CN114615086B - Vehicle-mounted CAN network intrusion detection method - Google Patents

Vehicle-mounted CAN network intrusion detection method

Info

Publication number: CN114615086B
Authority: CN (China)
Prior art keywords: vehicle, sliding window, deviation, message, sample
Legal status: Active
Application number: CN202210394125.1A
Other languages: Chinese (zh)
Other versions: CN114615086A (en)
Inventor: 胡东辉, 黄秋生
Current Assignee: Hefei University of Technology; Intelligent Manufacturing Institute of Hefei University Technology
Original Assignee: Hefei University of Technology; Intelligent Manufacturing Institute of Hefei University Technology
Application filed by Hefei University of Technology and Intelligent Manufacturing Institute of Hefei University Technology
Priority to CN202210394125.1A
Publication of CN114615086A
Application granted
Publication of CN114615086B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Abstract

The invention discloses a vehicle-mounted CAN network intrusion detection method comprising the following steps: 1, learning CAN message data under normal vehicle conditions using a training model, and calculating the threshold ranges of 3 features; 2, adjusting the sliding window of the training model, and determining the sliding window size from the result of a skewness-kurtosis test; 3, the detection model collects and processes CAN message data of the running vehicle according to the sliding window size; and 4, analyzing the data frames against the threshold ranges, identifying abnormal data frames and counting them, and raising an alarm once the count reaches a certain threshold. The invention places the complex training and learning process in an offline stage, so that online intrusion detection needs only judgment and accumulation with little computing power; it is therefore easy to deploy in a vehicle environment and can detect CAN network intrusion quickly and accurately.

Description

Vehicle-mounted CAN network intrusion detection method
Technical Field
The present invention relates to the field of network security, and in particular, to a method and apparatus for detecting vehicle intrusion.
Background
The vehicle-mounted CAN network connects the various Electronic Control Units (ECUs) installed in an automobile; each ECU is connected to sensors or actuators so as to collect sensor signals or drive the actuators to perform a specific action. The ECUs exchange information with one another, sending and receiving data over the vehicle-mounted CAN network as a bus. In the Internet of Vehicles environment, the vehicle-mounted CAN network is not a closed and isolated network, but is connected in various forms to networks outside the vehicle.
The vehicle-mounted CAN network itself lacks encryption and identity authentication mechanisms, and the sending of CAN messages follows an arbitration mechanism; research has shown that the vehicle-mounted CAN network has defects and can be intruded remotely. Once the CAN network of a vehicle is intruded, the lives and property of the passengers are seriously threatened.
At the present stage, intrusion detection for the vehicle-mounted CAN network analyzes CAN message data to find its characteristics under normal vehicle conditions; when the characteristics of the CAN messages at some moment are found to differ from those under normal conditions, the vehicle is judged to have been intruded. It can be understood that more complex data mining methods cannot meet the requirement of real-time detection, and that the computing power of the electronic control units on the vehicle-mounted CAN network is limited and cannot support more complex data analysis. Some research places data acquisition at the vehicle end and data analysis and processing on a cloud server; this requires network communication with high real-time performance, and because there are many vehicles it inevitably occupies a large amount of network channel resources. Uploading large amounts of normal vehicle data to the cloud is also pointless and compromises the data privacy of the vehicle.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a vehicle-mounted CAN network intrusion detection method that reduces the computing power required for vehicle-mounted CAN network intrusion detection, so that the detection can be deployed on the automobile and performed in real time without changing the existing software and hardware architecture of the vehicle-mounted CAN network.
In order to achieve the aim of the invention, the invention adopts the following technical scheme:
The invention relates to a vehicle-mounted CAN network intrusion detection method, characterized by comprising the following steps:
Step 1, offline learning:
Step 1.1, taking offline CAN message data collected during normal running of a vehicle as a data set, and recording the standard sending period of the CAN message numbered ID = $P_1$ in the data set as $t_0$;
Step 1.2, recording the sliding window size at the k-th cycle of optimization as $n_k$; continuously recording, for the current $n_k$-th timestamp, the $n_k - 1$ actual transmission periods of the CAN message numbered ID = $P_1$ over a period of history, recorded as , and the actually transmitted timestamps, recorded as $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$; wherein represents the i-th actual transmission period at the k-th cycle of optimization, and $T_i^k$ represents the i-th actually transmitted timestamp at the k-th cycle of optimization;
Step 1.3, within the sliding window $n_k$ at the k-th cycle of optimization, calculating the deviation of the current $n_k$-th actual transmission period from the standard transmission period; calculating the first cumulative deviation feature of each actual transmission period from the standard transmission period at the k-th cycle of optimization; calculating the second cumulative deviation of the i-th actually transmitted timestamp $T_i^k$ from the standard predicted timestamp at the k-th cycle of optimization; wherein $T_i^{pre}$ represents the theoretical sending timestamp of the CAN message numbered ID = $P_1$ that corresponds to the timestamp $T_i^k$ and is predicted according to the standard transmission period $t_0$;
Step 2, sliding window optimization:
Step 2.1, calculating the statistic of the j-th sliding window at the k-th cycle of optimization, thereby obtaining the statistics of all sliding windows at the k-th cycle of optimization and collecting them into a sample I; wherein is the standard deviation of the actual transmission periods of the CAN message numbered ID = $P_1$ in the j-th sliding window, and is the mean of the actual transmission periods of the CAN message numbered ID = $P_1$ in the j-th sliding window;
Step 2.2, performing a skewness-kurtosis test on the sample I:
Step 2.2.1, calculating the v-th order central moment $B_v$ of the sample I using formula (1);
In formula (1), n represents the total number of sliding windows at the k-th cycle of optimization, and represents the mean of sample I;
Step 2.2.2, calculating the skewness and the kurtosis of the sample I using formula (2);
In formula (2), $B_2$ represents the 2nd-order central moment of sample I, $B_3$ represents the 3rd-order central moment of sample I, and $B_4$ represents the 4th-order central moment of sample I;
Step 2.2.3, recording the skewness variance as , the kurtosis variance as , and the kurtosis mean as , thereby obtaining the skewness test statistic and the kurtosis test statistic ;
Step 2.2.4, with the confidence level set to $1 - \alpha$, if sample I satisfies $|U_1| < u_{\alpha/4}$ and $|U_2| < u_{\alpha/4}$, this shows that sample I obeys the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding window size of the CAN message numbered ID = $P_1$ is obtained and recorded as ; otherwise, assigning $k + 1$ to $k$, setting $n_k = n_{k-1} + \Delta n$, and returning to step 1.2 to execute in sequence; wherein $1 - \alpha$ represents the confidence level of the test, $u_{\alpha/4}$ represents the upper $\alpha/4$ quantile of the standard normal distribution, and $\Delta n$ represents a fixed step size;
Step 3, setting thresholds:
Step 3.1, following the procedure of step 1.3, sliding with the optimal sliding window size to extract one deviation feature and two cumulative deviation features of the CAN message numbered ID = $P_1$ under each optimal sliding window; performing a regularization operation on the three features extracted at each slide and then activating them through the Tanh function to obtain the processed deviation feature and cumulative deviation features; setting the threshold interval of the deviation feature according to the maximum and minimum values of the processed deviation feature; setting the threshold interval of the first cumulative deviation feature according to the maximum and minimum values of the processed first cumulative deviation feature; setting the threshold interval of the second cumulative deviation feature according to the maximum and minimum values of the processed second cumulative deviation feature;
Step 3.2, calculating the threshold intervals of the three features for the CAN messages of the other IDs in the data set, following the procedure of steps 1.1 to 3.1;
Step 4, online monitoring:
Collecting real-time CAN message data while the vehicle is actually running, and calculating the three actual feature values of the CAN message of each ID under its optimal sliding window, following the procedure of step 3;
If an actual feature value exceeds the corresponding threshold interval, counting starts, and when the accumulated count exceeds the set limit, this indicates that the vehicle-mounted CAN network has been intruded, and an alarm is issued.
The invention relates to a vehicle-mounted CAN network intrusion detection device, which is characterized in that the device comprises: a memory, a processor; the memory has stored thereon a vehicle CAN network intrusion detection program configured to implement the steps of the vehicle CAN network intrusion detection method as described in claim 1 and run on the processor.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention uses an offline learning method for CAN message data, so that a computation and storage unit with higher computing power can be used to extract and analyze the data features.
2. The online detection algorithm uses threshold judgment and cumulative counting, requires little computing power, and can meet the requirement of real-time detection.
3. The invention detects intrusion based on the message data features of the vehicle-mounted CAN network, and can be deployed on the vehicle-mounted CAN network without changing its software and hardware environment.
Drawings
FIG. 1 is a schematic diagram of a vehicle-mounted CAN network intrusion detection device of a hardware operating environment according to an embodiment of the invention;
FIG. 2 is a schematic flow chart of an embodiment of intrusion detection of a vehicle-mounted CAN network according to the invention;
FIG. 3 is a block diagram of training and detection models of an embodiment of the present invention for in-vehicle CAN network intrusion detection.
Detailed Description
In this embodiment, as shown in FIG. 1, the vehicle-mounted CAN network intrusion detection device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 enables connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as a disk memory. The memory 1005 may optionally also be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the architecture shown in fig. 1 does not constitute a limitation of the in-vehicle CAN network intrusion detection device, and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
As shown in fig. 1, an operating system, a data storage module, a network communication module, a user interface module, and an in-vehicle CAN network intrusion detection program may be included in the memory 1005 as one type of storage medium.
In the vehicle-mounted CAN network intrusion detection device shown in FIG. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 can be arranged in the vehicle-mounted CAN network intrusion detection device, which calls the vehicle-mounted CAN network intrusion detection program stored in the memory 1005 through the processor 1001 and executes the vehicle-mounted CAN network intrusion detection method provided by the embodiment of the invention.
Based on the above vehicle-mounted CAN network intrusion detection device, the present embodiment provides a vehicle-mounted CAN network intrusion detection method that places the complex training and learning process in an offline stage, so that online intrusion detection needs only judgment and accumulation with little computing power; it is therefore easy to deploy in a vehicle environment and can detect CAN network intrusion quickly and accurately. Specifically, referring to FIG. 2, the method comprises the following steps:
Step 1, offline learning:
Step 1.1, taking offline CAN message data collected during normal running of a vehicle as a data set, and recording the standard sending period of the CAN message numbered ID = $P_1$ in the data set as $t_0$. A training model is constructed as shown in FIG. 3; it comprises modules for data acquisition, sliding window, feature extraction, regularization, activation and the like, and is used to calculate and analyze normal CAN message data in an offline environment.
Step 1.2, extracting and analyzing the data of the data set using a sliding window, wherein the initial value of the sliding window size is $n_0$ and the sliding window size at the k-th cycle of optimization is recorded as $n_k$; continuously recording, for the current $n_k$-th timestamp, the $n_k - 1$ actual transmission periods of the CAN message numbered ID = $P_1$ over a period of history, recorded as , and the actually transmitted timestamps, recorded as $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$; wherein represents the i-th actual transmission period at the k-th cycle of optimization, and $T_i^k$ represents the i-th actually transmitted timestamp at the k-th cycle of optimization;
Step 1.3, within the sliding window $n_k$ at the k-th cycle of optimization, calculating the deviation of the current $n_k$-th actual transmission period from the standard transmission period; calculating the first cumulative deviation feature of each actual transmission period from the standard transmission period at the k-th cycle of optimization; calculating the second cumulative deviation of the i-th actually transmitted timestamp $T_i^k$ from the standard predicted timestamp at the k-th cycle of optimization; wherein $T_i^{pre}$ represents the theoretical sending timestamp of the CAN message numbered ID = $P_1$ that corresponds to the timestamp $T_i^k$ and is predicted according to the standard transmission period $t_0$;
It should be noted that each of the 3 features has its own emphasis. When a forged message is sent, its timestamp is random, so the deviation feature changes greatly. The first cumulative deviation feature reflects the delay in sending messages of this ID caused by the arbitration mechanism over a period of time, and introducing it helps reduce the false detection rate for normal messages. The second cumulative deviation feature is interpreted as follows: the timestamps of normally sent messages should regress linearly onto a straight line L: y = wx + b, where x represents the x-th transmission of the message and y represents the timestamp of the x-th transmission; w represents the slope of the line, i.e. the standard period of message transmission, and b represents the intercept of the line on the y-axis, i.e. the most recent timestamp regarded as a normal message sending time. Because noise interference is unavoidable during message transmission, the regression onto the line L becomes weaker and weaker as the number of transmissions x increases, so b is updated at intervals; at the same time, x is reset to zero and the line L is reconstructed. The standard prediction cumulative deviation is the cumulative deviation between the actually transmitted timestamps of the message and the line L within one sliding window.
Step 2, sliding window optimization:
Step 2.1, calculating the statistic of the j-th sliding window at the k-th cycle of optimization, thereby obtaining the statistics of all sliding windows at the k-th cycle of optimization and collecting them into a sample I; wherein is the standard deviation of the actual transmission periods of the CAN message numbered ID = $P_1$ in the j-th sliding window, and is the mean of the actual transmission periods of the CAN message numbered ID = $P_1$ in the j-th sliding window;
Step 2.2, performing a skewness-kurtosis test on the sample I:
Step 2.2.1, calculating the v-th order central moment $B_v$ of the sample I using formula (1);
In formula (1), n represents the total number of sliding windows at the k-th cycle of optimization, and represents the mean of sample I;
Step 2.2.2, calculating the skewness and the kurtosis of the sample I using formula (2);
In formula (2), $B_2$ represents the 2nd-order central moment of sample I, $B_3$ represents the 3rd-order central moment of sample I, and $B_4$ represents the 4th-order central moment of sample I;
according to statistical theory, when n is sufficiently large
Step 2.2.3, recording the skewness variance as , the kurtosis variance as , and the kurtosis mean as , thereby obtaining the skewness test statistic and the kurtosis test statistic ;
Step 2.2.4, with the confidence level set to $1 - \alpha$, if sample I satisfies $|U_1| < u_{\alpha/4}$ and $|U_2| < u_{\alpha/4}$, this shows that sample I obeys the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding window size of the CAN message numbered ID = $P_1$ is obtained and recorded as ; otherwise, assigning $k + 1$ to $k$, setting $n_k = n_{k-1} + \Delta n$, and returning to step 1.2 to execute in sequence; wherein $1 - \alpha$ represents the confidence level of the test, $u_{\alpha/4}$ represents the upper $\alpha/4$ quantile of the standard normal distribution, and $\Delta n$ represents a fixed step size;
Step 3, setting thresholds:
Step 3.1, following the procedure of step 1.3, sliding with the optimal sliding window size to extract one deviation feature and two cumulative deviation features of the CAN message numbered ID = $P_1$ under each optimal sliding window; performing a regularization operation on the three features extracted at each slide and then activating them through the Tanh function to obtain the processed deviation feature and cumulative deviation features; setting the threshold interval of the deviation feature according to the maximum and minimum values of the processed deviation feature; setting the threshold interval of the first cumulative deviation feature according to the maximum and minimum values of the processed first cumulative deviation feature; setting the threshold interval of the second cumulative deviation feature according to the maximum and minimum values of the processed second cumulative deviation feature;
Step 3.2, calculating the threshold intervals of the three features for the CAN messages of the other IDs in the data set, following the procedure of steps 1.1 to 3.1;
Step 4, online monitoring:
Collecting real-time CAN message data while the vehicle is actually running, and calculating the three actual feature values of the CAN message of each ID under its optimal sliding window, following the procedure of step 3;
If an actual feature value exceeds the corresponding threshold interval, counting starts, and when the accumulated count exceeds the set limit, this indicates that the vehicle-mounted CAN network has been intruded, and an alarm is issued.
Specifically, the online detection model uses a discriminator and a perceptron module: when the features extracted from the CAN messages detected in real time exceed the threshold ranges, the discriminator outputs a discrimination result according to the number of features exceeding the threshold ranges and assigns different weight values, and the perceptron module analyzes this result to judge whether the currently acquired real-time CAN message data is normal or abnormal.
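Steps 1 to 4 above, as an added Python example that is not code from the patent: offline window sizing and threshold learning, then online threshold judgment and counting on constructed timestamp traces. The formula images are not reproduced on this page, so the feature formulas, the window statistic (a standardised mean of the periods), z-score scaling as the "regularization" step, non-overlapping windows for sample I, the `n_max` fallback and all function names are assumptions; the skewness-kurtosis constants are the usual large-sample textbook ones.

```python
import math
import random
from statistics import NormalDist, mean, pstdev, stdev

def features(ts, t0):
    """Three timing features of one window of timestamps (assumed formulas)."""
    periods = [b - a for a, b in zip(ts, ts[1:])]
    dev = periods[-1] - t0                     # newest period vs. standard period
    cum_period = sum(p - t0 for p in periods)  # first cumulative deviation
    # Second cumulative deviation: distance from line L: y = t0*x + b, with b
    # re-anchored to the first timestamp of the window and x restarted at 0.
    cum_stamp = sum(t - (ts[0] + x * t0) for x, t in enumerate(ts))
    return dev, cum_period, cum_stamp

def skew_kurt_normal(sample, alpha=0.05):
    """Skewness-kurtosis test; True when normality is not rejected."""
    n, m = len(sample), mean(sample)
    b2, b3, b4 = (sum((x - m) ** v for x in sample) / n for v in (2, 3, 4))
    if b2 == 0:
        return False
    g1, g2 = b3 / b2 ** 1.5, b4 / b2 ** 2      # skewness, kurtosis
    s1 = math.sqrt(6 * (n - 2) / ((n + 1) * (n + 3)))
    s2 = math.sqrt(24 * n * (n - 2) * (n - 3)
                   / ((n + 1) ** 2 * (n + 3) * (n + 5)))
    mu2 = 3 - 6 / (n + 1)
    u1, u2 = g1 / s1, (g2 - mu2) / s2
    crit = NormalDist().inv_cdf(1 - alpha / 4)  # upper alpha/4 quantile
    return abs(u1) < crit and abs(u2) < crit

def choose_window(ts, t0, n0=5, dn=5, n_max=60, alpha=0.05):
    """Grow the window by dn until sample I passes the test (step 2)."""
    n = n0
    while n < n_max:
        sample = []
        for i in range(0, len(ts) - n + 1, n):  # non-overlapping windows
            w = ts[i:i + n]
            p = [b - a for a, b in zip(w, w[1:])]
            # Assumed window statistic: standardised mean of the periods.
            sample.append((mean(p) - t0) / (stdev(p) / math.sqrt(len(p))))
        if len(sample) > 3 and skew_kurt_normal(sample, alpha):
            return n
        n += dn
    return n_max                                # fallback cap (assumption)

def slide(ts, n):
    return (ts[i:i + n] for i in range(len(ts) - n + 1))

def train(ts, t0):
    """Offline stage: window size, scaling constants, threshold intervals."""
    n = choose_window(ts, t0)
    cols = list(zip(*(features(w, t0) for w in slide(ts, n))))
    scale = [(mean(c), pstdev(c) or 1.0) for c in cols]
    bounds = []
    for c, (m, s) in zip(cols, scale):
        act = [math.tanh((x - m) / s) for x in c]
        bounds.append((min(act), max(act)))
    return {"t0": t0, "n": n, "scale": scale, "bounds": bounds}

def detect(ts, model, limit):
    """Online stage: count out-of-interval windows, alarm above `limit`."""
    count = 0
    for w in slide(ts, model["n"]):
        f = features(w, model["t0"])
        for x, (m, s), (lo, hi) in zip(f, model["scale"], model["bounds"]):
            if not lo <= math.tanh((x - m) / s) <= hi:
                count += 1                      # one count per window
                break
        if count > limit:
            return True, count
    return False, count

def make_trace(frames, t0, sigma, seed):
    """Constructed sample data: periodic frames with Gaussian period jitter."""
    rng, t, out = random.Random(seed), 0.0, []
    for _ in range(frames):
        out.append(t)
        t += t0 + rng.gauss(0.0, sigma)
    return out

def with_extra_frames(ts, start, stop):
    """Constructed anomaly: one additional frame between frames start..stop."""
    return sorted(ts + [(ts[i] + ts[i + 1]) / 2 for i in range(start, stop)])

if __name__ == "__main__":
    T0 = 0.010                                  # 10 ms standard period
    clean = make_trace(3000, T0, 0.0002, seed=1)
    model = train(clean, T0)
    print("window size:", model["n"])
    print("clean trace:", detect(clean, model, limit=5))
    print("trace with extra frames:",
          detect(with_extra_frames(clean[:400], 200, 260), model, limit=5))
```

Because Tanh is monotonic, the learned intervals are equivalent to intervals on the scaled features; values far outside the training range saturate near ±1 and still fall outside the interval as long as the training extremes themselves did not saturate.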
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. read-only memory/random-access memory, magnetic disk, optical disk), comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (2)

1. The vehicle-mounted CAN network intrusion detection method is characterized by comprising the following steps of:
Step 1, offline learning:
Step 1.1, taking offline CAN message data collected during normal running of a vehicle as a data set, and recording the standard sending period of the CAN message numbered ID = $P_1$ in the data set as $t_0$;
Step 1.2, recording the sliding window size at the k-th cycle of optimization as $n_k$; continuously recording, for the current $n_k$-th timestamp, the $n_k - 1$ actual transmission periods of the CAN message numbered ID = $P_1$ over a period of history, recorded as , and the actually transmitted timestamps, recorded as $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$; wherein represents the i-th actual transmission period at the k-th cycle of optimization, and $T_i^k$ represents the i-th actually transmitted timestamp at the k-th cycle of optimization;
Step 1.3, within the sliding window $n_k$ at the k-th cycle of optimization, calculating the deviation of the current $n_k$-th actual transmission period from the standard transmission period; calculating the first cumulative deviation feature of each actual transmission period from the standard transmission period at the k-th cycle of optimization; calculating the second cumulative deviation of the i-th actually transmitted timestamp $T_i^k$ from the standard predicted timestamp at the k-th cycle of optimization; wherein $T_i^{pre}$ represents the theoretical sending timestamp of the CAN message numbered ID = $P_1$ that corresponds to the timestamp $T_i^k$ and is predicted according to the standard transmission period $t_0$;
Step 2, sliding window optimization:
Step 2.1, calculating the statistic of the j-th sliding window at the k-th cycle of optimization, thereby obtaining the statistics of all sliding windows at the k-th cycle of optimization and collecting them into a sample I; wherein is the standard deviation of the actual transmission periods of the CAN message numbered ID = $P_1$ in the j-th sliding window, and is the mean of the actual transmission periods of the CAN message numbered ID = $P_1$ in the j-th sliding window;
Step 2.2, performing a skewness-kurtosis test on the sample I:
Step 2.2.1, calculating the v-th order central moment $B_v$ of the sample I using formula (1);
In formula (1), n represents the total number of sliding windows at the k-th cycle of optimization, and represents the mean of sample I;
Step 2.2.2, calculating the skewness and the kurtosis of the sample I using formula (2);
In formula (2), $B_2$ represents the 2nd-order central moment of sample I, $B_3$ represents the 3rd-order central moment of sample I, and $B_4$ represents the 4th-order central moment of sample I;
Step 2.2.3, recording the skewness variance as , the kurtosis variance as , and the kurtosis mean as , thereby obtaining the skewness test statistic and the kurtosis test statistic ;
Step 2.2.4, with the confidence level set to $1 - \alpha$, if sample I satisfies $|U_1| < u_{\alpha/4}$ and $|U_2| < u_{\alpha/4}$, this shows that sample I obeys the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding window size of the CAN message numbered ID = $P_1$ is obtained and recorded as ; otherwise, assigning $k + 1$ to $k$, setting $n_k = n_{k-1} + \Delta n$, and returning to step 1.2 to execute in sequence; wherein $1 - \alpha$ represents the confidence level of the test, $u_{\alpha/4}$ represents the upper $\alpha/4$ quantile of the standard normal distribution, and $\Delta n$ represents a fixed step size;
Step 3, setting thresholds:
Step 3.1, following the procedure of step 1.3, sliding with the optimal sliding window size to extract one deviation feature and two cumulative deviation features of the CAN message numbered ID = $P_1$ under each optimal sliding window; performing a regularization operation on the three features extracted at each slide and then activating them through the Tanh function to obtain the processed deviation feature and cumulative deviation features; setting the threshold interval of the deviation feature according to the maximum and minimum values of the processed deviation feature; setting the threshold interval of the first cumulative deviation feature according to the maximum and minimum values of the processed first cumulative deviation feature; setting the threshold interval of the second cumulative deviation feature according to the maximum and minimum values of the processed second cumulative deviation feature;
Step 3.2, calculating the threshold intervals of the three features for the CAN messages of the other IDs in the data set, following the procedure of steps 1.1 to 3.1;
Step 4, online monitoring:
Collecting real-time CAN message data while the vehicle is actually running, and calculating the three actual feature values of the CAN message of each ID under its optimal sliding window, following the procedure of step 3;
If an actual feature value exceeds the corresponding threshold interval, counting starts, and when the accumulated count exceeds the set limit, this indicates that the vehicle-mounted CAN network has been intruded, and an alarm is issued.
2. An in-vehicle CAN network intrusion detection device, the device comprising: a memory, a processor; the memory has stored thereon a vehicle CAN network intrusion detection program configured to implement the steps of the vehicle CAN network intrusion detection method as described in claim 1 and run on the processor.
CN202210394125.1A 2022-04-14 2022-04-14 Vehicle-mounted CAN network intrusion detection method Active CN114615086B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210394125.1A CN114615086B (en) 2022-04-14 2022-04-14 Vehicle-mounted CAN network intrusion detection method

Publications (2)

Publication Number Publication Date
CN114615086A CN114615086A (en) 2022-06-10
CN114615086B true CN114615086B (en) 2023-11-03



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant