CN111338318B - Method and apparatus for detecting anomalies - Google Patents


Info

Publication number
CN111338318B
Authority
CN
China
Prior art keywords
detected
message
dimensional space
points
distribution model
Legal status
Active
Application number
CN202010135811.8A
Other languages
Chinese (zh)
Other versions
CN111338318A (en
Inventor
郭青龙
Current Assignee
Apollo Zhilian Beijing Technology Co Ltd
Original Assignee
Apollo Zhilian Beijing Technology Co Ltd
Application filed by Apollo Zhilian Beijing Technology Co Ltd
Priority to CN202010135811.8A
Priority to CN202111293053.3A (CN114019940A)
Priority to CN202111310191.8A (CN114035544A)
Publication of CN111338318A
Application granted
Publication of CN111338318B

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0208 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the configuration of the monitoring system
    • G05B23/0213 Modular or universal configuration of the monitoring system, e.g. monitoring system having modules that may be combined to build monitoring program; monitoring system that can be applied to legacy systems; adaptable monitoring system; using different communication protocols
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24065 Real time diagnostics

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Small-Scale Networks (AREA)

Abstract

The embodiments of the application disclose a method and an apparatus for detecting anomalies. One embodiment of the method comprises: acquiring a to-be-detected controller area network (CAN) message of a to-be-detected vehicle-mounted network; converting the to-be-detected CAN message into a to-be-detected point in an N-dimensional space; inputting the to-be-detected point into a pre-trained CAN message distribution model of the to-be-detected vehicle-mounted network to obtain the distribution of the to-be-detected point; and generating an anomaly detection result for the to-be-detected CAN message based on the distribution of the to-be-detected point. In this embodiment, the CAN message is converted into a point in the N-dimensional space and anomaly detection is performed on the CAN message based on the distribution of that point, so that the accuracy of anomaly detection is improved and the occurrence of vehicle intrusion events is prevented.

Description

Method and apparatus for detecting anomalies
Technical Field
The embodiments of the application relate to the technical field of computers, and in particular to a method and an apparatus for detecting anomalies.
Background
CAN (Controller Area Network) message boundary detection is a technique for detecting abnormal CAN messages that are transmitted in a vehicle-mounted network and do not conform to the DBC document of the current vehicle model. In the current wave of the Internet, technologies such as the Internet of Vehicles and autonomous driving have appeared in succession and brought great value. At the same time, the ever-increasing number of incidents in which "hackers" attack vehicles through network technology has made people aware of the security risks. The vehicle-mounted network is the last line of defense for vehicle information security, so its information security is particularly important.
At present, CAN message boundary detection is generally implemented by one of the following two schemes. The first uses deep learning prediction. This scheme applies deep learning techniques such as DNNs (Deep Neural Networks) to train a model on collected CAN messages, uses a certain number of the most recent historical CAN messages to predict the next CAN message, and then compares the predicted CAN message with the CAN message actually received to determine whether the difference is within an acceptable error range, and thus whether the current CAN message is abnormal. However, this scheme depends on the timing of the CAN messages, and many CAN messages in a vehicle-mounted network are triggered manually and have no regularity, so the detection accuracy is low. The second uses hard-coded judgment. This scheme takes the CAN message format specified by the DBC document and uses a programming language to check logically whether a message conforms to that format, thereby identifying abnormal CAN messages. However, this scheme can identify abnormal CAN messages with high reliability only when the CAN message format is known; in most cases the specific format of the CAN message is unavailable and the scheme cannot be applied, so its scope of application is limited.
Disclosure of Invention
The embodiments of the application provide a method and an apparatus for detecting anomalies.
In a first aspect, an embodiment of the present application provides a method for detecting an anomaly, including: acquiring a to-be-detected controller area network (CAN) message of a to-be-detected vehicle-mounted network; converting the to-be-detected CAN message into a to-be-detected point in an N-dimensional space; inputting the to-be-detected point into a pre-trained CAN message distribution model of the to-be-detected vehicle-mounted network to obtain the distribution of the to-be-detected point; and generating an anomaly detection result for the to-be-detected CAN message based on the distribution of the to-be-detected point.
In some embodiments, converting the to-be-detected CAN message into a to-be-detected point in an N-dimensional space includes: performing data dimension division and normalization processing on the to-be-detected CAN message to generate the to-be-detected point in the N-dimensional space.
In some embodiments, performing data dimension division and normalization processing on the to-be-detected CAN message to generate the to-be-detected point in the N-dimensional space includes: dividing the to-be-detected CAN message into N parts, where the to-be-detected CAN message is an M-bit binary number and each of the N parts includes at least one binary digit; and converting each of the N parts into a decimal number to generate the N-dimensional coordinate point corresponding to the to-be-detected CAN message.
In some embodiments, the CAN message distribution model is trained by: acquiring a training sample set, wherein training samples in the training sample set comprise normal CAN messages of a vehicle-mounted network to be detected; converting the training sample set into a point set on an N-dimensional space; and training a range distribution expression of the point set based on the point set to serve as a CAN message distribution model.
In some embodiments, training a range distribution expression of the point set based on the point set as a CAN message distribution model includes: determining a closed geometric figure containing the point set on the N-dimensional space, and using the closed geometric figure as a CAN message distribution model.
In some embodiments, determining a closed geometric figure containing the point set in the N-dimensional space and using the closed geometric figure as the CAN message distribution model includes: learning an expression of the geometric boundary of the point set in the N-dimensional space, and using the expression of the geometric boundary as the CAN message distribution model.
In a second aspect, an embodiment of the present application provides an apparatus for detecting an anomaly, including: an acquisition unit configured to acquire a to-be-detected controller area network (CAN) message of a to-be-detected vehicle-mounted network; a conversion unit configured to convert the to-be-detected CAN message into a to-be-detected point in an N-dimensional space; an input unit configured to input the to-be-detected point into a pre-trained CAN message distribution model of the to-be-detected vehicle-mounted network to obtain the distribution of the to-be-detected point; and a generating unit configured to generate an anomaly detection result for the to-be-detected CAN message based on the distribution of the to-be-detected point.
In some embodiments, the conversion unit includes: a generating subunit configured to perform data dimension division and normalization processing on the to-be-detected CAN message to generate the to-be-detected point in the N-dimensional space.
In some embodiments, the generating subunit includes: a dividing module configured to divide the to-be-detected CAN message into N parts, where the to-be-detected CAN message is an M-bit binary number and each of the N parts includes at least one binary digit; and a generating module configured to convert each of the N parts into a decimal number and generate the N-dimensional coordinate point corresponding to the to-be-detected CAN message.
In some embodiments, the CAN message distribution model is trained by: acquiring a training sample set, wherein training samples in the training sample set comprise normal CAN messages of a vehicle-mounted network to be detected; converting the training sample set into a point set on an N-dimensional space; and training a range distribution expression of the point set based on the point set to serve as a CAN message distribution model.
In some embodiments, training a range distribution expression of the point set based on the point set as a CAN message distribution model includes: determining a closed geometric figure containing the point set on the N-dimensional space, and using the closed geometric figure as a CAN message distribution model.
In some embodiments, determining a closed geometric figure containing the point set in the N-dimensional space and using the closed geometric figure as the CAN message distribution model includes: learning an expression of the geometric boundary of the point set in the N-dimensional space, and using the expression of the geometric boundary as the CAN message distribution model.
In a third aspect, an embodiment of the present application provides an electronic device, including: one or more processors; a storage device having one or more programs stored thereon; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the method as described in any implementation of the first aspect.
In a fourth aspect, the present application provides a computer-readable medium, on which a computer program is stored, which, when executed by a processor, implements the method as described in any implementation manner of the first aspect.
The method and apparatus for detecting anomalies provided by the embodiments of the application first acquire a to-be-detected controller area network (CAN) message of a to-be-detected vehicle-mounted network; then convert the to-be-detected CAN message into a to-be-detected point in an N-dimensional space; then input the to-be-detected point into a pre-trained CAN message distribution model of the to-be-detected vehicle-mounted network to obtain the distribution of the to-be-detected point; and finally generate an anomaly detection result for the to-be-detected CAN message based on the distribution of the to-be-detected point. The CAN message is converted into a point in the N-dimensional space, and anomaly detection is performed on the CAN message based on the distribution of that point. In addition, the method can be applied to anomaly detection for CAN messages in any format, so its scope of application is wide.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is an exemplary system architecture to which the present application may be applied;
FIG. 2 is a flow diagram of one embodiment of a method for detecting anomalies according to the present application;
FIG. 3 is a flow diagram of yet another embodiment of a method for detecting anomalies according to the present application;
FIG. 4 is a flow diagram of one embodiment of a CAN message distribution model training method according to the present application;
FIG. 5 is a plot of the point set range distribution of CAN messages over a two-dimensional space;
FIG. 6 is a schematic block diagram of one embodiment of an apparatus for detecting anomalies in accordance with the present application;
FIG. 7 is a block diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 illustrates an exemplary system architecture 100 to which embodiments of the present method for detecting anomalies or apparatus for detecting anomalies may be applied.
As shown in fig. 1, a vehicle 101, a network 102, and a server 103 may be included in the system architecture 100. Network 102 is the medium used to provide a communication link between vehicle 101 and server 103. Network 102 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
Vehicle 101 may be a vehicle in a vehicle networking or an autonomous vehicle.
The server 103 may be a server that provides various services, such as a background server of the vehicle 101. The background server of the vehicle 101 may analyze and otherwise process data acquired from the vehicle 101, such as the to-be-detected CAN message, and generate a processing result (e.g., an anomaly detection result for the to-be-detected CAN message).
The server 103 may be hardware or software. When the server 103 is hardware, it may be implemented as a distributed server cluster composed of a plurality of servers, or as a single server. When the server 103 is software, it may be implemented as multiple pieces of software or software modules (e.g., to provide distributed services), or as a single piece of software or software module. No particular limitation is imposed here.
It should be noted that the method for detecting an abnormality provided in the embodiment of the present application is generally performed by the server 103, and accordingly, the apparatus for detecting an abnormality is generally disposed in the server 103.
It should be understood that the number of vehicles, networks, and servers in FIG. 1 is merely illustrative. There may be any number of vehicles, networks, and servers, as desired for implementation.
With continued reference to FIG. 2, a flow 200 of one embodiment of a method for detecting anomalies in accordance with the present application is shown. The method for detecting an abnormality includes the steps of:
Step 201, acquiring a to-be-detected controller area network (CAN) message of a to-be-detected vehicle-mounted network.
In the present embodiment, an execution body of the method for detecting an anomaly (for example, the server 103 shown in fig. 1) may acquire a to-be-detected CAN message of a to-be-detected vehicle-mounted network. The to-be-detected vehicle-mounted network may be the vehicle-mounted network of a vehicle of any model. CAN messages are messages transmitted over the CAN bus, and include normal CAN messages and abnormal CAN messages. A normal CAN message may be a message that enables normal driving of the vehicle, including but not limited to data from the various sensors on the vehicle, the various command messages that control driving of the vehicle, and the like. An abnormal CAN message may be a message that causes abnormal driving of the vehicle, such as a message associated with an intrusion into the vehicle. The to-be-detected CAN message may be any message transmitted over the CAN bus.
Step 202, converting the CAN message to be detected into a point to be detected in an N-dimensional space.
In this embodiment, the execution body may convert the to-be-detected CAN message into a to-be-detected point in the N-dimensional space. In general, in the to-be-detected vehicle-mounted network, one CAN message can be converted into exactly one point in the N-dimensional space. The CAN messages of the to-be-detected vehicle-mounted network correspond to a closed range in the N-dimensional space: normal CAN messages are distributed inside the closed range, and abnormal CAN messages are distributed outside it.
Step 203, inputting the to-be-detected point into a pre-trained CAN message distribution model of the to-be-detected vehicle-mounted network to obtain the distribution of the to-be-detected point.
In this embodiment, the execution body may input the to-be-detected point into the CAN message distribution model of the to-be-detected vehicle-mounted network to obtain the distribution of the to-be-detected point. The CAN message distribution model can be used to determine the distribution of the to-be-detected point. Generally, the CAN message distribution model can determine whether the to-be-detected point lies within the closed range corresponding to the CAN messages of the to-be-detected vehicle-mounted network.
Step 204, generating an anomaly detection result for the to-be-detected CAN message based on the distribution of the to-be-detected point.
In this embodiment, the execution agent may generate an abnormality detection result of the to-be-detected CAN message based on a distribution situation of the to-be-detected points. Generally, if the points to be detected are distributed in the closed range corresponding to the CAN message of the vehicle-mounted network to be detected, the corresponding CAN message to be detected is a normal CAN message. And if the points to be detected are distributed outside the closed range corresponding to the CAN message of the vehicle-mounted network to be detected, the corresponding CAN message to be detected is an abnormal CAN message.
The method for detecting anomalies provided by the embodiments of the application first acquires a to-be-detected controller area network (CAN) message of a to-be-detected vehicle-mounted network; then converts the to-be-detected CAN message into a to-be-detected point in an N-dimensional space; then inputs the to-be-detected point into a pre-trained CAN message distribution model of the to-be-detected vehicle-mounted network to obtain the distribution of the to-be-detected point; and finally generates an anomaly detection result for the to-be-detected CAN message based on the distribution of the to-be-detected point. The CAN message is converted into a point in the N-dimensional space, and anomaly detection is performed on the CAN message based on the distribution of that point. In addition, the method can be applied to anomaly detection for CAN messages in any format, so its scope of application is wide.
With further reference to FIG. 3, a flow 300 of yet another embodiment of a method for detecting anomalies in accordance with the present application is illustrated. The method for detecting an abnormality includes the steps of:
Step 301, acquiring a to-be-detected controller area network (CAN) message of the to-be-detected vehicle-mounted network.
Step 302, performing data dimension division and normalization processing on the to-be-detected CAN message to generate the to-be-detected point in the N-dimensional space.
In this embodiment, an execution body of the method for detecting an anomaly (for example, the server 103 shown in fig. 1) may perform data dimension division and normalization processing on the to-be-detected CAN message to generate the to-be-detected point in the N-dimensional space. Generally, the to-be-detected CAN message is an M-bit binary number (for example, a 64-bit binary number), and its specific representation is constrained by the DBC document corresponding to the vehicle model. The execution body may divide the to-be-detected CAN message into N parts, where N is not greater than M and each of the N parts includes at least one binary digit. The execution body can then convert each of the N parts into a decimal number to generate the N-dimensional coordinate point corresponding to the to-be-detected CAN message.
For ease of understanding, taking a two-dimensional space as an example, the execution body may divide the 64-bit binary number of a to-be-detected CAN message into a first 32-bit part and a second 32-bit part. The execution body may then convert the first 32-bit part into a decimal number as the abscissa of the to-be-detected point in the two-dimensional space and, similarly, convert the second 32-bit part into a decimal number as the ordinate of the to-be-detected point in the two-dimensional space. The to-be-detected CAN message is thereby converted into a to-be-detected point in the two-dimensional space.
Step 303, inputting the to-be-detected point into a pre-trained CAN message distribution model of the to-be-detected vehicle-mounted network to obtain the distribution of the to-be-detected point.
Step 304, generating an anomaly detection result for the to-be-detected CAN message based on the distribution of the to-be-detected point.
In the present embodiment, the specific operations of steps 301, 302, and 304 have been described in detail in steps 201, 202, and 204 in the embodiment shown in fig. 2, and are not described herein again.
As can be seen from fig. 3, compared with the embodiment corresponding to fig. 2, the flow 300 of the method for detecting an anomaly in the present embodiment highlights the step of converting a CAN message into a point in the N-dimensional space. The scheme described in this embodiment therefore achieves rapid conversion of a CAN message into a point in the N-dimensional space through data dimension division and normalization processing.
With further reference to fig. 4, a flow 400 of one embodiment of a CAN message distribution model training method according to the present application is shown. The CAN message distribution model training method comprises the following steps:
Step 401, acquiring a training sample set.
In this embodiment, an execution body of the CAN message distribution model training method (e.g., the server 103 shown in fig. 1) may acquire a training sample set. A training sample in the training sample set may include a normal CAN message of the to-be-detected vehicle-mounted network. The execution body can collect a large number of normal CAN messages of the to-be-detected vehicle-mounted network to generate the training sample set.
Step 402, converting the training sample set into a point set in the N-dimensional space.
In this embodiment, the execution body may convert the training sample set into a point set in the N-dimensional space, where each training sample is converted into a unique point in the N-dimensional space.
It should be understood that, the method for converting the training samples into the points on the N-dimensional space may refer to the method for converting the to-be-detected CAN messages into the to-be-detected points on the N-dimensional space, and details are not repeated here.
Step 403, training a range distribution expression of the point set based on the point set to serve as the CAN message distribution model.
In this embodiment, the execution body may train a range distribution expression of the point set, based on the point set in the N-dimensional space, as the CAN message distribution model. In general, a regular or irregular closed range can always be found in the N-dimensional space such that the point set lies within the closed range. The execution body may learn an expression of the boundary of the closed range, that is, the range distribution expression of the point set in the N-dimensional space.
For ease of understanding, taking a two-dimensional space as an example, fig. 5 shows the point set range distribution of CAN messages in the two-dimensional space. The gray parts represent the range in which the points of normal CAN messages lie in the N-dimensional space. The white part represents the range in which the points of abnormal CAN messages lie in the N-dimensional space.
In some optional implementations of this embodiment, the execution subject may determine a closed geometric figure containing the point set on the N-dimensional space, and use the closed geometric figure as a CAN message distribution model. Specifically, the execution agent may learn an expression of a geometric boundary of the point set in an N-dimensional space, and use the expression of the geometric boundary as a CAN message distribution model.
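The conversion of step 302 and the training of steps 401 to 403 can be sketched as follows. This is an added Python example, not code from the patent: it generalizes the two-dimensional 32/32 split to any list of part widths, and it assumes an axis-aligned box as the closed geometric figure because the patent does not name one; `to_point`, `BoxModel`, `frame` and the sample frames are constructed for illustration.

```python
"""Added illustration of flows 300 and 400; not code from the patent."""
from typing import Iterable, List, Sequence, Tuple

Point = Tuple[int, ...]


def to_point(payload: bytes, widths: Sequence[int]) -> Point:
    """Split an M-bit payload into len(widths) parts, most significant bits
    first, and return each part's integer value as one coordinate."""
    total_bits = len(payload) * 8
    if not widths or any(w < 1 for w in widths) or sum(widths) != total_bits:
        raise ValueError("each part needs >= 1 bit and parts must cover M bits")
    value = int.from_bytes(payload, "big")
    coords: List[int] = []
    remaining = total_bits
    for w in widths:
        remaining -= w
        coords.append((value >> remaining) & ((1 << w) - 1))
    return tuple(coords)


class BoxModel:
    """Distribution model: the smallest axis-aligned box that contains every
    training point (an assumed choice of closed geometric figure)."""

    def __init__(self, widths: Sequence[int]) -> None:
        self.widths = tuple(widths)
        self.low: Point = ()
        self.high: Point = ()

    def fit(self, normal_payloads: Iterable[bytes]) -> "BoxModel":
        points = [to_point(p, self.widths) for p in normal_payloads]
        if not points:
            raise ValueError("training set is empty")
        # zip(*points) yields one tuple of values per dimension.
        self.low = tuple(min(axis) for axis in zip(*points))
        self.high = tuple(max(axis) for axis in zip(*points))
        return self

    def contains(self, point: Point) -> bool:
        return all(lo <= c <= hi
                   for lo, c, hi in zip(self.low, point, self.high))

    def detect(self, payload: bytes) -> str:
        if not self.low:
            raise RuntimeError("model has not been trained")
        try:
            point = to_point(payload, self.widths)
        except ValueError:
            # A payload whose length does not match the trained layout
            # cannot be mapped into the space at all: treat it as abnormal.
            return "abnormal"
        return "normal" if self.contains(point) else "abnormal"


def frame(speed: int, flag: int) -> bytes:
    """Constructed 64-bit payload: a 32-bit field followed by a 32-bit field."""
    return speed.to_bytes(4, "big") + flag.to_bytes(4, "big")


# Constructed "normal" traffic: first field 0..1000 in steps of 50, second 0..3.
TRAINING = [frame(s, f) for s in range(0, 1001, 50) for f in range(4)]

if __name__ == "__main__":
    two_d = BoxModel([32, 32]).fit(TRAINING)    # the split used in the text
    eight_d = BoxModel([8] * 8).fit(TRAINING)   # one dimension per byte
    samples = {
        "seen range": frame(500, 1),
        "field far out of range": frame(0xFFFFFFFF, 1),
        "between extremes": frame(767, 2),
        "short payload": b"\x00" * 7,
    }
    for name, payload in samples.items():
        print(f"{name:24} 2-D: {two_d.detect(payload):8} "
              f"8-D: {eight_d.detect(payload)}")
```

The 2-D box accepts every value between the observed extremes, so `frame(767, 2)` passes there, while the 8-part split bounds each byte separately and rejects it. How tight the learned boundary is depends on both the choice of N and the choice of closed figure.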
With further reference to fig. 6, as an implementation of the methods shown in the above-mentioned figures, the present application provides an embodiment of an apparatus for detecting an anomaly, which corresponds to the method embodiment shown in fig. 2, and which is particularly applicable in various electronic devices.
As shown in fig. 6, the apparatus 600 for detecting an abnormality of the present embodiment may include: an acquisition unit 601, a conversion unit 602, an input unit 603, and a generation unit 604. The acquiring unit 601 is configured to acquire a Controller Area Network (CAN) message to be detected of a vehicle-mounted network to be detected; a conversion unit 602 configured to convert the to-be-detected CAN message into a to-be-detected point on an N-dimensional space; the input unit 603 is configured to input the points to be detected into a pre-trained CAN message distribution model of the vehicle-mounted network to be detected, so as to obtain the distribution condition of the points to be detected; the generating unit 604 is configured to generate an anomaly detection result of the to-be-detected CAN message based on the distribution of the to-be-detected points.
In the present embodiment, for the detailed processing and technical effects of the acquisition unit 601, the conversion unit 602, the input unit 603 and the generating unit 604 in the apparatus 600 for detecting an anomaly, reference may be made to the related descriptions of step 201 and step 204 in the embodiment corresponding to fig. 2, which are not repeated here.
In some optional implementations of this embodiment, the conversion unit 602 includes: a generating subunit (not shown in the figure) configured to perform data dimension division and normalization processing on the to-be-detected CAN message to generate the to-be-detected point in the N-dimensional space.
In some optional implementations of this embodiment, the generating subunit includes: a dividing module (not shown in the figure) configured to divide the to-be-detected CAN message into N parts, where the to-be-detected CAN message is an M-bit binary number and each of the N parts includes at least one binary digit; and a generating module (not shown in the figure) configured to convert each of the N parts into a decimal number and generate the N-dimensional coordinate point corresponding to the to-be-detected CAN message.
In some optional implementations of this embodiment, the CAN message distribution model is trained by: acquiring a training sample set, wherein training samples in the training sample set comprise normal CAN messages of a vehicle-mounted network to be detected; converting the training sample set into a point set on an N-dimensional space; and training a range distribution expression of the point set based on the point set to serve as a CAN message distribution model.
In some optional implementation manners of this embodiment, training a range distribution expression of a point set based on the point set, as a CAN message distribution model, includes: determining a closed geometric figure containing the point set on the N-dimensional space, and using the closed geometric figure as a CAN message distribution model.
In some optional implementations of this embodiment, determining a closed geometric figure containing the point set in the N-dimensional space and using the closed geometric figure as the CAN message distribution model includes: learning an expression of the geometric boundary of the point set in the N-dimensional space, and using the expression of the geometric boundary as the CAN message distribution model.
Referring now to FIG. 7, a block diagram of a computer system 700 suitable for use in implementing an electronic device (e.g., server 103 shown in FIG. 1) of an embodiment of the present application is shown. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU) 701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input section 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is installed into the storage section 708 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the Central Processing Unit (CPU) 701, performs the above-described functions defined in the method of the present application.
It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or electronic device. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software or hardware. The described units may also be provided in a processor, which may be described as: a processor including an acquisition unit, a conversion unit, an input unit, and a generation unit. The names of these units do not in this case limit the units themselves; for example, the acquisition unit can also be described as a "unit that acquires a Controller Area Network (CAN) message to be detected of a vehicle-mounted network to be detected".
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments, or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquire a Controller Area Network (CAN) message to be detected of a vehicle-mounted network to be detected; convert the CAN message to be detected into a point to be detected in an N-dimensional space; input the point to be detected into a pre-trained CAN message distribution model of the vehicle-mounted network to be detected to obtain the distribution condition of the point to be detected; and generate an anomaly detection result for the CAN message to be detected based on the distribution condition of the point to be detected.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention herein disclosed is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the invention. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (10)

1. A method for detecting anomalies, comprising:
acquiring a Controller Area Network (CAN) message to be detected of a vehicle-mounted network to be detected;
converting the CAN message to be detected into a point to be detected in an N-dimensional space;
inputting the point to be detected into a pre-trained CAN message distribution model of the vehicle-mounted network to be detected to obtain the distribution condition of the point to be detected;
generating an anomaly detection result for the CAN message to be detected based on the distribution condition of the point to be detected;
wherein converting the CAN message to be detected into a point to be detected in an N-dimensional space comprises:
dividing the CAN message to be detected into N parts, wherein the CAN message to be detected is an M-bit binary number, and each part of the N parts comprises at least one bit of binary number;
and converting each part in the N parts into a decimal number to generate an N-dimensional coordinate point corresponding to the CAN message to be detected.
2. The method of claim 1 wherein the CAN message distribution model is trained by:
acquiring a training sample set, wherein training samples in the training sample set comprise normal CAN messages of the vehicle-mounted network to be detected;
converting the training sample set into a point set on the N-dimensional space;
and training a range distribution expression of the point set based on the point set to serve as the CAN message distribution model.
3. The method according to claim 2, wherein training out a range distribution expression of the point set based on the point set as the CAN message distribution model comprises:
determining a closed geometry comprising the set of points over the N-dimensional space, and using the closed geometry as the CAN message distribution model.
4. The method of claim 3, wherein the determining a closed geometry containing the set of points over the N-dimensional space and using the closed geometry as the CAN message distribution model comprises:
and learning the expression of the geometric boundary of the point set on the N-dimensional space, and taking the expression of the geometric boundary as the CAN message distribution model.
5. An apparatus for detecting anomalies, comprising:
an acquisition unit configured to acquire a Controller Area Network (CAN) message to be detected of a vehicle-mounted network to be detected;
a conversion unit configured to convert the CAN message to be detected into a point to be detected in an N-dimensional space;
an input unit configured to input the point to be detected into a pre-trained CAN message distribution model of the vehicle-mounted network to be detected, so as to obtain the distribution condition of the point to be detected;
a generating unit configured to generate an anomaly detection result for the CAN message to be detected based on the distribution condition of the point to be detected;
wherein the conversion unit comprises:
a dividing module configured to divide the CAN message to be detected into N parts, wherein the CAN message to be detected is an M-bit binary number, and each part of the N parts comprises at least one bit of binary number;
and a generating module configured to convert each part of the N parts into a decimal number and generate an N-dimensional coordinate point corresponding to the CAN message to be detected.
6. The apparatus of claim 5, wherein the CAN message distribution model is trained by:
acquiring a training sample set, wherein training samples in the training sample set comprise normal CAN messages of the vehicle-mounted network to be detected;
converting the training sample set into a point set on the N-dimensional space;
and training a range distribution expression of the point set based on the point set to serve as the CAN message distribution model.
7. The apparatus of claim 6, wherein the training of the range distribution expression of the point set based on the point set as the CAN message distribution model comprises:
determining a closed geometry comprising the set of points over the N-dimensional space, and using the closed geometry as the CAN message distribution model.
8. The apparatus of claim 7, wherein the determining a closed geometry containing the set of points over the N-dimensional space and using the closed geometry as the CAN message distribution model comprises:
and learning the expression of the geometric boundary of the point set on the N-dimensional space, and taking the expression of the geometric boundary as the CAN message distribution model.
9. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-4.
10. A computer-readable medium, on which a computer program is stored, wherein the computer program, when being executed by a processor, carries out the method according to any one of claims 1-4.
CN202010135811.8A 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies Active CN111338318B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202010135811.8A CN111338318B (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies
CN202111293053.3A CN114019940A (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies
CN202111310191.8A CN114035544A (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010135811.8A CN111338318B (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies

Related Child Applications (2)

Application Number Title Priority Date Filing Date
CN202111310191.8A Division CN114035544A (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies
CN202111293053.3A Division CN114019940A (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies

Publications (2)

Publication Number Publication Date
CN111338318A CN111338318A (en) 2020-06-26
CN111338318B true CN111338318B (en) 2021-12-14

Family

ID=71184097

Family Applications (3)

Application Number Title Priority Date Filing Date
CN202111293053.3A Pending CN114019940A (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies
CN202010135811.8A Active CN111338318B (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies
CN202111310191.8A Pending CN114035544A (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202111293053.3A Pending CN114019940A (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202111310191.8A Pending CN114035544A (en) 2020-03-02 2020-03-02 Method and apparatus for detecting anomalies

Country Status (1)

Country Link
CN (3) CN114019940A (en)

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102299911B (en) * 2011-06-22 2014-04-30 天津大学 DDos attack detection method based on concentric axis multidimensional data visualization model
JP6361175B2 (en) * 2014-03-06 2018-07-25 株式会社豊田中央研究所 Abnormality diagnosis apparatus and program
US10083071B2 (en) * 2014-12-30 2018-09-25 Battelle Memorial Institute Temporal anomaly detection on automotive networks
CN104793605B (en) * 2015-04-10 2017-06-20 北京金控数据技术股份有限公司 A kind of method that utilization normal distribution judges equipment fault
CN113014464B (en) * 2016-01-08 2022-07-26 松下电器(美国)知识产权公司 Abnormality detection method, abnormality detection device, and abnormality detection system
CN107786368B (en) * 2016-08-31 2021-09-07 华为技术有限公司 Abnormal node detection method and related device
CN108112016B (en) * 2016-11-24 2020-11-17 腾讯科技(深圳)有限公司 Wireless local area network security assessment method and device
JP6782679B2 (en) * 2016-12-06 2020-11-11 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Information processing equipment, information processing methods and programs
WO2018105320A1 (en) * 2016-12-06 2018-06-14 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Information processing device, information processing method, and program
US20180300477A1 (en) * 2017-04-13 2018-10-18 Argus Cyber Security Ltd. In-vehicle cyber protection
US10326788B1 (en) * 2017-05-05 2019-06-18 Symantec Corporation Systems and methods for identifying suspicious controller area network messages
US10308242B2 (en) * 2017-07-01 2019-06-04 TuSimple System and method for using human driving patterns to detect and correct abnormal driving behaviors of autonomous vehicles
CN107992026B (en) * 2017-12-13 2020-09-08 南京越博动力系统股份有限公司 Method for analyzing DBC analysis message based on LABVEIW
CN109144039B (en) * 2018-11-04 2021-06-22 兰州理工大学 Intermittent process fault detection method based on time sequence expansion and neighborhood preserving extreme learning machine

Also Published As

Publication number Publication date
CN114019940A (en) 2022-02-08
CN111338318A (en) 2020-06-26
CN114035544A (en) 2022-02-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20211013

Address after: 100176 Room 101, 1st floor, building 1, yard 7, Ruihe West 2nd Road, Economic and Technological Development Zone, Daxing District, Beijing

Applicant after: Apollo Zhilian (Beijing) Technology Co.,Ltd.

Address before: 2/F, Baidu Building, 10 Shangdi 10th Street, Haidian District, Beijing 100085

Applicant before: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd.

GR01 Patent grant