US-12625960-B2 - Methods for filtering and for qualifying security events of an intrusion detection system
Abstract
A method for filtering security events of an intrusion detection system of a computer system with a plurality of computing units connected for data communication. The intrusion detection system is configured to detect security events and to classify them according to a plurality of event types; wherein a type-specific counter is initialized for each event type; and wherein, in response to a detection of a security event by the intrusion detection system, the type-specific counter corresponding to the detected security event is in each case incremented until a threshold value is reached, and the detected security event is discarded if the type-specific counter corresponding to the detected security event has reached the threshold value.
Inventors
- Jeremy Peters
- Jens Kant
- Marcel Kneib
Assignees
- ROBERT BOSCH GMBH
Dates
- Publication Date
- 20260512
- Application Date
- 20240418
- Priority Date
- 20230517
Claims (13)
- 1 . A method for filtering security events of an intrusion detection system of a computer system of a vehicle with a plurality of computing units connected by an ECU/CAN bus for data communication, wherein the intrusion detection system is configured to detect security events on the ECU/CAN bus and to classify the security events according to a plurality of event types, the method comprising the following steps: initializing a type-specific counter for each of the event types; and in response to a detection of a security event by the intrusion detection system: incrementing the type-specific counter corresponding to the detected security event unless a threshold value is reached, and discarding the detected security event if the type-specific counter corresponding to the detected security event has reached the threshold value, wherein the type-specific counters are reduced by a particular value when they are greater than an initial value.
- 2 . The method according to claim 1 , wherein: the type-specific counters are re-initialized, or are reset to the initial value, after a predetermined time period has elapsed.
- 3 . The method according to claim 1 , wherein, when an operation of the computer system is interrupted, the type-specific counters are stored in a non-volatile memory prior to the interruption and are read from the memory when the operation is resumed.
- 4 . The method according to claim 3 , wherein: the type-specific counters are re-initialized, or are reset to the initial value, after a predetermined time period has elapsed; and, when the operation of the computer system is interrupted, a running of the time period is interrupted and a value indicating an elapsed portion of the time period is stored in the memory and, when the operation is resumed, the value is read from the memory and the running of the time period continues.
- 5 . The method according to claim 1 , wherein the type-specific counters are initialized each time an operation of the computer system is started.
- 6 . The method according to claim 2 , wherein the time period is restarted each time an operation of the computer system is started.
- 7 . The method according to claim 1 , wherein different threshold values are provided for different event types.
- 8 . The method according to claim 1 , wherein, for each detected security event, the detected security event is qualified when the type-specific counter corresponding to the detected security event has not reached or is below the threshold value.
- 9 . The method according to claim 8 , wherein: security events classified as qualified are stored and/or evaluated; and/or data relating to security events classified as qualified are stored and/or evaluated.
- 10 . A method for qualifying security events in a computer system of a vehicle with a plurality of computing units connected by an ECU/CAN bus for data communication, in which computer system is provided an intrusion detection system configured to detect security events on the ECU/CAN bus and to classify the security events according to one or more event types, the method comprising the following steps: passing security events detected by the intrusion detection system to a filter chain including at least one filter configured to discard each respective detected security event or to classify the respective detected security event as qualified; passing each of the qualified security events to the next filter of the filter chain, wherein the next filter of the filter chain includes: initializing a type-specific counter for each of the event types, and incrementing the type-specific counter corresponding to the detected security event unless a threshold value is reached, and discarding the detected security event if the type-specific counter corresponding to the detected security event has reached the threshold value, wherein the type-specific counters are reduced by a particular value when they are greater than an initial value; and storing or analyzing data from the security events classified as qualified after passing through the filter chain.
- 11 . A computing unit for filtering security events of an intrusion detection system of a computer system of a vehicle with a plurality of computing units connected by an ECU/CAN bus for data communication, wherein the intrusion detection system is configured to detect security events on the ECU/CAN bus and to classify the security events according to a plurality of event types, the computing unit comprising a hardware processor configured to: initialize a type-specific counter for each of the event types; and in response to a detection of a security event by the intrusion detection system: increment the type-specific counter corresponding to the detected security event unless a threshold value is reached, and discard the detected security event if the type-specific counter corresponding to the detected security event has reached the threshold value, wherein the type-specific counters are reduced by a particular value when they are greater than an initial value.
- 12 . A non-transitory machine-readable storage medium on which is stored a computer program for filtering security events of an intrusion detection system of a computer system of a vehicle with a plurality of computing units connected by an ECU/CAN bus for data communication, wherein the intrusion detection system is configured to detect security events on the ECU/CAN bus and to classify the security events according to a plurality of event types, the computer program, when executed by a computer, causing the computer to perform the following steps: initializing a type-specific counter for each of the event types; and in response to a detection of a security event by the intrusion detection system: incrementing the type-specific counter corresponding to the detected security event unless a threshold value is reached, and discarding the detected security event if the type-specific counter corresponding to the detected security event has reached the threshold value, wherein the type-specific counters are reduced by a particular value when they are greater than an initial value.
- 13 . The non-transitory machine-readable storage medium of claim 12 , wherein the type-specific counters are re-initialized, or are reset to the initial value, after a predetermined time period has elapsed.
Description
CROSS REFERENCE
The present application claims the benefit under 35 U.S.C. § 119 of German Patent Application No. DE 10 2023 204 621.0 filed on May 17, 2023, which is expressly incorporated herein by reference in its entirety.
FIELD
The present invention relates to a method for filtering security events of an intrusion detection system, to a method for qualifying security events, and to a computer program for performing them.
BACKGROUND INFORMATION
In computer systems or networks of computing units, intrusion detection systems (IDS) can be used to detect attacks on the computer system or on the computing units it contains. Detected attacks or attempted attacks can be stored for later analysis, or measures can be initiated that prevent attempted attacks from succeeding. The latter can, for example, be done by an intrusion prevention system (IPS).
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
According to the present invention, a method for filtering security events of an intrusion detection system, a method for qualifying security events, and a computing unit and a computer program for performing them are provided. Advantageous embodiments of the present invention are disclosed herein.
The present invention uses type-specific counters for the event types of an intrusion detection system that classifies attacks as security events according to a plurality of event types: the type-specific counter is incremented when a security event of the respective event type is detected, and security events of an event type are discarded once the corresponding type-specific counter has reached a threshold value. This prevents a frequent occurrence of security events of one event type from hindering or preventing the further processing, e.g., the storing and/or analyzing, of security events of another event type.
In particular, this counters an attack strategy in which numerous security events of a particular event type, e.g., of a low danger level, are generated (through corresponding attacks) in order to conceal an attack that leads to security events of another event type, e.g., of a higher danger level.
The method for filtering security events is in particular a computer-implemented method. It relates to a computer system comprising a plurality of computing units connected for data communication. In a machine such as a vehicle, the computer system can, for example, be a bus system (for example, a CAN bus system) comprising a plurality of control devices (computing units) and bus lines connecting the control devices to one another.
It is assumed that an intrusion detection system is provided with which potential attacks on the computer system are to be detected (“potential” because the intrusion detection system can in general also report an attack when there is no actual attack, e.g., in the case of a malfunction in the computer system; a so-called false positive detection). Intrusion detection systems detect, for example, events and/or patterns indicative of an attack in the data traffic between the computing units and/or in the computing units themselves. For example, a potential attack could be detected if a message cannot be authenticated as part of a message authentication method used in the data communication. Voltage fluctuations on the bus lines could also be analyzed in order to detect that an attacker is physically connected to the bus lines.
More generally, according to an example embodiment of the present invention, the intrusion detection system is configured to detect so-called security events and to classify them according to a plurality of event types. Each detected security event thus has a particular event type of the plurality of event types.
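The following C program is an added example written for this page; it is not code from the patent or from Robert Bosch GmbH. It implements the type-specific counter filter of claims 1 to 8 (per-type thresholds, the reduction "by a particular value", the periodic reset, and the save/restore across an interruption) and runs the flood scenario from the description: 1000 low-danger events with one high-danger event hidden among them. The event type names, the thresholds, the decay value, the 600-tick period and the byte buffer standing in for non-volatile memory are all assumptions made for the example; in claim 10's filter chain this counter filter would be the "next filter" that receives already-qualified events.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Event types are assumptions made for this example; the description maps one
 * type to each security function module of the IDS. */
enum event_type {
    EV_MSG_AUTH_FAIL = 0, /* message failed authentication: low danger, easy to flood */
    EV_BUS_VOLTAGE   = 1, /* voltage anomaly hinting at physical bus access: high danger */
    EV_MSG_AUTH_OK   = 2, /* successful check, also recorded as a security event */
    EV_TYPE_COUNT    = 3
};

struct type_filter {
    uint32_t counter[EV_TYPE_COUNT];
    uint32_t threshold[EV_TYPE_COUNT]; /* one threshold per event type (claim 7) */
    uint32_t initial;                  /* initial counter value (claim 1) */
    uint32_t decay;                    /* subtracted per tick while above initial (claim 1) */
    uint32_t period_ticks;             /* ticks after which all counters are reset (claim 2) */
    uint32_t elapsed_ticks;            /* elapsed part of the period, persisted too (claim 4) */
};

void filter_init(struct type_filter *f, const uint32_t thr[EV_TYPE_COUNT],
                 uint32_t decay, uint32_t period_ticks)
{
    memset(f, 0, sizeof *f);           /* every counter starts at the initial value 0 (claim 5) */
    memcpy(f->threshold, thr, sizeof f->threshold);
    f->decay = decay;
    f->period_ticks = period_ticks;
}

/* One detected event: qualified while the type counter is below its threshold,
 * discarded once the threshold has been reached (claims 1 and 8). */
bool filter_event(struct type_filter *f, enum event_type t)
{
    if ((unsigned)t >= EV_TYPE_COUNT) return false; /* unknown type: drop, never index out of bounds */
    if (f->counter[t] >= f->threshold[t]) return false;
    f->counter[t]++;
    return true;
}

/* Periodic tick (an assumed 100 ms timer): reduce counters that are above the
 * initial value by 'decay' (claim 1), and reset all of them once the period
 * has elapsed (claim 2). A zero period disables the reset. */
void filter_tick(struct type_filter *f)
{
    if (f->period_ticks != 0 && ++f->elapsed_ticks >= f->period_ticks) {
        for (size_t i = 0; i < EV_TYPE_COUNT; i++) f->counter[i] = f->initial;
        f->elapsed_ticks = 0;
        return;
    }
    for (size_t i = 0; i < EV_TYPE_COUNT; i++) {
        if (f->counter[i] <= f->initial) continue;
        uint32_t above = f->counter[i] - f->initial;
        f->counter[i] -= (above > f->decay) ? f->decay : above;
    }
}

/* Claims 3 and 4: snapshot counters and elapsed period before an interruption
 * and restore them on resume. 'nvm' stands in for non-volatile memory. */
size_t filter_save(const struct type_filter *f, uint8_t *nvm, size_t cap)
{
    if (cap < sizeof *f) return 0;
    memcpy(nvm, f, sizeof *f);
    return sizeof *f;
}

bool filter_restore(struct type_filter *f, const uint8_t *nvm, size_t len)
{
    if (len < sizeof *f) return false;
    memcpy(f, nvm, sizeof *f);
    return true;
}

/* Constructed scenario from the description: 1000 low-danger authentication
 * failures with one high-danger voltage event hidden in the middle. Fills the
 * per-type qualified counts and returns the total number of qualified events. */
uint32_t run_flood_scenario(struct type_filter *f, uint32_t qualified[EV_TYPE_COUNT])
{
    uint32_t total = 0;
    memset(qualified, 0, EV_TYPE_COUNT * sizeof qualified[0]);
    for (int i = 0; i < 1000; i++) {
        enum event_type t = (i == 500) ? EV_BUS_VOLTAGE : EV_MSG_AUTH_FAIL;
        if (filter_event(f, t)) { qualified[t]++; total++; }
    }
    return total;
}

int main(void)
{
    static const uint32_t thr[EV_TYPE_COUNT] = { 20, 5, 100 }; /* assumed per-type thresholds */
    struct type_filter f;
    uint32_t q[EV_TYPE_COUNT];
    filter_init(&f, thr, 1, 600);                              /* decay 1 per tick, reset after 600 ticks */
    run_flood_scenario(&f, q);
    printf("auth-fail qualified: %" PRIu32 " of 1000, voltage qualified: %" PRIu32 " of 1\n",
           q[EV_MSG_AUTH_FAIL], q[EV_BUS_VOLTAGE]);
    return 0;
}
```

With these assumed parameters the flood yields 20 qualified authentication failures and the single voltage event is still qualified, because the counters are independent per type. The per-tick reduction makes each counter behave like a leaky bucket, so a type that was flooded earlier becomes admissible again at the rate set by the decay, while the periodic reset bounds how long a burst can keep a type blocked. Two practitioner caveats that follow from the design rather than from the patent text: the filter limits how many events per type are processed downstream, it does not stop the flood on the bus itself; and once the counters are persisted they are security-relevant state, so a real ECU should integrity-protect the stored image before trusting it on resume.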
As described above, a security event may be an event that is detected as a (potential) attack. Additionally or alternatively, a security event may also be an event in which a security check has been performed successfully (i.e., no potential attack has been detected), e.g., a successful authentication of a message in a message authentication method.
The intrusion detection system can include a plurality of security function modules (each of which can be implemented as a computer program module and/or a hardware module), wherein each security function module performs a particular security check and determines or detects security events accordingly. The event type of a security event can correspond to the security function module that has detected it; for example, an event type is assigned to each security function module. Such intrusion detection systems and the classification into event types are known to the person skilled in the art. For example, the AUTOSAR specification (AUTomotive Open System ARchitecture) mentions se