Method for monitoring a network for anomalies

Abstract

A method monitors a data transmission network having a plurality of devices connected to one another over fixedly prescribed signal transmission paths, for anomalies. One of the devices is a master device that has a counter and a trigger apparatus, by which a prescribed signal feature of a signal is acquired, and upon the acquisition, a master counter state corresponding thereto is read. The method provides for an evaluation apparatus to determine, under predetermined conditions, a setpoint value of at least one network-specific parameter defined by a physical property of the network, before an actual value of the network-specific parameter is determined from a difference between the master counter state and a further counter state, and an anomaly is indicated if a predetermined deviation criterion between the actual value and the setpoint value is met.

Claims

1. A method for monitoring a network for anomalies, the network provided for data transmission and having a plurality of devices connected to one another overfixedly prescribed signal transmission paths, which comprises the steps of: assigning one of the devices to be a master device having a counter and a trigger apparatus, and by said master device a prescribed signal feature of a signal transmitted via the network is acquired; reading, upon acquisition of the prescribed signal feature, a master counter state of the counter of the master device, corresponding to a time of the acquisition; determining via an evaluation apparatus, under predetermined anomaly-free conditions, a setpoint value of at least one network-specific parameter defined by a physical property of the network, wherein a frequency difference between a frequency of a clock generator of an actual source device, from which the signal was transmitted, and a clock generator of the master device, coupled to the counter of the master device, forms the network-specific parameter; determining a respective actual value of the at least one network-specific parameter by the evaluation apparatus from a difference between a read master counter state and a further counter state; indicating an anomaly if a predetermined deviation criterion between the respective actual value and the setpoint value is met; additionally acquiring a second prescribed signal feature of the signal by the trigger apparatus of the master device; reading a second master counter state, corresponding to a time of an acquisition of the second prescribed signal feature, wherein the actual value of the frequency difference is determined on a basis of a difference between the master counter state and the second master counter state and taking into account a prescribed data transmission rate and/or network clock frequency used in the network and/or a communication protocol used in the network and/or a type of modulation used in the network; calculating a relative frequency deviation as
f.sub.rel=C.sub.X/C.sub.XMM, wherein C.sub.X indicates a number of cycles awaited by the actual source device between the transmission of the first and second prescribed signal features; and C.sub.XMM indicates the difference between the master counter state and the second master counter state.

2. The method according to claim 1, wherein: a propagation time pattern of the signal in the network constitutes the at least one network-specific parameter and it is provided, for determining an actual value; one of the devices of the network is a client device that has a counter and a trigger apparatus; the signal is transmitted via the network both to the master device and to the client device; and the prescribed signal feature to be acquired by the trigger apparatus of the client device and a client counter state, corresponding to a time of an acquisition, of the counter of the client device to be read, wherein an actual value of the propagation time pattern is determined on a basis of the client counter state, which serves as the further counter state.

3. The method according to claim 2, which further comprises: transmitting a reference signal from the client device to the master device in which a read reference client counter state corresponding to a sending time of a prescribed signal feature of the reference signal is transmitted to the master device; acquiring the prescribed signal feature of the reference signal by the trigger apparatus of the master device and reading a reference master counter state, corresponding to a time of an acquisition of the prescribed signal feature of the reference signal; and using the reference client counter state and the reference master counter state to determine the actual value of a propagation time pattern.

4. The method according to claim 3, which further comprises calculating the actual value of the propagation time pattern PAT of the signal by:
PAT=[C.sub.XMC.sub.XC][C.sub.RMC.sub.RC]=[C.sub.XMC.sub.RM][C.sub.XCC.sub.RC], wherein: C.sub.XM indicates the master counter state corresponding to the prescribed signal feature; C.sub.XC indicates the client counter state corresponding t the prescribed signal feature; C.sub.RM indicates the reference master counter state; and C.sub.RC indicates the reference client counter state.

5. The method according to claim 2, which further comprises: additionally determining the actual value of the propagation time pattern by a client-side part of the evaluation apparatus that is configured so as to perform own calculations; and indicating the anomaly if the deviation criterion between a respective determined actual value and the setpoint value is recognized as being met by the evaluation apparatus and/or by the client-side part of the evaluation apparatus.

6. The method according to claim 1, which further comprises recognizing the anomaly in the network if the actual source device simulates being another purported source device of the network; and wherein in a check as to whether the deviation criterion is met, the evaluation apparatus takes into account a temperature, acquired by way of a respective temperature sensor, of the master device and of the another purported source device.

7. The method according to claim 1, which further comprises determining the master counter state corresponding to the prescribed signal feature, in order to improve a resolution, by way of an interpolating measurement method.

8. The method according to claim 1, wherein the master device has a selection logic unit, by way of which the signal feature is selected and/or prescribed automatically.

9. The method according to claim 1, which further comprises determining the master counter state corresponding to the prescribed signal feature, in order to improve a resolution, by way of an interpolating measurement method performed by a time-to-digital converter.

10. The method according to claim 1, wherein the master device has a selection logic unit, by way of which the signal feature is selected and/or prescribed automatically, depending on a line code used in the network and/or a type of modulation used in the network.

Description

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

(1) An exemplary embodiment of the invention is described below. To this end, in the figures:

(2) FIG. 1 shows a schematic illustration of a network having a master device, a client device and two further devices;

(3) FIG. 2 shows a schematic illustration of another network having a master device and three further devices;

(4) FIG. 3 shows a schematic flowchart of an embodiment of the method according to the invention.

DESCRIPTION OF THE INVENTION

(5) The exemplary embodiment explained below is a preferred embodiment of the invention. In the exemplary embodiment, the described components of the embodiment each constitute individual features of the invention which should be considered independently of one another and which in each case also develop the invention independently of one another and should therefore also be regarded as a constituent part the invention individually or in a different combination to that shown. Furthermore, the embodiment described may also be supplemented by further features of the invention from among those that have already been described.

(6) In the figures, functionally identical elements are provided with the same reference signs in each case.

(7) FIG. 1 shows a schematic illustration of a first network 10 that consists of a bus 11, a master device 12, a client device 13, a first device 14 and a second device 15. The bus 11 serves as signal transmission path, via which signals, data, information and/or messages are able to be exchanged between the devices 12 to 15. The bus 11 may be for example a conventional electrical line or connection suitable for data transmission. The devices 12 to 15 are connected to the bus 11 via corresponding connections and/or connection lines. A signal 16 is also schematically illustrated and is formed in this case for example from a sequence of falling and rising edges, which are connected to one another by constant sections each having one of two different constant signal or voltage levels. In the present case, a rising edge is specifically characterized as a first signal feature SM1. This first signal feature SM1 and the use or significance thereof is described in more detail further below.

(8) The first network 10 may be for example part of a motor vehicle, the devices 12 to 15 then possibly being for example controllers and the bus 11 possibly being a CAN bus. However, this is just one example or case of application, and the first network 10 could also have another structure or architecture and a multiplicity of further devices, and, rather than a CAN bus, FlexRay, Ethernet or a MOST bus or the like could also be used, for example.

(9) In the present case, all of the devices 12 to 15 of the first network 10 are equipped with an interface 17, via which a signal or data exchange is performed over the bus 11. The master device 12 and the client device 13 additionally each have a selection logic unit 18, which is wired such that it receives signals arriving at the respective device 12 or 13. The selection logic unit 18 is configured so as to recognize at least one signal feature SM1, preferably several, for example including different, signal features SM1, SM2 (cf. FIG. 2). The selection logic unit 18 also comprises a trigger apparatus, by way of which, upon such recognition of a particular signal feature SM1, a further action may be executed or prompted. The selection logic unit 18 is furthermore configured so as to automatically select a particular signal feature SM1, which may be performed for example using or based on a line code used in the first network 10, a type of modulation used in the first network 10 or the like. In the present case, the selection logic unit 18 is configured so as to recognize the first signal feature SM1 and/or to respond to the first signal feature SM1. It may also be provided here for the signal feature SM1 to which the selection logic unit 18 should respond to already be prescribed. It may be provided for a signal feature SM1 to be selected automatically by the selection logic unit 18, for example upon a change of the line code that is used, of the type of modulation that is used or the like.

(10) The master device 12 in the present case has a master clock generator 19, which runs or is operated at a regular and constant local master frequency f.sub.CLM or prescribes this master frequency f.sub.CLM, which may be independent of a network clock frequency used on the bus 11. A master counter 20, which is likewise part of the master device 12, is connected to the master clock generator 19. A master counter state be read from the master counter 20 and stored, buffer-stored or filed in a master register 21 of the master device 12. In this case, the individual components or constituents of the master device 12 are wired such that this reading and storage of the master counter state by the selection logic unit 18, in particular by the trigger apparatus comprised thereby, is prompted or is able to be prompted when for example the first signal feature SM1 is acquired or recognized by the selection logic unit 18 at or on or in a signal 16 reaching the master device 12 via the bus 11. The master device 12 may also comprise further components, constituents and/or circuits, not shown here, including in particular an evaluation apparatus that may also have access to the master register 21 and possibly further registers or memories. Counter states read from a counter and stored in a register may also be referred to as captured values.

(11) The client device 13 comprises a client clock generator 22, which is operated at a local client frequency f.sub.CLC or prescribes this client frequency f.sub.CLC, which may be independent both of the network clock frequency used on the bus 11 and of the master frequency F.sub.CLM. In the same way as the structure of the master device, the client device 13 furthermore has a client counter 23 connected to the client clock generator 22, from or out of which a client counter state is able to be read and stored, buffer-stored or filed in a client register 24.

(12) Therefore, both the master device 12 and the client device 13 thus have particular and specific equipment features. The first device 14 and the second device 15 by contrast need to have only a basic or fundamental configuration of components and capabilities, as may be found in any normal network-capable device.

(13) The arrangement schematically illustrated in FIG. 1 makes it possible to monitor the first network 10 for anomalies, for which purpose, in the present case, a network-specific parameter is used, which may in this case in particular be a propagation time pattern of the signal 16 on the bus 11 in the first network 10. The method for detecting anomalies is described in more detail below with reference to FIG. 3, referring back to the components and arrangements described here in connection with FIG. 1.

(14) FIG. 2 shows a schematic illustration of a second network 25, which likewise comprises a bus 11, to which in this case however an alternatively designed master device 12b and, instead of the client device 13, a third device 29 are connected. The devices 14 and 15 likewise provided here may correspond to those from FIG. 1. The third device 29 may also be designed in this way, and thus likewise does not have to have any particular features or apparatuses that go beyond a basic or fundamental configuration. Further devices, not illustrated here, may additionally also be incorporated into the second network 25.

(15) The master device 12b essentially comprises the same components as the master device 12, in this case, however, in addition to the master counter 20, a second master counter 27 being connected to the master clock generator 19. In addition, the counter state of the master counter 20 is in this case read into a second master register 26 and a second master counter state of the second master counter 27 is read into or stored in a third master register 28. Reading of the respective counter states of the master counter 20 and of the second master counter 27 may likewise be prompted here by the selection logic unit 18 of the master device 12b. The signal 16 is additionally also schematically illustrated here, a second signal feature SM2 however being identified in addition to the first signal feature SM1. It is provided here, when the signal 16 is sent to the master device 12b via the bus 11 and received by said master device, when the first signal feature SM1 is acquired by the selection logic unit 18, for the master counter state of the master counter 20 to be read into the second master register 26. In the same way, when the second signal feature SM2 is acquired by the selection logic unit 18, the second master counter state of the second master counter 27 is read into the third master register 28, that is to say read from the second master counter 27 and stored in the third master register 28.

(16) By way of this arrangement and wiring described in connection with FIG. 2, is likewise possible to monitor the second network 25 for anomalies. In this case, only the master device 12b is equipped with features or apparatuses that go beyond a basic configuration. Against this background, it is provided here, in an arrangement according to FIG. 2, for the anomaly monitoring or anomaly detection to be performed on the basis of an evaluation of a frequency pattern. This procedure as well will be explained in more detail further below with reference to FIG. 3.

(17) It is however already pointed out at this juncture that the use, illustrated here, of two master counters 20, 27 in the master device 12b constitutes just one variant embodiment. As an alternative, it is also possible likewise for example to connect the third master register 28 to the master counter 20, such that the counter state of the master counter 20 that is then present at this time is used as second master counter state, which is read into this third master register 28 upon detection of the second signal feature SM2. The requirement in this case is however that the master counter 20 is free-running and the reading and storage of the respective master counter states does not have or exert any influence, in particular any time delay, on the master counter 20 or the respective master counter state.

(18) FIG. 3 shows a schematic flowchart 30 on the basis of which a method for detecting anomalies in the first network 10 is intended to be described below. In this case, both of the methods described in connection with FIG. 1 and FIG. 2 or with the first network 10 and the second network 25 are combined. That is to say, both a propagation time pattern and a frequency pattern are evaluated in order to achieve improved overall accuracy, reliability and safety in the anomaly detection and in the anomaly monitoring.

(19) At a start S1 of the method, it is assumed that the first network 10 is designed and configured completely on a hardware plane. The clock generators 19, 22 are in particular also already active and the counters 20, 23 may already be running or operating.

(20) In a method step S2, respective setpoint values of the network-specific parameters used further on are initially determined under predetermined or controlled conditions, that is to say for example under supervision, immediately after the construction or the configuration of the first network 10. To this end, the signal 16 may be sent for example from all of the other devices 13, 14, 15 to the master device 12 and additionally from the first device 14 and the second device 15 to the client device 13. Furthermore, a further signal may additionally also be sent from the client device 13 to the master device 12. In this operating phase, further signals may also be sent and/or the signal 16 may be sent multiple times, such that a sufficient database for determining the setpoint values is available. To determine the setpoint values, the method described below may be fully or partly run through, values determined in the process being able to be considered and used as setpoint values.

(21) At this time, it is assumed that no anomaly is present, such that the signals transmitted thereby under known, monitored conditions and their properties and for example respectively associated counter states may be assumed to be and used as anomaly-free setpoint or normal values and stored in the evaluation apparatus as comparison values in a method step S3.

(22) As soon as respective setpoint values of the network-specific parameters for all of the devices 12 to 15 of the first network 10 and/or all of the device pairs are determined and stored, the network-specific parameters or their setpoint values are thus trained or, in other words, the evaluation apparatus is trained with the parameters or setpoint values. A setpoint state of the first network 10 without anomalies is thus therefore known.

(23) After this training phase has ended, regular operation or normal operation of the first network 10 is then assumed in a method step S4. In this normal operation, no further additional external monitoring measures and no supervision is necessary, since any anomalies that occur are able to be recognized automatically by the further method steps.

(24) For the present example, it is assumed that, in a method step S5, the first device 14 transmits the signal 16 via the bus to all of the devices connected to the bus 11, and therefore in particular both to the master device 12 and to the client device 13. In this case, a message X is transmitted using the signal 16, the terms signal and message also being used interchangeably below.

(25) In method steps S6 and S6b, the first signal feature SM1 of the signal 16 is selected and prescribed by the selection logic units 18 of the client device 13 and of the master device 12. The second signal feature SM2 is additionally selected and prescribed by the master device 12. The signal features SM1, SM2 may also however have already taken place or have been provided at an earlier time, in particular prior to the transmission of the signal 16.

(26) In a following method step S7, prompted by the trigger apparatus of the client device 13, upon the acquisition or recognition of the first signal feature SM1or its arrival at the client device 13the client counter state C.sub.XC corresponding to this arrival, that is to say to an arrival time of the first signal feature SM1 of the message X, of the client counter 23 is read and stored in the client register 24. In parallel, as soon as the signal 16, more precisely the first signal feature SM1, has reached the master device 12, in a method step S7bprompted by the trigger apparatus of the master device 12the first master counter state C.sub.XM of the master counter 20 is read and stored in the first master register 21. This first master counter state C.sub.XM thus corresponds to an arrival time of the first signal feature SM1 at the master device 12. The first master counter state C.sub.XM may also be stored in parallel or subsequently in the second master register 26 as C.sub.XM1. As an alternative, it may also be ensured that the value C.sub.XM is also available at a later time in the first master register 21 for the frequency pattern evaluation described further below.

(27) At this point, the method follows two paths S7c and S7d in parallel, which will be described one after another below. The path S7c in this case corresponds to the use or evaluation of a propagation time pattern, whereas the journey S7d corresponds to the assessment or evaluation of a frequency pattern.

(28) Following the path S7c, in a subsequent step S8, after the signal 16 has run completely through the bus 11, the client device S13 transmits the client counter state C.sub.XC in a separate signal or a separate message to the master device 12 via the bus 11. The received client counter state C.sub.XC of the evaluation apparatus is forwarded or made available by or in the master device 12.

(29) In a method step S9, the client device 13 sends a reference message R or a corresponding reference signal to the master device 12 via the bus 11. The reference message R contains a reference client counter state C.sub.RC, which corresponds to a signal feature of the reference message R, as information. In other words, the reference client counter state C.sub.RC may for example have been read in a fixed, prescribed or known time interval at a time at which the signal feature of the reference message R was generated and/or transmitted by the client device 13.

(30) In a method step S10, the reference message R is received by the master device 12 and the signal feature of the reference message R is recognized or acquired. Furthermore, prompted by the trigger apparatus of the master device 12, the reference master counter state C.sub.RM corresponding to this recognition or acquisition of the signal feature of the reference message R is read from the master counter 20. The client reference counter state C.sub.RC transmitted with the reference message R to the master device 12 and the master reference counter state C.sub.RM are likewise transmitted by or made available to the evaluation apparatus.

(31) A propagation time of the signal 16 from the first device 14 to the master device 12 and to the client device 13 and a propagation time of the reference message R from the client device 13 to the master device 12 is given by physical boundary conditions, in particular a line length and a propagation constant for electromagnetic waves on electrical linesspecifically on the busand in connection with the specific spatial arrangement of the devices 12 to 15 and of the bus 11 thus characteristic for a particular network, here for the first network 10. The propagation constant may be for example 5 ns per meter. A pure propagation time or signal propagation time of the signal 16 on the bus 11 with a line length of 5 m is thus approximately 25 ns. Delay times or latencies may also additionally result due to respective reception electronics. These delay times may lie within the same order of magnitude and likewise be 25 ns, for example. It thus follows that different propagation times arise for the signal 16 depending on whether it was sent by the first device 14 as prescribed and expected or whether it was actually sent by another device, for example by a second device 15 or an external device. A propagation time difference
T.sub.X=T.sub.QMT.sub.QC(1)
is thus always the same or constant for each message X or each other signal that was actually transmitted by one and the same signal source Q, for example here by the first device 14. T.sub.QM in this case indicates the propagation time from the signal source Q to the master device 12 and T.sub.QC indicates the propagation time from the signal source Q to the client device 13. The propagation time difference T.sub.X may be determined for each individual message and for each individual signal that is sent in the first network 10.

(32) The propagation time difference T.sub.X is specific to the devices due to the fixed spatial positions and relationships in the first network 10. It may thus serve as a type of authentication of the respective signal source Q and, in a security-critical situationfor example upon an attack or a manipulation of the first network 10an external device would for example send a message Y that purportedly originates from the first device 14. When using a CAN bus 11, the external device could for example use a CAN identifier that is assigned, as intended, solely to the first device 14. In a conventional network, this improper use of the CAN identifier might not be recognized. Such a situation may also arise if a device, here for example the second device 15, had been manipulated. In principle, this security-critical abnormal situation is able to be recognized in the present case in that the propagation time difference T.sub.Y of the falsified or manipulated message Y sent by the external device is given by:
T.sub.Y=T.sub.YMT.sub.YC(2)

(33) Due to the different spatial positions and therefore the different propagation times for messages or signals transmitted by the first device 14 and by the external device, a deviation of the actual propagation time difference T.sub.Y from an expected propagation time difference is able to recognized and fudged or recognized as an anomaly in the first network 10.

(34) In principle, the respective propagation time differences T.sub.X, T.sub.Y have to be measured or determined in this case with sufficiently good resolution. In the example described here, this resolution must be roughly a few nanoseconds.

(35) Using the selection logic units 18, a particular signal edge of the signal 16 or of the message X or of the message Y, for example a first edge following a starting edge, may be established or determined as first signal feature SM1, for example. The counter states C.sub.XM and C.sub.XC, acquired in method steps S7, S7b, of the counters 20, 23 operated or supplied at the frequency f.sub.CLM, respectively f.sub.CLC, may then for example be acquired or captured when this set edge, that is thus to say the first signal feature SM1, arrives or is present at an output of the respective selection logic unit 18. The respective arrival time of the first signal feature SM1 at the master device 12 is thus determined in relation to the local clock of the master clock generator 19 and the time of arrival of the first signal feature SM1 at the client device 13 is determined in relation to the local clock of the client clock generator 23.

(36) These respective arrival times of the first signal feature SM1 at the master device 12 or at the client device 13 may be referred to as t.sub.XM, respectively as t.sub.XC, and be expressed by integer multiples of the respective counter states C.sub.X, respectively C.sub.XC:
t.sub.XM=C.sub.XM/f.sub.CLM and t.sub.XC=(C.sub.XC/f.sub.CLC)+t.sub.off(3)

(37) In this case, a time reference t=0 for a master counter state of zero may be set. The client device 13 then however has to proceed from an initially unknown time offset t.sub.off. From a combination of the propagation time difference T.sub.X for the message X and the arrival times t.sub.XM and t.sub.XC, it is possible to obtain the relationship
T.sub.X=t.sub.XMt.sub.XC=(C.sub.XM/f.sub.CLM)(C.sub.XC/f.sub.CLC)t.sub.off(4)

(38) The local clock frequency f.sub.CLC of the client clock generator 22 may be expressed by a relative frequency deviation f.sub.rel from the local clock frequency f.sub.CLM of the master clock generator 19:
f.sub.CLC=f.sub.CLM(1+f.sub.rel)f.sub.CLC

(39) In practice, the relative frequency deviation f.sub.rel may be small, and may be for example f.sub.rel10.sup.5 when using quartz oscillators or oscillating quartz crystals. The time difference (4) to the time offset t.sub.off is therefore able to be determined from the master counter state C.sub.X and the client counter state C.sub.XC.

(40) From the client reference counter state C.sub.RC transmitted with the reference message R, a time difference
T.sub.R=t.sub.RMt.sub.RC=(C.sub.RM/f.sub.CLC)(C.sub.RC/f.sub.CLC)t.sub.off(5)
may be determined as reference. This time difference (5) likewise contains the time offset t.sub.off, but with a known propagation time difference that depends on the physical distance between the client device 13 and the master device 12. This distance is known for the first network 10.

(41) Using the data that are now known, a propagation time pattern Pat (X) for the message X is able to be calculated in a following method step S11. In the present case, a difference between the relationship (4) and the time difference (5) is formed for this purpose, as a result of which the unknown time offset t.sub.off is able to be eliminated from the calculation. This thus gives the propagation time pattern
Pat(X)=f.sub.CLC.Math.(T.sub.XT.sub.R)=(C.sub.XMX.sub.XC(C.sub.RMC.sub.RC)=(C.sub.XMC.sub.RM)(C.sub.XCC.sub.RC)(6)

(42) The propagation time pattern Pat (X) thus calculated for the message X may then be compared, in a method step S12, with the expected setpoint value or setpoint propagation time pattern determined in method step S2. In this case, a threshold value for a deviation between the propagation time pattern Pat(X) of the message X and the propagation time pattern stored as setpoint value may be prescribed. An anomaly in the first network 10 is recognized in this case when this deviation reaches or exceeds the prescribed threshold value.

(43) The threshold value may be obtained or determined for example by determining a plausible value for the propagation time pattern Pat (X) using manufacturer hardware specifications of the devices used for the first network 10 and increasing this plausible value by 10%. Since the deviation is able to take place both upwardly and downwardly, it is provided in the present case for a magnitude of the difference between the propagation time pattern Pat (X) and the corresponding setpoint value to be formed, and for this magnitude to be compared with the threshold value.

(44) If no anomaly is detected, this means that the magnitude of the deviation is smaller than the threshold value, and normal operation 31 of the first network 10 is thus assumed or continued in a method step S13. This normal operation 31 is distinguished through the continued intended functioning and execution of functions in the first network 10 and all of the connected or participating devices 12 to 15.

(45) If however an anomaly is detected as the magnitude of the deviation is greater than the threshold value, then there is transition to anomaly operation 32 in a method step S14. The presence of an anomaly may be indicated for example in the anomaly operation 32. This may be performed for example acoustically, optically and/or electronically or electrically, for example by outputting a corresponding alarm signal from the evaluation apparatus that detected the anomaly. It is also possible to provide, when the anomaly is detected, for the signal or data transmission in the first network 10 to be fully or partly interrupted.

(46) To achieve a sufficient resolution when determining the respective propagation time patterns, a minimum propagation time or a minimum distance between two devices 12 to 15 in the first network 10 should lead to a propagation time pattern that is reliably able to be distinguished using the respective components and circuits that are used, in particular using the evaluation device that is respectively used. By way of example, a minimum distance between two devices 12 to 15 of 50 cm may be provided in the local first network 10, which corresponds to a propagation time or signal propagation time of around 2.5 ns and, at a used local clock frequency f.sub.CLM, respectively f.sub.CLC, of the master clock generator 19, respectively of the client clock generator 22, of 400 MHz, precisely a distance of 50 cm is thus able to be resolved.

(47) To improve this resolution, the local clock frequencies f.sub.CLM, f.sub.CLC of the clock generators 19, 22 may be increased.

(48) One alternative, which is generally connected with less expenditure, may consist in using an interpolating measurement method. To this end, a linear integrator may in each case be provided for example in the client device 13 and in the master device 12, the integration result of which linear integrator is converted using an analog-to-digital converter that is also provided there. In general, a known time-to-digital conversion method may be resorted to here. Using such a procedure, the achievable resolution may lie for example at up to a factor of 1000 below a period duration of the local clock frequencies f.sub.CLM and f.sub.CLC. At a local clock frequency f.sub.CLM, f.sub.CLC of the clock generators 19, 22, it is thus possible to achieve a resolution of 0.2 ns, which corresponds to a resolvable distance for two devices 12 to 15 of 4 cm.

(49) At this point, it is now intended to introduce the second method branch, carried out in parallel and following method step S7d. After the first master counter state C.sub.X corresponding to the first signal feature SM1 has already been acquired in method step S7b and also been stored in the form of the master counter state C.sub.XM1, when the second signal feature SM2 of the signal 16 arrives at the master device 12, in a method step S9b, a master counter state C.sub.XM2 corresponding to this arrival of the second signal feature SM2 is then acquired and stored for example in the third master register 28.

(50) A time interval between the two signal features SM1 and SM2 or between their respective arrivals or between the arrival times of the signal features SM1 and SM2 at the master device 12 may be determined in relation to the local master clock frequency F.sub.CLM. The arrival time t.sub.XM of the first signal feature SM1 at the master device 12 is also referred to below as t.sub.XM1. t.sub.XM1 and the time t.sub.XM2 of the arrival of the second signal feature SM2 are therefore given as:
t.sub.XM1=C.sub.XM1/f.sub.CLM and t.sub.XM2=C.sub.XM2/f.sub.CLM(8)

(51) The time interval between the signal features SM1 and SM2, that is to say the time difference
T.sub.XMM=t.sub.XM1t.sub.XM2=(C.sub.XM2/f.sub.CLM)(C.sub.XM1/f.sub.CLM)=C.sub.XMM/f.sub.CLM(9)
is a fixed variable for the message X, and the absolute time interval between the signal features SM1 and SM2 is thus independent of the local clock frequency f.sub.CLM or of a corresponding local clock frequency of the sending device, that is to say here of the first device 14, that transmitted the message X. C.sub.XMM denotes a difference between the counter states C.sub.XM2 and C.sub.XM1 and corresponds to a number of counter cycles that the master counter 20 has acquired or counted between the arrival of the first signal feature SM1 and the arrival of the second signal feature SM2.

(52) A number C.sub.X of cycles is calculated or determined in the master device 12 and/or by the evaluation apparatus in a subsequent method step S10b, these having been used by the first device 14 to send the message X. This number C.sub.X may be determined on the basis of the type of modulation used in the first network 10 or on the bus 11, a corresponding protocol, a bus system that is used and/or a similar variable that is fixedly prescribed and known in the first network 10. By way of example, the bus 11 may be operated as a CAN bus with a nominal or specified data rate of 500 000 bit/s, such that a cycle is intended to be 2 s long. The number C.sub.X may be determined from the difference between the two times t.sub.XM1 and t.sub.XM2 or from the master counter states corresponding to these times t.sub.XM1 and t.sub.XM2, the nominal cycle length, for example 2 s here, also being able to be taken into account. This procedure is however explicitly not restricted to the CAN bus, but may be used in the same way on other bus systems.

(53) C.sub.X may for example be an integer and thus indicate the number of entire or complete cycles that are awaited or used by the signal source, that is to say the device sending the message X, between the two signal features SM1 and SM2. It may also be possible, in a correspondingly variable or flexible network and/or transmission protocol, to determine C.sub.X by taking into account a cycle length actually used by the source device instead of the nominal or specified cycle length. This may be determined in relation to the master clock frequency f.sub.CLM. This actually used cycle length may be determined in the master device 12, for example by corresponding monitoring and evaluation of the arriving signal 16. In this case, for example, another known variable, such as for instance a data rate relating to the cycle, that is to say an amount of data per cycle, may also be taken into account, this possibly being independent of the actual cycle length.

(54) For the time difference T.sub.XQ in relation to the actual signal source Q of the message X, the following results:
T.sub.XQ=t.sub.XQ2t.sub.XQ1=C.sub.X/f.sub.CLQ=T.sub.XMM=C.sub.XMM/f.sub.CLM(10)

(55) In this, f.sub.CLQ is the local clock frequency of the actual signal source Q of the message X.

(56) A ratio of the number C.sub.X of cycles used between the signal features SM1 and SM2 by the signal source Qthat is to say here purportedly of the first device 14to the number C.sub.XMM of cycles of the master clock generator 19 counted by the master device 12 between the signal features SM1 and SM2 therefore depends on a relative clock frequency deviation f.sub.QMrel between the master device 12 and the signal source Q:
C.sub.X/C.sub.XMM=f.sub.CLQ/f.sub.CLM=f.sub.CLM.Math.(1+f.sub.QMrel)/f.sub.CLM=1+f.sub.QMrel(10)

(57) This relative clock frequency deviation
f.sub.QMrel=(C.sub.X/C.sub.XMM)1(11)
constitutes a characteristic variable for a particular configuration, that is to say for a particular combination between specific devices, and is therefore able to serve or to be used to identify the signal source of the message X to the master device 12.

(58) The relative clock frequency deviation f.sub.QMrel is calculated as a frequency pattern FPat(X) for the message X in a method step S11b. Since clock frequencies prescribed by clock generators may generally be temperature-dependent, that is to say may change as a temperature of the respective clock generator changes, respective temperature data T are taken into account in the calculation of the frequency pattern FPat(X). In the present case, the temperatures of the master clock generator 19 and a temperature of the first device 14 from which the message X purportedly originates would thus in this case be incorporated into the calculation and/or be taken into account in a further evaluation.

(59) This further evaluation includes a threshold value comparison, performed in a method step S12b, of a magnitude of a difference between the frequency pattern FPat(X) and the corresponding setpoint value determined in method step S2 for the signal source of the message X. Since here for example the message X, according to CAN identifier, originates from the first device 14, the setpoint frequency pattern would thus be used for a message sent from the first device 14 to the master device 12. This threshold value comparison may be performed in the same way as for method step S12. By way of example, a frequency deviation, specified in a corresponding data sheet, of an oscillating quartz crystal of the respective clock generator may be +/40 Hz, and in this case the threshold value would thus be set at a frequency deviation of 44 Hz, corresponding to the plausible frequency deviation plus 10%.

(60) In this case too, the local clock frequency f.sub.CLM must of course be high enough in order also to be able to measure relatively small frequency deviations, for example within the order of magnitude 10.sup.5 over a relatively short time of for example T.sub.XX10.sup.4 s. The alternative advantageously arises here of using an interpolating time-to-digital conversion method in order thus to keep the necessary magnitude or size of the clock frequency f.sub.CLM as low as possible and to be able to achieve this with as little expenditure as possible.

(61) If no anomaly is detected in the threshold value comparison in method step S12b, since the difference or deviation of the frequency pattern FPat (X) determined for the message X from the corresponding threshold value is smaller than the threshold value, then in this case too there is transition into normal operation 31 or normal operation 31 is continued in a method step S13b.

(62) If by contrast an anomaly is recognized in method step S12b, then in this case too there is a change to anomaly operation 32 in a method step S14b.

(63) In normal operation 31, monitoring of the first network 10 using the method described here may be performed continuously, that is to say for each message sent in the first network 10. It is also possible to perform the described anomaly checks only for particular messages or signals, which may be for example selected or defined randomly or according to a predetermined criterion.

(64) Overall, the example shows how propagation time and frequency difference monitoring in a network in order to detect anomalies is able to be provided by the invention.

LIST OF REFERENCE SIGNS

(65) 10 first network 11 bus 12, 12b master device 13 client device 14 first device 15 second device 16 signal 17 interface 18 selection logic unit 19 master clock generator 20 master counter 21 master register 22 client clock generator 23 client, counter 24 client register 25 second network 26 second master register 27 second master counter 28 third master register 29 third device 30 flowchart 31 normal operation 32 anomaly operation S1 start S2 to S14 method steps S6b to S14b method steps S7c, S7d paths SM1 first signal feature SM2 second signal feature T temperature data