CN111030962A - Vehicle-mounted network intrusion detection method and computer-readable storage medium - Google Patents


Info

Publication number: CN111030962A (granted as CN111030962B)
Authority: CN (China)
Application number: CN201811170994.6A
Other languages: Chinese (zh)
Inventors: 曲建云, 罗明宇, 吕伟煌
Current assignee: Xiamen Yaxon Networks Co Ltd
Original assignee: Xiamen Yaxon Networks Co Ltd
Legal status: Granted, active
Prior art keywords: identifier, frequency, message information, bus message, hamming distance

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

The invention discloses a vehicle-mounted network intrusion detection method and a computer readable storage medium, wherein the method comprises the following steps: collecting CAN bus message information of a vehicle in a preset time period; counting the frequency of each identifier in each time period according to the acquisition time sequence of the CAN bus message information and the preset time period, and calculating to obtain frequency threshold data of each identifier; calculating the Hamming distance of the adjacent CAN bus message information with the same identifier, and acquiring the Hamming distance threshold data of each identifier; determining the adjacent relation among the identifiers according to the acquisition time sequence of the CAN bus message information, and establishing an adjacent relation matrix; and detecting whether the vehicle-mounted network is invaded or not according to the frequency threshold data, the Hamming distance threshold data and the adjacency relation matrix of each identifier. The invention can detect various invasion attack types and has lower false alarm rate.

Description

Vehicle-mounted network intrusion detection method and computer-readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a vehicle-mounted network intrusion detection method and a computer-readable storage medium.
Background
With the development of vehicle intelligence and network technology, more and more vehicle operating functions are managed and controlled by electronic control units, and remote operation and control of the vehicle over a wireless network from a smartphone or other device has become widespread. This connection to the external network environment increases the security risk to the vehicle-mounted network, and a vehicle failure caused by a network intrusion is extremely dangerous to the driver and passengers.
Vehicle network security has therefore attracted much attention, and various IDS (intrusion detection system) and IPS (intrusion prevention system) technologies and corresponding solutions have been proposed. Some of these methods are too complex to implement on a vehicle terminal; others are computationally simple but have a limited detection range or a high false alarm rate.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: a vehicle network intrusion detection method and a computer readable storage medium are provided, which can detect a plurality of intrusion attack types and have a low false alarm rate.
In order to solve the technical problems, the invention adopts the technical scheme that: a vehicle network intrusion detection method comprises the following steps:
collecting CAN bus message information of a vehicle in a preset time period, wherein the CAN bus message information comprises an identifier corresponding to the type of the CAN bus message information and a data field with 8 bytes;
counting the frequency of each identifier in each time period according to the acquisition time sequence of the CAN bus message information and the preset time period, and calculating to obtain frequency threshold data of each identifier, wherein the frequency threshold data comprises a frequency maximum value, a frequency minimum value, a frequency difference maximum value and a frequency difference minimum value;
calculating the Hamming distance of adjacent CAN bus message information with the same identifier according to the acquisition time sequence of the CAN bus message information, and acquiring Hamming distance threshold data of each identifier, wherein the Hamming distance threshold data comprises a maximum Hamming distance value and a minimum Hamming distance value;
determining the adjacent relation among the identifiers according to the acquisition time sequence of the CAN bus message information, and establishing an adjacent relation matrix according to the adjacent relation;
and detecting whether the vehicle-mounted network is invaded or not according to the frequency threshold data, the Hamming distance threshold data and the adjacency relation matrix of each identifier.
The invention also relates to a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps as described above.
The invention has the following beneficial effects: a large amount of normal CAN bus message information is collected and then analyzed, calculated and statistically learned with respect to three characteristics, namely identifier frequency, message content and adjacency relation, and the resulting model of normal bus behavior is used for real-time anomaly detection of the vehicle-mounted network state. The detection complexity and memory footprint are low, so the method can easily be realized on low-end electronic equipment and is suitable for implementation in a vehicle-mounted equipment system; furthermore, the three characteristics are complementary, so various intrusion attack types can be detected with a low false alarm rate.
Drawings
Fig. 1 is a flowchart of a vehicle-mounted network intrusion detection method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of the method for detecting intrusion according to the frequency threshold data in step S5 according to the first embodiment of the present invention;
Fig. 3 is a flowchart of the method for detecting intrusion according to the Hamming distance threshold data in step S5 according to the first embodiment of the present invention;
Fig. 4 is a flowchart of the method for detecting intrusion according to the adjacency relation matrix in step S5 according to the first embodiment of the present invention.
Detailed Description
In order to explain technical contents, objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
The key concept of the invention is as follows: three characteristics of the messages, namely identifier frequency, message content and adjacency relation, are analyzed, calculated and statistically learned, and the resulting model of normal bus behavior is used for real-time anomaly detection of the vehicle-mounted network state.
Referring to fig. 1, a method for detecting vehicle network intrusion includes:
collecting CAN bus message information of a vehicle in a preset time period, wherein the CAN bus message information comprises an identifier corresponding to the type of the CAN bus message information and a data field with 8 bytes;
counting the frequency of each identifier in each time period according to the acquisition time sequence of the CAN bus message information and the preset time period, and calculating to obtain frequency threshold data of each identifier, wherein the frequency threshold data comprises a frequency maximum value, a frequency minimum value, a frequency difference maximum value and a frequency difference minimum value;
calculating the Hamming distance of adjacent CAN bus message information with the same identifier according to the acquisition time sequence of the CAN bus message information, and acquiring Hamming distance threshold data of each identifier, wherein the Hamming distance threshold data comprises a maximum Hamming distance value and a minimum Hamming distance value;
determining the adjacent relation among the identifiers according to the acquisition time sequence of the CAN bus message information, and establishing an adjacent relation matrix according to the adjacent relation;
and detecting whether the vehicle-mounted network is invaded or not according to the frequency threshold data, the Hamming distance threshold data and the adjacency relation matrix of each identifier.
From the above description, the beneficial effects of the present invention are: the detection complexity is low, the memory occupation is small, and the method can be easily realized on low-end electronic equipment; meanwhile, various intrusion attack types can be detected, and the false alarm rate is low.
Further, the counting the frequency of each identifier in each time period according to the collection time sequence of the CAN bus message information and the preset time period, and calculating the frequency threshold data of each identifier specifically includes:
sequentially extracting identifiers in the CAN bus message information according to the acquisition time sequence of the CAN bus message information to obtain an identifier sequence;
respectively counting the frequency of each identifier in the identifier sequence in each time period according to a preset time period;
acquiring the frequency maximum value and the frequency minimum value of each identifier according to the frequency of each identifier in each time period;
respectively calculating the frequency difference value of each identifier in the adjacent time period according to the frequency of each identifier in each time period;
and respectively acquiring the maximum value and the minimum value of the frequency difference of each identifier according to the frequency difference.
Further, the step of detecting whether the vehicle-mounted network is invaded according to the frequency threshold data of each identifier specifically comprises the following steps:
counting the frequency of each identifier in the current time period in real time according to the received CAN bus message information;
respectively calculating the frequency difference value of each identifier according to the frequency of each identifier in the current time period and the frequency of each identifier in the last time period;
and if the frequency of one identifier is greater than the maximum frequency of the identifier or less than the minimum frequency of the identifier, and the frequency difference value of the identifier is greater than the maximum frequency difference value of the identifier or less than the minimum frequency difference value of the identifier, judging that the vehicle-mounted network is invaded.
As can be seen from the above description, it can be used to detect flooding attacks and replay attacks.
Further, the calculating the hamming distance of the adjacent CAN bus message information with the same identifier according to the collecting time sequence of the CAN bus message information, and the obtaining of the hamming distance threshold data of each identifier specifically includes:
according to the acquisition time sequence of the CAN bus message information, performing a bitwise exclusive OR on the data fields of adjacent CAN bus message information with the same identifier, and counting the number of 1 bits in the result to obtain the Hamming distance corresponding to each identifier;
and respectively obtaining the maximum value and the minimum value of the Hamming distance corresponding to each identifier according to the Hamming distance corresponding to each identifier.
Further, the step of detecting whether the vehicle-mounted network is invaded according to the hamming distance threshold data of each identifier specifically comprises the following steps:
acquiring last CAN bus message information with the same identifier as the current CAN bus message information;
calculating to obtain the Hamming distance between the current CAN bus message information and the last CAN bus message information;
acquiring a Hamming distance maximum value and a Hamming distance minimum value corresponding to an identifier of the current CAN bus message information;
and if the Hamming distance is greater than the maximum Hamming distance or less than the minimum Hamming distance, judging that the vehicle-mounted network is invaded.
The above description shows that the method can be used to detect fuzzing attacks, and that it works particularly well on message information whose data fields vary periodically or hardly at all.
Further, the determining, according to the collection time sequence of the CAN bus message information, an adjacent relationship between the identifiers, and establishing, according to the adjacent relationship, an adjacent relationship matrix specifically includes:
establishing an N-order matrix, wherein N is the category number of the CAN bus message information;
initializing the N-order matrix to 0;
respectively associating each identifier with N index numbers in a one-to-one correspondence manner, wherein the N index numbers are 0 to N-1;
and acquiring two identifiers with adjacent relation in the identifier sequence, and setting the element value of the corresponding position in the N-order matrix as 1 according to the index numbers corresponding to the two identifiers to obtain an adjacency relation matrix.
Further, associating each identifier with one of the N index numbers 0 to N-1 in a one-to-one correspondence specifically comprises:
sorting the identifiers from high to low according to the frequency of the identifiers in the identifier sequence;
each identifier is associated with its sorted sequence number, starting with 0.
From the above description, the overall speed of searching the index number according to the identifier subsequently can be improved, thereby improving the overall efficiency of positioning the matrix position.
Further, obtaining the two identifiers having an adjacent relation in the identifier sequence and setting the element value of the corresponding position in the N-order matrix to 1 according to the index numbers corresponding to the two identifiers, to obtain the adjacency relation matrix, specifically includes:
acquiring two identifiers with adjacent relation in the identifier sequence, and respectively marking the two identifiers as a prior identifier and a subsequent identifier according to the sequence;
and setting the element value of the position of the N-order matrix with the row number as the index number corresponding to the prior identifier and the column number as the index number corresponding to the subsequent identifier as 1 to obtain an adjacency relation matrix.
Further, the step of detecting whether the vehicle-mounted network is invaded according to the adjacency relation matrix specifically comprises the following steps:
acquiring an index number corresponding to an identifier of the current CAN bus message information as a first index number;
acquiring an index number corresponding to an identifier of the last CAN bus message information adjacent to the current CAN bus message information as a second index number;
and if the element of the adjacency relation matrix whose row number is the first index number and whose column number is the second index number is 0, judging that the vehicle-mounted network is invaded.
As can be seen from the above description, it can be used to detect both malicious injection attacks and mixed injection attacks.
The invention also proposes a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps as described above.
Example one
Referring to fig. 1-4, a first embodiment of the present invention is: a method for detecting vehicle network intrusion, as shown in fig. 1, includes the following steps:
s1: the method comprises the steps that CAN bus message information of vehicles in different driving states in a preset time period is collected, wherein the CAN bus message information mainly comprises identifiers and 8-byte data fields, the identifiers are used for marking the categories of the CAN bus message information, and each category corresponds to different identifiers; the data in the data field is the payload. Preferably, the preset time period is greater than one hour.
The payload in the data field may be influenced by the driving state of the vehicle, such as the speed of the vehicle, the rotational speed of the engine, the driving direction of the vehicle, the accelerator pedal position, etc. Therefore, in order to obtain the maximum variation amount of the message content as much as possible to cover various traffic running conditions, in the present embodiment, the running states include stop (i.e., stop but engine start), normal acceleration and deceleration running, low speed, high speed, rapid acceleration and rapid deceleration.
S2: according to the collection time sequence of the CAN bus message information and a preset time period, counting the frequency of each identifier in each time period, and calculating to obtain frequency threshold data of each identifier, wherein the frequency threshold data comprises a frequency maximum value, a frequency minimum value, a frequency difference maximum value and a frequency difference minimum value.
Specifically, the identifiers in the CAN bus message information are extracted sequentially in acquisition order to obtain an identifier sequence, i.e. the identifiers are extracted in the order in which the messages were received. The frequency of each identifier in the identifier sequence is then counted for each time period according to the preset time period, and the frequency maximum and frequency minimum of each identifier are obtained from its frequency in each time period. For example, if the preset time period is divided into x time periods, x frequencies are obtained for each identifier, one per time period, and the maximum and minimum of the x frequencies of an identifier are its frequency maximum and frequency minimum.
At the same time, the frequency difference of each identifier between adjacent time periods is calculated from its frequency in each time period, and finally the maximum and minimum of the frequency difference of each identifier are obtained. For example, the absolute value of the difference between the first and second of the x frequencies of an identifier is its frequency difference between the first and second time periods; continuing in this way yields x-1 frequency differences for the identifier, whose maximum and minimum are the frequency difference maximum and frequency difference minimum of that identifier.
Furthermore, the length of the time period can be adjusted according to data from different vehicle types, choosing the value for which the collected counts fluctuate least, generally about 10 seconds. The value of the time period may be pushed to the in-vehicle terminal through the configuration function.
S3: according to the collecting time sequence of the CAN bus message information, calculating the Hamming distance of the adjacent CAN bus message information with the same identifier, and obtaining the Hamming distance threshold data of each identifier, wherein the Hamming distance threshold data comprises the maximum value of the Hamming distance and the minimum value of the Hamming distance.
The Hamming distance of two CAN bus messages is obtained by performing a bitwise XOR on their 8-byte data fields and counting the number of 1 bits in the result.
Therefore, in this step, the CAN bus message information corresponding to the same identifier can be collected in acquisition order to obtain the message sequence of that identifier; the sequence is then traversed in order, the Hamming distance between the current message and its next message is calculated and added to the Hamming distance set of the identifier, and when the traversal is finished the maximum and minimum of that set are the Hamming distance maximum and Hamming distance minimum corresponding to the identifier.
S4: and determining the adjacent relation among the identifiers according to the acquisition time sequence of the CAN bus message information, and establishing an adjacent relation matrix according to the adjacent relation.
Specifically, an N-order matrix is first established and initialized to 0, where N is the number of identifiers, i.e. the number of categories of CAN bus message information. Each identifier is then associated one-to-one with one of the N index numbers 0 to N-1; for example, assume that N is 6, the identifiers are A, B, C, D, E, F and the index numbers are 0 to 5, i.e. A to F are associated one-to-one with 0 to 5.
The two identifiers with an adjacent relation in the identifier sequence are then obtained, and the element at the corresponding position of the matrix is set to 1 according to the index numbers of the two identifiers, giving the adjacency relation matrix. In this embodiment the identifier sequence is traversed in order to obtain the current identifier and the next identifier; the position in the matrix whose row number is the index number of the current identifier and whose column number is the index number of the next identifier is located; if its element value is 0 it is set to 1, and if it is already 1 it is left unchanged. This continues until the traversal is complete, or until no new element is being set to 1 and the adjacency relation matrix model is essentially stable, at which point the adjacency relation matrix is obtained.
For example, if a message with identifier A is received and the next message received has identifier B, and the index number of A is i and that of B is j, the element at row i, column j of the matrix is set to 1.
Further, in the underlying implementation the index number corresponding to an identifier is found by traversing the index numbers from 0. Therefore, when associating identifiers with index numbers, the identifiers are preferably sorted from high to low frequency in the identifier sequence and each identifier is associated with its sorted sequence number, starting from 0. For example, if the identifiers sorted from high to low frequency are B, C, D, A, E, F, then B is associated with 0, C with 1, and so on. Associating high-frequency identifiers with low index numbers improves the overall efficiency of looking up the index number for an identifier.
S5: and detecting whether the vehicle-mounted network is invaded or not according to the frequency threshold data, the Hamming distance threshold data and the adjacency relation matrix of each identifier. When CAN bus message information is received, the frequency detection of the identifier is carried out in real time according to frequency threshold data, the content detection of the message is carried out in real time according to Hamming distance threshold data, and the adjacent relation detection is carried out in real time according to an adjacent relation matrix; the three detections can be processed in parallel, and any one of the detections does not pass, namely the network intrusion is considered to exist.
Specifically, as shown in fig. 2, the method for detecting whether intrusion occurs in the vehicular network according to the frequency threshold data of each identifier includes the following steps:
s101: and counting the frequency of each identifier in the current time period in real time according to the received CAN bus message information.
S102: and respectively calculating the frequency difference value of each identifier according to the frequency of each identifier in the current time period and the frequency of each identifier in the last time period.
S103: and judging whether the frequency of an identifier exceeds the frequency threshold range of the identifier and the frequency difference value exceeds the frequency difference value threshold range of the identifier, if so, executing the step S104, and if not, executing the step S105. Judging whether the frequency of an identifier exceeds a frequency threshold range, namely judging whether the frequency of the identifier is greater than the maximum frequency of the identifier or less than the minimum frequency of the identifier; and judging whether the frequency difference value of one identifier exceeds the frequency difference value threshold range, namely judging whether the frequency difference value of one identifier is larger than the maximum value of the frequency difference value of one identifier or smaller than the minimum value of the frequency difference value of one identifier.
S104: and (5) judging that the network is abnormal, namely judging that the vehicle-mounted network is invaded. The vehicle-mounted network is stable and closed, and due to the closing property of the vehicle-mounted network, the initial design has no perfect consideration in the aspect of safety, and the vehicle-mounted network is abnormal only when being invaded by the network.
S105: and (4) judging that the network is normal, namely judging that the vehicle-mounted network is not invaded.
For example, assume that the frequency maximum value of identifier a is 1113, the frequency minimum value is 1000, the frequency difference maximum value is 13, and the frequency difference minimum value is 0. In the real-time detection process, the frequency of the identifier A in the current time period is 1025, the frequency of the previous time period is 1010, and since the frequency 1025 in the current time period is greater than the maximum frequency 1113 and the frequency difference 1025 and 1010 is greater than the maximum frequency difference 13, the intrusion of the vehicle-mounted network at the moment is considered to occur.
The method has good effect on detecting the flooding attack and the replay attack.
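The frequency model of steps S2 and S101-S105, as an added example that is not part of the patent: training bins a capture into fixed periods and learns the four per-identifier thresholds, and the real-time check applies the conjunctive rule of S103 exactly as stated. The capture, the identifiers 0x100/0x200 and the treatment of an identifier never seen in training are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

PERIOD_S = 10.0  # length of one counting period; the page suggests about 10 seconds

# A capture record is (timestamp in seconds, CAN identifier). Only the identifier
# matters for this detector, so the 8-byte data field is omitted here.
Record = Tuple[float, int]


def build_training_capture(periods: int = 6) -> List[Record]:
    """Constructed normal traffic (not real vehicle data): identifier 0x100 is sent
    roughly every 10 ms with a little drift in the count per period, identifier
    0x200 exactly every 100 ms."""
    drift = [0, 5, 5, 10, 3, 8]  # extra 0x100 frames in each successive period
    records: List[Record] = []
    for p in range(periods):
        n_fast = 1000 + drift[p % len(drift)]
        records += [(p * PERIOD_S + k * PERIOD_S / n_fast, 0x100) for k in range(n_fast)]
        records += [(p * PERIOD_S + k * 0.1, 0x200) for k in range(100)]
    return records


def count_per_period(records: Iterable[Record], period: float = PERIOD_S) -> Dict[int, List[int]]:
    """Step S2, first half: walk the capture in acquisition order, split it into
    consecutive fixed-length periods and count each identifier per period."""
    ordered = sorted(records)
    if not ordered:
        return {}
    t0 = ordered[0][0]
    n_periods = int((ordered[-1][0] - t0) // period) + 1
    counts: Dict[int, List[int]] = defaultdict(lambda: [0] * n_periods)
    for ts, can_id in ordered:
        counts[can_id][int((ts - t0) // period)] += 1
    return dict(counts)


def learn_frequency_thresholds(records: Iterable[Record],
                               period: float = PERIOD_S) -> Dict[int, Tuple[int, int, int, int]]:
    """Step S2, second half: per identifier return
    (frequency max, frequency min, frequency difference max, frequency difference min),
    the difference being the absolute change between adjacent periods."""
    model: Dict[int, Tuple[int, int, int, int]] = {}
    for can_id, freqs in count_per_period(records, period).items():
        diffs = [abs(a - b) for a, b in zip(freqs, freqs[1:])] or [0]  # one period: no difference
        model[can_id] = (max(freqs), min(freqs), max(diffs), min(diffs))
    return model


def frequency_alarm(model: Dict[int, Tuple[int, int, int, int]],
                    can_id: int, current_freq: int, last_freq: int) -> bool:
    """Steps S101-S105: alarm only when the current-period frequency is outside the
    learned range AND the change since the last period is outside its range."""
    if can_id not in model:
        return True  # identifier never seen during training (assumption: treat as anomalous)
    f_max, f_min, d_max, d_min = model[can_id]
    freq_out = current_freq > f_max or current_freq < f_min
    diff = abs(current_freq - last_freq)
    diff_out = diff > d_max or diff < d_min
    return freq_out and diff_out
```

Under the conjunctive rule of S103, a current-period count that stays inside the learned range does not raise an alarm however large the jump from the previous period; only the flooding case, where the count itself leaves the range, is caught.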
As shown in fig. 3, the method for detecting whether the vehicle-mounted network is invaded according to the hamming distance threshold data of each identifier includes the following steps:
s201: and acquiring the last CAN bus message information with the same identifier as the current CAN bus message information.
S202: calculating to obtain the Hamming distance between the current CAN bus message information and the last CAN bus message information; namely, the data fields of 8 bytes in the two CAN bus message messages are subjected to exclusive OR calculation according to bits, and then the number of 1 in the calculation result is counted.
S203: and acquiring the maximum value and the minimum value of the Hamming distance corresponding to the identifier of the current CAN bus message information.
S204: and judging whether the Hamming distance is larger than the maximum Hamming distance or smaller than the minimum Hamming distance, if so, executing the step S205, and if not, executing the step S206.
S205: and (5) judging that the network is abnormal, namely judging that the vehicle-mounted network is invaded.
S206: and (4) judging that the network is normal, namely judging that the vehicle-mounted network is not invaded.
For example, assuming that the maximum hamming distance of the identifier a is 2 and the minimum hamming distance is 0, if the normal change is changed from (1d 000000 ff ff ff ff ff ff ff) to (1c 000000 ff ff ff ff ff ff ff ff ff ff), if the identifier of the CAN bus message information received at a certain time is a, the data field is (10015000 ff ff ff ff ff ff), the data field of the CAN bus message information with the last identifier being a is (1d 000000 ff ff ff ff ff ff ff ff), and the hamming distance is 6 and is greater than the maximum hamming distance 2, it is considered that the vehicle-mounted network has been invaded at that time.
The method has a good effect on detecting the fuzzy attack, and particularly, certain data domains have message information which changes periodically or hardly.
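The content model of steps S3 and S201-S206, as an added example that is not part of the patent: the trainer keeps the last data field per identifier to compute neighbour distances, and the detector replays the page's worked bytes (1d.. to 1c.. is normal, 1d.. to 10 01 50 00.. has distance 6). The identifiers 0x0A1/0x0B2, the training frames and the handling of an identifier absent from the model are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Frame = Tuple[int, bytes]  # (identifier, 8-byte data field)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Step S202: XOR the two 8-byte data fields bit by bit and count the 1 bits."""
    if len(a) != 8 or len(b) != 8:
        raise ValueError("CAN data field must be exactly 8 bytes")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def learn_hamming_thresholds(frames: Iterable[Frame]) -> Dict[int, Tuple[int, int]]:
    """Step S3: walk the capture in acquisition order, compare each frame with the
    previous frame carrying the same identifier and keep (max, min) per identifier."""
    last_seen: Dict[int, bytes] = {}
    distances: Dict[int, List[int]] = defaultdict(list)
    for can_id, data in frames:
        if can_id in last_seen:
            distances[can_id].append(hamming_distance(last_seen[can_id], data))
        last_seen[can_id] = data
    return {cid: (max(d), min(d)) for cid, d in distances.items()}


class HammingDetector:
    """Steps S201-S206 run frame by frame; remembers the last data field per identifier."""

    def __init__(self, thresholds: Dict[int, Tuple[int, int]]):
        self.thresholds = thresholds
        self.last_seen: Dict[int, bytes] = {}

    def check(self, can_id: int, data: bytes) -> bool:
        """Return True when the frame is judged anomalous (S205), False when normal (S206)."""
        if can_id not in self.thresholds:
            return True  # identifier absent from the learned model (assumption: anomalous)
        prev: Optional[bytes] = self.last_seen.get(can_id)
        self.last_seen[can_id] = data
        if prev is None:
            return False  # first frame of this identifier since start-up: nothing to compare yet
        d_max, d_min = self.thresholds[can_id]
        d = hamming_distance(prev, data)
        return d > d_max or d < d_min


def replay(thresholds: Dict[int, Tuple[int, int]], frames: Iterable[Frame]) -> List[bool]:
    """Run one detector over a frame sequence and return one verdict per frame."""
    det = HammingDetector(thresholds)
    return [det.check(cid, data) for cid, data in frames]


ID_A, ID_B = 0x0A1, 0x0B2  # hypothetical identifiers; ID_A stands in for the page's "A"

# Constructed normal capture (not real vehicle data): A's first byte moves between a few
# close values, which yields distances 0, 1, 2, 1; B's data field never changes.
TRAINING_FRAMES: List[Frame] = [
    (ID_A, bytes.fromhex("1d000000ffffffff")),
    (ID_B, bytes.fromhex("0000000000000000")),
    (ID_A, bytes.fromhex("1d000000ffffffff")),  # distance 0
    (ID_A, bytes.fromhex("1c000000ffffffff")),  # distance 1
    (ID_B, bytes.fromhex("0000000000000000")),
    (ID_A, bytes.fromhex("1f000000ffffffff")),  # distance 2
    (ID_A, bytes.fromhex("1d000000ffffffff")),  # distance 1
]
```

For an identifier whose payload never changed during training the learned range collapses to (0, 0), so any single flipped bit is flagged; that is the "almost no variation" case the page calls out.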
As shown in fig. 4, the method for detecting whether the vehicle-mounted network is invaded according to the adjacency relation matrix includes the following steps:
S301: acquiring the index number corresponding to the identifier of the current CAN bus message information as the first index number;
S302: acquiring the index number corresponding to the identifier of the last CAN bus message information adjacent to the current CAN bus message information as the second index number;
S303: judging whether the element of the adjacency relation matrix at the row given by the first index number and the column given by the second index number is 0; if so, executing step S304, and if not, executing step S305.
S304: judging that the network is abnormal, namely that the vehicle-mounted network has been invaded.
S305: judging that the network is normal, namely that the vehicle-mounted network has not been invaded.
The method checks in real time whether the adjacency relation of the CAN bus message information exists in the adjacency relation matrix; if it does, the network is considered normal, otherwise the network is considered abnormal.
This method is effective at detecting malicious injection attacks and mixed injection attacks.
The embodiment provides an effective vehicle-mounted network intrusion detection method based on the characteristics of the CAN bus messages of the vehicle-mounted network. From the perspective of the time-sequence change and correlation of the data, three kinds of characteristic information of the CAN bus messages are extracted: sequence, frequency and content change. Corresponding calculation, analysis, statistics and learning are carried out on these characteristics to obtain an effective message period transformation rule, a Hamming distance change rule for adjacent message contents with the same identifier, and an adjacency relation matrix; a normal behavior model of the vehicle CAN bus network is established from these rules; the model is then applied to detect anomalies in the state of the vehicle-mounted network in real time, and when the three kinds of characteristics deviate from the normal behavior model, network intrusion behavior is considered to have occurred. The method has a simple detection process on the terminal, low computational complexity, low resource consumption, an extremely low false alarm rate and three complementary characteristics; it can effectively detect various network intrusion behaviors in real time and is suitable for implementation in a vehicle-mounted equipment system.
Example two
This embodiment is a computer-readable storage medium corresponding to the above embodiment, on which a computer program is stored which, when executed by a processor, performs the following steps:
collecting CAN bus message information of a vehicle in a preset time period, wherein the CAN bus message information comprises an identifier corresponding to the type of the CAN bus message information and a data field with 8 bytes;
counting the frequency of each identifier in each time period according to the acquisition time sequence of the CAN bus message information and the preset time period, and calculating to obtain frequency threshold data of each identifier, wherein the frequency threshold data comprises a frequency maximum value, a frequency minimum value, a frequency difference maximum value and a frequency difference minimum value;
calculating the Hamming distance of adjacent CAN bus message information with the same identifier according to the acquisition time sequence of the CAN bus message information, and acquiring Hamming distance threshold data of each identifier, wherein the Hamming distance threshold data comprises a maximum Hamming distance value and a minimum Hamming distance value;
determining the adjacent relation among the identifiers according to the acquisition time sequence of the CAN bus message information, and establishing an adjacent relation matrix according to the adjacent relation;
and detecting whether the vehicle-mounted network is invaded or not according to the frequency threshold data, the Hamming distance threshold data and the adjacency relation matrix of each identifier.
Further, counting the frequency of each identifier in each time period according to the acquisition time sequence of the CAN bus message information and the preset time period, and calculating the frequency threshold data of each identifier, specifically includes:
sequentially extracting identifiers in the CAN bus message information according to the acquisition time sequence of the CAN bus message information to obtain an identifier sequence;
respectively counting the frequency of each identifier in the identifier sequence in each time period according to a preset time period;
acquiring the frequency maximum value and the frequency minimum value of each identifier according to the frequency of each identifier in each time period;
respectively calculating the frequency difference value of each identifier in the adjacent time period according to the frequency of each identifier in each time period;
and respectively acquiring the maximum value and the minimum value of the frequency difference of each identifier according to the frequency difference.
Further, the step of detecting whether the vehicle-mounted network is invaded according to the frequency threshold data of each identifier specifically comprises the following steps:
counting the frequency of each identifier in the current time period in real time according to the received CAN bus message information;
respectively calculating the frequency difference value of each identifier according to the frequency of each identifier in the current time period and the frequency of each identifier in the last time period;
and if the frequency of one identifier is greater than the maximum frequency of the identifier or less than the minimum frequency of the identifier, and the frequency difference value of the identifier is greater than the maximum frequency difference value of the identifier or less than the minimum frequency difference value of the identifier, judging that the vehicle-mounted network is invaded.
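As an added illustration of the frequency threshold training and of the detection rule just stated (editor's example code, not the patent's): frames are grouped into periods in acquisition order, the per-identifier frequency and adjacent-period difference extremes are learned, and a period is judged according to the conjunction the description gives, so a frequency that is out of range while its difference stays in range is not flagged. The 1 s period and the per-period counts are constructed sample values, and ignoring identifiers that never appeared in training is an assumption the description does not make.

```python
from collections import Counter
from typing import Dict, List, Mapping, Sequence, Set, Tuple

PERIOD_S = 1.0  # assumed preset time period of 1 s; the description fixes no value


def count_per_period(frames: Sequence[Tuple[float, int]], period: float = PERIOD_S) -> List[Counter]:
    """Group timestamped frames (seconds, identifier) into consecutive periods in
    acquisition order and return one Counter of identifier frequencies per period."""
    n_periods = int(frames[-1][0] // period) + 1
    counts = [Counter() for _ in range(n_periods)]
    for ts, ident in frames:
        counts[int(ts // period)][ident] += 1
    return counts


# Constructed per-period counts from a 5 s training capture:
# identifier 0x100 at roughly 10 Hz, identifier 0x200 at roughly 5 Hz.
TRAINING_COUNTS = [
    {0x100: 10, 0x200: 5},
    {0x100: 10, 0x200: 5},
    {0x100: 9, 0x200: 5},
    {0x100: 11, 0x200: 6},
    {0x100: 10, 0x200: 5},
]


def learn_frequency_thresholds(counts: Sequence[Mapping[int, int]]) -> Dict[int, Dict[str, Tuple[int, int]]]:
    """Frequency threshold data per identifier: (min, max) frequency over all periods
    and (min, max) difference between adjacent periods."""
    thresholds: Dict[int, Dict[str, Tuple[int, int]]] = {}
    for ident in set().union(*counts):
        freqs = [c.get(ident, 0) for c in counts]
        diffs = [b - a for a, b in zip(freqs, freqs[1:])]
        thresholds[ident] = {
            "freq": (min(freqs), max(freqs)),
            "diff": (min(diffs), max(diffs)),
        }
    return thresholds


def detect_frequency(thresholds: Mapping[int, Mapping[str, Tuple[int, int]]],
                     prev_counts: Mapping[int, int], cur_counts: Mapping[int, int]) -> Set[int]:
    """Identifiers judged as intrusion in the current period: frequency outside its
    [min, max] AND frequency difference versus the last period outside its [min, max].
    Identifiers absent from the thresholds were never seen in training and are
    ignored here (an assumption; the description does not address them)."""
    flagged: Set[int] = set()
    for ident, th in thresholds.items():
        f = cur_counts.get(ident, 0)
        diff = f - prev_counts.get(ident, 0)
        lo_f, hi_f = th["freq"]
        lo_d, hi_d = th["diff"]
        if (f < lo_f or f > hi_f) and (diff < lo_d or diff > hi_d):
            flagged.add(ident)
    return flagged


if __name__ == "__main__":
    th = learn_frequency_thresholds(TRAINING_COUNTS)
    prev = {0x100: 10, 0x200: 5}
    print(th)
    print(detect_frequency(th, prev, {0x100: 40, 0x200: 5}))   # flood of 0x100
    print(detect_frequency(th, prev, {0x100: 12, 0x200: 5}))   # out of range, small difference
```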
Further, calculating the Hamming distance of adjacent CAN bus message information with the same identifier according to the acquisition time sequence of the CAN bus message information, and obtaining the Hamming distance threshold data of each identifier, specifically includes:
performing, according to the acquisition time sequence of the CAN bus message information, a bitwise exclusive OR on the data fields of adjacent CAN bus message information with the same identifier, and counting the number of 1 bits in the result to obtain the Hamming distance corresponding to each identifier;
and respectively obtaining the maximum value and the minimum value of the Hamming distance corresponding to each identifier according to the Hamming distance corresponding to each identifier.
Further, the step of detecting whether the vehicle-mounted network is invaded according to the hamming distance threshold data of each identifier specifically comprises the following steps:
acquiring last CAN bus message information with the same identifier as the current CAN bus message information;
calculating to obtain the Hamming distance between the current CAN bus message information and the last CAN bus message information;
acquiring a Hamming distance maximum value and a Hamming distance minimum value corresponding to an identifier of the current CAN bus message information;
and if the Hamming distance is greater than the maximum Hamming distance or less than the minimum Hamming distance, judging that the vehicle-mounted network is invaded.
Further, determining the adjacent relation among the identifiers according to the acquisition time sequence of the CAN bus message information, and establishing the adjacency relation matrix according to the adjacent relation, specifically includes:
establishing an N-order matrix, wherein N is the category number of the CAN bus message information;
initializing the N-order matrix to 0;
associating each identifier with one of N index numbers in a one-to-one correspondence, wherein the N index numbers are 0 to N-1;
and acquiring two identifiers with adjacent relation in the identifier sequence, and setting the element value of the corresponding position in the N-order matrix as 1 according to the index numbers corresponding to the two identifiers to obtain an adjacency relation matrix.
Further, associating each identifier with one of the N index numbers 0 to N-1 in a one-to-one correspondence specifically includes:
sorting the identifiers from high to low according to the frequency of the identifiers in the identifier sequence;
each identifier is associated with its sorted sequence number, starting with 0.
Further, acquiring two identifiers with an adjacent relation in the identifier sequence, and setting the element value at the corresponding position of the N-order matrix to 1 according to the index numbers corresponding to the two identifiers to obtain the adjacency relation matrix, specifically includes:
acquiring two identifiers with adjacent relation in the identifier sequence, and respectively marking the two identifiers as a prior identifier and a subsequent identifier according to the sequence;
and setting the element value of the position of the N-order matrix with the row number as the index number corresponding to the prior identifier and the column number as the index number corresponding to the subsequent identifier as 1 to obtain an adjacency relation matrix.
Further, the step of detecting whether the vehicle-mounted network is invaded according to the adjacency relation matrix specifically comprises the following steps:
acquiring an index number corresponding to an identifier of the current CAN bus message information as a first index number;
acquiring an index number corresponding to an identifier of the last CAN bus message information adjacent to the current CAN bus message information as a second index number;
and if the element of the adjacency relation matrix at the row given by the first index number and the column given by the second index number is 0, judging that the vehicle-mounted network is invaded.
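The following added example (editor's code, not the patent's) covers both the construction of the adjacency relation matrix described above (index numbers assigned by descending identifier frequency, element at row "prior" and column "subsequent" set to 1) and the detection steps S301 to S305 given earlier for the adjacency relation matrix. The training identifier sequence is constructed; breaking ties between identifiers of equal frequency by identifier value, and reporting a transition involving an identifier absent from training as "unknown", are assumptions. One caveat a practitioner should note: the construction step puts the prior identifier on the row and the subsequent identifier on the column, while the detection step reads the row from the current (subsequent) message and the column from the last (prior) message; the two agree only when the matrix is symmetric, so the example looks the matrix up in the construction orientation.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Constructed training identifier sequence in acquisition order:
# a repeating schedule in which 0x100 alternates with 0x200, 0x300 and 0x400.
TRAINING_SEQUENCE = [0x100, 0x200, 0x100, 0x300, 0x100, 0x200, 0x100, 0x400] * 3


def index_numbers(sequence: Sequence[int]) -> Dict[int, int]:
    """Associate each identifier with an index number 0..N-1, sorted by frequency
    from high to low; ties are broken by identifier value (an assumption)."""
    freq = Counter(sequence)
    ordered = sorted(freq, key=lambda ident: (-freq[ident], ident))
    return {ident: k for k, ident in enumerate(ordered)}


def build_adjacency_matrix(sequence: Sequence[int], index: Dict[int, int]) -> List[List[int]]:
    """N-order matrix initialised to 0; for every adjacent pair in the sequence the
    element at row index(prior), column index(subsequent) is set to 1."""
    n = len(index)
    matrix = [[0] * n for _ in range(n)]
    for prior, subsequent in zip(sequence, sequence[1:]):
        matrix[index[prior]][index[subsequent]] = 1
    return matrix


def detect_adjacency(matrix: List[List[int]], index: Dict[int, int],
                     last_ident: int, current_ident: int) -> str:
    """Steps S301 to S305: 'intrusion' if the transition last -> current was never
    observed in training, 'normal' otherwise. Looked up as [prior][subsequent], the
    orientation used when the matrix was built."""
    if last_ident not in index or current_ident not in index:
        # Identifier never seen in training: not covered by the description
        # (assumption: report separately rather than silently accept or alarm).
        return "unknown"
    return "normal" if matrix[index[last_ident]][index[current_ident]] == 1 else "intrusion"


class AdjacencyDetector:
    """Real-time wrapper that remembers the last identifier seen on the bus."""

    def __init__(self, matrix: List[List[int]], index: Dict[int, int]):
        self.matrix, self.index, self.last = matrix, index, None

    def check(self, ident: int) -> str:
        verdict = "unknown" if self.last is None else detect_adjacency(self.matrix, self.index, self.last, ident)
        self.last = ident
        return verdict


if __name__ == "__main__":
    idx = index_numbers(TRAINING_SEQUENCE)
    m = build_adjacency_matrix(TRAINING_SEQUENCE, idx)
    print(idx)
    for row in m:
        print(row)
    det = AdjacencyDetector(m, idx)
    for ident in (0x100, 0x400, 0x100, 0x100, 0x200, 0x300):
        print(hex(ident), det.check(ident))
```

With this sequence the matrix has 1s only in the first row and first column, so a message that repeats the previous identifier (0x100 followed by 0x100) or skips the expected return to 0x100 (0x200 followed by 0x300) is judged as an intrusion.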
In summary, from the perspective of the time-sequence change and correlation of the data, the vehicle-mounted network intrusion detection method and the computer-readable storage medium provided by the invention extract three kinds of characteristic information of the CAN bus messages, namely sequence, frequency and content change; carry out corresponding calculation, analysis, statistics and learning on these characteristics to obtain an effective message period transformation rule, a Hamming distance change rule for adjacent message contents with the same identifier, and an adjacency relation matrix; establish a normal behavior model of the vehicle CAN bus network from these rules; then apply the model to detect anomalies in the state of the vehicle-mounted network in real time, and consider that network intrusion behavior has occurred when the three characteristics deviate from the normal behavior model. The method has a simple detection process on the terminal, low computational complexity, low resource consumption, an extremely low false alarm rate and three complementary characteristics; it can effectively detect various network intrusion behaviors in real time and is suitable for implementation in a vehicle-mounted equipment system.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all equivalent changes made by using the contents of the present specification and the drawings, or applied directly or indirectly to the related technical fields, are included in the scope of the present invention.

Claims (10)

1. A vehicle network intrusion detection method is characterized by comprising the following steps:
collecting CAN bus message information of a vehicle in a preset time period, wherein the CAN bus message information comprises an identifier corresponding to the type of the CAN bus message information and a data field with 8 bytes;
counting the frequency of each identifier in each time period according to the acquisition time sequence of the CAN bus message information and the preset time period, and calculating to obtain frequency threshold data of each identifier, wherein the frequency threshold data comprises a frequency maximum value, a frequency minimum value, a frequency difference maximum value and a frequency difference minimum value;
calculating the Hamming distance of adjacent CAN bus message information with the same identifier according to the acquisition time sequence of the CAN bus message information, and acquiring Hamming distance threshold data of each identifier, wherein the Hamming distance threshold data comprises a maximum Hamming distance value and a minimum Hamming distance value;
determining the adjacent relation among the identifiers according to the acquisition time sequence of the CAN bus message information, and establishing an adjacent relation matrix according to the adjacent relation;
and detecting whether the vehicle-mounted network is invaded or not according to the frequency threshold data, the Hamming distance threshold data and the adjacency relation matrix of each identifier.
2. The intrusion detection method for the vehicle-mounted network according to claim 1, wherein the step of counting the frequency of each identifier in each time period according to the collection time sequence and the preset time period of the message information of the CAN bus, and the step of calculating the frequency threshold data of each identifier specifically comprises the steps of:
sequentially extracting identifiers in the CAN bus message information according to the acquisition time sequence of the CAN bus message information to obtain an identifier sequence;
respectively counting the frequency of each identifier in the identifier sequence in each time period according to a preset time period;
acquiring the frequency maximum value and the frequency minimum value of each identifier according to the frequency of each identifier in each time period;
respectively calculating the frequency difference value of each identifier in the adjacent time period according to the frequency of each identifier in each time period;
and respectively acquiring the maximum value and the minimum value of the frequency difference of each identifier according to the frequency difference.
3. The intrusion detection method for the vehicle-mounted network according to claim 1 or 2, wherein the step of detecting whether the vehicle-mounted network is intruded according to the frequency threshold data of each identifier specifically comprises the steps of:
counting the frequency of each identifier in the current time period in real time according to the received CAN bus message information;
respectively calculating the frequency difference value of each identifier according to the frequency of each identifier in the current time period and the frequency of each identifier in the last time period;
and if the frequency of one identifier is greater than the maximum frequency of the identifier or less than the minimum frequency of the identifier, and the frequency difference value of the identifier is greater than the maximum frequency difference value of the identifier or less than the minimum frequency difference value of the identifier, judging that the vehicle-mounted network is invaded.
4. The method according to claim 1, wherein the step of calculating the Hamming distance of adjacent CAN bus message information with the same identifier according to the acquisition time sequence of the CAN bus message information and obtaining the Hamming distance threshold data of each identifier specifically comprises:
performing, according to the acquisition time sequence of the CAN bus message information, a bitwise exclusive OR on the data fields of adjacent CAN bus message information with the same identifier, and counting the number of 1 bits in the result to obtain the Hamming distance corresponding to each identifier;
and respectively obtaining the maximum value and the minimum value of the Hamming distance corresponding to each identifier according to the Hamming distance corresponding to each identifier.
5. The intrusion detection method for the vehicle-mounted network according to claim 1 or 4, wherein the step of detecting whether the vehicle-mounted network is intruded according to the hamming distance threshold data of each identifier specifically comprises the following steps:
acquiring last CAN bus message information with the same identifier as the current CAN bus message information;
calculating to obtain the Hamming distance between the current CAN bus message information and the last CAN bus message information;
acquiring a Hamming distance maximum value and a Hamming distance minimum value corresponding to an identifier of the current CAN bus message information;
and if the Hamming distance is greater than the maximum Hamming distance or less than the minimum Hamming distance, judging that the vehicle-mounted network is invaded.
6. The method according to claim 1, wherein the adjacent relationship between the identifiers is determined according to the collection time sequence of the CAN bus message information, and the establishing of the adjacent relationship matrix according to the adjacent relationship specifically comprises:
establishing an N-order matrix, wherein N is the category number of the CAN bus message information;
initializing the N-order matrix to 0;
associating each identifier with one of N index numbers in a one-to-one correspondence, wherein the N index numbers are 0 to N-1;
and acquiring two identifiers with adjacent relation in the identifier sequence, and setting the element value of the corresponding position in the N-order matrix as 1 according to the index numbers corresponding to the two identifiers to obtain an adjacency relation matrix.
7. The method according to claim 6, wherein associating each identifier with one of the N index numbers 0 to N-1 in a one-to-one correspondence specifically comprises:
sorting the identifiers from high to low according to the frequency of the identifiers in the identifier sequence;
each identifier is associated with its sorted sequence number, starting with 0.
8. The method according to claim 6, wherein acquiring two identifiers having an adjacent relation in the identifier sequence and setting the element value at the corresponding position of the N-order matrix to 1 according to the index numbers corresponding to the two identifiers to obtain the adjacency relation matrix specifically comprises:
acquiring two identifiers with adjacent relation in the identifier sequence, and respectively marking the two identifiers as a prior identifier and a subsequent identifier according to the sequence;
and setting the element value of the position of the N-order matrix with the row number as the index number corresponding to the prior identifier and the column number as the index number corresponding to the subsequent identifier as 1 to obtain an adjacency relation matrix.
9. The intrusion detection method for the vehicle-mounted network according to claim 6, wherein the step of detecting whether the vehicle-mounted network is intruded according to the adjacency matrix specifically comprises the steps of:
acquiring an index number corresponding to an identifier of the current CAN bus message information as a first index number;
acquiring an index number corresponding to an identifier of the last CAN bus message information adjacent to the current CAN bus message information as a second index number;
and if the element of the adjacency relation matrix at the row given by the first index number and the column given by the second index number is 0, judging that the vehicle-mounted network is invaded.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of any of claims 1-9.
CN201811170994.6A 2018-10-09 2018-10-09 Vehicle-mounted network intrusion detection method and computer-readable storage medium Active CN111030962B (en)


Publications (2)

Publication Number Publication Date
CN111030962A true CN111030962A (en) 2020-04-17
CN111030962B CN111030962B (en) 2023-03-24

Family

ID=70190282

Country Status (1)

Country Link
CN (1) CN111030962B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131247A (en) * 2019-12-24 2020-05-08 国家计算机网络与信息安全管理中心 Vehicle-mounted internal network intrusion detection system
CN111757329A (en) * 2020-06-23 2020-10-09 国汽(北京)智能网联汽车研究院有限公司 Safe driving prompting method and device and computer equipment
CN111885060A (en) * 2020-07-23 2020-11-03 上海交通大学 Internet of vehicles-oriented nondestructive information security vulnerability detection system and method
CN112286969A (en) * 2020-10-29 2021-01-29 广州汽车集团股份有限公司 Low-frequency data continuity determination method and device
CN112532495A (en) * 2020-11-16 2021-03-19 中国汽车技术研究中心有限公司 Vehicle-mounted CAN bus delay optimization method
CN112866270A (en) * 2021-01-29 2021-05-28 中汽创智科技有限公司 Intrusion detection defense method and system
CN113301020A (en) * 2021-04-23 2021-08-24 暨南大学 Vehicle bus attack detection method based on RGB image coding
CN113589793A (en) * 2021-07-30 2021-11-02 中汽院(重庆)汽车检测有限公司 Automobile bus network design safety detection method
CN113625681A (en) * 2021-07-19 2021-11-09 湖南大学 CAN bus abnormality detection method, system and storage medium
CN113627215A (en) * 2020-05-07 2021-11-09 厦门雅迅网络股份有限公司 ECU identification method based on CAN signal characteristics and storage medium
CN114157492A (en) * 2021-12-02 2022-03-08 北京天融信网络安全技术有限公司 CAN bus intrusion detection method and device
CN114172686A (en) * 2021-10-27 2022-03-11 北京邮电大学 Vehicle-mounted CAN bus message intrusion detection method and related equipment
CN115277051A (en) * 2022-06-01 2022-11-01 北京邮电大学 Method and device for detecting attack of controller area network bus
WO2023078243A1 (en) * 2021-11-02 2023-05-11 中汽创智科技有限公司 Intrusion detection method and system for can bus of in-vehicle network
CN116915589A (en) * 2023-09-12 2023-10-20 延锋伟世通电子科技(南京)有限公司 Vehicle-mounted CAN bus network message anomaly detection method
CN113627215B (en) * 2020-05-07 2024-04-23 厦门雅迅网络股份有限公司 ECU (electronic control unit) identification method based on CAN (controller area network) signal characteristics and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012168798A2 (en) * 2011-06-08 2012-12-13 Taylor-Muetzelfeldt Emma Systems and methods for pattern and anomaly pattern analysis
CN104956626A (en) * 2013-01-28 2015-09-30 日立汽车系统株式会社 Network device and data sending and receiving system
US20150350241A1 (en) * 2014-06-02 2015-12-03 Infineon Technologies Ag Data frame for protected data transmissions
CN106411956A (en) * 2016-12-02 2017-02-15 北京奇虎科技有限公司 Method and device for analyzing automobile bus safety
US20170126711A1 (en) * 2015-10-30 2017-05-04 Hyundai Motor Company In-vehicle network attack detection method and apparatus
CN107454107A (en) * 2017-09-15 2017-12-08 中国计量大学 A kind of controller LAN automobile bus alarm gateway for detecting injection attack

Also Published As

Publication number Publication date
CN111030962B (en) 2023-03-24

Similar Documents

Publication Publication Date Title
CN111030962B (en) Vehicle-mounted network intrusion detection method and computer-readable storage medium
CN110149345B (en) Vehicle-mounted network intrusion detection method based on message sequence prediction
Hanselmann et al. CANet: An unsupervised intrusion detection system for high dimensional CAN bus data
Avatefipour et al. An intelligent secured framework for cyberattack detection in electric vehicles’ CAN bus using machine learning
Martinelli et al. Car hacking identification through fuzzy logic algorithms
CN110505134B (en) Internet of vehicles CAN bus data detection method and device
Kuwahara et al. Supervised and unsupervised intrusion detection based on CAN message frequencies for in-vehicle network
CN108390869B (en) Vehicle-mounted intelligent gateway device integrating deep learning and command sequence detection method thereof
CN111885060B (en) Internet of vehicles-oriented nondestructive information security vulnerability detection system and method
CN112671701B (en) Vehicle-mounted terminal intrusion detection method based on vehicle-mounted network abnormal behavior feature driving
CN111131247B (en) Vehicle-mounted internal network intrusion detection system
Kwak et al. Cosine similarity based anomaly detection methodology for the CAN bus
CN110996300A (en) Vehicle-mounted terminal information safety risk control method based on traffic scene safety
CN114157469B (en) Vehicle-mounted network variant attack intrusion detection method based on domain antagonism neural network
CN114900331A (en) Vehicle-mounted CAN bus intrusion detection method based on CAN message characteristics
Kang et al. A transfer learning based abnormal can bus message detection system
CN113938295B (en) Method and system for detecting abnormal transmission behavior of internet automobile communication data, electronic equipment and readable medium
CN105516164A (en) P2P botnet detection method based on fractal and self-adaptation fusion
Li et al. GAN model using field fuzz mutation for in-vehicle CAN bus intrusion detection
Qiu et al. Research on vehicle network intrusion detection technology based on dynamic data set
CN112084185B (en) Damaged electronic control unit positioning method of vehicle-mounted edge equipment based on associated learning
CN116938586A (en) CAN network intrusion detection method and device based on data domain
CN112751822B (en) Communication apparatus, operation method, abnormality determination apparatus, abnormality determination method, and storage medium
CN113055341A (en) CAN abnormal intrusion detection method and computer readable storage medium
CN117201107A (en) Cloud vehicle linkage intrusion detection method and system based on multidimensional features

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant