CN112787984B - Vehicle-mounted network anomaly detection method and system based on correlation analysis - Google Patents

Publication number: CN112787984B
Authority: CN (China)
Prior art keywords: message, value, byte, prediction model, correlation
Legal status: Active
Application number: CN201911094247.3A
Other languages: Chinese (zh)
Other versions: CN112787984A (en)
Inventors: 曲建云, 罗明宇, 郭加平, 吕伟煌, 牛方超
Current assignee: Xiamen Yaxon Networks Co Ltd
Original assignee: Xiamen Yaxon Networks Co Ltd
Classifications

    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

A vehicle-mounted network anomaly detection method and system based on correlation analysis. The method comprises: collecting communication data while the vehicle is running, the communication data comprising a message ID, message content and message occurrence time; predicting and outputting the message value at the corresponding byte position by using the established prediction model, judging whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and judging the message to be abnormal if it does. The prediction model is established based on correlation groups among the communication data collected while the vehicle is being driven; the input of the prediction model is the message values at one or more message-ID byte positions in a correlation group, and the output of the prediction model is the message values at the other message-ID byte positions in that group. The invention analyzes the correlation among raw message data, builds a message segment content prediction model with a neural network, and can detect in real time malicious data injection attacks that do not conform to the normal running state of the vehicle.

Description

Vehicle-mounted network anomaly detection method and system based on correlation analysis
Technical Field
The invention relates to the field of vehicle data safety, in particular to a vehicle-mounted network anomaly detection method and system based on correlation analysis.
Background
Because the CAN protocol is a broadcast protocol and lacks security features, an attacker can easily inject malicious messages onto the bus. Vehicle network security has attracted a great deal of attention, and various technologies and corresponding solutions have been proposed. For anomaly detection of malicious messages, two main approaches currently exist. The first discovers anomalous network messages through anomaly detection on physical variables. It requires knowing where and how the physical variables are stored, that is, it requires the content of the bus communication protocol or reverse engineering of the bus, and if the communication protocol or the reverse-engineered data is leaked, the risk of attacks on vehicle bus communication increases. The second detects anomalies with a classification method. It does not require knowledge of the bus communication protocol, but the resulting detection model is strongly influenced by the simulated abnormal data used in training; it can only detect tampering or insertion attacks whose data content is abnormal, and cannot detect illegitimate data that is inserted into the bus, falls within the normal data range, but violates the logic of the driving state.
Disclosure of Invention
The main purpose of the invention is to provide a vehicle-mounted network anomaly detection method and system based on correlation analysis which, by analyzing the correlation among raw message data and building a message segment content prediction model with a neural network, can detect in real time malicious data injection that does not conform to the normal running state of the vehicle.
The invention adopts the following technical scheme:
In one aspect, the invention discloses a vehicle-mounted network anomaly detection method based on correlation analysis, comprising:
collecting communication data while the vehicle is running; the communication data comprises a message ID, message content and message occurrence time;
predicting and outputting the message value at the corresponding byte position by using the established prediction model, judging whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and judging the message to be abnormal if it does; the prediction model is established based on correlation groups among the communication data collected while the vehicle is being driven; the input of the prediction model is the message values at one or more message-ID byte positions in the correlation group, and the output of the prediction model is the message values at the other message-ID byte positions in the correlation group.
Preferably, the method for establishing the prediction model includes:
collecting communication data while vehicles of the same vehicle type are running;
calculating the Hamming distance, analyzing the Hamming distance data, and eliminating the message IDs whose content does not change and the bytes whose content does not change; recording the message IDs whose content changes and the corresponding byte positions;
normalizing the message occurrence times for the recorded message IDs, pairing the events of different message IDs that occur at similar moments, calculating the correlation coefficient of each byte pair, extracting the byte pairs whose correlation coefficient has an absolute value greater than a preset value, and marking them as a correlation group; a similar moment means the same time or a time within a preset range;
training an LSTM neural network on the message data of each correlation group in time order, and establishing a prediction model for each correlation group.
Preferably, calculating the Hamming distance, analyzing the Hamming distance data, eliminating the message IDs whose content does not change and the bytes whose content does not change, and recording the message IDs whose content changes and the corresponding byte positions specifically comprises:
for each message ID, computing the sum of the Hamming distances over all bytes and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the content of all bytes of the message ID is unchanged, and the message ID is eliminated;
for each message ID not eliminated, computing the Hamming distance of each byte by byte position and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the content of that byte is unchanged, and the unchanged byte is eliminated;
recording the message IDs whose content changes and the corresponding byte positions.
Preferably, the preset value of the correlation coefficient is 0.5.
Preferably, the method for setting the detection threshold includes:
selecting several segments of communication data recorded during normal driving, predicting the message value of a given byte of the corresponding message ID with the prediction model, and setting the detection threshold based on the standard deviation between the predicted message value and the actual message value.
In another aspect, the invention discloses a vehicle-mounted network anomaly detection system based on correlation analysis, comprising:
a data acquisition module, used for collecting communication data while the vehicle is running; the communication data comprises a message ID, message content and message occurrence time;
a message anomaly detection module, which predicts and outputs the message value at the corresponding byte position by using the prediction model established by the prediction model establishment module, judges whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and judges the message to be abnormal if it does; the prediction model is established based on correlation groups among the communication data collected while the vehicle is being driven; the input of the prediction model is the message values at one or more message-ID byte positions in the correlation group, and the output of the prediction model is the message values at the other message-ID byte positions in the correlation group.
Preferably, the method for establishing the prediction model includes:
collecting communication data while vehicles of the same vehicle type are running;
calculating the Hamming distance, analyzing the Hamming distance data, and eliminating the message IDs whose content does not change and the bytes whose content does not change; recording the message IDs whose content changes and the corresponding byte positions;
normalizing the message occurrence times for the recorded message IDs, pairing the events of different message IDs that occur at similar moments, calculating the correlation coefficient of each byte pair, extracting the byte pairs whose correlation coefficient has an absolute value greater than a preset value, and marking them as a correlation group; a similar moment means the same time or a time within a preset range;
training an LSTM neural network on the message data of each correlation group in time order, and establishing a prediction model for each correlation group.
Preferably, calculating the Hamming distance, analyzing the Hamming distance data, eliminating the message IDs whose content does not change and the bytes whose content does not change, and recording the message IDs whose content changes and the corresponding byte positions specifically comprises:
for each message ID, computing the sum of the Hamming distances over all bytes and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the content of all bytes of the message ID is unchanged, and the message ID is eliminated;
for each message ID not eliminated, computing the Hamming distance of each byte by byte position and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the content of that byte is unchanged, and the unchanged byte is eliminated;
recording the message IDs whose content changes and the corresponding byte positions.
Preferably, the preset value of the correlation coefficient is 0.5.
Preferably, the method for setting the detection threshold includes:
selecting several segments of communication data recorded during normal driving, predicting the message value of a given byte of the corresponding message ID with the prediction model, and setting the detection threshold based on the standard deviation between the predicted message value and the actual message value.
Compared with the prior art, the invention has the following beneficial effects:
The method and system of the invention do not need to obtain the specific vehicle bus communication protocol or to know where and how the physical variables are stored. Without actually converting the bus communication data into variables with physical meaning, the correlation among raw message data is determined through statistical analysis, a message segment content prediction model is built with a neural network, and malicious data injection attacks that do not conform to the normal running state of the vehicle can be detected in real time.
Drawings
FIG. 1 is a schematic flow chart of a method according to an embodiment of the invention;
FIG. 2 is a schematic flow chart of a method for establishing a prediction model according to an embodiment of the present invention;
FIG. 3 is a time-series scatter plot of message changes over a sampling period according to an embodiment of the invention;
FIG. 4 is a second time-series scatter plot of message changes over a sampling period according to an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
Referring to FIG. 1, in one aspect, the vehicle-mounted network anomaly detection method based on correlation analysis of the present invention comprises:
S10, collecting communication data while the vehicle is running; the communication data comprises a message ID, message content and message occurrence time;
S20, predicting and outputting the message value at the corresponding byte position by using the established prediction model, judging whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and judging the message to be abnormal if it does; the prediction model is established based on correlation groups among the communication data collected while the vehicle is being driven; the input of the prediction model is the message values at one or more message-ID byte positions in the correlation group, and the output of the prediction model is the message values at the other message-ID byte positions in the correlation group.
Referring to FIG. 2, the method for establishing the prediction model comprises:
S201, collecting communication data while vehicles of the same vehicle type are running.
S202, calculating the Hamming distance, analyzing the Hamming distance data, and eliminating the message IDs whose content does not change and the bytes whose content does not change; recording the message IDs whose content changes and the corresponding byte positions.
Specifically, the method comprises the following steps:
S2021, for each message ID, computing the sum of the Hamming distances over all bytes and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the content of all bytes of the message ID is unchanged, and the message ID is eliminated;
For example, the sampling result over a period of time for message ID 0xYYFD0500 is as follows: each message of this ID always contains 8 bytes and there are hundreds of messages in total; for every two adjacent messages, the Hamming distance is calculated byte by byte over the 8 bytes and the distances are summed. If two adjacent messages are both 0x0102030405060708, the sum of the Hamming distances is 0; if all 289 messages are identical, the maximum, minimum, median, lower quartile and upper quartile are all 0, and the message ID can be eliminated directly.
S2022, for each message ID not eliminated, computing the Hamming distance of each byte by byte position and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the content of that byte is unchanged, and the unchanged byte is eliminated;
For example, message ID YYF F51 has hundreds of sampled records over a period of time; the statistics are shown in Table 1 (only 8 bytes are listed in the table), where only the 4th byte meets the recording requirement.
TABLE 1
S2023, recording the message IDs whose content changes and the corresponding byte positions.
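The filtering in S2021 to S2023, as an added Python example that is not part of the patent: it applies the "all index values are 0 or equal" rule first to the summed Hamming distance per message ID and then to each byte. The frame tuple layout, the function names and the three CAN IDs in the sample capture are constructed for illustration.

```python
from collections import defaultdict
from statistics import quantiles


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two byte values."""
    return bin(a ^ b).count("1")


def is_static(distances) -> bool:
    """S2021/S2022 rule: max, min, median and both quartiles are all 0 or all equal."""
    q1, median, q3 = quantiles(distances, n=4, method="inclusive")
    return len({max(distances), min(distances), median, q1, q3}) == 1


def changing_bytes(frames):
    """frames: iterable of (timestamp, can_id, payload: bytes).

    Returns {can_id: [0-based indexes of the bytes whose content changes]} (S2023).
    """
    by_id = defaultdict(list)
    for _ts, can_id, payload in frames:
        by_id[can_id].append(payload)

    kept = {}
    for can_id, payloads in by_id.items():
        width = min(len(p) for p in payloads)
        if len(payloads) < 3 or width == 0:   # quartiles need at least two distances
            continue
        adjacent = list(zip(payloads, payloads[1:]))
        # per_byte[i] is the Hamming-distance series of byte i over adjacent frames
        per_byte = [[hamming(p[i], q[i]) for p, q in adjacent] for i in range(width)]
        totals = [sum(column) for column in zip(*per_byte)]
        if is_static(totals):                 # S2021: the whole ID is eliminated
            continue
        changing = [i for i, series in enumerate(per_byte) if not is_static(series)]
        if changing:                          # S2022: constant bytes are eliminated
            kept[can_id] = changing
    return kept


def sample_capture():
    """Constructed capture: 0x100 never changes, 0x200 varies only in its 4th byte,
    and 0x300 flips its 1st byte between 0x00 and 0xFF in every frame."""
    frames = []
    for k in range(20):
        t = 0.01 * k
        frames.append((t, 0x100, bytes.fromhex("0102030405060708")))
        frames.append((t, 0x200, bytes([0x10, 0x20, 0x30, (k * 7) % 256, 0, 0, 0, 0])))
        frames.append((t, 0x300, bytes([0xFF * (k % 2), 0, 0, 0, 0, 0, 0, 0])))
    return frames


if __name__ == "__main__":
    for can_id, indexes in changing_bytes(sample_capture()).items():
        print(hex(can_id), "changing byte indexes:", indexes)
```

Because the rule reads "0 or equal", ID 0x300 is eliminated as well: its Hamming distance is 8 for every adjacent pair, so all five index values are equal even though the byte changes in every frame.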
S203, normalizing the message occurrence times for the recorded message IDs, pairing the events of different message IDs that occur at similar moments, calculating the correlation coefficient of each byte pair, extracting the byte pairs whose correlation coefficient has an absolute value greater than the preset value, and marking them as a correlation group; a similar moment means the same time or a time within a preset range.
Specifically, for each selected group, a visualization system can be used to draw a line chart and a time-series scatter plot of the actual message values of the group over the same time period, and the group is verified and rechecked against the plots. If the message values of the group change in the same or exactly opposite direction and the correlation stays stable over time, the group has a strong correlation and is confirmed and marked. If several groups are pairwise correlated, for example AB, BC and AC are all correlated, they are merged into one correlation group ABC. If the groups only partially intersect, such as AB and AC, they can also be merged into one group, but a special mark is needed: in later training only B and C can be selected as input items, with A as the output item.
Referring to FIG. 3, the calculated correlation coefficients between the 6th and 8th bytes of message ID XXFEYYEE and the 3rd byte of XXF003YY are 0.95 and 0.96 respectively. A time-series scatter plot of message changes over a sampling period is drawn with the visualization system, where FIG. 3(a) shows the message value changes of XXFEYYEE and FIG. 3(b) shows those of XXF003YY. The three bytes follow very consistent trends, which verifies the calculation result and shows that the corresponding bytes of the two messages are pairwise correlated and can form a correlation group; any two of the bytes can be selected as input items and the remaining one as the output item.
Referring to FIG. 4, the calculated correlation coefficients between the 2nd and 3rd bytes of message ID XXYYF030 and the 6th byte of XXFEYY02 are 0.7 and 0.6 respectively. A time-series scatter plot of message changes over a sampling period is drawn with the visualization system, where FIG. 4(a) shows the message value changes of XXYYF030 and FIG. 4(b) shows those of XXFEYY02. The three bytes change in a basically consistent way, and it is judged that the 2nd and 3rd bytes of XXYYF030, once combined through certain calculation rules, agree more closely with the changes of the 6th byte of XXFEYY02; therefore only the 2nd and 3rd bytes of XXYYF030 can be selected as input items, with the 6th byte of XXFEYY02 as the output item.
Further, the preset value of the correlation coefficient is 0.5.
The correlation coefficient is calculated from the covariance and the standard deviations. The correlation coefficient of the two variables x and y is calculated by the following formula:
where r_xy denotes the sample correlation coefficient, S_xy the sample covariance, S_x the sample standard deviation of x, and S_y the sample standard deviation of y. The formulas for the covariance S_xy and the standard deviations S_x and S_y are as follows.
In this method, x denotes the k-th message byte value of message ID A (k is typically 1 to 8) and y denotes the m-th message byte value of message ID B. For example, x may denote the 6th-byte message value of message ID XXFEYYEE and y the 3rd-byte message value of message ID XXF003YY.
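Step S203 end to end, as an added Python example that is not part of the patent: it pairs samples of two signals by nearest timestamp inside a window, computes the sample correlation coefficient from the sample covariance and standard deviations, keeps pairs with |r| above the 0.5 preset, and merges them into groups with the AB/AC special case marked. Normalising times by subtracting the capture start, the function names and the constructed signals are assumptions.

```python
from bisect import bisect_left
from collections import defaultdict
from itertools import combinations
from math import sqrt


def pair_by_time(series_a, series_b, window):
    """Pair each A sample with the nearest-in-time B sample at most `window` away.
    Both series are time-sorted lists of (t, value)."""
    times_b = [t for t, _ in series_b]
    xs, ys = [], []
    for t, x in series_a:
        i = bisect_left(times_b, t)
        near = [j for j in (i - 1, i) if 0 <= j < len(times_b)]
        if not near:
            continue
        j = min(near, key=lambda j: abs(times_b[j] - t))
        if abs(times_b[j] - t) <= window:
            xs.append(x)
            ys.append(series_b[j][1])
    return xs, ys


def pearson(xs, ys):
    """r_xy = S_xy / (S_x * S_y) with sample (n - 1) statistics."""
    n = len(xs)
    if n < 2:
        return 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    s_xy = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (n - 1)
    s_x = sqrt(sum((x - mx) ** 2 for x in xs) / (n - 1))
    s_y = sqrt(sum((y - my) ** 2 for y in ys) / (n - 1))
    return 0.0 if s_x == 0 or s_y == 0 else s_xy / (s_x * s_y)


def correlated_pairs(signals, window, preset=0.5):
    """signals: {(can_id, byte_index): [(t, value), ...]}.
    Returns {(signal_a, signal_b): r} for every byte pair with |r| > preset."""
    t0 = min(s[0][0] for s in signals.values())   # assumed normalisation: capture start = 0
    norm = {k: [(t - t0, v) for t, v in s] for k, s in signals.items()}
    found = {}
    for a, b in combinations(sorted(norm), 2):
        r = pearson(*pair_by_time(norm[a], norm[b], window))
        if abs(r) > preset:
            found[(a, b)] = r
    return found


def merge_groups(pairs):
    """Merge intersecting pairs into groups. 'outputs' lists the members correlated
    with every other member: all of them for AB+BC+AC, only A for AB+AC."""
    adj = defaultdict(set)
    for a, b in pairs:
        adj[a].add(b)
        adj[b].add(a)
    groups, seen = [], set()
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        outputs = sorted(n for n in comp if adj[n] >= comp - {n})
        groups.append({"members": sorted(comp), "outputs": outputs})
    return groups


def sample_signals(n=80, t0=1000.0):
    """Constructed capture: three bytes that follow one triangular waveform
    (one of them inverted) and a fourth byte that cycles independently."""
    base = [abs(k % 40 - 20) * 10 for k in range(n)]
    return {
        (0x1A0, 5): [(t0 + 0.02 * k, base[k]) for k in range(n)],
        (0x2B0, 2): [(t0 + 0.02 * k + 0.004, base[k] // 2 + 3) for k in range(n)],
        (0x2B0, 6): [(t0 + 0.02 * k + 0.004, 255 - base[k]) for k in range(n)],
        (0x3C0, 0): [(t0 + 0.02 * k + 0.006, (k % 4) * 20) for k in range(n)],
    }


if __name__ == "__main__":
    pairs = correlated_pairs(sample_signals(), window=0.01)
    for (a, b), r in pairs.items():
        print(a, b, round(r, 3))
    print(merge_groups(pairs))
```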
S204, training the message data in each correlation group by using an LSTM neural network according to time sequence, and establishing a prediction model of each correlation group.
Specifically, for a group that is a pair, either member is selected as the input item and the other as the output item. If the group contains more than two objects, any one of them is taken as the output item and the others as input items. The selection of input and output items may be adjusted according to the training effect. For example, if a_1 (the 1st byte of message ID A), b_2 (the 2nd byte of message ID B) and c_5 (the 5th byte of message ID C) are pairwise correlated, any two of them, such as a_1 and b_2, can be selected as input items, with c_5 as the output item.
Further, after the prediction model is built, several segments of CAN bus messages recorded during normal driving are selected to test it; the standard deviation between the predicted message value and the original message value of a given byte of the corresponding message ID is calculated, and a suitable detection threshold is set according to this standard deviation and the normal data range of the corresponding message. Specifically, the detection threshold may be set to 2 times the standard deviation; in practical application it can be adjusted according to the training data and the fluctuation range of normal message values so as to avoid false alarms.
Further, based on the correlation groups, the prediction model is used to predict in real time the byte value corresponding to its output item. If the deviation between the predicted value of the output item and the value in the message actually received exceeds the detection threshold obtained in training, the group of messages is considered abnormal and the system may be under a malicious injection attack. Continuing the example in S204, during real-time detection the message sequences corresponding to a_1 and b_2 over a short time period are input, the predicted message value of c_5 for that period is output, the error between the predicted value and the actually received value is calculated, and an abnormal-behavior alert is raised when the error exceeds the detection threshold.
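The threshold calibration and the real-time check described above, as an added Python example that is not part of the patent. It swaps the LSTM of S204 for an ordinary least-squares predictor so that it runs with the standard library only; the class and function names, the a_1/b_2/c_5 relation in the constructed traffic, and the reading of "standard deviation between predicted and actual values" as the root-mean-square deviation are assumptions.

```python
from math import sqrt


def fit_linear(inputs, outputs):
    """Least-squares fit of outputs ~ w0 + w1*x1 + w2*x2 + ...
    This is a stand-in for the LSTM prediction model; it returns predict(x)."""
    rows = [[1.0, *map(float, x)] for x in inputs]
    n = len(rows[0])
    # Normal equations (X^T X) w = X^T y, stored as an augmented matrix.
    m = [[sum(r[i] * r[j] for r in rows) for j in range(n)]
         + [sum(r[i] * y for r, y in zip(rows, outputs))] for i in range(n)]
    scale = max(abs(v) for row in m for v in row[:n]) or 1.0
    for col in range(n):                        # Gauss-Jordan with partial pivoting
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-9 * scale:
            raise ValueError("input bytes are collinear; choose other input items")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    w = [m[i][n] / m[i][i] for i in range(n)]
    return lambda x: w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))


class CorrelationDetector:
    """Flags a frame when |predicted - actual| exceeds k times the deviation
    measured on normal driving segments (k = 2 in the description)."""

    def __init__(self, predict, k=2.0):
        self.predict, self.k, self.threshold = predict, k, None

    def calibrate(self, normal_segments):
        """normal_segments: list of segments, each a list of (inputs, actual)."""
        errors = [self.predict(x) - y for seg in normal_segments for x, y in seg]
        if not errors:
            raise ValueError("no calibration data")
        self.threshold = self.k * sqrt(sum(e * e for e in errors) / len(errors))
        return self.threshold

    def is_anomalous(self, inputs, actual):
        if self.threshold is None:
            raise RuntimeError("calibrate() must be called first")
        return abs(self.predict(inputs) - actual) > self.threshold


def normal_frame(k):
    """Constructed normal traffic: c_5 follows a_1 / 5 + b_2 with +/-1 jitter."""
    a1 = abs(k % 40 - 20) * 10
    b2 = (3 * k) % 50 + 20
    c5 = a1 // 5 + b2 + (k % 3 - 1)
    return (a1, b2), c5


def build_detector():
    train = [normal_frame(k) for k in range(600)]
    predict = fit_linear([x for x, _ in train], [y for _, y in train])
    detector = CorrelationDetector(predict)
    detector.calibrate([[normal_frame(k) for k in range(600, 750)],
                        [normal_frame(k) for k in range(900, 1050)]])
    return detector


if __name__ == "__main__":
    det = build_detector()
    print("threshold:", round(det.threshold, 3))
    # c_5 = 20 occurs in normal traffic, but not while a_1 = 200 and b_2 = 20.
    print("injected frame flagged:", det.is_anomalous((200, 20), 20))
    print("normal frame flagged:", det.is_anomalous(*normal_frame(2000)))
```

The flagged frame carries a c_5 value that lies inside the normal data range, which is the case the Background says a classification-based detector misses.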
The vehicle-mounted network anomaly detection method based on correlation analysis of the invention is used to detect abnormal messages on the vehicle CAN bus or other buses. Raw message byte data is extracted directly and subjected to correlation analysis to obtain message combinations with strong correlation; regression analysis is performed on the grouped message data to build models of the correlations among normal messages. The variables of each group model have a positive or inverse correlation and are a digital representation of the states of the vehicle's sensors while the vehicle is being driven, so the models can be used to detect in real time the data inconsistencies caused by malicious data injection attacks.
In another aspect, the invention discloses a vehicle-mounted network anomaly detection system based on correlation analysis, comprising:
a data acquisition module, used for collecting communication data while the vehicle is running; the communication data comprises a message ID, message content and message occurrence time;
a message anomaly detection module, which predicts and outputs the message value at the corresponding byte position by using the prediction model established by the prediction model establishment module, judges whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and judges the message to be abnormal if it does; the prediction model is established based on correlation groups among the communication data collected while the vehicle is being driven; the input of the prediction model is the message values at one or more message-ID byte positions in the correlation group, and the output of the prediction model is the message values at the other message-ID byte positions in the correlation group.
The specific implementation of each module of the vehicle-mounted network anomaly detection system based on correlation analysis is the same as that of the vehicle-mounted network anomaly detection method based on correlation analysis, and is not repeated in this embodiment.
The foregoing is merely illustrative of specific embodiments of the present invention, but the design concept of the present invention is not limited thereto, and any insubstantial modification of the present invention by using the design concept shall fall within the scope of the present invention.

Claims (8)

1. The vehicle-mounted network anomaly detection method based on correlation analysis is characterized by comprising the following steps of:
collecting communication data in the running process of the vehicle; the communication data comprises a message ID, message content and message occurrence time;
predicting and outputting a message value of a corresponding byte order by using the established prediction model, judging whether the deviation between the predicted message value and the actual message value exceeds a detection threshold value, and judging that the message is abnormal if the deviation exceeds the detection threshold value; the prediction model is established based on a correlation group between communication data in the vehicle driving process; the input of the prediction model is a message value corresponding to one or more message ID byte sequences in the related relation packet, and the output of the prediction model is a message value corresponding to other message ID byte sequences in the related relation packet;
the method for establishing the prediction model comprises the following steps:
collecting communication data in the running process of vehicles of the same vehicle type;
calculating the Hamming distance, analyzing the Hamming distance data, and eliminating the message ID with unchanged message content and the bytes with unchanged message content in the message ID; recording the changed message ID and the corresponding byte sequence of the message content;
carrying out normalization processing on the occurrence time of the message event aiming at the recorded message ID, carrying out pairing processing on the event time of different message IDs according to similar moments, respectively calculating the correlation coefficient of each byte pair, extracting the byte pair with the absolute value of the correlation coefficient larger than a preset value, and marking the byte pair as a correlation group; the similar time comprises the same time or a time within a preset range;
training the message data in each correlation group by using an LSTM neural network according to time sequence, and establishing a prediction model of each correlation group.
2. The vehicle-mounted network anomaly detection method based on correlation analysis according to claim 1, wherein calculating Hamming distances, analyzing the Hamming distance data, eliminating the message IDs whose message content does not change and the bytes within a message ID whose content does not change, and recording the message IDs whose message content changes and the corresponding byte positions comprises the following steps:
for each message ID, summing the Hamming distances over all bytes and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the contents of all bytes of the message ID are unchanged, and the message ID is eliminated;
for each message ID not eliminated, counting the Hamming distances of each byte by byte position and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the content of that byte is unchanged, and the unchanged byte is eliminated;
recording the message IDs whose message content changes and the corresponding byte positions.
3. The vehicle-mounted network anomaly detection method based on correlation analysis according to claim 1, wherein the preset value of the correlation coefficient is 0.5.
4. The vehicle-mounted network anomaly detection method based on correlation analysis according to claim 1, wherein the method for setting the detection threshold comprises:
selecting a plurality of segments of communication data recorded during normal driving, predicting the message value of a given byte of the corresponding message ID by using the prediction model, and setting the detection threshold based on the standard deviation between the predicted message value and the actual message value.
5. A vehicle-mounted network anomaly detection system based on correlation analysis, characterized by comprising:
a data acquisition module for collecting communication data while the vehicle is driving; the communication data comprises the message ID, the message content and the message occurrence time;
a message anomaly detection module that predicts and outputs the message value at the corresponding byte position by using the prediction model established by a prediction model establishment module, judges whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and judges the message to be abnormal if the deviation exceeds the detection threshold; the prediction model is established based on correlation groups among the communication data collected while the vehicle is driving; the input of the prediction model is the message values at one or more message-ID byte positions in a correlation group, and the output of the prediction model is the message values at the other message-ID byte positions in that correlation group;
the method for establishing the prediction model comprises the following steps:
collecting communication data while vehicles of the same vehicle model are driving;
calculating Hamming distances, analyzing the Hamming distance data, and eliminating the message IDs whose message content does not change as well as the bytes within a message ID whose content does not change; recording the message IDs whose message content changes and the corresponding byte positions;
for the recorded message IDs, normalizing the occurrence times of the message events, pairing the event times of different message IDs at similar moments, calculating the correlation coefficient of each byte pair, extracting the byte pairs whose correlation coefficient has an absolute value greater than a preset value, and marking them as a correlation group; a similar moment is either the same moment or a moment within a preset range;
training an LSTM neural network on the message data of each correlation group in time order, and establishing a prediction model for each correlation group.
6. The vehicle-mounted network anomaly detection system based on correlation analysis according to claim 5, wherein calculating Hamming distances, analyzing the Hamming distance data, eliminating the message IDs whose message content does not change and the bytes within a message ID whose content does not change, and recording the message IDs whose message content changes and the corresponding byte positions comprises the following steps:
for each message ID, summing the Hamming distances over all bytes and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the contents of all bytes of the message ID are unchanged, and the message ID is eliminated;
for each message ID not eliminated, counting the Hamming distances of each byte by byte position and calculating index values comprising the maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or equal, the content of that byte is unchanged, and the unchanged byte is eliminated;
recording the message IDs whose message content changes and the corresponding byte positions.
7. The vehicle-mounted network anomaly detection system based on correlation analysis according to claim 5, wherein the preset value of the correlation coefficient is 0.5.
8. The vehicle-mounted network anomaly detection system based on correlation analysis according to claim 5, wherein the method for setting the detection threshold comprises:
selecting a plurality of segments of communication data recorded during normal driving, predicting the message value of a given byte of the corresponding message ID by using the prediction model, and setting the detection threshold based on the standard deviation between the predicted message value and the actual message value.
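The model-building steps of claims 1 to 3 up to, but not including, the LSTM training (Hamming-distance filtering, pairing at similar moments, correlation grouping with the 0.5 preset), as an added example that is not code from the patent. The function names, the 5 ms pairing window, the assumption of a fixed payload length per message ID and the sample capture are all assumptions of this example.

```python
from itertools import combinations
from statistics import quantiles

def is_static(d):
    # Claim 2 test: max, min, median and both quartiles all equal (e.g. all 0).
    return len(d) < 2 or len({min(d), max(d), *quantiles(d, n=4)}) == 1

def changing_bytes(frames):
    """Return {(msg_id, byte_pos): [(t, value), ...]} for bytes that change."""
    t0, by_id, out = min(f[0] for f in frames), {}, {}
    for t, mid, data in sorted(frames):
        by_id.setdefault(mid, []).append((t - t0, data))  # time from capture start
    for mid, rows in by_id.items():
        ham = [[bin(x ^ y).count("1") for x, y in zip(p[1], q[1])]
               for p, q in zip(rows, rows[1:])]   # per-byte Hamming distances
        n = 0 if is_static([sum(h) for h in ham]) else len(rows[0][1])
        for pos in range(n):                      # n == 0: whole ID is constant
            if not is_static([h[pos] for h in ham]):
                out[mid, pos] = [(t, d[pos]) for t, d in rows]
    return out

def pair(a, b, window):
    """Pair each sample of a with b's nearest sample if within `window` seconds."""
    near = [(v, min(b, key=lambda s: abs(s[0] - t)), t) for t, v in a]
    return [(v, s[1]) for v, s, t in near if abs(s[0] - t) <= window]

def pearson(pairs):
    n = len(pairs) or 1                           # empty pairing gives r = 0
    mx, my = sum(p for p, _ in pairs) / n, sum(q for _, q in pairs) / n
    sxy = sum((p - mx) * (q - my) for p, q in pairs)
    den = (sum((p - mx) ** 2 for p, _ in pairs)
           * sum((q - my) ** 2 for _, q in pairs)) ** 0.5
    return sxy / den if den else 0.0

def correlation_groups(frames, preset=0.5, window=0.005):
    series, groups = sorted(changing_bytes(frames).items()), []
    for (ka, a), (kb, b) in combinations(series, 2):
        r = pearson(pair(a, b, window))
        if ka[0] != kb[0] and abs(r) > preset:    # only bytes of different IDs
            groups.append((ka, kb, round(r, 3)))
    return groups

# Constructed capture, not real traffic: (time in s, message ID, payload bytes).
SPEED = [10, 12, 15, 19, 24, 30, 37, 45]
NOISE = [7, 200, 33, 150, 90, 5, 220, 64]
FRAMES = [f for i, s in enumerate(SPEED) for f in (
    (100.0 + 0.02 * i, 0x101, bytes([s, 0xAA])),
    (100.002 + 0.02 * i, 0x202, bytes([2 * s + 3, NOISE[i]])),
    (100.004 + 0.02 * i, 0x303, bytes([0x55, 0x55])))]
```

On this capture `correlation_groups(FRAMES)` keeps only the pair (0x101 byte 0, 0x202 byte 0); each such group is what the claims then feed to the LSTM as a time-ordered series.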
CN201911094247.3A 2019-11-11 2019-11-11 Vehicle-mounted network anomaly detection method and system based on correlation analysis Active CN112787984B (en)

Publications (2)

Publication Number Publication Date
CN112787984A (en) 2021-05-11
CN112787984B (en) 2023-11-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant