CN108206826B - Lightweight intrusion detection method for integrated electronic system - Google Patents

Info

Publication number: CN108206826B
Application number: CN201711223284.0A
Authority: CN (China)
Other versions: CN108206826A
Prior art keywords: electronic system, behavior, integrated electronic, subsystem, behavior specification
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Inventors: 何道敬, 郑佳佳, 高甲豪
Current assignee: East China Normal University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: East China Normal University
Application filed by East China Normal University; priority to CN201711223284.0A; published as CN108206826A; granted as CN108206826B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The invention discloses a lightweight intrusion detection method for an integrated electronic system, comprising the following steps. Feature extraction: monitor and collect the packets communicated within the integrated electronic system, and extract packet features and subsystem features. Intrusion detection: first, a behavior specification is formulated according to the characteristics of the integrated electronic system and the communication protocol it supports; the behavior specification is converted into state-machine form; whether the system behavior deviates from the defined normal specification is monitored in real time; and whether an abnormal behavior detected by the behavior-specification state machine is an intrusion is judged by combining a distance measure with a probability model. Intrusion response: raise an intrusion alarm, respond, and record the intrusion event. The invention achieves lightweight intrusion detection within the resource limits of the integrated electronic system, and can effectively resist denial-of-service attacks and integrity-destroying attacks such as tampered-packet attacks, forged-packet attacks, compromised-subsystem attacks, and forged-subsystem attacks.

Description

Lightweight intrusion detection method for integrated electronic system
Technical Field
The invention belongs to the technical field of information security of an integrated electronic system, and particularly relates to a lightweight intrusion detection method for the integrated electronic system.
Background
Integrated electronic systems are widely used in communication satellites, armored vehicles, civil aircraft, and the like. An integrated electronic system uses computer network technology: all subsystems of the equipment are connected by a data bus to form a distributed data-bus network. It integrates many different functional modules into one complete system which, under unified task scheduling and management, performs all information-management functions of the whole equipment and shares information, instructions and resources.
Take a communication satellite as an example. The integrated electronic system is a core component of the communication satellite and the key to its role as a military information station; in warfare, information superiority is crucial to both sides. As intelligent devices flying in a shared medium, communication satellites have poor security. Their vulnerability in terms of information technology shows itself as the openness of the channels, the standardization of the platforms, the openness of the technology, the commonness of the components, and the limits of awareness.
At present, defense technologies for communication satellites at home and abroad consist of channel anti-jamming techniques (spatial-domain, time-domain, frequency-domain, modulation-domain and coding-domain processing, among others), information-hiding techniques for command transmission, and network-system techniques such as access control, data encryption and firewalls. The satellite computer is equipped with advanced security devices such as cipher machines, cipher cards, electronic key-injection devices, firewalls, high-security protection devices and on-line high-speed network encryptors. These defenses are not sufficient to meet the security requirements of integrated electronic systems.
Intrusion detection is a dynamic security technique that can comprehensively detect internal attacks, external attacks and misoperation within an integrated electronic system. However, the application of intrusion detection to satellites has so far stopped at network-level intrusion detection; no system-level intrusion detection technique for the interior of an integrated electronic system is available.
The security of the integrated electronic system is tied to the security of communication satellites, civil aircraft, armored vehicles and the like, and is a key part of national cyberspace security. The intrusion detection techniques in these fields stop at the network level and cannot fundamentally improve the security of the integrated electronic system.
Disclosure of Invention
The invention provides a lightweight intrusion detection method for an integrated electronic system, which comprises the following steps:
step A1: monitoring and capturing transmission data in the integrated electronic system, and extracting the internal behavior characteristic information of the integrated electronic system;
step A2: according to the characteristics of the integrated electronic system and the supported bus protocol, establishing a normal behavior specification of the system, wherein the normal behavior specification comprises the following steps: a central management unit oriented behavior specification, a bus oriented behavior specification, a subsystem oriented behavior specification, a time oriented behavior specification, a frequency oriented behavior specification, and a packet length oriented behavior specification;
step A3: converting the normal behavior specification into a state machine form, and judging whether the extracted internal behavior characteristic information of the integrated electronic system meets the system normal behavior specification or not in real time by using the state machine, wherein if the extracted internal behavior characteristic information of the integrated electronic system does not meet the system normal behavior specification, the current behavior of the integrated electronic system is abnormal;
step A4: when the behavior-specification state machine detects abnormal behavior of the integrated electronic system, judging whether the abnormal behavior is an intrusion by combining a distance measure with a probability model;
step A5: if it is an intrusion, the system performs an intrusion response, raises an alarm and records a log.
The invention provides a lightweight intrusion detection method for an integrated electronic system, wherein the step A1 of extracting the internal behavior characteristic information of the integrated electronic system comprises the following steps:
step B1: extracting characteristics of a single data packet, including but not limited to a destination address of the data packet, an effective length of the data packet and an effective field of the data packet;
step B2: feature extraction across multiple packets, including but not limited to calculating the transmission frequency of packets on the bus and the time interval between packets of the same kind, e.g. control-instruction packets;
step B3: feature extraction for subsystems, including but not limited to computing credit values for the subsystems.
In the lightweight intrusion detection for the integrated electronic system, the behavior specification for the central management unit in step A2 is specifically as follows:
Same sub-address: the behavior specification of the central management unit specifies that no two devices in the integrated electronic system share the same subsystem address, also called the sub-address; if two devices have the same sub-address, an alarm is raised and a log is recorded;
Consecutive-instruction detection: the behavior specification of the central management unit specifies that the central management unit, acting as bus controller, does not send consecutive instructions without an inter-word interval; the minimum interval between instruction words sent by the bus controller is 4 µs, and if the interval at which the central management unit sends instructions exceeds 4 µs, an alarm is raised and a log is recorded;
Transmission-format detection: the behavior specification of the central management unit specifies that a packet sent by the central management unit has the form instruction word plus data words, or instruction word without data words; in the instruction word + data word form the words are transmitted without an inter-word interval; if this rule is violated, an alarm is raised and a log is recorded;
Mode code: the behavior specification of the central management unit specifies that the mode code field of an instruction word sent by the central management unit has a special meaning and must use a mode code defined in the 1553B protocol; a mode code field that is not in the corresponding whitelist is treated as an exception.
In the lightweight intrusion detection for the integrated electronic system, the bus-oriented behavior specification in step A2 is specifically as follows:
Traffic whitelist: the bus behavior specification specifies that only traffic of the bus protocol supported by the system is allowed in the integrated electronic system; any other traffic is suspicious and generates an alarm message;
Field check: the bus behavior specification specifies that all fields of the data words, instruction words and status words transmitted in the integrated electronic system conform to the 1553B bus protocol;
No-response packets: according to the bus protocol supported by the integrated electronic system, a packet whose response time exceeds a certain threshold is called a no-response packet; the bus-oriented behavior specification specifies that if the number of no-response packets sent within a period of time exceeds a defined threshold, an alarm is raised and a log is recorded;
Transmission format: the bus-oriented behavior specification stipulates that the format of the data a subsystem transmits over the primary bus is status word + data word + … + data word, or a status word alone; in the status word + data word + … + data word format, the status word and data words are transmitted without an inter-word interval; if the transmission format is not met, an alarm is raised and a log is recorded.
In the lightweight intrusion detection for the integrated electronic system, the subsystem behavior specification stipulates that the credit value of the subsystem is not less than 60% of the full score in the step A2, and the method comprises the following steps:
step C1: calculating subjective credit of the subsystem, including evaluation values of daily behaviors of the subsystem;
step C2: calculating the indirect credit of the subsystem, which comprises the evaluation given to that subsystem by the subsystems that communicate with it;
step C3: calculating the credit value of the subsystem by combining its subjective credit and indirect credit:
Figure BDA0001486799120000031
where S is the full score of the credit value, Credit_i is the credit value of the i-th subsystem, CS_i is its subjective credit, and CC_i is the evaluation given to that subsystem by the subsystems that communicate with it.
In the lightweight intrusion detection for the integrated electronic system, the time-oriented behavior specification in step A2 is as follows:
The time-oriented behavior specification stipulates the sending interval of control commands of the same type; a suitable interval is defined that does not hinder the normal operation of the integrated electronic system and prevents packet replay attacks.
In the lightweight intrusion detection for the integrated electronic system, the frequency-oriented behavior specification in step A2 is specifically as follows:
The frequency-oriented behavior specification defines an upper limit on the frequency of packet transmission in the integrated electronic system, i.e. the number of packets transmitted on the bus within a period of time cannot be too large, thereby preventing denial-of-service attacks.
In the lightweight intrusion detection for the integrated electronic system, the message-length-oriented behavior specification in step A2 is specifically as follows:
The message-length-oriented behavior specification stipulates that the effective length of a packet must be the same when it is sent and when it is received; if the effective lengths differ, an alarm is raised and a log is recorded.
The invention provides a lightweight intrusion detection method for an integrated electronic system, wherein the distance measure in step A4 comprises the following steps:
step D1: setting the data security degree of a packet of normal system behavior to 1;
step D2: measuring the distance between an abnormal-behavior packet detected by the behavior-specification state machine and a normal-behavior packet of the system, and defining the data security degree of the abnormal packet as a value between 0 and 1; the distance measure includes, but is not limited to, the Manhattan distance and the Hamming distance.
In the lightweight intrusion detection for the integrated electronic system, the probability model in step A4 includes but is not limited to the beta distribution and the Poisson distribution; the data security degree is modeled with the probability model, and a statistical method such as maximum likelihood estimation is used to estimate the parameters of the probability model, so as to judge whether the current abnormal behavior of the system is an intrusion.
The invention has the beneficial effects that:
the method improves the safety of the integrated electronic system, provides an intrusion detection method suitable for the interior of the integrated electronic system, and ensures the integrity and the usability of data transmission in the integrated electronic system.
Situations in which a subsystem inside the integrated electronic system is injected with malicious code, or a subsystem is damaged, can be effectively prevented: each subsystem in the integrated electronic system receives a credit evaluation consisting of an evaluation of its daily behavior and an evaluation given by the systems that have communicated with it; the credit of each subsystem is produced by combining these two criteria, and whether the subsystem is working normally is judged from its credit.
The time-oriented behavior specification and the frequency-oriented behavior specification effectively prevent denial-of-service attacks and replay attacks inside the integrated electronic system.
Unknown attacks can be effectively prevented: by studying the internal structure of the integrated electronic system, formulating a normal behavior specification that fits it from its characteristics and the protocol it supports, and comparing current behavior with normal behavior to identify abnormal deviations, the method has the potential to detect unknown attacks.
The method can distinguish whether an abnormal behavior of the integrated electronic system is a fault or an intrusion: whether the abnormal behavior is an intrusion is judged by combining a packet distance measure with a probability model.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a normal behavior specification diagram for an integrated electronic system;
FIG. 3 is a diagram of subsystem credit rating.
Detailed Description
The present invention will be described in further detail with reference to the following specific examples and the accompanying drawings. The procedures, conditions, experimental methods and the like for carrying out the present invention are general knowledge and common general knowledge in the art except for the contents specifically mentioned below, and the present invention is not particularly limited.
The integrated electronic system of the invention includes but is not limited to communication satellites, civil aircraft, tanks and armored vehicles; its structure comprises, but is not limited to, a central management unit (CMU, also called the main control terminal or satellite management unit), a primary bus (including but not limited to a 1553B bus and a SpaceWire bus), integrated service units (also called subsystems of the primary bus), a secondary bus (including but not limited to a UART bus and a CAN bus), and sensing units.
The technical terms used in connection with the present invention have the following meanings:
ModeCode_w represents the mode code whitelist;
number_res represents the number of no-response packets within a period of time;
Credit_i represents the credit value of the i-th subsystem;
CS_i represents the subjective credit of the i-th subsystem;
CC_i represents the evaluation given to the i-th subsystem by the subsystems that communicate with it;
S represents the full score of the credit value.
Examples
Taking a 1553B-bus-based integrated electronic system for a communication satellite platform as an example, the steps of the lightweight intrusion detection for the integrated electronic system are explained as follows:
Feature extraction: six features are extracted from the integrated electronic system: the destination address of the packet, the effective length of the packet, the time interval between packets, the number of packets sent over a period of time (i.e. the packet frequency), the packet fields, and the credit value of the subsystem. The packet fields are extracted from the packets on the 1553B bus and are used to confirm that each field of the packet lies within the range specified by the 1553B protocol; for example, the protocol defines specific mode codes for functions such as synchronization, transmitting the status word, and initiating self-test.
Intrusion detection:
(1) First, a behavior specification is formulated according to the 1553B protocol used inside the integrated electronic system:
a) CMU-oriented behavior specification
Same sub-address: the CMU behavior specification specifies that no two devices in the integrated electronic system share the same subsystem address (also called the sub-address); if two devices have the same sub-address, an alarm is raised and a log is recorded;
Consecutive-instruction detection: the CMU-oriented behavior specification specifies that the CMU, as bus controller, does not send consecutive instructions without an inter-word interval; the minimum interval between instruction words sent by the bus controller is 4 µs, and if the interval at which the CMU sends instructions exceeds 4 µs, an alarm is raised and a log is recorded;
Transmission-format detection: the CMU-oriented behavior specification specifies that the CMU sends packets in the form instruction word plus data words, or instruction word without data words. The instruction word + data word form is transmitted without an inter-word interval. If this rule is violated, an alarm is raised and a log is recorded;
Mode code: the CMU behavior specification specifies that the mode code field of an instruction word sent by the CMU has a special meaning and must use a mode code defined in the 1553B protocol; a mode code field that is not in the corresponding whitelist is treated as an exception;
Figure BDA0001486799120000061
b) bus-oriented behavior specification
The bus-oriented behavior specification formulates the normal behavior pattern of packets on the bus according to the bus protocol supported by the integrated electronic system, and detects abnormal packets on the bus inside the integrated electronic system so as to prevent packet-forging and packet-tampering attacks;
Traffic whitelist: the IDS only allows traffic of the bus protocol supported by the integrated electronic system; any other traffic is suspicious and generates an alarm message;
Field check: all fields of a packet within the integrated electronic system should comply with the corresponding bus protocol, e.g. thresholds and addresses. According to the 1553B bus protocol, data is transmitted as status words, instruction words and data words, and the format of each word must meet the 1553B specification. For the remote terminal address of instruction and status words, decimal addresses 0 to 30 are available to remote terminals, while decimal address 31 (11111) is assigned as the common address of all remote terminals and is used for broadcasting. Any improper combination of the remote terminal field, transmit/receive bit, sub-address/mode field and data word count/mode code field of an instruction word that would result in an invalid transmission is detected and logged. Message error bit of the status word: the message error bit is the ninth bit of the status word, and the number of packets on the bus whose message error bit is 1 is counted; if that number exceeds a certain threshold within a period of time, a packet-tampering attack or a DoS attack may be occurring, and an alarm is raised;
No-response packets: according to the 1553B bus protocol, the bus controller starts a transmission, and if the interval from the last word sent by the bus controller to the first bit of the received status word exceeds the defined threshold of 14 µs, the packet is treated as a no-response packet. The number of no-response packets is limited and the address of the subsystem that sent them is recorded; if the number of no-response packets sent within a period of time exceeds the defined threshold
Figure BDA0001486799120000062
an alarm is raised and a log is recorded, including the address of the subsystem from which the packet originated:
Figure BDA0001486799120000063
Transmission format: the transmission pattern of a packet inside the integrated electronic system should meet the corresponding bus protocol specification. The 1553B bus protocol specifies that the format of the data a subsystem transmits over the primary bus is status word + data word + … + data word, or a status word alone. In the status word + data word + … + data word format, the status word and data words are transmitted without an inter-word interval; if the transmission format is not met, an alarm is raised and a log is recorded;
Invalid packets: according to the 1553B protocol, the interval within which a remote terminal responds to a valid command word is 4 µs to 12 µs; a packet outside that interval is regarded as invalid. If the number of invalid packets within a period of time exceeds the defined threshold
Figure BDA0001486799120000064
an alarm is raised and a log is recorded, including the address of the subsystem that issued the packet:
Figure BDA0001486799120000065
c) subsystem-oriented behavior specification
The subsystem-oriented behavior specification detects abnormal behavior of subsystems and protects against subsystems being counterfeited, damaged or forged. It specifies that the credit value of a subsystem must not fall below 60% of the full score. The credit value of a subsystem is derived by combining its subjective credit and indirect credit; if the credit value falls below the defined threshold, the subsystem is judged to be an invalid terminal. Specifically, each subsystem receives a credit evaluation consisting of an evaluation of its daily behavior (the rate at which it generates alarms) and the evaluation given to it by the systems with which it has communicated. The two evaluations are combined into the subsystem's credit value; if that value is below a certain threshold, an alarm is raised and the subsystem is no longer used. Note that a subsystem with a high credit value is more trustworthy when it evaluates the other subsystems it communicates with. That is:
Figure BDA0001486799120000071
where S is the full score of the credit value, Credit_i is the credit value of the i-th subsystem, CS_i is its subjective credit, and CC_i is the evaluation given by the subsystems that communicate with it;
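The credit evaluation described here and in step C1 to C3 of the disclosure, as an added example that is not the patent's code: the page gives the combining formula only as an image, so the equal-weight combination of CS_i and CC_i, the alarm-rate definition of CS_i, and the credit-weighted averaging of peer ratings for CC_i are assumptions; the symbols S, CS_i, CC_i, Credit_i and the 60% threshold are the page's own.

```python
"""Subsystem credit evaluation (added example; the combining formula in the
patent is given only as an image, so the weighting below is an assumption).

Symbols follow the page: S is the full score, CS_i the subjective credit of
subsystem i (from its daily alarm rate), CC_i the evaluation given by the
subsystems that communicate with i, Credit_i the combined value, and a
subsystem below 60% of S is treated as an invalid terminal."""

S = 100              # full score of the credit value (page: S)
THRESHOLD = 0.6 * S  # page: credit must not fall below 60% of full score
W_SUBJECTIVE = 0.5   # assumed weight of CS_i against CC_i


def subjective_credit(alarms, messages):
    """CS_i in [0, 1]: share of subsystem i's messages that raised no alarm."""
    if messages == 0:
        return 1.0
    return 1.0 - min(alarms, messages) / messages


def indirect_credit(ratings, credits):
    """CC_i in [0, 1]: average of the ratings given by the peers that
    communicated with i, each weighted by the rater's own current credit
    (page: a peer with a higher credit value is more trusted as an evaluator)."""
    total = sum(credits[rater] for rater in ratings)
    if total == 0:
        return 0.0
    return sum(rating * credits[rater] for rater, rating in ratings.items()) / total


def credit_value(cs, cc):
    """Assumed combination: Credit_i = S * (w * CS_i + (1 - w) * CC_i)."""
    return S * (W_SUBJECTIVE * cs + (1 - W_SUBJECTIVE) * cc)


def evaluate(stats, ratings, prior=None):
    """One evaluation round over all subsystems.
    stats:   {subsystem: (alarms, messages)} observed daily behaviour
    ratings: {subsystem: {rater: rating in [0, 1]}} from communicating peers
    prior:   previous round's credit values (full score when none exist)
    Returns ({subsystem: Credit_i}, set of subsystems below THRESHOLD)."""
    prior = prior or {sub: S for sub in stats}
    credits = {}
    for sub, (alarms, messages) in stats.items():
        cs = subjective_credit(alarms, messages)
        cc = indirect_credit(ratings.get(sub, {}), prior)
        credits[sub] = round(credit_value(cs, cc), 2)
    invalid = {sub for sub, c in credits.items() if c < THRESHOLD}
    return credits, invalid


# Constructed sample: three subsystems, their alarm counts and message counts,
# and the ratings each received from peers it exchanged messages with.
STATS = {"gps": (0, 200), "power": (2, 100), "thermal": (45, 60)}
RATINGS = {
    "gps": {"power": 0.9, "thermal": 0.2},
    "power": {"gps": 0.95},
    "thermal": {"gps": 0.3, "power": 0.4},
}
```

Running two rounds shows the feedback the page describes: once "thermal" has lost credit, its low rating of "gps" carries less weight and the credit of "gps" rises.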
d) time-oriented behavior specification
The time-oriented behavior specification stipulates the sending interval of control commands of the same type; a suitable interval is defined that does not hinder the normal operation of the integrated electronic system and prevents packet replay attacks;
e) frequency-oriented behavior specification
The frequency-oriented behavior specification prescribes an upper limit on the frequency of packet transmission in the integrated electronic system, i.e. the number of packets transmitted on the bus within a period of time cannot be too large, so that denial-of-service attacks are prevented;
f) message-length-oriented behavior specification
The message-length-oriented behavior specification stipulates that the effective length of a packet must be the same when it is sent and when it is received; if the effective lengths differ, an alarm is raised and a log is recorded;
(2) Converting the normal behavior specification into a state machine:
Each specification of the device is converted into the form of a behavior-specification state machine, through which it is easy to monitor whether the device's behavior deviates from the behavior specification set for that item. A state machine is a mathematical model used to track the behavior of a system and thereby monitor it in real time: the current behavior of the system is fed to the state machine as input, which detects whether it deviates from the expected behavior defined by the behavior specification set. Because the set of behavior specifications defines the expected normal behavior of each device, deviations from normal behavior can be detected regardless of the attacker's pattern. The method must specify threshold ranges for some rules in advance; for example, certain behavior specifications of the satellite integrated electronic system must define acceptable parameter ranges, such as a packet response time of 4 µs to 12 µs, which separates normal packets from abnormal ones.
(3) Judging whether an abnormal behavior detected by the behavior-specification state machine is an intrusion by combining a distance measure with a probability model. The distance measure is implemented by first setting the data security degree of a packet of normal system behavior to 1, then measuring the distance between the abnormal packet detected by the behavior-specification state machine and the normal packet using the Manhattan distance or the Hamming distance, and defining the data security degree of the abnormal packet as a value between 0 and 1. Finally the data security degree is modeled with a Poisson distribution or a beta distribution, and a statistical method such as maximum likelihood estimation is used to estimate the parameters of the Poisson or beta distribution, so as to judge whether the current abnormal system behavior is an intrusion;
Intrusion response: raise an intrusion alarm, respond, and record the intrusion event.
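The distance measure and probability model of step (3), as an added example that is not the patent's code: the Hamming distance to the closest normal data-word pattern gives the data security degree (with a Manhattan variant for numeric features), and the Poisson form of the model is fitted with its maximum-likelihood parameter, the sample mean; the data-word patterns, the baseline history, the 0.75 low-security threshold and the 0.01 significance level are constructed assumptions.

```python
"""Distance measure plus Poisson model for telling an intrusion from a fault
(added example; not the patent's code).  Assumed: normal packets are known
16-bit data-word patterns for one command type; the low-security threshold
0.75 and the significance level 0.01 are example configuration values."""
import math

WORD_BITS = 16


def hamming(a, b):
    return bin(a ^ b).count("1")


def security_degree(packet, normal_templates):
    """Page steps D1/D2: a normal packet scores 1; an abnormal packet scores
    1 - d/16 with d its Hamming distance to the closest normal pattern."""
    d = min(hamming(packet, n) for n in normal_templates)
    return 1.0 - d / WORD_BITS


def manhattan_degree(values, normal_values, scales):
    """Manhattan variant for numeric features such as length or interval:
    each |x - x_normal| is normalised by its allowed range, then averaged."""
    d = sum(abs(v - n) / s for v, n, s in zip(values, normal_values, scales))
    return max(0.0, 1.0 - d / len(values))


def poisson_mle(counts):
    """Maximum-likelihood estimate of lambda for Poisson samples: the sample mean."""
    return sum(counts) / len(counts)


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam)."""
    if k <= 0:
        return 1.0
    cdf = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))
    return 1.0 - cdf


def classify_window(packets, normal_templates, baseline_counts, low=0.75, alpha=0.01):
    """Count the packets in the current window whose security degree is below
    `low`.  Under the Poisson baseline fitted to fault-only history, a count
    this high or higher with probability < alpha is judged an intrusion;
    otherwise it is treated as a fault.  Returns (verdict, p_value, count)."""
    degrees = [security_degree(p, normal_templates) for p in packets]
    k = sum(1 for s in degrees if s < low)
    p = poisson_tail(k, poisson_mle(baseline_counts))
    return ("intrusion" if p < alpha else "fault", round(p, 4), k)


# Constructed data: three accepted data-word patterns for one command type,
# a history of low-security counts per window from normal (fault-only)
# operation, and two captured windows to classify.
NORMAL = {0x1A2B, 0x1A2C, 0x1A2D}
BASELINE = [0, 1, 0, 0, 2, 0, 1, 0, 0, 1]            # lambda_hat = 0.5
INTRUSION_WINDOW = [0x1A2B, 0x1A2F, 0xE5D4, 0xFFFF, 0x0000, 0x1A2B, 0x5A2B, 0xA5D4]
FAULT_WINDOW = [0x1A2B, 0x1A2C, 0xE5D4, 0x1A2D]      # a single corrupted word
```

With the baseline rate of 0.5 low-security packets per window, the single corrupted word in FAULT_WINDOW is unremarkable (p about 0.39), while the four in INTRUSION_WINDOW have p about 0.002 and are classified as an intrusion.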

Claims (10)

1. A lightweight intrusion detection method for an integrated electronic system is characterized by comprising the following steps:
step A1: monitoring and capturing transmission data in the integrated electronic system, and extracting the internal behavior characteristic information of the integrated electronic system;
step A2: according to the characteristics of the integrated electronic system and the supported bus protocol, establishing a normal behavior specification of the system, wherein the normal behavior specification comprises the following steps: a central management unit oriented behavior specification, a bus oriented behavior specification, a subsystem oriented behavior specification, a time oriented behavior specification, a frequency oriented behavior specification, and a packet length oriented behavior specification;
step A3: converting the normal behavior specification into a state machine form, and judging whether the extracted internal behavior characteristic information of the integrated electronic system meets the system normal behavior specification or not in real time by using the state machine, wherein if the extracted internal behavior characteristic information of the integrated electronic system does not meet the system normal behavior specification, the current behavior of the integrated electronic system is abnormal;
step A4: when the behavior specification state machine detects abnormal behavior of the integrated electronic system, judging whether the abnormal behavior is a one-time intrusion by combining a distance measurement method with a probability model;
step A5: if the abnormal behavior is a one-time intrusion, the system performs an intrusion response, initiates a warning and records a log.
2. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein extracting the internal behavior characteristic information of the integrated electronic system in step A1 comprises the following steps:
step B1: extracting the characteristics of a single data packet, including but not limited to the destination address of the data packet, the effective length of the data packet and the effective fields of the data packet;
step B2: extracting characteristics across multiple data packets, including but not limited to calculating the transmission frequency of data packets on the bus and the time interval between data packets of the same kind, for example data packets of the control instruction class;
step B3: extracting characteristics of subsystems, including but not limited to computing credit values for the subsystems.
3. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein the behavior specification oriented to the central management unit in step A2 is specifically:
Same sub-address: the behavior specification of the central management unit specifies that the same subsystem address, also called a sub-address, must not occur twice in the integrated electronic system; if two devices have the same sub-address, an alarm is initiated and a log is recorded;
Continuous instruction detection: the behavior specification of the central management unit specifies that the central management unit, acting as the bus controller, does not send instructions without an inter-word interval; the minimum time interval for the bus controller to send instruction words is 4us, and if the time interval at which the central management unit sends instructions exceeds 4us, an alarm is sent out and a log is recorded;
Transmission format detection: the behavior specification of the central management unit specifies that a data packet sent by the central management unit takes the form of an instruction word plus data words, or of an instruction word alone; in the instruction word + data word form, the words are transmitted without an inter-word interval; if this rule is violated, an alarm is given and a log is recorded;
Mode code: the behavior specification of the central management unit specifies that the mode code field in an instruction word sent by the central management unit has a special meaning and must use a mode code defined in the 1553B protocol; a mode code that is not in the corresponding white list is regarded as an exception.
4. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein the bus-oriented behavior specification in step A2 is specifically:
Traffic white list: the bus behavior specification specifies that only traffic of a bus protocol supported by the system is allowed in the integrated electronic system; any other traffic is suspicious, and an alarm message is generated;
Label field: the bus behavior specification specifies that all fields of the data words, instruction words and status words transmitted in the integrated electronic system conform to the 1553B bus protocol;
Non-response data packets: according to the bus protocol specification supported by the integrated electronic system, a data packet whose response time exceeds a certain threshold is called a no-response data packet; the bus-oriented behavior specification specifies that if the number of no-response data packets within a period of time exceeds a defined threshold, an alarm is initiated and a log is recorded;
Transmission format: the bus-oriented behavior specification stipulates that the data transmitted by a subsystem over the primary bus takes the format status word + data word + ... + data word, or status word alone; in the status word + data word + ... + data word format, the status word and the data words are transmitted without an inter-word interval; if the transmission format is not met, an alarm is initiated and a log is recorded.
5. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein the subsystem-oriented behavior specification of step A2 specifies that the credit value of a subsystem must not be less than 60% of the full score, the credit value being obtained by the following steps:
step C1: calculating the subjective credit of the subsystem, comprising the evaluation value of the subsystem's daily behavior;
step C2: calculating the indirect credit of the subsystem, comprising the evaluation value given to the subsystem by the subsystems it communicates with;
step C3: calculating the credit value of the subsystem by combining its subjective credit and indirect credit:
Figure FDA0002463452630000021 (formula for the subsystem credit value; not reproduced in the text)
wherein S is the full score of the credit value, Credit_i is the credit value of the i-th subsystem, CS_i is its subjective credit, and CC_i is the evaluation value given by a communicating subsystem for that subsystem.
6. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein the time-oriented behavior specification in step A2 is specifically:
the time-oriented behavior specification stipulates the sending time interval of control commands of the same type; a suitable time interval is defined that does not hinder the normal work of the integrated electronic system and can prevent replay attacks on data packets.
7. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein the frequency-oriented behavior specification in step A2 is specifically:
the frequency-oriented behavior specification defines an upper limit on the frequency at which data packets are transmitted in the integrated electronic system, i.e., the number of data packets transmitted on the bus within a period of time must not exceed the limit, thereby preventing denial of service attacks.
8. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein the packet-length-oriented behavior specification in step A2 is specifically:
the packet-length-oriented behavior specification stipulates that the effective length of a data packet must be the same when the data packet is sent and when it is received; if the effective lengths are not consistent, an alarm is initiated and a log is recorded.
9. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein the distance measurement method in step A4 comprises the following steps:
step D1: setting the data security degree of a normal system behavior data packet to 1;
step D2: measuring the distance between the abnormal behavior data packet detected by the behavior specification state machine and the normal system behavior data packet, and defining the data security degree of the abnormal behavior data packet as a value between 0 and 1, wherein the distance measurement method includes but is not limited to the Manhattan distance method and the Hamming distance method.
10. The lightweight intrusion detection method for an integrated electronic system according to claim 1, wherein the probability model in step A4 includes but is not limited to the beta distribution and the Poisson distribution; the data security degree is modeled by the probability model, and the parameters of the probability model are estimated by a statistical method so as to determine whether the current abnormal system behavior is an intrusion, wherein the statistical method is the maximum likelihood estimation method.
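The specifications of claims 3, 4 and 8, together with the 4us-12us response window from the description, expressed as executable checks over a constructed bus capture. This is an added example written for this page, not code from the patent or its inventors. The word-record layout, the sample capture, the contents of the mode-code white list and the no-response limit are assumptions, and the transfer-format checker is one way of writing down the behavior specification state machine the claims describe:

```python
"""Added example (not the patent's code): behavior-specification checks over a
constructed 1553B-style bus capture. Word records, field names, the sample capture,
the mode-code white list and the no-response limit are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MODE_CODE_WHITELIST = {0x00, 0x01, 0x02, 0x08, 0x11, 0x12}  # constructed subset (assumption)
RESPONSE_WINDOW_US = (4.0, 12.0)   # acceptable status-word response time (4us-12us in the text)
MIN_COMMAND_GAP_US = 4.0           # minimum idle time before a new command word (claim 3)
MAX_NO_RESPONSE = 3                # unanswered commands tolerated per capture (assumption)


@dataclass
class Word:
    kind: str                        # "cmd", "data" or "status"
    gap_us: float                    # idle bus time observed before this word
    sub_address: int = 0             # subsystem (remote terminal) address
    mode_code: Optional[int] = None  # set on mode-code command words only
    length_words: int = 0            # data word count announced by a command word


def check_transfer_format(words):
    """Behavior specification state machine for the transmission-format rules:
    command word, contiguous data words, status word inside the response window,
    contiguous data words, then >= 4us idle before the next command.
    Returns (index, rule, detail) alerts; an empty list means compliant."""
    alerts, state, (lo, hi) = [], "IDLE", RESPONSE_WINDOW_US
    for i, w in enumerate(words):
        if w.kind == "cmd":
            if state == "BC_DATA":  # previous command never received a status word
                alerts.append((i, "no_response", "command issued before the previous one was answered"))
            elif state == "RT_DATA" and w.gap_us < MIN_COMMAND_GAP_US:
                alerts.append((i, "command_gap", f"{w.gap_us}us gap below the {MIN_COMMAND_GAP_US}us minimum"))
            state = "BC_DATA"
        elif w.kind == "data":
            if state == "IDLE":
                alerts.append((i, "format", "data word with no preceding command or status word"))
            elif w.gap_us != 0:
                alerts.append((i, "format", "inter-word gap inside a message"))
        elif w.kind == "status":
            if state != "BC_DATA":
                alerts.append((i, "format", "status word with no preceding command"))
            elif not lo <= w.gap_us <= hi:
                alerts.append((i, "response_time", f"{w.gap_us}us response outside {lo}-{hi}us"))
            state = "RT_DATA"
        else:
            alerts.append((i, "format", f"unknown word kind {w.kind!r}"))
    return alerts


def check_mode_codes(words):
    """Mode-code white list (claim 3): a command whose mode code is unknown is an exception."""
    return [(i, "mode_code", f"mode code {w.mode_code:#04x} not in white list")
            for i, w in enumerate(words)
            if w.kind == "cmd" and w.mode_code is not None and w.mode_code not in MODE_CODE_WHITELIST]


def check_packet_length(words):
    """Packet length (claim 8): the data word count announced by a command word must
    match the data words actually carried on the bus before the next command."""
    alerts = []
    starts = [i for i, w in enumerate(words) if w.kind == "cmd"]
    for s, e in zip(starts, starts[1:] + [len(words)]):
        cmd = words[s]
        seen = sum(1 for w in words[s + 1:e] if w.kind == "data")
        if cmd.mode_code is None and seen != cmd.length_words:
            alerts.append((s, "packet_length", f"announced {cmd.length_words} data words, bus carried {seen}"))
    return alerts


def check_sub_addresses(device_table):
    """Same sub-address (claim 3): device_table maps device name -> sub-address."""
    return [(None, "duplicate_sub_address", f"sub-address {sa} used by {n} devices")
            for sa, n in Counter(device_table.values()).items() if n > 1]


def run_specifications(words, device_table):
    """Run every specification and apply the no-response count threshold (claim 4)."""
    alerts = (check_transfer_format(words) + check_mode_codes(words)
              + check_packet_length(words) + check_sub_addresses(device_table))
    unanswered = sum(1 for a in alerts if a[1] == "no_response")
    if unanswered > MAX_NO_RESPONSE:
        alerts.append((None, "no_response_threshold", f"{unanswered} unanswered commands exceed {MAX_NO_RESPONSE}"))
    return alerts


# Constructed capture: a BC->RT transfer of 2 data words, an RT->BC transfer of 1 data word,
# then a mode-code command sent 2us after the last word and answered only after 15us.
SAMPLE_WORDS = [
    Word("cmd", 0.0, sub_address=3, length_words=2), Word("data", 0.0), Word("data", 0.0),
    Word("status", 6.0, sub_address=3),
    Word("cmd", 5.0, sub_address=5, length_words=1), Word("status", 7.0, sub_address=5), Word("data", 0.0),
    Word("cmd", 2.0, sub_address=3, mode_code=0x1F), Word("status", 15.0, sub_address=3),
]
SAMPLE_DEVICES = {"attitude_control": 3, "power": 5, "payload": 3}  # constructed; sub-address 3 reused

if __name__ == "__main__":
    for index, rule, detail in run_specifications(SAMPLE_WORDS, SAMPLE_DEVICES):
        print(f"word {index}: {rule}: {detail}")
```

Each rule returns (index, rule, detail) tuples so the results can be logged or counted uniformly; the no-response limit is applied over the aggregate because claim 4 phrases it as a count over a period rather than a per-packet rule. On the constructed capture the checks raise the short command gap, the late status word, the unknown mode code and the reused sub-address, while the two well-formed transfers pass.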
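Step (3) of the description and claims 9 and 10, as an added worked example that is not the patent's own code: a data security degree derived from the Hamming or Manhattan distance to a normal reference packet, a beta-distribution fit by maximum likelihood (exhaustive grid search, so no external library is needed), and a decision on the anomaly. The reference packet, the baseline values, the grid bounds and the tail-probability threshold are assumptions for illustration; the patent does not say how the estimated parameters are turned into a verdict, so the rule used here is the author's own choice.

```python
"""Added example (not the patent's code): data security degree from packet distance,
beta-distribution fit by maximum likelihood, and an intrusion decision.
The reference packet, the baseline history, the grid bounds and the
tail-probability decision rule are assumptions made for illustration."""
import math


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length packets."""
    if len(a) != len(b):
        raise ValueError("packets must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def manhattan_distance(a: bytes, b: bytes) -> int:
    """Sum of absolute byte-value differences between two equal-length packets."""
    if len(a) != len(b):
        raise ValueError("packets must have equal length")
    return sum(abs(x - y) for x, y in zip(a, b))


def data_security(packet: bytes, reference: bytes, metric: str = "hamming") -> float:
    """Data security degree in [0, 1]: 1 for a packet identical to the normal reference
    (step D1), falling linearly with the normalised distance from it (step D2)."""
    if metric == "hamming":
        return 1.0 - hamming_distance(packet, reference) / (8 * len(reference))
    if metric == "manhattan":
        return 1.0 - manhattan_distance(packet, reference) / (255 * len(reference))
    raise ValueError(f"unknown metric {metric!r}")


def fit_beta_mle(samples, step=0.5, max_alpha=100.0, max_beta=50.0):
    """Maximum likelihood estimate of Beta(alpha, beta) by exhaustive grid search.
    Samples are clipped into (0, 1) to keep the log terms finite."""
    xs = [min(max(x, 1e-6), 1 - 1e-6) for x in samples]
    n = len(xs)
    s1 = sum(math.log(x) for x in xs)       # sufficient statistics of the beta family
    s2 = sum(math.log1p(-x) for x in xs)
    best, best_ll = (step, step), -math.inf
    a = step
    while a <= max_alpha:
        b = step
        while b <= max_beta:
            ll = (a - 1) * s1 + (b - 1) * s2 - n * (math.lgamma(a) + math.lgamma(b) - math.lgamma(a + b))
            if ll > best_ll:
                best, best_ll = (a, b), ll
            b += step
        a += step
    return best


def beta_cdf(x, a, b, steps=4000):
    """P(X <= x) for X ~ Beta(a, b), by midpoint integration of the density."""
    if x <= 0:
        return 0.0
    if x >= 1:
        return 1.0
    lbeta = math.lgamma(a) + math.lgamma(b) - math.lgamma(a + b)
    h = x / steps
    total = sum(math.exp((a - 1) * math.log((k + 0.5) * h) + (b - 1) * math.log1p(-(k + 0.5) * h) - lbeta)
                for k in range(steps))
    return min(total * h, 1.0)


def is_intrusion(security, params, tail=0.05):
    """Decision rule (assumption): the anomaly counts as a one-time intrusion when a
    security degree this low has probability below `tail` under the fitted baseline."""
    a, b = params
    return beta_cdf(security, a, b) < tail


# Constructed data: a normal 4-byte packet, two anomalous variants, and baseline security
# degrees measured over earlier, benign variations of the traffic.
NORMAL_PACKET = bytes([0x08, 0x42, 0x00, 0x10])
MILD_ANOMALY = bytes([0x08, 0x42, 0xFF, 0x10])    # one byte differs (8 bits)
SEVERE_ANOMALY = bytes([0x08, 0x42, 0xFF, 0xEF])  # two bytes differ (16 bits)
BASELINE_SECURITY = [0.90, 0.82, 0.95, 0.78, 0.88, 0.93, 0.85, 0.80, 0.97, 0.86, 0.91, 0.84]

if __name__ == "__main__":
    params = fit_beta_mle(BASELINE_SECURITY)
    for name, pkt in (("mild", MILD_ANOMALY), ("severe", SEVERE_ANOMALY)):
        sec = data_security(pkt, NORMAL_PACKET)
        print(f"{name}: security={sec:.2f} intrusion={is_intrusion(sec, params)}")
```

The beta log-likelihood is concave in (alpha, beta), so the grid maximum is a usable approximation of the MLE; a Poisson model, the patent's other option, would instead be fitted from the sample mean but needs count-valued data rather than a degree in [0, 1]. The tail threshold is the knob that trades missed intrusions against false alarms and would be tuned on recorded bus traffic.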
CN201711223284.0A 2017-11-29 2017-11-29 Lightweight intrusion detection method for integrated electronic system Active CN108206826B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711223284.0A CN108206826B (en) 2017-11-29 2017-11-29 Lightweight intrusion detection method for integrated electronic system

Publications (2)

Publication Number Publication Date
CN108206826A CN108206826A (en) 2018-06-26
CN108206826B true CN108206826B (en) 2020-07-14

Family

ID=62604556

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711223284.0A Active CN108206826B (en) 2017-11-29 2017-11-29 Lightweight intrusion detection method for integrated electronic system

Country Status (1)

Country Link
CN (1) CN108206826B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109784040B (en) * 2018-12-10 2023-05-12 华东师范大学 Misuse detection method for integrated electronic system
CN111431895B (en) * 2020-03-20 2022-04-22 宁波和利时信息安全研究院有限公司 System exception handling method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127761A (en) * 2006-08-16 2008-02-20 北京城市学院 Unidirectional protocol isolation method and device in network
CN101174285A (en) * 2006-11-03 2008-05-07 北京航空航天大学 Bus line fire wall of embedded system
CN101599963A (en) * 2009-06-10 2009-12-09 电子科技大学 Suspected network threat information screener and Screening Treatment method
CN102546524A (en) * 2010-12-09 2012-07-04 中国科学院沈阳计算技术研究所有限公司 Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8775393B2 (en) * 2011-10-03 2014-07-08 Polytechniq Institute of New York University Updating a perfect hash data structure, such as a multi-dimensional perfect hash data structure, used for high-speed string matching

Also Published As

Publication number Publication date
CN108206826A (en) 2018-06-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant