CN106899614A - In-vehicle network intrusion detection method and device based on the message cycle - Google Patents

In-vehicle network intrusion detection method and device based on the message cycle

Info

Publication number: CN106899614A
Application number: CN201710243012.0A
Authority: CN (China)
Prior art keywords: identification error, electronic control, message, control unit, vehicle
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN106899614B (en)
Inventors: 阚志刚, 卢佐华, 叶威, 彭建芬, 陈彪
Current assignee: YANGPUWEIYE TECHNOLOGY Ltd
Original assignee: YANGPUWEIYE TECHNOLOGY Ltd
Application filed by: YANGPUWEIYE TECHNOLOGY Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention provides an in-vehicle network intrusion detection method and device based on the message cycle. The method includes: while the vehicle is not communicating with the outside world, collecting the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus; calculating the corresponding temporal characteristics of the electronic control unit from those time attributes; while the vehicle is communicating with the outside world, collecting the corresponding attributes of the regular periodic message IDs output by the electronic control unit identified by those temporal characteristics, and calculating the identification error of those attributes; and judging from the identification error and a predetermined threshold whether the regular periodic message is abnormal. The invention can detect whether the in-vehicle network is subject to external illegal intrusion, and thereby ensure the safety of the driver and passengers.

Description

In-vehicle network intrusion detection method and device based on the message cycle
Technical field
The present invention relates to the field of network security, more particularly to a vehicle internal network safety detection method, and specifically to an in-vehicle network intrusion detection method and device based on the message cycle.
Background technology
In recent years vehicles have developed toward intelligence and network connectivity, and more and more electronic control units (ECU, Electronic Control Unit) are installed in vehicles to replace the original mechanical structures. As the number of attached sensors grows, the software control systems of the intelligent components become more complex; as the interfaces for external communication grow, the connected components also introduce potential network security threats. An ECU installed in a vehicle can be intruded remotely over the network, and such an intrusion may cause a vehicle failure and thereby threaten the life safety of the driver or passengers. How to avoid or mitigate these network security threats is the most urgent task in the development of intelligent connected driving technology.
Existing security protection measures for intelligent connected vehicles are all built around cloud security and on-board terminal security, but these measures alone are not sufficient: the object served by the intelligent connected service is the vehicle, and the driving safety of the vehicle is the foundation of what we protect.
Existing in-vehicle network security protection measures mainly take two directions: network security defence based on a message authentication code (MAC, Message Authentication Code), and intrusion detection. Defence based on message authentication codes effectively protects the information on the network, but because of the limited resources of vehicle ECUs and the constraints of the CAN bus protocol, it cannot be applied in intelligent connected vehicles. Intrusion detection prevents network attacks by monitoring message content or by monitoring the periodicity of in-vehicle messages, and can handle most network attacks, such as forgery attacks and message injection attacks; but some complex attacks (for example, rewriting a control instruction) intrusion detection can neither detect nor prevent. The main reason is that in-vehicle CAN data messages carry neither a destination address nor a source address, so a receiver cannot confirm which sender a data message came from; even if a network data message is confirmed to be attack information, the lack of sender information still makes it very difficult to confirm which ECU has been compromised.
Therefore, those skilled in the art urgently need to develop an intrusion detection method that closes the gaps in existing intrusion detection protection, so that the in-vehicle network is protected from some of these complex attacks and the safety of the driver and passengers is ensured.
The content of the invention
In view of this, the technical problem to be solved by the present invention is to provide an in-vehicle network intrusion detection method and device based on the message cycle, solving the problem that the prior art cannot detect whether the in-vehicle network is subject to external illegal intrusion.
To solve the above technical problem, a specific embodiment of the invention provides an in-vehicle network intrusion detection method based on the message cycle, including: while the vehicle is not communicating with the outside world, collecting the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, where the time attributes include the time intervals between multiple periodic messages and the number of periodic messages; calculating the corresponding temporal characteristics of the electronic control unit from the time attributes, where the temporal characteristics include the clock skew; while the vehicle is communicating with the outside world, collecting the corresponding attributes of the regular periodic message IDs output by the electronic control unit identified by the temporal characteristics, and calculating the identification error of those attributes; and judging from a predetermined threshold and the identification error whether the regular periodic message is abnormal.
Another embodiment of the present invention provides an in-vehicle network intrusion detection device based on the message cycle, including: a first collecting unit, for collecting, while the vehicle is not communicating with the outside world, the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, where the time attributes include the time intervals between multiple periodic messages and the number of periodic messages; a computing unit, for calculating the corresponding temporal characteristics of the electronic control unit from the time attributes, where the temporal characteristics include the clock skew; a second collecting unit, for collecting, while the vehicle is communicating with the outside world, the corresponding attributes of the regular periodic message IDs output by the electronic control unit identified by the temporal characteristics, and for calculating the identification error of those attributes; and a judging unit, for judging from a predetermined threshold and the identification error whether the regular periodic message is abnormal.
From the above specific embodiments it can be seen that the in-vehicle network intrusion detection method and device based on the message cycle have at least the following advantages. While the in-vehicle network is not communicating with the outside world, the multiple periodic messages output by the electronic control units (ECUs) on the in-vehicle network bus (periodic messages that are not under attack) are collected, and the corresponding temporal characteristics of each electronic control unit are calculated from those periodic messages, so that each electronic control unit can be marked. While the vehicle is communicating with the outside world, the identification error of the regular periodic messages output by the electronic control unit marked by those temporal characteristics (periodic messages that may be under attack) is calculated, and whether a regular periodic message is abnormal is judged from the identification error and the predetermined threshold. The invention allows complex network attacks to be handled when the in-vehicle network accesses the internet or connects to peripherals, detects whether the in-vehicle network has been illegally intruded, and thereby ensures the safety of the driver and passengers.
It is to be understood that the above general description and the following detailed description are merely exemplary and explanatory, and do not limit the scope claimed by the invention.
Brief description of the drawings
The following accompanying drawings are part of the specification of the invention; they depict example embodiments of the invention and, together with the description in the specification, serve to illustrate the principles of the invention.
Fig. 1 is a flow chart of embodiment one of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention;
Fig. 2 is a flow chart of embodiment two of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention;
Fig. 3 is a flow chart of embodiment three of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention;
Fig. 4 is a schematic block diagram of embodiment one of the in-vehicle network intrusion detection device based on the message cycle provided by a specific embodiment of the invention;
Fig. 5 is a schematic block diagram of embodiment two of the in-vehicle network intrusion detection device based on the message cycle provided by a specific embodiment of the invention;
Fig. 6 is a schematic block diagram of embodiment three of the in-vehicle network intrusion detection device based on the message cycle provided by a specific embodiment of the invention.
Specific embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the spirit of the disclosure is set out clearly below with the accompanying drawings and the detailed description; after understanding the embodiments of the invention, any person skilled in the art may change and modify the technology taught by the invention without departing from its spirit and scope.
The schematic description and drawings of the invention serve to explain the invention and not to limit it. In addition, the same or similar labels used in the drawings and in the embodiments represent the same or similar parts.
The terms "first", "second", etc. used herein do not specifically denote an order or sequence and are not used to limit the invention; they only distinguish elements or operations described with the same term.
Directional terms used herein, for example up, down, left, right, front or rear, refer only to the directions in the accompanying drawings. The directional terms are therefore used for illustration and not to limit this invention.
The terms "comprising", "including", "having", "containing", etc. used herein are open terms, meaning including but not limited to.
The term "and/or" used herein includes any or all combinations of the items listed.
The terms "substantially", "about", etc. used herein modify any quantity that may vary slightly or carry a small error, where that slight variation or error does not change its essence. In general, the range of the slight variation or error modified by such terms may be 20% in some embodiments, 10% in some embodiments, 5% in some embodiments, or another value. Those skilled in the art will understand that the aforementioned values can be adjusted according to actual needs and are not limited thereto.
Some of the words used to describe the application are discussed below or elsewhere in this specification, to give those skilled in the art additional guidance on the description of the application.
Fig. 1 is a flow chart of embodiment one of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention. As shown in Fig. 1, while the in-vehicle network is not communicating with the internet or with external devices, the multiple periodic messages output by the electronic control units (ECUs) on the in-vehicle network bus are collected, and the corresponding temporal characteristics of each electronic control unit (such as its clock offset and clock skew) are calculated from those periodic messages, so that the electronic control unit can be marked. While the in-vehicle network is communicating with the internet or with external devices (for example, when the in-vehicle network is connected to an external network through the T-BOX platform or the entertainment and navigation platform), the identification error of the regular periodic messages output by the electronic control unit marked by the temporal characteristics is calculated, and whether the regular periodic message is abnormal is judged from the identification error and the predetermined threshold.
The specific embodiment shown in the drawing includes:
Step 101: While the vehicle is not communicating with the outside world, collect the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, where the time attributes include the time intervals between multiple periodic messages and the number of periodic messages. In the specific embodiments of the invention, "the vehicle is not communicating with the outside world" specifically means that the in-vehicle network is not communicating with an external network (including the internet) or with an external device (including USB flash drives, portable hard disks, mobile terminals, etc.), and the in-vehicle network is safe at that time. The electronic control units communicate with each other over the in-vehicle network bus (such as the CAN bus), so the periodic messages output by one or more electronic control units can be sampled on that bus. The time attributes include, but are not limited to, the time intervals between multiple periodic messages and the number of periodic messages.
Step 102: Calculate the corresponding temporal characteristics of the electronic control unit from the time attributes, where the temporal characteristics include the clock skew. In the specific embodiments of the invention the temporal characteristics of each electronic control unit differ, so the temporal characteristics can be used to mark an electronic control unit and thereby determine which electronic control unit actually output a periodic message. The temporal characteristics include, but are not limited to, the clock skew.
Step 103: Mark the electronic control unit according to the temporal characteristics. Since the temporal characteristics correspond one-to-one with the electronic control units, the temporal characteristics can be used to mark the electronic control unit.
Step 104: While the vehicle is communicating with the outside world, collect the corresponding attributes of the regular periodic message IDs output by the electronic control unit marked by the temporal characteristics, and calculate the identification error of those attributes. In the specific embodiments of the invention, "the vehicle is communicating with the outside world" can mean that the in-vehicle network communicates with an external network (including the internet) through the in-vehicle T-BOX platform or the entertainment and navigation platform; the in-vehicle network is then unsafe, and the regular periodic messages may be subject to external attack.
Step 105: Judge from the predetermined threshold and the identification error whether the regular periodic message is abnormal. In the specific embodiments of the invention, the predetermined threshold is usually 10 to 50. An accumulated identification error is obtained from the identification error, and then the maximum and minimum of the accumulated identification error; if the absolute value of the maximum or of the minimum of the accumulated identification error exceeds the predetermined threshold, the regular periodic message is judged abnormal.
Referring to Fig. 1: while the in-vehicle network is not communicating with the outside world, the corresponding temporal characteristics of the electronic control unit are calculated from the periodic messages (such as its clock skew; the clock skew specifically refers to the fact that the standard clock input by the master clock passes through buffering delays and transmission-line delays, so that the clocks of different electronic control units differ from the standard clock, and the deviation of an electronic control unit's clock from the standard clock is called its clock skew), so that the electronic control unit is marked. While the in-vehicle network is communicating with the outside world, the analysis of the identification error judges whether the regular periodic messages received by the electronic control unit are abnormal. This allows complex external attacks to be handled while the in-vehicle network communicates with the outside world, detects whether the in-vehicle network is subject to illegal intrusion, and thereby ensures the safety of the driver and passengers.
In the specific embodiments of the invention, the formula for calculating the clock skew S_i is:
O_i = S_i × t_i + e_i
where i is the sequence number of the identification error data obtained after processing the periodic messages output by the electronic control unit; O_i is the accumulated clock offset of the periodic messages sampled from the electronic control unit; S_i is the clock skew of the periodic messages sampled from the electronic control unit; t_i is the run time; and e_i is the identification error of the regular periodic message.
Fig. 2 is a flow chart of embodiment two of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention. As shown in Fig. 2, to improve detection accuracy and prevent the electronic control unit from misjudging regular periodic messages, a regular periodic message judged abnormal can be confirmed further. Because the data-processing capacity of an electronic control unit is limited, and to conserve the limited data-processing capacity in the vehicle, the regular periodic message judged abnormal can be uploaded to a cloud platform, which verifies and confirms the abnormal regular periodic message; the electronic control unit then processes the abnormal regular periodic message according to the confirmation information fed back by the cloud platform.
In the specific embodiment shown in the drawing, after step 105 the method further includes:
Step 106: Upload the abnormal regular periodic message to the cloud platform. In the specific embodiments of the invention the cloud platform has a stronger data-processing capability; it can be a server, a server cluster, a computer, a mobile terminal, etc.
Step 107: Process the abnormal regular periodic message according to the confirmation information returned by the cloud platform. The electronic control unit processes the abnormal regular periodic message according to the confirmation information returned by the cloud platform, for example by rejecting the abnormal regular periodic message or by not executing it.
Referring to Fig. 2: to improve the detection accuracy for abnormal regular periodic messages, and at the same time to conserve the memory and CPU usage of the electronic control unit and improve its reaction speed, the abnormal regular periodic message can be uploaded to the cloud platform, which performs the data processing; the electronic control unit then processes the abnormal regular periodic message according to the confirmation information returned by the cloud platform. This prevents the electronic control unit from misjudging regular periodic messages and further improves the detection accuracy for abnormal intrusions. Of course, the electronic control unit can also directly process the regular periodic message it judges abnormal, without further judgement by the cloud platform, which improves processing efficiency.
Fig. 3 is a flow chart of embodiment three of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention. As shown in Fig. 3, judging from the identification error and the predetermined threshold whether the regular periodic message is abnormal specifically includes four steps.
In the specific embodiment shown in the drawing, step 105 specifically includes:
Step 1051: Calculate the mean μ_i and the variance σ_i of the identification error e.
Step 1052: Update the mean μ_i and the variance σ_i, where e is the identification error of the regular periodic message; μ_i is the mean of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; M is a constant; and i is the sequence number of the identification error data obtained after processing the periodic messages output by the electronic control unit. In the specific embodiments of the invention, the mean μ_i and the variance σ_i are updated when the update condition holds.
Step 1053: Calculate the maximum and the minimum of the accumulated identification error L from the mean μ_i and the variance σ_i.
Step 1054: Judge from the absolute value of the maximum, the absolute value of the minimum and the predetermined threshold whether the regular periodic message is abnormal.
Referring to Fig. 3: to judge from the identification error and the predetermined threshold whether the regular periodic message is abnormal, the maximum and the minimum of the accumulated identification error L and their absolute values are calculated from the identification error; if the absolute value of the maximum or of the minimum exceeds the predetermined threshold, the regular periodic message is judged abnormal. This judgement rules out the scenarios of data transmission delay and bus arbitration delay, mainly because a data transmission delay or a bus arbitration delay lasts only a short time while a network attack lasts a long time; data transmission delays and bus arbitration delays therefore do not affect the calculated maximum and minimum of the accumulated identification error L, and do not cause misjudgement.
In the specific embodiments of the invention, the formula for the maximum L+ of the accumulated identification error is:
where i is the sequence number of the identification error data obtained after processing the periodic messages output by the electronic control unit; e is the identification error of the regular periodic message; μ_i is the mean of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; and K is a constant.
The formula for the minimum L- of the accumulated identification error is:
where i is the sequence number of the identification error data obtained after processing the periodic messages output by the electronic control unit; e is the identification error of the regular periodic message; μ_i is the mean of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; and K is a constant.
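The following Python sketch is an added illustration of the pipeline described in steps 101 to 105 and 1051 to 1054, not code from the patent: the offline phase fits the clock skew S in O_i = S × t_i + e_i from periodic frames captured while the vehicle is offline, and the online phase computes the identification error e_i of each new frame, keeps a running mean and variance of e_i, and accumulates the normalised error into L+ and L- that are compared with the preset threshold. Because the page does not reproduce the update formulas for μ_i, σ_i, L+ and L-, the example assumes a Welford running mean/variance and a standard two-sided CUSUM with slack KAPPA in place of the constant K, and every timestamp is constructed.

```python
"""Added example (not the patent's code): clock-skew fingerprint of a periodic CAN
message ID plus a two-sided CUSUM on the identification error.  Offline: fit S in
O_i = S * t_i + e_i.  Online: compute e_i per frame, track its mean/variance,
accumulate L+ / L- and compare with the preset threshold.  Data is constructed."""
from dataclasses import dataclass
import math

PERIOD = 0.010     # nominal transmit period of the monitored CAN ID (10 ms)
KAPPA = 1.0        # CUSUM slack, standing in for the page's constant K (assumed value)
THRESHOLD = 10.0   # preset threshold; the page gives a typical range of 10 to 50

def jitter(i: int) -> float:
    """Deterministic zero-mean receive jitter in {-40, -20, 0, 20, 40} us (constructed)."""
    return 2e-5 * ((i * 7 + 2) % 5 - 2)

def ecu_frames(first: int, count: int, skew: float, t_base: float = 0.0) -> list:
    """Receive timestamps of frames first..first+count-1 from a sender whose clock
    makes its nominal period appear as PERIOD * (1 + skew) on the receiver."""
    return [t_base + (i - first) * PERIOD * (1 + skew) + jitter(i)
            for i in range(first, first + count)]

@dataclass
class EcuTimingModel:
    t0: float = 0.0     # receive time of the first frame; t_i is measured from here
    count: int = 0      # sequence number i expected for the next frame
    skew: float = 0.0   # fitted clock skew S
    n: int = 0          # samples behind the running statistics of e_i
    mu: float = 0.0     # running mean of e_i
    m2: float = 0.0     # Welford sum of squared deviations (variance = m2 / (n - 1))
    l_pos: float = 0.0  # accumulated identification error L+
    l_neg: float = 0.0  # accumulated identification error L-

    @property
    def sigma(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

def offset(model: EcuTimingModel, ts: float) -> tuple:
    """(t_i, O_i): elapsed time and accumulated clock offset, i.e. how far the
    frame's arrival has drifted from i * PERIOD on the receiver's clock."""
    t = ts - model.t0
    return t, t - model.count * PERIOD

def update_stats(model: EcuTimingModel, e: float) -> None:
    """Welford update of the running mean/variance of the identification error."""
    model.n += 1
    delta = e - model.mu
    model.mu += delta / model.n
    model.m2 += delta * (e - model.mu)

def fit_skew(timestamps: list) -> EcuTimingModel:
    """Offline phase (vehicle not talking to the outside): least-squares S through
    the origin in O_i = S * t_i + e_i, then seed the mean/variance of e_i."""
    model = EcuTimingModel(t0=timestamps[0])
    points = []
    for ts in timestamps:
        points.append(offset(model, ts))
        model.count += 1
    model.skew = sum(t * o for t, o in points) / sum(t * t for t, _ in points)
    for t, o in points:
        update_stats(model, o - model.skew * t)
    return model

def check_frame(model: EcuTimingModel, ts: float) -> bool:
    """Online phase: True when this frame pushes L+ or L- past THRESHOLD.  The
    statistics are refreshed only from frames that did not alarm (assumption)."""
    t, o = offset(model, ts)
    model.count += 1
    e = o - model.skew * t  # identification error e_i
    z = (e - model.mu) / model.sigma if model.sigma > 0 else 0.0
    model.l_pos = max(0.0, model.l_pos + z - KAPPA)
    model.l_neg = max(0.0, model.l_neg - z - KAPPA)
    alarm = max(model.l_pos, model.l_neg) > THRESHOLD
    if not alarm:
        update_stats(model, e)
    return alarm

def detect(model: EcuTimingModel, timestamps: list) -> list:
    """Positions in the online capture of the frames that raised an alarm."""
    return [k for k, ts in enumerate(timestamps) if check_frame(model, ts)]

def run_scenarios() -> dict:
    """Train on 200 offline frames of an ECU with 0.2% clock skew, then replay three
    online captures: benign traffic, one injected extra frame, and a masquerading
    node that sends the same ID at the right period from an unskewed clock."""
    skew = 0.002
    train = ecu_frames(0, 200, skew)
    legit = ecu_frames(200, 200, skew, t_base=200 * PERIOD * (1 + skew))
    injected = legit[:101] + [legit[100] + 0.001] + legit[101:]  # extra frame 1 ms after frame 300
    masquerade = legit[:100] + ecu_frames(300, 100, 0.0, t_base=300 * PERIOD * (1 + skew))
    return {"skew": fit_skew(train).skew,
            "benign": detect(fit_skew(train), legit),
            "injection": detect(fit_skew(train), injected),
            "masquerade": detect(fit_skew(train), masquerade)}

if __name__ == "__main__":
    print(run_scenarios())
```

The injected frame is caught on the first frame, because one extra frame shifts every later O_i by a whole period; the masquerading node is caught a few frames later, once its different skew has accumulated enough normalised error, which is the behaviour the page attributes to long-lived attacks versus short bus delays.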
Fig. 4 is a schematic block diagram of embodiment one of the in-vehicle network intrusion detection device based on the message cycle provided by a specific embodiment of the invention. The device shown in Fig. 4 can be applied in the method shown in Figs. 1 to 3: while the in-vehicle network is not communicating with the internet or with external devices, the multiple periodic messages output by the electronic control units (ECUs) on the in-vehicle network bus are collected, and the corresponding temporal characteristics of each electronic control unit (such as its clock offset and clock skew) are calculated from those periodic messages, so that the electronic control unit can be marked. While the in-vehicle network is communicating with the internet or with external devices (for example, when the in-vehicle network is connected to an external network through the T-BOX platform or the entertainment and navigation platform), the identification error of the regular periodic messages output by the electronic control unit marked by the temporal characteristics is calculated, and whether the regular periodic message is abnormal is judged from the identification error and the predetermined threshold.
In the specific embodiment shown in the drawing, the in-vehicle network intrusion detection device includes a first collecting unit 11, a computing unit 12, a marking unit 13, a second collecting unit 14 and a judging unit 15. The first collecting unit 11 is used to collect, while the vehicle is not communicating with the outside world, the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, where the time attributes include the time intervals between multiple periodic messages and the number of periodic messages; the computing unit 12 is used to calculate the corresponding temporal characteristics of the electronic control unit from the time attributes, where the temporal characteristics include the clock skew; the marking unit 13 is used to mark the electronic control unit according to the temporal characteristics; the second collecting unit 14 is used to collect, while the vehicle is communicating with the outside world, the corresponding attributes of the regular periodic message IDs output by the electronic control unit marked by the temporal characteristics, and to calculate the identification error of those attributes; and the judging unit 15 is used to judge from the predetermined threshold and the identification error whether the regular periodic message is abnormal.
Referring to Fig. 4: while the in-vehicle network is not communicating with the outside world, the corresponding temporal characteristics of the electronic control unit are calculated from the periodic messages (such as its clock skew; the clock skew specifically refers to the fact that the standard clock input by the master clock passes through buffering delays and transmission-line delays, so that the clocks of different electronic control units differ from the standard clock, and the deviation of an electronic control unit's clock from the standard clock is called its clock skew), so that the electronic control unit is marked. While the in-vehicle network is communicating with the outside world, the analysis of the identification error judges whether the regular periodic messages received by the electronic control unit are abnormal. This allows complex external attacks to be handled while the in-vehicle network communicates with the outside world, detects whether the in-vehicle network is subject to illegal intrusion, and thereby ensures the safety of the driver and passengers.
In the specific embodiments of the invention, the formula for calculating the clock skew S_i is:
O_i = S_i × t_i + e_i
where i is the sequence number of the identification error data obtained after processing the periodic messages output by the electronic control unit; O_i is the accumulated clock offset of the periodic messages sampled from the electronic control unit; S_i is the clock skew of the periodic messages sampled from the electronic control unit; t_i is the run time; and e_i is the identification error of the regular periodic message.
A kind of in-vehicle network invasion detecting device based on the message cycle that Fig. 5 is provided for the specific embodiment of the invention The schematic block diagram of embodiment two, as shown in figure 5, in order to improve accuracy of detection, preventing electronic control unit to conventional periodic report Text erroneous judgement, can further confirm that to abnormal conventional periodic message, but due to the data processing energy of electronic control unit Power is limited, in order to save data-handling capacity limited in vehicle, can will determine that abnormal conventional periodic message uploads cloud Platform, is verified and is confirmed, last electronic control unit is according to cloud platform by cloud platform to abnormal conventional periodic message The conventional periodic message for confirming that information processing is abnormal of feedback.
In the specific embodiment shown in the drawings, the in-vehicle network intrusion detection device also includes an uploading unit 16 and a confirmation unit 17. The uploading unit 16 is used to upload abnormal conventional periodic messages to the cloud platform; the confirmation unit 17 is used to process the abnormal conventional periodic messages according to the confirmation information returned by the cloud platform.
Referring to Fig. 5, in order to improve the detection accuracy for abnormal conventional periodic messages while saving memory and CPU usage on the electronic control unit and improving its response speed, abnormal conventional periodic messages can be uploaded to the cloud platform, which performs the data processing; the abnormal conventional periodic messages are then processed according to the confirmation information returned by the cloud platform. This prevents the electronic control unit from misjudging conventional periodic messages and further improves the accuracy of abnormal intrusion detection. Of course, the electronic control unit can also process and judge abnormal conventional periodic messages directly, without further judgement by the cloud platform, which improves processing efficiency.
Fig. 6 is a schematic block diagram of embodiment three of an in-vehicle network intrusion detection device based on the message cycle provided by the specific embodiment of the invention. As shown in Fig. 6, the judging unit specifically includes a first computing module, an update module, a second computing module and a judge module.
In the specific embodiment shown in the drawings, the judging unit 15 specifically includes a first computing module 151, an update module 152, a second computing module 153 and a judge module 154. The first computing module 151 is used to calculate the average value and the variance of the identification error. The update module 152 is used to update the average value and the variance, wherein $e$ is the identification error of the conventional periodic message; $\mu_i$ is the average value of the identification error of the periodic messages; $\sigma_i$ is the variance of the identification error of the periodic messages; $M$ is a constant; and $i$ is the sequence number of the identification error data obtained by processing the periodic messages output by the electronic control unit. The second computing module 153 is used to calculate the maximum and minimum values of the accumulated identification error according to the average value and the variance. The judge module 154 is used to judge whether the conventional periodic message is abnormal according to the absolute value of the maximum, the absolute value of the minimum and a preset threshold. In the specific embodiment of the invention, when the corresponding condition holds, the update module 152 updates the average value $\mu_i$ and the variance $\sigma_i$.
Referring to Fig. 6, whether a conventional periodic message is abnormal is judged according to the identification error and the preset threshold: the absolute values of the maximum and of the minimum of the accumulated identification error $L$ are calculated from the identification error, and if the absolute value of the maximum or of the minimum exceeds the preset threshold, the conventional periodic message is judged abnormal. This judging method excludes the scenarios of data transmission delay and bus arbitration delay, mainly because data transmission delay and bus arbitration delay last only a short time whereas a network attack lasts a long time; data transmission delay and bus arbitration delay therefore do not affect the calculated maximum and minimum of the accumulated identification error $L$ and do not cause misjudgement.
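The clock-skew marking and the accumulated-error judgement described above, as an added example that is not part of the patent: it fits the skew $S$ as the slope of the accumulated offset $O_i$ against the run time $t_i$, treats the residual as the identification error $e$, and keeps an upper and a lower accumulated error that are compared with a preset threshold. The CUSUM recursion, the rule that the mean and variance are updated only for samples within $M$ standard deviations, the constants $K$, $M$ and the threshold, and all timestamps, skews and message IDs are assumptions or constructed values, since the page does not reproduce those formulas.

```python
import random
from dataclasses import dataclass


@dataclass
class EcuProfile:
    """Time-feature mark of the ECU that owns one periodic message ID (learning phase)."""
    msg_id: int
    period: float  # nominal message period in seconds
    skew: float    # estimated clock skew S, seconds of drift per second of run time
    mu: float      # running mean of the identification error e
    var: float     # running variance of e
    n: int         # number of samples behind mu and var


def offset_points(arrivals, period, t_ref=0.0, first_index=0):
    """(t_i, O_i) pairs: t_i = i * period, O_i = arrival - t_ref - t_i, so O_i = S * t_i + e_i."""
    return [((first_index + k) * period, (a - t_ref) - (first_index + k) * period)
            for k, a in enumerate(arrivals)]


def fit_skew(points):
    """Least-squares slope of O against t, i.e. the clock skew S in O_i = S * t_i + e_i."""
    n = len(points)
    mt = sum(t for t, _ in points) / n
    mo = sum(o for _, o in points) / n
    sxx = sum((t - mt) ** 2 for t, _ in points)
    sxy = sum((t - mt) * (o - mo) for t, o in points)
    return sxy / sxx


def learn_profile(msg_id, arrivals, period):
    """Learning phase (no outside communication): mark the ECU by its clock skew and record
    the baseline mean and variance of its identification error."""
    pts = offset_points(arrivals, period, t_ref=arrivals[0])
    skew = fit_skew(pts)
    errs = [o - skew * t for t, o in pts]
    mu = sum(errs) / len(errs)
    var = sum((e - mu) ** 2 for e in errs) / len(errs)
    return EcuProfile(msg_id, period, skew, mu, var, len(errs))


class CusumDetector:
    """Detection phase: accumulate the standardized identification error into an upper sum L+
    and a lower sum L-; flag the stream once |L+| or |L-| exceeds the preset threshold.
    The CUSUM recursion and the M-sigma update gate are assumptions, not the patent's formulas."""

    def __init__(self, profile, k=1.0, m=3.0, threshold=10.0):
        self.p = profile
        self.k, self.m, self.threshold = k, m, threshold  # constants K, M, preset threshold
        self.l_plus = 0.0   # maximum (upper) accumulated identification error
        self.l_minus = 0.0  # minimum (lower) accumulated identification error

    def observe(self, t, offset):
        """Feed one message (t = i * period, offset = O_i); returns True when abnormal."""
        e = offset - self.p.skew * t                     # identification error e_i
        z = (e - self.p.mu) / max(self.p.var ** 0.5, 1e-9)
        self.l_plus = max(0.0, self.l_plus + z - self.k)
        self.l_minus = min(0.0, self.l_minus + z + self.k)
        abnormal = abs(self.l_plus) > self.threshold or abs(self.l_minus) > self.threshold
        if not abnormal and abs(z) < self.m:             # update mu/var only within M sigma
            n, mu = self.p.n, self.p.mu
            self.p.mu = mu + (e - mu) / (n + 1)
            self.p.var = (n * self.p.var + (e - mu) * (e - self.p.mu)) / (n + 1)
            self.p.n = n + 1
        return abnormal


def simulate_arrivals(n, period, skew, jitter, rng, start=0.0):
    """Constructed receiver timestamps for n messages from a sender whose clock runs 'skew'
    seconds fast per second, with white jitter; also returns the next scheduled send time."""
    sched, out = start, []
    for _ in range(n):
        out.append(sched + rng.gauss(0.0, jitter))
        sched += period * (1.0 + skew)
    return out, sched


def run_demo(attack=False, seed=7):
    """Learn on 2000 clean messages, then monitor 1000 more (attack=True: the last 600 come from
    a sender with another clock skew, constructed). Returns index of first flagged message or None."""
    rng = random.Random(seed)
    period, jitter = 0.010, 50e-6                       # 10 ms period, 50 us arrival jitter
    learn, sched = simulate_arrivals(2000, period, 200e-6, jitter, rng)
    prof = learn_profile(0x1A0, learn, period)          # 0x1A0: constructed message ID
    clean, sched = simulate_arrivals(400, period, 200e-6, jitter, rng, start=sched)
    tail_skew = -300e-6 if attack else 200e-6           # attacker clock differs by 500 ppm
    tail, _ = simulate_arrivals(600, period, tail_skew, jitter, rng, start=sched)
    det = CusumDetector(prof)
    pts = offset_points(clean + tail, period, t_ref=learn[0], first_index=len(learn))
    return next((i for i, (t, o) in enumerate(pts) if det.observe(t, o)), None)
```

Calling `run_demo()` on the clean stream returns None, while `run_demo(attack=True)` flags the stream a few dozen messages after the sender with the other skew takes over at monitored index 400; short jitter, like the transmission and arbitration delays mentioned above, never drives the sums past the threshold.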
The specific embodiment of the invention provides an in-vehicle network intrusion detection method and device based on the message cycle. When the in-vehicle network is not communicating with the outside world, multiple periodic messages output by the electronic control units (ECUs) on the in-vehicle network bus are collected (periodic messages that are not subject to attack); the temporal characteristics corresponding to the electronic control unit are calculated from the periodic messages, and the electronic control unit is marked accordingly. When the vehicle is communicating with the outside world, the identification error of the conventional periodic messages output by the electronic control unit marked with the temporal characteristics (periodic messages that may be under attack) is calculated; whether the conventional periodic message is abnormal is then judged from the identification error and the preset threshold. The invention allows complex network attacks to be handled when the in-vehicle network accesses the internet or connects to peripherals, detects whether the in-vehicle network has been illegally intruded, and thereby ensures the safety of the driver and passengers.
The above embodiments of the invention can be implemented in various kinds of hardware, software code, or a combination of both. For example, an embodiment of the invention may be program code that performs the above method and is executed in a digital signal processor (DSP). The invention may also relate to various functions performed by a computer processor, digital signal processor, microprocessor or field programmable gate array (FPGA). The above processors can be configured according to the invention to perform particular tasks by executing machine-readable software code or firmware code that defines the particular methods disclosed by the invention. The software code or firmware code can be developed in different programming languages and in different forms or formats, or compiled for different target platforms. However, software code of different code formats, styles and languages, and other kinds of code, that performs the tasks of the invention does not depart from the spirit and scope of the invention.
The foregoing is merely an illustrative specific embodiment of the invention; any equivalent variations and modifications made by those skilled in the art without departing from the concept and principles of the invention shall fall within the scope of protection of the invention.

Claims (12)

1. An in-vehicle network intrusion detection method based on the message cycle, characterised in that the method comprises:
collecting, when the vehicle is not communicating with the outside world, the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, wherein the time attributes include the time intervals between the multiple periodic messages and the number of periodic messages;
calculating the temporal characteristics corresponding to the electronic control unit according to the time attributes, wherein the temporal characteristics include clock skew;
collecting, when the vehicle is communicating with the outside world, the corresponding attributes of the conventional periodic message IDs output by the electronic control unit marked with the temporal characteristics, and calculating the identification error of the corresponding attributes; and
judging whether the conventional periodic message is abnormal according to a preset threshold and the identification error.
2. The in-vehicle network intrusion detection method based on the message cycle as claimed in claim 1, characterised in that, after the step of calculating the temporal characteristics corresponding to the electronic control unit according to the time attributes, the method further comprises:
marking the electronic control unit according to the temporal characteristics.
3. The in-vehicle network intrusion detection method based on the message cycle as claimed in claim 1, characterised in that the method further comprises:
uploading the abnormal conventional periodic messages to a cloud platform; and
processing the abnormal conventional periodic messages according to the confirmation information returned by the cloud platform.
4. The in-vehicle network intrusion detection method based on the message cycle as claimed in claim 1, characterised in that the step of judging whether the conventional periodic message is abnormal according to the preset threshold and the identification error specifically comprises:
calculating the average value and the variance of the identification error;
calculating the maximum and minimum values of the accumulated identification error according to the average value and the variance; and
judging whether the conventional periodic message is abnormal according to the absolute value of the maximum, the absolute value of the minimum and the preset threshold.
5. The in-vehicle network intrusion detection method based on the message cycle as claimed in claim 4, characterised in that, before the step of calculating the maximum and minimum values of the accumulated identification error according to the average value and the variance, the method further comprises:
updating the average value and the variance, wherein $e$ is the identification error of the conventional periodic message; $\mu_i$ is the average value of the identification error of the periodic messages; $\sigma_i$ is the variance of the identification error of the periodic messages; $M$ is a constant; and $i$ is the sequence number of the identification error data obtained by processing the periodic messages output by the electronic control unit.
6. The in-vehicle network intrusion detection method based on the message cycle as claimed in claim 4, characterised in that
the maximum $L^+$ of the accumulated identification error is calculated by the formula:
wherein $i$ is the sequence number of the identification error data obtained by processing the periodic messages output by the electronic control unit; $e$ is the identification error of the conventional periodic message; $\mu_i$ is the average value of the identification error of the periodic messages; $\sigma_i$ is the variance of the identification error of the periodic messages; and $K$ is a constant;
the minimum $L^-$ of the accumulated identification error is calculated by the formula:
wherein $i$ is the sequence number of the identification error data obtained by processing the periodic messages output by the electronic control unit; $e$ is the identification error of the conventional periodic message; $\mu_i$ is the average value of the identification error of the periodic messages; $\sigma_i$ is the variance of the identification error of the periodic messages; and $K$ is a constant.
7. The in-vehicle network intrusion detection method based on the message cycle as claimed in claim 1, characterised in that the clock skew $S_i$ is calculated by the formula:
$O_i = S_i \times t + e$
wherein $i$ is the sequence number of the identification error data obtained by processing the periodic messages output by the electronic control unit; $O_i$ is the accumulated clock offset of the periodic messages sampled from the electronic control unit; $S_i$ is the clock skew of the periodic messages sampled from the electronic control unit; $t$ is the run time; and $e$ is the identification error of the conventional periodic message.
8. An in-vehicle network intrusion detection device based on the message cycle, characterised in that the device comprises:
a first collecting unit, for collecting, when the vehicle is not communicating with the outside world, the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, wherein the time attributes include the time intervals between the multiple periodic messages and the number of periodic messages;
a computing unit, for calculating the temporal characteristics corresponding to the electronic control unit according to the time attributes, wherein the temporal characteristics include clock skew;
a second collecting unit, for collecting, when the vehicle is communicating with the outside world, the corresponding attributes of the conventional periodic message IDs output by the electronic control unit marked with the temporal characteristics, and calculating the identification error of the corresponding attributes; and
a judging unit, for judging whether the conventional periodic message is abnormal according to a preset threshold and the identification error.
9. The in-vehicle network intrusion detection device based on the message cycle as claimed in claim 8, characterised in that the device further comprises:
a marking unit, for marking the electronic control unit according to the temporal characteristics.
10. The in-vehicle network intrusion detection device based on the message cycle as claimed in claim 8, characterised in that the device further comprises:
an uploading unit, for uploading the abnormal conventional periodic messages to a cloud platform; and
a confirmation unit, for processing the abnormal conventional periodic messages according to the confirmation information returned by the cloud platform.
11. The in-vehicle network intrusion detection device based on the message cycle as claimed in claim 8, characterised in that the judging unit specifically comprises:
a first computing module, for calculating the average value and the variance of the identification error;
a second computing module, for calculating the maximum and minimum values of the accumulated identification error according to the average value and the variance; and
a judge module, for judging whether the conventional periodic message is abnormal according to the absolute value of the maximum, the absolute value of the minimum and the preset threshold.
12. The in-vehicle network intrusion detection device based on the message cycle as claimed in claim 11, characterised in that the judging unit further comprises:
an update module, for updating the average value and the variance, wherein $e$ is the identification error of the conventional periodic message; $\mu_i$ is the average value of the identification error of the periodic messages; $\sigma_i$ is the variance of the identification error of the periodic messages; $M$ is a constant; and $i$ is the sequence number of the identification error data obtained by processing the periodic messages output by the electronic control unit.
CN201710243012.0A 2017-04-14 2017-04-14 In-vehicle network intrusion detection method and device based on the message period Active CN106899614B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710243012.0A CN106899614B (en) 2017-04-14 2017-04-14 In-vehicle network intrusion detection method and device based on the message period

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710243012.0A CN106899614B (en) 2017-04-14 2017-04-14 In-vehicle network intrusion detection method and device based on the message period

Publications (2)

Publication Number Publication Date
CN106899614A true CN106899614A (en) 2017-06-27
CN106899614B CN106899614B (en) 2019-09-24

Family

ID=59196677

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710243012.0A Active CN106899614B (en) 2017-04-14 2017-04-14 In-vehicle network intrusion detection method and device based on the message period

Country Status (1)

Country Link
CN (1) CN106899614B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100083 20 Floor, Block A, Tiangong Building, 30 College Road, Haidian District, Beijing

Applicant after: Beijing Bang Bang Safety Technology Co. Ltd.

Address before: 100083 20 Floor, Block A, Tiangong Building, 30 College Road, Haidian District, Beijing

Applicant before: Yangpuweiye Technology Limited

GR01 Patent grant