KR20180067446A - Device for detecting anomaly of vehicle networks based on hazard model - Google Patents

Abstract

An apparatus for detecting an abnormal symptom of a vehicle is disclosed. The apparatus for detecting an abnormal symptom of a vehicle includes a message receiving unit for receiving a plurality of messages sequentially generated in a vehicle network, an ID extraction unit for extracting an ID of each of the plurality of messages, a survival rate calculating unit for calculating a section survival rate for each ID by using a plurality of IDs which have been extracted, and an abnormal symptom detecting unit for determining the presence or absence of an abnormal symptom based on the calculated section survival rate. Accordingly, the present invention can provide an abnormal symptom detection technique independent of a CAN ID which does not require CAN ID analysis.

Description

TECHNICAL FIELD [0001] The present invention relates to a vehicular network abnormality detection apparatus based on a hazard model,

The present invention relates to an apparatus for detecting an anomaly in a vehicle or a vehicle network, and more particularly, to an apparatus for detecting anomaly in a vehicle network using a hazard model, will be.

Technologies for vehicles are converging with Information and Communication Technologies (ICT) and are changing to a connected car environment. In addition, the importance of vehicle security is increasing as technologies for autonomous driving rapidly develop. Many parts and devices mounted on the vehicle are connected to an electronically controlled ECU (Electronic Control Unit), whereby the vehicle is controlled and managed efficiently. However, these ECUs require security measures because they send and receive messages through various communication protocols such as CAN (Controller Area Network) and LIN (Local Interconnect Network) with other sensors and components in the vehicle.

Especially, autonomous driving vehicle requires less research on attacks that may occur in the outside and inside because the driver 's intervention is less unlike ordinary vehicles. In the case of autonomous vehicles, technologies for self-detection and avoidance of external obstacles have been developed and are being further developed. We are also developing technologies to avoid obstacles and sudden incoming vehicles on the road in various ways.

Korean Patent Publication No. 1998-0038543 (published on Aug. 5, 1998) Korean Patent Publication No. 1994-0011939 (published on June 22, 1994) Korean Patent Publication No. 2016-0014026 (published Feb. 2016)

It is a technical object of the present invention to provide a method and apparatus for detecting abnormality in a CAN ID that is not required to analyze each CAN ID in order to detect an abnormal symptom of a vehicle.

An apparatus for detecting an anomaly of a vehicle according to an exemplary embodiment of the present invention includes a message receiving unit for receiving a plurality of messages sequentially generated in a vehicle network, an ID extracting unit for extracting IDs of the plurality of messages, A survival rate calculating unit for calculating a survival rate of each ID by using IDs and an abnormal symptom detecting unit for determining whether or not an abnormal symptom is present based on the calculated interval survival rate.

According to the present invention, it is possible to solve the difficulty of analyzing the CAN message which is differently configured according to the manufacturer and the year of manufacture of the vehicle, so that it is possible to provide an abnormal symptom detection technique that is not dependent on the CAN ID, which does not require the CAN ID analysis.

In addition, since the survival rate for each CAN network is obtained, it can be used for a communication protocol having an ID. In the case of a vehicle using a CAN network communication, an effect that can detect an abnormal symptom .

In addition, it is possible to promptly process information necessary for decision making and inform the driver and the passenger of whether the current vehicle is normal or abnormal, and notify the vehicle control center or the vehicle control company A specific response can be made possible.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to more fully understand the drawings recited in the detailed description of the present invention, a detailed description of each drawing is provided.
Figure 1 illustrates a system according to an embodiment of the present invention.
2 is a functional block diagram of the detection apparatus shown in Fig.
FIG. 3 is a diagram for explaining a section divided by the survival rate calculating unit shown in FIG. 2. FIG. 3 (a) shows a CAN ID generated in normal traveling, and FIG. 3 (b) shows a CAN ID generated in abnormal traveling.
FIG. 4A is a diagram illustrating a section survival rate when there is a DoS attack, FIG. 4B is a section survival ratio when there is a fuzzing attack, and FIG. 4c shows the zone survival rate in the case of RPM attack, and FIG. 4d shows the zone survival rate in the case of the Gear attack.
5 is a diagram showing a CAN ID cycle of a sonata produced in 2010 by Hyundai Motor.
FIG. 6 shows the result of measuring the detection accuracy of attack type for Hyundai's 2010 type Sonata vehicle.

It is to be understood that the specific structural or functional description of embodiments of the present invention disclosed herein is for illustrative purposes only and is not intended to limit the scope of the inventive concept But may be embodied in many different forms and is not limited to the embodiments set forth herein.

The embodiments according to the concept of the present invention can make various changes and can take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. It should be understood, however, that it is not intended to limit the embodiments according to the concepts of the present invention to the particular forms disclosed, but includes all modifications, equivalents, or alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms may be named for the purpose of distinguishing one element from another, for example, without departing from the scope of the right according to the concept of the present invention, the first element may be referred to as a second element, The component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that no other element exists in between. Other expressions that describe the relationship between components, such as "between" and "between" or "neighboring to" and "directly adjacent to" should be interpreted as well.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like are used to specify that there are features, numbers, steps, operations, elements, parts or combinations thereof described herein, But do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning of the context in the relevant art and, unless explicitly defined herein, are to be interpreted as ideal or overly formal Do not.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached hereto.

The present invention is a method for detecting an abnormal vehicle condition that may occur in an autonomous driving environment or a vehicle IoT (Internet of Things) environment from a client side, and can determine safety of the vehicle state by applying a hazard model technique I suggest how to do it.

The vehicle carries out communication using CAN (Controller Area Network) protocol to communicate with various vehicle parts and sensors mounted on the vehicle. The CAN messages are continuously generated from each sensor and components and collected by the ECU, and the vehicle performs its functions using these data.

Vehicle status information and vehicle control information are routed through the CAN network to the inside of the vehicle. Detecting these anomalies and attacking of these CAN messages is an essential element for vehicle safety and driver safety.

In the case of raw data, the CAN message transmitted in the CAN network is different for each vehicle manufacturer and year of manufacture, and the parts to be generated and applied are different for each part in the vehicle. That is, even if the same CAN ID is used, different functions can be performed depending on the vehicle.

Particularly, in the autonomous driving environment, the CAN message data generated during driving will be periodically and repeatedly generated. On the driver's side, in a passive and passive driving environment, the vehicle's condition is periodically monitored, You will need an immediate system.

Further, in the present invention, a hazard symbol of a vehicle is detected using a hazard model. The hazard model is a statistical method for estimating the survival function or survival curve by analyzing the survival period and analyzing the time period until the occurrence of the event. Survival period and current status information are needed. The current status is to check whether the target to be measured is alive or not at the time of measurement of the survival period.

There are three methods for estimating the survival function or the survival curve as the life table method, the Kaplan-Meier method, and the Cox proportional hazard model. In the present invention, the Kaplan-Meier concept is applied to detect abnormal symptoms.

)을 측정할 수 있다.In the Kaplan-Meier estimation method, the data are arranged in the order of observation period (time or chunk unit), and the survival rate

) Can be measured.

In the case where the vehicle is traveling normally, the probability of survival of the individual CAN IDs occurring at the time of driving is maintained substantially constant. However, when a DoS (Denial of Service) attack, a fuzzing attack, or a spoofing attack occurs during the running of the vehicle, A pattern in which the probability of survival varies is generated.

Table 1 shows the types of attacks that can occur in vehicles using the CAN protocol.

Attack type Contents DoS · A DoS attack occupies all the resources allocated to the CAN bus in the vehicle, limiting the communication between the ECUs in the vehicle and delaying or blocking the transmission of CAN messages to perform the original function of the attacking vehicle, which interferes with normal driving.
· Set the Arbitration ID of the CAN message to 0 or lower than the value used in the target vehicle to inject unlimited CAN messages into the vehicle Fuzzing Attack Arbitration ID, data, and DLC to be included in the CAN message are arbitrarily determined each time and transmitted to the vehicle
Injection messages of totally random CAN ID and DATA values every 0.5 milliseconds. Spoofing Attack
(RPM / Gear) · Injecting messages of certain CAN ID related to RPM / gear information every 1 millisecond.

Figure 1 illustrates a system according to an embodiment of the present invention.

Referring to FIG. 1, a system 10, which may be a vehicle system, includes a plurality of ECUs (Electronic Control Units, ECU A to ECU D) and a detection device 100. Each of the ECUs (ECU A to ECUD) or the detection device 100 can communicate via a CAN (Controller Area Network). That is, each of the ECUs (ECU A through ECUD) or the detection device 100 can send and receive messages or data by broadcasting a CAN message to the CAN bus. It should be apparent to those skilled in the art that the scope of the present invention is not limited to the number of ECUs included in the system 10.

Detector 100 may receive CAN messages broadcast on the CAN bus and may use the CAN ID of each of the CAN messages to detect anomalies in the vehicle. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. Message.

In addition, the system 10 is not limited to a CAN network system, and the communication protocol or network used in the system 10 according to an embodiment may be a FlexRay, a Local Interconnect Network (LIN), a CAN FD Flexible Data) or a Media Oriented Systems Transport (MOST). In this case, the detection apparatus 100 can detect an abnormal symptom of the vehicle or an abnormal symptom of the vehicle network by extracting the ID of a message generated in each network.

2 is a functional block diagram of the detection apparatus shown in Fig.

1 and 2, the detection apparatus 100 includes a message reception unit 110, an ID extraction unit 130, a survival rate calculation unit 150, and an abnormal symptom detection unit 170. The detection device 100 may further include a storage unit 190 according to an embodiment.

The message reception unit 110 can receive a plurality of CAN messages broadcasted via the CAN bus. The message receiving unit 110 may be directly connected to the CAN bus to receive the plurality of CAN messages or to receive the plurality of CAN messages via the OBD-2 terminal. The plurality of CAN messages received by the message receiving unit 110 may be stored in the storage unit 190.

The ID extracting unit 130 may extract the CAN IDs of the plurality of messages received by the message receiving unit 110 or the plurality of messages stored in the storage unit 190. [ The ID extracted by the ID extracting unit 130 may be stored in the storage unit.

)을 산출할 수 있다. 생존율 산출부(150)에 의해 산출된 각 CAN ID의 구간 생존율(

)은 저장부(190)에 저장될 수 있다. 생존율 산출부(150)의 구체적인 동작은 후술하기로 한다.The survival rate calculation unit 150 divides the sequentially generated CAN IDs or the sequentially broadcasted CAN IDs into predetermined intervals and calculates a survival rate of each of the predetermined at least one CAN ID

) Can be calculated. The survival rate of each CAN ID calculated by the survival rate calculating unit 150

May be stored in the storage unit 190. The specific operation of the survival rate calculating unit 150 will be described later.

)에 기초하여 차량의 이상 징후 여부(또는 차량 네트워크의 이상 징후 여부)를 탐지할 수 있다. 구체적으로, CAN ID의 미리 정해진 범위를 벗어나는 경우 차량에 이상 징후가 발생한 것으로 판단할 수 있다. 일 예로, CAN ID "4f0"의 구간 생존율이 0.1~0.3을 벗어나는 경우 이상 징후로 판단할 수 있다.The abnormality symptom detection unit 170 calculates the interval survival rate of each of the calculated CAN IDs (

(Or an abnormality of the vehicle network) based on the vehicle speed and the vehicle speed. Specifically, when the vehicle is out of a predetermined range of the CAN ID, it can be determined that an anomaly has occurred in the vehicle. For example, if the survival rate of the interval of the CAN ID "4f0" is out of the range of 0.1 to 0.3, it can be judged as an abnormal symptom.

In addition, the anomalous symptom detection unit 170 may transmit a notification message when an anomaly occurs in the vehicle. According to an embodiment, the abnormality symptom detection unit may broadcast the notification message through the CAN bus or transmit the notification message to a separate server via a wired / wireless communication network. In addition, since the abnormality of the vehicle is determined based on the section survival rate of the individual CAN ID, a warning message can be specifically provided as to which CAN ID the problem occurred.

The storage unit 190 stores a plurality of CAN messages received by the message receiving unit 110, a plurality of CAN IDs extracted by the ID extracting unit 130, and / or a plurality of CAN IDs calculated by the survival rate calculating unit 150 The interval survival rate of the CAN ID can be stored.

Each of the configurations of the detection apparatus 100 shown in FIG. 2 indicates that it is functionally and logically separable, and does not necessarily mean that each configuration is divided into separate physical devices or written in separate codes The average expert in the field of the invention will readily be able to deduce.

Also, in this specification, "part" may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, the above-mentioned "part" may mean a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and it does not necessarily mean a physically connected code or a kind of hardware .

FIG. 3 is a diagram for explaining a section divided by the survival rate calculating unit shown in FIG. 2. FIG. 3 (a) shows a CAN ID generated in normal traveling, and FIG. 3 (b) shows a CAN ID generated in abnormal traveling.

1 to 3, the survival rate calculating unit 150 may set a chunk such that a predetermined number of a plurality of CAN messages (or CAN IDs) sequentially generated (or broadcasted or received) are included. The chunk referred to herein means a section including a predetermined CAN ID, and the time period may be different for each chunk.

For example, the survival rate calculating unit 150 may set a section, that is, a chunk such that 20 CAN IDs are included. 3, each of the chunks may be set so as not to include the CAN IDs redundantly. However, according to the embodiment, each of the chunks may be set to include a predetermined ratio or a predetermined number of CAN IDs have.

As another example, the survival rate calculating unit 150 may set the interval based on time. Specifically, the survival rate calculating unit 150 may set the interval so that a (a is a real number equal to or greater than zero) seconds. In this case, the number of CAN IDs included in each section may be different from each other. At this time, an arbitrary section may be set to each section so that a predetermined ratio or a predetermined time overlaps with the previous section.

In addition, the survival rate calculation unit 150 can calculate the interval survival rate of at least one predetermined CAN ID in each section.

In the case of normal running (FIG. 3A), the section survival rate of the CAN ID "4f0" in the first chunk (chunk 1) to the fourth chunk (chunk 4) is as follows.

The interval survival rate P (t) of CAN ID 4f0 in chunk1 = 5/20 = 0.25

The segment survival rate P (t) of CAN ID 4f0 in chunk2 = 5/20 = 0.25

The segment survival rate P (t) of CAN ID 4f0 in chunk 3 = 4/20 = 0.2

The interval survival rate P (t) of CAN ID 4f0 in chunk4 = 4/20 = 0.2

As described above, the interval survival rate of the CAN ID in normal driving is kept constant, but when the injection attack such as DoS is performed, the survival rate is different from that of the CAN ID.

In the case of abnormal traveling (Fig. 3B), the coverage rate of the CAN ID "4f0" in the first to fourth chunks (chunk 1 to chunk 4) is as follows.

The interval survival rate P (t) of CAN ID 4f0 in chunk1 = 5/20 = 0.25

The segment survival rate P (t) of CAN ID 4f0 in chunk2 = 5/20 = 0.25

The segment survival rate P (t) of CAN ID 4f0 in chunk3 = 1/20 = 0.05

The interval survival rate P (t) of CAN ID 4f0 in chunk4 = 1/20 = 0.05

FIG. 4A is a diagram illustrating a section survival rate when there is a DoS attack, FIG. 4B is a section survival ratio when there is a fuzzing attack, and FIG. 4c shows the zone survival rate in the case of RPM attack, and FIG. 4d shows the zone survival rate in the case of the Gear attack.

It is confirmed that the survival rate is different according to the attack type applied to the actual vehicle. When one chunk is divided into 100 CAN IDs, the survival rate of the CAN IDs corresponding to each attack is sequentially measured up to a total of 300.

Referring to FIG. 4A, when the DoS attack is performed with the CAN ID of "0000", the survival rate (red) of the CAN ID "04f0" and the survival rate (gray) of the CAN ID "04f0" .

Referring to FIG. 4B, it can be seen that the survival rate (red color) of CAN ID "04f0" and the survival rate (gray color) of CAN ID "04f0" are clearly different when the fuzzing attack is performed.

Referring to FIG. 4C, when the RPM attack is performed with the CAN ID "0316", the survival rate (red) of the CAN ID "0316" and the survival rate (gray) of the CAN ID "0316" .

Referring to FIG. 4D, it can be seen that the survival rate (red color) of CAN ID "0329" and the survival rate (gray) of CAN ID "0329" when there is no attack are clearly different when a Gear attack is performed with CAN ID "0329" .

The lower the CAN ID number, the higher the priority of the CAN message cycle. The high priority means that a CAN ID with a higher priority is executed first in the broadcast-oriented communication protocol CAN. 5 showing the CAN ID cycle of the Sonata produced by Hyundai Motor in 2010, it can be seen that the cycle is very constant except for some CAN IDs (690, 5a0, 5a2, 5f0, etc.). In view of the constantity of the CAN ID cycle, the inventor of the present invention has proposed a method of detecting an abnormal state of the vehicle with only the survival rate of the CAN ID.

Referring to FIG. 6, which is a result of measuring the detection accuracy of the attack type for the 2010 type Sonata of Hyundai Motor, it can be seen that the present invention provides a very high accuracy.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

10: System
100: Detector
110:
130: ID extracting unit
150: Survival rate calculating unit
170: abnormal symptom detection unit
190:

Claims (7)

A message receiver for receiving a plurality of messages sequentially occurring in a vehicle network;
An ID extractor for extracting an ID of each of the plurality of messages;
A survival rate calculation unit for calculating a survival rate of each ID by using the extracted IDs; And
And an abnormality symptom detection unit for determining whether or not the abnormality symptom is present based on the calculated interval survival rate.
The method according to claim 1,
The vehicle network is a CAN (Controller Area Network)
Wherein each of the plurality of messages is a CAN message,
An apparatus for detecting an anomaly of a vehicle.
The method according to claim 1,
The survival rate calculation unit divides the plurality of IDs into predetermined sections,
Calculating a section survival rate of at least one ID determined in advance in each of the divided sections,
An apparatus for detecting an anomaly of a vehicle.
The method of claim 3,
Wherein the survival rate calculator divides the plurality of IDs so that each of the divided intervals has the same time period,
An apparatus for detecting an anomaly of a vehicle.
The method of claim 3,
Wherein the survival rate calculation unit divides the plurality of IDs so that the same number of IDs are included in each of the divided intervals,
An apparatus for detecting an anomaly of a vehicle.
The method according to claim 4 or 5,
Wherein the abnormality symptom detection unit determines that an abnormal symptom occurs when the calculated interval survival rate is out of a predetermined range,
An apparatus for detecting an anomaly of a vehicle.
The method according to claim 1,
The vehicle network may be a Flexible Data (FD), a FlexRay, a Local Interconnect Network (LIN) or a Media Oriented Systems Transport (MOST)
An apparatus for detecting an anomaly of a vehicle.

Images