CN111865949A - Abnormal communication detection method and device, server and storage medium - Google Patents

Info

Publication number
CN111865949A
Authority
CN
China
Prior art keywords
internet
network communication
communication
network
platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010656185.7A
Other languages
Chinese (zh)
Inventor
龚济才
邓拓
薛强
吕慧
马少林
尚程
高华
梁彧
田野
傅强
王杰
杨满智
蔡琳
金红
陈晓光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Eversec Beijing Technology Co Ltd
Priority to CN202010656185.7A
Publication of CN111865949A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The embodiment of the invention discloses a method and a device for detecting abnormal communication, a server and a storage medium. The method comprises the following steps: monitoring the network traffic of the Internet of Vehicles platform in real time, and parsing it to obtain network communication data, wherein the network communication data comprises the access request frequency and the access request data packets; acquiring network communication characteristics of the Internet of Vehicles platform from the historical network communication records of the platform, wherein the network communication characteristics include the average access request frequency and the average access request packet capacity; and judging, according to the network communication data and the network communication characteristics of the Internet of Vehicles platform, whether abnormal communication exists in the network traffic of the platform. The technical scheme provided by the embodiment of the invention realizes anomaly detection for the communication between vehicles and the Internet of Vehicles platform, strengthens supervision of the platform and ensures the safety of the communication between vehicles and the platform.

Description

Abnormal communication detection method and device, server and storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication and automobiles, in particular to a method and a device for detecting abnormal communication, a server and a storage medium.
Background
With the continuous progress of science and technology, automobile technology and communication technology have developed rapidly, and Internet of Vehicles technology, an important future development direction of the automobile industry, is gradually being applied to automobiles.
The Internet of Vehicles, namely the Internet of Things for vehicles, takes a running vehicle as the information perception object and realizes information interaction between the vehicle and the outside through the wireless communication function of the vehicle-mounted terminal equipment, so as to improve the overall intelligent driving level of the vehicle.
In the prior art, effective supervision of the Internet of Vehicles platform is lacking, and abnormal conditions in the communication between the vehicle and the Internet of Vehicles platform cannot be discovered in time, so that this communication carries a great safety risk.
Disclosure of Invention
The embodiment of the invention provides a method, a device, a server and a storage medium for detecting abnormal communication, so as to realize effective supervision on communication between a vehicle and a vehicle networking platform.
In a first aspect, an embodiment of the present invention provides a method for detecting abnormal communication, where the method includes:
acquiring the associated information of at least one Internet of vehicles platform to be monitored through an Internet of vehicles platform information table; wherein the association information comprises a domain name and/or an internet protocol address;
monitoring the network flow of the Internet of vehicles platform in real time according to the correlation information, and acquiring the target network flow according to a preset sampling period;
analyzing and acquiring network communication data according to the target network flow; wherein the network communication data comprises access request frequency and access request data packet;
acquiring network communication characteristics of the Internet of vehicles platform according to the historical network communication record of the Internet of vehicles platform; wherein the network communication characteristics include average access request frequency and average access request packet capacity;
and judging whether abnormal communication exists in the network flow of the Internet of vehicles platform according to the network communication data and the network communication characteristics of the Internet of vehicles platform.
In a second aspect, an embodiment of the present invention further provides an apparatus for detecting abnormal communication, where the apparatus includes:
an association information acquisition module, used for acquiring the association information of at least one Internet of vehicles platform to be monitored through an Internet of vehicles platform information table; wherein the association information comprises a domain name and/or an internet protocol address;
The target network flow acquisition module is used for monitoring the network flow of the Internet of vehicles platform in real time according to the associated information and acquiring the target network flow according to a preset sampling period;
the network communication data acquisition module is used for analyzing and acquiring the network communication data according to the target network flow; wherein the network communication data comprises access request frequency and access request data packet;
the network communication characteristic acquisition module is used for acquiring the network communication characteristics of the Internet of vehicles platform according to the historical network communication records of the Internet of vehicles platform; wherein the network communication characteristics include average access request frequency and average access request packet capacity;
and the communication abnormity judgment module is used for judging whether abnormal communication exists in the network flow of the Internet of vehicles platform according to the network communication data and the network communication characteristics of the Internet of vehicles platform.
In a third aspect, an embodiment of the present invention further provides a server, where the server includes:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for detecting abnormal communication provided by any embodiment of the present invention.
In a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for detecting abnormal communication provided in any embodiment of the present invention.
According to the technical scheme provided by the embodiment of the invention, the access request frequency and the access request data packet are extracted from the current network flow of the vehicle networking platform, and whether abnormal communication exists in the current network flow of the vehicle networking platform is judged according to the network communication characteristics in the historical network communication record of the vehicle networking platform, so that the abnormal detection of the communication between the vehicle and the vehicle networking platform is realized, the supervision on the vehicle networking platform is enhanced, and the safety of the communication between the vehicle and the vehicle networking platform is ensured.
Drawings
Fig. 1 is a flowchart of a method for detecting abnormal communication according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for detecting abnormal communication according to a second embodiment of the present invention;
Fig. 3 is a block diagram of a detection apparatus for abnormal communication according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a server according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the steps as a sequential process, many of the steps can be performed in parallel, concurrently or simultaneously. In addition, the order of the steps may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Example one
Fig. 1 is a flowchart of a method for detecting abnormal communication according to an embodiment of the present invention. The embodiment is applicable to detecting abnormal communication between a vehicle and an Internet of Vehicles platform. The method can be executed by the abnormal communication detection device provided by the embodiment of the invention; the device can be implemented in hardware and/or software and is integrated in a server, typically a server of an operator or a third-party network traffic monitoring server. The method specifically comprises the following steps:
S110, acquiring the associated information of at least one Internet of vehicles platform to be monitored through an Internet of vehicles platform information table; wherein the association information comprises a domain name and/or an internet protocol address.
The Domain Name is the name of a computer device on the Internet, consisting of a string of names separated by dots, and is used to locate and identify the computer during data transmission; an Internet Protocol (IP) address is a logical address allocated to a computer device on the Internet. A unique target object on the Internet can be determined from the domain name and/or the IP address. The Internet of Vehicles platform information table contains the associated information of the one or more Internet of Vehicles platforms that need to be monitored.
S120, monitoring the network flow of the Internet of vehicles platform in real time according to the associated information, and acquiring the target network flow according to a preset sampling period.
To improve the security of each Internet of Vehicles platform, the sampling period can be set to a smaller value, so that traffic monitoring tasks are executed as often as possible and the network communication security of each platform is ensured; to reduce the processing pressure on the server, the sampling period can be set to a larger value, so as to save the detection resources of the server. In the embodiment of the present invention, the setting of the sampling period is not particularly limited.
In particular, different sampling periods can be set for different Internet of Vehicles platforms. For example, the sampling period can be set according to the historical network traffic and the number of users of each platform, with a smaller sampling period for platforms that have larger historical network traffic and more users, so that monitoring tasks for those platforms are executed as often as possible. The sampling period can also be set according to the historical abnormal communication detection results of each platform, with a smaller sampling period for platforms that show more abnormal communications in the historical detection results, so as to strengthen supervision.
S130, analyzing and acquiring network communication data according to the target network flow; wherein the network communication data comprises access request frequency and access request data packet.
The access request is initiated by the vehicle-mounted terminal device through an internet of things card or initiated by the mobile terminal (for example, a mobile phone) through an installed internet of vehicles Application (APP) related to the internet of vehicles platform.
S140, acquiring network communication characteristics of the Internet of vehicles platform according to the historical network communication record of the Internet of vehicles platform; wherein the network communication characteristics include average access request frequency and average access request packet capacity.
The access request frequency represents the number of times that vehicles access the Internet of Vehicles platform per unit time. The number of users of each platform is relatively fixed, and each vehicle reports its running data (such as running track, running speed, flameout operation and door opening and closing operation) at regular intervals while running. The capacity of a data packet, that is, the number of bytes it contains, can be obtained for the data packet of each access request in the network traffic. The type of running data that a vehicle reports at regular intervals is relatively fixed, so in the normal communication state the data packet capacity of each access request received by each platform is also relatively fixed, and the average data packet capacity can therefore also be used as a network communication characteristic.
Optionally, in an embodiment of the present invention, acquiring the network communication characteristics of the Internet of Vehicles platform according to the historical network communication records of the platform includes: acquiring the network communication characteristics of the platform in each time period according to its historical network communication records. Judging whether abnormal communication exists in the network traffic of the platform according to the network communication data and the network communication characteristics then includes: judging whether abnormal communication exists in the network traffic of the platform according to the network communication data of the platform and the network communication characteristics of the corresponding time period. Compared with other network service platforms, the network traffic of an Internet of Vehicles platform is particular in that its network communication characteristics differ markedly between time periods. For example, from 7 to 9 o'clock in the morning and from 5 to 7 o'clock in the afternoon on a working day, that is, in the commuting peak hours, the access frequency of the platform is much higher than in other time periods, so the values of the network communication characteristics can be obtained separately for each time period.
S150, judging whether abnormal communication exists in the network flow of the Internet of vehicles platform according to the network communication data and the network communication characteristics of the Internet of vehicles platform.
By comparing the network communication data extracted from the current network traffic of the Internet of Vehicles platform with the network communication characteristics obtained from the historical network communication records, it can be judged whether a communication abnormality exists in the current network traffic of the platform. If one exists, the corresponding platform can be notified by an alarm prompt so that the cause of the abnormality can be found in time.
Optionally, in this embodiment of the present invention, judging whether abnormal communication exists in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics includes: setting a corresponding network communication characteristic threshold according to the network communication characteristics of the platform; and judging whether abnormal communication exists in the network traffic of the platform according to the network communication data of the platform and the network communication characteristic threshold. The threshold is set according to the actual value of the network communication characteristic. For example, with 20% as the floating proportion, the network communication characteristic value of the platform multiplied by 120% is the upper limit of the threshold and the value multiplied by 80% is the lower limit. If the current network communication data of the platform lies within this threshold interval, the current network traffic of the platform is normal; if it lies outside the interval, the current network traffic is abnormal. Different floating proportions can be selected according to the actual values of the network communication characteristics of different platforms, and the corresponding thresholds are then determined from them.
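The per-time-period baseline and floating-threshold check of S110 to S150, as an added Python example (not code from the patent). The platform table entry, addresses, 60-second sampling period, period names and traffic records are constructed assumptions; the 20% floating proportion and the workday peak hours come from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Internet of Vehicles platform information table (S110).
PLATFORM_TABLE = {"iov-platform.example": {"203.0.113.10"}}
WINDOW_S = 60        # assumed sampling period, in seconds
FLOAT_RATIO = 0.20   # the 20% floating proportion from the text


def period_of(ts):
    """Time period of a timestamp; the workday peak hours follow the text."""
    if ts.weekday() < 5 and (7 <= ts.hour < 9 or 17 <= ts.hour < 19):
        return "workday-peak"
    return "off-peak"


def window_start(ts, window_s=WINDOW_S):
    """Floor a timestamp to the start of its sampling window."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = int((ts - midnight).total_seconds())
    return midnight + timedelta(seconds=elapsed // window_s * window_s)


def build_baseline(history, platform_ips, window_s=WINDOW_S):
    """S140: per time period, average requests per window and average packet size."""
    windows = defaultdict(set)      # period -> sampling windows seen
    requests = defaultdict(int)     # period -> number of requests
    volume = defaultdict(int)       # period -> total bytes
    for ts, dst_ip, size in history:
        if dst_ip not in platform_ips:
            continue                # traffic for a platform that is not monitored
        period = period_of(ts)
        windows[period].add(window_start(ts, window_s))
        requests[period] += 1
        volume[period] += size
    return {p: (requests[p] / len(windows[p]), volume[p] / requests[p])
            for p in windows}


def in_band(value, reference, ratio=FLOAT_RATIO):
    """True when value lies between 80% and 120% of reference (for ratio 0.20)."""
    return reference * (1 - ratio) <= value <= reference * (1 + ratio)


def check_window(records, when, baseline, platform_ips):
    """S150: judge one sampled window against the band for its time period."""
    period = period_of(when)
    if period not in baseline:
        return {"period": period, "abnormal": None, "reasons": ["no-baseline"]}
    avg_freq, avg_size = baseline[period]
    sizes = [size for _, dst_ip, size in records if dst_ip in platform_ips]
    reasons = []
    if not in_band(len(sizes), avg_freq):
        reasons.append("frequency")
    # A silent window has no packet size to judge; the frequency check covers it.
    if sizes and not in_band(sum(sizes) / len(sizes), avg_size):
        reasons.append("packet-size")
    return {"period": period, "abnormal": bool(reasons), "reasons": reasons}


def make_window(start, count, size, dst_ip="203.0.113.10", window_s=WINDOW_S):
    """Constructed sample traffic: `count` requests of `size` bytes in one window."""
    return [(start + timedelta(seconds=i * window_s // count), dst_ip, size)
            for i in range(count)]


def constructed_history():
    """Three workdays: 10 requests/min at morning peak, 2 requests/min at midday."""
    history = []
    for day in (8, 9, 10):          # 8 to 10 Jan 2024 are Monday to Wednesday
        for minute in range(120):
            start = datetime(2024, 1, day, 7) + timedelta(minutes=minute)
            history += make_window(start, 10, 200)
        for minute in range(60):
            start = datetime(2024, 1, day, 12) + timedelta(minutes=minute)
            history += make_window(start, 2, 200)
    return history


if __name__ == "__main__":
    ips = PLATFORM_TABLE["iov-platform.example"]
    baseline = build_baseline(constructed_history(), ips)
    peak, midday = datetime(2024, 1, 11, 8, 0), datetime(2024, 1, 11, 12, 0)
    for label, when, recs in [
        ("normal peak", peak, make_window(peak, 11, 210)),
        ("burst at peak", peak, make_window(peak, 30, 200)),
        ("peak rate at midday", midday, make_window(midday, 10, 200)),
        ("silent window", peak, []),
    ]:
        print(label, check_window(recs, when, baseline, ips))
```

The same ten requests per minute that are normal at the morning peak fall outside the midday band, which is the reason the text keeps a separate characteristic value per time period.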
Optionally, in this embodiment of the present invention, judging whether abnormal communication exists in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics includes: taking the network communication characteristics of the platform as training samples and training an initial classifier to obtain a trained communication behavior classifier; and judging, through the communication behavior classifier and according to the network communication data of the platform, whether abnormal communication exists in the network traffic of the platform. A classifier is a mathematical model that maps data records to given categories through a mathematical algorithm, such as the XGBoost algorithm, a logistic regression algorithm, a naive Bayes algorithm or a neural network algorithm, so as to realize data prediction.
According to the technical scheme provided by the embodiment of the invention, the access request frequency and the access request data packet are extracted from the current network flow of the vehicle networking platform, and whether abnormal communication exists in the current network flow of the vehicle networking platform is judged according to the network communication characteristics in the historical network communication record of the vehicle networking platform, so that the abnormal detection of the communication between the vehicle and the vehicle networking platform is realized, the supervision on the vehicle networking platform is enhanced, and the safety of the communication between the vehicle and the vehicle networking platform is ensured.
Example two
Fig. 2 is a flowchart of a method for detecting abnormal communication according to a second embodiment of the present invention. The technical solution of this embodiment is a further refinement of the above technical solution. Specifically, in this embodiment, after acquiring the network communication characteristics of the Internet of Vehicles platform according to the historical network communication records of the platform, the method further includes: acquiring, from the historical network communication records, the target historical network communication records in which the Internet of Vehicles platform is the destination Internet protocol address, and determining the communication number set corresponding to the source Internet protocol addresses in those records. The method specifically comprises the following steps:
S210, acquiring the network communication characteristics of the Internet of vehicles platform according to the historical network communication records of the Internet of vehicles platform.
S220, acquiring, from the historical network communication records, the target historical network communication records in which the Internet of Vehicles platform is the destination Internet protocol address, and determining the communication number set corresponding to the source Internet protocol addresses in the target historical network communication records; wherein the communication number set includes at least one communication number.
An access request in the historical network communication records comprises a destination IP address and a source IP address. The source IP address is the IP address of the initiator of the access request; the destination IP address is the IP address of the requested party. In the embodiment of the invention, the historical network communication records that have the Internet of Vehicles platform as the destination IP address are taken as the target information, and the corresponding source IP addresses are then obtained; the initiator of such an access request is a vehicle-mounted terminal device or an Internet of Vehicles APP. In particular, although the source IP address is randomly allocated both in access requests initiated by the vehicle-mounted terminal device through an Internet of Things card and in access requests initiated by the mobile terminal through the Internet of Vehicles APP, the number information of the initiator (that is, the number of the Internet of Things card or of the mobile phone SIM card) can be accurately obtained from the initiation time of the access request and the IP address. The relevant number information can therefore be obtained from the historical network communication records.
S230, analyzing and acquiring the historical driving characteristics of the communication number according to the historical access request data packet of the communication number; wherein the historical driving characteristics comprise a driving track, a driving speed, a flameout operation and/or a door opening and closing operation.
By analyzing the data packet in the history access request of the communication number, the driving characteristics of the communication number can be acquired.
S240, monitoring the network flow of the communication number in real time, and analyzing to obtain the current driving data.
S250, judging whether the communication number is in abnormal running currently or not according to the current running data and the historical running characteristics.
The current running data of the communication number is matched against the historical running characteristics, and whether the communication number is currently in abnormal running is judged according to the matching degree. For example, if in the historical driving characteristics a user usually does not have a driving track after ten minutes at night, but the acquired current driving data show that the user is still driving after ten minutes at night and the driving speed is too high, the communication number is judged to be in abnormal driving at this time; there may be a risk of vehicle theft or a risk of drunk driving. In that case, prompt information is sent to the communication number, or a prompt is sent to the corresponding Internet of Vehicles platform, so that the platform can take corresponding measures in time after learning of the abnormal driving.
According to the technical scheme provided by the embodiment of the invention, the current driving data is analyzed and obtained by monitoring the network flow of the user communication number related to the Internet of vehicles platform and is matched with the historical driving characteristics of the communication number, so that whether the current driving of the communication number is abnormal driving is judged, the communication abnormality of the Internet of vehicles platform is monitored, meanwhile, the driving data of related vehicles is effectively monitored, and the driving safety of the vehicles is ensured.
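An added Python example of S220 to S250 (not code from the patent). It assumes the operator holds address-assignment sessions that map a source IP address and a time to a communication number, that driving reports are already parsed from the request packets, and that a report counts as abnormal when both its hour and its speed fall outside the history; all identifiers and records are constructed.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed address-assignment sessions: (source IP, start, end, number).
# The same IP is handed to different cards over the day, so the request time
# is part of the lookup key.
SESSIONS = [
    ("10.20.0.5", datetime(2024, 1, 11, 6, 0), datetime(2024, 1, 11, 20, 0), "CARD-0002"),
    ("10.20.0.5", datetime(2024, 1, 11, 22, 0), datetime(2024, 1, 12, 2, 0), "CARD-0001"),
    ("10.20.0.9", datetime(2024, 1, 11, 6, 0), datetime(2024, 1, 11, 20, 0), "CARD-0001"),
]


def build_session_index(sessions):
    """Group sessions by IP and sort them by start time for binary search."""
    by_ip = defaultdict(list)
    for ip, start, end, number in sessions:
        by_ip[ip].append((start, end, number))
    index = {}
    for ip, leases in by_ip.items():
        leases.sort()               # assumes sessions of one IP do not overlap
        index[ip] = ([lease[0] for lease in leases], leases)
    return index


def resolve_number(index, src_ip, when):
    """S220: communication number holding src_ip at time `when`, or None."""
    if src_ip not in index:
        return None
    starts, leases = index[src_ip]
    pos = bisect_right(starts, when) - 1    # last session starting at or before `when`
    if pos < 0:
        return None
    start, end, number = leases[pos]
    return number if start <= when < end else None


def build_profile(history):
    """S230: usual driving hours and highest reported speed per number."""
    profile = defaultdict(lambda: {"hours": set(), "max_speed": 0.0})
    for number, ts, speed in history:
        profile[number]["hours"].add(ts.hour)
        profile[number]["max_speed"] = max(profile[number]["max_speed"], speed)
    return dict(profile)


def judge_report(index, profile, src_ip, when, speed, min_mismatches=2):
    """S240/S250: match one current driving report against the history.

    min_mismatches is an assumed stand-in for the "matching degree" in the text.
    """
    number = resolve_number(index, src_ip, when)
    if number is None or number not in profile:
        return {"number": number, "abnormal": None, "mismatches": []}
    mismatches = []
    if when.hour not in profile[number]["hours"]:
        mismatches.append("unusual-hour")
    if speed > profile[number]["max_speed"]:
        mismatches.append("speed")
    return {"number": number,
            "abnormal": len(mismatches) >= min_mismatches,
            "mismatches": mismatches}


def constructed_history():
    """Constructed driving reports: (number, time, speed in km/h)."""
    history = []
    for day in (8, 9, 10):
        for hour, speed in ((7, 45.0), (8, 60.0), (17, 55.0), (18, 70.0)):
            history.append(("CARD-0001", datetime(2024, 1, day, hour, 30), speed))
        for hour, speed in ((8, 80.0), (9, 90.0)):
            history.append(("CARD-0002", datetime(2024, 1, day, hour, 30), speed))
    return history


if __name__ == "__main__":
    index = build_session_index(SESSIONS)
    profile = build_profile(constructed_history())
    for src_ip, when, speed in [
        ("10.20.0.5", datetime(2024, 1, 11, 23, 15), 130.0),  # late and fast
        ("10.20.0.5", datetime(2024, 1, 11, 8, 15), 60.0),    # same IP, other card
        ("10.20.0.5", datetime(2024, 1, 11, 21, 0), 60.0),    # IP unassigned
    ]:
        print(src_ip, when, judge_report(index, profile, src_ip, when, speed))
```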
Example three
Fig. 3 is a block diagram of a structure of a device for detecting abnormal communication according to a third embodiment of the present invention, where the device may be implemented by hardware and/or software, and specifically includes: the system comprises an association information acquisition module 310, a target network traffic acquisition module 320, a network communication data acquisition module 330, a network communication characteristic acquisition module 340 and a communication abnormality judgment module 350.
The associated information acquiring module 310 is configured to acquire associated information of at least one internet of vehicles platform to be monitored through the internet of vehicles platform information table; wherein the association information comprises a domain name and/or an internet protocol address;
the target network traffic acquiring module 320 is configured to monitor the network traffic of the internet of vehicles platform in real time according to the association information, and acquire the target network traffic according to a preset sampling period;
A network communication data obtaining module 330, configured to analyze and obtain network communication data according to the target network traffic; wherein the network communication data comprises access request frequency and access request data packet;
the network communication characteristic acquisition module 340 is used for acquiring the network communication characteristics of the Internet of vehicles platform according to the historical network communication records of the Internet of vehicles platform; wherein the network communication characteristics include average access request frequency and average access request packet capacity;
a communication abnormality determining module 350, configured to determine whether there is abnormal communication in the network traffic of the car networking platform according to the network communication data and the network communication characteristics of the car networking platform.
According to the technical scheme provided by the embodiment of the invention, the access request frequency and the access request data packet are extracted from the current network flow of the vehicle networking platform, and whether abnormal communication exists in the current network flow of the vehicle networking platform is judged according to the network communication characteristics in the historical network communication record of the vehicle networking platform, so that the abnormal detection of the communication between the vehicle and the vehicle networking platform is realized, the supervision on the vehicle networking platform is enhanced, and the safety of the communication between the vehicle and the vehicle networking platform is ensured.
On the basis of the foregoing technical solution, optionally, the network communication characteristic acquisition module 340 is specifically configured to acquire the network communication characteristics of the Internet of Vehicles platform in each time period according to the historical network communication records of the Internet of Vehicles platform.
On the basis of the foregoing technical solution, optionally, the communication abnormality determining module 350 is specifically configured to determine whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data of the Internet of Vehicles platform and the network communication characteristics in the corresponding time period.
On the basis of the foregoing technical solution, optionally, the communication abnormality determining module 350 includes:
a threshold acquisition unit, configured to set a corresponding network communication characteristic threshold according to the network communication characteristics of the Internet of Vehicles platform;
a first communication abnormality determining unit, configured to determine whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data of the Internet of Vehicles platform and the network communication characteristic threshold.
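The per-time-period characteristics and the threshold unit described above can be sketched as follows. This is an added example, not code from the patent: the hour-of-day bucketing, the symmetric tolerance factor of 3, and every name and sample value are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """Traffic towards one monitored platform during one sampling period."""
    platform: str        # domain name or IP from the platform information table
    hour: int            # time period the sample falls in (assumed: hour of day)
    request_count: int   # access requests observed in the sampling period
    total_bytes: int     # summed size of the access request packets


@dataclass(frozen=True)
class Baseline:
    avg_request_frequency: float  # mean requests per sampling period
    avg_packet_size: float        # mean bytes per access request


def build_baselines(history):
    """Derive per-platform, per-time-period characteristics from history."""
    buckets = defaultdict(list)
    for s in history:
        buckets[(s.platform, s.hour)].append(s)
    baselines = {}
    for key, samples in buckets.items():
        requests = sum(s.request_count for s in samples)
        if requests == 0:
            continue  # an all-idle period gives nothing to compare against
        baselines[key] = Baseline(
            avg_request_frequency=requests / len(samples),
            avg_packet_size=sum(s.total_bytes for s in samples) / requests,
        )
    return baselines


def _deviation(value, mean, factor, name):
    """Thresholds are derived from the characteristic: mean*factor, mean/factor."""
    if value > mean * factor:
        return [f"{name}_high"]
    if value < mean / factor:
        return [f"{name}_low"]
    return []


def check(sample, baselines, factor=3.0):
    """Return the list of findings for one current sample (empty = normal)."""
    base = baselines.get((sample.platform, sample.hour))
    if base is None:
        # No history for this platform/time period: surface it, do not pass it.
        return ["no_baseline"]
    findings = _deviation(sample.request_count, base.avg_request_frequency,
                          factor, "request_frequency")
    if sample.request_count:  # packet size is undefined with zero requests
        findings += _deviation(sample.total_bytes / sample.request_count,
                               base.avg_packet_size, factor, "packet_size")
    return findings


# Constructed sample data: a quiet night-time period and a busy morning period.
PLATFORM = "tsp.example.test"
HISTORY = [
    Sample(PLATFORM, 2, 100, 20_000),
    Sample(PLATFORM, 2, 120, 24_000),
    Sample(PLATFORM, 2, 110, 22_000),
    Sample(PLATFORM, 9, 1000, 210_000),
    Sample(PLATFORM, 9, 1100, 231_000),
    Sample(PLATFORM, 9, 900, 189_000),
]

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for current in (
        Sample(PLATFORM, 9, 900, 180_000),     # normal for the morning period
        Sample(PLATFORM, 2, 900, 180_000),     # same volume at night
        Sample(PLATFORM, 9, 1000, 5_000_000),  # unusually large requests
    ):
        print(current, check(current, baselines))
```

The same request volume is normal at 09:00 and flagged at 02:00, which is the reason for comparing against the characteristics of the corresponding time period rather than a single global average.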
On the basis of the foregoing technical solution, optionally, the communication abnormality determining module 350 includes:
a training execution unit, configured to take the network communication characteristics of the Internet of Vehicles platform as training samples and train an initial classifier to obtain a trained communication behavior classifier;
a second communication abnormality determining unit, configured to determine, through the communication behavior classifier, whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data of the Internet of Vehicles platform.
On the basis of the above technical solution, optionally, the apparatus for detecting abnormal communication includes:
a communication number set acquisition module, configured to acquire, from the historical network communication records, target historical network communication records in which the Internet of Vehicles platform is the destination internet protocol address, and to determine a communication number set corresponding to the source internet protocol addresses in the target historical network communication records; wherein the communication number set includes at least one communication number;
a historical driving feature acquisition module, configured to parse the historical access request data packets of the communication number to obtain the historical driving features of the communication number.
On the basis of the above technical solution, optionally, the historical driving features include a driving track, a driving speed, an engine shut-off (key-off) operation and/or a door opening and closing operation.
On the basis of the above technical solution, optionally, the apparatus for detecting abnormal communication further includes:
a driving data acquisition module, configured to monitor the network traffic of the communication number in real time and to parse it to obtain current driving data;
an abnormal driving determining module, configured to determine whether the communication number currently exhibits abnormal driving according to the current driving data and the historical driving features.
The device can execute the abnormal communication detection method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. For technical details not described in detail in this embodiment, reference may be made to the method provided in any embodiment of the present invention.
Example four
FIG. 4 is a schematic structural diagram of a server according to a fourth embodiment of the present invention. FIG. 4 illustrates a block diagram of an exemplary server 12 suitable for implementing embodiments of the present invention. The server 12 shown in FIG. 4 is only an example and should not impose any limitation on the function or scope of use of the embodiments of the present invention.
As shown in FIG. 4, the server 12 is in the form of a general purpose computing device. The components of the server 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The server 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by server 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The server 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, and commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. System memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in system memory 28. Such program modules 42 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data; each of these, or some combination thereof, may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
The server 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with the server 12, and/or with any devices (e.g., network card, modem, etc.) that enable the server 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the server 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown, the network adapter 20 communicates with the other modules of the server 12 via the bus 18. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the server 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing by running programs stored in the system memory 28, for example, implementing the method for detecting abnormal communication provided by any of the embodiments of the present invention. Namely: acquiring the association information of at least one Internet of Vehicles platform to be monitored through an Internet of Vehicles platform information table, wherein the association information comprises a domain name and/or an internet protocol address; monitoring the network traffic of the Internet of Vehicles platform in real time according to the association information, and acquiring target network traffic according to a preset sampling period; parsing the target network traffic to obtain network communication data, wherein the network communication data comprises an access request frequency and an access request data packet; acquiring the network communication characteristics of the Internet of Vehicles platform according to the historical network communication records of the Internet of Vehicles platform, wherein the network communication characteristics include an average access request frequency and an average access request packet capacity; and determining whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics of the Internet of Vehicles platform.
Example five
Embodiment five of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method for detecting abnormal communication according to any embodiment of the present invention; the method comprises the following steps:
acquiring the association information of at least one Internet of Vehicles platform to be monitored through an Internet of Vehicles platform information table; wherein the association information comprises a domain name and/or an internet protocol address;
monitoring the network traffic of the Internet of Vehicles platform in real time according to the association information, and acquiring target network traffic according to a preset sampling period;
parsing the target network traffic to obtain network communication data; wherein the network communication data comprises an access request frequency and an access request data packet;
acquiring the network communication characteristics of the Internet of Vehicles platform according to the historical network communication records of the Internet of Vehicles platform; wherein the network communication characteristics include an average access request frequency and an average access request packet capacity;
and determining whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics of the Internet of Vehicles platform.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for detecting abnormal communication, comprising:
acquiring the association information of at least one Internet of Vehicles platform to be monitored through an Internet of Vehicles platform information table; wherein the association information comprises a domain name and/or an internet protocol address;
monitoring the network traffic of the Internet of Vehicles platform in real time according to the association information, and acquiring target network traffic according to a preset sampling period;
parsing the target network traffic to obtain network communication data; wherein the network communication data comprises an access request frequency and an access request data packet;
acquiring the network communication characteristics of the Internet of Vehicles platform according to the historical network communication records of the Internet of Vehicles platform; wherein the network communication characteristics include an average access request frequency and an average access request packet capacity;
and determining whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics of the Internet of Vehicles platform.
2. The method according to claim 1, wherein the acquiring the network communication characteristics of the Internet of Vehicles platform according to the historical network communication records of the Internet of Vehicles platform comprises:
acquiring the network communication characteristics of the Internet of Vehicles platform in each time period according to the historical network communication records of the Internet of Vehicles platform;
the determining whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics of the Internet of Vehicles platform comprises:
determining whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data of the Internet of Vehicles platform and the network communication characteristics in the corresponding time period.
3. The method of claim 1, wherein the determining whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics of the Internet of Vehicles platform comprises:
setting a corresponding network communication characteristic threshold according to the network communication characteristics of the Internet of Vehicles platform;
and determining whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data of the Internet of Vehicles platform and the network communication characteristic threshold.
4. The method of claim 1, wherein the determining whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics of the Internet of Vehicles platform comprises:
taking the network communication characteristics of the Internet of Vehicles platform as training samples, and training an initial classifier to obtain a trained communication behavior classifier;
and determining, through the communication behavior classifier, whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data of the Internet of Vehicles platform.
5. The method of claim 1, further comprising, after obtaining the network communication characteristics of the internet of vehicles platform according to the historical network communication record of the internet of vehicles platform:
acquiring, from the historical network communication records, target historical network communication records in which the Internet of Vehicles platform is the destination internet protocol address, and determining a communication number set corresponding to the source internet protocol addresses in the target historical network communication records; wherein the communication number set includes at least one communication number;
and parsing the historical access request data packets of the communication number to obtain the historical driving characteristics of the communication number.
6. The method of claim 5, wherein the historical driving characteristics include a driving trajectory, a driving speed, a key-off operation, and/or a door opening and closing operation.
7. The method according to claim 5 or 6, further comprising, after parsing the historical access request data packets of the communication number to obtain the historical driving characteristics of the communication number:
monitoring the network traffic of the communication number in real time, and parsing it to obtain current driving data;
and determining whether the communication number currently exhibits abnormal driving according to the current driving data and the historical driving characteristics.
8. An apparatus for detecting an abnormal communication, comprising:
an association information acquisition module, configured to acquire association information of at least one Internet of Vehicles platform to be monitored through an Internet of Vehicles platform information table; wherein the association information comprises a domain name and/or an internet protocol address;
a target network traffic acquisition module, configured to monitor the network traffic of the Internet of Vehicles platform in real time according to the association information, and to acquire target network traffic according to a preset sampling period;
a network communication data acquisition module, configured to parse the target network traffic to obtain network communication data; wherein the network communication data comprises an access request frequency and an access request data packet;
a network communication characteristic acquisition module, configured to acquire the network communication characteristics of the Internet of Vehicles platform according to the historical network communication records of the Internet of Vehicles platform; wherein the network communication characteristics include an average access request frequency and an average access request packet capacity;
and a communication abnormality determining module, configured to determine whether there is abnormal communication in the network traffic of the Internet of Vehicles platform according to the network communication data and the network communication characteristics of the Internet of Vehicles platform.
9. A server, comprising:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a method of detecting abnormal communication in accordance with any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of detecting abnormal communication according to any one of claims 1 to 7.
CN202010656185.7A 2020-07-09 2020-07-09 Abnormal communication detection method and device, server and storage medium Pending CN111865949A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010656185.7A CN111865949A (en) 2020-07-09 2020-07-09 Abnormal communication detection method and device, server and storage medium

Publications (1)

Publication Number Publication Date
CN111865949A true CN111865949A (en) 2020-10-30

Family

ID=73152912

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201030