CN112866270B - Intrusion detection defense method and system - Google Patents

Info

Publication number
CN112866270B
Authority
CN
China
Prior art keywords
signal
message
value
intrusion detection
detection
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110130768.0A
Other languages
Chinese (zh)
Other versions
CN112866270A (en)
Inventor
李丰军
周剑光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Automotive Innovation Co Ltd
Original Assignee
China Automotive Innovation Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40006 Architecture of a communication node
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN

Abstract

The invention discloses an intrusion detection defense method and system, and belongs to the technical field of vehicle networks. The invention makes up for the deficiencies of the prior art by providing a brand-new system architecture. The system mainly comprises five modules: a database, a signal extractor, a rule parser, a detection unit and a message collector. The invention combines preventive measures with intrusion detection: it does not only detect intrusions, but also directly discards data packets determined to be absolutely illegal. Meanwhile, in order to reduce the influence of the preventive measures on normal communication, that is, to keep the communication delay small, a message collector is arranged on the target device to carry out blocking processing.

Description

Intrusion detection defense method and system
Technical Field
The invention relates to the technical field of vehicle networks, in particular to an intrusion detection and defense method, device, equipment and computer storage medium.
Background
With the integration of Internet of Things technology into the automobile industry, vehicles are no longer isolated, closed mechanical products but open systems with complex on-board networks. Because of this openness, network security problems are increasingly prominent: once a hacker intrudes into the on-board network, the hacker can launch attacks and easily interfere with or even control the vehicle. CAN (Controller Area Network), currently the most widely used on-board control network, is a key target for hackers. In recent years, hackers have penetrated the CAN bus through different interfaces, causing serious harm to driving safety. Research on CAN bus security schemes is therefore significant.
Currently, the security scheme of the CAN bus is divided into three directions: cryptography-based message authentication, physical feature-based message authentication, and CAN bus anomaly detection. Anomaly detection of the CAN bus detects attacks by utilizing the characteristics of the communication network and data or by monitoring and detecting network anomalies on the CAN bus using big data analysis and machine learning.
The current main methods for intrusion detection on the CAN bus have certain defects. For example, a method that detects bus anomalies by learning the periodicity of CAN messages and checking the CAN negative interval time is simple and effective, but can only detect DoS attacks, periodic message attacks and the like. A method that builds a transition matrix between adjacent messages of different IDs in the actual network can detect abnormal message sequences on the CAN bus without false alarms, but it can miss alarms, and its detection rate depends strongly on the actual message distribution and the attack type, so a high detection rate cannot be guaranteed.
Disclosure of Invention
The purpose of the invention is as follows: aiming at the problems in the prior art, the invention provides a vehicle-mounted CAN intrusion detection and defense method according to the characteristics of the vehicle CAN bus design, and further provides a system for realizing the method. The vehicle-mounted CAN bus is decomposed into a system consisting of a plurality of signals through a communication matrix file, network data and network states are monitored on a signal layer to identify illegal messages and detect network anomalies, and finally an intrusion detection and defense system is realized based on the CAN bus.
The technical scheme is as follows:
In a first aspect, a vehicle-mounted CAN intrusion detection and defense method is provided, which comprises the following specific operation steps:
(1) A message collector installed on the target equipment collects messages;
(2) The signal extractor performs data analysis operations on the collected messages and extracts the signals in the messages according to the methods provided by the signal library.
(3) The value of each signal is obtained by analyzing the communication matrix file of the corresponding network.
The values of the signals include:
(a) The start bit indicates where the signal starts;
(b) The length represents the length of the signal;
(c) The format indicates the format of the signal.
(4) Recording signal analysis data of the message according to the value of each signal obtained in the step (3) and the number of signals contained in the message, and obtaining message characteristics through the signal analysis data;
the signal analysis data of the message mainly includes: the number of signals to be extracted, the identifier of each signal and the associated attribute value of each signal.
(5) The rule extractor searches an index according to the characteristics of the message, sequentially analyzes all rule data corresponding to the message characteristics of the message from the signal range library and the signal relation library, and triggers the detection unit, wherein the signal range library records the range of each signal value and is used for checking whether the signal value of the message is legal or not; the signal relation library records the relation between the signal and the network system and is used for detecting whether the signal value is abnormal under the current network system.
(6) After being triggered by the rule extractor, the detection unit calls a detection algorithm to check the signal value, using the signal value extracted by the signal extractor and the rule parsed by the rule extractor.
The detection algorithm mainly comprises the following steps:
(a) A signal range detection algorithm, which judges whether the starting position, length, range and other attributes of each signal in the message are in a legal range;
(b) A signal value correlation detection algorithm, which judges whether the relationship between signals is abnormal; the relationship types checked include the signal change rate and the relationship between signals.
(7) The detection unit further judges whether the signal value is legal or not and whether an abnormality exists or not.
(8) If the data packet is illegal or abnormal, the data packet where the signal value is located is discarded.
In a second aspect, a vehicle-mounted CAN intrusion detection and defense device is provided, which mainly comprises a database, a message collector, a signal extractor, a rule resolver and a detection unit.
(1) Database
The database is the most basic part of the overall framework. It is a set of rule data used to record the signal composition and signal characteristics of the target CAN network, and it provides data support for the signal extractor and rule parser modules. The entire database is subdivided into three databases: a signal library, a signal range library and a signal relationship library. The signal library records the signal analysis data for each message and provides the method for extracting signal values from message data. The signal range library records the value range of each signal, to check whether the signal value in a message is legal. The signal relationship library records the relationship between the signals and the network system, and is used for detecting whether the value of the next signal is abnormal in the current network system.
(2) Message collector
The message collector blocks and collects the communication data of the CAN equipment and returns the detection results of rule checking and bypass collection.
(3) Signal extractor
The signal extractor is operative to perform data analysis operations on a message and to extract values for each signal from received message data according to methods provided in a signal library for subsequent examination of the message data.
(4) Rule parser
Each signal has its own unique characteristics that can be used in a particular anomaly detection method. We use data in a particular format to describe these features (called rule data), with a wide variety of rules. The role of the rule parser is to parse and recognize these rules and invoke the correct detection method to perform the detection.
(5) Detection unit
The detection unit is a collection of detection algorithms and many signal values, and is the core part of the CAN-IDP. The signal value extracted by the signal extractor and the data parsed by the rule parser are sent to the detection unit, which checks the signal value and then judges whether it is legal. The detection unit also records the latest values of some necessary signals to describe the current state of the network, and uses them to check signal values in subsequent messages.
In a third aspect, an in-vehicle CAN intrusion detection and prevention device is provided, the device comprising: a processor, and a memory storing computer program instructions; the intrusion detection and prevention method of the first aspect is implemented when the processor reads and executes the computer program instructions.
In a fourth aspect, a computer storage medium is provided, on which computer program instructions are stored, which when executed by a processor implement the intrusion detection and prevention method of the first aspect.
Advantageous effects: the invention provides an intrusion detection and defense method and system that detect and monitor network data and network states in a vehicle-mounted CAN (Controller Area Network) from a signal perspective. Because the safety of a vehicle-mounted network is very important, the system framework combines preventive measures with intrusion detection, so that data packets determined to be absolutely illegal are directly discarded rather than only detected. Meanwhile, in order to reduce the influence of the preventive measures on normal communication, that is, to keep the communication delay small, a message collector is arranged on the target device to carry out blocking processing. As a result, illegal data packets can be identified and discarded at the prevention level, and communication delay is kept small.
Drawings
Fig. 1 is an on-board CAN intrusion detection and prevention device framework.
FIG. 2 is a flow chart of a vehicle CAN intrusion detection and prevention method.
Detailed Description
The technical scheme of the invention is further explained by the embodiment and the corresponding attached drawings.
Fig. 1 shows the device architecture provided by the invention. As shown in Fig. 1, the architecture is divided into the following modules: a database, a signal extractor, a rule parser, a detector and a message collector. These modules exchange messages with the CAN central gateway in the form of CAN frames.
(1) Database
The database is the most basic part of the overall framework. It is a set of rule data used to record the signal composition and signal characteristics of the target CAN network, and it provides data support for the signal extractor and rule parser modules. The entire database is subdivided into three databases: a signal library, a signal range library and a signal relationship library. The signal library records the signal analysis data for each message and provides the method for extracting signal values from message data. The signal range library records the value range of each signal, to check whether the signal value in a message is legal. The signal relationship library records the relationship between the signal and the network system, and is used for detecting whether the value of the next signal is abnormal in the current network system.
(2) Message collector
The message collector blocks and collects the communication data of the CAN equipment and returns the detection results of rule checking and bypass collection.
(3) Signal extractor
The signal extractor is operative to perform data analysis operations on a message and to extract values for each signal from received message data according to methods provided in a signal library for subsequent examination of the message data.
(4) Rule parser
Each signal has its own unique characteristics that can be used in a particular anomaly detection method. We use data in a particular format to describe these features (called rule data), with a wide variety of rules. The role of the rule parser is to parse and recognize these rules and invoke the correct detection method to perform the detection.
(5) Detection unit
The detection unit is a collection of detection algorithms and many signal values, and is the core part of the CAN-IDP. The signal value extracted by the signal extractor and the data parsed by the rule parser are sent to the detection unit, which checks the signal value and then determines whether it is legal or abnormal. The detection unit also records the latest values of some necessary signals to describe the current state of the network, and uses them to check signal values in subsequent messages.
FIG. 2 is a flow chart of the steps of the present invention, explained in detail below;
(1) A message collector installed on the target equipment collects messages;
(2) After receiving the message, the signal extractor performs data analysis operation on the message, and extracts the signal in the message according to the method provided by the signal library.
(3) The value of each signal is obtained by analyzing the communication matrix file of the corresponding network.
The values of the signals include: start bit, length, and format (symbol type, endian).
(4) Signal analysis data for the message is recorded.
The signal analysis data of the message mainly includes: the number of signals to be extracted, the identifier of each signal and the associated attribute value of each signal, as shown in the following table.
TABLE 1 Signal analysis data
Name      Length   Value    Description
CID       48Byte   -        CANID
SNUM      1Byte    -        Number of signals to be extracted
SID1      1Byte    [0-63]   First signal identifier
Format1   1Byte    -        First signal format
Start1    1Byte    [0-63]   First signal start position
Length1   1Byte    [0-63]   First signal length, count unit: bit
Here SID is a signal identifier used to distinguish different signals of the same message; the CANID plus the SID identifies a unique signal on a CAN bus.
The SID needs to be numbered manually, and the signal can be numbered and identified according to the signal sequence in the message.
(5) The rule extractor searches the index according to the message characteristic (namely the CANID), sequentially parses all rule data corresponding to that message characteristic from the signal range library and the signal relation library, and triggers the detection unit. The signal range library records the range of each signal value and is used for checking whether the signal value of the message is legal; the signal relation library records the relation between the signal and the network system and is used for detecting whether the signal value is abnormal under the current network system.
(6) After being triggered by the rule extractor, the detection unit calls a detection algorithm to check the signal value, using the signal value extracted by the signal extractor and the rule parsed by the rule extractor.
Detection algorithms fall into two categories: signal range detection and signal correlation detection. The working principle of the two detection methods will be described next.
Different signals have value ranges and practical meanings, so that whether the message is legal or not can be judged by checking whether the signal values in the message are in the normal value ranges or not, and whether network intrusion occurs or not can be detected by checking whether the relation among the values of a plurality of signals in the network is abnormal or not.
(a) Signal value range checking
Judging the validity of a message by checking whether the value of data in the message is valid is a common intrusion detection method, but in the current method, each byte is simply detected. This method is not accurate enough and can only rely on a large amount of normal data to calculate the value range for each byte. The on-board CAN network is a signal-based network in which the start position, length, range and other attributes of each signal in the message are determined in its communication matrix. We can extract the value of each signal in the communication from this information and then check if the signal values are within legal limits, i.e. check if the data in the message conforms to the rules of the communication matrix. By the method, whether the message is legal or not can be judged to effectively defend against partial tampering and injection attacks.
A unique signal is identified by its CANID and SID, and a value range is set for it. This range can be expressed in many ways, such as: <= Max, >= Max, [min, max], a list of values, a list of forbidden values, etc. This range information can be obtained from the DBC file: you can get the value range of a signal by parsing the DBC file of the corresponding network, or manually set a more accurate value range for a specific signal.
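The following Python example, added here and not part of the patent, extracts signals from a CAN payload using the Start/Length/Format fields of Table 1 and checks each value against a range rule, treating a signal that does not fit the received payload as illegal. The bit assignment of the Format byte, CAN ID 0x120, the signal layouts, the limits and the decision to reject CANIDs missing from the signal library are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed encoding of the 1-byte Format field (the patent only says it carries
# sign type and endianness): bit 0 = big-endian (Motorola), bit 1 = signed.
FMT_BIG_ENDIAN = 0x01
FMT_SIGNED = 0x02


@dataclass(frozen=True)
class SignalDef:
    """One (SID, Format, Start, Length) entry of the signal analysis data."""
    sid: int
    fmt: int
    start: int   # bit position, DBC numbering: bit i is bit (i % 8) of byte (i // 8)
    length: int  # in bits


@dataclass(frozen=True)
class RangeRule:
    """One signal range library entry: bounds, allow-list and/or deny-list."""
    lo: Optional[int] = None
    hi: Optional[int] = None
    allowed: Optional[FrozenSet[int]] = None
    forbidden: FrozenSet[int] = frozenset()

    def permits(self, value):
        if self.lo is not None and value < self.lo:
            return False
        if self.hi is not None and value > self.hi:
            return False
        if self.allowed is not None and value not in self.allowed:
            return False
        return value not in self.forbidden


def extract(payload, sig):
    """Return the raw integer value of one signal; raise ValueError if the
    signal does not fit inside the received payload."""
    nbits = len(payload) * 8
    if sig.length < 1 or sig.start >= nbits:
        raise ValueError("signal outside payload")
    if sig.fmt & FMT_BIG_ENDIAN:
        # Motorola layout: start is the MSB; walk down to bit 0 of the byte,
        # then continue at bit 7 of the next byte.
        raw, bit = 0, sig.start
        for _ in range(sig.length):
            if bit >= nbits:
                raise ValueError("signal runs past payload")
            raw = (raw << 1) | ((payload[bit // 8] >> (bit % 8)) & 1)
            bit = bit + 15 if bit % 8 == 0 else bit - 1
    else:
        # Intel layout: start is the LSB of a little-endian bit string.
        if sig.start + sig.length > nbits:
            raise ValueError("signal runs past payload")
        raw = (int.from_bytes(payload, "little") >> sig.start) & ((1 << sig.length) - 1)
    if sig.fmt & FMT_SIGNED and raw >> (sig.length - 1):
        raw -= 1 << sig.length  # two's complement
    return raw


# Constructed sample libraries, indexed by CANID and by (CANID, SID).
SIGNAL_LIBRARY = {
    0x120: (
        SignalDef(sid=0, fmt=0, start=0, length=16),                             # speed
        SignalDef(sid=1, fmt=0, start=16, length=4),                             # gear
        SignalDef(sid=2, fmt=FMT_BIG_ENDIAN | FMT_SIGNED, start=39, length=16),  # steering
    ),
}
RANGE_LIBRARY = {
    (0x120, 0): RangeRule(lo=0, hi=30000),
    (0x120, 1): RangeRule(allowed=frozenset(range(5))),
    (0x120, 2): RangeRule(lo=-7800, hi=7800),
}


def inspect_frame(can_id, payload):
    """Return the reasons to discard the frame; an empty list means forward it."""
    signals = SIGNAL_LIBRARY.get(can_id)
    if signals is None:
        return ["unknown CANID"]  # assumption: IDs absent from the matrix are illegal
    reasons = []
    for sig in signals:
        try:
            value = extract(payload, sig)
        except ValueError:
            reasons.append("SID%d:layout" % sig.sid)
            continue
        rule = RANGE_LIBRARY.get((can_id, sig.sid))
        if rule is not None and not rule.permits(value):
            reasons.append("SID%d:range" % sig.sid)
    return reasons


# Constructed frame: speed 12000, gear 3, steering angle -500.
GOOD_FRAME = bytes.fromhex("e02e0300fe0c0000")

if __name__ == "__main__":
    print(inspect_frame(0x120, GOOD_FRAME))
    print(inspect_frame(0x120, bytes.fromhex("e02e0900fe0c0000")))
```

Checking per signal rather than per byte is what lets the rule for the 4-bit gear field reject the value 9 even though the byte that carries it is otherwise unremarkable.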
(b) Signal value correlation checking
Each signal of the on-board CAN network has its own practical significance, for example, some signals are indicative of engine speed, vehicle speed, door status, etc. These signals do not exist alone in the vehicle system and may have some particular relationship, such as engine speed and vehicle speed approaching a linear relationship during normal driving conditions, and the wipers must also be active when wiper wash is being dispensed. We can detect network intrusion by monitoring the relationship between these signals for anomalies. According to these types of relationships, signals can be divided into two types: the relationship between the new and old values of the same signal (the rate of change of the signal) and the relationship between the signals. For the relationship between signals, we only discuss the relationship between two signals, not the more complex relationship formed by three or more signals.
(I) Rate of change of signal
Since many signal values often represent actual physical parameters, the change in these signals tends to be a smooth curve or line. For example, the signal representing the speed of the vehicle cannot increase infinitely because of the limit of the acceleration of the vehicle, i.e. there is an upper limit to the rate of increase of the signal value. We can monitor the values of these signals and detect if the network is abnormal by calculating if their changes exceed their upper limits.
If we want to detect the rate of change of a signal we need to set a threshold for the rate of change per unit time. This time can be in standard time such as ms or s, or in a clock unit provided by the actual environment. Periodic messages may also use their period as a unit of time to facilitate recording and computation. In addition to recording the signal value, it is also necessary to collect the arrival time of the message to calculate the signal change rate of two adjacent messages (messages having the same ID), and then judge whether the network is abnormal by checking whether the value exceeds a set threshold.
(II) Relationship between signals
We use the relationship between two signals as an example to illustrate the application of the relationship between signals in intrusion detection and prevention.
For signal a and signal b, we assume that they have the following relationship:
When the value of signal a is in the range [a1, a2], the relationship between signal a and signal b satisfies:
f(a, b) < 0    (1)
where f is a binary expression containing two signals a and b.
This relationship is merely an example, and in practice the relationship may be more flexible: the precondition may be set according to the actual situation relationship between the two signals or may be set such that no check of the precondition is required. The relational expression is not limited to inequality, but may be an equation or a range of values.
For the above relationship, we can collect and record the updated value of signal a in real time. When a satisfies the condition of [ a1, a2], it starts to detect the signal b in real time, that is, it reads the value of the signal b each time a message carrying the signal b is received, and then checks whether the value of the signal b satisfies the formula (1). If not, it reports an exception.
There are two cases for the location of signal a and signal b:
a and b are in the same message: in this case, it is not necessary to record the values of both signals. When a message is received, the values of the two signals are read to directly check whether the relation between them is satisfied, and the legality of the message can even be judged from the detection result.
a and b are in different messages: in this case, the value of signal a needs to be recorded and updated in real time to check the value of signal b. An anomaly is detected when the relationship between a and b is not satisfied.
To check the relationship between signals, each signal is identified by its CANID and SID, and a precondition check and a specific relational expression f are set for the relationship. The test sample uses a linear relationship between two variables, with the following relational expression:
ma + nb + l ≤ 0    (2)
In the formula, m, n and l are all known constants. Further, in order to prevent false alarms due to packet loss, relationship checks between signals in different messages need to record the arrival time of a signal and the validity time of a signal value.
(7) The detection unit further judges whether the signal value is legal or not and whether an abnormality exists or not.
(8) If the signal value is illegal or abnormal, the data packet containing the signal value is discarded.
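The following Python example, added here and not part of the patent, implements the two correlation checks of step (6)(b): the change rate of one signal between adjacent messages, and the linear relation of formula (2) between signals a and b carried in different messages, with a validity time on the recorded value of a. The signal keys, the thresholds, the coefficients m, n, l, the 1 ms minimum time step and the choice not to record rejected values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

Key = Tuple[int, int]  # (CANID, SID) identifies one signal on the bus


@dataclass(frozen=True)
class RelationRule:
    """When a1 <= a <= a2, require m*a + n*b + l <= 0 (formula (2))."""
    a_key: Key
    b_key: Key
    a1: float
    a2: float
    m: float
    n: float
    l: float
    a_valid_s: float  # how long a recorded value of a may be used, in seconds


class CorrelationDetector:
    MIN_DT = 0.001  # assumed clock resolution; avoids division by zero

    def __init__(self, rate_limits, relations):
        self.rate_limits = rate_limits  # Key -> max |change| per second
        self.relations = relations
        self.state = {}                 # Key -> (last accepted value, arrival time)

    def check(self, key, value, t):
        """Return the anomalies found for one extracted signal value."""
        alerts = []
        prev = self.state.get(key)
        limit = self.rate_limits.get(key)
        if prev is not None and limit is not None:
            dt = max(t - prev[1], self.MIN_DT)
            if abs(value - prev[0]) / dt > limit:
                alerts.append("rate")
        for rule in self.relations:
            if rule.b_key != key:
                continue
            a = self.state.get(rule.a_key)
            if a is None or t - a[1] > rule.a_valid_s:
                continue  # a unknown or expired (e.g. packet loss): no alarm
            if rule.a1 <= a[0] <= rule.a2 and rule.m * a[0] + rule.n * value + rule.l > 0:
                alerts.append("relation")
        if not alerts:
            # Only accepted values become state: a discarded frame never reached
            # the receivers, so it must not shift the baseline.
            self.state[key] = (value, t)
        return alerts


RPM: Key = (0x100, 0)    # signal a: engine speed, rpm (constructed)
SPEED: Key = (0x120, 0)  # signal b: vehicle speed, km/h (constructed)


def build_demo_detector():
    """Constructed rules: speed may change by at most 15 km/h per second, and
    while 600 <= rpm <= 7000 it must satisfy -0.05*rpm + speed - 10 <= 0."""
    relation = RelationRule(RPM, SPEED, a1=600, a2=7000,
                            m=-0.05, n=1.0, l=-10.0, a_valid_s=0.5)
    return CorrelationDetector({SPEED: 15.0}, [relation])


if __name__ == "__main__":
    det = build_demo_detector()
    # Constructed trace of (signal, value, arrival time in seconds).
    for key, value, t in [(RPM, 2000, 0.00), (SPEED, 60, 0.01),
                          (SPEED, 61, 0.11), (SPEED, 120, 0.21)]:
        print(key, value, det.check(key, value, t))
```

The validity time trades detection for robustness: once the recorded value of a has expired, the relation check is skipped until a fresh message carrying a arrives.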
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. An intrusion detection defense method, characterized by comprising the steps of:
step 1, collecting messages;
step 2, performing data analysis operation on the collected messages, and extracting signals in the messages;
step 3, obtaining the value of each signal by analyzing the communication matrix file of the network corresponding to the signal;
step 4, recording signal analysis data of the message based on the value of each signal and the number of the signals contained in the message, and acquiring message characteristics through the signal analysis data;
step 5, sequentially searching and comparing all rule data corresponding to the message characteristics of the message from a pre-configured signal range library and a signal relation library according to the message characteristics, and triggering a detection unit, wherein the signal range library records the range of each signal value and is used for checking whether the signal value of the message is legal or not; the signal relation library records the relation between the signal and the network system and is used for detecting whether the signal value is abnormal under the current network system;
step 6, acquiring a signal value of the signal, and detecting the signal value according to the signal value and a rule analyzed by a rule extractor;
step 7, judging whether the signal value is legal or not or whether the signal value is abnormal or not;
step 8, if the detection result is illegal or abnormal, discarding the message of the signal.
2. The intrusion detection defense method according to claim 1, characterized in that
the values of the signals include: a start bit indicating where the signal starts; a length, representing the length of the signal; a format indicating a format of the signal.
3. An intrusion detection defense method according to claim 1 or 2,
the signal analysis data of the message includes: the number of signals to be extracted, the identifier of each signal and the related attribute value of each signal.
4. The intrusion detection defense method according to claim 1, wherein the detection algorithm mainly comprises:
a signal range detection algorithm, which judges whether the starting position, length, range and other attributes of each signal in the message are in a legal range;
and the signal value correlation detection algorithm judges whether the relation between the signals is abnormal or not, and the detected relation type comprises the signal change rate and the relation between the signals.
5. An intrusion detection prevention apparatus applied to the intrusion detection prevention method according to any one of claims 1 to 4, comprising:
the database is used for recording a set of regular data of signal composition and signal characteristics of the target CAN network;
the message collector is used for collecting and blocking communication data of the CAN equipment and returning detection results of rule check and bypass collection;
a signal extractor for performing a data analysis operation on the message and extracting a signal value;
the rule analyzer is used for analyzing the identification rule and calling a correct detection method;
and the detection unit is used for detecting the signal value and judging whether the signal value is legal or not and whether the signal value is abnormal or not.
6. An intrusion detection defence apparatus according to claim 5, wherein:
the database is specifically subdivided into three databases:
the signal base records the signal analysis data of each message;
a signal range library recording the range of each signal value;
and the signal relation library records the relation between the signal and the network system.
7. An intrusion detection defense device, characterized in that the device comprises:
a processor and a memory storing computer program instructions;
the processor reads and executes the computer program instructions to implement the intrusion detection defense method according to any one of claims 1 to 4.
8. A computer-readable storage medium having computer program instructions stored thereon which, when executed by a processor, implement the intrusion detection defense method of any one of claims 1-4.
CN202110130768.0A 2021-01-29 2021-01-29 Intrusion detection defense method and system Active CN112866270B (en)


Publications (2)

Publication Number Publication Date
CN112866270A CN112866270A (en) 2021-05-28
CN112866270B true CN112866270B (en) 2023-03-24

Family

ID=75987107

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110130768.0A Active CN112866270B (en) 2021-01-29 2021-01-29 Intrusion detection defense method and system

Country Status (1)

Country Link
CN (1) CN112866270B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113923002B (en) * 2021-09-29 2024-04-19 山石网科通信技术股份有限公司 Computer network intrusion prevention method, device, storage medium and processor

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104428176A (en) * 2012-07-10 2015-03-18 大成电气有限公司 Vehicle intrusion detection system and vehicle intrusion detection method
CN106330964A (en) * 2016-10-14 2017-01-11 成都信息工程大学 Network intrusion detection and active defense linkage control device
CN108540473A (en) * 2018-04-09 2018-09-14 华北理工大学 A kind of data analysing method and data analysis set-up

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10498749B2 (en) * 2017-09-11 2019-12-03 GM Global Technology Operations LLC Systems and methods for in-vehicle network intrusion detection
CN107508831B (en) * 2017-09-21 2020-02-14 华东师范大学 Bus-based intrusion detection method
CN111030962B (en) * 2018-10-09 2023-03-24 厦门雅迅网络股份有限公司 Vehicle-mounted network intrusion detection method and computer-readable storage medium
CN111683035A (en) * 2020-02-12 2020-09-18 华东师范大学 Vehicle-mounted ECU intrusion detection method and system based on CAN bus differential signal level characteristics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant