CN110040107A - Vehicle intrusion detection and prediction model training method, device and storage medium - Google Patents


Info

Publication number: CN110040107A
Authority: CN (China)
Prior art keywords: message, fragment, message fragment, adjacent, prediction
Legal status: Pending
Application number: CN201910204167.2A
Other languages: Chinese (zh)
Inventor: 刘焱
Current Assignee: Baidu Online Network Technology Beijing Co Ltd
Original Assignee: Baidu Online Network Technology Beijing Co Ltd

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00: Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/30: Detection related to theft or to other events relevant to anti-theft systems
    • G06F17/5009
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. local area networks [LAN], wide area networks [WAN]
    • H04L12/40: Bus networks
    • H04L12/40006: Architecture of a communication node
    • H04L12/40013: Details regarding a bus controller
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L2012/40208: Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215: Controller Area Network CAN

Abstract

The invention discloses a vehicle intrusion detection method, a prediction model training method, a device and a storage medium. The vehicle intrusion detection method may include: monitoring CAN messages on the CAN bus while the vehicle is running; generating message fragments from the monitored CAN messages, each message fragment containing N consecutive CAN messages, N being a positive integer greater than one; and, for each generated message fragment, using a pre-trained prediction model to predict the next CAN message after the message fragment and determining from the predicted next CAN message whether vehicle intrusion behavior has occurred. The scheme of the invention can improve the accuracy of detection results, among other benefits.

Description

Vehicle intrusion detection and prediction model training method, device and storage medium
[Technical field]
The present invention relates to computer application technology, and in particular to a vehicle intrusion detection method, a prediction model training method, a device and a storage medium.
[Background art]
CAN is the abbreviation of Controller Area Network. The CAN bus protocol has become the standard bus for automotive computer control systems and embedded industrial control local area networks.
Through the CAN bus, the engine, the gearbox and body safety modules such as the anti-lock braking system (ABS) can be controlled, and engine speed, vehicle speed, oil temperature and so on are shared across the whole vehicle. This enables intelligent vehicle control, such as automatically locking the doors at high speed and automatically opening the doors when an airbag deploys.
Vehicle intrusion typically refers to attacking a vehicle by intruding on the CAN bus, for example to control the steering wheel or the brakes, which seriously affects vehicle safety. Vehicle intrusion detection is therefore needed so that vehicle intrusion behavior is discovered in time.
The vehicle intrusion detection approaches in common use today are all based on rules and signatures, that is, on a blacklist. They are easily bypassed and prone to missed detections, so the accuracy of detection results is relatively low, and the cost of maintaining the rules is very high. In addition, the format of CAN messages is usually not published and differs from one automaker to another, so rule- and signature-based intrusion detection scales very poorly and has to be customized separately for each automaker.
[Summary of the invention]
In view of this, the present invention provides a vehicle intrusion detection method, a prediction model training method, a device and a storage medium.
The specific technical solutions are as follows:
A vehicle intrusion detection method, comprising:
monitoring CAN messages on the Controller Area Network (CAN) bus while the vehicle is running;
generating message fragments from the monitored CAN messages, each message fragment containing N consecutive CAN messages, N being a positive integer greater than one;
for each generated message fragment, using a pre-trained prediction model to predict the next CAN message after the message fragment, and determining from the predicted next CAN message after the message fragment whether vehicle intrusion behavior has occurred.
According to a preferred embodiment of the present invention, generating message fragments from the monitored CAN messages includes:
taking every N consecutive monitored CAN messages, in chronological order, as one message fragment, where two successively generated message fragments either overlap or do not overlap.
According to a preferred embodiment of the present invention, overlap between two successively generated message fragments includes:
the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, where the second message fragment is the later-generated of the two successively generated message fragments and the first message fragment is the earlier-generated one;
no overlap between two successively generated message fragments includes:
the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages;
or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are separated by at least one CAN message.
According to a preferred embodiment of the present invention, the prediction model includes: a deep learning model based on a long short-term memory (LSTM) network.
According to a preferred embodiment of the present invention, determining from the predicted next CAN message after the message fragment whether vehicle intrusion behavior has occurred includes:
comparing the difference between the predicted next CAN message after the message fragment and the monitored next CAN message after the message fragment;
if the difference is greater than a predetermined threshold, determining that vehicle intrusion behavior has occurred.
A prediction model training method, comprising:
monitoring CAN messages on the Controller Area Network (CAN) bus during normal operation of the vehicle;
generating message fragments from the monitored CAN messages, each message fragment containing N consecutive CAN messages, N being a positive integer greater than one;
training a prediction model on the generated message fragments and the monitored next CAN message after each message fragment, so that, during vehicle intrusion detection, the prediction model is used to predict the next CAN message after an input message fragment, and whether vehicle intrusion behavior has occurred is determined from the predicted next CAN message.
According to a preferred embodiment of the present invention, generating message fragments from the monitored CAN messages includes:
taking every N consecutive monitored CAN messages, in chronological order, as one message fragment, where two successively generated message fragments either overlap or do not overlap.
According to a preferred embodiment of the present invention, overlap between two successively generated message fragments includes:
the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, where the second message fragment is the later-generated of the two successively generated message fragments and the first message fragment is the earlier-generated one;
no overlap between two successively generated message fragments includes:
the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages;
or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are separated by at least one CAN message.
According to a preferred embodiment of the present invention, the prediction model includes: a deep learning model based on a long short-term memory (LSTM) network.
According to a preferred embodiment of the present invention, training the prediction model on the generated message fragments and the monitored next CAN message after each message fragment includes:
during training, each time a message fragment is input to the prediction model, comparing the difference between the next CAN message after the message fragment as predicted by the prediction model and the monitored next CAN message after the message fragment, and adjusting the model parameters by backpropagation.
A vehicle intrusion detection device, comprising: a first generation unit and an intrusion detection unit;
the first generation unit is configured to monitor CAN messages on the Controller Area Network (CAN) bus while the vehicle is running and to generate message fragments from the monitored CAN messages, each message fragment containing N consecutive CAN messages, N being a positive integer greater than one;
the intrusion detection unit is configured, for each generated message fragment, to use a pre-trained prediction model to predict the next CAN message after the message fragment and to determine from the predicted next CAN message after the message fragment whether vehicle intrusion behavior has occurred.
According to a preferred embodiment of the present invention, the first generation unit takes every N consecutive monitored CAN messages, in chronological order, as one message fragment, where two successively generated message fragments either overlap or do not overlap.
According to a preferred embodiment of the present invention, the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, where the second message fragment is the later-generated of the two successively generated message fragments and the first message fragment is the earlier-generated one;
or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages;
or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are separated by at least one CAN message.
According to a preferred embodiment of the present invention, the prediction model includes: a deep learning model based on a long short-term memory (LSTM) network.
According to a preferred embodiment of the present invention, the intrusion detection unit compares the difference between the predicted next CAN message after the message fragment and the monitored next CAN message after the message fragment; if the difference is greater than a predetermined threshold, it determines that vehicle intrusion behavior has occurred.
A prediction model training device, comprising: a second generation unit and a model training unit;
the second generation unit is configured to monitor CAN messages on the Controller Area Network (CAN) bus during normal operation of the vehicle and to generate message fragments from the monitored CAN messages, each message fragment containing N consecutive CAN messages, N being a positive integer greater than one;
the model training unit is configured to train a prediction model on the generated message fragments and the monitored next CAN message after each message fragment, so that, during vehicle intrusion detection, the prediction model is used to predict the next CAN message after an input message fragment, and whether vehicle intrusion behavior has occurred is determined from the predicted next CAN message.
According to a preferred embodiment of the present invention, the second generation unit takes every N consecutive monitored CAN messages, in chronological order, as one message fragment, where two successively generated message fragments either overlap or do not overlap.
According to a preferred embodiment of the present invention, the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, where the second message fragment is the later-generated of the two successively generated message fragments and the first message fragment is the earlier-generated one;
or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages;
or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are separated by at least one CAN message.
According to a preferred embodiment of the present invention, the prediction model includes: a deep learning model based on a long short-term memory (LSTM) network.
According to a preferred embodiment of the present invention, during training, each time a message fragment is input to the prediction model, the model training unit compares the difference between the next CAN message after the message fragment as predicted by the prediction model and the monitored next CAN message after the message fragment, and adjusts the model parameters by backpropagation.
A computer device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the method described above when executing the program.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the method described above.
As can be seen from the above, with the scheme of the present invention vehicle intrusion detection can be implemented with machine learning, without relying on static rules. This avoids bypasses and missed detections as far as possible and improves the accuracy of detection results; no rules need to be maintained, which reduces implementation cost; and the whole process does not need to parse the CAN message format, so it is applicable to the CAN messages of different automakers and is highly scalable.
[Brief description of the drawings]
Fig. 1 is a flowchart of an embodiment of the prediction model training method of the present invention.
Fig. 2 is a flowchart of an embodiment of the vehicle intrusion detection method of the present invention.
Fig. 3 is a schematic structural diagram of an embodiment of the vehicle intrusion detection device of the present invention.
Fig. 4 is a schematic structural diagram of an embodiment of the prediction model training device of the present invention.
Fig. 5 shows a block diagram of an exemplary computer system/server 12 suitable for implementing embodiments of the present invention.
[Specific embodiments]
To make the technical solution of the present invention clearer, the scheme of the present invention is further described below with reference to the drawings and embodiments.
Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In addition, it should be understood that the term "and/or" herein merely describes an association between associated objects and indicates that three relationships are possible. For example, A and/or B can mean: A alone, both A and B, or B alone. The character "/" herein generally indicates an "or" relationship between the objects before and after it.
The present invention proposes a vehicle intrusion detection method that monitors CAN messages on the CAN bus while the vehicle is running and generates message fragments from the monitored CAN messages, each message fragment containing N consecutive CAN messages, N being a positive integer greater than one. For each generated message fragment, a pre-trained prediction model is used to predict the next CAN message after the message fragment, and whether vehicle intrusion behavior has occurred is then determined from the predicted next CAN message after the message fragment.
It can be seen that, to implement the vehicle intrusion detection method of the present invention, a prediction model must first be trained.
Fig. 1 is a flowchart of an embodiment of the prediction model training method of the present invention. As shown in Fig. 1, it includes the following specific implementation.
In 101, CAN messages on the CAN bus are monitored during normal operation of the vehicle.
In 102, message fragments are generated from the monitored CAN messages, each message fragment containing N consecutive CAN messages, N being a positive integer greater than one.
In 103, a prediction model is trained on the generated message fragments and the monitored next CAN message after each message fragment, so that, during vehicle intrusion detection, the prediction model is used to predict the next CAN message after an input message fragment, and whether vehicle intrusion behavior has occurred is determined from the predicted next CAN message.
In machine learning, anomaly detection algorithms are commonly used: a model of normal behavior (a "white model") is learned from normal samples and is then used to detect anomalies, and behavior that deviates from the white model by more than a certain threshold can be judged abnormal. A fairly typical anomaly recognition model is a deep learning model based on a long short-term memory (LSTM) network, and the prediction model in the scheme of the present invention may be a deep learning model based on LSTM.
LSTM is a recurrent neural network for time series, suited to processing and predicting important events separated by relatively long intervals and delays in a time series. LSTM has many applications in science and technology; LSTM-based systems can perform tasks such as controlling robots, image analysis, document summarization, speech recognition, image recognition, handwriting recognition, disease prediction and music composition.
To train the LSTM-based deep learning model, CAN messages on the CAN bus can be monitored during normal operation of the vehicle, and every N consecutive monitored CAN messages can be taken, in chronological order, as one message fragment, where two successively generated message fragments either overlap or do not overlap.
N is a positive integer greater than one whose specific value can be determined according to actual needs. Preferably, N is 10, that is, every 10 consecutive CAN messages, in chronological order, are taken as one message fragment.
Overlap between two successively generated message fragments may include: the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, where the second message fragment is the later-generated of the two successively generated message fragments and the first message fragment is the earlier-generated one.
For example, number the first monitored CAN message as CAN message 1, the second as CAN message 2, the third as CAN message 3, and so on. Then CAN messages 1 to 10, CAN messages 2 to 11, CAN messages 3 to 12 and so on can each be taken as a message fragment; alternatively, CAN messages 1 to 10, CAN messages 3 to 12, CAN messages 5 to 14 and so on can each be taken as a message fragment.
The number of CAN messages in the second message fragment that overlap the first message fragment is not limited and can be determined according to actual needs.
No overlap between two successively generated message fragments may include: the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages.
For example, with the monitored CAN messages numbered as above, CAN messages 1 to 10, CAN messages 11 to 20, CAN messages 21 to 30 and so on can each be taken as a message fragment.
No overlap between two successively generated message fragments may also include: the first CAN message in the second message fragment and the last CAN message in the first message fragment are separated by at least one CAN message; the specific number of CAN messages in the gap can be determined according to actual needs.
For example, with the monitored CAN messages numbered as above, CAN messages 1 to 10, CAN messages 13 to 22, CAN messages 25 to 34 and so on can each be taken as a message fragment.
The prediction model can be trained on the message fragments generated in this way and the monitored next CAN message after each message fragment. For example, if a message fragment consists of CAN messages 11 to 20, the next CAN message after it is CAN message 21. As another example, if a message fragment consists of CAN messages 5 to 14, the next CAN message after it is CAN message 15.
During training, each time a message fragment is input to the LSTM-based deep learning model, the difference between the next CAN message after the message fragment as predicted by the model and the monitored next CAN message after the message fragment is compared and, under the action of the optimizer, the model parameters are adjusted by backpropagation, which achieves the purpose of training the model. By monitoring the CAN messages generated during normal vehicle operation over a long period, a white model is trained based on LSTM.
A CAN message is usually 8 bytes and can be parsed into two parts, an instruction and its parameter. For example, the CAN message "accelerate to 60 kilometers" can be parsed into the instruction "accelerate" and the parameter "60". However, because the format of CAN messages is usually not public and differs from one automaker to another, it is difficult to parse the CAN messages of different automakers accurately.
In this embodiment, CAN messages do not need to be parsed: the message fragments generated from the CAN messages can be used directly as input to the LSTM-based deep learning model, and the output of the model is the predicted next CAN message after the input message fragment.
Since a CAN message is 8 bytes, the input of the LSTM-based deep learning model has size 8N (N being the number of CAN messages in a message fragment) and the output has size 8.
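The fragment generation and the 8N input layout described above can be written as follows. This is an added example, not code from the patent: the function names, the `step` parameter (the distance between the starts of two successive fragments) and the zero-padding of payloads shorter than 8 bytes are assumptions made for illustration.

```python
CAN_PAYLOAD_LEN = 8  # the page treats a CAN message as 8 raw, unparsed bytes


def layout(n, step):
    """Name the relation between two successively generated fragments."""
    if step < n:
        return "overlap"   # second fragment starts inside the first one
    if step == n:
        return "adjacent"  # second fragment starts right after the first
    return "gap"           # at least one message lies between the fragments


def make_fragments(messages, n, step):
    """Return (fragment, next_message) pairs in chronological order.

    messages: monitored CAN messages, oldest first
    n:        messages per fragment (N in the text, greater than one)
    step:     hypothetical parameter: start of fragment k+1 minus start of
              fragment k; 1..n-1 overlaps, n is adjacent, more than n is a gap
    """
    if n <= 1:
        raise ValueError("N must be an integer greater than one")
    if step < 1:
        raise ValueError("step must be at least 1")
    pairs = []
    # A fragment is usable as a training sample only if the message that
    # follows it was captured too, hence the bound len(messages) - n.
    for start in range(0, len(messages) - n, step):
        fragment = list(messages[start:start + n])
        pairs.append((fragment, messages[start + n]))
    return pairs


def to_model_input(fragment):
    """Flatten a fragment of byte payloads into the 8N-long input vector."""
    vector = []
    for payload in fragment:
        if len(payload) > CAN_PAYLOAD_LEN:
            raise ValueError("payload longer than 8 bytes")
        # Assumption: payloads shorter than 8 bytes are zero-padded so that
        # every message occupies exactly 8 positions of the input.
        vector.extend(payload.ljust(CAN_PAYLOAD_LEN, b"\x00"))
    return vector


if __name__ == "__main__":
    numbered = list(range(1, 41))  # stand-ins for CAN message 1 .. 40
    for step in (1, 2, 10, 12):
        spans = [(f[0], f[-1], nxt) for f, nxt in make_fragments(numbered, 10, step)]
        print(step, layout(10, step), spans[:3])
```

With N = 10, `step` values of 1, 2, 10 and 12 reproduce the four numbered examples in the text.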
Once the LSTM-based deep learning model has been trained, it can be used to perform online vehicle intrusion detection.
Fig. 2 is a flowchart of an embodiment of the vehicle intrusion detection method of the present invention. As shown in Fig. 2, it includes the following specific implementation.
In 201, CAN messages on the CAN bus are monitored while the vehicle is running.
In 202, message fragments are generated from the monitored CAN messages, each message fragment containing N consecutive CAN messages, N being a positive integer greater than one.
In 203, for each generated message fragment, a pre-trained prediction model is used to predict the next CAN message after the message fragment, and whether vehicle intrusion behavior has occurred is determined from the predicted next CAN message after the message fragment.
Preferably, the prediction model may be a deep learning model based on LSTM.
To implement vehicle intrusion detection, CAN messages on the CAN bus can be monitored while the vehicle is running, and every N consecutive monitored CAN messages can be taken, in chronological order, as one message fragment, where two successively generated message fragments either overlap or do not overlap.
N is a positive integer greater than one whose specific value can be determined according to actual needs. Preferably, N is 10, that is, every 10 consecutive CAN messages, in chronological order, are taken as one message fragment.
Overlap between two successively generated message fragments may include: the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, where the second message fragment is the later-generated of the two successively generated message fragments and the first message fragment is the earlier-generated one.
No overlap between two successively generated message fragments may include: the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages; or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are separated by at least one CAN message.
Each message fragment can be used as input to the LSTM-based deep learning model, and the model's output is the predicted next CAN message after the message fragment; whether vehicle intrusion behavior has occurred can then be determined from the predicted next CAN message after the message fragment.
Specifically, the difference between the predicted next CAN message after the message fragment (the predicted value) and the monitored next CAN message after the message fragment (the true value) can be compared; if the difference is greater than a predetermined threshold, it can be determined that vehicle intrusion behavior has occurred.
For example, the Euclidean distance between the predicted next CAN message after the message fragment and the monitored next CAN message after the message fragment can be calculated; if the distance is greater than the threshold, it can be determined that vehicle intrusion behavior has occurred. The specific value of the threshold can be determined according to actual needs.
Once an anomaly is detected for any message fragment, that is, once the difference between the predicted next CAN message after the message fragment and the monitored next CAN message after the message fragment is greater than the threshold, it can be determined that vehicle intrusion behavior has occurred, and it can be reported to the relevant personnel for handling.
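A sketch of the detection step described above, as an added example rather than code from the patent: a nearest-neighbour lookup (`NearestFragmentPredictor`, a stand-in for the LSTM model) predicts the next message, and the Euclidean distance to the monitored message is compared with a threshold. The traffic, the forged payload, the margin-based threshold calibration and all names are assumptions made for illustration.

```python
import math
import random

N = 10  # messages per fragment, the value the page prefers


def flatten(fragment):
    """Concatenate the 8-byte payloads of a fragment into one 8N vector."""
    return tuple(b for payload in fragment for b in payload)


class NearestFragmentPredictor:
    """Stand-in for the LSTM: remembers (fragment, next message) pairs from
    normal traffic and answers with the successor of the closest fragment."""

    def __init__(self, n=N):
        self.n = n
        self.memory = []

    def fit(self, messages):
        for k in range(self.n, len(messages)):
            self.memory.append((flatten(messages[k - self.n:k]), messages[k]))

    def predict(self, fragment):
        x = flatten(fragment)
        _, successor = min(self.memory, key=lambda pair: math.dist(pair[0], x))
        return successor


def residuals(messages, predictor):
    """(index, distance between predicted and monitored message) per index."""
    n = predictor.n
    return [(k, math.dist(predictor.predict(messages[k - n:k]), messages[k]))
            for k in range(n, len(messages))]


def calibrate_threshold(clean_messages, predictor, margin):
    """Assumed policy: largest residual on held-out normal traffic + margin."""
    return max(d for _, d in residuals(clean_messages, predictor)) + margin


def detect(messages, predictor, threshold):
    """Indices of monitored messages that differ too much from the prediction."""
    return [k for k, d in residuals(messages, predictor) if d > threshold]


def make_traffic(count, rng):
    """Constructed normal traffic: three payloads in a fixed cycle, one of
    them carrying a slightly noisy byte."""
    kinds = [
        lambda: (0x10, 60 + rng.randint(-2, 2), 0, 0, 0, 0, 0, 0),
        lambda: (0x20, 0, 0x80, 0, 0, 0, 0, 0),
        lambda: (0x30, 0, 0, 0xC0, 0, 0, 0, 0),
    ]
    return [kinds[i % 3]() for i in range(count)]


def demo():
    rng = random.Random(7)
    predictor = NearestFragmentPredictor()
    predictor.fit(make_traffic(300, rng))            # normal operation only
    threshold = calibrate_threshold(make_traffic(150, rng), predictor, 8.0)
    clean = make_traffic(120, rng)
    injected_at = 60
    forged = (0xFF,) * 8                             # constructed forged payload
    attacked = clean[:injected_at] + [forged] + clean[injected_at:]
    # The forged message also sits inside the next N fragments, so the
    # predictions made from those fragments can raise follow-on alerts.
    return (threshold, detect(clean, predictor, threshold),
            detect(attacked, predictor, threshold), injected_at)


if __name__ == "__main__":
    print(demo())
```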
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention certain steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
In short, with the scheme described in the method embodiments of the present invention, vehicle intrusion detection can be realized based on machine learning without relying on static rules, which avoids bypasses and missed detections as far as possible and makes it possible to find attack behavior that falls outside the rules, improving the accuracy of the detection results. There are no rules to maintain, which reduces the implementation cost. Furthermore, the whole process does not need to parse the CAN message format, so the scheme is applicable to the CAN messages of different vehicle manufacturers and has strong scalability.
The above is a description of the method embodiments. The scheme of the present invention is further described below through device embodiments.
Fig. 3 is a schematic diagram of the structure of an embodiment of the vehicle intrusion detection device of the present invention. As shown in Fig. 3, it comprises a first generation unit 301 and an intrusion detection unit 302.
The first generation unit 301 is configured to monitor the CAN messages on the CAN bus during vehicle operation and to generate message fragments from the monitored CAN messages, where each message fragment includes N consecutive CAN messages and N is a positive integer greater than one.
The intrusion detection unit 302 is configured to, for each message fragment generated, use a prediction model obtained by training in advance to predict the next CAN message after the message fragment, and to determine from the predicted next CAN message after the message fragment whether a vehicle intrusion has occurred.
Preferably, the prediction model may be an LSTM-based deep learning model.
To realize vehicle intrusion detection, the first generation unit 301 can, in chronological order of arrival, take every N consecutive monitored CAN messages as one message fragment, where two successively generated message fragments either overlap or do not overlap. N is a positive integer greater than one whose specific value can be determined according to actual needs; preferably, the value of N can be 10, in which case every 10 consecutive CAN messages, in chronological order, are taken as one message fragment.
Overlap between two successively generated message fragments may include: the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, where the second message fragment is the later-generated one of the two successively generated message fragments and the first message fragment is the earlier-generated one.
No overlap between two successively generated message fragments may include: the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages; or, at least one CAN message lies between the first CAN message in the second message fragment and the last CAN message in the first message fragment.
The intrusion detection unit 302 can use each message fragment as the input of the LSTM-based deep learning model and obtain the output of the model, which gives the predicted next CAN message after that message fragment; whether a vehicle intrusion has occurred can then be determined from the predicted next CAN message after the message fragment.
Specifically, the intrusion detection unit 302 can compare the predicted next CAN message after the message fragment with the monitored next CAN message after the message fragment; if the difference is greater than a predetermined threshold, a vehicle intrusion can be determined to have occurred. For example, the Euclidean distance between the predicted next CAN message after the message fragment and the monitored next CAN message after the message fragment can be calculated; if the distance is greater than a threshold, a vehicle intrusion can be determined to have occurred. The specific value of the threshold can be determined according to actual needs.
Fig. 4 is a schematic diagram of the structure of an embodiment of the prediction model training device of the present invention. As shown in Fig. 4, it comprises a second generation unit 401 and a model training unit 402.
The second generation unit 401 is configured to monitor the CAN messages on the CAN bus during normal operation of the vehicle and to generate message fragments from the monitored CAN messages, where each message fragment includes N consecutive CAN messages and N is a positive integer greater than one.
The model training unit 402 is configured to train a prediction model on the generated message fragments and the monitored next CAN message after each message fragment, so that during vehicle intrusion detection the prediction model is used to predict the next CAN message after an input message fragment and whether a vehicle intrusion has occurred is determined from the predicted next CAN message.
Preferably, the prediction model may be a deep learning model based on a long short-term memory (LSTM) network.
To train the LSTM-based deep learning model, the second generation unit 401 can monitor the CAN messages on the CAN bus during normal operation of the vehicle and, in chronological order of arrival, take every N consecutive monitored CAN messages as one message fragment, where two successively generated message fragments either overlap or do not overlap. N is a positive integer greater than one whose specific value can be determined according to actual needs; preferably, the value of N can be 10, in which case every 10 consecutive CAN messages, in chronological order, are taken as one message fragment.
Overlap between two successively generated message fragments may include: the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, where the second message fragment is the later-generated one of the two successively generated message fragments and the first message fragment is the earlier-generated one.
No overlap between two successively generated message fragments may include: the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages; or, at least one CAN message lies between the first CAN message in the second message fragment and the last CAN message in the first message fragment, where the specific number of CAN messages in between can be determined according to actual needs.
The model training unit 402 can train the LSTM-based deep learning model on the generated message fragments and the monitored next CAN message after each message fragment. During training, each time a message fragment is input to the LSTM-based deep learning model, the next CAN message after the message fragment predicted by the model is compared with the monitored next CAN message after the message fragment, and the difference is back-propagated to adjust the model parameters.
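The fragment generation described for units 301 and 401 and the distance check described for unit 302, as an added Python example that is not part of the patent. The `stride` parameter, the raw-byte encoding of a frame, the threshold value, the sample frames and the `SuccessorTable` predictor (a simple stand-in used here in place of the LSTM model) are all assumptions made for illustration.

```python
import math

N = 10            # messages per fragment; the patent's preferred value
THRESHOLD = 16.0  # assumed value; the patent leaves it to the deployment


def to_vector(frame):
    """Use the raw frame bytes as features, with no CAN signal parsing."""
    return [float(b) for b in frame]


def make_fragments(messages, n=N, stride=1):
    """Yield (next_index, fragment, next_message) in arrival order.

    stride < n  : successive fragments overlap
    stride == n : the second fragment starts right after the first ends
    stride > n  : at least one message lies between the two fragments
    """
    if n < 2 or stride < 1:
        raise ValueError("n must be greater than one and stride at least 1")
    # Stop early enough that every fragment has an observed successor.
    for start in range(0, len(messages) - n, stride):
        yield start + n, messages[start:start + n], messages[start + n]


def _add(a, b):
    return [x + y for x, y in zip(a, b)]


class SuccessorTable:
    """Stand-in for the LSTM model (an assumption, not the patent's model):
    predicts the mean successor seen after a fragment's final message."""

    def fit(self, messages, n=N, stride=1):
        sums, counts, total, pairs = {}, {}, None, 0
        for _, fragment, nxt in make_fragments(messages, n, stride):
            vec, key = to_vector(nxt), fragment[-1]
            zero = [0.0] * len(vec)
            sums[key] = _add(sums.get(key, zero), vec)
            counts[key] = counts.get(key, 0) + 1
            total = _add(total or zero, vec)
            pairs += 1
        if pairs == 0:
            raise ValueError("need more than n messages of normal traffic")
        self.table = {k: [s / counts[k] for s in sums[k]] for k in sums}
        self.default = [t / pairs for t in total]  # used for unseen context
        return self

    def predict(self, fragment):
        return self.table.get(fragment[-1], self.default)


def detect(messages, model, n=N, stride=1, threshold=THRESHOLD):
    """Return (index, distance) for each checked message whose Euclidean
    distance from the predicted message exceeds the threshold."""
    alerts = []
    for idx, fragment, nxt in make_fragments(messages, n, stride):
        distance = math.dist(model.predict(fragment), to_vector(nxt))
        if distance > threshold:
            alerts.append((idx, round(distance, 2)))
    return alerts


# Constructed sample frames: 2-byte identifier followed by 8 data bytes.
A = bytes.fromhex("01000000000000000000")
B = bytes.fromhex("02001010000000000000")
C = bytes.fromhex("03000000202000000000")
X = bytes.fromhex("0200ffff000000000000")  # constructed out-of-pattern frame
NORMAL = [A, B, C] * 20                        # constructed normal traffic
SUSPECT = NORMAL[:20] + [X] + NORMAL[20:40]    # X sits at index 20

if __name__ == "__main__":
    model = SuccessorTable().fit(NORMAL)
    print("normal :", detect(NORMAL, model))
    print("suspect:", detect(SUSPECT, model))
```

Each fragment yields exactly one prediction, so a stride greater than 1 leaves the messages between checked positions uncompared: on this constructed data `detect(SUSPECT, model, stride=7)` returns no alerts. The second alert at index 21 comes from the stand-in falling back to its default prediction for a context it never saw in training.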
For the specific workflow of the device embodiments shown in Fig. 3 and Fig. 4, refer to the related description in the foregoing method embodiments, which is not repeated here. In practical applications, the devices shown in Fig. 3 and Fig. 4 may each be an independent device or may be combined into one device.
In short, with the scheme described in the device embodiments of the present invention, vehicle intrusion detection can be realized based on machine learning without relying on static rules, which avoids bypasses and missed detections as far as possible and makes it possible to find attack behavior that falls outside the rules, improving the accuracy of the detection results. There are no rules to maintain, which reduces the implementation cost. Furthermore, the whole process does not need to parse the CAN message format, so the scheme is applicable to the CAN messages of different vehicle manufacturers and has strong scalability.
Fig. 5 shows a block diagram of an exemplary computer system/server 12 suitable for implementing embodiments of the present invention. The computer system/server 12 shown in Fig. 5 is only an example and should not impose any limitation on the function or scope of use of the embodiments of the present invention.
As shown in Fig. 5, the computer system/server 12 takes the form of a general-purpose computing device. The components of the computer system/server 12 may include, but are not limited to: one or more processors (processing units) 16, a memory 28, and a bus 18 connecting the different system components (including the memory 28 and the processor 16).
The bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus structures. For example, these architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MAC) bus, the Enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
The computer system/server 12 typically includes a variety of computer-system-readable media. These media can be any available media that can be accessed by the computer system/server 12, including volatile and non-volatile media and removable and non-removable media.
The memory 28 may include computer-system-readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache memory 32. The computer system/server 12 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, a storage system 34 can be used to read from and write to a non-removable, non-volatile magnetic medium (not shown in Fig. 5, commonly called a "hard disk drive"). Although not shown in Fig. 5, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (such as a "floppy disk") and an optical disc drive for reading from and writing to a removable non-volatile optical disc (such as a CD-ROM, DVD-ROM or other optical medium) can be provided. In these cases, each drive can be connected to the bus 18 through one or more data media interfaces. The memory 28 may include at least one program product having a set of (for example, at least one) program modules configured to perform the functions of the embodiments of the present invention.
A program/utility 40 having a set of (at least one) program modules 42 can be stored, for example, in the memory 28. Such program modules 42 include, but are not limited to, an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment. The program modules 42 generally perform the functions and/or methods of the embodiments described in the present invention.
The computer system/server 12 can also communicate with one or more external devices 14 (such as a keyboard, a pointing device, a display 24, etc.), with one or more devices that enable a user to interact with the computer system/server 12, and/or with any device (such as a network card, a modem, etc.) that enables the computer system/server 12 to communicate with one or more other computing devices. This communication can take place through an input/output (I/O) interface 22. The computer system/server 12 can also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 20. As shown in Fig. 5, the network adapter 20 communicates with the other modules of the computer system/server 12 through the bus 18. It should be understood that, although not shown in the figure, other hardware and/or software modules can be used in conjunction with the computer system/server 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
The processor 16 executes various functional applications and data processing by running programs stored in the memory 28, for example implementing the method in the embodiment shown in Fig. 1 or Fig. 2.
The present invention discloses a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the method in the embodiment shown in Fig. 1 or Fig. 2.
Any combination of one or more computer-readable media can be used. A computer-readable medium can be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium can be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection with one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In this document, a computer-readable storage medium can be any tangible medium that contains or stores a program, where the program can be used by or in connection with an instruction execution system, apparatus or device.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, in which computer-readable program code is carried. Such a propagated data signal can take various forms, including, but not limited to, an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
The program code contained on a computer-readable medium can be transmitted over any suitable medium, including, but not limited to, wireless, wire, optical cable, RF, etc., or any suitable combination of the above.
Computer program code for carrying out the operations of the present invention can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code can execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, the remote computer can be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computer (for example, through the Internet using an Internet service provider).
In the several embodiments provided by the present invention, it should be understood that the disclosed devices, methods and so on can be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in an actual implementation.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the scheme of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
An integrated unit implemented in the form of a software functional unit can be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that cause a computer device (which can be a personal computer, a server, a network device, etc.) or a processor to execute some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (22)

1. A vehicle intrusion detection method, characterized by comprising:
monitoring CAN messages on a controller area network (CAN) bus during vehicle operation;
generating message fragments from the monitored CAN messages, each message fragment including N consecutive CAN messages, N being a positive integer greater than one;
for each message fragment generated, predicting the next CAN message after the message fragment using a prediction model obtained by training in advance, and determining from the predicted next CAN message after the message fragment whether a vehicle intrusion has occurred.
2. The method according to claim 1, characterized in that
generating message fragments from the monitored CAN messages comprises:
in chronological order of arrival, taking every N consecutive monitored CAN messages as one message fragment, wherein two successively generated message fragments overlap, or two successively generated message fragments do not overlap.
3. The method according to claim 2, characterized in that
overlap between two successively generated message fragments comprises:
the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, wherein the second message fragment is the later-generated message fragment of the two successively generated message fragments, and the first message fragment is the earlier-generated message fragment of the two successively generated message fragments;
no overlap between two successively generated message fragments comprises:
the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages;
or, at least one CAN message lies between the first CAN message in the second message fragment and the last CAN message in the first message fragment.
4. The method according to claim 1, characterized in that
the prediction model comprises: a deep learning model based on a long short-term memory (LSTM) network.
5. The method according to claim 1, characterized in that
determining from the predicted next CAN message after the message fragment whether a vehicle intrusion has occurred comprises:
comparing the predicted next CAN message after the message fragment with the monitored next CAN message after the message fragment to obtain the difference between them;
if the difference is greater than a predetermined threshold, determining that a vehicle intrusion has occurred.
6. A prediction model training method, characterized by comprising:
monitoring CAN messages on a controller area network (CAN) bus during normal operation of a vehicle;
generating message fragments from the monitored CAN messages, each message fragment including N consecutive CAN messages, N being a positive integer greater than one;
training a prediction model on the generated message fragments and the monitored next CAN message after each message fragment, so that during vehicle intrusion detection the prediction model is used to predict the next CAN message after an input message fragment and whether a vehicle intrusion has occurred is determined from the predicted next CAN message.
7. The method according to claim 6, characterized in that
generating message fragments from the monitored CAN messages comprises:
in chronological order of arrival, taking every N consecutive monitored CAN messages as one message fragment, wherein two successively generated message fragments overlap, or two successively generated message fragments do not overlap.
8. The method according to claim 7, characterized in that
overlap between two successively generated message fragments comprises:
the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, wherein the second message fragment is the later-generated message fragment of the two successively generated message fragments, and the first message fragment is the earlier-generated message fragment of the two successively generated message fragments;
no overlap between two successively generated message fragments comprises:
the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages;
or, at least one CAN message lies between the first CAN message in the second message fragment and the last CAN message in the first message fragment.
9. The method according to claim 6, characterized in that
the prediction model comprises: a deep learning model based on a long short-term memory (LSTM) network.
10. The method according to claim 6, characterized in that
training the prediction model on the generated message fragments and the monitored next CAN message after each message fragment comprises:
during training, each time a message fragment is input to the prediction model, comparing the next CAN message after the message fragment predicted by the prediction model with the monitored next CAN message after the message fragment, and back-propagating the difference to adjust the model parameters.
11. A vehicle intrusion detection device, characterized by comprising: a first generation unit and an intrusion detection unit;
the first generation unit is configured to monitor CAN messages on a controller area network (CAN) bus during vehicle operation and to generate message fragments from the monitored CAN messages, each message fragment including N consecutive CAN messages, N being a positive integer greater than one;
the intrusion detection unit is configured to, for each message fragment generated, predict the next CAN message after the message fragment using a prediction model obtained by training in advance, and to determine from the predicted next CAN message after the message fragment whether a vehicle intrusion has occurred.
12. The device according to claim 11, characterized in that
the first generation unit, in chronological order of arrival, takes every N consecutive monitored CAN messages as one message fragment, wherein two successively generated message fragments overlap, or two successively generated message fragments do not overlap.
13. The device according to claim 12, characterized in that
the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, wherein the second message fragment is the later-generated message fragment of the two successively generated message fragments, and the first message fragment is the earlier-generated message fragment of the two successively generated message fragments;
or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages;
or, at least one CAN message lies between the first CAN message in the second message fragment and the last CAN message in the first message fragment.
14. The device according to claim 11, characterized in that
the prediction model comprises: a deep learning model based on a long short-term memory (LSTM) network.
15. The device according to claim 11, characterized in that
the intrusion detection unit compares the predicted next CAN message after the message fragment with the monitored next CAN message after the message fragment to obtain the difference between them, and if the difference is greater than a predetermined threshold, determines that a vehicle intrusion has occurred.
16. A prediction model training device, characterized by comprising: a second generation unit and a model training unit;
the second generation unit is configured to monitor CAN messages on a controller area network (CAN) bus during normal operation of a vehicle and to generate message fragments from the monitored CAN messages, each message fragment including N consecutive CAN messages, N being a positive integer greater than one;
the model training unit is configured to train a prediction model on the generated message fragments and the monitored next CAN message after each message fragment, so that during vehicle intrusion detection the prediction model is used to predict the next CAN message after an input message fragment and whether a vehicle intrusion has occurred is determined from the predicted next CAN message.
17. The device according to claim 16, characterized in that
the second generation unit, in chronological order of arrival, takes every N consecutive monitored CAN messages as one message fragment, wherein two successively generated message fragments overlap, or two successively generated message fragments do not overlap.
18. The device according to claim 17, characterized in that
the first CAN message in the second message fragment is any CAN message in the first message fragment other than its first CAN message, wherein the second message fragment is the later-generated message fragment of the two successively generated message fragments, and the first message fragment is the earlier-generated message fragment of the two successively generated message fragments;
or, the first CAN message in the second message fragment and the last CAN message in the first message fragment are adjacent CAN messages;
or, at least one CAN message lies between the first CAN message in the second message fragment and the last CAN message in the first message fragment.
19. The device according to claim 16, characterized in that
the prediction model comprises: a deep learning model based on a long short-term memory (LSTM) network.
20. The device according to claim 16, characterized in that
the model training unit, during training, each time a message fragment is input to the prediction model, compares the next CAN message after the message fragment predicted by the prediction model with the monitored next CAN message after the message fragment, and back-propagates the difference to adjust the model parameters.
21. A computer device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the program, implements the method according to any one of claims 1 to 10.
22. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1 to 10.
CN201910204167.2A 2019-03-18 2019-03-18 Vehicle intrusion detection and prediction model training method, device and storage medium Pending CN110040107A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910204167.2A CN110040107A (en) 2019-03-18 2019-03-18 Vehicle intrusion detection and prediction model training method, device and storage medium

Publications (1)

Publication Number Publication Date
CN110040107A true CN110040107A (en) 2019-07-23

Similar Documents

Publication Publication Date Title
CN107223332B (en) Audio visual scene analysis based on acoustic camera
Zhang et al. Deep learning algorithms for bearing fault diagnostics—A comprehensive review
EP3239884A1 (en) Domain level threat detection for industrial asset control system
US10757114B2 (en) Systems and methods for detection of malicious activity in vehicle data communication networks
CN106168541B (en) Automobile, diagnostic system and the method for generating vehicle diagnosis data
US20190079725A1 (en) Stream-processing data
WO2018121675A1 (en) Vehicle attack detection method and device
Chen et al. Real-time detection of anomalous taxi trajectories from GPS traces
CN104908688B (en) The method and device of vehicle active noise reduction
CN105511944B (en) A kind of method for detecting abnormality of cloud system internal virtual machine
US9392431B2 (en) Automatic vehicle crash detection using onboard devices
Alheeti et al. An intrusion detection system against black hole attacks on the communication network of self-driving cars
US7471999B2 (en) Vehicle information-communication method, vehicle information-communication system, vehicle and control center
Müter et al. A structured approach to anomaly detection for in-vehicle networks
US10824720B2 (en) Security system and methods for identification of in-vehicle attack originator
Meng et al. A survey on machine learning for data fusion
Vu et al. Automatic video interpretation: A novel algorithm for temporal scenario recognition
JP2015501459A (en) Computing platform for the development and deployment of sensor-driven vehicle telemetry applications and services
US8954340B2 (en) Risk evaluation based on vehicle operator behavior
KR20160095856A (en) System and method for detecting intrusion intelligently based on automatic detection of new attack type and update of attack type
JP2006190248A (en) Vehicular software robot with sensitivity board
CN105045788A (en) Method of processing and analysing vehicle driving big data and system thereof
US9843594B1 (en) Systems and methods for detecting anomalous messages in automobile networks
US7711462B2 (en) Vehicle help system and method
Castignani et al. Driver behavior profiling using smartphones

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination