CN112514351A - Abnormality detection method and apparatus - Google Patents

Publication number: CN112514351A
Authority: CN (China)
Prior art keywords: message, sending, period, type, abnormal
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202080004306.8A
Other languages: Chinese (zh)
Inventors: 郭志鹏, 彭建芬
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; publication of CN112514351A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40 Bus networks
    • H04L 2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L 2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40 Bus networks
    • H04L 2012/40267 Bus for use in transportation systems
    • H04L 2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Abstract

The embodiments of this application provide an anomaly detection method and apparatus in the field of information security that can improve the security of a CAN bus network. The method comprises: acquiring the sending condition that must be met when a controller area network (CAN) message of a first type is sent; and detecting, according to that sending condition, whether a first message transmitted on the CAN bus is abnormal, where the first message belongs to the first type of CAN message.

Description

Abnormality detection method and apparatus
Technical Field
The embodiments of this application relate to the field of information security, and in particular to an abnormality detection method and apparatus for the Controller Area Network (CAN) bus of a vehicle-mounted controller.
Background
With the increasing intelligence and connectivity of automobiles, the intelligent connected vehicle has become the direction of automotive informatization. Given the frequent automotive security incidents of recent years and the evident security problems of connected vehicles, research into the security of connected vehicles and in-vehicle network systems is urgent. The CAN bus is currently the most widely used in-vehicle bus technology; as vehicle security problems have emerged, malicious attacks have penetrated the vehicle CAN bus network directly through external interfaces, seriously endangering the personal and property safety of drivers and passengers. The CAN bus lacks a basic security mechanism, so studying the security of the in-vehicle CAN bus network and anomaly detection techniques suited to the CAN bus is of great importance.
Disclosure of Invention
The embodiment of the application provides an anomaly detection method and device, which are used for solving the information safety problem of a CAN bus network.
In order to achieve the above purpose, the embodiment of the present application adopts the following technical solutions:
In a first aspect, an anomaly detection method is provided, the method comprising: acquiring the sending condition that must be met when a controller area network (CAN) message of a first type is sent; and detecting, according to that sending condition, whether a first message transmitted on the CAN bus is abnormal, where the first message belongs to the first type of CAN message.
Based on the method of the first aspect, anomaly detection for the first type of CAN message (such as the period-enable type and the periodic event type) can be realized: once a CAN message of the first type appears on the CAN bus, the IDS system can detect an abnormal message according to the method of the first aspect, so that the vehicle is not attacked through abnormal CAN messages, which improves vehicle security.
In one possible design, the first type of CAN message is a period-enable message, and the sending conditions include: a fixed sending period, a fast sending period, a minimum sending interval and a signal value.
In one possible design, detecting whether the first message transmitted on the CAN bus is abnormal according to the sending condition includes: if the sending frequency of the first message does not meet the minimum sending interval, determining that the sending of the first message is abnormal; and if the sending frequency of the first message meets the minimum sending interval, determining whether the first message is abnormal according to the fixed sending period, the fast sending period and the signal value.
In one possible design, determining whether the first message is abnormal according to the fixed sending period, the fast sending period and the signal value includes: determining that the first message belongs to the first type of CAN message; if the first message is determined from its signal value to be in the enable state and its sending frequency does not meet the fast sending period, determining that the first message is abnormal; and if the first message is determined from its signal value to be in the non-enable state and its sending frequency does not meet the fixed sending period, determining that the first message is abnormal.
Based on this possible design, for period-enable type messages the normal sending period, the fast sending period in the enable state, the signal value and the minimum sending interval are acquired; when the CAN bus is monitored in real time, both the signal value and the sending frequency of each CAN message belonging to the period-enable type are monitored, and whether an anomaly has occurred is judged jointly from the CAN message period, the CAN message sending type and the signal value. Therefore a period-enable type message does not cause a false alarm, while an abnormal sending frequency of such a message can still be detected, so that attacks on period-enable type messages can be discovered.
In one possible design, the first type of CAN message is a periodic event type message, and the sending conditions include: a fixed sending period, a fast sending period, a minimum sending interval, and a maximum number of consecutive sends N, where N is an integer greater than or equal to 1.
In one possible design, detecting whether the first message transmitted on the CAN bus is abnormal according to the sending condition includes: determining that the first message belongs to the first type of CAN message; where the signal value of the first message differs from that of the previous message (for example the last of the (N-1) periodic event type messages sent before the first message), determining that the sending of the first message is abnormal if its sending frequency does not meet the minimum sending interval, and that the sending of the first message is normal if its sending frequency meets the minimum sending interval; and where the signal values of the (N-1) periodic event type messages sent before the first message are not all the same, determining that the first message is abnormal if its sending frequency does not meet the fast sending period.
In one possible design, detecting whether the first message transmitted on the CAN bus is abnormal according to the sending condition includes: determining that the first message belongs to the first type of CAN message; if the sending of the first message does not meet the minimum sending interval, determining that the sending of the first message is abnormal; and if the sending of the first message meets the minimum sending interval and the signal values of the N consecutively sent CAN messages up to and including the first message are unchanged, determining that the first message is abnormal if its sending frequency does not meet the fixed sending period, and otherwise, if its sending frequency meets the fixed sending period, determining that the first message is sent normally.
Based on this possible design, for periodic event type messages the normal sending period, the fast sending period, the number of consecutive sends and the minimum sending interval are acquired; when the CAN bus is monitored in real time, both the signal value and the sending frequency of each CAN message belonging to the periodic event type are monitored, and whether an anomaly has occurred is judged jointly from the CAN message period, the CAN message sending type and the signal value. Therefore a periodic event type message does not cause a false alarm, while an abnormal sending frequency of such a message can still be detected, so that attacks on periodic event type messages can be discovered.
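The two sets of possible designs above describe state-dependent timing checks in words. The following is an added example, not code from the patent or from Huawei, that implements them as per-ID detectors: the period-enable detector checks the interval against the fast period in the enable state and against the fixed period otherwise, and the periodic-event detector tracks how many consecutive messages have carried the same signal value to decide whether the fast period or the fixed period applies. The 20% tolerance band, the treatment of a state change as allowed whenever the minimum interval is met, the assumption of steady state at start-up, and the sample traces are all constructed for this example and are not values from the patent.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added example (not the patent's own code): rule-based checks for the two
# "first type" CAN messages of the disclosure, period-enable and periodic-event.
# Times are in milliseconds; the 20% tolerance band is an assumption of this example.
TOLERANCE = 0.2

@dataclass
class PeriodEnableRule:
    fixed_period: float            # period while the signal is not in the enable state
    fast_period: float             # period while the signal is in the enable state
    min_interval: float            # two messages may never be closer than this
    enable_values: FrozenSet[int]  # OEM-defined signal values meaning "enabled"

@dataclass
class PeriodicEventRule:
    fixed_period: float
    fast_period: float
    min_interval: float
    max_burst: int                 # N: consecutive sends at the fast period after a change

def matches_period(interval: float, period: float) -> bool:
    """True if an observed interval lies inside the tolerance band of a period."""
    return abs(interval - period) <= TOLERANCE * period

class PeriodEnableDetector:
    """Per-ID state for period-enable messages (first possible design above)."""

    def __init__(self, rule: PeriodEnableRule):
        self.rule = rule
        self.last_ts: Optional[float] = None
        self.last_enabled: Optional[bool] = None

    def observe(self, ts: float, signal: int) -> str:
        """Return 'normal' or a short reason why the message is abnormal."""
        enabled = signal in self.rule.enable_values
        prev_ts, prev_enabled = self.last_ts, self.last_enabled
        self.last_ts, self.last_enabled = ts, enabled
        if prev_ts is None:
            return "normal"                  # first message: nothing to compare with
        interval = ts - prev_ts
        if interval < self.rule.min_interval:
            return "below minimum interval"  # abnormal in every state
        if enabled != prev_enabled:
            return "normal"                  # assumption: a state change may occur at any time
        expected = self.rule.fast_period if enabled else self.rule.fixed_period
        if not matches_period(interval, expected):
            state = "fast" if enabled else "fixed"
            return f"interval {interval:g} ms does not match {state} period {expected:g} ms"
        return "normal"

class PeriodicEventDetector:
    """Per-ID state for periodic-event messages (second group of designs above)."""

    def __init__(self, rule: PeriodicEventRule):
        self.rule = rule
        self.last_ts: Optional[float] = None
        self.last_signal: Optional[int] = None
        self.run_length = 0              # consecutive messages carrying the current value

    def observe(self, ts: float, signal: int) -> str:
        prev_ts, prev_signal, prev_run = self.last_ts, self.last_signal, self.run_length
        if prev_ts is None:
            self.run_length = self.rule.max_burst  # assumption: steady state at start-up
        elif signal != prev_signal:
            self.run_length = 1          # a value change restarts the fast burst
        else:
            self.run_length = prev_run + 1
        self.last_ts, self.last_signal = ts, signal
        if prev_ts is None:
            return "normal"
        interval = ts - prev_ts
        if interval < self.rule.min_interval:
            return "below minimum interval"
        if signal != prev_signal:
            return "normal"              # changes are event-driven; only the minimum applies
        # Unchanged value: still inside the burst of N fast sends, or back at the fixed period.
        expected = self.rule.fast_period if prev_run < self.rule.max_burst else self.rule.fixed_period
        if not matches_period(interval, expected):
            return f"interval {interval:g} ms does not match expected period {expected:g} ms"
        return "normal"

def run_trace(detector, trace):
    """Feed constructed (timestamp_ms, signal_value) pairs; return one verdict per message."""
    return [detector.observe(ts, sig) for ts, sig in trace]

# Constructed traces: fixed period 100 ms, fast period 20 ms, minimum interval 10 ms.
ENABLE_TRACE = [(0, 0), (100, 0), (200, 0), (215, 1), (235, 1), (255, 1),
                (258, 1),             # injected: 3 ms after the previous frame
                (350, 0), (370, 0)]   # injected: "disabled" frames at the fast rate
EVENT_TRACE = [(0, 0), (100, 0), (200, 0), (250, 1), (270, 1), (290, 1), (390, 1),
               (410, 1),              # injected: fast rate after the burst of N=3 ended
               (415, 2)]              # injected: value change below the minimum interval
```

Run it with `run_trace(PeriodEnableDetector(PeriodEnableRule(100, 20, 10, frozenset({1, 2}))), ENABLE_TRACE)` and `run_trace(PeriodicEventDetector(PeriodicEventRule(100, 20, 10, 3)), EVENT_TRACE)`: the legitimate state transitions and fast bursts pass without a false alarm, while the frame under the minimum interval and the frames sent at the fast rate in a state where the fixed period applies are reported, which is exactly the distinction the two "possible designs" draw.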
In a second aspect, the present application provides an apparatus, which may be an IDS system, a chip or system-on-chip in the IDS system, a module or unit in the IDS system for implementing the anomaly detection method described in the embodiments of the present application, or another module or unit capable of implementing the method performed by the IDS system. The apparatus may implement the functions performed by the IDS system in the first aspect or in any of the possible designs described above. In one design, the apparatus may include modules, units or means corresponding one-to-one to the method/operation/step/action described in the first aspect, and these modules, units or means may be implemented in hardware, in software, or in hardware executing the corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions. Such an apparatus may include a processing unit;
the processing unit is used for acquiring the sending condition that must be met when a CAN message of the first type is sent, and for detecting, according to that sending condition, whether a first message transmitted on the CAN bus is abnormal, where the first message belongs to the first type of CAN message.
For example, the specific implementation of the apparatus may refer to the behaviour of the IDS system in the anomaly detection method provided by the first aspect or any possible design of the first aspect, and is not repeated here. The apparatus can thus achieve the same advantageous effects as the first aspect or any of its possible designs.
In a third aspect, an apparatus is provided, which may be an IDS system, a chip or system-on-chip in an IDS system, or another module or unit capable of implementing the IDS-side method. The apparatus may implement the functions performed by the IDS system in the first aspect or in any of the possible designs described above, and these functions may be implemented in hardware. In one possible design, the apparatus may include a processor used for acquiring the sending condition that must be met when a CAN message of the first type is sent, and for detecting, according to that sending condition, whether a first message transmitted on the CAN bus is abnormal, where the first message belongs to the first type of CAN message.
In yet another possible design, the apparatus of the third aspect may further include a memory for storing computer instructions and/or data. When the apparatus is operating, the processor executes the computer instructions stored in the memory to cause the apparatus to perform the anomaly detection method of the first aspect or any one of the possible designs of the first aspect.
In a fourth aspect, there is provided a computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the anomaly detection method of the first aspect or any of the possible designs of the above aspects.
In a fifth aspect, there is provided a computer program product comprising instructions, which may include program instructions, when the computer program product is run on a computer, to make the computer execute the anomaly detection method of the first aspect or any possible design of the above aspect.
In a sixth aspect, there is provided a system-on-chip comprising a processor and a communication interface, the system-on-chip being operable to implement the functions performed by the IDS system in the first aspect or any of the possible designs of the first aspect. In one possible design, the system-on-chip further includes a memory for storing program instructions and/or data; when the system-on-chip is running, the processor executes the program instructions stored in the memory so that the system-on-chip performs the anomaly detection method of the first aspect or any one of its possible designs. Alternatively, the abnormality detection method described in the second aspect or any one of its possible designs is performed. The system-on-chip may consist of a chip alone, or of a chip together with other discrete devices, without limitation.
Drawings
Fig. 1a is a schematic diagram of a communication system architecture according to an embodiment of the present application;
Fig. 1b is a schematic structural diagram of a vehicle according to an embodiment of the present disclosure;
Fig. 2a to Fig. 2e are schematic diagrams of several types of CAN messages provided in the embodiments of the present application;
Fig. 3 is a first schematic flowchart of an anomaly detection method according to an embodiment of the present application;
Fig. 4 is a second schematic flowchart of an anomaly detection method according to an embodiment of the present application;
Fig. 5 is a third schematic flowchart of an anomaly detection method according to an embodiment of the present application;
Fig. 6 is a fourth schematic flowchart of an anomaly detection method according to an embodiment of the present application;
Fig. 7 is a schematic diagram of an apparatus 70 according to an embodiment of the present disclosure;
Fig. 8 is a schematic structural diagram of an apparatus 80 according to an embodiment of the present disclosure.
Detailed Description
With increasing vehicle intelligence and connectivity, network attacks on vehicles have become more frequent, and remote attacks have become the main attack mode. For example, an illegal user or lawbreaker can exploit a vulnerability in the In-Vehicle Infotainment (IVI) system of some vehicle models to send arbitrary CAN messages (legal CAN messages, illegal CAN messages, and so on) to the Controller Area Network (CAN) bus connected to the IVI system, and then control the central screen, speaker, microphone and so on of the vehicle through the illegal CAN messages.
The vehicle may be an intelligent connected automobile and may comprise the components shown in Fig. 1b. The vehicle may communicate with other network devices to exchange information and/or data. A network device may be a user terminal, a smart phone, a personal computer, a server, or the like. For example, as shown in Fig. 1a, the network architecture 10 includes a vehicle 11, a personal computer 12, a server 13 and a server 14, and the vehicle 11 can communicate over the network with any of the personal computer 12, the server 13 and the server 14. When the vehicle 11 communicates with other network devices, network attacks on the vehicle 11 by illegal users or lawbreakers inevitably become a problem.
Therefore, how to protect data-bus traffic from malicious manipulation once the vehicle boundary has been breached, and so ensure the personal safety of the driver, is one of the main considerations of in-vehicle network security today. To improve vehicle security, current in-vehicle network security measures are divided into static and dynamic means. Static means mainly comprise cryptographic techniques such as strong encryption, authentication and digital signatures. Dynamic means include deploying an Intrusion Detection System (IDS) in the vehicle. An IDS is an active network security defence: by continuously monitoring the traffic on the in-vehicle CAN bus in real time, it discovers network intrusion behaviour promptly and takes the corresponding handling measures according to the impact of that behaviour.
For example, Fig. 1b shows the components included in the vehicle 10. As shown in Fig. 1b, the vehicle 11 may include a vehicle-mounted communication box (T-Box) 101, a gateway (or vehicle-mounted gateway) 102, an OBD 103, a plurality of Electronic Control Units (ECUs) 104, an IVI system 105, an IDS system 106, and the like. The components within the vehicle 10 may be interconnected via the CAN bus. An ECU 104 may be a control unit with a particular function; for example, an ECU 104 may be a Mobile Data Center (MDC), a cockpit area controller (CDC), a Vehicle Control Unit (VCU), or the like.
In Fig. 1b, the T-Box 101 may communicate with devices both outside and inside the vehicle 11. A device outside the vehicle 11 is a device external to it; for example, it may be a server, a user's terminal device, a cloud, or the like, as shown in Fig. 1a.
The gateway 102 is a core component of the vehicle 11; it can route message data on the CAN bus between different networks. The OBD 103 may monitor the operating state of the vehicle and generate a fault code when a problem occurs.
The ECU 104 may be a microcomputer controller of the vehicle 11 capable of performing preset control functions, for example controlling engine operation or protecting vehicle safety. The IVI system 105 may be the infotainment system of the vehicle 11. The MDC may be an intelligent in-vehicle computing platform of the vehicle 11.
The IDS system 106 may diagnose vehicle faults, such as detecting anomalies in the message data transmitted over the CAN bus. The IDS system 106 may be deployed in an in-vehicle component such as the T-Box 101, the gateway 102, the MDC, the CDC or the VCU.
It should be understood that the architecture of the vehicle 11 shown in Fig. 1b is only an example and does not limit the technical solution of the present application. Those skilled in the art will appreciate that the vehicle 11 may include other devices, and that the number of gateways and ECUs may be determined according to particular needs in particular implementations.
Optionally, each component in Fig. 1b, for example the T-Box 101, the gateway 102, the ECU 104 or the IDS system, may be a physical device, or a functional module in a device. A functional module may be an element in a hardware device, a software function running on dedicated hardware, or a virtualization function instantiated on a platform (e.g. a cloud platform).
In-vehicle IDS systems mainly use rule-based, signature-based, and behaviour-analysis and machine-learning-based on-board IDS techniques to discover intrusions into the vehicle. A rule-based intrusion detection system may work as follows: rules that keep the in-vehicle network secure are preset or standardized on the basis of experience and design; the behaviour of the network or system is monitored in real time; and once that behaviour is found to deviate from the preset rules, it is determined to be abnormal and reported as an intrusion event.
For example, a rule for the normal sending frequency of message data on the vehicle's CAN bus may be preconfigured or specified; if the sending frequency of message data sent on the CAN bus is detected to deviate from that rule, the message data sent this time is determined to be possibly abnormal, and an abnormal event is recorded.
Vehicle manufacturers (OEMs) define several types of CAN messages, and each type has its own sending-frequency rule. These types are described in turn below:
First, periodic messages.
A periodic message is a CAN message (also called message data) that is always sent at a fixed sending period.
For example, as shown in Fig. 2a, the message data S0, S1, S2 are sent at equal intervals, with the same interval between any two adjacent messages. This sending interval may also be called the sending period, the normal sending period or the fixed sending period, and it is preconfigured.
Second, event type messages.
An event type message is message data that is sent only when the value of the signal changes. To avoid congestion of CAN messages on the CAN bus, a minimum sending interval is generally defined for event type messages, and the interval between two adjacent event type messages is not allowed to be smaller than it.
For example, as shown in Fig. 2b, when the signal value jumps from S=0 to S=1 the message data S1 is sent, when it jumps from S=1 to S=2 the message data S2 is sent, and when it jumps from S=2 to S=0 the message data S0 is sent.
Fourth, enable type messages.
An enable type message is sent only when the signal value is in the enable state, and in the enable state it is sent at a fixed sending period.
The specific value of the enable state may be predefined by the vehicle's OEM, for example preset when the vehicle leaves the factory. For example, as shown in Fig. 2c, the enable state is a non-zero signal value S; when the signal value jumps from S=0 to S=1, message data starts to be sent at the fixed sending period: S=1 is sent first, and S=2 is sent one fixed sending period later.
In the embodiments of the present application, the sending period may also be called the fixed sending period; it may be preset as needed, for example predefined by the OEM when the vehicle leaves the factory.
Fifth, periodic event type messages.
A periodic event type message is sent at a fixed sending period, called the normal sending period, while the signal value stays constant. If the signal value changes, several pieces of message data are sent consecutively at a fast sending period. If the signal value changes again during the fast sending, the count restarts. When the number of sends at the fast sending period reaches the preset maximum, message data continues to be sent at the normal sending period, i.e. the originally set fixed sending period.
The number of consecutive sends at the fast sending period may be defined by the OEM, for example as 3 or 4 sends.
For example, with the maximum number of sends at the fast sending period set to 3, as shown in Fig. 2d: while the signal value is S=0, the message data S0 is sent at the fixed sending period; when the signal value jumps from S=0 to S=1, the message data S1 is sent consecutively at the fast sending period; before S1 has been sent 3 times, the signal value jumps from S=1 to S=2 and the message data S2 is sent consecutively at the fast sending period; after S2 has been sent three times without the signal value changing, S2 is sent at the fixed sending period; and when the signal value jumps from S=2 to S=0, the message data S1 is sent consecutively at the fast sending period.
Sixth, period-enable type messages.
A period-enable type message is sent at the fast sending period only while the signal value is in the enable state; in the disabled state the message data is sent at the fixed sending period (also called the normal sending period).
The specific value of the enable state may be predefined by the vehicle's OEM, for example preset when the vehicle leaves the factory. The number of consecutive sends at the fast sending period may be defined by the OEM, for example as 3 or 4 sends.
For example, as shown in Fig. 2e, the enable state is a non-zero signal value S: when the signal value jumps from S=0 to S=1, the message data S=1 starts to be sent at the fast sending period; when the signal value jumps from S=1 to S=2, the message data S=2 is sent at the fast sending period; and when the signal value jumps from S=2 to S=0, the signal state is zero and the message data S=0 is sent at the fixed sending period.
In the embodiments of the present application the naming of each period is not limited; for example, the fixed sending period may also be called the first sending period and the fast sending period the second sending period, where the fixed sending period is longer than the fast sending period. Likewise, the naming of each message type is not limited, and each type described here may be given another name.
Taking periodic messages and event messages as examples, the in-vehicle IDS system can use the method shown in Fig. 3 to check the CAN bus communication in the vehicle and determine whether a periodic message or event message sent on the CAN bus is abnormal: if its sending frequency deviates from the predefined sending frequency requirement, it is determined to be an abnormal message; otherwise it is determined to be sent normally, meaning that the periodic or event message is a legal CAN message that will not attack the vehicle.
Specifically, as shown in fig. 3, the detection method includes steps 301 to 303:
step 301: and analyzing the communication matrix file to generate a rule.
Wherein the communication matrix file is defined by an OEM vendor. The communication matrix file may include some preconfigured parameters, which are related definitions of the OEM for the in-vehicle CAN bus communication, for example, the communication matrix file may include information such as a CAN message definition, a CAN message transmission type definition, and a CAN message state definition. The CAN message definition describes some characteristics of the CAN message, such as a message Identifier (ID) of the CAN message, a total length of the CAN message, a signal length of each signal included in the CAN message, and a related definition of the signal (e.g., a bit position (e.g., a start position of the signal) of the signal in the CAN message, a value range (e.g., a maximum value and a minimum value of the signal), and the like).
The CAN message sending type definition describes several types of CAN messages, such as periodic messages, event messages, periodic enable messages, periodic event messages and the like. The CAN message state definition describes a signal and a corresponding value when message data corresponding to the CAN message is triggered to be sent (i.e., the CAN message is in an enabled state).
The communication matrix file may be pre-configured in the vehicle, such as in the MDC of the vehicle. For example, the IDS system may retrieve and parse the communication matrix file from the MDC of the vehicle, reading the definitions of the message types of the messages in the communication matrix file. For example, the communication matrix may define the message type corresponding to each message, which may be periodic, event, hybrid, and the like. If the message is a non-periodic message, such as an event message, the minimum sending interval of the event message is recorded. If the message is a periodic message, the sending period (also called the normal sending period or fixed sending period) and the minimum sending interval of the periodic message are recorded.
Further, the minimum sending interval of the predefined event type message, and the normal sending period and the minimum sending interval of the predefined periodic message, obtained from the communication matrix file, are recorded in a rule database as rules for anomaly detection.
Step 302: monitor the CAN messages transmitted on the CAN bus.
For example, the IDS system may monitor the CAN bus in real time or periodically, and count the transmission frequency of the CAN messages transmitted on the CAN bus. The transmission frequency may include the transmission interval between consecutively transmitted CAN messages, the number of CAN messages transmitted per unit time, and the like.
Step 303: based on the sending frequency of the CAN message and the anomaly detection rules recorded in step 301, perform anomaly detection on the CAN messages transmitted on the CAN bus.
For example, the IDS system may read the predefined minimum transmission interval of the event type message and the predefined transmission period and minimum transmission interval of the periodic message from the rule database, compare the transmission frequency of the CAN message with these values obtained in step 301, and determine whether the timing is abnormal; if the timing is abnormal, an IDS event is recorded.
For example, for a periodic message, if it is detected that the transmission period of the CAN message is smaller than the minimum transmission interval, or that the difference between the transmission period of the CAN message and the predefined fixed transmission period exceeds a certain threshold, the timing is considered abnormal, and an IDS event is generated and recorded. For an event type message, if the sending period of the CAN message is detected to be smaller than the minimum sending interval, the timing is considered abnormal, and an IDS event is generated and recorded. The IDS event can then be handled accordingly by vehicle management personnel, so that the vehicle is prevented from being attacked.
Fig. 3 shows how the IDS system performs anomaly detection on a periodic message or an event message. However, the detection method shown in fig. 3 cannot detect anomalies of a hybrid CAN message (such as the period enable type and the period event type): once a hybrid CAN message appears on the CAN bus, the IDS system cannot detect an anomalous hybrid message, which may cause false alarms or missed alarms, and the vehicle may be attacked through abnormally transmitted hybrid CAN messages.
In order to address attacks on the vehicle through abnormally sent hybrid CAN messages, an embodiment of the present application provides an anomaly detection method for hybrid CAN messages, which may include: acquiring the sending logic (such as whether a fast sending period exists) and the period information corresponding to the hybrid CAN message (such as the period enable message and the period event message); when monitoring the CAN messages sent on the CAN bus against the sending logic and period information of the period event type message and the period enable type message, if a CAN message is a period event type message or a period enable type message, monitoring both the signal value of the CAN message and the sending frequency of the CAN message; and, during anomaly detection, combining the sending periods (such as the normal sending period, the fast sending period and the like) and the signal value to comprehensively judge whether the sending frequency of the period event type message or the period enable type message is abnormal.
Specifically, a method for detecting an abnormality of a hybrid CAN packet may be as shown in fig. 4.
Fig. 4 is an anomaly detection method provided by an embodiment of the present application, which may be executed by an IDS system or some functional module or device in a vehicle, as shown in fig. 4, and the method may include:
Step 401: acquire the sending conditions that a first type of controller area network (CAN) message must meet when it is sent.
The first type of CAN message may be a hybrid CAN message, for example, the first type of CAN message may be the above-mentioned periodic event type message, and/or the periodic enable type message. The sending condition to be met when the first type of CAN message is sent may be a condition corresponding to a CAN message which is defined by an OEM manufacturer in advance and CAN be normally transmitted (or allowed to be transmitted) in a vehicle, and if the sending period and the signal value when the first type of CAN message is sent on the CAN bus satisfy the sending condition, the first type of CAN message is a normally sent message. On the contrary, if the transmission cycle and the signal value of the first type of CAN message transmitted on the CAN bus cannot satisfy the above transmission condition, the first type of CAN message is an abnormal message.
If the first type of CAN message is a period enable type message, the transmission conditions include: the fixed transmission period, the fast transmission period, the minimum transmission interval and the signal value. The signal value may be the signal value corresponding to the non-enabled state of the message, or the signal value corresponding to the enabled state of the message, without limitation. In the embodiment of the present application, a single signal value is taken as an example; this is stated once here and the same parts are not described again below.
If the first type of CAN message is a periodic event type message, the transmission conditions include: the fixed transmission period, the fast transmission period, the minimum transmission interval, and the maximum number of consecutive transmissions N, where N is an integer greater than or equal to 1.
For example, the communication matrix file may be obtained and parsed from the MDC of the vehicle, and the definition of the message type of each message in the communication matrix file may be read. For example, the communication matrix may define the message type corresponding to each message, which may be periodic, event, hybrid, and the like. If the message is a period enable type message, the fixed sending period, the fast sending period, the minimum sending interval and the signal value of the period enable type message are recorded. If the message is a periodic event type message, the fixed sending period, the fast sending period, the minimum sending interval and the maximum number of consecutive transmissions N of the periodic event type message are recorded.
Further, the sending conditions corresponding to the predefined period enable type messages and the sending conditions corresponding to the periodic event type messages, acquired from the communication matrix file, are recorded in a rule database as rules for anomaly detection of hybrid messages.
Step 402: detect, according to the sending conditions, whether a first message transmitted on the CAN bus is abnormal.
The first message belongs to a first type of CAN message.
In one example, the first type of CAN message is a period enable type message, and detecting, according to the transmission conditions, whether the first message transmitted on the CAN bus is sent abnormally may include: if the sending frequency of the first message does not meet the minimum sending interval, determining that the first message is sent abnormally; and if the sending frequency of the first message meets the minimum sending interval, determining whether the first message is abnormal according to the fixed sending period, the fast sending period and the signal value.
Determining whether the first message is abnormal according to the fixed sending period, the fast sending period and the signal value may include: determining that the first message belongs to the first type of CAN message; if the first message is determined to be in the enabled state according to the signal value, judging whether the sending frequency of the first message meets the fast sending period, and if it does not, determining that the first message is an abnormal message; and if the first message is determined to be in the non-enabled state according to the signal value, judging whether the sending frequency of the first message meets the fixed sending period, and if it does not, determining that the first message is an abnormal message.
Specifically, this example can be seen with reference to fig. 5 described below.
In yet another example, the first type of CAN message is a periodic event type message. Detecting, according to the sending conditions, whether the first message transmitted on the CAN bus is abnormal may include: when the sending of the first message meets the minimum sending interval and the signal values corresponding to the N consecutively sent CAN messages including the first message have changed before the first message is sent, determining whether the first message is abnormal according to the fast sending period and the minimum sending interval. For example, if the first message and the last of the (N-1) periodic event type messages sent before it (i.e., the message immediately preceding the first message) correspond to different signal values, that is, the first message is the first differing message among the N messages, then if the sending frequency of the first message does not satisfy the minimum sending interval, i.e., the time interval between the first message and the last of the (N-1) periodic event type messages does not satisfy the minimum time interval, the first message is determined to be sent abnormally, and if the sending frequency of the first message satisfies the minimum sending interval, the first message is determined to be sent normally;
when the signal values corresponding to the (N-1) periodic event type messages sent before the first message are not all the same, but the first message has the same signal value as its preceding message among those (N-1) messages, that is, the first message is not the first differing message among the N messages, then if the sending frequency of the first message does not meet the fast sending interval, the first message is determined to be sent abnormally; otherwise, the sending frequency of the first message meets the fast sending interval and the first message is determined to be sent normally.
When the signal values corresponding to the N consecutively sent CAN messages including the first message have not changed before the first message is sent: if the sending of the first message does not meet the minimum sending interval, the first message is determined to be abnormal; if it meets the minimum sending interval but the sending frequency of the first message does not meet the fixed sending period, the first message is determined to be an abnormal message; otherwise, if the sending frequency of the first message meets the fixed sending period, the first message is determined to be sent normally.
Specifically, this further example can be seen with reference to fig. 6 described below.
Based on the method shown in fig. 4, the IDS system additionally obtains information (e.g., the signal value corresponding to the enabled state of the period enable message, the fast transmission period of the periodic event message, the fast transmission frequency, etc.) and detects the hybrid CAN message according to this additional information. In this way, a hybrid CAN message (of the periodic event type or the periodic enable type) is not falsely reported when it appears, while frequency anomalies occurring in hybrid CAN messages are still detected, so that attacks carried out through hybrid CAN messages can be discovered.
The frequency anomaly detection flow of the IDS system for the period-enabled packet is described below with reference to fig. 5:
fig. 5 provides an abnormality detection method according to an embodiment of the present application, and as shown in fig. 5, the abnormality detection method may include:
Step 501: parse the communication matrix file and establish rules.
Specifically, step 501 may include steps a) to c):
a) Read the message definition, the message type and the minimum message sending interval in the communication matrix file.
b) Judge the message type, and perform different operations according to the message type: i. if the message type is a period enable type message, look up the attribute definition of the message in the communication matrix file, which includes the normal sending period, the fast sending period and the signal value corresponding to the non-enabled state of the message; ii. if the message type is a periodic message, look up the transmission period of the message in the communication matrix file.
c) Record the message information, generate the rule for anomaly detection, and store the rule in the rule database.
Wherein, the rules of different types of CAN messages are different. For example, the rule of the period-enabled packet includes a minimum transmission interval, a normal transmission period, a fast transmission period, and a signal value. The rules of the periodic messages and the enabled messages include minimum sending intervals and sending periods. The rules for event type messages include a minimum transmission interval.
Step 502: the CAN bus is monitored.
Specifically, step 502 may include: a) monitor the CAN bus in real time and count the sending frequency of the CAN messages; b) judge the message type of a CAN message according to its CAN message ID. If the CAN message is a periodic message, an event message or an enable message, proceed directly to the anomaly detection step. If the CAN message is a period enable type message, read the signal value of the signal included in the CAN message, and then perform anomaly detection.
Step 503: anomaly detection.
Specifically, step 503 may include the following steps a) to c):
a) First, judge whether the sending frequency of the CAN message meets the minimum message sending interval; if not, abnormal sending of the CAN message is detected and an intrusion event is recorded.
b) If the sending frequency meets the minimum message sending interval, perform anomaly detection in a different manner according to the message type of the CAN message.
For example, if the CAN message is a periodic message or an enable message, the sending frequency of the CAN message is compared with the normal sending period in the rule database; if the difference between the sending frequency of the CAN message and the normal sending period exceeds a reasonable range, abnormal sending of the CAN message is detected and an intrusion event is recorded.
If the CAN message is a period enable type message, the following operations are performed according to the signal value of the signal included in the CAN message: if the signal value of the signal included in the CAN message differs from the signal value recorded in the rule database, the CAN message is determined to be in the enabled state, and the sending frequency of the CAN message is compared with the fast sending period; if the difference between the sending frequency of the CAN message and the fast sending period exceeds a reasonable range, abnormal sending of the CAN message is detected and an intrusion event is recorded.
If the signal value of the signal included in the CAN message is the same as the signal value recorded in the rule database, the CAN message is determined to be in the non-enabled state, and the sending frequency of the CAN message is compared with the normal sending period; if the difference between the sending frequency of the CAN message and the normal sending period exceeds a reasonable range, abnormal sending of the CAN message is detected and an intrusion event is recorded.
If the CAN message is an event message, proceed directly to the next step and execute step c).
c) If the CAN message is not sent abnormally, continue monitoring the CAN bus.
Based on the method shown in fig. 5, when the IDS system parses the communication matrix file, it additionally acquires the CAN message transmission type, the CAN message transmission logic and the period information, reading the normal sending period, the fast sending period, the signal value and the minimum sending interval of each period enable type message. When the CAN bus is monitored in real time, both the signal value and the sending frequency are monitored for CAN messages belonging to the period enable type. During anomaly detection, whether an anomaly has occurred is judged comprehensively according to the CAN message period, the CAN message sending type and the signal value of the CAN message. Therefore, the IDS system does not generate a false alarm when a period enable type message appears, and can still detect frequency anomalies occurring in period enable type messages, thereby discovering attacks carried out through period enable type messages.
The following describes the processing flow of the IDS system for detecting the anomaly of the periodic event type packet with reference to fig. 6:
fig. 6 is a flowchart of an anomaly detection method according to an embodiment of the present application, and as shown in fig. 6, the anomaly detection method may include:
Step 601: parse the communication matrix file and establish rules.
Specifically, step 601 may include steps a) to c):
a) Read the message definition, the message type and the minimum message sending interval in the communication matrix file.
b) Judge the message type, and perform different operations according to the message type: i. if the message type is a periodic event type message, look up the attribute definition of the message in the communication matrix file, which includes the normal sending period, the fast sending period and the number of consecutive transmissions N; ii. if the message type is a periodic message or an enable message, look up the transmission period of the message in the communication matrix file.
c) Record the message information, generate the rule for anomaly detection, and store the rule in the rule database.
The rules for different types of CAN messages are different. For example, the rule of a periodic event type message includes the minimum transmission interval, the normal transmission period, the fast transmission period and the number of consecutive transmissions N. The rules of periodic messages and enable messages include the minimum sending interval and the normal sending period. The rule of an event type message includes the minimum transmission interval.
Step 602: the CAN bus is monitored.
Specifically, step 602 may include: a) monitor the CAN bus in real time and count the sending frequency of the CAN messages; b) judge the message type of a CAN message according to its CAN message ID. If the CAN message is a periodic message, an event message or an enable message, proceed directly to the anomaly detection step. If the CAN message is a periodic event type message, read the signal value of the signal of the CAN message, and then perform anomaly detection.
Step 603: anomaly detection.
Specifically, step 603 may include the following steps a) to c):
a) First, judge whether the sending frequency of the CAN message meets the minimum sending interval; if not, abnormal sending of the CAN message is detected and an intrusion event is recorded.
b) If the sending frequency of the CAN message meets the minimum sending interval, perform anomaly detection in a different manner according to the message type of the CAN message.
For example, if the CAN message is a periodic message or an enable message, the sending frequency of the CAN message is compared with the normal sending period; if the difference between the sending frequency of the CAN message and the normal sending period exceeds a reasonable range, abnormal sending of the CAN message is detected and an intrusion event is recorded.
If the CAN message is a periodic event type message, number the current CAN message M, the CAN message preceding it M-1, and so on. First, judge whether the signal value has changed between the current CAN message M and the previous CAN message M-1; if it has changed, proceed directly to step c). If the signal value has not changed between the current CAN message M and the previous CAN message M-1, judge whether the signal value has changed anywhere from CAN message M-N+1 to message M (the N consecutively received messages):
if the signal values of the N consecutive messages from M-N+1 to M are unchanged, compare the counted sending frequency of the CAN message with the normal sending period; if the difference between the sending frequency of the CAN message and the normal sending period exceeds a reasonable range, abnormal sending of the CAN message is detected and an intrusion event is recorded;
if the signal values of the N consecutive messages from M-N+1 to M have changed, compare the counted sending frequency of the CAN message with the fast sending period; if the difference between the sending frequency of the CAN message and the fast sending period exceeds a reasonable range, abnormal sending of the CAN message is detected and an intrusion event is recorded.
If the CAN message is an event message, proceed directly to the next step c).
c) If no anomaly is found, continue monitoring the CAN bus.
Based on the method shown in fig. 6, when the IDS system parses the communication matrix file, it reads the normal transmission period, the fast transmission period, the number of consecutive transmissions and the minimum transmission interval of each periodic event type message. When the CAN bus is monitored in real time, both the signal value and the sending frequency are monitored for CAN messages belonging to the periodic event type. During anomaly detection, whether an anomaly has occurred is judged comprehensively according to the CAN message period, the CAN message sending type and the signal value of the CAN message. Therefore, the IDS system does not generate a false alarm when a periodic event type message appears, and can still detect frequency anomalies of periodic event type messages, thereby discovering attacks carried out through periodic event type messages.
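The following is an added worked example, written for this page and not code from the patent or its assignee, that implements the detection steps of fig. 3, fig. 5 and fig. 6 in one small rule-driven detector: the minimum-interval check first, then the per-type period check, with the signal value deciding between the normal and fast period for period enable messages and the window of N consecutive signal values deciding it for periodic event messages. The rule values, the "reasonable range" (assumed to be plus or minus 20% of the period, since the page does not fix it) and the replayed trace are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One rule-database entry as parsed from the OEM communication matrix.
    All values in this example are constructed, not taken from a real matrix."""
    msg_type: str                           # "periodic", "event", "periodic_enable" or "periodic_event"
    min_interval: float                     # minimum sending interval, ms
    normal_period: Optional[float] = None   # fixed (normal) sending period, ms
    fast_period: Optional[float] = None     # fast sending period, ms
    disabled_value: Optional[int] = None    # signal value of the non-enabled state (periodic_enable)
    n_consecutive: int = 1                  # N, maximum consecutive transmissions (periodic_event)
    tolerance: float = 0.2                  # assumed "reasonable range": +/-20% of the period


@dataclass
class _State:
    last_ts: Optional[float] = None
    values: List[int] = field(default_factory=list)   # recent signal values, newest last


class CanFrequencyIds:
    """Per-ID frequency anomaly detection following steps 502/503 and 602/603."""

    def __init__(self, rules: Dict[int, Rule]) -> None:
        self.rules = rules
        self.state: Dict[int, _State] = {}
        self.events: List[Tuple[int, float, str]] = []   # recorded intrusion events

    @staticmethod
    def _deviates(interval: float, period: float, tol: float) -> bool:
        # Abnormal when the interval leaves the tolerated range around the period.
        return abs(interval - period) > tol * period

    def observe(self, can_id: int, ts: float, value: Optional[int] = None) -> Optional[str]:
        """Feed one frame (ID, timestamp in ms, decoded signal value).
        Returns None when the frame is normal, else the kind of IDS event recorded."""
        rule = self.rules.get(can_id)
        if rule is None:
            return None                       # ID not defined in the matrix: out of scope here
        st = self.state.setdefault(can_id, _State())
        verdict = None
        if st.last_ts is not None:            # the first frame of an ID has no interval yet
            interval = ts - st.last_ts
            if interval < rule.min_interval:  # step a): minimum sending interval first
                verdict = "min_interval"
            else:                             # step b): per-type period check
                verdict = self._check_period(rule, st, interval, value)
        st.last_ts = ts
        if value is not None:                 # keep the last N values for the fig. 6 window
            st.values = (st.values + [value])[-rule.n_consecutive:]
        if verdict is not None:
            self.events.append((can_id, ts, verdict))
        return verdict

    def _check_period(self, rule: Rule, st: _State, interval: float, value: Optional[int]) -> Optional[str]:
        tol = rule.tolerance
        if rule.msg_type == "event":
            return None                       # fig. 3: only the minimum interval applies
        if rule.msg_type == "periodic":
            return "fixed_period" if self._deviates(interval, rule.normal_period, tol) else None
        if rule.msg_type == "periodic_enable":
            # fig. 5: a value different from the recorded non-enabled value means the
            # message is enabled and the fast period applies; otherwise the normal period.
            if value != rule.disabled_value:
                return "fast_period" if self._deviates(interval, rule.fast_period, tol) else None
            return "fixed_period" if self._deviates(interval, rule.normal_period, tol) else None
        if rule.msg_type == "periodic_event":
            # fig. 6: number the current frame M. A value change against M-1 needs no
            # period check. Otherwise inspect the window M-N+1 .. M (N frames).
            if not st.values or value != st.values[-1]:
                return None
            n = rule.n_consecutive
            window = (st.values[-(n - 1):] if n > 1 else []) + [value]
            if all(v == window[0] for v in window):   # no change in N frames: normal period
                return "fixed_period" if self._deviates(interval, rule.normal_period, tol) else None
            return "fast_period" if self._deviates(interval, rule.fast_period, tol) else None
        raise ValueError(f"unknown message type {rule.msg_type!r}")


# Constructed rule database (IDs, periods and N are invented for the example).
RULES: Dict[int, Rule] = {
    0x100: Rule("periodic", min_interval=80, normal_period=100),
    0x200: Rule("event", min_interval=10),
    0x300: Rule("periodic_enable", min_interval=20, normal_period=1000, fast_period=100, disabled_value=0),
    0x400: Rule("periodic_event", min_interval=10, normal_period=500, fast_period=50, n_consecutive=3),
}


def run_demo() -> List[Tuple[int, float, str]]:
    """Replay a constructed trace of (ID, timestamp ms, signal value) and return the IDS events."""
    trace = [
        # periodic: one frame 50 ms early, later one frame 30 ms late
        (0x100, 0, None), (0x100, 100, None), (0x100, 200, None), (0x100, 250, None),
        (0x100, 350, None), (0x100, 480, None),
        # event: second and third frames only 5 ms apart
        (0x200, 5, None), (0x200, 30, None), (0x200, 35, None),
        # periodic enable: 100 ms cadence while enabled is legitimate, 50 ms is not
        (0x300, 0, 0), (0x300, 1000, 0), (0x300, 1100, 1), (0x300, 1200, 1),
        (0x300, 1250, 1), (0x300, 2250, 0),
        # periodic event (N=3): a change followed by two fast copies is legitimate,
        # a third identical fast copy must already follow the normal period
        (0x400, 0, 0), (0x400, 500, 0), (0x400, 1000, 0), (0x400, 1020, 1),
        (0x400, 1070, 1), (0x400, 1120, 1), (0x400, 1620, 1),
    ]
    ids = CanFrequencyIds(RULES)
    for can_id, ts, value in trace:
        ids.observe(can_id, ts, value)
    return ids.events


if __name__ == "__main__":
    for can_id, ts, kind in run_demo():
        print(f"IDS event: id=0x{can_id:X} t={ts}ms kind={kind}")
```

The trace shows the point of figs. 5 and 6: the enabled 100 ms bursts of 0x300 and the first two fast copies of 0x400 after a value change raise no event, while the fig. 3 rules alone would have flagged them.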
The scheme provided by the embodiments of the present application has mainly been introduced from the perspective of the interaction between the nodes. It will be appreciated that each node, such as the IDS system, contains the corresponding hardware structures and/or software modules that perform the respective functions in order to implement the functions described above. Those skilled in the art will readily appreciate that the methods of the embodiments of the present application can be implemented in hardware, software, or a combination of hardware and computer software, in conjunction with the exemplary algorithm steps described in connection with the embodiments disclosed herein. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The present application embodiment may perform functional module division on the IDS system according to the above method examples, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
Fig. 7 shows a block diagram of a device 70, which may be an IDS system, a chip in an IDS system, a system on a chip, or another device capable of implementing the functionality of the IDS system in the above-described method; the device 70 can be used to implement the functionality of the IDS system involved in the above-described method embodiments. As one way of accomplishing this, the apparatus 70 shown in fig. 7 comprises: a processing unit 701.
A receiving unit 701, configured to receive a first communication message, where the first communication message includes first call signaling, and an originator or a recipient of the first call signaling is a roaming user equipment of the IDS system. For example, the receiving unit 701 may be used to support the apparatus 70 in performing S401, S802, S902.
A processing unit 702, configured to cause the first call signaling to be routed to a roaming-site AS of the roaming-in user equipment based on the first communication message, the roaming-site AS being an AS in a home area of the IDS system that has a capability of providing a call value added service for the user equipment. For example, the processing unit 702 may be used to support the apparatus 70 in performing S402, S802-S804, and S902-S904.
Specifically, all relevant contents of each step related to the method embodiments shown in fig. 3 to fig. 6 may be referred to the functional description of the corresponding functional module, and are not described herein again. The device 70 is used to perform the function of the IDS system in the anomaly detection method shown in the methods of fig. 3-6, and thus can achieve the same effect as the anomaly detection method described above.
In this embodiment, the apparatus 70 may also be presented in a form of dividing each functional module in an integrated manner. As used herein, a "functional block" may refer to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other devices that provide the described functionality. In a simple embodiment, one skilled in the art may realize that the functions/implementation procedures of the processing unit 701 in the apparatus 70 may be implemented by the processor calling the computer-executable instructions stored in the memory. The functions/implementation procedures of the transceiving unit 702 in fig. 7 may be implemented through a communication interface. For example, as yet another implementation, the apparatus 70 may employ the composition shown in fig. 8.
As yet another implementation, the IDS system described above may employ the components shown in fig. 8, or include the components shown in fig. 8. Fig. 8 is a schematic diagram of a device 80 according to an embodiment of the present application, where the device 80 may be a chip in an IDS system, a system on a chip, or another device capable of implementing the functions of the IDS system in the above-described method. As shown in fig. 8, the apparatus 80 may include a processor 801, a communication line 802, and a communication interface 803. Further, the apparatus 80 may further include a memory 804. The processor 801, the memory 804 and the communication interface 803 may be connected by a communication line 802. The processor 801 may integrate the functions of the processing unit 701. The communication interface 803 may integrate the functions of the transceiving unit 702 described above.
The processor 801 may be a Central Processing Unit (CPU), a general purpose processor, a Network Processor (NP), a Digital Signal Processor (DSP), a microprocessor, a microcontroller, a Programmable Logic Device (PLD), or any combination thereof. The processor 801 may also be other devices with processing functions, such as, without limitation, a circuit, a device, or a software module.
A communication line 802 for communicating information between the various components included in the apparatus 80.
A communication interface 803 is used for communicating with other devices or other communication networks (e.g., ethernet, Radio Access Network (RAN), Wireless Local Area Networks (WLAN)), etc. The communication interface 803 may be a module, a circuit, a transceiver, a network interface, or any device capable of enabling communication.
A memory 804 for storing instructions. Wherein the instructions may be a computer program.
The memory 804 may be a read-only memory (ROM) or other types of static storage devices that can store static information and/or instructions, a Random Access Memory (RAM) or other types of dynamic storage devices that can store information and/or instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc), a magnetic disc storage medium, other magnetic storage devices, and is not limited.
It is to be noted that the memory 804 may exist independently of the processor 801 or may be integrated with the processor 801. The memory 804 may be used for storing instructions or program code or some data or the like. The memory 804 may be located within the apparatus 80 or external to the apparatus 80, without limitation.
The processor 801 is configured to execute the instructions stored in the memory 804 to implement the anomaly detection method provided in the following embodiments of the present application. In one example, the processor 801 may include one or more CPUs, and as an alternative implementation, the apparatus 80 includes a plurality of processors.
As an alternative implementation, the apparatus 80 further comprises an output device 805 and an input device 806. Illustratively, the input device 806 is a device such as a keyboard, mouse, microphone or joystick, and the output device 805 is a device such as a display screen or speaker.
It should be noted that the apparatus 80 may be a desktop computer, a portable computer, a network server, a mobile phone, a tablet computer, a wireless terminal, an embedded device, a chip system or a device with a similar structure as that in fig. 8. Further, the constituent structure shown in fig. 8 does not constitute a limitation of the communication apparatus, and the communication apparatus may include more or less components than those shown in fig. 8, or combine some components, or a different arrangement of components, in addition to the components shown in fig. 8.
In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
The embodiment of the application also provides a computer-readable storage medium. All or part of the processes in the above method embodiments may be performed by relevant hardware instructed by a computer program, which may be stored in the computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The computer-readable storage medium may be an internal storage unit of the terminal device of any of the foregoing embodiments (for example, of the data transmitting end and/or the data receiving end), such as a hard disk or memory of the terminal device. The computer-readable storage medium may also be an external storage device provided on the terminal device, such as a plug-in hard disk, a smart memory card (SMC), a secure digital (SD) card or a flash memory card. Further, the computer-readable storage medium may include both an internal storage unit and an external storage device of the terminal device. The computer-readable storage medium stores the computer program and the other programs and data required by the terminal device, and may also be used to temporarily store data that has been output or is to be output.
The embodiment of the application also provides computer instructions. All or part of the flow of the above method embodiments may be performed by computer instructions that direct relevant hardware (such as a computer, a processor, a network device or a terminal). The instructions may be stored in the computer-readable storage medium described above.
It should be understood that, in the embodiment of the present application, "B corresponding to A" means that B is associated with A. For example, B may be determined from A. It should also be understood that determining B from A does not mean that B is determined from A alone; B may also be determined from A and/or other information. In addition, the term "connect" in the embodiment of the present application covers various connection manners, such as a direct or an indirect connection, that implement communication between devices, and this is not limited in this embodiment of the present application.
In the description of the present application, "/" indicates an "or" relationship between the objects before and after it; for example, A/B may indicate A or B. In the embodiment of the present application, "and/or" is only one kind of association relation describing the associated objects and indicates that three relations may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist simultaneously, or that B exists alone, where A and B may be singular or plural. Also, in the description of the present application, "a plurality" means two or more unless otherwise specified. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of singular or plural items. For example, at least one of a, b or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may each be singular or plural. In addition, to describe the technical solutions of the embodiments clearly, terms such as "first" and "second" are used in the embodiments of the present application to distinguish items that are the same or similar and have substantially the same functions and effects. Those skilled in the art will appreciate that the terms "first", "second" and the like do not denote any order, quantity or importance. Also, in the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance or illustration. Any embodiment or design described herein as "exemplary" or "for example" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "for example" is intended to present the relevant concepts in a concrete fashion for ease of understanding.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical functional division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another device, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, that is, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application may be substantially or partially implemented in the form of a software product, which is stored in a storage medium and includes instructions for causing a device (which may be a single-chip microcomputer, a chip or a processor) to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (18)

1. An anomaly detection method, characterized in that it comprises:
acquiring a sending condition that a controller area network (CAN) message of a first type needs to meet when it is sent; and
detecting, according to the sending condition, whether a first message transmitted on the CAN bus is abnormal, wherein the first message belongs to the first type of CAN message.
2. The method of claim 1, wherein
the first type of CAN message is a period-enable type message; and
the sending condition includes: a fixed sending period, a fast sending period, a minimum sending interval and a signal value.
3. The method according to claim 2, wherein the detecting, according to the sending condition, whether the first message transmitted on the CAN bus is abnormal comprises:
if the sending frequency of the first message does not meet the minimum sending interval, determining that the sending of the first message is abnormal; and
if the sending frequency of the first message meets the minimum sending interval, determining, according to the fixed sending period, the fast sending period and the signal value, whether the first message is abnormal.
4. The method according to claim 3, wherein the determining, according to the fixed sending period, the fast sending period and the signal value, whether the first message is abnormal comprises:
determining that the first message belongs to the first type of CAN message;
if the first message is determined, according to the signal value, to be in an enabled state and the sending frequency of the first message does not meet the fast sending period, determining that the first message is an abnormal message; and
if the first message is determined, according to the signal value, to be in a non-enabled state and the sending frequency of the first message does not meet the fixed sending period, determining that the first message is an abnormal message.
5. The method of claim 1, wherein
the first type of CAN message is a periodic-event type message; and
the sending condition includes: a fixed sending period, a fast sending period, a minimum sending interval and a maximum consecutive sending count N, where N is an integer greater than or equal to 1.
6. The method according to claim 5, wherein the detecting, according to the sending condition, whether the first message transmitted on the CAN bus is abnormal comprises:
determining that the first message belongs to the first type of CAN message;
when the signal value corresponding to the first message differs from the signal value corresponding to the last of the (N-1) periodic-event type messages sent before the first message: if the sending frequency of the first message does not meet the minimum sending interval, determining that the sending of the first message is abnormal, and if the sending frequency of the first message meets the minimum sending interval, determining that the sending of the first message is normal; and
when the signal values corresponding to the (N-1) periodic-event type messages sent before the first message are not all the same: if the sending frequency of the first message does not meet the fast sending period, determining that the first message is abnormal.
7. The method according to claim 5, wherein the detecting, according to the sending condition, whether the first message transmitted on the CAN bus is abnormal comprises:
determining that the first message belongs to the first type of CAN message;
if the sending of the first message does not meet the minimum sending interval, determining that the sending of the first message is abnormal; and
when the sending of the first message meets the minimum sending interval and the signal values corresponding to N consecutively sent CAN messages including the first message have not changed: if the sending frequency of the first message does not meet the fixed sending period, determining that the first message is an abnormal message, and otherwise, if the sending frequency of the first message meets the fixed sending period, determining that the sending of the first message is normal.
8. An apparatus, characterized in that the apparatus comprises:
a processing unit, configured to acquire a sending condition that a controller area network (CAN) message of a first type needs to meet when it is sent;
wherein the processing unit is further configured to detect, according to the sending condition, whether a first message transmitted on the CAN bus is abnormal, the first message belonging to the first type of CAN message.
9. The apparatus of claim 8, wherein
the first type of CAN message is a period-enable type message; and
the sending condition includes: a fixed sending period, a fast sending period, a minimum sending interval and a signal value.
10. The apparatus according to claim 9, wherein the processing unit is specifically configured to:
if the sending frequency of the first message does not meet the minimum sending interval, determine that the sending of the first message is abnormal; and
if the sending frequency of the first message meets the minimum sending interval, determine, according to the fixed sending period, the fast sending period and the signal value, whether the first message is abnormal.
11. The apparatus according to claim 10, wherein the determining, according to the fixed sending period, the fast sending period and the signal value, whether the first message is abnormal comprises:
determining that the first message belongs to the first type of CAN message;
if the first message is determined, according to the signal value, to be in an enabled state and the sending frequency of the first message does not meet the fast sending period, determining that the first message is an abnormal message; and
if the first message is determined, according to the signal value, to be in a non-enabled state and the sending frequency of the first message does not meet the fixed sending period, determining that the first message is an abnormal message.
12. The apparatus of claim 8, wherein
the first type of CAN message is a periodic-event type message; and
the sending condition includes: a fixed sending period, a fast sending period, a minimum sending interval and a maximum consecutive sending count N, where N is an integer greater than or equal to 1.
13. The apparatus according to claim 12, wherein the processing unit is specifically configured to:
determine that the first message belongs to the first type of CAN message;
when the signal value corresponding to the first message differs from the signal value corresponding to the last of the (N-1) periodic-event type messages sent before the first message: if the sending frequency of the first message does not meet the minimum sending interval, determine that the sending of the first message is abnormal, and if the sending frequency of the first message meets the minimum sending interval, determine that the sending of the first message is normal; and
when the signal values corresponding to the (N-1) periodic-event type messages sent before the first message are not all the same: if the sending frequency of the first message does not meet the fast sending period, determine that the first message is abnormal.
14. The apparatus according to claim 13, wherein the processing unit is specifically configured to:
determine that the first message belongs to the first type of CAN message;
if the sending of the first message does not meet the minimum sending interval, determine that the sending of the first message is abnormal; and
when the sending of the first message meets the minimum sending interval and the signal values corresponding to N consecutively sent CAN messages including the first message have not changed: if the sending frequency of the first message does not meet the fixed sending period, determine that the first message is an abnormal message, and otherwise, if the sending frequency of the first message meets the fixed sending period, determine that the sending of the first message is normal.
15. An apparatus, characterized in that the apparatus is adapted to perform the method of any of claims 1-7.
16. An apparatus comprising a processor and a memory, the memory coupled with the processor, the processor configured to perform the method of any of claims 1-7.
17. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 1-7.
18. A computer program product, wherein the computer program product comprises computer instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1-7.
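The claims above describe two timing profiles: a period-enable message that runs at its fixed period until an enable signal switches it to the fast period (claims 2 to 4), and a periodic-event message that is sent as soon as its signal changes, repeated at the fast period until N consecutive frames carry the unchanged value, and then returns to the fixed period (claims 5 to 7); in both cases the minimum sending interval is checked first. The following Python example is added here and is not code from the patent or from its applicant; it applies those sending conditions to a constructed trace of timestamped frames. Everything the claims do not state is an assumption: the 10 % timing tolerance, accepting either period on an enable transition, seeding the signal history at first observation, advancing per-ID state only on frames judged normal, and the CAN IDs, payload layouts and timings themselves.

```python
"""Added example: rule-based timing checks for the period-enable and
periodic-event CAN messages of claims 2-7. IDs, payload layouts, timings
and the frame traces below are constructed, not taken from the patent."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOLERANCE = 0.10  # assumption: 10 % relative tolerance absorbs normal bus jitter


def meets_period(dt: float, period: float) -> bool:
    """True when the gap dt (ms) lies within TOLERANCE of the expected period."""
    return abs(dt - period) <= period * TOLERANCE


@dataclass
class PeriodEnableRule:  # claims 2-4; periods and interval in ms
    fixed_period: float               # expected while the enable signal is off
    fast_period: float                # expected while the enable signal is on
    min_interval: float               # hard lower bound between two frames
    enabled: Callable[[bytes], bool]  # decodes the enable signal from the payload


@dataclass
class PeriodicEventRule:  # claims 5-7; periods and interval in ms
    fixed_period: float               # steady-state period
    fast_period: float                # period of the repeats after a signal change
    min_interval: float               # hard lower bound between two frames
    max_consecutive: int              # N: once N consecutive frames carry the same
    signal: Callable[[bytes], int]    # signal value the sender is back on fixed_period


@dataclass
class _State:
    last_t: Optional[float] = None    # timestamp of the last accepted frame
    enabled: Optional[bool] = None    # enable state of the last accepted frame
    signals: List[int] = field(default_factory=list)  # last N-1 accepted signal values


class CanTimingDetector:
    """Judges every frame of a configured CAN ID against its sending condition.
    Assumption beyond the claims: per-ID state advances only on frames judged
    normal, so an injected frame does not shift the reference for the next real one."""

    def __init__(self, rules: Dict[int, object]):
        self.rules = rules
        self.state = {cid: _State() for cid in rules}

    def check(self, can_id: int, t: float, data: bytes) -> str:
        """Return 'normal', 'abnormal:<reason>' or 'unknown' for one received frame."""
        rule = self.rules.get(can_id)
        if rule is None:
            return "unknown"          # no sending condition configured for this ID
        st = self.state[can_id]
        if st.last_t is None:
            verdict = "normal"        # first observation, nothing to compare against
        elif isinstance(rule, PeriodEnableRule):
            verdict = self._check_period_enable(rule, st, t - st.last_t, data)
        else:
            verdict = self._check_periodic_event(rule, st, t - st.last_t, data)
        if verdict == "normal":
            st.last_t = t
            if isinstance(rule, PeriodEnableRule):
                st.enabled = rule.enabled(data)
            else:  # assumption: the sender is in steady state when first observed
                keep, sig = max(rule.max_consecutive - 1, 1), rule.signal(data)
                st.signals = ((st.signals or [sig] * keep) + [sig])[-keep:]
        return verdict

    @staticmethod
    def _check_period_enable(rule, st, dt, data) -> str:
        if dt < rule.min_interval * (1 - TOLERANCE):
            return "abnormal:min_interval"                   # claim 3
        enabled = rule.enabled(data)
        if enabled != st.enabled:
            # Assumption (the claims are silent): a frame on an enable transition may
            # close the old schedule or open the new one, so either period is accepted.
            ok = meets_period(dt, rule.fast_period) or meets_period(dt, rule.fixed_period)
            return "normal" if ok else "abnormal:transition_period"
        if meets_period(dt, rule.fast_period if enabled else rule.fixed_period):  # claim 4
            return "normal"
        return "abnormal:fast_period" if enabled else "abnormal:fixed_period"

    @staticmethod
    def _check_periodic_event(rule, st, dt, data) -> str:
        if dt < rule.min_interval * (1 - TOLERANCE):
            return "abnormal:min_interval"                   # claims 6 and 7
        sig = rule.signal(data)
        if sig != st.signals[-1]:
            return "normal"   # claim 6: event-triggered send, only the min interval applies
        run = 1               # accepted frames in a row, this one included, with this value
        for prev in reversed(st.signals):
            if prev != sig:
                break
            run += 1
        steady = run >= rule.max_consecutive                 # claim 7: N unchanged -> fixed
        if meets_period(dt, rule.fixed_period if steady else rule.fast_period):
            return "normal"
        return "abnormal:fixed_period" if steady else "abnormal:fast_period"


def run_trace(detector: CanTimingDetector, trace) -> List[str]:
    """Feed (t_ms, can_id, payload) tuples in order and collect one verdict each."""
    return [detector.check(cid, t, data) for t, cid, data in trace]


# Constructed rules: 0x1A0 carries its enable flag in bit 0 of byte 0; 0x2B0 carries
# its event signal in byte 1 and sends a new value N = 3 times before slowing down.
RULES = {
    0x1A0: PeriodEnableRule(100, 20, 10, enabled=lambda d: bool(d[0] & 0x01)),
    0x2B0: PeriodicEventRule(200, 50, 20, max_consecutive=3, signal=lambda d: d[1]),
}
# Constructed traces (t in ms); "inject" marks frames a spoofing node adds.
TRACE_ENABLE = [
    (0, 0x1A0, b"\x00"), (100, 0x1A0, b"\x00"), (200, 0x1A0, b"\x00"),
    (220, 0x1A0, b"\x01"), (240, 0x1A0, b"\x01"), (260, 0x1A0, b"\x01"),  # enable on
    (265, 0x1A0, b"\x01"),                            # inject: 5 ms after the last frame
    (280, 0x1A0, b"\x01"), (300, 0x1A0, b"\x01"),
    (400, 0x1A0, b"\x00"), (500, 0x1A0, b"\x00"),     # enable off, fixed period again
    (550, 0x1A0, b"\x00"),                            # inject: min interval kept, period broken
    (600, 0x1A0, b"\x00"),
]
TRACE_EVENT = [
    (0, 0x2B0, b"\x00\x00"), (200, 0x2B0, b"\x00\x00"), (400, 0x2B0, b"\x00\x00"),
    (430, 0x2B0, b"\x00\x05"), (480, 0x2B0, b"\x00\x05"),   # change, then one fast repeat
    (680, 0x2B0, b"\x00\x05"), (880, 0x2B0, b"\x00\x05"),   # N reached: fixed period
    (890, 0x2B0, b"\x00\x09"),                              # inject: event inside min interval
    (1080, 0x2B0, b"\x00\x05"),
    (1100, 0x2B0, b"\x00\x07"), (1200, 0x2B0, b"\x00\x07"),  # real event; repeat at 100 ms, not 50
]
```

Calling `run_trace(CanTimingDetector(RULES), TRACE_ENABLE)` flags the frame at 265 ms (minimum interval) and the one at 550 ms (fixed period broken while the interval is kept); on `TRACE_EVENT` the frame at 890 ms is caught by the minimum interval and the repeat at 1200 ms by the fast period. Two caveats a deployment needs: a spoofed event frame whose signal value differs from the previous one and that respects the minimum interval passes the event branch of claim 6, so these timing rules have to be paired with plausibility checks on the signal content itself; and the tolerance must be measured per bus and per ID, since a value wide enough for the arbitration delay of a busy bus also widens the window in which an injected frame is accepted.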
CN202080004306.8A 2020-10-31 2020-10-31 Abnormality detection method and apparatus Pending CN112514351A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/125687 WO2022088160A1 (en) 2020-10-31 2020-10-31 Anomaly detection method and apparatus

Publications (1)

Publication Number Publication Date
CN112514351A true CN112514351A (en) 2021-03-16

Family

ID=74953139

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080004306.8A Pending CN112514351A (en) 2020-10-31 2020-10-31 Abnormality detection method and apparatus

Country Status (2)

Country Link
CN (1) CN112514351A (en)
WO (1) WO2022088160A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660141A (en) * 2021-08-18 2021-11-16 潍柴动力股份有限公司 Method, device, equipment, medium and product for detecting abnormity of sent message
CN114220194A (en) * 2021-11-25 2022-03-22 上汽通用五菱汽车股份有限公司 Driving safety monitoring and evaluating method, system and storage medium
CN114338083A (en) * 2021-12-03 2022-04-12 中汽创智科技有限公司 Controller local area network bus abnormality detection method and device and electronic equipment
CN114640703A (en) * 2022-03-14 2022-06-17 中国第一汽车股份有限公司 Data communication method and device, electronic equipment and storage medium
CN115022058A (en) * 2022-06-13 2022-09-06 恒大恒驰新能源汽车研究院(上海)有限公司 Safety detection method and device for controller local area network and electronic equipment

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114995330A (en) * 2022-05-18 2022-09-02 中国第一汽车股份有限公司 Vehicle CAN bus intrusion detection test method and test system
CN115150187B (en) * 2022-07-28 2024-04-26 中汽创智科技有限公司 Vehicle-mounted bus message security detection method and device, vehicle-mounted terminal and storage medium
CN117319529B (en) * 2023-11-29 2024-02-02 成都赛力斯科技有限公司 Message analysis method and device applied to vehicle end, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107426285A (en) * 2017-05-19 2017-12-01 北京软安科技有限公司 Vehicle-mounted CAN bus security protection method and device
CN110351295A (en) * 2019-07-22 2019-10-18 百度在线网络技术(北京)有限公司 Message detecting method and device, electronic equipment, computer-readable medium
CN110505134A (en) * 2019-07-04 2019-11-26 国家计算机网络与信息安全管理中心 Internet-of-vehicles CAN bus data detection method and device
CN111131185A (en) * 2019-12-06 2020-05-08 中国电子科技网络信息安全有限公司 CAN bus network anomaly detection method and device based on machine learning
US10713727B1 (en) * 2016-11-23 2020-07-14 State Farm Mutual Automobile Insurance Company Systems and methods for building and utilizing an autonomous vehicle-related event blockchain
CN111464415A (en) * 2020-04-02 2020-07-28 昆易电子科技(上海)有限公司 Method for early warning of CAN bus message abnormity and electronic equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016108963A1 (en) * 2014-12-30 2016-07-07 Battelle Memorial Institute Temporal anomaly detection on automotive networks
DE102015205670A1 (en) * 2015-03-30 2016-06-09 Volkswagen Aktiengesellschaft Attack detection method, attack detection device and bus system for a motor vehicle
DE102017218134B3 (en) * 2017-10-11 2019-02-14 Volkswagen Aktiengesellschaft A method and apparatus for transmitting a message sequence over a data bus and method and apparatus for detecting an attack on a message sequence thus transmitted
CN110691104B (en) * 2019-11-11 2021-08-31 哈尔滨工业大学 Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10713727B1 (en) * 2016-11-23 2020-07-14 State Farm Mutual Automobile Insurance Company Systems and methods for building and utilizing an autonomous vehicle-related event blockchain
CN107426285A (en) * 2017-05-19 2017-12-01 北京软安科技有限公司 Vehicle-mounted CAN bus security protection method and device
CN110505134A (en) * 2019-07-04 2019-11-26 国家计算机网络与信息安全管理中心 Internet-of-vehicles CAN bus data detection method and device
CN110351295A (en) * 2019-07-22 2019-10-18 百度在线网络技术(北京)有限公司 Message detecting method and device, electronic equipment, computer-readable medium
CN111131185A (en) * 2019-12-06 2020-05-08 中国电子科技网络信息安全有限公司 CAN bus network anomaly detection method and device based on machine learning
CN111464415A (en) * 2020-04-02 2020-07-28 昆易电子科技(上海)有限公司 Method for early warning of CAN bus message abnormity and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Luo Chao: "Research and Implementation of Defense Technology for the In-Vehicle Network of Connected Vehicles", Master's thesis, University of Electronic Science and Technology of China *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660141A (en) * 2021-08-18 2021-11-16 潍柴动力股份有限公司 Method, device, equipment, medium and product for detecting abnormity of sent message
CN113660141B (en) * 2021-08-18 2023-05-26 潍柴动力股份有限公司 Method, device, equipment, medium and product for detecting abnormity of sent message
CN114220194A (en) * 2021-11-25 2022-03-22 上汽通用五菱汽车股份有限公司 Driving safety monitoring and evaluating method, system and storage medium
CN114338083A (en) * 2021-12-03 2022-04-12 中汽创智科技有限公司 Controller local area network bus abnormality detection method and device and electronic equipment
CN114640703A (en) * 2022-03-14 2022-06-17 中国第一汽车股份有限公司 Data communication method and device, electronic equipment and storage medium
CN115022058A (en) * 2022-06-13 2022-09-06 恒大恒驰新能源汽车研究院(上海)有限公司 Safety detection method and device for controller local area network and electronic equipment

Also Published As

Publication number Publication date
WO2022088160A1 (en) 2022-05-05

Similar Documents

Publication Publication Date Title
CN112514351A (en) Abnormality detection method and apparatus
US11277427B2 (en) System and method for time based anomaly detection in an in-vehicle communication
US11115433B2 (en) System and method for content based anomaly detection in an in-vehicle communication network
Aliwa et al. Cyberattacks and countermeasures for in-vehicle networks
CN110463142B (en) Vehicle abnormality detection server, vehicle abnormality detection system, and vehicle abnormality detection method
EP3621246B1 (en) Security processing method and server
CN107431709B (en) Attack recognition method, attack recognition device and bus system for automobile
Müter et al. Entropy-based anomaly detection for in-vehicle networks
KR101853676B1 (en) Appratus and method for detecting vehicle intrusion
US20160173513A1 (en) Apparatuses and methods for security in broadcast serial buses
CN110995555B (en) CAN communication method, system and medium for controlling in a vehicle using displaced CAN message reference
Minawi et al. Machine learning-based intrusion detection system for controller area networks
US20220182404A1 (en) Intrusion path analysis device and intrusion path analysis method
JP2023515379A (en) SYSTEM AND METHOD FOR INTRUSION DETECTION FOR IN-VEHICLE NETWORK
CN109076081B (en) Method for monitoring the safety of a communication connection of a vehicle
CN111133727B (en) Method and apparatus for identifying attacks on a serial communication system
US11971982B2 (en) Log analysis device
US11694489B2 (en) Message monitoring system, message transmission electronic control unit, and monitoring electronic control unit
Laufenberg et al. Static analysis of controller area network communication for attack detection
JP2021140460A (en) Security management apparatus
JP2021196997A (en) Log transmission control device
Kocsis et al. Novel approaches to evaluate the ability of vehicles for secured transportation
KR20210103972A (en) System and method for intrusion detection on in-vehicle network
WO2023112493A1 (en) Threat information deployment system, threat information deployment method, and program
Santa Barletta et al. Detecting attacks on in-vehicle networks through a mobile app

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210316