CN116599723B - Vehicle-mounted CAN bus intrusion detection chip - Google Patents


Info

Publication number
CN116599723B
CN116599723B (application CN202310562564.3A)
Authority
CN
China
Prior art keywords
bus
intrusion
module
intrusion detection
detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310562564.3A
Other languages
Chinese (zh)
Other versions
CN116599723A (en)
Inventor
周自成
姜辛
章健勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huixi Intelligent Information Technology Co ltd
Original Assignee
Beijing Huixi Intelligent Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Huixi Intelligent Technology Co ltd
Priority to CN202310562564.3A
Publication of CN116599723A
Application granted
Publication of CN116599723B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)

Abstract

The invention relates to a vehicle-mounted CAN bus intrusion detection chip comprising a CAN controller and a CAN intrusion detector. The CAN controller outputs frame-end, frame-type, frame-identifier and frame-length information. The CAN intrusion detector comprises a detection filter module, a feature generation module, an intrusion detection module, an intrusion processing module and a register set. The detection filter module judges, according to the preset configuration of the register set, whether a CAN message received by the CAN controller is one required for intrusion detection; the feature generation module generates CAN bus intrusion features from the output signals of the detection filter module; the intrusion detection module checks those features against rules preset in the register set and judges whether a CAN bus intrusion has occurred; the intrusion processing module provides control signals to the CAN controller to update its CAN bus receiving strategy. The chip provides CAN bus intrusion detection capability at the chip level and supplies data and functional support for multi-stage intrusion detection.

Description

Vehicle-mounted CAN bus intrusion detection chip
[ field of technology ]
The invention relates to the technical field of automobile electronics, in particular to a vehicle-mounted CAN bus intrusion detection chip.
[ background art ]
CAN: controller Area Network, controller area network bus. Serial communication protocol bus for real-time applications. The communication device is widely used for communication among various devices in automobiles as a backbone network of a current vehicle-mounted network.
CAN FD and CAN, 1, CAN FD: it CAN be understood that the upgrading version of the CAN protocol only upgrades the protocol, and the physical layer is unchanged. 2. CAN is mainly distinguished from CAN-FD: different transmission rates, different data lengths, different frame formats, different ID lengths.
With the development of technology, in-vehicle networks face a number of safety hazards. An attacker invades the vehicle-mounted system through a wireless network or a wired access mode and the like, reads and writes CAN bus data to realize theft analysis and vehicle control of vehicle information, and causes serious threats to data safety, driving safety and the like.
The current vehicle-mounted CAN bus intrusion detection technology comprises the following steps: 1. for example, in the aspect of system architecture, devices are added and connected to a vehicle-mounted CAN bus to receive information on the CAN bus and realize intrusion detection, as in the Chinese patent document CN107666476B, a CAN bus risk detection method and device, CN109033829B, a vehicle network intrusion detection auxiliary method, device and system and the like; 2. for example, in chinese patent document CN107426285B, CN111931252B, CN intrusion detection method based on sliding window and CENN, CN112688901a, real-time CAN intrusion detection system of automotive gateway, etc., software is deployed on a corresponding domain controller to receive, analyze and process CAN bus data, so as to implement intrusion detection.
The intrusion detection technology has a part of limitation: the vehicle-mounted CAN bus is required to be connected with equipment, so that the cost of the whole vehicle is increased; or the deployed software has the defects of increased software migration cost and computing resource consumption, influence on network performance, system performance and the like.
The invention is technically improved aiming at a vehicle-mounted CAN bus intrusion detection chip in the automatic driving field.
[ invention ]
The invention aims to provide a chip for the field of automatic driving that realises CAN bus intrusion detection at the chip level and provides data support and functional support for multi-stage intrusion detection.
To achieve this aim, the technical solution adopted by the invention is a vehicle-mounted CAN bus intrusion detection chip comprising a CAN controller and a CAN intrusion detector. The CAN controller comprises a CAN transceiver, a CAN protocol state machine and a receive filter module; after passing through these, the CAN bus signal yields frame-end, frame-type, frame-identifier and frame-length information. The CAN intrusion detector comprises a detection filter module, a feature generation module, an intrusion detection module, an intrusion processing module and a register set. The detection filter module receives the frame-end, frame-type, frame-identifier and frame-length information and judges, according to the preset configuration of the register set, whether the CAN message received by the CAN controller is one required for intrusion detection; the feature generation module generates CAN bus intrusion features from the output signals of the detection filter module; the intrusion detection module checks those features against rules preset in the register set, judges whether a CAN bus intrusion has occurred, generates the CAN bus intrusion mode and stores the CAN bus intrusion level information in the register set; the intrusion processing module provides control signals to the CAN controller to update its CAN bus receiving strategy according to the CAN bus intrusion mode and level information.
Preferably, the vehicle-mounted CAN bus intrusion detection chip further comprises a processor that executes a CAN bus intrusion processing driver; when the intrusion detection module judges that a CAN bus intrusion has occurred, the driver raises an interrupt and provides the CAN bus intrusion mode and level information stored in the register set to upper-layer software, which implements the CAN bus intrusion software processing strategy.
Preferably, updating the CAN bus receiving strategy includes sending a pause signal to the CAN protocol state machine of the CAN controller, notifying it that a CAN bus intrusion has occurred and that it should pause receiving CAN bus signals, with reception restarted by the upper layer; and/or sending a switch-configuration signal to the receive filter module of the CAN controller, notifying it to switch to a configuration that ensures safety, and, if a CAN bus intrusion is still found after the configuration has been switched, notifying the CAN protocol state machine to pause receiving CAN bus signals.
Preferably, the CAN bus intrusion software processing strategy implemented by the upper-layer software includes sending information onto the CAN bus so that other devices connected to the bus learn that this device has suffered a CAN bus intrusion; and/or sending information over Ethernet so that other devices connected to the Ethernet learn of the CAN bus intrusion; and/or disconnecting the CAN controller and/or part of the CAN intrusion detector.
Preferably, the detection filter module judges, according to the frame identifiers preset in the register set, whether the frame identifier output by the CAN controller belongs to a CAN message required for intrusion detection. CAN messages are divided into frequency intrusion detection messages, load-rate and information-entropy intrusion detection messages, and time-interval intrusion detection messages. All received CAN messages are used for load-rate and information-entropy intrusion detection, whereas frequency and time-interval intrusion detection are determined by the preset configuration of the register set, and an error signal is output when the frequency detection ID or the interval detection ID cannot be found in the received CAN messages. The output signals of the detection filter module comprise a CAN message data signal containing the frame identifier, an enable signal, a class signal (frequency or interval) and an error signal.
Preferably, the feature generation module comprises a frequency feature generation sub-module, a load-rate feature generation sub-module, a time-interval feature generation sub-module and an information-entropy feature generation sub-module; the intrusion detection module comprises a frequency feature intrusion detection sub-module, a load-rate feature intrusion detection sub-module, a time-interval feature intrusion detection sub-module and an information-entropy feature intrusion detection sub-module.
Preferably, the frequency feature means that, in a given scenario, the frequency with which CAN messages carrying a specific frame identifier appear on the CAN bus is fixed. The frequency feature generation sub-module comprises an accumulation counter for the specific frame identifier in the previous period and one for the current period; the frequency feature intrusion detection sub-module judges whether a CAN bus intrusion has occurred by comparing the current-period counter value with the previous-period counter value.
Preferably, the time-interval feature means that, under a given working condition, the time interval between successive CAN messages carrying a specific frame identifier is relatively static and stable. The time-interval feature generation sub-module captures CAN messages within a certain time range, records the offset time of each occurrence of the specific frame identifier, and records the difference between consecutive offset times as the time interval; the time-interval feature intrusion detection sub-module judges whether a CAN bus intrusion has occurred by checking whether the recorded time intervals fluctuate.
Preferably, the load-rate feature means that the load rate of the CAN bus is relatively static and stable under a given working condition, the load rate being the ratio of the number of bits transmitted on the CAN bus per unit time to the total network bandwidth. The load-rate feature generation sub-module accumulates the number of bits transmitted on the CAN bus per unit time under the set working condition; the load-rate feature intrusion detection sub-module compares the number of bits transmitted per unit time with the total CAN bus bandwidth preset in the register set to judge whether a CAN bus intrusion has occurred.
Preferably, the information-entropy feature characterises the uncertainty of the CAN bus network, and the information entropy of the CAN bus is stable under a given working condition; in the information entropy expression, p(x_i) is the frequency of occurrence of the specific frame identifier on the CAN bus over a certain time period. The information-entropy feature generation sub-module increments a global counter for every CAN message input within the time interval and a local counter for the specific frame identifier; after the time interval ends it generates p(x_i) and log p(x_i) from the global and local counters, calculates p(x_i)·log p(x_i), and finally accumulates these terms to obtain the information entropy over the time interval. The information-entropy feature intrusion detection sub-module judges whether a CAN bus intrusion has occurred by comparing the information entropy over the time interval with the information entropy value preset in the register set.
The vehicle-mounted CAN bus intrusion detection chip has the following beneficial effects: 1. CAN bus intrusion detection capability is provided at the chip level, so intrusion detection is realised without adding equipment at the system level and without affecting network or system performance; 2. the intrusion detector cooperates with the CAN controller, updating the controller's receiving strategy, working mode and so on, so that intrusion prevention capability can be achieved; 3. chip-level intrusion detection can serve as the basis of multi-stage (chip-level, domain-controller-level and whole-vehicle-level) intrusion detection, providing data support and functional support.
[ description of the drawings ]
Fig. 1 is a diagram of a vehicle-mounted CAN bus intrusion detection chip.
Fig. 2 is a diagram of a vehicle-mounted CAN bus intrusion detection chip CAN controller architecture.
Fig. 3 is a diagram of an overall architecture of a vehicle-mounted CAN bus intrusion detection chip.
Fig. 4 is a schematic diagram of a detection filter module of the in-vehicle CAN bus intrusion detection chip.
Fig. 5 is a schematic diagram of a vehicle-mounted CAN bus intrusion detection chip feature generation module, in which fig. 5 (a) is a schematic diagram of a frequency feature generation module, fig. 5 (b) is a schematic diagram of a load factor feature generation module, fig. 5 (c) is a schematic diagram of a time interval feature generation module, and fig. 5 (d) is a schematic diagram of an information entropy feature generation module.
Fig. 6 is a schematic diagram of an intrusion processing module of the in-vehicle CAN bus intrusion detection chip.
[ detailed description of the invention ]
Features and exemplary embodiments of various aspects of the invention are described in detail below. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the invention by showing examples of the invention. The present invention is in no way limited to any particular configuration and algorithm set forth below, but covers any modification, substitution, and improvement of elements, components, and algorithms without departing from the spirit of the invention. In the drawings and the following description, well-known structures and techniques have not been shown in order to avoid unnecessarily obscuring the present invention.
Examples
This embodiment realises a vehicle-mounted CAN bus intrusion detection chip.
Explanation of the important term used in this embodiment:
CAN (Controller Area Network) is a serial communication protocol bus for real-time applications. It is widely used for communication among the various devices in an automobile and is the backbone of the current vehicle-mounted network.
The CAN intrusion detection method used by the chip of this embodiment is described as follows.
The chip mainly uses the following four detection methods:
1. Frequency: the occurrence frequency of the corresponding CAN message is checked. In a given scenario, the frequency with which CAN messages carrying a specific identifier appear on the CAN bus is fixed. When the CAN bus is intruded upon, the frequency of certain identifiers may change, so intrusion detection can be performed by this method.
2. Time interval: under a given working condition, the time interval between successive CAN messages carrying a specific identifier is relatively static and stable. When the CAN bus is intruded upon, the interval between messages may fluctuate, so intrusion detection can be performed by judging whether the time interval between messages carrying a specific identifier fluctuates.
3. Load factor: the load factor of the CAN bus is the ratio of the number of bits transmitted on the bus per unit time to the total bandwidth. Under a given working condition, the load factor of a given CAN bus is relatively static and stable. When the bus is intruded upon, the load may fluctuate, so intrusion detection can be performed by judging whether the load factor fluctuates.
4. Information entropy: information entropy characterises the uncertainty of the network. Under a given working condition, the information entropy of a given CAN bus is stable. When the CAN bus suffers attacks such as flooding or injection, the entropy fluctuates, so intrusion detection can be performed by judging whether the entropy leaves its normal range. The definition of the information entropy is as follows:
where, for the CAN bus, p(x_i) is the frequency with which a particular identifier occurs over a period of time.
Chip structure description of this embodiment:
Fig. 1 is a diagram of the vehicle-mounted CAN bus intrusion detection chip. As shown in fig. 1, the chip of this embodiment comprises detection filtering, feature generation, intrusion detection and intrusion processing. The detection filter module judges whether a message received by the CAN controller is one required for detection; the feature generation module generates the relevant features (time information, information entropy, interval information and count information) from the signals output by the detection filter module; the intrusion detection module checks the generated features against preset rules and judges whether the vehicle is being intruded upon; the intrusion processing module updates the receiving strategy of the CAN controller according to the intrusion mode, intrusion level and other information.
Fig. 2 is a diagram of the CAN controller architecture of the vehicle-mounted CAN bus intrusion detection chip. As shown in fig. 2, the intrusion detection architecture of this embodiment requires the CAN controller to output frame-end, type, identifier and length information when it receives a CAN message. The frame-end signal is a one-bit pulse: it is pulled high after a complete frame has been received and pulled low when reception of the next frame begins. The identifier is 29 bits of data; if a CAN message rather than a CAN FD message is received, the first 18 bits are zero-padded. The length is 4 bits of data and represents the data length of the CAN or CAN FD message. At the same time, the intrusion detector can provide the CAN controller with control signals to change the receiving rules, pause reception and so on. The CAN controller therefore needs an additional external interface and a corresponding architecture update.
Fig. 3 is a diagram of the overall architecture of the vehicle-mounted CAN bus intrusion detection chip. As shown in fig. 3, the overall architecture of the chip combining CAN intrusion detection with the CAN controller is updated accordingly in this embodiment.
The chip detection filtering module of this embodiment:
Fig. 4 is a schematic diagram of the detection filter module of the vehicle-mounted CAN bus intrusion detection chip. As shown in fig. 4, the detection filter module determines, according to the frame identifiers configured in the register, whether the frame identifier output by the CAN controller belongs to a message required for detection. For intrusion detection, CAN messages fall into three categories: those used for frequency intrusion detection, those used for load-rate and information-entropy intrusion detection, and those used for time-interval intrusion detection. All received messages are used for load-rate and information-entropy intrusion detection, whereas frequency and time-interval intrusion detection apply only to the identifiers set in the specific register configurations. When the frequency-detection ID comparator or the interval-detection ID comparator cannot find the corresponding ID in the input data, the module outputs the corresponding error signal. The signals output by the detection filter are therefore: a data signal (frame identifier), an enable signal, a class signal (frequency or interval) and an error signal.
The chip feature generation module of this embodiment:
Fig. 5 is a schematic diagram of the feature generation module of the vehicle-mounted CAN bus intrusion detection chip. As shown in fig. 5, the chip of this embodiment uses the frequency, load-rate, time-interval and information-entropy detection methods, so the feature generation module has to produce the corresponding information.
Frequency: the counter corresponding to the specific frame identifier is incremented within the unit time. Two counters are kept per frame identifier: the count for the previous 1 second and the count for the current period.
Time interval: the input signal of the corresponding frame identifier is captured within a certain time range and its offset time is recorded. The arrival time of the first frame carrying the identifier is recorded as the starting point, and so on, so that the time interval between consecutive occurrences of each frame identifier is recorded.
Load factor: under the set working condition, the feature generation module accumulates the input length information within the unit time (1 second). Two accumulated values are kept: the value for the previous 1 second and the accumulated value for the current period.
Information entropy: within a time range, each time a data item arrives the feature generation module increments the local counter corresponding to its frame identifier. When the time interval ends, p(x_i) and log p(x_i) are generated from the global counter and the local counters, p(x_i)·log p(x_i) is calculated, and the terms are finally accumulated to obtain the information entropy.
The chip intrusion detection module of this embodiment:
the chip intrusion detection module of the embodiment uses the data generated by the feature generation module to perform intrusion detection according to a preset rule, and generates a corresponding intrusion mode, intrusion level and the like.
Frequency: after the accumulated data of the first 1 second corresponding to the specific frame identifier is obtained, comparison can be performed according to the configuration in the register.
Time interval: the value of each time interval is compared with the value in the register.
Load factor: in the formulation of the load factor, the network bandwidth needs to be used to divide the number of bits actually transmitted. However, the bandwidth of a CAN bus is a fixed value, so that only the number of bits actually transmitted is compared with the value of the register configuration.
Information entropy: after the information entropy in a certain time period is obtained, the information entropy can be compared with a preset value in a register.
In each intrusion detection process, if a small amount of data deviates, a warning process is performed; if a large amount of data deviates from the normal range, it is considered a severity level. The offset interval is configured by a register. If some intrusion detection deviates, it will suffer an intrusion flag of 1.
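The detection pipeline described in this section and in the summary above (detection filter with class and error signals, feature generation with a previous-period and a current-period counter, and the four rule checks with warning and severe deviation intervals) can be modelled in software. The following Python is an added example written for this page, not the patent's own code or hardware design: the register values, the tolerance pairs, the three periodic identifiers and the injected traffic are all constructed, and the load accumulator counts only data bits (8 × length field) rather than the full frame length on the wire.

```python
# Software model of the detection filter, feature generation and rule-based
# intrusion detection described above. Added example, not the patent's code:
# register values, tolerances and the CAN traffic are constructed.
from collections import Counter
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Frame:
    t_us: int    # time of the frame-end pulse, microseconds
    ident: int   # 29-bit identifier field (upper bits zero for short identifiers)
    length: int  # 4-bit data length field, bytes

# Constructed register set; each *_tol is the (warning, severe) deviation limit.
REGS = {
    "freq_ids": {0x100},          # identifiers under frequency detection
    "interval_ids": {0x200},      # identifiers under time-interval detection
    "freq_tol": (5, 20),          # allowed change in count versus the previous window
    "interval_us": 20_000,        # expected gap between consecutive 0x200 frames
    "interval_tol": (1_000, 5_000),
    "bits_expected": 8_320,       # expected data bits per 1 s window
    "bits_tol": (500, 2_000),
    "entropy_expected": 1.33,     # expected identifier entropy, bits
    "entropy_tol": (0.05, 0.20),
}

def detection_filter(frames, regs):
    """Detection filter module: every frame is passed on (load rate and entropy use
    all traffic); frames whose identifier is configured for frequency or interval
    detection get the matching class signal. The error signal is set when a
    configured identifier never appears in the window."""
    tagged, seen = [], set()
    for f in frames:
        seen.add(f.ident)
        classes = set()
        if f.ident in regs["freq_ids"]:
            classes.add("frequency")
        if f.ident in regs["interval_ids"]:
            classes.add("interval")
        tagged.append((f, frozenset(classes)))
    error = bool((regs["freq_ids"] | regs["interval_ids"]) - seen)
    return tagged, error

def generate_features(tagged):
    """Feature generation module for one window: per-identifier counts, time
    intervals, accumulated bits and identifier entropy H = -sum p(x_i) log2 p(x_i)."""
    freq, local, last_seen, intervals, bits = Counter(), Counter(), {}, [], 0
    for f, classes in tagged:
        local[f.ident] += 1      # local counter per identifier
        bits += 8 * f.length     # load accumulator: data bits only (constructed simplification)
        if "frequency" in classes:
            freq[f.ident] += 1
        if "interval" in classes:
            if f.ident in last_seen:
                intervals.append(f.t_us - last_seen[f.ident])
            last_seen[f.ident] = f.t_us
    total = sum(local.values())  # global counter
    entropy = -sum(c / total * math.log2(c / total) for c in local.values()) if total else 0.0
    return {"freq": freq, "intervals": intervals, "bits": bits, "entropy": entropy}

def grade(value, expected, tol):
    """0 = within range, 1 = warning (small deviation), 2 = severe (large deviation)."""
    warn, severe = tol
    dev = abs(value - expected)
    return 0 if dev <= warn else (1 if dev <= severe else 2)

def intrusion_detect(prev, cur, regs):
    """Intrusion detection module: frequency is compared with the previous window's
    count, the other three features with register presets. Returns ({mode: level}, flag)."""
    levels = {}
    def note(mode, lvl):
        if lvl:
            levels[mode] = max(levels.get(mode, 0), lvl)
    for ident in regs["freq_ids"]:
        note("frequency", grade(cur["freq"][ident], prev["freq"][ident], regs["freq_tol"]))
    for gap in cur["intervals"]:
        note("interval", grade(gap, regs["interval_us"], regs["interval_tol"]))
    note("load", grade(cur["bits"], regs["bits_expected"], regs["bits_tol"]))
    note("entropy", grade(cur["entropy"], regs["entropy_expected"], regs["entropy_tol"]))
    return levels, bool(levels)

def periodic(ident, period_us, length, offset_us=0, window_us=1_000_000):
    # Constructed periodic traffic for one identifier within a 1 s window.
    return [Frame(t, ident, length) for t in range(offset_us, window_us, period_us)]

def normal_window():
    """Constructed steady-state traffic: three periodic identifiers."""
    frames = periodic(0x100, 10_000, 8) + periodic(0x200, 20_000, 4) + periodic(0x300, 50_000, 2)
    return sorted(frames, key=lambda f: f.t_us)

def injected_window():
    """Constructed injection: 100 extra 0x100 frames, 5 ms out of phase with the real ones."""
    return sorted(normal_window() + periodic(0x100, 10_000, 8, offset_us=5_000), key=lambda f: f.t_us)

def run(prev_frames, cur_frames, regs=REGS):
    """Run the pipeline for one window, using the previous window as the frequency baseline."""
    prev_tagged, _ = detection_filter(prev_frames, regs)
    cur_tagged, error = detection_filter(cur_frames, regs)
    levels, flag = intrusion_detect(generate_features(prev_tagged), generate_features(cur_tagged), regs)
    return levels, flag, error
```

Calling `run(normal_window(), normal_window())` yields no deviation, while `run(normal_window(), injected_window())` reports the frequency, load and entropy checks at the severe level and leaves the interval check quiet, because the injected identifier is not the one under interval detection. That independence between the four features is the reason the page keeps all of them rather than relying on a single one.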
The chip intrusion processing module of this embodiment:
Fig. 6 is a schematic diagram of the intrusion processing module of the vehicle-mounted CAN bus intrusion detection chip. As shown in fig. 6, the intrusion processing module of this embodiment provides the necessary control signals to the CAN controller at the hardware level and provides the intrusion detection results to the interrupt service routine at the software level.
Hardware level: according to the intrusion mode, intrusion level and other information, the intrusion processing module provides control information to the CAN controller, controlling the state machine module and the receive filter module.
The control signal sent to the CAN protocol state machine is a pause signal. It notifies the state machine that an intrusion has occurred and that the CAN controller must pause its receiving behaviour; restarting reception is controlled by software.
The control signal sent to the receive filter module of the CAN controller is a switch-configuration signal, which notifies the receive filter module to switch to a configuration that ensures safety. During reception the CAN controller uses the receive filter configuration to decide which CAN messages conforming to the rules are accepted; when an intrusion is detected, the accepted messages are by implication problematic and should not have been received, so the configuration can be switched at that point to ensure safety. If intrusion is still detected after the configuration has been switched a number of times, the CAN protocol state machine can be notified to pause reception.
Software level: when the intrusion processing module finds that an intrusion has occurred, it raises an interrupt and stores the intrusion mode and intrusion level in registers so that a more flexible strategy can be implemented in software, for example: sending the relevant information onto the CAN bus so that the other devices connected to the bus learn that the bus has been intruded upon; sending intrusion information to each device over Ethernet; or having the chip or controller perform operations such as disconnecting part of the system.
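The hardware-level escalation just described (switch the receive filter to a safe configuration first, pause the protocol state machine only if intrusion is still detected afterwards, and restart reception only under software control) together with the software-level interrupt that stores the intrusion mode and level in the register set can be modelled as follows. This is an added example, not the patent's code or register map: the escalation count `MAX_HITS_AFTER_SWITCH`, the mode bit assignment in `MODE_BITS` and the register field names are constructed assumptions, since the page only says "a number of times" and does not fix a register layout.

```python
# Model of the intrusion processing module: hardware-level control signals to
# the CAN controller plus the software-level interrupt. Added example, not the
# patent's code; escalation count, mode bits and register layout are constructed.
from dataclasses import dataclass, field

NORMAL_CONFIG = "normal"   # everyday receive-filter configuration
SAFE_CONFIG = "safe"       # restricted configuration switched to on intrusion
MAX_HITS_AFTER_SWITCH = 3  # constructed: detections tolerated after switching before pausing

# Constructed bit assignment for the intrusion-mode register.
MODE_BITS = {"frequency": 0x1, "interval": 0x2, "load": 0x4, "entropy": 0x8}

@dataclass
class CanController:
    """The parts of the CAN controller that the processing module drives."""
    filter_config: str = NORMAL_CONFIG
    receiving: bool = True
    signals: list = field(default_factory=list)  # control signals issued, in order

    def switch_filter(self, config):
        self.filter_config = config
        self.signals.append(("switch_config", config))

    def pause(self):
        self.receiving = False
        self.signals.append(("pause", None))

    def resume(self):
        self.receiving = True
        self.signals.append(("resume", None))

@dataclass
class Registers:
    """Register-set fields read by the interrupt handler and upper-layer software."""
    intrusion_flag: int = 0
    intrusion_mode: int = 0    # bitmap built from MODE_BITS
    intrusion_level: int = 0   # 1 = warning, 2 = severe

class IntrusionProcessor:
    def __init__(self, controller, registers):
        self.ctrl = controller
        self.regs = registers
        self.hits_after_switch = 0
        self.interrupts = []  # (mode bitmap, level) delivered to the driver

    def handle(self, levels):
        """Process one window's detection result ({mode: level}).
        Returns the interrupt record, or None when nothing deviated."""
        if not levels:
            return None
        mode = 0
        for name in levels:
            mode |= MODE_BITS[name]
        level = max(levels.values())
        # Software level: record mode and level in the register set, raise an interrupt.
        self.regs.intrusion_flag = 1
        self.regs.intrusion_mode = mode
        self.regs.intrusion_level = level
        self.interrupts.append((mode, level))
        # Hardware level: first switch the receive filter to the safe configuration;
        # if intrusion keeps being detected after the switch, pause reception.
        if self.ctrl.filter_config != SAFE_CONFIG:
            self.ctrl.switch_filter(SAFE_CONFIG)
            self.hits_after_switch = 0
        else:
            self.hits_after_switch += 1
            if self.hits_after_switch >= MAX_HITS_AFTER_SWITCH and self.ctrl.receiving:
                self.ctrl.pause()
        return (mode, level)

    def software_restart(self):
        """Upper-layer software decides when reception restarts; hardware never restarts itself."""
        self.regs.intrusion_flag = 0
        self.hits_after_switch = 0
        self.ctrl.switch_filter(NORMAL_CONFIG)
        self.ctrl.resume()

def demo():
    """Constructed sequence: a quiet window, one hit, then repeated hits after the switch."""
    ctrl, regs = CanController(), Registers()
    proc = IntrusionProcessor(ctrl, regs)
    proc.handle({})                               # quiet window: nothing happens
    proc.handle({"frequency": 2, "load": 1})      # first hit: filter switched, still receiving
    for _ in range(MAX_HITS_AFTER_SWITCH):
        proc.handle({"frequency": 2})             # repeated hits: reception paused
    return ctrl, regs, proc
```

The design point is the ordering: the first response (switching the receive filter) keeps the controller on the bus, and only persistent detections after that switch trigger the pause signal, which is the hard stop that software must later lift explicitly. The interrupt record carries the same mode and level values that are written to the registers, so the driver and the upper-layer strategy see exactly what the hardware acted on.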
The core features of the chip of this embodiment are:
1) CAN bus intrusion detection is realised inside the chip, so no equipment needs to be added to the whole-vehicle electrical and electronic architecture, which reduces whole-vehicle system cost, and the impact on network and system performance caused by software-implemented intrusion detection is reduced.
2) CAN intrusion detection and the CAN controller work cooperatively: the CAN intrusion detection module provides control information that updates the receiving strategy, working mode and so on of the CAN controller, closing the loop between intrusion detection and intrusion defence in hardware.
3) Chip-level CAN intrusion detection can serve as the basis of a multi-level (chip-level, domain-controller-level and whole-vehicle-level) intrusion detection scheme, providing data support and functional support to the system-level scheme.
It will be appreciated by those of ordinary skill in the art that all or part of the steps implementing the above embodiments may be realized by hardware, or by a program instructing related hardware, where the program may be stored in a computer-readable storage medium such as a magnetic disk, an optical disc, a read-only memory (ROM) or a random access memory (RAM).
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and additions may be made by those skilled in the art without departing from the principles of the present invention; such modifications and additions are also to be considered within the scope of the present invention.

Claims (7)

1. A vehicle-mounted CAN bus intrusion detection chip, characterized in that: it comprises a CAN controller and a CAN intrusion detector; the CAN controller comprises a CAN transceiver, a CAN protocol state machine and a receiving filter module, and CAN bus signals, after passing through the CAN transceiver, the CAN protocol state machine and the receiving filter module, yield CAN frame end, frame category, frame identifier and frame length information; the CAN intrusion detector comprises a detection filtering module, a feature generation module, an intrusion detection module, an intrusion processing module and a register set; the detection filtering module is used for receiving the CAN frame end, frame category, frame identifier and frame length information and judging, according to the preset configuration of the register set, whether a CAN message received by the CAN controller is a CAN message required for intrusion detection; the feature generation module is used for generating CAN bus intrusion features from the output signals of the detection filtering module; the intrusion detection module is used for checking the CAN bus intrusion features against rules preset in the register set, judging whether a CAN bus intrusion has occurred, generating a CAN bus intrusion mode and storing CAN bus intrusion level information in the register set; the intrusion processing module is used for providing a control signal to the CAN controller to update the CAN bus intrusion receiving strategy according to the CAN bus intrusion mode and the CAN bus intrusion level information;
the detection filtering module judges, according to the frame identifiers preset and configured in the register set, whether the frame identifier output by the CAN controller belongs to a CAN message required for intrusion detection; the CAN messages are divided into frequency intrusion detection CAN messages, load rate and information entropy intrusion detection CAN messages, and time interval intrusion detection CAN messages; all received CAN messages are used for load rate and information entropy intrusion detection; frequency intrusion detection and time interval intrusion detection are determined by the preset configuration of the register set, and when the frequency detection ID or the interval detection ID cannot be found in the received CAN messages, an error signal is output; the output signals of the detection filtering module comprise CAN message data signals containing the frame identifier, enable signals, class signals indicating frequency or interval, and error signals;
the characteristic generation module comprises a frequency characteristic generation sub-module, a load rate characteristic generation sub-module, a time interval characteristic generation sub-module and an information entropy characteristic generation sub-module; the intrusion detection module comprises a frequency characteristic intrusion detection sub-module, a load rate characteristic intrusion detection sub-module, a time interval characteristic intrusion detection sub-module and an information entropy characteristic intrusion detection sub-module;
the information entropy feature is used to represent the uncertainty of the CAN bus network, the information entropy of the CAN bus being stable under the set working condition, where p(x_i) denotes the frequency of occurrence of a specific frame identifier on the CAN bus within a time period; the information entropy feature generation sub-module accumulates CAN message data with a global counter as they are input within a time interval and accumulates each specific frame identifier with a local counter, and after the time interval ends it generates p(x_i) and log p(x_i) from the global counter and the local counters, computes p(x_i)·log p(x_i), and finally accumulates these to obtain the information entropy within the time interval; the information entropy feature intrusion detection sub-module compares the information entropy value within the time interval with the information entropy value preset in the register set to judge whether a CAN bus intrusion has occurred.
2. The in-vehicle CAN bus intrusion detection chip of claim 1, characterized in that: the controller is used to control the CAN bus intrusion detection module to execute a CAN bus intrusion processing driver, and the CAN bus intrusion processing driver is used to send an interrupt when the intrusion detection module judges that a CAN bus intrusion has occurred, and to provide the CAN bus intrusion mode and CAN bus intrusion level information stored in the register set to upper-layer software, which implements the CAN bus intrusion software processing strategy.
3. The in-vehicle CAN bus intrusion detection chip of claim 2, characterized in that: updating the CAN bus intrusion receiving strategy comprises sending a pause signal to the CAN protocol state machine of the CAN controller, informing the CAN protocol state machine that a CAN bus intrusion has occurred and that it should stop receiving CAN bus signals, with reception restarted by the upper layer; and/or sending a switching configuration to the receiving filter module of the CAN controller, informing the receiving filter module to switch to a configuration that ensures safety, and notifying the CAN protocol state machine to pause receiving CAN bus signals when CAN bus intrusion is still found after the switching configuration.
4. The in-vehicle CAN bus intrusion detection chip of claim 2, characterized in that: the upper-layer software implementing the CAN bus intrusion software processing strategy comprises sending information onto the CAN bus so that other devices connected to the CAN bus learn that a CAN bus intrusion has occurred; and/or sending information over Ethernet so that other devices connected to the Ethernet learn that a CAN bus intrusion has occurred; and/or disconnecting part of the CAN controller and/or the CAN intrusion detector.
5. The in-vehicle CAN bus intrusion detection chip of claim 1, characterized in that: the frequency feature means that, in a specific scene, the frequency with which CAN messages of a specific frame identifier appear on the CAN bus is fixed and unchanging; the frequency feature generation sub-module comprises a last-period specific-frame-identifier accumulation counter and a current-period specific-frame-identifier accumulation counter; the frequency feature intrusion detection sub-module judges whether a CAN bus intrusion has occurred by comparing the current-period specific-frame-identifier accumulation counter value with the last-period specific-frame-identifier accumulation counter value.
6. The in-vehicle CAN bus intrusion detection chip of claim 1, characterized in that: the time interval feature is that, under the set working condition, the time interval between successive CAN messages of a specific frame identifier is relatively static and stable; the time interval feature generation sub-module captures CAN messages within a time range, records the offset time of each specific frame identifier, and records the difference between the offset times of consecutive specific frame identifiers as the time interval; the time interval feature intrusion detection sub-module judges whether a CAN bus intrusion has occurred by comparing whether the recorded time intervals fluctuate.
7. The in-vehicle CAN bus intrusion detection chip of claim 1, characterized in that: the load rate feature is that the CAN bus load rate is relatively static and stable under the set working condition, the CAN bus load rate being the ratio of the number of bits transmitted per unit time on the CAN bus to the total bandwidth of the network; the load rate feature intrusion detection sub-module accumulates the number of bits transmitted per unit time on the CAN bus under the set working condition; the load rate feature intrusion detection sub-module compares the number of bits transmitted per unit time on the CAN bus with the total CAN bus network bandwidth preset in the register set to judge whether a CAN bus intrusion has occurred.
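The four features of claims 1 and 5 to 7 and the receive-filter switching and pause behaviour of claim 3 (also described in the detailed description above) can be modelled in software. The following Python block is an added example written for this page; it is not code from the patent or from the applicant. The frame timings, identifiers, thresholds, the grading of the intrusion level as the number of tripped features, the base-2 logarithm for the entropy (the claim does not fix a base) and the bit-count per frame, which ignores bit stuffing, are all constructed assumptions.

```python
"""Added example, not code from the patent: a software model of the four CAN bus
intrusion features (claims 1, 5, 6, 7) and the hardware closed loop of claim 3.
Identifiers, timings, thresholds and traffic below are constructed."""
import math
from collections import Counter
from dataclasses import dataclass

@dataclass
class Frame:
    t_us: int    # arrival time relative to window start, in microseconds
    can_id: int  # 11-bit frame identifier
    dlc: int     # payload length in bytes

@dataclass
class Rules:
    """Stand-in for the preset register set (all values constructed)."""
    freq_id: int = 0x100         # ID watched by the frequency detector
    interval_id: int = 0x200     # ID watched by the time interval detector
    window_us: int = 10_000      # detection window length
    entropy_ref: float = 1.33    # expected ID entropy under this working condition
    entropy_tol: float = 0.15
    interval_tol_us: int = 200   # allowed spread between consecutive gaps
    bitrate: int = 500_000       # bus bitrate in bit/s
    load_max: float = 0.60       # load rate threshold

def frame_bits(dlc):
    """Classic CAN frame with 11-bit ID plus 3-bit IFS, ignoring stuff bits."""
    return 47 + 8 * dlc

def window_features(frames, rules):
    """Feature generation for one window: global and local counters give the
    entropy, the frequency count, the inter-arrival gaps and the load rate."""
    global_cnt = len(frames)                       # global counter
    local = Counter(f.can_id for f in frames)      # one local counter per ID
    entropy = 0.0
    for cnt in local.values():                     # accumulate -p(x_i) * log2 p(x_i)
        p = cnt / global_cnt
        entropy -= p * math.log2(p)
    offsets = [f.t_us for f in frames if f.can_id == rules.interval_id]
    gaps = [b - a for a, b in zip(offsets, offsets[1:])]
    capacity = rules.bitrate * rules.window_us / 1_000_000   # bits per window
    load = sum(frame_bits(f.dlc) for f in frames) / capacity
    return {"entropy": entropy, "freq_count": local[rules.freq_id],
            "gaps": gaps, "load": load}

def detect(feat, rules, prev_freq_count=None):
    """Intrusion detection: list of tripped modes, empty when the window is clean."""
    modes = []
    if prev_freq_count is not None and feat["freq_count"] != prev_freq_count:
        modes.append("frequency")  # claim 5: current vs. last period counter
    if feat["gaps"] and max(feat["gaps"]) - min(feat["gaps"]) > rules.interval_tol_us:
        modes.append("interval")   # claim 6: recorded gaps fluctuate
    if abs(feat["entropy"] - rules.entropy_ref) > rules.entropy_tol:
        modes.append("entropy")    # claim 1: entropy vs. preset value
    if feat["load"] > rules.load_max:
        modes.append("load")       # claim 7: bits per unit time vs. bandwidth
    return modes

class IntrusionProcessor:
    """Closed loop of claim 3: switch the receive filter to the safe configuration
    first; if intrusions persist after the switch, pause the protocol state machine."""
    def __init__(self, pause_after=2):
        self.pause_after = pause_after
        self.filter_cfg = "normal"
        self.state_machine = "receiving"
        self.hits_after_switch = 0
        self.registers = {"mode": [], "level": 0, "irq": False}  # read by software

    def handle(self, modes):
        if not modes:
            return
        # level = number of tripped features (constructed grading scheme)
        self.registers.update(mode=modes, level=len(modes), irq=True)
        if self.filter_cfg == "normal":
            self.filter_cfg = "safe"
        else:
            self.hits_after_switch += 1
            if self.hits_after_switch >= self.pause_after:
                self.state_machine = "paused"

def make_window(inject=0):
    """Constructed 10 ms of traffic; inject > 0 adds extra frames of ID 0x100."""
    frames = [Frame(t, 0x100, 8) for t in range(0, 10_000, 1_000)]     # 10 frames
    frames += [Frame(t, 0x200, 8) for t in range(500, 10_000, 2_000)]  # 5 frames
    frames += [Frame(t, 0x300, 8) for t in (250, 5_250)]                # 2 frames
    frames += [Frame(100 + 450 * k, 0x100, 8) for k in range(inject)]
    return sorted(frames, key=lambda f: f.t_us)

def run_demo(rules=Rules()):
    """Two clean windows, then three windows with 20 injected frames each."""
    proc, prev = IntrusionProcessor(), None
    for inject in (0, 0, 20, 20, 20):
        feat = window_features(make_window(inject), rules)
        proc.handle(detect(feat, rules, prev))
        prev = feat["freq_count"]
    return proc
```

Running `run_demo()` feeds two clean windows and then three windows carrying 20 extra frames of one identifier. The first injected window trips the frequency, entropy and load detectors and switches the receive filter to the safe configuration; the next two trip only entropy and load, because the frequency comparator of claim 5 measures against the previous period and goes quiet once the elevated count persists, and the second hit after the switch pauses the protocol state machine. The time-interval detector for 0x200 stays quiet throughout, since that identifier's schedule is unchanged, which is why the design combines several features rather than relying on one.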
CN202310562564.3A 2023-05-18 2023-05-18 Vehicle-mounted CAN bus intrusion detection chip Active CN116599723B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310562564.3A CN116599723B (en) 2023-05-18 2023-05-18 Vehicle-mounted CAN bus intrusion detection chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310562564.3A CN116599723B (en) 2023-05-18 2023-05-18 Vehicle-mounted CAN bus intrusion detection chip

Publications (2)

Publication Number Publication Date
CN116599723A CN116599723A (en) 2023-08-15
CN116599723B true CN116599723B (en) 2023-12-26

Family

ID=87607606

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310562564.3A Active CN116599723B (en) 2023-05-18 2023-05-18 Vehicle-mounted CAN bus intrusion detection chip

Country Status (1)

Country Link
CN (1) CN116599723B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106094801A (en) * 2016-07-12 2016-11-09 四川大学 A novel CAN FD controller
CN107566402A (en) * 2017-10-13 2018-01-09 成都信息工程大学 Vehicle electronic information system intrusion detection method based on SOEKS and its implementation
CN109688152A (en) * 2019-01-03 2019-04-26 南京邮电大学 A message injection attack detection method for the in-vehicle CAN bus
CN110329271A (en) * 2019-06-18 2019-10-15 北京航空航天大学杭州创新研究院 A multi-sensor vehicle driving detection system and method based on machine learning
CN113824619A (en) * 2020-06-18 2021-12-21 恩智浦有限公司 CAN transceiver

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10686815B2 (en) * 2017-09-11 2020-06-16 GM Global Technology Operations LLC Systems and methods for in-vehicle network intrusion detection
US11665178B2 (en) * 2019-12-26 2023-05-30 Intel Corporation Methods and arrangements for message time series intrusion detection for in-vehicle network security

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CAN bus flooding attack detection method based on communication features; 季一木; 焦志鹏; 刘尚东; 吴飞; 孙静; 王娜; 陈治宇; 毕强; 田鹏浩; 网络与信息安全学报 (Chinese Journal of Network and Information Security) (01); full text *
Simulation of an optimal interface access control model in a suspected network intrusion environment; 刘珏; 王永; 计算机测量与控制 (Computer Measurement & Control) (11); full text *

Also Published As

Publication number Publication date
CN116599723A (en) 2023-08-15

Similar Documents

Publication Publication Date Title
US11438355B2 (en) In-vehicle network anomaly detection system and in-vehicle network anomaly detection method
US10693905B2 (en) Invalidity detection electronic control unit, in-vehicle network system, and communication method
CN108848072B (en) Vehicle-mounted CAN bus abnormality detection method based on relative entropy
JPWO2019107210A1 (en) Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system and in-vehicle network monitoring method
CN110691104B (en) Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics
CN111225834B (en) Vehicle control device
CN110865626A (en) Method and system for detecting message injection anomalies
CN111147448B (en) CAN bus flood attack defense system and method
CN104301177A (en) CAN message abnormality detection method and system
KR20180021287A (en) Appratus and method for detecting vehicle intrusion
CN112514351A (en) Abnormality detection method and apparatus
CN112823495B (en) Detection device, gateway device, detection method, and detection program
US20200014758A1 (en) On-board communication device, computer program, and message determination method
KR20200069852A (en) Method for detecting anomalies of vehicle control network and apparatus using the same
US20220094684A1 (en) Electronic control unit and communication system
WO2021065068A1 (en) Detection device, vehicle, detection method, and detection program
CN109076081B (en) Method for monitoring the safety of a communication connection of a vehicle
KR20220041137A (en) Multi-mode messaging anomaly detection for broadcast network security
CN116599723B (en) Vehicle-mounted CAN bus intrusion detection chip
CN107911229B (en) Running state change reminding method and device, electronic equipment and storage medium
WO2021111685A1 (en) Detection device, vehicle, detection method, and detection program
CN111114317B (en) Vehicle speed control method, device and equipment
CN110808890B (en) Communication processing method, communication processing device, storage medium and CAN bus communication system
JP6913869B2 (en) Surveillance equipment, surveillance systems and computer programs
CN116112252A (en) Vehicle-mounted CAN bus intrusion detection and defense system based on message clock period

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240129

Address after: Room 1803, 18th Floor, Building 1, No. 2 Ronghua South Road, Beijing Economic and Technological Development Zone, Chaoyang District, Beijing, 100024

Patentee after: Beijing Huixi Intelligent Information Technology Co.,Ltd.

Country or region after: China

Address before: Room 1101, 11th Floor, No. 52 North Fourth Ring West Road, Haidian District, Beijing, 100080

Patentee before: Beijing Huixi Intelligent Technology Co.,Ltd.

Country or region before: China