CN114615086A - Vehicle-mounted CAN network intrusion detection method - Google Patents

Publication number
CN114615086A
Authority
CN
China
Prior art keywords
sliding window
vehicle
message
sample
intrusion detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210394125.1A
Other languages
Chinese (zh)
Other versions
CN114615086B (en
Inventor
胡东辉
黄秋生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hefei University of Technology
Intelligent Manufacturing Institute of Hefei University Technology
Original Assignee
Hefei University of Technology
Intelligent Manufacturing Institute of Hefei University Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hefei University of Technology, Intelligent Manufacturing Institute of Hefei University Technology
Priority to CN202210394125.1A
Publication of CN114615086A
Application granted
Publication of CN114615086B
Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Algebra (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a vehicle-mounted CAN network intrusion detection method comprising the following steps: 1, a training model learns CAN message data collected under normal vehicle conditions and calculates the threshold ranges of 3 features; 2, the sliding window of the training model is adjusted, and its size is determined from the result of a skewness-kurtosis test; 3, the detection model collects and processes CAN message data from the running vehicle using that sliding window size; and 4, data frames are checked against the threshold ranges, abnormal data frames are identified and counted, and an alarm is raised once the count reaches a certain threshold. The invention places the complex training and learning process in the offline stage, so that online intrusion detection needs only threshold comparison and counting with little computing power; it is therefore easy to deploy in the vehicle environment and can detect CAN network intrusions quickly and accurately.

Description

Vehicle-mounted CAN network intrusion detection method
Technical Field
The invention relates to the field of network security, in particular to a vehicle intrusion detection method and a vehicle intrusion detection device.
Background
The vehicle-mounted CAN network connects the various Electronic Control Units (ECUs) installed in the automobile, and each electronic control unit is connected to sensors or actuators so as to collect sensor signals or to control an actuator to complete a specific action. Where electronic control units exchange information, the data are sent and received over the bus of the vehicle-mounted CAN network. In the internet-of-vehicles environment, the on-board CAN network is not a closed and isolated network, but is connected to off-board networks in various ways.
The vehicle-mounted CAN network lacks encryption and identity authentication mechanisms, and the transmission of CAN messages follows an arbitration mechanism, so the vehicle-mounted CAN network has been proved to have defects and can be intruded remotely. Once the CAN network of a vehicle is intruded, the life and property of the passengers can be seriously threatened.
At the present stage, intrusion detection for the vehicle-mounted CAN network analyses CAN message data to find the features of that data under normal vehicle conditions; when the features of the CAN messages at some moment are found to differ from the features under normal conditions, the vehicle is judged to have been intruded. It can be understood that more complex data mining methods cannot meet the requirement of real-time detection, and the electronic control units of the vehicle-mounted CAN network have limited computing capacity, which is not enough to support more complex data analysis. Some research places data acquisition at the vehicle end and data analysis and processing on a cloud server; this requires highly real-time network communication and, because vehicles are numerous, inevitably occupies a large share of network channel resources. Uploading large amounts of normal vehicle data to the cloud is also pointless and, on the contrary, breaks the data privacy of the vehicle itself.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a vehicle-mounted CAN network intrusion detection method that reduces the computing power required for vehicle-mounted CAN network intrusion detection, so that the detection can be deployed on an automobile and performed in real time without changing the existing software and hardware architecture of the vehicle-mounted CAN network.
In order to achieve the purpose, the invention adopts the following technical scheme:
the invention discloses a vehicle-mounted CAN network intrusion detection method which is characterized by comprising the following steps:
step 1, off-line learning:
step 1.1, taking offline CAN message data collected during normal running of the vehicle as a data set, and denoting the standard transmission period of the CAN message with ID = $P_1$ in the data set as $t_0$;
step 1.2, denoting the sliding window size in the k-th optimization round as $n_k$; continuously recording the current, $n_k$-th, timestamp
Figure BDA0003596681540000021
and, over a preceding period of history, the $n_k - 1$ actual transmission periods of the CAN message with ID = $P_1$, denoted
Figure BDA0003596681540000022
and the timestamps of actual transmission are denoted $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$; where
Figure BDA0003596681540000023
denotes the i-th actual transmission period in the k-th optimization round, and $T_i^k$ denotes the timestamp of the i-th actual transmission in the k-th optimization round;
step 1.3, within the sliding window $n_k$ of the k-th optimization round, calculating the deviation feature between the current, $n_k$-th, actual transmission period
Figure BDA0003596681540000024
and the standard transmission period
Figure BDA0003596681540000025
calculating the first cumulative deviation feature between each actual transmission period and the standard transmission period in the k-th optimization round
Figure BDA0003596681540000026
calculating the second cumulative deviation feature between the timestamp $T_i^k$ of the i-th actual transmission in the k-th optimization round and the standard predicted timestamp
Figure BDA0003596681540000027
where $T_i^{pre}$ denotes the theoretical transmission timestamp of the CAN message with ID = $P_1$, predicted from the standard transmission period $t_0$, that corresponds to the timestamp $T_i^k$;
step 2, optimizing a sliding window:
step 2.1, calculating the statistic of the j-th sliding window in the k-th optimization round
Figure BDA0003596681540000028
thereby obtaining the statistics of all sliding windows in the k-th optimization round and collecting them into a sample I; where
Figure BDA0003596681540000029
denotes the actual transmission period of the CAN messages with ID = $P_1$ in the j-th sliding window, and
Figure BDA00035966815400000210
denotes the mean of the actual transmission periods of the CAN messages with ID = $P_1$ in the j-th sliding window;
step 2.2, carrying out skewness-kurtosis test on the sample I:
step 2.2.1, calculating the v-th order central moment $B_v$ of the sample I using formula (1):
Figure BDA00035966815400000211
In formula (1), n denotes the total number of sliding windows in the k-th optimization round, and
Figure BDA00035966815400000212
denotes the mean of the sample I;
step 2.2.2, calculating the skewness of the sample I
Figure BDA00035966815400000213
and the kurtosis
Figure BDA00035966815400000214
using formula (2):
Figure BDA0003596681540000031
In formula (2), $B_2$ denotes the 2nd-order central moment of the sample I, $B_3$ denotes the 3rd-order central moment of the sample I, and $B_4$ denotes the 4th-order central moment of the sample I;
step 2.2.3, denoting the skewness variance as
Figure BDA0003596681540000032
the kurtosis variance as
Figure BDA0003596681540000033
and the kurtosis mean as
Figure BDA0003596681540000034
thereby obtaining the skewness test statistic
Figure BDA0003596681540000035
and the kurtosis test statistic
Figure BDA0003596681540000036
step 2.2.4, with the confidence level set to $1-\alpha$, if the sample I satisfies $|U_1| < u_{\alpha/4}$ and $|U_2| < u_{\alpha/4}$, then the sample I follows the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding window size for the CAN message with ID = $P_1$ is denoted
Figure BDA0003596681540000037
otherwise, after assigning k+1 to k and setting $n_k = n_{k-1} + \Delta n$, returning to step 1.2 and continuing in sequence; where $1-\alpha$ denotes the confidence level of the test, $u_{\alpha/4}$ denotes the upper $\alpha/4$ quantile of the standard normal distribution, and $\Delta n$ denotes a fixed step size;
step 3, setting a threshold value:
step 3.1, following the procedure of step 1.3, sliding with the optimal sliding window size
Figure BDA0003596681540000038
to extract the one deviation feature and the two cumulative deviation features of the CAN message with ID = $P_1$ under each optimal sliding window; the three features extracted at each slide are regularized and then activated by the Tanh function, giving the processed deviation feature and cumulative deviation features; the threshold interval of the deviation feature is set from the maximum and minimum of the processed deviation feature; the threshold interval of the first cumulative deviation feature is set from the maximum and minimum of the processed first cumulative deviation feature; the threshold interval of the second cumulative deviation feature is set from the maximum and minimum of the processed second cumulative deviation feature;
step 3.2, calculating the threshold intervals of the three features for the CAN messages with the other IDs in the data set according to the procedure of step 1.1 to step 3.1;
step 4, online monitoring:
collecting real-time CAN message data under real driving conditions of the vehicle, and calculating, according to the procedure of step 3, the three actual feature values of the CAN message of each ID under its optimal sliding window;
if an actual feature value falls outside the corresponding threshold interval, counting starts, and when the accumulated count exceeds the set limit, the vehicle-mounted CAN network is deemed to have been intruded and an alarm is raised.
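The sliding-window optimization of step 2, sketched in Python as an added example (not code from the patent). The test statistics are the textbook large-sample skewness-kurtosis forms; the per-window statistic, the one-message stride and the names `skew_kurt_test`, `window_statistics` and `optimize_window` are assumptions, since the patent's own formulas are not reproduced on this page.

```python
import math
import random
from statistics import NormalDist, fmean, pstdev


def central_moment(sample, v):
    """v-th order central moment B_v = (1/n) * sum((x - mean)**v)."""
    mean = fmean(sample)
    return fmean((x - mean) ** v for x in sample)


def skew_kurt_test(sample, alpha=0.05):
    """Return (U1, U2, passed) for the large-sample skewness-kurtosis test."""
    n = len(sample)
    if n < 8:
        raise ValueError("too few windows for a large-sample test")
    b2, b3, b4 = (central_moment(sample, v) for v in (2, 3, 4))
    if b2 == 0:
        return math.inf, math.inf, False        # constant sample, nothing to test
    g1 = b3 / b2 ** 1.5                         # skewness
    g2 = b4 / b2 ** 2                           # kurtosis
    var_g1 = 6 * (n - 2) / ((n + 1) * (n + 3))
    var_g2 = 24 * n * (n - 2) * (n - 3) / ((n + 1) ** 2 * (n + 3) * (n + 5))
    mean_g2 = 3 - 6 / (n + 1)
    u1 = g1 / math.sqrt(var_g1)                 # skewness test statistic
    u2 = (g2 - mean_g2) / math.sqrt(var_g2)     # kurtosis test statistic
    crit = NormalDist().inv_cdf(1 - alpha / 4)  # upper alpha/4 quantile
    return u1, u2, abs(u1) < crit and abs(u2) < crit


def window_statistics(timestamps, t0, n_k):
    """Sample I: one standardized statistic per window of n_k timestamps.

    ASSUMPTION: statistic = (mean period - t0) / (std of periods / sqrt(m)).
    Windows slide by one message; windows with zero spread are skipped.
    """
    periods = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = n_k - 1                                 # n_k timestamps give m periods
    sample = []
    for j in range(len(periods) - m + 1):
        win = periods[j:j + m]
        sd = pstdev(win)
        if sd > 0:
            sample.append((fmean(win) - t0) / (sd / math.sqrt(m)))
    return sample


def optimize_window(timestamps, t0, n0=4, dn=2, n_max=64, alpha=0.05):
    """Grow the window by dn until sample I passes; None if it never does."""
    n_k = n0
    while n_k <= n_max:
        sample = window_statistics(timestamps, t0, n_k)
        if len(sample) >= 8 and skew_kurt_test(sample, alpha)[2]:
            return n_k
        n_k += dn                               # n_k = n_{k-1} + dn
    return None


def constructed_trace(t0, count, seed=7):
    """Constructed sample data: periodic arrivals with Gaussian jitter."""
    rng = random.Random(seed)
    return [i * t0 + rng.gauss(0, 0.02 * t0) for i in range(count)]


if __name__ == "__main__":
    trace = constructed_trace(0.010, 600)       # a constructed 10 ms message
    print("selected window size:", optimize_window(trace, 0.010))
```

A return value of `None` means no window up to `n_max` produced a sample that passed, which is the case to handle explicitly for IDs that are not sent periodically.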
The invention relates to a vehicle-mounted CAN network intrusion detection device which is characterized by comprising: a memory, a processor; the memory has stored thereon an on-board CAN network intrusion detection program configured to implement the steps of the on-board CAN network intrusion detection method as claimed in claim 1 and run on the processor.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention learns from CAN message data offline, so that the extraction and analysis of data features can be carried out on a computing and storage unit with higher computing power.
2. The online detection algorithm of the invention uses threshold comparison and cumulative counting, has a low computing power requirement and can meet the requirement of real-time detection.
3. The invention detects on the basis of the message data features of the vehicle-mounted CAN network, and can be deployed on the vehicle-mounted CAN network without changing its software and hardware environment.
Drawings
Fig. 1 is a schematic structural diagram of an in-vehicle CAN network intrusion detection device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an embodiment of the vehicle CAN network intrusion detection of the present invention;
FIG. 3 is a block diagram of the training model and detection model structure of the embodiment of the invention for detecting vehicle CAN network intrusion.
Detailed Description
In this embodiment, as shown in fig. 1, the vehicle-mounted CAN network intrusion detection device may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and optionally the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a Random Access Memory (RAM), or may be a Non-Volatile Memory (NVM), such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of an on-board CAN network intrusion detection device and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a storage medium, may include therein an operating system, a data storage module, a network communication module, a user interface module, and an in-vehicle CAN network intrusion detection program.
In the in-vehicle CAN network intrusion detection device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 can be arranged in the vehicle-mounted CAN network intrusion detection device, which calls the vehicle-mounted CAN network intrusion detection program stored in the memory 1005 through the processor 1001 and executes the vehicle-mounted CAN network intrusion detection method provided by the embodiment of the invention.
Based on the above vehicle-mounted CAN network intrusion detection device, this embodiment provides a vehicle-mounted CAN network intrusion detection method that places the complex training and learning process in an offline stage, so that online intrusion detection needs only threshold comparison and counting with little computing power; it is therefore easy to deploy in the vehicle environment and can detect CAN network intrusions quickly and accurately. Specifically, referring to fig. 2, the method is performed according to the following steps:
step 1, off-line learning:
step 1.1, taking offline CAN message data collected during normal running of the vehicle as a data set, denoting the standard transmission period of the CAN message with ID = $P_1$ in the data set as $t_0$, and constructing a training model; as shown in fig. 3, the training model includes modules for data acquisition, sliding window, feature extraction, regularization, activation, and the like, and is used to compute and analyse normal CAN message data in an offline environment.
step 1.2, extracting and analysing data from the data set using a sliding window, where the initial sliding window size is $n_0$ and the sliding window size in the k-th optimization round is denoted $n_k$; continuously recording the current, $n_k$-th, timestamp
Figure BDA0003596681540000051
and, over a preceding period of history, the $n_k - 1$ actual transmission periods of the CAN message with ID = $P_1$, denoted
Figure BDA0003596681540000052
and the timestamps of actual transmission are denoted $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$; where
Figure BDA0003596681540000053
denotes the i-th actual transmission period in the k-th optimization round, and $T_i^k$ denotes the timestamp of the i-th actual transmission in the k-th optimization round;
step 1.3, within the sliding window $n_k$ of the k-th optimization round, calculating the deviation feature between the current, $n_k$-th, actual transmission period
Figure BDA0003596681540000054
and the standard transmission period
Figure BDA0003596681540000055
calculating the first cumulative deviation feature between each actual transmission period and the standard transmission period in the k-th optimization round
Figure BDA0003596681540000056
calculating the second cumulative deviation feature between the timestamp $T_i^k$ of the i-th actual transmission in the k-th optimization round and the standard predicted timestamp
Figure BDA0003596681540000057
where $T_i^{pre}$ denotes the theoretical transmission timestamp of the CAN message with ID = $P_1$, predicted from the standard transmission period $t_0$, that corresponds to the timestamp $T_i^k$;
It should be noted that the choice of these 3 features is deliberate. When a forged message is sent, its transmission timestamp is random, so the deviation feature changes greatly. The first cumulative deviation feature reflects how far messages with this ID have been delayed by the arbitration mechanism over a period of time, and introducing it helps reduce the false detection rate for normal messages. The second cumulative deviation feature is interpreted as follows: the timestamps of normal message transmissions should, by linear regression, lie near a straight line L: y = wx + b, where x denotes the x-th transmission of the message and y denotes the timestamp of that x-th transmission; w is the slope of the line, i.e. the standard period of message transmission, and b is the intercept of the line on the y-axis, i.e. the timestamp of the last transmission considered normal, at which point x is reset to zero and the line L is reconstructed. The cumulative deviation from the standard predicted timestamps
Figure BDA0003596681540000061
is therefore the cumulative deviation between the timestamps of actual message transmission within one sliding window and the straight line L.
Step 2, optimizing a sliding window:
step 2.1, calculating the statistic of the j-th sliding window in the k-th optimization round
Figure BDA0003596681540000062
thereby obtaining the statistics of all sliding windows in the k-th optimization round and collecting them into a sample I; where
Figure BDA0003596681540000063
denotes the standard deviation of the actual transmission periods of the CAN messages with ID = $P_1$ in the j-th sliding window, and
Figure BDA0003596681540000064
denotes the mean of the actual transmission periods of the CAN messages with ID = $P_1$ in the j-th sliding window;
step 2.2, carrying out skewness-kurtosis test on the sample I:
step 2.2.1, calculating the v-th order central moment $B_v$ of the sample I using formula (1):
Figure BDA0003596681540000065
In formula (1), n denotes the total number of sliding windows in the k-th optimization round, and
Figure BDA0003596681540000066
denotes the mean of the sample I;
step 2.2.2, calculating the skewness of the sample I
Figure BDA0003596681540000067
and the kurtosis
Figure BDA0003596681540000068
using formula (2):
Figure BDA0003596681540000069
In formula (2), $B_2$ denotes the 2nd-order central moment of the sample I, $B_3$ denotes the 3rd-order central moment of the sample I, and $B_4$ denotes the 4th-order central moment of the sample I;
according to statistical theory, when n is sufficiently large
Figure BDA00035966815400000610
step 2.2.3, denoting the skewness variance as
Figure BDA00035966815400000611
the kurtosis variance as
Figure BDA0003596681540000071
and the kurtosis mean as
Figure BDA0003596681540000072
thereby obtaining the skewness test statistic
Figure BDA0003596681540000073
and the kurtosis test statistic
Figure BDA0003596681540000074
step 2.2.4, with the confidence level set to $1-\alpha$, if the sample I satisfies $|U_1| < u_{\alpha/4}$ and $|U_2| < u_{\alpha/4}$, then the sample I follows the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding window size for the CAN message with ID = $P_1$ is denoted
Figure BDA0003596681540000075
otherwise, after assigning k+1 to k and setting $n_k = n_{k-1} + \Delta n$, returning to step 1.2 and continuing in sequence; where $1-\alpha$ denotes the confidence level of the test, $u_{\alpha/4}$ denotes the upper $\alpha/4$ quantile of the standard normal distribution, and $\Delta n$ denotes a fixed step size;
step 3, setting a threshold value:
step 3.1, following the procedure of step 1.3, sliding with the optimal sliding window size
Figure BDA0003596681540000076
to extract the one deviation feature and the two cumulative deviation features of the CAN message with ID = $P_1$ under each optimal sliding window; the three features extracted at each slide are regularized and then activated by the Tanh function, giving the processed deviation feature and cumulative deviation features; the threshold interval of the deviation feature is set from the maximum and minimum of the processed deviation feature; the threshold interval of the first cumulative deviation feature is set from the maximum and minimum of the processed first cumulative deviation feature; the threshold interval of the second cumulative deviation feature is set from the maximum and minimum of the processed second cumulative deviation feature;
step 3.2, calculating the threshold intervals of the three features for the CAN messages with the other IDs in the data set according to the procedure of step 1.1 to step 3.1;
step 4, online monitoring:
collecting real-time CAN message data under real driving conditions of the vehicle, and calculating, according to the procedure of step 3, the three actual feature values of the CAN message of each ID under its optimal sliding window;
if an actual feature value falls outside the corresponding threshold interval, counting starts, and when the accumulated count exceeds the set limit, the vehicle-mounted CAN network is deemed to have been intruded and an alarm is raised.
Specifically, the online detection model uses a discriminator and a perceptron module: when the features extracted from the CAN messages detected in real time exceed the threshold range, the discriminator outputs a discrimination result according to the number of features exceeding the threshold range and assigns different weight values, and the perceptron module analyses the result to judge whether the currently acquired real-time CAN message data is normal or abnormal.
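Steps 1.3, 3 and 4 for message timing, as an added Python example that is not the patent's code: per-ID feature extraction, min/max threshold intervals learned offline, and the online counter that raises the alarm. The feature formulas, the choice of scaling by $t_0$ as the "regularization", the CAN IDs, the window size, the limit and all function names are assumptions, since the patent's formulas are not reproduced on this page; the discriminator weights and perceptron are left out.

```python
import math
from collections import deque


def window_features(ts, t0):
    """Three processed timing features for one window of timestamps (seconds)."""
    periods = [b - a for a, b in zip(ts, ts[1:])]
    dev = periods[-1] - t0                          # newest period vs standard
    cum_period = sum(abs(p - t0) for p in periods)  # first cumulative deviation
    # Line L: predicted i-th timestamp is ts[0] + i * t0 (x reset at window start).
    cum_stamp = sum(t - (ts[0] + i * t0) for i, t in enumerate(ts))
    # ASSUMPTION: "regularization" = scale by t0; then Tanh activation.
    return tuple(math.tanh(f / t0) for f in (dev, cum_period, cum_stamp))


def learn_thresholds(ts, t0, n):
    """Offline: [min, max] of each feature over every window of n timestamps."""
    feats = [window_features(ts[i:i + n], t0) for i in range(len(ts) - n + 1)]
    return [(min(col), max(col)) for col in zip(*feats)]


class OnlineDetector:
    """Online stage for one CAN ID: threshold comparison plus a counter."""

    def __init__(self, t0, n, thresholds, limit):
        self.t0, self.thresholds, self.limit = t0, thresholds, limit
        self.window = deque(maxlen=n)
        self.count = 0

    def observe(self, timestamp):
        """Feed one arrival time; True once the count exceeds the limit."""
        self.window.append(timestamp)
        if len(self.window) == self.window.maxlen:
            feats = window_features(list(self.window), self.t0)
            if any(not lo <= f <= hi
                   for f, (lo, hi) in zip(feats, self.thresholds)):
                self.count += 1
        return self.count > self.limit


def monitor(frames, detectors):
    """frames: (timestamp, can_id) pairs in bus order; returns alarmed IDs."""
    alarmed = set()
    for timestamp, can_id in frames:
        det = detectors.get(can_id)   # IDs absent from training have no model
        if det is not None and det.observe(timestamp):
            alarmed.add(can_id)
    return alarmed


def constructed_trace(t0, count):
    """Constructed sample data: periodic arrivals with bounded 2% jitter."""
    return [i * t0 + 0.02 * t0 * math.sin(1.7 * i) for i in range(count)]


def demo():
    """Train on clean traces for two constructed IDs, then replay an injection."""
    n, limit = 8, 5
    clean = {0x130: (0.010, constructed_trace(0.010, 400)),
             0x2C0: (0.020, constructed_trace(0.020, 200))}
    detectors = {cid: OnlineDetector(t0, n, learn_thresholds(ts, t0, n), limit)
                 for cid, (t0, ts) in clean.items()}
    frames = [(t, cid) for cid, (_, ts) in clean.items() for t in ts]
    # Constructed attack: extra 0x130 frames half a period after genuine ones.
    frames += [(clean[0x130][1][i] + 0.005, 0x130) for i in range(100, 160)]
    return monitor(sorted(frames), detectors)


if __name__ == "__main__":
    print("alarmed IDs:", [hex(c) for c in sorted(demo())])
```

Because Tanh saturates, the scaling applied before it decides how much headroom the min/max intervals leave: a feature already close to ±1 on clean traffic cannot move outside its interval in that direction.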
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., a rom/ram, a magnetic disk, an optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (2)

1. A vehicle-mounted CAN network intrusion detection method is characterized by comprising the following steps:
step 1, off-line learning:
step 1.1, taking offline CAN message data collected during normal running of the vehicle as a data set, and denoting the standard transmission period of the CAN message with ID = $P_1$ in the data set as $t_0$;
step 1.2, denoting the sliding window size in the k-th optimization round as $n_k$; continuously recording the current, $n_k$-th, timestamp
Figure FDA0003596681530000011
and, over a preceding period of history, the $n_k - 1$ actual transmission periods of the CAN message with ID = $P_1$, denoted
Figure FDA0003596681530000012
and the timestamps of actual transmission are denoted $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$; where
Figure FDA0003596681530000013
denotes the i-th actual transmission period in the k-th optimization round, and $T_i^k$ denotes the timestamp of the i-th actual transmission in the k-th optimization round;
step 1.3, within the sliding window $n_k$ of the k-th optimization round, calculating the deviation feature between the current, $n_k$-th, actual transmission period
Figure FDA0003596681530000014
and the standard transmission period
Figure FDA0003596681530000015
calculating the first cumulative deviation feature between each actual transmission period and the standard transmission period in the k-th optimization round
Figure FDA0003596681530000016
calculating the second cumulative deviation feature between the timestamp $T_i^k$ of the i-th actual transmission in the k-th optimization round and the standard predicted timestamp
Figure FDA0003596681530000017
where $T_i^{pre}$ denotes the theoretical transmission timestamp of the CAN message with ID = $P_1$, predicted from the standard transmission period $t_0$, that corresponds to the timestamp $T_i^k$;
step 2, optimizing a sliding window:
step 2.1, calculating the statistic of the j-th sliding window in the k-th optimization round
Figure FDA0003596681530000018
thereby obtaining the statistics of all sliding windows in the k-th optimization round and collecting them into a sample I; where
Figure FDA0003596681530000019
denotes the actual transmission period of the CAN messages with ID = $P_1$ in the j-th sliding window, and
Figure FDA00035966815300000110
Figure FDA00035966815300000111
denotes the mean of the actual transmission periods of the CAN messages with ID = $P_1$ in the j-th sliding window;
step 2.2, carrying out skewness-kurtosis test on the sample I:
step 2.2.1, calculating the v-th order central moment $B_v$ of the sample I using formula (1):
Figure FDA0003596681530000021
In formula (1), n denotes the total number of sliding windows in the k-th optimization round, and
Figure FDA0003596681530000022
denotes the mean of the sample I;
step 2.2.2, calculating the skewness of the sample I
Figure FDA0003596681530000023
and the kurtosis
Figure FDA0003596681530000024
using formula (2):
Figure FDA0003596681530000025
In formula (2), $B_2$ denotes the 2nd-order central moment of the sample I, $B_3$ denotes the 3rd-order central moment of the sample I, and $B_4$ denotes the 4th-order central moment of the sample I;
step 2.2.3, letting the skewness variance be denoted as
Figure FDA0003596681530000026
the kurtosis variance be denoted as
Figure FDA0003596681530000027
and the kurtosis mean be denoted as
Figure FDA0003596681530000028
thereby obtaining the skewness test statistic
Figure FDA0003596681530000029
and the kurtosis test statistic
Figure FDA00035966815300000210
step 2.2.4, with the confidence level set to 1 − α, if the sample I satisfies |U_1| < u_{α/4} and |U_2| < u_{α/4}, then the sample I follows the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding-window size for the CAN message with ID = P_1 is obtained and denoted as
Figure FDA00035966815300000211
otherwise, after assigning k + 1 to k and setting n_k = n_{k-1} + Δn, returning to step 1.2 and continuing in sequence; wherein 1 − α denotes the confidence level of the test, u_{α/4} denotes the upper α/4 quantile of the standard normal distribution, and Δn denotes the fixed step size;
step 3, setting a threshold value:
step 3.1, following the process of step 1.3, with the optimal sliding-window size
Figure FDA00035966815300000212
sliding over the data to extract one deviation characteristic and two cumulative deviation characteristics of the CAN message with ID = P_1 under each optimal sliding window; after a regularization operation is applied to the three characteristics extracted in each slide, they are activated by the Tanh function to obtain the processed deviation characteristic and cumulative deviation characteristics; a threshold interval of the deviation characteristic is set according to the maximum value and the minimum value of the processed deviation characteristic; a threshold interval of the first cumulative deviation characteristic is set according to the maximum value and the minimum value of the processed first cumulative deviation characteristic; a threshold interval of the second cumulative deviation characteristic is set according to the maximum value and the minimum value of the processed second cumulative deviation characteristic;
step 3.2, calculating, by the process of step 1.1 to step 3.1, the threshold intervals of the three characteristics for the CAN messages with each of the other IDs in the data set;
step 4, online monitoring:
collecting real-time CAN message data under real driving conditions of the vehicle, and calculating, by the process of step 3, the three actual characteristic values of the CAN message with each ID under its optimal sliding window;
if an actual characteristic value falls outside its corresponding threshold interval, counting starts; when the accumulated count exceeds the set limit, the vehicle-mounted CAN network is deemed to have been intruded and an alarm is raised.
2. An in-vehicle CAN network intrusion detection device, the device comprising: a memory, a processor; the memory has stored thereon an on-board CAN network intrusion detection program configured to implement the steps of the on-board CAN network intrusion detection method as claimed in claim 1 and run on the processor.
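The window-size optimization of step 2 can be sketched as follows. This is an added example, not code from the patent: the moment formulas are the standard textbook skewness-kurtosis test (the claim's own formula images are not reproduced on this page), and the per-window statistic (mean period over non-overlapping windows), the function names, the default parameters and the constructed capture are all assumptions.

```python
import math
import random
from statistics import NormalDist

def central_moment(sample, v):
    """v-th order central moment B_v of sample I (formula (1) of the claim)."""
    mean = sum(sample) / len(sample)
    return sum((x - mean) ** v for x in sample) / len(sample)

def skew_kurtosis_test(sample, alpha=0.1):
    """Return (U1, U2, accepted) at confidence 1 - alpha (steps 2.2.2 to 2.2.4)."""
    n = len(sample)
    b2, b3, b4 = (central_moment(sample, v) for v in (2, 3, 4))
    if n < 8 or b2 == 0:
        raise ValueError("need at least 8 non-constant window statistics")
    g1, g2 = b3 / b2 ** 1.5, b4 / b2 ** 2            # skewness, kurtosis
    sigma1 = math.sqrt(6 * (n - 2) / ((n + 1) * (n + 3)))
    sigma2 = math.sqrt(24 * n * (n - 2) * (n - 3)
                       / ((n + 1) ** 2 * (n + 3) * (n + 5)))
    mu2 = 3 - 6 / (n + 1)                            # kurtosis mean under normality
    u1, u2 = g1 / sigma1, (g2 - mu2) / sigma2
    u_crit = NormalDist().inv_cdf(1 - alpha / 4)     # upper alpha/4 quantile
    return u1, u2, abs(u1) < u_crit and abs(u2) < u_crit

def window_stats(periods, n_k):
    """ASSUMPTION: the per-window statistic is the mean period of each
    non-overlapping window; the claim's own formula is not on the page."""
    return [sum(periods[j:j + n_k]) / n_k
            for j in range(0, len(periods) - n_k + 1, n_k)]

def optimal_window(timestamps, n0=5, dn=5, alpha=0.1):
    """Grow n_k by the fixed step dn until sample I passes the test (step 2.2.4)."""
    periods = [b - a for a, b in zip(timestamps, timestamps[1:])]
    n_k = n0
    while len(periods) // n_k >= 8:
        if skew_kurtosis_test(window_stats(periods, n_k), alpha)[2]:
            return n_k
        n_k += dn
    return None  # capture too short to settle on a window size

def constructed_capture(count=20000, t0=0.010, seed=7):
    """Constructed timestamps for one CAN ID: period t0 plus skewed jitter."""
    rng, t, out = random.Random(seed), 0.0, []
    for _ in range(count):
        out.append(t)
        t += t0 + rng.expovariate(1 / 0.0005)
    return out

if __name__ == "__main__":
    print("optimal window size:", optimal_window(constructed_capture()))
```

A `None` result means the training capture ran out of windows before the test was passed, so thresholds for that ID should not be derived from it.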
CN202210394125.1A 2022-04-14 2022-04-14 Vehicle-mounted CAN network intrusion detection method Active CN114615086B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210394125.1A CN114615086B (en) 2022-04-14 2022-04-14 Vehicle-mounted CAN network intrusion detection method

Publications (2)

Publication Number Publication Date
CN114615086A true CN114615086A (en) 2022-06-10
CN114615086B CN114615086B (en) 2023-11-03

Family

ID=81868635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210394125.1A Active CN114615086B (en) 2022-04-14 2022-04-14 Vehicle-mounted CAN network intrusion detection method

Country Status (1)

Country Link
CN (1) CN114615086B (en)

Also Published As

Publication number Publication date
CN114615086B (en) 2023-11-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant