CN111355706A - Vehicle-mounted intrusion detection method and system based on CAN bus - Google Patents

Publication number
CN111355706A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010084249.0A
Other languages
Chinese (zh)
Inventor
刘虹
黄非易
蒲戈光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Industrial Control Safety Innovation Technology Co ltd
East China Normal University
Original Assignee
Shanghai Industrial Control Safety Innovation Technology Co ltd
East China Normal University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Abstract

The invention provides a CAN network-based automobile intrusion detection system, which comprises the following steps: step 1: measuring and preprocessing the electrical CAN signal; step 2: extracting features from the preprocessed signal, namely its electrical characteristics, considering all possibilities; step 3: for masquerading attack detection, building a multi-class classifier to detect masquerading attacks, wherein the number of classes is equal to the number of ECUs in the vehicle-mounted CAN network; step 4: for bus-off attack detection, executing a simple threshold-based method to detect unknown signals; step 5: because the voltage signal is sensitive to environmental factors, adopting incremental learning so that VoltageIDS adapts to environmental factors. The invention can detect intrusions on the vehicle-mounted CAN network based on the unique characteristics of the CAN electrical signal. Since the invention only requires installing a monitoring unit on the CAN bus network, without any modification of the current ECUs, it can be applied directly to current vehicles.

Description

Vehicle-mounted intrusion detection method and system based on CAN bus
Technical Field
The invention relates to the technical field of network security, in particular to a vehicle-mounted intrusion detection method and system based on a CAN bus.
Background
At present, as internet technology spreads and more vehicle functions are computerized to improve the safety and convenience of drivers, the attack surface of vehicles is growing correspondingly, and the Controller Area Network (CAN) protocol does not support authentication of the origin of messages. Among the several solutions that have been proposed, most require modification of the CAN protocol and have their own vulnerabilities.
It was found that VoltageIDS (an automotive intrusion detection system) does not require modification of the current system and is the first method to distinguish masquerading attacks from bus-off attacks.
Disclosure of Invention
Based on this finding, the invention adopts the following technical scheme to realize automobile intrusion detection:
step 1: measuring and preprocessing the electrical CAN signal;
step 2: extracting features from the preprocessed signal, namely its electrical characteristics, considering all possibilities;
step 3: for masquerading attack detection, a multi-class classifier is built to detect masquerading attacks, wherein the number of classes is equal to the number of ECUs in the vehicle-mounted CAN network;
step 3.1: in the training step, a multi-class classifier is created from the labeled feature sets;
step 3.2: VoltageIDS collects the feature sets and labels them with CAN IDs;
step 3.3: the ECU ID refers to an identifier assigned to the ECU that is used to make arbitration decisions;
step 4: for bus-off attack detection, a simple threshold-based method is executed to detect unknown signals;
step 4.1: a bus-off attack is detected using novelty detection, which identifies new or unknown data that was not used to train the classifier;
step 4.2: VoltageIDS implements a simple threshold-based approach to detect unknown signals;
step 4.3: a support vector machine with a radial basis function (RBF) kernel is effective for novelty detection when applied as a one-class classification technique;
step 4.4: VoltageIDS creates a classifier for one-class classification by classifying all signals from legitimate ECUs into one class;
step 4.5: CAN signals with classification scores below the established threshold are considered unknown;
step 5: because the voltage signal is sensitive to environmental factors, incremental learning is adopted so that VoltageIDS adapts to environmental factors.
So far, the password generation scheme for the user group attribute is executed.
Based on the method, the invention also provides a vehicle-mounted intrusion detection system based on the CAN bus, and the system comprises:
the preprocessing module, which measures and preprocesses the electrical CAN signal;
the feature extraction module, which extracts features from the preprocessed signal, namely its electrical characteristics, considering all possibilities;
the classifier module, which detects masquerading attacks by building a multi-class classifier, wherein the number of classes is equal to the number of ECUs in the vehicle-mounted CAN network;
the detection module, which detects bus-off attacks by executing a threshold-based method to detect unknown signals;
and the learning module, which, because the voltage signal is sensitive to environmental factors, adopts incremental learning so that VoltageIDS adapts to environmental factors.
The automobile intrusion detection system realized by the invention can be directly applied to the current vehicle-mounted network without modifying any protocol.
Drawings
Fig. 1 is a schematic diagram of a vehicle-mounted intrusion network detection method based on a CAN bus according to the present invention.
Fig. 2 is a theoretical algorithm implementation code for masquerading attack detection.
Fig. 3 is a theoretical algorithm implementation code for bus closure attack detection.
Fig. 4 is a schematic diagram of the vehicle-mounted intrusion network detection system based on the CAN bus.
Detailed Description
The invention is further described in detail with reference to the following specific examples and the accompanying drawings. Except for the contents specifically mentioned below, the procedures, conditions, experimental methods and the like for carrying out the invention are common general knowledge in the art, and the invention is not particularly limited in this respect.
Examples
The primary goal of an adversary is to transmit malicious CAN messages to deliberately cause a vehicle malfunction. The adversary remotely compromises an ECU through a variety of attack surfaces and methods. An adversary can cause an intentional malfunction only if it has access to the in-vehicle CAN network. The invention classifies and detects the different attack modes according to the situation, and the CAN bus-based vehicle-mounted intrusion detection method comprises the following specific steps:
step 1: measuring and preprocessing the electrical CAN signal;
step 2: extracting features from the preprocessed signal, namely its electrical characteristics, considering all possibilities;
step 3: for masquerading attack detection, a multi-class classifier is built to detect masquerading attacks, wherein the number of classes is equal to the number of ECUs in the vehicle-mounted CAN network;
step 3.1: in the training step, a multi-class classifier is created from the labeled feature sets;
step 3.2: VoltageIDS collects the feature sets and labels them with CAN IDs;
step 3.3: the ECU ID refers to an identifier assigned to the ECU that is used to make arbitration decisions;
step 4: for bus-off attack detection, a simple threshold-based method is executed to detect unknown signals;
step 4.1: a bus-off attack is detected using novelty detection, which identifies new or unknown data that was not used to train the classifier;
step 4.2: VoltageIDS implements a simple threshold-based approach to detect unknown signals;
step 4.3: a support vector machine with a radial basis function (RBF) kernel is effective for novelty detection when applied as a one-class classification technique;
step 4.4: VoltageIDS creates a classifier for one-class classification by classifying all signals from legitimate ECUs into one class;
step 4.5: CAN signals with classification scores below the established threshold are considered unknown;
step 5: because the voltage signal is sensitive to environmental factors, incremental learning is adopted so that VoltageIDS adapts to environmental factors.
This completes the vehicle-mounted intrusion detection for the masquerading attack and the bus-off attack.
The invention also provides a vehicle-mounted intrusion detection system based on the CAN bus, which comprises:
the preprocessing module, which measures and preprocesses the electrical CAN signal;
the feature extraction module, which extracts features from the preprocessed signal, namely its electrical characteristics, considering all possibilities;
the classifier module, which detects masquerading attacks by building a multi-class classifier, wherein the number of classes is equal to the number of ECUs in the vehicle-mounted CAN network;
the detection module, which detects bus-off attacks by executing a threshold-based method to detect unknown signals;
and the learning module, which, because the voltage signal is sensitive to environmental factors, adopts incremental learning so that VoltageIDS adapts to environmental factors.
In the CAN bus-based vehicle-mounted intrusion detection method, the multi-class classifier is built on the observations that modifying the CAN protocol introduces new vulnerabilities and that VoltageIDS offers high efficiency and high accuracy, so that the efficiency of discriminating CAN signals is improved. The established multi-class classifier identifies CAN signals by predicting the most likely class for unlabeled data; if the prediction differs from the CAN ID of the message, the message is judged to be an attack by an adversary.
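The decision logic of steps 3 to 5, as an added example that is not code from the patent or from VoltageIDS: a frame is scored against all legitimate signals (unknown if below the threshold), its predicted sender is compared with the claimed CAN ID, and clean frames update the profile incrementally. Assumptions: a nearest-centroid classifier and a mean RBF-similarity score stand in for the multi-class classifier and the one-class RBF support vector machine, four features replace the 60, and the `VoltageMonitor` class, CAN IDs and voltage levels are constructed for illustration.

```python
import math
import random
import statistics
from collections import deque

def features(samples):
    """Reduce one frame's dominant-bit voltage samples to a feature vector."""
    return (statistics.fmean(samples), statistics.pstdev(samples),
            max(samples), min(samples))

def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

class VoltageMonitor:
    """Hypothetical bus monitor: per-CAN-ID profiles plus a novelty threshold."""

    def __init__(self, gamma=200.0, threshold=0.05, window=8, adapt=True):
        self.gamma, self.threshold = gamma, threshold
        self.window, self.adapt = window, adapt
        self.profiles = {}  # CAN ID -> most recent feature vectors for that ID

    def train(self, can_id, samples):
        profile = self.profiles.setdefault(can_id, deque(maxlen=self.window))
        profile.append(features(samples))

    def predict(self, vec):
        """Multi-class step: the CAN ID whose centroid is nearest to vec."""
        def centroid(vectors):
            return [statistics.fmean(column) for column in zip(*vectors)]
        return min(self.profiles,
                   key=lambda cid: sq_dist(vec, centroid(self.profiles[cid])))

    def score(self, vec):
        """One-class step: mean RBF similarity to every legitimate vector."""
        known = [v for vectors in self.profiles.values() for v in vectors]
        return statistics.fmean(
            [math.exp(-self.gamma * sq_dist(vec, v)) for v in known])

    def check(self, claimed_id, samples):
        vec = features(samples)
        if self.score(vec) < self.threshold:
            return "unknown-signal"   # resembles no legitimate ECU
        if self.predict(vec) != claimed_id:
            return "masquerade"       # a known ECU used another ECU's CAN ID
        if self.adapt:                # incremental learning on clean frames only
            self.profiles[claimed_id].append(vec)
        return "ok"

# Constructed sample data (not measurements): dominant-level voltage per CAN ID.
ECU_LEVEL = {0x101: 3.50, 0x202: 3.60, 0x303: 3.40}
rng = random.Random(7)

def frame(level, n=32, noise=0.004):
    """Simulated voltage samples of one frame from an ECU at `level` volts."""
    return [rng.gauss(level, noise) for _ in range(n)]

def build(adapt):
    monitor = VoltageMonitor(adapt=adapt)
    for can_id, level in ECU_LEVEL.items():
        for _ in range(8):
            monitor.train(can_id, frame(level))
    return monitor

def drift_results(monitor, steps=15, step=0.004):
    """ECU 0x101 warms up: its level rises by `step` volts with each frame."""
    return [monitor.check(0x101, frame(3.50 + step * k))
            for k in range(1, steps + 1)]

if __name__ == "__main__":
    mon = build(adapt=True)
    print(mon.check(0x202, frame(3.60)))        # legitimate sender
    print(mon.check(0x101, frame(3.40)))        # ECU 0x303 claiming 0x101
    print(mon.check(0x101, frame(3.95)))        # device never seen in training
    print(drift_results(build(adapt=False))[-1])  # static profile under drift
```

With incremental updates every drifting frame from 0x101 stays `ok`; with `adapt=False` the same drift ends up closer to the 0x202 profile and is flagged, which is the false positive step 5 is meant to avoid.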
The protection of the present invention is not limited to the above embodiments. Variations and advantages that may occur to those skilled in the art may be incorporated into the invention without departing from the spirit and scope of the inventive concept, and the scope of the appended claims is intended to be protected.

Claims (8)

1. A vehicle-mounted intrusion detection method based on a CAN bus is characterized by comprising the following steps:
step 1: measuring and preprocessing the electrical CAN signal;
step 2: extracting features from the preprocessed signal, namely its electrical characteristics, considering all possibilities;
step 3: for masquerading attack detection, building a multi-class classifier to detect masquerading attacks, wherein the number of classes is equal to the number of ECUs in the vehicle-mounted CAN network;
step 4: for bus-off attack detection, detecting unknown signals by a threshold-based method;
step 5: because the voltage signal is sensitive to environmental factors, adopting incremental learning so that VoltageIDS adapts to environmental factors.
2. The CAN-bus-based vehicle-mounted intrusion detection method according to claim 1, wherein the conversion rule in step 3 is as follows:
step 3.1: in the training step, a multi-class classifier is created from the labeled feature sets;
step 3.2: VoltageIDS collects the feature sets and labels them with CAN IDs;
step 3.3: the ECU ID is an identifier assigned to the ECU that is used to make arbitration decisions.
3. The CAN bus based vehicle intrusion detection method of claim 2, wherein 60 features and the CAN ID are extracted from CAN messages and used to create a labeled set; the labeled set is used as training data to create a multi-class classifier.
4. The CAN bus based vehicle intrusion network detection method of claim 3, wherein in the testing step, 60 features are extracted for a given new CAN message, and the multi-class classifier predicts the most likely class for unlabeled data.
5. The CAN-bus-based vehicle-mounted intrusion detection method according to claim 1, wherein the step 4 comprises the following steps:
step 4.1: a bus-off attack is detected using novelty detection, which identifies new or unknown data that was not used to train the classifier;
step 4.2: VoltageIDS performs a threshold-based approach to detect unknown signals;
step 4.3: a support vector machine with a radial basis function kernel is effective for novelty detection when applied as a one-class classification technique;
step 4.4: VoltageIDS creates a classifier for one-class classification by classifying all signals from legitimate ECUs into one class;
step 4.5: CAN signals with classification scores below the established threshold are considered unknown.
6. The CAN-bus based vehicle intrusion network detection method according to claim 5, wherein in step 4.4, the one-class classifier does not require labels, and all feature sets have the same label.
7. The CAN-bus based vehicle intrusion detection method of claim 1, wherein the characteristics of CAN signals for a masquerading attack and a bus-off attack are detected.
8. A CAN-bus-based vehicular intrusion detection system employing the detection method according to any one of claims 1 to 7, the system comprising:
the preprocessing module, which measures and preprocesses the electrical CAN signal;
the feature extraction module, which extracts features from the preprocessed signal, namely its electrical characteristics, considering all possibilities;
the classifier module, which detects masquerading attacks by building a multi-class classifier, wherein the number of classes is equal to the number of ECUs in the vehicle-mounted CAN network;
the detection module, which detects bus-off attacks by executing a threshold-based method to detect unknown signals;
and the learning module, which, because the voltage signal is sensitive to environmental factors, adopts incremental learning so that VoltageIDS adapts to environmental factors.
CN202010084249.0A 2020-02-10 2020-02-10 Vehicle-mounted intrusion detection method and system based on CAN bus Pending CN111355706A (en)

Publications (1)

Publication Number Publication Date
CN111355706A (en) 2020-06-30

Family

ID=71197017

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110377465A (en) * 2019-06-26 2019-10-25 江苏大学 A kind of method for detecting abnormality of vehicle-mounted CAN bus
CN110636048A (en) * 2019-08-27 2019-12-31 华东师范大学 Vehicle-mounted intrusion detection method and system based on ECU signal characteristic identifier

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WONSUK CHOI, KYUNGHO JOO, HYO JIN JO, MOON CHAN PARK, DONG HOON: "VoltageIDS: Low-Level Communication Characteristics for Automotive Intrusion Detection System", 《TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112084185A (en) * 2020-09-17 2020-12-15 杭州电子科技大学 Damaged electronic control unit positioning method of vehicle-mounted edge equipment based on associated learning
CN112084185B (en) * 2020-09-17 2022-05-31 杭州电子科技大学 Damaged electronic control unit positioning method of vehicle-mounted edge equipment based on associated learning
CN113447972A (en) * 2021-06-07 2021-09-28 华东师范大学 Automatic driving GPS deception detection method and system based on vehicle-mounted IMU
CN113447972B (en) * 2021-06-07 2022-09-20 华东师范大学 Automatic driving GPS deception detection method and system based on vehicle-mounted IMU
CN116056087A (en) * 2023-03-31 2023-05-02 国家计算机网络与信息安全管理中心 Network attack detection method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200630