CN109150847B

CN109150847B - Method and device for detecting network intrusion risk of vehicle

Info

Publication number: CN109150847B
Application number: CN201810838190.2A
Authority: CN
Inventors: 阚志刚; 彭建芬; 卢佐华; 陈彪
Original assignee: Beijing Bangcle Technology Co ltd
Current assignee: Beijing Bangcle Technology Co ltd
Priority date: 2018-07-27
Filing date: 2018-07-27
Publication date: 2021-08-17
Anticipated expiration: 2038-07-27
Also published as: CN109150847A

Abstract

The application provides a method and a device for detecting network intrusion risks of vehicles, and relates to the field of network security. The method comprises the following steps: detecting a first anomalous event in an IVI system of the vehicle; detecting a second abnormal event on a CAN bus of the vehicle; analyzing a correlation between the occurrence time of the first exceptional event and the occurrence time of the second exceptional event; and determining the risk of the vehicle being invaded according to the correlation. The method detects abnormal events of the IVI system and the CAN bus respectively, compares the correlation of the two abnormal events in the occurrence time, and the higher the correlation is, the higher the risk of the vehicle being invaded is, thereby providing a simple and easy method for determining the risk of the vehicle being invaded.

Description

Method and device for detecting network intrusion risk of vehicle

Technical Field

The present application relates to the field of network security, and in particular, to a method and an apparatus for detecting a network intrusion risk of a vehicle.

Background

With the development of vehicle intelligence, especially the development of internet automobiles, the programming and remote control of vehicle-mounted components become a new trend, and more appear on the market. The trend of intellectualization and internetworking brings convenience to users and brings new intrusion opportunities to hackers. And because of the value and maneuverability of the vehicle itself, the intrusion will incur greater losses and risks than a personal computer. How to judge whether a vehicle is invaded by a hacker, how to avoid the invasion and how to handle the invasion is a problem which needs to be solved urgently at present.

An IVI (In-Vehicle Infotainment) system is a Vehicle-mounted comprehensive information processing system formed by adopting a Vehicle-mounted special central processing unit and based on a Vehicle body bus system and internet services. The IVI can realize a series of applications including three-dimensional navigation, real-time road conditions, IPTV (interactive network television), auxiliary driving, fault detection, vehicle information, vehicle body control, mobile office, wireless communication, online-based entertainment functions, TSP (automobile remote service provider) service and the like, and greatly improves the vehicle electronization, networking and intelligence levels.

The CAN (Controller Area Network) bus was developed by BOSCH (BOSCH) germany, well known for the development and production of automotive electronics, and finally became ISO 11898, one of the most widely used field buses internationally. In north america and western europe, the CAN bus protocol has become the standard bus for automotive computer control systems and embedded industrial control area networks, and possesses the J1939 protocol designed for large trucks and heavy work machinery vehicles with CAN as the underlying protocol.

Typically, the gateway is connected to a CAN bus. If an attacker obtains the root authority of gateway connection equipment, such as the authority of cid (center Information display) of tesla, the attacker further attacks the gateway and the vehicle intranet system, bypasses integrity check, writes an Electronic Control Unit (ECU) firmware, attacks the Control ECU, and CAN send data to the CAN network.

Disclosure of Invention

The purpose of this application is: a method and apparatus for detecting a risk of network intrusion of a vehicle is provided to address at least one of the above-mentioned problems.

In order to solve the above technical problem, in a first aspect, the present application provides a method for detecting a network intrusion risk of a vehicle, where the method includes:

detecting a first anomalous event in an IVI system of the vehicle;

detecting a second abnormal event on a CAN bus of the vehicle;

analyzing a correlation between the occurrence time of the first exceptional event and the occurrence time of the second exceptional event;

and determining the risk of the vehicle being invaded according to the correlation.

In a second aspect, the present application provides an apparatus for detecting a risk of network intrusion of a vehicle, the apparatus comprising:

a first detection module for detecting a first abnormal event in an IVI system of the vehicle;

the second detection module is used for detecting a second abnormal event on a CAN bus of the vehicle;

the analysis module is used for analyzing the correlation between the occurrence time of the first abnormal event and the occurrence time of the second abnormal event;

and the determining module is used for determining the risk of the vehicle being invaded according to the correlation.

In a third aspect, an apparatus for detecting a risk of network intrusion of a vehicle is provided, the apparatus comprising:

a memory for storing instructions;

a processor to execute the memory-stored instructions, the instructions to cause the processor to:

detecting a first anomalous event in an IVI system of the vehicle;

detecting a second abnormal event on a CAN bus of the vehicle;

In a fourth aspect, there is provided a computer-readable storage medium storing a computer program for causing a computer to execute the method of:

detecting a first anomalous event in an IVI system of the vehicle;

detecting a second abnormal event on a CAN bus of the vehicle;

According to the method and the device, the abnormal events of the IVI system and the CAN bus are respectively detected, the correlation of the two abnormal events in the occurrence time is compared, and the higher the correlation is, the higher the risk of the vehicle being invaded is, so that the method for simply and easily determining the risk of the vehicle being invaded is provided.

Drawings

FIG. 1 is a flow chart of a method for detecting a risk of network intrusion for a vehicle according to an embodiment of the present invention;

FIG. 2 is a flow chart of a method of determining the correlation in one embodiment of the invention;

FIG. 3 is a flow chart of a method of determining the correlation in another embodiment of the present invention;

FIG. 4 is a flow chart of a method of determining the correlation in another embodiment of the present invention;

FIG. 5 is a diagram illustrating the corresponding points of two sequences in calculating the dynamic time warping distance in one embodiment of the present invention;

FIG. 6 is a block diagram illustrating an exemplary embodiment of an apparatus for detecting a risk of network intrusion of a vehicle;

FIG. 7 is a block diagram of a first detection module according to an embodiment of the present invention;

FIG. 8 is a block diagram of a first detecting module according to another embodiment of the present invention;

FIG. 9 is a schematic block diagram of a first detecting module according to another embodiment of the present invention;

FIG. 10 is a block diagram of a second detection module according to an embodiment of the present invention;

FIG. 11 is a block diagram of a second detecting module according to another embodiment of the present invention;

FIG. 12 is a block diagram of an analysis module according to an embodiment of the present invention;

FIG. 13 is a block diagram of an analysis module according to another embodiment of the present invention;

FIG. 14 is a block diagram of an analysis module according to another embodiment of the present invention;

fig. 15 is a schematic structural diagram of an apparatus for detecting a network intrusion risk of a vehicle according to another embodiment of the present invention;

FIG. 16 is a schematic view of the distribution of the device in the vehicle according to one embodiment;

fig. 17 is a schematic view showing a distribution structure of the device in the vehicle in another embodiment.

Detailed Description

The following describes the embodiments of the present invention in further detail with reference to the drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.

Those skilled in the art will understand that, in the embodiment of the present invention, the sequence numbers of the following steps do not mean the execution sequence, and the execution sequence of the steps should be determined by their functions and inherent logic, and should not constitute any limitation on the implementation process of the embodiment of the present invention.

In addition, the terms "first", "second", etc. in the present invention are only used for distinguishing different steps, devices or modules, etc., and do not represent any specific technical meaning or necessarily logical order therebetween.

The present invention provides a method for detecting a network intrusion risk of a vehicle, as shown in fig. 1, the method includes:

s120: detecting a first anomalous event in an IVI system of the vehicle;

s140: detecting a second abnormal event on a CAN bus of the vehicle;

s160: analyzing a correlation between the occurrence time of the first exceptional event and the occurrence time of the second exceptional event;

s180: and determining the risk of the vehicle being invaded according to the correlation.

According to the method, the abnormal events of the IVI system and the CAN bus are respectively detected, the correlation of the two abnormal events in the occurrence time is compared, and the higher the correlation is, the higher the risk of the vehicle being invaded is, so that the method for determining the risk of the vehicle being invaded is simple and easy to implement.

The functions of each step of the method will be described in detail below with reference to the accompanying drawings and detailed description.

S120: a first anomalous event in an IVI system of the vehicle is detected.

The first exception event is an exception event of the IVI system. During research, the inventor finds that the intrusion of a hacker to a vehicle is generally realized by a virus or a trojan horse program. When there is an intrusion, the IVI system of the vehicle often appears as an abnormal start of a process, an abnormal access of a file or a port, and the like. Therefore, the method and the device can perform corresponding detection to identify the abnormal event of the IVI system.

In one embodiment, the step S120 may include:

s120 a: and judging whether the IVI system of the vehicle is infected with the virus or not by comparing with a virus library, and if so, considering that the IVI system has a first abnormal event.

The virus library may be obtained from a network server, such as a server of some antivirus software provider. The judgment of whether the virus is infected can be realized by referring to the mature computer virus detection technology at present.

In another embodiment, the step S120 may include:

s120 b: and judging whether the network behavior of the IVI system of the vehicle is abnormal or not by contrasting a network behavior abnormal mode library, and if so, considering that a first abnormal event occurs in the IVI system.

Similar to the above embodiment, the network behavior abnormal pattern library may be obtained from a network server, and further, by comparing the network behaviors of the current IVI system, it is determined whether there is an abnormal network behavior.

In another embodiment, the step S120 may include:

s120 d: and judging whether an application program with unsatisfactory safety exists in the IVI system of the vehicle, and if so, determining that a first abnormal event occurs in the IVI system.

In this embodiment, for example, the non-secure application library may be obtained from a network server, and then compared with the currently running application, it may be determined whether there is an application running with unsatisfactory security.

However, with the above-described comparison, security risks may still exist due to the updating of applications and the constant emergence of new applications. Therefore, in one embodiment, the step S120 further includes:

s120 c: and judging the safety of the application program according to the software function description of the application program and the authority applied or used by the application program.

The authority in the computer system can be roughly divided into user space authority and equipment space authority, and an application program installed by a user only needs the user space authority under a normal condition and does not need the equipment space authority. Generally, the functions of an application and the rights to be applied or used correspond to each other, for example, a map program often applies access rights to a positioning result. An application may be considered insecure if its functionality is significantly unrelated to, or significantly outside the required scope of, its application's rights to be applied or used. For example, for a malicious application ZNIU, a "dirty cow" (DirtyCow) security vulnerability is used to obtain a right (subscription right) of a device space, and a value-added service is automatically subscribed in the background, which brings expense consumption to a user.

S140: detecting a second abnormal event on a CAN bus of the vehicle.

The CAN bus is a field bus widely applied to vehicles, and sensors and controllers of the vehicles are interconnected through the CAN bus. Therefore, when the vehicle is invaded, an abnormal event may occur on the CAN bus, such as an abnormal message transmission frequency on the vehicle or an abnormal message content. The second exception event is an exception event on the CAN bus.

In one embodiment, the step S140 may include:

s140 a: and judging whether the ID (identification) of the message transmitted on the CAN bus of the vehicle is in a white list or not, and if not, considering that a second abnormal event occurs on the CAN bus.

The ID of the message corresponds to the receiving equipment of the message, and if the ID of a certain message is not in the white list, the message is shown to have a great risk of being an attack message from the outside, so the message is an abnormal event on the CAN bus. The white list is preferably a white list corresponding to the message, that is, each message has a corresponding white list, thereby improving the security. Of course, in order to reduce the implementation complexity and the computation load, all messages may share a white list, which includes all known legal IDs.

In another embodiment, the step S140 may include:

s140 b: and judging whether the error between the period of a message and the period of the message of the safety baseline exceeds a first preset value, and if the error exceeds the first preset value, considering that a second abnormal event occurs on the CAN bus.

The message period of the safety baseline refers to the appearance period of a certain message obtained by detection or theoretical calculation when the system is in a safe state (or considered as a safe state). Some messages appear on the CAN bus and present periodicity, such as messages of engine rotation, and some messages appear without periodicity, and are carried out in an event type transmission mode, such as diagnosis and network management messages. The implementation is mainly based on those messages with periodicity.

Normally, the period of the periodic message of the CAN bus is substantially consistent with the message period of the security baseline, and the error of the period of the periodic message of the CAN bus does not exceed a threshold value, such as 0.1 second. If the error range exceeds the threshold, a second exception event on the CAN bus may be deemed to have occurred. Specifically, for the calculation of the error, the following may be made: calculating variance values of a plurality of measured periods of a certain message and the message periods of the corresponding safety baselines respectively, and then taking the expectation of the variance values as the calculation result of the error; or, calculating a period average value of the messages according to a plurality of message period measured values of the same ID, then calculating an actual measured variance value according to the measured values and the average value, and taking the difference between the actual measured variance value and the variance of the safety baseline as a calculation result of the error.

S160: and analyzing the correlation between the occurrence time of the first abnormal event and the occurrence time of the second abnormal event.

If an abnormal event occurs on the IVI system or the CAN bus alone, it may be caused by misjudgment of the system on the intrusion in addition to the intrusion of the vehicle. However, if both systems are experiencing an abnormal event and show significant correlation in time, or the correlation is above a certain threshold, then it may be declared that the vehicle has been intruded.

In one embodiment, to reduce the amount of computation, a time window may be selected and the correlation between the occurrence time of the first exceptional event and the occurrence time of the second exceptional event is analyzed within the time window. The length of the time window may be set according to the real-time requirement, or may also be set according to the system load, or may also be set according to the percentage of occupied system resources set by the user, for example, may be set to 5 seconds.

In one embodiment, the time window is preferably set as a sliding time window. In particular, it is assumed that a series of time slices of equal length extending indefinitely over time constitutes a sequence of time slices. Further assume that the sliding time window covers a second predetermined number of time segments, say 5. The sliding time window is slid one time segment back at each time of one time segment. The sequence numbers of the 5 time segments sequentially covered by the sliding time window according to the time sequence are as follows: 12345, 23456, 34567 … …. That is, as time passes, the sliding time window slides back when a new time slice is generated.

By using the sliding window, the system characteristic statistics can be carried out by using a time period with a proper length (namely the duration of the sliding time window), and the judgment can be carried out once after each time segment (namely the sensitivity of the system response) to determine whether to alarm or not. The length of the sliding time window can be flexibly adjusted in real time in order to better reflect the characteristics of the system, but the sensitivity of the system is maintained.

In one embodiment, a one-to-one decision may be used to determine the correlation. As shown in fig. 2, in this embodiment, the step S160 specifically includes:

s161 a: the time window is divided into second predetermined value sub-time windows.

Said second predetermined value is greater than 1, the size of which is related to the length of the above-mentioned time window, generally, the longer the time window, the greater said second predetermined value. On the other hand, the magnitude of the second predetermined value is also related to the accuracy of the method, and the larger the second predetermined value is, that is, the more the number of times the time window is divided into, the higher the accuracy of the method is, and the lower the probability of false detection is. In general, when the time window is 5 seconds, the second predetermined value may be set to 25, for example, that is, the length of each sub-time window is 0.2 seconds. In addition, when the time window is a sliding time window, the sub-time window is the above time slice.

S162 a: traversing each sub-time window, and counting the occurrence conditions of the first abnormal event and the second abnormal event:

in the currently counted sub-time window, if the first abnormal event and the second abnormal event both occur, the first count is increased by 1, the second count is increased by 1,

if neither the first nor the second exceptional event has occurred, the first count is incremented by 1, the second count is unchanged,

if only one of the first exception event and the second exception event occurs, neither the first count nor the second count is changed,

wherein the initial values of the first count and the second count are both zero.

In this step, the first count is a count reflecting synchronicity of the first exceptional event and the second exceptional event, and therefore, when both the first exceptional event and the second exceptional event occur or do not occur in a certain time window, the value of the first count is automatically increased by 1, and when only one of the first exceptional event and the second exceptional event occurs in a certain time window, the value of the first count is unchanged.

The second count reflects the number of times that the first and second exceptions occurred within a time window, and thus the second count is incremented by 1 only when both exceptions occur, and otherwise remains unchanged.

Specifically, assuming that the first count is X and the second count is Y, the initial values of X and Y are both 0. Assume that the number of sub-time windows is 10.

And if the first abnormal event and the second abnormal event do not occur in the 1 st sub-time window, increasing the number of the X by 1 and updating the X to be 1, and keeping the number of the Y to be 0.

Continuing to assume that in the 2 nd sub-time window, neither the first nor the second exception event has occurred, then X is incremented by 1 and updated to 2, and Y remains at 0.

And continuously assuming that the first abnormal event and the second abnormal event occur in the 3 rd sub-time window, increasing the X by 1 and updating to 3, and keeping the Y to be 1.

Continuing to assume that in the 4 th sub-time window, the first exception event occurred and the second exception event did not occur, then X remains at 3 and Y remains at 1.

Continuing to assume that in the 5 th sub-time window, the first exception event does not occur, and the second exception event occurs, then X remains at 3 and Y remains at 1.

Continuing to assume that in the 6 th sub-time window, the first exception event occurred, and the second exception event did not occur, then X remains at 3 and Y remains at 1.

Continuing to assume that in the 7 th sub-time window, the first exception event does not occur, and the second exception event occurs, then X remains at 3 and Y remains at 1.

Continuing to assume that in the 8 th sub-time window, the first exception event occurred, and the second exception event did not occur, then X remains at 3 and Y remains at 1.

And continuously assuming that the first abnormal event and the second abnormal event occur in the 9 th sub-time window, increasing X by 1 to update to 4, and increasing Y by 1 to update to 2.

Continuing to assume that in the 10 th sub-time window, the first exception event does not occur, and the second exception event occurs, then X remains at 4 and Y remains at 2. Wherein X and Y are statistical values of the first count and the second count at a final value.

S163 a: determining the correlation from the statistics of the first count and the second count.

In one embodiment, the step specifically includes, when the statistical value of the second count is not zero, taking a ratio of the statistical value of the first count and the second predetermined value as the representative value of the correlation. Continuing the above assumption, the statistical value of the first count, i.e., the final value of X, is 4, the statistical value of the second count, i.e., the final value of Y, is 2, and the second predetermined value N is 10, so that the representative value of the correlation can be obtained as R_-1＝4/10＝0.4。

It is understood by those skilled in the art that if the second predetermined value remains constant (for example, the length of the time window is constant and the requirement of accuracy is constant), in this step, the statistical value of the first count may also be used as the representative value of the correlation in the case where the statistical value of the second count is non-zero.

In addition, when the time window is a sliding time window, it may be set that the steps S161a to S163a are performed every predetermined time, which may be exactly the length of the sub-time window, that is, every time a sub-time window elapses, the sliding time window is slid forward by one sub-time window, while the steps S161a to S163a are performed once. Therefore, the risk detection result can well reflect the characteristics of the system and maintain the sensitivity of the system.

In another embodiment, a periodic decision method may be used to determine the correlation. As shown in fig. 3, in this embodiment, the step S160 specifically includes:

s161 b: the time window is divided into second predetermined value sub-time windows.

This step may be the same as the step S161a, and will not be described again.

S162 b: determining a first occurrence period for each type of exception event in the first exception event based on the sub-time windows.

In this step, first, the first abnormal events need to be classified, and first abnormal events of different categories are determined. The classification of the first exception event may be based on a trigger cause and/or trigger device of the respective event, and/or the like. For example, the first exception event may be simply classified into the following four categories: detecting the presence of a file with a virus in the file system, detecting the installation of unofficially licensed software, detecting unauthorized access to rights, detecting a user login with a wrong password entry.

And then counting the occurrence period of each type of first abnormal event, namely the first occurrence period. The first generation period is expressed in the number of the sub-time windows, for example, 3 sub-time windows. If there is more than one first generation cycle, this step may actually result in a list of said first generation cycles, which may be referred to as a first cycle list.

S163 b: determining a second period of occurrence for each of the second plurality of exceptions based on the sub-time window.

In this step, the second abnormal event needs to be classified first. The classification of the second abnormal event may also be based on a trigger cause and/or trigger means of the respective event, etc. For example, the second abnormal event may be simply classified into the following categories: and detecting a data packet with abnormal load data (each device corresponds to a type of abnormal event) sent by a certain device on the CAN bus and detecting a message with abnormal repetition frequency.

And then counting the occurrence period of each type of second abnormal event, namely the second occurrence period. The second generation period is also expressed in the number of sub-time windows. If there is more than one second generation period, this step may actually result in a list of said second generation periods, which may be referred to as the second period list.

S164 b: determining the correlation according to the first and second occurrence periods.

The abnormal events on the CAN bus CAN be caused by abnormal events in the IVI system, and when the intrusion behaviors exist, the abnormal events on the CAN bus and the occurrence cycles of the abnormal events in the IVI system show stronger correlation.

In one embodiment, this step may determine the correlation from the same logarithm of the first and second occurrence periods, the more the logarithm, the higher the correlation.

For example, if the initial log value is 0, the first generation cycle comprises a cycle values, may be considered as a first cycle list comprising a cycle values, the second generation cycle comprises B cycle values, may be considered as a second cycle list comprising B cycle values, assuming a is less than B, each of the a cycle values in the first cycle list may be compared to the B cycle values in turn, and if there is an identity, the log value is incremented by 1, otherwise the log value is unchanged. And after the A period values are traversed in sequence, the obtained logarithm value result is the logarithm of the same first generation period and the second generation period. It can be assumed that the logarithmic value ends up as S.

In one embodiment, S may be directly used to represent a representative value of the correlation. Alternatively, the type T of the first abnormal event and the type T of the second abnormal event may be considered in combination as (a + B)/2, and then the ratio S/T may be used as the representative value R of the correlation₂。

Those skilled in the art will appreciate that the calculation of the first occurrence period and the second occurrence period need not be based on the sub-time windows, but may of course be based on the absolute occurrence times of the first exceptional event and the second exceptional event. However, since it is too accurate, when the calculation is performed in terms of absolute occurrence time, the calculation result tends to be difficult to reflect the correlation. Experiments show that in the above embodiment, the occurrence period is determined based on the sub-time window, so that the tolerance of the method is improved, similar abnormal events with similar occurrence periods can be counted as abnormal events with the same occurrence period, and the final result can reflect the correlation better.

In another embodiment, the correlation may be determined using a probability distribution method. As shown in fig. 4, in this embodiment, the step S160 specifically includes:

s161 c: the time window is divided into second predetermined value sub-time windows.

This step may be the same as the step S161a, and will not be described again.

S162 c: and counting to obtain a first distribution law of the first abnormal event in each sub-time window according to the occurrence frequency of the first abnormal event in each sub-time window.

The first distribution law is a sequence of the occurrence times of the first abnormal events in the time window according to the time sequence. For example, assuming that the number of the sub-time windows is 10, and the number of occurrences of the first abnormal event in the sub-time windows from 1 st to 10 th is 0,1,3,5,2,1,7, 1,0,0, the first distribution law may be represented as a number sequence [0, 1,3,5,2,1,7, 1,0,0 ].

S163 c: and counting to obtain a second distribution law of the second abnormal event in each sub-time window according to the occurrence frequency of the second abnormal event in each sub-time window.

Similarly to the step S162c, by counting the occurrence number of the second abnormal event in each sub-time window, the sequence of the occurrence number of the second abnormal event in the time window can be obtained. Assuming that the number of occurrences of the second abnormal event in the sub-time windows from 1 st to 10 th is 0,0,0,1,3,5,2,1,7,2 in order, a number sequence [0,0,0,1,3,5,2,1,7, 2] representing the second distribution law can be obtained.

S164 c: and determining the correlation according to the first distribution law and the second distribution law.

In this step, the correlation between the first distribution law and the second distribution law may be determined according to the distance between the time series corresponding to the two distribution laws. The distance may e.g. be a minkowski distance or a dynamic time warping distance, etc. The smaller the distance, the higher the correlation. For simplicity, the present application only illustrates the calculation of the time series [0, 1,3,5,2,1,7, 1,0,0] and [0,0,0,1,3,5,2,1,7, 2] dynamic time warping distance.

For comparison with a threshold, the two order sequences are respectively normalized: the number of times over each sub-time window divided by the sum of the number of times of the entire sequence. After normalization processing, the value interval of the dynamic time warping distance finally obtained is [0, 1 ]. Similarly, when the distance is the minkowski distance, the value interval of the finally obtained minkowski distance is [0, 1] through similar processing.

[0,1,3,5,2,1,7,1,0,0]＝>[0,1/(1+3+5+2+1+7+1),3/20,5/20,…，0]＝>[0，0.0500,0.1500,0.2500,0.1000,0.0500,0.3500，0.0500,0,0]；

[0，0，0，1,3,5,2,1,7,2]＝>[0,0,0,1/21,3/21,…,2/21]＝>[0，0，0，0.0476，0.1429，0.2381,0.0952,0.0476,0.3333,0.0952]；

The corresponding points obtained by the dynamic time warping are shown in fig. 5.

The dynamic time warping distance is as follows:

D＝(0.05-0.0476)^2+(0.15-0.1429)^2+(0.25-0.2381)^2+(0.1-0.0952)^2+(0.05-0.0476)^2+(0.35-0.3333)^2+(0.05-0.0952)^2＝0.00254851

in one embodiment, the correlation may be represented by a value R₃1-D, apparently R₃The larger the value of (c), the higher the correlation.

In this step, the correlation may be compared with a threshold, and if the correlation is higher than the threshold, it may be determined that the vehicle is at risk of being intruded, otherwise, there is no risk of being intruded.

In one embodiment, the threshold may be directly set to 0, and for any one of the three methods of determining the correlation, the vehicle is at risk of being intruded as long as the representative value of the correlation is higher than 0; otherwise, if the representative value of the correlation is 0, the vehicle is not at risk of being invaded.

In another embodiment, the threshold may be set to a plurality of values, and different levels of intrusion risk may be determined.

For example, when the representative value R of the correlation is determined according to the ratio decision method₁Then, a first threshold value 0, a second threshold value 0.3, and a third threshold value 0.7 may be set, respectively. Correspondingly, if the representative value R of the correlation is₁0, the vehicle is not at risk of being intruded; if said R is₁Between 0 and 0.3, there is a low risk of invasion; if R is₁Between 0.3 and 0.7, there is a risk of intermediate intrusion; if R is₁Between 0.7 and 1, there is a high level of intrusion risk.

For another example, when the representative value R of the correlation is determined according to the period decision method₂In this case, the first threshold value 0, the second threshold value 0.3, and the third threshold value 0.7 may be set. Correspondingly, if the representative value R of the correlation is₂0, the vehicle is not at risk of being intruded; if said R is₂Between 0 and 0.3, there is a low risk of invasion; if R is₂Between 0.3 and 0.7, there is a risk of intermediate intrusion; if R is₂Between 0.7 and 1, there is a high level of intrusion risk.

Similarly, when the representative value R of the correlation is determined according to the probability distribution method₃In this case, the first threshold value 0, the second threshold value 0.3, and the third threshold value 0.7 may be set. Correspondingly, if the representative value R of the correlation is₃0, the vehicle is not at risk of being intruded; if said R is₃Between 0 and 0.3, there is a low risk of invasion; if R is₃Between 0.3 and 0.7, there is a risk of intermediate intrusion; if R is₂Between 0.7 and 1, there is a high level of intrusion risk.

In summary, in the method of the present application, a ratio decision method, a period decision method, or a probability distribution method may be used to analyze and determine a correlation between the occurrence time of the first abnormal event and the occurrence time of the second abnormal event, and according to the correlation, the risk of the vehicle being invaded may be determined, so that corresponding risk elimination processing, such as starting a antivirus program, may be performed according to the risk level or whether there is a risk.

In addition, the first exception event and the second exception event may exhibit other correlations in addition to temporal correlations when an intrusion is present. The person skilled in the art can develop new methods for detecting risks accordingly.

Fig. 6 is a schematic block diagram illustrating an apparatus for detecting a network intrusion risk of a vehicle according to the present application. As shown in fig. 6, the illustrated apparatus 600 includes:

a first detection module 620 for detecting a first abnormal event in an IVI system of the vehicle;

a second detection module 640 for detecting a second abnormal event on the CAN bus of the vehicle;

an analysis module 660 configured to analyze a correlation between the occurrence time of the first abnormal event and the occurrence time of the second abnormal event.

A determining module 680 configured to determine the risk of the vehicle being intruded based on the correlation.

The functions of the various modules are described in detail below with reference to the figures.

The first detecting module 620 is configured to detect a first abnormal event in an IVI system of the vehicle.

The first exception event is an exception event of the IVI system. During research, the inventor finds that the intrusion of a hacker to a vehicle is generally realized by a virus or a trojan horse program. Therefore, when there is an intrusion, the IVI system of the vehicle often appears as an abnormal start of a process, an abnormal access of a file or a port, and the like. Therefore, the method and the device can perform corresponding detection to identify the abnormal event of the IVI system.

In one embodiment, as shown in fig. 7, the first detection module 620 includes:

and a virus comparison unit 621, configured to compare a virus library to determine whether the IVI system of the vehicle is infected with a virus, and if so, consider that the IVI system has a first abnormal event.

In another embodiment, as shown in fig. 8, the first detection module 620 includes:

a mode comparing unit 622, configured to compare a network behavior abnormal mode library to determine whether the network behavior of the IVI system of the vehicle is abnormal, and if so, consider that the IVI system has a first abnormal event.

In another embodiment, as shown in fig. 9, the first detecting module 620 further includes:

an application determining unit 624 is configured to determine whether there is an application running in the IVI system of the vehicle that does not meet the safety requirement, and if so, consider that the IVI system has a first abnormal event.

However, with the above-described comparison, security risks may still exist due to the updating of applications and the constant emergence of new applications. Thus, in one embodiment, as shown in fig. 9, the first detection module 620 further includes:

and the security judgment unit 623 is used for judging the security of the application program according to the software function description of the application program and the authority applied or used by the application program.

The authority in the computer system can be roughly divided into user space authority and equipment space authority, and an application program installed by a user only needs the user space authority under a normal condition and does not need the equipment space authority. Generally, the functions of an application and the rights to be applied or used correspond to each other, for example, a map program often applies access rights to a positioning result. An application may be considered insecure if its functionality is significantly unrelated to, or significantly outside the required scope of, its application's rights to be applied or used.

The second detecting module 640 is configured to detect a second abnormal event on a CAN bus of the vehicle.

The CAN bus is a field bus widely applied to vehicles, and sensors and controllers of the vehicles are interconnected through the CAN bus. Therefore, when the vehicle is invaded, an abnormal event may occur on the CAN bus, such as an abnormal message transmission frequency or an abnormal message content on the vehicle. The second exception event is an exception event on the CAN bus.

In one embodiment, as shown in fig. 10, the second detection module 640 includes:

a white list unit 641, configured to determine whether an ID of a message transmitted on the CAN bus of the vehicle is in a white list, and if the ID is not in the white list, consider that a second abnormal event occurs on the CAN bus.

In another embodiment, as shown in fig. 11, the second detection module 640 includes:

a period determining unit 642, configured to determine whether an error between a period of a message and a message period of the security baseline exceeds a first predetermined value, and if the error exceeds the first predetermined value, consider that a second abnormal event occurs on the CAN bus.

The analysis module 660 is configured to analyze a correlation between the occurrence time of the first abnormal event and the occurrence time of the second abnormal event.

If an abnormal event occurs on the IVI system or the CAN bus alone, there is a possibility that a system misjudgment may be caused in addition to the intrusion of the vehicle. However, if both systems are experiencing an abnormal event and show significant correlation in time, or the correlation is above a certain threshold, then it may be declared that the vehicle has been intruded.

In one embodiment, to reduce the amount of computation, the analysis module 660 may select a time window and analyze the correlation between the occurrence time of the first abnormal event and the occurrence time of the second abnormal event within the time window. The length of the time window may be set according to the real-time requirement, or may also be set according to the system load, or may also be set according to the percentage of occupied system resources set by the user, for example, may be set to 5 seconds.

In one embodiment, the time window is preferably set as a sliding time window.

In one embodiment, a one-to-one decision may be used to determine the correlation. As shown in fig. 12, in this embodiment, the analysis module 660 includes:

a dividing unit 661a for dividing said time window into sub-time windows of a second predetermined value.

Said second predetermined value is greater than 1, the size of which is related to the length of the above-mentioned time window, generally, the longer the time window, the greater said second predetermined value. On the other hand, the magnitude of the second predetermined value is also related to the accuracy of the method, and the larger the second predetermined value is, that is, the more the number of times the time window is divided into, the higher the accuracy of the method is, and the lower the probability of false detection is. In general, when the time window is 5 seconds, the second predetermined value may be set to 25, for example, that is, the length of each sub-time window is 0.2 seconds.

A statistic unit 662a, configured to traverse each of the sub-time windows, and count occurrences of the first abnormal event and the second abnormal event:

In the statistical unit 662a, the first count is a count reflecting synchronicity of the first exceptional event and the second exceptional event, and therefore, when both the first exceptional event and the second exceptional event occur or do not occur within a certain time window, the value of the first count is automatically increased by 1, and when only one of the first exceptional event and the second exceptional event occurs within a certain time window, the value of the first count is unchanged.

A determining unit 663a, configured to determine the correlation according to the statistical value of the first count and the second count.

In one embodiment, in a case where the statistical value of the second count is non-zero, a ratio of the statistical value of the first count and the second predetermined value is used as the representative value of the correlation. Continuing the above assumption, the statistical value of the first count, i.e., the final value of X, is 4, the statistical value of the second count, i.e., the final value of Y, is 2, and the second predetermined value N is 10, so that the representative value of the correlation can be obtained as R₁＝4/10＝0.4。

It is understood by those skilled in the art that if the second predetermined value remains unchanged (e.g., the length of the time window is fixed and the requirement of accuracy is fixed), in the determining unit 663a, the statistical value of the first count may also be taken as the representative value of the correlation in the case where the statistical value of the second count is non-zero.

In another embodiment, a periodic decision method may be used to determine the correlation. As shown in fig. 13, in this embodiment, the analysis module 660 includes:

a dividing unit 661b for dividing said time window into second predetermined value sub-time windows.

The dividing unit 661b may be the same as the dividing unit 661a, and is not described in detail.

A first determining unit 662b, configured to determine a first occurrence period of each type of the first abnormal events based on the sub-time windows.

In this unit, first, the first abnormal events need to be classified, and first abnormal events of different categories are determined. The classification of the first exception event may be based on a trigger cause and/or trigger device of the respective event, and/or the like. For example, the first exception event may be simply classified into the following four categories: detecting the presence of a file with a virus in the file system, detecting the installation of unofficially licensed software, detecting unauthorized access to rights, detecting a user login with a wrong password entry.

A second determining unit 663b, configured to determine, based on the sub-time window, a second occurrence period of each type of exceptional event in the second exceptional events.

In this unit, the second abnormal event needs to be classified, and the classification of the second abnormal event may also be based on a trigger reason and/or a trigger device of the corresponding event. For example, the second abnormal event may be simply classified into the following categories: and detecting a data packet with abnormal load data (each device corresponds to a type of abnormal event) sent by a certain device on the CAN bus and detecting a message with abnormal repetition frequency.

A third determining unit 664b, configured to determine the correlation according to the first generating period and the second generating period.

In one embodiment, the third determining unit 664b may determine the correlation according to the same logarithm of the first and second occurrence periods, and the more the logarithm, the higher the correlation.

In another embodiment, the correlation may be determined using a probability distribution method. As shown in fig. 14, in this embodiment, the analysis module 660 specifically includes:

a dividing unit 661c for dividing said time window into second predetermined value sub-time windows.

The dividing unit 661c may be the same as the dividing unit 661a, and is not described in detail.

A first statistical unit 662c, configured to obtain a first distribution law of the first abnormal event in each of the sub time windows according to the occurrence frequency of the first abnormal event in each of the sub time windows.

And a second statistical unit 663c, configured to obtain a second distribution law of the second abnormal event in each of the sub-time windows according to the occurrence frequency of the second abnormal event in each of the sub-time windows.

Similarly, by counting the occurrence number of the second abnormal event in each sub-time window, the sequence of the occurrence number of the second abnormal event in the time window can be obtained. Assuming that the number of occurrences of the second abnormal event in the sub-time windows from 1 st to 10 th is 0,0,0,1,3,5,2,1,7,2 in order, a number sequence [0,0,0,1,3,5,2,1,7, 2] representing the second distribution law can be obtained.

A determining unit 664c, configured to determine the correlation according to the first distribution law and the second distribution law.

In this unit, the correlation between the first distribution law and the second distribution law may be determined according to the distance D between the time series corresponding to the two distribution laws. The distance D may e.g. be a minkowski distance or a dynamic time warping distance, etc. The value interval of the distance D may be [0, 1] by processing such as normalization]. Further, the correlation representative value R may be set₃1-D, apparently R₃The larger the value of (c), the higher the correlation.

The determining module 680 is configured to determine the risk of the vehicle being invaded according to the correlation.

In this module, the correlation may be compared to a threshold, and if above the threshold, it may be determined that the vehicle is at risk of intrusion, otherwise, there is no risk of intrusion.

For another example, when the representative value R of the correlation is determined according to the period decision method₂In this case, the first threshold value 0, the second threshold value 0.3, and the third threshold value 0.7 may be set. Accordingly, if the representative value R of the correlation is₂0, the vehicle is not at risk of being intruded; if said R is₂Between 0 and 0.3, there is a low risk of invasion; if R is₂Between 0.3 and 0.7, there is a risk of intermediate intrusion; if R is₂Between 0.7 and 1, there is a high level of intrusion risk.

Similarly, when the representative value R of the correlation is determined according to the probability distribution method₃In this case, the first threshold value 0, the second threshold value 0.3, and the third threshold value 0.7 may be set. Correspondingly, if the representative value R of the correlation is₃0, the vehicle is not at risk of being intruded; if it is atR is₃Between 0 and 0.3, there is a low risk of invasion; if R is₃Between 0.3 and 0.7, there is a risk of intermediate intrusion; if R is₂Between 0.7 and 1, there is a high level of intrusion risk.

One configuration of the device according to an embodiment of the invention is shown in fig. 15. The specific embodiment of the present invention does not limit the specific implementation of the apparatus, and referring to fig. 15, the apparatus 1500 may include:

a processor (processor)1510, a communication Interface 1520, a memory 1530, and a communication bus 1540. Wherein:

the processor 1510, communication interface 1520, and memory 1530 communicate with each other via a communication bus 1540.

Communication interface 1520 for communicating with a server.

The processor 1510, configured to execute the program 1532, may specifically perform the relevant steps in the method embodiment shown in fig. 1.

In particular, the program 1532 may include program code comprising computer operating instructions.

Processor 1510 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to implement embodiments of the present invention.

And a memory 1530 for storing a program 1532. Memory 1530 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory. The program 1532 may specifically perform the following steps:

detecting a first anomalous event in an IVI system of the vehicle;

detecting a second abnormal event on a CAN bus of the vehicle;

For specific implementation of each step in the program 1532, reference may be made to corresponding steps or modules in the foregoing embodiments, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.

Fig. 16 is a schematic diagram illustrating the distribution of the device in the vehicle according to an embodiment, and as shown in fig. 16, the device 600 may be integrally disposed in an IVI system 1610 of a vehicle 1600, and the IVI system 1610 and the CAN bus 1620 are connected by an inherent wired or wireless manner.

Fig. 17 is a schematic diagram of the distribution of the device in the vehicle according to another embodiment, as shown in fig. 17, in which there is no connection between the IVI system 1610 and the CAN bus 1620. The first detection module 620, the analysis module 660, and the determination module 680 of the apparatus 600 are disposed in the IVI system 1610 of the vehicle 1600, and the second detection module 640 is disposed in the CAN bus 1620. The first detection module 620 and the analysis module 660 are connected by wire or wirelessly.

Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a controller, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

The above embodiments are only for illustrating the invention and are not to be construed as limiting the invention, and those skilled in the art can make various changes and modifications without departing from the spirit and scope of the invention, therefore, all equivalent technical solutions also belong to the scope of the invention, and the scope of the invention is defined by the claims.

Claims

1. A method of detecting a risk of cyber intrusion of a vehicle, the method comprising:

detecting a first anomalous event in an IVI system of the vehicle;

detecting a second abnormal event on a CAN bus of the vehicle;

determining the risk of the vehicle being invaded according to the correlation;

the analyzing the correlation between the occurrence time of the first exceptional event and the occurrence time of the second exceptional event comprises:

analyzing a correlation between the occurrence time of the first exceptional event and the occurrence time of the second exceptional event within a time window;

said analyzing a correlation between the time of occurrence of the first exceptional event and the time of occurrence of the second exceptional event within a time window comprises:

dividing the time window into a second predetermined value sub-time window;

counting to obtain a first distribution law of the first abnormal event in each sub-time window according to the occurrence frequency of the first abnormal event in each sub-time window;

counting to obtain a second distribution law of the second abnormal event in each sub-time window according to the occurrence frequency of the second abnormal event in each sub-time window;

and determining the correlation according to the first distribution law and the second distribution law.

2. The method of claim 1, wherein the detecting the first anomalous event in the IVI system of the vehicle comprises:

and judging whether the IVI system of the vehicle is infected with the virus or not by comparing with a virus library, and if so, considering that the IVI system has a first abnormal event.

3. The method of claim 1, wherein the detecting the first anomalous event in the IVI system of the vehicle comprises:

and judging whether the network behavior of the IVI system of the vehicle is abnormal or not by contrasting a network behavior abnormal mode library, and if so, considering that a first abnormal event occurs in the IVI system.

4. The method of claim 1, wherein the detecting the first anomalous event in the IVI system of the vehicle comprises:

and judging whether an application program with unsatisfactory safety exists in the IVI system of the vehicle, and if so, determining that a first abnormal event occurs in the IVI system.

5. The method of claim 4, wherein the detecting the first anomalous event in the IVI system of the vehicle further comprises:

and judging the safety of the application program according to the software function description of the application program and the authority applied or used by the application program.

6. The method of claim 1, wherein the detecting the second abnormal event on the CAN bus of the vehicle comprises:

and judging whether the ID of the message transmitted on the CAN bus of the vehicle is in a white list or not, and if not, considering that a second abnormal event occurs on the CAN bus.

7. The method of claim 1, wherein the detecting the second abnormal event on the CAN bus of the vehicle comprises:

and judging whether the error between the period of a message and the period of the message of the safety baseline exceeds a first preset value, and if the error exceeds the first preset value, considering that a second abnormal event occurs on the CAN bus.

8. The method of claim 1, wherein the time window is a sliding time window.

9. The method of claim 1, wherein the determining the correlation according to the first distribution law and the second distribution law comprises:

and determining the representative value of the correlation according to the distance between the time series corresponding to the first distribution law and the time series corresponding to the second distribution law.

10. An apparatus for detecting a risk of cyber intrusion of a vehicle, the apparatus comprising:

a determining module for determining a risk of intrusion of the vehicle based on the correlation;

the analysis module is used for analyzing the correlation between the occurrence time of the first abnormal event and the occurrence time of the second abnormal event in a time window;

the analysis module includes:

the dividing unit is used for dividing the time window into a second preset value sub-time window;

the first statistical unit is used for counting to obtain a first distribution law of the first abnormal event in each sub-time window according to the occurrence frequency of the first abnormal event in each sub-time window;

a second statistical unit, configured to obtain a second distribution law of the second abnormal event in each of the sub-time windows according to the occurrence frequency of the second abnormal event in the sub-time window;

and the determining unit is used for determining the correlation according to the first distribution law and the second distribution law.

11. The apparatus of claim 10, wherein the first detection module comprises:

and the virus comparison unit is used for comparing a virus library to judge whether the IVI system of the vehicle is infected with the virus or not, and if so, the IVI system is considered to have a first abnormal event.

12. The apparatus of claim 10, wherein the first detection module comprises:

and the mode comparison unit is used for comparing a network behavior abnormal mode library to judge whether the network behavior of the IVI system of the vehicle is abnormal or not, and if the network behavior is abnormal, the IVI system is considered to have a first abnormal event.

13. The apparatus of claim 10, wherein the first detection module comprises:

and the application program judging unit is used for judging whether an application program with the safety not meeting the requirement exists in the IVI system of the vehicle or not, and if so, the IVI system is considered to have a first abnormal event.

14. The apparatus of claim 13, wherein the first detection module further comprises:

and the safety judgment unit is used for judging the safety of the application program according to the software function description of the application program and the authority applied or used by the application program.

15. The apparatus of claim 10, wherein the second detection module comprises:

and the white list unit is used for judging whether the ID of the message transmitted on the CAN bus of the vehicle is in a white list or not, and if not, considering that a second abnormal event occurs on the CAN bus.

16. The apparatus of claim 10, wherein the second detection module comprises:

and the period judging unit is used for judging whether the error between the period of a message and the period of the message of the safety baseline exceeds a first preset value or not, and if the error exceeds the first preset value, the CAN bus is considered to have a second abnormal event.

17. The apparatus according to claim 10, wherein the determining unit is configured to determine the representative value of the correlation according to a distance between the degree sequence corresponding to the first distribution law and the degree sequence corresponding to the second distribution law.

18. The device of claim 10, wherein the device is disposed in an IVI system of the vehicle.

19. The apparatus of claim 10, wherein the first detection module and the analysis module are disposed in an IVI system of the vehicle, and the second detection module is connected to the CAN bus.

20. An apparatus for detecting a risk of cyber intrusion of a vehicle, the apparatus comprising:

a memory for storing instructions;

detecting a first anomalous event in an IVI system of the vehicle;

detecting a second abnormal event on a CAN bus of the vehicle;

determining the risk of the vehicle being invaded according to the correlation;

dividing the time window into a second predetermined value sub-time window;

21. A computer-readable storage medium storing a computer program, the computer program causing a computer to execute a method of:

detecting a first anomalous event in an IVI system of a vehicle;

detecting a second abnormal event on a CAN bus of the vehicle;

determining the risk of the vehicle being invaded according to the correlation;

dividing the time window into a second predetermined value sub-time window;