CN112953723B - Vehicle-mounted intrusion detection method and device - Google Patents

Publication number: CN112953723B (granted patent); application number CN202110181127.8A; pre-grant publication CN112953723A
Authority: CN (China)
Original language: Chinese (zh); the text below is a translation
Prior art keywords: message, time information, time, timestamp, new
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Inventors: 徐国胜, 徐国爱, 郑凯玄, 王浩宇, 王晨宇
Original and current assignee: Beijing University of Posts and Telecommunications (assignee list as given by Google Patents, not legally verified)

Classifications

    • H04L 9/3297: cryptographic mechanisms or network security protocols including means for message authentication (data integrity, entity authentication, non-repudiation), involving time stamps, e.g. generation of time stamps
    • H04L 12/40: data switching networks characterised by path configuration (LAN/WAN); bus networks
    • H04L 63/12: network security; applying verification of the received information
    • H04L 63/1416: network security; detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • H04L 2012/40215: bus networks characterised by the use of a particular bus standard; Controller Area Network (CAN)
    • H04L 2012/40273: bus for use in transportation systems, the transportation system being a vehicle

Abstract

One or more embodiments of the present description provide a vehicle-mounted intrusion detection method and apparatus. The method includes: receiving a new message and extracting its message identifier and timestamp; querying a time information queue by that identifier to obtain the time information recorded for it; judging, from the new timestamp, the recorded time information and a preset detection condition, whether the new message is abnormal; and outputting an alert (prompt information) when it is. The embodiment performs lightweight anomaly-based intrusion detection on the messages received on the CAN bus, with low complexity and high accuracy.

Description

Vehicle-mounted intrusion detection method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of information security technologies, and in particular, to a vehicle-mounted intrusion detection method and apparatus.
Background
Currently, a vehicle network implements data communication between Electronic Control Units (ECUs) over a CAN bus; each ECU realizes its vehicle functions by sending vehicle control data, vehicle status data and other data onto the bus. As vehicle networks have grown, the security risks they face have increased, and security monitoring of the vehicle network has become a key technology for ensuring safe driving.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure are directed to a method and an apparatus for vehicle-mounted intrusion detection.
In view of the above, one or more embodiments of the present specification provide a vehicle-mounted intrusion detection method, including:
receiving a new message, and parsing the new message identifier and the new timestamp of the new message;
querying a pre-constructed time information queue according to the new message identifier, and determining the time information corresponding to the new message identifier;
judging, according to the new timestamp, the time information and a preset detection condition, whether the new message is an abnormal message;
and if the new message is an abnormal message, outputting an alert.
Optionally, before receiving the new message, the method further includes:
constructing the time information queue from the messages already received.
Optionally, constructing the time information queue from the received messages includes:
parsing the message identifier and the timestamp of each received message;
querying the time information queue according to the message identifier, and judging whether time information corresponding to that identifier exists;
if no such time information exists, taking the timestamp as the time information for the message identifier, and adding the identifier and its time information to the time information queue;
if time information for the message identifier exists, judging whether that time information has reached a preset quantity threshold; if not, updating the time information for the identifier in the queue according to the timestamp; if so, deleting the expired time information for the identifier and then updating the time information for the identifier in the queue according to the timestamp.
Optionally, when no time information exists for the message identifier and the identifier with its timestamp is added to the time information queue, the method further includes:
outputting an alert.
Optionally, the time information includes the timestamp of the most recently received message with that identifier;
and updating the time information for the message identifier according to the timestamp when the quantity threshold has not been reached includes:
calculating an intermediate time interval between the timestamp and the timestamp of the most recent message;
deleting the timestamp of the most recent message;
adding the timestamp and the intermediate time interval to the time information queue.
Optionally, the time information includes the timestamp of the most recent message and the time intervals between every two adjacent messages among the last N messages received in time order, where N is the quantity threshold;
and deleting the expired time information for the message identifier and then updating the time information according to the timestamp includes:
deleting the time interval between the two adjacent messages farthest from the current time;
calculating an intermediate time interval between the timestamp and the timestamp of the most recent message;
deleting the timestamp of the most recent message;
adding the timestamp and the intermediate time interval to the time information queue.
Optionally, the time information includes the timestamp of the most recent message and at least one time interval, each time interval being the interval between two adjacent messages received in time order;
and judging, according to the new timestamp, the time information and a preset detection condition, whether the new message is an abnormal message includes:
calculating the average of all recorded time intervals;
calculating the new time interval between the new timestamp and the timestamp of the most recent message;
and judging whether the new message is abnormal according to the relation between the interval average and the new time interval.
Optionally, judging whether the new message is abnormal according to the relation between the interval average and the new time interval includes:
letting t1 be the interval average, t2 the new time interval and μ the fluctuation threshold; the new message is normal when the following relation holds, and abnormal otherwise:
(1-μ)·t1 ≤ t2 ≤ (1+μ)·t1 (1)
Optionally, the method further includes:
detecting the transmission rate of messages on the bus;
detecting the activity of the message identifiers in the time information queue and of their corresponding time information, that is, how actively the recorded entries are being updated;
and outputting an alert when the transmission rate is greater than a preset rate threshold while the activity is lower than a preset activity threshold.
An embodiment of the present specification further provides a vehicle-mounted intrusion detection device, including:
a parsing module, which receives the new message and parses the new message identifier and the new timestamp from it;
a query module, which queries the time information queue according to the new message identifier and determines the time information corresponding to it;
a judging module, which judges, according to the new timestamp, the time information and a preset detection condition, whether the new message is an abnormal message;
and an output module, which outputs an alert when the new message is judged to be abnormal.
As can be seen from the foregoing, the vehicle-mounted intrusion detection method and apparatus of one or more embodiments of the present specification receive a new message and extract its message identifier and timestamp; query the time information queue by that identifier to obtain the recorded time information; judge, from the new timestamp, the time information and a preset detection condition, whether the new message is abnormal; and output an alert when it is. The embodiment performs lightweight anomaly-based intrusion detection on the messages received on the CAN bus, with low complexity and high accuracy.
Drawings
In order to illustrate one or more embodiments of the present specification or the prior art more clearly, the drawings needed for their description are briefly introduced below. The drawings described below show only one or more embodiments of the present specification; other drawings can be obtained from them by those skilled in the art without inventive effort.
FIG. 1 is a schematic time window diagram of some embodiments;
FIG. 2 is a schematic flow diagram of a method in accordance with one or more embodiments of the present disclosure;
FIG. 3 is a schematic diagram of a time information queue according to one or more embodiments of the present disclosure;
FIG. 4 is a schematic diagram of an apparatus according to one or more embodiments of the present disclosure;
FIG. 5 is a schematic structural diagram of an electronic device according to one or more embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the present disclosure more apparent, the present disclosure will be described in further detail below with reference to specific embodiments and the accompanying drawings.
It is to be understood that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present disclosure should have the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the specification is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used only to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
As described in the Background, the security risks to the vehicle network have intensified: an attacker can take control of the vehicle system or an electronic control unit through a wireless access path, or intrude on the vehicle bus through a physical bus access path, and both paths ultimately come down to reading and writing messages on the CAN bus.
In the course of the present disclosure, the applicant found that intrusion detection can be implemented by inspecting the messages on the CAN bus. For example, a detection model for identifying abnormal messages can be trained in advance with a machine learning algorithm; this achieves intrusion detection, but the implementation is complex, demands a lot from the vehicle terminal's performance, and is costly. Detecting message content according to time sequence lowers the complexity, but its accuracy is lower and its false alarm rate higher. As shown in FIG. 1, the main reason is that such methods generally need fixed time windows whose size cannot be chosen uniformly: because different identifiers are sent at different frequencies and times, messages with the same identifier may be split across different windows, so each window is judged on an incomplete sequence of messages, producing false alarms or missed detections.
Hereinafter, the technical means of the present disclosure will be described in further detail with reference to specific examples.
As shown in FIG. 2, one or more embodiments of the present specification provide a vehicle-mounted intrusion detection method, including:
S101: receiving a new message, and parsing the new message identifier and the new timestamp of the new message;
In this embodiment, every electronic control unit on the vehicle network is attached to the CAN bus and sends its predetermined messages at a predetermined frequency, so the messages carrying a given identifier arrive with a characteristic time interval.
In this embodiment, when a new message is received on the CAN bus, the new message identifier and the new timestamp are parsed from it. Messages on the CAN bus are transmitted in a fixed frame format, so the message identifier and the message content can be read from the frame fields; the timestamp is attached by the receiving CAN controller or driver at the moment the frame is captured, since a classical CAN frame itself carries only the identifier, control field, payload and CRC. Identifier, timestamp and content are thus all available after parsing the received message.
S102: querying the pre-constructed time information queue according to the new message identifier, and determining the time information corresponding to it;
In this embodiment, the previously constructed time information queue is queried with the new message identifier, and the time information recorded for that identifier is read from the queue.
In some embodiments, the time information queue is constructed from the messages already received on the CAN bus. It holds at least one message identifier and, for each, the recorded time information: the timestamp of the most recent message with that identifier and, once more than one such message has been seen, the time intervals between every two adjacent messages received in time order.
S103: judging, according to the new timestamp, the time information and a preset detection condition, whether the new message is an abnormal message;
S104: if the new message is an abnormal message, outputting an alert.
In this embodiment, the new timestamp of the new message is evaluated against the time information recorded for its identifier under the preset detection condition, and the result decides whether the new message is abnormal. When it is, an alert is output, which realizes the anomaly monitoring.
The vehicle-mounted intrusion detection method of this embodiment thus receives a new message and extracts its identifier and timestamp; queries the time information queue by the identifier to obtain the recorded time information; judges, from the new timestamp, the time information and the preset detection condition, whether the message is abnormal; and outputs an alert when it is. The method performs lightweight anomaly-based intrusion detection on the messages received on the CAN bus, with low complexity and high accuracy.
It is to be appreciated that the method can be performed by any apparatus, device, platform or cluster of devices having computing and processing capabilities.
In some embodiments, before receiving the new message, the method further includes constructing the time information queue from the messages already received: the message identifier and timestamp of each message received on the CAN bus are parsed, and from them a time information queue of message identifiers with their corresponding time information is built.
In some embodiments, constructing the time information queue from the received messages includes:
parsing the message identifier and the timestamp of the received message;
querying the time information queue according to the message identifier, and judging whether time information corresponding to that identifier exists;
if no entry for the message identifier exists, taking the timestamp as its time information and adding the identifier and its time information to the queue;
if an entry exists, judging whether its time information has reached the preset quantity threshold; if not, updating the time information for the identifier according to the timestamp; if so, deleting the expired time information for the identifier and then updating the time information according to the timestamp.
In this embodiment, the time information queue is built as follows. For each message received on the CAN bus, its identifier and timestamp are parsed first, then the queue is searched for that identifier. If the identifier and its time information are not yet in the queue, they are added, the added time information being the message's timestamp. If the identifier is found, how the queue is updated depends on the time information already recorded for it: if the number of recorded entries has not reached the preset quantity threshold, the parsed timestamp is added to the queue; if it has, the expired time information is deleted first and then the parsed timestamp is added. In this way the queue is established from the received messages, kept up to date as further messages arrive on the CAN bus, and a message is judged abnormal or not against the complete recorded time information, which ensures detection accuracy.
In some embodiments, when the time information queue is queried by the message identifier and no time information for it is found, adding the identifier and its timestamp to the queue further includes:
outputting an alert.
In this embodiment, a message identifier not present in the time information queue is added together with its timestamp, and an alert is raised at the same time. In one situation, the vehicle changes state (for example from powered-on to ignition, or from ignition to started) and new types of message appear on the CAN bus; each carries an identifier that was not seen before the transition and therefore has no time information recorded in the queue. The identifier and its time information are added and an alert is raised, but if the vehicle really did change state, the alert is not treated as an anomaly. In the other situation the vehicle state has not changed, and a new type of message on the CAN bus indicates a possible anomaly, for example an injection attack using an unknown identifier; the alert then allows a timely check of whether an anomaly has actually occurred and what caused it.
In some embodiments, when updating the entry for a message identifier whose time information has not yet reached the quantity threshold, updating the time information according to the timestamp includes:
calculating the intermediate time interval between the timestamp and the timestamp of the most recent message;
deleting the timestamp of the most recent message;
adding the timestamp and the intermediate time interval to the time information queue.
In this embodiment, if the message identifier and its time information already exist in the queue and the recorded time information has not reached the quantity threshold, the intermediate interval between the new timestamp and the recorded timestamp of the most recent message is calculated first; that recorded timestamp is then deleted, and the new timestamp and the intermediate interval are added, so that in the updated queue the new timestamp is the timestamp of the most recent message. The time information of all messages sharing an identifier is thus recorded continuously in the queue without any time window, which avoids the missed detections and false alarms that arise when messages with the same identifier are recorded separately, and so improves detection accuracy.
In some embodiments, when updating the entry for a message identifier whose time information has reached the quantity threshold, deleting the expired time information and updating the time information according to the timestamp includes:
deleting the time interval between the two adjacent messages farthest from the current time;
calculating the intermediate time interval between the timestamp and the timestamp of the most recent message;
deleting the timestamp of the most recent message;
adding the timestamp and the intermediate time interval to the time information queue.
In this embodiment, if the message identifier and its time information already exist in the queue and the recorded time information has reached the quantity threshold, the oldest recorded interval (between the two adjacent messages farthest from the current time) is deleted first; then the intermediate interval between the new timestamp and the timestamp of the most recent message is calculated, the recorded timestamp of the most recent message is deleted, and the new timestamp and the intermediate interval are added. After the update the recorded timestamp is that of the new most recent message, and the recorded intervals are those between every two adjacent messages among the N most recent messages, N being the quantity threshold. Bounding the amount of time information keeps it current, preserves detection accuracy, and lowers the performance demanded of the vehicle terminal.
As shown in FIG. 3, in some embodiments the time information queue may be built from buffer queues. The time information queue contains one buffer queue per message identifier; each buffer queue holds at least the timestamp of the most recent message with that identifier, and once several messages with the same identifier have been received on the CAN bus, it holds the timestamp of the most recent message together with at least one time interval, stored in time order.
For example, suppose m messages with identifier ID1 have been received on the CAN bus in time order, with timestamps T_1, T_2, T_3, ..., T_m, where T_1 is the farthest from the current time and T_m the closest. The interval T_2 - T_1 is the first to enter the buffer queue of ID1, then T_3 - T_2, and so on up to T_m - T_{m-1}; T_m, the timestamp closest to the current time, is stored at the tail of the buffer queue. When a further message with identifier ID1 arrives with timestamp T_{m+1}, it is first checked whether the number of intervals in the buffer queue has reached the quantity threshold. If not, the timestamp T_m at the tail is deleted, the interval T_{m+1} - T_m is appended to the buffer queue, and T_{m+1} is appended as the new tail. If the threshold has been reached, the interval T_2 - T_1 at the head of the buffer queue is deleted first, then T_m at the tail is deleted, the interval T_{m+1} - T_m is appended, and T_{m+1} is appended as the new tail.
In some embodiments, determining whether the new message is an abnormal message according to a preset detection condition based on the new timestamp and the time information includes:
calculating interval average values of all time intervals;
calculating a new time interval between the new timestamp and the timestamp of the message closest to the current time;
and judging whether the new message is an abnormal message or not according to the relation between the interval average value and the new time interval.
In this embodiment, after the time information queue has been constructed and updated from received messages, a new message is handled as follows: the new message identifier and new timestamp of the new message are parsed; the time information queue is queried with the new message identifier, and the time information recorded for that identifier is obtained; if the time information includes at least one time interval, the interval average of all the time intervals is calculated, as is the new time interval between the new timestamp and the recorded timestamp of the message closest to the current time; finally, whether the new message is abnormal is determined from the relationship between the new time interval and the interval average. Because the electronic control units send their preset messages to the CAN bus at preset frequencies that depend on the vehicle state, analysing how the time information of messages on the bus changes reveals when abnormal messages may be occurring.
In some embodiments, determining whether the new message is an abnormal message according to the relationship between the interval average and the new time interval may be represented as:
(1-μ)t1≤t2≤(1+μ)t1 (1)
where t1 is the interval average, t2 is the new time interval, and μ is the fluctuation threshold. And when the relation between the interval average value and the new time interval shown in the formula (1) is met, determining that the new message is a normal message, otherwise, determining that the new message is an abnormal message. Optionally, the fluctuation threshold value is 0.5.
In some modes, for an abnormal message, when formula (2) is satisfied the abnormal message is determined to be an injection attack abnormal message, and when formula (3) is satisfied it is determined to be a delayed abnormal message.
t2<(1-μ)t1 (2)
t2>(1+μ)t1 (3)
In some embodiments, the vehicle-mounted intrusion detection method further includes:
detecting the transmission rate of the message;
detecting message identifiers in a time information queue and the activity degrees of the corresponding time information;
and when the transmission rate is greater than a preset rate threshold and the activity degree is lower than an activity degree threshold, outputting prompt information.
In this embodiment, whether there is an abnormal message on the CAN bus is determined by detecting the transmission rate of messages on the CAN bus together with the activity degree of the message identifiers in the time information queue and their corresponding time information. When the transmission rate is greater than the rate threshold and the activity degree of the time information of the message identifiers in the time information queue is lower than the activity degree threshold, it is judged that a bus DoS attack is occurring, and prompt information is output so that the exception is reported in time.
In some embodiments, the vehicle-mounted intrusion detection method further includes:
detecting the transmission rate of the message;
detecting message identifiers in a time information queue and the activity degrees of the corresponding time information;
and when the transmission rate is judged to be lower than a preset rate threshold value and/or the activity degree is judged to be lower than a preset activity degree threshold value, outputting state change prompt information.
In this embodiment, a change of the vehicle-mounted state is determined by detecting in real time the transmission rate of messages on the CAN bus and the activity degree of the message identifiers and their corresponding time information in the time information queue. When the transmission rate of messages on the CAN bus is lower than the rate threshold and/or the activity degree of the time information corresponding to the message identifiers in the time information queue is lower than the activity degree threshold, it is judged that the vehicle-mounted state has changed, and state change prompt information is output. For example, when the vehicle passes from a driving state to a braking state, the number of messages on the CAN bus falls, some electronic control units stop sending messages to the bus, and the time information corresponding to their message identifiers is no longer updated; the change of vehicle-mounted state can therefore be recognised from the transmission rate on the bus and the activity degree of the time information queue.
In some modes, the activity degree of the time information can be judged from the update frequency of the time information corresponding to each message identifier. For a message identifier whose time information is updated slowly and whose activity degree is lower than the activity degree threshold, the message identifier and its corresponding time information can be deleted, which keeps the time information queue current and effective and reduces the amount of vehicle-mounted resources it occupies.
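The two bus-level checks above (a high transmission rate with a low activity degree reported as a DoS prompt; a low rate and/or low activity degree reported as a state change prompt) and the pruning of slowly updated identifiers, as an added example that is not the patent's own code. The window length, the rate and activity thresholds, the definition of the queue's activity degree as the fraction of known identifiers updated within the window, the function names and the constructed frame trace are all assumptions; the patent only says the thresholds are preset.

```python
from collections import Counter

# Added example, not the patent's own code. All thresholds and window lengths
# below are constructed assumptions; the patent only says they are "preset".
WINDOW = 1.0                     # seconds of bus traffic examined per check
DOS_RATE_THRESHOLD = 1000.0      # frames/s above which a flood is suspected
LOW_RATE_THRESHOLD = 200.0       # frames/s below which the bus has gone quiet
QUEUE_ACTIVITY_THRESHOLD = 0.75  # fraction of known identifiers still updating
ID_ACTIVITY_THRESHOLD = 1.0      # updates/s below which an identifier is stale


def window_counts(frames, now, window=WINDOW):
    """Updates per identifier for frames with timestamp in [now - window, now)."""
    return Counter(can_id for ts, can_id in frames if now - window <= ts < now)


def known_identifiers(frames, now):
    """Identifiers that already have an entry in the time information queue at `now`."""
    return {can_id for ts, can_id in frames if ts < now}


def transmission_rate(frames, now, window=WINDOW):
    """Frames per second seen on the bus during the window ending at `now`."""
    return sum(window_counts(frames, now, window).values()) / window


def queue_activity(frames, now, window=WINDOW):
    """Activity degree of the time information queue (assumed definition): the
    fraction of known identifiers whose time information was updated in the window."""
    known = known_identifiers(frames, now)
    if not known:
        return 0.0
    updated = set(window_counts(frames, now, window))
    return len(known & updated) / len(known)


def stale_identifiers(frames, now, window=WINDOW, threshold=ID_ACTIVITY_THRESHOLD):
    """Identifiers whose update frequency is below the threshold; the patent allows
    deleting their time information to keep the queue current."""
    counts = window_counts(frames, now, window)
    return {can_id for can_id in known_identifiers(frames, now)
            if counts[can_id] / window < threshold}


def bus_prompt(frames, now):
    """High rate with low activity -> 'dos'; low rate and/or low activity ->
    'state_change'; otherwise 'normal'."""
    rate = transmission_rate(frames, now)
    activity = queue_activity(frames, now)
    if rate > DOS_RATE_THRESHOLD and activity < QUEUE_ACTIVITY_THRESHOLD:
        return "dos"
    if rate < LOW_RATE_THRESHOLD or activity < QUEUE_ACTIVITY_THRESHOLD:
        return "state_change"
    return "normal"


def periodic(can_id, start, end, period):
    """Constructed helper: frames of one identifier sent at a fixed period."""
    n = int(round((end - start) / period))
    return [(start + i * period, can_id) for i in range(n)]


# Constructed trace: three ECUs at 100 Hz during the first second; during the
# second second a 2000 Hz flood of identifier 0x000 appears and all but 0x100
# fall silent; during the third second only 0x100 still transmits (for example
# after a vehicle state change).
SAMPLE_FRAMES = sorted(
    periodic(0x100, 0.0, 3.0, 0.01) + periodic(0x200, 0.0, 1.0, 0.01)
    + periodic(0x300, 0.0, 1.0, 0.01) + periodic(0x000, 1.0, 2.0, 0.0005)
)

if __name__ == "__main__":
    for now in (1.0, 2.0, 3.0):
        print(f"t={now:.0f}s rate={transmission_rate(SAMPLE_FRAMES, now):.0f}/s "
              f"activity={queue_activity(SAMPLE_FRAMES, now):.2f} "
              f"-> {bus_prompt(SAMPLE_FRAMES, now)}")
    print("stale at 3 s:", sorted(stale_identifiers(SAMPLE_FRAMES, 3.0)))
```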
In some embodiments, the vehicle-mounted intrusion detection method further includes:
and analyzing the abnormal message to determine the type of the abnormal message.
In this embodiment, after the abnormal message is determined by the detection, the abnormal message is further analyzed and counted, and the type of the abnormal message is determined according to the result of the analysis and the counting. In some modes, if the abnormal message is determined to be injection attack according to the formula (2), and the injection attack occurs on the message of the same message identifier within the preset time, the abnormal message type is judged to be the injection attack of the single message identifier; and if the injection attack occurs on a plurality of messages of the plurality of message identifiers within the preset time, judging that the abnormal message type is the injection attack of the plurality of message identifiers.
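The buffer queue update of fig. 3, the detection condition of formulas (1) to (3), and the single- versus multi-identifier injection analysis just described, as an added example that is not the patent's own code. The quantity threshold of 4, the preset time, the constructed frame trace, and the class and function names are assumptions; the fluctuation threshold is the patent's optional value 0.5. The block also shows how the interval average drifts once an injected frame has itself been recorded.

```python
from collections import deque
from dataclasses import dataclass, field

# Added example, not the patent's own code. Constructed assumptions:
# QUANTITY_THRESHOLD is the patent's "quantity threshold" on stored intervals,
# MU is the fluctuation threshold (the patent's optional value is 0.5).
QUANTITY_THRESHOLD = 4
MU = 0.5


@dataclass
class TimeInfo:
    """Buffer queue of one message identifier: the time intervals (oldest at the
    head) and, at the tail, the timestamp of the message closest to now."""
    last_ts: float
    intervals: deque = field(default_factory=deque)


class TimeInfoQueue:
    """Time information queue keyed by message identifier."""

    def __init__(self, quantity_threshold=QUANTITY_THRESHOLD):
        self.quantity_threshold = quantity_threshold
        self.table = {}  # message identifier -> TimeInfo

    def update(self, can_id, ts):
        """Construct or update the entry for `can_id` with timestamp `ts`."""
        info = self.table.get(can_id)
        if info is None:
            # identifier not seen yet: the timestamp alone is its time information
            self.table[can_id] = TimeInfo(last_ts=ts)
            return
        if len(info.intervals) >= self.quantity_threshold:
            # threshold reached: delete the interval farthest from the current time
            info.intervals.popleft()
        # intermediate interval between the new timestamp and the latest one,
        # then the new timestamp replaces the old tail
        info.intervals.append(ts - info.last_ts)
        info.last_ts = ts


def detect(queue, can_id, ts, mu=MU):
    """Formulas (1)-(3) applied to a new message before the queue is updated.
    Returns 'unknown' (no interval recorded yet), 'normal', 'injection' or 'delay'."""
    info = queue.table.get(can_id)
    if info is None or not info.intervals:
        return "unknown"
    t1 = sum(info.intervals) / len(info.intervals)  # interval average
    t2 = ts - info.last_ts                          # new time interval
    if t2 < (1 - mu) * t1:
        return "injection"  # formula (2): the message arrived too early
    if t2 > (1 + mu) * t1:
        return "delay"      # formula (3): the message arrived too late
    return "normal"         # formula (1) holds


def run(trace, quantity_threshold=QUANTITY_THRESHOLD, mu=MU):
    """Replay (timestamp, identifier) pairs in order; return a verdict per message.
    Every message is recorded, abnormal ones included, as in the patent's update
    step; an implementation may choose not to record messages judged abnormal so
    that injected frames do not pull the interval average down."""
    queue = TimeInfoQueue(quantity_threshold)
    verdicts = []
    for ts, can_id in trace:
        verdicts.append((ts, can_id, detect(queue, can_id, ts, mu)))
        queue.update(can_id, ts)
    return verdicts


def injection_scope(verdicts, preset_time):
    """Analysis of abnormal messages: injections on one identifier within
    `preset_time` are a single-identifier injection, on several identifiers a
    multi-identifier injection. Returns None when no injection was detected."""
    injected = [(ts, can_id) for ts, can_id, v in verdicts if v == "injection"]
    if not injected:
        return None
    first_ts = injected[0][0]
    ids = {can_id for ts, can_id in injected if ts - first_ts <= preset_time}
    return "single-identifier" if len(ids) == 1 else "multi-identifier"


# Constructed trace: identifier 0x123 is normally sent every 10 ms; the frame at
# 0.053 s is an extra (injected) one, and the following frame is delayed to 0.090 s.
SAMPLE_TRACE = [
    (0.000, 0x123), (0.010, 0x123), (0.020, 0x123), (0.030, 0x123),
    (0.040, 0x123), (0.050, 0x123), (0.053, 0x123), (0.060, 0x123),
    (0.090, 0x123),
]

if __name__ == "__main__":
    for ts, can_id, verdict in run(SAMPLE_TRACE):
        print(f"{ts:.3f}s ID {can_id:#05x}: {verdict}")
    print("scope:", injection_scope(run(SAMPLE_TRACE), 0.1))
```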
It should be noted that the method of one or more embodiments of the present disclosure may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may perform only one or more steps of the method of one or more embodiments of the present disclosure, and the devices may interact with each other to complete the method.
It should be noted that the above description describes certain embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
As shown in fig. 4, an embodiment of the present specification further provides an on-vehicle detection apparatus, including:
the analysis module is used for receiving the new message and analyzing the new message identifier and the new timestamp of the new message;
the query module is used for querying the time information queue according to the new message identifier and determining the time information corresponding to the new message identifier;
the judging module is used for judging whether the new message is an abnormal message or not according to the new timestamp and the time information and a preset detection condition;
and the output module is used for outputting the prompt message when the new message is judged to be the abnormal message.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the various modules may be implemented in the same one or more pieces of software and/or hardware in implementing one or more embodiments of the present description.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Fig. 5 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs; when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program code is stored in the memory 1020 and called by the processor 1010 for execution.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various sensors, etc., and the output devices may include a display, speaker, vibrator, indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The electronic device of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Computer-readable media of the present embodiments, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only, and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the spirit of the present disclosure, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of different aspects of one or more embodiments of the present description as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure one or more embodiments of the description. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the understanding of one or more embodiments of the present description, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures, such as Dynamic RAM (DRAM), may use the discussed embodiments.
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (9)

1. A vehicle-mounted intrusion detection method is characterized by comprising the following steps:
analyzing the message identification and the time stamp of the received message;
inquiring a pre-constructed time information queue according to the message identifier, and judging whether time information corresponding to the message identifier exists or not;
if the time information does not exist, the timestamp is taken as the time information corresponding to the message identifier, and the message identifier and the time information corresponding to the message identifier are added into the time information queue;
if the time information exists, judging whether the time information corresponding to the message identifier has reached a preset quantity threshold value; if not, updating the time information corresponding to the message identifier in the time information queue according to the timestamp; if it has been reached, deleting the expired time information corresponding to the message identifier, and updating the time information corresponding to the message identifier in the time information queue according to the timestamp;
receiving a new message, and analyzing a new message identifier and a new timestamp of the new message;
inquiring the time information queue according to the new message identifier, and determining the time information corresponding to the new message identifier; the time information comprises a timestamp of a message closest to the current time and at least one time interval, wherein the time interval is a time interval between every two adjacent messages received according to a time sequence;
judging whether the new message is an abnormal message according to the new timestamp and the time information and a preset detection condition, wherein the judging step comprises the following steps: calculating interval average values t1 of all time intervals; calculating a new time interval t2 between the new timestamp and the timestamp of the message closest to the current time; setting the fluctuation threshold value as mu, judging the new message as a normal message when the following relation is met, and otherwise, judging the new message as an abnormal message;
(1-μ)t1 ≤t2 ≤(1+μ)t1 (1)
and if the new message is an abnormal message, outputting prompt information.
2. The method according to claim 1, wherein, after the step of taking the timestamp as the corresponding time information and adding the message identifier and the corresponding time information to the time information queue if the time information does not exist, the method further comprises:
and outputting prompt information.
3. The method of claim 1, wherein the time information comprises a timestamp of a message closest to a current time;
if not, updating the time information corresponding to the message identifier in the time information queue according to the timestamp, including:
calculating an intermediate time interval between the timestamp and the timestamp of the message closest to the current time;
deleting the timestamp of the message closest to the current time;
adding the timestamp and the intermediate time interval to the queue of time information.
4. The method according to claim 1, wherein the time information includes a timestamp of a message closest to a current time and a time interval between two adjacent messages among the messages received in chronological order with the number being the number threshold;
deleting the expired time information corresponding to the message identifier, and updating the time information corresponding to the message identifier in the time information queue according to the timestamp, comprises:
deleting the time interval of every two adjacent messages farthest away from the current time;
calculating an intermediate time interval between the timestamp and the timestamp of the message closest to the current time;
deleting the timestamp of the message closest to the current time;
adding the timestamp and the intermediate time interval to the queue of time information.
5. The method of any of claims 1-4, further comprising:
detecting the transmission rate of the message;
detecting the message identification in the time information queue and the activity degree of the corresponding time information;
and when the transmission rate is judged to be greater than a preset rate threshold value and the activity degree is judged to be lower than a preset activity degree threshold value, outputting prompt information.
6. The method according to any one of claims 1-4, further comprising:
detecting the transmission rate of the message;
detecting the message identification in the time information queue and the activity degree of the corresponding time information;
and when the transmission rate is judged to be lower than a preset rate threshold value and/or the activity degree is judged to be lower than a preset activity degree threshold value, outputting state change prompt information.
7. The method according to claim 1, wherein when the new message is determined to be an abnormal message, if formula (2) is satisfied, the abnormal message is determined to be an injection attack abnormal message;
t2<(1-μ)t1 (2)。
8. The method according to claim 1, wherein when the new message is judged to be an abnormal message, if formula (3) is satisfied, the abnormal message is determined to be a delayed abnormal message;
t2>(1+μ)t1 (3)。
9. An on-vehicle intrusion detection device, comprising:
the analysis module is used for analyzing the message identifier and the time stamp of the received message; receiving a new message, and analyzing a new message identifier and a new timestamp of the new message;
the updating module is used for inquiring a pre-constructed time information queue according to the message identifier and judging whether time information corresponding to the message identifier exists or not; if the time information does not exist, the timestamp is taken as the time information corresponding to the message identifier, and the message identifier and the time information corresponding to the message identifier are added into the time information queue; if the time information exists, judging whether the time information corresponding to the message identifier has reached a preset quantity threshold value; if not, updating the time information corresponding to the message identifier in the time information queue according to the timestamp; if it has been reached, deleting the expired time information corresponding to the message identifier, and updating the time information corresponding to the message identifier in the time information queue according to the timestamp;
the query module is used for querying the time information queue according to the new message identifier and determining the time information corresponding to the new message identifier; the time information comprises a timestamp of a message closest to the current time and at least one time interval, wherein the time interval is a time interval between every two adjacent messages received according to a time sequence;
a judging module, configured to judge whether the new message is an abnormal message according to the new timestamp and the time information and according to a preset detection condition, where the judging module includes: calculating interval average values t1 of all time intervals; calculating a new time interval t2 between the new timestamp and the timestamp of the message closest to the current time; setting the fluctuation threshold value as mu, judging the new message as a normal message when the following relation is met, and otherwise, judging the new message as an abnormal message;
(1-μ)t1 ≤t2 ≤(1+μ)t1 (1)
and the output module is used for outputting prompt information when the new message is judged to be the abnormal message.
CN202110181127.8A 2021-02-08 2021-02-08 Vehicle-mounted intrusion detection method and device Active CN112953723B (en)


Publications (2)

Publication Number Publication Date
CN112953723A CN112953723A (en) 2021-06-11
CN112953723B true CN112953723B (en) 2023-04-18




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant