CN104301177A - CAN message abnormality detection method and system - Google Patents
CAN message abnormality detection method and system Download PDFInfo
- Publication number
- CN104301177A CN104301177A CN201410524934.5A CN201410524934A CN104301177A CN 104301177 A CN104301177 A CN 104301177A CN 201410524934 A CN201410524934 A CN 201410524934A CN 104301177 A CN104301177 A CN 104301177A
- Authority
- CN
- China
- Prior art keywords
- frame
- identifier
- index table
- judge
- police
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Small-Scale Networks (AREA)
Abstract
The invention provides a CAN message abnormality detection method. The method includes the following steps that connection with a gateway of a CAN bus and CAN subnets of a vehicle is built, and CAN frames are received from the gateway of the CAN bus and the CAN subnet; whether the frame format of the CAN frames is correct or not is judged, and if the frame format of the CAN frames is wrong, the CAN frames are dropped and an alarm is given out; if the frame format of the CAN frames is correct, the detection function is further called to conduct legitimacy detection on the CAN frames; if the CAN frames are illegal, the CAN frames are determined to be abnormal, and the CAN frames are dropped or/and the alarm is given out. If CAN frames are legal, the CAN frames are sent to the gateway or the CAN subnet. The CAN message abnormality detection method is simple and efficient and high in safety and practicability. The invention further provides a CAN message abnormality detection system.
Description
Technical field
The present invention relates to CAN technical field of communication safety and comprising, particularly relate to a kind of method for detecting abnormality and system of CAN message.
Background technology
The electronic system of automobile comprises multiple ECU (Electrical Control Unit) (electronic control unit, ECU), by controller local area network's (controller area network, CAN) bus and according to CAN communication protocol communication between ECU.Define cyclic redundancy check (CRC) code (cyclic redundancy check, the CRC) section of Frame in CAN communication agreement for strengthening the reliability of communication, but encryption and the verification process of Frame are not provided, the fail safe of communication cannot be strengthened.If assailant controls the ECU in automobile gateway or certain CAN subnet, just any one CAN subnet may send attack information to other, affect proper communication and the operation of ECU in whole CAN network.
And existing CAN abnormality detection scheme, normally design the gateway that is applied to CAN, CAN is divided into different subnets by gateway, detects for the Frame through different sub-network, and interception invalid data frame is also reported to the police.These CAN abnormality detection protocols call of current enforcement change the design of hardware and software of automobile gateway again, and cost is higher.
Summary of the invention
The present invention is intended to solve one of technical problem in correlation technique at least to a certain extent.
For this reason, first object of the present invention be to propose a kind ofly to be easy to realize, the method for detecting abnormality of CAN message that security performance is high.
Second object of the present invention is to propose a kind of abnormality detection system for CAN message.
To achieve these goals, the embodiment of the present invention proposes a kind of method for detecting abnormality of CAN message, comprise the following steps: set up and the gateway of CAN of vehicle and the connection of CAN subnet, CAN frame is received from described gateway and described CAN subnet, wherein, described CAN frame comprises identifier and data field; Judge that whether the frame format of described CAN frame is correct, if the frame format mistake of described CAN frame, then abandon described CAN frame and report to the police; If the frame format of described CAN frame is correct, then calls detection function further and legitimacy detection is carried out to described CAN frame; If described CAN frame is illegal, then judge that described CAN frame is abnormal, abandon described CAN frame and report to the police, wherein, described detection function comprises the detection of identifier, statistical property, semantic coverage and semantic dependency to described CAN frame; If described CAN frame is legal, then send described CAN frame to described gateway or described CAN subnet.
According to the method for detecting abnormality of the CAN message of the embodiment of the present invention, by setting up and the gateway of CAN of vehicle and the connection of CAN subnet, from gateway and the CAN subnet reception CAN frame of CAN; Judge that whether the frame format of CAN frame is correct, if the frame format mistake of CAN frame, then abandon CAN frame and report to the police; If the frame format of CAN frame is correct, then calls detection function further and legitimacy detection is carried out to CAN frame; If CAN frame is illegal, then judge that CAN frame is abnormal, abandons CAN frame and reports to the police.If CAN frame is legal, then send CAN frame to gateway or CAN subnet.The method for detecting abnormality of CAN message of the present invention is simple efficiently, fail safe is high, practical.
In some instances, described detection function detects described CAN frame according to the CAN frame index table preset and the 2nd CAN frame index table, and a described CAN frame index table comprises: the maximum of the data field semantic values that the identifier from the identifier of the described CAN frame of described gateway, described CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the semantic values of previous frame and relevance threshold; Described 2nd CAN frame index table comprises: the maximum of the data field semantic values that the identifier from the identifier of the described CAN frame of described CAN subnet, described CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the semantic values of previous frame and relevance threshold.
Further, in some instances, described identifier detects and comprises: by the identifier of described CAN frame correct for described frame format and a CAN frame index table or the 2nd CAN frame index table comparison, if there is not described identifier in a described CAN frame index table or described 2nd CAN frame index table, then abandon described CAN frame and report to the police, otherwise then judging that the identifier of described CAN frame is legal.
In some instances, described statistic mixed-state comprises: the transmission rate detecting the identical described CAN frame of described identifier, if described transmission rate is greater than or equal to predetermined threshold value and the number of times that described transmission rate is greater than or equal to predetermined threshold value continuously reaches predetermined value, then judge that described CAN frame illegally and report to the police, otherwise, then judge that described CAN frame is legal.
In some instances, described semantic coverage detects and comprises: the data field semantic values detecting described CAN frame, whether in preset range, if so, then judge that described CAN frame is legal, otherwise, then judge that described CAN frame is illegally and report to the police.
In some instances, described semantic dependency detects and comprises: whether the rate of change detecting the data field semantic values of described CAN frame is greater than default relevance threshold, if so, then judges that described CAN frame is illegally and report to the police, otherwise, then judge that described CAN frame is legal.
Propose a kind of abnormality detection system of CAN message in the embodiment of second aspect present invention, comprising: the first CAN transceiver, described CAN transceiver is connected with gateway, and receive CAN frame from gateway, described CAN frame comprises identifier and data field, first CAN controller, whether described first CAN controller is correct for judging the frame format of the described CAN frame from described gateway, second CAN transceiver, described CAN transceiver and CAN Subnetwork connection, receive CAN frame from described CAN subnet, described CAN frame comprises identifier and data field, second CAN controller, whether described second CAN controller is correct for judging the frame format of the described CAN frame from described CAN subnet, filter, described filter comprises described detection function, alarm, described alarm is used for reporting to the police, and microcontroller, described microcontroller respectively with described first CAN controller, described second CAN controller, described filter is connected with described alarm, for when described first CAN controller or described second CAN controller judge the frame format mistake of described CAN frame, abandon described CAN frame and control described alarm equipment alarm, and when the frame format of described CAN frame is correct, the detection function calling described filter carries out legitimacy detection to described CAN frame, if described CAN frame is illegal, then judge that described CAN frame is abnormal, abandon described CAN frame and report to the police, wherein, described detection function comprises the identifier to described CAN frame, statistical property, the detection of semantic coverage and semantic dependency.
According to the abnormality detection system of the CAN message of the embodiment of the present invention, set up the connection with the CAN network of vehicle by the first CAN transceiver and the second CAN transceiver, and receive CAN frame from the gateway of CAN network and CAN subnet.First CAN controller and the second CAN controller judge that whether the frame format of CAN frame is correct, if the frame format mistake of CAN frame, then microprocessor controls CAN controller abandons CAN frame and triggered alarm warning.If the frame format of CAN frame is correct, then the further controlling filter of microcontroller is called detection function and is carried out legitimacy detection to CAN frame.If CAN frame is illegal, then judge that CAN frame is abnormal, microprocessor controls filter abandons CAN frame and triggered alarm is reported to the police.If CAN frame is legal, then microprocessor controls first CAN transceiver or the second CAN transceiver send legal CAN frame to gateway or CAN subnet.The abnormality detection system of CAN message of the present invention is simple efficiently, fail safe is high, practical.
In some instances, described identifier detects and comprises: by the identifier of described CAN frame correct for described frame format and a CAN frame index table or the 2nd CAN frame index table comparison, if there is not described identifier in a described CAN frame index table or described 2nd CAN frame index table, then abandon described CAN frame and report to the police, otherwise then judging that the identifier of described CAN frame is legal.
In some instances, described statistic mixed-state comprises: the transmission rate detecting the identical described CAN frame of described identifier, if described transmission rate is greater than or equal to predetermined threshold value and the number of times that described transmission rate is greater than or equal to predetermined threshold value continuously reaches predetermined value, then judge that described CAN frame illegally and report to the police, otherwise, then judge that described CAN frame is legal.
In some instances, described semantic coverage detects and comprises: the data field semantic values detecting described CAN frame, whether in preset range, if so, then judge that described CAN frame is legal, otherwise, then judge that described CAN frame is illegally and report to the police.
In some instances, described semantic dependency detects and comprises: whether the rate of change detecting the data field semantic values of described CAN frame is greater than default relevance threshold, if so, then judges that described CAN frame is illegally and report to the police, otherwise, then judge that described CAN frame is legal.
In some instances, described first CAN transceiver also for, the legal described CAN frame from described CAN subnet is sent to described gateway.
In some instances, described second CAN transceiver also for, the legal described CAN frame from described gateway is sent to described CAN subnet.
The aspect that the present invention adds and advantage will part provide in the following description, and part will become obvious from the following description, or be recognized by practice of the present invention.
Accompanying drawing explanation
Fig. 1 is the flow chart of the method for detecting abnormality of CAN message according to an embodiment of the invention; With
Fig. 2 is the structured flowchart of the abnormality detection system of CAN message according to an embodiment of the invention.
Embodiment
Be described below in detail embodiments of the invention, the example of described embodiment is shown in the drawings, and wherein same or similar label represents same or similar element or has element that is identical or similar functions from start to finish.Be exemplary below by the embodiment be described with reference to the drawings, be intended to for explaining the present invention, and can not limitation of the present invention be interpreted as.
Method for detecting abnormality and the system of CAN message of the present invention is described in detail below in conjunction with diagram.
Consult Fig. 1, the method for detecting abnormality of the CAN message of the embodiment of the present invention, comprises the following steps: set up and the gateway of CAN of vehicle and the connection of CAN subnet, and receive CAN frame from gateway and CAN subnet, CAN frame comprises identifier and data field; Judge that whether the frame format of CAN frame is correct, if the frame format mistake of CAN frame, then abandon CAN frame and report to the police; If the frame format of CAN frame is correct, then calls detection function further and legitimacy detection is carried out to CAN frame; If CAN frame is illegal, then judge that CAN frame is abnormal, abandon CAN frame and report to the police, wherein, detection function comprises the detection of identifier, statistical property, semantic coverage and semantic dependency to CAN frame; If CAN frame is legal, then send CAN frame to gateway or CAN subnet.Concrete implementation procedure is as follows:
Step S101, sets up and the gateway of CAN of vehicle and the connection of CAN subnet, and receive CAN frame from gateway and CAN subnet, CAN frame comprises identifier and data field.
Step S102, judges that whether the frame format of CAN frame is correct, if the frame format mistake of CAN frame, then abandons CAN frame and report to the police.
Particularly, the object of the frame format detection of CAN frame is in order to judge whether CAN frame meets CAN communication agreement, the communication protocol of CAN, comprise identifier (identifier, ID) whether the various piece figure place such as territory, control domain, data field, verification territory, filling mode be correct, also carry out CRC check, if the frame format of CAN frame occurs that namely mistake abandons this CAN frame and report to the police simultaneously.
Especially, in step s 102 the CAN frame from gateway and CAN subnet is also carried out to the detection of affiliated frame type.That is, judge that the CAN frame received is the one of Frame, remote frame, erroneous frame, overload frame.It is to be noted that the difference of remote frame and Frame is not comprise data field part.For erroneous frame and overload frame, only carry out frame format detection.If the frame format of erroneous frame and overload frame is without exception, makes it pass through to detect, otherwise abandon and report to the police.
Step S103, if the frame format of CAN frame is correct, then calls detection function further and carries out legitimacy detection to CAN frame.
Particularly, if the frame format of CAN frame correctly, records and stores the time of reception of this CAN frame, identifier and data field semantic values.
Further, in one embodiment of the invention, detection function detects the CAN frame from gateway or CAN subnet according to the CAN frame index table preset and the 2nd CAN frame index table.One CAN frame index table comprises: the maximum of the data field semanteme that the identifier from ID, CAN frame of the CAN frame of gateway is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the data field semantic values of previous frame and relevance threshold.2nd CAN frame index table comprises: the maximum of the data field semantic values that the identifier from the identifier of the CAN frame of CAN subnet, CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the data field semantic values of previous frame and relevance threshold.As shown in table 1, a CAN frame index table or the 2nd CAN frame index table comprise: the parameter such as maximum and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the data field semantic values of previous frame and relevance threshold of the data field semanteme that the legal ID of legal ID, CAN frame of CAN frame is corresponding.At the beginning of realizing CAN message method for detecting abnormality of the present invention, need carry out initialization to concordance list, wherein, threshold count value is initialized as 0.And in implementation process, detection function calls concordance list, the detection of one-period terminates rear renewal concordance list.Especially, for first CAN frame of the different legal ID of the correspondence received, upgrade the data field semantic values of previous frame, time of reception two parameters of previous frame in concordance list with the data field semantic values of first CAN frame, time of reception, but do not carry out the abnormality detection with these two parameter correlations.
Table 1 CAN frame index table
Detection function comprises the detection of ID, statistical property, semantic coverage and semantic dependency to CAN frame.Particularly,
1, the legitimacy detection for the CAN frame from gateway comprises:
(1) ID is detected as: by the ID of CAN frame correct for frame format and a CAN frame index table comparison, if there is not this ID in a CAN frame index table, then abandon this CAN frame and report to the police, otherwise then judges that the ID of CAN frame is legal.
Particularly, the input parameter of ID detection function is the ID of CAN frame, utilizes binary search the one CAN frame index table, if do not find this ID in a CAN frame index table, then judges that this CAN frame is as an attack frame, abandons and reports to the police; If find this ID, return the memory address of this ID in a CAN frame index table, and using memory address as presumptive address, when calling other parameter of CAN frame index table, directly can utilize the offset address of this memory address and other parameter.
(2) statistical property is detected as: the transmission rate detecting the identical CAN frame of ID, if transmission rate is greater than or equal to predetermined threshold value and the number of times that described transmission rate is greater than or equal to default threshold continuously reaches default value, namely threshold count value reaches a certain limit value and then judges that CAN frame illegally and report to the police, otherwise, then judge that CAN frame is legal.
Such as, whether the transmission rate detecting the identical CAN frame of ID is too high, can be judged by the time of reception interval of the CAN frame of more identical ID and frame time interval threshold.If time of reception interval is greater than frame time interval threshold, then threshold count value is updated to 0.If time of reception interval is less than frame time interval threshold, then threshold count value increases by 1 and upgrades in CAN concordance list.When threshold count value equals certain value n, the transmission rate of continuous n CAN frame is too high, judges attacked and report to the police, and threshold count value is updated to 0.If threshold count value is not 0 and is less than n, judge that this CAN frame is legal.
Further, can arrange different level of securitys by the n value in adjustment statistical property detection function, the less level of security of n is higher.
(3) semantic coverage detects: the data field semantic values detecting CAN frame, whether in preset range, if so, then judge that CAN frame is legal, otherwise, then judge that CAN frame is illegally and report to the police.
If the data field semantic values of CAN frame exceed the maximum of data field semantic values or the minimum value lower than data field semantic values in CAN concordance list corresponding to its ID, then judge that CAN frame is attacked and reports to the police, otherwise, then judge that CAN frame is legal.
(4) semantic dependency detects: whether the rate of change detecting the data field semantic values of CAN frame is greater than relevance threshold, if so, then judges that CAN frame is illegally and report to the police, otherwise, then judge that CAN frame is legal.
Particularly, the difference of data field semantic values of the rate of change of the data field semantic values that the ID of CAN frame is corresponding and CAN frame and a upper CAN frame of identical ID and the ratio at time of reception interval, if be greater than relevance threshold, judge that this CAN frame illegally and report to the police, otherwise, then judge that CAN frame is legal.
Especially, in actual motion, detect after terminating, data field semantic values two parameters of the time of reception of a upper CAN frame in a CAN frame index table, a upper CAN frame need be upgraded.
It is pointed out that because remote frame does not comprise data field part, therefore frame format detection is only carried out to remote frame, identifier (ID) detects and statistic mixed-state.
2, the legitimacy detection for the CAN frame from CAN subnet comprises:
(1) ID is detected as: by the ID of CAN frame correct for frame format and the 2nd CAN frame index table comparison, if there is not this ID in the 2nd CAN frame index table, then abandon this CAN frame and report to the police, otherwise then judges that the ID of CAN frame is legal.
Particularly, the input parameter of ID detection function is the ID of CAN frame, utilizes binary search the 2nd CAN frame index table, if do not find this ID in the 2nd CAN frame index table, then judges that this CAN frame is as an attack frame, abandons and reports to the police; If find this ID, return the memory address of this ID in the 2nd CAN frame index table, and using memory address as presumptive address, when calling the 2nd other parameter of CAN frame index table, directly can utilize the offset address of this memory address and other parameter.
(2) statistical property is detected as: the transmission rate detecting the identical CAN frame of ID, if transmission rate is greater than or equal to predetermined threshold value and the number of times that described transmission rate is greater than or equal to default threshold continuously reaches default value, namely threshold count value reaches a certain limit value, then judge that CAN frame illegally and report to the police, otherwise, then judge that CAN frame is legal.
Such as, whether the transmission rate detecting the CAN frame identical with ID is too high, can be judged by the time of reception interval of the CAN frame of more identical ID and frame time interval threshold.If time of reception interval is greater than frame time interval threshold, then threshold count value is updated to 0.If time of reception interval is less than frame time interval threshold, then threshold count value increases by 1 and upgrades in CAN concordance list.When threshold count value equals certain value n, the transmission rate of continuous n CAN frame is too high, judges attacked and report to the police, and threshold count value is updated to 0.If threshold count value is not 0 and is less than n, judge that this CAN frame is legal.
Further, can arrange different level of securitys by the n value in adjustment statistical property detection function, the less level of security of n is higher.
(3) semantic coverage detects: the data field semantic values detecting CAN frame, whether in preset range, if so, then judge that CAN frame is legal, otherwise, then judge that CAN frame is illegally and report to the police.
If the data field semantic values of CAN frame exceed the maximum of data field semantic values or the minimum value lower than data field semantic values in CAN concordance list corresponding to its ID, then judge that CAN frame is attacked and reports to the police, otherwise, then judge that CAN frame is legal.
(4) semantic dependency detects: whether the rate of change detecting the data field semantic values of CAN frame is greater than relevance threshold, if so, then judges that CAN frame is illegally and report to the police, otherwise, then judge that CAN frame is legal.
Particularly, the difference of data field semantic values of the rate of change of the data field semantic values that the ID of CAN frame is corresponding and CAN frame and a upper CAN frame of identical ID and the ratio of time of reception difference, if be greater than relevance threshold, judge that this CAN frame illegally and report to the police, otherwise, then judge that CAN frame is legal.
Especially, in actual motion, detect after terminating, data field semantic values two parameters of the time of reception of a upper CAN frame in the 2nd CAN frame index table, a upper CAN frame need be upgraded.
It is pointed out that because remote frame does not comprise data field part, therefore frame format detection is only carried out to remote frame, identifier (ID) detects and statistical property detects.
Step S104, if CAN frame is legal, then sends CAN frame to gateway or CAN subnet.
According to the method for detecting abnormality of the CAN message of the embodiment of the present invention, by setting up and the gateway of CAN of vehicle and the connection of CAN subnet, from gateway and the CAN subnet reception CAN frame of CAN; Judge that whether the frame format of CAN frame is correct, if the frame format mistake of CAN frame, then abandon CAN frame and report to the police; If the frame format of CAN frame is correct, then calls detection function further and legitimacy detection is carried out to CAN frame; If CAN frame is illegal, then judge that CAN frame is abnormal, abandons CAN frame and reports to the police.If CAN frame is legal, then send CAN frame to gateway or CAN subnet.The method for detecting abnormality of CAN message of the present invention is simple efficiently, fail safe is high, practical.
The embodiment of second aspect present invention proposes a kind of abnormality detection system 100 of CAN message, comprising: the first CAN transceiver 120, first CAN controller 122, second CAN transceiver 140, second CAN controller 142, filter 30, alarm 50, microcontroller 20, a CAN frame index table 42 and the 2nd CAN frame index table 44.
First CAN transceiver 120 is connected with gateway 200, receives CAN frame from gateway 200, and CAN frame comprises identifier and data field.Whether the first CAN controller 122 is correct for judging the frame format of the CAN frame from gateway 200.Second CAN transceiver 140 is connected with CAN subnet 300, receives CAN frame from CAN subnet 300, and CAN frame comprises identifier and data field.Whether the second CAN controller 142 is correct for judging the frame format of the CAN frame from CAN subnet 300.
Filter 30 comprises detection function.Alarm 50 is for reporting to the police.
Microcontroller 20 respectively with the first CAN controller 122, second CAN controller 142, filter 30 is connected with alarm 50, for when the first CAN controller 122 or the second CAN controller 142 judge the frame format mistake of CAN frame, abandon CAN frame and control alarm 50 and report to the police, and when the frame format of CAN frame is correct, the detection function calling filter 30 carries out legitimacy detection to CAN frame, if CAN frame is illegal, then judge that CAN frame is abnormal, abandon CAN frame and report to the police, wherein, detection function comprises the identifier to CAN frame, statistical property, the detection of semantic coverage and semantic dependency.
Especially, the CAN frame from gateway and CAN subnet is also carried out to the detection of affiliated frame type.That is, judge that the CAN frame received is the one of Frame, remote frame, erroneous frame, overload frame.It is to be noted that the difference of remote frame and Frame is not comprise data field part.For erroneous frame and overload frame, only carry out frame format detection.If the frame format of erroneous frame and overload frame is without exception, makes it pass through to detect, otherwise abandon and report to the police.
The CAN frame index table 42 be connected with microcontroller 20 and the 2nd CAN frame index table 44, detection function detects according to the CAN frame index table 42 preset and the 2nd CAN frame index table 44 pair CAN frame, wherein, a CAN frame index table 42 comprises: the maximum of the data field semantic values that the identifier from the identifier of the CAN frame of gateway 200, CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the semantic values of previous frame and relevance threshold.2nd CAN frame index table 44 comprises: the maximum of the data field semantic values that the identifier from the identifier of the CAN frame of CAN subnet 300, CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the semantic values of previous frame and relevance threshold.As shown in table 2, a CAN frame index table or the 2nd CAN frame index table comprise: the parameter such as maximum and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the data field semantic values of previous frame and relevance threshold of the data field semantic values that the legal ID of legal ID, CAN frame of CAN frame is corresponding.At the beginning of realizing CAN message method for detecting abnormality of the present invention, need carry out initialization to concordance list, wherein, threshold count value is initialized as 0.And in implementation process, detection function calls concordance list, the detection of one-period terminates rear renewal concordance list.Especially, for first CAN frame of the different legal ID of the correspondence received, upgrade the time of reception of previous frame, data field semantic values two parameters of previous frame in concordance list with the data field semantic values of first CAN frame, time of reception, but do not carry out the abnormality detection with these two parameter correlations.Use system 100 of the present invention to be connected with CAN network, after power supply, namely initialization is being carried out to a CAN frame index table 42 and the 2nd CAN frame index table 44.Wherein, threshold count value is initialized as 0.And in implementation process, the detection function of filter 30 calls a CAN frame index table 42 or the 2nd CAN frame index table 44, the detection of one-period terminates rear renewal the one CAN frame index table 42 or the 2nd CAN frame index table 44.Especially, for first CAN frame of the different legal ID of the correspondence received, upgrade the time of reception of previous frame, data field semantic values two parameters of previous frame in concordance list with the data field semantic values of first CAN frame, time of reception, but do not carry out the abnormality detection with these two parameter correlations.
Table 2 CAN frame index table
In one embodiment of the invention, the detection function of filter 30 comprises the detection of ID, statistical property, semantic coverage and semantic dependency to CAN frame.Particularly,
1, the legitimacy detection for the CAN frame from gateway 200 comprises:
(1) ID is detected as: by the ID of CAN frame correct for frame format and CAN frame index table 42 comparison, if there is not this ID in a CAN frame index table 42, then abandon this CAN frame and report to the police, otherwise then judges that the ID of CAN frame is legal.
Particularly, the input parameter of ID detection function is the ID of CAN frame, utilizes binary search the one CAN frame index table 42, if do not find this ID in a CAN frame index table 42, then judges that this CAN frame is as an attack frame, abandons and reports to the police; If find this ID, return the memory address of this ID in a CAN frame index table 42, and using memory address as presumptive address, when calling other parameter of CAN frame index table 42, directly can utilize the offset address of this memory address and other parameter.
(2) statistical property is detected as: the transmission rate detecting the identical CAN frame of ID, if transmission rate is greater than or equal to predetermined threshold value and the number of times that described transmission rate is greater than or equal to default threshold continuously reaches default value, namely threshold count value reaches a certain limit value, then judge that CAN frame illegally and report to the police, otherwise, then judge that CAN frame is legal.
Such as, whether the transmission rate detecting the identical CAN frame of ID is too high, can be judged by the time of reception interval of the CAN frame of more identical ID and time interval threshold value.If time of reception interval is greater than frame time interval threshold, then threshold count value is updated to 0.If time of reception interval is less than frame time interval threshold, then threshold count value increases by 1 and upgrades in CAN concordance list.When threshold count value equals certain value n, the transmission rate of continuous n CAN frame is too high, judges that CAN frame is attacked and reports to the police, and threshold count value is updated to 0.If threshold count value is not 0 and is less than n, judge that this CAN frame is legal.
Further, can arrange different level of securitys by the n value in adjustment statistic mixed-state function, the less level of security of n is higher.
(3) semantic coverage detects: the data field semantic values detecting CAN frame, whether in preset range, if so, then judge that CAN frame is legal, otherwise, then judge that CAN frame is illegally and report to the police.
If the data field semantic values of CAN frame exceed the maximum of data field semantic values or the minimum value lower than data field semantic values in CAN concordance list corresponding to its ID, then judge that CAN frame is attacked and reports to the police, otherwise, then judge that CAN frame is legal.
(4) semantic dependency detects: whether the rate of change detecting the data field semantic values of CAN frame is greater than relevance threshold, if so, then judges that CAN frame is illegally and report to the police, otherwise, then judge that CAN frame is legal.
Particularly, the difference of data field semantic values of the rate of change of the data field semantic values that the ID of CAN frame is corresponding and CAN frame and a upper CAN frame of identical ID and the ratio of time of reception difference, if be greater than relevance threshold, judge that this CAN frame illegally and report to the police, otherwise, then judge that CAN frame is legal.
Especially, in actual motion, detect after terminating, data field semantic values two parameters of the time of reception of a upper CAN frame in a CAN frame index table 42, a upper CAN frame need be upgraded.
It is pointed out that because remote frame does not comprise data field part, therefore frame format detection is only carried out to remote frame, identifier (ID) detects and statistical property detects.
2, the legitimacy detection for the CAN frame from CAN subnet 300 comprises:
(1) ID is detected as: by the ID of CAN frame correct for frame format and the 2nd CAN frame index table 44 comparison, if there is not this ID in the 2nd CAN frame index table 44, then abandon this CAN frame and report to the police, otherwise then judges that the ID of CAN frame is legal.
Particularly, the input parameter of ID detection function is the ID of CAN frame, utilizes binary search the 2nd CAN frame index table 44, if do not find this ID in the 2nd CAN frame index table 44, then judges that this CAN frame is as an attack frame, abandons and reports to the police; If find this ID, return the memory address of this ID in the 2nd CAN frame index table 44, and using memory address as presumptive address, when calling the 2nd other parameter of CAN frame index table 44, directly can utilize the offset address of this memory address and other parameter.
(2) statistical property is detected as: the transmission rate detecting the identical CAN frame of ID, if transmission rate is greater than or equal to predetermined threshold value and the number of times that described transmission rate is greater than or equal to default threshold continuously reaches default value, namely threshold count value reaches a certain limit value, then judge that CAN frame illegally and report to the police, otherwise, then judge that CAN frame is legal.
Such as, whether the transmission rate detecting the identical CAN frame of ID is too high, can be judged by the time of reception interval of the CAN frame of more identical ID and time interval threshold value.If time of reception interval is greater than frame time interval threshold, then threshold count value is updated to 0.If time of reception interval is less than frame time interval threshold, then threshold count value increases by 1 and upgrades in CAN concordance list.When threshold count value equals certain value n, the transmission rate of continuous n CAN frame is too high, judges attacked and report to the police, and threshold count value is updated to 0.If threshold count value is not 0 and is less than n, judge that this CAN frame is legal.
Further, can arrange different level of securitys by the n value in adjustment statistic mixed-state function, the less level of security of n is higher.
(3) semantic coverage detects: the data field semantic values detecting CAN frame, whether in preset range, if so, then judge that CAN frame is legal, otherwise, then judge that CAN frame is illegally and report to the police.
If the data field semantic values of CAN frame exceed the maximum of data field semantic values or the minimum value lower than data field semantic values in CAN concordance list corresponding to its ID, then judge that CAN frame is attacked and reports to the police, otherwise, then judge that CAN frame is legal.(4) semantic dependency detects: whether the rate of change detecting the data field semantic values of CAN frame is greater than relevance threshold, if so, then judges that CAN frame is illegally and report to the police, otherwise, then judge that CAN frame is legal.
Particularly, the difference of data field semantic values of the rate of change of the data field semantic values that the ID of CAN frame is corresponding and CAN frame and a upper CAN frame of identical ID and the ratio at time of reception interval, if be greater than relevance threshold, judge that this CAN frame illegally and report to the police, otherwise, then judge that CAN frame is legal.
Especially, in actual motion, detect after terminating, data field semantic values two parameters of the time of reception of a upper CAN frame in the 2nd CAN frame index table 44, a upper CAN frame need be upgraded.
It is pointed out that because remote frame does not comprise data field part, therefore frame format detection is only carried out to remote frame, identifier (ID) detects and statistical property detects.
Further, when filter 30 detect CAN frame from gateway 200 or CAN subnet 300 legal after, under the control of microcontroller 20, send legal CAN frame to gateway 200 or CAN subnet 300 by the first CAN transceiver 120 or the second CAN transceiver 140.
Particularly, for Fig. 2, illustrate the course of work of the abnormality detection system 100 for automobile CAN-bus of the present invention:
(1) when the first CAN transceiver 120 receives the CAN frame from gateway 200, microcontroller 20 controls the frame format detection that the first CAN controller 122 realizes CAN frame.
If the frame format of CAN frame is correct, then the first CAN controller 122 sends Frame to microcontroller 20.Otherwise, then abandon Frame and reported to the police by microcontroller 20 triggered alarm 50.CAN frame correct for frame format is sent to filter 30 by microcontroller 20.
Filter 30 receives the correct CAN frame of frame format and carries out ID detection, statistical property detection, semantic coverage detection and semantic dependency and detects.When wherein any one detection function detects that CAN frame is illegal, namely abandon CAN frame, and reported to the police by microcontroller 20 triggered alarm.
(2) when the second CAN transceiver 140 receives the CAN frame from CAN subnet 300, send a signal to microcontroller 20 by the second CAN controller 142, microcontroller 20 controls the frame format detection that the second CAN controller 142 realizes CAN frame.
If the frame format of CAN frame is correct, then the second CAN controller 142 sends Frame to microcontroller 20.Otherwise, then abandon Frame and reported to the police by microcontroller 20 triggered alarm 50.CAN frame correct for frame format is sent to filter 30 by microcontroller 20.Filter 30 receives the correct CAN frame of frame format and carries out ID detection, statistical property detection, semantic coverage detection and semantic dependency and detects.When wherein any one detection function detects that CAN frame is illegal, namely abandon CAN frame, and reported to the police by microcontroller 20 triggered alarm.
When above-mentioned legitimacy detect by after, legal CAN frame is sent to gateway 200 or CAN subnet 300 by microprocessor controls first CAN transceiver 120 or the second CAN transceiver 140.
According to the abnormality detection system of the CAN message of the embodiment of the present invention, set up the connection with the CAN network of vehicle by the first CAN transceiver and the second CAN transceiver, and receive CAN frame from the gateway of CAN network and CAN subnet.First CAN controller and the second CAN controller judge that whether the frame format of CAN frame is correct, if the frame format mistake of CAN frame, then microprocessor controls CAN controller abandons CAN frame and triggered alarm warning.If the frame format of CAN frame is correct, then the further controlling filter of microcontroller is called detection function and is carried out legitimacy detection to CAN frame.If CAN frame is illegal, then judge that CAN frame is abnormal, microprocessor controls filter abandons CAN frame and triggered alarm is reported to the police.If CAN frame is legal, then microprocessor controls first CAN transceiver or the second CAN transceiver send legal CAN frame to gateway or CAN subnet.The abnormality detection system of CAN message of the present invention is simple efficiently, fail safe is high, practical.
In describing the invention, it will be appreciated that, term " " center ", " longitudinal direction ", " transverse direction ", " length ", " width ", " thickness ", " on ", D score, " front ", " afterwards ", " left side ", " right side ", " vertically ", " level ", " top ", " end " " interior ", " outward ", " clockwise ", " counterclockwise ", " axis ", " radial direction ", orientation or the position relationship of the instruction such as " circumference " are based on orientation shown in the drawings or position relationship, only the present invention for convenience of description and simplified characterization, instead of indicate or imply that the device of indication or element must have specific orientation, with specific azimuth configuration and operation, therefore limitation of the present invention can not be interpreted as.
In addition, term " first ", " second " only for describing object, and can not be interpreted as instruction or hint relative importance or imply the quantity indicating indicated technical characteristic.Thus, be limited with " first ", the feature of " second " can express or impliedly comprise at least one this feature.In describing the invention, the implication of " multiple " is at least two, such as two, three etc., unless otherwise expressly limited specifically.
In the present invention, unless otherwise clearly defined and limited, the term such as term " installation ", " being connected ", " connection ", " fixing " should be interpreted broadly, and such as, can be fixedly connected with, also can be removably connect, or integral; Can be mechanical connection, also can be electrical connection; Can be directly be connected, also indirectly can be connected by intermediary, can be the connection of two element internals or the interaction relationship of two elements, unless otherwise clear and definite restriction.For the ordinary skill in the art, above-mentioned term concrete meaning in the present invention can be understood as the case may be.
In the present invention, unless otherwise clearly defined and limited, fisrt feature second feature " on " or D score can be that the first and second features directly contact, or the first and second features are by intermediary indirect contact.And, fisrt feature second feature " on ", " top " and " above " but fisrt feature directly over second feature or oblique upper, or only represent that fisrt feature level height is higher than second feature.Fisrt feature second feature " under ", " below " and " below " can be fisrt feature immediately below second feature or tiltedly below, or only represent that fisrt feature level height is less than second feature.
In the description of this specification, specific features, structure, material or feature that the description of reference term " embodiment ", " some embodiments ", " example ", " concrete example " or " some examples " etc. means to describe in conjunction with this embodiment or example are contained at least one embodiment of the present invention or example.In this manual, to the schematic representation of above-mentioned term not must for be identical embodiment or example.And the specific features of description, structure, material or feature can combine in one or more embodiment in office or example in an appropriate manner.In addition, when not conflicting, the feature of the different embodiment described in this specification or example and different embodiment or example can carry out combining and combining by those skilled in the art.
Although illustrate and describe embodiments of the invention above, be understandable that, above-described embodiment is exemplary, can not be interpreted as limitation of the present invention, and those of ordinary skill in the art can change above-described embodiment within the scope of the invention, revises, replace and modification.
Claims (14)
1. a method for detecting abnormality for CAN message, is characterized in that, comprises the following steps:
Set up and the gateway of CAN of vehicle and the connection of CAN subnet, receive CAN frame from described gateway and described CAN subnet, described CAN frame comprises identifier and data field;
Judge that whether the frame format of described CAN frame is correct, if the frame format mistake of described CAN frame, then abandon described CAN frame and report to the police;
If the frame format of described CAN frame is correct, then calls detection function further and legitimacy detection is carried out to described CAN frame;
If described CAN frame is illegal, then judge that described CAN frame is abnormal, abandon described CAN frame and report to the police, described detection function comprises the detection of identifier, statistical property, semantic coverage and semantic dependency to described CAN frame;
If described CAN frame is legal, then send described CAN frame to described gateway or described CAN subnet.
2. method according to claim 1, it is characterized in that, described detection function detects the described CAN frame from described gateway or described CAN subnet according to the CAN frame index table preset and the 2nd CAN frame index table, wherein, a described CAN frame index table comprises: the maximum of the data field semantic values that the identifier from the identifier of the described CAN frame of described gateway, described CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the semantic values of previous frame and relevance threshold;
Described 2nd CAN frame index table comprises: the maximum of the data field semantic values that the identifier from the identifier of the described CAN frame of described CAN subnet, described CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the semantic values of previous frame and relevance threshold.
3. the method as described in claim 1 or 2 any one, is characterized in that, described identifier detects and comprises:
By the identifier of described CAN frame correct for described frame format and a CAN frame index table or the 2nd CAN frame index table comparison, if there is not described identifier in a described CAN frame index table or described 2nd CAN frame index table, then abandon described CAN frame and report to the police, otherwise then judging that the identifier of described CAN frame is legal.
4. the method as described in claim 1 or 2 any one, it is characterized in that, described statistic mixed-state comprises:
Detect the transmission rate of the identical described CAN frame of described identifier, if described transmission rate is greater than or equal to predetermined threshold value and the number of times that described transmission rate is greater than or equal to predetermined threshold value continuously reaches predetermined value, then judge that described CAN frame illegally and report to the police, otherwise, then judge that described CAN frame is legal.
5. the method as described in claim 1 or 2 any one, is characterized in that, described semantic coverage detects and comprises:
The data field semantic values detecting described CAN frame, whether in preset range, if so, then judge that described CAN frame is legal, otherwise, then judge that described CAN frame is illegally and report to the police.
6. the method as described in claim 1 or 2 any one, is characterized in that, described semantic dependency detects and comprises:
Whether the rate of change detecting the data field semantic values of described CAN frame is greater than default relevance threshold, if so, then judges that described CAN frame is illegally and report to the police, otherwise, then judge that described CAN frame is legal.
7. an abnormality detection system for CAN message, is characterized in that, comprising:
First CAN transceiver, described CAN transceiver is connected with gateway, and receive CAN frame from described gateway, described CAN frame comprises identifier and data field;
First CAN controller, whether described first CAN controller is correct for judging the frame format of the described CAN frame from described gateway;
Second CAN transceiver, described CAN transceiver and CAN Subnetwork connection, receive CAN frame from described CAN subnet, wherein, described CAN frame comprises identifier and data field;
Second CAN controller, whether described second CAN controller is correct for judging the frame format of the described CAN frame from described CAN subnet;
Filter, described filter comprises detection function;
Alarm, described alarm is used for reporting to the police; With
Microcontroller, described microcontroller respectively with described first CAN controller, described second CAN controller, described filter is connected with described alarm, for when described first CAN controller or described second CAN controller judge the frame format mistake of described CAN frame, abandon described CAN frame and control described alarm equipment alarm, and when the frame format of described CAN frame is correct, the detection function calling described filter carries out legitimacy detection to described CAN frame, if described CAN frame is illegal, then judge that described CAN frame is abnormal, abandon described CAN frame and report to the police, wherein, described detection function comprises the identifier to described CAN frame, statistical property, the detection of semantic coverage and semantic dependency.
8. system according to claim 7, it is characterized in that, also comprise: the CAN frame index table be connected with described microcontroller and the 2nd CAN frame index table, described detection function detects described CAN frame according to the described CAN frame index table preset and described 2nd CAN frame index table, wherein, a described CAN frame index table comprises: from the identifier of the described CAN frame of described gateway, the maximum of the data field semantic values that the identifier of described CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the semantic values of previous frame and relevance threshold,
Described 2nd CAN frame index table comprises: the maximum of the data field semantic values that the identifier from the identifier of the described CAN frame of described CAN subnet, described CAN frame is corresponding and minimum value, frame time interval threshold, threshold count value, the time of reception of previous frame, the semantic values of previous frame and relevance threshold.
9. system as claimed in claim 7, it is characterized in that, described identifier detects and comprises: by the identifier of described CAN frame correct for described frame format and a CAN frame index table or the 2nd CAN frame index table comparison, if there is not described identifier in a described CAN frame index table or described 2nd CAN frame index table, then abandon described CAN frame and report to the police, otherwise then judging that the identifier of described CAN frame is legal.
10. system as claimed in claim 7, it is characterized in that, described statistic mixed-state comprises:
Detect the transmission rate of the identical described CAN frame of described identifier, if described transmission rate is greater than or equal to predetermined threshold value and the number of times that described transmission rate is greater than or equal to predetermined threshold value continuously reaches default value, then judge that described CAN frame illegally and report to the police, otherwise, then judge that described CAN frame is legal.
11. systems as claimed in claim 7, is characterized in that, described semantic coverage detects and comprises:
The data field semantic values detecting described CAN frame, whether in preset range, if so, then judge that described CAN frame is legal, otherwise, then judge that described CAN frame is illegally and report to the police.
12. systems as claimed in claim 7, is characterized in that, described semantic dependency detects and comprises:
Whether the rate of change detecting the data field semantic values of described CAN frame is greater than default relevance threshold, if so, then judges that described CAN frame is illegally and report to the police, otherwise, then judge that described CAN frame is legal.
13. systems as claimed in claim 7, is characterized in that, described first CAN transceiver also for, the legal described CAN frame from described CAN subnet is sent to described gateway.
14. systems as claimed in claim 7, is characterized in that, described second CAN transceiver also for, the legal described CAN frame from described gateway is sent to described CAN subnet.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410524934.5A CN104301177B (en) | 2014-10-08 | 2014-10-08 | CAN message method for detecting abnormality and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410524934.5A CN104301177B (en) | 2014-10-08 | 2014-10-08 | CAN message method for detecting abnormality and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104301177A true CN104301177A (en) | 2015-01-21 |
| CN104301177B CN104301177B (en) | 2018-08-03 |
Family
ID=52320755
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410524934.5A Active CN104301177B (en) | 2014-10-08 | 2014-10-08 | CAN message method for detecting abnormality and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104301177B (en) |
Cited By (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104767618A (en) * | 2015-04-03 | 2015-07-08 | 清华大学 | CAN bus authentication method and system based on broadcasting |
| CN104836636A (en) * | 2015-02-17 | 2015-08-12 | 华为技术有限公司 | Method, device and system for communication based on novel CAN frame |
| CN105893844A (en) * | 2015-10-20 | 2016-08-24 | 乐卡汽车智能科技(北京)有限公司 | Method and device for sending messages of vehicle bus networks |
| CN106031098A (en) * | 2015-01-20 | 2016-10-12 | 松下电器(美国)知识产权公司 | Invalid frame handling method, invalidity detection electronic-control unit and vehicle-mounted network system |
| CN107018122A (en) * | 2015-10-21 | 2017-08-04 | 本田技研工业株式会社 | communication system, control device and control method |
| CN107426285A (en) * | 2017-05-19 | 2017-12-01 | 北京软安科技有限公司 | A kind of vehicle-mounted CAN bus safety means of defence and device |
| CN107454107A (en) * | 2017-09-15 | 2017-12-08 | 中国计量大学 | A kind of controller LAN automobile bus alarm gateway for detecting injection attack |
| CN107948176A (en) * | 2017-12-03 | 2018-04-20 | 吴武飞 | A kind of information security Enhancement Method and controller towards CAN network |
| CN108353015A (en) * | 2015-08-31 | 2018-07-31 | 国立大学法人名古屋大学 | Relay |
| CN108650152A (en) * | 2018-05-21 | 2018-10-12 | 新华三技术有限公司 | Exception message determines method and device |
| CN109286547A (en) * | 2018-08-30 | 2019-01-29 | 百度在线网络技术(北京)有限公司 | Message processing method, device, electronic control unit and readable storage medium storing program for executing |
| CN110351295A (en) * | 2019-07-22 | 2019-10-18 | 百度在线网络技术(北京)有限公司 | Message detecting method and device, electronic equipment, computer-readable medium |
| CN110750790A (en) * | 2019-09-06 | 2020-02-04 | 深圳开源互联网安全技术有限公司 | CAN bus vulnerability detection method and device, terminal equipment and medium |
| CN110771099A (en) * | 2018-05-23 | 2020-02-07 | 松下电器(美国)知识产权公司 | Abnormality detection device, abnormality detection method, and program |
| CN111224917A (en) * | 2018-11-23 | 2020-06-02 | 广州汽车集团股份有限公司 | Automobile gateway firewall message health check method, gateway device and automobile |
| CN112153070A (en) * | 2020-09-28 | 2020-12-29 | 安徽江淮汽车集团股份有限公司 | Abnormality detection method, device, storage medium and apparatus for vehicle-mounted CAN bus |
| CN112261026A (en) * | 2015-08-31 | 2021-01-22 | 松下电器(美国)知识产权公司 | Abnormality detection method, abnormality detection electronic control unit, and abnormality detection system |
| CN112286763A (en) * | 2015-12-14 | 2021-01-29 | 松下电器(美国)知识产权公司 | Security device, network system, and attack detection method |
| CN112367318A (en) * | 2015-12-16 | 2021-02-12 | 松下电器(美国)知识产权公司 | Security processing method and computer |
| CN112637013A (en) * | 2020-12-21 | 2021-04-09 | 苏州三六零智能安全科技有限公司 | CAN bus message abnormity detection method and device, equipment and storage medium |
| CN113014464A (en) * | 2016-01-08 | 2021-06-22 | 松下电器(美国)知识产权公司 | Abnormality detection method, abnormality detection device, and abnormality detection system |
| CN113328919A (en) * | 2021-05-28 | 2021-08-31 | 江苏徐工工程机械研究院有限公司 | CAN bus identifier, communication method and communication system |
| CN113485284A (en) * | 2021-06-07 | 2021-10-08 | 东风汽车集团股份有限公司 | Message data processing method, device, equipment and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102291334A (en) * | 2010-06-21 | 2011-12-21 | 哈尔滨工业大学 | Design of automotive body CAN-LIN (Control Area Network-Local Internet Protocol) gateway |
| CN104012065A (en) * | 2011-12-21 | 2014-08-27 | 丰田自动车株式会社 | Vehilce network monitoring method and apparatus |
| CN104079444A (en) * | 2013-03-27 | 2014-10-01 | 西门子公司 | Method and device for detecting depth of industrial Ethernet data frame |
-
2014
- 2014-10-08 CN CN201410524934.5A patent/CN104301177B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102291334A (en) * | 2010-06-21 | 2011-12-21 | 哈尔滨工业大学 | Design of automotive body CAN-LIN (Control Area Network-Local Internet Protocol) gateway |
| CN104012065A (en) * | 2011-12-21 | 2014-08-27 | 丰田自动车株式会社 | Vehilce network monitoring method and apparatus |
| CN104079444A (en) * | 2013-03-27 | 2014-10-01 | 西门子公司 | Method and device for detecting depth of industrial Ethernet data frame |
Non-Patent Citations (1)
| Title |
|---|
| ROLAND KAMMERER: "Enhancing Security in CAN Systems using a Star Coupling Router", 《7TH IEEE INTERNATIONAL SYMPOSIUM ON INDUSTRIAL EMBEDDED SYSTEMS (SIES"12)》 * |
Cited By (40)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106031098B (en) * | 2015-01-20 | 2020-06-19 | 松下电器(美国)知识产权公司 | Abnormal frame coping method, abnormal detection electronic control unit and vehicle-mounted network system |
| CN106031098A (en) * | 2015-01-20 | 2016-10-12 | 松下电器(美国)知识产权公司 | Invalid frame handling method, invalidity detection electronic-control unit and vehicle-mounted network system |
| CN104836636B (en) * | 2015-02-17 | 2019-02-26 | 华为技术有限公司 | The method, apparatus and system communicated based on novel CAN frame |
| CN104836636A (en) * | 2015-02-17 | 2015-08-12 | 华为技术有限公司 | Method, device and system for communication based on novel CAN frame |
| WO2016131404A1 (en) * | 2015-02-17 | 2016-08-25 | 华为技术有限公司 | New type can frame based communication method, device and system |
| CN104767618B (en) * | 2015-04-03 | 2018-02-09 | 清华大学 | A kind of CAN authentication method and system based on broadcast |
| CN104767618A (en) * | 2015-04-03 | 2015-07-08 | 清华大学 | CAN bus authentication method and system based on broadcasting |
| CN108353015B (en) * | 2015-08-31 | 2021-02-26 | 国立大学法人名古屋大学 | Relay device |
| CN112261026B (en) * | 2015-08-31 | 2023-02-28 | 松下电器(美国)知识产权公司 | Abnormality detection method, abnormality detection electronic control unit, and abnormality detection system |
| CN108353015A (en) * | 2015-08-31 | 2018-07-31 | 国立大学法人名古屋大学 | Relay |
| CN112261026A (en) * | 2015-08-31 | 2021-01-22 | 松下电器(美国)知识产权公司 | Abnormality detection method, abnormality detection electronic control unit, and abnormality detection system |
| CN105893844A (en) * | 2015-10-20 | 2016-08-24 | 乐卡汽车智能科技(北京)有限公司 | Method and device for sending messages of vehicle bus networks |
| CN107018122A (en) * | 2015-10-21 | 2017-08-04 | 本田技研工业株式会社 | communication system, control device and control method |
| CN112286763A (en) * | 2015-12-14 | 2021-01-29 | 松下电器(美国)知识产权公司 | Security device, network system, and attack detection method |
| CN112367318A (en) * | 2015-12-16 | 2021-02-12 | 松下电器(美国)知识产权公司 | Security processing method and computer |
| CN112367318B (en) * | 2015-12-16 | 2023-04-07 | 松下电器(美国)知识产权公司 | Security processing method and computer |
| CN113014464A (en) * | 2016-01-08 | 2021-06-22 | 松下电器(美国)知识产权公司 | Abnormality detection method, abnormality detection device, and abnormality detection system |
| CN113014464B (en) * | 2016-01-08 | 2022-07-26 | 松下电器(美国)知识产权公司 | Abnormality detection method, abnormality detection device, and abnormality detection system |
| CN107426285A (en) * | 2017-05-19 | 2017-12-01 | 北京软安科技有限公司 | A kind of vehicle-mounted CAN bus safety means of defence and device |
| CN107454107B (en) * | 2017-09-15 | 2020-11-06 | 中国计量大学 | Controller local area network automobile bus alarm gateway for detecting injection type attack |
| CN107454107A (en) * | 2017-09-15 | 2017-12-08 | 中国计量大学 | A kind of controller LAN automobile bus alarm gateway for detecting injection attack |
| CN107948176A (en) * | 2017-12-03 | 2018-04-20 | 吴武飞 | A kind of information security Enhancement Method and controller towards CAN network |
| CN108650152B (en) * | 2018-05-21 | 2020-08-11 | 新华三技术有限公司 | Abnormal message determination method and device and computer readable storage medium |
| CN108650152A (en) * | 2018-05-21 | 2018-10-12 | 新华三技术有限公司 | Exception message determines method and device |
| CN110771099A (en) * | 2018-05-23 | 2020-02-07 | 松下电器(美国)知识产权公司 | Abnormality detection device, abnormality detection method, and program |
| CN110771099B (en) * | 2018-05-23 | 2022-08-26 | 松下电器(美国)知识产权公司 | Abnormality detection device, abnormality detection method, and recording medium |
| CN109286547A (en) * | 2018-08-30 | 2019-01-29 | 百度在线网络技术(北京)有限公司 | Message processing method, device, electronic control unit and readable storage medium storing program for executing |
| US11362857B2 (en) | 2018-08-30 | 2022-06-14 | Apollo Intelligent Driving Technology (Beijing) Co., Ltd. | Message processing method, apparatus, electronic control unit and readable storage medium |
| CN111224917B (en) * | 2018-11-23 | 2021-11-23 | 广州汽车集团股份有限公司 | Automobile gateway firewall message health check method, gateway device and automobile |
| CN111224917A (en) * | 2018-11-23 | 2020-06-02 | 广州汽车集团股份有限公司 | Automobile gateway firewall message health check method, gateway device and automobile |
| CN110351295A (en) * | 2019-07-22 | 2019-10-18 | 百度在线网络技术(北京)有限公司 | Message detecting method and device, electronic equipment, computer-readable medium |
| CN110750790B (en) * | 2019-09-06 | 2021-09-24 | 深圳开源互联网安全技术有限公司 | CAN bus vulnerability detection method and device, terminal equipment and medium |
| CN110750790A (en) * | 2019-09-06 | 2020-02-04 | 深圳开源互联网安全技术有限公司 | CAN bus vulnerability detection method and device, terminal equipment and medium |
| CN112153070B (en) * | 2020-09-28 | 2021-11-26 | 安徽江淮汽车集团股份有限公司 | Abnormality detection method, device, storage medium and apparatus for vehicle-mounted CAN bus |
| CN112153070A (en) * | 2020-09-28 | 2020-12-29 | 安徽江淮汽车集团股份有限公司 | Abnormality detection method, device, storage medium and apparatus for vehicle-mounted CAN bus |
| CN112637013A (en) * | 2020-12-21 | 2021-04-09 | 苏州三六零智能安全科技有限公司 | CAN bus message abnormity detection method and device, equipment and storage medium |
| CN112637013B (en) * | 2020-12-21 | 2022-11-04 | 苏州三六零智能安全科技有限公司 | CAN bus message abnormity detection method and device, equipment and storage medium |
| CN113328919A (en) * | 2021-05-28 | 2021-08-31 | 江苏徐工工程机械研究院有限公司 | CAN bus identifier, communication method and communication system |
| CN113328919B (en) * | 2021-05-28 | 2023-10-10 | 江苏徐工工程机械研究院有限公司 | CAN bus identifier, communication method and communication system |
| CN113485284A (en) * | 2021-06-07 | 2021-10-08 | 东风汽车集团股份有限公司 | Message data processing method, device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104301177B (en) | 2018-08-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104301177A (en) | CAN message abnormality detection method and system | |
| CN104320295A (en) | CAN (Control Area Network) message anomaly detection method and system | |
| US11438355B2 (en) | In-vehicle network anomaly detection system and in-vehicle network anomaly detection method | |
| JP6888845B2 (en) | Software updater | |
| CN107431709B (en) | Attack recognition method, attack recognition device and bus system for automobile | |
| US9703955B2 (en) | System and method for detecting OBD-II CAN BUS message attacks | |
| US20160173505A1 (en) | On-vehicle communication system | |
| EP3319275B1 (en) | Method for monitoring data traffic in a motor-vehicle network | |
| US20190327130A1 (en) | Methods, control node, network element and system for handling network events in a telecomunications network | |
| KR100897557B1 (en) | Method, system and device for processing tasks in device management | |
| CN110865626A (en) | Method and system for detecting message injection anomalies | |
| CN105553794A (en) | Home gateway, smart home system and home anti-theft method | |
| KR101966345B1 (en) | Method and System for detecting bypass hacking attacks based on the CAN protocol | |
| CN105141756A (en) | Abnormity processing method and abnormity processing device | |
| JP2022545639A (en) | Method and Apparatus for Detecting and Defeating Intrusions on Controller Area Network Bus | |
| KR102423886B1 (en) | Appartus and method for detecting abnormal sign in vehicle ethernet network | |
| CN105652740B (en) | System and method for takeover protection for a security system | |
| US11057769B2 (en) | Detecting unauthorized access to a wireless network | |
| CN109560983B (en) | Data communication method and device for vehicle network | |
| EP3557838A1 (en) | Monitoring the behaviour of at least one communication device | |
| KR101952117B1 (en) | Can communication method and apparatus for vehicle | |
| CN105721334B (en) | Method and equipment for determining transmission path and updating ACL | |
| WO2020105657A1 (en) | Onboard relay device and relay method | |
| CN106714076A (en) | MTC equipment triggering method and device | |
| WO2022137661A1 (en) | Detection device, detection method, and detection program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant |