CN111885060A - Internet of vehicles-oriented nondestructive information security vulnerability detection system and method - Google Patents

Publication number: CN111885060A
Authority: CN (China)
Prior art keywords: vulnerability, attack, message, detection, knowledge base
Legal status: Granted
Application number: CN202010716756.1A
Other languages: Chinese (zh)
Other versions: CN111885060B (en)
Inventors: 陈秀真, 裘炜程, 马进, 陈家浩
Current assignee: Shanghai Jiaotong University; Shanghai Intelligent and Connected Vehicle R&D Center Co Ltd
Original assignee: Shanghai Jiaotong University; Shanghai Intelligent and Connected Vehicle R&D Center Co Ltd
Events: application filed by Shanghai Jiaotong University and Shanghai Intelligent and Connected Vehicle R&D Center Co Ltd; priority to CN202010716756.1A; publication of CN111885060A; application granted; publication of CN111885060B; current legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1433 Vulnerability analysis
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W 4/30 Services specially adapted for particular environments, situations or purposes > H04W 4/40 for vehicles, e.g. vehicle-to-pedestrians [V2P]

Abstract

The invention provides a nondestructive information security vulnerability detection system and method for the Internet of vehicles, comprising: module M1: a vulnerability detection subsystem in the detection system analyzes the traffic data of the network outside the vehicle and/or the network inside the vehicle to obtain an attack detection result; module M2: the attack detection result is compared with a vulnerability knowledge base in the detection system to find a vulnerability, and a vulnerability detection report is generated; module M3: a log file is generated from the vulnerability detection report, and the vulnerability knowledge base and the detection system configuration data are modified according to the log file to update the detection system. With the invention, security vulnerabilities are detected in time, before the intelligent connected vehicle is attacked on a large scale and without affecting the normal operation of the vehicle, so that the security defense capability of the intelligent connected vehicle is improved.

Description

Internet of vehicles-oriented nondestructive information security vulnerability detection system and method
Technical Field
The invention relates to the field of computer network security, in particular to a nondestructive information security vulnerability detection system and method for Internet of vehicles.
Background
The Internet of vehicles means that the on-board devices of vehicles communicate with external electronic devices or cloud servers through wireless communication technology, so that the dynamic information of all vehicles is used effectively and services such as unmanned driving, automatic parking and intelligent traffic management are provided while the vehicles are running. Today the Internet of vehicles is rapidly becoming intelligent, networked and electronic: vehicle-to-vehicle interaction, vehicle-to-cloud interconnection and communication among the electronic components inside the vehicle have greatly optimized the use of traffic resources and improved the safety and comfort of driving. The introduction of communication technology between the network outside the vehicle and the network inside the vehicle moves vehicles gradually towards 'intelligence and networking', but it also opens the door to intrusion by hackers and brings new safety problems: vehicles may be remotely controlled and their driving behaviour falsified by malicious code, which threatens the lives of the people in the vehicle and can even cause serious problems of public safety.
The common protocol for vehicle external network communication (V2X) is DSRC, and the attacks known from traditional wireless networks, such as DoS attacks, MAC spoofing, man-in-the-middle attacks and Sybil attacks, all apply to this communication. Because the DSRC protocol carries a large amount of alarm and control information, an attacker can inject false information by eavesdropping, interception, tampering and similar means in order to mislead the driver's judgment and cause traffic accidents. To prevent an attacker from easily modifying messages, encryption and identity authentication need to be added to DSRC communication. In the Internet of vehicles environment, however, vehicles move at high speed and form a dynamic network topology, so that efficient and accurate identity authentication is difficult to achieve; the Internet of vehicles also has very strict requirements on message timeliness, so an encryption algorithm with excessive cost is not suitable. On the terminal side of the external vehicle network, vehicles, people and the cloud are all network terminals, and the operating system and application vulnerabilities familiar from the computer field can still be exploited, providing intruders with a large number of attack points.
The typical protocol for vehicle intranet communication is the CAN bus protocol. CAN was designed primarily so that messages reach every node as quickly as possible: messages are short, there is no encryption or authentication, there is no sender ID, and only a CRC (cyclic redundancy check) is used, so an attacker can easily eavesdrop on and tamper with messages and directly affect vehicle functions. A large number of sensors are installed in the vehicle; by intercepting the CAN network an attacker can acquire and analyze sensor data and, based on that analysis, interfere purposefully with the sensor readings to further affect the vehicle. The nodes on the CAN bus are in-vehicle electronic components, against which traditional software and hardware attack methods such as buffer overflows and firmware reverse engineering exist. By these means an attacker obtains the data frame format and the corresponding meaning for an ECU, gains control of the ECU and sends malicious messages. ECU software and hardware design in today's automotive industry has no universal security standard, and the large number of vulnerabilities found in ECUs has become the largest potential security hazard of the current in-vehicle network.
Passive vulnerability detection, originally developed by Tenable Network Security, has since become a common function across the network security industry. Passive vulnerability detection identifies vulnerabilities present in network applications on the basis of network traffic information; it has no effect on the operation of the system and therefore belongs to the nondestructive vulnerability detection techniques. Unlike active vulnerability detection, nondestructive detection does not affect the performance of the object under test in practical use. There are two methods for realizing nondestructive vulnerability detection: first, analyzing network traffic data directly to find evidence of a vulnerability; second, matching vulnerability rules against the local system configuration files.
Patent document CN110908357A (application number: 201911011295.1) discloses a security vulnerability detection method, device, storage medium and intelligent device, comprising: acquiring the identity information of a target electronic control unit (ECU) in a controller area network (CAN); sending a frame data request instruction to the target ECU according to its identity information; receiving the frame data fed back by the target ECU in response to the frame data request instruction; performing a key calculation on the frame data with a preset key calculation algorithm to obtain a key; and authenticating the target ECU with the key, and determining whether the target ECU has security vulnerabilities according to the authentication result fed back by the target ECU.
Disclosure of Invention
In view of the defects of the prior art, the object of the invention is to provide a nondestructive information security vulnerability detection system and method for the Internet of vehicles.
The invention provides a nondestructive information security vulnerability detection system for Internet of vehicles, which comprises:
module M1: a vulnerability detection subsystem in the detection system analyzes the flow data of the network outside the vehicle and/or the network inside the vehicle to obtain an attack detection result;
module M2: comparing the attack detection result with a vulnerability knowledge base in the detection system to find a vulnerability, and generating a vulnerability detection report;
module M3: and generating a log file according to the vulnerability detection report, and modifying the vulnerability knowledge base and the detection system configuration data according to the log file to update the detection system.
Preferably, the vulnerability detection subsystem in the detection system comprises a V2X vulnerability detection subsystem and a CAN vulnerability detection subsystem;
the vulnerability knowledge base in the detection system comprises a CAN vulnerability attack knowledge base and a V2X vulnerability attack knowledge base;
the CAN vulnerability detection subsystem analyzes the flow data of the network in the vehicle;
the V2X vulnerability detection subsystem analyzes the traffic data of the network outside the vehicle;
the attack detection results obtained by the CAN vulnerability detection subsystem and the V2X vulnerability detection subsystem are compared with the data in the CAN vulnerability attack knowledge base and the V2X vulnerability attack knowledge base respectively to generate a vulnerability detection report;
the CAN vulnerability detection subsystem receives input CAN network flow and returns an attack detection result by using a joint detection algorithm based on entropy and period;
the CAN vulnerability attack knowledge base stores a self-constructed CAN network vulnerability and attack relation database and records related parameters of a CAN vulnerability detection algorithm;
the V2X vulnerability detection subsystem receives the input V2X network traffic and returns an attack detection result using a detection algorithm based on XGBoost machine learning;
the V2X vulnerability attack knowledge base stores a self-constructed V2X network vulnerability and attack relation database and records the training model of the V2X vulnerability detection algorithm.
Preferably, the CAN vulnerability attack knowledge base includes the various vulnerabilities of each electronic control unit, namely theoretical vulnerabilities, real vulnerabilities and security policy vulnerabilities; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; and the CAN vulnerability attack knowledge base records the entropy, period and IDs of the normal network used by the CAN vulnerability detection algorithm;
the V2X vulnerability knowledge base comprises the security vulnerabilities of the DSRC protocol and the relationship between security attacks and security services; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; and the V2X vulnerability attack knowledge base records the preset threshold value used for feature extraction in the detection stage and the XGBoost training model.
Preferably, the analysis of the in-vehicle network traffic data by the CAN vulnerability detection subsystem to obtain the attack detection result includes:
receiving the in-vehicle network message packets of the CAN network, extracting the message ID, the bus on which the message was seen and the sending time of each message, and grouping and storing the messages by message ID to obtain the stored data; the CAN vulnerability detection subsystem then analyzes the stored data to obtain the total number of message IDs, the sequence of sending times for each message ID, the frequency of occurrence of each message ID and the total number of messages.
Preferably, the analysis of the off-board network traffic data by the V2X vulnerability detection subsystem to obtain the attack detection result includes: receiving the off-board network message packets of the V2X network and extracting the sender ID, receiver ID, sending time, vehicle position and vehicle speed of each message.
Preferably, comparing the attack detection result with the CAN vulnerability attack knowledge base and generating the vulnerability detection report includes:
comparing the obtained total number of message IDs, sequence of sending times for each message ID, frequency of occurrence of each message ID and total number of messages with the message IDs seen on the CAN bus in the normal state recorded in the CAN vulnerability attack knowledge base, and detecting whether message IDs that do not occur in the normal state are present; when such a message ID is detected and lies within a preset range, judging that a DoS attack exists; when such a message ID lies outside the preset range, judging that an attack using the diagnostic system exists;
when the detected message IDs all appear among the message IDs seen on the CAN bus in the normal state recorded in the CAN vulnerability attack knowledge base, calculating the entropy of the occurrence frequencies of the message IDs, comparing it with the entropy of the message IDs in the normal state recorded in the knowledge base, judging that a large-volume periodic message attack exists when the deviation is larger than a preset threshold value, and returning the names of the attacked electronic control units;
checking the message sending interval of each message ID, comparing it with the period of that ID in the normal state recorded in the CAN vulnerability attack knowledge base, judging that a small-volume non-periodic message attack exists when the interval is markedly shorter than the period, and returning the names of the attacked electronic control units;
and inputting the detection result into the vulnerability detection report generation module, which looks up the vulnerability-to-attack relationships in the CAN vulnerability attack knowledge base, determines the attacked electronic control unit, the exploited vulnerability and the resulting consequence, and generates a detection report.
Preferably, comparing the attack detection result with the V2X vulnerability attack knowledge base and generating the vulnerability detection report includes: according to the extracted sender ID, receiver ID, sending time, vehicle position and vehicle speed of each message and the preset threshold value in the V2X vulnerability attack knowledge base, performing a rationality check on the position and speed of the vehicle and extracting rationality features that describe its movement;
inputting the extracted rationality features into the XGBoost algorithm to obtain its prediction for each message, where the prediction is one of normal data, Sybil attack data and position error attack data;
performing statistical analysis on the messages predicted as attacks, ranking all nodes by the amount of malicious data they transmitted, and judging the nodes whose proportion of malicious data exceeds a threshold value to be malicious nodes;
and inputting the detection result into the vulnerability detection report generation module, which looks up the vulnerability-to-attack relationships in the V2X vulnerability knowledge base, determines the attacked node ID and the exploited vulnerability, and generates a detection report.
The invention provides a nondestructive information security vulnerability detection method for Internet of vehicles, which comprises the following steps:
step M1: a vulnerability detection subsystem in the detection system analyzes the flow data of the network outside the vehicle and/or the network inside the vehicle to obtain an attack detection result;
step M2: comparing the attack detection result with a vulnerability knowledge base in the detection system to find a vulnerability, and generating a vulnerability detection report;
step M3: and generating a log file according to the vulnerability detection report, and modifying the vulnerability knowledge base and the detection system configuration data according to the log file to update the detection system.
Preferably, the vulnerability detection subsystem in the detection system comprises a V2X vulnerability detection subsystem and a CAN vulnerability detection subsystem;
the vulnerability knowledge base in the detection system comprises a CAN vulnerability attack knowledge base and a V2X vulnerability attack knowledge base;
the CAN vulnerability detection subsystem analyzes the flow data of the network in the vehicle;
the V2X vulnerability detection subsystem analyzes the traffic data of the network outside the vehicle;
the attack detection results obtained by the CAN vulnerability detection subsystem and the V2X vulnerability detection subsystem are compared with the data in the CAN vulnerability attack knowledge base and the V2X vulnerability attack knowledge base respectively to generate a vulnerability detection report;
the CAN vulnerability detection subsystem receives input CAN network flow and returns an attack detection result by using a joint detection algorithm based on entropy and period;
the CAN vulnerability attack knowledge base stores a self-constructed CAN network vulnerability and attack relation database and records related parameters of a CAN vulnerability detection algorithm;
the V2X vulnerability detection subsystem receives the input V2X network traffic and returns an attack detection result using a detection algorithm based on XGBoost machine learning;
the V2X vulnerability attack knowledge base stores a self-constructed V2X network vulnerability and attack relation database and records the training model of the V2X vulnerability detection algorithm;
the CAN vulnerability attack knowledge base includes the various vulnerabilities of each electronic control unit, namely theoretical vulnerabilities, real vulnerabilities and security policy vulnerabilities; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; and the CAN vulnerability attack knowledge base records the entropy, period and IDs of the normal network used by the CAN vulnerability detection algorithm;
the V2X vulnerability knowledge base comprises the security vulnerabilities of the DSRC protocol and the relationship between security attacks and security services; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; and the V2X vulnerability attack knowledge base records the preset threshold value used for feature extraction in the detection stage and the XGBoost training model;
the analysis of the in-vehicle network traffic data by the CAN vulnerability detection subsystem to obtain the attack detection result includes the following steps:
receiving the in-vehicle network message packets of the CAN network, extracting the message ID, the bus on which the message was seen and the sending time of each message, and grouping and storing the messages by message ID to obtain the stored data; the CAN vulnerability detection subsystem then analyzes the stored data to obtain the total number of message IDs, the sequence of sending times for each message ID, the frequency of occurrence of each message ID and the total number of messages;
the analysis of the off-board network traffic data by the V2X vulnerability detection subsystem to obtain the attack detection result includes the following steps: receiving the off-board network message packets of the V2X network and extracting the sender ID, receiver ID, sending time, vehicle position and vehicle speed of each message.
Preferably, comparing the attack detection result with the CAN vulnerability attack knowledge base and generating the vulnerability detection report includes:
comparing the obtained total number of message IDs, sequence of sending times for each message ID, frequency of occurrence of each message ID and total number of messages with the message IDs seen on the CAN bus in the normal state recorded in the CAN vulnerability attack knowledge base, and detecting whether message IDs that do not occur in the normal state are present; when such a message ID is detected and lies within a preset range, judging that a DoS attack exists; when such a message ID lies outside the preset range, judging that an attack using the diagnostic system exists;
when the detected message IDs all appear among the message IDs seen on the CAN bus in the normal state recorded in the CAN vulnerability attack knowledge base, calculating the entropy of the occurrence frequencies of the message IDs, comparing it with the entropy of the message IDs in the normal state recorded in the knowledge base, judging that a large-volume periodic message attack exists when the deviation is larger than a preset threshold value, and returning the names of the attacked electronic control units;
checking the message sending interval of each message ID, comparing it with the period of that ID in the normal state recorded in the CAN vulnerability attack knowledge base, judging that a small-volume non-periodic message attack exists when the interval is markedly shorter than the period, and returning the names of the attacked electronic control units;
inputting the detection result into the vulnerability detection report generation module, which looks up the vulnerability-to-attack relationships in the CAN vulnerability attack knowledge base, determines the attacked electronic control unit, the exploited vulnerability and the resulting consequence, and generates a detection report;
comparing the attack detection result with the V2X vulnerability attack knowledge base and generating the vulnerability detection report includes: according to the extracted sender ID, receiver ID, sending time, vehicle position and vehicle speed of each message and the preset threshold value in the V2X vulnerability attack knowledge base, performing a rationality check on the position and speed of the vehicle and extracting rationality features that describe its movement;
inputting the extracted rationality features into the XGBoost algorithm to obtain its prediction for each message, where the prediction is one of normal data, Sybil attack data and position error attack data;
performing statistical analysis on the messages predicted as attacks, ranking all nodes by the amount of malicious data they transmitted, and judging the nodes whose proportion of malicious data exceeds a threshold value to be malicious nodes;
and inputting the detection result into the vulnerability detection report generation module, which looks up the vulnerability-to-attack relationships in the V2X vulnerability knowledge base, determines the attacked node ID and the exploited vulnerability, and generates a detection report.
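The joint entropy-and-period check of the CAN subsystem described above, written out as an added example that is not code from the patent: the knowledge-base entries, the thresholds, the DoS ID range and the candump-style log are all constructed, and the three steps (unknown IDs, entropy deviation, send interval against period) run in the order the claims give.

```python
"""Joint entropy-and-period CAN detection in the style of the patent's CAN subsystem.

Constructed example: the knowledge base, thresholds, ID ranges and the candump-style
log are illustrative values, not taken from the patent.
"""
import math
from collections import defaultdict

# Constructed CAN vulnerability-attack knowledge base: ID -> (ECU name, nominal period in ms).
NORMAL_IDS = {
    0x100: ("engine_ecu", 10.0),
    0x200: ("brake_ecu", 20.0),
    0x300: ("steering_ecu", 50.0),
    0x400: ("body_ecu", 100.0),
}
DOS_ID_MAX = 0x00F            # assumed "preset range": unknown IDs at or below this count as DoS
ENTROPY_DEVIATION_MAX = 0.05  # assumed entropy deviation threshold (bits)
SHARE_RATIO_MIN = 2.0         # assumed: an ID whose traffic share at least doubles is the flooded one
INTERVAL_RATIO_MIN = 0.5      # assumed: a gap under half the nominal period marks an injected frame


def entropy(counts):
    """Shannon entropy (bits) of an ID frequency distribution given as {id: count}."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def baseline_entropy(kb=NORMAL_IDS):
    """Entropy of the normal bus, where each ID's share is proportional to 1/period."""
    return entropy({cid: 1.0 / period for cid, (_, period) in kb.items()})


def parse_candump(lines):
    """Extract (send time in ms, bus, arbitration ID) from candump-style lines such as
    '(0.010000) can0 100#1122'; the payload is not needed by this detector."""
    frames = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        stamp, bus, frame = line.split()
        time_ms = float(stamp.strip("()")) * 1000.0
        can_id = int(frame.split("#", 1)[0], 16)
        frames.append((time_ms, bus, can_id))
    return frames


def group_by_id(frames):
    """Store the sorted send times per message ID, as the subsystem does."""
    times = defaultdict(list)
    for t, _bus, cid in frames:
        times[cid].append(t)
    return {cid: sorted(ts) for cid, ts in times.items()}


def detect(frames, kb=NORMAL_IDS):
    """Return (attack type, affected ECU name or ID) findings for one traffic window."""
    findings = []
    times = group_by_id(frames)
    counts = {cid: len(ts) for cid, ts in times.items()}

    # Step 1: message IDs that never occur on the normal bus.
    for cid in sorted(counts):
        if cid not in kb:
            kind = "dos_attack" if cid <= DOS_ID_MAX else "diagnostic_system_attack"
            findings.append((kind, f"0x{cid:03X}"))

    # Step 2: entropy of the known-ID frequencies against the baseline entropy.
    known = {cid: c for cid, c in counts.items() if cid in kb}
    flooded = set()
    if known and abs(entropy(known) - baseline_entropy(kb)) > ENTROPY_DEVIATION_MAX:
        total = sum(known.values())
        base_total = sum(1.0 / period for _, period in kb.values())
        for cid, c in known.items():
            base_share = (1.0 / kb[cid][1]) / base_total
            if (c / total) / base_share >= SHARE_RATIO_MIN:
                flooded.add(cid)
                findings.append(("periodic_flood", kb[cid][0]))

    # Step 3: per-ID send interval against the nominal period (IDs already flagged are skipped).
    for cid, ts in times.items():
        if cid not in kb or cid in flooded or len(ts) < 2:
            continue
        min_gap = min(b - a for a, b in zip(ts, ts[1:]))
        if min_gap < INTERVAL_RATIO_MIN * kb[cid][1]:
            findings.append(("nonperiodic_injection", kb[cid][0]))
    return findings


def constructed_log():
    """A 100 ms candump-style window: the normal traffic followed by four constructed attacks."""
    lines = []
    for cid, (_, period) in NORMAL_IDS.items():
        for k in range(int(100 / period)):
            lines.append(f"({k * period / 1000:.6f}) can0 {cid:03X}#00")
    lines += [f"({k / 1000:.6f}) can0 200#FF" for k in range(1, 51)]  # 50 brake frames, 1 ms apart
    lines.append("(0.052000) can0 300#7F")    # one steering frame 2 ms after a genuine one
    lines.append("(0.030000) can0 000#00")    # highest-priority ID never seen in normal traffic
    lines.append("(0.040000) can0 7DF#0210")  # diagnostic request ID never seen in normal traffic
    return lines


if __name__ == "__main__":
    for kind, target in detect(parse_candump(constructed_log())):
        print(f"{kind}: {target}")
```

The first 18 lines of the constructed log are the normal window alone and produce no findings; the full log yields one finding per constructed attack.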
Compared with the prior art, the invention has the following beneficial effects:
1. Before an intelligent connected vehicle is attacked on a large scale, security vulnerabilities are detected in time without affecting the normal operation of the vehicle, and the security defense capability of the intelligent connected vehicle is improved;
2. The invention is efficient and has a high detection success rate, and is suitable for both user-level and enterprise-level requirements;
3. In the nondestructive information security vulnerability detection method and system for the Internet of vehicles disclosed by the invention, the vulnerabilities, attacks and consequences of the external network V2X and the internal network CAN are collected and stored in a vulnerability knowledge base;
4. The system receives the traffic of both networks as input; the CAN network traffic is processed by a joint detection algorithm based on entropy and period, the V2X network traffic by a detection algorithm based on XGBoost, and the attacked object and the attack type can be detected with an accuracy approaching 100%. The system compares this information with the vulnerability knowledge base and reports the corresponding vulnerabilities;
5. The detection algorithm causes no performance loss on the Internet of vehicles and performs well. The system can be deployed on a third-party network detection node or on a vehicle to monitor that vehicle and the vehicles around it. It adopts a modular design so that detection personnel can update it quickly, giving it a flexible deployment mode and good extensibility.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a diagram of the nondestructive information security vulnerability detection system for the Internet of vehicles;
FIG. 2 is a flow chart of the CAN vulnerability detection subsystem;
FIG. 3 is a flow chart of the V2X vulnerability detection subsystem.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that various changes and modifications that are obvious to those skilled in the art can be made without departing from the spirit of the invention; all of these fall within the scope of the present invention.
The invention aims to solve the security problems that accompany the development of future automobiles, that is, to eliminate the potential security hazards caused by the intellectualization of the automobile: it systematically summarizes and collects the security vulnerabilities of the communication protocol of the vehicle's external network, the communication protocol of the vehicle's internal network and the electronic components inside the vehicle, constructs a vulnerability knowledge base for the Internet of vehicles, and provides a nondestructive information security vulnerability detection method.
Example 1
The invention provides a nondestructive information security vulnerability detection system for Internet of vehicles, which comprises:
module M1: a vulnerability detection subsystem in the detection system analyzes the flow data of the network outside the vehicle and/or the network inside the vehicle to obtain an attack detection result;
module M2: comparing the attack detection result with a vulnerability knowledge base in the detection system to find a vulnerability, and generating a vulnerability detection report;
module M3: and generating a log file according to the vulnerability detection report, and modifying the vulnerability knowledge base and the detection system configuration data according to the log file to update the detection system.
Specifically, the vulnerability detection subsystem in the detection system comprises a V2X vulnerability detection subsystem and a CAN vulnerability detection subsystem;
the vulnerability knowledge base in the detection system comprises a CAN vulnerability attack knowledge base and a V2X vulnerability attack knowledge base;
the CAN vulnerability detection subsystem analyzes the flow data of the network in the vehicle;
the V2X vulnerability detection subsystem analyzes the traffic data of the network outside the vehicle;
the attack detection results obtained by the CAN vulnerability detection subsystem and the V2X vulnerability detection subsystem are compared with the data in the CAN vulnerability attack knowledge base and the V2X vulnerability attack knowledge base respectively to generate a vulnerability detection report;
the CAN vulnerability detection subsystem receives input CAN network flow and returns an attack detection result by using a joint detection algorithm based on entropy and period;
the CAN vulnerability attack knowledge base stores a self-constructed CAN network vulnerability and attack relation database and records related parameters of a CAN vulnerability detection algorithm;
the V2X vulnerability detection subsystem receives input V2X network flow and returns an attack detection result by using an XGboost machine learning-based detection algorithm;
the V2X vulnerability attack knowledge base stores a self-constructed V2X network vulnerability and attack relation database and records a training model of the V2X vulnerability detection algorithm.
Specifically, the CAN vulnerability attack knowledge base covers the various vulnerabilities of each electronic control unit, including theoretical vulnerabilities, real vulnerabilities and security policy vulnerabilities; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed, the base containing 138 records covering 24 electronic control units; the entropy, periods and message IDs of a normal network, as used by the CAN vulnerability detection algorithm, are also recorded in the CAN vulnerability attack knowledge base;
the V2X vulnerability knowledge base covers the security vulnerabilities of the DSRC protocol and the relationships between security attacks and security services; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; a preset threshold for feature extraction in the detection stage and the XGBoost training model are also recorded in the V2X vulnerability attack knowledge base.
The XGBoost model predicts the category of each data packet, the prediction being made with the trained model. The model is trained on training data that has been labelled in advance and records the relation between feature values and labels, so that in the real prediction stage an unknown label can be predicted from the feature values.
Specifically, the analysis of the in-vehicle network traffic by the CAN vulnerability detection subsystem to obtain the attack detection result comprises:
receiving the in-vehicle network message packets of the CAN network, extracting the message ID, the bus on which the message appeared and the sending time of each message, and grouping and storing them by message ID to obtain the stored data; the CAN vulnerability detection subsystem then analyzes the stored data to obtain the total number of distinct message IDs, the time series of sending times of each message ID, the occurrence frequency of each message ID and the total number of messages.
Specifically, the analysis of the external network traffic by the V2X vulnerability detection subsystem to obtain the attack detection result comprises: receiving the external network message packets of the V2X network and extracting the sender ID, receiver ID, sending time, vehicle position and vehicle speed of each message.
Specifically, comparing the attack detection result with the CAN vulnerability attack knowledge base and generating a vulnerability detection report comprises:
comparing the obtained total number of message IDs, the time series of each message ID, the occurrence frequency of each message ID and the total number of messages with the message IDs of the CAN bus in its normal state as recorded in the CAN vulnerability attack knowledge base, and detecting whether any message ID appears that does not occur in the normal state; when such an ID is detected and it lies within a preset range, a DoS attack is judged to be present; when the ID lies outside the preset range, an attack abusing the diagnostic system is judged to be present;
the preset range is determined by looking up the smallest legitimate message ID in the vehicle manual or factory information; the preset range lies below that smallest ID and usually covers IDs 0-5;
when every detected message ID is among the normal-state message IDs of the CAN bus recorded in the CAN vulnerability attack knowledge base, the entropy of the occurrence frequencies of the message IDs is calculated and compared with the normal-state entropy recorded in the knowledge base; when the deviation exceeds a preset threshold, a high-volume periodic message attack is judged to be present and the names of the attacked electronic control units are returned;
a high-volume periodic message attack is one in which the attacker sends a message with a period shorter than that of the normal message, so that the attacker's sending frequency is clearly higher than the normal one and the normal message is drowned out. Because the normal message is sent periodically and its sender does not stop sending when malicious data appears, the attack message needs a shorter sending period to drown out the normal data; the frequency of the attack message is generally 4-20 times that of the normal message, hence the large volume of messages.
The sending interval of each message ID is then checked against the normal-state period of that ID recorded in the CAN vulnerability attack knowledge base; when the interval is shorter than the period, a low-volume non-periodic message attack is judged to be present and the names of the attacked electronic control units are returned;
the high-volume periodic attack is costly, and an attacker who only wants to cause a short-lived abnormality of the vehicle can instead send non-periodic messages for a short time, drowning out the normal messages only during that interval; the number of such messages is therefore small and no periodic attack is needed, which is the low-volume non-periodic message attack.
From the attack detection point of view, these two classes summarize all possible attacks.
The detection result is input to the vulnerability detection report generation module, which compares it with the vulnerability-attack relations in the CAN vulnerability attack knowledge base, determines the attacked electronic control unit, the exploited vulnerability and the resulting consequence, and generates the detection report.
The vulnerability detection report generation module thus compares the attack detection result of the detection subsystem against the data in the CAN vulnerability knowledge base to generate the vulnerability detection report.
Specifically, comparing the attack detection result with the V2X vulnerability attack knowledge base and generating a vulnerability detection report comprises: performing a rationality check on the position and speed of the vehicle according to the sender ID, receiver ID, sending time, vehicle position and vehicle speed extracted from each message and the preset threshold in the V2X vulnerability attack knowledge base, and extracting the rationality features describing the movement;
the rationality check judges whether the vehicle's motion state is plausible given the vehicle's current and historical speed, acceleration, position and heading, for example: whether the vehicle suddenly appeared at a location, whether it is located on an obstacle, and whether its past acceleration could have brought it to its present speed. The specific method is as follows: first, the possible position, speed, acceleration and heading in the current state are calculated from the vehicle's historical information using physics formulas; these are then compared with the vehicle's current reported information, and the vehicle is judged unreasonable if the current information exceeds the calculated values and reasonable otherwise.
The rationality features describing the movement, i.e. the results of the rationality check, are continuous values in the range 0-1. The core logic is as follows: denote the range of the vehicle's current position, speed, acceleration, heading and so on as S1, the range predicted from the historical values as S2, and their intersection as S3 = S1 ∩ S2; the feature value is S3/S2. This ratio expresses the degree to which the vehicle's motion state is reasonable (a continuous value in 0-1) rather than merely whether it is reasonable (a binary 0/1 value).
The extracted rationality features describing the movement are input to the XGBoost algorithm, which yields a prediction for each message; the prediction is one of normal data, Sybil attack data and position error attack data;
statistical analysis is performed on the data predicted as attacks: all nodes are ranked by the amount of malicious data they sent, nodes whose proportion of malicious data exceeds a threshold are judged malicious, the statistical result is drawn as a histogram, and a network topology graph is drawn once the malicious nodes are determined;
the detection result is input to the vulnerability detection report generation module, which compares it with the vulnerability-attack relations in the V2X vulnerability knowledge base, determines the attacked node ID and the exploited vulnerability, and generates the detection report.
The invention also provides a nondestructive information security vulnerability detection method for the Internet of vehicles, which comprises the following steps:
step M1: a vulnerability detection subsystem of the detection system analyzes the traffic data of the external vehicle network and/or the in-vehicle network to obtain an attack detection result;
step M2: the attack detection result is compared against a vulnerability knowledge base of the detection system to identify the vulnerability, and a vulnerability detection report is generated;
step M3: a log file is generated from the vulnerability detection report, and the vulnerability knowledge base and the detection system configuration data are modified according to the log file to update the detection system.
The vulnerability detection subsystems, the vulnerability attack knowledge bases, the analysis of the CAN and V2X traffic, the comparison with the knowledge bases and the generation of the vulnerability detection report are the same in the method as described above for the system of Example 1.
Example 2
Example 2 is a variant of Example 1.
The invention provides an Internet of vehicles-oriented nondestructive information security vulnerability detection system consisting of a CAN network vulnerability knowledge base, an entropy- and period-based CAN vulnerability detection subsystem, a V2X network vulnerability knowledge base and an XGBoost-based V2X vulnerability detection subsystem. The system takes CAN and V2X network traffic as input, runs the two detection algorithms over the data of the two networks, compares the detection results against the self-constructed vulnerability knowledge bases, reports the vulnerabilities exploited by the attack, and provides the user with repair suggestions for those vulnerabilities. The system is shown in fig. 1 and comprises the following modules:
1) CAN vulnerability attack knowledge base: stores a self-constructed database of CAN network vulnerabilities and their relation to attacks. The database comprises theoretical vulnerabilities, which are feasible in theory but whose validity on an actual vehicle remains to be confirmed; real vulnerabilities, which have been demonstrated on actual vehicles, are recorded in the CVE vulnerability database and have led to vehicle recalls and software and hardware updates; and security policy vulnerabilities, which are defects in the security policy of the ECU's software and hardware design. The parameters of the CAN vulnerability detection algorithm, such as the entropy, periods and IDs of a normal network, are also recorded in the knowledge base;
2) CAN vulnerability detection subsystem: receives CAN network traffic as input, extracts the ID, time series, entropy and period information, feeds it to the entropy- and period-based joint detection algorithm, compares it with the thresholds in the knowledge base, and returns an attack detection result;
3) V2X vulnerability attack knowledge base: stores a self-constructed database of V2X network vulnerabilities and their relation to attacks, including the relationships between the security vulnerabilities, security attacks and security services of the exemplary protocol DSRC and the consequences each attack causes. The threshold for feature extraction in the detection stage and the XGBoost training model are also recorded in the knowledge base;
4) V2X vulnerability detection subsystem: receives V2X network traffic as input, extracts 12 features describing the position and motion state of the vehicle, feeds them to the XGBoost machine learning detection algorithm, and returns an attack detection result;
5) vulnerability detection report generation module: compares the attack detection result of the detection subsystems against the data in the vulnerability knowledge bases to generate a vulnerability detection report;
6) administrator and log generation module: records the relevant detection information to generate a log file, and allows an administrator to view the log file, modify the database data and update the system.
Fig. 2 shows the flow of the CAN vulnerability detection subsystem in detail.
CAN messages have three characteristics: there are few distinct message IDs, each ECU corresponding to 1-2 IDs; each ECU actively sends its messages with a fixed period, and there are essentially no event-triggered messages; and attacks on the CAN network show up in the traffic either as a large volume of periodic messages or as a small number of messages without a fixed period concentrated in a short time. The subsystem first detects whether an ID appears that does not occur normally: if such an ID exists and is a small ID, a DoS attack is judged; if it is a message in the ID range of the diagnostic system, an attack abusing the diagnostic system may be in progress. If no message with an abnormal ID appears, the entropy-based detection and then the period-based detection are entered in turn. The principle of the entropy-based detection is that normal messages have fixed periods; entropy characterizes the randomness, or distribution, of the messages, so the entropy of normal traffic changes little and changes markedly when a large volume of messages appears. The entropy is calculated by the formula below, where p_i is the occurrence probability of the message with the i-th ID and n is the total number of IDs:
[Formula image (Figure BDA0002598450470000141): the entropy over the probabilities p_i, i = 1..n; the image is not reproduced on this page.]
The principle of the period-based detection is that message transmission strictly follows its period; the specific method is to record the interval between messages, and a message whose interval is abnormal is an attack message. The calculated entropy and the time series of each message are compared with the thresholds, and if they are abnormal the corresponding ECU is judged to be under attack. The detection algorithm needs some thresholds and background data in advance, which are obtained in a simulation environment.
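The CAN pipeline described for Example 1 (grouping frames by ID, the missing-ID check with its preset low-ID range, the entropy deviation check, the per-ID interval check, and the lookup of ECU, vulnerability and consequence in the knowledge base) together with the entropy and period principles above, as an added example in Python; this is not the patent's own code. The knowledge-base contents (normal periods, ECU names, vulnerability and consequence text, the 0.3 entropy deviation threshold and the half-period interval rule), the candump-style log format and all traffic are constructed for the example, and the entropy is assumed to be the Shannon entropy over the ID occurrence probabilities p_i, since the formula image is not reproduced on this page.

```python
"""Entropy- and period-based CAN attack detection with knowledge-base lookup.
Added example, not the patent's code; all values below are constructed."""
import math
from collections import defaultdict

# --- Constructed CAN vulnerability attack knowledge base (assumed values) ---
NORMAL_PERIOD_S = {0x100: 0.010, 0x200: 0.020, 0x300: 0.050}   # normal-state period per ID
ECU_BY_ID = {0x100: "Engine ECU", 0x200: "Brake ECU", 0x300: "Body ECU"}
KB_VULN = {  # ECU -> (vulnerability exploited, consequence); hypothetical entries
    "Engine ECU": ("no sender authentication on CAN", "forged engine state"),
    "Brake ECU": ("no sender authentication on CAN", "forged brake command"),
    "Body ECU": ("no sender authentication on CAN", "forged body status"),
    "unknown ID": ("bus accepts frames from any node", "arbitration or diagnostics abused"),
}
DOS_ID_RANGE = range(0, 6)     # preset range below the smallest legitimate ID (page: usually 0-5)
ENTROPY_DEVIATION_MAX = 0.3    # assumed threshold on |H_observed - H_normal|
INTERVAL_RATIO_MIN = 0.5       # assumed: a gap under half the normal period is an injection


def parse_frames(lines):
    """Parse constructed candump-style lines '<timestamp> <bus> <hex id>#<hex data>'."""
    frames = []
    for line in lines:
        ts, bus, payload = line.split()
        frames.append((float(ts), bus, int(payload.split("#")[0], 16)))
    return frames


def group_by_id(frames):
    """Sorted send-time series per message ID (the stored data of stage M1)."""
    series = defaultdict(list)
    for ts, _bus, can_id in frames:
        series[can_id].append(ts)
    return {cid: sorted(ts) for cid, ts in series.items()}


def id_frequencies(series):
    """Occurrence probability p_i of each ID within the window."""
    total = sum(len(ts) for ts in series.values())
    return {cid: len(ts) / total for cid, ts in series.items()}


def entropy(freq):
    """Shannon entropy -sum p_i log2 p_i over the ID probabilities (assumed form)."""
    return -sum(p * math.log2(p) for p in freq.values() if p > 0)


def normal_frequencies():
    """Expected p_i of a healthy bus: each ID's message rate is 1/period."""
    rates = {cid: 1.0 / t for cid, t in NORMAL_PERIOD_S.items()}
    total = sum(rates.values())
    return {cid: r / total for cid, r in rates.items()}


def detect(frames):
    """Return (attack_kind, ecu_or_id) findings; an empty list means a clean window."""
    series = group_by_id(frames)
    # Stage 1: IDs that never occur on the normal bus.
    unknown = [cid for cid in series if cid not in NORMAL_PERIOD_S]
    if unknown:
        return [("dos_low_id", cid) if cid in DOS_ID_RANGE else ("diagnostic_abuse", cid)
                for cid in unknown]
    findings, flooded = [], set()
    # Stage 2: entropy deviation -> high-volume periodic flooding of one ID.
    observed, expected = id_frequencies(series), normal_frequencies()
    if abs(entropy(observed) - entropy(expected)) > ENTROPY_DEVIATION_MAX:
        cid = max(series, key=lambda c: observed[c] / expected[c])  # share rose the most
        flooded.add(cid)
        findings.append(("periodic_flooding", ECU_BY_ID[cid]))
    # Stage 3: per-ID send intervals -> short bursts of non-periodic injected frames.
    for cid, ts in series.items():
        if cid in flooded or len(ts) < 2:
            continue
        if min(b - a for a, b in zip(ts, ts[1:])) < INTERVAL_RATIO_MIN * NORMAL_PERIOD_S[cid]:
            findings.append(("aperiodic_injection", ECU_BY_ID[cid]))
    return findings


def report(findings):
    """Join each finding with the knowledge base, as the report generation module does."""
    rows = []
    for kind, target in findings:
        ecu = target if isinstance(target, str) else "unknown ID"
        vuln, effect = KB_VULN[ecu]
        label = ecu if isinstance(target, str) else f"ID 0x{target:03X}"
        rows.append({"attack": kind, "ecu": label, "vulnerability": vuln, "consequence": effect})
    return rows


def make_log(schedule, bus="can0"):
    """Constructed traffic: (id, first_ts, period, count) tuples -> candump-style lines."""
    return [f"{start + k * period:.6f} {bus} {cid:03X}#00"
            for cid, start, period, count in schedule for k in range(count)]


NORMAL_TRAFFIC = [(0x100, 0.0, 0.010, 100), (0x200, 0.0, 0.020, 50), (0x300, 0.0, 0.050, 20)]

if __name__ == "__main__":
    flood = NORMAL_TRAFFIC + [(0x100, 0.001, 0.0025, 400)]   # 4x the normal rate of ID 0x100
    print(report(detect(parse_frames(make_log(flood)))))
```

The normal-state entropy is derived from the recorded periods rather than stored separately, which keeps the two knowledge-base parameters consistent; a deployment would instead record the entropy measured on the real bus, as the page describes. Stage 3 skips an ID already attributed to flooding so that a single attack is not reported twice.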
Fig. 3 shows the flow of the V2X vulnerability detection subsystem in detail.
In fig. 3, message traffic data enters on the left; a check mark denotes normal data and an x denotes malicious data. Normal and attack data are separated by feature extraction, XGBoost classification and statistical analysis, and the malicious data is attributed to a malicious node. In the feature extraction stage, the sender, receiver, position, speed and time are first taken from each message, and 12 features are then extracted, covering range plausibility, position-speed consistency, maximum position-speed consistency, degree of sudden appearance, Kalman position-acceleration consistency, Kalman position-speed consistency, Kalman speed consistency and degree of intersection; all feature values lie in 0-1. The feature values are then input to the XGBoost algorithm. XGBoost is an ensemble learning algorithm from the boosting family; it is an additive model that uses regression trees as its base learners. The algorithm is used here for three-class classification, distinguishing normal data, Sybil attack data and position error attack data, and its model is trained on a data set obtained in a simulation environment. The data judged to be attacks by the classifier undergo further statistical analysis: the number of malicious messages sent by each node is counted, and a node is determined to be malicious when its percentage of malicious data exceeds 3%. To visualize the detection result, the subsystem draws a histogram of the malicious data during the statistical analysis, draws a network topology graph once the malicious nodes are obtained, and shows the flow of malicious data, the attacker and the victim in the topology graph.
The system can detect CAN network and V2X network vulnerabilities and provide repair suggestions to users. It offers users a nondestructive vulnerability detection system for the Internet of vehicles that can run on a single vehicle, a network management node or a stand-alone detection server, addressing real application requirements and rich application scenarios. The system is modular: the vulnerability knowledge base can be updated at any time, and the detection algorithm modules can be plugged in and out. With its efficiency and high detection success rate, the system suits both user-level and enterprise-level requirements.
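The V2X feature extraction and statistical analysis described here and in Example 1 (the 0-1 rationality features, including the S3/S2 intersection ratio, and the ranking of nodes by malicious messages with the 3% threshold, histogram and topology edges), as an added example in Python; this is not the patent's own code. It implements four of the page's plausibility features (range plausibility, sudden appearance, position-speed consistency as S3/S2, and speed consistency) with assumed physical bounds, and the per-message labels that the trained XGBoost model would produce are constructed inline, since the model itself lives in the knowledge base.

```python
"""V2X beacon plausibility features and malicious-node statistics.
Added example, not the patent's code; thresholds and traffic are constructed."""
import math
from collections import Counter

# --- Constructed knowledge-base values (assumed, not the patent's thresholds) ---
MAX_SPEED_MPS = 60.0       # physical speed cap behind the sudden-appearance check
MAX_ACCEL_MPS2 = 5.0       # bound on speed change between two consecutive beacons
POS_ERROR_M = 5.0          # assumed positioning error; widens the reported range S1
COMM_RANGE_M = 300.0       # assumed DSRC range for the range-plausibility check
MALICIOUS_NODE_PCT = 3.0   # page: a node is malicious if over 3% of its data is malicious

FEATURES = ("range", "sudden_appearance", "position_speed", "speed")


def overlap(a, b):
    """Length of the intersection of two closed intervals, i.e. S3 = S1 ∩ S2."""
    return max(0.0, min(a[1], b[1]) - max(a[0], b[0]))


def rationality_features(prev, cur, receiver_pos):
    """Four 0-1 plausibility features for beacon `cur`, given the same sender's previous
    beacon `prev`. Beacons are dicts: t (s), pos (x, y) in m, v (m/s)."""
    dt = cur["t"] - prev["t"]
    if dt <= 0:                       # out-of-order or duplicated timestamp: nothing plausible
        return dict.fromkeys(FEATURES, 0.0)
    moved = math.dist(prev["pos"], cur["pos"])
    reach, dv_max = MAX_SPEED_MPS * dt, MAX_ACCEL_MPS2 * dt
    # S2: displacement predicted from the previous speed and the acceleration bound.
    s2 = (max(0.0, prev["v"] - dv_max) * dt, (prev["v"] + dv_max) * dt)
    # S1: displacement actually reported, widened by the positioning error.
    s1 = (moved - POS_ERROR_M, moved + POS_ERROR_M)
    return {
        "range": 1.0 if math.dist(cur["pos"], receiver_pos) <= COMM_RANGE_M else 0.0,
        # 1.0 while the jump is physically reachable, decaying to 0 beyond twice the reach
        "sudden_appearance": min(1.0, max(0.0, 2.0 - moved / reach)),
        # the page's S3/S2 ratio: how much of the predicted range the report agrees with
        "position_speed": min(1.0, overlap(s1, s2) / (s2[1] - s2[0])),
        # 1.0 while the speed change stays inside the acceleration bound
        "speed": min(1.0, max(0.0, 2.0 - abs(cur["v"] - prev["v"]) / dv_max)),
    }


def malicious_nodes(predictions):
    """predictions: (sender, receiver, label) per message, label being the classifier's
    output: 'normal', 'sybil' or 'position_error'. Returns the ranked per-node malicious
    message counts (the histogram), the nodes over the threshold, and the attacker->victim
    edges of the topology graph."""
    sent, bad, edges = Counter(), Counter(), set()
    for sender, receiver, label in predictions:
        sent[sender] += 1
        if label != "normal":
            bad[sender] += 1
            edges.add((sender, receiver))
    ranked = sorted(sent, key=lambda s: bad[s], reverse=True)
    histogram = {s: bad[s] for s in ranked}
    flagged = [s for s in ranked if 100.0 * bad[s] / sent[s] > MALICIOUS_NODE_PCT]
    topology = {e for e in edges if e[0] in flagged}
    return histogram, flagged, topology


def constructed_predictions():
    """Constructed stand-in for the classifier's per-message output over one window."""
    preds = [("A", "B", "normal")] * 40
    preds += [("B", "A", "normal")] * 30 + [("B", "C", "sybil")] * 5            # 14% malicious
    preds += [("C", "A", "normal")] * 100 + [("C", "B", "position_error")] * 2  # 2% malicious
    return preds


if __name__ == "__main__":
    prev = {"t": 0.0, "pos": (0.0, 0.0), "v": 20.0}
    print(rationality_features(prev, {"t": 1.0, "pos": (28.0, 0.0), "v": 20.0}, (50.0, 0.0)))
    print(malicious_nodes(constructed_predictions()))
```

A beacon that reports 28 m of travel after one second at 20 m/s with a 5 m/s² acceleration bound yields a position-speed feature of 0.2, the continuous degree of plausibility the page contrasts with a binary verdict; node C in the constructed window stays below the 3% threshold even though it sent two malicious messages, so only node B and its edge to C reach the topology graph.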
Those skilled in the art will appreciate that, in addition to implementing the systems, apparatus, and various modules thereof provided by the present invention in purely computer readable program code, the same procedures can be implemented entirely by logically programming method steps such that the systems, apparatus, and various modules thereof are provided in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system, the device and the modules thereof provided by the present invention can be considered as a hardware component, and the modules included in the system, the device and the modules thereof for implementing various programs can also be considered as structures in the hardware component; modules for performing various functions may also be considered to be both software programs for performing the methods and structures within hardware components.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.

Claims (10)

1. An Internet of vehicles-oriented nondestructive information security vulnerability detection system, characterized in that it comprises:
module M1: a vulnerability detection subsystem of the detection system analyzes the traffic data of the external vehicle network and/or the in-vehicle network to obtain an attack detection result;
module M2: the attack detection result is compared against a vulnerability knowledge base of the detection system to identify the vulnerability, and a vulnerability detection report is generated;
module M3: a log file is generated from the vulnerability detection report, and the vulnerability knowledge base and the detection system configuration data are modified according to the log file to update the detection system.
2. The Internet of vehicles-oriented nondestructive information security vulnerability detection system of claim 1, wherein the vulnerability detection subsystem of the detection system comprises a V2X vulnerability detection subsystem and a CAN vulnerability detection subsystem;
the vulnerability knowledge base of the detection system comprises a CAN vulnerability attack knowledge base and a V2X vulnerability attack knowledge base;
the CAN vulnerability detection subsystem analyzes the traffic data of the in-vehicle network;
the V2X vulnerability detection subsystem analyzes the traffic data of the external vehicle network;
the attack detection results obtained by the CAN vulnerability detection subsystem and the V2X vulnerability detection subsystem are compared against the data in the CAN vulnerability attack knowledge base and the V2X vulnerability attack knowledge base respectively to generate the vulnerability detection report;
the CAN vulnerability detection subsystem receives CAN network traffic as input and returns an attack detection result using a joint detection algorithm based on entropy and period;
the CAN vulnerability attack knowledge base stores a self-constructed database of CAN network vulnerabilities and their relation to attacks, and records the parameters of the CAN vulnerability detection algorithm;
the V2X vulnerability detection subsystem receives V2X network traffic as input and returns an attack detection result using a detection algorithm based on XGBoost machine learning;
the V2X vulnerability attack knowledge base stores a self-constructed database of V2X network vulnerabilities and their relation to attacks, and records the trained model of the V2X vulnerability detection algorithm.
3. The Internet of vehicles-oriented nondestructive information security vulnerability detection system of claim 2, wherein the CAN vulnerability attack knowledge base records the vulnerabilities of each electronic control unit, including theoretical vulnerabilities, real vulnerabilities and security policy vulnerabilities; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; and the CAN vulnerability attack knowledge base records the entropy, the period of each message ID and the set of message IDs of the network in the normal state, as used by the CAN vulnerability detection algorithm;
the V2X vulnerability knowledge base records the security vulnerabilities of the DSRC protocol and the relationship between security attacks and security services; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; and the V2X vulnerability attack knowledge base records the preset threshold used for feature extraction in the detection stage and the trained XGBoost model.
4. The Internet of vehicles-oriented nondestructive information security vulnerability detection system of claim 2, wherein the CAN vulnerability detection subsystem analyzing the traffic data of the in-vehicle network to obtain the attack detection result comprises:
receiving the in-vehicle message data packets of the CAN network, extracting the message ID, the bus on which the message was observed and the send time of each message, and grouping and storing the messages by message ID to obtain stored data; the CAN vulnerability detection subsystem analyzes the stored data to obtain the total number of distinct message IDs, the sequence of send times of each message ID, the occurrence frequency of each message ID and the total number of messages.
5. The Internet of vehicles-oriented nondestructive information security vulnerability detection system of claim 2, wherein the V2X vulnerability detection subsystem analyzing the traffic data of the network outside the vehicle to obtain the attack detection result comprises: receiving the message data packets of the V2X network outside the vehicle, and extracting the sender ID, the receiver ID, the send time, the vehicle position and the vehicle speed of each message.
6. The Internet of vehicles-oriented nondestructive information security vulnerability detection system of claim 4, wherein comparing the attack detection result with the CAN vulnerability attack knowledge base to generate the vulnerability detection report comprises:
comparing the obtained total number of message IDs, the sequence of send times of each message ID, the occurrence frequency of each message ID and the total number of messages with the message IDs present on the CAN bus in the normal state recorded in the CAN vulnerability attack knowledge base, and detecting whether message IDs absent from the normal state occur; when an absent message ID that falls within a preset range is detected, a DoS attack is judged to exist; when the absent message ID falls outside the preset range, an attack via the diagnostic system is judged to exist;
when every detected message ID belongs to the message IDs present on the CAN bus in the normal state recorded in the CAN vulnerability attack knowledge base, the entropy of the occurrence frequency distribution of the message IDs is calculated and compared with the entropy of the message IDs in the normal state recorded in the CAN vulnerability attack knowledge base; when the deviation exceeds a preset threshold, a large-volume periodic message attack is judged to exist and the names of the attacked electronic control units are returned;
the send interval of each message ID is checked and compared with the period of that ID in the normal state recorded in the CAN vulnerability attack knowledge base; when the interval is markedly smaller than the period, a small-volume aperiodic message attack is judged to exist and the names of the attacked electronic control units are returned;
and the detection result is input into the vulnerability detection report generation module, which consults the vulnerability-attack relations in the CAN vulnerability attack knowledge base to determine the attacked electronic control unit, the vulnerability exploited and the resulting consequence, and generates the detection report.
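The three-step CAN decision of claims 4 and 6 (unknown-ID check, entropy deviation, per-ID period check; repeated as the CAN part of claims 9 and 10) worked through in code. This is an added example, not code from the patent: the baseline table (`NORMAL_STATE`), the ECU names, the "preset range" of flooding IDs, the entropy threshold and the period ratio are all constructed assumptions standing in for what the CAN vulnerability attack knowledge base would hold, and the captures are generated inline.

```python
"""Joint entropy-and-period CAN detection (claims 4 and 6). Added example, not the patent's code."""
import math
from collections import defaultdict

WINDOW_US = 1_000_000  # one-second analysis window, in microseconds

# Constructed stand-in for the knowledge base's "normal state" records:
# message ID -> (owning ECU, nominal send period in microseconds). Assumed values.
NORMAL_STATE = {
    0x0C1: ("Engine ECU", 10_000),
    0x1A0: ("Brake ECU", 20_000),
    0x2F0: ("Steering ECU", 50_000),
}
DOS_ID_RANGE = (0x000, 0x00F)       # assumed "preset range": top-priority IDs used to starve the bus
ENTROPY_DEVIATION_THRESHOLD = 0.3   # assumed threshold, in bits
PERIOD_RATIO = 0.5                  # assumed: an interval under half the nominal period is an injected frame


def entropy_bits(counts):
    """Shannon entropy of a message-ID frequency distribution, in bits."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def baseline_counts():
    """Frame count per ID that the nominal periods imply over one window."""
    return {i: WINDOW_US // p for i, (_, p) in NORMAL_STATE.items()}


def summarize(frames):
    """Claim 4: group (message_id, bus, send_time_us) frames by ID with sorted send times."""
    by_id = defaultdict(list)
    for msg_id, _bus, t_us in frames:
        by_id[msg_id].append(t_us)
    return {i: sorted(ts) for i, ts in by_id.items()}


def detect(frames):
    """Claim 6: return a list of (attack_type, message_id, ecu_name) findings."""
    by_id = summarize(frames)
    findings = []

    # Step 1: IDs that never occur in the normal state.
    unknown = sorted(i for i in by_id if i not in NORMAL_STATE)
    for i in unknown:
        kind = "dos" if DOS_ID_RANGE[0] <= i <= DOS_ID_RANGE[1] else "diagnostic_abuse"
        findings.append((kind, i, None))
    if unknown:
        return findings

    # Step 2: entropy of the observed ID distribution against the baseline.
    counts = {i: len(ts) for i, ts in by_id.items()}
    base = baseline_counts()
    flooded = set()
    if abs(entropy_bits(counts) - entropy_bits(base)) > ENTROPY_DEVIATION_THRESHOLD:
        total, base_total = sum(counts.values()), sum(base.values())
        # The flooded ID is the one whose share of the bus grew most versus the baseline.
        worst = max(counts, key=lambda i: counts[i] / total - base[i] / base_total)
        flooded.add(worst)
        findings.append(("periodic_flood", worst, NORMAL_STATE[worst][0]))

    # Step 3: send interval of each remaining ID against its nominal period.
    for i, ts in by_id.items():
        if i in flooded:
            continue
        nominal = NORMAL_STATE[i][1]
        if any(b - a < nominal * PERIOD_RATIO for a, b in zip(ts, ts[1:])):
            findings.append(("aperiodic_injection", i, NORMAL_STATE[i][0]))
    return findings


def normal_traffic():
    """Constructed one-window capture of the baseline schedule on bus 'CAN0'."""
    return [(i, "CAN0", k * p) for i, (_, p) in NORMAL_STATE.items() for k in range(WINDOW_US // p)]


if __name__ == "__main__":
    # A replayed engine frame every 2 ms shifts the ID distribution enough to trip the entropy check,
    # while a single spoofed brake frame only shows up in the period check.
    flood = normal_traffic() + [(0x0C1, "CAN0", 500 + k * 2_000) for k in range(400)]
    spoof = normal_traffic() + [(0x1A0, "CAN0", 5_000)]
    print(detect(normal_traffic()), detect(flood), detect(spoof))
```

The entropy step only sees distribution changes, so a single injected frame barely moves it; the period step only sees timing, so a flood of the same ID trips both. Running the two jointly is what lets the same baseline catch both the high-volume and the low-volume case.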
7. The Internet of vehicles-oriented nondestructive information security vulnerability detection system of claim 5, wherein comparing the attack detection result with the V2X vulnerability attack knowledge base to generate the vulnerability detection report comprises: performing a plausibility check on the vehicle position and speed according to the extracted sender ID, receiver ID, send time, vehicle position and vehicle speed of each message and the preset threshold recorded in the V2X vulnerability attack knowledge base, and extracting plausibility features describing the movement;
inputting the extracted plausibility features describing the movement into the XGBoost algorithm to obtain a prediction result for each message, the prediction result being one of normal data, Sybil attack data and position falsification attack data;
performing statistical analysis on the messages predicted as attacks, ranking all nodes by the quantity of malicious messages they transmitted, and judging the nodes whose proportion of malicious messages exceeds a threshold to be malicious nodes;
and inputting the detection result into the vulnerability detection report generation module, which consults the vulnerability-attack relations in the V2X vulnerability knowledge base to determine the attacked node ID and the vulnerability exploited, and generates the detection report.
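The V2X side of claims 5 and 7 (feature extraction from the sender ID, send time, position and speed of each beacon, per-message classification, then node-level ranking; repeated as the V2X part of claims 9 and 10) as an added example that is not the patent's code. The plausibility features and the node ranking are implemented; the trained XGBoost model is not bundled here, so `classify_message` is a fixed threshold rule over the same feature vector, stated as a substitution. The threshold constants and the `SAMPLE_MESSAGES` capture are constructed assumptions.

```python
"""V2X plausibility features and malicious-node ranking (claims 5 and 7). Added example, not the patent's code."""
import math
from collections import defaultdict

# Assumed stand-ins for the "preset threshold" values the V2X knowledge base would hold.
MAX_SPEED_MPS = 70.0     # reported speed above this is implausible
MAX_POS_ERROR_M = 25.0   # tolerated gap between distance moved and speed * elapsed time
SYBIL_RADIUS_M = 2.0     # two senders reporting positions this close at the same instant are suspect
MALICIOUS_RATIO = 0.5    # node-level threshold on the share of its messages judged malicious


def plausibility_features(messages):
    """Claim 7 step 1: movement-plausibility features for each beacon.

    A message is a dict with sender, receiver, t (seconds), pos (x, y in metres)
    and speed (m/s). Returns (message, features) pairs in send-time order.
    """
    ordered = sorted(messages, key=lambda m: (m["t"], m["sender"]))
    same_instant = defaultdict(list)
    for m in ordered:
        same_instant[m["t"]].append(m)
    last_seen = {}
    out = []
    for m in ordered:
        prev = last_seen.get(m["sender"])
        pos_error = 0.0
        if prev is not None and m["t"] > prev["t"]:
            # Distance moved since the sender's last beacon versus what its reported speed allows.
            moved = math.dist(m["pos"], prev["pos"])
            expected = (m["speed"] + prev["speed"]) / 2 * (m["t"] - prev["t"])
            pos_error = abs(moved - expected)
        # Other senders claiming (almost) the same position at the same instant.
        colocated = sum(
            1 for o in same_instant[m["t"]]
            if o["sender"] != m["sender"] and math.dist(o["pos"], m["pos"]) <= SYBIL_RADIUS_M
        )
        out.append((m, {
            "speed_excess": max(0.0, m["speed"] - MAX_SPEED_MPS),
            "pos_error": pos_error,
            "colocated": colocated,
        }))
        last_seen[m["sender"]] = m
    return out


def classify_message(features):
    """Stand-in for the trained XGBoost model (assumption): a fixed rule over the feature vector."""
    if features["speed_excess"] > 0 or features["pos_error"] > MAX_POS_ERROR_M:
        return "position_falsification"
    if features["colocated"] > 0:
        return "sybil"
    return "normal"


def rank_nodes(messages):
    """Claim 7 step 3: (sender, malicious_count, total, ratio) rows, most malicious first."""
    stats = defaultdict(lambda: [0, 0])
    for m, f in plausibility_features(messages):
        stats[m["sender"]][1] += 1
        if classify_message(f) != "normal":
            stats[m["sender"]][0] += 1
    rows = [(s, bad, total, bad / total) for s, (bad, total) in stats.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def malicious_nodes(messages):
    """Senders whose share of malicious messages exceeds MALICIOUS_RATIO."""
    return [s for s, _bad, _total, ratio in rank_nodes(messages) if ratio > MALICIOUS_RATIO]


def _beacon(sender, t, pos, speed):
    return {"sender": sender, "receiver": "BROADCAST", "t": t, "pos": pos, "speed": speed}


# Constructed sample capture: V1 and V3 are honest (V3 has one GPS glitch), V2 reports
# positions its speed cannot reach, and S/S1/S2 are three identities of one Sybil attacker
# beaconing from the same spot.
SAMPLE_MESSAGES = [
    _beacon("V1", 0, (0, 0), 20), _beacon("V1", 1, (20, 0), 20), _beacon("V1", 2, (40, 0), 20),
    _beacon("V2", 0, (0, 100), 20), _beacon("V2", 1, (500, 100), 20), _beacon("V2", 2, (40, 100), 20),
    _beacon("V3", 0, (0, 200), 25), _beacon("V3", 1, (25, 200), 25),
    _beacon("V3", 2, (100, 200), 25), _beacon("V3", 3, (125, 200), 25),
    _beacon("S", 0, (0, 50), 15), _beacon("S1", 0, (0, 50), 15), _beacon("S2", 0, (0, 50), 15),
    _beacon("S", 1, (15, 50), 15), _beacon("S1", 1, (15, 50), 15), _beacon("S2", 1, (15, 50), 15),
]

if __name__ == "__main__":
    for row in rank_nodes(SAMPLE_MESSAGES):
        print(row)
    print(malicious_nodes(SAMPLE_MESSAGES))
```

The node-level ratio is what keeps V3's single implausible beacon from being reported as an attack: per-message predictions are noisy, so the claim's ranking-and-threshold step is the part that decides which identities go into the report.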
8. An Internet of vehicles-oriented nondestructive information security vulnerability detection method, characterized in that it comprises the following steps:
step M1: a vulnerability detection subsystem of the detection system analyzes traffic data of the network outside the vehicle and/or the network inside the vehicle to obtain an attack detection result;
step M2: the attack detection result is compared with a vulnerability knowledge base of the detection system to identify the vulnerability exploited, and a vulnerability detection report is generated;
step M3: a log file is generated from the vulnerability detection report, and the vulnerability knowledge base and the configuration data of the detection system are modified according to the log file to update the detection system.
9. The Internet of vehicles-oriented nondestructive information security vulnerability detection method of claim 8, wherein the vulnerability detection subsystem of the detection system comprises a V2X vulnerability detection subsystem and a CAN vulnerability detection subsystem;
the vulnerability knowledge base of the detection system comprises a CAN vulnerability attack knowledge base and a V2X vulnerability attack knowledge base;
the CAN vulnerability detection subsystem analyzes traffic data of the in-vehicle network;
the V2X vulnerability detection subsystem analyzes traffic data of the network outside the vehicle;
the results obtained by the CAN vulnerability detection subsystem and the V2X vulnerability detection subsystem from the traffic data are compared with the data in the CAN vulnerability attack knowledge base and the V2X vulnerability attack knowledge base respectively to generate the vulnerability detection report;
the CAN vulnerability detection subsystem receives the input CAN network traffic and returns an attack detection result using a joint detection algorithm based on entropy and period;
the CAN vulnerability attack knowledge base stores a self-constructed database of CAN network vulnerabilities and their relations to attacks, and records the parameters used by the CAN vulnerability detection algorithm;
the V2X vulnerability detection subsystem receives the input V2X network traffic and returns an attack detection result using a detection algorithm based on XGBoost machine learning;
the V2X vulnerability attack knowledge base stores a self-constructed database of V2X network vulnerabilities and their relations to attacks, and records the trained model of the V2X vulnerability detection algorithm;
the CAN vulnerability attack knowledge base records the vulnerabilities of each electronic control unit, including theoretical vulnerabilities, real vulnerabilities and security policy vulnerabilities; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; and the CAN vulnerability attack knowledge base records the entropy, the period of each message ID and the set of message IDs of the network in the normal state, as used by the CAN vulnerability detection algorithm;
the V2X vulnerability knowledge base records the security vulnerabilities of the DSRC protocol and the relationship between security attacks and security services; for each vulnerability, the attacks that exploit it are organized and the corresponding consequences are listed; and the V2X vulnerability attack knowledge base records the preset threshold used for feature extraction in the detection stage and the trained XGBoost model;
the CAN vulnerability detection subsystem analyzing the traffic data of the in-vehicle network to obtain the attack detection result comprises the following steps:
receiving the in-vehicle message data packets of the CAN network, extracting the message ID, the bus on which the message was observed and the send time of each message, and grouping and storing the messages by message ID to obtain stored data; the CAN vulnerability detection subsystem analyzes the stored data to obtain the total number of distinct message IDs, the sequence of send times of each message ID, the occurrence frequency of each message ID and the total number of messages;
the V2X vulnerability detection subsystem analyzing the traffic data of the network outside the vehicle to obtain the attack detection result comprises the following step: receiving the message data packets of the V2X network outside the vehicle, and extracting the sender ID, the receiver ID, the send time, the vehicle position and the vehicle speed of each message.
10. The Internet of vehicles-oriented nondestructive information security vulnerability detection method of claim 9, wherein comparing the attack detection result with the CAN vulnerability attack knowledge base to generate the vulnerability detection report comprises:
comparing the obtained total number of message IDs, the sequence of send times of each message ID, the occurrence frequency of each message ID and the total number of messages with the message IDs present on the CAN bus in the normal state recorded in the CAN vulnerability attack knowledge base, and detecting whether message IDs absent from the normal state occur; when an absent message ID that falls within a preset range is detected, a DoS attack is judged to exist; when the absent message ID falls outside the preset range, an attack via the diagnostic system is judged to exist;
when every detected message ID belongs to the message IDs present on the CAN bus in the normal state recorded in the CAN vulnerability attack knowledge base, the entropy of the occurrence frequency distribution of the message IDs is calculated and compared with the entropy of the message IDs in the normal state recorded in the CAN vulnerability attack knowledge base; when the deviation exceeds a preset threshold, a large-volume periodic message attack is judged to exist and the names of the attacked electronic control units are returned;
the send interval of each message ID is checked and compared with the period of that ID in the normal state recorded in the CAN vulnerability attack knowledge base; when the interval is markedly smaller than the period, a small-volume aperiodic message attack is judged to exist and the names of the attacked electronic control units are returned;
the detection result is input into the vulnerability detection report generation module, which consults the vulnerability-attack relations in the CAN vulnerability attack knowledge base to determine the attacked electronic control unit, the vulnerability exploited and the resulting consequence, and generates the detection report;
comparing the attack detection result with the V2X vulnerability attack knowledge base to generate the vulnerability detection report comprises: performing a plausibility check on the vehicle position and speed according to the extracted sender ID, receiver ID, send time, vehicle position and vehicle speed of each message and the preset threshold recorded in the V2X vulnerability attack knowledge base, and extracting plausibility features describing the movement;
inputting the extracted plausibility features describing the movement into the XGBoost algorithm to obtain a prediction result for each message, the prediction result being one of normal data, Sybil attack data and position falsification attack data;
performing statistical analysis on the messages predicted as attacks, ranking all nodes by the quantity of malicious messages they transmitted, and judging the nodes whose proportion of malicious messages exceeds a threshold to be malicious nodes;
and inputting the detection result into the vulnerability detection report generation module, which consults the vulnerability-attack relations in the V2X vulnerability knowledge base to determine the attacked node ID and the vulnerability exploited, and generates the detection report.
CN202010716756.1A 2020-07-23 2020-07-23 Internet of vehicles-oriented nondestructive information security vulnerability detection system and method Active CN111885060B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010716756.1A CN111885060B (en) 2020-07-23 2020-07-23 Internet of vehicles-oriented nondestructive information security vulnerability detection system and method

Publications (2)

Publication Number Publication Date
CN111885060A true CN111885060A (en) 2020-11-03
CN111885060B CN111885060B (en) 2021-08-03

Family

ID=73155408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010716756.1A Active CN111885060B (en) 2020-07-23 2020-07-23 Internet of vehicles-oriented nondestructive information security vulnerability detection system and method

Country Status (1)

Country Link
CN (1) CN111885060B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107948172A (en) * 2017-11-30 2018-04-20 恒安嘉新(北京)科技股份公司 A kind of car networking Network Intrusion detection method and system based on artificial intelligence behavioural analysis
KR101917777B1 (en) * 2017-12-08 2019-01-29 한국정보인증주식회사 Vulnerability detection system and method for judging fraud in v2x communication environment
CN109347823A (en) * 2018-10-17 2019-02-15 湖南汽车工程职业学院 A kind of CAN bus method for detecting abnormality based on comentropy
CN110149345A (en) * 2019-06-11 2019-08-20 北京航空航天大学 A kind of In-vehicle networking intrusion detection method based on sequence of message prediction
CN111030962A (en) * 2018-10-09 2020-04-17 厦门雅迅网络股份有限公司 Vehicle-mounted network intrusion detection method and computer-readable storage medium
CN111131185A (en) * 2019-12-06 2020-05-08 中国电子科技网络信息安全有限公司 CAN bus network anomaly detection method and device based on machine learning
CN111343128A (en) * 2018-12-18 2020-06-26 上海汽车集团股份有限公司 Network safety monitoring equipment and network safety monitoring system applied to motor vehicle
CN111371777A (en) * 2020-02-28 2020-07-03 北京天融信网络安全技术有限公司 Attack detection method, device, detector and storage medium for vehicle network
EP3448072B1 (en) * 2017-08-22 2020-09-30 Cohda Wireless Pty Ltd. Determination of plausibility of intelligent transport system messages

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3820115A3 (en) * 2020-06-28 2021-11-03 Beijing Baidu Netcom Science Technology Co., Ltd. Method and apparatus for defending against attacks, device and storage medium
US11797674B2 (en) 2020-06-28 2023-10-24 Apollo Intelligent Connectivity (Beijing) Technology Co., Ltd. Method and apparatus for defending against attacks, device and storage medium
CN113645083A (en) * 2021-09-14 2021-11-12 上汽通用五菱汽车股份有限公司 CAN network anomaly detection method, gateway module, vehicle and readable storage medium
CN114598512A (en) * 2022-02-24 2022-06-07 烽台科技(北京)有限公司 Honeypot-based network security guarantee method and device and terminal equipment
CN114598512B (en) * 2022-02-24 2024-02-06 烽台科技(北京)有限公司 Network security guarantee method and device based on honeypot and terminal equipment
CN115296860A (en) * 2022-07-15 2022-11-04 智己汽车科技有限公司 Vehicle safety operation and maintenance operation system based on central computing platform and vehicle
CN115296860B (en) * 2022-07-15 2023-08-15 智己汽车科技有限公司 Vehicle safety operation and maintenance operation system based on central computing platform and vehicle
TWI814555B (en) * 2022-08-29 2023-09-01 崑山科技大學 Internet of vehicles message flow detection system and method thereof for analyzing malicious behavior
CN115174270A (en) * 2022-09-05 2022-10-11 杭州安恒信息技术股份有限公司 Behavior abnormity detection method, device, equipment and medium
CN115174270B (en) * 2022-09-05 2022-11-29 杭州安恒信息技术股份有限公司 Behavior abnormity detection method, device, equipment and medium

Also Published As

Publication number Publication date
CN111885060B (en) 2021-08-03

Similar Documents

Publication Publication Date Title
CN111885060B (en) Internet of vehicles-oriented nondestructive information security vulnerability detection system and method
Al-Jarrah et al. Intrusion detection systems for intra-vehicle networks: A review
Song et al. In-vehicle network intrusion detection using deep convolutional neural network
Young et al. Survey of automotive controller area network intrusion detection systems
US11748474B2 (en) Security system and methods for identification of in-vehicle attack originator
CN113612786B (en) Intrusion detection system and method for vehicle bus
ben Othmane et al. On the performance of detecting injection of fabricated messages into the can bus
Stan et al. Intrusion detection system for the MIL-STD-1553 communication bus
CN111770069A (en) Vehicle-mounted network simulation data set generation method based on intrusion attack
Taylor et al. Probing the limits of anomaly detectors for automobiles with a cyberattack framework
Desta et al. ID sequence analysis for intrusion detection in the CAN bus using long short term memory networks
Tanksale Intrusion detection for controller area network using support vector machines
CN114900331B (en) Vehicle-mounted CAN bus intrusion detection method based on CAN message characteristics
Mukherjee et al. A precedence graph-based approach to detect message injection attacks in J1939 based networks
Sun et al. Analysis of id sequences similarity using DTW in intrusion detection for CAN bus
Abd et al. Intelligent Intrusion Detection System in Internal Communication Systems for Driverless Cars.
Nazakat et al. Intrusion detection system for in-vehicular communication
Zhou et al. A model-based method for enabling source mapping and intrusion detection on proprietary can bus
Park et al. G-idcs: Graph-based intrusion detection and classification system for can protocol
Hou et al. An ontology-based dynamic attack graph generation approach for the internet of vehicles
Agbaje et al. A Framework for Consistent and Repeatable Controller Area Network IDS Evaluation
Dwivedi Anomaly detection in intra-vehicle networks
Kumar et al. CAVIDS: Real time intrusion detection system for connected autonomous vehicles using logical analysis of data
Qiu et al. Research on vehicle network intrusion detection technology based on dynamic data set
Mukherjee SAE J1939-specific cyber security for medium and heavy-duty vehicles

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant