CN114697135B - Method and system for detecting intrusion of regional network of automobile controller and automobile - Google Patents


Info

Publication number: CN114697135B
Authority: CN (China)
Prior art keywords: message, legal, conditional entropy, value, data
Legal status: Active
Application number: CN202210491623.8A
Other languages: Chinese (zh)
Other versions: CN114697135A
Inventors: 庾章伟, 刘彦, 谢国琪, 李仁发
Current assignee: Hunan University
Original assignee: Hunan University
Events: application filed by Hunan University; priority to CN202210491623.8A; publication of CN114697135A; application granted; publication of CN114697135B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/40 Bus networks
    • H04L 2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L 2012/40215 Controller Area Network CAN

Abstract

The invention discloses a method and a system for detecting intrusion in an automobile controller area network, and an automobile. A corresponding conditional entropy reference value is acquired for each legal electronic control unit in the automobile controller area network, the reference value comprising the ID (identity) of the electronic control unit, a maximum conditional entropy value and a minimum conditional entropy value; messages of the CAN network are acquired in real time, the current message is parsed and its time entropy value calculated, and it is judged whether the time entropy value of the current message lies outside the range between the minimum and maximum conditional entropy values; when the time entropy value of the current message exceeds the maximum conditional entropy value or falls below the minimum conditional entropy value, the current message is judged to be an intrusion message. The intrusion detection system based on interval conditional entropy has anti-interference capability and can respond to and detect attacks of various forms in real time.

Description

Method and system for detecting intrusion of regional network of automobile controller and automobile
Technical Field
The invention relates to the field of automobile electronic control, in particular to an automobile controller area network intrusion detection system based on time interval conditional entropy and an automobile.
Background
A Controller Area Network (CAN) bus system is an in-vehicle network bus standard that allows electronic control units (ECUs) and devices to communicate with each other without a host. The CAN protocol can be used effectively for in-vehicle network communication because of its low overhead and centralized architecture. As shown in Fig. 1, a plurality of electronic control units (ECUs) are mounted on the same CAN bus. Different CAN buses are connected through a central control unit, and this architecture balances power consumption, cost and similar concerns in an automobile on-board network.
Modern automobiles typically have 70-100 ECUs, most of which communicate over a CAN bus connection. However, the CAN protocol was originally designed for in-vehicle network communication, lacks any security mechanism, and is vulnerable to malicious network attacks. The main security problem with CAN buses is that an attacker can now access the in-car network without authorization via a physical wired connection, or even a remote wireless connection.
According to the definition of the International Organization for Standardization (ISO), the CAN bus system uses a broadcast mechanism for all message exchanges, without encryption or authentication. The network system is therefore vulnerable to various hacking techniques, such as injection and denial of service (DoS) attacks, which may let an attacker control the automotive electronic system and lead to a disaster scenario. Security vulnerabilities affecting safe driving have become a focus of research. Because of the limited computational power and the real-time requirements of the ECU, conventional computer network security methods (e.g., public key infrastructure or message authentication codes) are difficult to apply directly to the on-board CAN network. In view of hardware cost and real-time requirements, an intrusion detection system (IDS) shows clear advantages in addressing the car CAN bus security problem. For example, many IDSs are able to detect various types of attacks based on characteristics of physical (e.g., frequency, voltage) or digital (e.g., CAN identifier) information. However, the modern Automotive Electronics System (AES) has rapidly evolved into a complex distributed embedded system, presenting additional challenges for existing network security countermeasures.
First, the real-time requirements of the AES make many complex security mechanisms unsuitable for in-vehicle network systems. Most authentication methods require shared keys or additional key exchanges, which can introduce extra computational and communication overhead and further affect the real-time and predictability requirements of the CAN network. Intrusion detection systems based on physical information such as voltage typically rely on data sets sampled from continuous physical signals. A higher signal sampling rate improves detection accuracy but also brings more data exchange and computation cost, further affecting real-time performance. Thus, the security method used in the AES must be lightweight and practical.
Second, a common approach of IDSs is to monitor digital-level information (e.g., identifier sequences, entropy) of the AES. For example, information entropy has been used to monitor the data frames of the CAN bus, or a transmission-time model between signals has been established to detect CAN bus injection attacks precisely. However, these methods only consider periodic frames and classify malicious attacks based on unexpected changes in the frame transmission frequency. In addition, detecting intrusions based on the frame ID alone is not robust and cannot classify several attack types, such as the simulated (impersonation) attack. An efficient, comprehensive IDS should not depend entirely on the frame ID.
Therefore, there is a need for a vehicle controller area network intrusion detection system based on time interval conditional entropy that solves the above technical problems.
Disclosure of Invention
The invention mainly aims to provide a vehicle-mounted heterogeneous network system and a vehicle which take TSN as a main network, so that the reliability of the network and lower time delay of key flow are ensured, and meanwhile, the synchronization of multiple sensor nodes can be ensured by the related characteristics.
In order to achieve the above object, the present invention provides a method for detecting intrusion in an automobile controller area network, comprising the steps of:
S1. acquiring a corresponding conditional entropy reference value for each legal electronic control unit in the automobile controller area network, wherein the conditional entropy reference value comprises the ID (identity) of the electronic control unit, a maximum conditional entropy value and a minimum conditional entropy value;
S2. acquiring messages of the CAN network in real time and parsing the current message to obtain its ID, data block and time interval;
S3. calculating the time entropy value of the current message from the data block and the time interval, and judging whether the time entropy value of the current message lies outside the range between the minimum and maximum conditional entropy values;
S4. judging that the current message is an intrusion message when its time entropy value exceeds the maximum conditional entropy value or falls below the minimum conditional entropy value.
Preferably, step S2 further includes:
judging whether the ID of the current message is a legal ID;
when the ID of the current message is a legal ID, proceeding to step S3;
and when the ID of the current message is not a legal ID, judging that the current message is an intrusion message.
Preferably, step S1 includes:
S11. acquiring the legal message data sent by each electronic control unit;
S12. recording the ID of that message data as a legal ID.
Preferably, the method further comprises the steps of:
S13. obtaining message data with the same legal ID;
S14. acquiring the time intervals between message data with the same legal ID;
S15. calculating, with a conditional entropy calculation function, the conditional entropy reference value of the data set consisting of the time intervals between message data with the same legal ID and the data blocks of those messages, thereby obtaining the corresponding conditional entropy reference value of each legal electronic control unit in the automobile controller area network of step S1.
The invention also provides an intrusion detection system for an automobile controller area network, comprising:
an acquisition unit for acquiring a corresponding conditional entropy reference value for each legal electronic control unit in the automobile controller area network, wherein the conditional entropy reference value comprises the ID (identity) of the electronic control unit, a maximum conditional entropy value and a minimum conditional entropy value;
a CAN network message analysis unit for acquiring CAN network messages in real time and parsing the current message to obtain its ID, data block and time interval;
a calculating unit for calculating the time entropy value of the current message from the data block and the time interval and judging whether it lies outside the range between the minimum and maximum conditional entropy values;
and a judging unit for judging that the current message is an intrusion message when its time entropy value exceeds the maximum conditional entropy value or falls below the minimum conditional entropy value.
Preferably, the CAN network message analysis unit is further configured to:
judge whether the ID of the current message is a legal ID;
when the ID of the current message is a legal ID, hand the message over to the calculating unit;
and when the ID of the current message is not a legal ID, judge that the current message is an intrusion message.
Preferably, the acquisition unit is further configured to:
acquire the legal message data sent by each electronic control unit;
and record the ID of that message data as a legal ID.
Preferably, the calculating unit is further configured to:
acquire message data with the same legal ID;
acquire the time intervals between message data with the same legal ID;
and calculate, with a conditional entropy calculation function, the conditional entropy reference value of the data set consisting of the time intervals between message data with the same legal ID and the data blocks of those messages, thereby obtaining the corresponding conditional entropy reference value of each legal electronic control unit in the automobile controller area network of step S1.
The invention also provides an automobile, comprising an automobile body and the automobile controller area network intrusion detection system.
In the technical scheme of the invention, the method comprises the following steps: S1, acquiring a corresponding conditional entropy reference value for each legal electronic control unit in the automobile controller area network, the reference value comprising the ID (identity) of the electronic control unit, a maximum conditional entropy value and a minimum conditional entropy value; S2, acquiring messages of the CAN network in real time and parsing the current message to obtain its ID, data block and time interval; S3, calculating the time entropy value of the current message from the data block and the time interval, and judging whether it lies outside the range between the minimum and maximum conditional entropy values; and S4, judging that the current message is an intrusion message when its time entropy value exceeds the maximum conditional entropy value or falls below the minimum conditional entropy value. The intrusion detection system based on interval conditional entropy has anti-interference capability and can respond to and detect attacks of various forms in real time. By continuously improving and optimizing the algorithm, the automobile controller area network intrusion detection system based on time interval conditional entropy reduces the complexity of data conversion and has a lower demand on computing resources. This example designed and built a real CAN network platform and ran a number of experiments to evaluate and verify the proposed method. The experimental results show that the TCE-IDS method has the advantages of fast response, high accuracy, low resource requirements, easy deployment and the ability to cope effectively with various attacks. This also demonstrates that the TCE-IDS of this example meets all conditions for deployment in a car.
In future work, this example will consider deploying TCE-IDS on real automotive CAN networks and verifying its effectiveness and practicality there.
Drawings
Fig. 1 is a diagram of a conventional vehicle-mounted network architecture in the background art;
Fig. 2 shows the conditional entropy of the normal communication of a vehicle ECU device according to one embodiment of the present invention;
Fig. 3 is a flowchart of the intrusion detection method for an automotive controller area network based on time interval conditional entropy according to an embodiment of the present invention;
Fig. 4 is the message transmission sequence of a DoS attack in an embodiment of the present invention;
Fig. 5 is the message transmission sequence of a fuzzy attack in an embodiment of the present invention;
Fig. 6 is the message transmission sequence of a simulated attack in an embodiment of the present invention;
Fig. 7 illustrates the time interval analysis method under different simulated attacks according to the present invention, where (a) shows the effect of the attack on the transmission timing of communication messages and (b) is a locally enlarged view of the communication time intervals under attack;
Fig. 8 is actual KIA simulated attack data present among regular communications;
Fig. 9 is the data used for conditional entropy calculation in one embodiment of the invention;
Fig. 10 is the time interval conditional entropy value of normal messages in one embodiment of the invention;
Fig. 11 is the CAN-BUS network platform used in experiments according to an embodiment of the present invention;
Fig. 12 is the time difference conditional entropy value of messages sent by all ECU devices in an embodiment of the present invention;
Fig. 13 is a schematic diagram of the Arduino experiment result debugging window in an embodiment of the present invention, where (a) is the TCE-IDS function test and (b) is the TCE-IDS response test;
Fig. 14 is a schematic diagram of TCE-IDS detection according to one embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
In the following description, suffixes such as "module", "component", or "unit" for representing elements are used only for facilitating the description of the present invention, and have no specific meaning per se. Thus, "module," "component," or "unit" may be used in combination.
To address the high computation cost and low detection precision of conventional automobile controller area network intrusion detection methods, a conditional entropy method is introduced into an automobile controller area network intrusion detection system based on time interval conditional entropy, TCE-IDS (intrusion detection system, abbreviated as IDS), so as to optimize in-vehicle network intrusion detection performance. The basic components of TCE-IDS are the calculation of the conditional entropy reference value and the real-time detection of intrusion attacks. First, a time interval conditional entropy model is established and the conditional entropy value is calculated from the transmission of attack-free messages on the vehicle network; based on this model, the TCE-IDS detection technique is provided for verifying the validity of messages in the CAN network.
The calculation of the conditional entropy reference value is detailed in Fig. 2. A conventional CAN dataset is given. This example classifies messages according to their ID numbers and extracts the data with the same ID to form a new data set. The time interval of each message is then calculated and added to the data set. The conditional entropy reference value of the resulting data set is then calculated with the conditional entropy calculation function. The result provides the maximum and minimum conditional entropy values classified by ID number.
Fig. 3 depicts the detailed CAN network detection procedure of TCE-IDS, in which intrusion detection uses the ID, data block and time interval of the message. First, the ID of the message is checked to determine whether the message is legitimate. If the ID number is illegal, an intrusion alarm is issued. This example then calculates the conditional entropy value of the message and compares it with the reference value for that ID. When the conditional entropy value is out of the normal range, an attack warning is issued.
Specifically, the method for detecting intrusion in an automobile controller area network in an embodiment of the invention comprises the following steps:
S1. acquiring a corresponding conditional entropy reference value for each legal electronic control unit in the automobile controller area network, wherein the conditional entropy reference value comprises the ID (identity) of the electronic control unit, a maximum conditional entropy value and a minimum conditional entropy value;
S2. acquiring messages of the CAN network in real time and parsing the current message to obtain its ID, data block and time interval;
S3. calculating the time entropy value of the current message from the data block and the time interval, and judging whether the time entropy value of the current message lies outside the range between the minimum and maximum conditional entropy values;
S4. judging that the current message is an intrusion message when its time entropy value exceeds the maximum conditional entropy value or falls below the minimum conditional entropy value.
Preferably, step S2 further includes:
judging whether the ID of the current message is a legal ID;
when the ID of the current message is a legal ID, proceeding to step S3;
and when the ID of the current message is not a legal ID, judging that the current message is an intrusion message.
Preferably, step S1 includes:
S11. acquiring the legal message data sent by each electronic control unit;
S12. recording the ID of that message data as a legal ID.
Preferably, the method further comprises the steps of:
S13. obtaining message data with the same legal ID;
S14. acquiring the time intervals between message data with the same legal ID;
S15. calculating, with a conditional entropy calculation function, the conditional entropy reference value of the data set consisting of the time intervals between message data with the same legal ID and the data blocks of those messages, thereby obtaining the corresponding conditional entropy reference value of each legal electronic control unit in the automobile controller area network of step S1.
The invention also provides an intrusion detection system for an automobile controller area network, comprising:
an acquisition unit for acquiring a corresponding conditional entropy reference value for each legal electronic control unit in the automobile controller area network, wherein the conditional entropy reference value comprises the ID (identity) of the electronic control unit, a maximum conditional entropy value and a minimum conditional entropy value;
a CAN network message analysis unit for acquiring CAN network messages in real time and parsing the current message to obtain its ID, data block and time interval;
a calculating unit for calculating the time entropy value of the current message from the data block and the time interval and judging whether it lies outside the range between the minimum and maximum conditional entropy values;
and a judging unit for judging that the current message is an intrusion message when its time entropy value exceeds the maximum conditional entropy value or falls below the minimum conditional entropy value.
Preferably, the CAN network message analysis unit is further configured to:
judge whether the ID of the current message is a legal ID;
when the ID of the current message is a legal ID, hand the message over to the calculating unit;
and when the ID of the current message is not a legal ID, judge that the current message is an intrusion message.
Preferably, the acquisition unit is further configured to:
acquire the legal message data sent by each electronic control unit;
and record the ID of that message data as a legal ID.
Preferably, the calculating unit is further configured to:
acquire message data with the same legal ID;
acquire the time intervals between message data with the same legal ID;
and calculate, with a conditional entropy calculation function, the conditional entropy reference value of the data set consisting of the time intervals between message data with the same legal ID and the data blocks of those messages, thereby obtaining the corresponding conditional entropy reference value of each legal electronic control unit in the automobile controller area network of step S1.
The invention also provides an automobile, comprising an automobile body and the automobile controller area network intrusion detection system.
The following is a specific example:
1. Vehicle CAN network and attack description
The CAN bus is a serial communication protocol that enables data exchange between control devices and instruments in the on-board network. The protocol supports buses over a variety of communication media, including fiber optic, coaxial and twisted pair. The data transmission speed of the CAN bus can reach 1 Mbps. Its main characteristic is that it replaces the traditional station address coding with coding of the communication data block, so that the number of nodes in the network is theoretically unlimited. Fig. 3 shows a standard CAN message, which consists of a synchronization start bit and an identifier (11 or 29 bits). The data block of a CAN message is the actual information transmitted between devices. Other portions of the data frame include the request or response status of the node, the cyclic redundancy check, acknowledgement bits, and so on. The CAN bus protocol uses a broadcast mechanism for message communication. Messages transmitted on the CAN bus are prioritized in a predefined order for each node. CAN transmits high-priority messages first; low-priority messages cannot be sent until the network is idle.
Table 1: standard CAN message frame
[Table 1 is provided as an image in the original and is not reproduced here.]
The CAN bus standard protocol has been used for more than 30 years in automotive and industrial equipment. CAN connects many systems and provides no security mechanism, so the whole network is exposed to malicious network attacks. Standard CAN buses typically have security weaknesses in the following respects.
Broadcast propagation. Throughout the network, devices send messages by broadcast, which means that every device can receive any message transmitted over the bus.
No authentication mechanism. Every ECU device in the CAN network can send messages without device verification or message validity verification.
No encryption mechanism. Because of real-time and low-cost constraints, and in order to improve network utilization during transmission, the information transmitted on the CAN bus is not encrypted.
Priority based. Messages transmitted in the network are prioritized according to the level of the ECU device. Messages generated by high-level devices are delivered on the bus with high priority.
Because of these vulnerabilities, network attackers have employed a variety of approaches that increase the potential threat to the vehicle network. An attacker may interfere with and control the network through Bluetooth, physical access, or various intrusion paths of the mobile network. On the CAN bus, injected malicious messages are difficult to discern and detect. Common existing CAN attacks include DoS attacks, fuzzy attacks and simulated attacks.
DoS attackers typically inject high-priority messages (e.g., messages with ID = 000) into the network in order to block low-priority messages. Such attacks occupy bandwidth and prevent other devices from sending messages. Fig. 4 shows the message transmission sequence of a DoS attack. The red squares are injected messages flooding the network; consequently, no node can send messages during periods 10 to 20 and 40 to 50 in Fig. 4.
Fig. 5 shows a fuzzy attack, in which an attacker injects a large number of malicious messages into the network. Some of the messages (red blocks) are normal communication messages that are directly imitated and duplicated, while others are fictitious messages generated by the attacker. The large number of unwanted messages floods the network and occupies bandwidth, which can seriously affect the transmission of regular information over the network.
Fig. 6 shows an example of a simulated attack, in which an attacker duplicates a message sent by an ECU and then impersonates that device to send the repeated message, which can intercept messages sent by legitimate ECU devices. As a result, some ECUs become unusable or are damaged.
When no valid characteristic value is found, it is difficult to distinguish these attacks accurately by analyzing only the communication interval in the CAN network. To address this problem, this example first analyzes a communication data set obtained from a car's CAN network through its OBD-II port, which contains DoS attacks, fuzzy attacks and impersonation attacks. This example adopts a time interval intrusion detection method that distinguishes intrusions by analyzing the time intervals between messages. The time interval between the messages of each device is then calculated according to the ID, as shown in Fig. 7.
This example classifies CAN messages according to device ID and observes the change in time interval for each category. In Fig. 7(a) it can be seen that the frequency of the messages transmitted by each ECU device is fixed during normal communication, but after attack injection the frequency of each ECU device becomes unstable. The red dots in the figure are the time interval waveform formed by an attacker impersonating the device with ID number 316. Enlarging part of the view, as in Fig. 7(b), shows that messages sent by the legitimate device are mixed in among these high-frequency messages. If an attack were identified only by the operating frequency of the ECU device, normal communication messages would be misclassified as attacks. Therefore, in the experiments of this example, time interval analysis alone is insufficient to achieve high-precision intrusion detection.
Intrusion detection techniques have been widely studied in the field of automobile CAN network security. Some studies have proposed a sliding window method based on information entropy analysis, which determines attacks by adjusting the sliding window size and analyzing the information entropy within it. This probability distribution is measured in terms of the probability of occurrence of the information: a high probability of occurrence yields low uncertainty, and vice versa. However, this sliding window information entropy method cannot effectively detect counterfeit attacks, and its detection accuracy is not high. This example therefore extracts the simulated attack with ID number 316 from the dataset for analysis in order to find its attack signature. Fig. 8 shows the pattern present among regular communications: for example, the communication interval between messages is 10 ms, and the data bits d1, d2, d4 and d5 vary little. In contrast, the data during attack activity requires the attacker to send a large number of messages in a short time, which causes the legal ECU device to operate abnormally.
2. TCE-IDS method description
The goal of this example is to design a high-precision, low-latency intrusion detection method for a vehicle CAN network. The proposed method can be deployed and launched on an existing CAN bus in the form of a software plug-in or hardware. The method detects all communication messages in the network by calculating conditional entropy values.
First, this example must acquire the messages transmitted by each legal ECU device and extract them according to ID number. The conditional entropy value of the time interval is then calculated from the extracted data and compared with the maximum and minimum values as references. The data is stored by category ID and a reference data set is constructed. The specific time interval conditional entropy algorithm is shown in Algorithm 1.
[Algorithm 1: shown as an image in the original, not reproduced here]
The main objective of algorithm 1 is to calculate the conditional entropy of legitimate messages transmitted on the CAN bus. Rid represents the ID number of a message classified as legal, Tmax represents the maximum value of the message conditional entropy, and Tmin represents the minimum value of the message conditional entropy. The calculation is described below. First, the inputs and outputs are specified. The inputs are the time interval, the ID number, and the data. The outputs are the class ID and the maximum and minimum conditional entropy reference values. Then, the test data is assigned to the values x and y (line 1). In lines 2-5, the conditional entropy value of each message is calculated. Finally, the ID and the maximum and minimum conditional entropy values are returned.
In the proposed TCE-IDS, each transmitted message is validated in the order of transmission. First, the ID number is verified to determine its legitimacy. If the ID number is legal, the conditional entropy value is then verified to determine whether it lies within the normal range. If both verifications pass, the message is classified as a legitimate message. When the conditional entropy value is out of range, the message is identified as an attack message. Details of the conditional entropy detection method are given in algorithm 2.
As seen in algorithm 2, messages are validated sequentially in the order in which they are sent. First, the validity of the message is verified by its ID number. If the ID number is legal, the conditional entropy of the message is calculated and checked to determine whether it lies within the normal range. Any out-of-range value is classified as a malicious message. The calculation is described below.
[Algorithm 2: shown as an image in the original, not reproduced here]
The first step in algorithm 2 is to specify the inputs and outputs of the system. The inputs are the CAN message, the list of legal IDs Rid, and the maximum and minimum conditional entropy values Tmax and Tmin of each ID. In line 1, the present example obtains the ID numbers Rid of the legal ECU devices and the corresponding maximum and minimum conditional entropy values. The ID number of the data stream is then obtained and the data stream is converted into x and y, as shown in lines 2 and 3. In lines 5 through 7, the present example determines whether the ID of the message is legal; if not, an attack alert is issued. In lines 8 to 9, the entropy of the conditional probability distribution of Y, taken in expectation over X (that is, the conditional entropy of Y given X), is calculated and assigned to T. Finally, the present example compares the value of T with the reference values stored for the same ID in the reference data. If the value of T is out of range, an attack alarm is sent (lines 10 to 12).
3. Description of the experiments
Since each ECU device requires a different data bit length when transmitting information, the length of the data frame also varies accordingly. Thus, in the experiments of this example, the data frames are first aligned to a uniform length and empty bits are filled with 0. The present example extracts and pre-processes a total of 50000 messages from the Lee dataset as experimental data to simulate three different types of attacks. The detailed distribution of the experimental data of this example is shown in table 2.
Table 2: experimental data set
[Table 2: shown as an image in the original, not reproduced here]
To calculate the conditional entropy of a message together with its time interval, the present example takes the communication interval of the message as data 1 and the ID number as data 2, and uses the information carried in the message as the next 8 data items (data 3 through data 10); finally, a new array containing 10 data items is obtained. The 10 selected data items are converted to decimal and split into X and Y for TCE-IDS verification. The data structure and its description are shown in fig. 9.
The present example constructs a conditional entropy calculation function in Python to obtain the reference values of normal messages, and classifies the maximum and minimum conditional entropy values according to message ID. The reference data is then used in the TCE-IDS to make the anomaly determination. The reference data is shown in fig. 10.
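The reference-building step of algorithm 1, the sequential ID and range check of algorithm 2 and the 10-item record of fig. 9, implemented together as an added Python example; this is not the patent's own code. It assumes that the conditional entropy is computed over a sliding window of 16 frames of the same ID, that X is the pair (interval rounded to 1 ms, ID) and Y is the 8 data bytes, and that the traffic of IDs 0x316 and 0x2C0 is constructed sample data rather than the Lee dataset.

```python
from collections import Counter, defaultdict, deque
from math import log2
WINDOW = 16  # assumed: H(Y|X) is computed over the last WINDOW frames of one ID

def frame_record(interval_ms, can_id, data):
    """10-element record of fig. 9: interval, ID, then 8 data bytes (missing bytes padded with 0)."""
    payload = list(data[:8]) + [0] * (8 - len(data[:8]))
    return (interval_ms, can_id, *payload)

def split_xy(record):
    """Assumed split: X = (interval rounded to 1 ms, ID), Y = the 8 data bytes."""
    return (round(record[0]), record[1]), tuple(record[2:])

def conditional_entropy(pairs):
    """H(Y|X) = sum_x p(x) * H(Y|X=x), in bits, over a list of (x, y) pairs."""
    n, by_x = len(pairs), defaultdict(Counter)
    for x, y in pairs:
        by_x[x][y] += 1
    total = 0.0
    for counts in by_x.values():
        nx = sum(counts.values())
        total += nx / n * -sum(c / nx * log2(c / nx) for c in counts.values())
    return total

def build_reference(legal_records, window=WINDOW):
    """Algorithm 1: per legal ID, the min and max H(Y|X) over sliding windows of legal traffic."""
    by_id = defaultdict(list)
    for rec in legal_records:
        by_id[rec[1]].append(split_xy(rec))
    reference = {}
    for can_id, pairs in by_id.items():
        values = [conditional_entropy(pairs[i:i + window]) for i in range(len(pairs) - window + 1)]
        reference[can_id] = (min(values), max(values))  # (Tmin, Tmax)
    return reference

class TceIds:
    """Algorithm 2: check the ID first, then the window's H(Y|X) against [Tmin, Tmax]."""
    def __init__(self, reference, window=WINDOW):
        self.reference, self.window = reference, window
        self.windows = defaultdict(lambda: deque(maxlen=window))
    def check(self, record):
        """Return None for a legal frame, or a string naming the alert."""
        can_id = record[1]
        if can_id not in self.reference:
            return "illegal ID"
        win = self.windows[can_id]
        win.append(split_xy(record))
        if len(win) < self.window:
            return None  # not enough history for this ID yet
        t = conditional_entropy(list(win))
        tmin, tmax = self.reference[can_id]
        return "conditional entropy out of range" if t < tmin or t > tmax else None

def legal_stream(n):
    """Constructed legal traffic for two IDs (sample data, not from the Lee dataset)."""
    frames = []
    for i in range(n):
        # 0x316 every ~10 ms; d1, d2, d4, d5 fixed, d3 and d6 cycle (the pattern of fig. 8)
        frames.append(frame_record(10.0 + 0.2 * (i % 3 - 1), 0x316, [5, 0x21, i % 4, 0, 0x10, i % 2, 0x7F, 0]))
        # 0x2C0 every 20 ms with a status byte that toggles every six frames
        frames.append(frame_record(20.0, 0x2C0, [1, (i // 6) % 2, 0xAA]))
    return frames

if __name__ == "__main__":
    ids = TceIds(build_reference(legal_stream(200)))
    print("legal frames flagged:", sum(1 for f in legal_stream(60) if ids.check(f)))
    print("forged ID:", ids.check(frame_record(10.0, 0x7FF, [0] * 8)))
    burst = [frame_record(1.0, 0x316, [5, 0x21, 0, 0, 0x10, 0, 0x7F, 0])] * WINDOW  # ~1 ms impersonation burst
    print("burst frames flagged:", sum(1 for f in burst if ids.check(f)))
```

A burst impersonating ID 0x316 pushes the window's H(Y|X) below Tmin, because the attacker's frames land in a different interval bucket with a constant payload, while a forged ID is rejected before any entropy is computed.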
In order to verify the practicability of the detection method of this example, a CAN-BUS network communication platform is constructed from an Arduino Uno R3 development board and a CAN-BUS Shield industrial bus expansion module board. The Arduino Uno R3 uses an Atmel ATmega328 microcontroller. The CAN-BUS Shield uses the MCP2515 and MCP2551 chips, and the transmission speed is 1 Mbps, which ensures normal communication among the ECU devices in the network.
The present example then implements TCE-IDS on a CAN-BUS Shield board to evaluate the reliability and accuracy of the proposed method. In the established CAN-BUS network, device A is used to send normal network communication messages. TCE-IDS is deployed on device B, while device C injects DoS attacks, fuzzy attacks, and impersonation attacks into the network. During the whole system operation, device B is responsible for detecting attacks and issuing alerts. The CAN-BUS network platform used in the experiment is shown in FIG. 11.
4. Experimental results
The present study employs a communication dataset containing normal data, DoS attacks, fuzzy attacks, and impersonation attacks collected from a real vehicle network. The present example evaluates the conditional entropy values of all the normal ECU devices in the data set and presents them in the form of a graph, as shown in fig. 12.
In the experiments of this example, normal operation is run on the apparatus shown in fig. 11. Device A sends normal communication messages. Device B is the TCE-IDS detection device. Device C injects attacks into the CAN network. The TCE-IDS detection results are shown in FIG. 13 (a).
The proposed TCE-IDS is able to detect attacks in CAN communication networks, but it still needs to meet the high real-time requirements of AES. This example therefore further tested the response time of the TCE-IDS when detecting attacks. The present example measures the system time between receipt of a message and completion of its verification. In the test of this example, the time required for TCE-IDS to complete detection is only 2 ms, and the detection feedback is shown in fig. 13 (b).
This example designs a real-time TCE-IDS visual detection interface for observing CAN network communication and attack information. To distinguish normal messages from attack messages, the present example sets the curve value of every normal message detected by TCE-IDS to 1. As shown in fig. 14, when the TCE-IDS detects abnormal information, the actual detection result is captured.
Finally, a statistical analysis is carried out on the detection results of the TCE-IDS for DoS attacks, fuzzy attacks and impersonation attacks. In the experiment, the present example tests each of the above three attacks separately: 10000 normal messages and 1000 attack messages are sent in the CAN network for each attack, and the detection efficiency of TCE-IDS is calculated. The results of all tests are shown in Table 3.
Table 3 compares the detection rates of three existing CAN network intrusion detection methods with those of TCE-IDS. The TCE-IDS of this example has a higher attack detection rate and better anti-interference capability. In addition, the TCE-IDS can be embedded into the CAN network as a software plug-in module without affecting normal operation; alternatively, the TCE-IDS may be deployed as a stand-alone module in the CAN network. The experimental results show that the TCE-IDS of this example has high availability, and that network intrusion detection can be implemented on the existing CAN bus at low cost.
Table 3: intrusion detection results
[Table 3: shown as an image in the original, not reproduced here]
Table 4: correlation study comparison
[Table 4: shown as an image in the original, not reproduced here]
In the description of the present specification, the descriptions of the terms "one embodiment," "another embodiment," "other embodiments," or "first through X-th embodiments," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, method steps or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (5)

1. An intrusion detection method for an area network of an automobile controller is characterized by comprising the following steps:
s1, acquiring a corresponding conditional entropy reference value of each legal electronic control unit in an automobile controller area network, wherein the conditional entropy reference value comprises an ID (identity), a maximum conditional entropy value and a minimum conditional entropy value of the electronic control unit;
s2, acquiring a message of the CAN network in real time, and analyzing the current message to acquire an ID, a data block and a time interval of the current message;
s3, calculating the time entropy value of the current message according to the data block and the time interval, and judging whether the time entropy value of the current message exceeds the maximum conditional entropy value and the minimum conditional entropy value;
s4, judging that the current message is an intrusion message when the time entropy value of the current message exceeds the maximum conditional entropy value or the minimum conditional entropy value;
the step S2 further includes the steps of:
judging whether the ID of the current message is a legal ID;
when the ID of the current message is a legal ID, proceeding to step S3;
when the ID of the current message is not a legal ID, judging that the current message is an intrusion message;
the step S1 includes:
s11, acquiring legal message data sent by each electronic control unit;
s12, according to the message data, recording the ID of the message data as the legal ID.
2. The method for intrusion detection of an automotive controller area network according to claim 1, further comprising the steps of:
s13, obtaining message data with the same legal ID;
s14, acquiring time intervals between message data with the same legal ID;
and S15, calculating a conditional entropy reference value of a data set consisting of the time interval between the message data with the same legal ID and the message data blocks with the same legal ID according to a conditional entropy calculation function to obtain a corresponding conditional entropy reference value of each legal electronic control unit in the automobile controller area network in the step S1.
3. An automotive controller area network intrusion detection system, comprising:
the acquisition unit is used for acquiring a corresponding conditional entropy reference value of each legal electronic control unit in the automobile controller area network, wherein the conditional entropy reference value comprises an ID (identity), a maximum conditional entropy value and a minimum conditional entropy value of the electronic control unit;
the CAN network message analysis unit is used for acquiring CAN network messages in real time, analyzing the current messages to acquire the ID, the data block and the time interval of the current messages;
the calculating unit is used for calculating the time entropy value of the current message according to the data block and the time interval and judging whether the time entropy value of the current message exceeds the maximum conditional entropy value and the minimum conditional entropy value;
the judging unit is used for judging that the current message is an intrusion message when the time entropy value of the current message exceeds the maximum conditional entropy value or the minimum conditional entropy value;
the CAN network message analysis unit is also used for:
judging whether the ID of the current message is a legal ID;
when the ID of the current message is a legal ID, proceeding to the processing of the calculating unit;
when the ID of the current message is not a legal ID, judging that the current message is an intrusion message;
the acquisition unit is further configured to:
acquiring legal message data sent by each electronic control unit;
and recording the ID of the message data as the legal ID according to the message data.
4. The vehicle controller area network intrusion detection system according to claim 3, wherein the calculating unit is further configured to:
acquiring message data with the same legal ID;
acquiring a time interval between message data with the same legal ID;
and calculating a conditional entropy reference value of a data set consisting of the time interval between the message data with the same legal ID and the message data blocks with the same legal ID according to a conditional entropy calculation function so as to obtain a corresponding conditional entropy reference value of each legal electronic control unit in the automobile controller area network.
5. An automobile comprising an automobile body and an automobile controller area network intrusion detection system according to any one of claims 3 to 4.
CN202210491623.8A 2022-05-07 2022-05-07 Method and system for detecting intrusion of regional network of automobile controller and automobile Active CN114697135B (en)

Publications (2)

Publication Number Publication Date
CN114697135A CN114697135A (en) 2022-07-01
CN114697135B true CN114697135B (en) 2023-04-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant