DE102018201718A1 - Method and device for detecting an anomaly in a data stream in a communication network - Google Patents

Abstract

The invention relates to a method for detecting an anomaly in a data stream in a communication network, wherein the data stream comprises data packets (P), comprising the following steps: - monitoring (S1) a network communication via a communication bus (3) to detect data packets of the data stream; depending on already detected data packets (P), predicting (S2) at least one future data packet based on a provided prediction model, and determining (S3) on the basis of the at least one predicated data packet if there is an anomaly.

Description

Technical area

The invention relates to attack detection techniques for monitoring data streams to detect an anomaly, i. to recognize incorrect or manipulated data.

Technical background

In systems with multiple controllers, data may be exchanged between the controllers over a communications network, such as a serial fieldbus. An example of such a fieldbus is the CAN bus (CAN: Controller Area Network). The CAN bus is mainly used in motor vehicles and enables a packet-bound data transmission from one control unit to one or more other connected control units.

In the transmission of data over the communication network deviations from a normal behavior can occur in real operation, which are referred to as anomaly. Causes of such deviations may be defective or failed subsystems or ECUs that provide erroneous or no data. Furthermore, systems can be manipulated by an external source, wherein manipulated via the communication network data packets or new data packets are introduced. In a properly operating system, data packets are communicated without error between ECUs that are connected to one another via the bus system, with the data packets generally being dependent on each other in specific, both stationary and temporal correlations.

For the operational safety of vehicle systems, it is essential to detect anomalies at an early stage, in particular anomalies that occur in connection with a manipulation of the vehicle system from the outside. For this, the data communication is monitored by an anomaly detection method.

One way known per se to detect anomalies in such data streams is to check each of the transmitted data packets using static rules. For example, the cycle time of a cyclically transmitted network message can be checked for an anomaly by defining a rule with the target cycle time of the corresponding message. If the actual cycle time deviates from the target cycle time, the rule is violated and an anomaly detected.

Although an anomaly can be recognized in principle, the recognition rate for other errors and / or manipulations in the data stream is insufficient because dynamic dependencies can only be checked with great effort by predetermined rules. As the complexity of the network architecture grows, so does the number of rules needed to provide sufficient recognition accuracy.

From the publication US 2015/5191135 A For example, a system is known in which a decision tree is learned by prior data analysis of network communication. Based on incoming network information serving as input to the decision tree, the learned decision tree is traversed with the current network data and output as to whether an anomaly has been detected.

From the publication US 2015/113638 A For example, a system is known that proposes anomaly detection based on a learning algorithm. In this case, data traffic with known meta-information, such as CAN-ID, cycle time, etc., is learned, and to detect known attacks in the vehicle network, the current network messages are compared with already known messages and patterns that indicate an error or a manipulation.

In the publication WO 2014/061021 A1 It is also proposed to identify an anomaly or a known attack pattern by means of a machine learning process through various network information.

Disclosure of the invention

According to the invention, a method for detecting an anomaly in a data stream in a communication network according to claim 1 and an apparatus for abnormality detection and a network system according to the independent claims are provided.

Further embodiments are specified in the dependent claims.

• - Überwachen einer Netzwerkkommunikation in einem Kommunikationsnetzwerk, um Datenpakete des Datenstroms zu erfassen;
• - abhängig von bereits erfassten Datenpaketen, Prädizieren mindestens eines künftigen Datenpakets basierend auf einem bereitgestellten Prädiktionsmodell, und
• - Ermitteln anhand des mindestens einen prädizierten Datenpakets, ob eine Anomalie vorliegt.

According to a first aspect, there is provided a method of detecting an anomaly in a data stream in a communication network, the data stream comprising data packets, comprising the steps of:

• Monitoring network communication in a communication network to capture data packets of the data stream;
• depending on already acquired data packets, predicting at least one future data packet based on a provided prediction model, and
• Determine whether there is an anomaly based on the at least one predicted data packet.

One idea of the above method is to predict data packets to be expected in the future on the basis of data packets already transmitted over a communication network between network components. The predicted data packets are then used to check for one or more subsequent data packets in terms of anomalies. The methods described in the prior art so far use only current or already observed network data for the detection of anomalies in transmitted data packets.

Anomalies are data traffic that deviates from normal behavior. In real operation, deviations from the normal behavior in network communication can occur for various reasons. Thus, defective sensors may provide false or no data, network components may be so damaged that the network communication of the network component concerned is impaired, or the communication network communication is being manipulated by an external source (eg, a hacker attack).

By checking future data packets based on their prediction, in particular an extended functionality with regard to the implementation of defense mechanisms as well as an improved detection of anomalies is achieved. In essence, the above method is to use the predicted data packets to detect anomalies and to detect a deviation and to close an anomaly by comparing predicated data packets and newly received data packets.

In particular, there must be no sample data of anomalies in order to derive generally valid rules for anomaly detection. With the above method, since the prediction of data packets is performed according to a normal behavior of network communication, the anomaly detection is based on an approach that allows an anomaly detection without knowledge of anomaly cases. Thus, anomalies can be detected that can not be detected by previously common rules for anomaly detection.

In particular, the method proposed here based on the predicated data packets is suitable for supplementing previous rule-based anomaly detection methods, so that the detection accuracy for the detection of anomalies can be improved.

Furthermore, based on the provided prediction model, several future data packets can be predicted from the data packets already acquired. This allows improved anomaly detection also based on sequences of future data packets.

It can be provided that an anomaly is detected when a predicted data packet deviates from a transmitted data packet.

In particular, a deviation between the predicted data packet and the transmitted data packet can be ascertained if time stamps and / or corresponding data sections of the data packet deviate from one another and / or the time intervals between data packets of a cyclic network message deviate from each other by more than a predetermined period of time.

According to one embodiment, an anomaly may be detected when a predicted data packet violates a predetermined static rule for checking a data packet. For example, an anomaly can be detected if a predicted data packet violates a static rule based on already received data packets.

Furthermore, a defense data packet can be injected into the communication bus if a predicted data packet is detected as the anomaly data packet.

It can be provided that the defense data packet is injected into the communication connection at a point in time which is indicated by the prediction of the predicated data packet.

Furthermore, the prediction model may be represented by a neural network, a Gaussian process model, a recurrent network, a Long-Short-Term Memory (LSTM) model, an HMM (Hidden Markov Model) model, a Seq2Seq Encoder and / or an auto-encoder can be provided and trained by means of a machine learning method and a period of anomalous communication over the communication network.

• - eine Netzwerkkommunikation in einem Kommunikationsnetzwerk zu überwachen, um Datenpakete des Datenstroms zu erfassen;
• - abhängig von bereits erfassten Datenpaketen mindestens ein künftiges Datenpaket basierend auf einem bereitgestellten Prädiktionsmodell zu prädizieren, und
• - anhand des mindestens einen prädizierten Datenpakets zu ermitteln, ob eine Anomalie vorliegt.

In another aspect, an apparatus, in particular an anomaly detection system, is for detecting an anomaly in a data stream on a communication bus, the data stream having data packets, the apparatus being configured to:

• to monitor a network communication in a communication network to acquire data packets of the data stream;
• predicate at least one future data packet based on a provided prediction model, depending on already acquired data packets, and
• - Determine whether an anomaly exists on the basis of the at least one predicted data packet.

list of figures

• 1 eine schematische Darstellung eines Kommunikationssystems mit einem Kommunikationsbus zur Übertragung von Datenpaketen eines Datenstroms;
• 2 ein Beispiel für einen Datenstrom aus aufeinanderfolgenden Datenpaketen; und
• 3 ein Flussdiagramm zur Veranschaulichung eines Verfahrens zum Erkennen von Anomalien von Datenpaketen des Datenstroms in Echtzeit.

Embodiments are explained below with reference to the accompanying drawings. Show it:

• 1 a schematic representation of a communication system with a communication bus for transmitting data packets of a data stream;
• 2 an example of a data stream of successive data packets; and
• 3 a flowchart illustrating a method for detecting anomalies of data packets of the data stream in real time.

Description of embodiments

1 shows a schematic representation of an overall system 1 with multiple network components 2 via a communication network in the form of a communication bus 3 connected to each other. The network components 2 can include ECUs, sensors and actuators. The communication bus 3 can a fieldbus or other data bus, such. B. a CAN bus (field bus in motor vehicles) correspond. Via the communication bus 3 a data stream consisting of a sequence of data packets can be transmitted. This will be a data packet from one of the network components 2 to at least one other of the network components 2 transfer.

With the communication bus 3 is an anomaly detection system 4 connected, separately or as part of one of the network components 2 can be trained. The anomaly detection system 4 reads over the communication bus 3 transmitted data and performs anomaly detection based on predetermined rules.

As in 2 by way of example, those are via the communication bus 3 transmitted data packets P defined by or contain a timestamp, ie the time from which the relevant data packet P is sent, an ID identifier that indicates the source and / or destination of the data packet P and a data segment S , The data segment S can each have one or more data sections B contained in an information to be transmitted. The data sections B may each comprise individual bits, groups of bits, one or more bytes.

A rule-based anomaly detection method is executed by applying a rule-specified anomaly condition to each of the data packets P is checked. Previous rules for anomaly detection provide queries for data packets, for example P a specific ID identifier, so that the value ranges for the data sections B the data segments S are defined. That's the rule specify that an anomaly is detected when, for example, a value of a data section B outside the predetermined range. Also, rules can be time-based, with z. For example, a particular ID identifier must occur at least once within a predetermined time period / time window, otherwise an anomaly is also detected. If the anomaly condition is not met, it will result in an unobtrusive data packet P went out.

In the following, as an alternative or in addition to the previous anomaly detection methods, anomalies in the network communication are proposed by means of a prediction of data packets P to recognize. Such an abnormality detection method will be described below with reference to the flowchart of FIG 3 explained in more detail.

In step S1 is the current communication over the communication bus 3 supervised. This data and information from transmitted data packets P in the anomaly detection system 4 captured and saved. The information of the data packets P can be through the data packets P transmitted information, such as the ID identifier ID, the data section B of the data packet P and / or the interpretation of the data in the data section B especially when it comes to sensor values or physical quantities.

Furthermore, for each data packet P the source or destination address protocol information, such as information about the data occupancy in a header section, the state information of the respective protocol, and the like, as well as time measurements such as latencies and difference times between data packets P and timestamps of the data packets P , to be collected. The information about the communication in the communication bus 3 are collected, are dependent on the respective network system 1 and the communication protocols used and therefore may vary. In the case of a CAN bus, the data can be recorded in the following form. These are arranged as time series information to be used as input variable vectors for a prediction method: [t ₀ = 0.007672, CAN-ID = 0xB1, S = 2C 74 FF FF3F FF 1F 8B], [t _0-1 = 0.007298, CAN-ID = 0x14B, S = 05 00 6B FC FF 7F 00 00], [t _0-2 ..., = 0.005058, CAN-ID = 0xB3, S = DD 01 78 00 FF 00 00 30], [t _0-x = X, CAN-ID = X, S = X]]

In step S2 are used as the basis for the prediction the data from a previous date t _0-x until the currently observed time t ₀ used to create a subsequent data packet at a future time t ₁ to predict. That is, the prediction allows prediction of the subsequent data packet at a future time t ₁ , The predicated indication of a data packet to be transmitted next P For example, the timestamp of the predicated data packet, the ID identifier of the predicated data packet, the destination and / or source address of the predicated data packet, the value of a data section B of the predicted data packet or the state of a protocol of the predicated data packet.

The prediction is performed on the basis of a trainable prediction model, which may be generated by a machine learning method based on a Gaussian process model, a neural network, or the like, based on a period of anomalous communication over the communication network 3 is trained. In particular, the prediction can be performed using RNN (Recurrent Neural Networks) and LSTM (Long Short-Term Memory), as well as an auto-encoder and / or by using other hardware accelerators, such as a GPU or a dedicated device for neural network operation , be performed.

It is also possible to use the prediction method to predict further future data packets assuming one or more previously predicted data packets. As a result, the data packets of the time already predicted by the prediction methods can be used t _1..n again be used as input to the prediction method to a data packet with timestamp tn _{+ 1} to predict.

The above prediction method is based on predicating the normal case of communication over the communication bus. Anomalies that are in the already received data packets P therefore affect the predicted data packets. The predicted data packets P can therefore in step S3 be used in an anomaly detection method. This can be done in several ways.

If the prediction is made based on already received data packets P that contain an anomaly that was not previously detected by the anomaly detection method, an erroneous prediction of the subsequent predicted data packets results. This error can be used, for example, to determine whether the set frequency of cyclic network messages and / or a specific target sequence of data packets is observed by testing by means of static rules. If the verification of the predicted data packets is negative on the basis of the given static rules, an anomaly is assumed. Thus, it is possible to detect anomalies that were previously unrecognized by means of a follow-up error in the predicated data packets before any static rules applied can also detect an anomaly when transmitting the anomaly data packet. Another (alternative or additional) possibility of using the predicted data packets for anomaly detection consists in comparing the predicted data packets with the data packets actually transmitted, in particular immediately after their transmission. For example, it can be determined whether and in which communication periods anomalies occur.

An anomaly can be detected, for example, if a significant deviation of the time sequence is detected, for example, by predicting the timestamps of the respective next data packet or a deviation of the frequency of data packets in a certain period of time. In this case, the predicted data packets are compared with the data packets occurring in the following. By comparing all available information on the data packets, such as ID ID, time stamp and data section B, thus deviations between predicated data packets and actually received data packets can be obtained, which signal a possible error or possible manipulation.

• - wenn die Zykluszeiten von sich wiederholenden Datenpaketen (mit gleicher ID-Kennung) voneinander abweichen,
• - wenn die Zykluszeit von prädizierten Datenpakete und die Zykluszeit von tatsächlich übertragenen korrespondierenden Datenpaketen voneinander abweichen, und/oder
• - wenn die Datenlänge (DLC bei CAN) eines prädizierten Datenpakets von der Datenlänge eines tatsächlich übertragenen Datenpakets abweicht.

Alternatively or additionally, an anomaly can be determined if a deviation between the predicted data packet and the currently transmitted data packet is detected. A deviation occurs when time stamps and / or corresponding data sections B of the data packet deviate from one another and / or the time intervals between data packets of a cyclic network message deviate from each other by more than a predetermined period of time. In particular, there are differences

• if the cycle times of repeating data packets (with the same ID identifier) differ from each other,
• if the cycle time of predicated data packets and the cycle time of corresponding data packets actually transmitted differ, and / or
• if the data length (DLC in the case of CAN) of a predicted data packet deviates from the data length of an actually transmitted data packet.

Another (alternative or additional) way to detect an anomaly is to use a given static rule to validate a predicated data packet. For example, an anomaly can be detected if a predicted data packet violates a static rule based on already received data packets. For example, a static rule can specify that "after CAN-ID 1 always follows CAN-ID 2". If a data packet with CAN-ID3 is predicated on a transmitted data packet with CAN-ID1 or if it is predicted that this will occur with a high probability, it can be decided that there is a violation of this static rule - ie an anomaly - although the one in question is Data packet has not yet been transferred.

In a further variant, the prediction component can be used in order to use the predicted data packets following states, eg. As a communication protocol or a state machine to determine. This is particularly useful for detecting attack patterns on a network system or for detecting anomaly on an operating system when the state changes or states, e.g. As a communication protocol or a state machine, for example in the form of a (Markow) chain / state machine can be modeled. By using the predicted data, the possible following state transitions can be calculated or predicated and specified. On the basis of the and / or the predicted state transitions, a comparison with the then actual state changes, for. As a communication protocol, to determine a deviation or anomaly.

By predicting the data packets and / or the results from the analysis measures can be taken in case of suspected anomaly. In particular, in step S4 queried if an anomaly was detected. If this is the case (alternative: yes), in step S5 signaled an anomaly. Otherwise, it will go to step S1 jumps back.

If an anomaly is detected, a defensive measure may be provided that uses the predicted data packets to execute defenses. A defense measure can in particular be based on a defense message in the communication bus 3 to be injected before or at the same time as an anomaly data packet. Such a defensive data packet should arrive before the anomaly data packet at the receiver or target controller of the potential attacker for the defense to succeed. For this purpose, it is necessary to determine the time of occurrence of the next anomaly data packet based on the history of transmitted anomaly data packets. By means of the prediction, it can be predicted when the manipulated data packet will be sent, provided that the manipulated data packet is a cyclically transmitted data packet and the data packet was previously recognized as being manipulated or compromised. For example, if a manipulated anomaly data packet was detected, the subsequent communication is predicted via the communication bus. If the previously identified anomaly data packet is found within the predicted data packets, the data packet from the time of the ID and the ID of the next manipulated data packets can be used to send the defensive data packet immediately before the anomaly data packet.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• US 2015/5191135 A [0007]
• US 2015113638 A [0008]
• WO 2014/061021 A1 [0009]
• DD 017800 [0033]

Claims (11)

A method of detecting an anomaly in a data stream in a communications network, the data stream comprising data packets (P), comprising the steps of: - monitoring (S1) a network communication via a communication bus (3) to detect data packets of the data stream; depending on already acquired data packets (P), predicting (S2) at least one future data packet based on a provided prediction model, and Determine (S3) based on the at least one predicated data packet, if an anomaly exists. Method according to Claim 1 , wherein based on the provided prediction model from the already acquired data packets several future data packets are predicted. Method according to Claim 1 or 2 wherein an anomaly is detected when a predicted data packet deviates from a transmitted data packet. Method according to Claim 3 in which a deviation between the predicated data packet and the transmitted data packet is ascertained if time stamps and / or corresponding data sections (B) of the data packet (P) deviate from one another and / or the time intervals between data packets (P) of a cyclic network message by more than a predetermined one Duration differ. Method according to one of Claims 1 to 4 wherein an anomaly is detected when a predicted data packet violates a predetermined static rule for checking a data packet (P). Method according to Claim 5 wherein a defensive data packet is injected into the communication network when a predicted data packet is detected as an anomaly data packet. Method according to Claim 6 wherein the defensive data packet is injected into the communication network at a time indicated by the prediction of the predicated data packet. Method according to one of Claims 1 to 7 wherein the prediction model is provided by a neural network, a Gaussian process model, and / or an auto-encoder, and is trained via the communications network using a machine learning method and a period of anomalous communication. Apparatus, in particular anomaly detection system (4), for detecting an anomaly in a data stream on a communication bus (3), the data stream having data packets (P), the apparatus being designed to: to monitor a network communication in a communication network (3) to acquire data packets (P) of the data stream; to predict at least one future data packet based on a provided prediction model, depending on already acquired data packets (P), and - Determine whether an anomaly exists on the basis of the at least one predicted data packet. Computer program adapted to perform all steps of a method according to one of Claims 1 to 8th perform. Electronic storage medium on which a computer program is based Claim 10 is stored.

Images