CN109150847A - Method and apparatus for detecting the network intrusion risk of a vehicle

Info

Publication number: CN109150847A
Authority: CN (China)
Prior art keywords: anomalous event, vehicle, correlation, time window, time
Legal status: Granted, active
Application number: CN201810838190.2A
Other languages: Chinese (zh)
Other versions: CN109150847B (en)
Inventors: 阚志刚, 彭建芬, 卢佐华, 陈彪
Current Assignee: Beijing Bang Bang Safety Technology Co Ltd
Original Assignee: Beijing Bang Bang Safety Technology Co Ltd

Classifications

    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L12/40 Bus networks
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L2012/40215 Controller Area Network CAN

Abstract

This application provides a method and apparatus for detecting the network intrusion risk of a vehicle, relating to the field of network security. The method includes: detecting a first anomalous event in the IVI system of the vehicle; detecting a second anomalous event on the CAN bus of the vehicle; analyzing the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event; and determining the risk that the vehicle has been intruded upon according to the correlation. The method detects anomalous events in the IVI system and on the CAN bus separately and compares how the two kinds of anomalous event correlate in their times of occurrence; the higher the correlation, the higher the risk that the vehicle has been intruded upon. This provides a simple and practical method of determining a vehicle's intrusion risk.

Description

Method and apparatus for detecting the network intrusion risk of a vehicle
Technical field
This application relates to the field of network security, and in particular to a method and apparatus for detecting the network intrusion risk of a vehicle.
Background
With the development of vehicle intelligence, and especially of Internet-connected cars, programmable and remotely controllable on-board components have become a new trend and appear on the market in growing numbers. While this trend towards intelligence and connectivity brings convenience to users, it also gives hackers new opportunities for intrusion. Because of the value and mobility of the vehicle itself, an intrusion brings greater loss and risk than one on a PC. How to judge whether a vehicle has been attacked by hackers, how to prevent intrusion, and how to handle an intrusion are urgent problems at present.
The IVI (In-Vehicle Infotainment) system is an integrated in-vehicle information processing system built on a dedicated in-vehicle central processor, the vehicle body bus system and Internet services. IVI can provide a range of applications including three-dimensional navigation, real-time traffic conditions, IPTV (interactive Internet TV), driver assistance, fault detection, vehicle information, body control, mobile office, wireless communication, online entertainment functions and TSP (telematics service provider) services, greatly raising the level of vehicle electronics, networking and intelligence.
The CAN (Controller Area Network) bus was developed by the German company BOSCH, known for developing and producing automotive electronics, and eventually became the international standard ISO (International Organization for Standardization) 11898; it is one of the most widely used fieldbuses in the world. In North America and Western Europe, the CAN bus protocol has become the standard bus for automotive computer control systems and embedded industrial control local area networks, and the J1939 protocol, designed for large trucks and heavy-duty machinery vehicles, uses CAN as its underlying protocol.
In general, a gateway is connected to the CAN bus. If an attacker obtains root privileges on a device connected to the gateway, for example the Tesla CID (Centre Information Display), the attacker can then attack the gateway and the in-vehicle network system, subsequently bypass the integrity check, reflash the ECU (Electronic Control Unit) firmware, take control of the ECU, and send data onto the CAN network.
Summary of the invention
The purpose of this application is to provide a method and apparatus for detecting the network intrusion risk of a vehicle, so as to solve at least one of the above problems.
To solve the above technical problem, in a first aspect, this application provides a method for detecting the network intrusion risk of a vehicle, the method comprising:
Detecting a first anomalous event in the IVI system of the vehicle;
Detecting a second anomalous event on the CAN bus of the vehicle;
Analyzing the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event;
Determining the risk that the vehicle has been intruded upon according to the correlation.
With reference to any possible implementation of the first aspect, in a second possible implementation, detecting the first anomalous event in the IVI system of the vehicle includes:
Checking against a virus database to judge whether the IVI system of the vehicle is infected with a virus; if it is infected, the first anomalous event is deemed to have occurred in the IVI system.
With reference to any possible implementation of the first aspect, in a third possible implementation, detecting the first anomalous event in the IVI system of the vehicle includes:
Checking against a network behavior anomaly pattern library to judge whether the network behavior of the IVI system of the vehicle is abnormal; if it is abnormal, the first anomalous event is deemed to have occurred in the IVI system.
With reference to any possible implementation of the first aspect, in a fourth possible implementation, detecting the first anomalous event in the IVI system of the vehicle includes:
Judging whether an application that does not meet security requirements is running in the IVI system of the vehicle; if so, the first anomalous event is deemed to have occurred in the IVI system.
With reference to any possible implementation of the first aspect, in a fifth possible implementation, detecting the first anomalous event in the IVI system of the vehicle further includes:
Judging the security of the application according to the application's software function description and the permissions the application requests or uses.
With reference to any possible implementation of the first aspect, in a sixth possible implementation, detecting the second anomalous event on the CAN bus of the vehicle includes:
Judging whether the ID of a message transmitted on the CAN bus of the vehicle is in a whitelist; if it is not in the whitelist, the second anomalous event is deemed to have occurred on the CAN bus.
With reference to any possible implementation of the first aspect, in a seventh possible implementation, detecting the second anomalous event on the CAN bus of the vehicle includes:
Judging whether the error between the period at which a message occurs and the message period of a security baseline exceeds a first predetermined value; if it exceeds the first predetermined value, the second anomalous event is deemed to have occurred on the CAN bus.
With reference to any possible implementation of the first aspect, in an eighth possible implementation, analyzing the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event includes:
Analyzing, within a time window, the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event.
With reference to any possible implementation of the first aspect, in a ninth possible implementation, the time window is a sliding time window.
With reference to any possible implementation of the first aspect, in a tenth possible implementation, analyzing, within a time window, the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event includes:
Dividing the time window into a second predetermined value of sub time windows;
Obtaining, by counting the number of occurrences of the first anomalous event in each sub time window, a first distribution of the first anomalous event within the time window;
Obtaining, by counting the number of occurrences of the second anomalous event in each sub time window, a second distribution of the second anomalous event within the time window;
Determining the correlation according to the first distribution and the second distribution.
With reference to any possible implementation of the first aspect, in an eleventh possible implementation, determining the correlation according to the first distribution and the second distribution includes:
Determining a representative value of the correlation according to the distance between the count sequence corresponding to the first distribution and the count sequence corresponding to the second distribution.
In a second aspect, this application provides an apparatus for detecting the network intrusion risk of a vehicle, the apparatus comprising:
A first detection module, configured to detect a first anomalous event in the IVI system of the vehicle;
A second detection module, configured to detect a second anomalous event on the CAN bus of the vehicle;
An analysis module, configured to analyze the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event;
A determining module, configured to determine the risk that the vehicle has been intruded upon according to the correlation.
With reference to any possible implementation of the second aspect, in a second possible implementation, the first detection module includes:
A virus comparison unit, configured to check against a virus database to judge whether the IVI system of the vehicle is infected with a virus; if it is infected, the first anomalous event is deemed to have occurred in the IVI system.
With reference to any possible implementation of the second aspect, in a third possible implementation, the first detection module includes:
A pattern comparison unit, configured to check against a network behavior anomaly pattern library to judge whether the network behavior of the IVI system of the vehicle is abnormal; if it is abnormal, the first anomalous event is deemed to have occurred in the IVI system.
With reference to any possible implementation of the second aspect, in a fourth possible implementation, the first detection module includes:
An application judging unit, configured to judge whether an application that does not meet security requirements is running in the IVI system of the vehicle; if so, the first anomalous event is deemed to have occurred in the IVI system.
With reference to any possible implementation of the second aspect, in a fifth possible implementation, the first detection module further includes:
A security judging unit, configured to judge the security of the application according to the application's software function description and the permissions the application requests or uses.
With reference to any possible implementation of the second aspect, in a sixth possible implementation, the second detection module includes:
A whitelist unit, configured to judge whether the ID of a message transmitted on the CAN bus of the vehicle is in a whitelist; if it is not in the whitelist, the second anomalous event is deemed to have occurred on the CAN bus.
With reference to any possible implementation of the second aspect, in a seventh possible implementation, the second detection module includes:
A period judging unit, configured to judge whether the error between the period at which a message occurs and the message period of a security baseline exceeds a first predetermined value; if it exceeds the first predetermined value, the second anomalous event is deemed to have occurred on the CAN bus.
With reference to any possible implementation of the second aspect, in an eighth possible implementation, the analysis module is configured to analyze, within a time window, the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event.
With reference to any possible implementation of the second aspect, in a ninth possible implementation, the analysis module includes:
A division unit, configured to divide the time window into a second predetermined value of sub time windows;
A first statistics unit, configured to obtain, by counting the number of occurrences of the first anomalous event in each sub time window, a first distribution of the first anomalous event within the time window;
A second statistics unit, configured to obtain, by counting the number of occurrences of the second anomalous event in each sub time window, a second distribution of the second anomalous event within the time window;
A determination unit, configured to determine the correlation according to the first distribution and the second distribution.
With reference to any possible implementation of the second aspect, in a tenth possible implementation, the determination unit is configured to determine a representative value of the correlation according to the distance between the count sequence corresponding to the first distribution and the count sequence corresponding to the second distribution.
With reference to any possible implementation of the second aspect, in an eleventh possible implementation, the apparatus is arranged in the IVI system of the vehicle.
With reference to any possible implementation of the second aspect, in a twelfth possible implementation, the first detection module and the analysis module are arranged in the IVI system of the vehicle, and the second detection module is connected to the CAN bus.
In a third aspect, an apparatus for detecting the network intrusion risk of a vehicle is provided, the apparatus comprising:
A memory, configured to store instructions;
A processor, configured to execute the instructions stored in the memory, the instructions causing the processor to perform the following operations:
Detecting a first anomalous event in the IVI system of the vehicle;
Detecting a second anomalous event on the CAN bus of the vehicle;
Analyzing the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event;
Determining the risk that the vehicle has been intruded upon according to the correlation.
In a fourth aspect, a computer-readable storage medium is provided, storing a computer program that causes a computer to perform the following method:
Detecting a first anomalous event in the IVI system of the vehicle;
Detecting a second anomalous event on the CAN bus of the vehicle;
Analyzing the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event;
Determining the risk that the vehicle has been intruded upon according to the correlation.
The method and apparatus detect anomalous events in the IVI system and on the CAN bus separately and compare how the two kinds of anomalous event correlate in their times of occurrence; the higher the correlation, the higher the risk that the vehicle has been intruded upon. This provides a simple and practical method of determining a vehicle's intrusion risk.
Brief description of the drawings
Fig. 1 is a flowchart of the method for detecting the network intrusion risk of a vehicle according to one embodiment of the invention;
Fig. 2 is a flowchart of the method for determining the correlation in one embodiment of the invention;
Fig. 3 is a flowchart of the method for determining the correlation in another embodiment of the invention;
Fig. 4 is a flowchart of the method for determining the correlation in another embodiment of the invention;
Fig. 5 is a schematic diagram of the corresponding points of two sequences when computing the dynamic time warping distance in one embodiment of the invention;
Fig. 6 is a schematic diagram of the module structure of the apparatus for detecting the network intrusion risk of a vehicle according to one embodiment of the invention;
Fig. 7 is a schematic diagram of the module structure of the first detection module according to one embodiment of the invention;
Fig. 8 is a schematic diagram of the module structure of the first detection module according to another embodiment of the invention;
Fig. 9 is a schematic diagram of the module structure of the first detection module according to another embodiment of the invention;
Fig. 10 is a schematic diagram of the module structure of the second detection module according to one embodiment of the invention;
Fig. 11 is a schematic diagram of the module structure of the second detection module according to another embodiment of the invention;
Fig. 12 is a schematic diagram of the module structure of the analysis module according to one embodiment of the invention;
Fig. 13 is a schematic diagram of the module structure of the analysis module according to another embodiment of the invention;
Fig. 14 is a schematic diagram of the module structure of the analysis module according to another embodiment of the invention;
Fig. 15 is a structural schematic diagram of the apparatus for detecting the network intrusion risk of a vehicle according to another embodiment of the invention;
Fig. 16 is a schematic diagram of how the apparatus of one embodiment is distributed in the vehicle;
Fig. 17 is a schematic diagram of how the apparatus of another embodiment is distributed in the vehicle.
Specific embodiments
Specific embodiments of the invention are described in further detail below with reference to the drawings and examples. The following embodiments illustrate the invention and are not intended to limit its scope.
Those skilled in the art will understand that, in embodiments of the invention, the sequence numbers of the steps below do not imply an order of execution; the order in which the steps are executed should be determined by their function and internal logic, and does not limit the implementation of the embodiments of the invention in any way.
In addition, terms such as "first" and "second" in the invention are used only to distinguish different steps, devices, modules and so on; they carry no particular technical meaning and do not indicate any necessary logical order between them.
The invention provides a method for detecting the network intrusion risk of a vehicle. As shown in Fig. 1, the method comprises:
S120: detecting a first anomalous event in the IVI system of the vehicle;
S140: detecting a second anomalous event on the CAN bus of the vehicle;
S160: analyzing the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event;
S180: determining the risk that the vehicle has been intruded upon according to the correlation.
The method detects anomalous events in the IVI system and on the CAN bus separately and compares how the two kinds of anomalous event correlate in their times of occurrence; the higher the correlation, the higher the risk that the vehicle has been intruded upon. This provides a simple and practical method of determining a vehicle's intrusion risk.
The function of each step of the method is described in detail below with reference to the drawings and specific embodiments.
S120: detecting a first anomalous event in the IVI system of the vehicle.
The first anomalous event is an anomalous event of the IVI system. The inventors found in the course of their research that hackers generally intrude into vehicles by means of viruses or Trojan programs. When there is intrusion behavior, the IVI system of the vehicle often exhibits abnormal starting of processes, abnormal access to files or ports, and the like. The application can therefore detect these accordingly in order to identify anomalous events of the IVI system.
In one embodiment, step S120 may include:
S120a: checking against a virus database to judge whether the IVI system of the vehicle is infected with a virus; if it is infected, the first anomalous event is deemed to have occurred in the IVI system.
The virus database can be obtained from a network server, for example from the server of an antivirus software provider. Whether the system is infected can be judged using currently mature computer virus detection techniques.
In another embodiment, step S120 may include:
S120b: checking against a network behavior anomaly pattern library to judge whether the network behavior of the IVI system of the vehicle is abnormal; if it is abnormal, the first anomalous event is deemed to have occurred in the IVI system.
Similarly to the previous embodiment, the network behavior anomaly pattern library can be obtained from a network server, and the current network behavior of the IVI system is then compared against it to judge whether there is abnormal network behavior.
In another embodiment, step S120 may include:
S120d: judging whether an application that does not meet security requirements is running in the IVI system of the vehicle; if so, the first anomalous event is deemed to have occurred in the IVI system.
In this embodiment, an unsafe application library can, for example, be obtained from a network server, and the currently running applications are then compared against it to judge whether an application that does not meet security requirements is running.
However, because applications are updated and new applications keep emerging, security risks may still exist with the comparison approach above. Therefore, in one embodiment, step S120 further includes:
S120c: judging the security of the application according to the application's software function description and the permissions the application requests or uses.
Permissions in a computer system can roughly be divided into user-space permissions and device-space permissions. An application installed by the user normally needs only user-space permissions and does not need device-space permissions. In general, an application's function corresponds to the permissions it requests or uses; for example, a map application often requests permission to access positioning results. If an application's function is clearly unrelated to the permissions it requests or uses, or the permissions clearly exceed the range it needs, the application can be considered unsafe. The application ZNIU, for example, exploited the "Dirty COW" (DirtyCow) security vulnerability to obtain device-space permission (subscription permission) and automatically subscribed to value-added services in the background, incurring charges for the user.
S140: detecting a second anomalous event on the CAN bus of the vehicle.
The CAN bus is a fieldbus widely used in vehicles; the vehicle's sensors and controllers are interconnected through it. Therefore, when the vehicle is intruded upon, anomalous events also appear on the CAN bus, for example an abnormal message sending frequency or abnormal message content. The second anomalous event is an anomalous event on the CAN bus.
In one embodiment, step S140 may include:
S140a: judging whether the ID (identification) of a message transmitted on the CAN bus of the vehicle is in a whitelist; if it is not in the whitelist, the second anomalous event is deemed to have occurred on the CAN bus.
The ID of a message corresponds to the receiving device of the message. If the ID of a message is not in the whitelist, there is a high risk that the message is an attack message from outside, so this is an anomalous event on the CAN bus. The whitelist is preferably a whitelist specific to the message, that is, each message has its own corresponding whitelist, to improve security. Of course, to reduce implementation complexity and the amount of computation, all messages can also share one whitelist that contains all known legitimate IDs.
In another embodiment, step S140 may include:
S140b: judging whether the error between the period at which a message occurs and the message period of a security baseline exceeds a first predetermined value; if it exceeds the first predetermined value, the second anomalous event is deemed to have occurred on the CAN bus.
The message period of the security baseline is the period of occurrence of a given message, either measured while the system is in a secure state (or a state considered secure) or calculated from theory. On the CAN bus, some messages occur periodically, such as engine speed messages, while others are not periodic and are sent in an event-driven manner, such as diagnostic and network management messages. This embodiment is implemented mainly on the basis of the periodic messages.
Under normal circumstances, the period at which a periodic message occurs on the CAN bus is essentially consistent with the message period of the security baseline, and the error generally does not exceed a threshold, for example 0.1 seconds. If the error exceeds the threshold, the second anomalous event can be deemed to have occurred on the CAN bus. Specifically, the error can be calculated as follows: a variance value is computed between each of several actually measured periods of a message and the message period of the corresponding security baseline, and the expectation of these variance values is taken as the error; alternatively, the average period of the message is computed from several measured periods of messages with the same ID, a measured variance is then computed from the measured values and the average, and the difference between the measured variance and the variance of the security baseline is taken as the error.
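The two CAN bus checks of steps S140a and S140b, as an added example in Python that is not code from the patent. The frame list, the IDs, the 100 ms baseline period, the threshold and the three-period rolling sample are constructed for illustration, and the error formulas are one reading of the two calculations described above.

```python
from collections import defaultdict
from statistics import fmean, pvariance

# Constructed sample data (assumptions of this example, not values from the patent).
WHITELIST = {0x0C9, 0x7DF}          # one shared whitelist of known legitimate IDs
BASELINE_PERIODS_MS = {0x0C9: 100}  # periodic messages only; 0x7DF is event-driven
THRESHOLD_MS2 = 400                 # "first predetermined value", in ms^2 here
FRAMES = [                          # (timestamp in ms, CAN ID)
    (0, 0x0C9), (100, 0x0C9), (200, 0x0C9), (250, 0x7DF), (300, 0x0C9),
    (400, 0x0C9), (410, 0x0C9), (415, 0x666), (420, 0x0C9), (430, 0x0C9),
]


def error_vs_baseline_period(periods, baseline_period):
    """First calculation: squared deviation of each measured period from the
    security-baseline period, then the mean of those values."""
    return fmean([(p - baseline_period) ** 2 for p in periods])


def error_vs_baseline_variance(periods, baseline_variance):
    """Second calculation: variance of the measured periods around their own
    mean, compared with the variance of the security baseline. Taking the
    absolute difference is an assumption of this example."""
    return abs(pvariance(periods) - baseline_variance)


def detect_can_anomalies(frames, whitelist, baseline_periods, threshold, sample=3):
    """Return second anomalous events as (timestamp, can_id, reason) tuples."""
    events = []
    last_seen = {}                  # can_id -> timestamp of the previous frame
    periods = defaultdict(list)     # can_id -> measured inter-arrival periods
    for ts, can_id in frames:
        # S140a: an ID outside the whitelist is an anomalous event by itself.
        if can_id not in whitelist:
            events.append((ts, can_id, "id-not-in-whitelist"))
            continue
        # S140b: only messages with a baseline period are checked; event-driven
        # messages (diagnostics, network management) have no period to compare.
        if can_id in baseline_periods and can_id in last_seen:
            periods[can_id].append(ts - last_seen[can_id])
            recent = periods[can_id][-sample:]
            if len(recent) == sample:
                err = error_vs_baseline_period(recent, baseline_periods[can_id])
                if err > threshold:
                    events.append((ts, can_id, "period-deviation"))
        last_seen[can_id] = ts
    return events


if __name__ == "__main__":
    for event in detect_can_anomalies(FRAMES, WHITELIST, BASELINE_PERIODS_MS,
                                      THRESHOLD_MS2):
        print("t=%d ms id=0x%03X %s" % event)
```

The timestamps of the returned events are the CAN-side input to the correlation analysis of step S160.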
S160: analyzing the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event.
If an anomalous event appears in the IVI system alone or on the CAN bus alone, the cause may be an intrusion of the vehicle, but it may also be the system's misjudgement of an intrusion. If, however, anomalous events appear in both systems and show an obvious correlation in time, in other words a correlation above a certain threshold, it can be concluded that the vehicle has been intruded upon.
In one embodiment, to reduce the amount of computation, a time window can be selected, and the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event is analyzed within that time window. The length of the time window can be set according to real-time requirements, according to system load, or according to a user-set percentage of system resources to occupy; for example, it can be set to 5 seconds.
In one embodiment, the time window is preferably a sliding time window. Specifically, suppose there is a series of equal-length time slices that extends indefinitely over time, forming a time slice sequence. Suppose further that the sliding time window covers a second predetermined value of time slices, for example 5. Each time one time slice elapses, the sliding time window moves on by one time slice. In chronological order, the serial numbers of the 5 time slices successively covered by the sliding time window are, for example: 12345, 23456, 34567, .... That is, as time passes, the sliding time window moves on whenever a new time slice is generated.
With a sliding window, the characteristics of the system can be gathered over a period of suitable length (the duration of the sliding time window), while a judgement, and a decision on whether to raise an alarm, can be made each time a time slice elapses (the sensitivity of the system's response). To reflect the characteristics of the system better, the length of the sliding time window can be adjusted flexibly in real time while still preserving the sensitivity of the system.
In one embodiment, the correlation can be determined using the ratio judgement method. As shown in Fig. 2, in this embodiment, step S160 specifically includes:
S161a: dividing the time window into a second predetermined value of sub-time windows.
The second predetermined value is greater than 1, and its size is related to the length of the time window: in general, the longer the time window, the larger the second predetermined value. The size of the second predetermined value is also related to the accuracy of the method: the larger the second predetermined value, that is, the more sub-time windows the time window is divided into, the higher the accuracy of the method and the lower the probability of false detection. Generally, when the time window is 5 seconds, the second predetermined value can for example be set to 25, so that each sub-time window is 0.2 seconds long. In addition, when the time window is a sliding time window, the sub-time windows are the time slices described above.
S162a: traversing each sub-time window and counting the occurrences of the first anomalous event and the second anomalous event:
In the sub-time window currently being counted, if the first anomalous event and the second anomalous event both occur, the first count increases by 1 and the second count increases by 1;
If neither the first anomalous event nor the second anomalous event occurs, the first count increases by 1 and the second count is unchanged;
If only one of the first anomalous event and the second anomalous event occurs, the first count and the second count are both unchanged;
The initial values of the first count and the second count are zero.
In this step, the first count reflects the synchronism of the first anomalous event and the second anomalous event. Therefore, when the first anomalous event and the second anomalous event both occur or both do not occur in a given sub-time window, the first count increases by 1, and when only one of them occurs in that sub-time window, the first count is unchanged.
The second count reflects the number of times the first anomalous event and the second anomalous event both occur within one sub-time window. Therefore, the second count increases by 1 only when both classes of anomalous event occur, and is unchanged in all other cases.
Specifically, let the first count be X and the second count be Y, with the initial values of X and Y both 0. Assume the number of sub-time windows is 10.
Assume that in the 1st sub-time window neither the first anomalous event nor the second anomalous event occurs; X then increases by 1 and is updated to 1, and Y remains 0.
Assume next that in the 2nd sub-time window neither the first anomalous event nor the second anomalous event occurs; X then increases by 1 and is updated to 2, and Y remains 0.
Assume next that in the 3rd sub-time window the first anomalous event and the second anomalous event both occur; X then increases by 1 and is updated to 3, and Y increases by 1 and is updated to 1.
Assume next that in the 4th sub-time window the first anomalous event occurs and the second anomalous event does not; X remains 3 and Y remains 1.
Assume next that in the 5th sub-time window the first anomalous event does not occur and the second anomalous event occurs; X remains 3 and Y remains 1.
Assume next that in the 6th sub-time window the first anomalous event occurs and the second anomalous event does not; X remains 3 and Y remains 1.
Assume next that in the 7th sub-time window the first anomalous event does not occur and the second anomalous event occurs; X remains 3 and Y remains 1.
Assume next that in the 8th sub-time window the first anomalous event occurs and the second anomalous event does not; X remains 3 and Y remains 1.
Assume next that in the 9th sub-time window the first anomalous event and the second anomalous event both occur; X then increases by 1 and is updated to 4, and Y increases by 1 and is updated to 2.
Assume next that in the 10th sub-time window the first anomalous event does not occur and the second anomalous event occurs; X remains 4 and Y remains 2. The final values of X and Y are the statistical values of the first count and the second count.
S163a: determining the correlation according to the statistical values of the first count and the second count.
In one embodiment, this step specifically includes: when the statistical value of the second count is non-zero, taking the ratio of the statistical value of the first count to the second predetermined value as the representative value of the correlation. Continuing the above assumption, the final statistical value of the first count, X, is 4, the final statistical value of the second count, Y, is 2, and the second predetermined value N is 10, so the representative value of the correlation is R1 = 4/10 = 0.4.
Those skilled in the art will appreciate that if the second predetermined value remains unchanged (for example, the length of the time window is fixed and the accuracy requirement is fixed), this step can also take the statistical value of the first count itself as the representative value of the correlation when the statistical value of the second count is non-zero.
In addition, when the time window is a sliding time window, steps S161a to S163a can be set to execute once every predetermined time. The predetermined time can for example be exactly the length of one sub-time window; that is, each time one sub-time window elapses, the sliding time window slides forward by one sub-time window and steps S161a to S163a are executed once. In this way the risk detection result both reflects the characteristics of the system well and keeps the system sensitive.
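The ratio judgement method of steps S161a to S163a (also the job of units 661a to 663a of the analysis module), including the sliding-window execution, as an added Python example that is not part of the patent text. Function and class names, the sample timestamps and the choice to return 0.0 when the second count is zero are assumptions; the page defines R1 only for a non-zero second count.

```python
from collections import deque

# Constructed sample: event times (seconds) inside one 5-second window, chosen to
# reproduce the page's ten-sub-window walk-through (sub-window length 0.5 s).
IVI_TIMES = [1.1, 1.7, 2.6, 3.9, 4.2]   # first anomalous events (IVI system)
CAN_TIMES = [1.3, 2.2, 3.4, 4.4, 4.8]   # second anomalous events (CAN bus)


def bin_events(timestamps, start, sub_len, n_sub):
    """S161a: mark which of the n_sub sub-time windows contain at least one event."""
    flags = [False] * n_sub
    for t in timestamps:
        idx = int((t - start) // sub_len)
        if 0 <= idx < n_sub:          # events outside the time window are ignored
            flags[idx] = True
    return flags


def ratio_counts(ivi_flags, can_flags):
    """S162a: return (first count X, second count Y) over paired sub-window flags."""
    if len(ivi_flags) != len(can_flags):
        raise ValueError("both systems must cover the same sub-time windows")
    x = y = 0
    for ivi, can in zip(ivi_flags, can_flags):
        if ivi and can:               # both occurred: X and Y increase
            x += 1
            y += 1
        elif not ivi and not can:     # neither occurred: only X increases
            x += 1
        # exactly one occurred: both counts unchanged
    return x, y


def ratio_correlation(ivi_flags, can_flags):
    """S163a: R1 = X / N when Y is non-zero."""
    x, y = ratio_counts(ivi_flags, can_flags)
    if y == 0:
        # Assumption: report no correlation. Without the Y != 0 condition a
        # completely quiet window would give X = N and therefore R1 = 1.0.
        return 0.0
    return x / len(ivi_flags)


class SlidingRatioDetector:
    """Re-evaluates R1 each time one time slice (sub-time window) elapses."""

    def __init__(self, n_sub):
        self.n_sub = n_sub
        self.slices = deque(maxlen=n_sub)   # oldest slice drops out automatically

    def push(self, ivi_seen, can_seen):
        """Add the newest slice; return R1, or None until the window is full."""
        self.slices.append((bool(ivi_seen), bool(can_seen)))
        if len(self.slices) < self.n_sub:
            return None
        ivi_flags, can_flags = zip(*self.slices)
        return ratio_correlation(ivi_flags, can_flags)


if __name__ == "__main__":
    ivi = bin_events(IVI_TIMES, 0.0, 0.5, 10)
    can = bin_events(CAN_TIMES, 0.0, 0.5, 10)
    print("X, Y =", ratio_counts(ivi, can), "R1 =", ratio_correlation(ivi, can))
```
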
In another embodiment, the correlation can be determined using the period judgement method. As shown in Fig. 3, in this embodiment, step S160 specifically includes:
S161b: dividing the time window into a second predetermined value of sub-time windows.
This step can be identical to step S161a and is not described again.
S162b: determining, on the basis of the sub-time windows, the first generating period of each class of anomalous event among the first anomalous events.
In this step, the first anomalous events first need to be classified, to determine the different classes of first anomalous event. The first anomalous events can be classified by the triggering cause and/or triggering device of the corresponding event, and so on. For example, the first anomalous events can simply be divided into the following four classes: a virus-carrying file is detected in the file system; the installation of software without an official license is detected; unauthorized permission access is detected; a user login with an incorrectly entered password is detected.
The generating period of each class of first anomalous event, that is, the first generating period, is then counted. The first generating period is expressed as a number of sub-time windows, for example 3 sub-time windows. If there is more than one first generating period, this step actually yields a list of first generating periods, which can be called the first period list.
S163b: determining, on the basis of the sub-time windows, the second generating period of each class of anomalous event among the second anomalous events.
In this step, the second anomalous events first need to be classified. The second anomalous events can likewise be classified by the triggering cause and/or triggering device of the corresponding event, and so on. For example, the second anomalous events can simply be divided into the following classes: a device is detected sending a data packet whose payload data is abnormal (each device on the CAN bus corresponds to one class of anomalous event); a message with an abnormal repetition frequency is detected.
The generating period of each class of second anomalous event, that is, the second generating period, is then counted. The second generating period is also expressed as a number of sub-time windows. If there is more than one second generating period, this step actually yields a list of second generating periods, which can be called the second period list.
S164b: determining the correlation according to the first generating period and the second generating period.
An anomalous event on the CAN bus may be caused by an anomalous event in the IVI system. When there is intrusion behaviour, the generating periods of the anomalous events on the CAN bus and of the anomalous events in the IVI system show a strong correlation.
In one embodiment, this step can determine the correlation according to the number of pairs of identical first and second generating periods: the more pairs there are, the higher the correlation.
For example, let the initial number of pairs be 0. The first generating periods comprise A period values, which can be regarded as a first period list containing A period values, and the second generating periods comprise B period values, which can be regarded as a second period list containing B period values. Assuming A is less than B, each of the A period values in the first period list is compared in turn with the B period values; if an identical value exists, the number of pairs increases by 1, otherwise the number of pairs is unchanged. After the A period values have been traversed in turn, the resulting number is the number of pairs of identical first and second generating periods. Assume this number is finally S.
In one embodiment, the representative value of the correlation can be expressed directly by S. Alternatively, the number of classes of the first anomalous event and the second anomalous event, T = (A+B)/2, can also be taken into account, and the ratio S/T used as the representative value R2 of the correlation.
Those skilled in the art will appreciate that the first generating period and the second generating period need not be calculated on the basis of the sub-time windows; they can of course also be calculated from the absolute occurrence times of the first anomalous event and the second anomalous event. However, because absolute occurrence times are overly precise, results calculated from them often fail to reflect the correlation. Experiments show that determining the generating periods on the basis of the sub-time windows, as in the above embodiment, improves the tolerance of the method: similar anomalous events whose generating periods are merely close are counted as anomalous events with the same generating period, and the final result reflects the correlation better.
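The period judgement method of steps S161b to S164b (units 661b to 664b of the analysis module), as an added Python example that is not part of the patent text. The page does not say how a class's generating period is measured, so the most frequent gap between consecutive occurrences, in sub-time windows, is an assumption here, as are the class names and timestamps.

```python
from collections import Counter

SUB_LEN = 0.2   # sub-time window length in seconds (5 s window / 25, as on the page)

# Constructed sample: occurrence times in seconds, keyed by anomalous-event class.
IVI_EVENTS = {
    "unauthorized_access": [0.05, 0.62, 1.27, 1.81],
    "bad_password_login":  [0.30, 1.10, 1.90],
}
CAN_EVENTS = {
    "abnormal_payload_device_1": [0.15, 0.71, 1.33, 1.95],
    "abnormal_repeat_rate":      [0.10, 0.50, 0.90, 1.30, 1.70],
    "abnormal_payload_device_2": [0.90],      # seen once: no period can be derived
}


def generating_period(timestamps, start, sub_len):
    """Period of one class, expressed as a number of sub-time windows.

    Assumption: the period is the most frequent gap between the sub-time windows
    in which the class occurs; a class seen in fewer than two windows has none.
    """
    windows = sorted({int((t - start) // sub_len) for t in timestamps})
    gaps = [later - earlier for earlier, later in zip(windows, windows[1:])]
    if not gaps:
        return None
    return Counter(gaps).most_common(1)[0][0]


def period_list(events_by_class, start=0.0, sub_len=SUB_LEN):
    """S162b / S163b: one period value per class that has a period."""
    periods = []
    for timestamps in events_by_class.values():
        period = generating_period(timestamps, start, sub_len)
        if period is not None:
            periods.append(period)
    return periods


def period_correlation(first_periods, second_periods):
    """S164b: return (S, R2) with R2 = S / T and T = (A + B) / 2."""
    a, b = len(first_periods), len(second_periods)
    if a == 0 or b == 0:
        return 0, 0.0                     # nothing to pair up
    if a <= b:
        shorter, longer = first_periods, second_periods
    else:
        shorter, longer = second_periods, first_periods
    # Each value of the shorter list is compared with the longer list in turn.
    s = sum(1 for period in shorter if period in longer)
    return s, s / ((a + b) / 2)


if __name__ == "__main__":
    first, second = period_list(IVI_EVENTS), period_list(CAN_EVENTS)
    print(first, second, period_correlation(first, second))
```

In the sample, the absolute gaps of the two matching classes range from 0.54 s to 0.65 s and never coincide exactly, yet both quantize to a period of 3 sub-time windows, which is the tolerance effect described above.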
In another embodiment, the correlation can be determined using the probability distribution method. As shown in Fig. 4, in this embodiment, step S160 specifically includes:
S161c: dividing the time window into a second predetermined value of sub-time windows.
This step can be identical to step S161a and is not described again.
S162c: obtaining, by counting the number of times the first anomalous event occurs in each sub-time window, the first distribution law of the first anomalous event in the time window.
The first distribution law is the sequence, in chronological order, of the numbers of times the first anomalous event occurs in the time window. For example, assuming the number of sub-time windows is 10 and the first anomalous event occurs 0, 1, 3, 5, 2, 1, 7, 1, 0, 0 times in the 1st to the 10th sub-time window respectively, the first distribution law can be expressed as the count sequence [0,1,3,5,2,1,7,1,0,0].
S163c: obtaining, by counting the number of times the second anomalous event occurs in each sub-time window, the second distribution law of the second anomalous event in the time window.
Similarly to step S162c, counting the number of times the second anomalous event occurs in each sub-time window gives the sequence of the numbers of times the second anomalous event occurs in the time window. Assuming the second anomalous event occurs 0, 0, 0, 1, 3, 5, 2, 1, 7, 2 times in the 1st to the 10th sub-time window respectively, the count sequence representing the second distribution law is [0,0,0,1,3,5,2,1,7,2].
S164c: determining the correlation according to the first distribution law and the second distribution law.
In this step, the correlation between the first distribution law and the second distribution law can be determined from the distance between the count sequences of the two distribution laws. The distance can for example be the Minkowski distance or the dynamic time warping distance. The smaller the distance, the higher the correlation. For simplicity, the present application only illustrates the calculation of the dynamic time warping distance between the count sequences [0,1,3,5,2,1,7,1,0,0] and [0,0,0,1,3,5,2,1,7,2].
To make comparison with a threshold convenient, the two count sequences are first normalized separately: the count in each sub-time window is divided by the sum of the counts of the whole sequence. After normalization, the value interval of the resulting dynamic time warping distance is [0,1]. Similarly, when the distance is the Minkowski distance, similar processing can make the value interval of the resulting Minkowski distance [0,1].
[0,1,3,5,2,1,7,1,0,0] => [0, 1/(1+3+5+2+1+7+1), 3/20, 5/20, ..., 0] => [0, 0.0500, 0.1500, 0.2500, 0.1000, 0.0500, 0.3500, 0.0500, 0, 0];
[0,0,0,1,3,5,2,1,7,2] => [0, 0, 0, 1/21, 3/21, ..., 2/21] => [0, 0, 0, 0.0476, 0.1429, 0.2381, 0.0952, 0.0476, 0.3333, 0.0952];
The corresponding points obtained by dynamic time warping are shown in Fig. 5.
The dynamic time warping distance is as follows:
D = (0.05-0.0476)^2 + (0.15-0.1429)^2 + (0.25-0.2381)^2 + (0.1-0.0952)^2 + (0.05-0.0476)^2 + (0.35-0.3333)^2 + (0.05-0.0952)^2 = 0.00254851
In one embodiment, the representative value of the correlation can be set to R3 = 1-D; obviously, the larger the value of R3, the higher the correlation.
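The probability distribution method of steps S161c to S164c, as an added Python example that is not part of the patent text, using the page's two count sequences. It implements textbook dynamic time warping with squared differences, in which the first and last points of both sequences must be matched, so its D is larger than the seven-term sum printed above; function names and the clamp of R3 at 0 are assumptions.

```python
# Count sequences taken from the page's worked example.
FIRST_COUNTS = [0, 1, 3, 5, 2, 1, 7, 1, 0, 0]    # first anomalous event (IVI)
SECOND_COUNTS = [0, 0, 0, 1, 3, 5, 2, 1, 7, 2]   # second anomalous event (CAN)


def normalise(counts):
    """Divide each sub-time-window count by the total of the sequence."""
    total = sum(counts)
    if total == 0:
        return [0.0] * len(counts)    # no events at all: keep an all-zero sequence
    return [c / total for c in counts]


def pointwise_distance(p, q):
    """Squared Euclidean distance: compares sub-time window i only with window i."""
    return sum((a - b) ** 2 for a, b in zip(p, q))


def dtw_distance(p, q):
    """Textbook dynamic time warping with squared-difference local cost.

    cost[i][j] is the cheapest alignment of p[:i] with q[:j]; each step may
    advance in p, in q, or in both, so a burst that arrives a few sub-time
    windows late can still be matched with its counterpart.
    """
    n, m = len(p), len(q)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            local = (p[i - 1] - q[j - 1]) ** 2
            cost[i][j] = local + min(cost[i - 1][j],      # advance in p only
                                     cost[i][j - 1],      # advance in q only
                                     cost[i - 1][j - 1])  # advance in both
    return cost[n][m]


def distribution_correlation(first_counts, second_counts):
    """S164c: R3 = 1 - D on the normalised sequences (clamped at 0, an assumption)."""
    d = dtw_distance(normalise(first_counts), normalise(second_counts))
    return max(0.0, 1.0 - d)


if __name__ == "__main__":
    p, q = normalise(FIRST_COUNTS), normalise(SECOND_COUNTS)
    print("pointwise distance:", round(pointwise_distance(p, q), 4))
    print("DTW distance D    :", round(dtw_distance(p, q), 4))
    print("R3 = 1 - D        :", round(distribution_correlation(FIRST_COUNTS, SECOND_COUNTS), 4))
```

The pointwise distance treats the two sequences as very different because the CAN burst trails the IVI burst, while the warped distance stays small, which is why a warping distance suits events that one system causes in the other with a delay.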
S180: determining the risk that the vehicle has been invaded according to the correlation.
In this step, the correlation can be compared with a threshold. If it is higher than the threshold, it can be determined that the vehicle is at risk of having been invaded; otherwise, there is no risk of intrusion.
In one embodiment, the threshold can be set directly to 0. For any of the three methods of determining the correlation described above, as long as the representative value of the correlation is higher than 0, the vehicle is at risk of having been invaded; otherwise, if the representative value of the correlation is 0, the vehicle is not at risk of having been invaded.
In another embodiment, multiple thresholds can be set, and different grades of intrusion risk can be determined.
For example, when the representative value R1 of the correlation is determined by the ratio judgement method, a first threshold 0, a second threshold 0.3 and a third threshold 0.7 can be set. Correspondingly, if the representative value R1 of the correlation is 0, the vehicle is not at risk of having been invaded; if R1 is between 0 and 0.3, there is a low-grade intrusion risk; if R1 is between 0.3 and 0.7, there is an intermediate intrusion risk; if R1 is between 0.7 and 1, there is a high-grade intrusion risk.
As another example, when the representative value R2 of the correlation is determined by the period judgement method, a first threshold 0, a second threshold 0.3 and a third threshold 0.7 can likewise be set. Correspondingly, if the representative value R2 of the correlation is 0, the vehicle is not at risk of having been invaded; if R2 is between 0 and 0.3, there is a low-grade intrusion risk; if R2 is between 0.3 and 0.7, there is an intermediate intrusion risk; if R2 is between 0.7 and 1, there is a high-grade intrusion risk.
Similarly, when the representative value R3 of the correlation is determined by the probability distribution method, a first threshold 0, a second threshold 0.3 and a third threshold 0.7 can likewise be set. Correspondingly, if the representative value R3 of the correlation is 0, the vehicle is not at risk of having been invaded; if R3 is between 0 and 0.3, there is a low-grade intrusion risk; if R3 is between 0.3 and 0.7, there is an intermediate intrusion risk; if R3 is between 0.7 and 1, there is a high-grade intrusion risk.
In summary, the method of the present application can use the ratio judgement method, the period judgement method or the probability distribution method to analyze and determine the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event. The risk that the vehicle has been invaded can be determined from the correlation, and corresponding risk elimination can then be carried out according to the risk grade or according to whether a risk exists, for example by starting an antivirus program.
In addition, when an intrusion occurs, the first anomalous event and the second anomalous event may show correlation in other respects besides the correlation in time. Those skilled in the art can develop new risk detection methods accordingly.
Fig. 6 is a schematic diagram of the modular structure of a device for detecting the network intrusion risk of a vehicle according to the present application. As shown in Fig. 6, the device 600 includes:
A first detection module 620, configured to detect a first anomalous event in the IVI system of the vehicle;
A second detection module 640, configured to detect a second anomalous event on the CAN bus of the vehicle;
An analysis module 660, configured to analyze the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event;
A determining module 680, configured to determine the risk that the vehicle has been invaded according to the correlation.
The function of each module is described in detail below with reference to the drawings and specific embodiments.
The first detection module 620 is configured to detect a first anomalous event in the IVI system of the vehicle.
The first anomalous event is an anomalous event of the IVI system. The inventors found in the course of their research that hackers generally intrude into vehicles by means of viruses or Trojan horse programs. Therefore, when there is intrusion behaviour, the IVI system of the vehicle often shows abnormal starting of processes, abnormal access to files or ports, and so on. The present application can therefore perform corresponding detection to identify anomalous events of the IVI system.
In one embodiment, as shown in Fig. 7, the first detection module 620 includes:
A virus control unit 621, configured to judge against a virus database whether the IVI system of the vehicle is infected with a virus; if it is infected, a first anomalous event is considered to have occurred in the IVI system.
The virus database can be obtained from a network server, for example from the server of an antivirus software provider. The judgement of whether the system is infected with a virus can be implemented with reference to currently mature computer virus detection technology.
In another embodiment, as shown in Fig. 8, the first detection module 620 includes:
A pattern collation unit 622, configured to judge against a network behaviour abnormal pattern library whether the network behaviour of the IVI system of the vehicle is abnormal; if it is abnormal, a first anomalous event is considered to have occurred in the IVI system.
Similarly to the previous embodiment, the network behaviour abnormal pattern library can be obtained from a network server, and the network behaviour of the current IVI system is then compared against it to judge whether abnormal network behaviour exists.
In another embodiment, as shown in Fig. 9, the first detection module 620 further includes:
An application program judging unit 624, configured to judge whether an application program that does not meet the security requirements is running in the IVI system of the vehicle; if there is, a first anomalous event is considered to have occurred in the IVI system.
In this embodiment, a library of insecure applications can for example be obtained from a network server, and the currently running application programs are then compared against it to judge whether an application program that does not meet the security requirements is running.
However, because application programs are updated and new application programs keep emerging, security risks may still remain with the above comparison approach. Therefore, in one embodiment, as shown in Fig. 9, the first detection module 620 further includes:
A security judgment unit 623, configured to judge the security of an application program according to the software functional description of the application program and the permissions that the application program applies for or uses.
Permissions in a computer system can broadly be divided into user-space permissions and device-space permissions. An application program installed by a user normally needs only user-space permissions and does not need device-space permissions. Generally, the function of an application program corresponds to the permissions it applies for or uses; for example, a map program often applies for access to positioning results. If the function of an application program is obviously unrelated to the permissions it applies for or uses, or those permissions obviously exceed the scope it requires, the application program can accordingly be considered unsafe.
The second detection module 640 is configured to detect a second anomalous event on the CAN bus of the vehicle.
The CAN bus is a fieldbus widely used in vehicles; the sensors and controllers of the vehicle are interconnected through the CAN bus. Therefore, when the vehicle is invaded, anomalous events also appear on the CAN bus, for example an abnormal message sending frequency or abnormal message content. The second anomalous event is an anomalous event on the CAN bus.
In one embodiment, as shown in Fig. 10, the second detection module 640 includes:
A white list unit 641, configured to judge whether the ID of a message transmitted on the CAN bus of the vehicle is in a white list; if it is not in the white list, a second anomalous event is considered to have occurred on the CAN bus.
The ID of a message corresponds to the receiving device of the message. If the ID of a message is not in the white list, there is a high risk that the message is an attack message from outside, so this is one kind of anomalous event on the CAN bus. The white list is preferably a white list corresponding to the message, that is, each message has its own corresponding white list, which improves security. Of course, to reduce implementation complexity and the amount of computation, all messages can also share one white list that contains all known legal IDs.
In another embodiment, as shown in Fig. 11, the second detection module 640 includes:
A period judging unit 642, configured to judge whether the error between the period with which a message occurs and the message period of the security baseline exceeds a first predetermined value; if it exceeds the first predetermined value, a second anomalous event is considered to have occurred on the CAN bus.
Under normal circumstances, the period with which a periodic message occurs on the CAN bus is basically consistent with the message period in the security baseline, and the error generally does not exceed a threshold, for example 0.1 seconds. If the error exceeds the threshold, a second anomalous event can be considered to have occurred on the CAN bus. Specifically, the error can be calculated as follows: variance values are calculated between each of multiple actually measured periods of a message and the message period of the corresponding security baseline, and the expectation of these variance values is taken as the calculated error. Alternatively, the average message period is calculated from multiple measured message periods of the same ID, a measured variance is calculated from the measured values and the average, and the difference between the measured variance and the variance of the security baseline is taken as the calculated error.
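The two CAN-bus checks of the second detection module (white list unit 641 and period judging unit 642), as an added Python example that is not part of the patent text. It uses the shared white list option and the first error formula, read here as the mean squared deviation of the measured periods from the baseline period; that reading, the frame data, the IDs, the millisecond units and the value of the first predetermined value are all assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: (arrival time in ms, message ID) as seen on the CAN bus.
FRAMES = [
    (0, 0x1A0), (0, 0x2B0), (100, 0x1A0), (120, 0x7FF), (150, 0x1A0),
    (200, 0x1A0), (200, 0x2B0), (250, 0x1A0), (300, 0x1A0), (400, 0x2B0),
]
WHITELIST = {0x1A0, 0x2B0}                # shared white list of known legal IDs
BASELINE_MS = {0x1A0: 100, 0x2B0: 200}    # security-baseline period per ID
MAX_ERROR = 100.0                         # first predetermined value, in ms^2


def period_error(arrivals_ms, baseline_ms):
    """Mean squared deviation of the measured periods from the baseline period."""
    periods = [later - earlier for earlier, later in zip(arrivals_ms, arrivals_ms[1:])]
    if not periods:
        return 0.0                        # fewer than two frames: nothing to measure
    return mean([(p - baseline_ms) ** 2 for p in periods])


def second_anomalous_events(frames, whitelist, baseline_ms, max_error):
    """Return (time_ms, message_id, reason) for each anomalous event found."""
    events = []
    arrivals = defaultdict(list)
    for t_ms, msg_id in frames:
        if msg_id not in whitelist:       # white list unit 641
            events.append((t_ms, msg_id, "id-not-in-whitelist"))
            continue
        arrivals[msg_id].append(t_ms)
    for msg_id, times in arrivals.items():   # period judging unit 642
        if msg_id in baseline_ms and period_error(times, baseline_ms[msg_id]) > max_error:
            events.append((times[-1], msg_id, "period-deviates-from-baseline"))
    return sorted(events)


if __name__ == "__main__":
    for event in second_anomalous_events(FRAMES, WHITELIST, BASELINE_MS, MAX_ERROR):
        print(event)
```

The timestamps of the returned events are what the analysis module would then place into sub-time windows as second anomalous events.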
The analysis module 660 is configured to analyze the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event.
If an anomalous event appears in the IVI system alone or in the CAN bus alone, the cause may be an intrusion into the vehicle, but it may also be a misjudgement by the system. If, however, anomalous events appear in both systems and show an obvious correlation in time, that is, the correlation is higher than a certain threshold, it can be asserted that the vehicle has been invaded.
In one embodiment, to reduce the amount of computation, the analysis module 660 can choose a time window and, within that time window, analyze the correlation between the time of occurrence of the first anomalous event and the time of occurrence of the second anomalous event. The length of the time window can be set according to the real-time requirement, according to system load, or according to a user-set percentage of system resources to occupy; for example, it can be set to 5 seconds.
In one embodiment, the time window is preferably a sliding time window.
In one embodiment, the correlation can be determined using the ratio judgement method. As shown in Fig. 12, in this embodiment, the analysis module 660 includes:
A division unit 661a, configured to divide the time window into a second predetermined value of sub-time windows.
The second predetermined value is greater than 1, and its size is related to the length of the time window: in general, the longer the time window, the larger the second predetermined value. The size of the second predetermined value is also related to the accuracy of the method: the larger the second predetermined value, that is, the more sub-time windows the time window is divided into, the higher the accuracy of the method and the lower the probability of false detection. Generally, when the time window is 5 seconds, the second predetermined value can for example be set to 25, so that each sub-time window is 0.2 seconds long.
A statistic unit 662a, configured to traverse each sub-time window and count the occurrences of the first anomalous event and the second anomalous event:
In the sub-time window currently being counted, if the first anomalous event and the second anomalous event both occur, the first count increases by 1 and the second count increases by 1;
If neither the first anomalous event nor the second anomalous event occurs, the first count increases by 1 and the second count is unchanged;
If only one of the first anomalous event and the second anomalous event occurs, the first count and the second count are both unchanged;
The initial values of the first count and the second count are zero.
In the statistic unit 662a, the first count reflects the synchronism of the first anomalous event and the second anomalous event. Therefore, when the first anomalous event and the second anomalous event both occur or both do not occur in a given sub-time window, the first count increases by 1, and when only one of them occurs in that sub-time window, the first count is unchanged.
The second count reflects the number of times the first anomalous event and the second anomalous event both occur within one sub-time window. Therefore, the second count increases by 1 only when both classes of anomalous event occur, and is unchanged in all other cases.
Specifically, let the first count be X and the second count be Y, with the initial values of X and Y both 0. Assume the number of sub-time windows is 10.
Assume that in the 1st sub-time window neither the first anomalous event nor the second anomalous event occurs; X then increases by 1 and is updated to 1, and Y remains 0.
Assume next that in the 2nd sub-time window neither the first anomalous event nor the second anomalous event occurs; X then increases by 1 and is updated to 2, and Y remains 0.
Assume next that in the 3rd sub-time window the first anomalous event and the second anomalous event both occur; X then increases by 1 and is updated to 3, and Y increases by 1 and is updated to 1.
Assume next that in the 4th sub-time window the first anomalous event occurs and the second anomalous event does not; X remains 3 and Y remains 1.
Assume next that in the 5th sub-time window the first anomalous event does not occur and the second anomalous event occurs; X remains 3 and Y remains 1.
Assume next that in the 6th sub-time window the first anomalous event occurs and the second anomalous event does not; X remains 3 and Y remains 1.
Assume next that in the 7th sub-time window the first anomalous event does not occur and the second anomalous event occurs; X remains 3 and Y remains 1.
Assume next that in the 8th sub-time window the first anomalous event occurs and the second anomalous event does not; X remains 3 and Y remains 1.
Assume next that in the 9th sub-time window the first anomalous event and the second anomalous event both occur; X then increases by 1 and is updated to 4, and Y increases by 1 and is updated to 2.
Assume next that in the 10th sub-time window the first anomalous event does not occur and the second anomalous event occurs; X remains 4 and Y remains 2. The final values of X and Y are the statistical values of the first count and the second count.
One determination unit 663a determines the phase for counting the statistical value counted with described second according to described first Guan Xing.
In one embodiment, in the case where the statistical value non-zero that described second counts, described first is counted The typical value of statistical value and the ratio of the second predetermined value as the correlation.Continue above-mentioned it is assumed that described first counts Statistical value i.e. the end value of X be 4, the end value of the described second statistical value counted i.e. Y are 2, and described second is pre- Definite value N is 10, is R so as to obtain the typical value of the correlation1=4/10=0.4.
It will be appreciated by those skilled in the art that if the second predetermined value remains unchanged (such as the length of the time window Immobilize and the requirement of accuracy immobilize), in the determination unit 663a, it can also be counted described second In the case where statistical value non-zero, the statistical value that described first is counted is as the typical value of the correlation.
In another embodiment, the correlation can be determined using a period judgment method. As shown in Figure 13, in this embodiment the analysis module 660 includes:
A division unit 661b, for dividing the time window into a number of sub-time windows equal to the second predetermined value.
The division unit 661b can be identical to the division unit 661a and is not described again.
A first determination unit 662b, for determining, based on the sub-time windows, a first occurrence period of each class of anomalous event among the first anomalous events.
In this unit, the first anomalous events first need to be classified, to determine the different classes of first anomalous event. The classification can be based on the triggering cause and/or the triggering device of the corresponding event. For example, the first anomalous events can simply be divided into the following four classes: a virus-carrying file detected in the file system; installation of software without official permission detected; unauthorized permission access detected; and a user login with an incorrect password detected.
The occurrence period of each class of first anomalous event, i.e. the first occurrence period, is then counted. The first occurrence period is expressed as a number of sub-time windows, for example 3 sub-time windows. If there is more than one first occurrence period, this step actually yields a list of first occurrence periods, which can be denoted the first period list.
A second determination unit 663b, for determining, based on the sub-time windows, a second occurrence period of each class of anomalous event among the second anomalous events.
In this unit, the second anomalous events need to be classified; this classification can also be based on the triggering cause and/or the triggering device of the corresponding event. For example, the second anomalous events can simply be divided into the following classes: a device detected sending a data packet whose payload data is abnormal (each device on the CAN bus corresponds to one class of anomalous event); and a message with an abnormal repetition frequency detected.
The occurrence period of each class of second anomalous event, i.e. the second occurrence period, is then counted. The second occurrence period is also expressed as a number of sub-time windows. If there is more than one second occurrence period, this step actually yields a list of second occurrence periods, which can be denoted the second period list.
A third determination unit 664b, for determining the correlation according to the first occurrence periods and the second occurrence periods.
In one embodiment, the third determination unit 664b can determine the correlation according to the number of pairs of identical first and second occurrence periods: the more pairs, the higher the correlation.
For example, suppose the initial number of pairs is 0; the first occurrence periods comprise A period values, which can be regarded as a first period list containing A period values; the second occurrence periods comprise B period values, which can be regarded as a second period list containing B period values; and A is less than B. Each of the A period values in the first period list can then be compared in turn with the B period values: if an identical value exists, the number of pairs increases by 1; otherwise the number of pairs is unchanged. After the A period values have been traversed in turn, the resulting number of pairs is the number of pairs of identical first and second occurrence periods. Assume that this number is finally S.
In one embodiment, S can be used directly as the representative value of the correlation. Alternatively, the number of types of the first anomalous events and the second anomalous events, T = (A+B)/2, can also be taken into account, and the ratio S/T used as the representative value R2 of the correlation.
Those skilled in the art will understand that the first and second occurrence periods need not be calculated from the sub-time windows; they can of course also be calculated from the absolute occurrence times of the first and second anomalous events. However, because absolute occurrence times are overly precise, results calculated from them often fail to reflect the correlation. Experiments show that, in the above embodiment, determining the occurrence periods based on the sub-time windows improves the tolerance of the method: anomalous events of the same kind whose occurrence periods were originally only close are counted as anomalous events with the same occurrence period, and the final result better reflects the correlation.
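The period comparison described above, as an added Python example that is not part of the patent. The way a period is derived from the events (the most common gap between occupied sub-time windows), the function names and the sample timestamps are assumptions made for illustration; the 1 s resolution stands in for calculating from near-absolute occurrence times.

```python
from collections import Counter

def occurrence_period(timestamps, window_start, sub_len):
    """Occurrence period of one event class, in sub-time windows.

    Assumption (not from the patent): the period is the most common gap
    between consecutive sub-time windows in which the class occurred;
    ties go to the smaller gap. Returns None if there is no gap.
    """
    idx = sorted({int((t - window_start) // sub_len) for t in timestamps})
    gaps = Counter(b - a for a, b in zip(idx, idx[1:]))
    if not gaps:
        return None
    top = max(gaps.values())
    return min(g for g, c in gaps.items() if c == top)

def period_list(events_by_class, window_start, sub_len):
    """One period value per event class that recurs inside the window."""
    periods = (occurrence_period(ts, window_start, sub_len)
               for ts in events_by_class.values())
    return [p for p in periods if p is not None]

def period_correlation(first_periods, second_periods):
    """R2 = S / T: S identical pairs, T = (A + B) / 2."""
    short, long_ = sorted((first_periods, second_periods), key=len)
    s = sum(1 for p in short if p in long_)   # traverse the shorter list
    t = (len(first_periods) + len(second_periods)) / 2
    return s / t if t else 0.0

# Constructed sample: event times in seconds inside one 100 s window.
IVI_EVENTS = {
    "unauthorized_access": [3, 32, 61, 93],
    "wrong_password_login": [12, 55],
}
CAN_EVENTS = {
    "abnormal_payload_device_a": [8, 39, 68, 99],
    "abnormal_payload_device_b": [21, 41, 62, 84],
    "abnormal_repeat_rate": [5, 75],
}

def r2(sub_len):
    """R2 for the sample events at a given sub-time window length."""
    return period_correlation(period_list(IVI_EVENTS, 0, sub_len),
                              period_list(CAN_EVENTS, 0, sub_len))

if __name__ == "__main__":
    # 10 s sub-time windows: period lists [3, 4] and [3, 2, 7] share one value.
    print("10 s sub-time windows:", r2(10))
    # 1 s resolution: period lists [29, 43] and [31, 20, 70] share none.
    print("1 s resolution:", r2(1))
```

With 10 s sub-time windows the IVI and CAN events that recur roughly every 30 s are counted as having the same period; at 1 s resolution the same events no longer match.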
In another embodiment, the correlation can be determined using a probability distribution method. As shown in Figure 14, in this embodiment the analysis module 660 specifically includes:
A division unit 661c, for dividing the time window into a number of sub-time windows equal to the second predetermined value.
The division unit 661c can be identical to the division unit 661a and is not described again.
A first statistic unit 662c, for obtaining, from the number of occurrences of the first anomalous event in each sub-time window, a first distribution law of the first anomalous event in the time window.
The first distribution law is the sequence of occurrence counts of the first anomalous event within the time window, in chronological order. For example, assume the number of sub-time windows is 10 and the occurrence counts of the first anomalous event in the 1st to the 10th sub-time windows are, in turn, 0, 1, 3, 5, 2, 1, 7, 1, 0, 0; the first distribution law can then be expressed as the count sequence [0,1,3,5,2,1,7,1,0,0].
A second statistic unit 663c, for obtaining, from the number of occurrences of the second anomalous event in each sub-time window, a second distribution law of the second anomalous event in the time window.
Similarly, by counting the occurrences of the second anomalous event in each sub-time window, the sequence of occurrence counts of the second anomalous event within the time window can be obtained. Assuming the occurrence counts of the second anomalous event in the 1st to the 10th sub-time windows are, in turn, 0, 0, 0, 1, 3, 5, 2, 1, 7, 2, the count sequence expressing the second distribution law is [0,0,0,1,3,5,2,1,7,2].
A determination unit 664c, for determining the correlation according to the first distribution law and the second distribution law.
In this unit, the correlation between the first distribution law and the second distribution law can be determined from the distance D between the count sequences corresponding to the two distribution laws. The distance D can be, for example, the Minkowski distance or the dynamic time warping distance. Through processing such as normalization, the distance D can be made to take values in the interval [0,1]. The representative value of the correlation can then be set to R3 = 1-D; clearly, the larger the value of R3, the higher the correlation.
The determining module 680, for determining the risk that the vehicle is invaded according to the correlation.
In this module, the correlation can be compared with a threshold: if it is higher than the threshold, it can be determined that the vehicle is at risk of intrusion; otherwise, there is no risk of intrusion.
In one embodiment, the threshold can be set directly to 0: for any of the three methods of determining the correlation described above, as long as the representative value of the correlation is higher than 0, the vehicle is at risk of intrusion; otherwise, if the representative value of the correlation is 0, the vehicle is not at risk of intrusion.
In another embodiment, multiple thresholds can be set, so that different grades of intrusion risk can be determined.
For example, when the representative value R1 of the correlation is determined by the ratio judgment method, a first threshold 0, a second threshold 0.3 and a third threshold 0.7 can be set. Correspondingly, if R1 is 0, the vehicle is not at risk of intrusion; if R1 is between 0 and 0.3, there is a low-level intrusion risk; if R1 is between 0.3 and 0.7, there is an intermediate intrusion risk; if R1 is between 0.7 and 1, there is a high-level intrusion risk.
As another example, when the representative value R2 of the correlation is determined by the period judgment method, a first threshold 0, a second threshold 0.3 and a third threshold 0.7 can also be set. Correspondingly, if R2 is 0, the vehicle is not at risk of intrusion; if R2 is between 0 and 0.3, there is a low-level intrusion risk; if R2 is between 0.3 and 0.7, there is an intermediate intrusion risk; if R2 is between 0.7 and 1, there is a high-level intrusion risk.
Similarly, when the representative value R3 of the correlation is determined by the probability distribution method, a first threshold 0, a second threshold 0.3 and a third threshold 0.7 can also be set. Correspondingly, if R3 is 0, the vehicle is not at risk of intrusion; if R3 is between 0 and 0.3, there is a low-level intrusion risk; if R3 is between 0.3 and 0.7, there is an intermediate intrusion risk; if R3 is between 0.7 and 1, there is a high-level intrusion risk.
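The probability distribution method and the graded thresholds, as an added Python example that is not part of the patent, run on the two count sequences given in the text. The normalization D = distance / (sum of both sequences), the treatment of an empty window as R3 = 0, the inclusive upper boundaries of each grade and all function names are assumptions made for illustration.

```python
def distribution(timestamps, window_start, window_len, n_sub):
    """Count sequence: occurrences in each of n_sub equal sub-time windows."""
    counts = [0] * n_sub
    sub_len = window_len / n_sub
    for ts in timestamps:
        i = int((ts - window_start) // sub_len)
        if 0 <= i < n_sub:              # drop events outside the window
            counts[i] += 1
    return counts

def manhattan(a, b):
    """Minkowski distance of order 1 between two count sequences."""
    return sum(abs(x - y) for x, y in zip(a, b))

def dtw(a, b):
    """Dynamic time warping distance with |x - y| as the local cost."""
    inf = float("inf")
    d = [[inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    d[0][0] = 0
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            d[i][j] = abs(x - y) + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[-1][-1]

def r3(a, b, distance):
    """R3 = 1 - D, with D normalized into [0, 1].

    Assumption: D = distance / (sum(a) + sum(b)). For equal-length,
    non-negative count sequences both distances above are bounded by
    that sum. A window with no events on either side yields 0.
    """
    total = sum(a) + sum(b)
    if total == 0:
        return 0.0
    return 1 - distance(a, b) / total

def risk_level(r):
    """Grades for thresholds 0, 0.3 and 0.7 (upper bounds inclusive: assumption)."""
    if r <= 0:
        return "none"
    if r <= 0.3:
        return "low"
    if r <= 0.7:
        return "intermediate"
    return "high"

# Count sequences taken from the text (10 sub-time windows).
FIRST = [0, 1, 3, 5, 2, 1, 7, 1, 0, 0]    # IVI system
SECOND = [0, 0, 0, 1, 3, 5, 2, 1, 7, 2]   # CAN bus

if __name__ == "__main__":
    for name, dist in (("Minkowski p=1", manhattan), ("DTW", dtw)):
        r = r3(FIRST, SECOND, dist)
        print(f"{name}: distance={dist(FIRST, SECOND)} "
              f"R3={r:.3f} risk={risk_level(r)}")
```

The second sequence is essentially the first one delayed by two sub-time windows, so the point-by-point Minkowski distance grades the pair as intermediate while dynamic time warping, which tolerates the lag, grades it as high.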
One structure of the device of an embodiment of the present invention is shown in Figure 15. The specific embodiments of the present invention do not limit the specific implementation of the device. Referring to Figure 15, the device 1500 may include:
A processor 1510, a communications interface 1520, a memory 1530 and a communication bus 1540. Wherein:
The processor 1510, the communications interface 1520 and the memory 1530 communicate with one another through the communication bus 1540.
The communications interface 1520 is used for communicating with a server.
The processor 1510 is used for executing a program 1532, and can specifically perform the relevant steps in the method embodiment shown in Figure 1.
Specifically, the program 1532 may include program code, and the program code includes computer operation instructions.
The processor 1510 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 1530 is used for storing the program 1532. The memory 1530 may include high-speed RAM, and may also include non-volatile memory, for example at least one disk memory. The program 1532 can specifically perform the following steps:
Detecting a first anomalous event in the IVI system of the vehicle;
Detecting a second anomalous event in the CAN bus of the vehicle;
Analyzing the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event;
Determining the risk that the vehicle is invaded according to the correlation.
For the specific implementation of each step in the program 1532, refer to the corresponding steps or modules in the above embodiments, which are not repeated here. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the device and modules described above can be found in the corresponding process descriptions in the foregoing method embodiments and are not repeated here.
Figure 16 is a schematic diagram of the distribution of the device in the vehicle in one embodiment. As shown in Figure 16, the device 600 can be arranged entirely in the IVI system 1610 of the vehicle 1600, and the IVI system 1610 and the CAN bus 1620 are connected in an inherent wired or wireless manner.
Figure 17 is a schematic diagram of the distribution of the device in the vehicle in another embodiment. As shown in Figure 17, in this embodiment there is no inherent connection between the IVI system 1610 and the CAN bus 1620. The first detection module 620, the analysis module 660 and the determining module 680 of the device 600 are arranged in the IVI system 1610 of the vehicle 1600, and the second detection module 640 is arranged in the CAN bus 1620. The first detection module 620 and the analysis module 660 are connected in a wired or wireless manner.
Those of ordinary skill in the art will appreciate that the units and method steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled practitioners can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the present invention.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a controller, a network device, etc.) to execute all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are only used to illustrate the present invention and do not limit it. Those of ordinary skill in the relevant technical field can also make various changes and modifications without departing from the spirit and scope of the present invention, so all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention should be defined by the claims.

Claims (10)

1. A method for detecting the network intrusion risk of a vehicle, characterized in that the method comprises:
Detecting a first anomalous event in the IVI system of the vehicle;
Detecting a second anomalous event in the CAN bus of the vehicle;
Analyzing the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event;
Determining the risk that the vehicle is invaded according to the correlation.
2. The method according to claim 1, characterized in that analyzing the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event comprises:
Analyzing, within a time window, the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event.
3. The method according to claim 2, characterized in that the time window is a sliding time window.
4. The method according to claim 2 or 3, characterized in that analyzing, within a time window, the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event comprises:
Dividing the time window into a number of sub-time windows equal to a second predetermined value;
Obtaining, from the number of occurrences of the first anomalous event in each sub-time window, a first distribution law of the first anomalous event in the time window;
Obtaining, from the number of occurrences of the second anomalous event in each sub-time window, a second distribution law of the second anomalous event in the time window;
Determining the correlation according to the first distribution law and the second distribution law.
5. A device for detecting the network intrusion risk of a vehicle, characterized in that the device comprises:
A first detection module, for detecting a first anomalous event in the IVI system of the vehicle;
A second detection module, for detecting a second anomalous event in the CAN bus of the vehicle;
An analysis module, for analyzing the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event;
A determining module, for determining the risk that the vehicle is invaded according to the correlation.
6. The device according to claim 5, characterized in that the analysis module is for analyzing, within a time window, the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event.
7. The device according to claim 6, characterized in that the analysis module comprises:
A division unit, for dividing the time window into a number of sub-time windows equal to a second predetermined value;
A first statistic unit, for obtaining, from the number of occurrences of the first anomalous event in each sub-time window, a first distribution law of the first anomalous event in the time window;
A second statistic unit, for obtaining, from the number of occurrences of the second anomalous event in each sub-time window, a second distribution law of the second anomalous event in the time window;
A determination unit, for determining the correlation according to the first distribution law and the second distribution law.
8. The device according to claim 7, characterized in that the determination unit is for determining the representative value of the correlation according to the distance between the count sequence corresponding to the first distribution law and the count sequence corresponding to the second distribution law.
9. A device for detecting the network intrusion risk of a vehicle, characterized in that the device comprises:
A memory, for storing instructions;
A processor, for executing the instructions stored in the memory, the instructions causing the processor to perform the following operations:
Detecting a first anomalous event in the IVI system of the vehicle;
Detecting a second anomalous event in the CAN bus of the vehicle;
Analyzing the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event;
Determining the risk that the vehicle is invaded according to the correlation.
10. A computer-readable storage medium storing a computer program, characterized in that the computer program causes a computer to perform the following method:
Detecting a first anomalous event in the IVI system of the vehicle;
Detecting a second anomalous event in the CAN bus of the vehicle;
Analyzing the correlation between the occurrence time of the first anomalous event and the occurrence time of the second anomalous event;
Determining the risk that the vehicle is invaded according to the correlation.
CN201810838190.2A 2018-07-27 2018-07-27 Method and device for detecting network intrusion risk of vehicle Active CN109150847B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810838190.2A CN109150847B (en) 2018-07-27 2018-07-27 Method and device for detecting network intrusion risk of vehicle


Publications (2)

Publication Number Publication Date
CN109150847A true CN109150847A (en) 2019-01-04
CN109150847B CN109150847B (en) 2021-08-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant