Method and device for intrusion detection in a computer network
11533327 · 2022-12-20
Assignee
Inventors
- Andreas Weber (Weissach, DE)
- Janin Wolfinger (Birkenfeld, DE)
- Jens Gramm (Tuebingen, DE)
- Michael Herrmann (Dusseldorf, DE)
- Wolfram Gottschlich (Leonberg, DE)
Cpc classification
H04L67/12
ELECTRICITY
International classification
H04L67/12
ELECTRICITY
Abstract
Device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an output of the hardware switch unit being selected for sending the data packet or a copy as a function of data link layer information from the data packet and of a hardware address from a memory of the hardware switch unit. An actual value from a field of the data packet is compared by a hardware filter with a setpoint value for values from this field, the field including data link layer data or network layer data, and the data packet or a copy of the data packet being provided to a computing device as a function of a result of the comparison. The analysis for detecting an intrusion pattern in a network traffic in the computer network is carried out by the computing device.
Claims
1. A method for intrusion detection in a computer network, comprising the following steps: receiving a data packet at an input of a hardware switch that includes a plurality of ports to which a plurality of devices are network interconnectable by processing circuitry of the hardware switch, wherein the data packet includes a plurality of fields providing respective data link layer information and providing a hardware address; selecting, by the processing circuitry of the hardware switch, one of the plurality of ports via which to output from the hardware switch the data packet or a copy of the data packet as a function of the data link layer information and the hardware address; for each of the plurality of fields, comparing, by the processing circuitry of the hardware switch, a respective actual value of the respective field to a respective corresponding predefined setpoint value; and detecting, by the processing circuitry, whether there is an intrusion pattern in a network traffic in the computer network in response to satisfaction of a predefined condition that, for any individual one of the comparisons individually, a result of the respective comparison is that there is a predefined deviation of the respective actual value from the respective corresponding predefined setpoint value.
2. The method as recited in claim 1, wherein the hardware switch includes a Ternary Content Addressable Memory in which a mask for one of the setpoint values is stored, and wherein one of the comparisons is a comparison of one of the actual values with the mask stored in the Ternary Content Addressable Memory.
3. The method as recited in claim 1, wherein one of the setpoint values characterizes a hardware address from a memory of the hardware switch, and wherein the respective actual value that is compared to the hardware address characterizing setpoint value is determined by the processing circuitry from a hardware address field of the data packet.
4. The method as recited in claim 1, wherein one of the setpoint values characterizes a Medium Access Control address from a memory of the hardware switch, and wherein the respective actual value that is compared to the hardware address characterizing setpoint value is determined by the processing circuitry from a Medium Access Control address field of the data packet.
5. The method as recited in claim 1, wherein one of the setpoint values characterizes a Virtual Local Area Network and is determined by the processing circuitry from a memory of the hardware switch, and wherein the respective actual value that is compared to the setpoint value characterizing the Virtual Local Area Network characterizes an association of the data packet with the Virtual Local Area Network.
6. The method as recited in claim 1, wherein a result of one of the performed comparisons produces a result that indicates, as the deviation, presence of a tagged Virtual Logical Area Network data packet when the computer network is an untagged Virtual Logical Area Network, or presence of an untagged Virtual Logical Area Network data packet when the computer network is a tagged Virtual Logical Area Network.
7. The method as recited in claim 1, wherein a result of one of the performed comparisons produces a result that indicates, as the deviation, presence in the data packet of an unknown Ethernet type, or a false checksum, or a false packet length, or a false packet structure.
8. The method as recited in claim 1, wherein presence of the deviation is detected when: (i) the processing circuitry establishes that the data packet is a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or (ii) the processing circuitry establishes that the data packet provides a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or (iii) the processing circuitry establishes a Precision Time Protocol message, the content of which, including time stamp, sequence number, and correction field, is stored at least temporarily in a register for context information.
9. The method as recited in claim 1, wherein for each of at least one of the comparisons, the respective predefined deviation whose presence is determined is a predefined threshold amount of deviation.
10. A device for intrusion detection in a computer network, the device comprising: a system on a chip system, which includes a hardware switch, the hardware switch including processing circuitry and a plurality of ports to which a plurality of devices are network interconnectable by the processing circuitry of the hardware switch, wherein: in response to receipt, at an input of the hardware switch, of a data packet that includes a plurality of fields providing respective data link layer information and providing a hardware address, the processing circuitry is configured to select one of the plurality of ports via which to output from the hardware switch the data packet or a copy of the data packet as a function of the data link layer information and the hardware address; for each of the plurality of fields, the processing circuitry is configured to compare a respective actual value of the respective field to a respective corresponding predefined setpoint value; and the processing circuitry is configured to detect whether there is an intrusion pattern in a network traffic in the computer network in response to satisfaction of a predefined condition that, for any individual one of the comparisons individually, a result of the respective comparison is that there is a predefined deviation of the respective actual value from the respective corresponding predefined setpoint value.
11. The device as recited in claim 10, wherein the hardware switch includes a Ternary Content Addressable Memory, and/or an Address Translation Unit, and/or a Virtual Local Area Network Translation Unit, and/or a Dynamic Host Configuration Protocol filter, and/or a Transmission Control Protocol or User Datagram Protocol filter, and/or a Precision Time Protocol filter with which the processing circuitry is configured to check the data packet for the intrusion detection.
12. A non-transitory computer-readable memory medium on which is stored a computer program that is executable by a computer of a hardware switch, the hardware switch including a plurality of ports to which a plurality of devices are network interconnectable by the computer of the hardware switch, the computer program, when executed by the computer, causing the computer to perform a method for intrusion detection in a computer network, the method comprising the following steps: in response to receipt, at an input of the hardware switch, of a data packet that includes a plurality of fields providing respective data link layer information and providing a hardware address, selecting one of the plurality of ports via which to output from the hardware switch the data packet or a copy of the data packet as a function of the data link layer information and the hardware address; for each of the plurality of fields, comparing a respective actual value of the respective field to a respective corresponding predefined setpoint value; and detecting whether there is an intrusion pattern in a network traffic in the computer network in response to satisfaction of a predefined condition that, for any individual one of the comparisons individually, a result of the respective comparison is that there is a predefined deviation of the respective actual value from the respective corresponding predefined setpoint value.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
(1)
(2)
(3)
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENT
(4)
(5) Device 100 includes a hardware switch unit 102, a hardware filter 104 and a computing device 106 for the intrusion detection. Computing device 106 is described below as an example of a microprocessor. A microcontroller may also be used instead of a microprocessor.
(6) The computer network in the example is an automotive Ethernet network. The automotive Ethernet described by way of example is based on Ethernet Standard IEEE 802.3-2018 and may include elements from IEEE 802.1Q, 100BASE-T1 or 1000BASE-T1. BroadR-Reach or 100BASE-T1/X specify the physical transport medium in layer 1. Additional standards are used in the Ethernet protocol stack, some of them specific to the automotive context, for example DoIP and SOME/IP, and some general, for example IPv4 and TSN.
(7) In the automotive Ethernet context, only parts of a standard are used and others are not, i.e., the full scope of a protocol is not necessarily implemented.
(8) Hardware switch unit 102 in the example includes an Ethernet switch.
(9) Hardware filter 104 in the example includes a Ternary Content Addressable Memory 108, an Address Translation Unit 110, a Virtual Local Area Network Translation unit 112 and additional hardware filters 114, for example, a Dynamic Host Configuration Protocol filter, a Transmission Control Protocol or User Datagram Protocol filter and/or a Precision Time Protocol filter.
(10) The hardware filters are designed to analyze a data packet for the intrusion detection and to provide the data packet or a copy of the data packet to microprocessor 106 for the intrusion detection as a function of the result of the check. For this purpose, hardware filter 104 and microprocessor 106 are connected to a data line 116. Microprocessor 106 in the example is part of a microcontroller, which includes a random access memory 118. Data packets are transmittable via data line 116 from hardware filter 104 into random access memory 118 for the intrusion detection.
(11) Device 100 includes at least one input and at least one output. These are implemented as ports 120 for hardware switch unit 102.
(12) Hardware switch unit 102 includes a memory 122 for hardware addresses of devices of the computer network, which are coupled to device 100. Memory 122 may include a register for context information relating to data packets. Memory 122 is a random access memory, for example. Memory 122 may also be a non-volatile read and write memory.
(13) Hardware switch unit 102 is designed to receive a data packet at an input. Hardware switch unit 102 is designed to select an output of device 100 for sending the data packet or a copy of the data packet as a function of data link layer information from the data packet and as a function of a hardware address from memory 122.
(14) Microprocessor 106 is designed to carry out an analysis for detecting an intrusion pattern in a network traffic in the computer network as a function of information from the data packet.
(15) Hardware filter 104 is designed to compare, in a comparison, an actual value from a field of data packets with a setpoint value for values from this field. The field includes data link layer data or network layer data. Hardware filter 104 is designed to provide the data packet or a copy of the data packet to microprocessor 106 for analysis as a function of a result of the comparison, if a deviation between the actual value and the setpoint value is present or exceeds a threshold value.
(16) Embodiments of hardware filter 104 are described in the following.
(17) Hardware filter 104 includes, for example, a Ternary Content Addressable Memory 108, in which a mask for the setpoint value is stored. Hardware filter 104 in this case is designed to compare the actual value with the mask stored in the Ternary Content Addressable Memory, and to establish as a function of the result of the comparison whether or not the deviation is present.
(18) The setpoint value, for example, characterizes a hardware address from the memory. The hardware address is, in particular, a Medium Access Control address of the data link layer. Hardware filter 104 in this example includes Address Translation Unit 110, which is designed to determine the actual value as a function of data from a hardware address field of a data packet at an input or output of device 100, to compare the actual value in a comparison with the setpoint value, and to establish as a function of the result of the comparison whether or not the deviation is present.
(19) Address Translation Unit 110 is a unit in the data link layer, which selects the output in hardware switch unit 102 at which a received data packet or its copy is sent during operation.
(20) The setpoint value, for example, characterizes a Virtual Local Area Network. The setpoint value is stored in memory 122, for example. Hardware filter 104 includes a Virtual Local Area Network Translation Unit 112, which is designed to determine the actual value as a function of data, which characterize the association of a data packet at an input or output of device 100 with a Virtual Local Area Network, to compare the actual value in a comparison with the setpoint value, and to establish as a function of the result of the comparison whether or not the deviation is present.
(21) Virtual Local Area Network Translation Unit 112 is a unit in the data link layer, which selects the output in hardware switch unit 102 at which a received data packet or its copy is sent during operation in a Virtual Local Area Network.
(22) Hardware filter 104 may be designed to detect the presence of a deviation either when hardware filter 104, at an input or output of the device for a tagged Virtual Local Area Network, establishes an untagged Virtual Local Area Network data packet, or when additional hardware filter 114, at an input or output of the device for an untagged Virtual Local Area Network, establishes a tagged Virtual Local Area Network data packet.
(23) Hardware filter 104 may be designed to detect the presence of a deviation if additional hardware filter 114 at an input or output of device 100 establishes a data packet having an unknown Ethertype, a false checksum or a false packet structure.
(24) Hardware filter 104 may include a Dynamic Host Configuration Protocol filter as an additional hardware filter 114, which is designed to establish at the input or output of the device Dynamic Host Configuration Protocol packets for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol Port 67 and/or Port 68.
(25) Hardware filter 104 may include a Transmission Control Protocol or User Datagram Protocol filter as additional hardware filter 114, which is designed to establish at the input or output of the device Transmission Control Protocol or User Datagram Protocol Broadcast messages for Internet Protocol Version 4 and/or for Internet Protocol Version 6.
(26) Hardware filter 104 may include a Precision Time Protocol filter as additional hardware filter 114, which is designed to establish Precision Time Protocol messages at the input or output of the device, and to store their content, in particular time stamp, sequence number and correction field, at least temporarily in a register for context information.
(27) The described embodiments of hardware filter 104 may be situated in parallel or in succession in hardware switch unit 102. Not all embodiments of hardware filter 104 need be provided.
(28) Hardware filter 104 is designed in one aspect to provide the data packet, the actual value of which has been compared, to microprocessor 106 if the deviation is present. In one aspect, hardware filter 104 is designed not to provide the data packet, the actual value of which has been compared, for analysis to microprocessor 106 if no deviation is present. In another aspect, hardware filter 104 is designed to compare the deviation with a threshold value and to provide the data packet, the actual value of which has been compared, to microprocessor 106 if the deviation exceeds the threshold value.
(29)
(30) Between the input and the output, Ethernet data packet 200 runs through a first hardware filter 114a, which is designed to check the packet structure. First hardware filter 114a is designed to transmit the data packet via data line 116 for microprocessor 106 into random access memory 118 if the packet structure does not correspond to the setpoint structure for Ethernet data packet 200 and otherwise not to transmit Ethernet data packet 200.
(31) Between first hardware filter 114a and the output, Ethernet data packet 200 runs through a second hardware filter 114b, which is designed to check a checksum for Ethernet data packet 200. Second hardware filter 114b is designed to transmit Ethernet data packet 200 via data line 116 for microprocessor 106 into random access memory 118, if the checksum does not correspond to a setpoint checksum for Ethernet data packet 200 and otherwise not to transmit Ethernet data packet 200.
(32) Between second hardware filter 114b and the output, Ethernet data packet 200 runs through Address Translation Unit 110. Address Translation Unit 110 is designed to transmit the Ethernet data packet via data line 116 for microprocessor 106 into random access memory 118 if the deviation is detected and otherwise not to transmit Ethernet data packet 200. Address Translation Unit 110 in the example also establishes port 120 for the output.
(33) Between Address Translation Unit 110 and the output, Ethernet data packet 200 runs through Virtual Local Area Network Translation Unit 112. Virtual Local Area Network Translation Unit 112 is designed to transmit Ethernet data packet 200 via data line 116 for microprocessor 106 into random access memory 118 if the deviation is detected and otherwise not to transmit Ethernet data packet 200. Virtual Local Area Network Translation Unit 112 in the example also establishes whether or not Ethernet data packet 200 may be sent via port 120, which is established as an output, according to the rules for the Virtual Local Area Network.
(34) The sending does not occur, for example, if port 120 for this Virtual Local Area Network is not allowed to be used.
(35) Between Virtual Local Area Network Translation Unit 112 and the output, Ethernet data packet 200 in the example runs through additional hardware filter 114. Ethernet data packet 200 is transmitted via data line 116 for microprocessor 106 into random access memory 118 if the deviation is detected. Ethernet data packet 200 is otherwise not transmitted.
(36) An optional first interface 202 between memory 122 and microprocessor 106, more precisely, processor core 204 of microprocessor 106 is also depicted in
(37) A second optional interface 206 between an optional first interrupt controller 208 of hardware switch unit 102 and an optional second interrupt controller 210 in microprocessor 106 is also depicted in
(38) First interrupt controller 208 is designed to send an interrupt via second interface 206 to second interrupt controller 210, if a deviation has been established in hardware filter 104.
(39) Second interrupt controller 210 is designed to activate processor core 204 to read context information from the register in memory 122 when the interrupt is received by second interrupt controller 210.
(40) In this case, microprocessor 106 may be designed to carry out the analysis for the detection by the microprocessor of an intrusion pattern in a network traffic in the computer network as a function of the context information.
(41) The sequence described here is an exemplary sequence. It makes no difference in terms of the function whether, for example, additional hardware filter 114 is run through first and then Address Translation Unit 110, or vice versa. This applies to all other components named in the sequence depicted.
(42) Ternary Content Addressable Memory 108 may be designed for a check of the payload, i.e., for a check of a content, which goes beyond layers 2 and 3. In this aspect, payload may also be filtered.
(43)
(44) In a step 302, Ethernet data packet 200 is received at a port 120. A step 304 is subsequently carried out.
(45) In a step 304, the packet structure or a packet length of the Ethernet data packet 200 is determined. A step 306 is subsequently carried out.
(46) In step 306, it is checked whether a deviation of the packet structure from the setpoint structure or a deviation of a packet length from a setpoint length is present. It is checked, for example, whether an irregularity with respect to the packet structure is present.
(47) If a deviation from the setpoint structure is present, a step 308 is carried out. If no deviation is present, a step 310 is carried out.
(48) In step 308, Ethernet data packet 200 is sent to microprocessor 106. Step 310 is subsequently carried out.
(49) In step 310, a checksum for Ethernet data packet 200 is determined. A step 312 is subsequently carried out.
(50) In step 312, it is checked whether a deviation of the checksum from a setpoint checksum is present. For example, it is checked whether an irregularity with respect to the checksum is present.
(51) If a deviation from the setpoint checksum is present, a step 314 is carried out. If no deviation is present, a step 316 is carried out.
(52) In step 314, Ethernet data packet 200 is sent to microprocessor 106. Step 316 is subsequently carried out.
(53) In step 316, an actual hardware address for Ethernet data packet 200 is determined. A step 318 is subsequently carried out.
(54) In step 318, it is checked whether the actual hardware address is known, in particular, matches a hardware address from memory 122. For example, it is checked whether a known Medium Access Control address is present.
(55) If a deviation from, in particular, any hardware address known from the memory is present, a step 320 is carried out. If no such deviation is present, in particular, if the actual hardware address is known, a step 322 is carried out.
(56) In step 320, Ethernet data packet 200 is sent to microprocessor 106. Step 322 is subsequently carried out.
(57) In step 322, an actual value characterizing a Virtual Local Area Network is determined. A step 324 is subsequently carried out.
(58) In step 324, it is checked whether the actual value corresponds to a setpoint value characterizing a Virtual Local Area Network, into which Ethernet data packet 200 may be sent at port 120 determined with the aid of the actual hardware address. A match to a setpoint value from memory 122, in particular, is checked.
(59) If a deviation between actual value and setpoint value is present, a step 326 is carried out. If no such deviation is present, a step 328 is carried out.
(60) In step 326, Ethernet data packet 200 is sent to microprocessor 106. Step 328 is subsequently carried out.
(61) In step 328 an additional actual value for an analysis with one of the described other hardware filters is optionally determined.
(62) At the input or output, for example, an untagged Virtual Local Area Network Ethernet data packet 200 is established for a tagged Virtual Local Area Network, or a tagged Virtual Local Area Network Ethernet data packet 200 is established for an untagged Virtual Local Area Network.
(63) At the input or output, for example, a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68 is established. For example, a User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6 is established at the input or output. For example, a Precision Time Protocol message is established at the input or output, the content of which, in particular time stamp, sequence number and correction field, is stored at least temporarily in a register for context information.
(64) A step 330 is subsequently carried out.
(65) In step 330, it is checked whether a deviation of the additional actual value from an additional setpoint value for the additional actual value is present. If a deviation is present, a step 332 is carried out. Otherwise, a step 334 is carried out.
(66) In step 332, Ethernet data packet 200 is sent to microprocessor 106. Step 334 is subsequently carried out.
(67) In step 334, a configured actual value for Ethernet data packet 200 is compared with a mask configured therefor stored in the Ternary Content Addressable Memory. A step 336 is subsequently carried out.
(68) In step 336, it is established as a function of the result of the comparison whether or not a deviation from the mask is present. If a deviation is present, a step 338 is carried out. If no deviation is present, a step 340 is carried out.
(69) In step 338, Ethernet data packet 200 is sent to microprocessor 106. Step 340 is subsequently carried out.
(70) In step 340, Ethernet data packet 200 is sent at the output.
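The filter chain described above (first hardware filter 114a through Ternary Content Addressable Memory 108) and steps 302 to 340 describe the same processing: each stage compares one actual value taken from the frame with a configured setpoint and, on a deviation, hands a copy of the frame to microprocessor 106 while the frame itself continues to the output. The following Python model is an added example, not code from the patent or from the assignee; it walks constructed Ethernet frames through such a chain. The names `SwitchConfig`, `run_filter_chain`, `Verdict`, the port and VLAN setpoints, the sample MAC addresses and the TCAM rule are assumptions; the checksum is modelled as CRC-32 over the frame without its last four bytes, IP and UDP checksums are not verified, and broadcast flooding is not modelled.

```python
"""Software model of the hardware filter chain of device 100: filters 114a/114b,
Address Translation Unit 110, VLAN Translation Unit 112, additional filters 114
and TCAM 108. Added illustration, not the patent's code: every stage compares an
actual value from the frame with a setpoint; each deviation is recorded and would
cause a copy of the frame to go to microprocessor 106 while the frame continues."""
import struct
import zlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SwitchConfig:           # constructed stand-in for memory 122 and the setpoints
    known_macs: dict          # MAC -> output port (hardware address table)
    port_vlans: dict          # port -> set of VLAN IDs allowed on that port
    port_tagged: dict         # port -> True if the port expects 802.1Q tagged frames
    known_ethertypes: set     # accepted EtherTypes (after a VLAN tag, if any)
    tcam_rules: list          # (offset, value, mask): ternary rules on raw bytes

@dataclass
class Verdict:
    deviations: list = field(default_factory=list)  # filters that fired, in chain order
    out_port: Optional[int] = None                   # port selected by the ATU
    forwarded: bool = False                          # sent at the output (step 340)?

def fcs_ok(frame: bytes) -> bool:
    """Filter 114b: trailing FCS must equal CRC-32 of the rest (sent LSB first)."""
    return struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4]) & 0xFFFFFFFF

def tcam_match(frame: bytes, offset: int, value: bytes, mask: bytes) -> bool:
    """TCAM 108: compare only bits set in mask; zero mask bits are 'don't care'."""
    window = frame[offset:offset + len(value)]
    return len(window) == len(value) and all(
        (w & m) == (v & m) for w, v, m in zip(window, value, mask))

def run_filter_chain(frame: bytes, in_port: int, cfg: SwitchConfig) -> Verdict:
    v = Verdict()
    if not 64 <= len(frame) <= 1522:          # 114a: structure / length setpoint
        v.deviations.append("structure")
    if len(frame) < 18:                       # not even header + FCS: nothing to parse
        return v
    if not fcs_ok(frame):                     # 114b: checksum setpoint
        v.deviations.append("checksum")
    dst, src = frame[:6], frame[6:12]
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    tagged, vlan_id = ethertype == 0x8100, None
    if tagged:                                # 802.1Q tag: TCI, then the real EtherType
        vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if src not in cfg.known_macs:             # ATU 110: source address must be known
        v.deviations.append("unknown_mac")
    v.out_port = cfg.known_macs.get(dst)      # ATU 110 also selects the output port
    if tagged != cfg.port_tagged.get(in_port, False):   # VTU 112: tagging expectation
        v.deviations.append("vlan_tagging")
    if tagged and vlan_id not in cfg.port_vlans.get(in_port, set()):
        v.deviations.append("vlan_membership")
    if ethertype not in cfg.known_ethertypes: # additional filter 114: unknown EtherType
        v.deviations.append("ethertype")
    if ethertype == 0x0800 and len(frame) >= off + 20 + 4:       # IPv4 header fits
        ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
        if proto == 17 and len(frame) >= off + ihl + 8 + 4:      # UDP header fits
            ports = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
            if 67 in ports or 68 in ports:    # DHCP filter: server/client ports
                v.deviations.append("dhcp")
            if dst == b"\xff" * 6:            # UDP broadcast filter
                v.deviations.append("udp_broadcast")
    for offset, value, mask in cfg.tcam_rules:   # TCAM 108: masked payload rules
        if tcam_match(frame, offset, value, mask):
            v.deviations.append("tcam")
    if v.out_port is not None:                # VTU 112: may the frame leave that port?
        v.forwarded = (not tagged) or vlan_id in cfg.port_vlans.get(v.out_port, set())
    return v

# Constructed sample frames and configuration (broadcast flooding is not modelled).
ECU_A, ECU_B, ROGUE = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000099"))

def build_frame(dst, src, ethertype, payload, vlan_id=None) -> bytes:
    """Optional 802.1Q tag, payload, padding to 60 bytes, then a valid FCS."""
    hdr = dst + src + (struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b"")
    body = hdr + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, 60 - len(body))
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def ipv4_udp(sport, dport, data=b"") -> bytes:
    """Minimal IPv4/UDP payload (IP and UDP checksums left at zero, not checked here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + udp

CFG = SwitchConfig(
    known_macs={ECU_A: 1, ECU_B: 2}, port_vlans={1: {10}, 2: {10, 20}},
    port_tagged={1: True, 2: True}, known_ethertypes={0x0800, 0x0806, 0x86DD},
    tcam_rules=[(46, b"\x13\x37", b"\xff\x00")])  # first UDP data byte of a tagged frame
NORMAL = build_frame(ECU_B, ECU_A, 0x0800, ipv4_udp(5000, 5001), vlan_id=10)
BAD_FCS = NORMAL[:-1] + bytes([NORMAL[-1] ^ 0xFF])
UNTAGGED = build_frame(ECU_B, ECU_A, 0x0800, ipv4_udp(5000, 5001))
DHCP = build_frame(b"\xff" * 6, ROGUE, 0x0800, ipv4_udp(68, 67), vlan_id=10)
TCAM_HIT = build_frame(ECU_B, ECU_A, 0x0800, ipv4_udp(5000, 5001, b"\x13\x99"), vlan_id=10)

if __name__ == "__main__":
    for f in (NORMAL, BAD_FCS, UNTAGGED, DHCP, TCAM_HIT):
        print(run_filter_chain(f, 1, CFG))
```

Each stage appends to `deviations` and then lets the frame continue, which mirrors the sequence above in which every "send to microprocessor 106" step is followed by the next check rather than by a drop; the `forwarded` flag reproduces the Virtual Local Area Network rule that decides whether the selected port 120 may be used at all. The `tcam_rules` entry shows the ternary comparison of step 334: only the bits set in the mask take part in the match, so one rule covers a whole family of payload values.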
(71) In microprocessor 106, a method additionally runs in parallel in which, after its start, it is checked in a step 350 whether an Ethernet data packet 200 is received by microprocessor 106.
(72) If an Ethernet data packet 200 is received, a step 352 is carried out. Otherwise, step 350 is carried out.
(73) In step 352, Ethernet data packet 200 is analyzed for detection of an intrusion pattern in the network traffic in the computer network as a function of information from Ethernet data packet 200. A step 354 is subsequently carried out.
(74) In step 354, a Stateless Intrusion Detection is carried out as a function of information from Ethernet data packet 200. A step 356 is subsequently carried out.
(75) In step 356, an analysis result of the Stateless Intrusion Detection is stored. A step 358 is subsequently carried out.
(76) In step 358, a Stateful Intrusion Detection is carried out as a function of information about stored analysis results. A step 360 is subsequently carried out.
(77) In step 360, it is checked whether Ethernet data packet 200 has been sent. If Ethernet data packet 200 has been sent, the method is ended. Otherwise, step 350 is carried out.
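The parallel method in steps 350 to 360 separates a Stateless Intrusion Detection on the packet just received (step 354), storage of its result (step 356) and a Stateful Intrusion Detection over the stored results (step 358). The following Python model is an added example, not code from the patent or from the assignee, and shows one way to structure that split. The hardware filter chain is not re-implemented here; each packet it hands over is assumed to arrive as a `PacketRecord` carrying the names of the filters that fired, the source address and, for Precision Time Protocol messages, the context information the register in memory 122 holds (time stamp, sequence number, correction field). `PacketRecord`, `IntrusionAnalyzer`, its thresholds (window length, tolerated unknown-address hits, largest plausible correction field) and the constructed record stream in `demo_alerts` are assumptions.

```python
"""Model of the analysis on microprocessor 106 (steps 350 to 360). Added
illustration, not the patent's code: stateless checks look at one packet,
results are stored, stateful checks look at the stored history. The record
layout and all thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class PacketRecord:
    t: float                    # receive time in seconds (constructed)
    src: str                    # source MAC address as text
    deviations: list            # names of the hardware filters that fired
    ptp: Optional[dict] = None  # {"ts": ns, "seq": int, "corr": ns} for PTP messages

class IntrusionAnalyzer:
    def __init__(self, window_s=1.0, max_unknown=3, max_corr_ns=1_000_000):
        self.window_s = window_s          # sliding window for rate checks (assumed)
        self.max_unknown = max_unknown    # tolerated unknown-MAC hits per source/window
        self.max_corr_ns = max_corr_ns    # largest plausible PTP correction field
        self.unknown_hits = defaultdict(deque)   # src -> times of unknown-MAC hits
        self.ptp_last = {}                       # src -> last PTP context seen
        self.results = []                        # step 356: stored stateless results

    def stateless(self, rec: PacketRecord) -> list:
        """Step 354: findings that need only the current packet."""
        findings = []
        for d in rec.deviations:
            if d in ("structure", "checksum", "ethertype"):
                findings.append(("malformed-frame", d))
            elif d == "dhcp":
                findings.append(("dhcp-on-static-network", rec.src))
            elif d == "vlan_tagging":
                findings.append(("vlan-tag-mismatch", rec.src))
        if rec.ptp is not None and rec.ptp["corr"] > self.max_corr_ns:
            findings.append(("ptp-correction-out-of-range", rec.ptp["corr"]))
        return findings

    def stateful(self, rec: PacketRecord) -> list:
        """Step 358: findings that need the history of earlier packets."""
        findings = []
        if "unknown_mac" in rec.deviations:
            hits = self.unknown_hits[rec.src]
            hits.append(rec.t)
            while hits and rec.t - hits[0] > self.window_s:   # drop hits outside window
                hits.popleft()
            if len(hits) > self.max_unknown:
                findings.append(("unknown-mac-burst", rec.src, len(hits)))
        if rec.ptp is not None:
            last = self.ptp_last.get(rec.src)
            if last is not None:
                if rec.ptp["seq"] != (last["seq"] + 1) & 0xFFFF:   # 16-bit sequenceId
                    findings.append(("ptp-sequence-gap", last["seq"], rec.ptp["seq"]))
                if rec.ptp["ts"] < last["ts"]:
                    findings.append(("ptp-time-backwards", last["ts"], rec.ptp["ts"]))
            self.ptp_last[rec.src] = rec.ptp
        return findings

    def process(self, rec: PacketRecord) -> list:
        """Steps 352 to 358 for one packet handed over by hardware filter 104."""
        found = self.stateless(rec)
        self.results.append((rec, list(found)))   # step 356: keep the result
        return found + self.stateful(rec)

def demo_alerts() -> list:
    """Constructed record stream: a burst from an unknown source, then PTP anomalies."""
    an = IntrusionAnalyzer()
    records = [PacketRecord(0.1 * i, "02:00:00:00:00:99", ["unknown_mac"]) for i in range(1, 6)]
    records += [PacketRecord(2.0, "02:00:00:00:00:01", [], {"ts": 1000, "seq": 100, "corr": 10}),
                PacketRecord(2.1, "02:00:00:00:00:01", [], {"ts": 1001, "seq": 101, "corr": 10}),
                PacketRecord(2.2, "02:00:00:00:00:01", [], {"ts": 1002, "seq": 103, "corr": 10}),
                PacketRecord(2.3, "02:00:00:00:00:01", [], {"ts": 900, "seq": 104, "corr": 5_000_000})]
    return [f for rec in records for f in an.process(rec)]

if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

The split matters for the workload on microprocessor 106: a single unknown source address is only a stateless fact about one packet, whereas a burst of such packets within a short window, or a Precision Time Protocol sequence number that skips or a time stamp that runs backwards, is only visible against the stored context of earlier packets, which is exactly what the register for context information and step 356 provide.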