CN108965267B - Network attack processing method and device and vehicle - Google Patents


Info

Publication number: CN108965267B
Application number: CN201810690119.4A
Authority: CN (China)
Prior art keywords: network data, offensive, target, characteristic information, target network
Legal status: Active (Google Patents marks the status as an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN108965267A (en)
Inventors: 马东辉, 薛鹏
Current assignee: Beijing Co Wheels Technology Co Ltd (Google Patents marks the assignee list as possibly inaccurate)
Original assignee: Beijing CHJ Automobile Technology Co Ltd
Events: application CN201810690119.4A filed by Beijing CHJ Automobile Technology Co Ltd; priority to CN201810690119.4A; publication of CN108965267A; application granted; publication of CN108965267B; legal status active


Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network attack processing method, a network attack processing device and a vehicle. The method comprises the following steps: acquiring target network data passing through the car machine (the vehicle's head unit); judging, according to acquired characteristic information of offensive network data, whether the target network data is offensive network data; and if the target network data is determined to be offensive network data, performing target processing on the target network data. With this network attack processing method, the probability that the vehicle is attacked over the network can be reduced and the network security of the vehicle improved.

Description

Network attack processing method and device and vehicle
Technical Field
The present disclosure relates to the field of vehicles, and in particular, to a network attack processing method and apparatus, and a vehicle.
Background
As vehicles become more widespread, and in order to make them more convenient to use, the functions integrated into a vehicle have grown richer, for example intelligent driving, audio playback, intelligent navigation, air purification and communication. As vehicles become increasingly intelligent and networked, information exchange between devices inside the vehicle, and between the vehicle and external devices, is ever more frequent: for example, a cloud service interacts with the car machine over the internet, a CAN (Controller Area Network) gateway interacts with the car machine, and a user can control the vehicle from a mobile terminal. Network security attacks against vehicles are increasing accordingly; for example, vehicle hackers can take control of the vehicle's information display and of the body power and braking systems by attacking the CAN gateway and the instrument panel. How to strengthen a vehicle's defence against network attacks, and so improve vehicle network security, has therefore become important.
Disclosure of Invention
The embodiment of the disclosure provides a network attack processing method, a network attack processing device and a vehicle, so as to enhance the defense capability of vehicle network attack and improve the security of a vehicle network.
In a first aspect, the present disclosure provides a network attack processing method, including:
acquiring target network data passing through the car machine;
judging whether the target network data is the offensive network data or not according to the acquired characteristic information of the offensive network data;
and if the target network data is determined to be the offensive network data, performing target processing on the target network data.
Optionally, the determining, according to the obtained feature information of the offensive network data, whether the target network data is the offensive network data includes:
carrying out protocol analysis on the target network data to obtain format characteristic information of the target network data;
and judging whether the target network data is the offensive network data or not according to the acquired format characteristic information of the offensive network data and the format characteristic information of the target network data.
Optionally, before determining whether the target network data is the offensive network data according to the obtained characteristic information of the offensive network data, the method further includes:
analyzing the target network data to obtain target information of the target network data, where the target information includes source information and/or destination information of the target network data;
the judging whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data includes:
and under the condition that the target information meets the preset filtering condition, judging whether the target network data is the offensive network data or not according to the acquired characteristic information of the offensive network data.
Optionally, if it is determined that the target network data is offensive network data, performing target processing on the target network data includes:
if the target network data is determined to be the first type of offensive network data, modifying the target network data into network data in a legal format;
and if the target network data is determined to be the second type of offensive network data, discarding the target network data.
Optionally, the target network data includes at least one of network data communicated between the car machine and a network node of an in-car network, network data communicated between the car machine and network equipment of the internet, and network data communicated between the car machine and external equipment.
Optionally, before determining whether the target network data is the offensive network data according to the characteristic information of the offensive network data, the method further includes:
receiving characteristic information of the offensive network data sent by the cloud server; and/or
After determining that the target network data is offensive network data, the method further comprises:
and reporting the target network data to the cloud server.
Optionally, the method further includes:
and if the vulnerability corresponding to target characteristic information among the characteristic information of the offensive network data has been repaired, deleting the target characteristic information.
In a second aspect, the present disclosure also provides a network attack processing apparatus, including:
the acquisition module is used for acquiring target network data passing through the vehicle machine;
the judging module is used for judging whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data;
and the processing module is used for carrying out target processing on the target network data if the target network data is determined to be the offensive network data.
Optionally, the determining module includes:
the analysis unit is used for carrying out protocol analysis on the target network data to obtain format characteristic information of the target network data;
and the judging unit is used for judging whether the target network data is the offensive network data or not according to the acquired format characteristic information of the offensive network data and the format characteristic information of the target network data.
Optionally, the apparatus further comprises:
an analysis module, configured to analyze the target network data, before the judgment of whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data, to obtain target information of the target network data, where the target information includes source information and/or destination information of the target network data;
the judgment module is specifically configured to:
and under the condition that the target information meets the preset filtering condition, judging whether the target network data is the offensive network data or not according to the acquired characteristic information of the offensive network data.
Optionally, the processing module is specifically configured to:
if the target network data is determined to be the first type of offensive network data, modifying the target network data into network data in a legal format;
and if the target network data is determined to be the second type of offensive network data, discarding the target network data.
Optionally, the target network data includes at least one of network data communicated between the car machine and a network node of an in-car network, network data communicated between the car machine and network equipment of the internet, and network data communicated between the car machine and external equipment.
Optionally, the apparatus further comprises:
the receiving module is used for receiving the characteristic information of the offensive network data sent by the cloud server before judging whether the target network data is the offensive network data according to the characteristic information of the offensive network data; and/or
The device further comprises:
and the reporting module is used for reporting the target network data to the cloud server after determining that the target network data is the offensive network data.
Optionally, the apparatus further comprises:
and the deleting module is used for deleting the target characteristic information if the vulnerability corresponding to the target characteristic information in the characteristic information of the offensive network data is repaired.
In a third aspect, an embodiment of the present disclosure further provides a network attack processing apparatus, which includes a processor, a memory, and a computer program stored on the memory and executable on the processor, where the computer program, when executed by the processor, implements the steps of the network attack processing method described above.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the network attack processing method are implemented.
In a fifth aspect, the embodiment of the present disclosure further provides a vehicle, where the vehicle includes the network attack processing apparatus described above.
In the embodiment of the disclosure, whether the target network data passing through the car machine is offensive network data is judged based on the characteristic information of offensive network data, and the target network data is processed when it is determined to be offensive network data, so that the probability that the vehicle is attacked over the network can be reduced and vehicle network security improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings needed to be used in the description of the embodiments of the present disclosure will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a flowchart of a network attack processing method provided by an embodiment of the present disclosure;
fig. 2 is a flowchart of a network attack processing method according to another embodiment of the disclosure;
fig. 3 is a schematic diagram of a network attack processing architecture provided by an embodiment of the present disclosure;
fig. 4 is a schematic diagram of a network attack processing architecture provided by yet another embodiment of the present disclosure;
fig. 5 is a structural diagram of a network attack processing apparatus provided in the embodiment of the present disclosure;
fig. 6 is a block diagram of a network attack processing apparatus according to still another embodiment of the present disclosure;
fig. 7 is a block diagram of a network attack processing apparatus according to still another embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The embodiment of the disclosure provides a network attack processing method. Referring to fig. 1, fig. 1 is a flowchart of a network attack processing method provided by an embodiment of the present disclosure, and as shown in fig. 1, the method includes the following steps:
and 101, acquiring target network data of the vehicle passing machine.
In the embodiment of the present disclosure, the car machine may include an In-Vehicle Infotainment (IVI). The target network data may include any network data passing through the vehicle machine.
In some embodiments, the target network data includes at least one of network data communicated between the car machine and a network node of an in-car network, network data communicated between the car machine and a network device of the internet, and network data communicated between the car machine and an external device.
In this embodiment of the disclosure, the network node in the in-vehicle network may include a Controller Area Network (CAN) gateway, a dashboard and the like. The network device in the internet may include an internet gateway. The external device may include a mobile terminal, for example a mobile phone, a tablet computer, a laptop computer, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID) or a wearable device.
Step 102, judging, according to the acquired characteristic information of the offensive network data, whether the target network data is offensive network data.
In this embodiment of the disclosure, the characteristic information of the offensive network data may be issued by the cloud server to the car machine, may also be pre-stored in the car machine, and may also be imported by the external device into the car machine.
In practical applications, the characteristic information of the offensive network data may be obtained by analyzing the offensive network data, for example, analyzing one or more items of format characteristic information (such as field type, field length, and the like), source information (such as source IP (Internet Protocol) address), destination information (such as destination IP address, an application receiving the network data), and a domain name of the offensive network data.
Specifically, the target network data may be analyzed against the characteristic information of the offensive network data to determine whether it carries characteristics that match. For example, when the characteristic information of the offensive network data includes an illegal field length, the specified length and the actual length of each field in the target network data may be compared, and if the actual length of one or more fields does not match the specified length, the target network data is determined to be offensive network data. Likewise, when the characteristic information includes a mismatched field type, the specified type and the actual type of each field may be compared, and if the actual type of one or more fields does not match the specified type, the target network data is determined to be offensive network data.
Step 103, performing target processing on the target network data if the target network data is determined to be offensive network data.
In this step, when it is determined that the target network data is the offensive network data, the target network data may be directly intercepted, modified, or sent to a server or the like for processing the offensive network data.
The network attack processing method of the embodiment of the disclosure judges whether the target network data passing through the vehicle machine is the offensive network data or not based on the characteristic information of the network attack data, and processes the target network data under the condition that the target network data is determined to be the offensive network data, thereby reducing the probability that the vehicle is attacked by the network and improving the network security of the vehicle.
Referring to fig. 2, fig. 2 is a flowchart of a network attack processing method provided by another embodiment of the disclosure. This embodiment differs from the previous one mainly in how the judgment of whether the target network data is offensive network data, according to the acquired characteristic information of the offensive network data, is carried out. In this embodiment, the judgment includes: performing protocol analysis on the target network data to obtain format characteristic information of the target network data; and judging whether the target network data is offensive network data according to the acquired format characteristic information of the offensive network data and the format characteristic information of the target network data.
As shown in fig. 2, the network attack processing method provided by the embodiment of the present disclosure includes the following steps:
step 201, obtaining target network data of the passing vehicle machine.
This step is the same as the step 101, and is not described herein again to avoid repetition.
Step 202, performing protocol analysis on the target network data to obtain format characteristic information of the target network data.
In the embodiment of the present disclosure, the format characteristic information of the target network data, for example, a field type, a field length, and the like, is obtained by performing protocol analysis on the target network data.
In some embodiments, multi-layer protocol parsing may be performed on the target network data to obtain its format characteristic information at the different protocol layers. For example, link-layer protocol analysis may be performed on the target network data to obtain the format characteristic information of the link-layer protocol; network-layer protocol analysis may then be performed on the payload that remains after the link-layer header is stripped, to obtain the format characteristic information of the network-layer protocol; transport-layer protocol analysis is then performed on the payload that remains after the network-layer header is stripped, and so on.
It should be noted that, in the embodiment of the present disclosure, after each layer of protocol analysis, whether the data parsed so far is offensive network data may be judged according to the characteristic information of the offensive network data, and once it is determined to be offensive network data the analysis of the subsequent layers may be skipped; alternatively, the judgment may be made only after the protocol analysis of all layers has been completed.
Step 203, judging whether the target network data is the offensive network data according to the acquired format characteristic information of the offensive network data and the format characteristic information of the target network data.
In the embodiment of the present disclosure, the characteristic information of the offensive network data includes format characteristic information of the offensive network data, for example, a field length is illegal, a field type is not matched, and the like.
In this step, the format characteristic information of the target network data after the protocol analysis may be matched with the format characteristic information of the offensive network data to determine whether the target network data is offensive network data. For example, the format characteristic information of the offensive network data includes field type mismatch, and if one or more field types of the target network data do not match, the target network data may be determined to be the offensive network data.
Step 204, performing target processing on the target network data if the target network data is determined to be offensive network data.
This step is the same as step 103, and is not described herein again to avoid repetition.
According to the network attack processing method provided by this embodiment of the disclosure, the format characteristic information of the target network data is obtained by protocol analysis of the target network data, and whether the target network data is offensive network data is judged from the acquired format characteristic information of the offensive network data and the format characteristic information of the target network data, so that the accuracy of network attack detection can be improved, and with it the security of the vehicle network.
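As an added example (not code from the patent), the following Python models steps 202 and 203 together with the field-length and field-type matching of step 102: the frame is parsed one protocol layer at a time, the format fields of each layer are matched against that layer's features, and parsing stops at the first hit so that deeper layers of a rejected frame are never parsed. It assumes an Ethernet II / IPv4 / UDP stack carrying a constructed three-byte [type][length][value] application message, standing in for the IP-side traffic between the car machine and the internet gateway; the feature names, predicates, allowed message types and the frames built by build_frame are constructed for the example.

```python
import struct

# Constructed feature list. The patent only names feature kinds ("field length is
# illegal", "field type does not match"); the layer tags, names, predicates and the
# allowed message types below are this example's assumptions.
ALLOWED_MSG_TYPES = {0x01, 0x02}   # constructed: 0x01 = status query, 0x02 = status report

ATTACK_FEATURES = [
    ("network",     "ipv4_bad_version",                lambda f: f["version"] != 4),
    ("network",     "ipv4_header_length_too_small",    lambda f: f["ihl"] < 5),
    ("network",     "ipv4_total_length_exceeds_frame", lambda f: f["total_length"] > f["available"]),
    ("transport",   "udp_length_mismatch",             lambda f: f["udp_length"] != f["available"]),
    ("application", "declared_length_exceeds_payload", lambda f: f["declared_len"] > f["available"] - 3),
    ("application", "unknown_message_type",            lambda f: f["msg_type"] not in ALLOWED_MSG_TYPES),
]


def parse_link(frame: bytes):
    """Link layer: Ethernet II header (assumed for the IP side of the car machine)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"ethertype": ethertype, "available": len(frame)}, frame[14:]


def parse_network(pkt: bytes):
    """Network layer: the IPv4 header fields the feature list refers to."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    total_length = struct.unpack("!H", pkt[2:4])[0]
    fields = {"version": version, "ihl": ihl, "total_length": total_length,
              "protocol": pkt[9], "available": len(pkt)}
    # Never slice with a too-small IHL; the feature check rejects such a header anyway.
    return fields, pkt[max(ihl, 5) * 4:]


def parse_transport(seg: bytes):
    """Transport layer: UDP header (source port, destination port, length, checksum)."""
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_length, _checksum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "udp_length": udp_length, "available": len(seg)}, seg[8:]


def parse_application(msg: bytes):
    """Application layer: constructed message [type:1][declared_len:2][value]."""
    if len(msg) < 3:
        raise ValueError("truncated application header")
    msg_type, declared_len = struct.unpack("!BH", msg[:3])
    return {"msg_type": msg_type, "declared_len": declared_len, "available": len(msg)}, msg[3:]


LAYERS = [("link", parse_link), ("network", parse_network),
          ("transport", parse_transport), ("application", parse_application)]


def inspect_frame(frame: bytes):
    """Parse one layer at a time, match that layer's features, stop at the first hit.
    Returns (is_offensive, layer, feature_name); a truncated header counts as an illegal length."""
    data = frame
    for layer, parser in LAYERS:
        try:
            fields, data = parser(data)
        except ValueError as exc:
            return True, layer, f"truncated_header:{exc}"
        for feature_layer, name, predicate in ATTACK_FEATURES:
            if feature_layer == layer and predicate(fields):
                return True, layer, name
    return False, None, None


def build_frame(payload=b"OK", msg_type=0x01, declared_len=None,
                udp_length=None, total_length=None, ihl=5):
    """Constructed Ethernet/IPv4/UDP frame; override a header field to forge a malformed one."""
    app = struct.pack("!BH", msg_type, len(payload) if declared_len is None else declared_len) + payload
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(app) if udp_length is None else udp_length, 0) + app
    ip = (bytes([(4 << 4) | ihl, 0])
          + struct.pack("!H", 20 + len(udp) if total_length is None else total_length)
          + b"\x00\x00\x40\x00" + bytes([64, 17]) + b"\x00\x00"      # id, DF flag, TTL 64, UDP, checksum 0
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]) + udp)        # constructed src/dst addresses
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + ip


if __name__ == "__main__":
    print(inspect_frame(build_frame()))
    print(inspect_frame(build_frame(declared_len=4000)))
    print(inspect_frame(build_frame(ihl=4)))
```

A truncated header is rejected at the layer where it occurs, which is the early-exit case the text describes, and the IPv4 parser never slices with an IHL below 5 so that a forged header cannot push a later layer out of bounds. CAN frames on the in-vehicle side have their own framing and would need their own layer parsers in place of the Ethernet and IPv4 ones used here.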
In some embodiments, before determining whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data, the method further includes:
analyzing the target network data to obtain target information of the target network data, where the target information includes source information and/or destination information of the target network data;
the judging whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data includes:
and under the condition that the target information meets the preset filtering condition, judging whether the target network data is the offensive network data or not according to the acquired characteristic information of the offensive network data.
In the embodiment of the present disclosure, the source information may include a source IP address, and the destination information may include a destination IP address, an application that receives the network data, and the like. The preset filtering condition corresponds to the target information, for example, when the target information is a source IP address or a destination IP address, the preset filtering condition may be one or more IP addresses set based on historical network attacks; when the target information is an application receiving network data, the preset filtering condition may be one or more applications set based on historical network attacks.
In practical situations, some network attacks are usually originated from some specific IP addresses or sent to some specific applications, so that the network data that may be offensive network data can be preliminarily screened out through the source information and/or the destination information of the network data.
Specifically, when the target information meets the preset filtering condition, the current network data is likely to be offensive network data, and whether it is may then be further determined according to the acquired characteristic information of the offensive network data, so as to improve the accuracy of network attack detection. When the target information does not meet the preset filtering condition, the current network data is very likely not offensive network data, and it can be processed according to the normal flow.
Because only network data whose target information meets the preset filtering condition is judged against the acquired characteristic information of the offensive network data, the amount of detection work is reduced, the power consumption of the car machine is saved, and the loss of network data transmission efficiency caused by the detection of offensive network data is limited.
In other embodiments, when the target information meets the preset filtering condition the target network data is directly determined to be offensive network data and target processing may be performed on it, and only when the target information does not meet the preset filtering condition is the judgment made according to the acquired characteristic information of the offensive network data; this improves the efficiency of detecting offensive network data.
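As an added example of the two prefilter embodiments above (example code, not the patent's own), the Python below applies a preset filtering condition on source address and destination application and then runs both policies over the same constructed packets: in the first, only data meeting the condition is matched against the features; in the second, meeting the condition is itself the verdict. The address ranges, application names and packets are constructed, and the feature match is the declared-length check of step 102.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed view of a packet after the source/destination analysis step."""
    src_ip: str
    dst_app: str
    declared_len: int   # length field carried in the application header
    payload: bytes


# Constructed prefilter lists; the patent says these are "set based on historical
# network attacks" without giving values, so the networks and app names are assumptions.
SUSPECT_SOURCES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")]
SUSPECT_APPS = {"remote-diagnostics", "door-unlock"}


def meets_filter_condition(pkt: Packet) -> bool:
    """Preset filtering condition: source address on the list or destination app on the list."""
    src = ipaddress.ip_address(pkt.src_ip)
    return any(src in net for net in SUSPECT_SOURCES) or pkt.dst_app in SUSPECT_APPS


def feature_match(pkt: Packet) -> bool:
    """Feature check from step 102: the declared field length must equal the actual length."""
    return pkt.declared_len != len(pkt.payload)


def classify_filter_then_inspect(pkt: Packet) -> str:
    """First embodiment: only traffic that meets the filter condition is matched against
    the features; everything else follows the normal forwarding flow untouched."""
    if not meets_filter_condition(pkt):
        return "forward"
    return "offensive" if feature_match(pkt) else "forward"


def classify_filter_decides(pkt: Packet) -> str:
    """Second embodiment: meeting the filter condition is itself the verdict; traffic
    that does not meet it still gets the feature match."""
    if meets_filter_condition(pkt):
        return "offensive"
    return "offensive" if feature_match(pkt) else "forward"


# Constructed sample traffic covering the four combinations of (listed source?, malformed?).
SAMPLES = {
    "listed_malformed":    Packet("203.0.113.9", "navigation", 4000, b"\x01\x02"),
    "listed_wellformed":   Packet("203.0.113.9", "navigation", 2, b"\x01\x02"),
    "unlisted_malformed":  Packet("192.0.2.5", "navigation", 4000, b"\x01\x02"),
    "unlisted_wellformed": Packet("192.0.2.5", "navigation", 2, b"\x01\x02"),
}


def compare_policies():
    """Run both embodiments over the samples; returns {name: (filter_then_inspect, filter_decides)}."""
    return {name: (classify_filter_then_inspect(p), classify_filter_decides(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (first, second) in compare_policies().items():
        print(f"{name:20s} filter-then-inspect={first:9s} filter-decides={second}")
```

Running compare_policies() makes the trade-off visible: the first policy never inspects a malformed packet from an unlisted source, while the second flags well-formed traffic from a listed source. Since a source address on the internet path is attacker-controlled, the prefilter is the work-reduction measure the text describes, not a security boundary on its own.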
In some embodiments, the target processing includes discarding the target network data or modifying the target network data to network data in a legitimate format.
In the embodiment of the disclosure, under the condition that the target network data is determined to be the offensive network data, the target network data can be directly discarded, that is, the target network data is not forwarded any more; the target network data may also be modified to be network data in a legal format, for example, fields with unmatched field types are modified to fields with matched field types.
In some embodiments, the performing target processing on the target network data if it is determined that the target network data is offensive network data includes:
if the target network data is determined to be the first type of offensive network data, modifying the target network data into network data in a legal format;
and if the target network data is determined to be the second type of offensive network data, discarding the target network data.
In the embodiment of the present disclosure, the first type of offensive network data may refer to network data that may affect vehicle service processing, and the second type of offensive network data may be network data other than the first type of offensive network data.
Specifically, the types of the different types of network data may be respectively determined based on the format characteristic information of the different types of offensive network data, for example, when the target network data is determined to be offensive network data according to the characteristic information of the first type of offensive network data, the target network data is determined to be the first type of offensive network data, and when the target network data is determined to be offensive network data according to the characteristic information of the second type of offensive network data, the target network data is determined to be the second type of offensive network data.
In practice, some network data packets are associated with other network data packets, and if such a packet were simply discarded on detecting that it is offensive network data, normal service processing might be affected. Therefore, the embodiment of the present disclosure can modify such a packet into a packet with a legal format so that normal service processing is ensured. Packets that have little influence on service processing can be discarded directly, which improves network data processing efficiency.
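An added example of the target processing described above (not the patent's code): each feature carries a category, data matching a category 1 feature is rewritten into a legal format, and data matching a category 2 feature is discarded. The message layout, the assignment of features to categories and the repair rule are assumptions made for the example.

```python
import struct

ALLOWED_MSG_TYPES = {0x01, 0x02}   # constructed: 0x01 = status query, 0x02 = status report


def parse(msg: bytes):
    """Constructed message layout [type:1][declared_len:2][value]."""
    msg_type, declared_len = struct.unpack("!BH", msg[:3])
    return msg_type, declared_len, msg[3:]


def length_mismatch(msg_type, declared_len, value):
    return declared_len != len(value)


def repair_length(msg_type, declared_len, value):
    """Rewrite the length field so it matches the bytes actually present."""
    return struct.pack("!BH", msg_type, len(value)) + value


def unknown_type(msg_type, declared_len, value):
    return msg_type not in ALLOWED_MSG_TYPES


# Feature table: (name, category, predicate, repair). Category 1 is the page's "first type"
# (dropping it would break a message sequence the vehicle service depends on), category 2
# the "second type". Which feature belongs to which category is this example's assumption.
FEATURES = [
    ("declared_length_mismatch", 1, length_mismatch, repair_length),
    ("unknown_message_type",     2, unknown_type,    None),
]


def target_processing(msg: bytes):
    """Returns (action, feature_name, output): 'forward' with the message unchanged,
    'modify' with the legal-format rewrite, or 'drop' with no output."""
    if len(msg) < 3:
        return "drop", "truncated_header", None
    fields = parse(msg)
    for name, category, predicate, repair in FEATURES:
        if predicate(*fields):
            if category == 1:
                return "modify", name, repair(*fields)
            return "drop", name, None
    return "forward", None, msg


if __name__ == "__main__":
    forged = b"\x01\x0f\xa0ab"          # declares 4000 bytes, carries 2
    action, name, out = target_processing(forged)
    print(action, name, out)
    print(target_processing(out))       # the repaired message must now pass
```

The rewritten message is fed through target_processing again to confirm it now passes; a repair that does not make the data pass the same check would forward offensive data under a legal-looking header. Rewriting also still delivers the attacker-chosen value bytes to the receiving service, which is why the text reserves modification for the first type and discards the rest.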
In some embodiments, before determining whether the target network data is offensive network data according to the characteristic information of the offensive network data, the method further includes:
receiving the characteristic information of the offensive network data sent by the cloud server; and/or
after determining that the target network data is offensive network data, the method further includes:
reporting the target network data to the cloud server.
In the embodiment of the disclosure, the cloud server may send the characteristic information of the offensive network data on request from the car machine, or may actively push it to the car machine. For example, the cloud server may push the characteristic information of the offensive network data to the car machine in an agreed format, and the car machine stores it in its storage medium.
In some embodiments, after the target network data is determined to be offensive network data, it may also be reported to the cloud server, so that the cloud server can analyze the characteristic information of offensive network data based on the offensive network data reported by the car machine and issue the resulting characteristic information to the car machine.
According to the embodiment of the invention, receiving the characteristic information of the offensive network data from the cloud server lets the car machine update that characteristic information more conveniently and quickly, and reporting the network data determined to be offensive to the cloud server lets the cloud server analyze and update the characteristic information conveniently.
In some embodiments, the method further comprises: if the vulnerability corresponding to target characteristic information within the characteristic information of the offensive network data has been repaired, deleting the target characteristic information.
In this embodiment of the present disclosure, the characteristic information of the offensive network data may include a plurality of characteristic information items, each of which may correspond to one or more vulnerabilities. In practice, the vehicle often repairs some known vulnerabilities each time its system is upgraded; deleting the characteristic information whose corresponding vulnerabilities have been repaired not only saves storage space but also prevents an excess of characteristic information from reducing the efficiency of detecting offensive network data.
The network attack processing method provided by the embodiment of the invention is illustrated with the following example:
Step a1, acquiring a network data packet passing through the vehicle-mounted infotainment system, where the acquired network data packet includes network data communicated between Internet network devices and the vehicle-mounted infotainment system, as well as other network data passing through the vehicle-mounted infotainment system.
In some embodiments, when the operating system of the vehicle-mounted infotainment system is Linux, the network data may be obtained through the LSM (Linux Security Module) framework of the Linux kernel. Specifically, a custom LSM module for extracting network data may be written and registered in the LSM framework to obtain the network data packets. The network data packets can then be handed to the data analysis and processing flow through a Netlink interface or another kernel/user-space information exchange mechanism, and each packet can be tagged with one or more items such as the network device it came from (e.g. by source IP address), its destination IP address, its domain name, and the like.
Step a2, performing protocol analysis on the acquired network data packet and extracting one or more of the source IP address, destination IP address and domain name of the network data, the corresponding network interface device, the specific network data packet content, and the like.
Step a3, judging whether the acquired network data packet is offensive network data using the characteristic information of the offensive network data sent by the cloud server and the data parsed in step a2.
Step a4, intercepting the network data packet judged to be offensive network data and reporting it to the cloud server.
Correspondingly, the cloud server can receive the attack event in an agreed format and report it to security event management personnel. The cloud server can also issue the characteristic information of the offensive network data to the vehicle-mounted infotainment system in an agreed format, to be stored in the infotainment system's storage medium. Specifically, when characteristic information of the offensive network data needs to be pushed, it can be pushed directly to the vehicle-mounted infotainment system by the cloud server.
In practice, attackers mainly take control of a vehicle by attacking the CAN gateway and the instrument panel, in order to control the vehicle's information display and to control the vehicle body power system and the brake system. To mount a remote attack, the attack chain exploits vulnerabilities in the in-vehicle remote network communication applications. Therefore, filtering Internet communication data and the data passing through the CAN gateway and dashboard is one means of intercepting attacks.
In addition, most attacks exploit loose format checking in programs (i.e. vulnerabilities): a hand-crafted data packet triggers an overflow of the memory stack or heap, with the goal of executing arbitrary code. Therefore, attack detection can be carried out effectively on the basis of format characteristic information.
Referring to fig. 3, the network data packet is passed from the kernel layer 10 of the vehicle-mounted infotainment system to the packet filtering protocol stack 20 in user space, where the protocol of the packet is parsed layer by layer and a reference to each layer's data is sent to the rule engine 30; the rule engine 30 then makes the attack behavior determination (i.e. determines whether the packet is offensive network data) and processes the packet, after which it is returned to the kernel layer for further processing.
Referring to fig. 4, an attack model holds the logic for identifying offensive network packets and for processing them. A protocol identification module receives the packet parsed by the protocol identification module of the layer above it, parses and strips one more layer of protocol encapsulation, and then calls the rule engine to hand the packet to the attack models concerned with that protocol for processing. The controller is responsible for receiving attack models and protocol identification modules sent by the cloud server, registering attack models with the rule engine and registering protocol identification modules with the packet filtering protocol stack. Attack models and protocol identification modules can be issued by the cloud server at any time. The cloud server sends the characteristic information of the offensive network data to the corresponding attack model, and one attack model can handle attack data whose characteristics differ in detail but share a characteristic type, for example memory overflow caused by illegal lengths of certain fields, or type conversion errors caused by mismatched field types.
The protocol identification modules in the packet filtering protocol stack are registered by the controller and parse the protocols of each layer of the network data packet in turn. After the protocol of a layer has been parsed, a reference to the data is passed to the identification engine, which calls the identification script in the attack model corresponding to that protocol to identify the data. If the data is identified as offensive network data, it is passed to the processing engine, which invokes the processing corresponding to the processing script in that attack model; the processing may consist of discarding the data packet or modifying it into a legal format.
The session management shown in fig. 4 is a program module responsible for handling the source and destination of network packets; an attack model or protocol identification module may specify that only packets of a particular source and destination are filtered. In addition, no context logic needs to be evaluated across packets, because a packet that triggers a vulnerability is simple and direct and has distinctive characteristics.
In some embodiments, the attack model and the protocol identification module may take the form of Linux ELF (Executable and Linking Format) dynamic link libraries. The ELF library is compiled by the cloud server and sent to the car machine, which loads it into the system and registers it with the rule engine and the packet filtering protocol stack. Each ELF library may contain specific executable code segments responsible for specific functions, such as identifying protocols, identifying attacks and handling attack packets. This design allows maximum flexibility in ensuring accurate interception of each attack vector and maximizes analysis efficiency, since attack vectors are mostly binary-formatted carriers, such as multimedia files, OTA (Over-the-Air Technology) upgrade packages and various data streams, with little text.
In some embodiments, each ELF library of an attack model may correspond to one or several vulnerabilities, and each ELF library of a protocol identification module may correspond to the parsing of one protocol at one layer. This improves processing efficiency, but the libraries accumulate over time. When the next OTA system upgrade repairs known vulnerabilities, the ELF libraries can be cleaned up (for example, by deleting the ELF libraries whose corresponding vulnerabilities have been repaired), so that the performance of the car machine is not affected.
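As an added illustration (not the patent's own code) of the pipeline of figs. 3 and 4 and of the first-type/second-type processing described earlier: a toy rule engine that applies the session-management filter on the packet source, strips a constructed TLV encapsulation, matches format characteristic information (field length bounds) held in attack-model entries, repairs first-type packets to a legal format, discards second-type packets, records what would be reported to the cloud server, and deletes a feature once its vulnerability is repaired. The TLV format, tags, vulnerability ids, severities and source names are assumptions made for the example.

```python
"""Toy version of the packet-filtering pipeline described above.
Added illustration, not the patent's code. The TLV wire format, field tags,
vulnerability ids, severities and source names are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Field = Tuple[int, bytes]  # (tag, value) pair produced by protocol parsing


@dataclass
class Packet:
    src: str        # source information used by session management
    dst: str        # destination information
    proto: str      # protocol name as identified by the protocol module
    payload: bytes  # raw data; here a constructed TLV stream


@dataclass
class Feature:
    """Format characteristic information for one known offensive pattern."""
    vuln_id: str    # placeholder id of the vulnerability the feature guards
    proto: str      # protocol the attack model is concerned with
    tag: int        # TLV tag of the field whose length check is loose
    max_len: int    # longest legal value; anything longer is offensive
    kind: str       # "first": repair to legal format, "second": discard


def parse_tlv(payload: bytes) -> List[Field]:
    """Protocol identification: strip the (constructed) TLV encapsulation."""
    fields: List[Field] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        tag, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length exceeds payload")
        fields.append((tag, value))
        i += 2 + length
    return fields


def encode_tlv(fields: List[Field]) -> bytes:
    """Re-encapsulate fields after a first-type packet has been repaired."""
    return b"".join(bytes([tag, len(value)]) + value for tag, value in fields)


class RuleEngine:
    def __init__(self, features: List[Feature], watched_sources: Set[str]):
        # Feature store keyed by vulnerability id so repaired bugs can be deleted.
        self.features: Dict[str, Feature] = {f.vuln_id: f for f in features}
        # Session management: preset filtering condition on the packet source.
        self.watched_sources = watched_sources
        self.reports: List[Packet] = []  # packets that would go to the cloud

    def delete_repaired(self, vuln_id: str) -> None:
        """Remove feature information once its vulnerability has been patched."""
        self.features.pop(vuln_id, None)

    def identify(self, pkt: Packet, fields: List[Field]) -> Optional[Feature]:
        """Identification script: first feature whose length bound is violated."""
        for feat in self.features.values():
            if feat.proto != pkt.proto:
                continue
            for tag, value in fields:
                if tag == feat.tag and len(value) > feat.max_len:
                    return feat
        return None

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet to forward (possibly repaired), or None if dropped."""
        if pkt.src not in self.watched_sources:
            return pkt  # filtering condition not met: no judgement is made
        try:
            fields = parse_tlv(pkt.payload)
        except ValueError:
            self.reports.append(pkt)
            return None  # assumption: unparseable encapsulation is discarded
        feat = self.identify(pkt, fields)
        if feat is None:
            return pkt
        self.reports.append(pkt)  # report offensive data to the cloud server
        if feat.kind == "second":
            return None  # little influence on services: discard outright
        # First type: the packet may be associated with others, so keep it but
        # make the offending field legal by truncating it to the allowed length.
        repaired = [(t, v[:feat.max_len] if t == feat.tag else v)
                    for t, v in fields]
        return Packet(pkt.src, pkt.dst, pkt.proto, encode_tlv(repaired))


def build_engine() -> RuleEngine:
    """Engine loaded with two constructed features, as if pushed by the cloud."""
    features = [
        Feature("VULN-PLACEHOLDER-A", "tlv", 0x01, 8, "first"),
        Feature("VULN-PLACEHOLDER-B", "tlv", 0x02, 4, "second"),
    ]
    return RuleEngine(features, watched_sources={"internet"})
```

Calling `build_engine().process(pkt)` on a constructed `Packet` returns the repaired packet, the untouched packet, or `None` for a discard; `engine.reports` holds what would be sent upstream.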
Referring to fig. 5, fig. 5 is a structural diagram of a network attack processing apparatus according to an embodiment of the present disclosure. As shown in fig. 5, the network attack processing apparatus 500 includes:
an obtaining module 501, configured to obtain target network data that passes through a vehicle;
a determining module 502, configured to determine whether the target network data is offensive network data according to the obtained feature information of the offensive network data;
a processing module 503, configured to perform target processing on the target network data if it is determined that the target network data is offensive network data.
In some embodiments, referring to fig. 6, the characteristic information of the offensive network data includes format characteristic information of the offensive network data; the determining module 502 includes:
the parsing unit 5021 is configured to perform protocol parsing on the target network data to obtain format feature information of the target network data;
a determining unit 5022, configured to determine whether the target network data is the offensive network data according to the acquired format feature information of the offensive network data and the format feature information of the target network data.
In some embodiments, the apparatus further comprises:
an analysis module, configured to analyze the target network data before it is judged whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data, so as to obtain target information of the target network data, where the target information includes source information and/or destination information of the target network data;
the judgment module is specifically configured to:
judge, when the target information meets the preset filtering condition, whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data.
In some embodiments, the processing module is specifically configured to:
if the target network data is determined to be the first type of offensive network data, modifying the target network data into network data in a legal format;
and if the target network data is determined to be the second type of offensive network data, discarding the target network data.
In some embodiments, the target network data includes at least one of network data communicated between the car machine and a network node of an in-car network, network data communicated between the car machine and a network device of the internet, and network data communicated between the car machine and an external device.
In some embodiments, the apparatus further comprises:
the receiving module is used for receiving the characteristic information of the offensive network data sent by the cloud server before judging whether the target network data is the offensive network data according to the characteristic information of the offensive network data; and/or
The device further comprises:
a reporting module, configured to report the target network data to the cloud server after the target network data is determined to be the offensive network data.
In some embodiments, the apparatus further comprises:
a deleting module, configured to delete the target characteristic information if the vulnerability corresponding to the target characteristic information in the characteristic information of the offensive network data has been repaired.
The network attack processing apparatus 500 can implement each process of the network attack processing method according to the method embodiments of fig. 1 to fig. 2 and achieves the same effect; to avoid repetition, it is not described again here.
The network attack processing apparatus 500 of the present disclosure includes an obtaining module 501, configured to obtain target network data that passes through the car machine; a determining module 502, configured to determine whether the target network data is offensive network data according to the obtained feature information of the offensive network data; and a processing module 503, configured to perform target processing on the target network data if it is determined to be offensive network data, so as to reduce the probability that the vehicle is attacked over the network and improve the security of the vehicle network.
The embodiments of the present disclosure further provide a network attack processing apparatus, which includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, where the computer program, when executed by the processor, implements each process of the network attack processing method according to any of the above method embodiments, and can achieve the same technical effect, and in order to avoid repetition, details are not described here again.
The embodiments of the present disclosure further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements each process of the network attack processing method, and can achieve the same technical effect, and in order to avoid repetition, the details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
Referring to fig. 7, fig. 7 is a block diagram of a network attack processing apparatus according to another embodiment of the present disclosure, and as shown in fig. 7, a network attack processing apparatus 700 includes: a processor 701, a memory 702, and a computer program stored on the memory 702 and operable on the processor, wherein the components of the cyber attack processing apparatus 700 are coupled together through a bus interface 703, and the computer program, when executed by the processor 701, implements the following steps:
acquiring target network data passing through the car machine;
judging whether the target network data is offensive network data according to the acquired characteristic information of the offensive network data;
if the target network data is determined to be offensive network data, performing target processing on the target network data.
Optionally, the characteristic information of the offensive network data includes format characteristic information of the offensive network data;
the computer program, when executed by the processor 701, is further configured to:
carrying out protocol analysis on the target network data to obtain format characteristic information of the target network data;
judging whether the target network data is the offensive network data according to the acquired format characteristic information of the offensive network data and the format characteristic information of the target network data.
Optionally, the computer program, when executed by the processor 701, is further configured to:
analyzing the target network data, before judging whether it is the offensive network data according to the acquired characteristic information of the offensive network data, to obtain target information of the target network data, where the target information includes source information and/or destination information of the target network data;
when the target information meets the preset filtering condition, judging whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data.
Optionally, the computer program, when executed by the processor 701, is further configured to:
if the target network data is determined to be the first type of offensive network data, modifying the target network data into network data in a legal format;
if the target network data is determined to be the second type of offensive network data, discarding the target network data.
Optionally, the target network data includes at least one of network data communicated between the car machine and a network node of an in-car network, network data communicated between the car machine and network equipment of the internet, and network data communicated between the car machine and external equipment.
Optionally, the computer program, when executed by the processor 701, is further configured to:
receiving the characteristic information of the offensive network data sent by the cloud server before judging whether the target network data is the offensive network data according to that characteristic information; and/or
after determining that the target network data is the offensive network data, reporting the target network data to the cloud server.
Optionally, the computer program, when executed by the processor 701, is further configured to:
if the vulnerability corresponding to the target characteristic information in the characteristic information of the offensive network data has been repaired, deleting the target characteristic information.
The embodiment of the present disclosure further provides a vehicle, including the network attack processing apparatus, where the network attack processing apparatus can implement each process implemented by the network attack processing apparatus in any of the embodiments, and can achieve the same technical effect, and details are not repeated here to avoid repetition.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present disclosure.
In addition, functional units in the embodiments of the present disclosure may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present disclosure. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present disclosure, but the scope of the present disclosure is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present disclosure, and all the changes or substitutions should be covered within the scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (12)

1. A network attack processing method, characterized in that the method comprises:
acquiring target network data passing through the car machine;
judging whether the target network data is the offensive network data or not according to the acquired characteristic information of the offensive network data;
if the target network data is determined to be offensive network data, performing target processing on the target network data;
if the target network data is determined to be the offensive network data, performing target processing on the target network data, including:
if the target network data is determined to be the first type of offensive network data, modifying the target network data into network data in a legal format;
if the target network data is determined to be the second type of offensive network data, discarding the target network data;
the first type of offensive network data is network data which can affect vehicle service processing, and the second type of offensive network data is network data in the offensive network data except the first type of offensive network data.
2. The method of claim 1, wherein the characteristic information of the offensive network data includes format characteristic information of the offensive network data;
the judging whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data includes:
carrying out protocol analysis on the target network data to obtain format characteristic information of the target network data;
and judging whether the target network data is the offensive network data or not according to the acquired format characteristic information of the offensive network data and the format characteristic information of the target network data.
3. The method according to claim 1, wherein before determining whether the target network data is the offensive network data according to the acquired feature information of the offensive network data, the method further comprises:
analyzing the target network data to obtain target information of the target network data, wherein the target information comprises source information and/or target information of the target network data;
the judging whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data includes:
when the target information meets the preset filtering condition, judging whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data.
4. The method according to any one of claims 1 to 3, wherein the target network data comprises at least one of network data communicated between the car machine and a network node of an in-car network, network data communicated between the car machine and a network device of the internet, and network data communicated between the car machine and an external device.
5. The method according to any one of claims 1 to 3,
before the determining whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data, the method further includes:
receiving the characteristic information of the offensive network data sent by the cloud server; and/or
after determining that the target network data is offensive network data, the method further comprises:
reporting the target network data to the cloud server.
6. The method according to any one of claims 1 to 3, further comprising:
if the vulnerability corresponding to the target characteristic information in the characteristic information of the offensive network data has been repaired, deleting the target characteristic information.
7. A network attack processing apparatus, the apparatus comprising:
the acquisition module is used for acquiring target network data passing through the vehicle machine;
the judging module is used for judging whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data;
the processing module is used for carrying out target processing on the target network data if the target network data is determined to be the offensive network data;
the processing module is specifically configured to:
if the target network data is determined to be the first type of offensive network data, modifying the target network data into network data in a legal format;
if the target network data is determined to be the second type of offensive network data, discarding the target network data;
the first type of offensive network data is network data which can affect vehicle service processing, and the second type of offensive network data is network data in the offensive network data except the first type of offensive network data.
8. The apparatus of claim 7, wherein the characteristic information of the offensive network data comprises format characteristic information of the offensive network data; the judging module comprises:
the analysis unit is used for carrying out protocol analysis on the target network data to obtain format characteristic information of the target network data;
and the judging unit is used for judging whether the target network data is the offensive network data or not according to the acquired format characteristic information of the offensive network data and the format characteristic information of the target network data.
9. The apparatus of claim 7, further comprising:
an analysis module, configured to analyze the target network data before it is judged whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data, so as to obtain target information of the target network data, where the target information includes source information and/or destination information of the target network data;
the judgment module is specifically configured to:
judge, when the target information meets the preset filtering condition, whether the target network data is the offensive network data according to the acquired characteristic information of the offensive network data.
10. A cyber attack processing apparatus comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the cyber attack processing method according to any one of claims 1 to 6.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, realizes the steps of the network attack processing method according to any one of claims 1 to 6.
12. A vehicle characterized by comprising the cyber attack processing apparatus according to any one of claims 7 to 9 or the cyber attack processing apparatus according to claim 10.
CN201810690119.4A 2018-06-28 2018-06-28 Network attack processing method and device and vehicle Active CN108965267B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810690119.4A CN108965267B (en) 2018-06-28 2018-06-28 Network attack processing method and device and vehicle

Publications (2)

Publication Number Publication Date
CN108965267A CN108965267A (en) 2018-12-07
CN108965267B true CN108965267B (en) 2021-04-02

Family

ID=64487730


Country Status (1)

Country Link
CN (1) CN108965267B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102018221952A1 (en) * 2018-12-17 2020-06-18 Robert Bosch Gmbh Method and device for operating a communication network
CN113992391B (en) * 2018-12-28 2023-12-29 阿波罗智联(北京)科技有限公司 Method and device for analyzing message
CN110460573B (en) * 2019-07-08 2022-05-20 上海赫千电子科技有限公司 ECU security upgrade management system and method applied to automobile
CN111181967B (en) * 2019-12-30 2023-07-04 奇安信科技集团股份有限公司 Data stream identification method, device, electronic equipment and medium
CN111669303A (en) * 2020-06-08 2020-09-15 湖北阿桑奇汽车电子科技有限公司 FOTA safety application process
CN111565202B (en) * 2020-07-15 2020-10-27 腾讯科技(深圳)有限公司 Intranet vulnerability attack defense method and related device
WO2022047617A1 (en) * 2020-09-01 2022-03-10 华为技术有限公司 Method and system for improving vehicle security
CN115883226A (en) * 2022-12-07 2023-03-31 中国第一汽车股份有限公司 Vehicle network attack analysis method, device, equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101945109A (en) * 2010-09-16 2011-01-12 电子科技大学 Method for carrying out path recording and source tracing on signaling No.7 network transmitting process
CN103780610A (en) * 2014-01-16 2014-05-07 绵阳师范学院 Network data recovery method based on protocol characteristics
CN105208040A (en) * 2015-10-12 2015-12-30 北京神州绿盟信息安全科技股份有限公司 Network attack detection method and device
CN107579995A (en) * 2017-09-30 2018-01-12 北京奇虎科技有限公司 The network protection method and device of onboard system
CN107634959A (en) * 2017-09-30 2018-01-26 北京奇虎科技有限公司 Means of defence, apparatus and system based on automobile
CN107835149A (en) * 2017-09-13 2018-03-23 杭州安恒信息技术有限公司 Network based on DNS flow analyses is stolen secret information behavioral value method and device
CN108011917A (en) * 2017-09-29 2018-05-08 北京车和家信息技术有限公司 The method, apparatus and system of data sharing
CN108200042A (en) * 2017-12-28 2018-06-22 北京奇虎科技有限公司 A kind of detection method of vehicle safety and vehicle safety management platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070136813A1 (en) * 2005-12-08 2007-06-14 Hsing-Kuo Wong Method for eliminating invalid intrusion alerts


Also Published As

Publication number Publication date
CN108965267A (en) 2018-12-07

Similar Documents

Publication Publication Date Title
CN108965267B (en) Network attack processing method and device and vehicle
US11082436B1 (en) System and method for offloading packet processing and static analysis operations
CN109951500B (en) Network attack detection method and device
US10924503B1 (en) Identifying false positives in malicious domain data using network traffic data logs
US9438623B1 (en) Computer exploit detection using heap spray pattern matching
CN106828362B (en) Safety testing method and device for automobile information
CN106936791B (en) Method and device for intercepting malicious website access
CN107979581B (en) Detection method and device for zombie characteristics
CN109889511B (en) Process DNS activity monitoring method, equipment and medium
CN109600362B (en) Zombie host recognition method, device and medium based on recognition model
CN104580133A (en) Malicious program protection method and system and filtering table updating method thereof
CN110888838A (en) Object storage based request processing method, device, equipment and storage medium
CN113315742A (en) Attack behavior detection method and device and attack detection equipment
CN111447166B (en) Vehicle attack detection method and device
CN112822291A (en) Monitoring method and device for industrial control equipment
CN111447167A (en) Safety protection method and device for vehicle-mounted system
CN114598512A (en) Honeypot-based network security guarantee method and device and terminal equipment
CN104067558A (en) Network access apparatus having a control module and a network access module
CN111756716A (en) Flow detection method and device and computer readable storage medium
CN111372077A (en) Camera control method and device, terminal equipment and storage medium
CN113987519A (en) Vulnerability rule base generation method and device, electronic equipment, storage medium and system
CN102905269A (en) Method and device for detecting cellphone viruses
CN114710356B (en) Data processing method and device of vehicle-mounted firewall and vehicle-mounted firewall equipment
CN115314319A (en) Network asset identification method and device, electronic equipment and storage medium
CN113965367B (en) Policy object upper limit control method, system, computer and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211122

Address after: Room 103, building 1, yard 4, Hengxing Road, Gaoliying Town, Shunyi District, Beijing

Patentee after: Beijing Rockwell Technology Co.,Ltd.

Address before: Room 801, 8 / F, building 3, No.10 courtyard, Wangjing street, Chaoyang District, Beijing 100102

Patentee before: BEIJING CHJ AUTOMOTIVE TECHNOLOGY Co.,Ltd.