CN107666476B - CAN bus risk detection method and device - Google Patents


Info

Publication number: CN107666476B (application CN201710378097.3A)
Authority: CN (China)
Prior art keywords: detection, task, data frame, data, target vehicle
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN107666476A (en)
Inventors: 云晓春, 李政, 王永建
Current assignee: National Computer Network and Information Security Management Center
Original assignee: National Computer Network and Information Security Management Center

Events: application filed by National Computer Network and Information Security Management Center; priority to CN201710378097.3A; publication of CN107666476A; application granted; publication of CN107666476B; legal status Expired - Fee Related; anticipated expiration.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 ... for detecting or protecting against malicious traffic; H04L63/1408 ... by monitoring network traffic; H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic; H04L63/1458 Denial of Service
    • H04L12/00 Data switching networks; H04L12/28 ... characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]; H04L12/40 Bus networks; H04L12/40006 Architecture of a communication node
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard; H04L2012/40215 Controller Area Network CAN
    • H04L2012/40267 Bus for use in transportation systems; H04L2012/40273 ... the transportation system being a vehicle


Abstract

The invention provides a CAN bus risk detection method and device. The method runs on a device connected to the CAN bus interface of a target vehicle and comprises the following steps: receiving the vehicle type of the target vehicle from a user, and looking up the proprietary protocol for that vehicle type among the prestored proprietary protocols of various vehicle types; receiving a new-task request from the user, and establishing a new detection task from the proprietary protocol of the vehicle type, the detection type carried by the request and the detection target; when a command to start the detection task is received, constructing a data frame based on the detection task and sending it to the CAN bus system of the target vehicle through the vehicle's CAN bus interface; and receiving the response information returned by the CAN bus system of the target vehicle, generating a detection report from that response information and outputting the report. The invention can detect security risks in the CAN bus system of a vehicle.

Description

CAN bus risk detection method and device
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for detecting risk of a Controller Area Network (CAN) bus.
Background
In recent years, hackers at home and abroad have successively compromised various vehicle models through wireless and wired intrusion. An attacker can take control of the vehicle-mounted system or an electronic control unit by intruding through the vehicle's 3G/4G, Wi-Fi, Bluetooth or radio-frequency wireless networks, and can also reach the vehicle's CAN bus system directly through its CAN bus access point.
Whether the attack is wired or wireless, the attacker obtains vehicle information by reading and writing frame data on the CAN bus, achieves remote control of the vehicle, and can even impair the vehicle's availability, which seriously threatens the life and property of the vehicle owner.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for detecting risks of a CAN bus, which can detect security risks of the CAN bus system.
In order to achieve the purpose, the invention provides the following technical scheme:
a Controller Area Network (CAN) bus risk detection method is applied to a device connected to a CAN bus interface of a target vehicle and comprises the following steps:
receiving vehicle type information of a target vehicle input by a user, and searching a private protocol corresponding to the vehicle type input by the user in the prestored private protocols of various vehicle types;
receiving a new task request input by a user, and establishing a new detection task according to a private protocol corresponding to a vehicle type input by the user, a detection type carried by the new task request and a detection target;
when a command for starting the detection task is received, constructing a data frame based on the detection task, and sending the constructed data frame to a CAN bus system of a target vehicle through a CAN bus interface of the target vehicle;
and receiving response information returned by the CAN bus system of the target vehicle, generating a detection report according to the response information and outputting the detection report.
A Controller Area Network (CAN) bus risk detection device connected to a CAN bus interface of a target vehicle comprises a storage module, a user interface module, a processing module and a bus interface module;
the storage module is used for storing the proprietary protocols of various vehicle types in advance;
the user interface module is used for receiving the vehicle type information of the target vehicle input by the user and searching the proprietary protocols of various vehicle types stored in the storage module for the proprietary protocol corresponding to that vehicle type; it is further used for receiving a new task request input by the user, and for receiving a command to start any detection task;
the processing module is used for establishing a new detection task from the proprietary protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target, when the user interface module receives the new task request; it is further used for constructing a data frame based on the detection task when the user interface module receives a command to start that detection task, and for instructing the bus interface module to send the data frame to the target vehicle through the vehicle's CAN bus interface;
the bus interface module is used for sending the data frame constructed by the processing module to the CAN bus system of the target vehicle through the vehicle's CAN bus interface; it is further used for receiving the response information returned by the CAN bus system of the target vehicle, generating a detection report from the response information and outputting the detection report.
According to this technical scheme, the CAN bus risk detection device is connected to the CAN bus interface of the target vehicle and works as follows: it first determines the vehicle type of the target vehicle and the corresponding proprietary protocol, then establishes a detection task from the user's new task request, constructs a data frame according to the detection task and sends it to the CAN bus system of the target vehicle through the CAN bus interface, and finally generates and outputs a detection report from the response information returned by the CAN bus system. From the detection report, together with the change in the target vehicle's own state during risk detection, the user can determine the security risk of the target vehicle's CAN bus system.
Drawings
FIG. 1 is a schematic structural diagram of a CAN bus risk monitoring device according to an embodiment of the present invention;
fig. 2 is a flow chart of a CAN bus risk monitoring method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention are described in detail below with reference to the accompanying drawings according to embodiments.
In the invention, in order to detect risks in the CAN bus system of a vehicle and to provide theoretical and technical guidance for protecting the vehicle, the CAN bus risk detection device shown in fig. 1 is provided; the device can be connected to the CAN bus interface of the vehicle and reads and writes data of the CAN bus system through that interface.
In one embodiment of the invention, the CAN bus interface is an OBD-II interface.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a CAN bus risk monitoring device according to an embodiment of the present invention, as shown in fig. 1, including: the device comprises a storage module, a user interface module, a processing module and a bus interface module. The storage module is mainly used for storing the proprietary protocols of various vehicle types; the user interface module is mainly used for processing various operation instructions related to the detection task of the user; the processing module is mainly used for constructing a data frame for risk detection based on a detection task of a user. The bus interface module is mainly used for sending the data frame for risk detection constructed by the processing module to the CAN bus system through the CAN bus interface.
The following describes in detail a CAN bus risk detection method implemented based on the apparatus shown in fig. 1:
referring to fig. 2, fig. 2 is a flowchart of a CAN bus risk detection method according to an embodiment of the present invention, and as shown in fig. 2, the method is applied to the CAN bus risk detection device shown in fig. 1, the device is connected to a CAN bus interface of a target vehicle, and the method mainly includes the following steps:
step 201, the user interface module receives vehicle type information of a target vehicle input by a user, and searches for a private protocol corresponding to the vehicle type input by the user from private protocols of all vehicle types stored in advance by the storage module.
In this embodiment, when a user needs to perform risk detection on a CAN bus system of a certain vehicle, the vehicle type of the vehicle to be detected needs to be selected first, and then all detection tasks are established for the CAN bus system of the vehicle type.
In a specific implementation, the CAN bus risk detection device CAN provide a user interface, and a user triggers various operation commands and information input through the operation of the user interface. For example, a user inputs a vehicle type in the user interface and clicks the submit button to trigger a vehicle type information input instruction, and after receiving the instruction, the user interface module determines vehicle type information carried in the instruction as the vehicle type information input by the user.
The storage module can store the proprietary protocol of part or all of the vehicle types in advance. If the proprietary protocol of a certain type of vehicle model has the requirements of addition, deletion and modification, the user can add, delete and modify the proprietary protocol by inputting a specific instruction. For example, a user may input a protocol adding instruction, and when the user interface module receives the instruction, the vehicle type carried in the instruction and the path information of the corresponding private protocol file thereof may be acquired, so that the private protocol file content (i.e., the protocol content) may be loaded according to the path information of the private protocol file and stored in the storage module; the user can also input a protocol deleting instruction, and when the user interface module receives the instruction, the private protocol corresponding to the vehicle type carried in the instruction can be searched in the storage module and deleted; the user can also input a protocol modification instruction, and when the user interface module receives the instruction, the content of the proprietary protocol file of the vehicle type carried by the instruction can be reloaded, and the proprietary protocol of the vehicle type, which is originally stored in the storage module, can be replaced.
In this embodiment, when the search for the private protocol corresponding to the vehicle type input by the user fails in the private protocols of all vehicle types stored in advance in the storage module, it is described that the private protocol of the vehicle type does not exist in the storage module, and at this time, it may be indicated that the private protocol of the vehicle type does not exist (a prompt is made by outputting text or sending an alarm message), so that the user may specify the private protocol file path information of the vehicle type by triggering a protocol addition instruction, and after the user interface module receives the protocol addition instruction of the user, the private protocol corresponding to the vehicle type may be loaded according to the private protocol file path information of the vehicle type carried in the instruction and stored in the storage module, so as to add the private protocol of the vehicle type.
Step 202, the user interface module receives a new task request input by a user, and establishes a new detection task based on a private protocol corresponding to a vehicle type input by the user, a detection type carried by the new task request and a detection target.
The detection information carried in the new task request comprises a detection type and a detection target. The detection types include data forgery attacks, replay attacks, denial of service attacks and fuzzing attacks. The detection target corresponds to a specific function of the CAN bus system.
After the user has chosen the vehicle type to be detected, detection tasks of the various detection types can be established, so that the various possible risks of the vehicle's CAN bus system can each be detected.
When a detection task (which should have a unique task ID) needs to be newly created, a user can input a detection type and a detection target through a column of the newly created task in a user interface, so as to trigger a newly created task request instruction, and when a user interface module receives a newly created task request of the user, a new detection task can be created according to a private protocol corresponding to a vehicle type input by the user, the detection type and the detection target carried by the newly created task request, and the specific method is as follows: and allocating a task ID, and setting the task ID, the private protocol corresponding to the vehicle type input by the user, the detection type and the detection target carried by the newly-built task request as the task ID of the detection task, the private protocol corresponding to the target vehicle type, the detection type and the detection target respectively.
After a detection task is established, a user can select to start, pause, stop or delete the detection task, and in the specific implementation, the detection task is started, paused, stopped or deleted by inputting a specific instruction. For example, a user may input a task start instruction, and when the user interface module receives the instruction, a detection task corresponding to a task ID carried in the instruction may be started. The user may also input a task suspension instruction, and when the user interface module receives the instruction, the detection task corresponding to the task ID carried in the instruction may be suspended (specifically, the detection task may be represented as temporarily stopping sending the data frame constructed based on the detection task to the CAN bus system). The user can also input a task stopping instruction, and when the user interface module receives the instruction, the detection task corresponding to the task ID carried in the instruction can be stopped. The user can also input a task deleting instruction, and when the user interface module receives the instruction, the detection task corresponding to the task ID carried in the instruction can be deleted.
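The protocol lookup of step 201 and the task creation and start/pause/stop/delete commands of step 202 amount to a registry plus a small state machine. The following Python is an added example, not the patent's code: the class names, the dict layout of a stored protocol (a `"targets"` map from target name to identifier) and the sample vehicle type are assumptions. It shows the two failure modes the text singles out, a vehicle type with no stored protocol and a command that is not valid in the task's current state.

```python
# Added example (not the patent's code): a model of the storage module, the
# task-creation step and the start/pause/stop/delete commands from steps 201-202.
# Class names, the protocol dict layout and the sample vehicle type are assumptions.
import itertools
from dataclasses import dataclass, field
from enum import Enum


class DetectionType(Enum):
    DATA_FORGERY = "data_forgery"
    REPLAY = "replay"
    DENIAL_OF_SERVICE = "denial_of_service"
    FUZZING = "fuzzing"


class TaskState(Enum):
    CREATED = "created"
    RUNNING = "running"
    PAUSED = "paused"
    STOPPED = "stopped"


# Which states each command is valid from (assumption: the text names the
# commands but does not spell out the state machine).
_TRANSITIONS = {
    "start": {TaskState.CREATED: TaskState.RUNNING, TaskState.PAUSED: TaskState.RUNNING},
    "pause": {TaskState.RUNNING: TaskState.PAUSED},
    "stop": {TaskState.RUNNING: TaskState.STOPPED, TaskState.PAUSED: TaskState.STOPPED},
}


class ProtocolNotFound(KeyError):
    """Raised when no proprietary protocol is stored for a vehicle type (step 201)."""


class ProtocolStore:
    """Storage module: vehicle type -> proprietary protocol, with add/delete/modify."""

    def __init__(self):
        self._protocols = {}

    def add(self, vehicle_type, protocol):
        # A protocol-add or protocol-modify instruction replaces the stored entry.
        self._protocols[vehicle_type] = dict(protocol)

    modify = add

    def delete(self, vehicle_type):
        del self._protocols[vehicle_type]

    def lookup(self, vehicle_type):
        try:
            return self._protocols[vehicle_type]
        except KeyError:
            raise ProtocolNotFound(vehicle_type) from None


@dataclass
class DetectionTask:
    task_id: int
    vehicle_type: str
    protocol: dict
    detection_type: DetectionType
    target: str
    parameters: dict = field(default_factory=dict)
    state: TaskState = TaskState.CREATED


class TaskManager:
    """User-interface/processing side: creates tasks and applies task commands."""

    def __init__(self, store):
        self.store = store
        self.tasks = {}
        self._ids = itertools.count(1)  # unique task IDs

    def new_task(self, vehicle_type, detection_type, target, parameters=None):
        protocol = self.store.lookup(vehicle_type)  # ProtocolNotFound -> prompt the user to add it
        if target not in protocol["targets"]:
            raise ValueError(f"target {target!r} is not defined in the protocol for {vehicle_type}")
        task = DetectionTask(next(self._ids), vehicle_type, protocol,
                             detection_type, target, dict(parameters or {}))
        self.tasks[task.task_id] = task
        return task

    def command(self, task_id, cmd):
        task = self.tasks[task_id]
        if cmd == "delete":
            del self.tasks[task_id]
            return None
        try:
            task.state = _TRANSITIONS[cmd][task.state]
        except KeyError:
            raise ValueError(f"{cmd!r} is not allowed in state {task.state.value}") from None
        return task.state
```

The `ProtocolNotFound` exception is the point at which the user interface module would prompt for a protocol file path and call `ProtocolStore.add`; the detection parameters that later sections attach to a task (sending frequency, data change rule) travel in `parameters`.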
Step 203, the user interface module receives a command of starting the new detection task from the user, the processing module constructs a data frame based on the new detection task, and the bus interface module sends the data frame constructed by the processing module to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle.
When the user interface module receives the user's command to start the new detection task, the processing module can begin constructing the data frames for that detection task, and the bus interface module sends them to the CAN bus system of the target vehicle according to a set rule (for example, at a specific frequency). After receiving the data frames, the CAN bus system of the target vehicle can make various responses; the response information travels on the CAN bus and can be captured by the CAN bus risk detection device.
And step 204, the bus interface module receives response information returned by the CAN bus system of the target vehicle, and generates and outputs a detection report according to the response information.
After receiving the data frames sent by the bus interface module, the CAN bus system of the target vehicle can make various responses, which may be correct or incorrect. The bus interface module generates and outputs a detection report from this response information, so that the user can determine from the report whether the CAN bus system of the target vehicle responded correctly, and thus whether it can correctly cope with the various possible attacks. In this way the potential security risks of the target vehicle's CAN bus system can be found accurately and improved or prevented in advance.
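The report of step 204 is only as good as the matching between what was sent and what came back. The following Python is an added example, not the patent's code: it pairs each transmitted frame with the first frame of the expected response identifier inside a timeout window, classifies the reply as correct, incorrect or missing, and renders the summary. The frame tuple layout, the expected-response table, the identifiers and all traffic are constructed for the example.

```python
# Added example (not the patent's code): matching bus responses to the frames a
# detection task sent and summarising them as the step-204 report. Frames are
# (timestamp_s, can_id, data) tuples; the expected-response table, the identifiers
# and all traffic below are constructed for the example.
from collections import Counter


def match_responses(sent, observed, expected_response, timeout=0.05):
    """Classify each sent frame as 'correct', 'incorrect' or 'timeout'.

    expected_response maps a sent ID to (response ID, predicate over response data);
    the first frame with that ID inside the timeout window is taken as the answer.
    """
    results = []
    for ts, can_id, data in sent:
        resp_id, is_valid = expected_response[can_id]
        verdict, evidence = "timeout", None
        for rts, rid, rdata in sorted(observed):
            if rts < ts or rts > ts + timeout or rid != resp_id:
                continue
            verdict = "correct" if is_valid(rdata) else "incorrect"
            evidence = (rts, rid, rdata)
            break
        results.append({"sent": (ts, can_id, data), "verdict": verdict, "response": evidence})
    return results


def build_report(results):
    """Return (per-verdict counts, human-readable report text)."""
    summary = Counter(r["verdict"] for r in results)
    lines = [f"{len(results)} frames sent: "
             + ", ".join(f"{k}={summary[k]}" for k in ("correct", "incorrect", "timeout"))]
    for r in results:
        if r["verdict"] != "correct":
            ts, cid, data = r["sent"]
            lines.append(f"  t={ts:.3f}s id=0x{cid:03X} data={data.hex()} -> {r['verdict']}")
    return summary, "\n".join(lines)


# Constructed sample: a request ID, its response ID and a predicate for a well-formed reply.
EXPECTED = {0x2A0: (0x2A8, lambda d: len(d) >= 2 and d[0] == 0x41)}
SENT = [(0.000, 0x2A0, b"\x01"), (0.100, 0x2A0, b"\x02"), (0.200, 0x2A0, b"\x03")]
OBSERVED = [
    (0.005, 0x2A8, b"\x41\x01"),  # valid reply to the first request
    (0.120, 0x2A8, b"\x7f\x02"),  # reply to the second request, but malformed
    (0.150, 0x3C0, b"\x00"),      # unrelated periodic frame
]


def demo():
    results = match_responses(SENT, OBSERVED, EXPECTED)
    summary, text = build_report(results)
    print(text)
    return summary


if __name__ == "__main__":
    demo()
```

A missing response is reported as a finding in its own right: for the denial of service and fuzzing detection types, the absence of the normal reply (or of the target's periodic frames) is the main evidence that the function was disrupted.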
In practical applications, when the detection types are different, the method for constructing the data frame based on the detection task is also different, and the following description is respectively given:
data forgery attack:
the data forgery attack means that an attacker pretends to be a legal node and sends a data instruction or a data packet/frame with a certain specific function to the CAN bus, and cheats a target node to make a response.
When the detection type of the detection task is data forgery attack, the method for constructing the data frame based on the detection task comprises the following steps: and searching the identification ID of the detection target of the detection task and the length and default value of each field in the data frame corresponding to the detection type of the detection task from the private protocol corresponding to the target vehicle type in the detection task, and constructing the data frame of the user data forgery attack based on the detection target ID and the length and default value of each field in the data frame.
For risk detection of data forgery attacks, the user may set some detection parameters, such as the data frame transmission frequency. The detection parameters set by the user can be carried in a new task request triggered by the user.
After receiving a new task request of a user, the user interface module may add a detection parameter in the new task request to the new detection task when establishing the new detection task.
When the bus interface module sends the constructed data frame to the CAN bus system of the target vehicle through the vehicle's CAN bus interface, it can send it at the data frame sending frequency given in the detection parameters.
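Constructing a frame "from the length and default value of each field" in the proprietary protocol, and later decoding the response frame with the same description, is ordinary CAN field packing. The following Python is an added example, not the patent's code: it validates a field layout against the CAN limits (11- or 29-bit identifier, at most 64 payload bits), packs default or overridden field values MSB-first, decodes a received payload back into named fields, and exposes the arbitration rule that the denial-of-service section relies on. The MSB-first packing, the class names and the sample layout are assumptions; the values are constructed.

```python
# Added example (not the patent's code): building a CAN data frame from the field
# lengths and default values that a proprietary-protocol entry records, and decoding
# a received frame with the same spec. MSB-first bit packing, the class names and
# the sample spec are assumptions; values are constructed.
from dataclasses import dataclass

CAN_MAX_DLC = 8           # classic CAN payload limit in bytes
STD_ID_MAX = 0x7FF        # 11-bit standard identifier
EXT_ID_MAX = 0x1FFFFFFF   # 29-bit extended identifier


@dataclass(frozen=True)
class Field:
    name: str
    bits: int      # field length in bits, from the protocol
    default: int   # default value, from the protocol


@dataclass(frozen=True)
class FrameSpec:
    can_id: int
    fields: tuple  # packed in order, first field in the most significant bits

    def __post_init__(self):
        if not 0 <= self.can_id <= EXT_ID_MAX:
            raise ValueError(f"identifier 0x{self.can_id:X} is not an 11- or 29-bit CAN ID")
        if any(f.bits <= 0 for f in self.fields):
            raise ValueError("field length must be positive")
        if self.total_bits > CAN_MAX_DLC * 8:
            raise ValueError("fields exceed the 64-bit CAN payload")

    @property
    def total_bits(self):
        return sum(f.bits for f in self.fields)

    @property
    def dlc(self):
        return (self.total_bits + 7) // 8

    @property
    def extended(self):
        return self.can_id > STD_ID_MAX


def encode(spec, overrides=None):
    """Return (can_id, payload bytes); fields not overridden take their default."""
    overrides = overrides or {}
    unknown = set(overrides) - {f.name for f in spec.fields}
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    value = 0
    for f in spec.fields:
        v = overrides.get(f.name, f.default)
        if not 0 <= v < (1 << f.bits):
            raise ValueError(f"{f.name}={v} does not fit in {f.bits} bits")
        value = (value << f.bits) | v
    padding = spec.dlc * 8 - spec.total_bits  # trailing bits are zero-filled
    return spec.can_id, (value << padding).to_bytes(spec.dlc, "big")


def decode(spec, payload):
    """Inverse of encode: split a received payload into named field values."""
    if len(payload) != spec.dlc:
        raise ValueError(f"expected DLC {spec.dlc}, got {len(payload)}")
    value = int.from_bytes(payload, "big")
    pos = spec.dlc * 8
    out = {}
    for f in spec.fields:
        pos -= f.bits
        out[f.name] = (value >> pos) & ((1 << f.bits) - 1)
    return out


def wins_arbitration(id_a, id_b):
    """CAN arbitration: the numerically lower identifier has the higher priority."""
    return id_a < id_b


# Constructed sample spec: a 3-field, 30-bit layout -> DLC 4 with 2 padding bits.
DEMO_SPEC = FrameSpec(0x2A0, (Field("mode", 8, 0x01), Field("value", 16, 0x0000),
                              Field("flags", 6, 0x00)))
```

Real proprietary protocols often pack some signals little-endian or with non-byte-aligned start bits; the `FrameSpec` here would need a start-bit and byte-order per field to cover those, which is exactly the information the stored protocol has to carry for step 203 to build a frame the target node accepts.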
Replay attacks:
A replay attack retransmits on the CAN bus, one or more times, all the data frames that were transmitted while the user performed a certain operation.
When the detection type of the detection task is replay attack, the data frame is constructed based on the detection task as follows: while the user performs the detection action for the task, the data on the CAN bus is captured in real time, every data frame in the captured data is parsed and identified, and the parsed data frames are written to a replay file; after a preset time, the data frames are read one by one from the replay file, and each frame read is treated as a constructed data frame.
When a replay attack is executed, the data must be transmitted with the original inter-frame transmission intervals, so when the data frames in the captured data are parsed, the transmission interval between each pair of adjacent data frames must also be determined and written to the replay file. Then, when the constructed data frames are transmitted to the CAN bus system of the target vehicle through the vehicle's CAN bus interface, the frames can be read from the replay file one by one according to the recorded interval between adjacent frames, and each frame read from the replay file can be transmitted to the CAN bus system of the target vehicle through the vehicle's CAN bus interface.
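Seen from the bus side, a replayed run of frames is a run of identical (identifier, data) pairs that recurs with the same inter-frame gaps the replay file recorded. The following Python is an added example, not the patent's code: it parses a capture into frames, computes the transmission intervals the text says a replay file must store, and flags a later window of frames that reproduces an earlier one with matching timing. The `(timestamp) interface ID#DATA` line style, the window size, the tolerance and every sample line are constructed.

```python
# Added example (not the patent's code): parsing a CAN capture into frames with
# their transmission intervals (what a replay file has to record) and flagging a
# later run of frames that reproduces an earlier run with the same timing. The
# '(timestamp) interface ID#DATA' line style and every sample line are constructed.
import re

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$")


def parse_capture(lines):
    """Return [(timestamp_s, can_id, data)] in capture order; malformed lines are skipped."""
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def intervals(frames):
    """Gap in seconds between each frame and the next, as a replay file must store it."""
    return [round(frames[i + 1][0] - frames[i][0], 6) for i in range(len(frames) - 1)]


def find_replays(frames, window=3, tolerance=0.002):
    """Return (first_index, repeat_index) pairs where `window` consecutive frames
    repeat an earlier run with identical (id, data) pairs and matching gaps."""
    seen = {}   # (id, data) sequence -> (index, gaps) of its first occurrence
    hits = []
    for i in range(len(frames) - window + 1):
        run = frames[i:i + window]
        key = tuple((f[1], f[2]) for f in run)
        gaps = intervals(run)
        if key in seen:
            first_i, first_gaps = seen[key]
            if all(abs(a - b) <= tolerance for a, b in zip(gaps, first_gaps)):
                hits.append((first_i, i))
        else:
            seen[key] = (i, gaps)
    return hits


# Constructed capture: three frames at t=0.00..0.02 reappear with the same gaps at t=0.50.
CAPTURE = """\
(0.000000) vcan0 1A0#0102
(0.010000) vcan0 2B0#FF00
(0.020000) vcan0 3C0#0A0B0C
(0.500000) vcan0 1A0#0102
(0.510000) vcan0 2B0#FF00
(0.520000) vcan0 3C0#0A0B0C
(1.000000) vcan0 1A0#0103
garbage line that the parser must skip
""".splitlines()


def demo():
    frames = parse_capture(CAPTURE)
    return intervals(frames), find_replays(frames)
```

Periodic status frames with a constant payload repeat legitimately, so on a real bus this check is only meaningful for windows that contain event-triggered frames (a door or ignition command, for instance), or in combination with the sequence counters or freshness values that a protected protocol carries. Without such a counter the receiving node cannot tell the replayed run from the original, which is the risk the replay detection type is meant to expose.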
Denial of service attacks:
A denial of service attack sends high-priority instructions so that low-priority instructions are blocked; the nodes that depend on the low-priority instructions lose their normal function, and service is denied.
When the detection type of the detection task is denial of service attack, the data frame is constructed based on the detection task as follows: the ID of the detection target and the length and default value of each field in the data frame corresponding to the detection type are looked up in the proprietary protocol of the target vehicle type, an ID with a higher priority than the ID of the detection target is selected, and the data frame for the denial of service attack is constructed from the selected ID and the length and default value of each field, so that its priority is higher than that of the data frame corresponding to the ID of the detection target.
When the denial of service attack is executed, in order to make the function of the test target unable to be normally executed, the constructed data frame needs to be sent at a faster frequency, and for this reason, when the ID of the detection target of the detection task and the length and default value of each field in the data frame corresponding to the detection type of the detection task are searched from the private protocol corresponding to the target vehicle type of the detection task, the sending frequency of the data frame corresponding to the detection type of the detection task can be further searched. Therefore, when the bus interface module sends the constructed data frame to the vehicle bus network system of the target vehicle through the bus interface of the target vehicle, the data frame sending frequency can be multiplied by a preset multiple (the preset multiple is larger than 1, for example, the value is 2, the greater the value is, the better the effect of denial of service attack is), and then the constructed frame is sent to the vehicle bus network system of the target vehicle by taking the product of the data frame sending frequency and the preset multiple as the sending frequency.
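The observable signature of this detection type on the bus is a higher-priority (numerically lower) identifier transmitted at a multiple of its nominal rate while a lower-priority identifier is seen far less often than its period predicts. The following Python is an added example, not the patent's code: it compares per-identifier frame counts in a capture against the periods a protocol specifies, flags flooding and starved identifiers, and applies the arbitration rule to decide whether the pattern matches a priority-based denial of service. Frames are `(timestamp, id, data)` tuples; the thresholds, the nominal periods and the traffic are constructed.

```python
# Added example (not the patent's code): checking a capture for the denial-of-service
# pattern the text describes, a higher-priority (numerically lower) identifier sent at a
# multiple of its normal rate while a lower-priority identifier starves. Frames are
# (timestamp_s, can_id, data) tuples; the expected periods and the traffic are constructed.
from collections import Counter


def analyse_rates(frames, expected_period, flood_multiple=2.0, starve_fraction=0.5):
    """Compare per-ID frame counts against the rate the protocol expects.

    expected_period: can_id -> nominal transmission period in seconds.
    Returns the flooding IDs (with their rate ratio), the starved IDs, and whether
    a flooding ID outranks a starved one in arbitration.
    """
    empty = {"flooding": [], "starved": [], "dos_suspected": False}
    if len(frames) < 2:
        return empty
    timestamps = [f[0] for f in frames]
    duration = max(timestamps) - min(timestamps)
    if duration <= 0:
        return empty
    counts = Counter(f[1] for f in frames)
    flooding, starved = [], []
    for can_id, period in expected_period.items():
        expected = duration / period
        ratio = counts[can_id] / expected
        if ratio >= flood_multiple:
            flooding.append((can_id, round(ratio, 2)))
        elif ratio <= starve_fraction:
            starved.append(can_id)
    # CAN arbitration: the numerically lower identifier wins, so a flood on a lower
    # ID than the starved one is consistent with priority-based denial of service.
    dos = any(fid < sid for fid, _ in flooding for sid in starved)
    return {"flooding": flooding, "starved": starved, "dos_suspected": dos}


def constructed_capture():
    """One second of traffic: 0x100 at 100 Hz instead of its nominal 10 Hz,
    and 0x3C0 seen only twice instead of about ten times."""
    frames = [(i / 100, 0x100, b"\x00") for i in range(101)]
    frames += [(0.0, 0x3C0, b"\x55"), (0.1, 0x3C0, b"\x55")]
    return sorted(frames)


EXPECTED_PERIOD = {0x100: 0.1, 0x3C0: 0.1}  # constructed nominal periods


def demo():
    return analyse_rates(constructed_capture(), EXPECTED_PERIOD)
```

The `flood_multiple` threshold plays the same role as the "preset multiple" in the text, but on the monitoring side: a node or gateway that knows the nominal period of each identifier can treat a sustained rate above that multiple as a fault condition and log it, which is the mitigation a detection report of this type should lead to.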
Fuzzing (fuzzy) attacks:
A fuzzing attack generates data messages (data frames) according to a specific rule and sends them to the CAN bus system; generating and sending messages in this way can uncover functions of the system that have not been decoded, or potential security threats in the system.
In the invention, on the basis of a data message sent by a certain node on the CAN bus, the ID field and the data field of the data message are changed, so that a plurality of data frames with different ID or data field contents are generated and sent to the CAN bus system, thereby detecting the potential safety risk of the CAN bus system.
For the fuzzing attack, because many data frames with different contents must be constructed, data change rules need to be set in advance for the variable-content fields of the data frame, such as the data content fields. The user can set detection parameters when creating the detection task, and the data change rule is one of these parameters. The detection parameters set by the user are carried in the new task request triggered by the user.
After receiving a new task request of a user, the user interface module may add a detection parameter in the new task request to the new detection task when establishing the new detection task.
When the detection type of the detection task is fuzzing attack, the data frames are constructed based on the detection task as follows: the ID of the detection target and the length and default value of each field in the data frame corresponding to the detection type are looked up in the proprietary protocol of the vehicle type in the newly created task, an ID change range is determined from the ID of the detection target, data frames for the fuzzing attack are constructed one by one according to the ID change range and the data change rule included in the detection parameters of the task, and the bus interface module is instructed to send each constructed data frame to the CAN bus system of the target vehicle through the vehicle's CAN bus interface.
Constructing the data frames one by one according to the ID change range and the data change rule means: for each ID in the ID change range, determine a set of data field values from the default value of the data field and the data change rule, and construct a data frame for the fuzzing attack from that ID and each data field value in the set.
In addition, the detection parameters also include the data frame sending frequency; when the bus interface module sends each constructed data frame to the CAN bus system of the target vehicle through the vehicle's CAN bus interface, it can send at that frequency.
The method for detecting the risk of the CAN bus of the invention is explained in detail above, and the CAN bus risk detection device provided by the invention is explained in detail below.
The CAN bus risk detection apparatus shown in fig. 1, which is connected to a CAN bus interface of the vehicle bus network system of a target vehicle, comprises a storage module, a user interface module, a processing module and a bus interface module, wherein:
the storage module is used for pre-storing the proprietary protocols of various vehicle types;
the user interface module is used for receiving the vehicle type information of the target vehicle input by the user and searching the proprietary protocols of various vehicle types stored in the storage module for the proprietary protocol corresponding to that vehicle type; it is further used for receiving a new task request input by the user, and for receiving a command to start any detection task;
the processing module is used for establishing a new detection task from the proprietary protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target, when the user interface module receives the new task request; it is further used for constructing a data frame based on the detection task when the user interface module receives a command to start that detection task, and for instructing the bus interface module to send the data frame to the target vehicle through the vehicle's CAN bus interface;
the bus interface module is used for sending the data frame constructed by the processing module to the CAN bus system of the target vehicle through the vehicle's CAN bus interface; it is further used for receiving the response information returned by the CAN bus system of the target vehicle, generating a detection report from the response information and outputting the detection report.
In the device shown in figure 1 of the drawings,
the user interface module is further used for indicating to the user that no private protocol exists for the vehicle type when the search for the private protocol corresponding to the vehicle type input by the user fails, and, when no private protocol exists for the vehicle type, for loading the private protocol file content corresponding to the vehicle type according to the private protocol file path information input by the user for that vehicle type and storing the content in the storage module.
In the device shown in figure 1 of the drawings,
the processing module, when establishing a new detection task according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target, is used for: allocating a task ID, and setting the task ID, the private protocol corresponding to the vehicle type input by the user, and the detection type and the detection target carried by the new task request respectively as the task ID, the private protocol corresponding to the target vehicle type, the detection type and the detection target of the detection task.
In the device shown in figure 1 of the drawings,
the detection type is data forgery attack;
the processing module, when constructing the data frame based on the detection task, is configured to: search the private protocol corresponding to the target vehicle type of the detection task for the identification (ID) of the detection target of the detection task and for the length and default value of each field of the data frame corresponding to the detection type of the detection task, and construct the data frame for the data forgery attack from the found detection target ID and the length and default value of each field of the data frame.
In the device shown in figure 1 of the drawings,
the new task request also carries detection parameters, and the detection parameters comprise data frame sending frequency;
the processing module is further used for taking the detection parameters carried by the new task request as the detection parameters of the detection task when establishing the new detection task according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target;
the bus interface module, when sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle, is used for: transmitting the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle at the data frame sending frequency given in the detection parameters.
In the device shown in figure 1 of the drawings,
the detection type is replay attack;
the processing module, when constructing the data frame based on the detection task, is configured to: while the user performs the detection operation based on the detection type and the detection target of the detection task, acquire the data on the CAN bus in real time, parse the acquired data to determine all the data frames it contains, and write the parsed data frames into a replay file; and, after a preset time, read the data frames one by one from the replay file and treat each read data frame as a constructed data frame.
In the device shown in figure 1 of the drawings,
the processing module is further used for determining the sending interval between every two adjacent data frames when parsing the acquired data to determine all the data frames, and for writing the sending interval between the two adjacent data frames into the replay file;
the bus interface module, when sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle, is used for: transmitting each data frame read from the replay file, as a constructed data frame, to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle according to the sending interval between two adjacent data frames recorded in the replay file.
In the device shown in figure 1 of the drawings,
the detection type is denial of service attack;
the processing module, when constructing the data frame based on the detection task, is configured to: search the private protocol corresponding to the target vehicle type of the detection task for the ID of the detection target of the detection task and for the length and default value of each field of the data frame corresponding to the detection type of the detection task, select a pseudo detection target ID whose priority is higher than that of the detection target ID, and construct the data frame for the denial of service attack from the pseudo detection target ID and the length and default value of each field of the data frame.
In the device shown in figure 1 of the drawings,
the processing module is further used for searching for the data frame sending frequency corresponding to the detection type of the detection task when searching the private protocol corresponding to the target vehicle type of the detection task for the ID of the detection target and for the length and default value of each field of the data frame corresponding to the detection type;
the bus interface module, when sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle, is used for: multiplying the found data frame sending frequency by a preset multiple, and sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle using the resulting product as the data frame sending frequency.
In the device shown in figure 1 of the drawings,
the detection type is fuzzing attack;
the new task request also carries detection parameters, and the detection parameters comprise a data change rule;
the processing module is further used for taking the detection parameters carried by the new task request as the detection parameters of the detection task when establishing the new detection task according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target;
the processing module, when constructing the data frame based on the detection task and notifying the bus interface module to send the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle, is used for:
searching the private protocol corresponding to the target vehicle type of the detection task for the ID of the detection target of the detection task and for the data length and default value of each field of the data frame corresponding to the detection type of the detection task, determining an ID change range based on the ID of the detection target, constructing the data frames for the fuzzing attack one by one according to the ID change range and the data change rule included in the detection parameters of the detection task, and notifying the bus interface module to send each constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle.
In the device shown in figure 1 of the drawings,
the detection parameters also comprise a data frame sending frequency; the data change rule is a data change rule for the data field of a data frame;
the processing module, when constructing the data frames for the fuzzing attack one by one according to the ID change range and the data change rule included in the detection parameters of the detection task, is used for: performing the following operations for each ID in the ID change range: determining a set of data field values according to the default value of the data field and the data change rule, and constructing a data frame for the fuzzing attack from the ID and each data field value in the set;
and the bus interface module is used for sending each constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle at the data frame sending frequency.
The rate at which the loop of data frame construction and sending operations is executed is the data frame sending frequency. The above description presents only preferred embodiments of the present invention and is not to be construed as limiting the invention; any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.
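The private protocol lookup described above supplies, for each target ID, the layout of the corresponding data frame (the ID, the frame length and the length of every field). The following Python is an added example, not code from the patent or its applicant, that shows the defender's use of such a table: received frames are decoded against it, any field outside its declared range is reported, and each ID's rolling counter must advance by one between frames, which a replayed or forged frame usually violates even when every field is individually in range. The protocol table, the field names and ranges, and the sample frames are all constructed; signals are assumed to be Intel-order (little-endian, LSB-first) unsigned bit fields.

```python
"""Added example (not code from the patent): plausibility checks driven by a
per-vehicle-type protocol table of the kind the description looks up
(target ID, frame length, position and length of each field), extended with
a legal range per field. Table, field names and frames are constructed."""

# Constructed private-protocol table, one entry per CAN ID. "start" is the
# bit offset in the little-endian payload, "max" the largest legal raw value.
PROTOCOL = {
    0x120: {
        "dlc": 8,
        "fields": [
            {"name": "vehicle_speed", "start": 0, "bits": 16, "max": 2500},
            {"name": "gear", "start": 16, "bits": 4, "max": 8},
            {"name": "counter", "start": 20, "bits": 4, "max": 15},
        ],
    },
}

# Constructed frames: (CAN ID, payload). Comments give the decoded fields.
SAMPLE_FRAMES = [
    (0x120, bytes.fromhex("B004730000000000")),  # speed 1200, gear 3, counter 7
    (0x120, bytes.fromhex("B204830000000000")),  # speed 1202, gear 3, counter 8
    (0x120, bytes.fromhex("B204830000000000")),  # same frame again (replayed)
    (0x120, bytes.fromhex("FFFF9F0000000000")),  # speed 65535, gear 15, counter 9
    (0x7FF, bytes.fromhex("00")),                # ID absent from the protocol table
]


def decode_field(data, start, bits):
    """Extract an unsigned Intel-order (little-endian) bit field from a payload."""
    raw = int.from_bytes(data, "little")
    return (raw >> start) & ((1 << bits) - 1)


def check_frame(cid, data, protocol=PROTOCOL):
    """Return the list of violations for one frame; an empty list means the
    frame is consistent with the protocol table."""
    spec = protocol.get(cid)
    if spec is None:
        return [f"unknown id 0x{cid:03X}"]
    if len(data) != spec["dlc"]:
        return [f"dlc {len(data)} != {spec['dlc']}"]
    problems = []
    for f in spec["fields"]:
        value = decode_field(data, f["start"], f["bits"])
        if value > f["max"]:
            problems.append(f"{f['name']}={value} exceeds {f['max']}")
    return problems


def check_stream(frames, protocol=PROTOCOL, counter_field="counter"):
    """Run check_frame over a frame sequence and additionally require the
    counter field of each ID to advance by exactly one (mod 2**bits) between
    consecutive frames of that ID. Returns [(index, id, [violations...])]."""
    last_counter = {}
    report = []
    for idx, (cid, data) in enumerate(frames):
        problems = check_frame(cid, data, protocol)
        spec = protocol.get(cid)
        if spec is not None and len(data) == spec["dlc"]:
            for f in spec["fields"]:
                if f["name"] != counter_field:
                    continue
                value = decode_field(data, f["start"], f["bits"])
                expected = (last_counter[cid] + 1) % (1 << f["bits"]) if cid in last_counter else value
                if value != expected:
                    problems.append(f"counter {value} after {last_counter[cid]}")
                last_counter[cid] = value
        if problems:
            report.append((idx, cid, problems))
    return report


if __name__ == "__main__":
    for idx, cid, problems in check_stream(SAMPLE_FRAMES):
        print(f"frame {idx} id 0x{cid:03X}: {'; '.join(problems)}")
```

The counter check is deliberately strict (exactly plus one); a real monitor would tolerate a bounded number of lost frames per ID, and a table for a real vehicle type would come from the applicant's private protocol files rather than the constructed entry above.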

Claims (22)

1. A Controller Area Network (CAN) bus risk detection method, applied to a device connected to a CAN bus interface of a target vehicle, comprising the following steps:
receiving vehicle type information of a target vehicle input by a user, and searching a private protocol corresponding to the vehicle type input by the user in the prestored private protocols of various vehicle types;
receiving a new task request input by a user, and establishing a new detection task according to a private protocol corresponding to a vehicle type input by the user, a detection type carried by the new task request and a detection target; wherein the detection type is a risk attack type for a CAN bus system of a target vehicle; the detection target is a function of a CAN bus system of the target vehicle;
when a command for starting the detection task is received, constructing a data frame based on the detection task, and sending the constructed data frame to a CAN bus system of a target vehicle through a CAN bus interface of the target vehicle;
and receiving response information returned by the CAN bus system of the target vehicle, generating a detection report according to the response information and outputting the detection report.
2. The method of claim 1,
when the search for the private protocol corresponding to the vehicle type input by the user fails, indicating to the user that no private protocol exists for the vehicle type, and, when it is determined that no private protocol exists for the vehicle type, loading the private protocol file content corresponding to the vehicle type according to the private protocol file path information input by the user for that vehicle type.
3. The method of claim 1,
establishing the new detection task according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target comprises: allocating a task ID, and setting the task ID, the private protocol corresponding to the vehicle type input by the user, and the detection type and the detection target carried by the new task request respectively as the task ID, the private protocol corresponding to the target vehicle type, the detection type and the detection target of the detection task.
4. The method according to any one of claims 1 to 3,
the detection type is data forgery attack;
constructing the data frame based on the detection task comprises: searching the private protocol corresponding to the target vehicle type of the detection task for the identification (ID) of the detection target of the detection task and for the length and default value of each field of the data frame corresponding to the detection type of the detection task, and constructing the data frame for the data forgery attack from the found detection target ID and the length and default value of each field of the data frame.
5. The method of claim 4,
the new task request also carries detection parameters, and the detection parameters comprise data frame sending frequency;
when the new detection task is established according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target, the detection parameters carried by the new task request are further taken as the detection parameters of the detection task;
sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle comprises: transmitting the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle at the data frame sending frequency given in the detection parameters.
6. The method according to any one of claims 1 to 3,
the detection type is replay attack;
constructing the data frame based on the detection task comprises: while the user performs the detection operation based on the detection type and the detection target of the detection task, acquiring the data on the CAN bus in real time, parsing the acquired data to determine all the data frames it contains, and writing the parsed data frames into a replay file; and, after a preset time, reading the data frames one by one from the replay file and treating each read data frame as a constructed data frame.
7. The method of claim 6,
when parsing the acquired data to determine all the data frames, the sending interval between every two adjacent data frames is further determined, and the sending interval between the two adjacent data frames is written into the replay file;
sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle comprises: transmitting each data frame read from the replay file, as a constructed data frame, to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle according to the sending interval between two adjacent data frames recorded in the replay file.
8. The method according to any one of claims 1 to 3,
the detection type is denial of service attack;
constructing the data frame based on the detection task comprises: searching the private protocol corresponding to the target vehicle type of the detection task for the ID of the detection target of the detection task and for the length and default value of each field of the data frame corresponding to the detection type of the detection task, selecting a pseudo detection target ID whose priority is higher than that of the detection target ID, and constructing the data frame for the denial of service attack from the pseudo detection target ID and the length and default value of each field of the data frame.
9. The method of claim 8,
when the private protocol corresponding to the target vehicle type of the detection task is searched for the ID of the detection target of the detection task and for the length and default value of each field of the data frame corresponding to the detection type of the detection task, the data frame sending frequency corresponding to the detection type of the detection task is further searched for;
sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle comprises: multiplying the found data frame sending frequency by a preset multiple, and sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle using the resulting product as the data frame sending frequency.
10. The method according to any one of claims 1 to 3,
the detection type is fuzzing attack;
the new task request also carries detection parameters, and the detection parameters comprise a data change rule;
when the new detection task is established according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target, the detection parameters carried by the new task request are further taken as the detection parameters of the detection task;
constructing the data frame based on the detection task and sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle comprises:
searching the private protocol corresponding to the target vehicle type of the detection task for the ID of the detection target of the detection task and for the data length and default value of each field of the data frame corresponding to the detection type of the detection task, determining an ID change range based on the ID of the detection target, constructing the data frames for the fuzzing attack one by one according to the ID change range and the data change rule included in the detection parameters of the detection task, and sending each constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle.
11. The method of claim 10,
the detection parameters also comprise a data frame sending frequency; the data change rule is a data change rule for the data field of a data frame;
constructing the data frames for the fuzzing attack one by one according to the ID change range and the data change rule included in the detection parameters of the detection task comprises: performing the following operations for each ID in the ID change range: determining a set of data field values according to the default value of the data field and the data change rule, and constructing a data frame for the fuzzing attack from the ID and each data field value in the set;
and each constructed data frame is sent to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle at the data frame sending frequency.
12. A Controller Area Network (CAN) bus risk detection device, the device being connected to a CAN bus interface of a target vehicle and comprising a storage module, a user interface module, a processing module and a bus interface module, wherein:
the storage module is used for storing the private protocols of various vehicle types in advance;
the user interface module is used for receiving the vehicle type information of the target vehicle input by the user and searching the private protocols of the various vehicle types stored in the storage module for the private protocol corresponding to the vehicle type input by the user; it is further used for receiving a new task request input by the user, and for receiving a command to start any detection task;
the processing module is used for establishing a new detection task according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target when the user interface module receives the new task request input by the user, wherein the detection type is a risk attack type for the CAN bus system of the target vehicle and the detection target is a function of the CAN bus system of the target vehicle; it is further used for constructing a data frame based on the detection task when the user interface module receives a command to start the detection task, and for notifying the bus interface module to send the data frame to the target vehicle through the CAN bus interface of the target vehicle;
the bus interface module is used for sending the data frame constructed by the processing module to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle; it is further used for receiving the response information returned by the CAN bus system of the target vehicle, generating a detection report from the response information and outputting the detection report.
13. The apparatus of claim 12,
the user interface module is further used for indicating to the user that no private protocol exists for the vehicle type when the search for the private protocol corresponding to the vehicle type input by the user fails, and, when no private protocol exists for the vehicle type, for loading the private protocol file content corresponding to the vehicle type according to the private protocol file path information input by the user for that vehicle type and storing the content in the storage module.
14. The apparatus of claim 12,
the processing module, when establishing a new detection task according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target, is used for: allocating a task ID, and setting the task ID, the private protocol corresponding to the vehicle type input by the user, and the detection type and the detection target carried by the new task request respectively as the task ID, the private protocol corresponding to the target vehicle type, the detection type and the detection target of the detection task.
15. The apparatus of any one of claims 11-14,
the detection type is data forgery attack;
the processing module, when constructing the data frame based on the detection task, is configured to: search the private protocol corresponding to the target vehicle type of the detection task for the identification (ID) of the detection target of the detection task and for the length and default value of each field of the data frame corresponding to the detection type of the detection task, and construct the data frame for the data forgery attack from the found detection target ID and the length and default value of each field of the data frame.
16. The apparatus of claim 15,
the new task request also carries detection parameters, and the detection parameters comprise data frame sending frequency;
the processing module is further used for taking the detection parameters carried by the new task request as the detection parameters of the detection task when establishing the new detection task according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target;
the bus interface module, when sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle, is used for: transmitting the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle at the data frame sending frequency given in the detection parameters.
17. The apparatus of any one of claims 11-14,
the detection type is replay attack;
the processing module, when constructing the data frame based on the detection task, is configured to: while the user performs the detection operation based on the detection type and the detection target of the detection task, acquire the data on the CAN bus in real time, parse the acquired data to determine all the data frames it contains, and write the parsed data frames into a replay file; and, after a preset time, read the data frames one by one from the replay file and treat each read data frame as a constructed data frame.
18. The apparatus of claim 17,
the processing module is further used for determining the sending interval between every two adjacent data frames when parsing the acquired data to determine all the data frames, and for writing the sending interval between the two adjacent data frames into the replay file;
the bus interface module, when sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle, is used for: transmitting each data frame read from the replay file, as a constructed data frame, to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle according to the sending interval between two adjacent data frames recorded in the replay file.
19. The apparatus of any one of claims 11-14,
the detection type is denial of service attack;
the processing module, when constructing the data frame based on the detection task, is configured to: search the private protocol corresponding to the target vehicle type of the detection task for the ID of the detection target of the detection task and for the length and default value of each field of the data frame corresponding to the detection type of the detection task, select a pseudo detection target ID whose priority is higher than that of the detection target ID, and construct the data frame for the denial of service attack from the pseudo detection target ID and the length and default value of each field of the data frame.
20. The apparatus of claim 19,
the processing module is further used for searching for the data frame sending frequency corresponding to the detection type of the detection task when searching the private protocol corresponding to the target vehicle type of the detection task for the ID of the detection target and for the length and default value of each field of the data frame corresponding to the detection type;
the bus interface module, when sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle, is used for: multiplying the found data frame sending frequency by a preset multiple, and sending the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle using the resulting product as the data frame sending frequency.
21. The apparatus of any one of claims 11-14,
the detection type is fuzzing attack;
the new task request also carries detection parameters, and the detection parameters comprise a data change rule;
the processing module is further used for taking the detection parameters carried by the new task request as the detection parameters of the detection task when establishing the new detection task according to the private protocol corresponding to the vehicle type input by the user, the detection type carried by the new task request and the detection target;
the processing module, when constructing the data frame based on the detection task and notifying the bus interface module to send the constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle, is used for:
searching the private protocol corresponding to the target vehicle type of the detection task for the ID of the detection target of the detection task and for the data length and default value of each field of the data frame corresponding to the detection type of the detection task, determining an ID change range based on the ID of the detection target, constructing the data frames for the fuzzing attack one by one according to the ID change range and the data change rule included in the detection parameters of the detection task, and notifying the bus interface module to send each constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle.
22. The apparatus of claim 21,
the detection parameters also comprise a data frame sending frequency; the data change rule is a data change rule for the data field of a data frame;
the processing module, when constructing the data frames for the fuzzing attack one by one according to the ID change range and the data change rule included in the detection parameters of the detection task, is used for: performing the following operations for each ID in the ID change range: determining a set of data field values according to the default value of the data field and the data change rule, and constructing a data frame for the fuzzing attack from the ID and each data field value in the set;
and the bus interface module is used for sending each constructed data frame to the CAN bus system of the target vehicle through the CAN bus interface of the target vehicle at the data frame sending frequency.
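The description and claims 6 to 11 characterize the replay, denial of service and fuzzing detection tasks by what they place on the bus: a captured frame sequence resent with its original intervals, a higher-priority ID sent at a preset multiple of a normal frequency, and frames spread across an ID change range. The following Python is an added example, not the patent's or the applicant's code, that runs three corresponding detectors over a constructed candump-style log so that a practitioner can check what a vehicle-side monitor should report while such a detection task runs. The log contents, the IDs and periods, the thresholds and the handling of the log format are all assumptions of the example.

```python
"""Added example (not code from the patent): an offline CAN traffic monitor
that reads candump-style log lines and flags a flood of one ID above its
learned rate, a burst of unseen IDs adjacent to a known ID, and an exact
repeat of an earlier frame sequence including its inter-frame gaps.
All IDs, periods, payloads and thresholds below are constructed."""
from collections import defaultdict


def build_sample_log():
    """Constructed candump text: 3 s of normal traffic (ID 0x120 every 100 ms
    with a rolling counter byte, ID 0x2A0 every 200 ms), from t=3 s an
    unseen high-priority ID 0x0A0 every 5 ms, from t=4 s a sweep over IDs
    0x121..0x128, and from t=5 s a replay of the first 0.5 s of traffic."""
    lines = [f"({i * 0.1:.6f}) can0 120#{i:02X}00000000000000" for i in range(30)]
    lines += [f"({i * 0.2 + 0.05:.6f}) can0 2A0#0000{i:02X}" for i in range(15)]
    lines += [f"({3 + i * 0.005:.6f}) can0 0A0#FFFFFFFFFFFFFFFF" for i in range(200)]
    lines += [f"({4 + i * 0.01:.6f}) can0 {cid:03X}#DEAD"
              for i, cid in enumerate(range(0x121, 0x129))]
    lines += [f"({5 + i * 0.1:.6f}) can0 120#{i:02X}00000000000000" for i in range(5)]
    lines += [f"({5.05 + i * 0.2:.6f}) can0 2A0#0000{i:02X}" for i in range(3)]
    lines.sort(key=lambda ln: float(ln.split()[0].strip("()")))
    return "\n".join(lines)


def parse_candump(text):
    """Parse '(ts) iface ID#HEXDATA' lines into (ts, id, payload) tuples."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].startswith("("):
            continue  # not a candump frame line
        cid_hex, _, data_hex = parts[2].partition("#")
        frames.append((float(parts[0].strip("()")), int(cid_hex, 16), bytes.fromhex(data_hex)))
    return frames


def learn_baseline(frames, learn_seconds):
    """Frames per second per ID over the learning period at the start of the log."""
    counts = defaultdict(int)
    for ts, cid, _ in frames:
        if ts < learn_seconds:
            counts[cid] += 1
    return {cid: n / learn_seconds for cid, n in counts.items()}


def detect_flood(frames, baseline, window=1.0, factor=4.0, new_id_floor=50.0):
    """Flag (window start, id, rate) where a known ID exceeds factor x its
    baseline rate, or an ID never seen while learning exceeds new_id_floor."""
    counts = defaultdict(int)
    for ts, cid, _ in frames:
        counts[(int(ts // window), cid)] += 1
    alerts = []
    for (widx, cid), n in sorted(counts.items()):
        rate = n / window
        limit = factor * baseline[cid] if cid in baseline else new_id_floor
        if rate > limit:
            alerts.append(("flood", widx * window, cid, rate))
    return alerts


def detect_id_sweep(frames, known_ids, span=8, min_new=4, window=0.5):
    """Flag a window in which at least min_new distinct unknown IDs appear
    within +-span of one known ID (the shape of an ID change range)."""
    seen = defaultdict(set)
    for ts, cid, _ in frames:
        if cid in known_ids:
            continue
        near = [k for k in known_ids if abs(cid - k) <= span]
        if near:
            seen[(int(ts // window), min(near))].add(cid)
    return [("id_sweep", w * window, k, len(ids))
            for (w, k), ids in sorted(seen.items()) if len(ids) >= min_new]


def detect_replay(frames, seq_len=5, gap_ms=1):
    """Flag a run of seq_len frames whose (id, payload, gap) tuples exactly
    repeat an earlier run. Runs of identical frames (constant payload and
    gap, e.g. a heartbeat or the flood above) repeat legitimately and are
    skipped, so this relies on payloads that carry a counter or a signal."""
    first_seen, alerts, i = {}, [], 0
    while i <= len(frames) - seq_len:
        run = frames[i:i + seq_len]
        if len({(f[1], f[2]) for f in run}) > 1:
            key = ((run[0][1], run[0][2]),) + tuple(
                (f[1], f[2], round((f[0] - p[0]) * 1000 / gap_ms))
                for p, f in zip(run, run[1:]))
            if key in first_seen:
                alerts.append(("replay", run[0][0], first_seen[key]))
                i += seq_len  # report each replayed run once
                continue
            first_seen[key] = run[0][0]
        i += 1
    return alerts


def analyze(text, learn_seconds=2.0):
    """Run all three detectors over a candump log and return their alerts."""
    frames = parse_candump(text)
    baseline = learn_baseline(frames, learn_seconds)
    return {"flood": detect_flood(frames, baseline),
            "id_sweep": detect_id_sweep(frames, set(baseline)),
            "replay": detect_replay(frames)}


if __name__ == "__main__":
    for kind, alerts in analyze(build_sample_log()).items():
        for alert in alerts:
            print(kind, alert)
```

The learning period is trusted as clean, which is the usual weakness of rate-based baselines; in deployment it would be taken from a known-good drive rather than from the first seconds of whatever log is at hand, and the replay check would be combined with the per-ID counter check so that a resent frame is caught even when the gaps do not line up exactly.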
CN201710378097.3A 2017-05-25 2017-05-25 CAN bus risk detection method and device Expired - Fee Related CN107666476B (en)

Publications (2)

Publication Number Publication Date
CN107666476A CN107666476A (en) 2018-02-06
CN107666476B true CN107666476B (en) 2021-06-04

CN114124476B (en) Sensitive information leakage vulnerability detection method, system and device for Web application
JP7176569B2 (en) Information processing device, log analysis method and program
CN102111400A (en) Trojan horse detection method, device and system
CN112600703A (en) Network equipment remote access fault positioning method and device
CN111552967A (en) Application software security vulnerability detection method
CN109462617B (en) Method and device for detecting communication behavior of equipment in local area network
JP6067195B2 (en) Information processing apparatus, information processing method, and program
US20220182260A1 (en) Detecting anomalies on a controller area network bus
CN105893845B (en) A kind of data processing method and device
CN109874140B (en) Network security protection method, device, equipment and storage medium
CN111092886B (en) Terminal defense method, system, equipment and computer readable storage medium
US10555217B2 (en) Terminal device, terminal-device control method, and terminal-device control program
CN111225378B (en) Intelligent wifi screening method, mobile terminal and terminal readable storage medium
KR102199088B1 (en) SYSTEM AND METHOD FOR DETECTING ABNORMAL BEHAVIOR OF IoT DEVICE
CN113515744A (en) Malicious document detection method, device and system, electronic device and storage medium
CN108259229B (en) Equipment management method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210604
