WO2020135755A1 - Vehicle attack detection method and apparatus - Google Patents

Vehicle attack detection method and apparatus

Info

Publication number
WO2020135755A1
Authority
WO
WIPO (PCT)
Prior art keywords
vehicle
attack event
time period
physical
data message
Prior art date
Application number
PCT/CN2019/129315
Other languages
French (fr)
Chinese (zh)
Inventor
刘健皓
曹明革
Original Assignee
北京奇虎科技有限公司
Priority date
Filing date
Publication date
Application filed by 北京奇虎科技有限公司 filed Critical 北京奇虎科技有限公司
Publication of WO2020135755A1 publication Critical patent/WO2020135755A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40052 High-speed IEEE 1394 serial bus
    • H04L12/40104 Security; Encryption; Content protection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Definitions

  • the present disclosure relates to the technical field of vehicle safety, and in particular to a method and device for vehicle attack detection.
  • a programmable or remotely controllable intelligent unit in a vehicle provides a new intrusion channel for illegal intruders, thereby posing a great threat to people’s property and life safety.
  • the detection of attacks against vehicles is limited to detecting whether there is an attack behavior against a vehicle in cyberspace. If there is an attack behavior against a vehicle in cyberspace, it is determined that the vehicle is under attack. However, the detection rate of vehicle attacks detected by this detection method is high, and the detection accuracy is low, which is not conducive to the safety protection of vehicles.
  • the present disclosure is proposed in order to provide a vehicle attack detection method and device that overcome the above problems or at least partially solve the above problems.
  • a vehicle attack detection method including:
  • a vehicle attack detection device including:
  • the network attack detection unit is adapted to determine the network attack event that occurred against the vehicle
  • the physical attack detection unit is adapted to determine the physical attack event that occurs against the vehicle
  • the determining unit is adapted to determine that the vehicle is attacked within the time period if a network attack event and a physical attack event occur to the vehicle within the same time period.
  • a computing device including: a processor, a memory, a communication interface, and a communication bus, and the processor, memory, and communication interface complete communication with each other through the communication bus;
  • the memory is used to store at least one executable instruction.
  • the executable instruction causes the processor to perform the operation corresponding to the vehicle attack detection method.
  • a non-volatile computer-readable storage medium having at least one executable instruction stored in it, the executable instruction causing the processor to execute the operation corresponding to the vehicle attack detection method described above.
  • a computer program product including a calculation program stored on the above-mentioned non-volatile computer-readable storage medium.
  • the vehicle attack detection method and device determine the network attack event that occurs to the vehicle and determine the physical attack event that occurs to the vehicle; if the network attack event and the physical attack event occur to the vehicle within the same time period, it is determined that the vehicle was attacked within this time period.
  • This solution detects attacks on vehicles in multiple dimensions according to the attack events received by the vehicle in cyberspace and physical space, which can greatly reduce the false alarm rate, improve the accuracy of attack detection, and provide the basis for achieving vehicle safety protection; moreover, this solution is simple, and easy to implement and apply on a large scale.
  • FIG. 1 shows a schematic flowchart of a vehicle attack detection method according to an embodiment of the present disclosure
  • FIG. 2 shows a schematic flowchart of a vehicle attack detection method according to another embodiment of the present disclosure
  • FIG. 3 shows a schematic flowchart of a vehicle attack detection method according to yet another embodiment of the present disclosure
  • FIG. 4 shows a schematic structural diagram of a vehicle attack detection device according to an embodiment of the present disclosure
  • FIG. 5 shows a schematic structural diagram of a computing device according to an embodiment of the present disclosure.
  • the vehicle attack detection method and device provided by the present disclosure can be specifically used for vehicle attack detection based on a CAN (Controller Area Network) bus structure.
  • FIG. 1 shows a schematic flowchart of a vehicle attack detection method according to an embodiment of the present disclosure. As shown in Figure 1, the method includes:
  • step S110 it is determined that a network attack event occurred for the vehicle.
  • this step can be performed by the networked unit in the vehicle (such as on-board routing equipment, on-board entertainment unit, etc.); or, this step can also be performed by the cloud server, and the cloud server sends the determination result to the vehicle.
  • the networking unit receives the determination result.
  • the specific method for determining the network attack event received by the vehicle is not limited.
  • a whitelist, sandbox, behavior detection, and/or feature detection technology may be used to determine the network attack event that occurs to the vehicle. For example, it can be determined whether the network command issued to the vehicle is in the preset command white list by means of the command white list. If not, it is determined that a network attack event has occurred against the vehicle.
  • step S120 it is determined that the physical attack event occurred for the vehicle.
  • this embodiment further determines the physical attack event that occurs to the vehicle.
  • the physical attack event against the vehicle is specifically determined according to the analog signal in the vehicle bus.
  • the legality of the source of the analog signal in the vehicle bus can be used to determine whether a physical attack event against the vehicle occurs.
  • This embodiment does not limit the specific implementation manner of determining the physical attack event that occurs for the vehicle.
  • this step may be performed by a physical attack detection unit provided in the vehicle, and the physical attack detection unit may be mounted on the vehicle CAN bus.
  • a physical attack detection unit can be installed in each CAN bus, or the physical attack detection unit can be installed in a gateway to which each CAN bus is connected, so that the physical attack detection unit in the gateway monitors the physical attack events that occur on each CAN bus. This setting method can greatly reduce costs.
  • step S110 and step S120 are not limited, and the two may be executed sequentially or in parallel.
  • step S130 if a network attack event and a physical attack event occur to the vehicle within the same time period, it is determined that the vehicle is attacked within the time period.
  • This embodiment uses two dimensions of network space and physical space to detect attacks on vehicles, which can greatly reduce the false alarm rate of attack detection and improve the accuracy of attack detection.
  • the attack time corresponding to the network attack event and the physical attack event are recorded respectively.
  • Event and physical attack event it is determined that the vehicle was attacked within this time period.
  • the length of the same time period is not limited.
  • Those skilled in the art can set the corresponding time period length according to the accuracy requirements of attack detection; and/or, determine the length of the time period based on the big data analysis of historical attack events; and/or, according to the determined network attack event and The type of the attack event of the physical attack event determines the corresponding time period length, that is, this embodiment may pre-configure corresponding time period lengths for different attack event types.
  • attacks on the vehicle are detected from the two dimensions of network space and physical space.
  • when the network attack event and the physical attack event occur to the vehicle within the same time period, it is determined that the vehicle is attacked within this time period, which can greatly reduce the attack false alarm rate and improve the accuracy of vehicle attack detection, thereby providing a basis for the realization of vehicle safety protection; moreover, this solution is simple, and easy to implement and apply on a large scale.
  • FIG. 2 shows a schematic flowchart of a vehicle attack detection method according to another embodiment of the present disclosure. As shown in Figure 2, the method includes:
  • Step S210 it is determined whether a network attack event has occurred against the vehicle; if so, it is determined that the network attack event corresponds to a time period.
  • the specific method for determining the occurrence of a network attack event by a vehicle is not limited.
  • one or more combinations of the following embodiments may be used to determine whether a network attack event occurs for a vehicle:
  • a corresponding command whitelist can be configured in the networking unit of the vehicle.
  • when the networking unit in the vehicle receives a network command, it is determined whether the received network command is in the command whitelist. If not, it is determined that a network attack event has occurred in the vehicle; alternatively, a corresponding command blacklist can be configured in the vehicle's networking unit.
  • when the networking unit in the vehicle receives a network command, it is determined whether the received network command is in the command blacklist. If yes, it is determined that a cyberattack occurred in the vehicle.
  • the instruction whitelist and/or instruction blacklist may be dynamically updated according to the data in the cloud server.
  • the cloud server can determine the corresponding command white list or command black list according to the analysis of the vehicle data in the IoV system, and deliver it to the vehicle, so that the vehicle can perform a decremental or incremental update according to the command white list and/or command black list issued by the cloud server.
  • the cloud server may further finely divide the instruction whitelist and/or instruction blacklist, so that different types of vehicles or different individual vehicles are configured with corresponding command whitelists and/or command blacklists, so as to realize the customization of the command whitelists or command blacklists for the vehicles and improve the attack detection effect of the vehicles.
  • a sandbox detection technique may be used to determine the network attack event that occurred against the vehicle.
  • the network instruction may be placed in a sandbox environment, and whether a network attack event has occurred in the vehicle may be determined according to the execution result of the network instruction in the sandbox.
  • this embodiment may be specifically used in combination with an instruction whitelist and/or an instruction blacklist, that is, when the network instruction is not on the instruction whitelist, the network instruction is further placed in a sandbox environment to determine whether a cyber attack on the vehicle has occurred.
  • the method of determining whether a network attack event has occurred for a vehicle is not limited to the above two methods or a combination of the two; for example, the network attack event directed against the vehicle can also be determined based on behavior detection technology and/or feature detection technology.
  • a person skilled in the art may select a corresponding detection method according to the actual situation, and this embodiment is not limited herein.
  • the time period corresponding to the cyber attack event is further determined.
  • in the process of determining the time period corresponding to the network attack event according to the time point corresponding to the network attack event and the preset time period length, the time point corresponding to the network attack event can be used as the starting point of the time period, and the sum of that time point and the preset time period length is taken as the end point of the time period; or, the difference between the time point corresponding to the cyber attack event and half of the preset time period length is taken as the starting point of the time period, and the sum of the time point corresponding to the cyber attack event and half of the preset time period length is taken as the end point of the time period. For example, if the time point corresponding to the cyber attack event is a and the preset time period length is b, then the time period corresponding to the network attack event can be (a, a+b), or (a-b/2, a+b/2).
  • step S220 it is determined whether a physical attack event against the vehicle has occurred within the time period; if so, it is determined that the vehicle has been attacked within the time period.
  • It is determined whether a physical attack event against the vehicle has occurred within the time period determined in step S210. The determination of the physical attack event targeting the vehicle can be carried out by the physical attack detection unit mounted on the vehicle bus: the data message in the vehicle bus can be monitored, and according to the monitoring result, it can be determined whether a physical attack event against the vehicle has occurred within the time period.
  • the data message in the vehicle bus can be monitored to determine whether the data message comes from a legal electronic control unit (ECU, Electronic Control Unit); if not, it is determined that a physical attack event has occurred against the vehicle.
  • to determine whether the data message comes from a legitimate electronic control unit, it is necessary to first determine the electronic control unit that sends the data message.
  • Different electronic control units in the vehicle sending out the same data message correspond to different analog signal voiceprints (the analog signal voiceprint specifically refers to the characteristic data of the analog signal; for example, the data obtained after the corresponding mathematical conversion of the analog signal, such as the differential signal voltage of the analog signal, can be used as the analog signal voiceprint).
  • the data message can be analyzed to obtain the analog signal voiceprint corresponding to the data message, and the electronic control unit that sends the data message can be determined according to the analog signal voiceprint.
  • the electronic control unit in the vehicle can only send a certain type or types of data messages. For example, the steering control message in the vehicle can only be sent by the steering control unit. Therefore, after determining the electronic control unit sending out the data message, determine whether the electronic control unit sending out the data message is in the white list of the electronic control unit corresponding to the data message; if not, it is determined that a physical attack event has occurred against the vehicle.
  • the data message in the vehicle bus can be monitored and parsed to obtain the analog signal voiceprint corresponding to the data message; it is then determined whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint corresponding to the data message; if not, it is determined that a physical attack event has occurred against the vehicle.
  • the same data message sent out by different electronic control units parses into different analog signals, and different analog signals correspond to different analog signal voiceprints; that is, the analog signals corresponding to the same data message sent by different electronic control units have different voiceprints.
  • the legal electronic control unit sends the analog signal of the data message, and the analog signal voiceprint of the data message sent by the legal electronic control unit is used as the standard analog signal voiceprint corresponding to the data message. Thus, in determining the physical attack event directed to the vehicle, it can be determined whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint corresponding to the data message; if not, it is determined that a physical attack has occurred against the vehicle.
  • a corresponding warning message may be further issued, so that the attack behavior can be quickly blocked.
  • this embodiment detects the attack of the vehicle from two dimensions of network space and physical space.
  • When it is determined that a network attack event has occurred for the vehicle, the time period corresponding to the network attack event is determined, and then, when a physical attack event targeting the vehicle occurs within the determined time period, it is determined that the vehicle is under attack, which can greatly reduce the rate of attack false alarms and improve the accuracy of vehicle attack detection, thereby providing a basis for achieving vehicle safety protection; and, this embodiment determines the physical attack events that occur against the vehicle by determining whether the data message in the vehicle bus originates from a legitimate electronic control unit, and/or determining whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint corresponding to the data message, so that the detection efficiency and accuracy of physical attack events can be greatly improved.
  • FIG. 3 shows a schematic flowchart of a vehicle attack detection method according to yet another embodiment of the present disclosure. As shown in Figure 3, the method includes:
  • Step S310 Determine whether a physical attack event occurs for the vehicle; if so, determine a time period corresponding to the physical attack event.
  • step S320 it is determined whether a network attack event targeting the vehicle has occurred within the time period; if so, it is determined that the vehicle has been attacked within the time period.
  • For the specific implementation manners of step S310 and step S320, reference may be made to the corresponding description in step S210 and step S220, and this embodiment will not repeat them here.
  • this embodiment detects attacks on vehicles from two dimensions of network space and physical space.
  • the time period corresponding to the physical attack event is determined, and then, when a network attack event targeting the vehicle occurs within the determined time period, it is determined that the vehicle is under attack, which can greatly reduce the attack false alarm rate and improve the accuracy of vehicle attack detection, thereby providing a basis for achieving vehicle safety protection; and, this embodiment determines the physical attack events that occur against the vehicle by determining whether the data message in the vehicle bus originates from a legitimate electronic control unit, and/or determining whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint corresponding to the data message, so that the detection efficiency and accuracy of physical attack events can be greatly improved.
  • FIG. 4 shows a schematic structural diagram of a vehicle attack detection device according to an embodiment of the present disclosure.
  • the device includes: a network attack detection unit 41, a physical attack detection unit 42 and a determination unit 43.
  • the network attack detection unit 41 is adapted to determine a network attack event that occurs against the vehicle.
  • the network attack detection unit 41 may be a networked unit in the vehicle.
  • the physical attack detection unit 42 is adapted to determine a physical attack event that occurs with respect to the vehicle.
  • the physical attack detection unit 42 may be mounted on the vehicle bus.
  • the physical attack detection unit 42 may be provided in a gateway to which all vehicle buses are connected, and the physical attack detection unit 42 provided in the gateway monitors the physical attack events occurring on each vehicle bus, which may reduce the cost to a large extent; alternatively, a physical attack detection unit 42 may be installed in each vehicle bus, thereby avoiding the disadvantage that the physical attack event in the entire vehicle cannot be monitored when the gateway is invaded.
  • the determining unit 43 is adapted to determine that the vehicle is attacked within the time period if a network attack event and a physical attack event occur to the vehicle within the same time period.
  • the module can be executed by a special processing unit mounted on the vehicle bus, or can be integrated into the network attack detection unit 41 or the physical attack detection unit 42.
  • the physical attack detection unit 42 is further adapted to: monitor data packets in the vehicle bus to determine whether the data packets come from a legitimate electronic control unit; if not, determine that a physical attack event has occurred against the vehicle.
  • the physical attack detection unit 42 is further adapted to: determine the electronic control unit that sends the data message, and determine whether the electronic control unit that sends the data message is in the white list of the electronic control unit corresponding to the data message; if not, it is determined that a physical attack event occurred against the vehicle.
  • the physical attack detection unit 42 is further adapted to: analyze the data message to obtain an analog signal voiceprint corresponding to the data message; and determine the electronic control unit that sends the data message according to the analog signal voiceprint.
  • the physical attack detection unit 42 is further adapted to: monitor data packets in the vehicle bus, parse the data packets, and obtain analog signal voiceprints corresponding to the data packets; determine analog signals corresponding to the data packets Whether the voiceprint matches the standard analog signal voiceprint corresponding to the data message; if not, it is determined that a physical attack event has occurred against the vehicle.
  • analog signals corresponding to the same data message sent by different electronic control units have different voiceprints.
  • the network attack detection unit 41 is further adapted to: use a whitelist, sandbox, behavior detection, and/or feature detection technology to determine a network attack event that occurs with respect to the vehicle.
  • the network attack detection unit 41 is further adapted to: determine whether a network attack event has occurred for the vehicle; if so, determine a time period corresponding to the network attack event;
  • the physical attack detection unit 42 is further adapted to: determine whether a physical attack event targeting the vehicle has occurred within a certain period of time;
  • the determining unit 43 is further adapted to: if a physical attack event targeting the vehicle occurs within the determined time period, determine that the vehicle is attacked within the determined time period.
  • the physical attack detection unit 42 is further adapted to: determine whether a physical attack event occurs for the vehicle; if so, determine a time period corresponding to the physical attack event;
  • the network attack detection unit 41 is further adapted to: determine whether a network attack event targeting the vehicle has occurred within a certain period of time;
  • the determining unit 43 is further adapted to: if a network attack event targeting the vehicle occurs within the determined time period, determine that the vehicle is attacked within the determined time period.
  • attacks on the vehicle are detected from the two dimensions of network space and physical space.
  • when the network attack event and the physical attack event occur to the vehicle within the same time period, it is determined that the vehicle is attacked within this time period, which can greatly reduce the attack false alarm rate and improve the accuracy of vehicle attack detection, thereby providing a basis for the realization of vehicle safety protection; moreover, this solution is simple, and easy to implement and apply on a large scale.
  • a non-volatile computer-readable storage medium stores at least one executable instruction, and the computer-executable instruction can execute any of the foregoing method embodiments.
  • FIG. 5 shows a schematic structural diagram of a computing device according to an embodiment of the present disclosure. Specific embodiments of the present disclosure do not limit the specific implementation of the computing device.
  • the computing device may include: a processor 502, a communication interface 504, a memory 506, and a communication bus 508.
  • the processor 502, the communication interface 504, and the memory 506 communicate with each other through the communication bus 508.
  • the communication interface 504 is used to communicate with network elements of other devices such as clients or other servers.
  • the processor 502 is used to execute the program 510, and specifically can execute the relevant steps in the foregoing vehicle attack detection method embodiment.
  • the program 510 may include a program code, and the program code includes a computer operation instruction.
  • the processor 502 may be a central processing unit CPU, or a specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement the embodiments of the present disclosure.
  • the one or more processors included in the computing device may be processors of the same type, such as one or more CPUs, or may be processors of different types, such as one or more CPUs and one or more ASICs.
  • the memory 506 is used to store the program 510.
  • the memory 506 may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), for example, at least one magnetic disk memory.
  • the program 510 may specifically be used to cause the processor 502 to perform the following operations:
  • the electronic control unit that sends out the data message is determined according to the analog signal voiceprint.
  • analog signals corresponding to different electronic control units sending the same data message have different voiceprints.
  • if a network attack event targeting the vehicle occurs within a certain period of time, it is determined that the vehicle is under attack within the certain period of time.
  • modules in the device in the embodiment can be adaptively changed and set in one or more devices different from the embodiment.
  • the modules or units or components in the embodiments may be combined into one module or unit or component, and in addition, they may be divided into a plurality of submodules or subunits or subcomponents. Except that at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
  • Various component embodiments of the present disclosure may be implemented in hardware, or implemented in software modules running on one or more processors, or implemented in a combination thereof.
  • a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components in the vehicle attack detection device according to the embodiments of the present disclosure.
  • the present disclosure may also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing part or all of the method described herein.
  • Such a program implementing the present disclosure may be stored on a computer-readable medium, or may have the form of one or more signals.
  • Such a signal can be downloaded from an Internet website, or provided on a carrier signal, or provided in any other form.

Abstract

Disclosed are a vehicle attack detection method and apparatus. The method comprises: determining a network attack event occurring to a vehicle; determining a physical attack event occurring to the vehicle; and if the network attack event and the physical attack event occur to the vehicle in the same time period, determining that the vehicle is attacked in this time period.

Description

Vehicle attack detection method and device
Cross-reference to related applications
This application claims priority to Chinese patent application No. 201811639337.1, titled "Vehicle Attack Detection Method and Device", filed with the Chinese Patent Office on December 29, 2018, the entire contents of which are incorporated herein by reference.
Technical field
The present disclosure relates to the technical field of vehicle security, and in particular to a vehicle attack detection method and device.
Background
With the continuous development of technology and society, the emergence of various intelligent and automated vehicles has greatly facilitated people's work and life, but it has also given rise to many security threats against vehicles. For example, programmable or remotely controllable intelligent units in a vehicle provide new intrusion channels for illegal intruders, posing a great threat to people's property and lives.
To keep a vehicle secure and protect it, attacks on the vehicle must first be detected by a suitable detection method. At present, attack detection for vehicles is limited to detecting whether attack behavior against the vehicle exists in cyberspace; if such behavior exists in cyberspace, the vehicle is determined to be under attack. However, this detection method has a high false alarm rate and low detection accuracy, which is not conducive to protecting the vehicle.
Summary of the invention
In view of the above problems, the present disclosure is proposed to provide a vehicle attack detection method and device that overcome the above problems or at least partially solve them.
According to one aspect of the present disclosure, a vehicle attack detection method is provided, including:
determining a network attack event that occurs against a vehicle; and
determining a physical attack event that occurs against the vehicle;
if a network attack event and a physical attack event occur against the vehicle within the same time period, determining that the vehicle is under attack within that time period.
According to another aspect of the present disclosure, a vehicle attack detection device is provided, including:
a network attack detection unit, adapted to determine a network attack event that occurs against a vehicle;
a physical attack detection unit, adapted to determine a physical attack event that occurs against the vehicle;
a determining unit, adapted to determine, if a network attack event and a physical attack event occur against the vehicle within the same time period, that the vehicle is under attack within that time period.
According to yet another aspect of the present disclosure, a computing device is provided, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above vehicle attack detection method.
According to still another aspect of the present disclosure, a non-volatile computer-readable storage medium is provided, in which at least one executable instruction is stored, the executable instruction causing a processor to perform the operations corresponding to the above vehicle attack detection method.
According to yet a further aspect of the present disclosure, a computer program product is also provided, which includes a computer program stored on the above non-volatile computer-readable storage medium.
According to the vehicle attack detection method and device provided by the present disclosure, a network attack event that occurs against the vehicle is determined, and a physical attack event that occurs against the vehicle is determined; if a network attack event and a physical attack event occur against the vehicle within the same time period, it is determined that the vehicle is under attack within that time period. This solution performs attack detection on the vehicle in multiple dimensions, based on the attack events the vehicle suffers in cyberspace and in physical space, which can greatly reduce the false alarm rate, improve the accuracy of attack detection, and provide a basis for vehicle security protection; moreover, the solution is simple and easy to implement and apply on a large scale.
The above description is only an overview of the technical solutions of the present disclosure. So that the technical means of the present disclosure can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the present disclosure are more apparent, specific embodiments of the present disclosure are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present disclosure. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
FIG. 1 shows a schematic flowchart of a vehicle attack detection method according to an embodiment of the present disclosure;
FIG. 2 shows a schematic flowchart of a vehicle attack detection method according to another embodiment of the present disclosure;
FIG. 3 shows a schematic flowchart of a vehicle attack detection method according to yet another embodiment of the present disclosure;
FIG. 4 shows a schematic structural diagram of a vehicle attack detection device according to an embodiment of the present disclosure;
FIG. 5 shows a schematic structural diagram of a computing device according to an embodiment of the present disclosure.
Preferred embodiments of the present disclosure
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and its scope conveyed in full to those skilled in the art.
The vehicle attack detection method and device provided by the present disclosure can be used in particular for attack detection on vehicles based on a CAN (Controller Area Network) bus architecture.
FIG. 1 shows a schematic flowchart of a vehicle attack detection method according to an embodiment of the present disclosure. As shown in FIG. 1, the method includes:
Step S110: determine a network attack event that occurs against the vehicle.
This step may be performed by a networked unit in the vehicle (such as an on-board routing device, an in-vehicle entertainment unit, and so on); alternatively, it may be performed by a cloud server, which sends the determination result to the vehicle, where the networked unit receives it.
In practice, the network attack events that the vehicle suffers in cyberspace can be determined. This embodiment does not limit the specific method for determining them. For example, whitelist, sandbox, behavior detection and/or signature detection techniques may be used to determine a network attack event against the vehicle. With a command whitelist, for instance, it is determined whether a network command issued to the vehicle is in a preset command whitelist; if not, it is determined that a network attack event has occurred against the vehicle.
Step S120: determine a physical attack event that occurs against the vehicle.
Unlike the prior art, this embodiment determines not only network attack events against the vehicle but also physical attack events against it. A physical attack event is determined from the analog signals on the vehicle bus; for example, whether a physical attack event against the vehicle has occurred can be judged from the legitimacy of the source of an analog signal on the vehicle bus. This embodiment does not limit the specific way of determining physical attack events against the vehicle.
This step may be performed by a physical attack detection unit provided in the vehicle, which may be mounted on the vehicle's CAN bus. Optionally, to reduce the false negative rate of attack detection, a physical attack detection unit may be mounted on every CAN bus; alternatively, the physical attack detection unit may be placed in the gateway to which all CAN buses are connected, and that unit monitors the physical attack events on every CAN bus, an arrangement that can reduce cost considerably.
This embodiment does not limit the execution order of step S110 and step S120; the two may be executed sequentially or in parallel.
Step S130: if a network attack event and a physical attack event occur against the vehicle within the same time period, determine that the vehicle is under attack within that time period.
This embodiment performs attack detection on the vehicle in two dimensions, cyberspace and physical space, which can greatly reduce the false alarm rate of attack detection and improve its accuracy.
Specifically, when a network attack event or a physical attack event against the vehicle is determined, this embodiment records the attack time corresponding to each event. When it is determined that a network attack event and a physical attack event occurred against the vehicle within the same time period, it is determined that the vehicle is under attack within that time period.
This embodiment does not limit the length of that time period. Those skilled in the art may set the length according to the required precision of attack detection; and/or determine it from big-data analysis of historical attack events; and/or determine it from the types of the network attack event and the physical attack event that were determined, that is, this embodiment may pre-configure a time period length for each attack event type.
It can be seen that this embodiment performs attack detection on the vehicle in two dimensions, cyberspace and physical space. When both a network attack event and a physical attack event occur against the vehicle within the same time period, it is determined that the vehicle is under attack within that time period, which can greatly reduce the false alarm rate and improve the accuracy of vehicle attack detection, providing a basis for vehicle security protection; moreover, the solution is simple and easy to implement and apply on a large scale.
FIG. 2 shows a schematic flowchart of a vehicle attack detection method according to another embodiment of the present disclosure. As shown in FIG. 2, the method includes:
Step S210: determine whether a network attack event has occurred against the vehicle; if so, determine the time period corresponding to the network attack event.
This embodiment does not limit the specific method for determining that a network attack event has occurred against the vehicle. For example, one of the following implementations, or a combination of several, may be used:
In one implementation, a command whitelist may be configured in the vehicle's networked unit. When the networked unit receives a network command, it determines whether the received command is in the command whitelist; if not, it is determined that a network attack event has occurred against the vehicle. Alternatively, a command blacklist may be configured in the networked unit; when the networked unit receives a network command, it determines whether the command is in the command blacklist, and if so, it is determined that a network attack event has occurred against the vehicle. Optionally, the command whitelist and/or command blacklist may be updated dynamically from data in the cloud server. The cloud server can determine the corresponding whitelist or blacklist by analysing vehicle data in the Internet of Vehicles system and deliver it to the vehicle, which then applies decremental or incremental updates according to the lists delivered. Optionally, to further improve attack detection accuracy and reduce the storage pressure on the networked unit, the cloud server may divide the command whitelist and/or command blacklist at a finer granularity, configuring corresponding lists for different vehicle types or for individual vehicles, so that the lists are customized per vehicle and the attack detection effect is improved.
In another implementation, sandbox detection may be used to determine network attack events against the vehicle. In practice, the network command is placed in a sandbox environment, and whether a network attack event has occurred is determined from the result of executing the command in the sandbox. Optionally, this implementation may be combined with the command whitelist and/or command blacklist: when a network command is not in the command whitelist, it is then placed in the sandbox environment to determine whether a network attack event has occurred against the vehicle.
Those skilled in the art should understand that the methods for determining whether a network attack event has occurred against the vehicle are not limited to the two approaches above or their combination; for example, behavior detection and/or signature detection techniques may also be used. Those skilled in the art may choose a detection method according to the actual situation, and this embodiment imposes no limitation here.
If a detection method determines that a network attack event has occurred against the vehicle, the time period corresponding to that event is then determined. To do so, the time point of the network attack event and a preset time period length are determined first, and the time period is derived from them. The time point of the event may be taken as the start of the period, and the sum of that time point and the preset length as its end; alternatively, the time point minus half the preset length is taken as the start, and the time point plus half the preset length as the end. For example, if the time point of the network attack event is a and the preset time period length is b, the corresponding time period may be (a, a+b) or (a-b/2, a+b/2).
Step S220: determine whether a physical attack event against the vehicle has occurred within that time period; if so, determine that the vehicle is under attack within that time period.
Determine whether a physical attack event against the vehicle has occurred within the time period determined in step S210. To determine physical attack events, the physical attack detection unit mounted on the vehicle bus may monitor the data messages on the bus and determine from the monitoring result whether a physical attack event against the vehicle occurred within that time period.
In an optional implementation, the data messages on the vehicle bus are monitored, and it is determined whether a data message comes from a legitimate electronic control unit (ECU); if not, it is determined that a physical attack event has occurred against the vehicle. To judge whether a data message comes from a legitimate ECU, the ECU that sent the message must first be determined. Different ECUs in the vehicle produce different analog signal voiceprints when sending the same data message. (The analog signal voiceprint refers to characteristic data of the analog signal; for example, data obtained by applying a mathematical transformation to the analog signal, such as the differential signal voltage, can serve as the voiceprint. The analog signal voiceprint of at least one data message sent by at least one ECU can be determined in advance by methods such as machine learning.) The data message can therefore be parsed to obtain its analog signal voiceprint, and the sending ECU determined from that voiceprint. Further, an ECU in the vehicle can send only one or a few types of data messages; for example, steering control messages in the vehicle can only be sent by the steering control unit. Therefore, after the sending ECU is determined, it is judged whether that ECU is in the ECU whitelist corresponding to the data message; if not, it is determined that a physical attack event has occurred against the vehicle.
In yet another implementation, the data messages on the vehicle bus are monitored and parsed to obtain the analog signal voiceprint corresponding to each data message, and it is judged whether that voiceprint matches the standard analog signal voiceprint for the data message; if not, it is determined that a physical attack event has occurred against the vehicle. In practice, the analog signal obtained for one and the same data message differs depending on which ECU sent it, and different analog signals have different voiceprints, so different ECUs sending the same data message produce different analog signal voiceprints. For a given data message, the analog signal produced when a legitimate ECU sends it can therefore be determined in advance, and the voiceprint of that signal used as the standard analog signal voiceprint for the message. When determining physical attack events against the vehicle, it is then judged whether the voiceprint corresponding to a data message matches the standard analog signal voiceprint for that message; if not, it is determined that a physical attack event has occurred against the vehicle.
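The two physical-attack checks described above (sender identification followed by an ECU whitelist lookup, and comparison against the message's standard voiceprint) can be sketched as follows. This is an added example, not code from the patent: the two-feature voiceprint, the ECU names, CAN IDs, profile values, and the nearest-profile matching with a fixed threshold are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Voiceprint = Tuple[float, float]  # (dominant differential voltage in V, rise time in ns)


@dataclass(frozen=True)
class Profile:
    mean: Voiceprint  # voiceprint learned in advance for one ECU
    std: Voiceprint   # per-feature spread, used to normalise distances


# Constructed profiles for three hypothetical ECUs (values are made up).
PROFILES: Dict[str, Profile] = {
    "steering_ecu": Profile((2.05, 62.0), (0.01, 1.5)),
    "brake_ecu": Profile((2.11, 55.0), (0.01, 1.5)),
    "infotainment_ecu": Profile((1.93, 75.0), (0.01, 1.5)),
}

# ECU whitelist per data message, keyed by CAN ID (hypothetical IDs).
ECU_WHITELIST: Dict[int, Set[str]] = {
    0x0C4: {"steering_ecu"},
    0x1A0: {"brake_ecu"},
    0x3E8: {"infotainment_ecu"},
}

MATCH_THRESHOLD = 3.0  # assumed: max normalised distance that counts as a match


def distance(fp: Voiceprint, profile: Profile) -> float:
    """Euclidean distance after scaling each feature by the profile's spread."""
    return math.sqrt(sum(((x - m) / s) ** 2
                         for x, m, s in zip(fp, profile.mean, profile.std)))


def identify_sender(fp: Voiceprint) -> Optional[str]:
    """Return the ECU whose profile is closest to fp, or None if none is close."""
    name, d = min(((n, distance(fp, p)) for n, p in PROFILES.items()),
                  key=lambda item: item[1])
    return name if d <= MATCH_THRESHOLD else None


def check_frame(can_id: int, fp: Voiceprint) -> Tuple[str, Optional[str]]:
    """First check: identify the sender, then look it up in the message's whitelist."""
    sender = identify_sender(fp)
    if sender is None:
        return ("unknown_transmitter", None)
    # Assumption: a message with no whitelist entry is treated as a violation.
    if sender not in ECU_WHITELIST.get(can_id, set()):
        return ("sender_not_whitelisted", sender)
    return ("ok", sender)


def matches_standard(can_id: int, fp: Voiceprint) -> bool:
    """Second check: compare fp with the standard voiceprint(s) of the message,
    taken here as the profiles of the ECUs allowed to send it."""
    return any(distance(fp, PROFILES[ecu]) <= MATCH_THRESHOLD
               for ecu in ECU_WHITELIST.get(can_id, set()))


if __name__ == "__main__":
    # Constructed frames: (CAN ID, measured voiceprint).
    frames = [
        (0x0C4, (2.052, 61.0)),  # steering message from the steering ECU
        (0x0C4, (1.935, 74.2)),  # steering message that looks like the infotainment ECU
        (0x0C4, (2.30, 40.0)),   # steering message from a transmitter with no profile
    ]
    for can_id, fp in frames:
        print(hex(can_id), fp, check_frame(can_id, fp), matches_standard(can_id, fp))
```

Any verdict other than "ok", or a failed standard-voiceprint match, corresponds to a physical attack event in the sense of step S220.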
If a physical attack event against the vehicle occurred within the determined time period, it is determined that the vehicle is under attack within that time period.
Optionally, after it is determined that the vehicle is under attack, corresponding alarm information may be issued so that the attack behavior can be blocked quickly.
It can be seen that this embodiment performs attack detection on the vehicle in two dimensions, cyberspace and physical space. After it is determined that a network attack event has occurred against the vehicle, the time period corresponding to that event is determined, and if a physical attack event against the vehicle occurs within that time period, it is determined that the vehicle is under attack. This can greatly reduce the false alarm rate and improve the accuracy of vehicle attack detection, providing a basis for vehicle security protection. In addition, this embodiment determines physical attack events against the vehicle by determining whether a data message on the vehicle bus originates from a legitimate electronic control unit, and/or whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint for that message, which can greatly improve the efficiency and accuracy of physical attack event detection.
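The time-window correlation of steps S210 and S220 can be sketched as follows, covering both window forms from the description, (a, a+b) and (a-b/2, a+b/2), and a per-event-type length b. This is an added example, not code from the patent: the event type names, window lengths, sample events and inclusive boundary handling are assumptions. It also generalizes slightly by letting either domain act as the anchor, so the same function serves the order in which a physical attack event is determined first.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Hypothetical per-event-type window lengths in seconds (the "b" of the text).
WINDOW_SECONDS: Dict[str, float] = {
    "command_not_whitelisted": 10.0,
    "sender_not_whitelisted": 4.0,
}
DEFAULT_WINDOW_SECONDS = 5.0  # assumed fallback for types without an entry


@dataclass(frozen=True)
class AttackEvent:
    domain: str  # "network" or "physical"
    kind: str    # detector-specific event type (hypothetical names)
    t: float     # time point "a" of the event, in seconds


def event_window(anchor: AttackEvent, mode: str) -> Tuple[float, float]:
    """Build the time period for an anchor event from its time point and b."""
    b = WINDOW_SECONDS.get(anchor.kind, DEFAULT_WINDOW_SECONDS)
    if mode == "forward":    # (a, a+b)
        return (anchor.t, anchor.t + b)
    if mode == "centered":   # (a-b/2, a+b/2)
        return (anchor.t - b / 2, anchor.t + b / 2)
    raise ValueError(f"unknown window mode: {mode!r}")


def correlate(events: Iterable[AttackEvent],
              anchor_domain: str = "network",
              mode: str = "forward") -> List[Tuple[AttackEvent, List[AttackEvent]]]:
    """Return (anchor, matching events) for every anchor event whose window
    contains at least one event from the other domain."""
    if anchor_domain not in ("network", "physical"):
        raise ValueError(f"unknown domain: {anchor_domain!r}")
    other_domain = "physical" if anchor_domain == "network" else "network"
    ordered = sorted(events, key=lambda e: e.t)
    anchors = [e for e in ordered if e.domain == anchor_domain]
    others = [e for e in ordered if e.domain == other_domain]
    alerts = []
    for anchor in anchors:
        start, end = event_window(anchor, mode)
        # Boundaries are treated as inclusive here (an assumption).
        matches = [e for e in others if start <= e.t <= end]
        if matches:
            alerts.append((anchor, matches))
    return alerts


# Constructed sample events; times are seconds since an arbitrary start.
SAMPLE_EVENTS = [
    AttackEvent("physical", "sender_not_whitelisted", 98.0),
    AttackEvent("network", "command_not_whitelisted", 100.0),
    AttackEvent("physical", "sender_not_whitelisted", 107.5),
    AttackEvent("physical", "voiceprint_mismatch", 300.0),    # no network event nearby
    AttackEvent("network", "command_not_whitelisted", 500.0),  # no physical event nearby
]

if __name__ == "__main__":
    for domain, mode in (("network", "forward"), ("network", "centered"),
                         ("physical", "forward")):
        for anchor, matches in correlate(SAMPLE_EVENTS, domain, mode):
            print(domain, mode, "anchor at", anchor.t,
                  "matched", [m.t for m in matches])
```

The isolated events at 300.0 and 500.0 never raise an alert, which is the false-alarm suppression the description attributes to requiring both dimensions.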
FIG. 3 shows a schematic flowchart of a vehicle attack detection method according to yet another embodiment of the present disclosure. As shown in FIG. 3, the method includes:
Step S310: determine whether a physical attack event has occurred against the vehicle; if so, determine the time period corresponding to the physical attack event.
Step S320: determine whether a network attack event against the vehicle has occurred within that time period; if so, determine that the vehicle is under attack within that time period.
For the specific implementation of step S310 and step S320, refer to the corresponding descriptions of step S210 and step S220; they are not repeated here.
It can be seen that this embodiment performs attack detection on the vehicle in two dimensions, cyberspace and physical space. After it is determined that a physical attack event has occurred against the vehicle, the time period corresponding to that event is determined, and if a network attack event against the vehicle occurs within that time period, it is determined that the vehicle is under attack. This can greatly reduce the false alarm rate and improve the accuracy of vehicle attack detection, providing a basis for vehicle security protection. In addition, this embodiment determines physical attack events against the vehicle by determining whether a data message on the vehicle bus originates from a legitimate electronic control unit, and/or whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint for that message, which can greatly improve the efficiency and accuracy of physical attack event detection.
FIG. 4 shows a schematic structural diagram of a vehicle attack detection apparatus according to an embodiment of the present disclosure. As shown in FIG. 4, the apparatus includes a network attack detection unit 41, a physical attack detection unit 42, and a determination unit 43.
The network attack detection unit 41 is adapted to determine network attack events that occur against the vehicle. Optionally, the network attack detection unit 41 may be the networking unit in the vehicle.
The physical attack detection unit 42 is adapted to determine physical attack events that occur against the vehicle. The physical attack detection unit 42 may be mounted on the vehicle bus. Optionally, the physical attack detection unit 42 may be placed in the gateway to which all of the vehicle buses are connected, with that unit monitoring the physical attack events on every vehicle bus, which reduces cost considerably; alternatively, a physical attack detection unit 42 may be mounted on each vehicle bus, which avoids the drawback that physical attack events across the whole vehicle can no longer be monitored once the gateway is compromised.
The determination unit 43 is adapted to determine that the vehicle was attacked within a time period if both a network attack event and a physical attack event occurred against the vehicle within that same time period. This module may be executed by a dedicated processing unit mounted on the vehicle bus, or may be integrated into the network attack detection unit 41 or the physical attack detection unit 42.
Optionally, the physical attack detection unit 42 is further adapted to: monitor data messages on the vehicle bus and judge whether a data message comes from a legitimate electronic control unit; if not, determine that a physical attack event has occurred against the vehicle.
Optionally, the physical attack detection unit 42 is further adapted to: determine the electronic control unit that sent the data message, and judge whether that electronic control unit is in the electronic control unit whitelist corresponding to the data message; if not, determine that a physical attack event has occurred against the vehicle.
Optionally, the physical attack detection unit 42 is further adapted to: parse the data message to obtain the analog signal voiceprint corresponding to the data message; and determine, from the analog signal voiceprint, the electronic control unit that sent the data message.
Optionally, the physical attack detection unit 42 is further adapted to: monitor data messages on the vehicle bus and parse a data message to obtain the analog signal voiceprint corresponding to it; judge whether that analog signal voiceprint matches the standard analog signal voiceprint corresponding to the data message; if not, determine that a physical attack event has occurred against the vehicle.
Optionally, the analog signal voiceprints corresponding to the same data message differ when the message is sent by different electronic control units.
Optionally, the network attack detection unit 41 is further adapted to: determine network attack events that occur against the vehicle using whitelist, sandbox, behavior detection, and/or signature detection techniques.
Optionally, the network attack detection unit 41 is further adapted to: determine whether a network attack event has occurred against the vehicle; if so, determine the time period corresponding to the network attack event;
the physical attack detection unit 42 is further adapted to: judge whether a physical attack event targeting the vehicle occurred within the determined time period;
the determination unit 43 is further adapted to: if a physical attack event targeting the vehicle occurred within the determined time period, determine that the vehicle was attacked within the determined time period.
Optionally, the physical attack detection unit 42 is further adapted to: determine whether a physical attack event has occurred against the vehicle; if so, determine the time period corresponding to the physical attack event;
the network attack detection unit 41 is further adapted to: judge whether a network attack event targeting the vehicle occurred within the determined time period;
the determination unit 43 is further adapted to: if a network attack event targeting the vehicle occurred within the determined time period, determine that the vehicle was attacked within the determined time period.
For the specific implementation of each unit in this apparatus, refer to the description of the corresponding steps in the method embodiments of FIG. 1, FIG. 2, and/or FIG. 3; they are not repeated in this embodiment.
As can be seen, this embodiment detects attacks on the vehicle in two dimensions, cyberspace and physical space. When both a network attack event and a physical attack event occur against the vehicle within the same time period, the vehicle is determined to have been attacked within that time period. This greatly reduces the attack false-alarm rate and improves the accuracy of vehicle attack detection, providing a basis for vehicle security protection; moreover, the scheme is simple and is easy to implement and apply at scale.
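The following sketch is an added example, not code from the patent: it models the physical attack detection unit's voiceprint and whitelist check and the determination unit's same-time-period correlation. The fingerprint features, match tolerance, the ±5 s window, the message IDs and the ECU names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import sqrt

# Constructed "standard analog signal voiceprints", one per ECU.
# Assumed features: (dominant-level voltage in V, rising-edge time in ns).
REFERENCE_FINGERPRINTS = {
    "engine_ecu": (3.52, 41.0),
    "brake_ecu": (3.47, 55.0),
    "infotainment": (3.60, 48.0),
}
FEATURE_SCALE = (0.02, 2.0)   # assumed per-feature measurement spread
MATCH_TOLERANCE = 3.0         # assumed maximum normalized distance for a match

# Per-message whitelist of ECUs allowed to send that message ID (constructed).
MESSAGE_WHITELIST = {
    0x0C0: {"engine_ecu"},
    0x1A0: {"brake_ecu"},
    0x3E8: {"infotainment"},
}

@dataclass(frozen=True)
class Frame:
    ts: float            # capture time in seconds
    msg_id: int          # bus message identifier
    fingerprint: tuple   # measured analog features for this frame

@dataclass(frozen=True)
class Event:
    ts: float
    detail: str

def identify_sender(fingerprint):
    """Return the ECU whose reference voiceprint is nearest, or None if none matches."""
    best, best_d = None, float("inf")
    for ecu, ref in REFERENCE_FINGERPRINTS.items():
        d = sqrt(sum(((f - r) / s) ** 2
                     for f, r, s in zip(fingerprint, ref, FEATURE_SCALE)))
        if d < best_d:
            best, best_d = ecu, d
    return best if best_d <= MATCH_TOLERANCE else None

def physical_events(frames):
    """Flag frames whose sender is unknown or not whitelisted for the message."""
    events = []
    for fr in frames:
        sender = identify_sender(fr.fingerprint)
        allowed = MESSAGE_WHITELIST.get(fr.msg_id, set())
        if sender is None:
            events.append(Event(fr.ts, f"0x{fr.msg_id:03X}: voiceprint matches no known ECU"))
        elif sender not in allowed:
            events.append(Event(fr.ts, f"0x{fr.msg_id:03X}: sent by {sender}, not whitelisted"))
    return events

def confirm_attacks(anchors, others, window_s=5.0):
    """For each anchor event, take the period [ts - w, ts + w] and report it as an
    attack only if an event of the other kind also falls inside that period.
    Pass network events as anchors for the network-first variant, or physical
    events as anchors for the physical-first variant."""
    confirmed = []
    for a in anchors:
        hits = [o for o in others if a.ts - window_s <= o.ts <= a.ts + window_s]
        if hits:
            confirmed.append((a, hits))
    return confirmed

# Constructed bus capture: two legitimate frames, then three suspicious ones.
FRAMES = [
    Frame(10.0, 0x0C0, (3.52, 41.5)),   # engine ECU, legitimate
    Frame(10.1, 0x1A0, (3.48, 54.0)),   # brake ECU, legitimate
    Frame(42.3, 0x1A0, (3.60, 47.5)),   # brake message with infotainment's voiceprint
    Frame(42.4, 0x0C0, (3.30, 70.0)),   # voiceprint of no known ECU
    Frame(95.0, 0x1A0, (3.59, 48.5)),   # same mismatch, no network event nearby
]
# Constructed output of the network attack detection unit.
NETWORK_EVENTS = [
    Event(40.0, "connectivity unit: blocked unsigned update request"),
    Event(200.0, "connectivity unit: port scan from unknown host"),
]

if __name__ == "__main__":
    phys = physical_events(FRAMES)
    for anchor, hits in confirm_attacks(NETWORK_EVENTS, phys):
        print(f"ATTACK around t={anchor.ts}: {anchor.detail}")
        for h in hits:
            print(f"  physical evidence at t={h.ts}: {h.detail}")
```

The isolated physical event at t=95.0 and the isolated network event at t=200.0 raise no attack verdict, which is the false-alarm reduction the embodiment describes.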
An embodiment of the present disclosure provides a non-volatile computer-readable storage medium that stores at least one executable instruction; the computer-executable instruction can execute the vehicle attack detection method of any of the foregoing method embodiments.
FIG. 5 shows a schematic structural diagram of a computing device according to an embodiment of the present disclosure; the specific embodiments of the present disclosure do not limit the specific implementation of the computing device.
As shown in FIG. 5, the computing device may include a processor 502, a communications interface 504, a memory 506, and a communication bus 508.
Where:
The processor 502, the communications interface 504, and the memory 506 communicate with one another over the communication bus 508.
The communications interface 504 is used to communicate with network elements of other devices, such as clients or other servers.
The processor 502 is used to execute the program 510, and specifically may execute the relevant steps of the foregoing vehicle attack detection method embodiments.
Specifically, the program 510 may include program code, and the program code includes computer operation instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present disclosure. The one or more processors included in the computing device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used to store the program 510. The memory 506 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
determine network attack events that occur against the vehicle; and
determine physical attack events that occur against the vehicle;
if both a network attack event and a physical attack event occurred against the vehicle within the same time period, determine that the vehicle was attacked within that time period.
In an optional implementation, the program 510 may specifically be used to cause the processor 502 to perform the following operations:
monitor data messages on the vehicle bus and judge whether a data message comes from a legitimate electronic control unit;
if not, determine that a physical attack event has occurred against the vehicle.
In an optional implementation, the program 510 may specifically be used to cause the processor 502 to perform the following operations:
determine the electronic control unit that sent the data message, and judge whether that electronic control unit is in the electronic control unit whitelist corresponding to the data message;
if not, determine that a physical attack event has occurred against the vehicle.
In an optional implementation, the program 510 may specifically be used to cause the processor 502 to perform the following operations:
parse the data message to obtain the analog signal voiceprint corresponding to the data message;
determine, from the analog signal voiceprint, the electronic control unit that sent the data message.
In an optional implementation, the program 510 may specifically be used to cause the processor 502 to perform the following operations:
monitor data messages on the vehicle bus and parse a data message to obtain the analog signal voiceprint corresponding to it;
judge whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint corresponding to the data message;
if not, determine that a physical attack event has occurred against the vehicle.
In an optional implementation, the analog signal voiceprints corresponding to the same data message differ when the message is sent by different electronic control units.
In an optional implementation, the program 510 may specifically be used to cause the processor 502 to perform the following operations:
determine network attack events that occur against the vehicle using whitelist, sandbox, behavior detection, and/or signature detection techniques.
In an optional implementation, the program 510 may specifically be used to cause the processor 502 to perform the following operations:
determine whether a network attack event has occurred against the vehicle;
if so, determine the time period corresponding to the network attack event;
judge whether a physical attack event targeting the vehicle occurred within the determined time period;
if a physical attack event targeting the vehicle occurred within the determined time period, determine that the vehicle was attacked within the determined time period.
In an optional implementation, the program 510 may specifically be used to cause the processor 502 to perform the following operations:
determine whether a physical attack event has occurred against the vehicle;
if so, determine the time period corresponding to the physical attack event;
judge whether a network attack event targeting the vehicle occurred within the determined time period;
if a network attack event targeting the vehicle occurred within the determined time period, determine that the vehicle was attacked within the determined time period.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Furthermore, the present disclosure is not directed to any particular programming language. It should be understood that the content of the present disclosure described herein may be implemented in various programming languages, and that the description above of a specific language is given to disclose the best mode of the present disclosure.
The specification provided here sets out numerous specific details. It can be understood, however, that the embodiments of the present disclosure may be practiced without these specific details. In some instances, well-known methods, structures, and techniques are not shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, to streamline the present disclosure and aid understanding of one or more of the various disclosed aspects, in the above description of exemplary embodiments of the present disclosure the features of the present disclosure are sometimes grouped together into a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed disclosure requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the disclosed aspects lie in fewer than all features of a single foregoing disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present disclosure.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and placed in one or more devices different from that embodiment. The modules, units, or components of the embodiments may be combined into one module, unit, or component, and may furthermore be divided into multiple sub-modules, sub-units, or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving the same, equivalent, or similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the present disclosure and to form different embodiments. For example, in the claims, any one of the claimed embodiments may be used in any combination.
The component embodiments of the present disclosure may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the vehicle attack detection apparatus according to the embodiments of the present disclosure. The present disclosure may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present disclosure may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present disclosure, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present disclosure may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, and so on does not indicate any order; these words may be interpreted as names.

Claims (21)

  1. A vehicle attack detection method, comprising:
    determining a network attack event that occurs against a vehicle; and
    determining a physical attack event that occurs against the vehicle;
    if both a network attack event and a physical attack event occurred against the vehicle within the same time period, determining that the vehicle was attacked within the time period.
  2. The method according to claim 1, wherein the determining a physical attack event that occurs against the vehicle further comprises:
    monitoring data messages on the vehicle bus and judging whether the data message comes from a legitimate electronic control unit;
    if not, determining that a physical attack event has occurred against the vehicle.
  3. The method according to claim 2, wherein the judging whether the data message comes from a legitimate electronic control unit and, if not, determining that a physical attack event has occurred against the vehicle further comprises:
    determining the electronic control unit that sent the data message, and judging whether the electronic control unit that sent the data message is in the electronic control unit whitelist corresponding to the data message;
    if not, determining that a physical attack event has occurred against the vehicle.
  4. The method according to claim 3, wherein the determining the electronic control unit that sent the data message further comprises:
    parsing the data message to obtain an analog signal voiceprint corresponding to the data message;
    determining, from the analog signal voiceprint, the electronic control unit that sent the data message.
  5. The method according to any one of claims 1-4, wherein the determining a physical attack event that occurs against the vehicle further comprises:
    monitoring data messages on the vehicle bus and parsing the data message to obtain an analog signal voiceprint corresponding to the data message;
    judging whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint corresponding to the data message;
    if not, determining that a physical attack event has occurred against the vehicle.
  6. The method according to claim 4 or 5, wherein the analog signal voiceprints corresponding to the same data message differ when the message is sent by different electronic control units.
  7. The method according to any one of claims 1-6, wherein the determining a network attack event that occurs against the vehicle further comprises:
    determining network attack events that occur against the vehicle using whitelist, sandbox, behavior detection, and/or signature detection techniques.
  8. The method according to any one of claims 1-7, wherein the determining a network attack event that occurs against the vehicle; determining a physical attack event that occurs against the vehicle; and, if both a network attack event and a physical attack event occurred against the vehicle within the same time period, determining that the vehicle was attacked within the time period further comprises:
    determining whether a network attack event has occurred against the vehicle;
    if so, determining the time period corresponding to the network attack event;
    judging whether a physical attack event targeting the vehicle occurred within the determined time period;
    if a physical attack event targeting the vehicle occurred within the determined time period, determining that the vehicle was attacked within the determined time period.
  9. The method according to any one of claims 1-7, wherein the determining a network attack event that occurs against the vehicle; determining a physical attack event that occurs against the vehicle; and, if both a network attack event and a physical attack event occurred against the vehicle within the same time period, determining that the vehicle was attacked within the time period further comprises:
    determining whether a physical attack event has occurred against the vehicle;
    if so, determining the time period corresponding to the physical attack event;
    judging whether a network attack event targeting the vehicle occurred within the determined time period;
    if a network attack event targeting the vehicle occurred within the determined time period, determining that the vehicle was attacked within the determined time period.
  10. A vehicle attack detection apparatus, comprising:
    a network attack detection unit, adapted to determine a network attack event that occurs against a vehicle;
    a physical attack detection unit, adapted to determine a physical attack event that occurs against the vehicle;
    a determination unit, adapted to determine that the vehicle was attacked within a time period if both a network attack event and a physical attack event occurred against the vehicle within that same time period.
  11. The apparatus according to claim 10, wherein the physical attack detection unit is further adapted to:
    monitor data messages on the vehicle bus and judge whether the data message comes from a legitimate electronic control unit;
    if not, determine that a physical attack event has occurred against the vehicle.
  12. The apparatus according to claim 11, wherein the physical attack detection unit is further adapted to:
    determine the electronic control unit that sent the data message, and judge whether the electronic control unit that sent the data message is in the electronic control unit whitelist corresponding to the data message;
    if not, determine that a physical attack event has occurred against the vehicle.
  13. The apparatus according to claim 12, wherein the physical attack detection unit is further adapted to:
    parse the data message to obtain an analog signal voiceprint corresponding to the data message;
    determine, from the analog signal voiceprint, the electronic control unit that sent the data message.
  14. The apparatus according to any one of claims 10-13, wherein the physical attack detection unit is further adapted to:
    monitor data messages on the vehicle bus and parse the data message to obtain an analog signal voiceprint corresponding to the data message;
    judge whether the analog signal voiceprint corresponding to the data message matches the standard analog signal voiceprint corresponding to the data message;
    if not, determine that a physical attack event has occurred against the vehicle.
  15. The apparatus according to claim 13 or 14, wherein the analog signal voiceprints corresponding to the same data message differ when the message is sent by different electronic control units.
  16. The apparatus according to any one of claims 10-15, wherein the network attack detection unit is further adapted to:
    determine network attack events that occur against the vehicle using whitelist, sandbox, behavior detection, and/or signature detection techniques.
  17. The apparatus according to any one of claims 10-16, wherein the network attack detection unit is further adapted to: determine whether a network attack event has occurred against the vehicle; if so, determine the time period corresponding to the network attack event;
    the physical attack detection unit is further adapted to: judge whether a physical attack event targeting the vehicle occurred within the determined time period;
    the determination unit is further adapted to: if a physical attack event targeting the vehicle occurred within the determined time period, determine that the vehicle was attacked within the determined time period.
  18. The apparatus according to any one of claims 10-16, wherein
    the physical attack detection unit is further adapted to: determine whether a physical attack event has occurred against the vehicle; if so, determine the time period corresponding to the physical attack event;
    the network attack detection unit is further adapted to: judge whether a network attack event targeting the vehicle occurred within the determined time period;
    the determination unit is further adapted to: if a network attack event targeting the vehicle occurred within the determined time period, determine that the vehicle was attacked within the determined time period.
  19. A computing device, comprising: a processor, a memory, a communications interface, and a communication bus, wherein the processor, the memory, and the communications interface communicate with one another over the communication bus;
    the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the vehicle attack detection method according to any one of claims 1-9.
  20. A non-volatile computer-readable storage medium, wherein the non-volatile computer storage medium stores at least one executable instruction, and the executable instruction causes a processor to perform the operations corresponding to the vehicle attack detection method according to any one of claims 1-9.
  21. A computer program product, comprising a computer program stored on a non-volatile computer-readable storage medium, the computer program comprising program instructions which, when executed by a processor, cause the processor to perform the operations corresponding to the vehicle attack detection method according to any one of claims 1-9.
PCT/CN2019/129315 2018-12-29 2019-12-27 Vehicle attack detection method and apparatus WO2020135755A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811639337.1A CN111447166B (en) 2018-12-29 2018-12-29 Vehicle attack detection method and device
CN201811639337.1 2018-12-29

Publications (1)

Publication Number Publication Date
WO2020135755A1 (en) 2020-07-02

Family

ID=71127697

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/129315 WO2020135755A1 (en) 2018-12-29 2019-12-27 Vehicle attack detection method and apparatus

Country Status (2)

Country Link
CN (1) CN111447166B (en)
WO (1) WO2020135755A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277051A (en) * 2022-06-01 2022-11-01 北京邮电大学 Method and device for detecting attack of controller area network bus
CN116827713A (en) * 2023-06-30 2023-09-29 重庆大学 Simulation working system for new energy automobile

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112019512B (en) * 2020-07-30 2023-07-25 杭州安恒信息技术股份有限公司 Automobile network safety test system
CN114666214A (en) * 2021-12-21 2022-06-24 北京经纬恒润科技股份有限公司 System firewall configuration method and device for car in Internet of vehicles and T-BOX

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130347060A1 (en) * 2012-04-23 2013-12-26 Verint Systems Ltd. Systems and methods for combined physical and cyber data security
CN105357179A (en) * 2015-09-29 2016-02-24 深信服网络科技(深圳)有限公司 Network attack handling method and network attack handling device
CN106790153A (en) * 2016-12-29 2017-05-31 北京天融信网络安全技术有限公司 A kind of car networking safety control system and its method
CN109033829A (en) * 2018-07-27 2018-12-18 北京梆梆安全科技有限公司 Vehicle network intrusion detection householder method, apparatus and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11044260B2 (en) * 2016-04-01 2021-06-22 The Regents Of The University Of Michigan Fingerprinting electronic control units for vehicle intrusion detection
CN106650505A (en) * 2016-12-28 2017-05-10 北京奇虎科技有限公司 Vehicle attack detection method and device
WO2018127816A1 (en) * 2017-01-03 2018-07-12 Karamba Security Mode-based controller security and malware prevention
US10757113B2 (en) * 2017-03-17 2020-08-25 Cylance Inc. Communications bus signal fingerprinting

Also Published As

Publication number Publication date
CN111447166A (en) 2020-07-24
CN111447166B (en) 2022-11-04

Similar Documents

Publication Publication Date Title
WO2020135755A1 (en) Vehicle attack detection method and apparatus
US11934520B2 (en) Detecting data anomalies on a data interface using machine learning
Wu et al. Sliding window optimized information entropy analysis method for intrusion detection on in-vehicle networks
Lokman et al. Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review
KR102264442B1 (en) Fingerprint recognition electronic control unit for vehicle intrusion detection
EP3668756B1 (en) Systems and methods for disabling a malicious ecu in a controller area network (can) bus
US9380070B1 (en) Intrusion detection mechanism
US20120096549A1 (en) Adaptive cyber-security analytics
JP2019536144A5 (en)
JP2021036419A (en) Context system for providing cyber security for connected vehicles
WO2019200944A1 (en) Physical intrusion attack detection method for industrial control system based on serial communication bus signal analysis
US9479528B2 (en) Signature rule processing method, server, and intrusion prevention system
Kalutarage et al. Context-aware anomaly detector for monitoring cyber attacks on automotive CAN bus
WO2013117148A1 (en) Method and system for detecting behaviour of remotely intruding into computer
KR102002880B1 (en) Method for detecting malcious packets based on machine learning model and apparatus using the same
CN111277561B (en) Network attack path prediction method and device and security management platform
US10931706B2 (en) System and method for detecting and identifying a cyber-attack on a network
WO2015024315A1 (en) Network intrusion alarm method and system for nuclear power station
US20220182404A1 (en) Intrusion path analysis device and intrusion path analysis method
Rajapaksha et al. Keep the moving vehicle secure: Context-aware intrusion detection system for in-vehicle CAN bus security
CN114666088A (en) Method, device, equipment and medium for detecting industrial network data behavior information
US11405411B2 (en) Extraction apparatus, extraction method, computer readable medium
WO2020075808A1 (en) Information processing device, log analysis method, and program
US20170318032A1 (en) System and method for detecting attacks on mobile ad hoc networks based on network flux
KR102538540B1 (en) Cyber attack detection method of electronic apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19905639

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 02/11/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19905639

Country of ref document: EP

Kind code of ref document: A1