CN113938295B - Method and system for detecting abnormal transmission behavior of internet automobile communication data, electronic equipment and readable medium - Google Patents

Publication number
CN113938295B
Authority
CN
China
Prior art keywords
vehicle
communication data
cloud platform
data
brand
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111154669.2A
Other languages
Chinese (zh)
Other versions
CN113938295A (en)
Inventor
赵怀瑾
李政
范乐君
吴昊
李承泽
黄磊
陈燕呢
申任远
金暐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center
Priority to CN202111154669.2A
Publication of CN113938295A
Application granted
Publication of CN113938295B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention provides a method and a system for detecting abnormal transmission behavior of internet automobile communication data, an electronic device and a readable medium. The detection method comprises: acquiring, in real time, the to-be-detected uplink and downlink communication data between a vehicle and a cloud platform; and, based on the qualified platform list library, comparing the to-be-detected uplink and downlink communication data with the normal transmission model corresponding to the brand and the model of the vehicle, and judging whether that data shows abnormal transmission behavior. The method addresses the defect that prior-art data detection methods cannot be applied to detecting the data transmission of intelligent networked automobiles; by checking the data a vehicle transmits against the qualified platform list library and the normal transmission model, it detects the transmission behavior of networked automobile communication data in real time.

Description

Method and system for detecting abnormal transmission behavior of internet automobile communication data, electronic equipment and readable medium
Technical Field
The invention relates to the technical field of communication data transmission detection, in particular to a method and a system for detecting abnormal transmission behaviors of communication data of an internet automobile, electronic equipment and a readable medium.
Background
The intelligent networked automobile deeply couples the traditionally closed automotive world with internet space, so that information about vehicles, roads, people and clouds can enter internet space through the internet of vehicles; remote control, remote diagnosis and function upgrades of the automobile over the internet are becoming an important future trend. With intelligent, networked and digital technology widely applied in the traditional automobile industry, intelligent networked automobiles collect surrounding-environment video information, personal information, vehicle state information and the like on a large scale in order to develop automatic driving functions, intelligent cabin experiences and so on; in addition, according to standards, new energy automobiles and passenger and freight vehicles must upload vehicle data according to standard protocols.
At present, abnormal data and traffic in network space are mainly detected by the following methods:
1. Port-based detection: applications and protocols are identified by their internet port numbers, so abnormal applications and protocols can be identified by port number.
2. Deep packet inspection: the whole data packet, header and payload included, is examined, and the transmission is judged abnormal if a predefined fixed character string or string pattern is found at any position in the packet.
3. Statistics-based detection: the basic idea is that different types of applications generate traffic with different characteristics; current research mainly distinguishes the traffic characteristics of traditional application protocols.
4. Behavior-based detection: the basic idea is that different applications produce different behavior patterns, so traffic characteristics are used as behavior information about host communication, such as how many hosts communicate with one another and which protocols and ports each uses.
From the above, the prior art has the following disadvantages when applied to data transmission in the internet of vehicles:
1. It targets traditional network-space abnormal traffic detection and lacks research on abnormal data transmission over internet-of-vehicles application protocols;
2. Compared with traditional network-space protocols, internet-of-vehicles application protocols have no uniform specification and carry a large amount of private-protocol communication data, so they differ greatly in character string matching, statistical characteristics of the data, behavior characteristics and so on. For example, fields of an intelligent networked vehicle such as transmission speed, mileage and position information have similar value ranges and fixed lengths, and the heads and tails of some protocol packets are fixed character strings.
Therefore, traditional detection methods cannot detect the data transmission of intelligent networked automobiles. The invention addresses the abnormal transmission of intelligent networked automobile communication data, which differs from that of traditional internet space, and provides a method and a device for detecting abnormal transmission behavior of intelligent networked automobile communication data.
Disclosure of Invention
The invention provides a method, a system, electronic equipment and a readable medium for detecting abnormal transmission behaviors of communication data of an internet automobile, which are used for solving the defect that a data detection method in the prior art cannot be applied to detection of data transmission of the intelligent internet automobile.
The invention provides a method for detecting abnormal transmission behavior of internet automobile communication data, which comprises the following steps:
acquiring to-be-detected uplink and downlink communication data between a vehicle and a cloud platform in real time;
comparing the to-be-detected uplink and downlink communication data with a normal transmission model corresponding to the brand and the model of the vehicle based on a qualified platform name list library, and judging whether the to-be-detected uplink and downlink communication data have abnormal transmission behaviors;
the qualified platform list library is a library of cloud platform address information, distinguished by vehicle brand and vehicle type, that is established by processing communication data between vehicles and cloud platforms with the cloud platform address in the communication data as the feature;
and the normal transmission model is a vehicle data model, distinguished by vehicle brand and vehicle type, that is established by processing the communication data for the cloud platform addresses in the qualified platform list library, with the IMSI number of the vehicle in the communication data as the feature.
According to the method for detecting the abnormal transmission behavior of the internet automobile communication data, comparing the to-be-detected uplink and downlink communication data, based on a qualified platform list library, with a normal transmission model corresponding to the brand and the model of the vehicle, and judging whether the to-be-detected uplink and downlink communication data has abnormal transmission behavior, specifically comprises the following steps:
extracting the vehicle brand, the vehicle type and the cloud platform address of the vehicle to be detected from the uplink and downlink communication data to be detected;
judging whether the cloud platform address is contained in a qualified platform list library of corresponding vehicle brands and vehicle types; if not, judging that the vehicle to be detected has abnormal transmission;
if so, taking the vehicle brand and the vehicle type as the unit, drawing, for the to-be-detected uplink and downlink communication data of the vehicles of each vehicle brand and vehicle type, an association map that represents the vehicles' network-space behavior association according to the cloud platform address;
judging whether the deviation of the drawn association map and a normal transmission model of a vehicle of a corresponding vehicle brand and a corresponding vehicle type exceeds a deviation threshold value or not; if not, judging that the vehicle is in normal transmission; if yes, judging that the vehicle has abnormal transmission.
According to the method for detecting the abnormal transmission behavior of the internet automobile communication data, judging whether the cloud platform address is contained in the qualified platform list library of the corresponding automobile brand and automobile type specifically comprises the following steps:
extracting a vehicle brand, a vehicle type, a cloud platform address and a data packet corresponding to the cloud platform address from the to-be-detected uplink and downlink communication data;
counting the communication frequency and the data volume of each cloud platform address through a data packet, and defining the cloud platform address corresponding to the data packet with the communication frequency and the data volume larger than a preset threshold value as an effective platform address;
and judging whether the effective platform address is contained in a qualified platform list library of the vehicles of the corresponding vehicle brands and vehicle types.
According to the method for detecting the abnormal transmission behavior of the internet automobile communication data, drawing, with the vehicle brand and the vehicle type as the unit, an association map that represents the vehicles' network-space behavior association according to the cloud platform address, for the to-be-detected uplink and downlink communication data of the vehicles of each vehicle brand and vehicle type, specifically comprises the following steps:
constructing four-tuple information of the vehicle from the vehicle-mounted terminal address, the cloud platform address, the port information of the cloud platform, and the vehicle state information (comprising the IMSI number, the vehicle brand, the vehicle type and the operation data information of the vehicle) extracted from the to-be-detected uplink and downlink communication data;
expressing the geospatially heterogeneous data in the four-tuple information in a unified form;
by taking the vehicle brand and the vehicle type of the vehicle as units, extracting the communication frequency and the data volume of each cloud platform address from the to-be-detected uplink and downlink communication data;
and drawing the association map based on the communication frequency, the data volume and the uniformly expressed quadruple information.
According to the method for detecting the abnormal transmission behavior of the internet automobile communication data, the operation data information comprises: geographic location, operating time, vehicle speed, duration of communication with the cloud platform.
According to the method for detecting the abnormal transmission behavior of the internet automobile communication data, the step of judging whether the deviation between the drawn association map and the normal transmission model of the vehicle of the corresponding vehicle brand and vehicle type exceeds the deviation threshold value specifically comprises the following steps:
judging whether the communication frequency or the data volume of the vehicle in the association map exceeds the communication frequency or the data volume in the corresponding normal transmission model within a preset time period;
judging whether the geographic position of the vehicle in the association map is always kept in a limited access area defined in a corresponding normal transmission model within a preset time length;
judging whether the geographic position of the vehicle in the association map is always kept in a limited stay area defined in a corresponding normal transmission model within a preset time;
and judging whether the vehicle speed of the vehicle in the association map exceeds the maximum vehicle speed defined in the corresponding normal transmission model within a preset time.
The invention also provides a system for detecting the abnormal transmission behavior of the communication data of the networked automobile, which comprises the following components:
the acquisition module is used for acquiring to-be-detected uplink and downlink communication data between the vehicle and the cloud platform in real time;
the execution module is used for comparing the to-be-detected uplink and downlink communication data, based on a qualified platform list library, with a normal transmission model corresponding to the brand and the model of the vehicle, and judging whether the to-be-detected uplink and downlink communication data has abnormal transmission behavior;
the qualified platform list library is a library of cloud platform address information, distinguished by vehicle brand and vehicle type, that is established by processing communication data between vehicles and cloud platforms with the cloud platform address in the communication data as the feature;
and the normal transmission model is a vehicle data model, distinguished by vehicle brand and vehicle type, that is established by processing the communication data for the cloud platform addresses in the qualified platform list library, with the vehicle IMSI number in the communication data as the feature.
The invention also provides electronic equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the program to realize the steps of the method for detecting the abnormal transmission behavior of the internet automobile communication data.
The invention also provides a non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the method for detecting abnormal transmission behavior of networked automobile communication data according to any one of the above methods.
The invention also provides a computer program product, which comprises a computer program, and the computer program is used for realizing the steps of the method for detecting the abnormal transmission behavior of the internet automobile communication data when being executed by a processor.
According to the method and the system for detecting abnormal transmission behavior of internet automobile communication data provided by the invention, the to-be-detected uplink and downlink communication data between the vehicle and the cloud platform, acquired in real time, is compared with the qualified platform list library and with the normal transmission model corresponding to the brand and the model of the vehicle, so that whether the data to be detected shows abnormal transmission behavior is judged in real time. This solves the problem that existing internet of things terminal data transmission models are unsuitable for detecting the data transmitted by intelligent networked automobiles. Because the data is checked twice, against the qualified platform list library and against the normal transmission model for the vehicle's brand and model, the misjudgment rate for abnormal data transmission behavior is effectively reduced.
Drawings
To illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a method for detecting abnormal transmission behavior of internet automobile communication data according to the present invention;
Fig. 2 is a second schematic flow chart of the method for detecting abnormal transmission behavior of internet automobile communication data according to the present invention;
Fig. 3 is a schematic structural diagram of a system for detecting abnormal transmission behavior of networked automobile communication data according to the present invention;
Fig. 4 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
The method for detecting the abnormal transmission behavior of the communication data of the networked automobile according to the present invention is described below with reference to fig. 1 and 2, and as shown in fig. 1, the method specifically includes the following steps:
101. Acquiring to-be-detected uplink and downlink communication data between the vehicle and the cloud platform in real time.
It should be noted that most intelligent networked automobiles now offer functions such as remote vehicle control and OTA upgrading. These functions require the cloud platform to send control instructions and upgrade packages to the vehicle terminal, a process in which risks such as man-in-the-middle attacks and sensitive information leakage are likely to arise; abnormal traffic detection makes it possible to identify and trace such risks.
Specifically, internet-of-vehicles application protocol data messages between a vehicle and a cloud platform can be acquired in real time, and network flow features, data packet features and the like extracted from them: for example, flow duration and flow bits per second as network flow features, and packet head and tail information, packet size, packet time interval and the like as data packet features. For internet-of-vehicles data acquired according to the application protocol, the source address of the vehicle-mounted terminal, the address and port information of the cloud platform communicating with the vehicle, and the vehicle state information during communication can also be obtained; the vehicle state information can include the vehicle IMSI number, vehicle type, geographic position, running time, vehicle speed and the like. Depending on the detection requirement, for example DoS attacks or cross-border transmission, the required data types can be selected from this information for detecting abnormal transmission behavior of the networked automobile.
102. Comparing the to-be-detected uplink and downlink communication data, based on a qualified platform list library, with a normal transmission model corresponding to the brand and the model of the vehicle, and judging whether the to-be-detected uplink and downlink communication data has abnormal transmission behavior.
It should be noted that, compared with other internet of things systems, intelligent networked automobiles move fast and over a wide range, the data transmission models of different vehicle types differ greatly, and vehicle data is transmitted in many scenarios, such as driving assistance, OTA (over the air) upgrading and data collection by service provider platforms, so model construction is complex and changeable. Existing internet of things terminal data transmission models are therefore unsuitable for intelligent networked automobiles. Detecting whether the cloud platform communicating with the vehicle is legitimate, and comparing the vehicle's communication behavior with the trained normal transmission model of that vehicle, effectively realizes detection of the data transmission behavior of the intelligent networked automobile.
Furthermore, because vehicle manufacturers differ in how far their automatic driving technology has developed and in their remote vehicle control and OTA upgrading functions, data transmission conditions differ greatly between manufacturers. By using the IMSI numbers of multiple vehicles as keywords to establish a qualified platform list library distinguished by vehicle brand and vehicle type and a normal transmission model distinguished by vehicle brand and vehicle type, the communication data of intelligent networked automobiles of different brands and vehicle types is detected separately, which effectively reduces the misjudgment rate.
In an embodiment of the present invention, the comparing the to-be-detected uplink and downlink communication data based on a qualified platform list library with a normal transmission model corresponding to the brand and model of the vehicle, and determining whether the to-be-detected uplink and downlink communication data has an abnormal transmission behavior specifically includes:
extracting the vehicle brand, the vehicle type and the cloud platform address of the vehicle to be detected from the uplink and downlink communication data to be detected;
judging whether the cloud platform address is contained in a qualified platform list library of corresponding vehicle brands and vehicle types; if not, judging that the vehicle to be detected has abnormal transmission;
if yes, taking the vehicle brand and the vehicle type as the unit, drawing, for the to-be-detected uplink and downlink communication data of the vehicles of each vehicle brand and vehicle type, an association map that represents the vehicles' network-space behavior association according to the cloud platform address;
judging whether the deviation of the drawn association map and a normal transmission model of a vehicle of a corresponding vehicle brand and a corresponding vehicle type exceeds a deviation threshold value or not; if not, judging that the vehicle is in normal transmission; if yes, judging that the vehicle has abnormal transmission.
It should be noted that, in detecting the transmission behavior of the intelligent networked automobile, the invention applies a double check on the transmission address and the transmitted data: for a vehicle of a given brand and model in the data to be detected, it first judges whether the cloud platform in data communication with the vehicle is a qualified platform, and then compares the vehicle's data communication association map with the normal transmission model for the same brand and model, which effectively reduces the rate of misjudgment in the detection process.
It is worth noting that the association map reflects not only the characteristics of the various types of data in the to-be-detected uplink and downlink communication data but also the associations among the data. Applying the association map to transmission behavior detection therefore adapts effectively to the characteristics of intelligent networked automobiles, such as high moving speed, wide range and varied vehicle data transmission scenarios, so that the detection method fits their application scenario.
In another embodiment of the present invention, the determining whether the cloud platform address is included in the qualified platform list library of the corresponding vehicle brand and vehicle type specifically includes:
extracting a vehicle brand, a vehicle type, a cloud platform address and a data packet corresponding to the cloud platform address from the to-be-detected uplink and downlink communication data;
counting the communication frequency and the data volume of each cloud platform address through a data packet, and defining the cloud platform address corresponding to the data packet with the communication frequency and the data volume larger than a preset threshold value as an effective platform address;
and judging whether the effective platform address is contained in a qualified platform list library of the vehicles of corresponding vehicle brands and vehicle types.
It should be noted that transmission behavior with too small a data volume has no practical significance for detecting data transmission behavior between a vehicle and a cloud platform. Therefore, after the vehicle brand, vehicle type, cloud platform address and the data packets corresponding to the cloud platform address are extracted from the to-be-detected uplink and downlink communication data, the communication frequency and data volume of each cloud platform address are counted from the data packets, and a cloud platform address whose communication frequency and data volume are larger than the preset threshold value is defined as an effective platform address. The effective platform address is then compared with the cloud platform addresses in the qualified platform list library for vehicles of the corresponding brand and vehicle type, which reduces the amount of data processed and improves detection efficiency.
It is worth noting that building the qualified platform list library takes into account both the amount of data to be processed and the accuracy of the library, and follows the same principle as the detection method: with the cloud platform address as the feature, address information libraries of the cloud platforms of different brands and vehicle types are built by modeling on massive data; the communication data volume and communication frequency of each platform address are obtained by statistical analysis; and the cloud platform addresses with large communication data volume and high communication frequency are taken as the cloud platform white list addresses for vehicles of that brand and vehicle type.
In another embodiment of the present invention, drawing, with the vehicle brand and the vehicle type as the unit, an association map that represents the vehicles' network-space behavior association according to the cloud platform address, for the to-be-detected uplink and downlink communication data of the vehicles of each vehicle brand and vehicle type, specifically includes:
constructing four-tuple information of the vehicle from the vehicle-mounted terminal address, the cloud platform address, the port information of the cloud platform, and the vehicle state information (comprising the IMSI number, the vehicle brand, the vehicle type and the operation data information of the vehicle) extracted from the to-be-detected uplink and downlink communication data;
expressing the geospatially heterogeneous data in the four-tuple information in a unified form;
by taking the vehicle brand and the vehicle type of the vehicle as units, extracting the communication frequency and the data volume of each cloud platform address from the to-be-detected uplink and downlink communication data;
and drawing the association map based on the communication frequency, the data volume and the uniformly expressed quadruple information.
It should be noted that by drawing the associated map, multi-feature fusion of the intelligent networked automobile transmission data containing various different types of information such as vehicle state information and data transmission information is realized.
Further, in another embodiment of the present invention, the content of the operation data information of the vehicle is specifically described, that is: the operation data information includes: geographic location, operating time, vehicle speed, duration of communication with the cloud platform.
It should be noted that, according to the actual detection requirement of the vehicle communication data transmission behavior, the operation data information of the vehicle may also be other data information that is not mentioned, which is not described herein again.
In another embodiment of the present invention, the determining whether the deviation between the drawn association map and the normal transmission model of the vehicle of the corresponding vehicle brand and vehicle type exceeds a deviation threshold specifically includes:
judging whether the communication frequency or the data volume of the vehicle in the association map exceeds the communication frequency or the data volume in the corresponding normal transmission model within a preset time period;
judging whether the geographic position of the vehicle in the association map is always kept in a limited access area defined in a corresponding normal transmission model within a preset time length;
judging whether the geographic position of the vehicle in the association map is always kept in a limited stay area defined in a corresponding normal transmission model within a preset time period;
and judging whether the vehicle speed of the vehicle in the association map exceeds the maximum vehicle speed defined in the corresponding normal transmission model within a preset time period.
It should be noted that detecting abnormal transmission behavior of intelligent internet automobile communication data with the normal transmission model may specifically include the situations listed above. For example, for vehicles of the same vehicle brand and vehicle type, when, within a predetermined time period (for example, 1 hour, 3 hours or 5 hours), the amount of data sent to or received from a certain cloud platform address, or the communication frequency, is too large, that is, deviates greatly from the data volume or communication frequency contained in the normal transmission model, it can be clearly confirmed that the transmission behavior is abnormal.
The association map of the vehicle within the preset time is likewise compared with the limited access area or limited stay area contained in the normal transmission model; when the vehicle enters the limited access area, or stays in the limited stay area for too long, the transmission behavior is determined to be abnormal. In other words, this criterion incorporates the electronic fence technology in common use today.
Specifically, in the above embodiments, only a few common detections of abnormal transmission behaviors of the intelligent networked automobile communication data are listed, and the detection of the transmission behaviors of other communication data by applying the normal transmission model is also covered by the protection scope of the present invention, which is not described herein again.
It is worth noting that the normal transmission model is constructed on the principle of the detection method by tracking the communication data messages of a single vehicle terminal over a period of time. That is, with the IMSI number of the vehicle as the characteristic, the communication data messages of the single vehicle terminal within 1 hour, 3 hours, 5 hours or other preset time periods are collected respectively; information such as the total amount of communication data packets, the communication frequency and the duration of the communication data packets is summarized; data modeling is performed; thousands of levels of data information are extracted; and the normal transmission models of intelligent internet automobile data for different brands and different vehicle types are thereby constructed.
Fig. 2 shows the process of detecting abnormal transmission behavior in the communication data of an intelligent networked automobile A by applying the detection method provided by the present invention, so that the method can be better understood.
The detection process specifically comprises the following steps:
201. obtaining the communication content of A, and extracting all communication data packets within 1 hour, 2 hours or other preset time;
202. obtaining information of IMSI number, vehicle brand, vehicle type, time, geographical position, vehicle speed, communication duration, target cloud platform address and the like of a vehicle in a communication data packet;
203. comparing the target cloud platform address with effective platform addresses in a qualified platform name list library of the same brand and the same vehicle type, and judging whether the target cloud platform address is contained in the qualified platform name list library; if not, entering 204; if yes, jumping to 205;
204. judging that abnormal transmission behavior exists in the communication content of A;
205. constructing quadruplet information of the vehicle from the vehicle-mounted terminal address, the target cloud platform address and the port information obtained from the communication content of A, together with the vehicle state information;
206. after unified expression of geospatial heterogeneous data is performed on the quadruplet information, extracting the communication frequency and the data volume of each cloud platform address from the data packets, taking the vehicle brand and the vehicle type of the vehicle as a unit;
207. deleting the data packets whose communication frequency or data volume is smaller than the preset standard, and drawing an association map of A within 1 hour, 2 hours or other preset time based on the remaining communication frequency, the data volume and the uniformly expressed quadruplet information;
208. comparing the association map with the normal transmission model of A, and judging whether the deviation from the normal transmission model exceeds a deviation threshold value; if yes, jumping to 204; if not, going to 209;
209. judging that the communication content of A has no abnormal transmission behavior, and returning to 201.
When the association map is drawn, the information is stored in a distributed database system, and the position points of the same IMSI number are marked on a map in time order, to draw the network space behavior association map of A over a period of time.
It should be noted that after the communication content of A is determined to have abnormal transmission behavior, an early warning may also be issued, so that the situation can be handled in time and the safety of information transmission is ensured.
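The flow of steps 201 to 209, as an added example that is not part of the patent: a Python implementation of the effective-address filter, the qualified-list check and the normal-model comparison, run over constructed packets. The field names, the `QUALIFIED` and `NORMAL_MODEL` tables, all thresholds, zone boxes, addresses and the IMSI are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: int             # seconds since the start of the detection window
    imsi: str
    brand: str
    model: str
    terminal_addr: str  # vehicle-mounted terminal address
    cloud_addr: str     # cloud platform address
    cloud_port: int
    size: int           # bytes
    lat: float
    lon: float
    speed_kmh: float

# Assumed reference data keyed by (brand, model); every value is constructed.
QUALIFIED = {("BrandX", "ModelY"): {"203.0.113.10", "203.0.113.11"}}
NORMAL_MODEL = {("BrandX", "ModelY"): {
    "max_packets": 50,        # communication frequency per address per window
    "max_bytes": 200_000,     # data volume per address per window
    "max_speed_kmh": 180.0,
    "limited_access": [(39.90, 116.30, 39.92, 116.32)],        # lat0, lon0, lat1, lon1
    "limited_stay": [((39.95, 116.40, 39.97, 116.42), 600)],   # box, max dwell (s)
}}
MIN_PACKETS, MIN_BYTES = 3, 1_000  # assumed thresholds for an "effective" address

def in_box(box, lat, lon):
    lat0, lon0, lat1, lon1 = box
    return lat0 <= lat <= lat1 and lon0 <= lon <= lon1

def per_address_stats(packets):
    """Packet count (frequency) and byte total (volume) per cloud platform address."""
    stats = defaultdict(lambda: [0, 0])
    for p in packets:
        stats[p.cloud_addr][0] += 1
        stats[p.cloud_addr][1] += p.size
    return {addr: (n, b) for addr, (n, b) in stats.items()}

def longest_dwell(packets, box):
    """Longest continuous time in seconds inside box; packets must be sorted by ts."""
    longest, start = 0, None
    for p in packets:
        if in_box(box, p.lat, p.lon):
            start = p.ts if start is None else start
            longest = max(longest, p.ts - start)
        else:
            start = None
    return longest

def detect(packets):
    """Return (verdict, reasons) for one vehicle's packets in one time window."""
    if not packets:
        return "normal", []
    key = (packets[0].brand, packets[0].model)
    stats = per_address_stats(packets)
    # Low-volume addresses are dropped before any comparison (steps 203 and 207).
    effective = {a for a, (n, b) in stats.items() if n > MIN_PACKETS and b > MIN_BYTES}
    unlisted = sorted(effective - QUALIFIED.get(key, set()))
    if unlisted:  # step 204 reached directly from step 203
        return "abnormal", [f"unlisted cloud address {a}" for a in unlisted]
    model = NORMAL_MODEL.get(key)
    if model is None:  # assumption: a missing model is treated as abnormal
        return "abnormal", ["no normal transmission model for brand/model"]
    kept = sorted((p for p in packets if p.cloud_addr in effective), key=lambda p: p.ts)
    reasons = []
    for addr in sorted(effective):  # step 208: deviation from the normal model
        n, b = stats[addr]
        if n > model["max_packets"]:
            reasons.append(f"frequency to {addr} above model")
        if b > model["max_bytes"]:
            reasons.append(f"volume to {addr} above model")
    if any(p.speed_kmh > model["max_speed_kmh"] for p in kept):
        reasons.append("speed above model maximum")
    if any(in_box(z, p.lat, p.lon) for p in kept for z in model["limited_access"]):
        reasons.append("entered limited access area")
    for box, max_dwell in model["limited_stay"]:
        if longest_dwell(kept, box) > max_dwell:
            reasons.append("stayed too long in limited stay area")
    return ("abnormal" if reasons else "normal"), reasons

def mk(ts, addr="203.0.113.10", size=2000, lat=39.80, lon=116.20, speed=60.0):
    """Build one constructed sample packet for the hypothetical BrandX/ModelY vehicle."""
    return Packet(ts, "001010000000001", "BrandX", "ModelY", "10.0.0.5",
                  addr, 443, size, lat, lon, speed)

if __name__ == "__main__":
    base = [mk(t) for t in range(0, 300, 60)]  # 5 packets to a listed address
    print(detect(base))
    print(detect(base + [mk(t, addr="198.51.100.7") for t in range(5)]))
    print(detect(base + [mk(10, addr="198.51.100.7", size=100)]))
    print(detect([mk(t, lat=39.96, lon=116.41) for t in (0, 300, 600, 900)]))
```

Because addresses below the effective-address thresholds are dropped before the list comparison, the third call returns a normal verdict even though one small packet went to an unlisted address; where the thresholds sit determines how much low-volume traffic goes unexamined.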
The system for detecting the abnormal transmission behavior of the networked automobile communication data provided by the invention is described below with reference to fig. 3; the system described below and the method for detecting the abnormal transmission behavior of the networked automobile communication data described above may be referred to in correspondence with each other.
As shown in fig. 3, the system includes an acquisition module 310 and an execution module 320, wherein:
the acquisition module 310 is used for acquiring to-be-detected uplink and downlink communication data between a vehicle and a cloud platform in real time;
the execution module 320 is configured to compare the to-be-detected uplink and downlink communication data with a normal transmission model corresponding to the brand and the model of the vehicle based on a qualified platform list library, and determine whether the to-be-detected uplink and downlink communication data has an abnormal transmission behavior;
the qualified platform name list library is a cloud platform address information library which is established by processing communication data between vehicles and cloud platforms and distinguishing vehicle brands and vehicle types by taking a cloud platform address in the communication data as a characteristic;
and the normal transmission model is a vehicle data model which is established by taking the IMSI number of the vehicle in the communication data as a characteristic, processing the communication data based on the cloud platform address in the qualified platform name list library and distinguishing the brand and the model of the vehicle.
In the system for detecting the abnormal transmission behavior of internet automobile communication data provided by the invention, the acquisition module acquires the to-be-detected uplink and downlink communication data between the vehicle and the cloud platform in real time, and the execution module compares the to-be-detected uplink and downlink communication data with the qualified platform list library and the normal transmission model corresponding to the brand and model of the vehicle, so that whether the to-be-detected data has abnormal transmission behavior is judged in real time.
In a preferred embodiment, the executing module 320 extracts a vehicle brand, a vehicle type, and a cloud platform address of a vehicle to be detected from the uplink and downlink communication data to be detected;
judging whether the cloud platform address is contained in a qualified platform list library of corresponding vehicle brands and vehicle types; if not, judging that the vehicle to be detected has abnormal transmission;
if so, respectively drawing an association map which represents network space behavior association of the vehicles according to the cloud platform address for the to-be-detected uplink and downlink communication data corresponding to the vehicles of all the vehicle brands and the vehicle types by taking the vehicle brands and the vehicle types of the vehicles as units;
judging whether the deviation of the drawn association map and a normal transmission model of a vehicle of a corresponding vehicle brand and a corresponding vehicle type exceeds a deviation threshold value or not; if not, judging that the vehicle is in normal transmission; if yes, judging that the vehicle has abnormal transmission.
In a preferred embodiment, the executing module 320 extracts a vehicle brand, a vehicle type, a cloud platform address and a data packet corresponding to the cloud platform address from the to-be-detected uplink and downlink communication data;
counting the communication frequency and the data volume of each cloud platform address through a data packet, and defining the cloud platform address corresponding to the data packet with the communication frequency and the data volume larger than a preset threshold value as an effective platform address;
and judging whether the effective platform address is contained in a qualified platform list library of the vehicles of the corresponding vehicle brands and vehicle types.
In a preferred embodiment, the executing module 320 constructs quadruplet information of the vehicle based on the vehicle-mounted terminal address, the cloud platform address, the port information of the cloud platform, and the vehicle state information including the IMSI number, the vehicle brand, the vehicle type, and the operation data information of the vehicle, which are extracted from the to-be-detected uplink and downlink communication data; wherein the operation data information includes: geographic position, running time, vehicle speed and communication duration with the cloud platform;
carrying out unified expression on the four-tuple information on geospatial heterogeneous data;
taking the brand and the model of the vehicle as a unit, and extracting the communication frequency and the data volume of each cloud platform address from the to-be-detected uplink and downlink communication data;
and drawing the association map based on the communication frequency, the data volume and the uniformly expressed quadruple information.
In a preferred embodiment, the executing module 320 determines whether the deviation amount of the correlation map from the normal transmission model of the vehicle of the corresponding vehicle brand or model exceeds the deviation amount threshold by determining whether the communication frequency or data amount of the vehicle in the correlation map exceeds the communication frequency or data amount in the corresponding normal transmission model within a predetermined time period, whether the geographic position of the vehicle in the correlation map is always kept within the restricted entry area defined in the corresponding normal transmission model within a predetermined time period, whether the geographic position of the vehicle in the correlation map is always kept within the restricted stay area defined in the corresponding normal transmission model within a predetermined time period, or whether the vehicle speed of the vehicle in the correlation map exceeds the maximum vehicle speed defined in the corresponding normal transmission model within a predetermined time period.
The system for detecting the abnormal transmission behavior of the internet automobile communication data provided by the embodiment of the invention is used to carry out the method for detecting the abnormal transmission behavior of the internet automobile communication data in each of the embodiments. The specific method and flow by which each module of the system realizes its corresponding function are detailed in the embodiments of the method for detecting the abnormal transmission behavior of the networked automobile communication data, and are not described herein again.
The system for detecting the abnormal transmission behavior of the networked automobile communication data is used for the method for detecting the abnormal transmission behavior of the networked automobile communication data in the embodiments. Therefore, the description and definition in the method for detecting abnormal transmission behavior of networked automobile communication data in the foregoing embodiments can be used for understanding the execution modules in the embodiments of the present invention.
Fig. 4 illustrates a physical structure diagram of an electronic device, which may include, as shown in fig. 4: a processor (processor) 410, a communication Interface 420, a memory (memory) 430 and a communication bus 440, wherein the processor 410, the communication Interface 420 and the memory 430 are communicated with each other via the communication bus 440. The processor 410 may call logic instructions in the memory 430 to execute a method for detecting abnormal transmission behavior of networked automobile communication data, the method comprising:
101. acquiring to-be-detected uplink and downlink communication data between a vehicle and a cloud platform in real time;
102. comparing the to-be-detected uplink and downlink communication data with a normal transmission model corresponding to the brand and the model of the vehicle based on a qualified platform name list library, and judging whether the to-be-detected uplink and downlink communication data have abnormal transmission behaviors;
the qualified platform name list library is a cloud platform address information library which is established by processing communication data between vehicles and cloud platforms and distinguishing vehicle brands and vehicle types by taking a cloud platform address in the communication data as a characteristic;
and the normal transmission model is a vehicle data model which is established by taking the IMSI number of the vehicle in the communication data as a characteristic, processing the communication data based on the cloud platform address in the qualified platform name list library and distinguishing the brand and the model of the vehicle.
In addition, the logic instructions in the memory 430 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention further provides a computer program product, where the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute a method for detecting abnormal transmission behavior of networked automobile communication data provided by the above methods, where the method includes:
101. acquiring to-be-detected uplink and downlink communication data between a vehicle and a cloud platform in real time;
102. comparing the to-be-detected uplink and downlink communication data with a normal transmission model corresponding to the brand and the model of the vehicle based on a qualified platform name list library, and judging whether the to-be-detected uplink and downlink communication data have abnormal transmission behaviors;
the qualified platform name list library is a cloud platform address information library which is established by processing communication data between vehicles and cloud platforms and distinguishing vehicle brands and vehicle types by taking a cloud platform address in the communication data as a characteristic;
and the normal transmission model is a vehicle data model which is established by taking the IMSI number of the vehicle in the communication data as a characteristic, processing the communication data based on the cloud platform address in the qualified platform name list library and distinguishing the brand and the model of the vehicle.
In another aspect, the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a method for detecting abnormal transmission behavior of internet vehicle communication data provided by the foregoing methods, where the method includes:
101. acquiring to-be-detected uplink and downlink communication data between a vehicle and a cloud platform in real time;
102. comparing the to-be-detected uplink and downlink communication data with a normal transmission model corresponding to the brand and the model of the vehicle based on a qualified platform name list library, and judging whether the to-be-detected uplink and downlink communication data have abnormal transmission behaviors;
the qualified platform name list library is a cloud platform address information library which is established by processing communication data between vehicles and cloud platforms and distinguishing vehicle brands and vehicle types by taking a cloud platform address in the communication data as a characteristic;
and the normal transmission model is a vehicle data model which is established by taking the IMSI number of the vehicle in the communication data as a characteristic, processing the communication data based on the cloud platform address in the qualified platform name list library and distinguishing the brand and the model of the vehicle.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for detecting abnormal transmission behaviors of internet automobile communication data is characterized by comprising the following steps:
acquiring to-be-detected uplink and downlink communication data between a vehicle and a cloud platform in real time;
extracting the vehicle brand, the vehicle type and the cloud platform address of the vehicle to be detected from the uplink and downlink communication data to be detected;
judging whether the cloud platform address is contained in a qualified platform list library of corresponding vehicle brands and vehicle types; if not, judging that the vehicle to be detected has abnormal transmission;
if so, respectively drawing an association map which represents network space behavior association of the vehicles according to the cloud platform address for the to-be-detected uplink and downlink communication data corresponding to the vehicles of all the vehicle brands and the vehicle types by taking the vehicle brands and the vehicle types of the vehicles as units;
judging whether the deviation of the drawn association map and a normal transmission model of a vehicle of a corresponding vehicle brand and a corresponding vehicle type exceeds a deviation threshold value or not; if not, judging that the vehicle is in normal transmission; if yes, judging that abnormal transmission exists in the vehicle;
the qualified platform name list library is a cloud platform address information library which is established by processing communication data between vehicles and cloud platforms and distinguishing vehicle brands and vehicle types by taking a cloud platform address in the communication data as a characteristic;
and the normal transmission model is a vehicle data model which is established by processing the communication data based on the cloud platform address in the qualified platform name list library by taking the vehicle IMSI number in the communication data as a characteristic and distinguishing vehicle brands and vehicle types.
2. The method for detecting the abnormal transmission behavior of the internet-connected vehicle communication data according to claim 1, wherein the step of judging whether the cloud platform address is included in the qualified platform list library of the corresponding vehicle brand and vehicle type specifically comprises:
extracting a vehicle brand, a vehicle type, a cloud platform address and a data packet corresponding to the cloud platform address from the to-be-detected uplink and downlink communication data;
counting the communication frequency and the data volume of each cloud platform address through a data packet, and defining the cloud platform address corresponding to the data packet with the communication frequency and the data volume larger than a preset threshold value as an effective platform address;
and judging whether the effective platform address is contained in a qualified platform list library of the vehicles of the corresponding vehicle brands and vehicle types.
3. The method for detecting the abnormal transmission behavior of the internet automobile communication data according to claim 1, wherein the drawing of the association map representing the network space behavior association of the vehicle is performed on the to-be-detected uplink and downlink communication data corresponding to the vehicle of each vehicle brand and vehicle type according to the cloud platform address by taking the vehicle brand and vehicle type of the vehicle as a unit, and specifically comprises the following steps:
constructing quadruplet information of the vehicle based on the vehicle-mounted terminal address, the cloud platform address and the port information of the cloud platform extracted from the to-be-detected uplink and downlink communication data, and the vehicle state information comprising the IMSI number, the brand, the model and the operation data information of the vehicle;
carrying out unified expression on the four-tuple information on geospatial heterogeneous data;
by taking the vehicle brand and the vehicle type of the vehicle as units, extracting the communication frequency and the data volume of each cloud platform address from the to-be-detected uplink and downlink communication data;
and drawing the association map based on the communication frequency, the data volume and the uniformly expressed quadruple information.
4. The method for detecting the abnormal transmission behavior of the internet automobile communication data according to claim 3, wherein the operation data information comprises: geographic location, operating time, vehicle speed, duration of communication with the cloud platform.
5. The method for detecting the abnormal transmission behavior of the networked automobile communication data according to claim 4, wherein the step of judging whether the deviation between the drawn association map and the normal transmission model of the vehicle of the corresponding vehicle brand and vehicle type exceeds a deviation threshold specifically comprises the steps of:
judging whether the communication frequency or the data volume of the vehicle in the association map exceeds the communication frequency or the data volume in the corresponding normal transmission model within a preset time period;
judging whether the geographic position of the vehicle in the association map is always kept in a limited access area defined in a corresponding normal transmission model within a preset time length;
judging whether the geographic position of the vehicle in the association map is always kept in a limited stay area defined in a corresponding normal transmission model within a preset time;
and judging whether the vehicle speed of the vehicle in the association map exceeds the maximum vehicle speed defined in the corresponding normal transmission model within a preset time.
6. A system for detecting abnormal transmission behaviors of internet automobile communication data, characterized by comprising:
the acquisition module is used for acquiring to-be-detected uplink and downlink communication data between the vehicle and the cloud platform in real time;
the execution module is used for extracting the vehicle brand, the vehicle type and the cloud platform address of the vehicle to be detected from the uplink and downlink communication data to be detected; judging whether the cloud platform address is contained in a qualified platform list library of corresponding vehicle brands and vehicle types; if not, judging that the vehicle to be detected has abnormal transmission; if so, respectively drawing an association map which represents network space behavior association of the vehicles according to the cloud platform address for the to-be-detected uplink and downlink communication data corresponding to the vehicles of all the vehicle brands and the vehicle types by taking the vehicle brands and the vehicle types of the vehicles as units; judging whether the deviation of the drawn association map and a normal transmission model of a vehicle of a corresponding vehicle brand and a corresponding vehicle type exceeds a deviation threshold value or not; if not, judging that the vehicle is in normal transmission; if so, judging that abnormal transmission exists in the vehicle;
the qualified platform name list library is a cloud platform address information library which is established by processing communication data between vehicles and cloud platforms and distinguishing vehicle brands and vehicle types by taking a cloud platform address in the communication data as a characteristic;
and the normal transmission model is a vehicle data model which is established by taking the IMSI number of the vehicle in the communication data as a characteristic, processing the communication data based on the cloud platform address in the qualified platform name list library and distinguishing the brand and the model of the vehicle.
7. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method for detecting abnormal transmission behavior of internet automobile communication data according to any one of claims 1 to 5 when executing the program.
8. A non-transitory computer readable storage medium, having a computer program stored thereon, wherein the computer program, when being executed by a processor, implements the steps of the method for detecting abnormal transmission behavior of networked automobile communication data according to any one of claims 1 to 5.
CN202111154669.2A 2021-09-29 2021-09-29 Method and system for detecting abnormal transmission behavior of internet automobile communication data, electronic equipment and readable medium Active CN113938295B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111154669.2A CN113938295B (en) 2021-09-29 2021-09-29 Method and system for detecting abnormal transmission behavior of internet automobile communication data, electronic equipment and readable medium

Publications (2)

Publication Number Publication Date
CN113938295A (en) 2022-01-14
CN113938295B (en) 2022-12-13

Family

ID=79277253

Country Status (1)

Country Link
CN (1) CN113938295B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760092A (en) * 2022-03-09 2022-07-15 浙江零跑科技股份有限公司 Network data safety detection system for intelligent automobile and cloud platform

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109688224A (en) * 2018-12-28 2019-04-26 国汽(北京)智能网联汽车研究院有限公司 A kind of intelligent network connection automobile cloud control platform architecture
CN111049937A (en) * 2019-12-31 2020-04-21 长城汽车股份有限公司 Data processing system and data transmission method of intelligent networked automobile
CN111865949A (en) * 2020-07-09 2020-10-30 恒安嘉新(北京)科技股份公司 Abnormal communication detection method and device, server and storage medium
CN113038426A (en) * 2021-02-27 2021-06-25 吉林大学 Internet of vehicles safety detection system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11017619B2 (en) * 2019-08-19 2021-05-25 Capital One Services, Llc Techniques to detect vehicle anomalies based on real-time vehicle data collection and processing

Also Published As

Publication number Publication date
CN113938295A (en) 2022-01-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant