1. Patent Search
  2. Details

METHOD FOR OPERATING A MONITORING DEVICE FOR A DATA NETWORK OF A MOTOR VEHICLE AND MONITORING DEVICE, CONTROL UNIT AND MOTOR VEHICLE

20190342115 · 2019-11-07

    Inventors

    Cpc classification

    International classification

    Abstract

    Method for operating a monitoring apparatus of a data network in a motor vehicle, and monitoring apparatus, control device and motor vehicle

    The invention relates to a method for operating a monitoring apparatus (23) of a data network (11) in a motor vehicle (10), wherein the monitoring apparatus (23) receives a data message (19) comprising at least one electrical signal (20, 21) from the data network (11) at a network connection (12). The invention provides for the monitoring apparatus (23) to determine at least one level value of a respective signal level of the at least one electrical signal (20, 21) in a predetermined message section of the message (19) and to generate a test value on the basis of the at least one level value and to determine, for the data message (19), an item of sender information indicating an alleged sender device of the data message (19) and to determine a reference value on the basis of the sender information, and to generate a warning signal (28) if a difference between the test value and the reference value is greater, in terms of absolute value, than a predetermined threshold value. The signal level of the electrical signal is attenuated or generally changed by the impedance which results for the line section connecting the sender device and the monitoring apparatus (23). Use is made of the fact that characteristic attenuations on the lines between the individual control devices (ECUs), which are largely fixed and therefore deterministic in static networks, apply in a network. The monitoring apparatus therefore provides a method and an apparatus in which amplitudes or amplitude differences of bus signals from a transmitting station ECU X (14, 15, 16) are captured in a network at a receiving station ECU M (13), are compared with an expected amplitude or amplitude difference and are used to detect an anomaly. This makes it difficult for a sender device to conceal an incorrect item of sender information.

    Claims

    1. A method for operating a monitoring apparatus of a data network in a motor vehicle, wherein the monitoring apparatus receives a data message comprising at least one electrical signal from the data network at a network connection, wherein the monitoring apparatus: determines at least one level value of a respective signal level of the at least one electrical signal in a predetermined message section of the data message, generates a test value based on the at least one level value, determines, for the data message, an item of sender information indicating an alleged sender device of the data message, determines a reference value based on the sender information, and generates a warning signal if a difference between the test value and the reference value is greater, in terms of absolute value, than a predetermined threshold value.

    2. The method as claimed in claim 1, wherein the data message comprises two electrical signals, the two electrical signals comprising a first signal and a second signal, the second signal being other than the first signal, of a differential transmission, and the monitoring apparatus calculates a first level difference value of a level difference between the first signal and the second signal, and the test value is determined based on the first level difference value.

    3. The method as claimed in claim 2, wherein the monitoring apparatus receives, via the data network, a second level difference value of a further level difference of the at least one electrical signal in the data message, as determined at another network connection, and determines the test value based on a quotient of the first and second level difference values.

    4. The method as claimed in claim 1, wherein the monitoring apparatus reads the sender information from the data message or determines the sender information it from a predefined configuration plan of the data network based on a message type of the data message.

    5. The method as claimed in claim 1, wherein the respective signal level is a voltage level or a current level.

    6. The method as claimed in claim 1, wherein the reference value is generated in a calibration phase by virtue of the monitoring apparatus receiving, via the data network, a reference message from a known sender device, the sender information of which is known, and calculating the test value for the reference message and storing the calculated test value as the reference value, or wherein the reference value is calculated based on an impedance value of a line segment of the data network, which line segment electrically connects the monitoring apparatus to the known sender device.

    7. The method as claimed in claim 1, wherein the monitoring apparatus determines a predetermined signal bit of the data message as the predetermined message section.

    8. The method as claimed in claim 1, wherein the monitoring apparatus generates the at least one level value by a sample-and-hold circuit and an analog/digital converter connected downstream of the sample-and-hold circuit.

    9. The method as claimed in claim 1, wherein the monitoring apparatus is operated as an additional circuit in a control device of the motor vehicle, wherein an application circuit of the control device receives the data message for providing a vehicle function via same network connection independently of the monitoring apparatus.

    10. A monitoring apparatus for a data network in a motor vehicle, wherein the monitoring apparatus has an electronic circuit which is configured to carry out a method as claimed in claim 1.

    11. A control device for a data network in a motor vehicle, wherein the control device has a network connection for connecting the control device to the data network, and an application circuit for providing a vehicle function and, independently thereof, a monitoring apparatus as claimed in claim 10 are connected to the network connection.

    12. A motor vehicle having a data network, to which a control device as claimed in claim 11 and at least one network subscriber configured to emit data messages are connected.

    Description

    [0025] An exemplary embodiment of the invention is described below. To this end, in the figures:

    [0026] FIG. 1 shows a schematic illustration of an embodiment of the motor vehicle according to the invention;

    [0027] FIG. 2 shows a schematic illustration of two control devices which communicate via a data network in the motor vehicle from FIG. 1;

    [0028] FIG. 3 shows a schematic illustration of an internal structure of one of the control devices which has a monitoring apparatus for the data network.

    [0029] The exemplary embodiment explained below is a preferred embodiment of the invention. In the exemplary embodiment, the described components of the embodiment each constitute individual features of the invention which should be considered independently of one another and which in each case also develop the invention independently of one another and should therefore also be regarded as a constituent part of the invention individually or in a different combination to that shown. Furthermore, the embodiment described may also be supplemented by further features of the invention from among those that have already been described.

    [0030] In the figures, functionally identical elements are provided with the same reference signs in each case.

    [0031] FIG. 1 shows a motor vehicle 10 which may be an automobile, in particular a passenger vehicle or a truck. The motor vehicle 10 may have a data network 11 which may be a CAN bus or a FlexRay bus, for example. A control device 13, 14, 15, 16 can be respectively connected to the data network 11 via a respective network connection 12. The control devices 13, 14, 15, 16 are distinguished from one another by a respective individual designation (ECU M, ECU 1, ECU 2, ECU C). The control device 13 (ECU M) may be, for example, a bus master for the data network 11. The control devices ECU 1, ECU 2 may each provide a sensor device and/or actuator control, for example. The control device 16 may be a further network subscriber (Cclient).

    [0032] FIG. 1 illustrates that a respective line segment 17 having a line length 1_1M can electrically connect the control device ECU 1 to the control device ECU M and a line segment 18 having a line length 1_1C can electrically connect the control device ECU 1 to the control device ECU C.

    [0033] In order to transmit a data message 19, the control device ECU 1, for example, can generate electrical signals in the respective line segment 17, 18, which signals can be received via the respective network connection 12 of the control devices ECU M and ECU C (and also ECU 2).

    [0034] In this case, FIG. 2 illustrates the influence of the line segment 17 when transmitting the data message 19 from the control device ECU 1 to the control device ECU M. Provision may be made for two electrical signals 20, 21 to be generated in a high line H and a low line L for the differential transmission of a data message 19, as is known in connection with the technology of the CAN bus and the FlexRay bus.

    [0035] FIG. 3 illustrates how, in addition to the actual application circuit 22, a monitoring apparatus 23 can be provided, for example, in the control device ECU M and can capture the electrical signals 20, 21 received via the network connection independently of the application circuit 22. For this purpose, the monitoring apparatus 23 may have selection logic 24, a sample-and-hold circuit 25, an analog/digital converter 26 and a processor device 27, for example a microcontroller. The processor device 27 may be a constituent part of the application circuit 22. The analog/digital converter 26 may already be a constituent part of a microcontroller which constitutes the processor device 27.

    [0036] If the control device ECU M receives a data message 19 which was not emitted by the respective control device 14, 15 intended to generate the specific data message 19 of the corresponding message type, the monitoring apparatus 23 identifies this data message 19 as falsified or incorrect and can then generate a warning signal 28 which can indicate this falsified data message 19.

    [0037] For this purpose, the monitoring apparatus 23 can carry out a method for detecting anomalies in a network. In this case, the source of a message 19 in the network 11 is verified by means of a characteristic pattern which is given only by physical boundary conditions such as the attenuation on a propagation medium, for instance on an electrical line, and can therefore be falsified only with great difficulty. The network may be the CAN bus, FlexRay, Ethernet, MOST, to illustrate the broad possible use of the approach.

    [0038] Amplitudes or amplitude differences of the bus signal are captured at suitable times and, after successful reception, are compared with the expected pattern of the authorized sender device. If these patterns correspond, the normal situation is present, that is to say the message therefore originates from the authorized sender device. In the other case, an anomaly can be determined; it was detected that a message was not transmitted by the authorized sender device as the source of the message 19. Attacks can be effectively detected with the aid of anomaly detection and can be averted in a further step. In the monitoring apparatus 23, the voltage (possibly also the current) on the bus line is immediately checked under signal, that is to say the message contents are not decoded in the anomaly detection described here, apart from the identifier which is used as the sender information in order to assign the characteristic pattern to a signal source.

    [0039] No periodicity of the messages to be examined is expected for the method. No cooperation whatsoever of the transmitting network subscriber is presupposed either, that is to say the transmitting sender device need not transmit any additional information, for instance time stamps. Furthermore, the method is used to strive to keep the additional outlay low, for instance by virtue of the fact that the vast majority of the electronic control devices do not require any modification whatsoever.

    [0040] Use is made of the fact that characteristic attenuations on the lines between the individual ECUs, which are largely fixed and therefore deterministic in static networks, apply in a network.

    [0041] If, as illustrated in FIG. 2, the ECU 1 transmits a message, this is carried out by means of differential line transmission, for example in the case of the CAN bus or in the case of FlexRay. One of the two symmetrical bus lines is modulated with a level U.sub.1H and the other line is modulated with an opposite level U.sub.1L. Only a single, ideally terminated line segment 17 is illustrated here by way of example.

    [0042] According to FIG. 2, the voltage U.sub.1H(t,l) or U.sub.1L(t,l) propagates on the line as an attenuated wave, and said voltages are received by ECU M as attenuated, smaller voltages U.sub.MH and U.sub.ML, thus resulting in the differences


    U1=U.sub.1HU.sub.1L (1)


    UM=U.sub.MHU.sub.ML (2)


    U.sub.M=U.sub.1.Math.10.sup.(0.1.Math..Math.1_1M) (3)

    [0043] The coefficient here expresses the attenuation of the line in dB/m, and l_1M=l.sub.1M expresses the line length between ECU 1 and ECU M in the case of low-reflection termination (low-reflection termination should always be ensured here).

    [0044] The amplitude difference at the receiving ECU is therefore initially determined by the transmitting ECU and then decreases exponentially over the line length l.sub.1M. Typical absolute values for are of the order of magnitude of 0.1 to 0.3 dB/m.

    [0045] It is now assumed that a control device ECU X emits, at any desired time, a message which is received by all ECUs connected to the data network, in particular by the ECU M. In this case, X may be 1 or 2, for example. For the data message 19 from the as yet unknown control device ECU X, the monitoring apparatus 23 determines a level difference of U.sub.M=U.sub.X.

    [0046] For particular identifiers of safety-critical messages, for instance the steering angle or the throttle valve position, ECU M can now compare the currently determined amplitude difference U.sub.X (actual) of the bus levels with an expected amplitude difference U.sub.X (expected) according to the method and can assess a deviation as an anomaly


    Apat(X)=U.sub.X (actual)U.sub.X (expected) (4)

    [0047] In an undesirable, that is to say safety-critical, situation, ECU Y would now transmit a message 28 which allegedly originates from ECU X (Y not equal to X). In the case of the CAN bus, this would be the case, for example, if ECU Y uses a CAN identifier which is normally assigned exclusively to ECU X. In a conventional network, this improper use of a CAN identifier might not be recognized. Such a situation arises, for instance, during hacking of an ECU Y from which falsified CAN messages are emitted


    if (|Apat(x)|>Limit).fwdarw.Anomaly (5)

    [0048] In order to determine a characteristic amplitude difference according to (2), a suitable time must be selected. This can be carried out with the aid of the selection logic for determining a suitable signal property, for example a particular bit of a message 19 after the starting edge.

    [0049] In a network having any desired number of ECUs, a master ECU M is preferably provided with the monitoring apparatus 23 which allows the amplitude difference UX of the bus signal from the unknown source ECU X to be captured by selection logic 24 at the time at which a previously stipulated bit arrives, here by means of the sample-and-hold 25 and the downstream AD converter 26. The other ECUs do not require such an apparatus.

    [0050] According to (3), the amplitude difference at a receiving ECU 1 is also dependent on the amplitude difference U.sub.1 available to the transmitting ECU 1. This voltage can vary greatly under the influence of series variation, ageing and the temperature. In contrast, the attenuation on the line is rather constant. An improvement is therefore obtained if amplitude or amplitude difference patterns are captured at two separate ECUs, for instance at ECU M and ECU U, and attenuation-dependent D(X) is therefore captured as a characteristic pattern of a transmitting ECU X by means of (6):


    U.sub.M (X)=U.sub.X.Math.10.sup.(0.1.Math..Math.l_MX)


    U.sub.C (X)=U.sub.X.Math.10.sup.(0.1.Math..Math.l_CX)


    D(X)=U.sub.M (X)/U.sub.C (X)=10.sup.(0.1.Math..Math.l_MX-l_CX)

    [0051] where l_MX 32 l.sub.MX is the length of the line segment between ECU M and ECU X and l_CX=l.sub.CX is the length of the line segment between ECU C and ECU X.

    [0052] For particular identifiers of safety-critical messages, for instance the steering angle or the throttle valve position, ECU M can compare the currently determined attenuation pattern D (X,actual) with the expected attenuation pattern D (X,expected), with knowledge of the amplitude difference determined in a second ECU C, according to the method for message X and can assess a deviation as an anomaly


    Dpat(X)=D(X, actual)D(X, expected) (7)

    [0053] In a safety-critical situation, ECU Y would now transmit a message Y which allegedly originates from ECU X. In the case of the CAN bus, this would be the case, for example, if ECU Y uses a CAN identifier which is normally assigned exclusively to ECU X. In a conventional network, this improper use of a CAN identifier might not be recognized. Such a situation arises, for instance, during hacking of an ECU Y from which falsified CAN messages are emitted


    if (|Dpat(X)|>Limit)->Anomaly (8)

    [0054] The monitoring apparatus therefore provides a method and an apparatus in which amplitudes or amplitude differences of bus signals from a transmitting station ECU X are captured in a network at a receiving ECU M, are compared with an expected amplitude or amplitude difference and are used to detect an anomaly. Network signals are preferably evaluated at a point in the network, referred to here as ECU M, with regard to the bus level (voltage or current) of a particular bit of the message. The bus level or signal level is preferably captured (sampled) in ECU M and is assigned to a network message X, for instance its identifier. The bus levels of a message X which are captured in ECU M are preferably calculated to form a level difference. The captured bus levels of a reference message R transmitted by a known station ECU C (or ECU M) are preferably calculated with the bus levels for the message X to form an attenuation or amplitude pattern or amplitude difference pattern. The determined level difference or attenuation pattern is preferably compared with an expected pattern, and a deviation is assessed as an anomaly by means of a threshold value decision. The bus level is preferably captured at the time at which a particular bit arrives in ECU M or ECU C and an analog filter having a peak-hold circuit (as a sample-and-hold circuit) is used for the purpose of interpolation, this interpolated value is likewise captured by an analog/digital converter and is assigned to a network message X.

    [0055] Overall, the example shows how amplitude monitoring in a network can be provided by the invention.

    LIST OF REFERENCE SIGNS

    [0056] 10 Motor vehicle

    [0057] 11 Data network

    [0058] 12 Network connection

    [0059] 13 Control device

    [0060] 14 Control device

    [0061] 15 Control device

    [0062] 16 Control device

    [0063] 17 Line segment

    [0064] 18 Line segment

    [0065] 19 Data message

    [0066] 20 Electrical signal

    [0067] 21 Electrical signal

    [0068] 22 Application circuit

    [0069] 23 Monitoring apparatus

    [0070] 24 Selection logic

    [0071] 25 Sample-and-hold circuit

    [0072] 26 Analog/digital converter

    [0073] 27 Processor device

    [0074] 28 Warning signal