CN114374565A - Intrusion detection method and device for vehicle CAN network, electronic equipment and medium - Google Patents


Info

Publication number: CN114374565A
Application number: CN202210114380.6A
Authority: CN (China)
Legal status: Pending (status as shown on Google Patents; not a legal conclusion)
Original language: Chinese (zh)
Inventors: 许传斌, 李木犀, 陈明, 吴淼, 刘毅
Original and current assignee: FAW Group Corp
Prior art keywords: data, vehicle, abnormal, determining, rule set

Classifications

    • H04L63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Managing network security; network security policies in general
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. networks in vehicles
    • H04L12/40006 Bus networks: architecture of a communication node
    • H04L2012/40215 Bus networks characterised by the use of a particular bus standard: Controller Area Network (CAN)

Abstract

The embodiments of the invention disclose an intrusion detection method and device for a vehicle CAN network, an electronic device and a storage medium. The intrusion detection method for the vehicle CAN network comprises: acquiring CAN data transmitted on a CAN bus of the vehicle; determining whether the information definition of the CAN data matches a normal communication information definition contained in a preset rule set; and, if it does not match, determining that the CAN data is abnormal data and analyzing the abnormal data to obtain the abnormal behavior of the vehicle. The embodiments can monitor the vehicle CAN network in real time, recognize CAN data and abnormal behavior against the preset rule set, perform network intrusion detection for a bus-type vehicle network, defend against malicious attacks and improve the security of the vehicle network.

Description

Intrusion detection method and device for vehicle CAN network, electronic equipment and medium
Technical Field
The embodiment of the invention relates to the technical field of vehicle network security, in particular to an intrusion detection method, an intrusion detection device, electronic equipment and a medium for a vehicle CAN network.
Background
With the increasing intelligence and connectivity of vehicles, the number of Electronic Control Units (ECUs) on a vehicle has grown rapidly to nearly a hundred, for example the infotainment control unit, the telematics (vehicle networking) control unit and the advanced driver assistance control unit. At the same time, the number of external interfaces of the vehicle has grown: Wi-Fi, Bluetooth, 3G/4G cellular, USB and so on. Because ECU computing resources and capabilities are limited, it is difficult to design an effective security scheme, and conventional security mechanisms are hard to deploy directly on an ECU. In addition, as the number of ECU functions grows, so does the amount of code implementing them, and potential security vulnerabilities become more and more prominent.
Communication between the ECUs of a vehicle runs mainly over the Controller Area Network (CAN) bus. The CAN protocol, however, was designed for a closed automotive environment without considering network security, so it carries many security risks. Once a vehicle has an external network interface, an attacker who breaks through that interface and gains a foothold inside the vehicle can easily control the vehicle through the CAN network, endangering the life and property of the driver and passengers.
The main security risk faced by vehicle ECUs stems from the CAN protocol itself, the in-vehicle network communication protocol. CAN offers real-time, reliable transmission between nodes, but its limited frame length, its identifier field that names the message rather than the sending node (so there is no source address), and its lack of any authentication field create serious security hazards. A typical risk is that an ECU cannot identify the source of a CAN message it receives and simply acts on it, so a forged control message can be used to control the vehicle illegitimately.
Disclosure of Invention
The embodiments of the invention provide an intrusion detection method and device for a vehicle CAN network, an electronic device and a storage medium, which can perform network intrusion detection for a bus-type vehicle network and effectively protect the safety of the driver and passengers.
In a first aspect, an embodiment of the present invention provides an intrusion detection method for a vehicle CAN network, including:
acquiring CAN data transmitted on a CAN bus on a vehicle;
determining a matching result of the information definition of the CAN data and the normal communication information definition included in a preset rule set;
and if the matching is inconsistent, determining that the CAN data is abnormal data, and analyzing the abnormal data to obtain the abnormal behavior of the vehicle.
In a second aspect, an embodiment of the present invention further provides an intrusion detection device for a vehicle CAN network, including:
the data acquisition module is used for acquiring CAN data transmitted on a CAN bus on a vehicle;
the rule matching module is used for determining the matching result of the information definition of the CAN data and the normal communication information definition included in the preset rule set;
and the abnormal data determining module is used for determining that the CAN data are abnormal data if the matching is inconsistent, and analyzing the abnormal data to obtain the abnormal behavior of the vehicle.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the intrusion detection method for the vehicle CAN network according to any embodiment of the present invention.
In a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the intrusion detection method for the vehicle CAN network according to any embodiment of the present invention.
The embodiments of the invention acquire CAN data transmitted on a CAN bus of the vehicle; determine whether the information definition of the CAN data matches a normal communication information definition contained in the preset rule set; and, if it does not match, determine that the CAN data is abnormal data and analyze the abnormal data to obtain the abnormal behavior of the vehicle. The embodiments can monitor the vehicle CAN network in real time, recognize CAN data and abnormal behavior against the preset rule set, perform network intrusion detection for a bus-type vehicle network, defend against malicious attacks and improve the security of the vehicle network.
Drawings
FIG. 1 is a flow chart of a method for intrusion detection in a CAN network of a vehicle according to a first embodiment of the present invention;
fig. 2 is a schematic structural diagram of an intrusion detection system of a vehicle CAN network according to a second embodiment of the present invention;
FIG. 3 is a diagram illustrating the detection of the IDS engine processing module in a second embodiment of the present invention;
fig. 4 is a schematic structural diagram of an intrusion detection device of a vehicle CAN network according to a third embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device in a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of an intrusion detection method for a vehicle CAN network according to an embodiment of the present invention, applicable to detecting an intrusion attack on the in-vehicle CAN bus. The method may be performed by an intrusion detection device for a vehicle CAN network, which may be implemented in software and/or hardware and configured in an electronic device, for example the central gateway controller of the vehicle.
As shown in fig. 1, the method specifically includes:
step 101, acquiring CAN data transmitted on a CAN bus on a vehicle.
The method can be deployed in the central gateway controller, so that the acquired CAN data covers all CAN messages in the vehicle; intrusion detection is thus applied to every CAN message transmitted in the vehicle, which further improves the security of the vehicle network.
Specifically, because the method is deployed in the vehicle gateway system and runs there in real time, all CAN data transmitted on the CAN buses of the vehicle can be acquired in real time.
And 102, determining a matching result of the information definition of the CAN data and the normal communication information definition included in the preset rule set.
The preset rule set is a model of the vehicle's normal behavior and comprises normal communication message rules, signal rules and diagnostic rules. Each kind of rule contains normal communication information definitions, that is, the definitions of the information each ECU of the vehicle is specified to transmit during normal communication, including transmission frequency (cycle time) definitions, information length definitions, normal value range definitions and the like.
Specifically, the information definition of the received CAN data is matched against the communication information definitions that the preset rule set specifies for normal vehicle operation. If the information definition of the CAN data is consistent with the communication information definition of any detection rule in the preset rule set, the matching result is "consistent"; if it is inconsistent with the communication information definitions of all detection rules in the preset rule set, the matching result is "inconsistent".
In one possible embodiment, the preset rule set comprises detection rules generated by parsing all CAN communication information definitions in the gateway DBC file, and detection rules generated by parsing complex signal states and reasonable signals.
The gateway DBC (CAN database) file contains the information definitions of CAN communication; all communication on the CAN network follows the information definitions described in the gateway DBC file, and fixing the gateway DBC file allows the node controllers of the whole CAN network to be developed in parallel without mismatch. Therefore the detection rules generated by parsing all CAN communication information definitions in the gateway DBC file cover the CAN communication information definitions of every node controller on the CAN network during normal communication.
Complex signal states are not formed directly from the CAN communication information definitions in the gateway DBC file. A complex signal state may be a complex control signal sent according to the driving state of the vehicle, composed of several ordinary signals combined in a specific way, the ordinary signals being those defined in the gateway DBC file. Reasonable (legitimate) signals are messages that may legitimately be transmitted on the in-vehicle bus but are generally uncommon: signals that are not defined in the gateway DBC file but that the vehicle nevertheless recognizes. Complex signal states and reasonable signals usually arise from the growing number of ECUs and the presence of external interfaces, which introduce signals that were never precisely defined but are legitimately communicated. Complex signal states and reasonable signals can be imported in advance, that is, determined manually beforehand and then imported so that detection rules are generated from them.
Specifically, the CAN communication information definitions in the imported gateway DBC file, together with the complex signal states and reasonable signals, are parsed; the information definitions that CAN data communicated on the in-vehicle bus may legitimately take are determined; and detection rules, that is, the vehicle's normal information communication rules, are generated from these definitions.
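As an added illustration of how detection rules are derived from a DBC file (example code, not the patent's own implementation), the following Python parses a constructed DBC fragment into message length, cycle-time and signal value-range rules of the kind described above. The DBC statements used (BO_, SG_ and the BA_ "GenMsgCycleTime" attribute) are the standard Vector DBC syntax; the message IDs, names, cycle times and ranges are invented for the example, and the rule data structures are this example's own.

```python
"""Build a rule set from a gateway DBC file.

Added example, not code from the patent. Parses the BO_ (message), SG_ (signal)
and BA_ "GenMsgCycleTime" lines of a constructed DBC fragment into the kind of
normal-communication definitions the text describes: expected message length,
expected cycle time and signal value range. Other DBC statements are ignored.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed DBC fragment (invented IDs, names and ranges, not a real vehicle database).
SAMPLE_DBC = """\
VERSION ""

BO_ 256 EngineData: 8 ECM
 SG_ EngineSpeed : 0|16@1+ (0.25,0) [0|8000] "rpm" Vector__XXX
 SG_ CoolantTemp : 16|8@1+ (1,-40) [-40|215] "degC" Vector__XXX

BO_ 512 DoorStatus: 2 BCM
 SG_ DoorLockCmd : 0|2@1+ (1,0) [0|2] "" Vector__XXX

BO_ 1024 BrakeStatus: 4 ABS
 SG_ BrakePressure : 0|12@1+ (0.1,0) [0|300] "bar" Vector__XXX

BA_ "GenMsgCycleTime" BO_ 256 10;
BA_ "GenMsgCycleTime" BO_ 512 100;
BA_ "GenMsgCycleTime" BO_ 1024 20;
"""


@dataclass
class SignalRule:
    name: str
    start_bit: int
    length: int
    little_endian: bool   # byte order flag '1' in a DBC means Intel (little-endian)
    factor: float
    offset: float
    minimum: float        # normal value range, after factor/offset are applied
    maximum: float


@dataclass
class MessageRule:
    can_id: int
    name: str
    dlc: int                        # expected data length in bytes
    sender: str
    cycle_ms: int | None = None     # expected period; None for event-driven messages
    signals: list = field(default_factory=list)


BO_RE = re.compile(r'^BO_\s+(\d+)\s+(\w+)\s*:\s*(\d+)\s+(\w+)')
SG_RE = re.compile(r'^\s*SG_\s+(\w+)\s*:\s*(\d+)\|(\d+)@([01])([+-])\s*'
                   r'\(([^,]+),([^)]+)\)\s*\[([^|]+)\|([^\]]+)\]')
BA_CYCLE_RE = re.compile(r'^BA_\s+"GenMsgCycleTime"\s+BO_\s+(\d+)\s+(\d+)\s*;')


def parse_dbc(text: str) -> dict[int, MessageRule]:
    """Return {can_id: MessageRule} built from the BO_/SG_/BA_ lines of a DBC."""
    rules: dict[int, MessageRule] = {}
    current: MessageRule | None = None
    for line in text.splitlines():
        m = BO_RE.match(line)
        if m:
            can_id, name, dlc, sender = m.groups()
            # DBC stores extended (29-bit) IDs with bit 31 set; mask it off so the
            # rule key equals the identifier seen on the bus.
            current = MessageRule(int(can_id) & 0x1FFFFFFF, name, int(dlc), sender)
            rules[current.can_id] = current
            continue
        m = SG_RE.match(line)
        if m and current is not None:
            name, start, length, order, _sign, factor, offset, lo, hi = m.groups()
            current.signals.append(SignalRule(name, int(start), int(length), order == '1',
                                              float(factor), float(offset), float(lo), float(hi)))
            continue
        m = BA_CYCLE_RE.match(line)
        if m:
            can_id, cycle = int(m.group(1)) & 0x1FFFFFFF, int(m.group(2))
            if can_id in rules:
                rules[can_id].cycle_ms = cycle
    return rules


def rule_set_summary(rules: dict[int, MessageRule]) -> list[str]:
    """One line per message rule, a form that can be diffed between rule-set versions."""
    out = []
    for r in sorted(rules.values(), key=lambda r: r.can_id):
        sigs = ", ".join(f"{s.name}[{s.minimum},{s.maximum}]" for s in r.signals)
        out.append(f"0x{r.can_id:03X} {r.name} dlc={r.dlc} cycle={r.cycle_ms}ms from {r.sender}: {sigs}")
    return out


if __name__ == "__main__":
    for line in rule_set_summary(parse_dbc(SAMPLE_DBC)):
        print(line)
```

Each rule carries exactly the three definitions the text names (length, cycle time, value range). Complex signal states and reasonable signals are not in the DBC and would be added to the returned dictionary separately, as the text describes.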
In one possible embodiment, step 102 includes at least one of:
determining a matching result of the bus definition of the CAN data and the bus normal communication information definition in the preset rule set;
determining a matching result of the message definition of the CAN data and the message normal communication information definition in the preset rule set;
determining a matching result of the signal definition of the CAN data and the signal normal communication information definition in the preset rule set;
and determining a matching result of the definition of the diagnosis signal of the CAN data and the definition of the normal communication information of the diagnosis signal in the preset rule set.
The preset rule set comprises a bus rule set, a message rule set, a signal rule set and a diagnostic rule set: the bus rule set contains the bus normal communication information definitions, the message rule set the message normal communication information definitions, the signal rule set the signal normal communication information definitions, and the diagnostic rule set the diagnostic-signal normal communication information definitions.
Specifically, the gateway matches the CAN data on the bus in turn against the bus rule set, the message rule set, the signal rule set and the diagnostic rule set of the preset rule set, determines the matching result of each, and determines that the final matching result is inconsistent if any rule set fails to match. First it checks whether the CAN data exhibits a bus anomaly according to the bus rule set; if so, the abnormal data is logged, otherwise the next step continues. Optionally, a bus anomaly is an anomaly in the definition of the whole CAN frame, such as an anomaly in a preset byte of the frame or in the frame length. Next it checks whether the CAN data exhibits a message anomaly according to the message rule set; if so, the abnormal data is logged, otherwise the next step continues. Optionally, message anomalies include a message cycle anomaly, a message length anomaly and a message value-range anomaly. Then it checks whether the CAN data exhibits a signal anomaly according to the signal rule set; if so, the abnormal data is logged, otherwise the next step continues. Optionally, a signal anomaly is a byte or bit field of the signal whose value lies outside its normal range. Finally it checks whether the CAN data exhibits a diagnostic-signal anomaly according to the diagnostic rule set, and logs the abnormal data if so. Optionally, a diagnostic signal is identified by a preset byte value and follows a fixed sending flow, and a diagnostic-signal anomaly includes a deviation from that flow. Optionally, the matching order of the bus, message, signal and diagnostic rule sets may be adjusted to the actual situation, which the embodiment does not limit.
In one possible embodiment, step 102 further includes:
and determining the matching result of the CAN data and the context state message of the vehicle.
A context state message of the vehicle is a message representing the current state of the vehicle, which includes the state of each ECU and the like. While determining the matching result between the information definition of the CAN data and the normal communication information definitions in the preset rule set, the comparison also takes the vehicle context state into account, and when a CAN message conflicts with the vehicle state the matching result is treated as inconsistent; an example is a door-opening CAN message arriving while the vehicle is driving normally.
Specifically, after the matching result between the information definition of the CAN data and the normal communication information definitions in the preset rule set has been determined, the matching result between the CAN data and the context state message of the vehicle is determined.
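The sequential matching of step 102 and the context check above, as one added example in Python (example code, not the patent's own implementation): constructed CAN frames are run through bus, message, signal, diagnostic and context units in the order the text gives, and the first unit that rejects a frame logs it. The rule tables are written inline rather than parsed from a DBC, the identifiers, periods and value ranges are invented, only little-endian signal layout is decoded, and the diagnostic "fixed sending flow" rule is a simplified assumption of this example: a UDS SecurityAccess request (service 0x27) is expected only after a DiagnosticSessionControl request (service 0x10) on the same request ID.

```python
"""Layered rule matching for CAN frames: bus, message, signal, diagnostic, context.

Added example, not the patent's code. Rule tables, IDs, periods and ranges are
constructed; only little-endian (Intel) signal layout is decoded; the diagnostic
flow rule (0x27 must follow 0x10) is a simplified assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t_ms: int        # receive timestamp in milliseconds
    can_id: int
    data: bytes


# Bus rule set: which identifiers may appear at all, and the maximum payload size.
BUS_RULES = {"allowed_ids": {0x100, 0x200, 0x400, 0x7DF, 0x7E0, 0x7E8}, "max_dlc": 8}

# Message and signal rule sets (constructed; normally derived from the gateway DBC).
# signal tuple = (name, start_bit, bit_length, factor, offset, min, max)
MESSAGE_RULES = {
    0x100: {"dlc": 8, "cycle_ms": 10, "tolerance": 0.5,
            "signals": [("EngineSpeed", 0, 16, 0.25, 0, 0, 8000),
                        ("VehicleSpeed", 32, 8, 1, 0, 0, 250)]},
    0x200: {"dlc": 2, "cycle_ms": 100, "tolerance": 0.5,
            "signals": [("DoorLockCmd", 0, 2, 1, 0, 0, 2)]},   # assumed: 2 = unlock
    0x400: {"dlc": 4, "cycle_ms": 20, "tolerance": 0.5,
            "signals": [("BrakePressure", 0, 12, 0.1, 0, 0, 300)]},
}
DIAG_REQUEST_IDS = {0x7DF, 0x7E0}            # UDS functional and physical request IDs
UDS_SESSION_CONTROL, UDS_SECURITY_ACCESS = 0x10, 0x27


def decode_signal(data, start_bit, length, factor=1, offset=0):
    """Extract an unsigned little-endian bit field and apply factor/offset."""
    raw = (int.from_bytes(data, "little") >> start_bit) & ((1 << length) - 1)
    return raw * factor + offset


class IdsEngine:
    def __init__(self):
        self.last_seen = {}            # can_id -> t_ms of previous frame (cycle checks)
        self.session_opened = set()    # diagnostic request IDs that sent service 0x10
        self.state = {"VehicleSpeed": 0.0}   # vehicle context, updated from accepted frames
        self.log = []                  # (t_ms, can_id, unit, reason) per abnormal frame

    # Each unit returns a reason string for an abnormal frame, or None if it passes.
    def bus_unit(self, f):
        if f.can_id not in BUS_RULES["allowed_ids"]:
            return f"unknown id 0x{f.can_id:03X}"
        if len(f.data) > BUS_RULES["max_dlc"]:
            return f"dlc {len(f.data)} exceeds {BUS_RULES['max_dlc']}"
        return None

    def message_unit(self, f):
        rule = MESSAGE_RULES.get(f.can_id)
        if rule is None:
            return None
        if len(f.data) != rule["dlc"]:
            return f"length {len(f.data)} != {rule['dlc']}"
        prev = self.last_seen.get(f.can_id)
        self.last_seen[f.can_id] = f.t_ms
        if prev is not None and f.t_ms - prev < rule["cycle_ms"] * (1 - rule["tolerance"]):
            return f"cycle {f.t_ms - prev}ms shorter than expected {rule['cycle_ms']}ms"
        return None

    def signal_unit(self, f):
        for name, start, length, factor, offset, lo, hi in MESSAGE_RULES.get(f.can_id, {}).get("signals", []):
            value = decode_signal(f.data, start, length, factor, offset)
            if not lo <= value <= hi:
                return f"{name}={value} outside [{lo},{hi}]"
        return None

    def diagnostic_unit(self, f):
        if f.can_id not in DIAG_REQUEST_IDS or len(f.data) < 2:
            return None
        service = f.data[1]            # ISO-TP single frame: byte 0 = length, byte 1 = service
        if service == UDS_SESSION_CONTROL:
            self.session_opened.add(f.can_id)
        elif service == UDS_SECURITY_ACCESS and f.can_id not in self.session_opened:
            return "SecurityAccess without prior DiagnosticSessionControl"
        return None

    def context_unit(self, f):
        # Update the context from accepted frames, then reject commands that conflict with it.
        if f.can_id == 0x100:
            self.state["VehicleSpeed"] = decode_signal(f.data, 32, 8)
        if f.can_id == 0x200 and decode_signal(f.data, 0, 2) == 2 and self.state["VehicleSpeed"] > 0:
            return f"door unlock command while moving at {self.state['VehicleSpeed']} km/h"
        return None

    def process(self, f):
        """Run the units in order; the first failure classifies the frame and stops."""
        for unit in (self.bus_unit, self.message_unit, self.signal_unit,
                     self.diagnostic_unit, self.context_unit):
            reason = unit(f)
            if reason is not None:
                self.log.append((f.t_ms, f.can_id, unit.__name__, reason))
                return unit.__name__
        return None


def sample_traffic():
    """Constructed traffic: normal engine frames at 10 ms, then one frame per anomaly class."""
    normal = bytes([0x40, 0x1F, 0, 0, 60, 0, 0, 0])          # EngineSpeed 2000 rpm, 60 km/h
    frames = [Frame(k * 10, 0x100, normal) for k in range(5)]
    frames += [
        Frame(45, 0x3FF, b"\x00"),                                  # bus: unknown identifier
        Frame(50, 0x100, normal),                                   # normal
        Frame(52, 0x100, normal),                                   # message: 2 ms after last (flood)
        Frame(60, 0x100, bytes([0xFF, 0xFF, 0, 0, 60, 0, 0, 0])),   # signal: EngineSpeed out of range
        Frame(70, 0x7E0, bytes([0x02, 0x27, 0x01, 0, 0, 0, 0, 0])), # diagnostic: 0x27 without 0x10
        Frame(80, 0x200, bytes([0x02, 0x00])),                      # context: unlock while moving
    ]
    return frames


def detect(frames):
    """Run all frames through a fresh engine and return its anomaly log."""
    engine = IdsEngine()
    for f in frames:
        engine.process(f)
    return engine.log


if __name__ == "__main__":
    for rec in detect(sample_traffic()):
        print(rec)
```

The units compare only frame contents and timing, which is all a CAN frame offers: a forged frame that uses a defined identifier, the right length, a period-consistent send time and in-range values passes every unit, since CAN carries no sender authentication. The context unit narrows that gap for commands that contradict vehicle state, but not for plausible ones.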
And 103, if the matching is inconsistent, determining that the CAN data is abnormal data, and analyzing the abnormal data to obtain the abnormal behavior of the vehicle.
If the information definition of the CAN data does not match the normal communication information definitions in the preset rule set, the CAN data conflicts with the vehicle's normal behavior model and falls outside the known range of normal communication definitions, so it is determined to be abnormal data. The specific message content of the abnormal data is then analyzed to determine the abnormal behavior of the vehicle, that is, the specific vehicle behavior that the CAN data would cause.
In one possible embodiment, analyzing the abnormal data to obtain the abnormal behavior of the vehicle includes:
determining the attack type of the abnormal data according to the matching result of the abnormal data and the preset rule set;
analyzing the abnormal data according to the attack type to obtain the abnormal behavior of the vehicle;
and determining an updating detection rule according to the abnormal behavior of the vehicle, and updating the preset rule set according to the updating detection rule.
The matching result between the abnormal data and the preset rule set indicates which detection rule in the preset rule set the communication information definition of the abnormal data matches most closely, and the attack type of the abnormal data is the type to which that detection rule belongs. For example, the attack type may be a bus attack, a message attack, a signal attack or a diagnostic-signal attack, or a subtype of one of these, depending on the actual configuration of the preset rule set.
Optionally, the method further includes storing the abnormal data reliably to ensure the reliability and security of the data; illustratively, the abnormal data is stored classified by attack type.
After the abnormal data has been classified by attack type, it is analyzed to obtain the abnormal behavior of the vehicle: the specific message content of the abnormal data is analyzed to determine the specific vehicle behavior the CAN data would cause. Because matching against the preset rule set may flag data that is in fact legitimate, it is necessary to determine from the specific vehicle behavior whether the abnormal data is intrusion data. If the behavior caused by the abnormal CAN data is found to be normal, the matching detection rule in the preset rule set is modified according to the specific communication definition of that CAN data, or a new detection rule is generated from the CAN data and added to the preset rule set, thereby updating it. If the behavior is found to be an intrusion, the abnormal CAN data is determined to be intrusion data.
After the preset rule set has been updated, a new gateway update package file is generated, and the new rule-set file is delivered to the gateway system by remote or local update, so that the rules are refined and the policy updated.
In one possible embodiment, analyzing the abnormal data to obtain the abnormal behavior of the vehicle includes:
and sending the abnormal data to a cloud end, and analyzing the abnormal data by the cloud end to obtain the abnormal behavior of the vehicle.
Because the local computing power of the vehicle is limited, the analysis of abnormal data can be performed in the cloud. Specifically, after the vehicle end has determined abnormal data, the vehicle gateway sends it to the cloud platform through the networking application, and the cloud platform analyzes it to obtain the abnormal behavior of the vehicle. Illustratively, the cloud platform determines the attack type of the abnormal data from its matching result against the preset rule set, analyzes the abnormal data according to the attack type to obtain the abnormal behavior of the vehicle, determines an updated detection rule from that behavior and updates the preset rule set with it.
In one possible embodiment, after analyzing the abnormal data to obtain the abnormal behavior of the vehicle, the method further includes:
counting the occurrence frequency of the abnormal behavior of the vehicle in a preset time period;
and determining the intrusion trend according to the occurrence times so as to predict the next intrusion.
According to statistical principles, the number of abnormal-data attacks within a preset time period is counted so that an intrusion trend can be drawn, and the next abnormal-data intrusion is predicted from that trend, improving the detection accuracy for the next intrusion. Optionally, the counting of the occurrences of abnormal vehicle behavior within the preset time period and the determination of the intrusion trend can be performed by the cloud. When the cloud predicts the time and attack type of the next intrusion, it sends the prediction to the vehicle end to improve the detection accuracy of the vehicle end.
The embodiments of the invention can monitor the vehicle CAN network in real time, recognize CAN data and abnormal behavior against the preset rule set, perform network intrusion detection for a bus-type vehicle network, defend against malicious attacks and improve the security of the vehicle network.
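The cloud-side steps described above (classifying abnormal data by attack type, counting occurrences per time period to draw an intrusion trend, and turning anomalies found to be legitimate into rule-set updates) as one added Python example, not the patent's own code. The anomaly records are constructed in a log format of this example's choosing, the rule set is a reduced stand-in for the IDS rule set, the analyst verdicts are invented, and the JSON layout of the update file is an assumption.

```python
"""Cloud-side triage of abnormal CAN data: classify by attack type, count per time
window, estimate the next window, and emit a rule-set update for benign anomalies.

Added example, not the patent's code. Records, rule set, verdicts and the update
file format are all constructed for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed anomaly log as a gateway might upload it: (t_ms, can_id, unit, reason).
ANOMALY_LOG = [
    (45, 0x3FF, "bus_unit", "unknown id 0x3FF"),
    (52, 0x100, "message_unit", "cycle 2ms shorter than expected 10ms"),
    (54, 0x100, "message_unit", "cycle 2ms shorter than expected 10ms"),
    (56, 0x100, "message_unit", "cycle 2ms shorter than expected 10ms"),
    (60, 0x100, "signal_unit", "EngineSpeed=16383.75 outside [0,8000]"),
    (70, 0x7E0, "diagnostic_unit", "SecurityAccess without prior DiagnosticSessionControl"),
    (1045, 0x3FF, "bus_unit", "unknown id 0x3FF"),
    (2045, 0x3FF, "bus_unit", "unknown id 0x3FF"),
]
# The detection unit that rejected a frame names its attack type (the patent's categories).
ATTACK_TYPE = {"bus_unit": "bus", "message_unit": "message", "signal_unit": "signal",
               "diagnostic_unit": "diagnostic", "context_unit": "context"}


def classify(log):
    """Group anomaly records by attack type, the form in which they are stored."""
    by_type = defaultdict(list)
    for rec in log:
        by_type[ATTACK_TYPE[rec[2]]].append(rec)
    return dict(by_type)


def trend(log, window_ms):
    """Count anomalies per (time window, attack type): the raw material for an intrusion trend."""
    counts = Counter()
    for t, _can_id, unit, _reason in log:
        counts[(t // window_ms, ATTACK_TYPE[unit])] += 1
    return counts


def predict_next(counts, attack_type, last_window):
    """Crude trend estimate for the next window: mean count over the windows seen so far."""
    values = [counts.get((w, attack_type), 0) for w in range(last_window + 1)]
    return sum(values) / len(values)


def rule_update(rules, verdicts):
    """Turn analyst verdicts into a new rule set and an update file for the gateway.

    verdicts: {can_id: ("benign", detail)} for anomalies found to be legitimate traffic
    (e.g. an identifier of a newly added ECU missing from the DBC) or ("intrusion", detail),
    which leaves the rules unchanged. The original rule set is not modified.
    """
    new_rules = json.loads(json.dumps(rules))          # deep copy
    changes = []
    for can_id, (verdict, detail) in verdicts.items():
        if verdict == "benign" and can_id not in new_rules["allowed_ids"]:
            new_rules["allowed_ids"].append(can_id)
            changes.append({"op": "allow_id", "id": can_id, "why": detail})
    new_rules["version"] += 1
    update_file = json.dumps({"version": new_rules["version"], "changes": changes}, indent=2)
    return new_rules, update_file


if __name__ == "__main__":
    counts = trend(ANOMALY_LOG, 1000)
    print({k: len(v) for k, v in classify(ANOMALY_LOG).items()})
    print("bus anomalies expected next second:", predict_next(counts, "bus", 2))
    _, update = rule_update({"version": 7, "allowed_ids": [0x100, 0x200]},
                            {0x3FF: ("benign", "identifier of newly fitted ECU")})
    print(update)
```

The update file travels to the gateway over the remote or local update path the text describes. Every change that allows an identifier or widens a range also widens what an attacker can send undetected, so a deployment would sign the update package and have the gateway verify the signature before replacing its rule set; that step is outside this example.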
Example two
Fig. 2 is a schematic structural diagram of an intrusion detection system of a vehicle CAN network according to a second embodiment of the present invention, which is applicable to a case of detecting an intrusion attack on an in-vehicle CAN bus. As shown in fig. 2, the system includes: the system comprises an IDS rule set, a rule updating processing module, an abnormal data processing module, an IDS engine processing module and a situation perception module, wherein the IDS rule set, the rule updating processing module, the abnormal data processing module and the IDS engine processing module are deployed in a central gateway controller at a vehicle end, and the situation perception module is deployed at a cloud end.
The IDS engine processing module sends the abnormal data to the abnormal data processing module after determining the abnormal data, and the abnormal data is sent to the cloud situation perception module by the abnormal data processing module.
The situation awareness module of the cloud identifies security risks through abnormal data statistics, classification and analysis, and formulates a new rule set file to generate a new gateway upgrade package file; the gateway sends the new rule set file to a rule updating processing module of the vehicle end in a remote updating or local updating mode, and the rule updating processing module updates the new rule set file to an IDS rule set so as to complete the rules and update the strategy.
The detection principle diagram of the IDS engine processing module is shown in fig. 3, and the detection principle of the IDS engine processing module is as follows: an IDS engine processing module and an IDS rule set are deployed on the vehicle gateway, and the IDS engine processing module comprises a bus detection unit, a message detection unit, a signal detection unit and a diagnosis detection unit. The IDS rule set is a normal behavior model of the vehicle and records normal message rules, signal rules and diagnostic rules of the vehicle. When the IDS engine processing module receives CAN message data in the vehicle, the CAN message data in the vehicle is sequentially detected by each detection unit in the IDS engine processing module, and whether the CAN message is an abnormal message or not is determined according to the IDS rule set and the context data, and if the CAN message is a normal message, the CAN message passes; and if the message is an abnormal message, recording the message as abnormal data.
The detection flow of the IDS engine processing module is as follows: the gateway inputs CAN data on the bus to an IDS engine processing module in sequence, the IDS engine comprises a plurality of detection units and detects the CAN data in sequence: the system comprises a bus detection unit, a next step message detection unit, a next step signal detection unit, a diagnosis detection unit and a diagnosis detection unit, wherein the bus detection unit is used for detecting whether the CAN data has bus abnormity according to a bus detection rule in a bus rule set, if the CAN data has the bus abnormity, logging the abnormal data, if the CAN data has no abnormity, the next step message detection unit is used for continuing logging the abnormal data, if the CAN data has no abnormity according to a message detection rule in a message rule set, the next step signal detection unit is used for detecting whether the CAN data has the signal abnormity according to a signal detection rule in a signal rule set, if the CAN data has the abnormity, logging the abnormal data, if the CAN data has no abnormity, the next step diagnosis detection unit is used for continuing, and if the CAN data has the diagnosis detection rule in a diagnosis rule set, the CAN data is detected whether the diagnosis signal abnormity, and if the abnormal data has the abnormality, logging is carried out. After the detection of each unit is finished, comparing the CAN data by combining the vehicle context state message, and identifying the CAN data as abnormal when the CAN data is not matched with the vehicle state, for example, the CAN data is matched with the abnormal CAN data when the CAN data is opened in normal driving; this completes the abnormality detection of the CAN data.
The system provided by the embodiment of the invention also comprises an IDS rule set configuration module for configuring the IDS rule set. The IDS rule set configuration module is divided into an automatic analysis unit and a function analysis unit. The automatic analysis unit mainly processes the DBC file of the gateway: once the DBC file is imported, the automatic analysis unit parses it into the corresponding detection rules. The function analysis unit generates the corresponding detection rules from the complex state signals and rationality signals introduced for the various functions. Illustratively, the function analysis unit provides an interactive interface for introducing functions manually, through which complex signal states and rationality signals can be entered into the configuration module by hand. Finally, the IDS rule set configuration module merges all the detection rules to generate the IDS rule set configuration file.
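The automatic analysis unit's DBC-to-rules step and the merge with manually introduced function rules, as an added example that is not the patent's code. The DBC excerpt, the function rule and the JSON rule-set schema are constructed for illustration; only the `BO_` and `SG_` lines of the DBC format are handled, and the rejection of a function rule that names a signal the DBC does not define is this example's own configuration-time check.

```python
"""IDS rule set configuration: the automatic analysis unit parses the gateway DBC
into message/signal detection rules; function rules entered by hand are validated
and merged into one configuration file.  Added example, not the patent's code;
the DBC excerpt, the function rule and the JSON schema are constructed."""
import json
import re
from typing import Dict, List

# Constructed DBC excerpt; a real gateway DBC carries hundreds of BO_/SG_ lines.
DBC_TEXT = '''VERSION ""

BO_ 256 VehicleDynamics: 8 ECM
 SG_ VehicleSpeed : 0|16@1+ (0.01,0) [0|250] "km/h" BCM,GW
 SG_ EngineRPM : 16|16@1+ (0.25,0) [0|8000] "rpm" GW
BO_ 512 BodyCmd: 4 BCM
 SG_ DoorUnlockCmd : 0|1@1+ (1,0) [0|1] "" GW
'''

BO_RE = re.compile(r"^BO_ (\d+) (\w+): (\d+) (\w+)")
SG_RE = re.compile(r'^\s*SG_ (\w+)\s*(?:[Mm]\d*)?\s*: (\d+)\|(\d+)@([01])([+-]) '
                   r'\(([^,]+),([^)]+)\) \[([^|]+)\|([^\]]+)\] "([^"]*)"')


def parse_dbc(text: str) -> Dict[int, dict]:
    """Message rules keyed by CAN ID: DLC, sender and each signal's layout and physical range."""
    rules: Dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        m = BO_RE.match(line)
        if m:
            raw_id = int(m.group(1))                   # DBC sets bit 31 on 29-bit (extended) IDs
            current = rules[raw_id & 0x1FFFFFFF] = {
                "name": m.group(2), "dlc": int(m.group(3)), "sender": m.group(4),
                "extended": bool(raw_id & 0x80000000), "signals": []}
            continue
        m = SG_RE.match(line)
        if m and current is not None:
            current["signals"].append({
                "name": m.group(1), "start_bit": int(m.group(2)), "length": int(m.group(3)),
                "byte_order": "intel" if m.group(4) == "1" else "motorola", "signed": m.group(5) == "-",
                "factor": float(m.group(6)), "offset": float(m.group(7)),
                "min": float(m.group(8)), "max": float(m.group(9)), "unit": m.group(10)})
    return rules


# Constructed input of the function analysis unit: a rationality rule relating two
# signals from different messages, which no DBC parser can derive on its own.
FUNCTION_RULES = [
    {"name": "NoUnlockWhileMoving", "signal": "DoorUnlockCmd", "forbidden_value": 1,
     "when": {"signal": "VehicleSpeed", "greater_than": 0}},
]


def build_rule_set(dbc_text: str, function_rules: List[dict]) -> dict:
    """Merge both units' output; a function rule over a signal the DBC lacks is a configuration error."""
    messages = parse_dbc(dbc_text)
    known = {s["name"] for msg in messages.values() for s in msg["signals"]}
    for fr in function_rules:
        for name in (fr["signal"], fr["when"]["signal"]):
            if name not in known:
                raise ValueError(f"function rule {fr['name']!r} references unknown signal {name!r}")
    return {"messages": {f"0x{i:03X}": msg for i, msg in sorted(messages.items())},
            "context_rules": function_rules}


def to_config_file(rule_set: dict) -> str:
    return json.dumps(rule_set, indent=2, sort_keys=True)
```

`build_rule_set(DBC_TEXT, FUNCTION_RULES)` yields the merged configuration and `to_config_file` serialises it; validating hand-entered rules against the parsed DBC at this point keeps a typo in a signal name from silently producing a rule that never matches on the vehicle.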
The situation awareness module is deployed at the cloud end and is mainly used to process and analyze vehicle data. It comprises a data storage unit, a data classification unit, a data analysis unit, a situation awareness unit and a rule updating unit. The data storage unit reliably stores the data uploaded by the vehicle end, so that the data remain reliable and secure. The data classification unit classifies the data according to attack type. The data analysis unit analyzes the data and derives the abnormal behavior from the attack type, the attack message and the detection rule that fired. The situation awareness unit counts the number of attacks within a period of time on a statistical basis and draws the attack trend from these counts. The rule updating unit processes the analysis result of the abnormal data, formulates a new rule through the IDS rule set configuration module and updates it into the vehicle-end system.
According to the embodiment of the invention, CAN data is detected in real time on the vehicle CAN network; abnormal data and abnormal behaviors are sensed according to the preset rule set, and the abnormal data is recorded and uploaded to the cloud end. The cloud platform analyzes the abnormal attack data to identify real information security attack events, formulates a new rule set and pushes it to the vehicle by remote update, which further improves the accuracy of abnormal data detection. The embodiment of the invention thus realizes network intrusion detection for a bus-type vehicle network, prevents malicious attacks and improves the security of the vehicle network.
Example three
Fig. 4 is a schematic structural diagram of an intrusion detection device of a vehicle CAN network according to a third embodiment of the present invention, which is applicable to a case of detecting an intrusion attack on an in-vehicle CAN bus. As shown in fig. 4, the apparatus includes:
the data acquisition module 410 is used for acquiring CAN data transmitted on a CAN bus on a vehicle;
a rule matching module 420, configured to determine a matching result between the information definition of the CAN data and a normal communication information definition included in a preset rule set;
and the abnormal data determining module 430 is configured to determine that the CAN data is abnormal data if the matching is inconsistent, and analyze the abnormal data to obtain an abnormal behavior of the vehicle.
The embodiment of the invention can detect the vehicle CAN network in real time, sense abnormal data and abnormal behaviors according to the preset rule set, realize network intrusion detection for a bus-type vehicle network, prevent malicious attacks and improve the security of the vehicle network.
Optionally, the rule matching module includes at least one of the following units:
the bus rule matching unit is used for determining a matching result of the bus definition of the CAN data and the bus normal communication information definition in a preset rule set;
the message rule matching unit is used for determining the matching result of the message definition of the CAN data and the message normal communication information definition in a preset rule set;
the signal rule matching unit is used for determining a matching result of the signal definition of the CAN data and the signal normal communication information definition in a preset rule set;
and the diagnostic signal rule matching unit is used for determining the matching result of the diagnostic signal definition of the CAN data and the diagnostic signal normal communication information definition in the preset rule set.
Optionally, the rule matching module further includes:
and the state matching unit is used for determining the matching result of the CAN data and the context state message of the vehicle.
Optionally, the preset rule set includes a detection rule generated by analyzing all CAN communication information definitions in the gateway DBC file, and a detection rule generated by analyzing a complex signal state and a reasonable signal.
Optionally, the abnormal data determining module includes an abnormal behavior detecting unit, configured to:
determining the attack type of the abnormal data according to the matching result of the abnormal data and the preset rule set;
analyzing the abnormal data according to the attack type to obtain abnormal behaviors of the vehicle;
and determining an updating detection rule according to the abnormal behavior of the vehicle, and updating the preset rule set according to the updating detection rule.
Optionally, the abnormal data determining module includes an abnormal data sending unit, configured to:
and sending the abnormal data to a cloud end, and analyzing the abnormal data by the cloud end to obtain the abnormal behavior of the vehicle.
Optionally, the device further includes a situation awareness module, configured to, after analyzing the abnormal data to obtain an abnormal behavior of the vehicle, specifically:
counting the occurrence frequency of the abnormal behavior of the vehicle in a preset time period;
and determining an intrusion trend according to the occurrence times so as to predict the next intrusion.
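The cloud-side processing described for the situation awareness module, both in the system description (classification by attack type, counting within a period of time, drawing the attack trend) and in the device's situation awareness module here (counting occurrences in a preset time period and determining an intrusion trend to predict the next intrusion), as an added Python example that is not part of the patent. The verdict-to-attack-type mapping, the uploaded record log and the choice of a least-squares slope as the trend statistic are assumptions of the example.

```python
"""Cloud-side situation awareness over anomaly records uploaded by vehicles:
classify by attack type, count per time window, fit a trend and extrapolate the
next window.  Added example; the verdict-to-attack-type map and the record log
are constructed, and the linear trend is this example's choice of statistic."""
from collections import defaultdict
from typing import Dict, List, Tuple

ATTACK_TYPE = {                       # engine verdict prefix -> attack type (constructed)
    "period_violation": "injection_flood",
    "unknown_id": "injection_unknown_id",
    "wrong_bus": "injection_cross_bus",
    "dlc_mismatch": "malformed_frame",
    "signal_out_of_range": "spoofed_signal",
    "unlock_while_driving": "context_violation",
    "diag_service_not_allowed": "diagnostic_abuse",
    "diag_while_driving": "diagnostic_abuse",
}


def classify(verdict: str) -> str:
    return ATTACK_TYPE.get(verdict.split(":", 1)[0], "unclassified")


def count_by_window(records: List[Tuple[float, str]], window_s: float) -> List[Dict[str, int]]:
    """records are (timestamp_s, verdict); returns one {attack_type: count} per consecutive window."""
    if not records:
        return []
    t0 = min(ts for ts, _ in records)
    n_windows = int((max(ts for ts, _ in records) - t0) // window_s) + 1
    buckets: List[Dict[str, int]] = [defaultdict(int) for _ in range(n_windows)]
    for ts, verdict in records:
        buckets[int((ts - t0) // window_s)][classify(verdict)] += 1
    return [dict(b) for b in buckets]


def trend(buckets: List[Dict[str, int]], attack_type: str) -> float:
    """Least-squares slope of count against window index; > 0 means the attack is ramping up."""
    ys = [b.get(attack_type, 0) for b in buckets]
    n = len(ys)
    if n < 2:
        return 0.0
    x_mean, y_mean = (n - 1) / 2, sum(ys) / n
    num = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(ys))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den


def predict_next(buckets: List[Dict[str, int]], attack_type: str) -> int:
    """Extrapolate the fitted line one window ahead (never below zero)."""
    ys = [b.get(attack_type, 0) for b in buckets]
    if not ys:
        return 0
    slope = trend(buckets, attack_type)
    intercept = sum(ys) / len(ys) - slope * (len(ys) - 1) / 2
    return max(0, round(intercept + slope * len(ys)))


# Constructed upload log: a flood attack growing window by window, plus one diagnostic probe.
SAMPLE_RECORDS = [
    (5.0, "period_violation"),
    (65.0, "period_violation"), (70.0, "period_violation"),
    (100.0, "diag_service_not_allowed"),
    (125.0, "period_violation"), (130.0, "period_violation"), (135.0, "period_violation"),
    (185.0, "period_violation"), (190.0, "period_violation"), (195.0, "period_violation"), (200.0, "period_violation"),
]


def situation_report(records=SAMPLE_RECORDS, window_s: float = 60.0) -> Dict[str, dict]:
    """Per attack type: counts per window, the fitted trend and the predicted count for the next window."""
    buckets = count_by_window(records, window_s)
    types = {t for b in buckets for t in b}
    return {t: {"per_window": [b.get(t, 0) for b in buckets],
                "trend": trend(buckets, t),
                "predicted_next": predict_next(buckets, t)} for t in sorted(types)}
```

`situation_report()` on the constructed log shows the flood growing by one event per window (trend 1.0, five predicted for the next window) while the single diagnostic probe shows no trend. A linear fit is deliberately simple; what matters for the rule updating unit is that the output is grouped by attack type so that a new detection rule can be formulated per type.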
The intrusion detection device of the vehicle CAN network provided by the embodiment of the invention CAN execute the intrusion detection method of the vehicle CAN network provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of executing the intrusion detection method of the vehicle CAN network.
Example four
Fig. 5 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention. FIG. 5 illustrates a block diagram of an exemplary electronic device 12 suitable for use in implementing embodiments of the present invention. The electronic device 12 shown in fig. 5 is only an example and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in FIG. 5, electronic device 12 is embodied in the form of a general purpose computing device. The components of electronic device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory device 28, and a bus 18 that couples various system components including the system memory device 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory device bus or memory device controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by electronic device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system storage 28 may include computer system readable media in the form of volatile storage, such as Random Access Memory (RAM)30 and/or cache storage 32. The electronic device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, and commonly referred to as a "hard drive"). Although not shown in FIG. 5, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Storage 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in storage 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Electronic device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with device 12, and/or with any devices (e.g., network card, modem, etc.) that enable device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the electronic device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown in FIG. 5, the network adapter 20 communicates with the other modules of the electronic device 12 via the bus 18. It should be appreciated that although not shown in FIG. 5, other hardware and/or software modules may be used in conjunction with electronic device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing by running a program stored in the system storage device 28, for example, to implement the intrusion detection method for the vehicle CAN network provided by the embodiment of the present invention, including:
acquiring CAN data transmitted on a CAN bus on a vehicle;
determining a matching result of the information definition of the CAN data and the normal communication information definition included in a preset rule set;
and if the matching is inconsistent, determining that the CAN data is abnormal data, and analyzing the abnormal data to obtain the abnormal behavior of the vehicle.
Example five
The fifth embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the intrusion detection method for the vehicle CAN network provided by the embodiments of the present invention, the method including:
acquiring CAN data transmitted on a CAN bus on a vehicle;
determining a matching result of the information definition of the CAN data and the normal communication information definition included in a preset rule set;
and if the matching is inconsistent, determining that the CAN data is abnormal data, and analyzing the abnormal data to obtain the abnormal behavior of the vehicle.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An intrusion detection method of a vehicle CAN network, comprising:
acquiring CAN data transmitted on a CAN bus on a vehicle;
determining a matching result of the information definition of the CAN data and the normal communication information definition included in a preset rule set;
and if the matching is inconsistent, determining that the CAN data is abnormal data, and analyzing the abnormal data to obtain the abnormal behavior of the vehicle.
2. The method of claim 1, wherein determining the matching result of the information definition of the CAN data and the normal communication information definition included in the preset rule set comprises at least one of:
determining a matching result of the bus definition of the CAN data and the bus normal communication information definition in a preset rule set;
determining a matching result of the message definition of the CAN data and the message normal communication information definition in a preset rule set;
determining a matching result of the signal definition of the CAN data and the signal normal communication information definition in a preset rule set;
and determining a matching result of the definition of the diagnosis signal of the CAN data and the definition of the normal communication information of the diagnosis signal in the preset rule set.
3. The method of claim 2, wherein determining a matching result between the information definition of the CAN data and the normal communication information definition included in the preset rule set further comprises:
and determining a matching result of the CAN data and the context state message of the vehicle.
4. The method of claim 1, wherein the predetermined rule set comprises detection rules generated by parsing all CAN communication information definitions in a gateway DBC file, and detection rules generated by parsing complex signal states and reasonable signals.
5. The method of claim 1, wherein analyzing the anomalous data to derive vehicle anomalous behavior comprises:
determining the attack type of the abnormal data according to the matching result of the abnormal data and the preset rule set;
analyzing the abnormal data according to the attack type to obtain abnormal behaviors of the vehicle;
and determining an updating detection rule according to the abnormal behavior of the vehicle, and updating the preset rule set according to the updating detection rule.
6. The method of claim 1, wherein analyzing the anomalous data to derive vehicle anomalous behavior comprises:
and sending the abnormal data to a cloud end, and analyzing the abnormal data by the cloud end to obtain the abnormal behavior of the vehicle.
7. The method of claim 1, wherein after analyzing the anomalous data for anomalous vehicle behavior, the method further comprises:
counting the occurrence frequency of the abnormal behavior of the vehicle in a preset time period;
and determining an intrusion trend according to the occurrence times so as to predict the next intrusion.
8. An intrusion detection device of a vehicle CAN network, comprising:
the data acquisition module is used for acquiring CAN data transmitted on a CAN bus on a vehicle;
the rule matching module is used for determining the matching result of the information definition of the CAN data and the normal communication information definition included in the preset rule set;
and the abnormal data determining module is used for determining that the CAN data are abnormal data if the matching is inconsistent, and analyzing the abnormal data to obtain the abnormal behavior of the vehicle.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of intrusion detection for a vehicle CAN network according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out a method for intrusion detection of a vehicle CAN network according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210114380.6A CN114374565A (en) 2022-01-30 2022-01-30 Intrusion detection method and device for vehicle CAN network, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210114380.6A CN114374565A (en) 2022-01-30 2022-01-30 Intrusion detection method and device for vehicle CAN network, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN114374565A true CN114374565A (en) 2022-04-19

Family

ID=81145966

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210114380.6A Pending CN114374565A (en) 2022-01-30 2022-01-30 Intrusion detection method and device for vehicle CAN network, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN114374565A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106878130A (en) * 2017-03-14 2017-06-20 成都雅骏新能源汽车科技股份有限公司 A kind of electric automobile CAN network method for detecting abnormality and device
CN109033829A (en) * 2018-07-27 2018-12-18 北京梆梆安全科技有限公司 Vehicle network intrusion detection householder method, apparatus and system
CN110958271A (en) * 2019-12-24 2020-04-03 国家计算机网络与信息安全管理中心 Vehicle-mounted external network intrusion detection system

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115102706A (en) * 2022-04-27 2022-09-23 麦格纳斯太尔汽车技术(上海)有限公司 HOST-IDS safety detection system and method for vehicle ECU
CN115102707A (en) * 2022-04-27 2022-09-23 麦格纳斯太尔汽车技术(上海)有限公司 Vehicle CAN network IDS safety detection system and method
CN115102706B (en) * 2022-04-27 2023-10-20 麦格纳斯太尔汽车技术(上海)有限公司 HOST-IDS safety detection system and method of vehicle ECU
CN114978630A (en) * 2022-05-11 2022-08-30 重庆长安汽车股份有限公司 Safety event detection system and method for vehicle-mounted CAN network and storage medium
CN114710372A (en) * 2022-06-08 2022-07-05 湖南师范大学 Vehicle-mounted CAN network intrusion detection system and method based on incremental learning
CN114710372B (en) * 2022-06-08 2022-09-06 湖南师范大学 Vehicle-mounted CAN network intrusion detection system and method based on incremental learning
CN115333938A (en) * 2022-07-19 2022-11-11 岚图汽车科技有限公司 Vehicle safety protection control method and related equipment
CN115333938B (en) * 2022-07-19 2024-03-26 岚图汽车科技有限公司 Vehicle safety protection control method and related equipment
CN115320538A (en) * 2022-07-20 2022-11-11 国汽智控(北京)科技有限公司 Intelligent network automobile intrusion detection system and method
CN115603975A (en) * 2022-09-30 2023-01-13 北京天融信网络安全技术有限公司(Cn) Message intrusion detection method and device, electronic equipment and storage medium
CN115603975B (en) * 2022-09-30 2023-06-09 北京天融信网络安全技术有限公司 Message intrusion detection method and device, electronic equipment and storage medium
CN115883226A (en) * 2022-12-07 2023-03-31 中国第一汽车股份有限公司 Vehicle network attack analysis method, device, equipment and storage medium
CN116915514A (en) * 2023-09-14 2023-10-20 鹏城实验室 Intrusion detection method and device based on bidirectional time convolution network and intelligent automobile
CN116915514B (en) * 2023-09-14 2023-12-12 鹏城实验室 Intrusion detection method and device based on bidirectional time convolution network and intelligent automobile

Similar Documents

Publication Publication Date Title
CN114374565A (en) Intrusion detection method and device for vehicle CAN network, electronic equipment and medium
US11277427B2 (en) System and method for time based anomaly detection in an in-vehicle communication
US11363045B2 (en) Vehicle anomaly detection server, vehicle anomaly detection system, and vehicle anomaly detection method
Wu et al. A survey of intrusion detection for in-vehicle networks
US11115433B2 (en) System and method for content based anomaly detection in an in-vehicle communication network
CN111064745B (en) Self-adaptive back-climbing method and system based on abnormal behavior detection
CN109033829A (en) Vehicle network intrusion detection householder method, apparatus and system
CN106559431B (en) Visual analysis method and device for automobile safety detection
US11924225B2 (en) Information processing apparatus, information processing method, and recording medium
CN110750790B (en) CAN bus vulnerability detection method and device, terminal equipment and medium
CN110035087B (en) Method, device, equipment and storage medium for recovering account information from traffic
US20230087540A1 (en) Communication permission list generation device, communication permission list generation method, and non-transitory computer readable-medium
CN110620760A (en) FlexRay bus fusion intrusion detection method and detection device for SVM (support vector machine) and Bayesian network
CN111903095B (en) Detection device and method thereof, and recording medium
CN111614614B (en) Safety monitoring method and device applied to Internet of things
EP4135261B1 (en) Information processing device, information processing method, and program
CN111145380A (en) Reported data processing method and device adaptive to vehicle-mounted equipment and electronic equipment
CN115296849A (en) Associated alarm method and system, storage medium and electronic equipment
CN113596043A (en) Attack detection method, attack detection device, storage medium and electronic device
CN112733151A (en) Embedded equipment firmware analysis method, device, medium and electronic equipment
CN113534772A (en) Fault code clearing method, electronic device and storage medium
Jadidbonab et al. A hardware-based soc monitoring in-life solution for automotive industry
WO2023233710A1 (en) Information processing method, information processing system, and program
WO2024007615A1 (en) Model training method and apparatus, and related device
WO2023223515A1 (en) Attack path estimation system, attack path estimation device, attack path estimation method, and program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination