CN110896393A - Intrusion detection method and device for automobile bus and computing equipment - Google Patents

Publication number
CN110896393A
Authority
CN
China
Prior art keywords
signal
characteristic
automobile
dimension
waveform
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811069397.4A
Other languages
Chinese (zh)
Other versions
CN110896393B (en)
Inventor
谭晓生
刘健皓
曹明革
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anxinxing (Beijing) Technology Co.,Ltd.
Original Assignee
Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201811069397.4A
Publication of CN110896393A
Application granted
Publication of CN110896393B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an intrusion detection method, an intrusion detection device and computing equipment for an automobile bus. The method comprises: acquiring a level signal on the automobile bus and decoding it to obtain the signal waveform corresponding to the level signal; extracting real-time signal features of at least one feature dimension from the signal waveform; and matching the real-time signal features of the at least one feature dimension against pre-recorded reference signal features of the automobile controllers connected to the automobile bus, and determining from the matching result whether the event corresponding to the level signal is an intrusion event. By matching the extracted real-time signal features against the reference signal features of the automobile controllers connected to the bus, the scheme determines whether the real-time level signal was sent by a legitimate signal source, that is, by an automobile controller connected to the automobile bus, so that intrusion events on the automobile bus can be detected accurately.

Description

Intrusion detection method and device for automobile bus and computing equipment
Technical Field
The invention relates to the technical field of security detection, in particular to an intrusion detection method and device for an automobile bus and computing equipment.
Background
A Controller Area Network (CAN) is a serial communication protocol standardized by ISO. The emergence of CAN provides strong technical support for real-time, reliable data communication among the nodes of a distributed control system. Meanwhile, the automobile industry has developed a variety of electronic control systems to meet requirements for safety, comfort, convenience, low pollution and low cost, for example various automobile controllers (electronic control units, abbreviated ECUs), and the industry generally uses a CAN bus for real-time, reliable data transmission between these electronic control systems.
However, as information control technology has spread through the automobile industry, control security problems have followed. A typical one is this: a node that receives a control message cannot tell whether the message was sent by a pseudo (counterfeit) control system and responds to it directly, which allows a pseudo control system to control the automobile illegally.
Disclosure of Invention
In view of the above, the present invention is proposed in order to provide an intrusion detection method, apparatus and computing device for a car bus that overcome or at least partially solve the above problems.
According to one aspect of the invention, an intrusion detection method for an automobile bus is provided, which comprises the following steps:
acquiring a level signal on an automobile bus, and decoding the level signal to obtain a signal waveform corresponding to the level signal;
extracting real-time signal features of at least one feature dimension according to the signal waveform;
and matching the real-time signal characteristic of at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result.
According to another aspect of the present invention, there is provided an intrusion detection device for a vehicle bus, including:
the acquisition module is suitable for acquiring a level signal on an automobile bus, and decoding the level signal to obtain a signal waveform corresponding to the level signal;
the extraction module is suitable for extracting real-time signal features of at least one feature dimension according to the signal waveform;
and the matching module is suitable for matching the real-time signal characteristic of the at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result.
According to yet another aspect of the present invention, there is provided a computing device comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the intrusion detection method of the automobile bus.
According to still another aspect of the present invention, there is provided a computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the intrusion detection method for a vehicle bus as described above.
According to the intrusion detection method, the intrusion detection device and the computing equipment of the automobile bus, level signals on the automobile bus are collected and decoded to obtain signal waveforms corresponding to the level signals; extracting real-time signal features of at least one feature dimension according to the signal waveform; and matching the real-time signal characteristic of at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result. According to the scheme of the invention, the extracted real-time signal characteristics are matched with the reference signal characteristics of the automobile controller accessed to the automobile bus, and whether the real-time level signal is sent by a legal signal source (namely the automobile controller accessed to the automobile bus) or not is determined, so that the intrusion event of the automobile bus can be accurately detected, and the condition that the automobile is illegally controlled by the pseudo-automobile controller is avoided.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 shows a flow diagram of a method of intrusion detection for a vehicle bus according to one embodiment of the invention;
FIG. 2 is a flow chart illustrating a method of intrusion detection for a vehicle bus according to another embodiment of the present invention;
FIG. 3 shows a functional block diagram of an intrusion detection device for a car bus according to one embodiment of the present invention;
FIG. 4 shows a schematic structural diagram of a computing device according to an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 shows a flow chart of an intrusion detection method for a car bus according to an embodiment of the invention. As shown in fig. 1, the method includes:
Step S101: acquiring a level signal on the automobile bus, and decoding the level signal to obtain a signal waveform corresponding to the level signal.
Specifically, the level signals output by the two data lines of the automobile bus (the high data line CAN-H and the low data line CAN-L) are collected in real time and decoded to obtain a signal waveform. The signal waveform carries signal features of the signal source that generated the level signal, for example the frequency characteristics of the message signal sent by that source.
It should be noted that the intrusion detection method for the vehicle bus according to the present invention is an intrusion detection scheme for one bus. In an automobile, because the data types used for communication between the automobile controllers and the requirements on reliability are different, a plurality of automobile buses may exist, and at the moment, each automobile bus needs to be subjected to intrusion detection by using the scheme of the invention.
Step S102: extracting real-time signal features of at least one feature dimension according to the signal waveform.
Wherein, at least one characteristic dimension comprises a dimension only related to the attribute of the signal source, and the signal characteristic of the dimension is not related to the message content. Optionally, at least one feature dimension may be selected from feature dimensions corresponding to signal features not related to the message content. For example, if the amplitude and harmonic characteristics of the signal waveform are independent of the message content, the amplitude dimension and/or harmonic characteristic dimension may be determined as at least one characteristic dimension.
Specifically, the signal waveform is analyzed and real-time signal features of at least one feature dimension are extracted. The extraction mode is not limited in the invention, and in the concrete implementation, the skilled person can flexibly determine the extraction mode according to different feature dimensions.
Step S103: matching the real-time signal features of the at least one feature dimension with the pre-recorded reference signal features of the automobile controllers connected to the automobile bus, and determining whether the event corresponding to the level signal is an intrusion event according to the matching result.
The pre-recorded reference signal characteristics of the automobile controller connected to the automobile bus comprise signal characteristics corresponding to the extracted real-time signal characteristics of at least one characteristic dimension.
Specifically, the real-time signal features of the at least one feature dimension are matched against the reference signal features. The matching may compare the real-time signal features as a whole with the reference signal features as a whole; or select feature dimensions one at a time from the at least one feature dimension and match the real-time and reference signal features of each selected dimension; or match the real-time signal features of every feature dimension against the reference signal features. The matching result determines whether the real-time level signal was sent by a legitimate signal source (that is, an automobile controller connected to the automobile bus), so that intrusion events on the automobile bus can be detected accurately.
The intrusion detection scheme can be executed by a stand-alone intrusion detection device, which must be connected to the two data lines of the automobile bus under test. Alternatively, it can be implemented as a hardware circuit-board module embedded at the periphery of the automobile bus under test and connected to the two data lines of that bus.
According to the intrusion detection method of the automobile bus provided by the embodiment, level signals on the automobile bus are collected and decoded to obtain signal waveforms corresponding to the level signals; extracting real-time signal features of at least one feature dimension according to the signal waveform; and matching the real-time signal characteristic of at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result. In the scheme of the embodiment, the extracted real-time signal characteristics are matched with the reference signal characteristics of the automobile controller accessed to the automobile bus, and whether the real-time level signal is generated by a legal signal source (namely, the automobile controller accessed to the automobile bus) or not is determined, so that the intrusion event of the automobile bus can be accurately detected, and the condition that the automobile is illegally controlled by the pseudo-automobile controller is avoided.
Fig. 2 is a flowchart illustrating an intrusion detection method for a car bus according to another embodiment of the present invention. As shown in fig. 2, the method includes:
Step S201: under a preset working condition, determining reference signal features of at least one feature dimension of an automobile controller connected to the automobile bus, according to the signal waveform of that automobile controller under the preset working condition.
In this step, the reference signal features of at least one feature dimension of the automobile controller are determined, so that they can later be used to decide whether a real-time signal feature corresponds to the signal feature of a message signal generated by a legitimate signal source (that is, an automobile controller connected to the automobile bus).
The reference signal features of the at least one feature dimension are signal features that are independent of message content and depend only on the attributes of the signal source (that is, the automobile controller). Accordingly, to make matching straightforward, the real-time signal features extracted later correspond to the same feature dimensions as the reference signal features here. For example, because ECUs differ in circuit design or type, the reflection waveforms produced by signal reflection when the level signal switches between high and low differ from one ECU to another; the frequencies of the signals produced by different ECUs also differ, as do the interfering harmonics that appear after the level has settled. Therefore, before the message signals of a legitimate ECU (that is, an automobile controller connected to the automobile bus) are enrolled, signal features that describe these waveform similarities and differences (the reference signal features of the at least one feature dimension) must be extracted from the signal waveform to characterize that ECU. Optionally, the at least one feature dimension includes: a frequency feature dimension, an amplitude feature dimension, an edge transition time feature dimension, an edge transition waveform feature dimension, and/or a harmonic feature dimension.
Specifically, under a preset working condition, when the automobile controller sends a message signal, level signals on an automobile bus are collected, the level signals are decoded to obtain signal waveforms corresponding to the preset working condition, and different feature extraction modes are adopted to extract reference signal features corresponding to feature dimensions according to the signal waveforms corresponding to the preset working condition. The preset working condition refers to a preset specific operating environment of the automobile controller. Wherein the operating environment comprises at least one of the following environments: the working voltage of the automobile controller, the electromagnetic interference strength of the arrangement position of the automobile controller, a chip related to the CAN adopted by the automobile controller, the fatigue degree of the automobile controller, the wire harness distance between the automobile controller and a signal detection point, the ambient temperature or humidity, the quality of the CAN cable and the total load of the CAN bus. Preferably, the preset working condition is an ideal operating environment.
The following describes exemplary reference signal feature extraction processes for the frequency, amplitude, edge transition time, edge transition waveform and harmonic feature dimensions listed above:
Frequency feature dimension: under the preset working condition, for the signal waveform of the automobile controller corresponding to that condition, the duration of each bit level is calculated from the signal waveform, and the reference signal feature of the frequency feature dimension of the automobile controller is determined from those durations. Further, the signal waveform is digitized into a signal made up of dominant and recessive bits, and the duration of each bit level is calculated by setting a trigger point; the period of the signal waveform under the preset working condition is then calculated from the per-bit durations, the frequency is calculated from the period, and the calculated frequency is taken as the reference signal feature of the frequency feature dimension of the automobile controller.
Amplitude feature dimension: under the preset working condition, for the signal waveform of the automobile controller corresponding to that condition, the interfering harmonics on the dominant bits are filtered out to obtain a filtered signal waveform; the mean amplitude of the filtered signal waveform is calculated, and the reference signal feature of the amplitude feature dimension of the automobile controller is determined from that mean.
Edge transition time feature dimension: under the preset working condition, for the signal waveform of the automobile controller corresponding to that condition, the transition time of the edge transitions is calculated, and the reference signal feature of the edge transition time feature dimension of the automobile controller is determined from that transition time. Optionally, the transition time may be calculated in software by setting a trigger point.
Edge transition waveform feature dimension: under the preset working condition, for the signal waveform of the automobile controller under that condition, the waveform variance at the edge transitions is calculated, and the reference signal feature of the edge transition waveform feature dimension of the automobile controller is determined from that variance. Further, the waveform feature at an edge transition can describe the oscillation amplitude during the transition by calculating the waveform variance during the transition after rotating the coordinate system.
Harmonic feature dimension: under the preset working condition, for the signal waveform of the automobile controller corresponding to that condition, the waveform variance of the signal waveform after the level has settled is calculated, and the reference signal feature of the harmonic feature dimension of the automobile controller is determined from that variance.
In the feature extraction process of each feature dimension, the signal waveform may be sampled by an AD converter to obtain a digital description of the signal waveform, and then a mathematical description (i.e., a reference signal feature) of a corresponding feature may be obtained by a corresponding extraction method or software.
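The extraction steps above, for four of the five dimensions (frequency, amplitude, edge transition time, harmonic), as an added example that is not part of the patent text. The waveforms are constructed, and the 1.0 V trigger threshold, the 10%/90% edge limits, the 5-tap moving average standing in for the harmonic filter, and the `guard` trim are assumptions of this sketch.

```python
import math
from statistics import mean, median, pvariance


def synth_waveform(bits, spb, v_dom, rise, ripple):
    """Constructed differential trace (CAN-H minus CAN-L); bit 1 = dominant."""
    out, prev = [], 0.0
    for bit in bits:
        target = v_dom if bit else 0.0
        for i in range(spb):
            if target != prev and i < rise:      # linear edge between levels
                v = prev + (target - prev) * (i + 1) / (rise + 1)
            else:                                # settled level; ripple on dominant only
                v = target + (ripple * math.sin(i) if bit else 0.0)
            out.append(v)
        prev = target
    return out


def level_runs(samples, threshold):
    """Digitise the trace and return (is_dominant, start, length) per run."""
    levels = [s > threshold for s in samples]
    runs, start = [], 0
    for i in range(1, len(levels) + 1):
        if i == len(levels) or levels[i] != levels[start]:
            runs.append((levels[start], start, i - start))
            start = i
    return runs


def rise_length(samples, t, amp):
    """Samples spent between 10% and 90% of amp around rising trigger index t."""
    a = b = t
    while a > 0 and samples[a - 1] > 0.1 * amp:
        a -= 1
    while b < len(samples) and samples[b] < 0.9 * amp:
        b += 1
    return b - a


def extract_features(samples, rate_hz, threshold=1.0, guard=6):
    inner = level_runs(samples, threshold)[1:-1]   # first/last runs may be truncated
    unit = min(n for _, _, n in inner)             # shortest run taken as one bit time
    bit_len = mean(n / round(n / unit) for _, _, n in inner)
    # Settled dominant samples: each dominant run minus `guard` samples per side.
    plateau = [i for dom, s, n in inner if dom
               for i in range(s + guard, s + n - guard)]
    smooth = {i: mean(samples[i - 2:i + 3]) for i in plateau}  # 5-tap moving average
    amp = mean(smooth.values())
    edges = [rise_length(samples, s, amp) for dom, s, _ in inner if dom]
    return {
        "bit_rate_hz": rate_hz / bit_len,                       # frequency dimension
        "amplitude_v": amp,                                     # amplitude dimension
        "edge_time_s": median(edges) / rate_hz,                 # edge transition time
        "harmonic_var": pvariance([samples[i] for i in plateau]),  # settled-level variance
    }


RATE_HZ = 10_000_000                     # constructed: 10 MS/s AD sampling
BITS = [0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
# Two constructed transmitters that differ only in analogue behaviour.
ECU_A = extract_features(synth_waveform(BITS, 20, 2.0, 4, 0.02), RATE_HZ)
ECU_B = extract_features(synth_waveform(BITS, 20, 2.3, 7, 0.08), RATE_HZ)

if __name__ == "__main__":
    for name, feats in (("ECU_A", ECU_A), ("ECU_B", ECU_B)):
        print(name, {k: f"{v:.4g}" for k, v in feats.items()})
```

Both traces carry the same bit pattern, so every difference between `ECU_A` and `ECU_B` comes from the transmitter's analogue behaviour rather than from message content.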
It should be noted that the process described above determines the reference signal features of at least one feature dimension for a single automobile controller. In practice there are often several automobile controllers on one automobile bus. In that case, one automobile controller at a time is made to send a message signal and its reference signal features of the at least one feature dimension are determined; repeating this for each controller yields the reference signal features of every automobile controller.
Step S202, recording the reference signal characteristics of at least one characteristic dimension of the automobile controller.
Specifically, the reference signal characteristics of at least one characteristic dimension of the determined automobile controller are recorded into an intrusion detection device memory so as to carry out real-time detection.
In some optional embodiments of the present invention, the intrusion detection device has a self-learning capability for updating the mathematical description of the signal source characteristics, that is, for updating the reference signal features of the at least one feature dimension of the automobile controller, so as to avoid detection errors caused by real-time signal features changing with the working condition. Specifically, the reference signal features of the at least one feature dimension of the automobile controller are updated according to the difference between the working condition at the time the level signal is collected and the preset working condition. For example, because the supply voltages of the ECUs differ, the absolute values of the high and low levels in the message signals they send differ, and so the differential voltages of the CAN signals of different ECUs differ as well; the self-learning capability of the intrusion detection device can compensate for differences of this kind caused by changes in working condition. Correspondingly, after the update, the updated reference signal features of the at least one feature dimension of the automobile controller are recorded, so that feature matching under real-time working conditions uses the updated reference signal features, which further improves the accuracy of the intrusion detection result.
Step S203, when detecting that the level state of the automobile bus is the dominant level state, acquiring a level signal on the automobile bus; and decoding the level signal to obtain a signal waveform corresponding to the level signal.
When the level state of the bus is the recessive level state, the bus is idle; when the level state of the bus is the dominant level state, the bus is busy. In addition, the CAN bus protocol stipulates that only one automobile controller can transmit data on the bus during any given time period. On this basis, the method detects whether the level state of the automobile bus is the dominant level state and collects the level signal when the dominant level state is detected; the collected signal then corresponds to the message signal sent by a signal source.
Step S204, extracting real-time signal characteristics of at least one characteristic dimension according to the signal waveform.
The principle and process of extracting the real-time signal features are the same as in step S201; refer to the description of step S201, which is not repeated here.
In addition, it should be noted that when the reference signal features are determined in step S201, one automobile controller at a time is made to send a message signal, which ensures that the determined reference signal features belong to that automobile controller. During real-time acquisition, although only one automobile controller can transmit data on the bus during any given time period, several ECUs may share the CAN bus during the arbitration field and the acknowledgement (ACK) field of a message, so these regions must be avoided when the real-time signal features are extracted in step S204. Specifically: the interference waveform intervals corresponding to the arbitration field and the ACK field of the message are determined in the signal waveform; the waveform in those intervals is removed from the signal waveform to obtain a valid signal waveform; and the real-time signal features of the at least one feature dimension are extracted from the valid signal waveform.
Step S205, decoding the signal waveform to obtain the message identifier of the message corresponding to the level signal.
Specifically, the signal waveform is decoded to obtain carrier data, and a message corresponding to the signal waveform and a message identifier of the message are obtained.
Step S206: judging whether the preset message identifiers of the automobile bus contain the message identifier of the message corresponding to the level signal. If yes, go to step S207; if not, go to step S209.
In general, the automobile manufacturer assigns the message identifier and message content of each message to a particular automobile controller; in other words, each message corresponds to one automobile controller, and the preset message identifiers of the automobile bus are the message identifiers of the messages assigned to the automobile controllers connected to that bus.
Specifically, if the preset message identifier of the automobile bus includes the message identifier of the message corresponding to the level signal, step S207 is executed to further detect whether the signal source that sends the message content corresponding to the message identifier is a legal signal source. If the preset message identifier of the automobile bus does not contain the message identifier of the message corresponding to the level signal, step S209 is executed to directly determine the intrusion event.
Step S207: the preset message identifier of the automobile bus that matches the message identifier of the message corresponding to the level signal is determined as the target message identifier, and the automobile controller found by looking up the target message identifier is determined as the target controller.
The target controller is an automobile controller which is divided by an automobile factory and corresponds to the target message identifier.
Optionally, to support determining the target message identifier and the target controller in this step, after the automobile manufacturer has assigned the message identifier and message content of each message to the corresponding automobile controller, the intrusion detection device records and stores, keyed by the identifier of each automobile controller and according to that assignment, the preset message identifiers of the automobile bus together with the reference signal features from step S202; in this step, the target message identifier and the target controller are determined by querying these stored associations.
The steps S204 to S207 may be executed according to the sequence of fig. 2, or the step S204 may be executed at the same time when the steps S205 to S207 are executed, or the step S204 is executed after the step S207 is executed, which is not limited in the present invention.
Step S208, matching the real-time signal characteristic of at least one characteristic dimension with the reference signal characteristic of at least one characteristic dimension of the target controller, and determining whether the event corresponding to the level signal is an intrusion event according to a matching result.
Specifically, the reference signal features of the at least one feature dimension of the target controller are selected from the pre-recorded reference signal features of the at least one feature dimension of the plurality of automobile controllers, which narrows the matching range and improves the accuracy of the intrusion detection result. The real-time signal features of the at least one feature dimension are then matched with the reference signal features of the at least one feature dimension of the target controller. During matching, for example, different ECUs may be classified by a signal classification algorithm according to abstract features of the ECUs' signals; alternatively, a confidence threshold may be set, and the difference value obtained by matching is compared with the confidence threshold to determine whether the signal source generating the real-time level signal is the legal signal source (i.e., the target controller). If so, the event corresponding to the level signal is determined not to be an intrusion event; otherwise, it is an intrusion event.
Further, when the at least one feature dimension is a plurality of feature dimensions, the signal features of corresponding feature dimensions in the real-time signal feature and the reference signal feature are matched separately. Specifically, for each feature dimension, the real-time signal sub-feature corresponding to that feature dimension is extracted from the real-time signal feature and matched with the reference signal sub-feature corresponding to that feature dimension in the reference signal feature, to obtain a matching value corresponding to the feature dimension; whether the event corresponding to the level signal is an intrusion event is then determined according to the matching values of all feature dimensions. Furthermore, a detection weight can be preset for each feature dimension; after the matching values of the feature dimensions are obtained, the sum of the products of the matching values and their detection weights is calculated to obtain an overall matching degree value. The overall matching degree value is then compared with a preset overall matching degree threshold, and whether the signal source generating the real-time level signal is the legal signal source (i.e., the target controller) is determined according to the comparison result: if the overall matching degree value exceeds the preset overall matching degree threshold, the real-time level signal is determined to have been generated by the target controller, and the event corresponding to the level signal is determined not to be an intrusion event; otherwise, the event is an intrusion event.
In step S209, the event corresponding to the level signal is determined to be an intrusion event.
In this embodiment, after the intrusion event is determined, the intrusion event is blocked in real time.
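The decision flow of steps S207 to S209 can be sketched as follows. This is an added example, not code from the patent: the linear tolerance-based matching value, the detection weights, the threshold, the controller names, the message identifiers and all feature values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed detection weights per feature dimension (they sum to 1.0) and overall threshold.
WEIGHTS = {"frequency": 0.15, "amplitude": 0.30, "edge_time": 0.30,
           "edge_waveform": 0.15, "harmonic": 0.10}
THRESHOLD = 0.6

# Constructed reference features: dimension -> (recorded value, tolerated deviation).
REFERENCE = {
    "engine_ecu": {"frequency": (2.000, 0.010), "amplitude": (2.05, 0.10),
                   "edge_time": (62.0, 8.0), "edge_waveform": (0.0120, 0.0040),
                   "harmonic": (0.00080, 0.00040)},
    "brake_ecu": {"frequency": (2.004, 0.010), "amplitude": (2.31, 0.10),
                  "edge_time": (81.0, 8.0), "edge_waveform": (0.0190, 0.0040),
                  "harmonic": (0.00150, 0.00040)},
}
# Constructed allocation of preset message identifiers to controllers.
ID_TO_CONTROLLER = {0x0C0: "engine_ecu", 0x1A0: "brake_ecu"}


@dataclass(frozen=True)
class Verdict:
    intrusion: bool
    controller: Optional[str]
    overall: Optional[float]
    per_dimension: Dict[str, float] = field(default_factory=dict)
    reason: str = ""


def match_value(real, ref, tol):
    """1.0 when real equals the reference, falling linearly to 0.0 one tolerance away."""
    return max(0.0, 1.0 - abs(real - ref) / tol)


def detect(msg_id, features):
    """Classify one frame from its decoded identifier and its real-time signal features."""
    controller = ID_TO_CONTROLLER.get(msg_id)
    if controller is None:
        # S209: the identifier is not among the preset identifiers of this bus.
        return Verdict(True, None, None, {}, "identifier not preset for this bus")
    reference = REFERENCE[controller]          # S207: target controller's references only
    per_dim = {}
    for dim in WEIGHTS:                        # S208: match dimension by dimension
        ref, tol = reference[dim]
        # A dimension missing from the real-time features scores 0.0 (fail closed).
        per_dim[dim] = match_value(features[dim], ref, tol) if dim in features else 0.0
    overall = sum(WEIGHTS[d] * m for d, m in per_dim.items())
    if overall > THRESHOLD:
        return Verdict(False, controller, overall, per_dim, "matches target controller")
    return Verdict(True, controller, overall, per_dim, "does not match target controller")


# Constructed frames: (message identifier, real-time features).
LEGIT = (0x0C0, {"frequency": 2.001, "amplitude": 2.07, "edge_time": 63.5,
                 "edge_waveform": 0.0125, "harmonic": 0.00085})
# Identifier allocated to engine_ecu, but electrical features resembling brake_ecu.
MASQUERADE = (0x0C0, {"frequency": 2.004, "amplitude": 2.30, "edge_time": 80.0,
                      "edge_waveform": 0.0185, "harmonic": 0.00145})
UNKNOWN_ID = (0x7FF, LEGIT[1])

if __name__ == "__main__":
    for name, (msg_id, feats) in (("legit", LEGIT), ("masquerade", MASQUERADE),
                                  ("unknown id", UNKNOWN_ID)):
        v = detect(msg_id, feats)
        print(f"{name:11s} id=0x{msg_id:03X} intrusion={v.intrusion} "
              f"overall={v.overall} ({v.reason})")
```

Selecting only the target controller's references is what makes the second frame fail: its features would score well against brake_ecu, but that comparison is never made for identifier 0x0C0.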
According to the intrusion detection method of the automobile bus provided by the embodiment, the reference signal characteristic of at least one characteristic dimension of the automobile controller is predetermined and recorded, so that the matching standard of intrusion detection is obtained; in addition, according to the difference between the current working condition and the preset working condition when the level signal is acquired, the reference signal characteristic of at least one characteristic dimension of the automobile controller is updated, so that the intrusion detection result obtained after the updated reference signal characteristic is used for matching is more accurate; then, acquiring a level signal in real time, decoding to obtain a signal waveform, and determining a target controller theoretically generating the level signal according to carrier data corresponding to the signal waveform, so that the matching range is narrowed, and the accuracy of an intrusion detection result is improved; and then, the real-time signal characteristics extracted from the real-time signal waveform are matched with the reference signal characteristics of the target controller, and whether the real-time level signal is generated by a legal signal source (namely the target controller) or not is determined, so that the intrusion event of the automobile bus can be accurately detected, the blocking processing is timely carried out, and the condition that the automobile is illegally controlled by a pseudo-automobile controller is avoided.
Fig. 3 shows a functional block diagram of an intrusion detection device for a car bus according to an embodiment of the present invention. As shown in fig. 3, the apparatus includes: an acquisition module 301, an extraction module 302 and a matching module 303. Optionally, the apparatus further comprises: a first determination module 304, a logging module 305, an updating module 306, a second determination module 307, and a detection module 308.
The acquisition module 301 is adapted to acquire a level signal on an automobile bus, and decode the level signal to obtain a signal waveform corresponding to the level signal;
an extraction module 302 adapted to extract real-time signal features of at least one feature dimension from the signal waveforms;
the matching module 303 is adapted to match the real-time signal feature of the at least one feature dimension with a reference signal feature of a pre-recorded automobile controller connected to an automobile bus, and determine whether an event corresponding to the level signal is an intrusion event according to a matching result.
In an alternative embodiment, the apparatus further comprises:
the first determining module 304 is adapted to determine, under a preset working condition, a reference signal feature of at least one feature dimension of an automobile controller connected to an automobile bus according to a signal waveform of the automobile controller corresponding to the preset working condition; wherein the reference signal characteristic of the at least one characteristic dimension is a signal characteristic irrelevant to the message content;
a logging module 305 adapted to log a reference signal feature of the at least one feature dimension of the automotive controller.
In an alternative embodiment, the at least one feature dimension includes: a frequency characteristic dimension, an amplitude characteristic dimension, an edge transition time characteristic dimension, an edge transition waveform characteristic dimension, and/or a harmonic characteristic dimension;
the first determination module 304 is further adapted to:
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating a continuous period of each bit level according to the signal waveform, and determining a reference signal characteristic of a frequency characteristic dimension of the automobile controller according to the continuous period of each bit level; and/or,
under a preset working condition, filtering interference harmonics of dominant bits for the signal waveform of the automobile controller corresponding to the preset working condition to obtain a filtered signal waveform; calculating an amplitude average value of the filtered signal waveform, and determining the reference signal characteristic of the amplitude characteristic dimension of the automobile controller according to the amplitude average value; and/or,
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating the jump time when the edge jumps, and determining the reference signal characteristic of the edge jump time characteristic dimension of the automobile controller according to the jump time; and/or,
under a preset working condition, calculating a waveform variance corresponding to the edge jump for the signal waveform of the automobile controller under the preset working condition, and determining a reference signal characteristic of an edge jump waveform characteristic dimension of the automobile controller according to the waveform variance corresponding to the edge jump; and/or,
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating a waveform variance corresponding to the signal waveform after the level stabilization, and determining a reference signal characteristic of a harmonic characteristic dimension of the automobile controller according to the waveform variance corresponding to the signal waveform after the level stabilization.
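The five feature dimensions listed above can be computed from a sampled waveform as in the following sketch. It is an added example, not code from the patent: the 10%-90% definition of the jump time, the 5-sample moving average used as the harmonic filter, the plateau guard intervals, the sample rate and the synthetic waveform generator are all assumptions made for illustration.

```python
import math
from statistics import mean, pvariance


def synth_waveform(bits, spb, v_dom, tau, ripple):
    """Constructed test signal (not a capture): differential bus voltage for a bit
    string ('0' = dominant), first-order edges with time constant `tau` samples and
    a sinusoidal ripple of period 5 samples riding on dominant bits."""
    decay, v, out = math.exp(-1.0 / tau), 0.0, []
    for i, bit in enumerate(bits):
        target = v_dom if bit == "0" else 0.0
        for k in range(spb):
            v = target + (v - target) * decay
            n = i * spb + k
            out.append(v + (ripple * math.sin(2 * math.pi * n / 5) if bit == "0" else 0.0))
    return out


def level_runs(samples, threshold):
    """Return (is_dominant, start, end) for each run of samples on one side of threshold."""
    runs, start = [], 0
    for i in range(1, len(samples) + 1):
        if i == len(samples) or (samples[i] > threshold) != (samples[start] > threshold):
            runs.append((samples[start] > threshold, start, i))
            start = i
    return runs


def moving_average(xs, width):
    return [mean(xs[i:i + width]) for i in range(len(xs) - width + 1)]


def extract_features(samples, dt_us, nominal_bit_us):
    """Compute the five content-independent feature dimensions for one captured frame."""
    spb = round(nominal_bit_us / dt_us)
    threshold = (max(samples) + min(samples)) / 2
    interior = level_runs(samples, threshold)[1:-1]   # first/last runs are cut by the capture
    # Plateau: dominant samples after the level has stabilised and before the next edge.
    plateaus = [samples[s + spb // 2:e - spb // 4] for dom, s, e in interior if dom]
    plateaus = [p for p in plateaus if len(p) >= 5]
    if not plateaus:
        raise ValueError("no complete dominant bit in capture")

    # Frequency dimension: duration of each bit level, normalised by the bits in the run.
    n_bits = sum(max(1, round((e - s) / spb)) for _, s, e in interior)
    bit_time = sum(e - s for _, s, e in interior) * dt_us / n_bits
    # Amplitude dimension: filter the ripple on dominant bits, then average.
    amplitude = mean(mean(moving_average(p, 5)) for p in plateaus)
    # Harmonic dimension: variance of the unfiltered waveform once the level is stable.
    harmonic = mean(pvariance(p) for p in plateaus)

    # Edge dimensions: 10%-90% jump time and variance of the samples inside that window.
    jump_ns, edge_var = [], []
    for dom, s, e in interior:
        if not dom:
            continue
        lo = s
        while lo > 0 and samples[lo] > 0.1 * amplitude:
            lo -= 1
        hi = s
        while hi < e - 1 and samples[hi] < 0.9 * amplitude:
            hi += 1
        jump_ns.append((hi - lo) * dt_us * 1000.0)
        edge_var.append(pvariance(samples[lo:hi + 1]))
    return {"frequency": bit_time, "amplitude": amplitude, "edge_time": mean(jump_ns),
            "edge_waveform": mean(edge_var), "harmonic": harmonic}


# Constructed bit pattern; 40 samples per bit at 0.05 us per sample (2 us bit time).
BITS = "110100110010111"

if __name__ == "__main__":
    for name, args in (("fast-edge controller", (2.0, 2.0, 0.02)),
                       ("slow-edge controller", (2.3, 4.0, 0.03))):
        feats = extract_features(synth_waveform(BITS, 40, *args), 0.05, 2.0)
        print(name, {k: round(v, 5) for k, v in feats.items()})
```

Both synthetic controllers send the same bit pattern, so any difference in the extracted values comes from the electrical behaviour of the transmitter and not from the message content.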
In an alternative embodiment, the apparatus further comprises:
the updating module 306 is adapted to update the reference signal feature of the at least one feature dimension of the automobile controller according to the difference between the current working condition and the preset working condition when the level signal is acquired;
the logging module 305 is further adapted to: recording the reference signal characteristics of the at least one characteristic dimension of the updated automobile controller.
In an alternative embodiment, the apparatus further comprises: a second determining module 307, adapted to decode the signal waveform to obtain a packet identifier of a packet corresponding to the level signal;
judging whether the preset message identification of the automobile bus contains the message identification of the message corresponding to the level signal or not;
if the preset message identification of the automobile bus contains the message identification of the message corresponding to the level signal, determining the preset message identification of the message corresponding to the level signal contained in the preset message identification of the automobile bus as a target message identification; determining the automobile controller corresponding to the target message identifier obtained by query as a target controller;
the matching module 303 is further adapted to:
selecting reference signal features of the at least one feature dimension of a target controller from pre-recorded reference signal features of the at least one feature dimension of a plurality of automobile controllers;
matching the real-time signal features of the at least one feature dimension with reference signal features of the at least one feature dimension of the target controller.
In an alternative embodiment, the second determining module 307 is further adapted to: if the preset message identification of the automobile bus does not contain the message identification of the message corresponding to the level signal, determine that the event corresponding to the level signal is an intrusion event.
In an alternative embodiment, the at least one feature dimension is a plurality of feature dimensions;
the matching module 303 is further adapted to:
respectively aiming at each characteristic dimension, extracting real-time signal sub-features corresponding to the characteristic dimension contained in the real-time signal features, and matching the extracted real-time signal sub-features corresponding to the characteristic dimension with reference signal sub-features corresponding to the characteristic dimension contained in the reference signal features to obtain a matching value corresponding to the characteristic dimension;
and determining whether the event corresponding to the level signal is an intrusion event according to each matching value corresponding to each characteristic dimension.
In an alternative embodiment, the extraction module 302 is further adapted to:
determining interference waveform intervals of an arbitration field and a response field of a corresponding message in the signal waveform;
removing the waveform corresponding to the interference waveform interval from the signal waveform to obtain an effective signal waveform;
extracting real-time signal features of at least one feature dimension from the effective signal waveform.
In an alternative embodiment, the apparatus further comprises: the detection module 308 is adapted to detect whether the level state of the automobile bus is a dominant level state;
the acquisition module 301 is further adapted to: acquire a level signal on the automobile bus when the level state of the automobile bus is detected to be the dominant level state.
The specific structure and operation principle of each module described above may refer to the description of the corresponding step in the method embodiment, and are not described herein again.
The embodiment of the application provides a nonvolatile computer storage medium, wherein the computer storage medium stores at least one executable instruction, and the computer executable instruction can execute the intrusion detection method of the automobile bus in any method embodiment.
Fig. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 4, the computing device may include: a processor 402, a communication interface 404, a memory 406, and a communication bus 408.
Wherein:
the processor 402, communication interface 404, and memory 406 communicate with each other via a communication bus 408.
A communication interface 404 for communicating with network elements of other devices, such as clients or other servers.
The processor 402 is configured to execute the program 410, and may specifically execute relevant steps in the above-described embodiment of the intrusion detection method for the vehicle bus.
In particular, program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The computing device includes one or more processors, which may be the same type of processor, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
A memory 406 for storing a program 410. Memory 406 may comprise high-speed RAM memory, and may also include non-volatile memory, such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to perform the following operations:
acquiring a level signal on an automobile bus, and decoding the level signal to obtain a signal waveform corresponding to the level signal;
extracting real-time signal features of at least one feature dimension according to the signal waveform;
and matching the real-time signal characteristic of at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result.
In an alternative embodiment, the program 410 may be further specifically configured to cause the processor 402 to perform the following operations:
under a preset working condition, determining a reference signal characteristic of at least one characteristic dimension of an automobile controller according to a signal waveform of the automobile controller connected to an automobile bus corresponding to the preset working condition; wherein the reference signal characteristic of the at least one characteristic dimension is a signal characteristic irrelevant to the message content;
recording the reference signal characteristic of the at least one characteristic dimension of the vehicle controller.
In an alternative embodiment, the at least one feature dimension includes: a frequency characteristic dimension, an amplitude characteristic dimension, an edge transition time characteristic dimension, an edge transition waveform characteristic dimension, and/or a harmonic characteristic dimension;
the program 410 may be further specifically configured to cause the processor 402 to perform the following operations:
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating a continuous period of each bit level according to the signal waveform, and determining a reference signal characteristic of a frequency characteristic dimension of the automobile controller according to the continuous period of each bit level; and/or,
under a preset working condition, filtering interference harmonics of dominant bits for the signal waveform of the automobile controller corresponding to the preset working condition to obtain a filtered signal waveform; calculating an amplitude average value of the filtered signal waveform, and determining the reference signal characteristic of the amplitude characteristic dimension of the automobile controller according to the amplitude average value; and/or,
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating the jump time when the edge jumps, and determining the reference signal characteristic of the edge jump time characteristic dimension of the automobile controller according to the jump time; and/or,
under a preset working condition, calculating a waveform variance corresponding to the edge jump for the signal waveform of the automobile controller under the preset working condition, and determining a reference signal characteristic of an edge jump waveform characteristic dimension of the automobile controller according to the waveform variance corresponding to the edge jump; and/or,
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating a waveform variance corresponding to the signal waveform after the level stabilization, and determining a reference signal characteristic of a harmonic characteristic dimension of the automobile controller according to the waveform variance corresponding to the signal waveform after the level stabilization.
In an alternative embodiment, the program 410 may be further specifically configured to cause the processor 402 to perform the following operations:
updating the reference signal characteristic of the at least one characteristic dimension of the automobile controller according to the difference between the current working condition and the preset working condition when the level signal is acquired;
recording the reference signal characteristics of the at least one characteristic dimension of the updated automobile controller.
In an alternative embodiment, the program 410 may be further specifically configured to cause the processor 402 to perform the following operations:
decoding the signal waveform to obtain a message identifier of a message corresponding to the level signal;
judging whether the preset message identification of the automobile bus contains the message identification of the message corresponding to the level signal or not;
if the preset message identification of the automobile bus contains the message identification of the message corresponding to the level signal, determining the preset message identification of the message corresponding to the level signal contained in the preset message identification of the automobile bus as a target message identification; determining the automobile controller corresponding to the target message identifier obtained by query as a target controller;
selecting reference signal features of the at least one feature dimension of a target controller from pre-recorded reference signal features of the at least one feature dimension of a plurality of automobile controllers;
matching the real-time signal features of the at least one feature dimension with reference signal features of the at least one feature dimension of the target controller.
In an alternative embodiment, the program 410 may be further specifically configured to cause the processor 402 to perform the following operations: if the preset message identification of the automobile bus does not contain the message identification of the message corresponding to the level signal, determining that the event corresponding to the level signal is an intrusion event.
In an alternative embodiment, the at least one feature dimension is a plurality of feature dimensions;
the program 410 may be further specifically configured to cause the processor 402 to perform the following operations:
respectively aiming at each characteristic dimension, extracting real-time signal sub-features corresponding to the characteristic dimension contained in the real-time signal features, and matching the extracted real-time signal sub-features corresponding to the characteristic dimension with reference signal sub-features corresponding to the characteristic dimension contained in the reference signal features to obtain a matching value corresponding to the characteristic dimension;
and determining whether the event corresponding to the level signal is an intrusion event according to each matching value corresponding to each characteristic dimension.
In an alternative embodiment, the program 410 may be further specifically configured to cause the processor 402 to perform the following operations:
determining interference waveform intervals of an arbitration field and a response field of a corresponding message in the signal waveform;
removing the waveform corresponding to the interference waveform interval from the signal waveform to obtain an effective signal waveform;
extracting real-time signal features of at least one feature dimension from the effective signal waveform.
In an alternative embodiment, the program 410 may be further specifically configured to cause the processor 402 to perform the following operations:
detecting whether the level state of the automobile bus is a dominant level state;
and when the level state of the automobile bus is detected to be the dominant level state, acquiring a level signal on the automobile bus.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an intrusion detection device for a vehicle bus according to an embodiment of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
The invention discloses: A1. an intrusion detection method for an automobile bus comprises the following steps:
acquiring a level signal on an automobile bus, and decoding the level signal to obtain a signal waveform corresponding to the level signal;
extracting real-time signal features of at least one feature dimension according to the signal waveform;
and matching the real-time signal characteristic of at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result.
A2. The method according to A1, wherein, prior to the matching of the real-time signal features of the at least one feature dimension with pre-entered reference signal features, the method further comprises:
under a preset working condition, determining a reference signal characteristic of at least one characteristic dimension of an automobile controller according to a signal waveform of the automobile controller connected to an automobile bus corresponding to the preset working condition; wherein the reference signal characteristic of the at least one characteristic dimension is a signal characteristic irrelevant to the message content;
recording the reference signal characteristic of the at least one characteristic dimension of the vehicle controller.
A3. The method of A2, wherein the at least one feature dimension includes: a frequency characteristic dimension, an amplitude characteristic dimension, an edge transition time characteristic dimension, an edge transition waveform characteristic dimension, and/or a harmonic characteristic dimension;
under the preset working condition, determining the reference signal characteristic of at least one characteristic dimension of the automobile controller according to the signal waveform of the automobile controller connected to the automobile bus corresponding to the preset working condition further comprises the following steps:
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating a continuous period of each bit level according to the signal waveform, and determining a reference signal characteristic of a frequency characteristic dimension of the automobile controller according to the continuous period of each bit level; and/or,
under a preset working condition, filtering interference harmonics of dominant bits for the signal waveform of the automobile controller corresponding to the preset working condition to obtain a filtered signal waveform; calculating an amplitude average value of the filtered signal waveform, and determining the reference signal characteristic of the amplitude characteristic dimension of the automobile controller according to the amplitude average value; and/or,
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating the jump time when the edge jumps, and determining the reference signal characteristic of the edge jump time characteristic dimension of the automobile controller according to the jump time; and/or,
under a preset working condition, calculating a waveform variance corresponding to the edge jump for the signal waveform of the automobile controller under the preset working condition, and determining a reference signal characteristic of an edge jump waveform characteristic dimension of the automobile controller according to the waveform variance corresponding to the edge jump; and/or,
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating a waveform variance corresponding to the signal waveform after the level stabilization, and determining a reference signal characteristic of a harmonic characteristic dimension of the automobile controller according to the waveform variance corresponding to the signal waveform after the level stabilization.
A4. The method according to A2 or A3, wherein after the reference signal characteristic of at least one characteristic dimension of the automobile controller is determined according to the signal waveform of the automobile controller connected to the automobile bus corresponding to the preset working condition, the method further comprises the following steps:
updating the reference signal characteristic of the at least one characteristic dimension of the automobile controller according to the difference between the current working condition and the preset working condition when the level signal is acquired;
the recording of the reference signal characteristic of the at least one characteristic dimension of the vehicle controller further comprises: recording the reference signal characteristics of the at least one characteristic dimension of the updated automobile controller.
A5. The method according to any one of A1-A4, wherein the number of the automobile controllers is multiple, and after the signal waveform corresponding to the level signal is obtained, the method further comprises the following steps:
decoding the signal waveform to obtain a message identifier of a message corresponding to the level signal;
judging whether the preset message identifiers of the automobile bus contain the message identifier of the message corresponding to the level signal;
if the preset message identifiers of the automobile bus contain the message identifier of the message corresponding to the level signal, determining the preset message identifier that matches it as a target message identifier; determining the automobile controller obtained by querying with the target message identifier as a target controller;
the matching of the real-time signal characteristic of the at least one characteristic dimension with the reference signal characteristic of the pre-recorded automobile controller accessed to the automobile bus specifically comprises the following steps:
selecting reference signal features of the at least one feature dimension of a target controller from pre-recorded reference signal features of the at least one feature dimension of a plurality of automobile controllers;
matching the real-time signal features of the at least one feature dimension with reference signal features of the at least one feature dimension of the target controller.
A6. The method according to A5, wherein if the preset message identifiers of the automobile bus do not include the message identifier of the message corresponding to the level signal, the event corresponding to the level signal is determined to be an intrusion event.
A7. The method of any one of A1-A6, wherein the at least one feature dimension is a plurality of feature dimensions;
the step of matching the real-time signal characteristic of the at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and the step of determining whether the event corresponding to the level signal is an intrusion event according to a matching result further comprises the steps of:
for each characteristic dimension respectively, extracting the real-time signal sub-feature corresponding to that characteristic dimension from the real-time signal features, and matching it with the reference signal sub-feature corresponding to that characteristic dimension contained in the reference signal features, to obtain a matching value corresponding to the characteristic dimension;
and determining whether the event corresponding to the level signal is an intrusion event according to each matching value corresponding to each characteristic dimension.
A8. The method of any one of A1-A7, wherein the extracting real-time signal features of at least one feature dimension from the signal waveform further comprises:
determining interference waveform intervals of an arbitration field and a response field of a corresponding message in the signal waveform;
removing the waveform corresponding to the interference waveform interval from the signal waveform to obtain an effective signal waveform;
extracting real-time signal features of at least one feature dimension from the effective signal waveform.
A9. The method of any one of A1-A8, wherein, prior to the collecting level signals on the vehicle bus, the method further comprises:
detecting whether the level state of the automobile bus is a dominant level state;
the acquiring of the level signal on the automobile bus specifically comprises: when the level state of the automobile bus is detected to be the dominant level state, acquiring a level signal on the automobile bus.
The invention also discloses: B10. an intrusion detection device for an automotive bus, comprising:
the acquisition module is suitable for acquiring a level signal on an automobile bus, and decoding the level signal to obtain a signal waveform corresponding to the level signal;
the extraction module is suitable for extracting real-time signal features of at least one feature dimension according to the signal waveform;
and the matching module is suitable for matching the real-time signal characteristic of the at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result.
B11. The apparatus of B10, wherein the apparatus further comprises:
the first determining module is suitable for determining the reference signal characteristics of at least one characteristic dimension of an automobile controller connected to an automobile bus according to the signal waveform of the automobile controller corresponding to the preset working condition under the preset working condition; wherein the reference signal characteristic of the at least one characteristic dimension is a signal characteristic irrelevant to the message content;
a logging module adapted to log a reference signal feature of the at least one feature dimension of the automotive controller.
B12. The apparatus of B11, wherein the at least one feature dimension includes: a frequency characteristic dimension, an amplitude characteristic dimension, an edge transition time characteristic dimension, an edge transition waveform characteristic dimension, and/or a harmonic characteristic dimension;
the first determination module is further adapted to:
under a preset working condition, for the signal waveform of the automobile controller corresponding to the preset working condition, calculating the continuous period of each bit level from the signal waveform, and determining the reference signal characteristic of the frequency characteristic dimension of the automobile controller according to the continuous period of each bit level; and/or,
under a preset working condition, for the signal waveform of the automobile controller corresponding to the preset working condition, filtering out the interference harmonics of the dominant bits to obtain a filtered signal waveform; calculating the average amplitude of the filtered signal waveform, and determining the reference signal characteristic of the amplitude characteristic dimension of the automobile controller according to the average amplitude; and/or,
under a preset working condition, for the signal waveform of the automobile controller corresponding to the preset working condition, calculating the jump time at each edge transition, and determining the reference signal characteristic of the edge transition time characteristic dimension of the automobile controller according to the fluctuation time; and/or,
under a preset working condition, for the signal waveform of the automobile controller under the preset working condition, calculating the waveform variance corresponding to the edge transition, and determining the reference signal characteristic of the edge transition waveform characteristic dimension of the automobile controller according to the waveform variance corresponding to the edge transition; and/or,
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating a waveform variance corresponding to the signal waveform after the level stabilization, and determining a reference signal characteristic of a harmonic characteristic dimension of the automobile controller according to the waveform variance corresponding to the signal waveform after the level stabilization.
B13. The apparatus of B11 or B12, wherein the apparatus further comprises:
the updating module is suitable for updating the reference signal characteristic of the at least one characteristic dimension of the automobile controller according to the difference between the current working condition and the preset working condition when the level signal is acquired;
the logging module is further adapted to: recording the reference signal characteristics of the at least one characteristic dimension of the updated automobile controller.
B14. The apparatus of any one of B10-B13, wherein the apparatus further comprises: the second determining module is suitable for decoding the signal waveform to obtain a message identifier of a message corresponding to the level signal;
judging whether the preset message identifiers of the automobile bus contain the message identifier of the message corresponding to the level signal;
if the preset message identifiers of the automobile bus contain the message identifier of the message corresponding to the level signal, determining the preset message identifier that matches it as a target message identifier; determining the automobile controller obtained by querying with the target message identifier as a target controller;
the matching module is further adapted to:
selecting reference signal features of the at least one feature dimension of a target controller from pre-recorded reference signal features of the at least one feature dimension of a plurality of automobile controllers;
matching the real-time signal features of the at least one feature dimension with reference signal features of the at least one feature dimension of the target controller.
B15. The apparatus of B14, wherein the second determining module is further adapted to: if the preset message identifiers of the automobile bus do not contain the message identifier of the message corresponding to the level signal, determine that the event corresponding to the level signal is an intrusion event.
B16. The apparatus of any one of B10-B15, wherein the at least one feature dimension is a plurality of feature dimensions;
the matching module is further adapted to:
for each characteristic dimension respectively, extracting the real-time signal sub-feature corresponding to that characteristic dimension from the real-time signal features, and matching it with the reference signal sub-feature corresponding to that characteristic dimension contained in the reference signal features, to obtain a matching value corresponding to the characteristic dimension;
and determining whether the event corresponding to the level signal is an intrusion event according to each matching value corresponding to each characteristic dimension.
B17. The apparatus of any one of B10-B16, wherein the extraction module is further adapted to:
determining interference waveform intervals of an arbitration field and a response field of a corresponding message in the signal waveform;
removing the waveform corresponding to the interference waveform interval from the signal waveform to obtain an effective signal waveform;
extracting real-time signal features of at least one feature dimension from the effective signal waveform.
B18. The apparatus of any one of B10-B17, wherein the apparatus further comprises: a detection module adapted to detect whether the level state of the automobile bus is a dominant level state;
the acquisition module is further adapted to: when the level state of the automobile bus is detected to be the dominant level state, acquiring a level signal on the automobile bus.
The invention also discloses: C19. a computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the intrusion detection method of the automobile bus according to any one of A1-A9.
The invention also discloses: D20. a computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the intrusion detection method for a vehicle bus according to any one of A1-A9.
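The feature extraction of A3 and the identifier lookup and per-dimension matching of A5-A7, as an added Python example that is not code from the patent. Assumptions: the sample rate, the tolerances, the "any dimension out of tolerance" decision rule, the moving-average filter and the constructed waveforms, bit patterns and identifier table are all illustrative; the message identifier is taken as already decoded, and the interference-interval removal of A8 is not modelled.

```python
import math
from statistics import mean, pvariance

DT = 0.05e-6         # assumed sample period (20 MS/s capture)
NOMINAL_BIT = 2e-6   # assumed nominal bit time (500 kbit/s bus)
SETTLE = 10          # samples skipped next to an edge so the level is stable
# Assumed per-dimension tolerances on the relative deviation from the reference.
TOL = {"bit_period": 0.01, "amplitude": 0.05, "edge_time": 0.25,
       "edge_var": 0.5, "harmonic_var": 0.5}

def synth(bits, amp, rise_n, ripple, spb=40):
    """Constructed differential waveform: 0 V recessive, `amp` V dominant
    (logical 0), linear edges of `rise_n` samples, ripple on the dominant level."""
    out, level = [], 0.0
    for k, bit in enumerate(bits):
        target = amp if bit == 0 else 0.0
        for j in range(spb):
            if level < target:
                level = min(target, level + amp / rise_n)
            elif level > target:
                level = max(target, level - amp / rise_n)
            r = ripple * math.sin(1.3 * (k * spb + j)) if level == amp else 0.0
            out.append(level + r)
    return out

def extract_features(wave, dt=DT, nominal_bit=NOMINAL_BIT):
    """Content-independent features of one capture, one per dimension in A3."""
    thr = max(wave) / 2
    rising = [i for i in range(1, len(wave)) if wave[i - 1] <= thr < wave[i]]
    if len(rising) < 2:
        raise ValueError("capture needs at least two recessive-to-dominant edges")
    # Frequency dimension: mean bit duration between first and last rising edge.
    span = (rising[-1] - rising[0]) * dt
    bit_period = span / round(span / nominal_bit)
    # Indices of every dominant level once it has stabilised.
    plateau = []
    for b in rising:
        f = next((i for i in range(b, len(wave)) if wave[i] <= thr), len(wave))
        plateau += range(b + SETTLE, f - SETTLE)
    # Amplitude dimension: plateau mean after a 5-tap moving average
    # (stand-in for the interference filter, which the text does not specify).
    amplitude = mean(mean(wave[i - 2:i + 3]) for i in plateau)
    # Edge dimensions: 10 %-90 % window of each recessive-to-dominant edge.
    times, variances = [], []
    for b in rising:
        lo, hi = b, b
        while lo > 0 and wave[lo] >= 0.1 * amplitude:
            lo -= 1
        while hi < len(wave) - 1 and wave[hi] <= 0.9 * amplitude:
            hi += 1
        times.append((hi - lo) * dt)
        variances.append(pvariance(wave[lo:hi + 1]))
    return {"bit_period": bit_period, "amplitude": amplitude,
            "edge_time": mean(times), "edge_var": mean(variances),
            # Harmonic dimension: variance of the raw waveform on the plateau.
            "harmonic_var": pvariance([wave[i] for i in plateau])}

def detect(wave, msg_id, id_to_ecu, references, tol=TOL):
    """Return (is_intrusion, matching value per dimension)."""
    ecu = id_to_ecu.get(msg_id)
    if ecu is None:                      # A6: identifier not preset on this bus
        return True, {}
    rt, ref = extract_features(wave), references[ecu]
    match = {d: abs(rt[d] - ref[d]) / abs(ref[d]) for d in ref}
    return any(match[d] > tol[d] for d in match), match

# Constructed data: bit patterns are not real CAN frames (no stuffing, no CRC).
ENROL_BITS = [1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1]
LIVE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1]
ID_TO_ECU = {0x120: "engine_ecu"}        # hypothetical identifier table
REFERENCES = {"engine_ecu": extract_features(synth(ENROL_BITS, 2.0, 4, 0.02))}
GENUINE = synth(LIVE_BITS, 2.0, 4, 0.02)   # same transmitter, different content
ROGUE = synth(LIVE_BITS, 2.3, 8, 0.08)     # different transmitter, same identifier

if __name__ == "__main__":
    for name, wave, mid in [("genuine", GENUINE, 0x120), ("rogue", ROGUE, 0x120),
                            ("unknown id", GENUINE, 0x7FF)]:
        flagged, match = detect(wave, mid, ID_TO_ECU, REFERENCES)
        print(name, "intrusion" if flagged else "ok",
              {d: round(v, 3) for d, v in match.items()})
```

The genuine capture carries different bits from the enrolment capture yet stays inside every tolerance, which is the point of using features unrelated to message content; the second transmitter reuses a valid identifier and is still flagged on amplitude, edge time and plateau variance.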

Claims (10)

1. An intrusion detection method for an automobile bus comprises the following steps:
acquiring a level signal on an automobile bus, and decoding the level signal to obtain a signal waveform corresponding to the level signal;
extracting real-time signal features of at least one feature dimension according to the signal waveform;
and matching the real-time signal characteristic of at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result.
2. The method of claim 1, wherein prior to said matching real-time signal features of said at least one feature dimension with pre-entered reference signal features, the method further comprises:
under a preset working condition, determining a reference signal characteristic of at least one characteristic dimension of an automobile controller according to a signal waveform of the automobile controller connected to an automobile bus corresponding to the preset working condition; wherein the reference signal characteristic of the at least one characteristic dimension is a signal characteristic irrelevant to the message content;
recording the reference signal characteristic of the at least one characteristic dimension of the vehicle controller.
3. The method of claim 2, wherein the at least one feature dimension comprises: a frequency characteristic dimension, an amplitude characteristic dimension, an edge transition time characteristic dimension, an edge transition waveform characteristic dimension, and/or a harmonic characteristic dimension;
under the preset working condition, determining the reference signal characteristic of at least one characteristic dimension of the automobile controller according to the signal waveform of the automobile controller connected to the automobile bus corresponding to the preset working condition further comprises the following steps:
under a preset working condition, for the signal waveform of the automobile controller corresponding to the preset working condition, calculating the continuous period of each bit level from the signal waveform, and determining the reference signal characteristic of the frequency characteristic dimension of the automobile controller according to the continuous period of each bit level; and/or,
under a preset working condition, for the signal waveform of the automobile controller corresponding to the preset working condition, filtering out the interference harmonics of the dominant bits to obtain a filtered signal waveform; calculating the average amplitude of the filtered signal waveform, and determining the reference signal characteristic of the amplitude characteristic dimension of the automobile controller according to the average amplitude; and/or,
under a preset working condition, for the signal waveform of the automobile controller corresponding to the preset working condition, calculating the jump time at each edge transition, and determining the reference signal characteristic of the edge transition time characteristic dimension of the automobile controller according to the fluctuation time; and/or,
under a preset working condition, for the signal waveform of the automobile controller under the preset working condition, calculating the waveform variance corresponding to the edge transition, and determining the reference signal characteristic of the edge transition waveform characteristic dimension of the automobile controller according to the waveform variance corresponding to the edge transition; and/or,
under a preset working condition, aiming at a signal waveform of the automobile controller corresponding to the preset working condition, calculating a waveform variance corresponding to the signal waveform after the level stabilization, and determining a reference signal characteristic of a harmonic characteristic dimension of the automobile controller according to the waveform variance corresponding to the signal waveform after the level stabilization.
4. The method according to claim 2 or 3, wherein after determining the reference signal characteristic of at least one characteristic dimension of the vehicle controller according to the signal waveform of the vehicle controller connected to the vehicle bus corresponding to the preset working condition, the method further comprises:
updating the reference signal characteristic of the at least one characteristic dimension of the automobile controller according to the difference between the current working condition and the preset working condition when the level signal is acquired;
the recording of the reference signal characteristic of the at least one characteristic dimension of the vehicle controller further comprises: recording the reference signal characteristics of the at least one characteristic dimension of the updated automobile controller.
5. The method according to any one of claims 1-4, wherein the number of the automobile controllers is plural, and after the obtaining of the signal waveform corresponding to the level signal, the method further comprises:
decoding the signal waveform to obtain a message identifier of a message corresponding to the level signal;
judging whether the preset message identifiers of the automobile bus contain the message identifier of the message corresponding to the level signal;
if the preset message identifiers of the automobile bus contain the message identifier of the message corresponding to the level signal, determining the preset message identifier that matches it as a target message identifier; determining the automobile controller obtained by querying with the target message identifier as a target controller;
the matching of the real-time signal characteristic of the at least one characteristic dimension with the reference signal characteristic of the pre-recorded automobile controller accessed to the automobile bus specifically comprises the following steps:
selecting reference signal features of the at least one feature dimension of a target controller from pre-recorded reference signal features of the at least one feature dimension of a plurality of automobile controllers;
matching the real-time signal features of the at least one feature dimension with reference signal features of the at least one feature dimension of the target controller.
6. The method according to claim 5, wherein if the preset message identifier of the automobile bus does not contain the message identifier of the message corresponding to the level signal, determining that the event corresponding to the level signal is an intrusion event.
7. The method of any of claims 1-6, wherein the at least one feature dimension is a plurality of feature dimensions;
the step of matching the real-time signal characteristic of the at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and the step of determining whether the event corresponding to the level signal is an intrusion event according to a matching result further comprises the steps of:
for each characteristic dimension respectively, extracting the real-time signal sub-feature corresponding to that characteristic dimension from the real-time signal features, and matching it with the reference signal sub-feature corresponding to that characteristic dimension contained in the reference signal features, to obtain a matching value corresponding to the characteristic dimension;
and determining whether the event corresponding to the level signal is an intrusion event according to each matching value corresponding to each characteristic dimension.
8. An intrusion detection device for an automotive bus, comprising:
the acquisition module is suitable for acquiring a level signal on an automobile bus, and decoding the level signal to obtain a signal waveform corresponding to the level signal;
the extraction module is suitable for extracting real-time signal features of at least one feature dimension according to the signal waveform;
and the matching module is suitable for matching the real-time signal characteristic of the at least one characteristic dimension with a reference signal characteristic of a pre-recorded automobile controller accessed to an automobile bus, and determining whether the event corresponding to the level signal is an intrusion event or not according to a matching result.
9. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the intrusion detection method of the automobile bus according to any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method for intrusion detection on a vehicle bus according to any one of claims 1 to 7.
CN201811069397.4A 2018-09-13 2018-09-13 Intrusion detection method and device for automobile bus and computing equipment Active CN110896393B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811069397.4A CN110896393B (en) 2018-09-13 2018-09-13 Intrusion detection method and device for automobile bus and computing equipment


Publications (2)

Publication Number Publication Date
CN110896393A (en) 2020-03-20
CN110896393B (en) 2023-02-17

Family

ID=69785546


Country Status (1)

Country Link
CN (1) CN110896393B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231113

Address after: 1739, 17th Floor, 15th Floor, Building 3, No.10 Jiuxianqiao Road, Chaoyang District, Beijing, 100000

Patentee after: Anxinxing (Beijing) Technology Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.