CN113060082B - Abnormality processing method and device for vehicle-mounted firewall, vehicle-mounted firewall and automobile - Google Patents


Publication number
CN113060082B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010001919.8A
Other languages
Chinese (zh)
Other versions
CN113060082A (en)
Inventor
石笑生
张金池
习成
顾吉杰
黄清泉
张子成
朱东华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Automobile Group Co Ltd
Original Assignee
Guangzhou Automobile Group Co Ltd
Application filed by Guangzhou Automobile Group Co Ltd
Priority to CN202010001919.8A
Publication of CN113060082A
Application granted
Publication of CN113060082B

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/023: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
    • B60R16/0231: Circuits relating to the driving or the functioning of the vehicle
    • B60R16/0232: Circuits relating to the driving or the functioning of the vehicle for measuring vehicle parameters and indicating critical, abnormal or dangerous conditions

Abstract

The application discloses an abnormality processing method and device for a vehicle-mounted firewall, a vehicle-mounted firewall and an automobile. It belongs to the technical field of automobiles and addresses the technical problem that the prior art cannot distinguish harmful abnormal states from harmless abnormalities when the automobile is not networked. The method comprises the following steps: reading the historical abnormalities recorded in an initial alarm record table when the whole vehicle is powered on; when an abnormality is reported during the period from power-on to power-off of the whole vehicle, scoring the reported abnormality once and updating its score in the initial alarm record table; when a historical abnormality in the initial alarm record table is not reported during that period, scoring the unreported historical abnormality once and updating its score in the initial alarm record table; and, if the updated score of an abnormality is within a preset range, judging the abnormality to be harmful, otherwise judging it to be harmless.

Description

Abnormality processing method and device for vehicle-mounted firewall, vehicle-mounted firewall and automobile
Technical Field
The application relates to the technical field of automobiles, in particular to an abnormality processing method and device for a vehicle-mounted firewall, the vehicle-mounted firewall and an automobile.
Background
In the prior art, the vehicle-mounted firewall raises alarms on detected abnormal vehicle behavior and can thereby effectively identify abnormal vehicle states and malicious attacks by hackers.
Due to factors such as fluctuation of the running state of the vehicle, errors in design and production, and aging of electronic components, the network communication of a vehicle contains abnormal states that do not match design expectations. These abnormal states are harmless to the vehicle but may still trigger the firewall's alarm. This type of anomaly is not a harmful abnormal state of the vehicle, such as a hacking attack, and can instead be defined as a "characteristic" of the vehicle.
The existing vehicle-mounted firewall cannot distinguish the "characteristic" of a vehicle from harmful abnormal states such as malicious attacks by hackers, so anomalies related to the vehicle's "characteristic" are treated as harmful anomalies and alarmed on, and the existing vehicle-mounted firewall reports them as well.
Disclosure of Invention
The embodiments of the application provide an abnormality processing method and device for a vehicle-mounted firewall, a vehicle-mounted firewall and an automobile, which aim to solve the technical problem that, in the prior art, the "characteristic" of a vehicle cannot be distinguished from harmful abnormal states such as malicious attacks by hackers when the automobile is not networked.
According to one aspect of the application, an abnormality processing method for a vehicle-mounted firewall is provided, comprising the following steps:
reading an initial alarm record table when the whole vehicle is powered on, wherein historical abnormalities and the scores of the historical abnormalities are recorded in the initial alarm record table;
when an abnormality is reported through the vehicle-mounted firewall during the period from power-on to power-off of the whole vehicle, scoring the reported abnormality once, and updating the score of the corresponding abnormality in the initial alarm record table;
when a historical abnormality in the initial alarm record table is not reported during the period from power-on to power-off of the whole vehicle, scoring the unreported historical abnormality once, and updating the score of the corresponding abnormality in the initial alarm record table;
and if the updated score of an abnormality is within a preset range, judging that the corresponding abnormality is a harmful abnormality, otherwise judging that it is a harmless abnormality.
According to another aspect of the present application, there is provided an abnormality processing apparatus for a vehicle-mounted firewall, the apparatus comprising:
the table reading module is used for reading an initial alarm record table when the whole vehicle is powered on, wherein historical abnormalities and the scores of the historical abnormalities are recorded in the initial alarm record table;
the first scoring module is used for scoring the reported abnormality once and updating the score of the corresponding abnormality in the initial alarm record table when the abnormality is reported through the vehicle-mounted firewall in the period from the power-on of the whole vehicle to the power-off of the whole vehicle;
the second scoring module is used for scoring the unreported historical abnormality once when the unreported historical abnormality exists in the initial alarm record table during the period from the power-on of the whole vehicle to the power-off of the whole vehicle, and updating the score of the unreported corresponding abnormality in the initial alarm record table;
and the judging module is used for judging that the corresponding abnormality is a harmful abnormality if the updated score of the abnormality is within a preset range, and judging that the corresponding abnormality is a harmless abnormality if the updated score of the abnormality is not within the preset range.
According to a further aspect of the present application, there is provided a vehicle-mounted firewall comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the abnormality processing method of the vehicle-mounted firewall when executing the computer program.
According to a further aspect of the application there is provided a vehicle comprising the vehicle firewall.
The abnormality processing method and device for the vehicle-mounted firewall, the vehicle-mounted firewall and the vehicle score reported abnormalities and unreported historical abnormalities separately. Analysis shows that harmless abnormalities occur frequently and persistently, whereas harmful abnormalities do not have this property. Each abnormality is therefore scored only once during the period from power-on to power-off of the whole vehicle, no matter how many times the same abnormality is reported, so the scores recorded in the initial alarm record table are discriminative, and harmful and harmless abnormalities can be distinguished by the final score of each abnormality.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments of the present application will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for exception handling in an in-vehicle firewall according to an embodiment of the application;
FIG. 2 is a flowchart of an anomaly handling method for an in-vehicle firewall according to another embodiment of the application;
FIG. 3 is a flowchart of a method for exception handling in an in-vehicle firewall in accordance with another embodiment of the application;
FIG. 4 is a flowchart of a method for exception handling in an in-vehicle firewall in accordance with another embodiment of the application;
FIG. 5 is an exemplary block diagram of an abnormality processing device of an in-vehicle firewall according to an embodiment of the application;
FIG. 6 is a block diagram of a vehicle-mounted firewall in accordance with one embodiment of the application;
FIG. 7 is a schematic view of an automobile according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The implementation of the application is described in detail below with reference to the specific drawings:
FIG. 1 is a flowchart of an abnormality processing method of an in-vehicle firewall according to an embodiment of the application. The method is described in detail below with reference to FIG. 1; as shown in FIG. 1, it includes the following steps S101 to S104.
S101, reading an initial alarm record table when the whole vehicle is powered on, wherein historical abnormalities and the scores of the historical abnormalities are recorded in the initial alarm record table.
In one embodiment, the initial alarm record table may be stored in a non-volatile memory, and the historical anomalies recorded in the initial alarm record table may include both harmful anomalies and harmless anomalies.
Harmful anomalies are, for example, those caused by malicious attacks by hackers. Harmless anomalies are, for example, abnormal states in the network communication of the vehicle that do not match design expectations and are caused by factors such as fluctuation of the running state of the vehicle itself, errors in design and production, and aging of electronic components.
S102, when an abnormality is reported through a vehicle-mounted firewall during the period from the power-on of the whole vehicle to the power-off of the whole vehicle, scoring the reported abnormality once, and updating the score of the reported corresponding abnormality in the initial alarm record table.
In one embodiment, scoring the reported abnormality once may mean scoring the abnormality when it is first reported during the period from power-up to power-down of the whole vehicle, and not scoring it again if it is reported again before the whole vehicle is powered down.
Further, scoring the reported abnormality once may be adding points to the reported abnormality.
In one embodiment, if the reported anomaly is a historical anomaly recorded in the initial alarm record table, the historical score of the anomaly in the initial alarm record table is obtained, and the sum of that historical score and the points added for this report is taken as the updated score of the anomaly.
S103, when a historical abnormality in the initial alarm record table is not reported during the period from power-on to power-off of the whole vehicle, scoring the unreported historical abnormality once, and updating the score of the corresponding abnormality in the initial alarm record table.
In one embodiment, the score change applied to an unreported historical anomaly has the opposite sign to the score change applied to a reported anomaly.
In one embodiment, scoring the unreported historical anomaly once may be deducting points from the unreported anomaly.
In this embodiment, harmful anomalies are not necessarily reported in every power-on cycle of the vehicle, whereas harmless anomalies are persistent; an anomaly that goes unreported is therefore more likely to be a harmful anomaly, and points are deducted from unreported anomalies so that they stand out.
S104, if the updated score of an abnormality is within a preset range, judging that the corresponding abnormality is a harmful abnormality, otherwise judging that it is a harmless abnormality.
In one embodiment, the preset range may be a manually set range, for example, when the updated score of the anomaly is greater than a preset certain threshold, the anomaly is determined to be a harmless anomaly, and when the updated score of the anomaly is less than or equal to the threshold, the corresponding anomaly is determined to be a harmful anomaly. Further, the alarm processing may be performed on the abnormality determined to be harmful, or the abnormality having a score greater than the threshold may be deleted from the initial alarm record table.
In one embodiment, the method further comprises:
when the corresponding abnormality is judged to be harmful, alarming and reminding the harmful abnormality;
and when the corresponding abnormality is judged to be harmless, deleting the harmless abnormality from the initial alarm record table.
The method scores reported anomalies and unreported historical anomalies separately. Analysis shows that harmless anomalies occur frequently and persistently. Each anomaly is therefore scored only once during the period from power-on to power-off of the whole vehicle, no matter how many times the same anomaly is reported, so the scores of the anomalies recorded in the initial alarm record table are discriminative, and harmful and harmless anomalies can be distinguished by the final score of each anomaly.
FIG. 2 is a flowchart of an abnormality processing method of an in-vehicle firewall according to another embodiment of the application. As shown in FIG. 2, in addition to steps S101, S103 and S104, the method further includes the following steps S201 and S202.
S201, acquiring the abnormalities reported during the period from power-on to power-off of the whole vehicle;
S202, judging whether the initial alarm record table contains the reported abnormality; if so, adding points to the reported abnormality once when it is first reported; otherwise, adding points to the reported abnormality once, starting from zero, when it is first reported, and storing the reported abnormality and its score in the initial alarm record table.
In one embodiment, if the reported abnormality is not a historical abnormality recorded in the initial alarm record table, then when the reported abnormality is stored in the initial alarm record table, the points added for the reported abnormality may be taken as the score recorded for that abnormality in the table.
FIG. 3 is a flowchart of an abnormality processing method of an in-vehicle firewall according to another embodiment of the application. As shown in FIG. 3, in addition to steps S101, S102 and S104, the method further includes the following step S301.
S301, when a historical abnormality in the initial alarm record table is not reported during the period from power-on to power-off of the whole vehicle, deducting points once from the unreported historical abnormality, and updating the score of the corresponding abnormality in the initial alarm record table.
In this embodiment, points may be added to a reported anomaly when it is first reported and, correspondingly, points may be deducted from unreported historical anomalies, so as to distinguish harmful anomalies from harmless anomalies.
In other embodiments, points may instead be deducted from a reported anomaly when it is first reported and, correspondingly, points may be added to unreported historical anomalies; this also distinguishes harmful anomalies from harmless anomalies.
In this embodiment, deducting points from unreported historical anomalies while adding points to reported anomalies pulls the scores of harmful and harmless anomalies apart, which makes it easier for the vehicle-mounted firewall to distinguish the two.
FIG. 4 is a flowchart of an abnormality processing method of an in-vehicle firewall according to still another embodiment of the application. Optionally, as shown in FIG. 4, step S101 further includes the following step S401:
S401, reading an initial alarm record table from a non-volatile memory when the whole vehicle is powered on, wherein historical abnormalities and the scores of the historical abnormalities are recorded in the initial alarm record table.
In one embodiment, the abnormality processing method of the vehicle-mounted firewall further includes the following step S402.
S402, when the whole vehicle is powered down, storing the updated initial alarm record table in the non-volatile memory as a new initial alarm record table.
One usage scenario of this embodiment is as follows. Over M ignition cycles (where M is a preset value), the vehicle-mounted firewall learns the erroneous message behavior on the vehicle's communication bus that does not conform to the definition and design targets of the bus communication protocol, as well as behavior such as message-period fluctuation caused by the aging of electronic devices and changes in the bus load rate. Abnormal behavior of the vehicle that is due to physical factors or design reasons is then ignored, while malicious attacks and dangerous abnormal states of the vehicle are exposed and highlighted.
The application adds an alarm record table function to the vehicle-mounted firewall: the table stores the alarms (or abnormalities) raised by the vehicle-mounted firewall together with their scores, and a method is defined for scoring each alarm.
The score of an alarm is calculated from its continued occurrence over multiple ignition cycles and reflects how persistent the alarm is during vehicle operation. When the score of an alarm in the record table is greater than or equal to a threshold x, the behavior that triggers the alarm can be judged to be persistent, high-frequency abnormal behavior, and the vehicle-mounted firewall then no longer generates and sends that alarm.
Each time the whole vehicle is powered on, the vehicle-mounted firewall reads the record table from the non-volatile memory into memory, and it updates and maintains the record table in memory while it is running. Each time before the whole vehicle is powered down, the vehicle-mounted firewall writes the alarm record table in memory to the non-volatile memory, overwriting the old alarm record table. The application thus has the vehicle-mounted firewall maintain two alarm record tables: one in memory, used at run time, and one in the non-volatile memory, which holds the alarm record table contents while the vehicle is not in operation. The vehicle-mounted firewall modifies only the alarm record table in memory; the record table in the non-volatile memory is only overwritten and read.
In each ignition cycle, that is, while the vehicle is running between power-on and power-down of the whole vehicle, the vehicle-mounted firewall scores each alarm in the alarm record table and updates it only once. If the score of an alarm has been increased in the ignition cycle, it is not decreased afterwards; if instead the score of an alarm has not changed by the time the whole vehicle is powered down, the score is reduced. Once the score of an alarm has reached the threshold x, the vehicle-mounted firewall no longer modifies the score of that alarm.
In this scenario, if an alarm occurs at least once during an ignition cycle, its score is increased by 2; otherwise, its score is decreased by 1. The detailed logic is as follows:
1) If the score of an alarm in the alarm record table is greater than or equal to the threshold x, the score of that alarm is not modified in the whole-vehicle power-down period;
2) If an alarm occurs, its score in the record table is greater than or equal to 1 and less than the threshold x, and its score has not been modified in the current ignition cycle, then 2 is added to the score, and the score is not modified again afterwards within the ignition cycle;
3) If an alarm occurs, its score in the record table is greater than or equal to 1 and less than or equal to the threshold x, and its score has already been modified in the current ignition cycle, the record table does not need to be updated;
4) If, when the whole vehicle is powered down, the score of an alarm in the record table has not been modified and is greater than or equal to 1 and less than or equal to the threshold x, 1 is subtracted from the score;
5) If the score of an alarm is less than or equal to 0 after 1 is subtracted, the record of the alarm is deleted from the record table;
6) If the alarm record table has no record of the alarm, a record is newly created and the initial score of the alarm is 2.
Each time before it sends an alarm, the vehicle-mounted firewall checks the alarm record table and handles the abnormality according to the score of the alarm in the table as follows:
1) If the same alarm exists and the score is larger than or equal to the threshold value x, no alarm reminding is sent to the alarm;
2) If the same alarm exists and the score is more than or equal to 1 and less than the threshold value x, sending an alarm reminding to the alarm;
3) If the same alarm does not exist, a record of the alarm is newly established, and the corresponding initial score is 2.
When the whole vehicle is powered down, the updated initial alarm record table is stored in the non-volatile memory as the new initial alarm record table, so the table read from the non-volatile memory at the next power-on is the updated one. The abnormality processing method of the vehicle-mounted firewall is therefore cyclic: scores accumulate over repeated power-down and power-up cycles of the whole vehicle, which makes the distinction between harmful and harmless anomalies more pronounced and lets the vehicle-mounted firewall update its policy and reduce the false alarm rate without any download or over-the-air update.
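The scoring rules 1) to 6), the reminder decision and the two-table persistence of this scenario, as an added C example that is not code from the patent. The threshold value 6, the alarm id 0x2A, the table size, alarming when the table is full, letting rule 1 win when a score equals x, and deciding on the reminder after the +2 update are assumptions; the `nvm` variable stands in for the non-volatile memory.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ALARMS 16          /* assumed table capacity */

typedef struct {
    unsigned id;   /* alarm identifier (hypothetical, e.g. a firewall rule id) */
    int score;     /* persistence score kept across ignition cycles */
    int touched;   /* 1 once the score was modified in this ignition cycle */
    int used;
} alarm_rec;

typedef struct {
    alarm_rec rec[MAX_ALARMS];
    int x;         /* threshold x from the page; its value is an assumption */
} alarm_table;

static alarm_table nvm;        /* stands in for the copy in non-volatile memory */

static alarm_rec *find(alarm_table *t, unsigned id) {
    for (int i = 0; i < MAX_ALARMS; i++)
        if (t->rec[i].used && t->rec[i].id == id) return &t->rec[i];
    return NULL;
}

/* Power-on: load the table from NVM; no score has been modified yet. */
void table_power_on(alarm_table *ram) {
    *ram = nvm;
    for (int i = 0; i < MAX_ALARMS; i++) ram->rec[i].touched = 0;
}

/* Called for every detection. Returns 1 if an alarm reminder is sent. */
int table_report(alarm_table *t, unsigned id) {
    alarm_rec *r = find(t, id);
    if (!r) {                                    /* rule 6: new record, score 2 */
        for (int i = 0; i < MAX_ALARMS && !r; i++)
            if (!t->rec[i].used) r = &t->rec[i];
        if (!r) return 1;                        /* table full: alarm untracked */
        r->used = 1; r->id = id; r->score = 2; r->touched = 1;
    } else if (r->score < t->x && !r->touched) { /* rule 2: +2 once per cycle */
        r->score += 2; r->touched = 1;
    }                                            /* rules 1 and 3: no change */
    return r->score < t->x;                      /* suppressed at or above x */
}

/* Power-down: decay alarms not seen this cycle, then overwrite the NVM copy. */
void table_power_down(alarm_table *ram) {
    for (int i = 0; i < MAX_ALARMS; i++) {
        alarm_rec *r = &ram->rec[i];
        if (!r->used || r->score >= ram->x || r->touched) continue; /* rule 1 */
        if (--r->score <= 0) r->used = 0;        /* rules 4 and 5 */
    }
    nvm = *ram;
}

typedef struct { int score; int sent; } sim_result;

/* Run one alarm through ignition cycles given as a constructed pattern:
 * '1' = the alarm is detected (twice) in that cycle, '0' = not detected.
 * Returns the stored score (0 if the record was deleted) and reminders sent. */
sim_result simulate(const char *cycles, int x) {
    alarm_table ram;
    sim_result res = {0, 0};
    memset(&nvm, 0, sizeof nvm);
    nvm.x = x;
    for (const char *c = cycles; *c; c++) {
        table_power_on(&ram);
        if (*c == '1') {
            res.sent += table_report(&ram, 0x2A);
            res.sent += table_report(&ram, 0x2A); /* repeat: scored only once */
        }
        table_power_down(&ram);
    }
    alarm_rec *r = find(&nvm, 0x2A);
    res.score = r ? r->score : 0;
    return res;
}

int main(void) {
    const char *cases[] = {"1111", "1000", "1101", "111000000"};
    for (int i = 0; i < 4; i++) {
        sim_result r = simulate(cases[i], 6);
        printf("%-10s score=%d reminders=%d\n", cases[i], r.score, r.sent);
    }
    return 0;
}
```

Under rule 1 a score at or above x is never decayed, so in this model the "111000000" pattern stays at 6 and the alarm remains suppressed after it stops occurring.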
FIG. 5 is an exemplary block diagram of an abnormality processing device for an in-vehicle firewall according to an embodiment of the application. The device is described in detail below with reference to FIG. 5; as shown in FIG. 5, the abnormality processing device 100 for an in-vehicle firewall includes a table reading module 11, a first scoring module 12, a second scoring module 13, and a judging module 14.
The table reading module 11 is configured to read an initial alarm record table when the whole vehicle is powered on, where historical abnormalities and the scores of the historical abnormalities are recorded in the initial alarm record table.
In one embodiment, the initial alarm record table may be stored in a non-volatile memory, and the historical anomalies recorded in the initial alarm record table may include both harmful anomalies and harmless anomalies.
Harmful anomalies are, for example, those caused by malicious attacks by hackers. Harmless anomalies are, for example, abnormal states in the network communication of the vehicle that do not match design expectations and are caused by factors such as fluctuation of the running state of the vehicle itself, errors in design and production, and aging of electronic components.
The first scoring module 12 is configured to score the reported abnormality once and update the score of the reported corresponding abnormality in the initial alarm record table when the abnormality is reported through the vehicle-mounted firewall during the period from the power-up of the whole vehicle to the power-down of the whole vehicle.
In one embodiment, scoring the reported abnormality once may mean scoring the abnormality when it is first reported during the period from power-up to power-down of the whole vehicle, and not scoring it again if it is reported again before the whole vehicle is powered down.
Further, scoring the reported abnormality once may be adding points to the reported abnormality.
In one embodiment, if the reported anomaly is a historical anomaly recorded in the initial alarm record table, the historical score of the anomaly in the initial alarm record table is obtained, and the sum of that historical score and the points added for this report is taken as the updated score of the anomaly.
The second scoring module 13 is configured to score an unreported historical anomaly once and update the score of the corresponding anomaly in the initial alarm record table when a historical anomaly in the initial alarm record table is not reported during the period from power-up to power-down of the whole vehicle.
In one embodiment, the score change applied to an unreported historical anomaly has the opposite sign to the score change applied to a reported anomaly.
In one embodiment, scoring the unreported historical anomaly once may be deducting points from the unreported anomaly.
In this embodiment, harmful anomalies are not necessarily reported in every power-on cycle of the vehicle, whereas harmless anomalies are persistent; an anomaly that goes unreported is therefore more likely to be a harmful anomaly, and points are deducted from unreported anomalies so that they stand out.
In one embodiment, the score change that the second scoring module 13 applies to unreported historical anomalies has the opposite sign to the score change applied to reported anomalies.
The judging module 14 is configured to judge that the corresponding abnormality is a harmful abnormality if the updated score of the abnormality is within a preset range, and otherwise to judge that the corresponding abnormality is a harmless abnormality.
In one embodiment, the preset range may be a manually set range, for example, when the updated score of the anomaly is greater than a preset certain threshold, the anomaly is determined to be a harmless anomaly, and when the updated score of the anomaly is less than or equal to the threshold, the corresponding anomaly is determined to be a harmful anomaly. Further, the alarm processing may be performed on the abnormality determined to be harmful, or the abnormality having a score greater than the threshold may be deleted from the initial alarm record table.
In one embodiment, the first scoring module 12 comprises:
the abnormality acquisition unit is used for acquiring the abnormality reported from the period from the power-on of the whole vehicle to the power-off of the whole vehicle;
and the first judging unit is used for judging whether the initial alarm record table contains the reported abnormality, if so, carrying out one-time scoring on the reported abnormality when the abnormality is reported for the first time, otherwise, carrying out one-time scoring on the reported abnormality based on zero when the abnormality is reported for the first time, and storing the reported abnormality and the scored score in the initial alarm record table.
In one embodiment, if the reported abnormality is not a historical abnormality recorded in the initial alarm record table, when the reported abnormality is stored in the initial alarm record table, the score of the reported abnormality may be determined as the score recorded by the abnormality in the initial alarm record table.
In one embodiment, the second scoring module 13 includes:
and the subtracting unit is used for deducting points once from an unreported historical abnormality when a historical abnormality in the initial alarm record table is not reported during the period from power-on to power-off of the whole vehicle.
In this embodiment, the first scoring module 12 may add points to a reported abnormality when it is first reported and, correspondingly, the second scoring module 13 may deduct points from unreported historical abnormalities, so as to distinguish harmful abnormalities from harmless abnormalities.
In other embodiments, the first scoring module 12 may instead deduct points from a reported abnormality when it is first reported and, correspondingly, the second scoring module 13 may add points to unreported historical abnormalities; this also distinguishes harmful abnormalities from harmless abnormalities.
In this embodiment, deducting points from unreported historical anomalies while adding points to reported anomalies pulls the scores of harmful and harmless anomalies apart, which makes it easier for the vehicle-mounted firewall to distinguish the two.
In one embodiment, the abnormality processing device 100 of the in-vehicle firewall further includes:
an alarm module, used for raising an alarm for the harmful abnormality when the corresponding abnormality is judged to be harmful;
and a deleting module, used for deleting the harmless abnormality from the initial alarm record table when the corresponding abnormality is judged to be harmless.
In one embodiment, the table reading module 11 is specifically configured to read the initial alarm record table from the nonvolatile memory when the whole vehicle is powered on.
Further, the abnormality processing device 100 of the in-vehicle firewall further includes:
a storage module, used for storing the updated initial alarm record table in the nonvolatile memory as the new initial alarm record table when the whole vehicle is powered down.
The abnormality processing device of the vehicle-mounted firewall scores reported abnormalities and unreported historical abnormalities separately. Analysis shows that harmless abnormalities occur at high frequency and continuously, whereas harmful abnormalities do not have these characteristics. Therefore, when reported abnormalities and unreported historical abnormalities are scored, each abnormality is scored only once during the period from power-on to power-off of the whole vehicle, no matter how many times the same abnormality is reported. As a result, the scores recorded in the initial alarm record table are discriminative, and harmful and harmless abnormalities can be distinguished by their final scores.
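The per-power-cycle scoring described above can be sketched as follows. This is an added example, not code from the patent: the anomaly identifiers, the step of 1 point, the threshold of 3, the fixed table size and the choice to judge at power-down are all assumptions, and the nonvolatile read and write are left to the caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 16
#define STEP        1   /* assumed points added or subtracted per power cycle */
#define THRESHOLD   3   /* assumed: score > THRESHOLD is harmless, else harmful */

typedef struct {
    uint32_t id;     /* anomaly identifier (constructed for this example) */
    int      score;
    bool     seen;   /* already scored in the current power cycle */
} entry_t;

typedef struct { entry_t e[MAX_ENTRIES]; size_t n; } alarm_table_t;

static entry_t *find(alarm_table_t *t, uint32_t id) {
    for (size_t i = 0; i < t->n; i++)
        if (t->e[i].id == id) return &t->e[i];
    return NULL;
}

/* Power-on: the table would be loaded from NVM here; reset per-cycle flags. */
void power_on(alarm_table_t *t) {
    for (size_t i = 0; i < t->n; i++) t->e[i].seen = false;
}

/* The firewall reports an anomaly. Only the first report in a power cycle
 * changes the score; a new anomaly starts from zero. Returns true if scored. */
bool report(alarm_table_t *t, uint32_t id) {
    entry_t *e = find(t, id);
    if (e == NULL) {
        if (t->n == MAX_ENTRIES) return false;   /* table full: not recorded */
        e = &t->e[t->n++];
        e->id = id; e->score = 0; e->seen = false;
    }
    if (e->seen) return false;                   /* repeat within this cycle */
    e->score += STEP;
    e->seen = true;
    return true;
}

/* Power-off: subtract once from every unreported historical anomaly, judge
 * each entry, delete harmless ones. Returns the number of harmful anomalies
 * (the ones to alarm on); the caller then writes the table back to NVM. */
size_t power_off(alarm_table_t *t) {
    size_t keep = 0;
    for (size_t i = 0; i < t->n; i++) {
        entry_t e = t->e[i];
        if (!e.seen) e.score -= STEP;
        if (e.score > THRESHOLD) continue;       /* harmless: deleted */
        t->e[keep++] = e;                        /* harmful: kept */
    }
    t->n = keep;
    return keep;
}

/* Score of an anomaly, or `missing` if it is not in the table. */
int score_of(alarm_table_t *t, uint32_t id, int missing) {
    entry_t *e = find(t, id);
    return e ? e->score : missing;
}

int main(void) {
    alarm_table_t t = {0};
    for (int cycle = 1; cycle <= 4; cycle++) {   /* constructed scenario */
        power_on(&t);
        for (int k = 0; k < 3; k++) report(&t, 0x101); /* recurs every cycle */
        if (cycle == 1) report(&t, 0x2A0);             /* seen once only */
        size_t harmful = power_off(&t);
        printf("cycle %d: harmful=%zu\n", cycle, harmful);
    }
    return 0;
}
```

In this sketch an anomaly that recurs in every cycle crosses the threshold on the fourth cycle and is deleted, while the one seen only once drifts downward and stays harmful; a deleted entry that is reported again re-enters the table from zero.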
Fig. 6 is a block diagram of a vehicle-mounted firewall according to an embodiment of the present application. For the specific limitations of the abnormality processing device of the vehicle-mounted firewall, refer to the limitations of the abnormality processing method of the vehicle-mounted firewall above, which are not repeated here. Each module in the abnormality processing device of the vehicle-mounted firewall may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in, or independent of, the processor of the vehicle-mounted firewall in hardware form, or stored in the memory of the vehicle-mounted firewall in software form, so that the processor can call them and execute the corresponding operations.
In one embodiment, a vehicle-mounted firewall is provided, the internal structure of which may be as shown in Fig. 6. The vehicle-mounted firewall comprises a processor, a memory, a network interface, an output device and an input device, which are connected through a system bus. The processor of the vehicle-mounted firewall provides computing and control capabilities. The memory of the vehicle-mounted firewall comprises a nonvolatile storage medium and an internal memory. The nonvolatile storage medium stores an operating system and a computer program, and is specifically used for storing the initial alarm record table. The internal memory provides an environment for running the operating system and the computer program stored in the nonvolatile storage medium. The network interface of the vehicle-mounted firewall is used for communicating with external devices through a network connection. The computer program, when executed by the processor, implements the abnormality processing method of the vehicle-mounted firewall.
In one embodiment, a vehicle firewall is provided, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor executes the computer program to implement steps of the method for exception handling of the vehicle firewall in the above embodiment, such as steps 101 to 104 shown in fig. 1. Alternatively, the processor may implement the functions of the respective modules/units of the abnormality processing apparatus for the vehicle-mounted firewall in the above-described embodiment, such as the functions of the modules 11 to 14 shown in fig. 5, when executing the computer program. In order to avoid repetition, a description thereof is omitted.
In one embodiment, a computer readable storage medium is provided, on which a computer program is stored, which when executed by a processor, implements the steps of the abnormality processing method of the vehicle-mounted firewall in the above embodiment, such as steps 101 to 104 shown in fig. 1. Alternatively, the computer program when executed by the processor implements the functions of the respective modules/units of the abnormality processing apparatus for the in-vehicle firewall in the above-described embodiment, such as the functions of the modules 11 to 14 shown in fig. 5. In order to avoid repetition, a description thereof is omitted.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above.
According to still another aspect of the present application, there is provided a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the abnormality processing method of the in-vehicle firewall.
Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include nonvolatile and/or volatile memory. Nonvolatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
Fig. 7 is a schematic structural diagram of an automobile according to an embodiment of the present application, and as shown in fig. 7, the automobile includes the above-mentioned vehicle firewall.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. An abnormality processing method for a vehicle-mounted firewall, characterized by comprising the following steps:
reading an initial alarm record table when the whole vehicle is powered on, wherein historical abnormalities and the scores of the historical abnormalities are recorded in the initial alarm record table;
when an abnormality is reported through a vehicle-mounted firewall during the period from the power-on of the whole vehicle to the power-off of the whole vehicle, scoring the reported abnormality once, and updating the score of the reported corresponding abnormality in the initial alarm record table;
when the unreported historical abnormality exists in the initial alarm record table during the period from the power-on of the whole vehicle to the power-off of the whole vehicle, scoring the unreported historical abnormality once, and updating the score of the unreported corresponding abnormality in the initial alarm record table;
and if the updated scores of the anomalies are within a preset range, judging that the corresponding anomalies are harmful anomalies, otherwise, judging that the corresponding anomalies are harmless anomalies.
2. The abnormality processing method of a vehicle-mounted firewall according to claim 1, wherein when an abnormality is reported through the vehicle-mounted firewall during a period from a power-up to a power-down of the whole vehicle, the step of scoring the reported abnormality once and updating the score of the reported corresponding abnormality in the initial alarm record table includes:
acquiring the abnormalities reported during the period from power-on to power-off of the whole vehicle;
judging whether the initial alarm record table contains the reported abnormality; if so, scoring the reported abnormality once when it is first reported; otherwise, scoring the reported abnormality once, starting from zero, when it is first reported, and storing the reported abnormality and its score in the initial alarm record table.
3. The abnormality processing method of a vehicle-mounted firewall according to claim 1, wherein when there is an unreported history abnormality in the initial alarm record table during a period from power-up to power-down of the whole vehicle, the step of scoring the unreported history abnormality once includes:
when the initial alarm record table contains a historical abnormality that was not reported during the period from power-on to power-off of the whole vehicle, subtracting once from the score of the unreported historical abnormality.
4. The abnormality processing method of a vehicle-mounted firewall according to claim 1, characterized in that the method further comprises:
when the corresponding abnormality is judged to be harmful, alarming and reminding the harmful abnormality;
and when the corresponding abnormality is judged to be harmless, deleting the harmless abnormality from the initial alarm record table.
5. The abnormality processing method of a vehicle-mounted firewall according to any one of claims 1 to 4, characterized in that the step of reading an initial alarm record table when the whole vehicle is powered on includes:
when the whole vehicle is powered on, the initial alarm record table is read from a nonvolatile memory;
and when the whole vehicle is powered down, the updated initial alarm record table is used as a new initial alarm record table to be stored in the nonvolatile memory.
6. An abnormality processing apparatus of a vehicle-mounted firewall, the apparatus comprising:
the table reading module is used for reading an initial alarm record table when the whole vehicle is electrified, wherein historical abnormality and scores of the historical abnormality are recorded in the initial alarm record table;
the first scoring module is used for scoring the reported abnormality once and updating the score of the corresponding abnormality in the initial alarm record table when the abnormality is reported through the vehicle-mounted firewall in the period from the power-on of the whole vehicle to the power-off of the whole vehicle;
the second scoring module is used for scoring the unreported historical abnormality once when the unreported historical abnormality exists in the initial alarm record table during the period from the power-on of the whole vehicle to the power-off of the whole vehicle, and updating the score of the unreported corresponding abnormality in the initial alarm record table;
and the judging module is used for judging that the corresponding abnormality is a harmful abnormality if the updated score of the abnormality is within a preset range, and judging that the corresponding abnormality is a harmless abnormality if the updated score of the abnormality is not within the preset range.
7. The abnormality processing device of the in-vehicle firewall according to claim 6, wherein the first scoring module includes:
an abnormality acquisition unit, used for acquiring the abnormalities reported during the period from power-on to power-off of the whole vehicle;
and a first judging unit, used for judging whether the initial alarm record table contains the reported abnormality; if so, scoring the reported abnormality once when it is first reported; otherwise, scoring the reported abnormality once, starting from zero, when it is first reported, and storing the reported abnormality and its score in the initial alarm record table.
8. The abnormality processing device of the in-vehicle firewall according to claim 6, wherein the second scoring module includes:
a subtracting unit, used for subtracting once from the score of an unreported historical abnormality when the initial alarm record table contains a historical abnormality that was not reported during the period from power-on to power-off of the whole vehicle.
9. A vehicle firewall comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, performs the steps of the method for exception handling of a vehicle firewall according to any one of claims 1 to 5.
10. An automobile comprising the in-vehicle firewall of claim 9.
CN202010001919.8A 2020-01-02 2020-01-02 Abnormality processing method and device for vehicle-mounted firewall, vehicle-mounted firewall and automobile Active CN113060082B (en)

Publications (2)

Publication Number Publication Date
CN113060082A CN113060082A (en) 2021-07-02
CN113060082B true CN113060082B (en) 2023-12-15

Family

ID=76558167

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant