CN110691104A - Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics - Google Patents

Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics Download PDF

Info

Publication number
CN110691104A
CN110691104A CN201911096398.2A CN201911096398A CN110691104A CN 110691104 A CN110691104 A CN 110691104A CN 201911096398 A CN201911096398 A CN 201911096398A CN 110691104 A CN110691104 A CN 110691104A
Authority
CN
China
Prior art keywords
message
attack
threshold value
vehicle
max
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911096398.2A
Other languages
Chinese (zh)
Other versions
CN110691104B (en
Inventor
李中伟
姜文淇
谭凯
关亚东
金显吉
佟为明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Institute of Technology
Original Assignee
Harbin Institute of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin Institute of Technology filed Critical Harbin Institute of Technology
Priority to CN201911096398.2A priority Critical patent/CN110691104B/en
Publication of CN110691104A publication Critical patent/CN110691104A/en
Application granted granted Critical
Publication of CN110691104B publication Critical patent/CN110691104B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215Controller Area Network CAN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40267Bus for use in transportation systems
    • H04L2012/40273Bus for use in transportation systems the transportation system being a vehicle

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a self-adaptive intrusion detection algorithm of a vehicle-mounted CAN bus based on message periodic characteristics, which comprises the following overall implementation flow: first, the detecting node receives the identifier IDjThe message receiving time is recorded, n receiving periods are calculated, the mean value and the maximum value of the receiving periods are calculated, and an intrusion detection threshold value is determined; in order to prevent false alarm, a small amount of time margin is additionally added when a detection threshold value is set. Then receives the identifier IDjThe time interval between two adjacent messages is calculated, and if the time interval exceeds a set threshold value, an alarm is sent out. The method CAN detect whether the CAN bus in the vehicle is abnormally invaded or not and give early warning, thereby improving the safety of the vehicle in the driving process. The method of the invention optimizes the detection threshold value in the existing literature and formulates the determination rule of the detection threshold value, thereby further improving the detection precision and effectively detecting the CAN bus messageInjection type attacks and interrupt type attacks.

Description

Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics
Technical Field
The invention relates to a vehicle intrusion detection method, in particular to a vehicle-mounted CAN bus self-adaptive intrusion detection method based on message periodic characteristics.
Background
In recent years, vehicles have been developed to be intelligent and networked, and more Electronic Control Units (ECUs) are installed inside the vehicles to replace original mechanical structures. With the increase of interfaces for external communication, the networked automobile also introduces potential network security threats. An ECU installed in a vehicle may be remotely intruded through a network, and such intrusion may cause a malfunction of the vehicle, thereby threatening the life safety of a driver or passengers. How to avoid or alleviate these network security threats is a preoccupation in the development of the existing intelligent internet technology.
Unlike the conventional network security intrusion detection algorithm, the vehicle intrusion detection algorithm needs to use a lightweight detection algorithm due to the limitation of the computing capability of the electronic device ECU. And the real-time performance requirement of the in-vehicle network on detection is higher.
Unlike the conventional network security intrusion detection algorithm, the vehicle intrusion detection algorithm needs to use a lightweight detection algorithm due to the limitation of the computing capability of the electronic device ECU.
Disclosure of Invention
As most CAN messages in the vehicle are periodic messages, the invention mainly aims at the attack and intrusion detection of the periodic messages and provides a vehicle-mounted CAN bus self-adaptive intrusion detection method based on the periodic characteristics of the messages. The method is a lightweight intrusion detection algorithm aiming at a vehicle-mounted network, and solves the problem of limited calculation capacity of an ECU (electronic control unit) of equipment.
The purpose of the invention is realized by the following technical scheme:
a self-adaptive intrusion detection method of a vehicle-mounted CAN bus based on message periodic characteristics comprises the following steps:
step one, threshold value calibration:
first, receiving an identifier IDjAnd recording the message receiving time;
second, calculating message receiving period Ti
Third, calculating TiMaximum and average values of (1)max,Tmean
The fourth step, calculate TiIs different from the maximum by a value psimax=Tmax-Tmean
The fifth step, judge TiWhether or not the average value of (d) is greater than 3 ΨmaxIf yes, setting the threshold value mu of the injection type message attack as
Figure BDA0002268461870000021
Otherwise, the threshold value of the injection type message attack is set to be mu < T-psimax
Sixthly, setting the threshold lambda of the interrupt message attack as lambda ═ psimax+Tmean
Seventhly, adding a small amount of time margin to fine tune mu and lambda, and performing fine tuning by taking 5% of the time margin, wherein the fine tuned values mu 'and lambda' are as follows: μ '═ μ · (1-5%), λ' ═ λ · (1+ 5%);
step two, abnormality detection:
a first step of setting an initial count i to 0;
second, calculating the receiving time t of the ith messagei
Step three, judging whether the (i + 1) th message is received, if so, skipping to the step four, otherwise, judging that the attack is interrupted, and skipping to the step eight;
fourthly, recording the receiving time t of the (i + 1) th messagei+1
The fifth step, calculate Δ ti=ti+1-ti
Sixth, determining Δ tiIf the value is less than mu, judging that the injection attack is performed, and jumping to the eighth step, otherwise, jumping to the seventh step;
seventh, determine ΔiIf the number of the attack is larger than lambda, judging the attack is interrupted if the number of the attack is larger than lambdaAnd jumping to the eighth step, otherwise, directly jumping to the eighth step;
and step eight, judging whether i is less than n, if so, making i equal to i +1, and skipping to the step two, otherwise, ending the detection, wherein n represents the total number of the detected messages.
In the present invention, the injection type attack means: and injecting the CAN bus message into the CAN bus network in the vehicle for attack. Even if the message sent by the attacker accords with the protocol specification, the normal period of the communication message on the bus will change, so that the period of the communication message becomes smaller.
In the present invention, the interruption type attack means: a hacker performs an interruption attack on a certain message M, and the following two situations exist: (1) only the sending of a plurality of messages M is interrupted, and then the normal sending is recovered; (2) the transmission of the message is permanently interrupted. In either case, the reception time of M is greatly prolonged.
Compared with the prior art, the invention has the following advantages:
1. the method CAN detect whether the CAN bus in the vehicle is abnormally invaded or not and give early warning, thereby improving the safety of the vehicle in the driving process.
2. The method optimizes the detection threshold value in the existing literature, and formulates the determination rule of the detection threshold value, thereby further improving the detection precision and effectively detecting the injection type attack and the interruption type attack of the CAN bus message.
Drawings
FIG. 1 is a flow chart of threshold value calibration of the in-vehicle CAN bus network intrusion detection method based on message cycle characteristics according to the present invention;
fig. 2 is a detection flow chart of the in-vehicle CAN bus network intrusion detection method based on the message period characteristic.
Detailed Description
The technical solution of the present invention is further described below with reference to the accompanying drawings, but not limited thereto, and any modification or equivalent replacement of the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention shall be covered by the protection scope of the present invention.
Hair brushThe invention provides a self-adaptive intrusion detection algorithm of a vehicle-mounted CAN bus based on message periodic characteristics, and the whole implementation flow of the method is as follows: first, the detecting node receives the identifier IDjThe message receiving time is recorded, n receiving periods are calculated, the mean value and the maximum value of the receiving periods are calculated, and an intrusion detection threshold value is determined; in order to prevent false alarm, a small amount of time margin is additionally added when a detection threshold value is set. Then receives the identifier IDjThe time interval between two adjacent messages is calculated, and if the time interval exceeds a set threshold value, an alarm is sent out. The method comprises the following specific steps:
step one, threshold value calibration:
as shown in fig. 1, the method comprises the following steps:
first, receiving an identifier IDjAnd recording the message receiving time;
second, calculating message receiving period Ti
Third, calculating TiMaximum and average values of (1)max,Tmean
The fourth step, calculate TiIs different from the maximum by a value psimax=Tmax-Tmean
The fifth step, judge TiWhether or not the average value of (d) is greater than 3 ΨmaxIf yes, setting the threshold value mu of the injection type message attack as
Figure BDA0002268461870000041
Otherwise, the threshold value of the injection type message attack is set to be mu < T-psimax
Sixthly, setting the threshold lambda of the interrupt message attack as lambda ═ psimax+Tmean
Seventhly, adding a small amount of time margin to fine tune mu and lambda, and performing fine tuning by taking 5% of the time margin, wherein the fine tuned values mu 'and lambda' are as follows: μ ═ μ · (1-5%), λ ═ λ · (1+ 5%).
In the prior art, for the injection type attack, the message receiving period is reduced to be less than half of T, so T/2 is taken as the detection threshold of the injection type attack. For the interrupt attack, the message receiving period is greatly prolonged, so that T is used as the detection threshold of the interrupt attack.
However, due to the fluctuation of the actual in-vehicle CAN bus messages, the adoption of the two detection thresholds of the attack CAN cause the false alarm and the false alarm. For the interrupt type attack, the adoption of the original threshold value T can generate false alarm. Let ΨmaxAnd the maximum deviation of the receiving time interval of two adjacent messages from the ideal period T is shown. The detection threshold for the breakout attack is set to T + Ψmax
The thresholds for injection type attacks are:
Figure BDA0002268461870000051
when mu > mu1The report missing can not occur. Wherein ΔmaxminRepresenting the maximum time and minimum time to delay transmission because the bus is occupied.
If false alarm does not occur, the following requirements are met:
T-Ψmax>μ。
the thresholds for the interrupt-type attack are: expressing the maximum value of μ as μ2Then, there are:
μ2=T-Ψmax
when mu is2>μ1When T > 3 Ψmax. Setting the threshold value mu so that mu2>μ>μ1And meanwhile, the detection algorithm cannot generate false alarm and false alarm.
When mu is1>μ2When there is T < 3 psimax. Setting the threshold value mu so that mu > mu1In time, false positives may occur but no false negatives occur. If the value range of the threshold value mu is mu1>μ>μ2And if so, the detection system has false alarm and false alarm. Considering that the quantity of malicious messages injected by hackers under non-DoS attack is far less than the quantity of normal messages, the detection threshold value is more suitable when no false alarm exists and the probability of missing alarm exists is small, and mu is slightly less than mu2The value of (c).
Step two, abnormality detection:
as shown in fig. 2, the method comprises the following steps:
a first step of setting an initial count i to 0;
second, calculating the receiving time t of the ith messagei
Step three, judging whether the (i + 1) th message is received, if so, skipping to the step four, otherwise, judging that the attack is interrupted, and skipping to the step eight;
fourthly, recording the receiving time t of the (i + 1) th messagei+1
The fifth step, calculate Δ ti=ti+1-ti
Sixth, determining Δ tiIf the value is less than mu, judging that the injection attack is performed, and jumping to the eighth step, otherwise, jumping to the seventh step;
seventh, determine ΔiIf the number of the attack is larger than the lambda, judging that the attack is interrupted and skipping to the eighth step, otherwise, directly skipping to the eighth step;
and step eight, judging whether i is less than n, if so, making i equal to i +1, and skipping to the step two, otherwise, ending the detection, wherein n represents the total number of the detected messages.
In order to verify the effectiveness of the method provided by the invention, three CAN communication nodes are adopted to simulate each node of CAN communication in a vehicle, STM32F407ZGT6 of ST company is taken as a main control chip, the chip adopts a Cortex M4 kernel, the main frequency is 168MHz, a CAN controller is integrated, data is sent to a CAN receiving and sending chip TJA1050 of a development board through an output pin, and then messages are sent to a bus.
Random numbers delta (delta is more than 0 and less than 1.9) are added on the basis of the original message sending period of each node. Under normal condition, A sends message M to B in the period of (10+ delta) ms1Sending message M to B in the period of (10+2 delta) ms2
(1) Detection algorithm validation for injection attacks
C is a malicious node which randomly injects 10000 forged messages M into the bus respectively1' and M2'. According to the proposed adaptive intrusion detection algorithm based on the periodic characteristics of the message, the messageM1Injection attack detection threshold mu of1Formula (1) should be satisfied:
Figure BDA0002268461870000071
thus, will mu1Setting the detection time to 5ms, 6.5ms, 7ms and 8.5ms respectively, wherein 5ms is a detection threshold set without considering the message period change, and comparing the injection M under different detection thresholds1The result of the detection of the point I.
Message M2Injection attack detection threshold mu of2Formula (2) should be satisfied:
μ2<(10-3.8)ms=6.2ms (2)。
thus, will mu2Setting the detection time to 5ms, 5.8ms and 6.5ms respectively, wherein 5ms is a detection threshold set without considering the message period change, and comparing the injection M under different detection thresholds2The result of the detection of the point I.
(2) Detection algorithm validation for interrupt attacks
Without adding node C, only A and B participate in communication, M1And M2The transmission was randomly interrupted 10000 times. By the method mentioned above, message M1And M2Is detected by the interrupt attack detection threshold lambda1、λ2The following formulas (3) and (4) should be satisfied:
λ1>(10+1.9)ms=11.9ms (3);
λ2>(10+3.8)ms=13.8ms (4)。
thus will be1Set as 11ms, 12ms, 13ms respectively, compare different lambda1Lower pair M1And carrying out the detection effect of the interruption attack. Thus will be2Respectively set as 13ms, 14ms and 15ms, compare different lambdas2Lower pair M2And carrying out the detection effect of the interruption attack.
The results are shown in Table 1, for the injection attack, due to M1Has a period T satisfying T > 3 DeltamaxSetting the threshold value within the interval of 5.95ms to 8.1ms without false alarm and false negative alarm; if the threshold value is set to be 5ms, 45 missing report injection messages appear; if the threshold is set to 8.5ms, there are 126 normal messagesIs misreported. M2Has a period T satisfying T < 3 DeltamaxWhen the threshold value is less than 6.2ms, false alarm can not occur, but false alarm exists, and the smaller the threshold value is, the more the number of false alarm is; if the threshold value is set to be T/2, namely 5ms, 67 messages which are not reported exist, and the number of the messages which are not reported is large; if the threshold is set to be T/2, namely 6.5ms, 15 missed report messages and 3 false report messages exist. Therefore, the self-adaptive intrusion detection method based on the message periodic characteristics has better effect on detecting injection attacks than the method for detecting by simply setting the threshold value to be T/2.
When detecting the interrupt attack, M is used1When the interrupt detection threshold value of (2) is set to 11ms, 137 false alarms occur; to mix M1When the interrupt detection threshold is set to 12ms or 13ms, there is no false alarm or no false alarm. Will M2When the interrupt detection threshold value of (2) is set to 13ms, 35 false alarms appear; to mix M2When the interrupt detection threshold is set to be 14ms and 15ms, no false alarm or false alarm is generated, namely, the effectiveness of the method for detecting the interrupt attack is verified.
TABLE 1 detection results of injection attacks and breakout attacks
Figure BDA0002268461870000091

Claims (2)

1. A self-adaptive intrusion detection method of a vehicle-mounted CAN bus based on message periodic characteristics is characterized by comprising the following steps:
step one, threshold value calibration:
first, receiving an identifier IDjAnd recording the message receiving time;
second, calculating message receiving period Ti
Third, calculating TiMaximum and average values of (1)max,Tmean
The fourth step, calculate TiOfDifference of mean and maximum Ψmax=Tmax-Tmean
The fifth step, judge TiWhether or not the average value of (d) is greater than 3 ΨmaxIf yes, setting the threshold value mu of the injection type message attack as
Figure FDA0002268461860000011
Otherwise, the threshold value of the injection type message attack is set to be mu < T-psimax
Sixthly, setting the threshold lambda of the interrupt message attack as lambda ═ psimax+Tmean
Step seven, adding a small amount of time margin to finely adjust mu and lambda;
step two, abnormality detection:
a first step of setting an initial count i to 0;
second, calculating the receiving time t of the ith messagei
Step three, judging whether the (i + 1) th message is received, if so, skipping to the step four, otherwise, judging that the attack is interrupted, and skipping to the step eight;
fourthly, recording the receiving time t of the (i + 1) th messagei+1
The fifth step, calculate Δ ti=ti+1-ti
Sixth, determining Δ tiIf the value is less than mu, judging that the injection attack is performed, and jumping to the eighth step, otherwise, jumping to the seventh step;
seventh, determine ΔiIf the number of the attack is larger than the lambda, judging that the attack is interrupted and skipping to the eighth step, otherwise, directly skipping to the eighth step;
and step eight, judging whether i is less than n, if so, making i equal to i +1, and skipping to the step two, otherwise, ending the detection, wherein n represents the total number of the detected messages.
2. The message period characteristic-based vehicle-mounted CAN bus adaptive intrusion detection method according to claim 1, wherein in the seventh step of the first step, the fine-tuned μ 'and λ' are as follows: μ ═ μ · (1-5%), λ ═ λ · (1+ 5%).
CN201911096398.2A 2019-11-11 2019-11-11 Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics Active CN110691104B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911096398.2A CN110691104B (en) 2019-11-11 2019-11-11 Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911096398.2A CN110691104B (en) 2019-11-11 2019-11-11 Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics

Publications (2)

Publication Number Publication Date
CN110691104A true CN110691104A (en) 2020-01-14
CN110691104B CN110691104B (en) 2021-08-31

Family

ID=69116260

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911096398.2A Active CN110691104B (en) 2019-11-11 2019-11-11 Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics

Country Status (1)

Country Link
CN (1) CN110691104B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111311912A (en) * 2020-02-25 2020-06-19 北京天融信网络安全技术有限公司 Internet of vehicles detection data determination method and device and electronic equipment
CN111464415A (en) * 2020-04-02 2020-07-28 昆易电子科技(上海)有限公司 Method for early warning of CAN bus message abnormity and electronic equipment
CN111866017A (en) * 2020-07-29 2020-10-30 北京天融信网络安全技术有限公司 Method and device for detecting abnormal frame interval of CAN bus
CN114157492A (en) * 2021-12-02 2022-03-08 北京天融信网络安全技术有限公司 CAN bus intrusion detection method and device
CN114285633A (en) * 2021-12-23 2022-04-05 深圳供电局有限公司 Computer network security monitoring method and system
WO2022088160A1 (en) * 2020-10-31 2022-05-05 华为技术有限公司 Anomaly detection method and apparatus
CN114760163A (en) * 2022-04-22 2022-07-15 惠州华阳通用电子有限公司 CAN communication method
CN115664788A (en) * 2022-10-24 2023-01-31 惠州市德赛西威智能交通技术研究院有限公司 Communication data hijacking monitoring method and system, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899614A (en) * 2017-04-14 2017-06-27 北京洋浦伟业科技发展有限公司 In-vehicle network intrusion detection method and device based on the message cycle
CN108989319A (en) * 2018-07-27 2018-12-11 北京梆梆安全科技有限公司 CAN bus based vehicle intrusion detection method and vehicle invasion detecting device
CN109067773A (en) * 2018-09-10 2018-12-21 成都信息工程大学 A kind of vehicle-mounted CAN network inbreak detection method neural network based and system
US20190104149A1 (en) * 2017-10-03 2019-04-04 George Mason University Hardware module-based authentication in intra-vehicle networks
US20190332823A1 (en) * 2018-04-27 2019-10-31 Electronics And Telecommunications Research Institute Intrusion response apparatus and method for vehicle network

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899614A (en) * 2017-04-14 2017-06-27 北京洋浦伟业科技发展有限公司 In-vehicle network intrusion detection method and device based on the message cycle
US20190104149A1 (en) * 2017-10-03 2019-04-04 George Mason University Hardware module-based authentication in intra-vehicle networks
US20190332823A1 (en) * 2018-04-27 2019-10-31 Electronics And Telecommunications Research Institute Intrusion response apparatus and method for vehicle network
CN108989319A (en) * 2018-07-27 2018-12-11 北京梆梆安全科技有限公司 CAN bus based vehicle intrusion detection method and vehicle invasion detecting device
CN109067773A (en) * 2018-09-10 2018-12-21 成都信息工程大学 A kind of vehicle-mounted CAN network inbreak detection method neural network based and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ROBERTO MERCO 等: "Replay Attack Detection in a Platoon of Connected Vehicles with Cooperative Adaptive Cruise Control", 《2018 ANNUAL AMERICAN CONTROL CONFERENCE (ACC)》 *
盛铭 等: "一种基于时间序列的CAN总线异常检测方法", 《上海工程技术大学学报》 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111311912A (en) * 2020-02-25 2020-06-19 北京天融信网络安全技术有限公司 Internet of vehicles detection data determination method and device and electronic equipment
CN111311912B (en) * 2020-02-25 2021-08-24 北京天融信网络安全技术有限公司 Internet of vehicles detection data determination method and device and electronic equipment
CN111464415A (en) * 2020-04-02 2020-07-28 昆易电子科技(上海)有限公司 Method for early warning of CAN bus message abnormity and electronic equipment
CN111866017A (en) * 2020-07-29 2020-10-30 北京天融信网络安全技术有限公司 Method and device for detecting abnormal frame interval of CAN bus
CN111866017B (en) * 2020-07-29 2022-09-16 北京天融信网络安全技术有限公司 Method and device for detecting abnormal frame interval of CAN bus
WO2022088160A1 (en) * 2020-10-31 2022-05-05 华为技术有限公司 Anomaly detection method and apparatus
CN114157492A (en) * 2021-12-02 2022-03-08 北京天融信网络安全技术有限公司 CAN bus intrusion detection method and device
CN114285633A (en) * 2021-12-23 2022-04-05 深圳供电局有限公司 Computer network security monitoring method and system
CN114285633B (en) * 2021-12-23 2024-03-29 深圳供电局有限公司 Computer network security monitoring method and system
CN114760163A (en) * 2022-04-22 2022-07-15 惠州华阳通用电子有限公司 CAN communication method
CN114760163B (en) * 2022-04-22 2024-01-12 惠州华阳通用电子有限公司 CAN communication method
CN115664788A (en) * 2022-10-24 2023-01-31 惠州市德赛西威智能交通技术研究院有限公司 Communication data hijacking monitoring method and system, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN110691104B (en) 2021-08-31

Similar Documents

Publication Publication Date Title
CN110691104B (en) Vehicle-mounted CAN bus self-adaptive intrusion detection method based on message period characteristics
Song et al. In-vehicle network intrusion detection using deep convolutional neural network
Lokman et al. Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review
Lee et al. OTIDS: A novel intrusion detection system for in-vehicle network by using remote frame
Qin et al. Optimal denial-of-service attack scheduling with energy constraint over packet-dropping networks
Wang et al. An entropy analysis based intrusion detection system for controller area network in vehicles
CN108848072B (en) Vehicle-mounted CAN bus abnormality detection method based on relative entropy
Jin et al. Signature-based intrusion detection system (IDS) for in-vehicle CAN bus network
CN110505134B (en) Internet of vehicles CAN bus data detection method and device
CN107566402B (en) SOEKS-based intrusion detection method and implementation of vehicle-mounted electronic information system
CN111466107A (en) Ethernet profiling intrusion detection control logic and architecture for in-vehicle controllers
CN111147448B (en) CAN bus flood attack defense system and method
Zhang et al. A hybrid approach toward efficient and accurate intrusion detection for in-vehicle networks
De Araujo-Filho et al. An efficient intrusion prevention system for CAN: Hindering cyber-attacks with a low-cost platform
KR20180021287A (en) Appratus and method for detecting vehicle intrusion
CN114257986A (en) Vehicle CAN network attack identification method and device
CN112865752A (en) Filter design method based on adaptive event trigger mechanism under hybrid network attack
Tanksale Intrusion detection for controller area network using support vector machines
Olufowobi et al. Controller area network intrusion prevention system leveraging fault recovery
CN111133727B (en) Method and apparatus for identifying attacks on a serial communication system
CN111931252A (en) Vehicle-mounted CAN intrusion detection method based on sliding window and CENN
KR20220041137A (en) Multi-mode messaging anomaly detection for broadcast network security
He et al. A lightweight and intelligent intrusion detection system for integrated electronic systems
Lampe et al. Intrusion detection in the automotive domain: A comprehensive review
Wang et al. Vulnerability of deep learning model based anomaly detection in vehicle network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant