CN111901307B - Encrypted traffic identification method, device, equipment and medium - Google Patents

Publication number
CN111901307B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010607947.4A
Other languages
Chinese (zh)
Other versions
CN111901307A (en)
Inventor
杨威
陈强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Abstract

The embodiments of the present disclosure relate to a method, an apparatus, a device and a medium for identifying encrypted traffic. The method comprises the following steps: collecting vehicle bus data; determining, for each data unit in the vehicle bus data, the occurrence probability that its value equals a set value; matching the occurrence probability of each data unit against the corresponding probability range to determine target data units; and identifying whether the vehicle bus data is encrypted according to the result of comparing the number of target data units with a set number threshold. With this technical solution, the encryption status of in-vehicle bus traffic can be accurately analyzed without knowledge of the message protocol format, which reduces implementation difficulty and improves the efficiency and generality of encryption identification for in-vehicle network data.

Description

Encrypted traffic identification method, device, equipment and medium
Technical Field
The present disclosure relates to the field of vehicle communication security technologies, and in particular, to a method, an apparatus, a device, and a medium for encrypted traffic identification.
Background
With the development of the Internet of Vehicles, vehicle information security is receiving more and more attention. At present, Controller Area Network (CAN) bus communication is the main communication mode inside a vehicle. No mandatory, uniform encryption scheme is defined for it, so encryption has to be implemented by each manufacturer. Whether the data on the CAN bus is protected by encryption is therefore a security test item of concern to many vehicle manufacturers and testing organizations.
At present, two approaches are generally used to identify whether network traffic is encrypted. One is deep packet inspection (DPI); the other is to extract the firmware of an Electronic Control Unit (ECU), reverse engineer it, and determine from the recovered code logic whether encryption is used. Of the two, deep packet inspection relies mainly on matching data formats and features, and cannot identify encryption effectively because vehicle encryption methods differ greatly, while firmware extraction followed by reverse analysis is difficult, time-consuming and not general.
Disclosure of Invention
To solve the above technical problem, or at least partially solve it, the present disclosure provides an encrypted traffic identification method, apparatus, device, and medium.
An embodiment of the present disclosure provides an encrypted traffic identification method, which comprises the following steps:
collecting vehicle bus data;
determining, for each data unit in the vehicle bus data, the occurrence probability that its value equals a set value;
matching the occurrence probability of each data unit against the corresponding probability range to determine target data units;
and identifying whether the vehicle bus data is encrypted according to the result of comparing the number of target data units with a set number threshold.
An embodiment of the present disclosure further provides an encrypted traffic identification apparatus, which includes:
a data acquisition module, used for collecting vehicle bus data;
a probability determination module, used for determining, for each data unit in the vehicle bus data, the occurrence probability that its value equals a set value;
a probability matching module, used for matching the occurrence probability of each data unit against the corresponding probability range to determine target data units;
and an encryption identification module, used for identifying whether the vehicle bus data is encrypted according to the result of comparing the number of target data units with a set number threshold.
An embodiment of the present disclosure further provides an electronic device, which includes: a processor; a memory for storing the processor-executable instructions; the processor is used for reading the executable instructions from the memory and executing the instructions to realize the encrypted traffic identification method provided by the embodiment of the disclosure.
The embodiment of the disclosure also provides a computer-readable storage medium, which stores a computer program for executing the encrypted traffic identification method provided by the embodiment of the disclosure.
Compared with the prior art, the technical solution provided by the embodiments of the present disclosure has the following advantages: the encrypted traffic identification scheme collects vehicle bus data, determines for each data unit in the vehicle bus data the occurrence probability that its value equals a set value, matches the occurrence probability of each data unit against the corresponding probability range to determine target data units, and identifies whether the vehicle bus data is encrypted according to the result of comparing the number of target data units with a set number threshold. With this technical solution, the encryption status of in-vehicle bus traffic can be accurately analyzed without knowledge of the message protocol format, which reduces implementation difficulty and improves the efficiency and generality of encryption identification for in-vehicle network data.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
To illustrate the embodiments of the present disclosure or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. Those skilled in the art can obtain other drawings from these drawings without inventive effort.
Fig. 1 is a schematic flowchart of an encrypted traffic identification method according to an embodiment of the present disclosure;
Fig. 2 is a schematic flowchart of another encrypted traffic identification method according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram of encrypted traffic identification according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of an encrypted traffic identification apparatus according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Traditional network traffic detection usually relies on deep packet inspection, which is based mainly on matching data formats and features and therefore cannot identify private protocols or encrypted traffic. In the automotive industry, the message protocol format on the in-vehicle CAN bus is entirely private and differs greatly between manufacturers and between vehicle models, so deep packet inspection cannot be used to analyze in-vehicle CAN bus traffic. The alternative is to extract the firmware of an electronic control unit, reverse engineer it, and look for the encryption method in the recovered code logic. This is difficult, time-consuming and not general. In addition, reversing a single electronic control unit only shows whether the messages sent by that unit are encrypted; it cannot show the encryption status of all messages on the bus, so analyzing a whole bus by firmware extraction and reverse analysis involves a huge workload. In view of these shortcomings, the embodiments of the present disclosure provide an encrypted traffic identification method.
Fig. 1 is a schematic flowchart of an encrypted traffic identification method according to an embodiment of the present disclosure, where the method may be executed by an encrypted traffic identification apparatus, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 1, the method includes:
Step 101, vehicle bus data is collected.
The vehicle bus data is the network communication data on the vehicle CAN bus and may include a plurality of CAN messages.
Specifically, collecting vehicle bus data may include: collecting the vehicle bus data classified by data frame identifier. The data frame identifier is the data frame ID. The data frames on the vehicle CAN bus are monitored in real time; different types of CAN messages are distinguished by their data frame identifiers, a plurality of CAN messages is collected for each data frame identifier, and the encryption status of each type of CAN message is then detected.
Step 102, for each data unit in the vehicle bus data, the occurrence probability that its value equals a set value is determined.
In the disclosed embodiment, the data field of each CAN message is at most 8 bytes long, one byte is 8 bits, and the various signal values within the vehicle are represented by a single bit or a combination of bits. A bit is the smallest unit of information. Here the data unit is a bit, whose value is 0 or 1, and the set value may be 1 or 0.
In general, the data field of CAN messages of the same type varies over a limited range, whereas data that has been processed by an encryption algorithm varies over a much wider range; if the encryption scheme is good enough, the encrypted result is close to a random number. Therefore, in the embodiments of the present disclosure, encryption identification is based on the occurrence probability that each bit takes the value 1.
Specifically, determining the occurrence probability that each data unit in the vehicle bus data takes the set value may include: determining it with the probability formula qi = di/N (i = 1, 2, 3, …, M), where N is the number of CAN messages in the vehicle bus data, qi is the occurrence probability that the i-th data unit takes the value a, a is the set value, M is the number of data units in each CAN message, and di is the number of messages in which the i-th data unit takes the value a. When each CAN message is 8 bytes, M is 64. Based on this formula, the occurrence probability that each bit in the vehicle bus data takes the value 1 is calculated, giving q1, q2, q3, …, qM.
Step 103, the occurrence probability of each data unit is matched against the corresponding probability range to determine the target data units.
The probability range is a preset threshold range between the minimum and maximum probability that a data unit takes the set value; a probability inside this range meets the random number requirement. The probability ranges of different data units may differ. A target data unit is a data unit whose occurrence probability matches its probability range, that is, a data unit whose values meet the random number requirement.
Specifically, matching the occurrence probability of each data unit against the corresponding probability range to determine the target data units may include: determining each data unit whose occurrence probability matches its corresponding probability range to be a target data unit, where different data units have different probability ranges. The occurrence probabilities are matched against their probability ranges one data unit at a time: if the occurrence probability that a data unit takes the set value lies within that data unit's probability range, the match succeeds and the data unit is a target data unit; otherwise the match fails.
Step 104, whether the vehicle bus data is encrypted is identified according to the result of comparing the number of target data units with the set number threshold.
The set number threshold is a threshold on the number of data units that meet the random number requirement. It may be determined in advance from actual test results and is used for encryption identification.
Specifically, identifying whether the vehicle bus data is encrypted according to the comparison may include: if the number of target data units is greater than or equal to the set number threshold, determining that the vehicle bus data is encrypted; otherwise, determining that the vehicle bus data is not encrypted. Once the target data units have been determined, they are counted and the count is compared with the set number threshold to perform encryption identification.
The encrypted traffic identification scheme provided by the embodiments of the present disclosure collects vehicle bus data, determines for each data unit in the vehicle bus data the occurrence probability that its value equals a set value, matches the occurrence probability of each data unit against the corresponding probability range to determine target data units, and identifies whether the vehicle bus data is encrypted according to the result of comparing the number of target data units with a set number threshold. With this technical solution, the encryption status of in-vehicle bus traffic can be accurately analyzed without knowledge of the message protocol format, which reduces implementation difficulty and improves the efficiency and generality of encryption identification for in-vehicle network data.
In some embodiments, the encrypted traffic identification method may further include: determining, from the sample probability that each data unit in sample random data takes the set value, the average probability and the average variance with which each data unit takes the set value, and determining the probability range corresponding to each data unit from the average probability and the average variance.
The sample random data is a set of computer-generated pseudo-random numbers used to simulate encrypted data traffic. Assume that the sample random data includes K CAN messages, with K as large as possible, that the set value is 1, and that each CAN message is 8 bytes. The data format may then be: message 1 is b1b2b3b4b5b6b7b8b9…b64; message 2 is b1b2b3b4b5b6b7b8b9…b64; message 3 is b1b2b3b4b5b6b7b8b9…b64; message 4 is b1b2b3b4b5b6b7b8b9…b64; message 5 is b1b2b3b4b5b6b7b8b9…b64; …; message K is b1b2b3b4b5b6b7b8b9…b64.
The probability that each bit in the sample random data takes the value 1 is calculated. Taking the first bit as an example, the probability that the first bit of the K CAN messages is 1 is calculated and recorded as p1; the probability for each bit is calculated in turn, giving p1, p2, p3, …, p64. There may be L groups of sample random data, and the larger L is the better; the calculation of the per-bit probabilities is repeated for each group. Then the average probabilities P1, P2, P3, …, P64 and the average variances α1, α2, α3, …, α64 with which each bit takes the value 1 are calculated. The probability range corresponding to each bit is set to X times the confidence interval of that bit's average probability, that is, Φ1 = [P1 - Xα1, P1 + Xα1], Φ2 = [P2 - Xα2, P2 + Xα2], Φ3 = [P3 - Xα3, P3 + Xα3], …, Φ64 = [P64 - Xα64, P64 + Xα64]. X may be set according to actual conditions; for example, X may be set to 10.
The advantage of this arrangement is that, because encrypted data traffic resembles random numbers, the probability range with which each data unit takes the set value can be determined by using pseudo-random numbers as samples for the subsequent encryption identification, which improves identification efficiency.
Fig. 2 is a schematic flow chart of another encrypted traffic identification method according to the embodiment of the present disclosure, and the embodiment further optimizes the encrypted traffic identification method on the basis of the foregoing embodiment. As shown in fig. 2, the method includes:
Step 201, determining a probability range corresponding to each data unit based on the sample random data.
Specifically, from the sample probability that each data unit in the sample random data takes the set value, the average probability and the average variance with which each data unit takes the set value are determined, and the probability range corresponding to each data unit is determined from the average probability and the average variance.
Step 202, vehicle bus data is collected.
Step 203, determining, for each data unit in the vehicle bus data, the occurrence probability that its value equals the set value.
Step 204, matching the occurrence probability of each data unit against the corresponding probability range, and determining the target data units.
Step 205, determining whether the number of target data units is greater than or equal to the set number threshold; if yes, executing step 206; otherwise, executing step 207.
Step 206, determining that the vehicle bus data is encrypted.
Step 207, determining that the vehicle bus data is not encrypted.
For example, Fig. 3 is a schematic diagram of encrypted traffic identification provided in an embodiment of the present disclosure. Assume that the occurrence probability that each data unit in the vehicle bus data takes the set value is qi, i = 1, 2, 3, …, 64, giving q1, q2, q3, …, q64; that the probability range with which each data unit takes the set value is Φi; that the number of target data units is n; and that the set number threshold is Y. Starting from the first of the 64 calculated bit probabilities, each qi is checked in turn against its probability range Φi, and the counter n is incremented by 1 whenever qi lies within Φi. It is then determined whether the counter n exceeds the set number threshold Y; if so, the data traffic is encrypted traffic, otherwise it is unencrypted traffic.
Referring to Fig. 3, the specific process may be as follows. Initially, data is collected and qi is calculated. Check whether i is less than 64; if so, set i = i + 1 and check whether qi belongs to Φi, and if it does, set n = n + 1. If it does not, return to checking whether i is less than 64. When i equals 64, every occurrence probability qi has been matched against its probability range Φi; then check whether n is greater than or equal to Y. If yes, the data traffic is encrypted traffic; otherwise it is unencrypted traffic.
In this scheme, a large number of CAN messages of the same type are collected, the occurrence probability that each bit in the data field takes the value 1 is calculated, and the calculated probability is compared with the average probability computed in advance from sample random data. When the calculated occurrence probability lies within the confidence interval of the average probability, the data traffic is considered encrypted; otherwise it is considered unencrypted.
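Steps 201 to 207 as an added Python sketch; it is not code from the patent. The function names, the frame IDs 0x1A0 and 0x2B4, the constructed payload layout and Y = 56 are assumptions, pseudo-random bytes stand in for encrypted traffic, and α is taken as the standard deviation across the L groups, whereas the text calls it the "average variance".

```python
import random
import statistics
from collections import defaultdict


def bit_probabilities(messages):
    """Steps 102/203: qi = di/N for each bit position (MSB of byte 0 is i = 1)."""
    if not messages:
        raise ValueError("no messages collected")
    size = len(messages[0])
    if any(len(m) != size for m in messages):
        raise ValueError("data fields of one frame ID must have equal length")
    bits = 8 * size
    counts = [0] * bits                      # di: messages whose bit i is 1
    for msg in messages:
        value = int.from_bytes(msg, "big")
        for i in range(bits):
            counts[i] += (value >> (bits - 1 - i)) & 1
    return [d / len(messages) for d in counts]


def random_frames(k, size=8, seed=0):
    """K pseudo-random data fields, used as sample random data."""
    rng = random.Random(seed)
    return [rng.getrandbits(8 * size).to_bytes(size, "big") for _ in range(k)]


def probability_ranges(groups=20, k=500, size=8, x=10.0, seed=1):
    """Step 201: ranges [Pi - X*ai, Pi + X*ai] from L groups of K messages."""
    per_group = [bit_probabilities(random_frames(k, size, seed + g))
                 for g in range(groups)]
    ranges = []
    for column in zip(*per_group):           # one bit position across groups
        mean = statistics.mean(column)       # Pi
        alpha = statistics.stdev(column)     # assumption: spread as std. dev.
        ranges.append((mean - x * alpha, mean + x * alpha))
    return ranges


def count_target_bits(q, ranges):
    """Steps 103/204: n = number of bits whose qi lies inside its range."""
    if len(q) != len(ranges):
        raise ValueError("need one probability range per bit")
    return sum(lo <= qi <= hi for qi, (lo, hi) in zip(q, ranges))


def classify(capture, ranges, y):
    """Steps 101 and 205-207: group frames by ID, report n >= Y per ID."""
    by_id = defaultdict(list)
    for can_id, data in capture:
        by_id[can_id].append(data)
    return {can_id: count_target_bits(bit_probabilities(msgs), ranges) >= y
            for can_id, msgs in by_id.items()}


def plain_frames(n):
    """Constructed unencrypted payload: 16-bit signal, flag byte,
    4-bit rolling counter, four bytes of zero padding."""
    return [(1000 + k % 50).to_bytes(2, "big") + bytes([0x80, k & 0x0F]) + bytes(4)
            for k in range(n)]


if __name__ == "__main__":
    ranges = probability_ranges()
    # Constructed capture: one plaintext ID and one random-looking ID.
    capture = [(0x1A0, d) for d in plain_frames(500)]
    capture += [(0x2B4, d) for d in random_frames(500, seed=99)]
    for can_id, encrypted in classify(capture, ranges, y=56).items():
        print(f"ID 0x{can_id:03X}: {'encrypted' if encrypted else 'not encrypted'}")
```

In the constructed plaintext frame only the varying signal bits and the rolling counter bits can fall inside their ranges, which shows why the decision counts matching bits against Y rather than reacting to any single bit.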
The embodiments of the present disclosure provide an encrypted traffic detection method for private message formats on the in-vehicle CAN network. It accurately analyzes the encryption status of in-vehicle bus traffic without knowledge of the message protocol format, with high identification efficiency and accuracy. Compared with traditional deep packet inspection, the method does not need to know the protocol details and can analyze any private protocol; compared with firmware reverse engineering, it is more general and easier to carry out.
The encrypted traffic identification scheme provided by the embodiments of the present disclosure determines a probability range corresponding to each data unit based on sample random data, collects vehicle bus data, determines for each data unit in the vehicle bus data the occurrence probability that its value equals a set value, matches the occurrence probability of each data unit against the corresponding probability range to determine target data units, and identifies whether the vehicle bus data is encrypted according to the result of comparing the number of target data units with a set number threshold. With this technical solution, the encryption status of in-vehicle bus traffic can be accurately analyzed without knowledge of the message protocol format, which reduces implementation difficulty and improves the efficiency and generality of encryption identification for in-vehicle network data.
Fig. 4 is a schematic structural diagram of an encrypted traffic identification apparatus provided in an embodiment of the present disclosure, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device, and may implement encrypted identification of vehicle network data by executing an encrypted traffic identification method. As shown in fig. 4, the apparatus includes:
a data acquisition module 301, configured to collect vehicle bus data;
a probability determination module 302, configured to determine, for each data unit in the vehicle bus data, the occurrence probability that its value equals a set value;
a probability matching module 303, configured to match the occurrence probability of each data unit against the corresponding probability range and determine the target data units;
and an encryption identification module 304, configured to identify whether the vehicle bus data is encrypted according to the result of comparing the number of target data units with a set number threshold.
The encrypted traffic identification scheme provided by the embodiments of the present disclosure collects vehicle bus data, determines for each data unit in the vehicle bus data the occurrence probability that its value equals a set value, matches the occurrence probability of each data unit against the corresponding probability range to determine target data units, and identifies whether the vehicle bus data is encrypted according to the result of comparing the number of target data units with a set number threshold. With this technical solution, the encryption status of in-vehicle bus traffic can be accurately analyzed without knowledge of the message protocol format, which reduces implementation difficulty and improves the efficiency and generality of encryption identification for in-vehicle network data.
Optionally, the data acquisition module 301 is specifically configured to:
collect the vehicle bus data classified by data frame identifier.
Optionally, the probability determining module 302 is specifically configured to:
determine the occurrence probability that each data unit in the vehicle bus data takes the set value with the probability formula qi = di/N (i = 1, 2, 3, …, M), where N is the number of CAN messages in the vehicle bus data, qi is the occurrence probability that the i-th data unit takes the value a, a is the set value, M is the number of data units in each CAN message, and di is the number of messages in which the i-th data unit takes the value a.
Optionally, the data unit is a bit, and the set value is 1.
Optionally, the probability matching module 303 is specifically configured to:
determine each data unit whose occurrence probability matches its corresponding probability range to be a target data unit, where different data units have different probability ranges.
Optionally, the encryption identification module 304 is specifically configured to:
determine that the vehicle bus data is encrypted if the number of target data units is greater than or equal to the set number threshold; otherwise, determine that the vehicle bus data is not encrypted.
Optionally, the apparatus further includes a probability unit determining module, specifically configured to:
determine, from the sample probability that each data unit in sample random data takes the set value, the average probability and the average variance with which each data unit takes the set value, and determine the probability range corresponding to each data unit from the average probability and the average variance.
The encrypted traffic identification device provided by the embodiment of the disclosure can execute the encrypted traffic identification method provided by any embodiment of the disclosure, and has the corresponding functional modules and beneficial effects of the execution method.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 5, the electronic device 400 includes one or more processors 401 and memory 402.
The processor 401 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 400 to perform desired functions.
Memory 402 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by processor 401 to implement the encrypted traffic identification method of the embodiments of the present disclosure described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, etc. may also be stored in the computer-readable storage medium.
In one example, the electronic device 400 may further include: an input device 403 and an output device 404, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 403 may also include, for example, a keyboard, a mouse, and the like.
The output device 404 may output various information to the outside, including the determined distance information, direction information, and the like. The output devices 404 may include, for example, a display, speakers, a printer, and a communication network and its connected remote output devices, among others.
Of course, for simplicity, only some of the components of the electronic device 400 relevant to the present disclosure are shown in fig. 5, omitting components such as buses, input/output interfaces, and the like. In addition, electronic device 400 may include any other suitable components depending on the particular application.
In addition to the above methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the encrypted traffic identification method provided by embodiments of the present disclosure.
The program code of the computer program product for carrying out operations of embodiments of the present disclosure may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform the encrypted traffic identification method provided by embodiments of the present disclosure.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. An encrypted traffic identification method, comprising:
collecting vehicle bus data;
determining the occurrence probability of each data unit value in the vehicle bus data as a set value;
matching the occurrence probability of each data unit with the corresponding probability range to determine a target data unit;
according to the comparison result of the number of the target data units and a set number threshold, carrying out encryption identification on the vehicle bus data;
the determining the occurrence probability that each data unit value in the vehicle bus data is a set value includes: determining the occurrence probability of each data unit value in the vehicle bus data as a set value by adopting a probability formula, wherein the probability formula is $q_i = d_i / N$, $i = 1, 2, 3, \ldots, M$, where $N$ denotes the number of CAN message data in the vehicle bus data, $q_i$ denotes the occurrence probability that the value of the $i$-th data unit is $a$, $a$ is the set value, $M$ is the number of data units included in each CAN message data, and $d_i$ denotes the number of times the $i$-th data unit takes the value $a$;
the matching the occurrence probability of each data unit with the corresponding probability range to determine the target data unit includes: determining the data unit with the occurrence probability successfully matched with the corresponding probability range as a target data unit;
the encrypting and identifying the vehicle bus data according to the comparison result of the number of the target data units and the set number threshold comprises the following steps: determining that the vehicle bus data is encrypted if the number of target data units is greater than or equal to a set number threshold; otherwise, determining that the vehicle bus data is not encrypted.
2. The method of claim 1, wherein the collecting vehicle bus data comprises:
the vehicle bus data is collected based on a data frame identification classification.
3. The method of claim 1, wherein the data unit is a bit and the set value is 1.
4. The method of claim 1, wherein the probability ranges for different data units are different.
5. The method of claim 1, further comprising:
and determining the average probability and the average variance of each data unit value as a set value based on the sample probability of each data unit value as the set value in the sample random data, and determining the probability range corresponding to each data unit based on the average probability and the average variance.
6. An encrypted traffic identification device, comprising:
the data acquisition module is used for acquiring vehicle bus data;
the probability determination module is used for determining the occurrence probability of the value of each data unit in the vehicle bus data as a set value;
the probability matching module is used for matching the occurrence probability of each data unit with the corresponding probability range to determine a target data unit;
the encryption identification module is used for carrying out encryption identification on the vehicle bus data according to the comparison result of the number of the target data units and a set number threshold;
the probability determination module is specifically configured to: determining the occurrence probability of each data unit value in the vehicle bus data as a set value by using a probability formula, wherein the probability formula is $q_i = d_i / N$, $i = 1, 2, 3, \ldots, M$, wherein $N$ represents the number of the CAN message data in the vehicle bus data, $q_i$ represents the occurrence probability of the $i$-th data unit value as $a$, $a$ represents the set value, $M$ represents the number of the data units included in each CAN message data, and $d_i$ represents the number of times the $i$-th data unit takes the value $a$;
the probability matching module is specifically configured to: determining the data unit with the occurrence probability successfully matched with the corresponding probability range as a target data unit;
the encryption identification module is specifically configured to: determining that the vehicle bus data is encrypted if the number of target data units is greater than or equal to a set number threshold; otherwise, determining that the vehicle bus data is not encrypted.
7. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing the processor-executable instructions;
the processor is used for reading the executable instructions from the memory and executing the instructions to realize the encrypted traffic identification method of any one of the claims 1 to 5.
8. A computer-readable storage medium, characterized in that the storage medium stores a computer program for executing the encrypted traffic identification method according to any one of claims 1 to 5.
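The following Python sketch is an added illustration of the method in claims 1, 3 and 5, not code from the patent or its applicant. It assumes 8-byte CAN payloads collected for a single frame ID, a probability range of mean plus or minus three standard deviations, and a threshold of 58 of 64 bits; the claims fix none of these values, and all sample frames are constructed.

```python
import random
from statistics import mean, pstdev

NBITS = 64  # assumed: every frame carries a full 8-byte CAN data field

def bit_probabilities(frames):
    """q_i = d_i / N: share of the N frames whose i-th bit is 1 (claims 1 and 3)."""
    counts = [0] * NBITS
    for frame in frames:
        value = int.from_bytes(frame, "big")
        for i in range(NBITS):
            counts[i] += (value >> (NBITS - 1 - i)) & 1
    return [d / len(frames) for d in counts]

def random_frames(n, rng):
    """n uniformly random 8-byte payloads (the 'sample random data' of claim 5)."""
    return [rng.getrandbits(NBITS).to_bytes(NBITS // 8, "big") for _ in range(n)]

def probability_ranges(n, trials=100, k=3.0, seed=7):
    """Claim 5: per-bit range from the mean and variance of q_i over random samples.
    ASSUMPTION: range = mean +/- k standard deviations; the claim gives no formula."""
    rng = random.Random(seed)
    samples = [bit_probabilities(random_frames(n, rng)) for _ in range(trials)]
    ranges = []
    for column in zip(*samples):  # one column per bit position
        mu, sd = mean(column), pstdev(column)
        ranges.append((mu - k * sd, mu + k * sd))
    return ranges

def identify(frames, ranges, min_targets):
    """Count target bits (q_i inside its range); encrypted if count >= threshold."""
    q = bit_probabilities(frames)
    targets = sum(lo <= qi <= hi for qi, (lo, hi) in zip(q, ranges))
    return targets >= min_targets, targets

def demo(n=256, min_targets=58):  # 58 of 64 is an assumed threshold setting
    ranges = probability_ranges(n)
    # Constructed plaintext for one CAN ID: rolling counter byte + 7 fixed bytes.
    plain = [bytes([c % 256, 0x10, 0x00, 0x7F, 0x00, 0x00, 0xFF, 0x01]) for c in range(n)]
    # Constructed stand-in for ciphertext: uniformly random payloads.
    cipher = random_frames(n, random.Random(2020))
    return identify(plain, ranges, min_targets), identify(cipher, ranges, min_targets)

if __name__ == "__main__":
    print(demo())
```

The rolling counter byte in the plaintext sample contributes eight bits whose probability is exactly 0.5, which shows why the decision rests on the number of target bits rather than on any single bit.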
CN202010607947.4A 2020-06-29 2020-06-29 Encrypted traffic identification method, device, equipment and medium Active CN111901307B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010607947.4A CN111901307B (en) 2020-06-29 2020-06-29 Encrypted traffic identification method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN111901307A (en) 2020-11-06
CN111901307B (en) 2021-09-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant