US-12627677-B2 - Techniques for detecting an intrusion into a bus system
Abstract
A method for detecting the possibility of an intrusion into a bus system. The bus system includes a plurality of components which are able to transmit messages in the bus system. The method includes ascertaining a number of messages that are transmitted by a first component of the plurality of components in a specific time period; determining whether the number of messages in the specific time period satisfies a predefined first criterion; and detecting the possibility of an intrusion if the number of messages does not satisfy the predefined first criterion.
Inventors
- Marcel Kneib
- Oleg Schell
Assignees
- ROBERT BOSCH GMBH
Dates
- Publication Date: 20260512
- Application Date: 20220909
- Priority Date: 20210929
Claims (16)
- 1. A method for detecting a possibility of an intrusion into a bus system, the bus system including a plurality of components which are able to transmit messages in the bus system, the method comprising the following steps: ascertaining a number of one or more messages which are transmitted by a first component of the plurality of components in a specific time period, the ascertaining being performed by counting the number of the one or more messages in the specific time period; determining whether the ascertained number of messages in the specific time period satisfies a predefined first criterion; detecting the possibility of an intrusion based on the number of messages not satisfying the predefined first criterion; and dynamically adapting the predefined first criterion in response to a change in an operating state, wherein the predefined first criterion is defined during an initialization of a transmitter identification process in the bus system during which the first component transmits messages via a shared transmission path.
- 2. The method as recited in claim 1, wherein the predefined first criterion defines an expected number of messages in the predefined time period.
- 3. The method as recited in claim 2, wherein the predefined first criterion is not satisfied when the ascertained number of messages deviates from the expected number of messages in the specific time period.
- 4. The method as recited in claim 1, wherein the messages include messages of at least two different types, and every type of messages is provided with a unique identification.
- 5. The method as recited in claim 1, further comprising: defining the predefined first criterion in an initialization or start phase of one of the components of the bus system, or the bus system, or a device which includes the bus system.
- 6. The method as recited in claim 1, further comprising: determining whether an attack has occurred when the possibility of an intrusion was detected; and initiating a countermeasure when an attack has occurred.
- 7. The method as recited in claim 1, wherein the first component is an embedded system.
- 8. The method as recited in claim 7, wherein the embedded system is a control unit.
- 9. The method as recited in claim 1, wherein the bus system is a CAN bus system.
- 10. The method as recited in claim 1, the ascertaining being performed by counting only a subset of the number of the one or more messages that belong to one or more types in the specific time period and a remainder of the number of the one or more messages that do not belong to the one or more types being ignored by the counting.
- 11. A device configured to detect a possibility of an intrusion into a bus system, the device comprising: a hardware processor; and a memory that stores instructions that when executed by the processor cause the device to: ascertain a number of one or more messages which are transmitted by a first component of the plurality of components in a specific time period, the ascertaining being performed by counting the number of the one or more messages in the specific time period; determine whether the ascertained number of messages in the specific time period satisfies a predefined first criterion; detect the possibility of an intrusion based on the number of messages not satisfying the predefined first criterion; and dynamically adapt the predefined first criterion in response to a change in an operating state, wherein the predefined first criterion is defined during an initialization of a transmitter identification process in the bus system during which the first component transmits messages via a shared transmission path.
- 12. The device as recited in claim 11, the ascertaining being performed by counting only a subset of the number of the one or more messages that belong to one or more types in the specific time period and a remainder of the number of the one or more messages that do not belong to the one or more types being ignored by the counting.
- 13. A bus system, comprising: a plurality of hardware components which are able to transmit messages via a communication line of the bus system; and at least one device configured to detect a possibility of an intrusion into the bus system, the device comprising: a hardware processor; and a memory that stores instructions that when executed by the processor cause the device to: ascertain a number of one or more messages which are transmitted by a first component of the plurality of components in a specific time period, the ascertaining being performed by counting the number of the one or more messages in the specific time period, determine whether the ascertained number of messages in the specific time period satisfies a predefined first criterion, detect the possibility of an intrusion based on the number of messages not satisfying the predefined first criterion, and dynamically adapt the predefined first criterion in response to a change in an operating state, wherein the predefined first criterion is defined during an initialization of a transmitter identification process in the bus system during which the first component transmits messages via a shared transmission path.
- 14. The bus system as recited in claim 13, the ascertaining being performed by counting only a subset of the number of the one or more messages that belong to one or more types in the specific time period and a remainder of the number of the one or more messages that do not belong to the one or more types being ignored by the counting.
- 15. A non-transitory memory medium on which is stored a computer program for detecting a possibility of an intrusion into a bus system, the bus system including a plurality of components which are able to transmit messages in the bus system, the computer program, when executed by a computer, causing the computer to perform the following steps: ascertaining a number of one or more messages which are transmitted by a first component of the plurality of components in a specific time period, the ascertaining being performed by counting the number of the one or more messages in the specific time period; determining whether the ascertained number of messages in the specific time period satisfies a predefined first criterion; detecting the possibility of an intrusion based on the number of messages not satisfying the predefined first criterion; and dynamically adapting the predefined first criterion in response to a change in an operating state, wherein the predefined first criterion is defined during an initialization of a transmitter identification process in the bus system during which the first component transmits messages via a shared transmission path.
- 16. The non-transitory memory medium as recited in claim 15, the ascertaining being performed by counting only a subset of the number of the one or more messages that belong to one or more types in the specific time period and a remainder of the number of the one or more messages that do not belong to the one or more types being ignored by the counting.
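The counting check of claims 1 to 3 and 10, sketched as an added Python example; it is not part of the patent text and not an implementation by the inventors or assignee. The per-frame sender label, the millisecond timestamps, the state names, the `tolerance` parameter and the trace itself are assumptions constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple

class Frame(NamedTuple):
    t: int        # receive time in ms
    sender: str   # transmitter label; assumed output of a separate sender-identification step
    can_id: int   # message type

def check_counts(frames, sender, window, expected, states, n_windows,
                 counted_ids=None, tolerance=0):
    """Return [(window_index, count, expected_count)] for each window whose
    frame count from `sender` misses the criterion.
    expected:    operating state -> expected frames per window
    states:      {window_index: new_state}; must contain 0, persists until changed
    counted_ids: if set, only these message types are counted, the rest ignored
    """
    counts = Counter()
    for f in frames:
        if f.sender != sender:
            continue
        if counted_ids is not None and f.can_id not in counted_ids:
            continue
        counts[f.t // window] += 1
    alerts, state = [], None
    for w in range(n_windows):        # empty windows are checked too: silence deviates
        state = states.get(w, state)  # adapt the criterion on an operating-state change
        want, got = expected[state], counts[w]
        if abs(got - want) > tolerance:
            alerts.append((w, got, want))
    return alerts

def constructed_trace():
    """Constructed sample, 6 windows of 100 ms. ECU_A sends 0x100 every 10 ms
    while driving (t < 300) and 0x200 every 50 ms in both states."""
    frames = []
    for t in range(0, 600, 10):
        if t < 300:
            frames.append(Frame(t, "ECU_A", 0x100))
        if t % 50 == 0 and not 400 <= t < 500:   # window 4: ECU_A falls silent
            frames.append(Frame(t, "ECU_A", 0x200))
        if t % 20 == 0:
            frames.append(Frame(t, "ECU_B", 0x300))  # other component, never counted
    # window 1: 8 surplus frames attributed to ECU_A
    frames += [Frame(101 + 12 * i, "ECU_A", 0x100) for i in range(8)]
    return frames

if __name__ == "__main__":
    expected = {"driving": 12, "parked": 2}
    print(check_counts(constructed_trace(), "ECU_A", 100, expected,
                       {0: "driving", 3: "parked"}, 6))
```

With the `3: "parked"` entry removed, the static driving criterion also flags windows 3 and 5, where ECU_A behaves normally for the parked state.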
Description
CROSS REFERENCE

The present application claims the benefit under 35 U.S.C. § 119 of German Patent Application No. DE 10 2021 210 902.0 filed on Sep. 29, 2021, which is expressly incorporated herein by reference in its entirety.

BACKGROUND INFORMATION

Modern vehicles (or other technical devices) are equipped to an ever greater degree with interfaces so that they can communicate with external systems during their operation or for updating purposes, for instance. At the same time, the complexity of the components grows steadily. Both make the vehicles more susceptible to attacks during which interference in the operation of the vehicle is possible in different ways.

One target of the attacks may be a bus system of the vehicle (or another technical device), for instance in an attempt to interfere with the function of the vehicle or one of its components by transmitting messages via the bus system. Typical bus systems in vehicles such as the widely used CAN bus system are often not adequately equipped to detect and avert such attacks.

In what is known as a ‘denial-of-service attack’, an intruder transmits messages, often in large numbers, via the bus system in order to interfere with a communication via the bus system.

To detect attacks, and especially denial-of-service attacks, multiple approaches have been proposed. For one, an interval between two similar messages of a component of the bus system can be ascertained and compared to a reference value. This approach is based on the recognition that similar messages (i.e., messages of the same type) are typically transmitted in the bus system in a periodic fashion. If two messages of the same type are then detected in a shorter or a longer interval, a manipulation may be inferred.

In a related approach, a transmission frequency is determined for a type of messages. In this approach as well, the basic assumption is that messages of a certain type are transmitted on a regular basis and thus at a specific transmission frequency. An attack may once again be inferred if an ascertained frequency deviates from an expected frequency. For instance, the insertion of messages of the specific type can increase the transmission frequency.

So-called entropy-based approaches do not examine the transmission pattern of the messages across the bus system but their content. By determining an entropy of messages (or a part thereof), it is possible to ascertain the information content of the messages. Since an attacker often repeatedly transmits the same message or very similar messages, an entropy of the messages may drop during an attack.

SUMMARY

A first general aspect of the present disclosure relates to a method for detecting the possibility of an intrusion into a bus system. The bus system includes a plurality of components which are able to transmit messages in the bus system. According to an example embodiment of the present invention, the method includes an ascertainment of a number of messages transmitted by a first component of the plurality of components within a specific time period; determining whether the number of messages in the specific time period satisfies a predefined first criterion, and detecting the possibility of an intrusion if the number of messages does not satisfy the predefined first criterion.

A second general aspect of the present disclosure relates to a device for detecting the possibility of an intrusion into a bus system, the device being designed to carry out the steps of the method according to the first general aspect.

A third general aspect of the present invention relates to a bus system which includes a plurality of components which are able to transmit messages via the bus system, and to one or more devices for detecting the possibility of an intrusion into the bus system according to the second general aspect.

In some example embodiments of the present invention, the techniques of the first to the third aspects may offer one or more of the following advantages:

Firstly, the techniques of the present disclosure may make it possible to detect attacks on bus systems in some situations. For instance, the comparison of a number of messages transmitted by a component (e.g., a control unit) to an expected number (as predefined criterion) may point to the presence of an attack (in a deviation between the ascertained and the expected number), but it can also indicate the opposite (when the ascertained number corresponds to the expected number).

Secondly, in some cases the techniques of the present disclosure may be superior to the previously mentioned techniques of the related art. In comparison with the approach of monitoring the intervals between messages of the same type, the techniques of the present disclosure may require less overhead insofar as there is no need to configure and ascertain permissible intervals between the messages for a possibly large number of types of messages (e.g., five and up to 100 types of messages). In the techniques of