CN113904894A - CAN network data security monitoring method, device, equipment and readable storage medium - Google Patents


Info

Publication number: CN113904894A
Authority: CN (China)
Application number: CN202111151787.8A
Other languages: Chinese (zh)
Other versions: CN113904894B (en)
Prior art keywords: data, network, mirror image, queue, image data
Inventors: 周鹏, 王健, 赵耀邦, 夏洋
Current assignee / original assignee: Zhixin Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Legal status: Granted, currently active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application filed by Zhixin Technology Co Ltd; priority to CN202111151787.8A; published as CN113904894A; granted and published as CN113904894B.

Classifications

    • H04L12/40 Bus networks (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks])
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security)
    • H04L2012/40215 Controller Area Network CAN (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN > H04L12/40 Bus networks > H04L2012/40208 Bus networks characterized by the use of a particular bus standard)
    • H04L2012/40273 Bus for use in transportation systems, the transportation system being a vehicle (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN > H04L12/40 Bus networks > H04L2012/40267 Bus for use in transportation systems)
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS > Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a CAN network data security monitoring method, device, equipment and readable storage medium. The method comprises the following steps: when the arrival of mirror image data in the CAN network is monitored, writing the mirror image data into a cache queue of a high-speed data cache region; reading the mirror image data that was written first into the cache queue of the high-speed data cache region; judging whether the read mirror image data is abnormal; if it is abnormal, adding 1 to the abnormal accumulated value of the application corresponding to the mirror image data; and when the abnormal accumulated value is larger than a preset threshold value, performing the corresponding operation and outputting the corresponding prompt information according to the type of the application. The invention analyzes the CAN network data after mirroring it, so that the CAN network data can be monitored without affecting normal functions, illegal or suspicious operations can be discovered, further active and passive information security isolation, filtering and protection can be applied, and security protection is provided for the CAN network.

Description

CAN network data security monitoring method, device, equipment and readable storage medium
Technical Field
The invention relates to the technical field of CAN network information security protection, in particular to a CAN network data security monitoring method, device, equipment and readable storage medium.
Background
With the development of intelligent connected vehicles, information security is becoming an indispensable core function of the future intelligent connected vehicle, and implementing it requires that CAN network communication keep its real-time performance and high reliability. In the prior art, information security methods are applied directly to the CAN network, which has certain defects. First, the information security measures can increase the bandwidth load of the CAN network. Second, because the complex information security analysis techniques for the CAN network cannot be processed in real time in a traditional central security gateway, information security techniques based on intercepting and filtering messages bring large latency and latency jitter, which can break the real-time requirements of CAN communication. Third, because the computing capability of the MCU on the traditional central security gateway is limited and the MCU is not well suited to data analysis, it is impossible to monitor and analyze the CAN network data without affecting normal functions in order to discover illegal or suspicious operations and then take further active or passive information security isolation, filtering and protection operations to provide security protection for the CAN network; doing so would violate the functional safety requirements of the CAN application.
Disclosure of Invention
The invention mainly aims to provide a CAN network data security monitoring method, a device, equipment and a readable storage medium, and aims to solve the technical problem that the conventional information security method cannot monitor CAN network data without influencing normal functions because the computing capability of the conventional central security gateway is limited, and provide security protection for a CAN network.
In a first aspect, the present invention provides a CAN network data security monitoring method, including the following steps:
when the situation that mirror image data in the CAN network arrives is monitored, the mirror image data is written into a cache queue of a high-speed data cache region;
reading the mirror image data written firstly in the cache queue of the high-speed data cache region;
judging whether the read mirror image data is abnormal or not;
if the mirror image data is abnormal, adding 1 to the abnormal accumulated value of the application corresponding to the mirror image data;
and when the abnormal accumulated value is larger than a preset threshold value, performing corresponding operation and outputting corresponding prompt information according to the type of the application.
Optionally, the step of writing the mirror image data into a buffer queue of a high-speed data buffer area when it is monitored that the mirror image data in the CAN network arrives includes:
setting a unique identification number for communicating with a CAN network for data analysis equipment;
copying data meeting a preset rule on a CAN network route, and adding 1 to the numerical value of the number of forwarding copies;
and forwarding the copied mirror image data to the data analysis equipment corresponding to the unique identification number.
Optionally, the step of writing the mirror image data into a buffer queue of a high-speed data buffer area when it is monitored that the mirror image data in the CAN network arrives includes:
when the situation that mirror image data in the CAN network arrives is monitored, whether a cache queue of the cache area is full or not is judged;
and if the cache queue of the high-speed data cache region is not full, writing the mirror image data into the cache queue of the high-speed cache region, and updating a queue mark of the cache queue.
Optionally, after the step of determining whether the current cache queue of the cache region is full when it is monitored that mirror image data in the CAN network arrives, the method includes:
if the cache queue of the high-speed data cache region is full, judging whether the queue head data of the cache queue is being read;
if the queue head data is being read, discarding the mirror image data;
and if the queue head data is not being read, discarding the queue head data, writing the mirror image data into the queue head, and updating a queue mark of a buffer queue.
Optionally, the step of reading the mirrored data written first in the buffer queue of the cache data buffer includes:
and reading the mirror image data written firstly in the cache queue of the high-speed data cache region according to the queue mark of the cache queue of the high-speed data cache region, and updating the queue mark.
Optionally, the step of performing corresponding operation and outputting corresponding prompt information according to the type of the application includes:
if the application is a non-key application, closing the application and outputting a prompt message of closing the application to a user;
and if the application is a key application, isolating the ECU corresponding to the application and outputting prompt information instructing the user to pull over for repair.
In a second aspect, the present invention further provides a CAN network data security monitoring apparatus, including:
the write-in module is used for writing the mirror image data into a cache queue of a high-speed data cache region when the situation that the mirror image data in the CAN network arrives is monitored;
the reading module is used for reading the mirror image data written in the cache queue of the high-speed data cache region firstly;
the judging module is used for judging whether the read mirror image data is abnormal or not;
the accumulation module is used for adding 1 to the abnormal accumulation value of the application corresponding to the mirror image data if the abnormality exists;
and the control module is used for carrying out corresponding operation and outputting corresponding prompt information according to the type of the application when the abnormal cumulative value is larger than a preset threshold value.
Optionally, the CAN network data security monitoring apparatus further includes a forwarding module, configured to:
setting a unique identification number for communicating with a CAN network for data analysis equipment;
copying data meeting a preset rule on a CAN network route, and adding 1 to the numerical value of the number of forwarding copies;
and forwarding the copied mirror image data to the data analysis equipment corresponding to the unique identification number.
Optionally, the writing module is configured to:
when the situation that mirror image data in the CAN network arrives is monitored, whether a cache queue of the cache area is full or not is judged;
and if the cache queue of the high-speed data cache region is not full, writing the mirror image data into the cache queue of the high-speed cache region, and updating a queue mark of the cache queue.
Optionally, the writing module is further configured to:
if the cache queue of the high-speed data cache region is full, judging whether the queue head data of the cache queue is being read;
if the queue head data is being read, discarding the mirror image data;
and if the queue head data is not being read, discarding the queue head data, writing the mirror image data into the queue head, and updating a queue mark of a buffer queue.
Optionally, the reading module is configured to:
and reading the mirror image data written firstly in the cache queue of the high-speed data cache region according to the queue mark of the cache queue of the high-speed data cache region, and updating the queue mark.
Optionally, the control module is configured to:
if the application is a non-key application, closing the application and outputting a prompt message of closing the application to a user;
and if the application is a key application, isolating the ECU corresponding to the application and outputting prompt information instructing the user to pull over for repair.
In a third aspect, the present invention further provides a CAN network data security monitoring device, where the CAN network data security monitoring device includes a processor, a memory, and a CAN network data security monitoring program stored in the memory and executable by the processor, where the steps of the CAN network data security monitoring method are implemented when the CAN network data security monitoring program is executed by the processor.
In a fourth aspect, the present invention further provides a readable storage medium, where the readable storage medium stores a CAN network data security monitoring program, where the CAN network data security monitoring program, when executed by a processor, implements the steps of the CAN network data security monitoring method as described above.
In the invention, when the arrival of mirror image data in a CAN network is monitored, the mirror image data is written into a cache queue of a high-speed data cache region; the mirror image data written first into the cache queue is read; whether the read mirror image data is abnormal is judged; if it is abnormal, 1 is added to the abnormal accumulated value of the application corresponding to the mirror image data; and when the abnormal accumulated value is larger than a preset threshold value, the corresponding operation is performed and the corresponding prompt information is output according to the type of the application. The invention combines several methods to send the CAN network data to a data analysis device, such as the MPU on the SOC, for analysis and processing in a way that is transparent to the CAN network. It makes full use of the performance of that data analysis device to carry out security analysis on the data, avoids placing a performance burden on the MCU and on the CAN network traffic, builds on the existing CAN routing function, and does not require modifying code on the CAN network nodes. By analyzing and processing the data on the data analysis device after mirroring it from the CAN network, the CAN network data can be monitored without affecting the function and real-time behaviour of the original CAN network applications, illegal or suspicious operations can be discovered, further active and passive information security isolation, filtering and protection can be applied, and security protection is provided for the CAN network.
Drawings
Fig. 1 is a schematic diagram of a hardware structure of a CAN network data security monitoring device according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an embodiment of a CAN network data security monitoring method according to the present invention;
fig. 3 is a schematic functional block diagram of an embodiment of a CAN network data security monitoring apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In a first aspect, an embodiment of the present invention provides a device for monitoring data security of a CAN network.
Referring to fig. 1, fig. 1 is a schematic diagram of a hardware structure of a CAN network data security monitoring device according to an embodiment of the present invention. In this embodiment of the present invention, the CAN network data security monitoring device may include a processor 1001 (e.g., a Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used for realizing connection and communication among these components; the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); the network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface); the memory 1005 may be a Random Access Memory (RAM) or a non-volatile memory, such as a magnetic disk memory, and may optionally be a storage device independent of the processor 1001. Those skilled in the art will appreciate that the hardware configuration depicted in FIG. 1 is not intended to limit the present invention, and may include more or fewer components than those shown, some components in combination, or a different arrangement of components.
With continued reference to fig. 1, the memory 1005 of fig. 1, which is a type of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a CAN network data security monitoring program. The processor 1001 may call a CAN network data security monitoring program stored in the memory 1005, and execute the CAN network data security monitoring method provided in the embodiment of the present invention.
In a second aspect, an embodiment of the present invention provides a method for monitoring data security of a CAN network.
Referring to fig. 2, fig. 2 is a schematic flow chart of an embodiment of a CAN network data security monitoring method of the present invention.
In an embodiment of the CAN network data security monitoring method of the present invention, the CAN network data security monitoring method includes:
step S10, when the mirror image data in the CAN network is monitored to arrive, the mirror image data is written into a cache queue of a high-speed data cache region;
In this embodiment, the MPU and the MCU are provided inside the SOC-based multicore central security gateway, where the MCU may be directly connected to the CAN network, and some SOC chips also support connecting the MPU directly to the CAN network. When the arrival of mirror image data in the CAN network is monitored, mirror image data from a CAN network directly connected to the MPU can be cached in high-speed memory through shared memory, while mirror image data from a CAN network connected to the MCU can be transferred to the high-speed memory through the chip's on-chip high-speed bus for caching; in either case the arriving mirror image data is written into the cache queue of the high-speed cache area on the SOC. Because the method only needs to be implemented on the SOC chip of the central security gateway, and uses the SOC's on-chip high-speed bus and high-speed storage, it does not increase the communication bandwidth load on the CAN network.
Further, in an embodiment, the step of writing the mirror image data into a buffer queue of a cache data buffer area when it is detected that the mirror image data in the CAN network arrives includes:
setting a unique identification number for communicating with a CAN network for data analysis equipment;
copying data meeting a preset rule on a CAN network route, and adding 1 to the numerical value of the number of forwarding copies;
and forwarding the copied mirror image data to the data analysis equipment corresponding to the unique identification number.
In this embodiment, a unique identification number for communicating with the CAN network is set for the data analysis device, such as the MPU on the SOC, which receives all CAN mirror image data; this avoids complicated protocol conversion, ensures that no additional operation is needed for data mirroring, and reduces the mirroring delay. The CAN-side network of the gateway therefore does not need to be modified and can be monitored and route-forwarded normally. Because the CAN gateway already has the functions of copying and forwarding data, the copy-and-forward functions in the CAN network need no additional modification, and data on the CAN network that meets the preset rules can be mirror-forwarded by the router according to those rules, which include but are not limited to time-sharing sampling, forwarding of designated applications, complete forwarding and conditional forwarding. For example, a forwarding rule can be configured using time-sharing sampling, so that all or part of the copied mirror image data on the selected CAN network is forwarded periodically, to match SOC chips of different performance. Only one fixed forwarding task needs to be added to the routing rules: the data on the CAN network route is copied and the number of forwarding copies is increased by 1, that is, one extra copy of the data is prepared for the data analysis device corresponding to the unique identification number, and the copied mirror image data is forwarded to that data analysis device, such as the MPU on the SOC.
The copying and mirroring of the data are instantaneous constant-time operations, so they add only one constant delay, and that delay already exists in the gateway's normal data forwarding. At the same time, because neither the CAN network nor the CAN protocol needs to be modified, no extra hardware or code needs to be implanted in the devices or code on the related CAN network, and the functions of the existing system are not disturbed.
Further, in an embodiment, the step of writing the mirror image data into a buffer queue of a high-speed data buffer area when it is detected that the mirror image data in the CAN network arrives includes:
when the situation that mirror image data in the CAN network arrives is monitored, whether a cache queue of the cache area is full or not is judged;
and if the cache queue of the high-speed data cache region is not full, writing the mirror image data into the cache queue of the high-speed cache region, and updating a queue mark of the cache queue.
In this embodiment, when it is monitored that mirror image data in the CAN network arrives, it is determined whether a cache queue of the cache area is full, and if the cache queue of the cache area is not full, it indicates that an empty cache area is available in the current cache queue for caching, and the arriving mirror image data may be written into the empty cache area in the cache queue of the cache area, and a queue flag of the cache queue is updated.
Further, in an embodiment, after the step of determining whether the current cache queue of the cache region is full when it is detected that mirror image data in the CAN network arrives, the method includes:
if the cache queue of the high-speed data cache region is full, judging whether the queue head data of the cache queue is being read;
if the queue head data is being read, discarding the mirror image data;
and if the queue head data is not being read, discarding the queue head data, writing the mirror image data into the queue head, and updating a queue mark of a buffer queue.
In this embodiment, when it is monitored that mirror image data in the CAN network arrives, it is determined whether the cache queue of the cache area is full. If it is full, there is no empty position available for caching, so it must be determined whether the queue head data of the current cache queue is being read. If the queue head data is being read, its read analysis must not be interrupted, and since there is no empty position for the new data, the first-written mirror image data that is being read is kept and the newly arrived mirror image data is discarded. If the queue head data is not being read, the earliest mirror image data in the current queue, i.e. the queue head data, is discarded directly, the newly arrived mirror image data is written into the queue head position, and the queue mark of the buffer queue is updated. For example, suppose the cache queue has 10 positions, each carrying a label that gives its order of entry. If the earliest mirror image data is at position 2 and labeled 1, then positions 3 to 10 hold the data that entered afterwards, in sequence (labeled 2 to 9), and position 1 holds the most recently entered data, labeled 10. If the queue head data, i.e. the mirror image data labeled 1 at position 2, is not being read, it is discarded directly, the newly arrived mirror image data is written into the queue head position 2, and the queue labels of the cache queue are updated: the mirror image data at position 2 is now labeled 10, the data at position 1 is labeled 9, and the data from position 3 to position 10 is labeled 1 to 8 in sequence.
Step S20, reading the mirror image data written first in the cache queue of the high-speed data cache region;
In this embodiment, the data in the cache region is written in the order in which the mirror image data arrives, so when the cache queue of the cache region is read, the data written first into the cache queue is read first. The data is thus read in its arrival order, and the corresponding security analysis is then performed.
Further, in an embodiment, the step of reading the mirrored data written first in the cache queue of the cache data cache region includes:
and reading the mirror image data written firstly in the cache queue of the high-speed data cache region according to the queue mark of the cache queue of the high-speed data cache region, and updating the queue mark.
In this embodiment, the mirror image data written first into the cache queue of the high-speed data cache region is read according to the queue tag of the cache queue; after reading is complete, the position where the data was stored becomes vacant, and the queue tag is updated at the same time.
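The cache queue write policy of step S10 and the first-written read of step S20, including the 10-position relabelling example above, as an added C example that is not part of the patent. The ring-buffer layout, the (head, count) queue mark, the head_being_read flag and all function names are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUEUE_CAPACITY 10   /* ten positions, as in the worked example above */

/* One mirrored classic-CAN frame: identifier, data length code, up to 8 payload bytes. */
typedef struct {
    uint32_t can_id;
    uint8_t  dlc;
    uint8_t  data[8];
} can_frame_t;

/* The cache queue as a ring buffer. The "queue mark" is the pair (head, count): head is
 * the slot holding the first-written frame, count the number of valid frames.
 * head_being_read is set while the analysis service reads the head frame. A real
 * MPU/MCU shared-memory deployment would have to update these fields atomically. */
typedef struct {
    can_frame_t slot[QUEUE_CAPACITY];
    size_t head;
    size_t count;
    bool   head_being_read;
} mirror_queue_t;

typedef enum { WRITE_OK, WRITE_DROPPED_NEW, WRITE_OVERWROTE_HEAD } write_result_t;

void mq_init(mirror_queue_t *q) { memset(q, 0, sizeof *q); }

/* Label of a 1-based position as in the worked example: 1 = first-written frame,
 * count = most recently written frame, 0 = the position is vacant. */
unsigned mq_label(const mirror_queue_t *q, unsigned position) {
    size_t offset = (position - 1 + QUEUE_CAPACITY - q->head) % QUEUE_CAPACITY;
    return offset < q->count ? (unsigned)(offset + 1) : 0;
}

/* Step S10: write an arriving mirror frame, applying the full-queue policy. */
write_result_t mq_write(mirror_queue_t *q, const can_frame_t *f) {
    if (q->count < QUEUE_CAPACITY) {
        /* Not full: write into the vacant position after the newest frame, update the mark. */
        q->slot[(q->head + q->count) % QUEUE_CAPACITY] = *f;
        q->count++;
        return WRITE_OK;
    }
    /* Full and the head is under analysis: keep the frame being read, drop the new one. */
    if (q->head_being_read) return WRITE_DROPPED_NEW;
    /* Full and the head is idle: discard the head frame, write the new frame into the head
     * position and advance the mark, so that position becomes the newest (label 10) and
     * the following position becomes the new head (label 1). */
    q->slot[q->head] = *f;
    q->head = (q->head + 1) % QUEUE_CAPACITY;
    return WRITE_OVERWROTE_HEAD;
}

/* Step S20: read the first-written frame according to the queue mark. The head stays
 * marked as being read until mq_release(), so a writer cannot overwrite it mid-analysis.
 * Returns false when the queue is empty. */
bool mq_read_oldest(mirror_queue_t *q, can_frame_t *out) {
    if (q->count == 0) return false;
    q->head_being_read = true;
    *out = q->slot[q->head];
    return true;
}

/* Finish reading: vacate the position that held the frame and update the queue mark. */
void mq_release(mirror_queue_t *q) {
    if (!q->head_being_read) return;
    memset(&q->slot[q->head], 0, sizeof q->slot[q->head]);
    q->head = (q->head + 1) % QUEUE_CAPACITY;
    q->count--;
    q->head_being_read = false;
}

/* Reproduces the worked example: head at position 2 (label 1), positions 3..10 labelled
 * 2..9, position 1 labelled 10. Returns 0 if the overwrite relabels exactly as described,
 * otherwise the number of the first check that failed. */
int patent_example_check(void) {
    mirror_queue_t q;
    can_frame_t f = { 0x123, 1, { 0 } }, tmp;
    mq_init(&q);
    for (unsigned i = 0; i < QUEUE_CAPACITY; i++) { f.data[0] = (uint8_t)i; mq_write(&q, &f); }
    mq_read_oldest(&q, &tmp);            /* consume position 1 ... */
    mq_release(&q);                      /* ... so the head moves to position 2 */
    f.data[0] = 10; mq_write(&q, &f);    /* position 1 now holds the newest frame, label 10 */
    if (mq_label(&q, 2) != 1 || mq_label(&q, 1) != 10 || mq_label(&q, 3) != 2) return 1;
    f.data[0] = 11;
    if (mq_write(&q, &f) != WRITE_OVERWROTE_HEAD) return 2;
    if (mq_label(&q, 2) != 10 || mq_label(&q, 1) != 9) return 3;
    for (unsigned p = 3; p <= 10; p++) if (mq_label(&q, p) != p - 2) return 4;
    /* While the new head (position 3) is being read, a full queue drops the new frame. */
    mq_read_oldest(&q, &tmp);
    if (mq_write(&q, &f) != WRITE_DROPPED_NEW || tmp.data[0] != 2) return 5;
    mq_release(&q);
    return 0;
}
```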
Step S30, judging whether the read mirror image data is abnormal;
in this embodiment, whether the relevant data packet or data frame is safe or not can be detected by various information security analysis methods, such as IDPS vehicle intrusion detection and defense, traffic behavior analysis, rule analysis, and the like, that is, whether the read mirror image data is abnormal or not can be determined. Taking the security rule base analysis as an example, when the mirror image data is ready, the security service reads the mirror image data, matches the read mirror image data with a given security rule, if one rule is not satisfied, it is determined that the mirror image data is abnormal, and there is a security risk.
Step S40, if there is an abnormality, adding 1 to the applied abnormality cumulative value corresponding to the mirror image data;
in this embodiment, if it is determined through security analysis that the read mirror image data is abnormal, the application corresponding to the mirror image data is found according to the ID field in the read mirror image data, 1 is added to the value of the abnormal data amount accumulated by the application, and the abnormal data is recorded and reported to the cloud.
And step S50, when the abnormal cumulative value is larger than a preset threshold value, performing corresponding operation according to the type of the application and outputting corresponding prompt information.
In this embodiment, when the accumulated abnormal data count of the same application is greater than the preset threshold, it indicates that the current application carries a certain information security risk. At this point the corresponding operation is performed and the corresponding prompt information is output according to the type of the application at risk, where a key application is one with high information security requirements whose risk could affect driving safety.
Further, in an embodiment, the step of performing corresponding operation and outputting corresponding prompt information according to the type of the application includes:
if the application is a non-key application, closing the application and outputting a prompt message of closing the application to a user;
and if the application is a key application, isolating the ECU corresponding to the application and outputting prompt information instructing the user to pull over for repair.
In this embodiment, when the accumulated abnormal data count of the same application is greater than the preset threshold, it indicates that the current application carries a certain information security risk. If the application at risk is determined to be a non-key application, the relevant application is closed for a period of time and prompt information about closing the application is output to the user in time. If the application at risk is determined to be a key application, the security risk in the application affects driving safety, so the ECU that controls the running of that application must be found, the ECU corresponding to the application is isolated, and the user is prompted to pull over so that the application can be repaired. If the ECU corresponding to the found application supports OTA, then regardless of the type of the related application, once the application is found to carry a security risk, the vehicle must, while not in a running condition, connect through the gateway to the vehicle cloud or to the latest backup version and repair the related problem by OTA. If the ECU is automatically repaired, comes back online and the security problem is eliminated, the control operations of closing the application at risk and isolating the ECU corresponding to it in the CAN network data security monitoring program are ended. If the problem persists and the cloud has no solution, or the ECU corresponding to the found application does not support OTA, or the found applications correspond to multiple ECUs that all carry security risks, a prompt recommending after-sales repair is output to the vehicle owner in all such cases.
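Steps S30 to S50 (rule matching against the read frame, per-application anomaly accumulation keyed by the ID field, and threshold-driven action by application type), as an added C example that is not the patent's code. The rule fields, the two constructed applications with IDs 0x1A0 and 0x0B4, the threshold of 3 and the frame trace are assumptions constructed for this example; a real rule base and the cloud reporting are out of scope here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Mirrored frame as delivered by the cache queue, with its arrival time in milliseconds. */
typedef struct {
    uint32_t can_id;
    uint8_t  dlc;
    uint8_t  data[8];
    uint32_t t_ms;
} can_frame_t;

typedef enum { APP_NON_KEY, APP_KEY } app_type_t;
typedef enum { ACTION_NONE, ACTION_CLOSE_APP, ACTION_ISOLATE_ECU } action_t;

#define ANOMALY_THRESHOLD 3   /* preset threshold: act when the accumulated value exceeds it */

/* Security rule plus accumulated state for one application, looked up by the ID field.
 * The rule contents (IDs, names, bounds) are constructed for this example. */
typedef struct {
    uint32_t    can_id;
    const char *name;
    app_type_t  type;
    uint8_t     expected_dlc;    /* a frame with another DLC violates the rule */
    uint32_t    min_period_ms;   /* a frame arriving faster than this violates the rule */
    uint8_t     byte0_max;       /* plausibility bound on the first signal byte */
    bool        seen;
    uint32_t    last_t_ms;
    unsigned    anomaly_count;   /* the application's abnormal accumulated value */
} app_rule_t;

static app_rule_t rules[] = {
    { 0x1A0, "cabin-comfort", APP_NON_KEY, 2, 50, 100, false, 0, 0 },
    { 0x0B4, "wheel-speed",   APP_KEY,     8, 10, 255, false, 0, 0 },
};
#define NUM_RULES (sizeof rules / sizeof rules[0])

void reset_state(void) {
    for (size_t i = 0; i < NUM_RULES; i++) { rules[i].seen = false; rules[i].last_t_ms = 0; rules[i].anomaly_count = 0; }
}

app_rule_t *find_app(uint32_t can_id) {
    for (size_t i = 0; i < NUM_RULES; i++)
        if (rules[i].can_id == can_id) return &rules[i];
    return NULL;
}

unsigned anomaly_count_of(uint32_t can_id) {
    const app_rule_t *r = find_app(can_id);
    return r ? r->anomaly_count : 0;
}

/* Step S30: the frame is abnormal as soon as one rule of its application is not satisfied. */
bool frame_is_abnormal(app_rule_t *r, const can_frame_t *f) {
    bool bad = f->dlc != r->expected_dlc;
    if (f->dlc > 0 && f->data[0] > r->byte0_max) bad = true;
    if (r->seen && f->t_ms - r->last_t_ms < r->min_period_ms) bad = true;
    r->seen = true;
    r->last_t_ms = f->t_ms;
    return bad;
}

/* Steps S30-S50 for one frame. Returns the control action; *prompt (may be NULL) receives
 * the message shown to the user. A frame whose ID maps to no known application cannot be
 * attributed to an application, so it updates no counter and yields no action here. */
action_t process_frame(const can_frame_t *f, const char **prompt) {
    if (prompt) *prompt = "";
    app_rule_t *r = find_app(f->can_id);
    if (r == NULL || !frame_is_abnormal(r, f)) return ACTION_NONE;
    r->anomaly_count++;                  /* S40: accumulate; also where a deployment logs/reports */
    if (r->anomaly_count <= ANOMALY_THRESHOLD) return ACTION_NONE;
    if (r->type == APP_NON_KEY) {        /* S50: non-key application: close it */
        if (prompt) *prompt = "Application closed because of a security risk";
        return ACTION_CLOSE_APP;
    }
    if (prompt) *prompt = "Pull over safely: the related ECU has been isolated for repair";
    return ACTION_ISOLATE_ECU;           /* S50: key application: isolate its ECU */
}

/* Constructed trace: the comfort application drifts into an implausible value, a wrong DLC
 * and flooding; then wheel-speed frames flood at 1 ms intervals against a 10 ms rule. */
static const can_frame_t trace[] = {
    { 0x1A0, 2, { 40 }, 0 },   { 0x1A0, 2, { 45 }, 50 },  { 0x1A0, 2, { 200 }, 100 },
    { 0x1A0, 3, { 50 }, 150 }, { 0x1A0, 2, { 50 }, 152 }, { 0x1A0, 2, { 50 }, 154 },
    { 0x0B4, 8, { 1 }, 200 },  { 0x0B4, 8, { 1 }, 201 },  { 0x0B4, 8, { 1 }, 202 },
    { 0x0B4, 8, { 1 }, 203 },  { 0x0B4, 8, { 1 }, 204 },
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

/* Replays the trace from a clean state up to and including frame `upto` and returns the
 * action produced by that frame. */
action_t replay_trace(size_t upto) {
    action_t last = ACTION_NONE;
    reset_state();
    for (size_t i = 0; i < TRACE_LEN && i <= upto; i++) last = process_frame(&trace[i], NULL);
    return last;
}
```

The fourth anomaly of the non-key application (frame index 5) closes it, and the fourth flooding frame of the key application (index 10) isolates its ECU.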
In the embodiment, when the situation that mirror image data in the CAN network arrives is monitored, the mirror image data is written into a cache queue of a high-speed data cache region; reading the mirror image data written firstly in the cache queue of the high-speed data cache region; judging whether the read mirror image data is abnormal or not; if the mirror image data is abnormal, adding 1 to the abnormal accumulated value of the application corresponding to the mirror image data; and when the abnormal accumulated value is larger than a preset threshold value, performing corresponding operation and outputting corresponding prompt information according to the type of the application. The invention comprehensively applies a plurality of methods to send the CAN network data to the data analysis equipment such as the MPU on the SOC for analysis and processing in a way of being transparent to the CAN network, fully utilizes the performance of the data analysis equipment such as the MPU on the SOC to carry out safety analysis on the data, avoids the performance burden on the MCU and the CAN network data, combines the existing CAN routing function, does not need to modify CAN network end codes, and carries out the analysis and processing by the MPU after mirroring the data in the CAN network so as to realize the monitoring of the CAN network data under the condition of not influencing the original CAN network application function and real-time property, discover illegal or suspicious operation, further adopt further active and passive information safety isolation, filtration and protection and provide safety protection for the CAN network.
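The judging, accumulating and responding steps summarised above, as an added example written for this page in C (it is not the patent's or the assignee's code): the application table, CAN identifiers, ECU numbers, anomaly rules and the threshold value of 3 are constructed assumptions, and the mirrored frames fed in at the end are likewise constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANOMALY_THRESHOLD 3u              /* assumed "preset threshold" */

typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;

typedef enum { ACT_NONE = 0, ACT_CLOSE_APP, ACT_ISOLATE_ECU } action_t;

/* One application: the CAN IDs it owns, the ECU that runs it, what a sane frame
 * looks like, and the patent's per-application accumulated anomaly value. */
typedef struct {
    const char *name;
    bool        critical;             /* a fault here affects driving safety */
    uint8_t     ecu;                  /* hosting ECU (assumed numbering) */
    uint32_t    id_lo, id_hi;         /* CAN ID range owned by the application */
    uint8_t     expected_dlc;         /* DLC every frame of this application carries */
    uint8_t     max_byte0;            /* physical upper bound for data[0]; 0xFF = unchecked */
    unsigned    anomaly_count;
    bool        responded;            /* response already issued; do not repeat it */
} app_t;

/* Constructed application table; a real one is derived from the vehicle's CAN matrix. */
static app_t g_apps[] = {
    { "brake",        true,  0x01, 0x100, 0x1FF, 8, 100,  0, false },
    { "steering",     true,  0x02, 0x200, 0x2FF, 4, 0xFF, 0, false },
    { "infotainment", false, 0x10, 0x300, 0x3FF, 8, 0xFF, 0, false },
    { "body",         false, 0x20, 0x400, 0x4FF, 2, 0xFF, 0, false },
};
#define N_APPS (sizeof g_apps / sizeof g_apps[0])

static unsigned g_unmapped;           /* mirrored frames whose ID belongs to no application */

unsigned reset_monitor(void) {
    for (size_t i = 0; i < N_APPS; i++) { g_apps[i].anomaly_count = 0; g_apps[i].responded = false; }
    g_unmapped = 0;
    return (unsigned)N_APPS;
}

app_t *app_for_frame(const can_frame_t *f) {
    for (size_t i = 0; i < N_APPS; i++)
        if (f->id >= g_apps[i].id_lo && f->id <= g_apps[i].id_hi) return &g_apps[i];
    return NULL;
}

/* The "judge whether the mirrored data is abnormal" step: one structural check
 * (DLC) and one semantic check (value range). Production rules would add message
 * period and counter/CRC checks; the accounting around them stays the same. */
bool frame_is_abnormal(const can_frame_t *f, const app_t *app) {
    if (f->dlc != app->expected_dlc) return true;
    if (app->max_byte0 != 0xFF && f->dlc > 0 && f->data[0] > app->max_byte0) return true;
    return false;
}

/* Accumulate and respond: increment the application's counter on each abnormal
 * frame; the first time the counter exceeds the threshold, close a non-critical
 * application or isolate the ECU behind a critical one and prompt the driver. */
action_t process_mirror_frame(const can_frame_t *f) {
    app_t *app = app_for_frame(f);
    if (app == NULL) { g_unmapped++; return ACT_NONE; }   /* cannot be attributed; counted apart */
    if (!frame_is_abnormal(f, app)) return ACT_NONE;
    app->anomaly_count++;
    if (app->anomaly_count <= ANOMALY_THRESHOLD || app->responded) return ACT_NONE;
    app->responded = true;
    if (app->critical) {
        printf("%s: isolating ECU 0x%02X; prompt: pull over for repair\n", app->name, app->ecu);
        return ACT_ISOLATE_ECU;
    }
    printf("%s: closing application; prompt: application closed\n", app->name);
    return ACT_CLOSE_APP;
}

/* Helpers for the walkthrough: build and process a frame whose first byte is b0. */
action_t feed_frame(uint32_t id, uint8_t dlc, uint8_t b0) {
    can_frame_t f = { id, dlc, { b0 } };
    return process_mirror_frame(&f);
}
unsigned anomaly_count(const char *name) {
    for (size_t i = 0; i < N_APPS; i++)
        if (strcmp(g_apps[i].name, name) == 0) return g_apps[i].anomaly_count;
    return 0;
}
unsigned unmapped_frames(void) { return g_unmapped; }

int main(void) {
    reset_monitor();
    /* Constructed mirrored traffic: a brake command with an impossible value (250 > 100)
     * replayed four times; the fourth copy crosses the threshold of 3. */
    for (int i = 0; i < 4; i++) feed_frame(0x120, 8, 250);
    feed_frame(0x120, 8, 40);                                /* sane brake frame: not counted */
    for (int i = 0; i < 4; i++) feed_frame(0x310, 3, 1);     /* infotainment with wrong DLC */
    feed_frame(0x7FF, 8, 0);                                 /* ID owned by no application */
    printf("brake=%u infotainment=%u unmapped=%u\n",
           anomaly_count("brake"), anomaly_count("infotainment"), unmapped_frames());
    return 0;
}
```

Two points a practitioner would want beyond the patent text are visible here. A frame whose ID maps to no application cannot increment any application's counter, so it is counted separately rather than silently ignored; a sudden rise in that count is itself a sign of injected traffic. And the `responded` latch keeps a flood of abnormal frames from re-issuing the close or isolate action on every frame after the threshold; the counter itself never decays in this sketch, so the "within a period of time" behaviour the description mentions would need a time window added around it.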
In a third aspect, an embodiment of the present invention further provides a CAN network data security monitoring apparatus.
Referring to fig. 3, the functional modules of an embodiment of the CAN network data security monitoring apparatus are shown schematically.
In this embodiment, the CAN network data security monitoring apparatus comprises:
a write-in module 10, configured to write mirrored data into a cache queue of a high-speed data cache region when the arrival of mirrored data from the CAN network is detected;
a reading module 20, configured to read the mirrored data written first into the cache queue of the high-speed data cache region;
a judging module 30, configured to judge whether the read mirrored data is abnormal;
an accumulation module 40, configured to add 1 to the abnormal accumulated value of the application corresponding to the mirrored data if it is abnormal;
and a control module 50, configured to perform a corresponding operation and output corresponding prompt information according to the type of the application when the abnormal accumulated value exceeds a preset threshold.
Further, in an embodiment, the CAN network data security monitoring apparatus further comprises a forwarding module, configured to:
assign the data analysis device a unique identification number for communicating with the CAN network;
copy, on the CAN network route, the data that meets a preset rule, and add 1 to the count of forwarded copies;
and forward the copied mirrored data to the data analysis device corresponding to the unique identification number.
Further, in an embodiment, the write-in module 10 is configured to:
judge, when the arrival of mirrored data from the CAN network is detected, whether the cache queue of the high-speed data cache region is full;
and if the cache queue of the high-speed data cache region is not full, write the mirrored data into the cache queue and update the queue mark of the cache queue.
Further, in an embodiment, the write-in module 10 is further configured to:
if the cache queue of the high-speed data cache region is full, judge whether the head entry of the cache queue is currently being read;
if the head entry is being read, discard the mirrored data;
and if the head entry is not being read, discard the head entry, write the mirrored data at the queue head, and update the queue mark of the cache queue.
Further, in an embodiment, the reading module 20 is configured to:
read, according to the queue mark of the cache queue of the high-speed data cache region, the mirrored data written first into that cache queue, and update the queue mark.
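The forwarding module and the write-in and reading modules described above, as one added example in C (not the patent's or the assignee's code). The mirror rules, the queue depth of 4 and the analysis-device identifier 0x7E0 are assumptions. The page's wording "discard the head entry, write the mirrored data at the queue head" is implemented here as drop-the-oldest-then-enqueue, which keeps the queue in arrival order; the head-being-read check is modelled by splitting the read into a begin/end pair so that the interval in which the reader holds the head entry is visible to the writer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_DEPTH        4u       /* small on purpose so the overflow path is exercised */
#define ANALYSIS_DEVICE_ID 0x7E0u   /* assumed unique ID given to the MPU-side analysis device */

typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;

/* Mirror rule: a routed frame is copied when (id & mask) == match. */
typedef struct { uint32_t match, mask; } mirror_rule_t;

/* Cache queue with its "queue marks": head = oldest entry, count = entries held,
 * reading = the analysis task currently holds the head entry. */
typedef struct {
    can_frame_t   slot[QUEUE_DEPTH];
    unsigned      head, count;
    volatile bool reading;            /* written by the reader, polled by the (ISR-side) writer */
    unsigned      dropped_new, dropped_old;
} mirror_queue_t;

/* The analysis device: its unique ID, its queue, and the forwarded-copy counter. */
typedef struct { uint32_t id; mirror_queue_t queue; unsigned copies; } analysis_device_t;

static analysis_device_t g_mpu = { .id = ANALYSIS_DEVICE_ID };

/* Constructed rules: mirror only the (assumed) brake and steering ID ranges. */
static const mirror_rule_t g_rules[] = { { 0x100, 0x700 }, { 0x200, 0x700 } };
#define N_RULES (sizeof g_rules / sizeof g_rules[0])

unsigned queue_init(mirror_queue_t *q) { memset(q, 0, sizeof *q); return QUEUE_DEPTH; }
unsigned device_reset(analysis_device_t *d) { d->copies = 0; return queue_init(&d->queue); }

/* Write step with the overflow policy: if the queue is full and the head entry is
 * being read, the new frame is discarded; if it is full and the head is free, the
 * oldest entry is discarded and the new frame enqueued. Returns true if stored. */
bool queue_write(mirror_queue_t *q, const can_frame_t *f) {
    if (q->count == QUEUE_DEPTH) {
        if (q->reading) { q->dropped_new++; return false; }
        q->head = (q->head + 1) % QUEUE_DEPTH;   /* discard the oldest entry */
        q->count--;
        q->dropped_old++;
    }
    q->slot[(q->head + q->count) % QUEUE_DEPTH] = *f;
    q->count++;
    return true;
}

/* Read step: begin hands out the oldest entry and marks it as being read,
 * end releases it and advances the queue mark. */
const can_frame_t *queue_read_begin(mirror_queue_t *q) {
    if (q->count == 0) return NULL;
    q->reading = true;
    return &q->slot[q->head];
}
bool queue_read_end(mirror_queue_t *q) {
    if (!q->reading) return false;
    q->head = (q->head + 1) % QUEUE_DEPTH;
    q->count--;
    q->reading = false;
    return true;
}

/* Forwarding module, called on the existing CAN route for every frame: the frame
 * itself continues on its route untouched; a copy of a rule-matching frame is
 * counted and delivered to the analysis device. Returns true if a copy was made. */
bool mirror_on_route(analysis_device_t *dev, const can_frame_t *f,
                     const mirror_rule_t *rules, size_t n_rules) {
    for (size_t i = 0; i < n_rules; i++) {
        if ((f->id & rules[i].mask) != rules[i].match) continue;
        can_frame_t copy = *f;
        dev->copies++;
        queue_write(&dev->queue, &copy);   /* drop statistics live in the queue */
        return true;
    }
    return false;
}

/* Walkthrough helper: route a constructed frame with the given ID and DLC. */
bool feed_route(uint32_t id, uint8_t dlc) {
    can_frame_t f = { id, dlc, { 0 } };
    return mirror_on_route(&g_mpu, &f, g_rules, N_RULES);
}

int main(void) {
    device_reset(&g_mpu);
    for (uint32_t id = 0x101; id <= 0x105; id++) feed_route(id, 8);  /* 5 copies into 4 slots */
    feed_route(0x310, 8);                                            /* not mirrored */
    const can_frame_t *head = queue_read_begin(&g_mpu.queue);        /* oldest survivor: 0x102 */
    feed_route(0x106, 8);                                            /* arrives while head is in use */
    printf("head=0x%03X copies=%u dropped_old=%u dropped_new=%u\n", (unsigned)head->id,
           g_mpu.copies, g_mpu.queue.dropped_old, g_mpu.queue.dropped_new);
    queue_read_end(&g_mpu.queue);
    return 0;
}
```

On the real SoC the writer runs in the CAN receive path on the MCU and the reader on the MPU, so the queue and its `reading` flag live in memory both can see and the flag needs the memory barriers the platform requires; a plain `volatile` is only a placeholder for that. The two drop counters are worth exporting alongside the anomaly counters: a burst of drops means the mirror is no longer a faithful copy of the bus, and an attacker flooding the bus can use exactly that to push its own frames out of the analysis path.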
Further, in an embodiment, the control module 50 is configured to:
if the application is a non-critical application, close the application and prompt the user that the application has been closed;
and if the application is a critical application, isolate the ECU corresponding to the application and prompt the user to pull over for repair.
The implementation of each module of the CAN network data security monitoring apparatus described above corresponds to the respective step of the CAN network data security monitoring method embodiments described above; their functions and implementation are not described again here.
In a fourth aspect, the embodiment of the present invention further provides a readable storage medium.
The readable storage medium of the invention stores a CAN network data security monitoring program which, when executed by a processor, implements the steps of the CAN network data security monitoring method described above.
For the method implemented when the CAN network data security monitoring program is executed, reference may be made to the embodiments of the CAN network data security monitoring method of the present invention; details are not repeated here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for causing a terminal device to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A CAN network data security monitoring method, characterized by comprising the following steps:
when the arrival of mirrored data from the CAN network is detected, writing the mirrored data into a cache queue of a high-speed data cache region;
reading the mirrored data written first into the cache queue of the high-speed data cache region;
judging whether the read mirrored data is abnormal;
if the mirrored data is abnormal, adding 1 to the abnormal accumulated value of the application corresponding to the mirrored data;
and when the abnormal accumulated value exceeds a preset threshold, performing a corresponding operation and outputting corresponding prompt information according to the type of the application.
2. The CAN network data security monitoring method of claim 1, wherein the step of writing the mirrored data into a cache queue of a high-speed data cache region when the arrival of mirrored data from the CAN network is detected comprises:
assigning the data analysis device a unique identification number for communicating with the CAN network;
copying, on the CAN network route, the data that meets a preset rule, and adding 1 to the count of forwarded copies;
and forwarding the copied mirrored data to the data analysis device corresponding to the unique identification number.
3. The CAN network data security monitoring method of claim 1, wherein the step of writing the mirrored data into a cache queue of a high-speed data cache region when the arrival of mirrored data from the CAN network is detected comprises:
when the arrival of mirrored data from the CAN network is detected, judging whether the cache queue of the high-speed data cache region is full;
and if the cache queue of the high-speed data cache region is not full, writing the mirrored data into the cache queue and updating the queue mark of the cache queue.
4. The CAN network data security monitoring method of claim 3, wherein the step of judging whether the cache queue of the high-speed data cache region is full when the arrival of mirrored data from the CAN network is detected further comprises:
if the cache queue of the high-speed data cache region is full, judging whether the head entry of the cache queue is currently being read;
if the head entry is being read, discarding the mirrored data;
and if the head entry is not being read, discarding the head entry, writing the mirrored data at the queue head, and updating the queue mark of the cache queue.
5. The CAN network data security monitoring method of claim 1, wherein the step of reading the mirrored data written first into the cache queue of the high-speed data cache region comprises:
reading, according to the queue mark of the cache queue of the high-speed data cache region, the mirrored data written first into that cache queue, and updating the queue mark.
6. The CAN network data security monitoring method of claim 1, wherein the step of performing a corresponding operation and outputting corresponding prompt information according to the type of the application comprises:
if the application is a non-critical application, closing the application and prompting the user that the application has been closed;
and if the application is a critical application, isolating the ECU corresponding to the application and prompting the user to pull over for repair.
7. A CAN network data security monitoring apparatus, comprising:
a write-in module, configured to write mirrored data into a cache queue of a high-speed data cache region when the arrival of mirrored data from the CAN network is detected;
a reading module, configured to read the mirrored data written first into the cache queue of the high-speed data cache region;
a judging module, configured to judge whether the read mirrored data is abnormal;
an accumulation module, configured to add 1 to the abnormal accumulated value of the application corresponding to the mirrored data if it is abnormal;
and a control module, configured to perform a corresponding operation and output corresponding prompt information according to the type of the application when the abnormal accumulated value exceeds a preset threshold.
8. The CAN network data security monitoring apparatus of claim 7, further comprising a forwarding module configured to:
assign the data analysis device a unique identification number for communicating with the CAN network;
copy, on the CAN network route, the data that meets a preset rule, and add 1 to the count of forwarded copies;
and forward the copied mirrored data to the data analysis device corresponding to the unique identification number.
9. A CAN network data security monitoring device, comprising a processor, a memory, and a CAN network data security monitoring program stored in the memory and executable by the processor, wherein the steps of the CAN network data security monitoring method according to any one of claims 1 to 6 are implemented when the CAN network data security monitoring program is executed by the processor.
10. A readable storage medium having a CAN network data security monitoring program stored thereon, wherein the CAN network data security monitoring program, when executed by a processor, implements the steps of the CAN network data security monitoring method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111151787.8A CN113904894B (en) 2021-09-29 2021-09-29 CAN network data security monitoring method, device, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN113904894A (en) 2022-01-07
CN113904894B (en) 2023-05-30

Family

ID=79189247

Country Status (1)

Country Link
CN (1) CN113904894B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105843206A (en) * 2016-01-07 2016-08-10 乐卡汽车智能科技(北京)有限公司 Vehicle bus security monitoring method, device and system
CN106330964A (en) * 2016-10-14 2017-01-11 成都信息工程大学 Network intrusion detection and active defense linkage control device
CN107124344A (en) * 2017-04-28 2017-09-01 中车青岛四方车辆研究所有限公司 Train is changed and data storage control method with CAN ethernet communications
US20180091388A1 (en) * 2016-09-27 2018-03-29 Mellanox Technologies Tlv Ltd. Multi-stage selective mirroring
CN110535855A (en) * 2019-08-28 2019-12-03 北京安御道合科技有限公司 A kind of network event method for monitoring and analyzing and system, information data processing terminal
WO2020233073A1 (en) * 2019-05-23 2020-11-26 深圳壹账通智能科技有限公司 Blockchain environment test method, device and apparatus, and storage medium
CN113393595A (en) * 2021-05-19 2021-09-14 上汽通用五菱汽车股份有限公司 Vehicle monitoring method, vehicle-mounted terminal and computer-readable storage medium
US20210286723A1 (en) * 2020-03-13 2021-09-16 International Business Machines Corporation Indicating extents of tracks in mirroring queues based on information gathered on tracks in extents in cache

Also Published As

Publication number Publication date
CN113904894B (en) 2023-05-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant