CN106899614A - In-vehicle network intrusion detection method and device based on the message cycle - Google Patents
In-vehicle network intrusion detection method and device based on the message cycle
- Publication number
- CN106899614A (application number CN201710243012.0A)
- Authority
- CN
- China
- Prior art keywords
- identification error
- electronic control
- message
- control unit
- vehicle
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention provides an in-vehicle network intrusion detection method and device based on the message cycle. The method comprises: while the vehicle is not communicating with the outside world, collecting on the in-vehicle network bus the time attributes of a plurality of periodic message IDs output by one or more electronic control units; calculating from those time attributes the temporal characteristics that identify each electronic control unit; while the vehicle is communicating with the outside world, collecting the corresponding attributes of the regular periodic message IDs output by the electronic control unit identified by those temporal characteristics, and calculating the identification error of those attributes; and judging from the identification error and a predetermined threshold whether the regular periodic messages are abnormal. The invention can detect whether the in-vehicle network is subject to unauthorised intrusion from outside, and thereby protect the safety of the driver and passengers.
Description
Technical field
The present invention relates to the field of network security, in particular to a security detection method for the internal network of a vehicle, and specifically to an in-vehicle network intrusion detection method and device based on the message cycle.
Background technology
In recent years vehicles have become increasingly intelligent and connected, and more and more electronic control units (ECUs) are installed in vehicles to replace formerly mechanical structures. As the number of attached sensors grows, the software control systems of these intelligent components become more complex; at the same time the interfaces for communicating with the outside world multiply, and the connected components also introduce potential network security threats. An ECU installed in a vehicle can be intruded upon remotely over the network, and such an intrusion may cause a vehicle malfunction and so endanger the lives of the driver and passengers. How to avoid or mitigate these network security threats is a pressing task in the development of intelligent connected vehicle technology.
Existing security measures for intelligent connected vehicles are built around cloud security and the security of the vehicle-mounted terminal. These measures alone are not enough: the object served by intelligent connected services is the vehicle itself, and the driving safety of the vehicle is what ultimately has to be protected.
Existing in-vehicle network defences fall into two main directions: defences based on message authentication codes (MAC) and intrusion detection. MAC-based defences provide effective protection for information on the Internet, but because of the limited resources of vehicle ECUs and the constraints of the CAN bus protocol they cannot readily be applied in intelligent connected vehicles. Intrusion detection prevents attacks by monitoring message content or the periodicity of in-vehicle messages, and it can handle most network attacks, such as forgery and message injection. Against some more complex attacks (for example, rewriting control instructions), however, intrusion detection can neither detect nor prevent the attack. The main reason is that an in-vehicle CAN data frame carries neither a destination address nor a source address: the receiver cannot confirm that a received frame actually came from its nominal sender, and even when a frame is confirmed to be attack traffic, the lack of sender information makes it very hard to establish which ECU has in fact been compromised.
Those skilled in the art therefore urgently need an intrusion detection method that closes the gaps in existing intrusion detection defences, so that the in-vehicle network is protected from these more complex attacks and the safety of the driver and passengers is ensured.
Summary of the invention
In view of this, the technical problem to be solved by the present invention is to provide an in-vehicle network intrusion detection method and device based on the message cycle, solving the problem that the prior art cannot detect whether the in-vehicle network is subject to unauthorised intrusion from outside.
To solve the above technical problem, a specific embodiment of the invention provides an in-vehicle network intrusion detection method based on the message cycle, comprising: while the vehicle is not communicating with the outside world, collecting on the in-vehicle network bus the time attributes of a plurality of periodic message IDs output by one or more electronic control units, the time attributes including the time intervals between periodic messages and the number of periodic messages; calculating from the time attributes the temporal characteristics of the electronic control unit, the temporal characteristics including clock skew; while the vehicle is communicating with the outside world, collecting the corresponding attributes of the regular periodic message IDs output by the electronic control unit identified by the temporal characteristics, and calculating the identification error of those attributes; and judging from a predetermined threshold and the identification error whether the regular periodic messages are abnormal.
Another embodiment of the present invention provides an in-vehicle network intrusion detection device based on the message cycle, comprising: a first collecting unit, which collects, while the vehicle is not communicating with the outside world, the time attributes of a plurality of periodic message IDs output by one or more electronic control units on the in-vehicle network bus, the time attributes including the time intervals between periodic messages and the number of periodic messages; a computing unit, which calculates from the time attributes the temporal characteristics of the electronic control unit, the temporal characteristics including clock skew; a second collecting unit, which collects, while the vehicle is communicating with the outside world, the corresponding attributes of the regular periodic message IDs output by the electronic control unit identified by the temporal characteristics and calculates the identification error of those attributes; and a judging unit, which judges from a predetermined threshold and the identification error whether the regular periodic messages are abnormal.
It can be seen from the above specific embodiments that the in-vehicle network intrusion detection method and device based on the message cycle have at least the following advantages. While the in-vehicle network is not communicating with the outside world, a plurality of periodic messages output by an electronic control unit (ECU) on the in-vehicle network bus (periodic messages that are not under attack) are collected, and the temporal characteristics of the electronic control unit are calculated from them, so that the electronic control unit can be marked. While the vehicle is communicating with the outside world, the identification error of the regular periodic messages output by the marked electronic control unit (periodic messages that may be under attack) is calculated, and the identification error and a predetermined threshold are used to judge whether the regular periodic messages are abnormal. The invention thus allows complex network attacks to be countered when the in-vehicle network is connected to the Internet or to peripheral devices, detects whether the in-vehicle network has been illegally intruded upon, and thereby protects the safety of the driver and passengers.
It is to be understood that the above general description and the detailed description below are merely exemplary and explanatory and do not limit the scope claimed by the invention.
Brief description of the drawings
The accompanying drawings form part of the specification of the invention; they depict example embodiments of the invention and, together with the description, serve to explain its principles.
Fig. 1 is a flow chart of embodiment one of an in-vehicle network intrusion detection method based on the message cycle, as provided by a specific embodiment of the invention;
Fig. 2 is a flow chart of embodiment two of the method;
Fig. 3 is a flow chart of embodiment three of the method;
Fig. 4 is a schematic block diagram of embodiment one of an in-vehicle network intrusion detection device based on the message cycle, as provided by a specific embodiment of the invention;
Fig. 5 is a schematic block diagram of embodiment two of the device;
Fig. 6 is a schematic block diagram of embodiment three of the device.
Specific embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the spirit of the disclosure is set out below with reference to the drawings and the detailed description. Any person skilled in the art who has understood the embodiments of the invention may, on the basis of the technology it teaches, make changes and modifications without departing from the spirit and scope of the invention.
The schematic description and the drawings serve to explain the invention, not to limit it. In addition, the same or similar reference numerals used in the drawings and the embodiments denote the same or similar parts.
On " first " used herein, " second " ... etc., not especially censure the meaning of order or cis-position,
Be not used to limit the present invention, its only for distinguish with constructed term describe element or operation.
Directional terms used herein, such as up, down, left, right, front or rear, refer only to directions in the accompanying drawings; they are used for illustration, not to limit this invention.
The terms "comprising", "including", "having", "containing" and the like used herein are open-ended, meaning "including but not limited to". The term "and/or" used herein covers any and all combinations of the listed items.
The terms "substantially", "about" and the like used herein modify quantities that may vary or deviate slightly without changing their essence. In general the range of such variation may be 20% in some embodiments, 10% in others, 5% in others, or some other value; those skilled in the art will understand that these values may be adjusted to actual needs and are not limiting.
Some of the words used to describe the application are discussed below or elsewhere in this specification in order to give those skilled in the art additional guidance on the description of the application.
Fig. 1 is a flow chart of embodiment one of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention. As shown in Fig. 1, while the in-vehicle network is not communicating with the Internet or with any external device, a plurality of periodic messages output by electronic control units (ECUs) on the in-vehicle network bus are collected, and from these periodic messages the temporal characteristics of each electronic control unit (such as its clock offset and clock skew) are calculated, so that the electronic control unit can be marked. While the in-vehicle network is communicating with the Internet or an external device (for example, when the in-vehicle network is connected to an external network through the T-BOX platform or the entertainment and navigation platform), the identification error of the regular periodic messages output by the electronic control unit marked by those temporal characteristics is calculated, and the identification error and a predetermined threshold are used to judge whether the regular periodic messages are abnormal.
The specific embodiment shown in the drawing comprises the following steps:
Step 101: while the vehicle is not communicating with the outside world, collect on the in-vehicle network bus the time attributes of a plurality of periodic message IDs output by one or more electronic control units, the time attributes including the time intervals between periodic messages and the number of periodic messages. In the specific embodiment of the invention, "not communicating with the outside world" means that the in-vehicle network is communicating neither with an external network (including the Internet) nor with an external device (such as a flash drive, portable hard disk or mobile terminal); the in-vehicle network is then taken to be secure. Electronic control units communicate over the in-vehicle network bus (for example a CAN bus), so the periodic messages output by one or more electronic control units can be sampled on that bus. The time attributes include, but are not limited to, the time intervals between periodic messages and the number of periodic messages.
Step 102: calculate from the time attributes the temporal characteristics of the electronic control unit, the temporal characteristics including clock skew. In the specific embodiment of the invention, the temporal characteristics of each electronic control unit differ, so they can be used to mark the electronic control unit and thereby determine which electronic control unit actually output a given periodic message. The temporal characteristics include, but are not limited to, clock skew.
Step 103: mark the electronic control unit according to its temporal characteristics. Temporal characteristics and electronic control units correspond one to one, so the temporal characteristics can be used to mark the electronic control unit.
Step 104: while the vehicle is communicating with the outside world, collect the corresponding attributes of the regular periodic message IDs output by the electronic control unit marked by the temporal characteristics, and calculate the identification error of those attributes. In the specific embodiment of the invention, the vehicle communicates with the outside world when the in-vehicle network communicates with an external network (including the Internet) through the in-vehicle T-BOX platform or the entertainment and navigation platform; the in-vehicle network is then insecure and the regular periodic messages may be under external attack.
Step 105: judge from the predetermined threshold and the identification error whether the regular periodic message is abnormal. In the specific embodiment of the invention the predetermined threshold is usually 10 to 50. The accumulated identification error is obtained from the identification errors, and from it the maximum and minimum of the accumulated identification error; if the absolute value of either the maximum or the minimum of the accumulated identification error exceeds the predetermined threshold, the regular periodic message is judged abnormal.
Referring to Fig. 1: while the in-vehicle network is not communicating with the outside world, the temporal characteristics of each electronic control unit are calculated from its periodic messages (for example its clock skew: a reference clock supplied by a master clock passes through buffer delays and transmission-line delays, so that the clocks of different electronic control units deviate from the reference clock; the deviation of an electronic control unit's clock from the reference clock is its clock skew), and the electronic control unit is thereby marked. While the in-vehicle network is communicating with the outside world, the identification error is analysed to judge whether the regular periodic messages received from the electronic control unit are abnormal. This allows complex external attacks to be countered while the in-vehicle network communicates with the outside world, detects whether the in-vehicle network is subject to unauthorised intrusion, and thereby protects the safety of the driver and passengers.
In the specific embodiment of the invention, the clock skew $S_i$ is obtained from the relation

$$O_i = S_i \cdot t_i + e_i$$

where $i$ is the sequence number of the identification-error datum computed from the periodic messages output by the electronic control unit; $O_i$ is the accumulated clock offset of the periodic messages sampled from the electronic control unit; $S_i$ is the clock skew of those sampled periodic messages; $t_i$ is the elapsed running time; and $e_i$ is the identification error of the regular periodic message.
Fig. 2 is a flow chart of embodiment two of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention. As shown in Fig. 2, to improve detection accuracy and prevent the electronic control unit from misjudging regular periodic messages, a regular periodic message judged abnormal can be confirmed further. Since the data processing capacity of an electronic control unit is limited, and to conserve the limited processing capacity inside the vehicle, the regular periodic message judged abnormal can be uploaded to a cloud platform, which verifies and confirms it; the electronic control unit then handles the abnormal regular periodic message according to the confirmation returned by the cloud platform.
In the specific embodiment shown in the drawing, after step 105 the method further comprises:
Step 106: upload the abnormal regular periodic message to the cloud platform. In the specific embodiment of the invention the cloud platform has greater data processing capacity and may be a server, a server cluster, a computer, a mobile terminal or the like.
Step 107: handle the abnormal regular periodic message according to the confirmation returned by the cloud platform. The electronic control unit handles the abnormal regular periodic message according to the confirmation returned by the cloud platform, for example by discarding it or by not executing it.
Referring to Fig. 2: to improve the accuracy with which abnormal regular periodic messages are detected, and at the same time to reduce the memory and CPU usage of the electronic control unit and improve its response speed, the abnormal regular periodic message can be uploaded to the cloud platform for processing and then handled according to the confirmation the cloud platform returns. This prevents the electronic control unit from misjudging regular periodic messages and further raises the accuracy of intrusion detection. Of course, the electronic control unit can also process and judge abnormal regular periodic messages directly, without further judgement by the cloud platform, which improves processing efficiency.
Fig. 3 is a flow chart of embodiment three of the in-vehicle network intrusion detection method based on the message cycle provided by a specific embodiment of the invention. As shown in Fig. 3, judging from the identification error and the predetermined threshold whether a regular periodic message is abnormal comprises four steps.
In the specific embodiment shown in the drawing, step 105 specifically comprises:
Step 1051: calculate the mean $\mu_i$ and the variance $\sigma_i$ of the identification error $e$.
Step 1052: update the mean $\mu_i$ and the variance $\sigma_i$, where $e$ is the identification error of the regular periodic message; $\mu_i$ is the mean of the identification errors of the periodic messages; $\sigma_i$ is the variance of the identification errors of the periodic messages; $M$ is a constant; and $i$ is the sequence number of the identification-error datum computed from the periodic messages output by the electronic control unit. In the specific embodiment of the invention, $\mu_i$ and $\sigma_i$ are updated whenever the update condition involving the constant $M$ is satisfied.
Step 1053: from the mean $\mu_i$ and the variance $\sigma_i$, calculate the maximum and the minimum of the accumulated identification error $L$.
Step 1054: judge from the absolute value of the maximum, the absolute value of the minimum and the predetermined threshold whether the regular periodic message is abnormal.
Referring to Fig. 3: to judge from the identification error and the predetermined threshold whether a regular periodic message is abnormal, the maximum and minimum of the accumulated identification error $L$ are calculated from the identification errors, and if the absolute value of either the maximum or the minimum exceeds the predetermined threshold the regular periodic message is judged abnormal. This test rules out false alarms caused by data transmission delay and bus arbitration delay: such delays are short-lived, whereas a network attack persists, so transmission and arbitration delays do not change the computed maximum and minimum of the accumulated identification error $L$ and therefore do not lead to misjudgement.
In the specific embodiment of the invention, the maximum $L^{+}$ of the accumulated identification error is computed from $e$, $\mu_i$, $\sigma_i$ and a constant $K$, where $i$ is the sequence number of the identification-error datum computed from the periodic messages output by the electronic control unit; $e$ is the identification error of the regular periodic message; $\mu_i$ is the mean of the identification errors of the periodic messages; $\sigma_i$ is the variance of the identification errors of the periodic messages; and $K$ is a constant.
The minimum $L^{-}$ of the accumulated identification error is computed from the same quantities $e$, $\mu_i$, $\sigma_i$ and the constant $K$, with $i$, $e$, $\mu_i$, $\sigma_i$ and $K$ defined as above.
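The two procedures described above, the fingerprinting and error computation of steps 101 to 105 built on the relation $O_i = S_i \cdot t_i + e_i$, and the accumulated-error test of steps 1051 to 1054, can be worked through end to end in Python. The following is an added example written for this page; it is not code from the patent or its applicant. It assumes a 10 ms message cycle, uniform arrival jitter of plus or minus 20 µs, ECU clock skews of 200 ppm (legitimate sender) and 500 ppm (masquerading sender), and, because the page's update rule and its $L^{+}$/$L^{-}$ formulas are not reproduced in the text, a standard two-sided CUSUM on standardised identification errors with $\kappa = 5$ in the role of the constant $K$ and a threshold of 10, the lower end of the page's 10 to 50 range. All bus timestamps are constructed by simulation; nothing here was captured from a vehicle.

```python
import math
import random
from dataclasses import dataclass

PERIOD = 0.010   # nominal message cycle, 10 ms (assumed)
JITTER = 20e-6   # +/-20 us uniform arrival jitter (assumed)


def simulate_arrivals(n, skew_of, rng, period=PERIOD, jitter=JITTER):
    """Constructed timestamps for n frames of one message ID; skew_of(i) is the
    clock skew (s/s) of the sender of frame i, so a masquerade is a switch of skew_of."""
    times, base = [], 0.0
    for i in range(n):
        if i:
            base += period * (1.0 + skew_of(i))
        times.append(base + rng.uniform(-jitter, jitter))
    return times

def accumulated_offsets(times, period=PERIOD):
    """Steps 101-102: per-frame clock offset (interval minus period), summed
    into O_i; returns (t_i, O_i) with t_i the time elapsed since frame 0."""
    t0, acc, ts, offs = times[0], 0.0, [], []
    for prev, cur in zip(times, times[1:]):
        acc += (cur - prev) - period
        ts.append(cur - t0)
        offs.append(acc)
    return ts, offs

def fit_skew(ts, offs):
    """Steps 102-103: least-squares fit O = S*t + c on the trusted offline capture;
    slope S is the ECU's clock-skew fingerprint, residuals are the errors e_i."""
    n = len(ts)
    mt, mo = sum(ts) / n, sum(offs) / n
    sxx = sum((t - mt) ** 2 for t in ts)
    sxy = sum((t - mt) * (o - mo) for t, o in zip(ts, offs))
    skew = sxy / sxx
    intercept = mo - skew * mt
    residuals = [o - (skew * t + intercept) for t, o in zip(ts, offs)]
    return skew, residuals

@dataclass
class CusumDetector:
    """Steps 1051-1054 as a two-sided CUSUM (assumed form; the page's update rule
    and L+/L- formulas are not reproduced).  kappa stands in for the constant K."""
    mu: float
    var: float
    n: int
    kappa: float = 5.0
    threshold: float = 10.0
    l_pos: float = 0.0
    l_neg: float = 0.0

    @classmethod
    def from_baseline(cls, residuals, **kw):
        n = len(residuals)
        mu = sum(residuals) / n
        var = sum((e - mu) ** 2 for e in residuals) / n
        return cls(mu=mu, var=var, n=n, **kw)

    def update(self, e):
        """Feed one identification error; True once either side's accumulated error
        exceeds the threshold.  A brief bus delay shifts e for a frame or two only."""
        z = (e - self.mu) / math.sqrt(self.var)
        self.l_pos = max(0.0, self.l_pos + z - self.kappa)
        self.l_neg = max(0.0, self.l_neg - z - self.kappa)
        if max(self.l_pos, self.l_neg) > self.threshold:
            return True
        # Only errors judged normal refine mu and sigma (Welford running update).
        self.n += 1
        delta = e - self.mu
        self.mu += delta / self.n
        self.var += (delta * (e - self.mu) - self.var) / self.n
        return False

def detect(times, skew, detector):
    """Steps 104-105: e_i = O_i - S*t_i (the page's O_i = S_i*t_i + e_i solved for
    e_i) on a stream captured while connected; returns first alarming frame or None."""
    ts, offs = accumulated_offsets(times)
    for i, (t, o) in enumerate(zip(ts, offs)):
        if detector.update(o - skew * t):
            return i + 1          # offsets start at frame 1
    return None

def run_demo(seed=7):
    rng = random.Random(seed)
    legit, attacker = 200e-6, 500e-6     # 200 ppm vs 500 ppm skew (assumed)
    # Offline phase: the vehicle is not talking to the outside; frames are trusted.
    baseline = simulate_arrivals(1000, lambda i: legit, rng)
    skew, residuals = fit_skew(*accumulated_offsets(baseline))
    # Online phase: a clean stream, then one where frame 500 onward is a masquerade.
    clean = simulate_arrivals(800, lambda i: legit, rng)
    attack = simulate_arrivals(800, lambda i: legit if i < 500 else attacker, rng)
    det = lambda stream: detect(stream, skew, CusumDetector.from_baseline(residuals))
    return {"skew": skew, "clean_alarm": det(clean), "attack_alarm": det(attack)}

if __name__ == "__main__":
    print(run_demo())
```

Running the module prints a fitted skew close to 200e-6, `None` for the clean stream, and a frame index some tens of frames after frame 500 for the masquerade stream. The $\kappa$ margin is what absorbs the fresh stream's initial jitter offset and short arbitration delays, which is the behaviour the page claims for its maximum/minimum test; a threshold at the upper end of the page's range (50) would tolerate longer disturbances at the cost of slower detection.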
Fig. 4 is a schematic block diagram of embodiment one of the in-vehicle network intrusion detection device based on the message cycle provided by a specific embodiment of the invention. The device shown in Fig. 4 can be applied to the methods shown in Figs. 1 to 3. While the in-vehicle network is not communicating with the Internet or an external device, it collects a plurality of periodic messages output by electronic control units (ECUs) on the in-vehicle network bus, calculates from them the temporal characteristics of each electronic control unit (such as clock offset and clock skew), and so marks the electronic control unit. While the in-vehicle network is communicating with the Internet or an external device (for example, when it is connected to an external network through the T-BOX platform or the entertainment and navigation platform), it calculates the identification error of the regular periodic messages output by the marked electronic control unit and judges from the identification error and the predetermined threshold whether those regular periodic messages are abnormal.
In the specific embodiment shown in the drawing, the in-vehicle network intrusion detection device comprises a first collecting unit 11, a computing unit 12, a marking unit 13, a second collecting unit 14 and a judging unit 15. The first collecting unit 11 collects, while the vehicle is not communicating with the outside world, the time attributes of a plurality of periodic message IDs output by one or more electronic control units on the in-vehicle network bus, the time attributes including the time intervals between periodic messages and the number of periodic messages; the computing unit 12 calculates from the time attributes the temporal characteristics of the electronic control unit, the temporal characteristics including clock skew; the marking unit 13 marks the electronic control unit according to the temporal characteristics; the second collecting unit 14 collects, while the vehicle is communicating with the outside world, the corresponding attributes of the regular periodic message IDs output by the electronic control unit marked by the temporal characteristics and calculates the identification error of those attributes; and the judging unit 15 judges from the predetermined threshold and the identification error whether the regular periodic message is abnormal.
Referring to Fig. 4: while the in-vehicle network is not communicating with the outside world, the temporal characteristics of each electronic control unit are calculated from its periodic messages (for example its clock skew: a reference clock supplied by a master clock passes through buffer delays and transmission-line delays, so that the clocks of different electronic control units deviate from the reference clock; the deviation of an electronic control unit's clock from the reference clock is its clock skew), and the electronic control unit is thereby marked. While the in-vehicle network is communicating with the outside world, the identification error is analysed to judge whether the regular periodic messages received from the electronic control unit are abnormal. This allows complex external attacks to be countered while the in-vehicle network communicates with the outside world, detects whether the in-vehicle network is subject to unauthorised intrusion, and thereby protects the safety of the driver and passengers.
In the specific embodiment of the invention, the clock skew $S_i$ is obtained from the relation

$$O_i = S_i \cdot t_i + e_i$$

where $i$ is the sequence number of the identification-error datum computed from the periodic messages output by the electronic control unit; $O_i$ is the accumulated clock offset of the periodic messages sampled from the electronic control unit; $S_i$ is the clock skew of those sampled periodic messages; $t_i$ is the elapsed running time; and $e_i$ is the identification error of the regular periodic message.
Fig. 5 is a schematic block diagram of embodiment two of the in-vehicle network intrusion detection device based on the message cycle provided by a specific embodiment of the invention. As shown in Fig. 5, to improve detection accuracy and prevent the electronic control unit from misjudging regular periodic messages, a regular periodic message judged abnormal can be confirmed further. Since the data processing capacity of an electronic control unit is limited, and to conserve the limited processing capacity inside the vehicle, the regular periodic message judged abnormal can be uploaded to a cloud platform, which verifies and confirms it; the electronic control unit then handles the abnormal regular periodic message according to the confirmation returned by the cloud platform.
In the specific embodiment shown in the drawing, the in-vehicle network intrusion detection device further comprises an uploading unit 16 and a confirmation unit 17. The uploading unit 16 uploads the abnormal regular periodic message to the cloud platform; the confirmation unit 17 handles the abnormal regular periodic message according to the confirmation returned by the cloud platform.
Referring to Fig. 5, to improve the detection accuracy for abnormal regular periodic messages while conserving the memory and CPU of the electronic control unit and improving its response speed, the abnormal regular periodic message can be uploaded to the cloud platform, which carries out the data processing; the abnormal regular periodic message is then handled according to the confirmation information returned by the cloud platform. This prevents the electronic control unit from misjudging regular periodic messages and further improves the detection precision for abnormal intrusions. Alternatively, the electronic control unit can process and judge the abnormal regular periodic message directly, without further judgement by the cloud platform, which improves processing efficiency.
Fig. 6 is a schematic block diagram of embodiment three of an in-vehicle network intrusion detection device based on the message period according to a specific embodiment of the invention. As shown in Fig. 6, the judging unit specifically includes a first computing module, an update module, a second computing module and a judge module.
In the specific embodiment shown in the drawings, the judging unit 15 specifically includes a first computing module 151, an update module 152, a second computing module 153 and a judge module 154. The first computing module 151 calculates the average value and the variance of the identification error. The update module 152 updates the average value and the variance according to the update formula, in which e is the identification error of the regular periodic message, μ_i is the average value of the identification error of the periodic messages, σ_i is the variance of the identification error of the periodic messages, m is a constant, and i is the sequence number of the identification-error data obtained from the periodic messages output by the electronic control unit after algorithmic processing. The second computing module 153 calculates the maximum and minimum values of the accumulated identification error from the average value and the variance. The judge module 154 judges whether the regular periodic message is abnormal from the absolute value of the maximum, the absolute value of the minimum and a predetermined threshold. In a specific embodiment of the invention, when the update condition holds, the update module 152 updates the average value μ_i and the variance σ_i.
Referring to Fig. 6, whether the regular periodic message is abnormal is judged from the identification error and the predetermined threshold: the absolute values of the maximum and the minimum of the accumulated identification error L are calculated from the identification error, and if the absolute value of the maximum or of the minimum exceeds the predetermined threshold, the regular periodic message is judged abnormal. This judgement method rules out the scenarios of data-transmission delay and bus-arbitration delay, mainly because those delays are short whereas a network attack lasts long; the data-transmission delay and bus-arbitration delay therefore do not affect the calculated maximum and minimum of the accumulated identification error L and do not cause misjudgement.
A specific embodiment of the invention provides an in-vehicle network intrusion detection method and device based on the message period. While the in-vehicle network is not communicating with the outside world, a plurality of periodic messages (periodic messages not affected by an attack) output by an electronic control unit (ECU) on the in-vehicle network bus are collected; the temporal characteristics corresponding to the electronic control unit are then calculated from the periodic messages and used to mark the electronic control unit. While the vehicle is communicating with the outside world, the identification error of the regular periodic messages (periodic messages that may be under attack) output by the electronic control unit marked with the temporal characteristics is calculated; whether the regular periodic message is abnormal is then judged from the identification error and the predetermined threshold. The invention allows complex network attacks to be handled when the in-vehicle network accesses the Internet or connects to peripherals, detects whether the in-vehicle network is subject to illegal intrusion, and thereby protects the safety of the driver and passengers.
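The skew model given at the start of this section (O_i = S_i × t_i + e_i) and the accumulated-error comparison of embodiment three can be exercised end to end on constructed traffic. The following Python is an added example and not code from the patent: the training phase fits the clock skew of one periodic message ID on attack-free traffic, the online phase computes the identification error of each later arrival against that fingerprint, updates the mean and variance, accumulates the standardised error and compares the accumulators against a threshold. The CUSUM form of the accumulators, the intercept in the least-squares fit, the constants k, h and m, the 10 ms period, the jitter and skew values, and all class and function names are assumptions of this example; the page names the quantities involved but does not reproduce these formulas.

```python
import math
import random


class RunningStats:
    """Welford running mean / standard deviation of the identification error e.
    (The page calls the spread sigma_i the 'variance'; standardisation below
    uses the standard deviation, an assumption of this example.)"""

    def __init__(self):
        self.n, self.mean, self._m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self._m2 += delta * (x - self.mean)

    @property
    def std(self):
        return math.sqrt(self._m2 / (self.n - 1)) if self.n > 1 else 0.0


class PeriodIDS:
    """Clock-skew fingerprint of one periodic message ID plus CUSUM-style
    accumulators L+ / L- on its identification error (assumed form).

    period: nominal message period in seconds
    k, h:   CUSUM reference value and decision threshold, in units of sigma
    m:      mu / sigma are only updated while |e - mu| < m * sigma (assumed)
    """

    def __init__(self, period, k=0.5, h=15.0, m=3.0):
        self.period, self.k, self.h, self.m = period, k, h, m
        self.t0 = self.skew = self.intercept = 0.0
        self.i = 0                       # sequence number of the next message
        self.stats = RunningStats()
        self.l_plus = self.l_minus = 0.0

    def _offset(self, i, arrival):
        """O_i: drift of the i-th arrival from the nominal schedule t0 + i*period."""
        return arrival - (self.t0 + i * self.period)

    def train(self, arrivals):
        """Offline phase on attack-free traffic: least-squares fit of O_i = S*t_i + b
        with t_i = i*period. The intercept b is an assumption beyond the page's
        O_i = S_i*t + e; it absorbs the jitter of the reference message so that
        the fitted skew S is not biased by it."""
        self.t0 = arrivals[0]
        ts = [i * self.period for i in range(len(arrivals))]
        os_ = [self._offset(i, a) for i, a in enumerate(arrivals)]
        n = len(ts)
        t_mean, o_mean = sum(ts) / n, sum(os_) / n
        sxx = sum((t - t_mean) ** 2 for t in ts)
        sxy = sum((t - t_mean) * (o - o_mean) for t, o in zip(ts, os_))
        self.skew = sxy / sxx
        self.intercept = o_mean - self.skew * t_mean
        for t, o in zip(ts, os_):
            self.stats.update(o - self.skew * t - self.intercept)
        self.i = n

    def observe(self, arrival):
        """Online phase: feed one arrival; return True if an alarm is raised."""
        i, self.i = self.i, self.i + 1
        e = self._offset(i, arrival) - self.skew * i * self.period - self.intercept
        sigma = self.stats.std or 1e-12
        z = (e - self.stats.mean) / sigma
        if abs(z) < self.m:              # keep outliers out of the mu / sigma estimate
            self.stats.update(e)
        self.l_plus = max(0.0, self.l_plus + z - self.k)    # accumulates positive drift
        self.l_minus = min(0.0, self.l_minus + z + self.k)  # accumulates negative drift
        return abs(self.l_plus) > self.h or abs(self.l_minus) > self.h


def run_scenario(seed=7):
    """Constructed traffic (not captured data): 500 training messages, 300 clean
    live messages of which one is delayed 0.5 ms (a bus-arbitration delay, not an
    attack), then 200 messages from a masquerading sender whose clock skew differs
    from the legitimate ECU's. Returns where the detector alarmed."""
    rng = random.Random(seed)
    period, jitter = 0.010, 100e-6              # 10 ms message, +/-100 us jitter
    ecu_skew, attacker_skew = 50e-6, -250e-6    # +50 ppm legitimate, -250 ppm attacker
    n_train, n_clean, n_attack = 500, 300, 200

    legit = [i * period * (1.0 + ecu_skew) + rng.uniform(-jitter, jitter)
             for i in range(n_train + n_clean)]
    legit[n_train + 100] += 500e-6              # one-off arbitration delay
    last = (n_train + n_clean - 1) * period * (1.0 + ecu_skew)
    attack = [last + j * period * (1.0 + attacker_skew) + rng.uniform(-jitter, jitter)
              for j in range(1, n_attack + 1)]

    ids = PeriodIDS(period)
    ids.train(legit[:n_train])
    attack_start = n_train + n_clean
    alarms = [idx for idx, a in enumerate(legit[n_train:] + attack, start=n_train)
              if ids.observe(a)]
    return {
        "fitted_skew_ppm": ids.skew * 1e6,
        "attack_start": attack_start,
        "clean_alarms": [a for a in alarms if a < attack_start],
        "first_attack_alarm": next((a for a in alarms if a >= attack_start), None),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the block prints the dictionary returned by run_scenario(). The one-off 0.5 ms delay in the clean phase produces a single large identification error that the accumulators absorb without an alarm, which is the short-delay behaviour the description relies on, while the masquerading sender's different skew produces a small but steadily growing error that pushes the negative accumulator past the threshold after a few dozen messages.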
The above embodiments of the invention can be implemented in various kinds of hardware, in software code, or in a combination of both. For example, an embodiment of the invention may also be program code that executes the above method on a digital signal processor (DSP). The invention may also refer to various functions performed by a computer processor, digital signal processor, microprocessor or field-programmable gate array (FPGA). The above processors can be configured according to the invention to perform particular tasks by executing machine-readable software code or firmware code that defines the particular methods disclosed by the invention. The software code or firmware code can be developed in different programming languages and in different forms or formats, or compiled for different target platforms. However, different code patterns, types and languages of software code and other types of configuration code that perform tasks according to the invention do not depart from the spirit and scope of the invention.
The foregoing is only an illustrative specific embodiment of the invention; without departing from the concept and principle of the invention, any equivalent variation or modification made by a person skilled in the art shall fall within the scope of protection of the invention.
Claims (12)
1. An in-vehicle network intrusion detection method based on the message period, characterized in that the method includes:
collecting, while the vehicle is not communicating with the outside world, the time attributes of a plurality of periodic message IDs output by one or more electronic control units on the in-vehicle network bus, where the time attributes include the time intervals of the periodic messages and the number of periodic messages;
calculating the temporal characteristics corresponding to the electronic control unit from the time attributes, where the temporal characteristics include clock skew;
collecting, while the vehicle is communicating with the outside world, the attributes corresponding to the regular periodic message IDs output by the electronic control unit marked with the temporal characteristics, and calculating the identification error of those attributes; and
judging whether the regular periodic message is abnormal according to a predetermined threshold and the identification error.
2. The in-vehicle network intrusion detection method based on the message period as claimed in claim 1, characterized in that, after the step of calculating the temporal characteristics corresponding to the electronic control unit from the time attributes, the method further includes:
marking the electronic control unit according to the temporal characteristics.
3. The in-vehicle network intrusion detection method based on the message period as claimed in claim 1, characterized in that the method further includes:
uploading the abnormal regular periodic message to a cloud platform; and
processing the abnormal regular periodic message according to the confirmation information returned by the cloud platform.
4. The in-vehicle network intrusion detection method based on the message period as claimed in claim 1, characterized in that the step of judging whether the regular periodic message is abnormal according to the predetermined threshold and the identification error specifically includes:
calculating the average value and the variance of the identification error;
calculating the maximum and minimum values of the accumulated identification error from the average value and the variance; and
judging whether the regular periodic message is abnormal from the absolute value of the maximum, the absolute value of the minimum and the predetermined threshold.
5. The in-vehicle network intrusion detection method based on the message period as claimed in claim 4, characterized in that, before the step of calculating the maximum and minimum values of the accumulated identification error from the average value and the variance, the method further includes:
updating the average value and the variance according to the following formula:
where e is the identification error of the regular periodic message; μ_i is the average value of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; m is a constant; and i is the sequence number of the identification-error data obtained from the periodic messages output by the electronic control unit after algorithmic processing.
6. The in-vehicle network intrusion detection method based on the message period as claimed in claim 4, characterized in that
the maximum L+ of the accumulated identification error is calculated by the formula:
where i is the sequence number of the identification-error data obtained from the periodic messages output by the electronic control unit after algorithmic processing; e is the identification error of the regular periodic message; μ_i is the average value of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; and k is a constant;
and the minimum L- of the accumulated identification error is calculated by the formula:
where i is the sequence number of the identification-error data obtained from the periodic messages output by the electronic control unit after algorithmic processing; e is the identification error of the regular periodic message; μ_i is the average value of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; and k is a constant.
7. The in-vehicle network intrusion detection method based on the message period as claimed in claim 1, characterized in that the clock skew S_i is calculated by the formula:
O_i = S_i × t + e
where i is the sequence number of the identification-error data obtained from the periodic messages output by the electronic control unit after algorithmic processing; O_i is the accumulated clock offset of the periodic messages sampled from the electronic control unit; S_i is the clock skew of the periodic messages sampled from the electronic control unit; t is the run time; and e is the identification error of the regular periodic message.
8. An in-vehicle network intrusion detection device based on the message period, characterized in that the device includes:
a first collecting unit, for collecting, while the vehicle is not communicating with the outside world, the time attributes of a plurality of periodic message IDs output by one or more electronic control units on the in-vehicle network bus, where the time attributes include the time intervals of the periodic messages and the number of periodic messages;
a computing unit, for calculating the temporal characteristics corresponding to the electronic control unit from the time attributes, where the temporal characteristics include clock skew;
a second collecting unit, for collecting, while the vehicle is communicating with the outside world, the attributes corresponding to the regular periodic message IDs output by the electronic control unit marked with the temporal characteristics, and calculating the identification error of those attributes; and
a judging unit, for judging whether the regular periodic message is abnormal according to a predetermined threshold and the identification error.
9. The in-vehicle network intrusion detection device based on the message period as claimed in claim 8, characterized in that the device further includes:
a marking unit, for marking the electronic control unit according to the temporal characteristics.
10. The in-vehicle network intrusion detection device based on the message period as claimed in claim 8, characterized in that the device further includes:
an uploading unit, for uploading the abnormal regular periodic message to a cloud platform; and
a confirmation unit, for processing the abnormal regular periodic message according to the confirmation information returned by the cloud platform.
11. The in-vehicle network intrusion detection device based on the message period as claimed in claim 8, characterized in that the judging unit specifically includes:
a first computing module, for calculating the average value and the variance of the identification error;
a second computing module, for calculating the maximum and minimum values of the accumulated identification error from the average value and the variance; and
a judge module, for judging whether the regular periodic message is abnormal from the absolute value of the maximum, the absolute value of the minimum and the predetermined threshold.
12. The in-vehicle network intrusion detection device based on the message period as claimed in claim 11, characterized in that the judging unit further includes:
an update module, for updating the average value and the variance according to the following formula:
where e is the identification error of the regular periodic message; μ_i is the average value of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; m is a constant; and i is the sequence number of the identification-error data obtained from the periodic messages output by the electronic control unit after algorithmic processing.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710243012.0A CN106899614B (en) | 2017-04-14 | 2017-04-14 | In-vehicle network intrusion detection method and device based on the message period |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710243012.0A CN106899614B (en) | 2017-04-14 | 2017-04-14 | In-vehicle network intrusion detection method and device based on the message period |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106899614A true CN106899614A (en) | 2017-06-27 |
CN106899614B CN106899614B (en) | 2019-09-24 |
Family
ID=59196677
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710243012.0A Active CN106899614B (en) | 2017-04-14 | 2017-04-14 | In-vehicle network intrusion detection method and device based on the message period |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106899614B (en) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107666476A (en) * | 2017-05-25 | 2018-02-06 | 国家计算机网络与信息安全管理中心 | A kind of CAN risk checking method and device |
CN108111510A (en) * | 2017-12-20 | 2018-06-01 | 北京航空航天大学 | A kind of in-vehicle network intrusion detection method and system |
CN109005678A (en) * | 2017-04-07 | 2018-12-14 | 松下电器(美国)知识产权公司 | Illegal communication detection method, Improper communication detection system and program |
CN109033829A (en) * | 2018-07-27 | 2018-12-18 | 北京梆梆安全科技有限公司 | Vehicle network intrusion detection householder method, apparatus and system |
CN109117639A (en) * | 2018-07-27 | 2019-01-01 | 北京梆梆安全科技有限公司 | A kind of detection method and device of intrusion risk |
CN109617764A (en) * | 2018-12-27 | 2019-04-12 | 百度在线网络技术(北京)有限公司 | CAN message detection method and device |
CN109688152A (en) * | 2019-01-03 | 2019-04-26 | 南京邮电大学 | A kind of detection method of the message injection attack towards vehicle-mounted CAN bus |
CN110691104A (en) * | 2019-11-11 | 2020-01-14 | 哈尔滨工业大学 | Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics |
CN110933121A (en) * | 2018-09-19 | 2020-03-27 | 阿里巴巴集团控股有限公司 | Connection establishing method, communication processing method and device and communication equipment |
CN112119392A (en) * | 2018-05-17 | 2020-12-22 | 欧姆龙株式会社 | Abnormality detection device and abnormality detection method |
CN112217785A (en) * | 2019-07-10 | 2021-01-12 | 罗伯特·博世有限公司 | Apparatus and method for anomaly identification in a communication network |
CN112550281A (en) * | 2020-12-29 | 2021-03-26 | 广州小鹏自动驾驶科技有限公司 | Automatic parking control method and device |
CN113163369A (en) * | 2020-01-20 | 2021-07-23 | 北京新能源汽车股份有限公司 | Vehicle intrusion prevention processing method and device and automobile |
CN114430308A (en) * | 2021-12-09 | 2022-05-03 | 西安昆仑工业(集团)有限责任公司 | Method for correcting time sequence accidental dislocation caused by software timing transmission time drift |
CN115102707A (en) * | 2022-04-27 | 2022-09-23 | 麦格纳斯太尔汽车技术(上海)有限公司 | Vehicle CAN network IDS safety detection system and method |
CN115484059A (en) * | 2022-08-09 | 2022-12-16 | 中汽创智科技有限公司 | Vehicle-mounted bus message processing method and device, vehicle-mounted terminal and storage medium |
WO2024051557A1 (en) * | 2022-09-07 | 2024-03-14 | 广州汽车集团股份有限公司 | Intrusion detection and protection apparatus and method for automotive bus network, and storage medium |
CN117955733A (en) * | 2024-03-21 | 2024-04-30 | 北京航空航天大学 | Vehicle-mounted CAN network intrusion detection method and system |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN202495957U (en) * | 2012-03-13 | 2012-10-17 | 中国汽车技术研究中心 | Alternating layer test system used for vehicle CAN network communication |
CN202710959U (en) * | 2012-07-13 | 2013-01-30 | 广州汽车集团股份有限公司 | Decision system of periodic CAN message loss fault |
CN103237308A (en) * | 2013-05-15 | 2013-08-07 | 西华大学 | Distributed intrusion detection method of vehicle ad hoc network |
CN103873319A (en) * | 2012-12-12 | 2014-06-18 | 现代自动车株式会社 | Apparatus and method for detecting in-vehicle network attack |
CN104025506A (en) * | 2011-10-31 | 2014-09-03 | 丰田自动车株式会社 | Message authentication method in communication system and communication system |
US20150020152A1 (en) * | 2012-03-29 | 2015-01-15 | Arilou Information Security Technologies Ltd. | Security system and method for protecting a vehicle electronic system |
US20160188396A1 (en) * | 2014-12-30 | 2016-06-30 | Battelle Memorial Institute | Temporal anomaly detection on automotive networks |
CN106059987A (en) * | 2015-04-17 | 2016-10-26 | 现代自动车株式会社 | In-vehicle network intrusion detection system and method for controlling the same |
- 2017-04-14 CN CN201710243012.0A patent/CN106899614B/en active
Non-Patent Citations (1)
Title |
---|
HYUN MIN SONG, HA RANG KIM AND HUY KANG KIM: "Intrusion Detection System Based on the Analysis of Time Intervals of CAN Messages for In-Vehicle Network", 《ICOIN 2016》 * |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109005678A (en) * | 2017-04-07 | 2018-12-14 | 松下电器(美国)知识产权公司 | Illegal communication detection method, Improper communication detection system and program |
CN109005678B (en) * | 2017-04-07 | 2022-05-27 | 松下电器(美国)知识产权公司 | Illegal communication detection method, illegal communication detection system, and recording medium |
CN107666476B (en) * | 2017-05-25 | 2021-06-04 | 国家计算机网络与信息安全管理中心 | CAN bus risk detection method and device |
CN107666476A (en) * | 2017-05-25 | 2018-02-06 | 国家计算机网络与信息安全管理中心 | A kind of CAN risk checking method and device |
CN108111510A (en) * | 2017-12-20 | 2018-06-01 | 北京航空航天大学 | A kind of in-vehicle network intrusion detection method and system |
CN112119392B (en) * | 2018-05-17 | 2024-02-13 | 欧姆龙株式会社 | Abnormality detection device and abnormality detection method |
CN112119392A (en) * | 2018-05-17 | 2020-12-22 | 欧姆龙株式会社 | Abnormality detection device and abnormality detection method |
CN109033829A (en) * | 2018-07-27 | 2018-12-18 | 北京梆梆安全科技有限公司 | Vehicle network intrusion detection householder method, apparatus and system |
CN109117639A (en) * | 2018-07-27 | 2019-01-01 | 北京梆梆安全科技有限公司 | A kind of detection method and device of intrusion risk |
CN110933121A (en) * | 2018-09-19 | 2020-03-27 | 阿里巴巴集团控股有限公司 | Connection establishing method, communication processing method and device and communication equipment |
CN109617764A (en) * | 2018-12-27 | 2019-04-12 | 百度在线网络技术(北京)有限公司 | CAN message detection method and device |
CN109688152A (en) * | 2019-01-03 | 2019-04-26 | 南京邮电大学 | A kind of detection method of the message injection attack towards vehicle-mounted CAN bus |
CN109688152B (en) * | 2019-01-03 | 2021-01-12 | 南京邮电大学 | Message injection type attack detection method facing vehicle-mounted CAN bus |
CN112217785A (en) * | 2019-07-10 | 2021-01-12 | 罗伯特·博世有限公司 | Apparatus and method for anomaly identification in a communication network |
CN110691104B (en) * | 2019-11-11 | 2021-08-31 | 哈尔滨工业大学 | Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics |
CN110691104A (en) * | 2019-11-11 | 2020-01-14 | 哈尔滨工业大学 | Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics |
CN113163369A (en) * | 2020-01-20 | 2021-07-23 | 北京新能源汽车股份有限公司 | Vehicle intrusion prevention processing method and device and automobile |
CN112550281A (en) * | 2020-12-29 | 2021-03-26 | 广州小鹏自动驾驶科技有限公司 | Automatic parking control method and device |
CN112550281B (en) * | 2020-12-29 | 2022-05-13 | 广州小鹏自动驾驶科技有限公司 | Automatic parking control method and device |
CN114430308A (en) * | 2021-12-09 | 2022-05-03 | 西安昆仑工业(集团)有限责任公司 | Method for correcting time sequence accidental dislocation caused by software timing transmission time drift |
CN115102707A (en) * | 2022-04-27 | 2022-09-23 | 麦格纳斯太尔汽车技术(上海)有限公司 | Vehicle CAN network IDS safety detection system and method |
CN115484059A (en) * | 2022-08-09 | 2022-12-16 | 中汽创智科技有限公司 | Vehicle-mounted bus message processing method and device, vehicle-mounted terminal and storage medium |
WO2024051557A1 (en) * | 2022-09-07 | 2024-03-14 | 广州汽车集团股份有限公司 | Intrusion detection and protection apparatus and method for automotive bus network, and storage medium |
CN117955733A (en) * | 2024-03-21 | 2024-04-30 | 北京航空航天大学 | Vehicle-mounted CAN network intrusion detection method and system |
Also Published As
Publication number | Publication date |
---|---|
CN106899614B (en) | 2019-09-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106899614A (en) | In-vehicle network intrusion detection method and device based on the message cycle | |
CN108401491B (en) | Information processing method, information processing system, and program | |
EP3598329B1 (en) | Information processing method, information processing system, and program | |
CN108028784B (en) | Abnormality detection method, monitoring electronic control unit, and vehicle-mounted network system | |
JP7327883B2 (en) | COMPUTING APPARATUS, COMPUTER PROGRAM AND COMPUTER READABLE STORAGE MEDIUM | |
Bhatia et al. | Evading Voltage-Based Intrusion Detection on Automotive CAN. | |
US9531750B2 (en) | Spoofing detection | |
US8983714B2 (en) | Failsafe communication system and method | |
CN107710657A (en) | Vehicle communication bus data safety | |
CN108965267B (en) | Network attack processing method and device and vehicle | |
WO2018173732A1 (en) | On-board communication device, computer program, and message determination method | |
WO2018168291A1 (en) | Information processing method, information processing system, and program | |
KR20220042408A (en) | CAN bus protection system and method | |
CN111447166B (en) | Vehicle attack detection method and device | |
CN113608483B (en) | Method for acquiring vehicle signal value, electronic equipment and electronic control unit | |
CN115412370A (en) | Vehicle communication data detection method and device, electronic equipment and readable medium | |
US11528284B2 (en) | Method for detecting an attack on a control device of a vehicle | |
CN114157469B (en) | Vehicle-mounted network variant attack intrusion detection method based on domain antagonism neural network | |
CN113938295B (en) | Method and system for detecting abnormal transmission behavior of internet automobile communication data, electronic equipment and readable medium | |
Rumez et al. | Anomaly detection for automotive diagnostic applications based on N-grams | |
CN116305129A (en) | Document detection method, device, equipment and medium based on VSTO | |
CN115208682A (en) | High-performance network attack feature detection method and device based on snort | |
Andreica et al. | Blockchain integration for in-vehicle CAN bus intrusion detection systems with ISO/SAE 21434 compliant reporting | |
Dini et al. | Design and Experimental Assessment of Real-Time Anomaly Detection Techniques for Automotive Cybersecurity | |
CN110868410A (en) | Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | | Address after: 100083 20 Floor, Block A, Tiangong Building, 30 College Road, Haidian District, Beijing; Applicant after: Beijing Bang Bang Safety Technology Co. Ltd.; Address before: 100083 20 Floor, Block A, Tiangong Building, 30 College Road, Haidian District, Beijing; Applicant before: Yangpuweiye Technology Limited |
CB02 | Change of applicant information | ||
GR01 | Patent grant | ||
GR01 | Patent grant |