CN107454107B - Controller local area network automobile bus alarm gateway for detecting injection type attack - Google Patents

Controller local area network automobile bus alarm gateway for detecting injection type attack Download PDF

Info

Publication number
CN107454107B
CN107454107B CN201710837695.2A CN201710837695A CN107454107B CN 107454107 B CN107454107 B CN 107454107B CN 201710837695 A CN201710837695 A CN 201710837695A CN 107454107 B CN107454107 B CN 107454107B
Authority
CN
China
Prior art keywords
data
frame
time
data frame
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710837695.2A
Other languages
Chinese (zh)
Other versions
CN107454107A (en
Inventor
谭劲
杨红
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Jiliang University
Original Assignee
China Jiliang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Jiliang University filed Critical China Jiliang University
Priority to CN201710837695.2A priority Critical patent/CN107454107B/en
Publication of CN107454107A publication Critical patent/CN107454107A/en
Application granted granted Critical
Publication of CN107454107B publication Critical patent/CN107454107B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/66Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215Controller Area Network CAN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40267Bus for use in transportation systems
    • H04L2012/40273Bus for use in transportation systems the transportation system being a vehicle

Abstract

The invention discloses a method for generating a controller area network CAN automobile bus alarm gateway for detecting injection type attack, which CAN not prevent the injection type attack due to the multi-main characteristic of a CAN bus (any equipment accessed to the CAN bus CAN send messages).

Description

Controller local area network automobile bus alarm gateway for detecting injection type attack
Technical Field
The invention relates to a method for generating a Controller Area Network (CAN) (controller area network) automobile bus alarm gateway for detecting injection type attacks, in particular to an application of judging whether Dos exists or not and imitating the injection type attacks of existing ECUs or newly added ECUs for sending fake data by only modifying software of a CAN bus gateway under the condition of not changing hardware and software of an Electronic Control Unit (ECU) (electronic Control unit) on a CAN bus and utilizing the IDs of data frames sent by the ECUs in a CAN bus protocol, time for responding other ECU request frames, the maximum value and the minimum value of data and a period generated by the data.
Background
The controller area network CAN was first developed by Bosch corporation in 1985 to build an in-vehicle network, and is an effective, reliable and fast serial transmission bus between ECUs in an automobile, and becomes an international standard (ISO 11898) in 1993.
Most automobiles have two CAN buses, one of which is high-speed and has the speed of 500kbps (the highest speed CAN reach 1M), and the CAN bus mainly transmits relevant data of a transmission system unit of the automobile in running, such as an engine, a steering wheel, a brake, a gearbox and the like; the other is low-speed, the speed reaches 125kbps, and the device is mainly used for transmitting data of a vehicle body unit, such as data of a radio, a vehicle door lock, vehicle window control, temperature (air conditioner) and the like; the two buses are connected through a gateway, and the main functions of the gateway are speed matching, format conversion with other buses and the like, as shown in fig. 1.
One of the biggest characteristics of the CAN protocol is that the traditional station address coding is abandoned, the sent message is coded, the number of ECUs accessing the bus is not limited explicitly, and the identifier ID of the message is composed of 11-bit (CAN 2.0A) or 29-bit (CAN2.0b) binary numbers, and the main technical characteristics are as follows:
(1) the CAN bus is not provided with a master/slave ECU, the sent data frame does not indicate the address of a sending node, nor does the address of a receiving node, and all nodes CAN send data and receive the capability of sending data by other nodes, namely the sending ECU does not know who the sending ECU sends, and the receiving ECU does not know who the sending ECU sends;
(2) when a plurality of nodes send data simultaneously, bus arbitration enables messages with lower value IDs to acquire the use right of the bus, and messages with higher value IDs are sent again when waiting for the bus to be idle;
(3) all other ECUs can simultaneously receive data sent by one ECU, and all the ECUs have filtering capacity to limit the receiving of data which is not needed by the ECUs;
(4) the CAN bus is serial and asynchronous, and the ECUs on the bus do not need to synchronize their clocks;
(5) the data length range in the data frame is 0-8 bytes;
(6) there are four different frames on the CAN bus, namely a data frame, a request frame, an error frame and an overload frame. The data frames are sent out by the ECU periodically, and the interval period of sending out the data by different ECUs is different and is usually between 10 and 10000 milliseconds; the request frame is used for requesting data (same as the data frame ID) sent by other ECUs, but the data section has no content, the requested ECU needs to respond to the request, and the format of the CAN 2.0A data frame and the request frame is shown in FIG. 2; the error frame is sent out when the sending and receiving meet the error (the sending and receiving ECU can both send out) for correcting the error, the overload frame is used for sending data too fast, and the receiving ECU can not catch up with the sending speed;
(7) the CAN bus has no security components, it assumes that all ECUs are legitimate, trustworthy and operate according to their parameter settings.
However, research and experiments show that vehicles are easy to be damaged by malicious opponents (car thieves, self-refitting, competitors, etc.), all ECUs in automobiles are easy to be attacked by using a CAN bus as an entry point (an attacker CAN access equipment to the CAN through an on-line diagnostic interface OBD or modify and replace the original ECU by itself), most typically, injection type attacks, which mainly include the following three types:
(1) denial of service attack DoS (dental of service): due to a bus arbitration mechanism, the low ID message can obtain the bus use right, an attacker can stop sending the low ID (such as 00) message, all other normal ECUs can be prevented from sending the message, and the automobile cannot be started;
(2) impersonation attacks: impersonating an original ECU (message ID is the same, original ECU is removed), such as a vehicle retrofit to obtain more engine power or speed;
(3) fuzzy attack: a randomly generated message ID is sent to the CAN bus, which ID message may not be available on the bus (an attack with the same ID on the bus is similar to a spoofing attack), with the purpose of disrupting the normal operation of the car (data going out of the way, out of the normal range), which may seriously lead to an accident.
Due to the multi-master characteristics of the CAN bus (any device accessing the CAN bus CAN send messages), the injection type attack cannot be prevented, but the attack CAN be detected and the alarm CAN be given in time.
Disclosure of Invention
In order to solve the technical problems in the existing CAN bus, the invention discloses a method for generating a Controller Area Network (CAN) automobile bus alarm gateway for detecting injection type attacks, under the condition of not changing hardware and software of an Electronic Control Unit (ECU) on a CAN bus, whether the injection type attacks exist or not is judged according to the ID, the period, the maximum/minimum value of data, the response time of a response request frame and the like of messages (data) sent by each ECU by modifying the software of the bus gateway and giving an alarm in time. The specific technical scheme is as follows:
a method for generating a Controller Area Network (CAN) automotive bus alarm gateway for detecting injection attacks, the gateway having two tables stored therein: the system comprises a static table and a dynamic table, wherein the static table records IDs (identity) of messages sent by all ECUs on a CAN bus, a period T, a maximum value Max minimum value Min of data and response time R of a response request frame, and the IDs are sorted from small to large; the dynamic table records the sending time and the value of all the two data frames on the CAN bus, the sending time of the request frame and the time and the size of the corresponding response frame, and the data frames are sorted from small to large according to the ID; the method is characterized by comprising the following steps:
(1) the gateway circularly receives the data frame or the request frame;
(2) if the data frame is the data frame, firstly detecting whether the ID of the data frame is in a static table or not, and if not, alarming; detecting whether the Value (Value) is between the maximum Value Max and the minimum Value Min, and if not, alarming; otherwise, searching the ID with the type of the periodic data frame in the dynamic table; if there is no request frame in front of the data frame, it shows that the ECU sends out data periodically, the date and size of the data received for the second time are stored in the field corresponding to the Current in the dynamic table, then compares whether the period T sent out by the data is normal, and alarms abnormally; otherwise, replacing the corresponding field of Previous (Previous) with the receiving time and size in the Current (Current), turning to the step (1), waiting for the Next (Next) data frame, and repeating the steps in a circulating way; if the data frame is preceded by a request frame, indicating that other ECU request data exist, storing the received time and size into an ID in the dynamic table after receiving the data frame, and the type of the ID is the Current corresponding field in the request frame record, comparing whether the response time R is normal or not, and alarming abnormally, otherwise deleting the ID in the dynamic table and the record of the type of the request frame, and turning to the step (1);
(3) if the frame is a request frame, firstly detecting whether the ID of the frame is in a static table or not, and if not, alarming; secondly, establishing an ID in the dynamic table, wherein the type of the ID is a record of the request frame, filling the request time into a time field (the size is 0) in a corresponding field before (Previous), and turning to the step (1).
Further, in the second step of the step (2), if the dynamic table does not have the ID with the type of the periodic data frame, the periodic data frame is newly created, and the date and size of the first data reception are stored in the corresponding Previous field in the dynamic table.
Drawings
Fig. 1 is a diagram of a general CAN architecture.
Fig. 2 is a diagram showing a structure of a data frame and a request frame.
Detailed Description
The invention will be further explained with reference to the drawings.
Because each CAN bus is provided with a gateway with matched speed, all messages on the CAN bus CAN be monitored, and the software function of the CAN bus CAN be modified to judge whether injection type attack exists or not.
(1) Two tables
Two tables are maintained in the memory of the gateway, one is a static table and the other is a dynamic table.
Static table: the table records the ID of all the messages sent by the ECU on the CAN bus, the period T, the maximum value Max minimum value Min of the data and the response time R of the response request frame, and the table is sorted from small to large according to the ID, as shown in the table 1:
ECU ID T Max Min R
ECU1 ID1 T1 Max1 Min1 R1
ECU2 ID2 T2 Max2 Min2 R2
…… …… …… …… …… ……
ECUN IDN TN MaxN MinN RN
TABLE 1
In the table of table 1, the first 4 items, i.e., ID, T, Max, and Min, are intrinsic parameters of each ECU, and are easily obtained during vehicle production, and the request response time R is obtained after the vehicle is started, and the obtaining method is as follows:
the gateway sends the request message to the CAN bus as IDiAnd recording the time of the request, and then waiting for having the message IDiIn response to the data frame, waits for a response time Ri(ii) a The received data frame ID after the request frame is equal to the received IDiThe time difference between the time of sending the request frame and the time of sending the request frame is the accurate response time Ri
RiReceived data frame IDiTime-issue request data ID ofiTime (1)
Table 1 in the gateway CAN already detect DoS attacks and partial fuzzy attacks (message IDs not on the bus), and the gateway listens to all data frames and request frames on the CAN bus, and if its ID is not in the table in which table 1 is located, it is determined that DoS attacks or partial fuzzy attacks.
Dynamic table: the table records the time and the value of sending out all the two data frames on the CAN bus, the time of sending out the request frame and the time and the size of the corresponding response frame, and the data frames are sorted from small to large according to the ID, as shown in the table 2.
Figure BDA0001409558250000051
TABLE 2
In Table 2, the record of the type "periodic data frame" is ECU2Data sent out periodically by self with the period of T in Table 12All ECUs (including gateways) can receive the data, and the data values Value1 and Value2 are only in Min2、Max2In between, belonging to normal data; if the data is normal, when the Next (Next) data frame is received, replacing the Previous value with the Current value (time and size) and replacing the Current value with the Next value, and the process is repeated. The first half of the record, of type "request frame" (italic + underlined), is that other ECUs request ECUs2Is requested (there may be no, or many, only one is listed for simplicity), has a value of 0, and a request time rt2>rt1(ii) a The rear half part of the engine is provided with an ECU2Data in response to the request, its response time rt3<rt1+ T in Table 12The value3 is only in Min2、Max2In between, belonging to normal data; if the data is normal, the data item is deleted.
In a gatewayTable 2 of (a) can detect a partial spoofing attack and a partial blurring attack as long as the period of the "periodic data frame" is erroneous (increased or decreased) or the size of data (data including a response request frame) is not Min2、Max2And directly alarming.
The rest of the attacks are fuzzy attacks, the message ID of which belongs to the CAN bus, the value of which is also between Min and Max, but the value is not an accurate value. This type of attack can be detected from the response time parameter in Table 1, namely rt in Table 23-rt2Whether or not it is equal to R2And unequal to the condition that the attack needs to be alarmed.
1. Modifying gateway software according to the invention content;
2. obtaining the message ID of each ECU on the vehicle when the vehicle leaves the factory, and generating a period T, a maximum/minimum value Max/Min and response time R; if a new ECU is added or an old ECU is replaced, the upper parameters of the replaced ECU must be acquired in a safe environment (a production plant or a 4S shop);
3. the injection attack is detected according to the following algorithm:
(1) the gateway circularly receives the data frame or the request frame;
(2) if the data frame is the data frame, firstly detecting whether the ID of the data frame is in the table 1, and if not, alarming; detecting whether the Value is between Max and Min, and if not, alarming; otherwise, the ID of the type "periodic data frame" is searched in table 2 (new is not created, and the date and size of the first data reception is stored in the field corresponding to Previous in table 2); if there is no request frame in front of the data frame, it shows that the ECU sends out data periodically, the date and size of the data received for the second time are stored in the field corresponding to the Current in table 2, then compares whether the period T sent out by the data is normal, and alarms abnormally; otherwise, replacing the field corresponding to Previous with the receiving time and size in the Current, turning to the step (1), waiting for the Next data frame, and repeating the steps; if the data frame is preceded by a request frame, indicating that other ECU request data exist, storing the received time and size into the corresponding field of the ID in the table 2 and the type of the Current in the record of the request frame after receiving the data frame, comparing whether the response time R is normal or not, and alarming abnormally, otherwise deleting the record of the ID in the table 2 and the type of the request frame, and turning to the step (1);
(3) if the frame is a request frame, firstly detecting whether the ID is in the table 1, and if not, alarming; secondly, a record with the ID and the type of the request frame is newly built in the table 2, the request time is filled into a time field (the size is 0) in Previous, and the step (1) is carried out.

Claims (2)

1. A method for detecting injection attacks for a controller area network automotive bus alarm gateway, the gateway having two tables held in memory: a static table and a dynamic table, wherein the static table records the IDs of all the messages sent by the ECUs on the CAN bus, the maximum value Max and the minimum value Min of the data in the messages sent by the period T, ECU and the response time R of the response request frame, and the IDs are sorted from small to large; the dynamic table records the sending time of all the two data frames on the CAN bus, the numerical value of data in the data frames, the sending time of the request frame and the time and the size of the corresponding response frame, and the data frames are sorted from small to large according to the ID; the method is characterized by comprising the following steps:
(1) the gateway circularly receives the data frame or the request frame;
(2) if the data frame is the data frame, firstly detecting whether the ID of the data frame is in a static table or not, and if not, alarming; if yes, detecting whether the Value (Value) of the data in the data frame is between the maximum Value Max and the minimum Value Min, and if not, alarming; otherwise, searching the data frame of the ID with the type of the periodic data frame in the dynamic table; if there is no request frame in front of the periodic data frame, it shows that the ECU sends out data periodically, the time and size of the data received for the second time are stored in the field of the time and the data value of the data frame sent out this time or the response data frame of the periodic data frame in the dynamic table, then the period T sent out by the data is compared whether normal, abnormal alarm is given; otherwise, replacing the last sending or requesting time of the periodic data frame and the numerical value field of the data by the receiving time and the receiving size in the numerical value field of the time and the data of the sending or responding data frame of the periodic data frame, turning to the step (1), waiting for the Next (Next) data frame, and repeating in a circulating way; if the data frame is preceded by a request frame, indicating that other ECU request data exist, storing the received time and size into an ID in the dynamic table after receiving the data frame, comparing whether the response time R is normal or not and giving an abnormal alarm if the type of the ID in the dynamic table is a field of the time and the size of a numerical value of the data frame sent or responded in the request frame record, and if not, deleting the ID in the dynamic table and recording the type of the ID in the request frame, and turning to the step (1);
(3) if the frame is a request frame, firstly detecting whether the ID of the frame is in a static table or not, and if not, alarming; if yes, establishing ID in the dynamic table and the type is the record of the request frame, filling the request time into the time field in the last sending or request time of the request frame and the numerical value field of the data, the size is 0, and turning to the step (1).
2. The method for detecting an injection attack for a controller area network automotive bus alarm gateway of claim 1, wherein: and (2) in the second step, if the dynamic table does not find the ID of the periodic data frame, newly establishing the periodic data frame, and storing the date and the size of the first data received into the last sending or requesting time of the periodic data frame and the data value size field in the dynamic table.
CN201710837695.2A 2017-09-15 2017-09-15 Controller local area network automobile bus alarm gateway for detecting injection type attack Active CN107454107B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710837695.2A CN107454107B (en) 2017-09-15 2017-09-15 Controller local area network automobile bus alarm gateway for detecting injection type attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710837695.2A CN107454107B (en) 2017-09-15 2017-09-15 Controller local area network automobile bus alarm gateway for detecting injection type attack

Publications (2)

Publication Number Publication Date
CN107454107A CN107454107A (en) 2017-12-08
CN107454107B true CN107454107B (en) 2020-11-06

Family

ID=60496654

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710837695.2A Active CN107454107B (en) 2017-09-15 2017-09-15 Controller local area network automobile bus alarm gateway for detecting injection type attack

Country Status (1)

Country Link
CN (1) CN107454107B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2706887C2 (en) * 2018-03-30 2019-11-21 Акционерное общество "Лаборатория Касперского" System and method for blocking computer attack on vehicle
CN108790822B (en) * 2018-06-14 2021-05-25 苏州途驰安电子科技有限公司 Vehicle speed data acquisition method and device based on monitoring mode
CN111030962B (en) * 2018-10-09 2023-03-24 厦门雅迅网络股份有限公司 Vehicle-mounted network intrusion detection method and computer-readable storage medium
CN109257261A (en) * 2018-10-17 2019-01-22 南京汽车集团有限公司 Anti- personation node attack method based on CAN bus signal physical features
US10958470B2 (en) * 2018-11-06 2021-03-23 Lear Corporation Attributing bus-off attacks based on error frames
CN110098990A (en) * 2019-05-07 2019-08-06 百度在线网络技术(北京)有限公司 Safety protecting method, device, equipment and the storage medium of controller LAN
US11165794B2 (en) * 2019-09-30 2021-11-02 Infineon Technologies Ag Alert system for controller area networks
CN111147448B (en) * 2019-12-06 2022-06-07 中科曙光(南京)计算技术有限公司 CAN bus flood attack defense system and method
CN111371777B (en) * 2020-02-28 2022-06-24 北京天融信网络安全技术有限公司 Attack detection method, device, detector and storage medium for vehicle network
CN111596570B (en) * 2020-05-26 2023-09-12 杭州电子科技大学 Vehicle CAN bus simulation and attack system and method
CN113467332B (en) * 2021-07-28 2022-05-20 南京市初仁智能科技有限公司 Design method of event trigger controller of information physical system under denial of service attack
CN114422181A (en) * 2021-12-11 2022-04-29 浙江吉利控股集团有限公司 Vehicle data message safety communication method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301177A (en) * 2014-10-08 2015-01-21 清华大学 CAN message abnormality detection method and system
CN104320295A (en) * 2014-10-08 2015-01-28 清华大学 CAN (Control Area Network) message anomaly detection method and system
CN104767618A (en) * 2015-04-03 2015-07-08 清华大学 CAN bus authentication method and system based on broadcasting
CN106878130A (en) * 2017-03-14 2017-06-20 成都雅骏新能源汽车科技股份有限公司 A kind of electric automobile CAN network method for detecting abnormality and device
US10320836B2 (en) * 2017-01-03 2019-06-11 Karamba Security Ltd. Automotive ECU controller and data network having security features for protection from malware transmission

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016094703A1 (en) * 2014-12-10 2016-06-16 Battelle Energy Alliance, Llc Apparatuses and methods for security in broadcast serial buses

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301177A (en) * 2014-10-08 2015-01-21 清华大学 CAN message abnormality detection method and system
CN104320295A (en) * 2014-10-08 2015-01-28 清华大学 CAN (Control Area Network) message anomaly detection method and system
CN104767618A (en) * 2015-04-03 2015-07-08 清华大学 CAN bus authentication method and system based on broadcasting
US10320836B2 (en) * 2017-01-03 2019-06-11 Karamba Security Ltd. Automotive ECU controller and data network having security features for protection from malware transmission
CN106878130A (en) * 2017-03-14 2017-06-20 成都雅骏新能源汽车科技股份有限公司 A kind of electric automobile CAN network method for detecting abnormality and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Anomaly detection of CAN bus messages through analysis of ID sequences;Mirco Marchetti et al;《2017 IEEE Intelligent Vehicles Symposium (IV)》;20170614;全文 *
一种应用于CAN总线的异常检测系统;张子键等;《信息安全与通信保密》;20150831;全文 *

Also Published As

Publication number Publication date
CN107454107A (en) 2017-12-08

Similar Documents

Publication Publication Date Title
CN107454107B (en) Controller local area network automobile bus alarm gateway for detecting injection type attack
Song et al. Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network
EP3319275B1 (en) Method for monitoring data traffic in a motor-vehicle network
CN110505134B (en) Internet of vehicles CAN bus data detection method and device
CN111147448B (en) CAN bus flood attack defense system and method
CN108848072B (en) Vehicle-mounted CAN bus abnormality detection method based on relative entropy
CN106656705B (en) Vehicle-mounted MOST/CAN security gateway and intrusion detection method thereof
US10958470B2 (en) Attributing bus-off attacks based on error frames
DE102019001978A1 (en) Method for monitoring communication on a communication bus, electronic device for connection to a communication bus and vehicle
CN114257986A (en) Vehicle CAN network attack identification method and device
KR101734505B1 (en) Method and apparatus for detecting attack in vehicle network
CN107770176B (en) SAE-J1939 automobile bus node authentication ECU (electronic control unit) generation method
CN115102707A (en) Vehicle CAN network IDS safety detection system and method
Kneib et al. On the fingerprinting of electronic control units using physical characteristics in controller area networks
Boumiza et al. An efficient hidden Markov model for anomaly detection in can bus networks
US20230239158A1 (en) Message chain-based can security sytem and method with hash function
CN109462607B (en) Method for implementing safe UDS diagnosis on CAN
US20220232022A1 (en) Method and system for detecting intrusion in a vehicle system
Hafeez A robust, reliable and deployable framework for in-vehicle security
US20240073201A1 (en) Vehicle network security
CN107896214A (en) A kind of Lin bus host node production methods for taking precautions against false data injection
CN116319146A (en) Implementation method and storage medium for function management of vehicle-mounted CAN (controller area network) message
Lin Analysis and modeling of a priority inversion scheme for starvation free controller area networks
CN111314354B (en) Intelligent vehicle communication method and device, electronic equipment and readable storage medium
US20240129301A1 (en) Vehicle network security

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant