CN109257358A - A kind of In-vehicle networking intrusion detection method and system based on clock skew - Google Patents
A kind of In-vehicle networking intrusion detection method and system based on clock skew Download PDFInfo
- Publication number
- CN109257358A CN109257358A CN201811137466.0A CN201811137466A CN109257358A CN 109257358 A CN109257358 A CN 109257358A CN 201811137466 A CN201811137466 A CN 201811137466A CN 109257358 A CN109257358 A CN 109257358A
- Authority
- CN
- China
- Prior art keywords
- ecu
- clock
- message
- vehicle networking
- accumulative
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 90
- 230000006855 networking Effects 0.000 title claims abstract description 52
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 19
- 238000013508 migration Methods 0.000 claims abstract description 15
- 230000005012 migration Effects 0.000 claims abstract description 15
- 230000002159 abnormal effect Effects 0.000 claims abstract description 12
- 230000035772 mutation Effects 0.000 claims abstract description 5
- 230000006399 behavior Effects 0.000 claims description 26
- 230000008859 change Effects 0.000 claims description 15
- 238000005259 measurement Methods 0.000 claims description 12
- 238000012937 correction Methods 0.000 claims description 4
- 238000013139 quantization Methods 0.000 claims description 4
- 206010000117 Abnormal behaviour Diseases 0.000 claims description 3
- 238000012544 monitoring process Methods 0.000 claims description 2
- 238000012545 processing Methods 0.000 claims description 2
- 238000012549 training Methods 0.000 claims description 2
- 238000004364 calculation method Methods 0.000 claims 1
- 238000007689 inspection Methods 0.000 claims 1
- 238000000034 method Methods 0.000 abstract description 22
- 238000004891 communication Methods 0.000 abstract description 5
- 230000002688 persistence Effects 0.000 abstract description 3
- 238000002347 injection Methods 0.000 description 26
- 239000007924 injection Substances 0.000 description 26
- 238000009825 accumulation Methods 0.000 description 12
- 238000013461 design Methods 0.000 description 12
- 238000012417 linear regression Methods 0.000 description 9
- 230000005540 biological transmission Effects 0.000 description 7
- 238000004458 analytical method Methods 0.000 description 6
- 230000009545 invasion Effects 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 238000004590 computer program Methods 0.000 description 4
- 238000012360 testing method Methods 0.000 description 4
- 230000000694 effects Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 239000000243 solution Substances 0.000 description 3
- 230000001186 cumulative effect Effects 0.000 description 2
- 230000003111 delayed effect Effects 0.000 description 2
- 238000002474 experimental method Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000004088 simulation Methods 0.000 description 2
- 239000007787 solid Substances 0.000 description 2
- 230000001133 acceleration Effects 0.000 description 1
- 238000009412 basement excavation Methods 0.000 description 1
- 230000003139 buffering effect Effects 0.000 description 1
- 239000013078 crystal Substances 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000012731 temporal analysis Methods 0.000 description 1
- 238000000700 time series analysis Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention belongs to automobile network communication and its technical field of vehicle safety, disclose a kind of In-vehicle networking intrusion detection method and system based on clock skew, excavate the interrelational form and the degree of association in In-vehicle networking between each ECU, find some related informations of these ECU, and the rule of related information is analyzed, establish correlation rule;The normal data of the correlation rule of foundation are added to the accumulative clock migration model of automobile;When ECU, which receives message, occurs abnormal, by comparing relevant associated data, intrusion behavior is found.The present invention is using CUSUM (accumulative and) algorithm, from the accumulative of the deviation of target value and to detect mutation;Because using accumulative method, even slightly deviateing target value also can constantly increase or decrease accumulated value.Therefore, it is the method for the small persistence variation of optimal detection, is widely used in detection of change-point at present.
Description
Technical field
The invention belongs to automobile network communication and its technical field of vehicle safety more particularly to a kind of based on clock skew
In-vehicle networking intrusion detection method and system.
Background technique
Currently, the prior art commonly used in the trade is such that
With the fusion of Modern information science technology and automotive engineering, the control of automobile is all based on ECU at present
The control of (Electronic Control Unit: electronic control unit), and the development trend of automobile is more and more digital
Change, is intelligent, unmanned.Since the function of each device element of automobile is controlled by ECU, different automobile models is according to need
The quantity of the difference asked, ECU is also different, but averagely contains 20 to 100 ECU, each ECU in automobile under normal conditions
It is responsible for the function of oneself corresponding device equipment.Currently, the bus that leading role is accounted in automobile mounted network is CAN bus, from
Company of German Bosch in 1986 develops the CAN bus communication protocol towards automobile and starts, and CAN bus becomes Automobile support grid
The standard of network.Due in In-vehicle networking it is commonly used it is most be standard In-vehicle networking be CAN bus network, so the present invention is
Based on CAN bus network for the research of ECU intrusion detection.
What BOSCH company considered at the beginning of designing CAN bus is intended merely to realize function, without considering In-vehicle networking
The safety issue of message context.Such as shown in terms of CAN bus network insecurity, CAN bus protocol rule is only advised
Determine the protocol contents and message format of CAN message, and the data in CAN bus are not over the measure of encryption, but it is logical
The mode of plaintext is crossed to be transmitted, while CAN bus is also without corresponding Authentication mechanism, as long as being mounted to CAN bus
On equipment, so that it may send message to other equipment, therefore CAN bus is easy to be attacked and monitored by hacker.Most
It was directed to the attack of In-vehicle networking in recent years, foreign countries have some white hats and carried out real example by real case.
Interior T-Box system is by being internally integrated GPS positioning module, RFID (radio-frequency technique) identification mould in automobile
The electronic components such as block, sensor module carry out wireless communication and data exchange according to the standard of communication protocol and data exchange
System, and realize the critical component of Vehicular intelligent control and Intelligent Dynamic information service.Hacker attack T-Box, Ke Yishi
The local and remote control to automobile is showed, by sending related command to CAN bus, the vehicle oil-break of traveling can have been made, added
Speed is slowed down and is braked.The present invention can have found the attack from T-Box in time.
Vehicle entertainment system may include navigation, auxiliary driving, fault detection, Body Control, based on online amusement function
Energy is equal, is greatly improved electronization, networking and the intelligent level of automobile.Vehicle entertainment system is due to by wirelessly can be with
Connection is external, therefore is also the key object of hacker attack.By attacking vehicle entertainment system, phase then is sent to CAN bus
Order is closed, vehicle deflecting, oil-break, acceleration, deceleration and the braking etc. of traveling can also be made.Therefore the present invention can have found to come in time
From the attack of vehicle entertainment system
In conclusion problem of the existing technology is:
(1) in the prior art, the safety issue of the message context of In-vehicle networking is not accounted for.
Data in CAN bus are transmitted not over the measure of encryption simply by the mode of plaintext;Simultaneously
CAN bus is also without corresponding Authentication mechanism, as long as being mounted to the equipment in CAN bus, so that it may to other equipment
Message is sent, therefore CAN bus is easy to be attacked and monitored by hacker.
(2) in the prior art since T-Box does not have safeguard procedures, it is subject to the hacker attack from internet, in turn
CAN bus is attacked, the automobile of traveling is caused abnormal phenomenon occur.
(3) it in the prior art since vehicle entertainment system does not have safeguard procedures, is subject to the hacker from internet and attacks
It hits, and then attacks CAN bus, the automobile of traveling is caused abnormal phenomenon occur.
Solve the difficulty and meaning of above-mentioned technical problem:
Difficulty is, not can be carried out adequate solution to automobile mounted Network Information Security Problem;The reason is that,
During developing from orthodox car to digitlization, intelligence, unmanned automobile, the information of automobile mounted network is pacified
Full problem is very important, because the information security issue of automobile mounted network compares with internet information safety problem, automobile
Harm caused by the information security of In-vehicle networking is more important, once automobile mounted network is attacked, can not only bring property loss
And the life of occupant can be threatened under serious conditions.Moreover, the protection of the correspondence with foreign country of many automobiles does not have substantially at present,
In addition there are many channels of automobile correspondence with foreign country.
After solving problem of the prior art, bring meaning are as follows:, for the attack of automobile mounted network, the present invention is in CAN
In bus, by the clock skew of data packet, attack can be found in time, is performed intrusion detection, help to ensure entire
The safety of truck carrier, and then ensure the safety of life and property.
Summary of the invention
In view of the problems of the existing technology, the In-vehicle networking intrusion detection based on clock skew that the present invention provides a kind of
Method and system, the very good solution of the present invention above problem, and enhance the safety of automotive interior network, also improve vapour
The ability of intrusion detection in vehicle network.
The invention is realized in this way a kind of In-vehicle networking intrusion detection method based on clock skew, it is described based on when
The In-vehicle networking intrusion detection method of clock offset includes: interrelational form and the association excavated in In-vehicle networking between each ECU
Degree, finds some related informations of these ECU, and analyze the rule of related information, establishes correlation rule;By the association of foundation
The accumulative clock migration model of automobile is added in regular normal data;
When ECU, which receives message, occurs abnormal, by comparing relevant associated data, intrusion behavior is found.
Further, it establishes in association rules method, goes to extract and estimate that the clock of transmitter is inclined using the periodicity of message
Difference, label of the clock jitter as ECU;It specifically includes:
Firstly, first acquiring data from the standard network of safety, a data source is obtained;It is excavated from data source again each
The degree of association between a ECU obtains the fixed clock deviation between ECU, then the ECU clock jitter that these are fixed as standard
It is put into association java standard library.
Further, it establishes in correlation rule, the ECU clock jitter that these are fixed is put into association java standard library as standard
Before, it needs that first clock jitter is estimated and analyzed;
It specifically includes:
Assuming that ECUA broadcasts a message every Tms, ECU R periodically receives that message;From the angle of R
The clock for that time that message reaches is regarded as C by degreetrue;As t=0, indicate that ECUA sends first message, Oi
The clock skew of i-th message is sent when indicating ECUA from t=0;
In one section of network delay diLater, ECU R will receive corresponding message and record the timestamp iT+ of arrival
Oi+di+ni, wherein niIndicate the noise generated when the timestamp quantization of R;The clock interval T of each arrival time stamprx,i=T+
ΔOi+Δdi+ΔniIt indicates, wherein Δ XiIndicate i-th and i-1 variable XiBetween difference and stipulated that O0=0;It is small one
In the section time, OiVariation is very small, ignores, niIt is a zero-mean Gaussian noise item, T is excavated by associated data
The constant arrived, the data length DLC of periodically packet information are a constant, E [Δ d againiThe desired value of]=0, interval is used
Formula (1) indicates:
The timestamp d reached based on first message0+n0With the desired value μ of interval of timestampsTrx, infer i-th report
Timestamp when literary information reaches is i μTrx+d0+n0, actual measurement arrival time stamp is iT+Oi+di+ni;It is reached by estimation
Time, μTrxIt is determined by past measured value;T is a constant and μTrx≈ T, difference between estimated value and true measurement
Desired value is indicated with formula (2):
E [D]=E [i (T- μTrx)+Oi+Δd+Δn]≈E[Oi] (2)
Go out the clock skew E [O of different transmitters from the periodical angle estimation of messagei]。
Further, when ECU, which receives message, occurs abnormal, by comparing relevant associated data, intrusion behavior, tool are found
Body includes:
Using value of the correlation rule in correlation rule library in amount, construct accumulative clock migration model, as with exception
The check and correction standard of behavior, in real time detects the data in In-vehicle networking, discriminates whether that there are intrusion behaviors;
For giving the message of ID, operation RLS algorithm goes to estimate the clock jitter of corresponding ECU transmitter, constructs phase
Whether the clock behavior model and confirmatory measurement value for the standard answered deviate normal value;Using CUSUM is accumulative and algorithm, from target value
Deviation accumulative and detection mutation.
Further, CUSUM is accumulative and algorithm includes:
During estimating each step of clock jitter, the average value mu of accumulative clock offset is respectively updatedeIt is missed with identification
The variance of differenceμeWithOnly work as satisfactionWhen, just it is updated;, the identification error e that each obtains and accumulative sum it is upper
Limit L+, lower limit L-It updates as shown in formula (3);
The parameter and κ that wherein κ is a reflection standard deviation are by monitoring normal vehicular network scenario to instruct offline
It gets out;If L+Or L-Any one have exceeded threshold value ΓL, the value of sudden change can all be noticeable out respectively, and report has
Invasion;The mode threshold value of accumulative sum is 4 or 5, or threshold value is arranged according to the actual situation.
Another object of the present invention is to provide the In-vehicle networking intrusion detection sides described in a kind of realize based on clock skew
The computer program of method.
Another object of the present invention is to provide the In-vehicle networking intrusion detection sides described in a kind of realize based on clock skew
The information data processing terminal of method.
Another object of the present invention is to provide a kind of computer readable storage mediums, including instruction, when it is in computer
When upper operation, so that computer executes the In-vehicle networking intrusion detection method based on clock skew.
Another object of the present invention is to provide the In-vehicle networking intrusion detection sides described in a kind of realize based on clock skew
The In-vehicle networking intruding detection system based on clock skew of method, the In-vehicle networking intruding detection system based on clock skew
Include:
Correlation rule establishes module, excavates interrelational form and the degree of association in In-vehicle networking between each ECU, finds this
Some related informations of a little ECU, and the rule of related information is analyzed, establish correlation rule;
Accumulative clock migration model constructs module, and the normal data of the correlation rule of foundation are added to the accumulative clock of automobile
Migration model;
Intrusion detection module, when ECU, which receives message, occurs abnormal, by comparing relevant associated data, discovery invasion
Behavior.
Another object of the present invention is to provide a kind of In-vehicle networking intrusion detections equipped with described based on clock skew
The In-vehicle networking detection of change-point equipment of system.
In conclusion advantages of the present invention and good effect are as follows:
The present invention is in order to establish an effective intrusion detection method and can recognize that various types of attacks, system
The transmitter of every message should be able to be verified.However, being not include transmitter information in CAN message information, so necessary
It is marked with other information.The present invention goes to extract and estimate the clock jitter of transmitter using the periodicity of message, i.e., this
Label of the clock jitter as ECU.
Firstly, first acquiring data from the standard network of safety, a data source is obtained.It is excavated from data source again each
The degree of association between a ECU obtains the fixed clock deviation between ECU, then the ECU clock jitter that these are fixed as standard
It is put into association java standard library, is thus the design of a complete offline part.
Because being marked with the clock jitter of ECU, firstly the need of being estimated clock jitter and analyzed.
The factor that clock jitter is influenced in real system has the noise generated when clock skew, network transmission delay, timestamp quantization,
Due to these factors for the period of message all very littles, can be ignored.
Real-time partial design
Offline part has solved the problems, such as label ECU transmitter, i.e., is obtained by the time interval between message
Clock jitter can be used to mark ECU transmitter out.The present invention is using this characteristic Design accumulative clock migration model and enters
The big module of detection unit two is invaded, wherein intrusion detecting unit contains the analysis engine for judging whether to belong to intrusion behavior.
Real-time partial is to adapt to automobile mounted network and required in real time intrusion detection and design, its effect is
It is periodical using value of the correlation rule in correlation rule library in amount such as message time, to construct accumulative clock offset mould
Type, as the check and correction standard with abnormal behaviour, to be detected in real time to the data in In-vehicle networking, to discriminate whether to deposit
In intrusion behavior.
The building of accumulative clock migration model, is equivalent to and establishes a java standard library, that is, the white list being commonly called as, only meet
The desired data value of this model could pass through intrusion detection.
Intrusion detection be then by the eigenvalue (i.e. the clock jitter of ECU) of real time data and offline part excavated into
Row compare, if there is larger difference with desired ECU clock jitter, can be determined that exception or have intrusion behavior (such as:
Injection attacks, pause attack, spoof attack etc.).
In view of malicious attacker carries out injection attacks, injection attacks meeting to the ECU for sending message information with the fixed cycle
Dramatically increase the absolute mean deviation value between estimation and measurement arrival clock.Its result is exactly the change rate of accumulative clock offset
It can increase suddenly, identification error also can be very big.Similarly pause attack can also allow absolute average to increase, and can also generate very high
Error.If there is spoof attack, because malicious attacker by the ECU of malice sends message rather than script
ECU sends message, and accumulative clock offset is the increment rate meeting suddenly change of clock jitter, to also lead to very high identification
Error.In short, if ECU is not malice, then it also accordingly has the clock behavior of standard, then its identification error
Average value normally tends to 0, and when there is invasion, its value can suddenly become non-zero value.
Intrusion detection method of the invention here with CUSUM (accumulative and) algorithm, from the accumulative of the deviation of target value and
To detect mutation.Because using accumulative method, even slightly deviate target value also can constantly increase or decrease it is cumulative
Value.Therefore, it is the method for the small persistence variation of optimal detection, is widely used in detection of change-point at present.
Simulating, verifying of the invention has:
This link is verified in intrusion detection, the experiment software that the present invention uses is CANoe7.1, this software tool is not
The process that only there is emulation In-vehicle networking ECU to send and receive, and the progress that can be connected with true In-vehicle networking is true
Operation.
Injection and pause attack intrusion detection verifying:
In order to verify injection and pause attack, with CANoe software design such artificial network as shown in Figure 5, wherein
First of all for verifying injection attacks, it is incorporated into program into ECU B, it is allowed to inject at the time of clock is 400s with ID for 0x11's
Message, but actually if being not injected into attack, the message of 0x11 should be by ECU A periodicity sending
, that is to say, that ECU B has carried out injection attacks to ECU A.Meanwhile the intrusion detection program for being incorporated into us also allowed in ECU R,
Using it as a test point of intruding detection system, let it be derives the accumulation clock skew (O of 0x11 messageacc), know
The accumulation bound L of other error (e) and target value+, L-.Word is come for pause attack, ECU A can be incorporated into pause
Program makes it suspend the message for sending 0x11 at the time of 400s.There are injection attacks as Fig. 6 (a) is illustrated and do not having
In the case where injection attacks, Oacc, how these values such as e change.As long as ECU B has started injection attacks, then when accumulation
Clock offset just has a catastrophe point, to can also generate a biggish identification error.Due to such variation, target value is tired
The upper limit L of product sum+Also it uprushes and has been more than threshold value ΓL, so as to determine to be invaded.Similarly, Fig. 6 (b) is also shown
In the case where pause attack, accumulation clock skew can also uprush, and intrusion behavior has occurred to also can be determined that.
Spoof attack intrusion detection verifying:
Spoof attack devises artificial network as shown in Figure 7 with CANoe.Wherein ECU A plays the part of the role of strong attacker,
ECU B plays the part of the role of weak attacker, role of the ECU C as non-attack person, detection of the ECU R as intruding detection system
Point.When wherein ECU A is not implanted rogue program, defaulting it is the message for sending 0x11, and ECU A, which is incorporated into rogue program, to be made
It is in TmasqCamouflage sends the ECU B that ID is 0x55 message when being 250 seconds, namely interrupts ECU B transmission message and disappear
Breath, the message for allowing ECU A that ECU B is replaced to send identical ID instead.
As Fig. 8 (a) illustrate attack before and attack after, ID for 0x55 message PMF (probability mass function).?
After ECU A pretends, or with the same frequency transmission message of ECU B, therefore, before being equivalent to attack, distribution is not bright
Aobvious deviation.However, because in TmasqWhen moment, the ECU B for sending the message of 0x55 is prevented from, by ECU A
Instead of sending, one section of delayed clock is had during ECU switching.As can be seen from the figure when not starting spoof attack,
Clock interval between message is 50ms, however when starting spoof attack for the first time, before starting spoof attack
At the end of the message once sent, the clock interval of message is 51.04ms at this time.Due in TmasqThere is camouflage
It attacks, the abnormal message clock interval deviateed under normal circumstances is just shown in PMF figure.This variation as a result,
Result in the O of test point ECU R trackingacc, L+, L-Variation, as shown in Fig. 8 (c).From Fig. 8 (b) as can be seen that at 250 seconds
When, due to having started spoof attack, so the slope for causing 0x55 message accumulation clock skew produces variation
I.e. clock jitter produces variation.Due in TmasqLater, OaccMeasured value relative to TmasqExpectation under normal circumstances before
Value produces apparent deviation and the accumulation of target value and lower limit also have exceeded threshold value, so that intruding detection system can be reported
This is once to invade.Due in TmasqLater, send the ECU of message that ID is 0x55 and become A, its clock jitter with
The clock jitter of 0x11 is equal, to can also further determine that attack source is A.
Detailed description of the invention
Fig. 1 is that message provided in an embodiment of the present invention reaches Time-Series analysis figure.
Fig. 2 is accumulative clock deflection graph provided in an embodiment of the present invention.
Fig. 3 is clock jitter algorithm for estimating flow chart provided in an embodiment of the present invention.
Fig. 4 is intrusion detection method flow chart provided in an embodiment of the present invention.
Fig. 5 is injection attacks provided in an embodiment of the present invention and pause attack artificial network figure.
Fig. 6 is intruding detection system detection injection attacks provided in an embodiment of the present invention and pause attack graph.
In figure: (a) injection attacks;(b) buffering attack.
Fig. 7 is spoof attack network simulation network provided in an embodiment of the present invention.
Fig. 8 is intruding detection system detection spoof attack figure provided in an embodiment of the present invention.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to embodiments, to the present invention
It is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not used to
Limit the present invention.
In the prior art, the safety issue of the message context of In-vehicle networking is not accounted for.
Data in CAN bus are transmitted not over the measure of encryption simply by the mode of plaintext;Simultaneously
CAN bus is also without corresponding Authentication mechanism, as long as being mounted to the equipment in CAN bus, so that it may to other equipment
Message is sent, therefore CAN bus is easy to be attacked and monitored by hacker.
Below with reference to concrete analysis, the invention will be further described.
In-vehicle networking intrusion detection method provided in an embodiment of the present invention based on clock skew, comprising:
The interrelational form and the degree of association in In-vehicle networking between each ECU are excavated first, find some passes of these ECU
Join information, and analyze rule therein, establish correlation rule, these normal data are added to the white list of automobile.Work as ECU
When receiving message and occurring abnormal, by comparing relevant associated data, then it can be found that intrusion behavior, to avoid safety problem
Generation.
1) wherein, correlation rule, comprising:
By taking gas pedal ECU, air throttle ECU, revolving speed ECU, speed ECU as an example.From actual horizon, this 4 ECU are deposited
In the relationship of being mutually related, (variation of gas pedal causes the variation of air throttle, and the variation of air throttle causes engine speed
Variation, the variation of engine speed cause the variation of speed).And according to multiple experiment, find inside In-vehicle networking mostly
There is single linear incidence relation in number ECU, and ECU sends the cyclophysis that message information all has time interval.To
Design the correlation rule between each ECU.
2) intrusion detection method principle:
Frequency for ECU transmitting message information of the carry on CAN bus network is the crystal oscillator clock by themselves
It is determined.Here present invention employs NTP (Network Time Protocol) Naming conventions, C is usedtrueIndicate that ECU passes through data correlation
The expected time of the reception signal obtained after excavation, use CiIndicate that ECU is an actually-received the time of signal.It is inclined to define clock
Shifting, clock increments, clock jitter these terms.
Clock skew: in a period of time, CtrueWith CiDifference.
Clock increments: in a period of time, CiKnots modification.
Clock jitter: in a period of time, the ratio of accumulative clock offset and this period.
In order to establish an effective intrusion detection method and can recognize that various types of attacks, system should be able to
Enough verify the sender information of every message.However, being not include to send information in CAN message information, so it must be used
His information marks.The present invention goes to extract and estimate the clock jitter of transmitter using the periodicity of message, i.e., this clock
Label of the deviation as ECU.
As shown in Figure 1, it is assumed that ECU A broadcasts a message every Tms, and ECU R periodically receives that message
Message.From the perspective of R, the timestamp that only message reaches its that moment be can use, it is possible to message
The clock for that time that message reaches regards C astrue.Due to clock jitter, sometimes when the message of sending cycle
Small clock skew can be generated with ideal clock (T, 2T, 3T ...).As t=0, indicate that ECU A sends first message
Message, OiThe clock skew of i-th message is sent when indicating ECU A from t=0.Then, in one section of network delay diLater,
ECU R will receive corresponding message and record the timestamp iT+O of arrivali+di+ni, wherein niIndicate the timestamp amount of R
The noise generated when change.Therefore, the clock interval of each arrival time stamp can use Trx,i=T+ Δ Oi+Δdi+ΔniIt indicates,
Wherein Δ XiIndicate i-th and i-1 variable XiBetween difference and stipulated that O0=0.Due within a bit of time, OiBecome
Change is very small, can be ignored, niA zero-mean Gaussian noise item, T be excavated by associated data it is normal
Number, the data length DLC of periodically packet information is a constant, i.e. E [Δ d againi]=0, so the desired value at interval can be with
It is indicated with formula (1):
The timestamp d reached based on first message0+n0With the desired value μ of interval of timestampsTrx, so as to push away
Timestamp when disconnected i-th message information reaches should be i μTrx+d0+n0, and actual measurement arrival time stamp is iT+Oi+di+
ni.As the time that estimation reaches, μTrxIt is to be determined by past measured value.Because T is a constant and μTrx≈ T, institute
It can be indicated with formula (2) with the desired value of the difference between estimated value and true measurement:
E [D]=E [i (T- μTrx)+Oi+Δd+Δn]≈E[Oi] (2)
Namely the clock skew E [O of different transmitters is estimated that from the periodical angle present invention of messagei], because
Clock skew becomes very slow and non-zero, E [Oi] ≠ 0, and E [Δ Oi]=0.To different as distinguishing on this basis
Transmitter.If the n message information that ECU R is received goes estimation average clock offset, only represent
Newly generated average clock offset, because the message information received is derived from by first message.Therefore, it is
The clock skew all generated is obtained, then needs average clock to deviate and adds up.According to definition, cumulative clock skew
It should be that the inclined degree of a constant and accumulative clock skew illustrates corresponding clock jitter.
As shown in Fig. 2 accumulative clock deflection graph, the present invention is gone to demonstrate the validity of label ECU with clock estimation of deviation,
The order of magnitude that verifying uses is ppm (a few millionths).0x11 has been used respectively, and the accumulative clock of 0x13,0x55 message are inclined
Mapping is removed, wherein the inclined degree of curve represents corresponding clock jitter in figure.By can be seen that all clocks in figure
Deviating obtained curve is all straight line, so that corresponding clock jitter should be a constant.Message 0x11,0x13
It is all to be sent from ECU A, their message clock skew curve is almost that be overlapped and clock jitter is 11.4ppm
(least square method obtains).On the other hand, message 0x55 be sent by ECU B and clock jitter be 25.2ppm.Cause
This, clock jitter can distinguish different ECU really.
Solves the problems, such as label ECU transmitter above, i.e., when obtaining by the time interval between message
Clock deviation can be used to mark ECU transmitter.
The present invention is using this characteristic Design accumulative clock migration model and the big module of intrusion detecting unit two, wherein entering
It invades detection unit and contains the analysis engine for judging whether to belong to intrusion behavior.This two big module is retouched in detail below
It states.
The message of given ID can be obtained by receiving message timestamp by the place mat of front
Corresponding accumulative clock offset.Since clock jitter is constant, so accumulative clock offset is linear to return distribution.Therefore,
Accumulative clock migration model can be modeled as linear regression model (LRM) by intrusion detection method.Its corresponding linear regression model (LRM) definition
It is expressed with formula (3):
Oacc[k]=S [k] t [k]+e [k] (3)
Wherein k indicates k stage, Oacc[k] indicates the accumulative clock offset k stage, and t [k] was indicated k stage
The time of consumption, S [k] indicate that the slope of linear regression model (LRM) is also intended to the clock jitter of estimation, and e [k] indicates that identification error is
It cannot be by the residual error of model explanation.Wherein Oacc, S, t, e can be updated with the change of every N number of message number, directly
Reach the k of the expected setting of the present invention.
For the present invention in order to obtain accumulative clock migration model unknown parameter S, having used least square method (RLS) algorithm is base
Plinth devises clock jitter algorithm for estimating program and the clock jitter algorithm for estimating process of Fig. 3.Wherein using residual error as objective function,
Purpose is to minimize the quadratic sum of modeling error.Therefore in RLS algorithm, the deviation of identification error preferably levels off to 0, such energy
More accurate expression model.
How algorithm description using RLS algorithm removes estimation clock jitter.Firstly, intrusion detection method measures given ID's
Timestamp when receiving of message and utilize the time cycle value between message in correlation rule library.If long-term
Expected message is not received, then pause attack is likely to, as shown in the 13 of Fig. 3,14 rows, then being bound to cause surplus
Remaining timestamp and time interval increase.Once N number of value has been measured, intrusion detection method can determine that accumulative clock deviates
With corresponding identification error.Based on derived value, then gain G and covariance P can be gone to update linear regression with RLS algorithm
Model parameter S, that is, clock jitter.This process of clock jitter estimation is the process of an iteration, if ECU is not attacked
If, then the identification error exported should level off to 0 and also clock jitter should also be a constant.In this way, ECU transmitter
Standard time clock behavior can be described as clock jitter be linear regression model (LRM) slope.In RLS algorithm, in order to guarantee sample
This freshness, provides forgetting factor λ, it is therefore an objective to give old sample less weight, value of the present invention λ in a manner of index
It is set as 0.9995.
Below with reference to intrusion detection method, the invention will be further described.
Design intrusion detection method is as shown in Figure 4 based on above-mentioned analysis.The intrusion detection method defiber part and in real time
Part.
1. offline part design (association is established)
In order to establish an effective intrusion detection method and can recognize that various types of attacks, system should be able to
Enough verify the transmitter of every message.However, being not include transmitter information in CAN message information, so other must be used
Information marks.The present invention goes to extract and estimate the clock jitter of transmitter using the periodicity of message, i.e., this clock is inclined
Label of the difference as ECU.
Firstly, first acquiring data from the standard network of safety, a data source is obtained.It is excavated from data source again each
The degree of association between a ECU obtains the fixed clock deviation between ECU, then the ECU clock jitter that these are fixed as standard
It is put into association java standard library, is thus the design of a complete offline part.
Because being marked with the clock jitter of ECU, firstly the need of being estimated clock jitter and analyzed.
The factor that clock jitter is influenced in real system has the noise generated when clock skew, network transmission delay, timestamp quantization,
Due to these factors for the period of message all very littles, can be ignored.
2. real-time partial designs
Offline part has solved the problems, such as label ECU transmitter, i.e., is obtained by the time interval between message
Clock jitter can be used to mark ECU transmitter out.The present invention is using this characteristic Design accumulative clock migration model and enters
The big module of detection unit two is invaded, wherein intrusion detecting unit contains the analysis engine for judging whether to belong to intrusion behavior.
Real-time partial is to adapt to automobile mounted network and required in real time intrusion detection and design, its effect is
It is periodical using value of the correlation rule in correlation rule library in amount such as message time, to construct accumulative clock offset mould
Type, as the check and correction standard with abnormal behaviour, to be detected in real time to the data in In-vehicle networking, to discriminate whether to deposit
In intrusion behavior.
The building of accumulative clock migration model, is equivalent to and establishes a java standard library, that is, the white list being commonly called as, only meet
The desired data value of this model could pass through intrusion detection.
Intrusion detection be then by the eigenvalue (i.e. the clock jitter of ECU) of real time data and offline part excavated into
Row compare, if there is larger difference with desired ECU clock jitter, can be determined that exception or have intrusion behavior (such as:
Injection attacks, pause attack, spoof attack etc.).
In view of malicious attacker carries out injection attacks, injection attacks meeting to the ECU for sending message information with the fixed cycle
Dramatically increase the absolute mean deviation value between estimation and measurement arrival clock.Its result is exactly the change rate of accumulative clock offset
It can increase suddenly, identification error also can be very big.Similarly pause attack can also allow absolute average to increase, and can also generate very high
Error.If there is spoof attack, because malicious attacker by the ECU of malice sends message rather than script
ECU sends message, and accumulative clock offset is the increment rate meeting suddenly change of clock jitter, to also lead to very high identification
Error.In short, if ECU is not malice, then it also accordingly has the clock behavior of standard, then its identification error
Average value normally tends to 0, and when there is invasion, its value can suddenly become non-zero value.
3. analysis engine
For giving the message of ID, intrusion detection method operation RLS algorithm goes to estimate the clock of corresponding ECU transmitter
Deviation is invaded to also construct the clock behavior model of corresponding standard and whether confirmatory measurement value deviates from normal value.
In view of malicious attacker carries out injection attacks to the ECU for sending message information with the fixed cycle, injection attacks can be dramatically increased
Estimation and measurement reach the absolute mean deviation value between clock.Its result is exactly that the change rate of accumulative clock offset can increase suddenly
Add, identification error also can be very big.Similarly pause attack can also allow absolute mean deviation value to increase, and can also generate very high mistake
Difference.If there is spoof attack, because malicious attacker sends message by the ECU of malice rather than the ECU of script is sent out
Message is sent, accumulative clock offset is the increment rate meeting suddenly change of clock jitter, to also lead to very high identification error.
In short, if ECU is not malice, then it is also accordingly with the clock behavior of standard, then its identification error is averaged
Value normally tends to 0, and when there is invasion, its value can suddenly become non-zero value.Intrusion detection method of the invention here with
CUSUM (accumulative and) algorithm, from the accumulative of the deviation of target value and to detect mutation.Because using accumulative method, even
Slightly deviateing target value also can constantly increase or decrease accumulated value.Therefore, it is the small persistence variation of optimal detection
Method, be widely used in detection of change-point at present.Intrusion detection method of the invention is performed intrusion detection by accumulative and mode
Mode it is as follows.
Since during estimating each step of clock jitter, it is inclined that intrusion detection method will respectively update accumulative clock
The average value mu of shiftingeWith the variance of identification errorSo these values represent the accumulative target value of e, it is therefore desirable to appropriate to chase after
These variables of track.Therefore, it is needed to reflect to target value, μ as the precautionary measures of the exceptional value generated from attackeWith
Only work as satisfactionWhen, just it is updated.Then, the upper limit L of the identification error e and accumulative sum that each obtain+, lower limit L-More
New such as formula (3) are shown.
Wherein κ be a reflection standard deviation parameter and κ can by monitor normal vehicular network scenario to from
Line training obtains.If L+Or L-Any one have exceeded threshold value ΓL, the value of sudden change can all be noticeable out respectively, because
This intrusion detection method can report invasion.The mode of universal law, accumulative sum has a threshold value, and threshold value is usual
It is 4 or 5, threshold value can be set according to the actual situation.
Below with reference to emulation experiment, the invention will be further described.
This link is verified in intrusion detection, the experiment software that the present invention uses is CANoe7.1, this software tool is not
The process that only there is emulation In-vehicle networking ECU to send and receive, and the progress that can be connected with true In-vehicle networking is true
Operation.
1, inject and suspend attack intrusion detection verifying
In order to verify injection and pause attack, with CANoe software design such artificial network as shown in Figure 5, wherein
First of all for verifying injection attacks, it is incorporated into program into ECU B, it is allowed to inject at the time of clock is 400s with ID for 0x11's
Message, but actually if being not injected into attack, the message of 0x11 should be by ECU A periodicity sending
, that is to say, that ECU B has carried out injection attacks to ECU A.Meanwhile the intrusion detection program for being incorporated into us also allowed in ECU R,
Using it as a test point of intruding detection system, let it be derives the accumulation clock skew (O of 0x11 messageacc), know
The accumulation bound L of other error (e) and target value+, L-.Word is come for pause attack, ECU A can be incorporated into pause
Program makes it suspend the message for sending 0x11 at the time of 400s.There are injection attacks as Fig. 6 (a) is illustrated and do not having
In the case where injection attacks, Oacc, how these values such as e change.As long as ECU B has started injection attacks, then when accumulation
Clock offset just has a catastrophe point, to can also generate a biggish identification error.Due to such variation, target value is tired
The upper limit L of product sum+Also it uprushes and has been more than threshold value ΓL, so as to determine to be invaded.Similarly, Fig. 6 (b) is also shown
In the case where pause attack, accumulation clock skew can also uprush, and intrusion behavior has occurred to also can be determined that.
Fig. 5 injection attacks and pause attack artificial network figure.
Fig. 6 intruding detection system detects injection attacks and pause attack graph.
2, spoof attack intrusion detection is verified
Spoof attack devises artificial network as shown in Figure 7 with CANoe.Wherein ECU A plays the part of the role of strong attacker,
ECU B plays the part of the role of weak attacker, role of the ECU C as non-attack person, detection of the ECU R as intruding detection system
Point.When wherein ECU A is not implanted rogue program, defaulting it is the message for sending 0x11, and ECU A, which is incorporated into rogue program, to be made
It is in TmasqCamouflage sends the ECU B that ID is 0x55 message when being 250 seconds, namely interrupts ECU B transmission message and disappear
Breath, the message for allowing ECU A that ECU B is replaced to send identical ID instead.
As Fig. 8 (a) illustrate attack before and attack after, ID for 0x55 message PMF (probability mass function).?
After ECU A pretends, or with the same frequency transmission message of ECU B, therefore, before being equivalent to attack, distribution is not bright
Aobvious deviation.However, because in TmasqWhen moment, the ECU B for sending the message of 0x55 is prevented from, by ECU A
Instead of sending, one section of delayed clock is had during ECU switching.As can be seen from the figure when not starting spoof attack,
Clock interval between message is 50ms, however when starting spoof attack for the first time, before starting spoof attack
At the end of the message once sent, the clock interval of message is 51.04ms at this time.Due in TmasqThere is camouflage
It attacks, the abnormal message clock interval deviateed under normal circumstances is just shown in PMF figure.This variation as a result,
Result in the O of test point ECU R trackingacc, L+, L-Variation, as shown in Fig. 8 (c).From Fig. 8 (b) as can be seen that at 250 seconds
When, due to having started spoof attack, so the slope for causing 0x55 message accumulation clock skew produces variation
I.e. clock jitter produces variation.Due in TmasqLater, OaccMeasured value relative to TmasqExpectation under normal circumstances before
Value produces apparent deviation and the accumulation of target value and lower limit also have exceeded threshold value, so that intruding detection system can be reported
This is once to invade.Due in TmasqLater, send the ECU of message that ID is 0x55 and become A, its clock jitter with
The clock jitter of 0x11 is equal, to can also further determine that attack source is A.
Fig. 7 spoof attack network simulation network.Fig. 8 intruding detection system detects spoof attack figure.
In the above-described embodiments, can come wholly or partly by software, hardware, firmware or any combination thereof real
It is existing.When using entirely or partly realizing in the form of a computer program product, the computer program product include one or
Multiple computer instructions.When loading on computers or executing the computer program instructions, entirely or partly generate according to
Process described in the embodiment of the present invention or function.The computer can be general purpose computer, special purpose computer, computer network
Network or other programmable devices.The computer instruction may be stored in a computer readable storage medium, or from one
Computer readable storage medium is transmitted to another computer readable storage medium, for example, the computer instruction can be from one
A web-site, computer, server or data center pass through wired (such as coaxial cable, optical fiber, Digital Subscriber Line (DSL)
Or wireless (such as infrared, wireless, microwave etc.) mode is carried out to another web-site, computer, server or data center
Transmission).The computer-readable storage medium can be any usable medium or include one that computer can access
The data storage devices such as a or multiple usable mediums integrated server, data center.The usable medium can be magnetic Jie
Matter, (for example, floppy disk, hard disk, tape), optical medium (for example, DVD) or semiconductor medium (such as solid state hard disk Solid
State Disk (SSD)) etc..
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, all in essence of the invention
Made any modifications, equivalent replacements, and improvements etc., should all be included in the protection scope of the present invention within mind and principle.
Claims (10)
1. a kind of In-vehicle networking intrusion detection method based on clock skew, which is characterized in that the vehicle based on clock skew
Carrying network inbreak detection method includes: the interrelational form and the degree of association excavated in In-vehicle networking between each ECU, finds ECU
Related information, and analyze the rule of related information, establish correlation rule;The normal data of the correlation rule of foundation are added
The accumulative clock migration model of automobile;
When ECU, which receives message, occurs abnormal, by comparing relevant associated data, intrusion behavior is found.
2. the In-vehicle networking intrusion detection method based on clock skew as described in claim 1, which is characterized in that establish association
In rule, the clock jitter for extracting and estimating transmitter, label of the clock jitter as ECU are removed using the periodicity of message;Tool
Body includes:
Data first are acquired from the standard network of safety, obtain a data source;
Again from the degree of association excavated between each ECU in data source, the fixed clock deviation between ECU is obtained,
The ECU clock jitter that these are fixed again is put into association java standard library as standard.
3. the In-vehicle networking intrusion detection method based on clock skew as claimed in claim 2, which is characterized in that will be fixed
ECU clock jitter is put into association java standard library as standard, needs that first clock jitter is estimated and analyzed;
It specifically includes:
Assuming that ECUA broadcasts a message every Tms, ECU R periodically receives that message;From the angle of R,
The clock for that time that message reaches is regarded as Ctrue;As t=0, indicate that ECUA sends first message, OiTable
The clock skew of i-th message is sent when showing ECUA from t=0;
In one section of network delay diLater, ECU R will receive corresponding message and record the timestamp iT+O of arrivali+di
+ni, wherein niIndicate the noise generated when the timestamp quantization of R;The clock interval T of each arrival time stamprx,i=T+ Δ Oi
+Δdi+ΔniIt indicates, wherein Δ XiIndicate i-th and i-1 variable XiBetween difference and stipulated that O0=0;When a bit of
In, OiVariation is very small, ignores, niIt is a zero-mean Gaussian noise item, T is excavated by associated data
Constant, the data length DLC of periodically packet information is a constant, E [Δ d againi]=0, the desired value formula at interval
(1) it indicates:
The timestamp d reached based on first message0+n0With the desired value μ of interval of timestampsTrx, infer i-th message letter
Timestamp when breath reaches is i μTrx+d0+n0, actual measurement arrival time stamp is iT+Oi+di+ni;By estimation reach when
Between, μTrxIt is determined by past measured value;T is a constant and μTrx≈ T, the phase of the difference between estimated value and true measurement
Prestige value is indicated with formula (2):
E [D]=E [i (T- μTrx)+Oi+Δd+Δn]≈E[Oi] (2)
Go out the clock skew E [O of different transmitters from the periodical angle estimation of messagei]。
4. the In-vehicle networking intrusion detection method based on clock skew as described in claim 1, which is characterized in that when ECU connects
When receiving text occurs abnormal, by the relevant associated data of comparison, finds intrusion behavior, specifically includes:
Using value of the correlation rule in correlation rule library in amount, construct accumulative clock migration model, as with abnormal behaviour
Check and correction standard, the data in In-vehicle networking are detected in real time, discriminate whether that there are intrusion behaviors;
For giving the message of ID, operation RLS algorithm goes to estimate the clock jitter of corresponding ECU transmitter, and building is corresponding
Whether the clock behavior model and confirmatory measurement value of standard deviate normal value;Using CUSUM is accumulative and algorithm, from the inclined of target value
The accumulative and detection mutation of difference.
5. the In-vehicle networking intrusion detection method based on clock skew as claimed in claim 4, which is characterized in that
CUSUM is accumulative and algorithm includes:
During estimating each step of clock jitter, the average value mu of accumulative clock offset is respectively updatedeWith identification error
VarianceμeWithOnly work as satisfactionWhen, just it is updated;, the upper limit L of the identification error e and accumulative sum that each obtain+, lower limit L-It updates as shown in formula (3);
The parameter and κ that wherein κ is a reflection standard deviation are by monitoring normal vehicular network scenario to which off-line training obtains
Out;If L+Or L-Any one have exceeded threshold value ΓL, the value of sudden change can all be noticeable out respectively, report have into
It invades;The mode threshold value of accumulative sum is 4 or 5, or threshold value is arranged according to the actual situation.
6. a kind of realize described in Claims 1 to 5 any one based on the In-vehicle networking intrusion detection method of clock skew
Calculation machine program.
7. a kind of letter for realizing the In-vehicle networking intrusion detection method described in Claims 1 to 5 any one based on clock skew
Cease data processing terminal.
8. a kind of computer readable storage medium, including instruction, when run on a computer, so that computer is executed as weighed
Benefit requires the In-vehicle networking intrusion detection method described in 1-5 any one based on clock skew.
9. a kind of base for realizing the In-vehicle networking intrusion detection method described in Claims 1 to 5 any one based on clock skew
In the In-vehicle networking intruding detection system of clock skew, which is characterized in that the In-vehicle networking based on clock skew invades inspection
Examining system includes:
Correlation rule establishes module, excavates interrelational form and the degree of association in In-vehicle networking between each ECU, finds these
Some related informations of ECU, and the rule of related information is analyzed, establish correlation rule;
Accumulative clock migration model constructs module, and the accumulative clock that automobile is added in the normal data of the correlation rule of foundation is deviated
Model;
Intrusion detection module, by comparing relevant associated data, finds intrusion behavior when ECU, which receives message, occurs abnormal.
10. a kind of In-vehicle networking equipped with the In-vehicle networking intruding detection system described in claim 9 based on clock skew becomes
Point detection device.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811137466.0A CN109257358B (en) | 2018-09-28 | 2018-09-28 | Vehicle-mounted network intrusion detection method and system based on clock skew |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811137466.0A CN109257358B (en) | 2018-09-28 | 2018-09-28 | Vehicle-mounted network intrusion detection method and system based on clock skew |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109257358A true CN109257358A (en) | 2019-01-22 |
| CN109257358B CN109257358B (en) | 2020-08-04 |
Family
ID=65048148
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811137466.0A Active CN109257358B (en) | 2018-09-28 | 2018-09-28 | Vehicle-mounted network intrusion detection method and system based on clock skew |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109257358B (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110173627A (en) * | 2019-06-03 | 2019-08-27 | 山东建筑大学 | A kind of solar energy system |
| CN110602059A (en) * | 2019-08-23 | 2019-12-20 | 东南大学 | Method for accurately restoring clear text length fingerprint of TLS protocol encrypted transmission data |
| CN110752977A (en) * | 2019-10-11 | 2020-02-04 | 中国海洋大学 | Abnormal intrusion detection method and device for CAN bus of Internet of vehicles |
| CN112084185A (en) * | 2020-09-17 | 2020-12-15 | 杭州电子科技大学 | Damaged electronic control unit positioning method of vehicle-mounted edge equipment based on associated learning |
| CN112649675A (en) * | 2020-12-17 | 2021-04-13 | 深圳供电局有限公司 | PLC (programmable logic controller) anomaly detection method based on electromagnetic side channel |
| CN114615086A (en) * | 2022-04-14 | 2022-06-10 | 合肥工业大学 | Vehicle-mounted CAN network intrusion detection method |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105871830A (en) * | 2016-03-28 | 2016-08-17 | 成都信息工程大学 | Firewall of vehicle-mounted information system of automobile |
| CN106059987A (en) * | 2015-04-17 | 2016-10-26 | 现代自动车株式会社 | In-vehicle network intrusion detection system and method for controlling the same |
| CN106792681A (en) * | 2016-11-28 | 2017-05-31 | 北京洋浦伟业科技发展有限公司 | For the intrusion detection method and device and equipment of car networking |
| WO2017173087A2 (en) * | 2016-04-01 | 2017-10-05 | The Regents Of The University Of Michigan | Fingerprinting electronic control units for vehicle intrusion detection |
| CN107454117A (en) * | 2017-09-30 | 2017-12-08 | 中国联合网络通信集团有限公司 | The intrusion detection method and system of a kind of car networking |
| CN108200042A (en) * | 2017-12-28 | 2018-06-22 | 北京奇虎科技有限公司 | A kind of detection method of vehicle safety and vehicle safety management platform |
| CN108521410A (en) * | 2018-03-19 | 2018-09-11 | 北京航空航天大学 | The security architecture of vehicle-mounted Ethernet |
-
2018
- 2018-09-28 CN CN201811137466.0A patent/CN109257358B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106059987A (en) * | 2015-04-17 | 2016-10-26 | 现代自动车株式会社 | In-vehicle network intrusion detection system and method for controlling the same |
| CN105871830A (en) * | 2016-03-28 | 2016-08-17 | 成都信息工程大学 | Firewall of vehicle-mounted information system of automobile |
| WO2017173087A2 (en) * | 2016-04-01 | 2017-10-05 | The Regents Of The University Of Michigan | Fingerprinting electronic control units for vehicle intrusion detection |
| CN106792681A (en) * | 2016-11-28 | 2017-05-31 | 北京洋浦伟业科技发展有限公司 | For the intrusion detection method and device and equipment of car networking |
| CN107454117A (en) * | 2017-09-30 | 2017-12-08 | 中国联合网络通信集团有限公司 | The intrusion detection method and system of a kind of car networking |
| CN108200042A (en) * | 2017-12-28 | 2018-06-22 | 北京奇虎科技有限公司 | A kind of detection method of vehicle safety and vehicle safety management platform |
| CN108521410A (en) * | 2018-03-19 | 2018-09-11 | 北京航空航天大学 | The security architecture of vehicle-mounted Ethernet |
Non-Patent Citations (1)
| Title |
|---|
| 张子键等,: ""一种应用于CAN总线的异常检测系统",", 《信心安全与通信保密》 * |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110173627A (en) * | 2019-06-03 | 2019-08-27 | 山东建筑大学 | A kind of solar energy system |
| CN110602059A (en) * | 2019-08-23 | 2019-12-20 | 东南大学 | Method for accurately restoring clear text length fingerprint of TLS protocol encrypted transmission data |
| CN110602059B (en) * | 2019-08-23 | 2021-09-07 | 东南大学 | Method for accurately restoring clear text length fingerprint of TLS protocol encrypted transmission data |
| CN110752977A (en) * | 2019-10-11 | 2020-02-04 | 中国海洋大学 | Abnormal intrusion detection method and device for CAN bus of Internet of vehicles |
| CN110752977B (en) * | 2019-10-11 | 2021-07-27 | 中国海洋大学 | Abnormal intrusion detection method and device for CAN bus of Internet of vehicles |
| CN112084185A (en) * | 2020-09-17 | 2020-12-15 | 杭州电子科技大学 | Damaged electronic control unit positioning method of vehicle-mounted edge equipment based on associated learning |
| CN112084185B (en) * | 2020-09-17 | 2022-05-31 | 杭州电子科技大学 | Damaged electronic control unit positioning method of vehicle-mounted edge equipment based on associated learning |
| CN112649675A (en) * | 2020-12-17 | 2021-04-13 | 深圳供电局有限公司 | PLC (programmable logic controller) anomaly detection method based on electromagnetic side channel |
| CN114615086A (en) * | 2022-04-14 | 2022-06-10 | 合肥工业大学 | Vehicle-mounted CAN network intrusion detection method |
| CN114615086B (en) * | 2022-04-14 | 2023-11-03 | 合肥工业大学 | Vehicle-mounted CAN network intrusion detection method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109257358B (en) | 2020-08-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109257358A (en) | A kind of In-vehicle networking intrusion detection method and system based on clock skew | |
| KR102601578B1 (en) | Method for protecting a network against a cyber attack | |
| US11380197B2 (en) | Data analysis apparatus | |
| EP3113529B1 (en) | System and method for time based anomaly detection in an in-vehicle communication network | |
| JP7056752B2 (en) | Analytical instruments, analytical systems, analytical methods and programs | |
| US20200213340A1 (en) | Detector, detection method and detection program | |
| CN108111510A (en) | A kind of in-vehicle network intrusion detection method and system | |
| US11647045B2 (en) | Monitoring a network connection for eavesdropping | |
| CN110120935B (en) | Method and device for identifying anomalies in data flows in a communication network | |
| CN109547407A (en) | A kind of the overall process method for tracing and block chain node of environmental monitoring data | |
| WO2018086025A1 (en) | Node identification in distributed adaptive networks | |
| Popa et al. | Ecuprint—physical fingerprinting electronic control units on can buses inside cars and sae j1939 compliant vehicles | |
| Großwindhager et al. | Dependable internet of things for networked cars | |
| CN115776383A (en) | Vehicle network attack protection method based on time analysis and corresponding device | |
| CN105873085B (en) | Node recognition methods is cloned based on physic channel information and the wireless sensor network of degree of belief | |
| Schell et al. | VALID: Voltage-based lightweight intrusion detection for the controller area network | |
| US10666671B2 (en) | Data security inspection mechanism for serial networks | |
| CN108965236A (en) | For protecting network from the method for network attack | |
| Niu et al. | A framework for joint attack detection and control under false data injection | |
| CN108965234B (en) | Method for protecting a network against network attacks | |
| Kneib | A survey on sender identification methodologies for the controller area network | |
| US20190229976A1 (en) | Alert throttling | |
| Wang et al. | Intrusion Device Detection in Fieldbus Networks based on Channel-State Group Fingerprint | |
| Zhou et al. | Temperature-sensitive fingerprinting on ECU clock offset for CAN intrusion detection and source identification | |
| Moltchanov | State description of wireless channels using change-point statistical tests |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20240322 Address after: 230000 Anhui Hefei high tech Zone Innovation Industrial Park two phase J2 District C block 18 floor. Patentee after: HEFEI LONGTUTEM INFORMATION TECHNOLOGY Co.,Ltd. Country or region after: China Address before: 610225, No. 24, Section 1, Xuefu Road, Southwest Economic Development Zone, Chengdu, Sichuan Patentee before: CHENGDU University OF INFORMATION TECHNOLOGY Country or region before: China |