding resources can also be monitored by the network. In FIG. 7, two different bit sequences B are shown. The different bit sequences B can be identified, for example, with labels L1 and L2. In FIG. 7 the reference sign N designates the neural network, which was created, for example, from the bit sequences B and the corresponding labels L1 and L2. In one version, the neural network N can be completely distributed for use on one or all components 30-i of the automation system 50. In another version, only one specific subnet N1 of the neural network N is relevant for a component 30-i, and only the subnet N1 is applied to this component 30-i. For another component 30-i or further components 30-i, for example, the subnet N2 is relevant, so it can be planned to apply only this subnet N2 to the corresponding components 30-i.

    [0077] In conclusion, it should be noted that the description of the disclosure and the examples of execution are basically not to be understood as restricting with regard to a certain physical realization of the disclosure. All features explained and shown in connection with individual embodiments of the disclosure may be provided in different combinations in the subject matter of the disclosure in order to realize its advantageous effects at the same time.

    [0078] The scope of protection of the present disclosure is given by the claims and is not limited by the features explained in the description or shown to the figures.

    LIST OF REFERENCE NUMERALS

    [0079] 1 Method
    [0080] 10 Intrusion detection unit
    [0081] 11 Receiving unit
    [0082] 12 Analysis interface
    [0083] 13 Analysis unit
    [0084] 14 Verification interface
    [0085] 15 Verification unit
    [0086] 16 Output unit
    [0087] 17 Input unit
    [0088] 20 Communication network
    [0089] 30-1, 30-2, 30-3 Component
    [0090] 30-i Plurality of components / component
    [0091] 40 Control unit
    [0092] 50 Automation system
    [0093] 60 Further system
    [0094] B Bit sequence
    [0095] N Neural network
    [0096] N1, N2 Subnets of the neural network
    [0097] S1 to S4 Method steps
    [0098] W Probability