FRAME INVALIDATION IN BUS SYSTEM VIA RECEIVE LINE
20230013980 · 2023-01-19
CPC classification
H04L12/12
ELECTRICITY
Abstract
A computer-implemented method for intercepting an intrusion into a bus system. The method includes detecting, by way of an intrusion detection system, a frame sent by a further node of the bus system on a bus of the bus system as an intrusion into the bus system; and sending data on a receive line of a node device in order to manipulate a signal, which corresponds to the frame arriving over the bus, on the receive line, the receive line being arranged between a transceiver and a controller of the node device. A node device and a bus system for intercepting an intrusion into the bus system are also described.
Claims
1-14. (canceled)
15. A computer-implemented method for intercepting an intrusion into a bus system, comprising the following steps: detecting, using an intrusion detection system, a frame sent by a further node of the bus system on a bus of the bus system as an intrusion into the bus system; and sending data on a receive line of a node device to manipulate a signal, which corresponds to the frame arriving over the bus on the receive line, the receive line being arranged between a transceiver and a controller of the node device.
16. The method as recited in claim 15, wherein the signal is manipulated in such a way that each one of a number of recessive bits arriving over the bus is overwritten with a dominant bit and/or a level on the receive line is set to a specific level over a period of time.
17. The method as recited in claim 16, wherein a sequence of directly successive dominant bits is generated, which is received by the controller of the node device.
18. The method as recited in claim 17, wherein, in accordance with a bus system protocol, the sequence of directly successive dominant bits triggers the controller of the node device of the bus system to send an error frame on the bus, causing transmission of the frame detected as an intrusion to be invalidated, and suppressed, and the intrusion into the bus system is thus intercepted.
19. The method as recited in claim 17, wherein the sequence of directly successive dominant bits in the controller of the node device leads to a negative result of a cyclic redundancy check and, in accordance with the bus system protocol, the controller is thus triggered to send the error frame on the bus.
20. The method as recited in claim 15, wherein the intrusion detection system is configured to detect an intrusion into the bus system.
21. The method as recited in claim 15, wherein the intrusion detection system is configured to detect an intrusion into the bus system where the further node of the bus system sends a frame with an identifier that is assigned to a third node of the bus system on the bus, the third node of the bus system being arranged outside the node device.
22. The method as recited in claim 15, wherein the frame detected as an intrusion is invalidated before an end-of-frame field of the frame.
23. The method as recited in claim 15, wherein the sending of the data on the receive line originates from a processor of the node device, the processor being connected to the transceiver via a controller bypass line, the receive line and the controller bypass line having a common line segment.
24. The method as recited in claim 23, wherein the processor of the node device includes the intrusion detection system.
25. A node device for a bus system, comprising: a transceiver configured to be connected to a bus of the bus system; a controller, connected to the transceiver via a transmit line and via a receive line, the controller and the transceiver being configured to transmit data from the controller to the transceiver over the transmit line and from the transceiver to the controller over the receive line; a processor; wherein the node device is configured to intercept an intrusion into a bus system, the node device being configured to: detect, using an intrusion detection system, a frame sent by a further node of the bus system on a bus of the bus system as an intrusion into the bus system; and send data on a receive line of a node device to manipulate a signal, which corresponds to the frame arriving over the bus on the receive line, the receive line being arranged between a transceiver and a controller of the node device.
26. The node device as recited in claim 25, wherein the node device includes the intrusion detection system.
27. The node device as recited in claim 26, wherein the processor of the node device is configured to perform the detecting and sending.
28. A bus system, comprising: a bus; at least one node device each including: a transceiver connected to the bus of the bus system; a controller, connected to the transceiver via a transmit line and via a receive line, the controller and the transceiver being configured to transmit data from the controller to the transceiver over the transmit line and from the transceiver to the controller over the receive line; a processor; wherein the node device is configured to intercept an intrusion into a bus system, the node device being configured to: detect, using an intrusion detection system, a frame sent by a further node of the bus system on a bus of the bus system as an intrusion into the bus system, and send data on a receive line of a node device to manipulate a signal, which corresponds to the frame arriving over the bus on the receive line, the receive line being arranged between a transceiver and a controller of the node device; and at least one further node of the bus system, each further node of the bus system including a further transceiver, a further controller, and a further processor.
29. The bus system as recited in claim 28, further comprising at least one third node of the bus system.
30. The method as recited in claim 15, wherein the bus system is a Controller Area Network (CAN) or a Local Interconnect Network (LIN) or a FLEXRAY network.
31. The node device as recited in claim 25, wherein the bus system is a Controller Area Network (CAN) or a Local Interconnect Network (LIN) or a FLEXRAY network.
32. The bus system as recited in claim 28, wherein the bus system is a Controller Area Network (CAN) or a Local Interconnect Network (LIN) or a FLEXRAY network.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
[0024] The computer-implemented method 300, the node device 100, and the bus system 200 are aimed at detecting and intercepting an intrusion into the bus system 200. The bus systems of the present invention may be used in many mechatronic technical systems and in various fields (for example, in the systems or applications listed in the Background Information section, e.g., in a vehicle). A secure interaction between nodes of such a bus system is often critical for the (intended, specified) functionality of the technical system. For example, even in a non-autonomously driving vehicle, more than one hundred control units (e.g., engine control unit, transmission control unit, anti-lock braking system/electronic stability control, airbag, body control unit, driver assistance systems, car alarm systems, etc.) may be networked via a bus system. If a control unit that had been infiltrated, for example via a multimedia interface, were able to send false signals (e.g., deliberately overly short distances to another road user in front) over the bus system to the other control units, an unintended and possibly damaging system response could be triggered (e.g., initiation of an emergency braking maneuver by an adaptive cruise control system). The growing digitization and also automation and networking of technical systems may lead to increasingly large bus systems (i.e., with more nodes). An intrusion detection system (IDS), as presented in the related art, may detect an intrusion into the bus system and may be used in the systems of the present disclosure.
[0025] According to an example embodiment of the present invention, a computer-implemented method 300 is provided for intercepting an intrusion into a bus system 200, said method comprising detecting 310, by way of an intrusion detection system (IDS) (e.g., one or more of the intrusion detection systems described in the Background Information section), a frame (message) sent by a further node 140 of bus system 200 on a bus 210 of bus system 200 as an intrusion into bus system 200. A tap into bus system 200 (even without a dedicated node device for the bus system), in particular into bus 210, may be regarded as a further node 140. Method 300 further comprises sending 320 data on a receive line 122 of a node device 100 to manipulate a signal, which corresponds to the frame arriving over bus 210, on receive line 122 (in order to intercept the intrusion, i.e., the external manipulation), receive line 122 being arranged between a transceiver 110 (transmitter-receiver) and a controller 120 (control unit) of node device 100.
[0026] In general, a manipulation may include feeding in a specific data sequence and/or a specific level (e.g., a specific level for a specific period of time) on receive line 122.
[0027] The signal that corresponds to the frame arriving over bus 210 may comprise a frame, i.e., a bit sequence, for example, wherein according to the bus system protocol, further bits not belonging to the frame may be inserted into the bit sequence, for example. In the case of a bit sequence, a manipulation of the signal may include changing (toggling) at least one bit of the bit sequence. A signal may be transformed into a bit sequence. The signal may be manipulated in such a way that each one of a number of recessive bits arriving over bus 210 is overwritten with a dominant bit. The incoming recessive bits may arrive in chronological order, but they do not have to arrive in direct chronological order because dominant bits may arrive between the recessive bits.
[0028] In addition or alternatively, the manipulation of the signal may involve setting receive line 122 to a dominant level over a period of time (the dominant level over this period of time corresponding for example to a sequence of one or more dominant bits). In this case, both the recessive and the dominant bits may then each be overwritten with a dominant bit. There is no need to check here whether incoming bits are dominant or recessive.
[0029] In this case, a sequence of directly successive dominant bits may be generated, which is received by controller 120 of node device 100. Method 300 is illustrated schematically in
[0030] In accordance with a bus system protocol (e.g., CAN protocol), the sequence of directly successive dominant bits may trigger 330 controller 120 of node device 100 of bus system 200 to send an error frame on bus 210, causing the transmission of the frame detected as an intrusion to be invalidated, and in particular suppressed, and the intrusion into bus system 200 is thus intercepted. In other words, in contrast to conventional methods in the related art, the sending of the error frame does not have to be actively controlled, since it follows automatically from the bus system protocol. In a CAN protocol, for example, a level change must take place after five bits of the same value (e.g., stuffing rule). Otherwise, an error frame has to be output. For example, the sequence of directly successive dominant bits may be generated via controller bypass line 124, independently of the controller and the bus system protocol, and hence quickly. In this way, an intruder frame may be quickly intercepted/invalidated, in particular before the end-of-frame field of the intruder frame (and after arbitration, for example). Otherwise, i.e., if the bus system protocol were not bypassed, an error frame could be sent on the bus at the earliest with the end-of-frame field, and thus only after almost complete transmission (an end-of-frame field is usually towards the end of the frame) of the intruder frame, in order to notify the other nodes. The earlier an intruder frame may be detected and suppressed, the sooner, bearing in mind the (not insignificant) signal runtimes on bus 210, the other nodes of bus system 200 may be notified and protected from harm.
[0031] The sequence of directly successive dominant bits may lead to a negative result of a cyclic redundancy check (CRC) in controller 120 of node device 100. Consequently, controller 120 may be triggered 330 to send the error frame on bus 210 in accordance with the bus system protocol.
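The controller behaviour that paragraphs [0030] and [0031] rely on can be reproduced with a bit-level model of a classical CAN base-format frame; this is an added example, not code from the application. The identifier 0x123, the payload, wire bit 20 (inside the data field of this constructed frame) and all function names are assumptions, and the model covers only SOF through CRC, not the error frame, ACK or end-of-frame fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DOM = 0, REC = 1 };                     /* CAN bus levels */
enum { RX_OK, RX_STUFF_ERROR, RX_CRC_ERROR };  /* outcome inside the controller */
struct outcome { int status; size_t err_bit, wire_len; };

/* CRC-15 of classical CAN (generator 0x4599), computed over unstuffed bits. */
static uint16_t crc15(const uint8_t *b, size_t n) {
    uint16_t crc = 0;
    for (size_t i = 0; i < n; i++)
        crc = (uint16_t)(((crc << 1) & 0x7FFF) ^ ((((crc >> 14) ^ b[i]) & 1) ? 0x4599 : 0));
    return crc;
}

/* Sender: SOF..CRC (dlc <= 8) with a complementary stuff bit after five equal bits. */
size_t build_frame(uint16_t id, uint8_t dlc, const uint8_t *data, uint8_t *wire) {
    uint8_t raw[98]; size_t n = 0, w = 0; int run = 0, last = -1;
    raw[n++] = DOM;                                              /* SOF */
    for (int i = 10; i >= 0; i--) raw[n++] = (id >> i) & 1;      /* identifier */
    raw[n++] = DOM; raw[n++] = DOM; raw[n++] = DOM;              /* RTR, IDE, r0 */
    for (int i = 3; i >= 0; i--) raw[n++] = (dlc >> i) & 1;      /* DLC */
    for (int k = 0; k < dlc; k++)
        for (int i = 7; i >= 0; i--) raw[n++] = (data[k] >> i) & 1;
    uint16_t crc = crc15(raw, n);
    for (int i = 14; i >= 0; i--) raw[n++] = (crc >> i) & 1;
    for (size_t i = 0; i < n; i++) {
        wire[w++] = raw[i];
        run = (raw[i] == last) ? run + 1 : 1; last = raw[i];
        if (run == 5) { last = !last; wire[w++] = (uint8_t)last; run = 1; }
    }
    return w;
}

/* Controller (model): enforce the stuff rule on sampled levels, de-stuff, check CRC. */
int receive(const uint8_t *rx, size_t n, size_t *err_bit) {
    uint8_t raw[98]; size_t r = 0, need = 19 + 15; int run = 0, last = -1;
    for (size_t i = 0; i < n && r < need; i++) {
        if (run == 5) {                 /* a stuff bit is due at this position */
            if (rx[i] == last) { *err_bit = i; return RX_STUFF_ERROR; }
            last = rx[i]; run = 1; continue;
        }
        run = (rx[i] == last) ? run + 1 : 1; last = rx[i];
        raw[r++] = rx[i];
        if (r == 19)   /* DLC complete: data length known (DLC 8..15 means 8 bytes) */
            need += 8 * (size_t)(raw[15] ? 8 : raw[16] << 2 | raw[17] << 1 | raw[18]);
    }
    if (r < need) return RX_CRC_ERROR;  /* ran out of bits: modelled as a failed check */
    uint16_t got = 0;
    for (size_t i = need - 15; i < need; i++) got = (uint16_t)(got << 1 | raw[i]);
    return crc15(raw, need - 15) == got ? RX_OK : RX_CRC_ERROR;
}

/* Hold the receive line dominant for len bit times from wire bit `from`. */
struct outcome intercept(size_t from, size_t len) {
    static const uint8_t data[2] = { 0xA5, 0x5A };      /* constructed payload */
    uint8_t rx[128];
    struct outcome o = { RX_OK, 0, build_frame(0x123, 2, data, rx) }; /* made-up ID */
    for (size_t i = from; i < o.wire_len && i - from < len; i++) rx[i] = DOM;
    o.status = receive(rx, o.wire_len, &o.err_bit);
    return o;
}

int main(void) {
    struct outcome a = intercept(20, 6), b = intercept(20, 1);
    printf("hold 6 bits: status %d at wire bit %zu of %zu; hold 1 bit: status %d\n",
           a.status, a.err_bit, a.wire_len, b.status);
    return 0;
}
```

Holding the line dominant for six bit times always yields a stuff error within that window, well before the end of the frame, while a single overwritten recessive bit that leaves the stuff rule intact is caught only by the CRC check.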
[0032] The intrusion detection system (IDS) may be designed to detect an intrusion into bus system 200. The intrusion detection system (IDS) may be designed to detect an intrusion into bus system 200 where a further node of bus system 200, in particular further node 140 of bus system 200, sends a frame with an identifier that is assigned to a third node 141 of bus system 200 on bus 210, the third node 141 of bus system 200 being arranged outside node device 100 (i.e., it does not correspond to the node of node device 100). The intrusion detection system (IDS) may (in addition) be designed to detect an intrusion into bus system 200 where a further node 140 of bus system 200 sends a frame with an identifier that is assigned to a third node 141 of bus system 200 on bus 210, the third node 141 of bus system 200 corresponding to the node of node device 100. In other words, the intrusion detection system (IDS) may also be designed to detect misuse of individual identifiers.
[0033] Method 300 may be designed in such a way that the frame detected as an intrusion may be invalidated before an end-of-frame field of the frame.
[0034] In method 300, the transmission 320 of the data on receive line 122 may originate from a processor 130 of node device 100, processor 130 being connected to transceiver 110 via a/the controller bypass line 124, receive line 122 and controller bypass line 124 having a common line segment. In other words, controller bypass line 124 (or part thereof) joins receive line 122.
[0035] Processor 130 of node device 100 may include the intrusion detection system (IDS).
[0036] Also provided according to an example embodiment of the present invention is a node device 100 for a bus system 200, comprising a/the transceiver 110, which is designed to be connected to a/the bus 210 of bus system 200. Node device 100 further comprises a/the controller 120, which is connected to the transceiver via a/the transmit line 121 and via a/the receive line 122, the controller and the transceiver being designed to transmit data from the controller to the transceiver over transmit line 121 and from the transceiver to the controller over receive line 122. Node device 100 further comprises a processor 130, which may be coupled to the controller. Node device 100 further comprises, optionally, an/the intrusion detection system (IDS). Node device 100 is designed to execute method 300 for intercepting an intrusion into bus system 200. Processor 130 of node device 100 may be designed to execute method 300 for intercepting an intrusion into bus system 200.
[0037] Processor 130 may be connected, as shown in
[0038] The advantage of at least one controller bypass line (e.g., 123, 124, other controller bypass line) may be considered to be that in the event of a detected intrusion, data (e.g., a signal corresponding to a frame arriving over bus 210 and/or a signal corresponding to a frame to be sent on bus 210) between transceiver 110 and controller 120 (i.e., on transmit line 121 and/or receive line 122) may be changed by processor 130 or by the other processor at any time. With method 300, an intruder message (frame) may be intercepted quickly in this way, and in particular before the end-of-frame field of the intruder message (and following arbitration, for example), because it is possible in particular also to bypass the bus system protocol by way of the at least one controller bypass line (e.g., 123, 124, other controller bypass line). In this way, possible intentional damage and/or manipulation by way of the intruder message may be intercepted before it is able to occur.
[0039] Processor 130 may comprise all or part of the controller, i.e., the controller may be a logical sub-unit of processor 130. The part of processor 130 that is outside the logical sub-unit may then be connected to transceiver 110 via a controller bypass line 123, 124. Processor 130 may further comprise all or part of the intrusion detection system (IDS). For example, the intrusion detection system (IDS) may be implemented on processor 130, it also being possible for one or more parts (e.g., a repeater) of the intrusion detection system (IDS) to be arranged outside processor 130 (e.g., in bus 210).
[0040] Bus system 200 may be, for example, a Controller Area Network, i.e., a CAN (system) (now in various versions), and/or a CAN-inspired development. In this case, bus 210 may be referred to as a CAN bus, transceiver 110 as a CAN transceiver, and controller 120 as a CAN controller. The bus system protocol may in this case be a CAN protocol, e.g., in accordance with ISO 11898-1 or ISO/DIS 11898-1 (e.g., CAN, CAN FD, CAN FEFF, CAN FBFF protocols, etc.). As in the CAN system, for example, the data may correspond to serial bits. Alternatively, bus system 200 may be a Local Interconnect Network (LIN), for example. Alternatively, bus system 200 may be a FLEXRAY network, for example. Processor 130 may be a computer, a central processing unit (CPU) or a microprocessor, for example. In particular, a node may be a control unit (or a part thereof) in a technical system (e.g., in a vehicle).
[0041] In one specific embodiment (specific embodiment Tx), transmit line 121 and (the) at least one controller bypass line 123 may have a common line segment. In other words, processor 130 may be connected in this case to transmit line 121, circumventing controller 120. An example of such a specific embodiment is shown in
[0042] In a further specific embodiment (specific embodiment Rx), receive line 122 and (the) at least one controller bypass line 124 may have a common line segment. In other words, processor 130 may be connected in this case to receive line 122, circumventing controller 120. An example of such a specific embodiment is shown in
[0043] Also disclosed is a bus system 200, comprising a bus 210 and at least one node device 100, which is connected to bus 210 via transceiver 110 of the at least one node device 100. Bus system 200 further comprises at least one further node 140 of bus system 200, it being possible for each further node of bus system 200 to comprise a further transceiver, a further controller and a further processor. Optionally, bus system 200 may further comprise at least one further node as a third node 141 of bus system 200.
[0044] An example of a specific embodiment for bus system 200 is shown in
[0045] In both cases, such an intrusion may be intercepted by the at least one node device 100 and method 300.
[0046] In a specific embodiment Tx of the at least one node device 100, which has already been described, a sequence of directly successive dominant bits (or another manipulation) may (additionally) be sent by transceiver 110 of the at least one node device 100 on bus 210 of bus system 200. Transceiver 110 is not in fact designed/intended to stop the transmission on bus 210. Thus, moreover, at least one controller of a node of bus system 200 may be triggered to send an error frame on the bus. The at least one controller of the node of bus system 200 that is triggered to send an error frame on the bus may be a further controller of further node 140 from which the frame detected as an intrusion (i.e., the intruder frame) is sent, the further controller of further node 140 terminating the transmission of the frame, in accordance with the bus system protocol, before it sends the error frame (likewise in accordance with the bus system protocol) on bus 210 of bus system 200. The error frame may consist, for example, of dominant and/or recessive bits and be dependent on the state of the internal error counter.
[0047] Alternatively or in addition, the at least one controller of the node of bus system 200 that is triggered to send an error frame on the bus may be controller 120 of the at least one node device 100 (via transceiver 110 and receive line 122) or a further controller of a further node of bus system 200. In this case, the sequence of directly successive dominant bits in the at least one controller may lead to a negative result of the cyclic redundancy check (CRC) and, in accordance with the bus system protocol, the at least one controller may be triggered to send an/the error frame on bus 210.
[0048] Specific embodiment Rx (without specific embodiment Tx), in which the at least one controller bypass line 124 has a line segment in common with receive line 122 and no further controller bypass line 123 has a line segment in common with transmit line 121, may be regarded as being especially secure insofar as it is not possible to write directly on bus 210 of bus system 200 (only via controller 120). Thus, in contrast to specific embodiment Tx, a manipulation with, for example, a constantly high level via the bypass would not be possible. Consequently, it is not possible for bus 210 to be blocked or shut down via the at least one controller bypass line 124, for example.
[0049] The frame detected as an intrusion may (but does not have to) be invalidated before an end-of-frame field of the frame. For example, a frame detected as an intrusion may be invalidated after arbitration and after transmission of an identifier. In this way, damage and/or a manipulation may be prevented before it is able to occur.
[0050] In node device 100 and/or in bus system 200, method 300 may be implemented in processor 130 of the at least one node device 100, and an intrusion into bus system 200 may thus be intercepted by the at least one node device 100. In particular, it is sufficient for method 300 to be implemented and applied in (only) one node of bus system 200. Method 300 may be a computer program which may be/is stored (as a signal sequence, for example) on a storage medium.
[0051] Method 300 for intercepting an intrusion into bus system 200, as presented in this disclosure, node device 100 and bus system 200 may relate to a Controller Area Network (CAN), a Local Interconnect Network (LIN) or a FLEXRAY network, it being possible in particular for the Controller Area Network to comprise a CAN (system) in one of the various versions and/or a CAN-inspired development. Method 300 for intercepting an intrusion into bus system 200 may be generalized to multibus systems, a multibus system comprising at least two bus systems, and the bus systems being coupled to one another by way of at least one gateway. From the perspective of each bus system of this type, the at least one gateway may be regarded as a node (e.g., with a plurality of receive lines and transmit lines, optionally with a plurality of controller bypass lines). Method 300 may be implemented, for example, in each gateway of the multibus system.