Method and device for processing data of a technical system

Abstract

A method, in particular a computer-implemented method, for processing data of a technical system. The method includes the following steps: ascertaining first pieces of information which are associated with a data traffic of the system, and ascertaining metadata associated with the data traffic of the system based on the first pieces of information.

Claims

1. A computer-implemented method for processing data of a technical system, comprising the following steps: monitoring a data traffic of the technical system, thereby ascertaining first pieces of information; ascertaining, as metadata and based on the first pieces of information, at least one of an average frequency at which data transfers of the data traffic occur and an average duration of data transfer sessions of the data traffic; and influencing an operation of the technical system based on the ascertained metadata.

2. The method as recited in claim 1, wherein the ascertaining is of the average frequency at which the data transfers of the data traffic occur.

3. The method as recited in claim 2, wherein the data transfers of the data traffic are from the technical system to a receiver.

4. The method as recited in claim 1, wherein the ascertaining of the metadata includes recording and/or determining the metadata.

5. The method as recited in claim 1, furthermore comprising: ascertaining estimated metadata based on the data transfers of the technical system.

6. The method as recited in claim 5, wherein the ascertaining of the estimated metadata includes using at least one model, which is configured to ascertain the estimated metadata based on the data transfers of the technical system.

7. The method as recited in claim 5, further comprising: comparing the estimated metadata to the metadata.

8. The method as recited in claim 7, wherein the influencing of the operation of the technical system is performed based on a result of the comparison.

9. The method as recited in claim 7, wherein the influencing includes initiating an error reaction.

10. The method as recited in claim 1, further comprising at least one of the following steps: a) evaluating data of the technical system based on the ascertained metadata, b) recognizing attempted attacks or detecting an intrusion based on the ascertained metadata, c) carrying out a cloud-based intrusion detection method for the technical system based on the ascertained metadata, the technical system including at least one sensor or at least one sensor unit.

11. The method as recited in claim 1, wherein the ascertaining is of the average duration of the data transfer sessions.

12. The method as recited in claim 11, wherein the data transfer sessions are transport layer security sessions.

13. A device configured to process data of a technical system, the device comprising a processor, wherein the processor is configured to: monitor a data traffic of the technical system, thereby ascertaining first pieces of information; ascertain, as metadata and based on the first pieces of information, at least one of an average frequency at which data transfers of the data traffic occur and an average duration of data transfer sessions of the data traffic; and influence an operation of the technical system based on the ascertained metadata.

14. The device as recited in claim 13, further comprising a memory unit accessible by the processor, wherein the memory unit includes a volatile memory in which the first pieces of information are temporarily stored and a non-volatile memory in which is stored a computer program that the processor is configured to execute to carry out the monitoring, ascertainment, and the influencing.

15. A non-transitory computer-readable storage medium on which are stored commands for processing data of a technical system, the commands being executable by a computer and, when executed by the computer, causing the computer to perform the following steps: monitoring a data traffic of the technical system, thereby ascertaining first pieces of information; ascertaining, as metadata and based on the first pieces of information, at least one of an average frequency at which data transfers of the data traffic occur and an average duration of data transfer sessions of the data traffic; and influencing an operation of the technical system based on the ascertained metadata.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 schematically shows a simplified flowchart of a method according to exemplary specific embodiments of the present invention.

(2) FIG. 2 schematically shows a simplified flowchart according to further exemplary specific embodiments of the present invention.

(3) FIG. 3 schematically shows a simplified flowchart according to further exemplary specific embodiments of the present invention.

(4) FIG. 4 schematically shows a simplified flowchart according to further exemplary specific embodiments of the present invention.

(5) FIG. 5 schematically shows a simplified block diagram of a device according to further exemplary specific embodiments of the present invention.

(6) FIG. 6 schematically shows aspects of uses according to further exemplary specific embodiments of the present invention.

(7) FIG. 7 schematically shows a simplified block diagram of a device according to further exemplary specific embodiments of the present invention.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

(8) FIG. 1 schematically shows a simplified flowchart of a method, in particular a computer-implemented method, for processing data of a technical system 200, for example a sensor system 200, as is shown by way of example in FIG. 5. Sensor system 200 includes, for example, at least one sensor unit 202, which sends, for example, sensor data, in the present case wirelessly by way of example, to a sensor data receiver 204, cf. the wireless data communication link 206. In further exemplary specific embodiments, sensor data receiver 204 sends the received sensor data, in the present case, for example, using a TCP/IP-based data transfer a1, to another unit, in the present case, for example, a gateway GW.

(9) The method, cf. FIG. 1, includes the following steps: ascertaining 100 first pieces of information Il, which are associated with a data traffic a1 (FIG. 5) of system 200, ascertaining 102 (FIG. 1) metadata MD associated with data traffic a1 of system 200 based on first pieces of information Il. Metadata MD enable, in further exemplary specific embodiments, monitoring of the communication behavior of system 200, for example also for unusual patterns, which is symbolized, for example, by optional block 104.

(10) In further exemplary specific embodiments, data traffic a1 (FIG. 5) of system 200 includes data transfers from system 200 to another unit GW, R1, and/or data transfers from one or the other unit GW, R1 (or at least one further unit) to system 200.

(11) In further exemplary specific embodiments, the other unit is a gateway GW, which is designed, for example, to pass on data a1 received from sensor system 200 to a further unit R1, for example, a public network (for example the Internet) or a (virtual) private network or an edge computing system or a cloud system.

(12) In further exemplary specific embodiments, data traffic a1, a2 may include wired and/or wireless data transfers. In further exemplary specific embodiments, data traffic a1, a2 may use, for example, TCP/IP as the protocol(s).

(13) In further exemplary specific embodiments, the ascertainment 102 (FIG. 1) of metadata MD includes at least one of the following elements, cf. FIG. 2: a) ascertaining 102a an average frequency dF, at which the data transfers of data traffic a1, a2 are transferred, for example data transfers a1 from system 200 to a receiver GW, for example gateway GW, b) ascertaining 102b an average duration dD of a data transfer session, for example a transport layer security (TLS) session (for example between system 200 and a communication partner (not shown), which has a data link to network R1), c) ascertaining 102c an amount of data DM which has been transferred in a time period, which is predefinable, for example, from system 200 and/or to system 200, the time period being, for example, one hour or one day.

(14) In further exemplary specific embodiments, ascertaining 102 (FIG. 1) the metadata includes, cf. FIG. 2: recording 102d and/or determining 102e metadata MD. For example, in further exemplary specific embodiments, metadata MD may form a part of first pieces of information Il, the ascertainment 102 of metadata MD having as the subject separating metadata MD, for example, from useful data (for example “payload”) of first pieces of information Il. For example, in further exemplary specific embodiments, metadata MD may be derivable from the first pieces of information.

(15) In further exemplary specific embodiments, cf. FIG. 3, the method furthermore includes: ascertaining 110 estimated metadata MD′ based on data transfers a1, a2 of system 200.

(16) In further exemplary specific embodiments, ascertaining 110 of estimated metadata MD′ includes: using at least one model (for example implemented in block 330 from FIG. 5), which is designed to ascertain estimated metadata MD′ based on the data transfers of the system. In contrast to the ascertainment 102 (FIG. 1) of metadata MD, for example, in the form of the recording or determining from first pieces of information Il, estimated metadata MD′ are accordingly obtained in further exemplary specific embodiments using at least one model based on data transfers a1, a2 of the system.

(17) In further exemplary specific embodiments, the method furthermore includes: comparing 120 estimated metadata MD′ to metadata MD. In further exemplary specific embodiments, for example, in the event of a deviation of metadata MD from estimated metadata MD′ exceeding a predefinable amount, an unusual behavior of system 200 with respect to its data traffic may be inferred, for example an attack or a manipulation. The inference of the manipulation may take place, for example, in optional step 122.

(18) In further exemplary specific embodiments, metadata MD may be transferred, for example, to a unit 320 (FIG. 5), which carries out the comparison of the estimated metadata to the metadata.

(19) In further exemplary specific embodiments, for example, a first functionality 310 (FIG. 5) may be provided, which may be referred to in further exemplary specific embodiments, for example, as a “monitor” and which is associated with, for example, one or the gateway GW (FIG. 5) or is implemented by gateway GW, to which system 200 is connected for data communication, cf. arrow a1. In further exemplary specific embodiments, the first functionality may detect or collect metadata MD.

(20) In further exemplary specific embodiments, for example, a second functionality 320, 330 may be provided, which is associated, for example, with an edge server or cloud server or a network R1 in general or is implemented thereby, with which system 200 may establish a data connection a2, for example via gateway GW. In further exemplary specific embodiments, second functionality 320, 330 or a part 330 thereof may ascertain estimated metadata MD′ and/or compare estimated metadata MD′ to the metadata detected or collected, for example, by the first functionality (block 320). In further exemplary specific embodiments, for example, the first functionality may send the metadata collected by it to the second functionality.

(21) In further exemplary specific embodiments, block 330 may also be understood as a digital twin of system 200, because it ascertains, for example, estimated metadata MD′.

(22) In further exemplary specific embodiments, block 320 may also be understood, for example, as a (part of an) intrusion detection system.

(23) Arrow a3 symbolizes a data connection between gateway GW and monitor functionality 310 according to further exemplary specific embodiments. Arrow a4 symbolizes a data connection between monitor functionality 310 and block 320 according to further exemplary specific embodiments. Arrow a5 symbolizes a data connection between block 320 and block 330 according to further exemplary specific embodiments.

(24) In further exemplary specific embodiments, a database DB may be provided, for example, in network R1, which at least partially records, for example, a data traffic a1, a2 of sensor system 200.

(25) In further exemplary specific embodiments, cf. FIG. 4, the method furthermore includes: a) Influencing 122a an operation of system 200 based on comparison 120 (FIG. 3), and/or b) initiating 122b (FIG. 4) an error reaction based on the comparison.

(26) Further exemplary specific embodiments, cf. FIG. 7, relate to a device 300 for carrying out the method according to the specific embodiments.

(27) In further exemplary specific embodiments, device 300 includes: A processing unit 302 including at least one processor core 302a, a memory unit 304 associated with processing unit 302 for at least temporarily storing at least one of the following elements: a) data DAT (for example data traffic of system 200 and/or metadata MD or estimated metadata MD′), b) computer program PRG, for example for carrying out the method according to the specific embodiments or at least one or some steps of the method according to the specific embodiments.

(28) In further exemplary specific embodiments, processing unit 302 includes at least one of the following elements: a microprocessor, a microcontroller, a digital signal processor (DSP), a programmable logic component (for example, FPGA (field programmable gate array)), an ASIC (application-specific integrated circuit), a graphic processor (GPU), a tensor processor, or a hardware circuit. Combinations thereof are also possible in further exemplary specific embodiments, as is a distributed arrangement of at least some components, for example on various elements of network R1 (FIG. 5).

(29) Memory unit 304 may include, for example, a volatile memory (304a (for example RAM (random-access memory)) and/or 304b a nonvolatile memory (for example flash EEPROM).

(30) Further exemplary specific embodiments relate to a computer-readable memory medium SM (for example magnetic and/or optical and/or semiconductor memory), including commands PRG′, which, when executed by a computer 302, prompt it to carry out the method according to the specific embodiments.

(31) Further exemplary specific embodiments relate to a computer program PRG, including commands which, when program PRG is executed by a computer 302, prompt it to carry out the method according to the specific embodiments.

(32) Further exemplary specific embodiments relate to a data carrier signal DCS, which characterizes and/or transmits computer program PRG according to the specific embodiments. For example, device 300 may include an optional data interface DCS for transmitting, for example, data carrier signal DCS and/or for transmitting other pieces of information I1, MD, MD′.

(33) In further exemplary specific embodiments, for example, at least one of blocks 310, 320, 330 from FIG. 5 may have the configuration specified by way of example in FIG. 7 or at least a similar configuration.

(34) Further exemplary specific embodiments, cf. FIG. 6, relate to a use 400 of the method according to the specific embodiments and/or the device according to the specific embodiments and/or the computer program according to the specific embodiments and/or the data carrier signal according to the specific embodiments for at least one of the following elements: a) evaluating 402 data of the technical system, b) recognizing 404 attempted attacks, for example carrying out a method for recognizing attacks, for example an intrusion detection method, c) carrying out 406 a cloud-based intrusion detection method, for example for a system 200 including at least one sensor or at least one sensor unit 202.

(35) Further exemplary specific embodiments relate to a cloud server or an edge computing server including at least one device 300 or at least one part 310, 320, 330 of the functionality of the device according to the specific embodiments. In this way, particularly efficient monitoring of one or multiple technical systems 200, for example, for attacks by third parties, is enabled, whereby, for example, an IDS may be provided, in particular, for example, for a plurality of systems, for example sensor systems or IoT systems.

(36) Further exemplary specific embodiments relate to a gateway GW or another element for network coupling to at least one device or at least a part of the functionality of the device according to the specific embodiments.

(37) The features according to exemplary specific embodiments may—also outside of edge and/or cloud computing systems—advantageously be used for efficiently providing a system for recognizing attacks (intrusion detection system (IDS)), for example for providing an IDS for IoT systems and/or industry 4.0 systems.