CN109076081B - Method for monitoring the safety of a communication connection of a vehicle

Info

Publication number: CN109076081B
Authority: CN (China)
Prior art keywords: vehicle, monitoring, rule, network, mobile radio
Legal status: Active
Application number: CN201780025765.2A
Other languages: Chinese (zh)
Other versions: CN109076081A (en)
Inventors: M.扎博克, M.沃尔多斯基, T.温克尔沃斯
Current Assignee: Volkswagen AG
Original Assignee: Volkswagen AG
Application filed by Volkswagen AG
Publication of CN109076081A
Application granted
Publication of CN109076081B
Abstract

Translated from Chinese

The invention relates to a method for monitoring the security of a communication connection (18) of a vehicle (12), wherein the vehicle (12) communicates via at least one mobile radio protocol and/or at least one Internet protocol. The following steps are provided: establishing rules (26) for permitted communication via at least one mobile radio protocol and/or at least one Internet protocol; monitoring for rule violations against the rules in at least one mobile radio protocol and/or at least one Internet protocol used by the vehicle (12); and triggering an action, for example creating a report (28) containing the determined rule violations and/or taking at least one measure, when one or more rule violations are determined. The technical problem to be solved by the invention is to further improve the security of the communication connection of the vehicle.

Description

Translated from Chinese
Method for monitoring the security of a communication connection of a vehicle

Technical field

The invention relates to a method for monitoring the security of a communication connection of a vehicle, a vehicle with a communication connection, and a control device with at least one communication connection.

Background art

Vehicle networking is becoming increasingly important in the automotive industry. Modern vehicles are now heavily networked and, through their various sensors and access points, offer a wide variety of ways in which a car's internal systems can be exposed to malicious hacking. A central challenge is to distinguish normal from abnormal communication flows, and thereby to track down manipulation and attacks.

DE 10 2013 016 096 A1 discloses a method for displaying the current operating state of a motor vehicle, in which image data of an area outside the motor vehicle are generated and the motor vehicle requests parameter values from its components, which are then displayed graphically.

DE 10 2011 076 350 A1 discloses a method for detecting manipulation on a vehicle network within at least one vehicle based on a digital fingerprint of the vehicle network.

US 2014/0257624 A1 discloses monitoring of an electrical energy generation system of a vehicle, in which data are retrieved from nodes and fed to a reporting system.

Summary of the invention

The technical problem to be solved by the invention is to further increase the security of the communication connection of the vehicle.

This technical problem is solved by a method according to claim 1, a vehicle according to claim 9 and a control device according to claim 10.

The method according to the invention for monitoring the security of a communication connection of a vehicle, wherein the vehicle communicates via at least one mobile radio protocol and/or at least one Internet protocol, comprises the following steps:

- establishing rules for permitted communication via at least one mobile radio protocol and/or at least one Internet protocol;

- monitoring for rule violations against the rules in at least one mobile radio protocol and/or at least one Internet protocol used by the vehicle; and

- triggering an action, for example creating a report (28) containing the determined rule violations and/or taking at least one measure, when one or more rule violations are determined.

The method envisaged here is based on the idea of automatically evaluating network events and displaying the results in the vehicle or, in the event of a hazard, reacting actively. That is, the driver can not only be warned before a hazard arises but can also be actively protected from its effects. In principle, two metrics are used and balanced against each other. One metric concerns the event or rule violation, while the other concerns the action to be triggered, for example creating a report or taking a measure such as intensive observation and/or restriction of the communication connection. It is proposed, on the one hand, to classify possible events according to their severity. Known methods from vehicle technology as well as from IT can be used for this purpose. On the other hand, possible actions are also ranked according to the severity of their intervention. Actions are triggered as appropriate for the determined events.

The method according to the invention has the advantage that the driver is given information about the security state of the vehicle. If this report or status shows a problem, measures are taken on the network side, and the customer can see the effect of the measures in the same report. A reduction of functions on the network side does not affect driving safety. Network disconnections and bandwidth fluctuations are everyday phenomena in mobile radio. This means that all online systems of the vehicle are developed so that all basic vehicle functions remain usable even in the event of a network outage. Because the measures are taken on the network side, the manufacturer's systems can continue to access the vehicle. Thus, for example, diagnostics and interventions such as updates can continue to be carried out. Security incidents can therefore be ruled out specifically for the vehicle. A security report can be provided to the (authorized) driver at any time. One possible extension is for the report to be retrieved whenever the vehicle establishes a data connection. The infotainment unit can then indicate that there is a new message. Such a solution, implemented first on the network side, is significantly easier to realize than introducing new technical systems into the vehicle. Furthermore, the security of existing vehicles can thereby also be increased. This approach enables vehicle users and manufacturers to retrieve information on the vehicle's security state and thus obtain situation reports on attacks that have occurred and their impact. This situation information forms the basis for taking countermeasures.

Provision can be made for the report to be displayed to the driver in the vehicle, at least temporarily. The driver can thus be informed directly about the security situation of the vehicle. An easy-to-read display, for example in the form of a traffic light, can be chosen. Provision can be made for the duration for which the report is displayed to depend on the severity of the rule violation. A minor rule violation can thus be displayed, for example, as a brief pop-up window. A detailed report can then be retrieved later when required.

Provision can further be made for the report to be created in the backend. The backend here consists of an IT infrastructure that is reachable via the network connection and provides services relating to the network connection. This has the advantage that no hardware needs to be provided in the vehicle, or that existing hardware can be used for other tasks. Computing power is available in the backend, or can be made available there more easily. Furthermore, it is simpler in the backend to communicate with multiple vehicles and multiple network components over different networks or protocols.

Furthermore, provision can be made for the reports of several vehicles to be combined into a data set. In this way, a vehicle manufacturer, fleet operator or service provider can obtain an overview of the entire fleet and, for example, check and evaluate the spread or severity of rule violations or of problems or attacks based on rule violations. Countermeasures can thus be carried out more quickly and in a more targeted manner.

Depending on the number of rule violations determined and/or the security risk, intensive observation can be carried out and/or the network capabilities of the vehicle can be restricted at least temporarily. For example, address ranges or protocols can be blocked or restricted in order to minimize or prevent security risks. The restriction of network capabilities can be carried out step by step. The restriction can range from limiting connections up to disconnecting or deactivating individual components of the communication connection, such as a smartphone or SIM card. This enables targeted protection while retaining as much functionality as possible. Furthermore, provision can be made for less serious events to trigger intensive observation first, with measures being taken only afterwards. This makes it possible to better distinguish errors and misjudgments ("false positives") from real attacks.

Monitoring for rule violations can take place at the network interface of the vehicle. Thus, for example, incoming and outgoing communication can be observed directly at the vehicle. This enables a very fast reaction to rule violations.

Monitoring for rule violations can take place at network components of a network that implements at least one mobile radio protocol and/or at least one Internet protocol. These network components can be destination or end points of the vehicle's communication, or intermediate points or relay stations on the communication path. Monitoring for rule violations inside the network may be simpler, because the required infrastructure usually already exists there. This gives independence from the hardware, software and model of the vehicle.

The convergence and/or plausibility of rule violations can be checked at different network components. In this case, the different data sources can be balanced against one another, so that a more accurate assessment of the situation is obtained and the data can be tested for plausibility.

Provision can be made to monitor vehicle-internal communication for rule violations. In this way, not only communication with external partners but also communication with internal partners, for example control devices, can be monitored, which further increases security. The results of the vehicle-internal monitoring can likewise be included in the report.

A vehicle according to the invention having a communication connection for at least one mobile radio protocol and/or at least one Internet protocol is configured to carry out the method described above for monitoring the security of the communication connection. The same advantages and modifications as described above apply. The vehicle can have a display device configured to display the report containing the determined rule violations. The display device can be an already existing unit, for example an infotainment system, which allows simple implementation in the vehicle. Provision can be made for a vehicle-internal communication network to be present and for a monitoring unit to be provided that is configured to monitor vehicle-internal communication in the vehicle-internal communication network for rule violations. The vehicle-internal communication network can be a bus system, for example a CAN bus (Controller Area Network), or a local data network, for example Ethernet. For example, security-relevant events can be reported to the backend by control devices, in order to extend the report or security report with diagnostic information from vehicle systems. The additional vehicle-internal monitoring can further increase security.

A control device according to the invention having at least one communication connection is configured to carry out the method described above for monitoring the security of a communication connection. The same advantages and modifications as described above apply. The control device can be a separate control device, or the function can be integrated into an existing control device, for example one for communication.

Further preferred embodiments of the invention result from the remaining features mentioned in the dependent claims.

Unless stated otherwise in individual cases, the different embodiments of the invention mentioned in this application can be advantageously combined with one another.

Description of the drawings

The invention is explained below in an exemplary embodiment with reference to the drawing.

FIG. 1 shows a schematic diagram of a system for monitoring the security of a communication connection of a vehicle.

Detailed description

FIG. 1 shows a system 10 for monitoring the security of the communication of a vehicle 12. The vehicle 12 is shown schematically, here in the form of a passenger car. Land vehicles such as trucks, buses, motorcycles and rail vehicles, as well as aircraft and ships, are also regarded as vehicles.

The vehicle 12 includes an interface 14 for communicating with a mobile radio network 16; the interface is compatible with one or more standards, such as UMTS and GSM, and/or protocols. In UMTS, for example, the protocols are referred to as strata and can be divided into protocol layers relating to radio access and specific protocol layers relating to services and subscriber management in the core network. One or more communication connections 18 can be established via the interface 14, enabling the vehicle 12 to communicate with external partners. The interface 14 and, where applicable, other components of the vehicle, for example corresponding control devices, are part of the communication connection 18 or of at least one communication connection 18.

The communication connection 18 frequently uses the mobile radio network 16 as a carrier, with the external communication partner, for example a server 20, being located in a computer network 22. The computer network 22 and the mobile radio network 16 are interconnected accordingly. In the computer network 22, several protocols, for example Ethernet, can in turn be active. The communication connection 18 can extend, for example, from the interface 14 of the vehicle 12 via the mobile radio network 16 and the computer network 22 to the server 20. The communication connection 18 can be unidirectional or bidirectional.

Several protocols are used for each network. By additionally observing several protocols in different networks, an accurate analysis can be carried out by checking convergence and/or plausibility. In general, one or more rule violations are monitored or processed in one, several or all of the protocols used by the communication connection 18. The monitored or processed protocols may extend over one, several or all of the networks used by the communication connection 18.

The monitoring unit 24 monitors the communication via at least one mobile radio protocol and/or at least one Internet protocol that is permitted according to a rule or rule set 26. When one or more rule violations are determined, the monitoring unit 24 creates a report 28. The report 28 contains the determined rule violations. Depending on the number and/or severity of the rule violations, the report or its display can be adapted, or its content filtered.

The monitoring unit 24 can be located in a backend 30. The backend 30 can be a component of, or a participant in, the computer network 22. The monitoring unit 24 can also be located in the vehicle 12. Furthermore, the monitoring unit 24 can be designed to be distributed over several units. For example, the monitoring unit 24 can also monitor a vehicle-internal communication network 32. This can take place via the interface 14 to the mobile radio network 16 or via a further interface 34, for example a manufacturer-specific one.

The monitoring for rule violations against the rules 26 in the mobile radio protocols and/or Internet protocols used by the vehicle 12, and the creation of a report 28 containing the determined rule violations when one or more rule violations are determined, are described in detail below.

The solution described here is based on the idea that a rule-based observation of the networks 16, 22 located in the vehicle 12 leads to defined actions in the event of anomalies, such as creating a report 28 and/or taking measures. By recording network events for security analysis, the impact on driver and vehicle of security incidents, some of which can have significant effects, can be markedly reduced. The networking of vehicles yields a wide variety of processing possibilities.

A prerequisite for taking action is that the communication behavior of the networked vehicle is checked for rule violations not only at the level of the mobile radio protocols but also for the protocols of the computer network. It should be noted that this detection can be carried out in such a way that only rule violations are detected, in order to comply with applicable data protection requirements. This can be illustrated using DNS resolution as an example. The networked vehicle 12 requests network addresses (URLs) for services. Because the services released for the vehicle 12 are known, the network 22 can recognize when an unusual address is requested by the vehicle 12. A request of this type triggers the corresponding action. The (authorized) vehicle user can now see from a display in the vehicle 12 that a rule violation exists. Optionally, the measures taken and their effects can likewise be displayed to the driver.

The display condenses the detected rule violations into easily recognizable categories, for example traffic light colors, and provides a detailed security report on request. The report is generated by a network element operating outside the vehicle 12, for example the monitoring unit 24. That is, only the system for displaying the report 28, for example a browser in an infotainment component, is located in the vehicle 12. The report 28 can be transmitted to the vehicle 12 via the interface 14 to the mobile radio network 16 or via the further interface 34.

The following list contains examples of rules 26 whose non-compliance is monitored in the networks 16 and 22.

In the computer network 22, rules such as the following are conceivable: use of network protocols that are not permitted, for example HTTPS is allowed while HTTP and/or FTP are prohibited. As a rule, requests to URLs/addresses that have not been released can be monitored. As a rule, a restriction of message types within a protocol, for example ICMP (Internet Control Message Protocol), can also be implemented.

In the mobile radio network 20, rules to be monitored can include, for example, attempts to establish a connection to a number that is not permitted, sending SMS to or receiving SMS from unauthorized participants, and/or a change in the combination of IMEI (International Mobile Station Equipment Identity) and ICCID (Integrated Circuit Card Identifier), with a check of the location of the vehicle 12 (for example leaving the EU), which indicates that the SIM card has been stolen.

Rule violations can be monitored and detected by different components of the networks 16 and 22, for example the HLR (Home Location Register), MSC (Mobile Switching Center) and SGSN (Serving GPRS Support Node) in the mobile radio network 16 and/or DNS (Domain Name System) servers, firewalls, gateways and servers in the computer network 22.

In addition, the monitoring unit 24 can send rules, rule sets, updates and the like to the networks 16 and 22 and their components. The networks 16 and 22 report back directly to the monitoring unit 24 or to a database to which the monitoring unit 24 likewise has access.

Depending on the determined rule violations, actions are taken in the monitoring unit 24, for example creating a report 28 containing the determined rule violations and/or taking measures. The report is sent to the vehicle 12 in order to inform the driver and is displayed to the driver there at least temporarily. Furthermore, the reports 28 of several vehicles, for example a company's fleet, the same vehicle model, all vehicles of a manufacturer or the vehicles selected by an arbitrary query, can be grouped and evaluated together, in order to obtain information beyond the individual vehicle, for example about the threat situation. This evaluation can be carried out in the monitoring unit 24 or in a backend of the manufacturer or a service provider, to which the reports 28 or the combined evaluation are sent.

In addition to creating the report 28, measures can also be taken on the basis of the report results. The solution proposed here provides different reactions to rule violations. The type of reaction depends on the severity of the rule violation. All reactions are technically triggered by network elements of the networks 16 and 22, not by vehicle systems.

The simplest reaction is to collect additional network data for the vehicle 12. The evaluation of the network data forms the basis for judging whether a security incident exists. The evaluation takes place on the network elements or in the monitoring unit 24. If a security incident exists, the network capabilities of the vehicle 12 can be restricted step by step. This likewise serves to reduce the impact on driver and vehicle and to restrict the affected vehicle.

Restrictions can include, for example:

- restricting the reachability of network resources (e.g. address ranges);

- selectively switching off individual services (combinations of protocol and address);

- blocking all ongoing data connections;

- disconnecting customer devices (e.g. smartphones, USB sticks);

- revoking the data tariff of the SIM card used (data connections are no longer possible);

- permanently deactivating the SIM card (vehicle is permanently offline).

In the cascade of measures described above, the possible measures are sorted according to the impact or severity of their intervention, with the simplest measure in first place. This cascade is, at least optionally, designed to interact with the number and/or relevance of the rule violations. For example, in the case of a highly relevant rule violation, a measure from the last stage of the cascade can be applied directly. In the case of rule violations that are minor or not yet fully clarified, intensive observation can also be carried out first.

The described measures can be grouped in order to form states that are easy for the user to interpret. Possible characteristics or profiles can be: no problems, under observation, limited functionality, offline.

Together with the traffic light display for assessing the severity of a security incident, the user is thus always clearly informed about the security state of the vehicle. The described measures are implemented as functions in the computing center or monitoring unit 24 and can therefore also be used in the course of customer service. This means that the network capabilities of the vehicle 12 can also be restricted at the customer's request.

The described invention makes it possible, in a simple manner, to monitor communication with a vehicle by rule-based monitoring of the protocols used by the communication. When a rule violation is determined, an action is carried out, for example creating a report and/or taking countermeasures, which are preferably graded.
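The rule check, the graded cascade of measures and the status profiles described above, as an added Python example that is not part of the patent. Host names, phone numbers, severity scores, the escalation thresholds and the traffic light colors are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Rule set 26. All concrete values are constructed for this example.
ALLOWED_PROTOCOLS = {"https", "dns"}   # page: HTTPS allowed, HTTP/FTP prohibited
RELEASED_HOSTS = {"services.oem.example", "maps.oem.example"}
ALLOWED_ICMP_TYPES = {0, 3, 8, 11}     # echo reply, unreachable, echo, time exceeded
PERMITTED_NUMBERS = {"+10000000001"}

# Severity per rule and the "critical" threshold are assumptions.
SEVERITY = {
    "icmp-type-not-permitted": 1,
    "protocol-not-permitted": 2,
    "address-not-released": 3,
    "number-not-permitted": 9,
}
CRITICAL = 9

# Cascade of measures in the order the page lists them, mildest first.
CASCADE = [
    "none",
    "collect additional network data",
    "restrict reachable address ranges",
    "switch off individual services",
    "block all data connections",
    "disconnect customer devices",
    "revoke SIM data tariff",
    "permanently deactivate SIM",
]


def check_event(ev):
    """Return (rule, offending value) pairs for one observed network event."""
    proto = ev["proto"]
    found = []
    if proto == "call":
        if ev["number"] not in PERMITTED_NUMBERS:
            found.append(("number-not-permitted", ev["number"]))
        return found
    if proto == "icmp":
        if ev["icmp_type"] not in ALLOWED_ICMP_TYPES:
            found.append(("icmp-type-not-permitted", ev["icmp_type"]))
        return found
    if proto not in ALLOWED_PROTOCOLS:
        found.append(("protocol-not-permitted", proto))
    if ev["host"] not in RELEASED_HOSTS:
        found.append(("address-not-released", ev["host"]))
    return found


def select_stage(severities):
    """Map the violations of one vehicle to a stage of the cascade."""
    if not severities:
        return 0
    if max(severities) >= CRITICAL:
        return len(CASCADE) - 1  # highly relevant violation: last stage directly
    # Minor violations start with observation and escalate with the total score.
    return min(len(CASCADE) - 1, 1 + sum(severities) // 3)


def profile_for(stage):
    """Group the measures into the four user-facing profiles plus a light color."""
    if stage == 0:
        return "no problems", "green"
    if stage == 1:
        return "under observation", "yellow"
    if stage <= 5:
        return "limited functionality", "red"
    return "offline", "red"


def build_reports(events):
    """Create report 28 per vehicle; only violations are stored, not compliant traffic."""
    per_vehicle = defaultdict(list)
    for ev in events:
        per_vehicle[ev["vehicle"]].extend(check_event(ev))
    reports = {}
    for vehicle, violations in per_vehicle.items():
        stage = select_stage([SEVERITY[rule] for rule, _ in violations])
        profile, light = profile_for(stage)
        reports[vehicle] = {"violations": violations, "measure": CASCADE[stage],
                            "profile": profile, "light": light}
    return reports


def fleet_summary(reports):
    """Combine the reports of several vehicles into one data set (count per profile)."""
    return Counter(r["profile"] for r in reports.values())


# Constructed sample events as a network component might hand them to unit 24.
SAMPLE_EVENTS = [
    {"vehicle": "VEH-A", "proto": "https", "host": "services.oem.example"},
    {"vehicle": "VEH-A", "proto": "dns", "host": "maps.oem.example"},
    {"vehicle": "VEH-B", "proto": "http", "host": "services.oem.example"},
    {"vehicle": "VEH-C", "proto": "dns", "host": "update.unknown.example"},
    {"vehicle": "VEH-C", "proto": "ftp", "host": "files.unknown.example"},
    {"vehicle": "VEH-C", "proto": "icmp", "icmp_type": 5},
    {"vehicle": "VEH-D", "proto": "call", "number": "+10000000099"},
]

if __name__ == "__main__":
    reports = build_reports(SAMPLE_EVENTS)
    for vehicle, report in sorted(reports.items()):
        print(vehicle, report["light"], report["profile"], "->", report["measure"])
    print(dict(fleet_summary(reports)))
```
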

List of reference signs

10      System
12      Vehicle
14      Interface
16      Mobile radio network
18      Communication connection
20      Server
22      Computer network
24      Monitoring unit
26      Rule set
28      Report
30      Backend
32      Vehicle-internal communication network
34      Interface

Claims (10)

1. A method for monitoring the safety of a communication connection (18) of a vehicle (12), wherein the vehicle (12) communicates via at least one mobile radio protocol and/or at least one internet protocol, having the following steps:
- establishing rules (26) for permitted communication via at least one mobile radio protocol and/or at least one internet protocol;
- monitoring for a rule violation against a rule in at least one mobile radio protocol and/or at least one internet protocol used by the vehicle (12);
- first making intensive observations and at least gradually limiting the network capacity of the vehicle (12) according to the determined number of rule violations and/or security risks;
- upon determination of one or more rule violations during the intensive observation, triggering the creation of a report (28) containing the determined rule violations; and
- taking at least one action when one or more rule violations are determined during the intensive observation.
2. The method according to claim 1, characterized in that the report (28) is displayed to the driver at least temporarily in the vehicle (12).
3. The method of claim 1, wherein the reports (28) of a plurality of vehicles (12) are combined into a data set.
4. The method according to claim 1, characterized in that the network capacity of the vehicle (12) is at least temporarily limited depending on the determined number of rule violations and/or security risks.
5. The method of claim 1, wherein the monitoring of the rule violation is performed at a network interface (14, 34) of the vehicle (12).
6. Method according to claim 1, characterized in that the monitoring of the rule violation is performed at a network component of a network (16, 22) implementing at least one mobile radio protocol and/or at least one internet protocol.
7. Method according to claim 6, characterized in that the convergence and/or trustworthiness of a rule violation is checked at different network components.
8. The method according to any one of claims 1 to 7, characterized by monitoring whether a communication inside the vehicle violates a rule.
9. A vehicle having a communication connection for at least one mobile radio protocol and/or at least one internet protocol, characterized in that the vehicle (12) is configured for carrying out a method for monitoring the security of a communication connection (18) according to any one of claims 1 to 8.
10. A control device having at least one communication connection, characterized in that the control device is configured for carrying out the method for monitoring the security of a communication connection according to any one of claims 1 to 8.
CN201780025765.2A | 2016-03-24 | 2017-02-23 | Method for monitoring the safety of a communication connection of a vehicle | Active | CN109076081B (en)

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
DE102016204999.2A, DE102016204999A1 (en) | 2016-03-24 | 2016-03-24 | Method for monitoring the security of communication links of a vehicle
DE102016204999.2 | 2016-03-24
PCT/EP2017/054156, WO2017162395A1 (en) | 2016-03-24 | 2017-02-23 | Method for monitoring the security of communication connections of a vehicle

Publications (2)

Publication Number | Publication Date
CN109076081A (en) | 2018-12-21
CN109076081B (en) | 2023-04-04

Family

ID=58162567

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201780025765.2A (Active, CN109076081B (en)) | Method for monitoring the safety of a communication connection of a vehicle | 2016-03-24 | 2017-02-23

Country Status (3)

Country | Link
CN (1) | CN109076081B (en)
DE (1) | DE102016204999A1 (en)
WO (1) | WO2017162395A1 (en)


Also Published As

Publication number | Publication date
WO2017162395A1 (en) | 2017-09-28
DE102016204999A1 (en) | 2017-09-28
CN109076081A (en) | 2018-12-21


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
