CN108989319B - Vehicle intrusion detection method and vehicle intrusion detection device based on CAN bus - Google Patents
Vehicle intrusion detection method and vehicle intrusion detection device based on CAN bus Download PDFInfo
- Publication number
- CN108989319B CN108989319B CN201810838176.2A CN201810838176A CN108989319B CN 108989319 B CN108989319 B CN 108989319B CN 201810838176 A CN201810838176 A CN 201810838176A CN 108989319 B CN108989319 B CN 108989319B
- Authority
- CN
- China
- Prior art keywords
- current
- time period
- preset time
- parameter
- vehicle
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 66
- 238000000034 method Methods 0.000 claims abstract description 42
- 230000007613 environmental effect Effects 0.000 claims description 18
- 230000004044 response Effects 0.000 claims description 6
- 230000009545 invasion Effects 0.000 claims 2
- 230000002159 abnormal effect Effects 0.000 abstract description 10
- 238000004891 communication Methods 0.000 description 11
- 238000010586 diagram Methods 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- 238000013507 mapping Methods 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 230000001133 acceleration Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 239000000523 sample Substances 0.000 description 2
- 241001025261 Neoraja caerulea Species 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000011022 operating instruction Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
- H04L12/40052—High-speed IEEE 1394 serial bus
- H04L12/40104—Security; Encryption; Content protection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
- H04L2012/40208—Bus networks characterized by the use of a particular bus standard
- H04L2012/40215—Controller Area Network CAN
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Small-Scale Networks (AREA)
Abstract
The application discloses a vehicle intrusion detection method and a vehicle intrusion detection device based on a CAN bus. The method comprises the following steps: acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is associated with the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period; determining a constraint condition corresponding to the at least one parameter in the current first preset time period according to the environment information; and determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and the constraint condition corresponding to the at least one parameter in the current first preset time period. According to the method and the device provided by the embodiment of the application, the occurrence of the vehicle intrusion event CAN be detected in the early stage of intrusion by detecting the abnormal CAN data frame containing unreasonable state parameters.
Description
Technical Field
The application belongs to the technical field of automobile safety, and particularly relates to a vehicle intrusion detection method and a vehicle intrusion detection device based on a CAN bus.
Background
With the development of vehicle intelligence, the programming and remote control of vehicle-mounted components become new trends, and more appear on the market. This intelligent trend brings convenience to users and also brings new intrusion opportunities to hackers. And because of the value and maneuverability of the vehicle itself, the intrusion will incur greater losses and risks than a personal computer.
CAN is a short name for Controller Area Network (CAN), is a serial communication protocol of ISO international standardization, developed by BOSCH company of germany, which is known to research and produce automotive electronics, and finally becomes international standard (ISO 11898), and CAN is one of the most widely used field buses internationally. In north america and western europe, the CAN bus protocol has become the standard bus for automotive computer control systems and embedded industrial control area networks, and possesses the J1939 protocol designed for large trucks and heavy work machinery vehicles with CAN as the underlying protocol.
Illegal intruders often detect the characteristics of the CAN data packets of an intruded vehicle by heuristically sending a series of CAN data packets, and then attack by simulating these normal CAN data packets.
Disclosure of Invention
The embodiment of the application provides a vehicle intrusion detection method and a vehicle intrusion detection device based on a CAN bus.
In one possible embodiment, a method for vehicle intrusion detection based on a CAN bus is provided, the method comprising:
acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is associated with the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period;
determining a constraint condition corresponding to the at least one parameter in the current first preset time period according to the environment information;
and determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and the constraint condition corresponding to the at least one parameter in the current first preset time period.
In another possible embodiment, there is provided a CAN bus-based vehicle intrusion detection apparatus, the apparatus including:
the system comprises a first acquisition module, a second acquisition module and a control module, wherein the first acquisition module is used for acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is related to the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period;
a first determining module, configured to determine, according to the environment information, a constraint condition corresponding to the at least one parameter within the current first preset time period;
and the intrusion detection module is used for determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and the constraint condition corresponding to the at least one parameter in the current first preset time period.
In another possible implementation, a computer-readable medium is provided having stored therein a plurality of instructions adapted to be loaded and executed by a processor to:
acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is associated with the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period;
determining a constraint condition corresponding to the at least one parameter in the current first preset time period according to the environment information;
and determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and the constraint condition corresponding to the at least one parameter in the current first preset time period.
In another possible embodiment, there is provided a CAN bus-based vehicle intrusion detection apparatus, the server including:
a memory for storing instructions;
a processor for executing the memory-stored instructions, the instructions causing the processor to perform the steps of:
acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is associated with the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period;
determining a constraint condition corresponding to the at least one parameter in the current first preset time period according to the environment information;
and determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and the constraint condition corresponding to the at least one parameter in the current first preset time period.
According to the method and the device provided by the embodiment of the application, the occurrence of the vehicle intrusion event CAN be detected in the early stage of intrusion by detecting the abnormal CAN data frame containing unreasonable state parameters.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application.
FIG. 1 is a schematic flow diagram of an example of a CAN bus based vehicle intrusion detection method according to one embodiment of the present application;
fig. 2(a) -2 (e) are block diagrams of various examples of a CAN bus-based vehicle intrusion detection apparatus according to an embodiment of the present application;
fig. 3 is a block diagram illustrating a further example of a vehicle intrusion detection apparatus based on a CAN bus according to an embodiment of the present application.
Detailed Description
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It will be understood by those within the art that the terms "first", "second", etc. in this application are used only to distinguish one device, module, parameter, etc., from another, and do not denote any particular technical meaning or necessary order therebetween.
SAE J1939 describes a network application of the CAN bus, which is the recommended standard of the american Society of Automotive Engineering (SAE), for providing a standardized architecture for communication between electronic components on medium and heavy road vehicles, including CAN network physical layer definition, data link layer definition, application layer definition, network layer definition, fault diagnosis, and network management. In the SAE J1939 protocol, not only the transmission type, the message structure and its segments, etc. are specified, but also the message content itself is precisely defined. The J1939 application layer (based on J1939-71) among others describes the actual data (parameters or network variables with value ranges, resolution, physical units and transmission types). Each message unambiguously corresponds to a number (SPN). Terms that may appear in various embodiments of the present application may be defined with reference to SAE J1939. The CAN data frame refers to a sequential bit field which is necessary for forming a CAN protocol frame, and starts with a start of frame (SOF) and ends with an end of frame (EOF); CAN data packet: a single CAN data frame is a packet, but a message contains a parameter group with a data length less than or equal to 8 bytes, and the message is also called a packet; message (Message): refers to one or more (PGN) data frames having the same reference group number.
Under different situations (contexts), states of a vehicle including the speed, the rotating speed, the temperature and the like often have a reasonable restricted range, the technical scheme of the application detects intrusion by detecting the rationality described about a single state of the vehicle in the CAN data packet load and/or the rationality after mutually referring a plurality of related states, and detects the occurrence of an intrusion event in the early stage of an attack.
Fig. 1 is a schematic flow chart of a method for detecting vehicle intrusion based on a CAN bus according to an embodiment of the present application. The method may be implemented by the Vehicle itself, for example, by an Electronic Control Unit (ECU) of the Vehicle, an In-Vehicle Infotainment (IVI) system, or by other devices independent of the Vehicle, or by remotely deployed devices. As shown in fig. 1, the method of the present embodiment includes:
s120, acquiring at least one parameter which is transmitted on the CAN bus and is associated with the state of the vehicle in a current first preset time period and the environmental information of the vehicle in the current first preset time period.
In the method of this embodiment, to avoid the vehicle from being intruded, the CAN data frames transmitted on the CAN bus are continuously detected, and the detected data frames in each preset time period (hereinafter referred to as a first preset time period, which may be arbitrarily set, for example, set to 0.5 second, 2 seconds, etc., according to the need of intrusion detection) are analyzed to detect abnormal state parameters. The payload portion of the CAN data frame will typically carry parameters describing the state of some aspect of the vehicle, such parameters including, but not limited to: vehicle speed, engine speed, accelerator pedal position, window status, etc.
In one possible implementation, the CAN data frames transmitted on the CAN bus may be acquired by one or more probes disposed on the CAN bus of the vehicle. Specifically, step S120 may further include:
s122, reading at least one data frame transmitted on the CAN bus through at least one detector arranged on the CAN bus of the vehicle.
And S124, analyzing the at least one data frame to obtain the at least one parameter.
For example, the parameters, the data types of the parameters, and the values of the parameters contained in the payload of the CAN data frame may be extracted and parsed according to the SAE J1939 protocol in a format specified by the protocol.
The environment of the vehicle includes, but is not limited to: weather, road conditions, driving conditions of other vehicles at all sides, front, rear, left and right, and the like. The environmental information includes, but is not limited to, relevant parameter values of the front, rear, left and right vehicles of the current vehicle, the states of brake tail lamps of the front vehicle, the distance from the front and rear vehicles, the distance from the next red light, speed limit information of the road, and the like.
S140, determining a corresponding constraint condition of the at least one parameter in the current first preset time period according to the environment information.
And S160, determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and the constraint condition corresponding to the at least one parameter in the current first preset time period.
The constraint condition may be at least one reasonable value range of the parameter, may be a set of reasonable values, and may also be a set including at least one reasonable value range and reasonable values. The constraints may be stored in any form in the device implementing the method of the present embodiment, for example, a mapping table of parameters and constraints. In the method of the embodiment, reasonable constraint conditions CAN be set for parameters related to vehicle states under different situations according to the environmental information of the vehicle, and whether an abnormal CAN data frame containing unreasonable parameters and sent by an intruder exists or not CAN be determined according to the parameters detected in the first preset time period and the corresponding constraint conditions (the parameters do not accord with the corresponding constraint conditions). For example, if the distance from the vehicle to the current red light is less than 20m, the second constraint condition for the vehicle speed may be set to (0, 5 km/h). For another example, if the acquired speed of the preceding vehicle in the previous first preset time period is 5km/h, the mass of the preceding vehicle is 1.5 tons, the maximum power of the engine of the preceding vehicle is 50kw, and the distance from the preceding vehicle is 5m, the first constraint condition of the speed of the preceding vehicle may be determined to be (0, 13.33km/h) according to the method of the embodiment, and then the first constraint condition may be directly used as the second constraint condition of the own vehicle.
In summary, the method of the present embodiment CAN detect the occurrence of the intrusion event in the early stage of the intrusion by detecting the abnormal CAN data frame containing the unreasonable state parameters.
In the method of this embodiment, a detection threshold is further preset, and whether an intrusion event occurs is determined according to whether the number of the abnormal CAN data frames detected in each first preset time period exceeds the preset detection threshold. Specifically, step S160 may further include:
and S162, comparing the at least one parameter with a constraint condition corresponding to the at least one parameter in the current first preset time period.
S164, responding to the fact that the number of the parameters which do not meet the corresponding constraint conditions exceeds a preset detection threshold value, and determining that an intrusion event occurs in the current first preset time period.
For example, if the acquired at least one parameter includes a plurality of vehicle speed values, and a part of the vehicle speed values is 100km/h, the constraint condition of the vehicle speed in the current first preset time period is as follows: the reasonable vehicle speed is within the range of 0-40 km, and if the vehicle speed value which does not fall within the reasonable vehicle speed range is determined to exceed 60%, the intrusion event can be determined to occur.
In one possible implementation, different weights may also be set for different status parameters, for example, higher weights may be given to vehicle dynamics related parameters and lower weights may be given to entertainment and comfort related parameters. Under the condition of having the weight, the sum of products of all the parameters which do not meet the constraint condition and the weight thereof can be calculated, the sum of products of all the parameters acquired in the current first preset time period and the weight thereof can be compared with a preset detection threshold value, and then whether the intrusion event occurs in the current first preset time period or not can be judged.
It should be noted that, in the method of this embodiment, the environment information may be obtained from at least one sensor (e.g., a vehicle-mounted camera) provided on the vehicle, may also be obtained from outside the vehicle (e.g., a central server) through a network, and/or may be obtained from a direct communication network established between the vehicles.
Furthermore, in the method of the present embodiment, the constraint condition determination also requires reference to at least one nominal performance parameter of the vehicle. At least one nominal performance parameter refers to an inherent performance parameter of a vehicle component, including but not limited to: power performance parameters such as output power, torque and the like of the engine under different speeds within 100 kilometer of acceleration time; comfort equipment performance parameters such as time spent for a window from a closed state to a fully opened state, time required for complete opening of an electric tailgate, an air conditioner fan speed level list and the like; and the weight of the similar vehicle, how many windows and doors are, etc. The constraints of the vehicle state parameters are set with reference to at least one nominal performance parameter. For example, the vehicle speed constraint may not exceed the maximum vehicle speed that the vehicle can reach, and so on. In such an embodiment, in step S140, a constraint condition corresponding to the at least one parameter within the current first preset time period may be determined according to the environmental information and at least one rated performance parameter of the vehicle.
In addition, since the method of this embodiment may be implemented by a remote device or other device independent of the vehicle, considering that the transmission delay of the information causes the information to be unequal, so that a detection error occurs, the method of this embodiment further includes:
and S180, recording the at least one parameter, the environment information and the corresponding constraint condition of the at least one parameter in the current first preset time period.
Specifically, in one possible implementation, a mapping table of vehicle state parameters, a first preset time period, environmental information, and corresponding constraints may be stored.
In addition, in order to further improve the accuracy of intrusion detection and reduce false alarms, the method of the embodiment may further collect feedback information of the user on intrusion detection. Specifically, the method of the present embodiment may include:
and S190, responding to the determined intrusion event, and prompting the user to generate the intrusion event.
And S192, obtaining the feedback of the user to the intrusion event.
And S194, determining the preset detection threshold value according to the feedback.
For example, if the user ignores a large portion (e.g., 95%) of the intrusion events, the preset detection threshold may be adjusted to be larger (to reduce false alarm conditions). Conversely, if the user has processed most (90%) of the intrusion events, the detection threshold will be set smaller (to reduce the instances of missed alarms).
In conclusion, the method of the embodiment can accurately detect the occurrence of the vehicle intrusion event.
It is understood by those skilled in the art that, in the method according to the embodiments of the present application, the sequence numbers of the steps do not mean the execution sequence, and the execution sequence of the steps should be determined by their functions and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Further, embodiments of the present application also provide a storage device, e.g., a computer-readable medium, comprising computer-readable instructions that when executed perform the following: the operations of the steps of the method in the embodiment shown in fig. 1 described above are performed.
Fig. 2(a) is a block diagram illustrating a configuration of a CAN bus based vehicle intrusion detection apparatus according to an embodiment of the present application. The device may be at least partially within the Vehicle itself, for example, a Vehicle Electronic Control Unit (ECU), In-Vehicle Infotainment (IVI) system, or other device independent of the Vehicle, or a remotely deployed device. As shown in fig. 2(a), the apparatus 200 of the present embodiment includes: a first acquisition module 220, a first determination module 240, and an intrusion detection module 260. Wherein,
the first obtaining module 120 is configured to obtain at least one parameter, which is transmitted on the CAN bus and is associated with a state of a vehicle in a current first preset time period, and environment information of the vehicle in the current first preset time period.
In the apparatus of this embodiment, to prevent the vehicle from being intruded, the first obtaining module 120 continuously detects the CAN data frames transmitted on the CAN bus, and analyzes the detected data frames within each preset time period (hereinafter referred to as a first preset time period, which may be arbitrarily set, for example, set to 0.5 second, 2 seconds, etc., according to the need of intrusion detection) to detect abnormal status parameters. The payload portion of the CAN data frame will typically carry parameters describing the state of some aspect of the vehicle, such parameters including, but not limited to: vehicle speed, engine speed, accelerator pedal position, window status, etc.
In one possible implementation, the first obtaining module 120 may read at least one data frame transmitted on a CAN bus of the vehicle through one or more probes disposed on the CAN bus. Specifically, as shown in fig. 2(b), the first obtaining module 220 may further include:
an obtaining unit 222, configured to read at least one data frame transmitted on the CAN bus through at least one detector disposed on the CAN bus of the vehicle.
The parsing unit 224 is configured to parse the at least one data frame to obtain the at least one parameter.
For example, the parsing unit 224 may extract and parse the parameters, the data types of the parameters, and the values of the parameters included in the payload of the CAN data frame according to the SAE J1939 protocol, in a format specified by the protocol.
The environment of the vehicle includes, but is not limited to: weather, road conditions, driving conditions of other vehicles at all sides, front, rear, left and right, and the like. The environmental information includes, but is not limited to, relevant parameter values of the front, rear, left and right vehicles of the current vehicle, the states of brake tail lamps of the front vehicle, the distance from the front and rear vehicles, the distance from the next red light, speed limit information of the road, and the like.
The first determining module 240 is configured to determine, according to the environment information, a constraint condition corresponding to the at least one parameter within the current first preset time period.
The intrusion detection module 260 is configured to determine whether an intrusion event occurs within the current first preset time period according to the at least one parameter and a constraint condition corresponding to the at least one parameter within the current first preset time period.
The constraint condition may be at least one reasonable value range of the parameter, may be a set of reasonable values, and may also be a set including at least one reasonable value range and reasonable values. The constraints may be stored in any form in the device implementing the method of the present embodiment, for example, a mapping table of parameters and constraints. In the device of the embodiment, reasonable constraint conditions CAN be set for parameters related to vehicle states under different situations according to the environmental information of the vehicle, and whether an abnormal CAN data frame containing unreasonable parameters and sent by an intruder exists or not CAN be determined according to the parameters detected in the first preset time period and the corresponding constraint conditions (the parameters do not accord with the corresponding constraint conditions). For example, if the distance from the vehicle to the current red light is less than 20m, the second constraint condition for the vehicle speed may be set to (0, 5 km/h). For another example, if the acquired speed of the preceding vehicle in the previous first preset time period is 5km/h, the mass of the preceding vehicle is 1.5 tons, the maximum power of the engine of the preceding vehicle is 50kw, and the distance from the preceding vehicle is 5m, the first constraint condition of the speed of the preceding vehicle may be determined to be (0, 13.33km/h) according to the method of the embodiment, and then the first constraint condition may be directly used as the second constraint condition of the own vehicle.
In summary, the apparatus of this embodiment CAN detect the occurrence of the intrusion event in the early stage of the intrusion by detecting the abnormal CAN data frame containing the unreasonable status parameters.
In the apparatus of this embodiment, a detection threshold is further preset, and whether an intrusion event occurs is determined according to whether the number of the abnormal CAN data frames detected in each first preset time period exceeds the preset detection threshold. Specifically, as shown in fig. 2(c), the intrusion detection module 240 may further include
A comparing unit 262, configured to compare the at least one parameter with a constraint condition corresponding to the at least one parameter in the current first preset time period.
And the intrusion detection unit 264 is configured to determine that an intrusion event occurs within the current first preset time period in response to that the number of parameters that do not satisfy the corresponding constraint conditions exceeds a preset detection threshold.
For example, if the acquired at least one parameter includes a plurality of vehicle speed values, and a part of the vehicle speed values is 100km/h, the constraint condition of the vehicle speed in the current first preset time period is as follows: the reasonable vehicle speed is within the range of 0-40 km, and if the vehicle speed value which does not fall within the reasonable vehicle speed range is determined to exceed 60%, the intrusion event can be determined to occur.
In one possible implementation, different weights may also be set for different status parameters, for example, higher weights may be given to vehicle dynamics related parameters and lower weights may be given to entertainment and comfort related parameters. Under the condition of having the weight, the sum of products of all the parameters which do not meet the constraint condition and the weight thereof can be calculated, the sum of products of all the parameters acquired in the current first preset time period and the weight thereof can be compared with a preset detection threshold value, and then whether the intrusion event occurs in the current first preset time period or not can be judged.
It should be noted that, in the apparatus of this embodiment, the first obtaining module 220 may obtain the environmental information from at least one sensor (e.g., an on-board camera) disposed on the vehicle, may also obtain the environmental information from outside the vehicle (e.g., a central server) through a network, and/or may obtain the environmental information from a direct communication network established between the vehicles.
Furthermore, in the device of the present embodiment, the constraint condition determination also requires reference to at least one rated performance parameter of the vehicle. At least one nominal performance parameter refers to an inherent performance parameter of a vehicle component, including but not limited to: power performance parameters such as output power, torque and the like of the engine under different speeds within 100 kilometer of acceleration time; comfort equipment performance parameters such as time spent for a window from a closed state to a fully opened state, time required for complete opening of an electric tailgate, an air conditioner fan speed level list and the like; and the weight of the similar vehicle, how many windows and doors are, etc. The constraints of the vehicle state parameters are set with reference to at least one nominal performance parameter. For example, the vehicle speed constraint may not exceed the maximum vehicle speed that the vehicle can reach, and so on. In such an embodiment, the first determining module 240 may determine the constraint condition corresponding to the at least one parameter within the current first preset time period according to the environmental information and at least one rated performance parameter of the vehicle.
In addition, since the apparatus of this embodiment may be implemented by a remote device or other apparatus independent of the vehicle, considering that the transmission delay of the information causes the information to be unequal, so that a detection error occurs, as shown in fig. 2(d), the apparatus 200 of this embodiment further includes:
a recording module 280, configured to record the at least one parameter, the environment information, and a constraint condition corresponding to the at least one parameter in the current first preset time period.
Specifically, in one possible implementation, the recording module 280 may store a mapping table of vehicle state parameters, a first preset time period, environmental information, and corresponding constraints.
In addition, in order to further improve the accuracy of intrusion detection and reduce false alarms, the device of the embodiment may further collect feedback information of the user on intrusion detection. Specifically, as shown in fig. 2(e), the apparatus 200 of the present embodiment may include:
and a prompt module 290 for prompting the user of the intrusion event in response to determining that the intrusion event occurs.
A second obtaining module 292, configured to obtain feedback of the user on the intrusion event.
A second determining module 294, configured to determine the preset detection threshold according to the feedback.
For example, if the user ignores a large portion (e.g., 95%) of the intrusion events, the preset detection threshold may be adjusted to be larger (to reduce false alarm conditions). Conversely, if the user has processed most (90%) of the intrusion events, the detection threshold will be set smaller (to reduce the instances of missed alarms).
In conclusion, the device of the embodiment can accurately detect the occurrence of the vehicle intrusion event.
Fig. 3 is a schematic structural diagram of an example of a vehicle intrusion detection device based on a CAN bus according to another embodiment of the present application, and the specific embodiment of the present application does not limit the specific implementation of the intrusion detection device. As shown in fig. 3, the CAN bus-based vehicle intrusion detection apparatus 300 may include:
a processor (processor)310, a communication Interface (Communications Interface)320, a memory (memory)330, and a communication bus 340. Wherein:
the processor 310, communication interface 320, and memory 330 communicate with each other via a communication bus 340.
A communication interface 320 for communicating with network elements such as clients and the like.
The processor 310 is configured to execute the program 332, and may specifically perform the relevant steps in the foregoing method embodiments.
In particular, the program 332 may include program code comprising computer operating instructions.
The processor 310 may be a central processing unit CPU, or an application Specific Integrated circuit asic, or one or more Integrated circuits configured to implement embodiments of the present application.
And a memory 330 for storing a program 332. Memory 330 may comprise high-speed RAM memory and may also include non-volatile memory (non-volatile memory), such as at least one disk memory. The program 332 may be specifically configured to enable the CAN bus-based vehicle intrusion detection apparatus 300 to perform the following steps:
acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is related to the state of a vehicle in a current first preset time period;
and determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter, the constraint condition corresponding to the at least one parameter in the current first preset time period and a preset detection threshold.
For specific implementation of each step in the program 332, reference may be made to corresponding steps and corresponding descriptions in units in the foregoing embodiments, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and modules may refer to the corresponding descriptions in the foregoing device embodiments, and are not repeated herein.
While the subject matter described herein is provided in the general context of execution in conjunction with the execution of an operating system and application programs on a computer system, those skilled in the art will recognize that other implementations may also be performed in combination with other types of program modules. Generally, program modules include routines, programs, components, data structures, and other types of structures that perform particular tasks or implement particular abstract data types. Those skilled in the art will appreciate that the subject matter described herein may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like, as well as distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present application. Such computer-readable storage media include physical volatile and nonvolatile, removable and non-removable media implemented in any manner or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. The computer-readable storage medium specifically includes, but is not limited to, a USB flash drive, a removable hard drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), an erasable programmable Read-Only Memory (EPROM), an electrically erasable programmable Read-Only Memory (EEPROM), flash Memory or other solid state Memory technology, a CD-ROM, a Digital Versatile Disk (DVD), an HD-DVD, a Blue-Ray or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
The above embodiments are only for illustrating the invention and are not to be construed as limiting the invention, and those skilled in the art can make various changes and modifications without departing from the spirit and scope of the invention, therefore, all equivalent technical solutions also belong to the scope of the invention, and the scope of the invention is defined by the claims.
Claims (14)
1. A vehicle intrusion detection method based on a CAN bus is characterized by comprising the following steps:
acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is associated with the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period;
determining a constraint condition corresponding to the at least one parameter in the current first preset time period according to the environment information;
determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and a constraint condition corresponding to the at least one parameter in the current first preset time period;
the determining whether an intrusion event occurs within the current first preset time period further comprises:
determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter, the constraint condition corresponding to the at least one parameter in the current first preset time period and the weight of the at least one parameter, wherein the method comprises the steps of calculating the sum of products of all parameters which do not meet the constraint condition and the weight of the parameters, comparing the sum of products of all parameters which are acquired in the current first preset time period and the weight of the parameters with a preset detection threshold value, and further judging whether the intrusion event occurs in the current first preset time period;
the method further comprises the following steps:
prompting a user for an intrusion event in response to determining that the intrusion event occurs;
obtaining the feedback of the user to the intrusion event;
and determining the preset detection threshold according to the feedback.
2. The method of claim 1, wherein the obtaining at least one parameter associated with a status of a vehicle during a current first predetermined period and environmental information of the vehicle during the current first predetermined period transmitted over a Controller Area Network (CAN) bus further comprises:
reading at least one data frame transmitted on the CAN bus by at least one detector arranged on the CAN bus of the vehicle;
and analyzing the at least one data frame to obtain the at least one parameter.
3. The method of claim 1, wherein the determining whether an intrusion event occurs within the current first preset time period further comprises:
comparing the at least one parameter with a constraint condition corresponding to the at least one parameter in the current first preset time period;
and determining that the intrusion event occurs within the current first preset time period in response to the number of the parameters which do not meet the corresponding constraint condition exceeding a preset detection threshold.
4. The method of claim 1, wherein the obtaining at least one parameter associated with a status of a vehicle during a current first predetermined period and environmental information of the vehicle during the current first predetermined period transmitted over a Controller Area Network (CAN) bus further comprises:
the environmental information is obtained from at least one sensor provided on the vehicle and/or from outside the vehicle.
5. The method of claim 1, wherein the determining the constraint condition that the at least one parameter corresponds to within the current first preset time period further comprises:
and determining a constraint condition corresponding to the at least one parameter in the current first preset time period according to the environmental information and at least one rated performance parameter of the vehicle.
6. The method according to any one of claims 1 to 5, further comprising:
and recording the at least one parameter, the environment information and the constraint condition corresponding to the at least one parameter in the current first preset time period.
7. A CAN bus based vehicle intrusion detection device, the device comprising:
the system comprises a first acquisition module, a second acquisition module and a control module, wherein the first acquisition module is used for acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is related to the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period;
a first determining module, configured to determine, according to the environment information, a constraint condition corresponding to the at least one parameter within the current first preset time period;
the intrusion detection module is used for determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and the constraint condition corresponding to the at least one parameter in the current first preset time period;
the intrusion detection module is used for determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter, the constraint condition corresponding to the at least one parameter in the current first preset time period and the weight of the at least one parameter, wherein the intrusion detection module calculates the sum of products of all parameters which do not meet the constraint condition and the weight of the parameters, compares the sum of products of all parameters which are obtained in the current first preset time period and the weight of the parameters with a preset detection threshold value, and further judges whether the intrusion event occurs in the current first preset time period;
the device further comprises:
the recording module is used for responding to the determined invasion event and prompting the user to generate the invasion event;
the second acquisition module is used for acquiring the feedback of the user to the intrusion event;
and the second determining module is used for determining the preset detection threshold according to the feedback.
8. The apparatus of claim 7, wherein the first obtaining module further comprises:
the acquisition unit is used for reading at least one data frame transmitted on the CAN bus through at least one detector arranged on the CAN bus of the vehicle;
and the analysis unit is used for analyzing the at least one data frame to obtain the at least one parameter.
9. The apparatus of claim 7, wherein the first determining module further comprises:
the comparison unit is used for comparing the at least one parameter with a constraint condition corresponding to the at least one parameter in the current first preset time period;
and the intrusion detection unit is used for responding to the condition that the quantity of the parameters which do not meet the corresponding constraint conditions exceeds a preset detection threshold value, and determining that an intrusion event occurs in the current first preset time period.
10. The apparatus of claim 7, wherein the first obtaining module is configured to obtain the environmental information from at least one sensor disposed on the vehicle and/or outside the vehicle.
11. The apparatus of claim 7, wherein the first determining module is configured to determine a constraint condition corresponding to the at least one parameter within the current first preset time period according to the environmental information and at least one rated performance parameter of the vehicle.
12. The apparatus of any one of claims 7 to 11, further comprising:
and the recording module is used for recording the at least one parameter, the environment information and the corresponding constraint condition of the at least one parameter in the current first preset time period.
13. A computer readable medium having stored therein a plurality of instructions adapted to be loaded and executed by a processor:
acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is associated with the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period;
determining a constraint condition corresponding to the at least one parameter in the current first preset time period according to the environment information;
determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and a constraint condition corresponding to the at least one parameter in the current first preset time period;
the determining whether an intrusion event occurs within the current first preset time period further comprises:
determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter, the constraint condition corresponding to the at least one parameter in the current first preset time period and the weight of the at least one parameter, wherein the method comprises the steps of calculating the sum of products of all parameters which do not meet the constraint condition and the weight of the parameters, comparing the sum of products of all parameters which are acquired in the current first preset time period and the weight of the parameters with a preset detection threshold value, and further judging whether the intrusion event occurs in the current first preset time period;
prompting a user for an intrusion event in response to determining that the intrusion event occurs;
obtaining the feedback of the user to the intrusion event;
and determining the preset detection threshold according to the feedback.
14. A vehicle intrusion detection device based on a CAN bus is characterized in that a server comprises:
a memory for storing instructions;
a processor for executing the memory-stored instructions, the instructions causing the processor to perform the steps of:
acquiring at least one parameter which is transmitted on a Controller Area Network (CAN) bus and is associated with the state of a vehicle in a current first preset time period and environment information of the vehicle in the current first preset time period;
determining a constraint condition corresponding to the at least one parameter in the current first preset time period according to the environment information;
determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter and a constraint condition corresponding to the at least one parameter in the current first preset time period;
the determining whether an intrusion event occurs within the current first preset time period further comprises:
determining whether an intrusion event occurs in the current first preset time period according to the at least one parameter, the constraint condition corresponding to the at least one parameter in the current first preset time period and the weight of the at least one parameter, wherein the method comprises the steps of calculating the sum of products of all parameters which do not meet the constraint condition and the weight of the parameters, comparing the sum of products of all parameters which are acquired in the current first preset time period and the weight of the parameters with a preset detection threshold value, and further judging whether the intrusion event occurs in the current first preset time period;
prompting a user for an intrusion event in response to determining that the intrusion event occurs;
obtaining the feedback of the user to the intrusion event;
and determining the preset detection threshold according to the feedback.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810838176.2A CN108989319B (en) | 2018-07-27 | 2018-07-27 | Vehicle intrusion detection method and vehicle intrusion detection device based on CAN bus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810838176.2A CN108989319B (en) | 2018-07-27 | 2018-07-27 | Vehicle intrusion detection method and vehicle intrusion detection device based on CAN bus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108989319A CN108989319A (en) | 2018-12-11 |
| CN108989319B true CN108989319B (en) | 2021-09-21 |
Family
ID=64551608
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810838176.2A Active CN108989319B (en) | 2018-07-27 | 2018-07-27 | Vehicle intrusion detection method and vehicle intrusion detection device based on CAN bus |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108989319B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109688030B (en) * | 2019-02-26 | 2020-11-03 | 百度在线网络技术(北京)有限公司 | Message detection method, device, equipment and storage medium |
| CN110149348A (en) * | 2019-06-20 | 2019-08-20 | 北京经纬恒润科技有限公司 | The means of defence and device of In-vehicle networking |
| CN110750790B (en) * | 2019-09-06 | 2021-09-24 | 深圳开源互联网安全技术有限公司 | CAN bus vulnerability detection method and device, terminal equipment and medium |
| CN110691104B (en) * | 2019-11-11 | 2021-08-31 | 哈尔滨工业大学 | Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics |
| CN112491865A (en) * | 2020-04-11 | 2021-03-12 | 吴媛媛 | Intrusion detection method and device for data flow detection and time sequence feature extraction |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105893844A (en) * | 2015-10-20 | 2016-08-24 | 乐卡汽车智能科技(北京)有限公司 | Method and device for sending messages of vehicle bus networks |
| CN106162521A (en) * | 2015-05-15 | 2016-11-23 | 现代自动车美国技术研究所 | Detect the unlawful practice in vehicle-to-vehicle communication |
| CN106184068A (en) * | 2016-06-30 | 2016-12-07 | 北京奇虎科技有限公司 | Automotive interior network security detection method and device, automobile |
| CN106781692A (en) * | 2016-12-01 | 2017-05-31 | 东软集团股份有限公司 | The method of vehicle collision prewarning, apparatus and system |
| CN107117130A (en) * | 2017-04-01 | 2017-09-01 | 奇瑞汽车股份有限公司 | VATS Vehicle Anti-Theft System and method |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140310379A1 (en) * | 2013-04-15 | 2014-10-16 | Flextronics Ap, Llc | Vehicle initiated communications with third parties via virtual personality |
| US9866542B2 (en) * | 2015-01-28 | 2018-01-09 | Gm Global Technology Operations | Responding to electronic in-vehicle intrusions |
| CN107666476B (en) * | 2017-05-25 | 2021-06-04 | 国家计算机网络与信息安全管理中心 | CAN bus risk detection method and device |
-
2018
- 2018-07-27 CN CN201810838176.2A patent/CN108989319B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106162521A (en) * | 2015-05-15 | 2016-11-23 | 现代自动车美国技术研究所 | Detect the unlawful practice in vehicle-to-vehicle communication |
| CN105893844A (en) * | 2015-10-20 | 2016-08-24 | 乐卡汽车智能科技(北京)有限公司 | Method and device for sending messages of vehicle bus networks |
| CN106184068A (en) * | 2016-06-30 | 2016-12-07 | 北京奇虎科技有限公司 | Automotive interior network security detection method and device, automobile |
| CN106781692A (en) * | 2016-12-01 | 2017-05-31 | 东软集团股份有限公司 | The method of vehicle collision prewarning, apparatus and system |
| CN107117130A (en) * | 2017-04-01 | 2017-09-01 | 奇瑞汽车股份有限公司 | VATS Vehicle Anti-Theft System and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108989319A (en) | 2018-12-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108989319B (en) | Vehicle intrusion detection method and vehicle intrusion detection device based on CAN bus | |
| CN110226310B (en) | Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and method | |
| US11934520B2 (en) | Detecting data anomalies on a data interface using machine learning | |
| CN110494330B (en) | Vehicle monitoring device, fraud detection server, and control method | |
| EP3726782B1 (en) | Detecting unauthorized messages in a vehicle network | |
| RU2725033C2 (en) | System and method of creating rules | |
| US11451579B2 (en) | System and method for protecting electronics systems of a vehicle from cyberattacks | |
| CN111311914B (en) | Vehicle driving accident monitoring method and device and vehicle | |
| CN109150846B (en) | Vehicle intrusion detection method and vehicle intrusion detection device | |
| EP3951531B1 (en) | Anomaly sensing method and anomaly sensing system | |
| WO2017024078A1 (en) | A method for detecting, blocking and reporting cyber-attacks against automotive electronic control units | |
| US20200053113A1 (en) | Data analysis apparatus | |
| CN111147448B (en) | CAN bus flood attack defense system and method | |
| CN109845219B (en) | Authentication device for a vehicle | |
| CN115102707A (en) | Vehicle CAN network IDS safety detection system and method | |
| JP2021140460A (en) | Security management apparatus | |
| CN109117639B (en) | Intrusion risk detection method and device | |
| CN109117632B (en) | Method and device for determining risk of vehicle intrusion | |
| KR101791786B1 (en) | Vehicle security system and operation method | |
| CN117544410A (en) | Determination method of CAN bus attack type, processor and computer equipment | |
| CN109150847B (en) | Method and device for detecting network intrusion risk of vehicle | |
| CN114237995B (en) | Bus abnormity detection method, device, equipment and readable storage medium | |
| JP7160206B2 (en) | SECURITY DEVICE, ATTACK RESPONSE PROCESSING METHOD, COMPUTER PROGRAM AND STORAGE MEDIUM | |
| Mukherjee | SAE J1939-specific cyber security for medium and heavy-duty vehicles | |
| CN115220973B (en) | Method, system and equipment for detecting vehicle-mounted CAN bus information security abnormality based on Tsallis entropy |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |