CN109257358B - Vehicle-mounted network intrusion detection method and system based on clock skew - Google Patents

Vehicle-mounted network intrusion detection method and system based on clock skew Download PDF

Info

Publication number
CN109257358B
CN109257358B CN201811137466.0A CN201811137466A CN109257358B CN 109257358 B CN109257358 B CN 109257358B CN 201811137466 A CN201811137466 A CN 201811137466A CN 109257358 B CN109257358 B CN 109257358B
Authority
CN
China
Prior art keywords
clock
message
ecu
association
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811137466.0A
Other languages
Chinese (zh)
Other versions
CN109257358A (en
Inventor
李飞
廖祖奇
张鹏飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu University of Information Technology
Original Assignee
Chengdu University of Information Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu University of Information Technology filed Critical Chengdu University of Information Technology
Priority to CN201811137466.0A priority Critical patent/CN109257358B/en
Publication of CN109257358A publication Critical patent/CN109257358A/en
Application granted granted Critical
Publication of CN109257358B publication Critical patent/CN109257358B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Abstract

The invention belongs to the technical field of automobile network communication and automobile safety, and discloses a vehicle-mounted network intrusion detection method and system based on clock skew, wherein the association mode and association degree of each ECU in a vehicle-mounted network are mined, some association information of the ECUs is found, the rule of the association information is analyzed, and an association rule is established; adding the data with normal established association rules into an accumulative clock offset model of the automobile; when the ECU receives the message and is abnormal, the intrusion behavior is discovered by comparing the related associated data. The present invention detects a mutation from the cumulative sum of deviations of target values using a CUSUM (cumulative sum) algorithm; because the accumulation method is adopted, the accumulation value is continuously increased or decreased even if slightly deviated from the target value. Therefore, it is the best method for detecting small persistent changes, and is widely used for variable point detection at present.

Description

Vehicle-mounted network intrusion detection method and system based on clock skew
Technical Field
The invention belongs to the technical field of automobile network communication and automobile safety, and particularly relates to a vehicle-mounted network intrusion detection method and system based on clock skew.
Background
Currently, the current state of the art commonly used in the industry is such that:
with the integration of modern information science and technology and automotive technology, the Control of automobiles is based on the Control of an Electronic Control Unit (ECU), and the development trend of automobiles is more and more digital, intelligent and unmanned. Because the functions of each equipment device of the automobile are controlled by the ECU, the number of the ECUs is different according to different automobile models and requirements, but generally, the automobile contains 20 to 100 ECUs, and each ECU is responsible for the functions of the corresponding equipment device. At present, the bus which is dominant in the vehicle-mounted network of the automobile is the CAN bus, and since the development of the CAN bus communication protocol for the automobile by German Bosch company in 1986, the CAN bus becomes the standard of the vehicle-mounted network of the automobile. Because the standard vehicle-mounted network which is most commonly applied in the vehicle-mounted network is the CAN bus network, the invention is based on the research of the CAN bus network on the ECU intrusion detection.
The BOSCH company, at the beginning of the design of the CAN bus, only considers the functionality, but not the security issues with respect to the information of the on-board network. For example, the insecurity of the CAN bus network is shown in that the CAN bus protocol rule only specifies the protocol content and the message format of the CAN message, and the data on the CAN bus is transmitted in a plaintext manner without an encryption measure, and meanwhile, the CAN bus does not have a corresponding authentication mechanism, and CAN send messages to other devices as long as the device is mounted on the CAN bus, so that the CAN bus is easily attacked and monitored by hackers. In recent years, some white-cap hackers have proved by practical cases abroad against attacks on the vehicle-mounted network.
The in-vehicle T-Box system is a system that performs wireless communication and data exchange according to a communication protocol and a data exchange standard by integrating electronic components such as a GPS positioning module, an RFID (radio frequency identification) module, and a sensor module in the vehicle, and is also a key component for realizing vehicle intelligent control and intelligent dynamic information service. The hacker attacks the T-Box, so that local and remote control of the automobile CAN be realized, and the running vehicle CAN be cut off oil, accelerated, decelerated and braked by sending related commands to the CAN bus. The invention can discover the attack from the T-Box in time.
The vehicle-mounted entertainment system can comprise navigation, auxiliary driving, fault detection, vehicle body control, online-based entertainment functions and the like, and the electronization, networking and intelligentization levels of the automobile are greatly improved. The in-vehicle entertainment system is also a key object of hacking since it can be connected to the outside wirelessly. By attacking the vehicle-mounted entertainment system and then sending related commands to the CAN bus, the running vehicle CAN also be turned, cut off oil, accelerated, decelerated, braked and the like. Therefore, the invention can find the attack from the vehicle-mounted entertainment system in time
In summary, the problems of the prior art are as follows:
(1) in the prior art, the information security problem of the vehicle-mounted network is not considered.
Data on the CAN bus is transmitted only in a plaintext mode without encryption; meanwhile, the CAN bus does not have a corresponding authentication mechanism, and messages CAN be sent to other equipment as long as the equipment is mounted on the CAN bus, so that the CAN bus is easy to attack and monitor by hackers.
(2) In the prior art, the T-Box has no protection measures, so the T-Box is easy to be attacked by hackers from the Internet, and further attacks a CAN bus, so that abnormal phenomena occur in a running automobile.
(3) In the prior art, because the vehicle-mounted entertainment system has no protective measures, the vehicle-mounted entertainment system is easy to be attacked by hackers from the Internet, and further attacks a CAN bus, so that abnormal phenomena occur in a running automobile.
The difficulty and significance for solving the technical problems are as follows:
the difficulty lies in that the information security problem of the vehicle-mounted network of the automobile cannot be properly solved; the reason is that the above-mentioned materials are,
in the process of the traditional automobile evolving to a digital, intelligent and unmanned automobile, the information security problem of the automobile vehicle-mounted network cannot be ignored, because the information security problem of the automobile vehicle-mounted network is compared with the information security problem of the internet, the harm caused by the information security of the automobile vehicle-mounted network is more important, and once the automobile vehicle-mounted network is attacked, the property loss can be brought and the lives of people in the automobile can be threatened under severe conditions. Moreover, at present, the protection of external communication of many automobiles is basically not available, and the number of channels for external communication of automobiles is various.
After the problems in the prior art are solved, the significance is brought: aiming at the attack of the vehicle-mounted network of the automobile, the invention CAN find the attack behavior in time through the clock deviation of the data packet on the CAN bus to carry out intrusion detection, which is beneficial to ensuring the safety of the whole automobile carrier and further ensures the safety of life and property.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a vehicle-mounted network intrusion detection method and system based on clock skew, which well solve the problems, enhance the security of an automobile internal network and improve the intrusion detection capability in an automobile network.
The invention is realized in this way, a vehicle network intrusion detection method based on clock skew, the vehicle network intrusion detection method based on clock skew includes: mining the association mode and association degree among the ECUs in the vehicle-mounted network, finding some association information of the ECUs, analyzing the rule of the association information, and establishing an association rule; adding the data with normal established association rules into an accumulative clock offset model of the automobile;
when the ECU receives the message and is abnormal, the intrusion behavior is discovered by comparing the related associated data.
Further, in the method for establishing the association rule, the clock deviation of the transmitter is extracted and estimated by utilizing the periodicity of the message, and the clock deviation is used as a mark of the ECU; the method specifically comprises the following steps:
firstly, acquiring data from a safe standard network to obtain a data source; and excavating the association degree among the ECUs from the data source to obtain fixed clock deviations among the ECUs, and putting the fixed clock deviations of the ECUs into an association standard library as standards.
Furthermore, in the establishment of the association rule, before the fixed ECU clock deviations are taken as standards and put into an association standard library, the clock deviations need to be estimated and analyzed;
the method specifically comprises the following steps:
assuming that ECUA broadcasts a message every Tms, ECU R periodically receives the message; from the perspective of R, the clock at the moment the message arrives is seen as Ctrue(ii) a When t is 0, it indicates that the ECUA sends the first message, OiThe clock offset represents that ECUA sends the ith message when t is equal to 0;
delay d in a section of networkiAfter that, the ECU R will receive the corresponding message and record the arrival time stamp iT + Oi+di+niWherein n isiRepresents the noise generated when the timestamp of R is quantized; the clock interval of each arrival timestamp is Trx,i=T+ΔOi+Δdi+ΔniIs represented by, whereiniRepresents the ith and i-1 variablesXiDifference between and specifies O00; in a short time, OiThe variation is very small, neglected, niIs a zero-mean Gaussian noise term, T is a constant obtained by associated data mining, the data length D L C of the periodic message information is a constant, E [ Delta D ]i]The expected value of the interval is represented by equation (1) where 0:
based on the time stamp d of the arrival of the first message0+n0And expected value of time stamp interval muTrxDeducing the time stamp of the ith message as i mu when the message arrivesTrx+d0+n0The actual measurement arrival timestamp is iT + Oi+di+ni(ii) a By estimating the time of arrival, μTrxDetermined from past measurements; t is a constant and μTrxT, the expected value of the difference between the estimated value and the true measured value is represented by equation (2):
E[D]=E[i(T-μTrx)+Oi+Δd+Δn]≈E[Oi](2)
estimating the clock offset E [ O ] of different transmitters from the periodic point of view of the messagei]。
Further, when the ECU receives the message and is abnormal, the intrusion behavior is discovered by comparing the related associated data, which specifically includes:
constructing an accumulated clock offset model by using the quantitative values of the association rules in the association rule base, using the accumulated clock offset model as a proofreading standard of abnormal behaviors, detecting data in the vehicle-mounted network in real time, and judging whether an intrusion behavior exists or not;
for the message with given ID, running R L S algorithm to estimate the clock deviation of corresponding ECU transmitter, constructing corresponding standard clock behavior model and verifying whether the measured value deviates from the normal value, and detecting the sudden change from the accumulation and deviation of the target value by CUSUM accumulation and algorithm.
Further, the CUSUM cumulative sum algorithm includes:
the average value mu of the accumulated clock offset is updated separately during each step of the estimation of the clock offseteAnd variance of recognition errorμeAndonly when it is satisfiedUpdated, each resulting recognition error e and an upper bound L of the cumulative sum+Lower limit L-Updating is shown in formula (3);
where κ is a parameter reflecting the standard deviation and κ is derived by off-line training by monitoring normal on-board network conditions, if L+Or L-Exceeds the threshold valueLThe suddenly changed values are respectively perceived and reported to have intrusion; the mode threshold value of the accumulated sum is 4 or 5, or the threshold value is set according to the actual situation.
Another object of the present invention is to provide a computer program for implementing the clock skew-based intrusion detection method for an in-vehicle network.
Another object of the present invention is to provide an information data processing terminal for implementing the clock skew-based intrusion detection method for a vehicle network.
Another object of the present invention is to provide a computer-readable storage medium, which includes instructions that, when executed on a computer, cause the computer to execute the clock skew-based intrusion detection method for an in-vehicle network.
Another object of the present invention is to provide a clock skew-based intrusion detection system for implementing the clock skew-based intrusion detection method for a vehicle network, the clock skew-based intrusion detection system for a vehicle network comprising:
the association rule establishing module is used for mining association modes and association degrees among all ECUs in the vehicle-mounted network, finding some association information of the ECUs, analyzing rules of the association information and establishing association rules;
the accumulated clock skew model building module is used for adding the data with normal established association rules into an accumulated clock skew model of the automobile;
and the intrusion detection module is used for finding an intrusion behavior by comparing related associated data when the ECU receives the message and the message is abnormal.
Another object of the present invention is to provide a vehicle network change point detection device incorporating the system for detecting vehicle network intrusion based on clock skew.
In summary, the advantages and positive effects of the invention are:
in order to establish an effective intrusion detection method and to be able to identify various types of attacks, the system should be able to verify the sender of each message. However, the CAN message does not contain the transmitter information, so it must be marked with other information. The invention uses the periodicity of the messages to extract and estimate the clock bias of the transmitter, i.e. to use this clock bias as a signature for the ECU.
First, data is collected from a secure standard network to obtain a data source. And then, the association degree among the ECUs is mined from the data source to obtain the fixed clock deviation among the ECUs, and the fixed clock deviation of the ECUs is taken as a standard and is put into an association standard library, so that the design of a complete off-line part is realized.
Since the clock skew of the ECU is used for the marking, the clock skew needs to be estimated and analyzed first. Factors affecting clock skew in a real system include clock skew, network transmission delay, and noise generated during timestamp quantization, and these factors are small and negligible with respect to the period of a message.
Real-time part design
The off-line part has solved the problem of flagging the ECU transmitter, i.e. deriving the clock skew by the time interval between message messages can be used to flag the ECU transmitter. The invention designs two modules of an accumulative clock skew model and an intrusion detection unit by utilizing the characteristic, wherein the intrusion detection unit comprises an analysis engine for judging whether the intrusion behavior belongs to.
The real-time part is designed for adapting to the real-time requirement of the vehicle-mounted network on intrusion detection, and the function of the real-time part is to construct an accumulated clock offset model by utilizing the value of the association rule in the association rule base on quantity, such as the message time periodicity, as a proofreading standard with abnormal behaviors, so as to detect the data in the vehicle-mounted network in real time and judge whether the intrusion behaviors exist.
The accumulated clock skew model construction is equivalent to establishing a standard library, namely a commonly-called white list, and only expected data values which accord with the model can pass the intrusion detection.
The intrusion detection is to compare the real-time data with the excavated intrinsic value of the off-line part (i.e. the clock deviation of the ECU), and if the real-time data is greatly different from the expected clock deviation of the ECU, it can determine that there is an abnormal or intrusive behavior (e.g. injection attack, pause attack, masquerade attack, etc.).
Considering that a malicious attacker performs injection attack on the ECU which sends message information at a fixed period, the injection attack can significantly increase the absolute average difference between the estimated and measured arrival clocks. As a result, the rate of change of the cumulative clock offset suddenly increases, and the recognition error becomes large. Similarly, a pause attack will also increase the absolute average, and will also generate a high error. If there is a masquerading attack, because a malicious attacker sends a message through a malicious ECU instead of the original ECU, the cumulative clock skew, i.e., the rate of increase of the clock skew, changes suddenly, resulting in a very high recognition error. In summary, when an ECU is not malicious and it accordingly has a standard clock behaviour, its recognition error generally tends to mean 0, and its value suddenly changes to a non-0 value when there is an intrusion.
The intrusion detection method of the present invention detects a sudden change from the cumulative sum of deviations of target values using the CUSUM (cumulative sum) algorithm here. Because the accumulation method is adopted, the accumulation value is continuously increased or decreased even if slightly deviated from the target value. Therefore, it is the best method for detecting small persistent changes, and is widely used for variable point detection at present.
The simulation verification of the invention comprises the following steps:
in the stage of intrusion detection and verification, the experimental software adopted by the invention is CANoe7.1, and the software tool not only has the process of simulating the transmission and the reception of the vehicle-mounted network ECU, but also can be connected with a real vehicle-mounted network to carry out real operation.
Injection and pause attack intrusion detection verification:
in order to verify injection and suspend attacks, a simulation network such as that shown in fig. 5 is designed by using CANoe software, wherein, firstly, in order to verify injection attacks, ECU B is programmed to inject message messages with ID 0x11 at the time of clock 400s, but actually, if no injection attacks exist, the message messages with 0x11 should be periodically sent by ECU a, that is, ECU B performs injection attacks on ECU a. Meanwhile, the ECU R is also programmed with an intrusion detection program which is used as a detection point of an intrusion detection system to derive the cumulative clock offset (O) of the 0x11 messageacc) Identification error (e) and cumulative upper and lower limits L for the target value+,L-. For a pause attack, ECU a may program a pause to pause sending 0x11 messages at 400 s. FIG. 6(a) shows O with and without injection attackaccE, etc. whenever ECU B initiates an injection attack, the cumulative clock offset will have a discontinuity and thus also produce a large recognition error, due to such a change, the upper bound L on the cumulative sum of target values+Also suddenly increased and exceeded the thresholdLThereby, it can be determined that intrusion has occurred. Similarly, fig. 6(b) also shows that in the case of the pause attack, the accumulated clock skew also increases suddenly, so that the attack can be determinedAn intrusion action is generated.
Detection and verification of masquerading attack intrusion:
masquerading attacks a simulation network as shown in fig. 7 was designed with CANoe. Wherein, the ECU A plays the role of a strong attacker, the ECU B plays the role of a weak attacker, the ECU C plays the role of a non-attacker, and the ECU R is used as a detection point of an intrusion detection system. When the ECU A is not implanted with the malicious program, the ECU A sends a message of 0x11 by default, and the ECU A is programmed with the malicious program to enable the ECU A to be in TmasqAnd in 250 seconds, the ECU B which sends the message with the ID of 0x55 is disguised, namely the ECU B is interrupted from sending the message, and instead the ECU A is used for sending the message with the same ID instead of the ECU B.
Fig. 8(a) shows PMFs (probability mass functions) of message messages with IDs of 0x55 before and after the attack. After the ECU A pretends to be the same, the message is sent at the same frequency as the ECU B, so that the distribution is not obviously deviated before the attack. However, because at TmasqAt that time, ECU B sending a 0x55 message is blocked and instead of sending it, ECU a will have a delay in the ECU switching process. It can be seen from the figure that the clock interval between the message messages is 50ms when no masquerading attack is launched, whereas the clock interval of the message messages at the time when the first masquerading attack is launched is 51.04ms relative to the end of the message sent the previous time when the masquerading attack was launched. Due to the fact that at TmasqAnd if the masquerading attack occurs, the PMF graph displays abnormal message clock intervals deviating from the normal condition. Thus, this change also results in the detection of O tracking by the point ECU Racc,L+,L-As shown in fig. 8 (c). As can be seen from fig. 8(b), at 250 seconds, since a masquerading attack is launched, the slope of the clock offset accumulated in the 0x55 message is changed, that is, the clock offset is changed. Due to the fact that at TmasqAfter that, OaccMeasured value of (D) relative to TmasqThe previously normal expected value produces a significant deviation and the cumulative and lower limits of the target values also exceed the threshold value so that the intrusion detection system can report that this is an intrusion. Due to the fact that at TmasqThereafter, the ECU that transmits the message with ID 0x55 becomes a, and its clock skew is equal to that of 0x11, so that it can also be further determined that the attack source is a.
Drawings
Fig. 1 is a diagram illustrating an analysis of a message arrival timing according to an embodiment of the present invention.
FIG. 2 is a diagram of accumulated clock skew according to an embodiment of the present invention.
Fig. 3 is a flowchart of a clock skew estimation algorithm according to an embodiment of the present invention.
Fig. 4 is a flowchart of an intrusion detection method according to an embodiment of the present invention.
Fig. 5 is a simulation network diagram of injection attack and suspension attack provided by the embodiment of the present invention.
Fig. 6 is a diagram of detecting an injection attack and a suspension attack by an intrusion detection system according to an embodiment of the present invention.
In the figure: (a) injecting an attack; (b) the attack is buffered.
Fig. 7 is a network diagram of a masquerading attack network simulation provided in an embodiment of the present invention.
Fig. 8 is a diagram of detecting a masquerading attack by an intrusion detection system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the prior art, the information security problem of the vehicle-mounted network is not considered.
Data on the CAN bus is transmitted only in a plaintext mode without encryption; meanwhile, the CAN bus does not have a corresponding authentication mechanism, and messages CAN be sent to other equipment as long as the equipment is mounted on the CAN bus, so that the CAN bus is easy to attack and monitor by hackers.
The invention is further described below with reference to specific assays.
The vehicle-mounted network intrusion detection method based on clock skew provided by the embodiment of the invention comprises the following steps:
firstly, the association mode and the association degree among all ECUs in a vehicle-mounted network are mined, some association information of the ECUs is found, the rules of the association information are analyzed, association rules are established, and the normal data are added into a white list of the automobile. When the ECU receives the message and is abnormal, the intrusion behavior can be found by comparing the related associated data, thereby avoiding the occurrence of safety problems.
1) Wherein, the association rule comprises:
an accelerator pedal ECU, a throttle ECU, a rotational speed ECU, and a vehicle speed ECU are exemplified. From a practical viewpoint, the 4 ECUs have a correlation (a change in the accelerator pedal causes a change in the throttle, a change in the throttle causes a change in the engine speed, and a change in the engine speed causes a change in the vehicle speed). According to multiple experiments, the fact that most of ECUs in the vehicle-mounted network have a single linear correlation relation is found, and the ECU sends message information with a periodic characteristic of a time interval. Thereby devising association rules between each ECU.
2) The intrusion detection method principle comprises the following steps:
the frequency of message transmission to the ECUs mounted on the CAN bus network is determined by their own crystal clock. The invention uses NTP (network time protocol) naming specification and uses CtrueC is the expected time of the received signal obtained by the ECU through data correlation miningiIndicating the time at which the ECU actually receives the signal. Terms such as clock offset, clock increment, and clock skew are defined.
Clock skew: within a period of time, CtrueAnd CiThe difference in (a).
Clock increment: within a period of time, CiThe amount of change in (c).
Clock skew: the ratio of the clock skew to the period of time is accumulated over a period of time.
In order to establish an effective intrusion detection method and to be able to identify various types of attacks, the system should be able to verify the sender information of each message. However, the CAN message does not contain the transmission information, so it must be marked with other information. The invention uses the periodicity of the messages to extract and estimate the clock bias of the transmitter, i.e. to use this clock bias as a signature for the ECU.
As shown in fig. 1, assuming that ECU a broadcasts one message every Tms, ECU R periodically accepts that message. From the perspective of R, only the timestamp of the moment the message arrived at it is available, so the clock of the moment the message arrived can be seen as Ctrue. Due to clock skew, sometimes a slight clock offset from the ideal clock (T,2T,3T …) occurs when sending periodic message messages. When t is 0, it means that the ECU a sends the first message, OiIndicating the clock offset at which ECU a sends the i-th message from t equal to 0. Then, delay d in a networkiAfter that, the ECU R will receive the corresponding message and record the arrival time stamp iT + Oi+di+niWherein n isiRepresenting the noise generated when the timestamp of R is quantized. Thus, the clock interval for each arrival timestamp may be Trx,i=T+ΔOi+Δdi+ΔniIs represented by, whereiniDenotes the ith and i-1 variables XiDifference between and specifies O00. Since in a short time, OiThe variation is very small and negligible, niIs a zero-mean Gaussian noise term, T is a constant obtained by associated data mining, and the data length D L C of the periodic message information is a constant, namely E [ delta D ]i]0, so the expected value of the interval can be represented by equation (1):
based on the time stamp d of the arrival of the first message0+n0And expected value of time stamp interval muTrxTherefore, the time stamp of the ith message when the message arrives can be inferred to be i muTrx+d0+n0And the actual measurement arrival timestamp is iT + Oi+di+ni. As estimated time of arrival, μTrxIs determined by past measurements. Since T is a constant and μTrxT, so the expected value of the difference between the estimated value and the true measured value can be represented by equation (2):
E[D]=E[i(T-μTrx)+Oi+Δd+Δn]≈E[Oi](2)
that is, the invention can estimate the clock offset E [ O ] of different transmitters from the view point of the periodicity of the messagei]Because the clock skew becomes very slow and non-zero, E [ O ]i]Not equal to 0, and E [ Delta Oi]0. Thereby distinguishing different transmitters on the basis of this. If the average clock offset is estimated for n message messages received by the ECU R, it represents only the newly generated average clock offset, since the received message messages are derived from the first message. Therefore, to obtain the total generated clock skew, the average clock skew needs to be accumulated. By definition, the accumulated clock skew should be a constant and the degree of tilt of the accumulated clock skew indicates the corresponding clock skew.
As shown in the cumulative clock skew graph of fig. 2, the present invention uses clock skew estimation to verify the validity of the tag ECU, which is on the order of ppm (parts per million). The cumulative clock skew for the 0x11,0x13, and 0x55 message messages, respectively, is plotted, where the degree of curve skew represents the corresponding clock skew. It can be seen from the figure that all the curves obtained for the clock skew are a straight line, so that the corresponding clock skew should be a constant. The message messages 0x11,0x13 were both sent from ECU A, with their message clock offset curves nearly coincident and a clock bias of 11.4ppm (least squares). Message 0x55, on the other hand, was sent by ECU B and had a clock bias of 25.2 ppm. Thus, clock skew can indeed distinguish between different ECUs.
The problem of flagging the ECU transmitter has been solved above in that a clock skew derived from the time interval between message messages can be used to flag the ECU transmitter.
The invention designs two modules of an accumulative clock skew model and an intrusion detection unit by utilizing the characteristic, wherein the intrusion detection unit comprises an analysis engine for judging whether the intrusion behavior belongs to. These two large modules are described in detail below.
With the foregoing matting, for a given ID message, the corresponding accumulated clock skew can be derived by receiving the message timestamp. Since the clock skew is constant, the cumulative clock offset is distributed in a linear regression. Thus, the intrusion detection method may model the cumulative clock offset model as a linear regression model. Its corresponding linear regression model definition is expressed by equation (3):
Oacc[k]=S[k]·t[k]+e[k](3)
wherein k denotes k stages, Oacc[k]Denotes the accumulated clock skew at k stages, t k]Representing the time spent in k phases, Sk]The slope representing the linear regression model is also the clock bias to be estimated, e k]Representing the recognition error, i.e. the residual error that cannot be interpreted by the model. Wherein O isaccS, t, e are updated with the change in the number of messages per N messages until k is reached, as contemplated by the present invention.
In order to obtain the unknown parameters S of the accumulated clock offset model, a least square method (R L S) algorithm is used as a basis to design a clock offset estimation algorithm program and a clock offset estimation algorithm flow of FIG. 3, wherein residual errors are used as an objective function so as to minimize the square sum of modeling errors, therefore, in the R L S algorithm, the deviation of identification errors is preferably close to 0, and the model can be more accurately expressed.
The algorithm describes how to use the R L S algorithm to estimate the clock bias, first, the intrusion detection method measures the timestamp of the message given the ID at the time of receipt and uses the value of the time period between messages in the association rule base, if the expected message is not received for a long period of time, it is likely to be a pause attack, as shown in lines 13,14 of FIG. 3, it will tend to cause the remaining timestamp and time interval to increase.
The invention is further described below in connection with intrusion detection methods.
An intrusion detection method designed based on the above analysis is shown in fig. 4. The intrusion detection method separates line parts and real-time parts.
1. Off-line part design (Association establishment)
In order to establish an effective intrusion detection method and to be able to identify various types of attacks, the system should be able to authenticate the sender of each message. However, the CAN message does not contain the transmitter information, so it must be marked with other information. The invention uses the periodicity of the messages to extract and estimate the clock bias of the transmitter, i.e. to use this clock bias as a signature for the ECU.
First, data is collected from a secure standard network to obtain a data source. And then, the association degree among the ECUs is mined from the data source to obtain the fixed clock deviation among the ECUs, and the fixed clock deviation of the ECUs is taken as a standard and is put into an association standard library, so that the design of a complete off-line part is realized.
Since the clock skew of the ECU is used for the marking, the clock skew needs to be estimated and analyzed first. Factors affecting clock skew in a real system include clock skew, network transmission delay, and noise generated during timestamp quantization, and these factors are small and negligible with respect to the period of a message.
2. Real-time part design
The off-line part has solved the problem of flagging the ECU transmitter, i.e. deriving the clock skew by the time interval between message messages can be used to flag the ECU transmitter. The invention designs two modules of an accumulative clock skew model and an intrusion detection unit by utilizing the characteristic, wherein the intrusion detection unit comprises an analysis engine for judging whether the intrusion behavior belongs to.
The real-time part is designed for adapting to the real-time requirement of the vehicle-mounted network on intrusion detection, and the function of the real-time part is to construct an accumulated clock offset model by utilizing the value of the association rule in the association rule base on quantity, such as the message time periodicity, as a proofreading standard with abnormal behaviors, so as to detect the data in the vehicle-mounted network in real time and judge whether the intrusion behaviors exist.
The accumulated clock skew model construction is equivalent to establishing a standard library, namely a commonly-called white list, and only expected data values which accord with the model can pass the intrusion detection.
The intrusion detection is to compare the real-time data with the excavated intrinsic value of the off-line part (i.e. the clock deviation of the ECU), and if the real-time data is greatly different from the expected clock deviation of the ECU, it can determine that there is an abnormal or intrusive behavior (e.g. injection attack, pause attack, masquerade attack, etc.).
Considering that a malicious attacker performs injection attack on the ECU which sends message information at a fixed period, the injection attack can significantly increase the absolute average difference between the estimated and measured arrival clocks. As a result, the rate of change of the cumulative clock offset suddenly increases, and the recognition error becomes large. Similarly, a pause attack will also increase the absolute average, and will also generate a high error. If there is a masquerading attack, because a malicious attacker sends a message through a malicious ECU instead of the original ECU, the cumulative clock skew, i.e., the rate of increase of the clock skew, changes suddenly, resulting in a very high recognition error. In summary, when an ECU is not malicious and it accordingly has a standard clock behaviour, its recognition error generally tends to mean 0, and its value suddenly changes to a non-0 value when there is an intrusion.
3. Analysis engine
For a message with a given ID, the intrusion detection method runs the R L S algorithm to estimate the clock bias of the corresponding ECU transmitter, thereby also building a corresponding standard clock behavior model and verifying whether the measured value deviates from the normal value, i.e., intrusion.
Since the intrusion detection method updates the average value mu of the accumulated clock skew separately during each step of estimating the clock skeweAnd variance of recognition errorThese values represent the cumulative target value for e and therefore appropriate tracking of these variables is required. Therefore, as a countermeasure against an abnormal value generated from an attack, it is necessary to reflect it to the objectStandard value, mueAndonly when it is satisfiedThen, each resulting recognition error e and the upper bound L of the cumulative sum+Lower limit L-The update is shown in equation (3).
Where κ is a parameter reflecting the standard deviation and κ may be derived by off-line training by monitoring normal on-board network conditions, if L+Or L-Exceeds the threshold valueLThe suddenly changed values are respectively detected, so that the intrusion detection method can report the intrusion. In general, there is a threshold value in the way of accumulation sum, and the threshold value is usually 4 or 5, and the threshold value can be set according to the actual situation.
The invention is further described below in connection with simulation experiments.
In the stage of intrusion detection and verification, the experimental software adopted by the invention is CANoe7.1, and the software tool not only has the process of simulating the transmission and the reception of the vehicle-mounted network ECU, but also can be connected with a real vehicle-mounted network to carry out real operation.
1. Injection and pause attack intrusion detection verification
In order to verify injection and suspend attacks, a simulation network such as that shown in fig. 5 is designed by using CANoe software, wherein, firstly, in order to verify injection attacks, ECU B is programmed to inject message messages with ID 0x11 at the time of clock 400s, but actually, if no injection attacks exist, the message messages with 0x11 should be periodically sent by ECU a, that is, ECU B performs injection attacks on ECU a. Meanwhile, the ECU R is also programmed with an intrusion detection program which is used as a detection point of an intrusion detection system to be deducedCumulative clock offset (O) for 0x11 message messagesacc) Identification error (e) and cumulative upper and lower limits L for the target value+,L-. For a pause attack, ECU a may program a pause to pause sending 0x11 messages at 400 s. FIG. 6(a) shows O with and without injection attackaccE, etc. whenever ECU B initiates an injection attack, the cumulative clock offset will have a discontinuity and thus also produce a large recognition error, due to such a change, the upper bound L on the cumulative sum of target values+Also suddenly increased and exceeded the thresholdLThereby, it can be determined that intrusion has occurred. Similarly, fig. 6(b) also shows that in the case of the pause attack, the accumulated clock skew is also suddenly increased, so that it can be determined that the intrusion behavior has occurred.
Fig. 5 a simulation network diagram of injection and pause attacks.
FIG. 6 is a diagram of an intrusion detection system detecting injection attacks and halting attacks.
2. Spoofing attack intrusion detection verification
Masquerading attacks a simulation network as shown in fig. 7 was designed with CANoe. Wherein, the ECU A plays the role of a strong attacker, the ECU B plays the role of a weak attacker, the ECU C plays the role of a non-attacker, and the ECU R is used as a detection point of an intrusion detection system. When the ECU A is not implanted with the malicious program, the ECU A sends a message of 0x11 by default, and the ECU A is programmed with the malicious program to enable the ECU A to be in TmasqAnd in 250 seconds, the ECU B which sends the message with the ID of 0x55 is disguised, namely the ECU B is interrupted from sending the message, and instead the ECU A is used for sending the message with the same ID instead of the ECU B.
Fig. 8(a) shows PMFs (probability mass functions) of message messages with IDs of 0x55 before and after the attack. After the ECU A pretends to be the same, the message is sent at the same frequency as the ECU B, so that the distribution is not obviously deviated before the attack. However, because at TmasqAt that time, ECU B sending a 0x55 message is blocked and instead of sending it, ECU a will have a delay in the ECU switching process. It can be seen from the figure thatWhen the masquerading attack is not launched, the clock interval between the message messages is 50ms, however, when the masquerading attack is launched for the first time, the clock interval of the message messages is 51.04ms at the moment relative to the time when the message sent before the masquerading attack is launched is finished. Due to the fact that at TmasqAnd if the masquerading attack occurs, the PMF graph displays abnormal message clock intervals deviating from the normal condition. Thus, this change also results in the detection of O tracking by the point ECU Racc,L+,L-As shown in fig. 8 (c). As can be seen from fig. 8(b), at 250 seconds, since a masquerading attack is launched, the slope of the clock offset accumulated in the 0x55 message is changed, that is, the clock offset is changed. Due to the fact that at TmasqAfter that, OaccMeasured value of (D) relative to TmasqThe previously normal expected value produces a significant deviation and the cumulative and lower limits of the target values also exceed the threshold value so that the intrusion detection system can report that this is an intrusion. Due to the fact that at TmasqThereafter, the ECU that transmits the message with ID 0x55 becomes a, and its clock skew is equal to that of 0x11, so that it can also be further determined that the attack source is a.
FIG. 7 is a disguised attack network simulation network diagram. FIG. 8 an intrusion detection system detects a spoofed attack graph.
The computer instructions may be stored on or transmitted from one computer-readable storage medium to another computer-readable storage medium, e.g., from one website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DS L) or wireless (e.g., infrared, wireless, microwave, etc.) means to another website site, computer, server, or data center via a solid state storage medium, such as a solid state Disk, or the like, (e.g., a solid state Disk, a magnetic storage medium, such as a DVD, a SSD, etc.), or any combination thereof.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (7)

1. A vehicle network intrusion detection method based on clock skew is characterized in that the vehicle network intrusion detection method based on clock skew comprises the following steps: mining the association mode and association degree among all ECUs in the vehicle-mounted network, finding out the association information of the ECUs, analyzing the rule of the association information, and establishing an association rule; adding the data with normal established association rules into an accumulative clock offset model of the automobile;
when the ECU receives the message and is abnormal, the intrusion behavior is discovered by comparing the related associated data;
in the establishment of the association rule, the clock deviation of the transmitter is extracted and estimated by utilizing the periodicity of the message, and the clock deviation is used as a mark of the ECU; the method specifically comprises the following steps:
firstly, acquiring data from a safe standard network to obtain a data source;
then, the association degree between each ECU is mined from the data source to obtain the fixed clock deviation between the ECUs,
then putting the fixed ECU clock deviations into a relevant standard library as standards;
putting the fixed ECU clock deviation as a standard into a correlation standard library, and estimating and analyzing the clock deviation;
the method specifically comprises the following steps:
assuming that ECUA broadcasts a message every Tms, ECU R periodically receives the message; from the perspective of R, the clock at the moment the message arrives is seen as Ctrue(ii) a When t is 0, it indicates that the ECUA sends the first message, OiThe clock offset represents that ECUA sends the ith message when t is equal to 0;
delay d in a section of networkiAfter that, the ECU R will receive the corresponding message and record the arrival time stamp iT + Oi+di+niWherein n isiRepresents the noise generated when the timestamp of R is quantized; the clock interval of each arrival timestamp is Trx,i=T+ΔOi+Δdi+ΔniIs represented by, whereiniDenotes the ith and i-1 variables XiDifference between and specifies O00; in a short time, OiThe variation is very small, neglected, niIs a zero-mean Gaussian noise term, T is a constant obtained by associated data mining, the data length D L C of the periodic message information is a constant, E [ Delta di ]]The expected value of the interval is represented by equation (1) where 0:
based on the time stamp d of the arrival of the first message0+n0And expected value of time stamp interval muTrxDeducing the time stamp of the ith message as i mu when the message arrivesTrx+d0+n0The actual measurement arrival timestamp is iT + Oi+di+ni(ii) a By estimating the time of arrival, μTrxDetermined from past measurements; t is a constant and μTrxT, the expected value of the difference between the estimated value and the true measured value is represented by equation (2):
E[D]=E[i(T-μTrx)+Oi+Δd+Δn]≈E[Oi](2)
estimating the clock offset E [ O ] of different transmitters from the periodic point of view of the messagei]。
2. The method according to claim 1, wherein when the ECU receives the packet and is abnormal, the ECU finds the intrusion behavior by comparing the related associated data, and specifically includes:
constructing an accumulated clock offset model by using the quantitative values of the association rules in the association rule base, using the accumulated clock offset model as a proofreading standard of abnormal behaviors, detecting data in the vehicle-mounted network in real time, and judging whether an intrusion behavior exists or not;
for the message with given ID, running R L S algorithm to estimate the clock deviation of corresponding ECU transmitter, constructing corresponding standard clock behavior model and verifying whether the measured value deviates from the normal value, and detecting the sudden change from the accumulation and deviation of the target value by CUSUM accumulation and algorithm.
3. The clock skew-based intrusion detection method for an in-vehicle network according to claim 2,
the CUSUM cumulative sum algorithm includes:
the average value mu of the accumulated clock offset is updated separately during each step of the estimation of the clock offseteAnd variance of recognition errorμeAndonly when it is satisfiedIs updated, each resulting recognition error e and the upper bound L of the cumulative sum+Lower limit L-Updating is shown in formula (3);
where κ is a parameter reflecting the standard deviation and κ is derived by off-line training by monitoring normal on-board network conditions, if L+Or L-Exceeds the threshold valueLThe suddenly changed values are respectively perceived and reported to have intrusion; the mode threshold for the running sum is 4 or 5.
4. An information data processing terminal for implementing the clock skew-based vehicle network intrusion detection method according to any one of claims 1 to 3.
5. A computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the clock skew-based in-vehicle network intrusion detection method according to any one of claims 1 to 3.
6. A vehicle network intrusion detection system based on clock skew for implementing the vehicle network intrusion detection method based on clock skew of any one of claims 1 to 3, wherein the vehicle network intrusion detection system based on clock skew comprises:
the association rule establishing module is used for mining association modes and association degrees among all ECUs in the vehicle-mounted network, finding some association information of the ECUs, analyzing rules of the association information and establishing association rules;
the accumulated clock skew model building module is used for adding the data with normal established association rules into an accumulated clock skew model of the automobile;
and the intrusion detection module is used for finding an intrusion behavior by comparing related associated data when the ECU receives the message and the message is abnormal.
7. An in-vehicle network change point detection device incorporating the in-vehicle network intrusion detection system based on clock skew of claim 6.
CN201811137466.0A 2018-09-28 2018-09-28 Vehicle-mounted network intrusion detection method and system based on clock skew Active CN109257358B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811137466.0A CN109257358B (en) 2018-09-28 2018-09-28 Vehicle-mounted network intrusion detection method and system based on clock skew

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811137466.0A CN109257358B (en) 2018-09-28 2018-09-28 Vehicle-mounted network intrusion detection method and system based on clock skew

Publications (2)

Publication Number Publication Date
CN109257358A CN109257358A (en) 2019-01-22
CN109257358B true CN109257358B (en) 2020-08-04

Family

ID=65048148

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811137466.0A Active CN109257358B (en) 2018-09-28 2018-09-28 Vehicle-mounted network intrusion detection method and system based on clock skew

Country Status (1)

Country Link
CN (1) CN109257358B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110173627B (en) * 2019-06-03 2020-09-25 山东建筑大学 Solar energy system
CN110752977A (en) * 2019-10-11 2020-02-04 中国海洋大学 Abnormal intrusion detection method and device for CAN bus of Internet of vehicles

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871830A (en) * 2016-03-28 2016-08-17 成都信息工程大学 Firewall of vehicle-mounted information system of automobile
CN106059987A (en) * 2015-04-17 2016-10-26 现代自动车株式会社 In-vehicle network intrusion detection system and method for controlling the same
CN106792681A (en) * 2016-11-28 2017-05-31 北京洋浦伟业科技发展有限公司 For the intrusion detection method and device and equipment of car networking
WO2017173087A2 (en) * 2016-04-01 2017-10-05 The Regents Of The University Of Michigan Fingerprinting electronic control units for vehicle intrusion detection
CN107454117A (en) * 2017-09-30 2017-12-08 中国联合网络通信集团有限公司 The intrusion detection method and system of a kind of car networking
CN108200042A (en) * 2017-12-28 2018-06-22 北京奇虎科技有限公司 A kind of detection method of vehicle safety and vehicle safety management platform
CN108521410A (en) * 2018-03-19 2018-09-11 北京航空航天大学 The security architecture of vehicle-mounted Ethernet

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106059987A (en) * 2015-04-17 2016-10-26 现代自动车株式会社 In-vehicle network intrusion detection system and method for controlling the same
CN105871830A (en) * 2016-03-28 2016-08-17 成都信息工程大学 Firewall of vehicle-mounted information system of automobile
WO2017173087A2 (en) * 2016-04-01 2017-10-05 The Regents Of The University Of Michigan Fingerprinting electronic control units for vehicle intrusion detection
CN106792681A (en) * 2016-11-28 2017-05-31 北京洋浦伟业科技发展有限公司 For the intrusion detection method and device and equipment of car networking
CN107454117A (en) * 2017-09-30 2017-12-08 中国联合网络通信集团有限公司 The intrusion detection method and system of a kind of car networking
CN108200042A (en) * 2017-12-28 2018-06-22 北京奇虎科技有限公司 A kind of detection method of vehicle safety and vehicle safety management platform
CN108521410A (en) * 2018-03-19 2018-09-11 北京航空航天大学 The security architecture of vehicle-mounted Ethernet

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"一种应用于CAN总线的异常检测系统",;张子键等,;《信心安全与通信保密》;20150815(第8期);第92-96页 *

Also Published As

Publication number Publication date
CN109257358A (en) 2019-01-22

Similar Documents

Publication Publication Date Title
EP3393086B1 (en) Security processing method and server
Markovitz et al. Field classification, modeling and anomaly detection in unknown CAN bus networks
US10432645B2 (en) In-vehicle network system, fraud-detection electronic control unit, and fraud-detection method
US9648023B2 (en) Vehicle module update, protection and diagnostics
Kneib et al. Scission: Signal characteristic-based sender identification and intrusion detection in automotive networks
US20170174178A1 (en) Key module
US20190263357A1 (en) Localization And Passive Entry/Passive Start Systems And Methods For Vehicles
US9697355B1 (en) Cyber security for physical systems
US20170093866A1 (en) System and method for controlling access to an in-vehicle communication network
US20180337938A1 (en) Method for protecting a network against a cyberattack
US10104094B2 (en) On-vehicle communication system
KR101365114B1 (en) Method for securely communicating information about the location of a compromised computing device
EP2643985B1 (en) Method and device for fingerprinting of wireless communication devices
Lee et al. OTIDS: A novel intrusion detection system for in-vehicle network by using remote frame
EP2681901B1 (en) Vehicle network system
US9843597B2 (en) Controller area network bus monitor
KR101564901B1 (en) Protocol protection
US9471770B2 (en) Method and control unit for recognizing manipulations on a vehicle network
Palanca et al. A stealth, selective, link-layer denial-of-service attack against automotive networks
US7827610B2 (en) Wireless LAN intrusion detection based on location
US7636942B2 (en) Method and system for detecting denial-of-service attack
Nilsson et al. Simulated attacks on can buses: vehicle virus
Wu et al. A survey of intrusion detection for in-vehicle networks
CN101965573B (en) Method and apparatus for detecting unauthorized access to a computing device and securely communicating information about such unauthorized access
US20150270968A1 (en) Securing electronic control units using message authentication codes

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant