CN113992391B - Method and device for analyzing message - Google Patents
Method and device for analyzing message Download PDFInfo
- Publication number
- CN113992391B CN113992391B CN202111246587.0A CN202111246587A CN113992391B CN 113992391 B CN113992391 B CN 113992391B CN 202111246587 A CN202111246587 A CN 202111246587A CN 113992391 B CN113992391 B CN 113992391B
- Authority
- CN
- China
- Prior art keywords
- message
- analyzed
- instruction
- vehicle bus
- attribute information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 44
- 238000004458 analytical method Methods 0.000 claims abstract description 20
- 238000004590 computer program Methods 0.000 claims description 9
- 238000007689 inspection Methods 0.000 claims description 7
- 238000010586 diagram Methods 0.000 description 10
- 238000004891 communication Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 6
- 238000007405 data analysis Methods 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
- H04L12/40006—Architecture of a communication node
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
- H04L2012/40267—Bus for use in transportation systems
- H04L2012/40273—Bus for use in transportation systems the transportation system being a vehicle
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
Abstract
The embodiment of the disclosure discloses a method and a device for analyzing a message. One embodiment of the method comprises the following steps: acquiring a vehicle bus message; and analyzing the command of which the attribute information is matched with the predetermined attribute information from the vehicle bus message according to the predetermined attribute information of the command to be analyzed. The embodiment improves the message analysis efficiency.
Description
The application is a divisional application of a method and a device for analyzing a message, the application date of the original application is 2018, 12 and 28, the application number of the original application is CN201811625725.4, and the invention of the original application is named as: method and apparatus for parsing a message.
Technical Field
The embodiment of the disclosure relates to the technical field of computers, in particular to a method and a device for analyzing a message.
Background
An on-board Gateway (Gateway) is typically used to forward vehicle bus data. The efficiency of the vehicle gateway in analyzing the data directly influences the performance of the vehicle control system.
Disclosure of Invention
The embodiment of the disclosure provides a method and a device for analyzing a message.
In a first aspect, embodiments of the present disclosure provide a method for parsing a message, the method including: acquiring a vehicle bus message; and analyzing the command of which the attribute information is matched with the predetermined attribute information from the vehicle bus message according to the predetermined attribute information of the command to be analyzed.
In some embodiments, the method further comprises: and determining whether the vehicle bus message is an attack message according to the analyzed instruction.
In some embodiments, the instructions to parse are determined by: acquiring rule information; and carrying out semantic analysis on the rule information to obtain an instruction associated with the rule information, and determining the obtained instruction as an instruction to be analyzed.
In some embodiments, the attribute information of the instruction to be parsed includes: the starting position of the command to be analyzed in the bus message of the vehicle and the command length of the command to be analyzed.
In some embodiments, the vehicle bus message is a deep packet inspection (Deep Packet Inspection, DPI) message.
In a second aspect, an embodiment of the present disclosure provides an apparatus for parsing a packet, including: the message acquisition unit is configured to acquire a vehicle bus message; and the message analysis unit is configured to analyze the instruction, of which the attribute information is matched with the predetermined attribute information, from the vehicle bus message according to the predetermined attribute information of the instruction to be analyzed.
In some embodiments, the apparatus further comprises: and the attack judging unit is configured to determine whether the vehicle bus message is an attack message according to the analyzed instruction.
In some embodiments, the instructions to parse are determined by: acquiring rule information; and carrying out semantic analysis on the rule information to obtain an instruction associated with the rule information, and determining the obtained instruction as an instruction to be analyzed.
In some embodiments, the attribute information of the instruction to be parsed includes: the starting position of the command to be analyzed in the bus message of the vehicle and the command length of the command to be analyzed.
In some embodiments, the vehicle bus message is a deep packet inspection message.
In a third aspect, embodiments of the present disclosure provide a server comprising: one or more processors; and a storage device having one or more programs stored thereon, which when executed by the one or more processors cause the one or more processors to implement a method as in any of the embodiments of the method for parsing a message.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as any of the embodiments of the method for parsing a message.
The method and the device for analyzing the message provided by the embodiment of the disclosure can firstly acquire the vehicle bus message. And then analyzing the command of which the attribute information is matched with the predetermined attribute information from the vehicle bus message according to the predetermined attribute information of the command to be analyzed. The method and the device provided by the embodiment of the invention only analyze the command to be analyzed in the vehicle bus message, can reduce unnecessary data analysis time and are beneficial to improving the message analysis efficiency.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings, in which:
FIG. 1 is an exemplary system architecture diagram in which an embodiment of the present application may be applied;
FIG. 2 is a flow chart of one embodiment of a method for parsing a message according to the present application;
FIG. 3 is a schematic diagram of one application scenario of a method for parsing a message according to an embodiment of the present disclosure;
FIG. 4 is a flow chart of yet another embodiment of a method for parsing a message according to the present application;
FIG. 5 is a schematic diagram illustrating one embodiment of an apparatus for parsing a message according to the present application;
FIG. 6 is a schematic diagram of a computer system suitable for use with a server implementing embodiments of the present disclosure.
Detailed Description
The present application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 illustrates an exemplary system architecture 100 of a method for parsing a message or an apparatus for parsing a message to which embodiments of the present disclosure may be applied.
As shown in fig. 1, the system architecture 100 may include a vehicle bus system 101, a network 102, and a gateway device 103. The network 102 is the medium used to provide a communication link between the vehicle bus system 101 and the gateway device 103. Network 102 may include various connection types such as wired, wireless communication links, or fiber optic cables, among others.
The vehicle bus system 101 may interact with the gateway device 103 through the network 102 to receive or send messages, etc. The vehicle bus system 101 may be a vehicle bus system having various bus functions, for example, a vehicle bus system that transmits vehicle bus messages to gateway devices. The vehicle bus system may transmit a vehicle bus message to the gateway device.
Gateway device 103 may be a variety of gateway devices, such as gateway devices that process vehicle bus messages transmitted by vehicle bus system 101. The gateway device may parse, according to the predetermined attribute information of the instruction to be parsed, an instruction whose attribute information matches the predetermined attribute information from the vehicle bus message.
It should be noted that, the method for parsing a message provided by the embodiment of the present disclosure is generally performed by the gateway device 103, and accordingly, the apparatus for parsing a message is generally disposed in the gateway device 103.
It should be understood that the number of vehicle bus systems, networks, and gateway devices in fig. 1 are merely illustrative. There may be any number of vehicle bus systems, networks, and gateway devices, as desired for implementation.
With continued reference to fig. 2, a flow 200 of one embodiment of a method for parsing a message according to the present application is shown. The method for analyzing the message comprises the following steps:
step 201, a vehicle bus message is acquired.
In this embodiment, the execution subject of the method for parsing a message (for example, the gateway device 103 shown in fig. 1) may acquire a vehicle bus message from a vehicle bus system that is communicatively connected. The vehicle bus message is typically a message transmitted on a vehicle bus.
It is noted that in various embodiments of the present application, the above-described vehicle may be various vehicles. For example, an unmanned vehicle. The vehicle may also be various other vehicles. Such as aircraft, ship.
Step 202, according to the predetermined attribute information of the instruction to be analyzed, analyzing the instruction of which the attribute information is matched with the predetermined attribute information from the vehicle bus message.
In this embodiment, since the vehicle bus message often has a specific message format, the executing body may parse the acquired vehicle bus message after acquiring the vehicle bus message. A plurality of instructions may typically be included in a vehicle bus message. The command to be parsed is usually a command preset by a technician and to be parsed in a vehicle bus message. The attribute information may be information describing a certain characteristic of the instruction to be parsed. As an example, the attribute information may be an identity of the instruction to be parsed. At this time, the executing body may find the instruction having the attribute information matching the identity identifier of the instruction to be analyzed from the vehicle bus message by using the identity identifier of the instruction to be analyzed, thereby analyzing the found instruction. Here, the instruction matching with the identity of the instruction to be analyzed may refer to an instruction having the same identity. It should be noted that there may be one instruction or multiple instructions to be parsed. When the instructions to be analyzed are multiple, the execution body can analyze the instructions, of which the attribute information is matched with the attribute information of the instructions to be analyzed, from the vehicle bus message by adopting the attribute information of each instruction to be analyzed.
Optionally, the attribute information of the instruction to be parsed may include, but is not limited to: the starting position of the command to be analyzed in the bus message of the vehicle and the command length of the command to be analyzed. Here, the execution subject may find the instruction having the attribute information of the start position and the instruction length from the vehicle bus message by using the start position and the instruction length of the instruction to be parsed. Thereby parsing out the found instruction.
It should be noted that, the instruction to be analyzed, namely the instruction to be analyzed, is determined in advance, and only the instruction matched with the attribute information of the instruction to be analyzed can be analyzed in each subsequent analysis of the vehicle bus message, and all the instructions in the vehicle bus message are not required to be analyzed, so that unnecessary data analysis time can be reduced, and the message analysis efficiency is improved.
In some optional implementations of this embodiment, the vehicle bus message is a deep packet inspection message. In the above implementation manner, when the vehicle bus message is a deep message parsing message, the execution body may parse the vehicle bus message by using a deep message parsing method. Here, since the execution body adopts the deep packet analysis method to analyze the vehicle bus packet, the vehicle bus packet can be accurately analyzed, but more calculation resources are required to be consumed. Therefore, only the command to be analyzed in the vehicle bus message is analyzed, so that accurate analysis of the vehicle bus message can be realized, and meanwhile, the consumption of computing resources is reduced.
In some optional implementations of this embodiment, the above instruction to be parsed is determined by:
first, rule information is acquired. Here, the rule information may be rule information set in advance by a technician. The rule information may be various information for characterizing a rule. As an example, the rule information may be a character set "if a+b, then X" for characterizing the rule "if instruction a and instruction B occur simultaneously, then it is a network attack event X". It should be noted that the rule information may be stored directly in the local area or may be stored in another electronic device communicatively connected to the execution subject. When the rule information is stored locally, the executing body may directly extract the locally stored rule information for processing. When the rule information is stored in other electronic devices communicatively connected with the execution subject, the execution subject may acquire the rule information for processing by wired connection or wireless connection.
And secondly, carrying out semantic analysis on the rule information to obtain an instruction associated with the rule information, and determining the obtained instruction as an instruction to be analyzed. Here, the execution body may perform semantic analysis on the rule information to obtain an instruction associated with the rule information. As an example, if the rule information is "if a+b, X". Wherein A is an instruction A, B is an instruction B, and X is a network attack event X. The execution body may perform semantic analysis on the rule information to obtain an instruction a and an instruction B associated with the rule information. In addition, after the execution body obtains the instruction associated with the rule information, the execution body may determine the obtained instruction as the instruction to be analyzed. It should be noted that a piece of rule information may include a plurality of instructions. In addition, the rule information may be one or a plurality of pieces. When the rule information has a plurality of pieces, the execution body can perform semantic analysis on each piece of rule information in the plurality of pieces of rule information to obtain an instruction associated with the rule information, and determine the obtained instruction as an instruction to be analyzed.
It should be noted that, after the execution body analyzes all the set rule information (one or more), if multiple (two or more) instructions to be analyzed are obtained, the multiple instructions to be analyzed obtained at this time may be an instruction set to be analyzed.
With continued reference to fig. 3, fig. 3 is a schematic diagram of an application scenario of the method for parsing a message according to the present embodiment. In the application scenario 300 of fig. 3, the gateway device 301 first obtains a vehicle bus message from the vehicle bus system 302. At this time, the instructions included in the vehicle bus message include: a, B, C, D, E. Then, according to the predetermined attribute information of the command to be analyzed, analyzing the vehicle bus message to obtain a command of which the attribute information is matched with the attribute information: a and B.
The method for analyzing a message provided in the foregoing embodiment of the present application may first obtain a vehicle bus message. And then analyzing the command of which the attribute information is matched with the predetermined attribute information from the vehicle bus message according to the predetermined attribute information of the command to be analyzed. The method provided by the embodiment of the disclosure only analyzes the command to be analyzed in the vehicle bus message, so that unnecessary data analysis time can be reduced, and the message analysis efficiency can be improved.
With further reference to fig. 4, a flow 400 of yet another embodiment of a method for parsing a message is shown. The flow 400 of the method for parsing a message includes the steps of:
step 401, a vehicle bus message is acquired.
And step 402, analyzing the command with the attribute information matched with the predetermined attribute information from the vehicle bus message according to the predetermined attribute information of the command to be analyzed.
In this embodiment, the specific operations of steps 401 to 402 are substantially the same as those of steps 201 to 202 in the embodiment shown in fig. 2, and will not be described herein.
Step 403, determining whether the vehicle bus message is an attack message according to the parsed instruction.
The attack message generally refers to a message that occupies network access bandwidth or system resources of the host, so that the host cannot normally operate. The host may be a vehicle-mounted server.
In this embodiment, the execution body may determine whether the vehicle bus packet is an attack packet by analyzing the instruction. The execution body may analyze one instruction at a time, may analyze a plurality of instructions at a time, and may analyze all the obtained instructions at a time. It should be noted that, the instruction may generally include: at least one of data and address information. Optionally, the executing body may determine a vehicle bus packet corresponding to the instruction meeting the preset condition as the attack packet. As an example, if the target address and the source address are the same in the instruction, the vehicle bus message corresponding to the instruction may be considered as an attack message. As another example, if the target address and the source address are the same in the continuous multiple instructions, the vehicle bus message corresponding to the multiple instructions may be considered as an attack message.
As can be seen from fig. 4, compared with the embodiment corresponding to fig. 2, the flow 400 of the method for parsing a message in this embodiment represents a step of determining whether the vehicle bus message is an attack message based on the command to be parsed. Therefore, the scheme described in the embodiment can help to improve the message analysis efficiency, and can improve the safety detection efficiency of the vehicle bus message.
With further reference to fig. 5, as an implementation of the method shown in the foregoing figures, the present application provides an embodiment of an apparatus for parsing a packet, where an embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied to various servers.
As shown in fig. 5, the apparatus 500 for parsing a packet according to the present embodiment includes: a message acquisition unit 501 configured to acquire a vehicle bus message; the message parsing unit 502 parses, from the vehicle bus message, a command whose attribute information matches with predetermined attribute information according to predetermined attribute information of the command to be parsed.
In some optional implementations of the present embodiment, the apparatus may further include an attack determination unit (not shown in the figure). The attack determination unit may be configured to determine whether the vehicle bus message is an attack message according to the parsed instruction.
In some alternative implementations of the present embodiment, the instructions to be parsed are determined by: first, rule information is acquired. And then, carrying out semantic analysis on the rule information to obtain an instruction associated with the rule information. And finally, determining the obtained instruction as the instruction to be analyzed.
In some optional implementations of this embodiment, the attribute information of the instruction to be parsed includes: the starting position of the command to be analyzed in the bus message of the vehicle and the command length of the command to be analyzed.
In some optional implementations of this embodiment, the vehicle bus message is a deep packet inspection message.
In the device provided in the foregoing embodiment of the present application, the message obtaining unit 501 obtains a vehicle bus message. Then, the message parsing unit 502 parses, from the vehicle bus message, a command whose attribute information matches the predetermined attribute information according to the predetermined attribute information of the command to be parsed. The device of the embodiment only analyzes the command to be analyzed in the vehicle bus message, can reduce unnecessary data analysis time and is beneficial to improving message analysis efficiency.
Referring now to FIG. 6, there is illustrated a schematic diagram of a computer system 600 suitable for use with a server embodying embodiments of the present disclosure. The server illustrated in fig. 6 is merely an example, and should not be construed as limiting the functionality and scope of use of the embodiments of the present disclosure in any way.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the method of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) 601. It should be noted that the computer readable medium of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments described in the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The described units may also be provided in a processor, for example, described as: a processor includes a message acquisition unit, a message parsing unit, and an instruction matching unit. The names of these units do not limit the unit itself in some cases, and the message acquisition unit may also be described as a "unit that acquires a vehicle bus message", for example.
As another aspect, the present application also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more programs which, when executed by the apparatus, cause the apparatus to: acquiring a vehicle bus message; and analyzing the command of which the attribute information is matched with the predetermined attribute information from the vehicle bus message according to the predetermined attribute information of the command to be analyzed.
The foregoing description is only of the preferred embodiments of the present application and is presented as a description of the principles of the technology being utilized. It will be appreciated by persons skilled in the art that the scope of the invention referred to in this application is not limited to the specific combinations of features described above, but it is intended to cover other embodiments in which any combination of features described above or equivalents thereof is possible without departing from the spirit of the invention. Such as the above-described features and technical features having similar functions (but not limited to) disclosed in the present application are replaced with each other.
Claims (6)
1. A method for parsing a message, comprising:
acquiring a vehicle bus message;
acquiring a plurality of pieces of rule information;
carrying out semantic analysis on each piece of rule information in the plurality of pieces of rule information to obtain instructions associated with the rule information, and determining the obtained instructions as an instruction set to be analyzed;
according to the attribute information of each instruction to be analyzed in the instruction set to be analyzed, analyzing an instruction with the attribute information matched with each piece of attribute information from the vehicle bus message, wherein the attribute information of the instruction to be analyzed comprises: the starting position of the command to be analyzed in the vehicle bus message, the command length of the command to be analyzed and the identity of the command to be analyzed;
and determining whether the vehicle bus message is an attack message according to the analyzed instruction.
2. The method of claim 1, wherein the vehicle bus message is a deep packet inspection message.
3. An apparatus for parsing a message, comprising:
the message acquisition unit is configured to acquire a vehicle bus message;
an information acquisition unit configured to acquire a plurality of pieces of rule information;
the instruction determining unit is configured to perform semantic analysis on each piece of rule information in the plurality of pieces of rule information to obtain instructions associated with the rule information, and determine the obtained instructions as an instruction set to be analyzed;
the message analysis unit is configured to analyze the instruction of which the attribute information is matched with each piece of attribute information from the vehicle bus message according to the attribute information of each piece of instruction to be analyzed in the instruction set to be analyzed, wherein the attribute information of the instruction to be analyzed comprises: the starting position of the command to be analyzed in the vehicle bus message, the command length of the command to be analyzed and the identity of the command to be analyzed;
the apparatus further comprises:
and the attack judging unit is configured to determine whether the vehicle bus message is an attack message according to the analyzed instruction.
4. The apparatus of claim 3, wherein the vehicle bus message is a deep packet inspection message.
5. A server, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1 or 2.
6. A computer readable medium having stored thereon a computer program, wherein the program when executed by a processor implements the method of any of claims 1 or 2.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111246587.0A CN113992391B (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111246587.0A CN113992391B (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
| CN201811625725.4A CN109743310B (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811625725.4A Division CN109743310B (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113992391A CN113992391A (en) | 2022-01-28 |
| CN113992391B true CN113992391B (en) | 2023-12-29 |
Family
ID=66361857
Family Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811625725.4A Active CN109743310B (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
| CN202111247588.7A Pending CN113904864A (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
| CN202111246587.0A Active CN113992391B (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
Family Applications Before (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811625725.4A Active CN109743310B (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
| CN202111247588.7A Pending CN113904864A (en) | 2018-12-28 | 2018-12-28 | Method and device for analyzing message |
Country Status (1)
| Country | Link |
|---|---|
| CN (3) | CN109743310B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111314354B (en) * | 2020-02-19 | 2021-11-16 | 北京天融信网络安全技术有限公司 | Intelligent vehicle communication method and device, electronic equipment and readable storage medium |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103997489A (en) * | 2014-05-09 | 2014-08-20 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for recognizing DDoS bot network communication protocol |
| CN105025011A (en) * | 2015-06-12 | 2015-11-04 | 吉林大学 | A vehicle information security evaluation method |
| CN105279421A (en) * | 2014-06-19 | 2016-01-27 | 移威视信公司 | Information safety detection system and method based on car networking accessing OBD II |
| CN105681199A (en) * | 2015-12-29 | 2016-06-15 | 北京经纬恒润科技有限公司 | Method and device for processing message data in vehicular bus |
| CN107547572A (en) * | 2017-10-13 | 2018-01-05 | 北京洋浦伟业科技发展有限公司 | A kind of CAN communication means based on pseudo random number |
| CN107566316A (en) * | 2016-06-30 | 2018-01-09 | 中兴通讯股份有限公司 | A kind of message parsing method, device and network processing unit |
| CN108076010A (en) * | 2016-11-10 | 2018-05-25 | 中国移动通信集团广东有限公司 | A kind of XML message analytic method and server |
| JP2018170591A (en) * | 2017-03-29 | 2018-11-01 | パナソニックIpマネジメント株式会社 | Communication device, communication method, and control program |
| CN108965267A (en) * | 2018-06-28 | 2018-12-07 | 北京车和家信息技术有限公司 | network attack processing method, device and vehicle |
Family Cites Families (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2002026924A (en) * | 2000-07-06 | 2002-01-25 | Denso Corp | Data repeater and multiplex communication system |
| TWI409645B (en) * | 2009-05-27 | 2013-09-21 | Ibm | Communication server and method and computer readable medium of processing messages utilizing the server |
| CN104247361B (en) * | 2011-12-01 | 2018-07-24 | 英特尔公司 | For method, equipment and the associated vehicle control system of security message filtering, and the computer-readable memory containing corresponding instruction |
| US8983714B2 (en) * | 2012-11-16 | 2015-03-17 | Robert Bosch Gmbh | Failsafe communication system and method |
| CN104216391B (en) * | 2013-05-31 | 2017-04-19 | 广州汽车集团股份有限公司 | Automotive type recognition method of automobile decoder |
| CN104156565B (en) * | 2014-07-21 | 2018-08-24 | 北京航天发射技术研究所 | System mode analysis method based on offline CAN bus data and analytical equipment |
| US10120843B2 (en) * | 2014-08-26 | 2018-11-06 | International Business Machines Corporation | Generation of parsable data for deep parsing |
| CN105703990A (en) * | 2014-11-28 | 2016-06-22 | 联创汽车电子有限公司 | Analysis method and construction method of CAN communication message of vehicle controller |
| US10425447B2 (en) * | 2015-08-28 | 2019-09-24 | International Business Machines Corporation | Incident response bus for data security incidents |
| CN105564439B (en) * | 2015-12-28 | 2018-03-23 | 广州汽车集团股份有限公司 | Control method for vehicle and system |
| CN107231279A (en) * | 2016-03-26 | 2017-10-03 | 深圳市沃特玛电池有限公司 | A kind of message parsing method based on CAN communication |
| CN106130855B (en) * | 2016-07-18 | 2019-06-11 | 珠海格力电器股份有限公司 | The method and device of data processing |
| US20180062988A1 (en) * | 2016-08-31 | 2018-03-01 | Faraday&Future Inc. | Ethernet communication of can signals |
| CN106817366A (en) * | 2016-12-31 | 2017-06-09 | 惠州市蓝微新源技术有限公司 | A kind of CAN document analysis and again store method |
| KR101856487B1 (en) * | 2017-03-03 | 2018-06-19 | 주식회사 티맥스데이터 | Computing device for processing parsing |
| CN107656520B (en) * | 2017-10-24 | 2021-04-02 | 厦门市福工动力技术有限公司 | CAN bus data analysis method and computer readable storage medium |
| CN108415408A (en) * | 2018-03-16 | 2018-08-17 | 宁波杉杉汽车有限公司 | Automobile packet parsing based on CAN communication and method for diagnosing faults |
| CN108965293B (en) * | 2018-07-13 | 2021-06-11 | 智车优行科技(北京)有限公司 | Message analysis method and device and electronic equipment |
-
2018
- 2018-12-28 CN CN201811625725.4A patent/CN109743310B/en active Active
- 2018-12-28 CN CN202111247588.7A patent/CN113904864A/en active Pending
- 2018-12-28 CN CN202111246587.0A patent/CN113992391B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103997489A (en) * | 2014-05-09 | 2014-08-20 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for recognizing DDoS bot network communication protocol |
| CN105279421A (en) * | 2014-06-19 | 2016-01-27 | 移威视信公司 | Information safety detection system and method based on car networking accessing OBD II |
| CN105025011A (en) * | 2015-06-12 | 2015-11-04 | 吉林大学 | A vehicle information security evaluation method |
| CN105681199A (en) * | 2015-12-29 | 2016-06-15 | 北京经纬恒润科技有限公司 | Method and device for processing message data in vehicular bus |
| CN107566316A (en) * | 2016-06-30 | 2018-01-09 | 中兴通讯股份有限公司 | A kind of message parsing method, device and network processing unit |
| CN108076010A (en) * | 2016-11-10 | 2018-05-25 | 中国移动通信集团广东有限公司 | A kind of XML message analytic method and server |
| JP2018170591A (en) * | 2017-03-29 | 2018-11-01 | パナソニックIpマネジメント株式会社 | Communication device, communication method, and control program |
| CN107547572A (en) * | 2017-10-13 | 2018-01-05 | 北京洋浦伟业科技发展有限公司 | A kind of CAN communication means based on pseudo random number |
| CN108965267A (en) * | 2018-06-28 | 2018-12-07 | 北京车和家信息技术有限公司 | network attack processing method, device and vehicle |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109743310A (en) | 2019-05-10 |
| CN113992391A (en) | 2022-01-28 |
| CN113904864A (en) | 2022-01-07 |
| CN109743310B (en) | 2021-11-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107330522B (en) | Method, device and system for updating deep learning model | |
| CN109766082B (en) | Method and device for application program page jump | |
| CN109308681B (en) | Image processing method and device | |
| CN109359194B (en) | Method and apparatus for predicting information categories | |
| CN109065053B (en) | Method and apparatus for processing information | |
| CN106815031B (en) | Kernel module loading method and device | |
| CN109976995B (en) | Method and apparatus for testing | |
| US11941529B2 (en) | Method and apparatus for processing mouth image | |
| CN110719215B (en) | Flow information acquisition method and device of virtual network | |
| CN109766127B (en) | Method for updating application version information | |
| CN109766148B (en) | Method and apparatus for processing interface method calls | |
| CN113992391B (en) | Method and device for analyzing message | |
| CN111435380B (en) | Page cross-domain interaction method, system, device and storage device | |
| CN116893912B (en) | Inter-core communication method, system, device, equipment and medium for vehicle-mounted software | |
| WO2019072037A1 (en) | Access information pushing method and device | |
| CN110223694B (en) | Voice processing method, system and device | |
| CN109376220B (en) | Method and device for acquiring information | |
| CN112948138A (en) | Method and device for processing message | |
| CN112132120B (en) | Method and device for video structuring | |
| CN114819679A (en) | Customer service session quality inspection method and device | |
| CN113946729A (en) | Data processing method and device for vehicle, electronic equipment and medium | |
| CN109086210B (en) | Navigation information method and device for testing navigation application | |
| CN110209959B (en) | Information processing method and device | |
| CN108288135B (en) | System compatibility method and device, computer readable storage medium and electronic equipment | |
| CN109298831B (en) | Information storage method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |