CN106899614B - In-vehicle network intrusion detection method and device based on the message period - Google Patents


Info

Publication number
CN106899614B
CN106899614B
Authority
CN
China
Prior art keywords
identification error
electronic control
control unit
message
vehicle
Legal status
Active
Application number
CN201710243012.0A
Other languages
Chinese (zh)
Other versions
CN106899614A (en)
Inventor
阚志刚
卢佐华
叶威
彭建芬
陈彪
Current Assignee
Beijing Bang Bang Safety Technology Co Ltd
Original Assignee
Beijing Bang Bang Safety Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Bang Bang Safety Technology Co Ltd
Priority to CN201710243012.0A
Publication of CN106899614A
Application granted
Publication of CN106899614B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The present invention provides an in-vehicle network intrusion detection method and device based on the message period. The method includes: while the vehicle is not communicating with the outside world, acquiring the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus; calculating the temporal characteristics corresponding to each electronic control unit from these time attributes; while the vehicle is communicating with the outside world, acquiring the corresponding attributes of the conventional periodic message IDs output by the electronic control unit marked by those temporal characteristics, and calculating the identification error of those attributes; and judging from the identification error and a preset threshold whether the conventional periodic messages are abnormal. The present invention can detect whether the in-vehicle network has been illegally intruded from outside, and thereby protect the safety of the driver and passengers.

Description

In-vehicle network intrusion detection method and device based on the message period
Technical field
The present invention relates to the field of network security, in particular to a safety detection method for in-vehicle networks, and specifically to an in-vehicle network intrusion detection method and device based on the message period.
Background technique
In recent years, vehicles have become increasingly intelligent and connected, and more and more electronic control units (ECU, Electronic Control Unit) are installed in place of the vehicle's original mechanical structures. As the number of attached sensors grows, the software control systems of these intelligent components become more complex; at the same time, the growing number of external communication interfaces means that connected components also introduce potential network security threats. An ECU installed in a vehicle can be intruded remotely over the network, and such an intrusion may cause vehicle malfunctions that threaten the lives of the driver or passengers. How to avoid or mitigate these network security threats is the most pressing task in the development of intelligent connected driving technology.
The existing security measures of intelligent connected vehicles all revolve around cloud security and on-board terminal security, but these measures alone are not enough: the object of intelligent connected services is the vehicle, and the driving safety of the vehicle is fundamental to what we protect.
Existing in-vehicle network security defence measures fall mainly into two directions: network security defence based on message authentication codes (MAC, Message Authentication Code) and intrusion detection. MAC-based defence effectively protects network information, but because of the limited resources of vehicle ECUs and the limitations of the CAN bus protocol it cannot be applied to intelligent connected vehicles. Intrusion detection prevents network attacks by monitoring message content or the periodicity of in-vehicle messages; it can deal with most network attacks, such as forgery attacks and message injection attacks, but it can neither detect nor prevent some complex attacks (such as rewriting control instructions). The main reason is that CAN bus data frames carry neither a destination address nor a source address, so the receiver cannot confirm which sender a data frame came from; even when a frame is confirmed to be attack information, the lack of sender information makes it very difficult to confirm which ECU actually sent it.
Therefore, those skilled in the art need to develop an intrusion detection method that closes the gaps in existing intrusion detection defences, so that the in-vehicle network can withstand some complex attacks and the safety of the driver and passengers is protected.
Summary of the invention
In view of this, the technical problem to be solved by the present invention is to provide an in-vehicle network intrusion detection method and device based on the message period, which solves the problem that the prior art cannot detect whether the in-vehicle network has been illegally intruded from outside.
To solve the above technical problem, a specific embodiment of the invention provides an in-vehicle network intrusion detection method based on the message period, comprising: while the vehicle is not communicating with the outside world, acquiring the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, wherein the time attributes include the time intervals between multiple periodic messages and the number of periodic messages; calculating the temporal characteristics corresponding to the electronic control unit from the time attributes, wherein the temporal characteristics include clock skew; while the vehicle is communicating with the outside world, acquiring the corresponding attributes of the conventional periodic message IDs output by the electronic control unit identified by the temporal characteristics, and calculating the identification error of those attributes; and judging from a preset threshold and the identification error whether the conventional periodic messages are abnormal.
Another embodiment of the invention also provides an in-vehicle network intrusion detection device based on the message period, comprising: a first acquisition unit, for acquiring, while the vehicle is not communicating with the outside world, the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, wherein the time attributes include the time intervals between multiple periodic messages and the number of periodic messages; a computing unit, for calculating the temporal characteristics corresponding to the electronic control unit from the time attributes, wherein the temporal characteristics include clock skew; a second acquisition unit, for acquiring, while the vehicle is communicating with the outside world, the corresponding attributes of the conventional periodic message IDs output by the electronic control unit identified by the temporal characteristics, and calculating the identification error of those attributes; and a judging unit, for judging from a preset threshold and the identification error whether the conventional periodic messages are abnormal.
From the above specific embodiments it can be seen that the in-vehicle network intrusion detection method and device based on the message period have at least the following advantages: while the in-vehicle network is not communicating with the outside world, multiple periodic messages output by the electronic control units (ECUs) on the in-vehicle network bus (periodic messages not subject to attack) are acquired; the temporal characteristics corresponding to each electronic control unit are calculated from these periodic messages, and the electronic control unit is marked with them. While the vehicle is communicating with the outside world, the identification error of the conventional periodic messages output by the electronic control unit marked by the temporal characteristics (periodic messages that may be under attack) is calculated; whether the conventional periodic messages are abnormal is then judged from the identification error and a preset threshold. The invention thus lets the in-vehicle network cope with complex network attacks when it is connected to the internet or to peripheral devices, detects whether the in-vehicle network has been illegally intruded, and thereby protects the safety of the driver and passengers.
It should be understood that the above general description and the following detailed embodiments are merely exemplary and explanatory and do not limit the scope claimed by the invention.
Detailed description of the invention
The following drawings form part of the specification of the present invention. They depict exemplary embodiments of the invention and, together with the description, serve to explain the principles of the invention.
Fig. 1 is a flowchart of embodiment one of an in-vehicle network intrusion detection method based on the message period provided by a specific embodiment of the invention;
Fig. 2 is a flowchart of embodiment two of an in-vehicle network intrusion detection method based on the message period provided by a specific embodiment of the invention;
Fig. 3 is a flowchart of embodiment three of an in-vehicle network intrusion detection method based on the message period provided by a specific embodiment of the invention;
Fig. 4 is a schematic block diagram of embodiment one of an in-vehicle network intrusion detection device based on the message period provided by a specific embodiment of the invention;
Fig. 5 is a schematic block diagram of embodiment two of an in-vehicle network intrusion detection device based on the message period provided by a specific embodiment of the invention;
Fig. 6 is a schematic block diagram of embodiment three of an in-vehicle network intrusion detection device based on the message period provided by a specific embodiment of the invention.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the spirit of the disclosure is explained below with reference to the drawings and the detailed description. After understanding the embodiments of the disclosure, any person skilled in the art may make changes and modifications using the techniques taught herein without departing from the spirit and scope of the disclosure.
The exemplary embodiments of the invention and their descriptions are used to explain the invention and do not limit it. In the drawings and embodiments, elements or components with the same or similar reference numerals denote the same or similar parts.
The terms "first", "second" and so on used herein do not denote any order or rank and do not limit the invention; they serve only to distinguish elements or operations described with the same technical term.
Directional terms used herein, such as up, down, left, right, front and rear, refer only to directions in the drawings, and are illustrative rather than limiting.
The terms "comprising", "including", "having", "containing" and the like used herein are open terms, meaning including but not limited to.
"And/or" as used herein includes any one or all combinations of the listed items.
Terms such as "substantially" and "about" used herein modify any quantity that may vary or deviate slightly without changing its essence. In general, the range of the slight variation or error modified by such a term may be 20% in some embodiments, 10% in some embodiments, 5% in some embodiments, or another value. Those skilled in the art will understand that these values may be adjusted according to actual needs and are not limited thereto.
Certain words used to describe the application are discussed below or elsewhere in this specification, to give those skilled in the art additional guidance on the description of the application.
Fig. 1 is a flowchart of embodiment one of an in-vehicle network intrusion detection method based on the message period provided by a specific embodiment of the invention. As shown in Fig. 1, while the in-vehicle network is not communicating with the internet or with external devices, multiple periodic messages output by the electronic control units (ECUs) on the in-vehicle network bus are acquired; the temporal characteristics corresponding to each electronic control unit (such as clock skew) are calculated from the periodic messages, and the electronic control unit is thereby marked. While the in-vehicle network is communicating with the internet or with external devices (for example, connected to an external network through the TBOX platform or the entertainment and navigation platform), the identification error of the conventional periodic messages output by the electronic control unit marked by the temporal characteristics is calculated; whether the conventional periodic messages are abnormal is then judged from the identification error and a preset threshold.
The specific embodiment shown in the drawing includes:
Step 101: while the vehicle is not communicating with the outside world, acquire the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, wherein the time attributes include the time intervals between multiple periodic messages and the number of periodic messages. In specific embodiments of the invention, "the vehicle not communicating with the outside world" means that the in-vehicle network is not communicating with any external network (including the internet) or any external device (including USB flash drives, portable hard disks, mobile terminals, etc.); at this time the in-vehicle network is safe. The electronic control units communicate over the in-vehicle network bus (such as the CAN bus), so the periodic messages output by one or more electronic control units can be sampled on the in-vehicle network bus. The time attributes include, but are not limited to, the time intervals between multiple periodic messages and the number of periodic messages.
Step 102: calculate the temporal characteristics corresponding to the electronic control unit from the time attributes, wherein the temporal characteristics include clock skew. In specific embodiments of the invention, the temporal characteristics of each electronic control unit differ, so the temporal characteristics can be used to mark the electronic control unit and thereby determine which electronic control unit output a given periodic message. The temporal characteristics include, but are not limited to, clock skew.
Step 103: mark the electronic control unit with its temporal characteristics. The temporal characteristics correspond one-to-one with the electronic control units, so the temporal characteristics can be used to mark them.
Step 104: while the vehicle is communicating with the outside world, acquire the corresponding attributes of the conventional periodic message IDs output by the electronic control unit identified (marked) by the temporal characteristics, and calculate the identification error of those attributes. In specific embodiments of the invention, the vehicle communicating with the outside world may be the in-vehicle network communicating with an external network (including the internet) through the in-vehicle TBOX platform or the entertainment and navigation platform; at this time the in-vehicle network is not safe, and the conventional periodic messages may be subject to external attack.
Step 105: judge from a preset threshold and the identification error whether the conventional periodic messages are abnormal. In specific embodiments of the invention, the preset threshold is usually 10 to 50. An accumulated identification error is obtained from the identification errors, and then the maximum value and the minimum value of the accumulated identification error; if the absolute value of the maximum or of the minimum of the accumulated identification error exceeds the preset threshold, the conventional periodic message is judged abnormal.
Referring to Fig. 1, while the in-vehicle network is not communicating with the outside world, the temporal characteristics corresponding to each electronic control unit are calculated from its periodic messages (for example clock skew: the standard clock supplied by the master clock is delayed by buffering and by transmission-line delay, so the clocks of different electronic control units differ from the standard clock; the offset between an electronic control unit's clock and the standard clock is called clock skew), and the electronic control unit is thereby marked. While the in-vehicle network is communicating with the outside world, the identification error is analysed to judge whether the conventional periodic messages received by the electronic control unit are abnormal. This lets the in-vehicle network cope with complex external attacks while it communicates with the outside world, detects whether the in-vehicle network has been illegally intruded, and thereby protects the safety of the driver and passengers.
In a specific embodiment of the invention, the clock skew $S_i$ is calculated by the following formula:
$O_i = S_i \times t + e$
where i denotes the serial number of the identification error datum, after the algorithm has run, of the periodic message output by the electronic control unit; $O_i$ denotes the accumulated clock offset of the periodic messages sampled from the electronic control unit; $S_i$ denotes the clock skew of the periodic messages sampled from the electronic control unit; t denotes the running time; and e is the identification error of the conventional periodic message.
Fig. 2 is a flowchart of embodiment two of an in-vehicle network intrusion detection method based on the message period provided by a specific embodiment of the invention. As shown in Fig. 2, to improve detection accuracy and prevent the electronic control unit from misjudging conventional periodic messages, a conventional periodic message judged abnormal can be confirmed further. Because the data-processing capacity of the electronic control unit is limited, and to save the limited data-processing capacity in the vehicle, the conventional periodic message judged abnormal can be uploaded to a cloud platform, which verifies and confirms it; the electronic control unit then processes the abnormal conventional periodic message according to the confirmation information fed back by the cloud platform.
In the specific embodiment shown in the drawing, after step 105 the method further includes:
Step 106: upload the abnormal conventional periodic message to the cloud platform. In specific embodiments of the invention, the cloud platform has stronger data-processing capability; it may be a server, a server cluster, a computer, a mobile terminal, etc.
Step 107: process the abnormal conventional periodic message according to the confirmation information returned by the cloud platform. For example, the electronic control unit may reject the abnormal conventional periodic message, or decline to execute it.
Referring to Fig. 2, to improve the detection accuracy for abnormal conventional periodic messages while saving memory and CPU usage on the electronic control unit and improving its response speed, the abnormal conventional periodic message can be uploaded to the cloud platform, processed there, and then handled according to the confirmation information the cloud platform returns. This prevents misjudgement by the electronic control unit and further improves the detection accuracy for abnormal intrusions. Of course, the electronic control unit may also directly process the conventional periodic message it judged abnormal, without further confirmation by the cloud platform, which improves processing efficiency.
Fig. 3 is a flowchart of embodiment three of an in-vehicle network intrusion detection method based on the message period provided by a specific embodiment of the invention. As shown in Fig. 3, judging from the identification error and the preset threshold whether the conventional periodic messages are abnormal specifically includes four steps.
In the specific embodiment shown in the drawing, step 105 specifically includes:
Step 1051: calculate the mean $\mu_i$ and the variance $\sigma_i$ of the identification error e.
Step 1052: update the mean $\mu_i$ and the variance $\sigma_i$, where e is the identification error of the conventional periodic message; $\mu_i$ is the mean of the identification error of the periodic messages; $\sigma_i$ is the variance of the identification error of the periodic messages; M is a constant; and i denotes the serial number of the identification error datum, after the algorithm has run, of the periodic message output by the electronic control unit. In the specific embodiment of the invention, the mean $\mu_i$ and the variance $\sigma_i$ are updated when the corresponding update condition holds.
Step 1053: calculate the maximum value and the minimum value of the accumulated identification error L from the mean $\mu_i$ and the variance $\sigma_i$.
Step 1054: judge from the absolute value of the maximum value, the absolute value of the minimum value and the preset threshold whether the conventional periodic messages are abnormal.
Referring to Fig. 3, to judge whether the conventional periodic messages are abnormal from the identification error and the preset threshold, the maximum and minimum values of the accumulated identification error L are calculated from the identification error; if the absolute value of the maximum or of the minimum exceeds the preset threshold, the conventional periodic message is judged abnormal. This judgement method also rules out the effect of data transmission delay and bus arbitration delay: those delays last only a short time, whereas a network attack lasts a long time, so transmission and arbitration delays do not affect the calculated maximum and minimum of the accumulated identification error L and therefore do not cause misjudgement.
In a specific embodiment of the invention, the maximum value $L^{+}$ of the accumulated identification error is calculated by a formula in which: i denotes the serial number of the identification error datum, after the algorithm has run, of the periodic message output by the electronic control unit; e is the identification error of the conventional periodic message; $\mu_i$ is the mean of the identification error of the periodic messages; $\sigma_i$ is the variance of the identification error of the periodic messages; and K is a constant.
The minimum value $L^{-}$ of the accumulated identification error is calculated by a formula in which: i denotes the serial number of the identification error datum, after the algorithm has run, of the periodic message output by the electronic control unit; e is the identification error of the conventional periodic message; $\mu_i$ is the mean of the identification error of the periodic messages; $\sigma_i$ is the variance of the identification error of the periodic messages; and K is a constant.
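The procedure of steps 101 to 105 and the judgement of steps 1051 to 1054, carried through in code as an added example (this is not the patent's own implementation): one monitor per periodic CAN ID fits $O_i = S_i \times t + e$ by least squares on a capture taken while the vehicle is offline, marks the ECU by the fitted skew S, and then, for each message received while the vehicle is online, computes the identification error e and the accumulated errors L+ and L-. Assumptions: the page does not reproduce its formulas for L+ and L- or the update condition for $\mu_i$ and $\sigma_i$, so the example uses a standard CUSUM recurrence with reference value K (L+ = max(0, L+ + z - K), L- = min(0, L- + z + K), z = (e - mu)/sigma) and freezes mu and sigma from the clean capture; the timestamps are constructed (a 10 ms message, a 50 ppm crystal skew, 20 us jitter), the threshold 20 lies in the page's usual range of 10 to 50, and every name (`simulate_stream`, `SkewMonitor`, `demo`) is the example's own.

```python
import random
import statistics
from dataclasses import dataclass

PERIOD_S = 0.010  # nominal period T of the monitored CAN ID (10 ms, constructed)


def simulate_stream(segments, jitter_s, seed, period=PERIOD_S):
    """Constructed receive timestamps of one periodic CAN ID. segments is a list of
    (count, skew_ppm): the sender's crystal stretches each nominal period by
    (1 + skew_ppm * 1e-6), so its offset from the receiver's clock accumulates.
    Gaussian jitter stands for arbitration and transmission delay, which touches
    one message and does not accumulate."""
    rng = random.Random(seed)
    t, stamps = 0.0, []
    for count, skew_ppm in segments:
        for _ in range(count):
            t += period * (1.0 + skew_ppm * 1e-6)
            stamps.append(t + rng.gauss(0.0, jitter_s))
    return stamps


@dataclass
class Fingerprint:
    skew: float       # S: accumulated offset per second of runtime (dimensionless)
    intercept: float  # b: absorbs the jitter of the reference (first) message
    mu: float         # mean of the identification error e on the clean capture
    sigma: float      # standard deviation of e on the clean capture


class SkewMonitor:
    """One monitor per periodic CAN ID: train() is steps 101-103 (vehicle offline),
    judge() is step 104 plus the judgement of steps 1051-1054 (vehicle online)."""

    def __init__(self, period=PERIOD_S, k=0.5, threshold=20.0):
        self.period, self.k, self.threshold = period, k, threshold
        self.t0 = None                    # receive time of the first message seen
        self.count = 0                    # i: messages seen so far
        self.fp = None
        self.l_plus = self.l_minus = 0.0  # L+ and L-: accumulated identification error

    def _runtime_and_offset(self, stamp):
        """t_i = i*T and O_i = (stamp - t0) - i*T, the clock offset accumulated by
        message i (the sum of (interval - T) over the first i intervals)."""
        if self.t0 is None:
            self.t0 = stamp
        i, self.count = self.count, self.count + 1
        return i * self.period, (stamp - self.t0) - i * self.period

    def train(self, stamps):
        """Steps 101-103: least-squares fit of O_i = S*t + b on a clean capture.
        The fitted skew S marks the ECU; mu and sigma describe its normal e."""
        pairs = [self._runtime_and_offset(s) for s in stamps]
        t, o = [p[0] for p in pairs], [p[1] for p in pairs]
        t_mean, o_mean = statistics.fmean(t), statistics.fmean(o)
        sxx = sum((ti - t_mean) ** 2 for ti in t)
        skew = sum((ti - t_mean) * (oi - o_mean) for ti, oi in zip(t, o)) / sxx
        intercept = o_mean - skew * t_mean
        errors = [oi - (skew * ti + intercept) for ti, oi in zip(t, o)]
        self.fp = Fingerprint(skew, intercept, statistics.fmean(errors),
                              statistics.pstdev(errors))
        return self.fp

    def judge(self, stamp):
        """Step 104: e_i = O_i - (S*t_i + b). Steps 1051-1054 in an assumed CUSUM form:
        z = (e - mu)/sigma, L+ = max(0, L+ + z - K), L- = min(0, L- + z + K); the
        message is abnormal once |L+| or |L-| exceeds the preset threshold."""
        if self.fp is None:
            raise RuntimeError("call train() on a clean capture before judge()")
        t_i, o_i = self._runtime_and_offset(stamp)
        e = o_i - (self.fp.skew * t_i + self.fp.intercept)
        z = (e - self.fp.mu) / self.fp.sigma
        self.l_plus = max(0.0, self.l_plus + z - self.k)
        self.l_minus = min(0.0, self.l_minus + z + self.k)
        return max(self.l_plus, abs(self.l_minus)) > self.threshold


def demo(n_train=2000, n_normal=1000, n_changed=300):
    """Constructed scenario: mark the ID on n_train clean messages (+50 ppm crystal);
    n_normal later messages from the same clock, two of them delayed 100 us by a
    short arbitration burst, must not alarm; n_changed messages whose timing
    follows a different clock (-80 ppm) must alarm within a few dozen messages."""
    stamps = simulate_stream([(n_train + n_normal, 50), (n_changed, -80)],
                             jitter_s=20e-6, seed=7)
    burst = n_train + 500
    stamps[burst] += 100e-6
    stamps[burst + 1] += 100e-6
    mon = SkewMonitor()
    fp = mon.train(stamps[:n_train])
    normal_alarms = [i for i, s in enumerate(stamps[n_train:n_train + n_normal])
                     if mon.judge(s)]
    changed = stamps[n_train + n_normal:]
    first_alarm = next((i for i, s in enumerate(changed) if mon.judge(s)), None)
    return {"skew_ppm": fp.skew * 1e6, "sigma_us": fp.sigma * 1e6,
            "normal_alarms": normal_alarms, "alarm_after_change": first_alarm}
```

demo() returns the fitted skew in ppm (close to the constructed 50 ppm), the jitter estimate, the alarm indices during the normal online phase (empty: the two delayed messages push L+ up only briefly and it decays again, which is the page's argument that short transmission and arbitration delays do not cause misjudgement), and the index after the clock change at which the first alarm fires, since a persistent change in skew makes e drift by the same amount every period and the accumulated error crosses the threshold within a few dozen messages.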
Fig. 4 is a schematic block diagram of embodiment one of an in-vehicle network intrusion detection device based on the message period provided by a specific embodiment of the invention. The device shown in Fig. 4 can be applied in the methods shown in Figs. 1 to 3. While the in-vehicle network is not communicating with the internet or with external devices, multiple periodic messages output by the electronic control units (ECUs) on the in-vehicle network bus are acquired; the temporal characteristics corresponding to each electronic control unit (such as clock skew) are calculated from the periodic messages, and the electronic control unit is thereby marked. While the in-vehicle network is communicating with the internet or with external devices (for example, connected to an external network through the TBOX platform or the entertainment and navigation platform), the identification error of the conventional periodic messages output by the electronic control unit marked by the temporal characteristics is calculated; whether those conventional periodic messages are abnormal is then judged from the identification error and a preset threshold.
In the specific embodiment shown in the drawing, the in-vehicle network intrusion detection device includes: a first acquisition unit 11, a computing unit 12, a marking unit 13, a second acquisition unit 14 and a judging unit 15. The first acquisition unit 11 is used, while the vehicle is not communicating with the outside world, to acquire the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, wherein the time attributes include the time intervals between multiple periodic messages and the number of periodic messages; the computing unit 12 is used to calculate the temporal characteristics corresponding to the electronic control unit from the time attributes, wherein the temporal characteristics include clock skew; the marking unit 13 is used to mark the electronic control unit with the temporal characteristics; the second acquisition unit 14 is used, while the vehicle is communicating with the outside world, to acquire the corresponding attributes of the conventional periodic message IDs output by the electronic control unit identified by the temporal characteristics, and to calculate the identification error of those attributes; the judging unit 15 is used to judge from the preset threshold and the identification error whether the conventional periodic messages are abnormal.
Referring to Fig. 4, while the in-vehicle network is not communicating with the outside world, the temporal characteristics corresponding to each electronic control unit are calculated from its periodic messages (for example clock skew: the standard clock supplied by the master clock is delayed by buffering and by transmission-line delay, so the clocks of different electronic control units differ from the standard clock; the offset between an electronic control unit's clock and the standard clock is called clock skew), and the electronic control unit is thereby marked. While the in-vehicle network is communicating with the outside world, the identification error is analysed to judge whether the conventional periodic messages received by the electronic control unit are abnormal. This lets the in-vehicle network cope with complex external attacks while it communicates with the outside world, detects whether the in-vehicle network has been illegally intruded, and thereby protects the safety of the driver and passengers.
In a specific embodiment of the invention, the clock skew $S_i$ is calculated by the following formula:
$O_i = S_i \times t + e$
where i denotes the serial number of the identification error datum, after the algorithm has run, of the periodic message output by the electronic control unit; $O_i$ denotes the accumulated clock offset of the periodic messages sampled from the electronic control unit; $S_i$ denotes the clock skew of the periodic messages sampled from the electronic control unit; t denotes the running time; and e is the identification error of the conventional periodic message.
Fig. 5 is a schematic block diagram of embodiment two of the in-vehicle network intrusion detection device based on the message period provided by a specific embodiment of the invention. As shown in Fig. 5, to improve detection accuracy and prevent the electronic control unit from misjudging a conventional periodic message, a message judged abnormal can be confirmed further. Because the data-processing capacity of an electronic control unit is limited, and to conserve the limited processing capacity in the vehicle, the conventional periodic message judged abnormal can be uploaded to a cloud platform, which verifies and confirms it; the electronic control unit then handles the abnormal conventional periodic message according to the confirmation information fed back by the cloud platform.
In the embodiment shown in the figure, the in-vehicle network intrusion detection device further includes an uploading unit 16 and a confirmation unit 17. The uploading unit 16 uploads the abnormal conventional periodic message to the cloud platform; the confirmation unit 17 handles the abnormal conventional periodic message according to the confirmation information returned by the cloud platform.
Referring to Fig. 5: to improve the detection accuracy for abnormal conventional periodic messages while saving memory and CPU on the electronic control unit and improving its response speed, the abnormal conventional periodic message can be uploaded to the cloud platform, which performs the data processing; the electronic control unit then handles the abnormal conventional periodic message according to the confirmation information returned by the cloud platform. This prevents misjudgement by the electronic control unit and further improves the precision of intrusion detection. Alternatively, the electronic control unit can handle the message it judged abnormal directly, without further confirmation by the cloud platform, which improves processing efficiency.
Fig. 6 is a schematic block diagram of embodiment three of the in-vehicle network intrusion detection device based on the message period provided by a specific embodiment of the invention. As shown in Fig. 6, the judging unit specifically includes a first computing module, an update module, a second computing module and a judgment module.
In the embodiment shown in the figure, the judging unit 15 specifically includes a first computing module 151, an update module 152, a second computing module 153 and a judgment module 154. The first computing module 151 calculates the mean and variance of the identification error. The update module 152 updates the mean and the variance, where e is the identification error of the conventional periodic message, μ_i is the mean of the identification error of the periodic messages, σ_i is the variance of the identification error of the periodic messages, M is a constant, and i is the serial number of the identification-error datum produced by the algorithm from the periodic messages output by the electronic control unit. The second computing module 153 calculates the maximum and minimum values of the accumulated identification error from the mean and the variance. The judgment module 154 judges whether the conventional periodic message is abnormal from the absolute value of the maximum, the absolute value of the minimum and a preset threshold. In a specific embodiment of the invention, the update module 152 updates the mean μ_i and the variance σ_i only when the update condition on e, μ_i, σ_i and M is satisfied.
Referring to Fig. 6: whether a conventional periodic message is abnormal is judged from the identification error and the preset threshold. The maximum and minimum of the accumulated identification error L are calculated from the identification error, and if the absolute value of the maximum or of the minimum exceeds the preset threshold, the conventional periodic message is judged abnormal. This judgment method also rules out the scenarios of data transmission delay and bus arbitration delay: such delays last only a short time, whereas a network attack lasts a long time, so a transmission or arbitration delay does not affect the computed maximum and minimum of the accumulated identification error L and does not cause a misjudgement.
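The two phases described for Figs. 4 and 6, and claimed in claims 1, 3 and 4, as one runnable Python example. This is an added illustration, not code from the patent or from Beijing Bangbang: it fits the clock skew S from the page's model O_i = S_i × t + e on attack-free frames, then computes the identification error e of each later frame, refreshes the mean μ and the variance only while e stays close to them, and judges a frame abnormal when the absolute value of the accumulated error L⁺ or L⁻ exceeds a preset threshold. Everything the page leaves unstated is an assumption here: the nominal period T is taken as known to the detector, the update condition is |e − μ| < M·σ, L⁺ and L⁻ are the standard two-sided CUSUM recursions with an allowance κ, the threshold and constants are picked for the constructed data, and the timestamps (a 10 ms ID, a second node masquerading the same ID from a clock with a different skew, one frame held up by an arbitration delay) are constructed, not captured. The page calls σ_i the variance; the code normalises e by its square root.

```python
"""Clock-skew profile plus CUSUM test for one periodic CAN ID (added example).

Phase 1 fits S in the page's model O_i = S*t + e on attack-free frames. Phase 2
computes e for each later frame, refreshes mean/variance only while e stays near
them, and alarms when the accumulated error L+ or L- passes a threshold.
Assumed, since the page does not give them: T is known, the update gate is
|e - mu| < M*sigma, and L+/L- are the standard two-sided CUSUM recursions.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class SkewProfile:
    """Temporal characteristic recorded for one message ID in the offline phase."""
    period: float       # nominal period T in seconds (assumed known from the message spec)
    t0: float           # receive time of the first training sample; run time t counts from it
    skew: float         # S: offset accumulated per second of run time
    mean: float         # mu of the identification error e
    m2: float           # Welford sum of squared deviations; variance = m2 / (n - 1)
    n: int              # samples behind mean and m2
    next_index: int     # i of the next frame expected on this ID

    @property
    def sigma(self) -> float:
        """Square root of the variance (the page's sigma_i is the variance itself)."""
        return math.sqrt(self.m2 / (self.n - 1))


def offsets(timestamps, period):
    """Time attributes of a run of arrivals: (t_i, O_i) with t_i = a_i - a_0 and
    O_i = t_i - i*T, the offset accumulated against the nominal schedule."""
    t0 = timestamps[0]
    return [(a - t0, (a - t0) - k * period) for k, a in enumerate(timestamps)]


def fit_profile(timestamps, period):
    """Offline phase: least-squares slope S of O_i = S*t + e over attack-free
    frames; the constant part of e stays in e and becomes its mean mu."""
    pts = offsets(timestamps, period)
    n = len(pts)
    t_bar = sum(t for t, _ in pts) / n
    o_bar = sum(o for _, o in pts) / n
    skew = (sum((t - t_bar) * (o - o_bar) for t, o in pts)
            / sum((t - t_bar) ** 2 for t, _ in pts))
    errs = [o - skew * t for t, o in pts]
    mean = sum(errs) / n
    m2 = sum((e - mean) ** 2 for e in errs)
    return SkewProfile(period, timestamps[0], skew, mean, m2, n, n)


class CusumDetector:
    """Online phase: gated mean/variance update, then two-sided CUSUM on e."""

    def __init__(self, profile, kappa=1.0, threshold=10.0, gate=3.0):
        self.p = profile
        self.kappa = kappa          # per-step allowance (assumed value)
        self.threshold = threshold  # preset threshold on |L+| and |L-| (assumed value)
        self.gate = gate            # M: refresh statistics only if |e - mu| < M*sigma (assumed)
        self.l_plus = 0.0
        self.l_minus = 0.0

    def step(self, arrival):
        """Process one frame's receive time; return True if it is judged abnormal."""
        p = self.p
        i, p.next_index = p.next_index, p.next_index + 1
        t = arrival - p.t0
        e = (t - i * p.period) - p.skew * t      # identification error of this frame
        sigma = max(p.sigma, 1e-9)
        if abs(e - p.mean) < self.gate * sigma:
            # Welford update; frames already far off the profile are excluded,
            # so an attack cannot drag mu/sigma toward itself
            p.n += 1
            delta = e - p.mean
            p.mean += delta / p.n
            p.m2 += delta * (e - p.mean)
            sigma = max(p.sigma, 1e-9)
        z = (e - p.mean) / sigma
        self.l_plus = max(0.0, self.l_plus + z - self.kappa)
        self.l_minus = min(0.0, self.l_minus + z + self.kappa)
        return abs(self.l_plus) > self.threshold or abs(self.l_minus) > self.threshold


def constructed_arrivals(seed=7, period=0.010, ecu_skew=2e-4, jitter=2e-5,
                         n_train=1000, n_benign=300, n_attack=60,
                         attacker_skew=-3e-4, delayed_frame=(1150, 50e-6)):
    """Constructed receive timestamps, not captured traffic: a 10 ms ID from an
    ECU running 200 ppm fast with +-20 us jitter; one benign frame is held up
    50 us (arbitration delay); after n_train + n_benign frames a second node
    masquerades the same ID from its own clock (-300 ppm)."""
    rng = random.Random(seed)
    arrivals, clock = [], 0.0
    for k in range(n_train + n_benign + n_attack):
        skew = ecu_skew if k < n_train + n_benign else attacker_skew
        clock += period * (1.0 + skew)
        a = clock + rng.uniform(-jitter, jitter)
        if k == delayed_frame[0]:
            a += delayed_frame[1]                # transient delay, not accumulated
        arrivals.append(a)
    return arrivals


def run_demo(n_train=1000, n_benign=300, n_attack=60):
    """Fit on the first n_train frames, then run the detector over the rest."""
    arrivals = constructed_arrivals(n_train=n_train, n_benign=n_benign, n_attack=n_attack)
    profile = fit_profile(arrivals[:n_train], period=0.010)
    det = CusumDetector(profile)
    alarms = [n_train + k for k, a in enumerate(arrivals[n_train:]) if det.step(a)]
    return {"skew_ppm": profile.skew * 1e6, "sigma_us": profile.sigma * 1e6,
            "attack_starts_at": n_train + n_benign,
            "first_alarm": alarms[0] if alarms else None}


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the fitted skew (about 200 ppm), the spread of e (about 11.5 µs) and the index of the first alarm, which falls a few frames after the masquerade begins; the single delayed frame in the benign window only produces a transient bump in L⁺ that decays by κ per frame, which is the short-delay behaviour the description relies on. On a real bus, κ, M and the threshold have to be tuned against the jitter measured for each ID, and a delay long enough to push |L⁺| past the threshold in one step will still be reported.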
A specific embodiment of the invention provides an in-vehicle network intrusion detection method and device based on the message period. While the in-vehicle network is not communicating with the outside world, multiple periodic messages (periodic messages that are not under attack) output by an electronic control unit (ECU) on the in-vehicle network bus are collected; the temporal characteristics of the electronic control unit are computed from these periodic messages and the electronic control unit is labelled with them. While the vehicle is communicating with the outside world, the identification error of the conventional periodic messages (periodic messages that may be under attack) output by the electronic control unit labelled with the temporal characteristics is computed, and whether a conventional periodic message is abnormal is judged from the identification error and a preset threshold. The invention allows the in-vehicle network, when it accesses the Internet or connects to peripheral devices, to cope with complex network attacks and to detect whether the in-vehicle network has been illegally intruded, thereby protecting the safety of the driver and passengers.
The above embodiments of the invention may be implemented in hardware, in software code, or in a combination of both. For example, an embodiment of the invention may be program code that executes the above method on a digital signal processor (DSP). The invention may also involve functions executed by a computer processor, a digital signal processor, a microprocessor or a field-programmable gate array (FPGA). Such a processor can be configured according to the invention to execute particular tasks by executing machine-readable software code or firmware code that defines the specific methods disclosed by the invention. The software code or firmware code may be developed in different programming languages and in different formats or forms, and may be composed for different target platforms. However, the different code styles, types and languages of software code, and of other forms of configuration code that execute the tasks according to the invention, do not depart from the spirit and scope of the invention.
The foregoing are merely illustrative specific embodiments of the invention; any equivalent changes and modifications made by persons skilled in the art without departing from the concept and principles of the invention fall within the scope of protection of the invention.

Claims (9)

1. An in-vehicle network intrusion detection method based on the message period, characterized in that the method comprises:
collecting, while the vehicle is not communicating with the outside world, the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, wherein the time attributes include the time intervals between the multiple periodic messages and the number of periodic messages;
calculating the temporal characteristics of the electronic control unit from the time attributes and labelling the electronic control unit with the temporal characteristics, wherein the temporal characteristics include clock skew;
collecting, while the vehicle is communicating with the outside world, the corresponding attributes of the conventional periodic message IDs output by the electronic control unit labelled with the temporal characteristics, and calculating the identification error of the corresponding attributes, the calculation formula of the identification error being:
O_i = S_i × t + e
wherein i is the serial number of the identification error computed from the periodic messages output by the electronic control unit; O_i is the accumulated clock offset of the periodic messages sampled from the electronic control unit; S_i is the clock skew of the periodic messages sampled from the electronic control unit; t is the running time; and e is the identification error of the conventional periodic message; and
judging whether the conventional periodic message is abnormal according to a preset threshold and the identification error.
2. The in-vehicle network intrusion detection method based on the message period of claim 1, characterized in that the method further comprises:
uploading the abnormal conventional periodic message to a cloud platform; and
handling the abnormal conventional periodic message according to confirmation information returned by the cloud platform.
3. The in-vehicle network intrusion detection method based on the message period of claim 1, characterized in that the step of judging whether the conventional periodic message is abnormal according to the preset threshold and the identification error specifically comprises:
calculating the mean and variance of the identification error;
calculating the maximum and minimum values of the accumulated identification error from the mean and the variance; and
judging whether the conventional periodic message is abnormal from the absolute value of the maximum, the absolute value of the minimum and the preset threshold.
4. The in-vehicle network intrusion detection method based on the message period of claim 3, characterized in that, before the step of calculating the maximum and minimum values of the accumulated identification error from the mean and the variance, the method further comprises:
when the update condition on e, μ_i, σ_i and M is satisfied, updating the mean and the variance, wherein e is the identification error of the conventional periodic message; μ_i is the mean of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; M is a constant; and i is the serial number of the identification error computed from the periodic messages output by the electronic control unit.
5. The in-vehicle network intrusion detection method based on the message period of claim 3, characterized in that
the maximum value L⁺ of the accumulated identification error is calculated by the formula:
wherein i is the serial number of the identification error computed from the periodic messages output by the electronic control unit; e is the identification error of the conventional periodic message; μ_i is the mean of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; and K is a constant;
the minimum value L⁻ of the accumulated identification error is calculated by the formula:
wherein i is the serial number of the identification error computed from the periodic messages output by the electronic control unit; e is the identification error of the conventional periodic message; μ_i is the mean of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; and K is a constant.
6. An in-vehicle network intrusion detection device based on the message period, characterized in that the device comprises:
a first acquisition unit for collecting, while the vehicle is not communicating with the outside world, the time attributes of multiple periodic message IDs output by one or more electronic control units on the in-vehicle network bus, wherein the time attributes include the time intervals between the multiple periodic messages and the number of periodic messages;
a computing unit for calculating the temporal characteristics of the electronic control unit from the time attributes and labelling the electronic control unit with the temporal characteristics, wherein the temporal characteristics include clock skew;
a second acquisition unit for collecting, while the vehicle is communicating with the outside world, the corresponding attributes of the conventional periodic message IDs output by the electronic control unit labelled with the temporal characteristics, and calculating the identification error of the corresponding attributes, the calculation formula of the identification error being:
O_i = S_i × t + e
wherein i is the serial number of the identification error computed from the periodic messages output by the electronic control unit; O_i is the accumulated clock offset of the periodic messages sampled from the electronic control unit; S_i is the clock skew of the periodic messages sampled from the electronic control unit; t is the running time; and e is the identification error of the conventional periodic message; and
a judging unit for judging whether the conventional periodic message is abnormal according to a preset threshold and the identification error.
7. The in-vehicle network intrusion detection device based on the message period of claim 6, characterized in that the device further comprises:
an uploading unit for uploading the abnormal conventional periodic message to a cloud platform; and
a confirmation unit for handling the abnormal conventional periodic message according to confirmation information returned by the cloud platform.
8. The in-vehicle network intrusion detection device based on the message period of claim 6, characterized in that the judging unit specifically comprises:
a first computing module for calculating the mean and variance of the identification error;
a second computing module for calculating the maximum and minimum values of the accumulated identification error from the mean and the variance; and
a judgment module for judging whether the conventional periodic message is abnormal from the absolute value of the maximum, the absolute value of the minimum and the preset threshold.
9. The in-vehicle network intrusion detection device based on the message period of claim 8, characterized in that the judging unit further comprises:
an update module for updating the mean and the variance when the update condition on e, μ_i, σ_i and M is satisfied, wherein e is the identification error of the conventional periodic message; μ_i is the mean of the identification error of the periodic messages; σ_i is the variance of the identification error of the periodic messages; M is a constant; and i is the serial number of the identification error computed from the periodic messages output by the electronic control unit.
CN201710243012.0A 2017-04-14 2017-04-14 In-vehicle network intrusion detection method and device based on the message period Active CN106899614B (en)

Publications (2)

Publication Number Publication Date
CN106899614A CN106899614A (en) 2017-06-27
CN106899614B true CN106899614B (en) 2019-09-24

Family

ID=59196677


Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107666476A (en) * 2017-05-25 2018-02-06 National Computer Network and Information Security Management Center CAN bus risk detection method and device
CN108111510A (en) * 2017-12-20 2018-06-01 Beihang University In-vehicle network intrusion detection method and system
CN109033829A (en) * 2018-07-27 2018-12-18 Beijing Bangbang Security Technology Co., Ltd. Vehicle network intrusion detection assistance method, apparatus and system
CN109117639B (en) * 2018-07-27 2021-03-16 Beijing Bangbang Security Technology Co., Ltd. Intrusion risk detection method and device
CN109617764A (en) * 2018-12-27 2019-04-12 Baidu Online Network Technology (Beijing) Co., Ltd. CAN message detection method and device
CN109688152B (en) * 2019-01-03 2021-01-12 Nanjing University of Posts and Telecommunications Message injection attack detection method for the in-vehicle CAN bus

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN202495957U (en) * 2012-03-13 2012-10-17 China Automotive Technology and Research Center Alternating-layer test system for vehicle CAN network communication
CN202710959U (en) * 2012-07-13 2013-01-30 Guangzhou Automobile Group Co., Ltd. Decision system for periodic CAN message loss faults
CN103237308A (en) * 2013-05-15 2013-08-07 Xihua University Distributed intrusion detection method for vehicular ad hoc networks
CN103873319A (en) * 2012-12-12 2014-06-18 Hyundai Motor Company Apparatus and method for detecting in-vehicle network attack
CN104025506A (en) * 2011-10-31 2014-09-03 Toyota Motor Corporation Message authentication method in communication system and communication system
CN106059987A (en) * 2015-04-17 2016-10-26 Hyundai Motor Company In-vehicle network intrusion detection system and method for controlling the same

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013144962A1 (en) * 2012-03-29 2013-10-03 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US10083071B2 (en) * 2014-12-30 2018-09-25 Battelle Memorial Institute Temporal anomaly detection on automotive networks


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Hyun Min Song, Ha Rang Kim and Huy Kang Kim, "Intrusion Detection System Based on the Analysis of Time Intervals of CAN Messages for In-Vehicle Network", ICOIN 2016, pp. 63-68 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100083 20 Floor, Block A, Tiangong Building, 30 College Road, Haidian District, Beijing

Applicant after: Beijing Bang Bang Safety Technology Co. Ltd.

Address before: 100083 20 Floor, Block A, Tiangong Building, 30 College Road, Haidian District, Beijing

Applicant before: Yangpuweiye Technology Limited

GR01 Patent grant