CN114866305A - Intrusion detection method, device, computer equipment and medium - Google Patents

Publication number: CN114866305A
Authority: CN (China)
Prior art keywords: vehicle; detection; intrusion detection; control system; configuration file
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202210454504.5A
Other languages: Chinese (zh)
Inventor: 习成
Current Assignee: Guoqi Intelligent Control Beijing Technology Co Ltd (as listed by Google Patents; may be inaccurate)
Original Assignee: Guoqi Intelligent Control Beijing Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles

Abstract

The invention provides an intrusion detection method, an intrusion detection device, computer equipment and a medium. The intrusion detection method comprises the following steps: monitoring the power supply state of the vehicle-mounted controller; if the vehicle-mounted controller is monitored to enter a power supply state, detecting whether a preset configuration file is updated, wherein the configuration file is used for determining at least one item of detection content for carrying out intrusion detection on the vehicle-mounted controller; and if the configuration file is not updated, continuing intrusion detection on the vehicle-mounted control system according to the detection content for intrusion detection on the vehicle-mounted control system in the configuration file. The invention can reduce the time the intrusion detection system spends on initialization, speed up the detection process, and avoid re-detecting detection content that has already been detected, so that intrusion detection can be completed while the vehicle-mounted control system is running, which further improves the effectiveness of detection.

Description

Intrusion detection method, device, computer equipment and medium
Technical Field
The invention relates to the field of information security, in particular to an intrusion detection method, an intrusion detection device, computer equipment and a medium.
Background
Intrusion Detection Systems (IDS) are network security devices that monitor network transmissions in real time and raise alerts or take proactive measures when suspicious transmissions are discovered.
As vehicles become more intelligent and more connected, automobiles face increasingly serious information security problems, and intrusion detection systems are applied more and more widely in vehicle-mounted controllers.
In the related art, whether the vehicle-mounted control system is in an operating state depends on whether the vehicle-mounted controller is in a power supply state. When the vehicle-mounted controller is in a power supply state, the vehicle-mounted control system is in an operation state, and then the intrusion detection system can carry out intrusion detection on the vehicle-mounted control system according to relevant operation data of the vehicle-mounted control system so as to improve driving safety. When the vehicle-mounted control system is restarted and is in the running state again, the intrusion detection system deletes the historical detection data of the vehicle-mounted control system, and after initialization processing, intrusion detection is carried out on the relevant running data of the vehicle-mounted control system.
However, in practical applications, the operating resources of the vehicle-mounted control system are limited and the number of vehicle-mounted controllers is large. As a result, the intrusion detection system often cannot complete intrusion detection on the vehicle-mounted control system while that system is running, which reduces the effectiveness of intrusion detection.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defect that the intrusion detection system cannot perform effective intrusion detection on the vehicle-mounted control system during the operation period of the vehicle-mounted control system due to the short operation time and limited operation resources of the vehicle-mounted control system in the prior art, so as to provide an intrusion detection method, an apparatus, a computer device and a medium.
According to a first aspect, the present invention provides an intrusion detection method, the method comprising:
monitoring the power supply state of the vehicle-mounted controller;
if the vehicle-mounted controller is monitored to enter a power supply state, detecting whether a preset configuration file is updated, wherein the configuration file is used for determining at least one item of detection content for carrying out intrusion detection on the vehicle-mounted control system;
and if the configuration file is not updated, continuing intrusion detection on the vehicle-mounted control system according to the detection content in the configuration file for which intrusion detection has not yet been performed on the vehicle-mounted control system.
In this manner, the intrusion detection system can determine when the vehicle-mounted control system starts by monitoring the power supply state of the vehicle-mounted controller. Once the vehicle-mounted control system is determined to have started, whether it needs to be detected again is decided by detecting whether the configuration file has been updated. When the configuration file is determined not to have been updated, intrusion detection is performed on the vehicle-mounted control system according to the detection content in the configuration file for which intrusion detection has not yet been performed. This shortens the initialization time of the intrusion detection system, speeds up the detection process, and avoids re-detecting content that has already been detected, so that intrusion detection can be completed while the vehicle-mounted control system is running, which further improves the effectiveness of detection.
With reference to the first aspect, in a first embodiment of the first aspect, the method further includes:
if the configuration file is updated, clearing cached historical detection data, wherein the historical detection data are detection results of intrusion detection on the vehicle-mounted control system in advance according to the configuration file;
and re-detecting the vehicle-mounted control system according to the detection content included in the updated configuration file.
With reference to the first aspect, in a second embodiment of the first aspect, the method further comprises:
if the vehicle-mounted controller is monitored to enter a non-power supply state from the power supply state, stopping intrusion detection;
and caching the detection data of the current intrusion detection to obtain historical detection data so as to determine the detection content of the intrusion detection of the vehicle-mounted control system in the configuration file.
In this manner, the update status of the configuration file is detected before the intrusion detection system performs intrusion detection on the vehicle-mounted control system, which determines whether the vehicle-mounted control system needs to be detected again. This reduces the number of repeated detections of the vehicle-mounted control system, saves the time spent initializing the intrusion detection system, and extends the effective time available for intrusion detection. Intrusion detection efficiency is improved, the detection status of the vehicle-mounted control system is determined in time, and the timeliness, effectiveness and accuracy of intrusion detection are improved.
With reference to the second embodiment of the first aspect, in a third embodiment of the first aspect, the continuing intrusion detection on the vehicle-mounted control system according to the detection content in the configuration file for which intrusion detection has not yet been performed on the vehicle-mounted control system includes:
comparing the detection content corresponding to the historical detection data with the at least one item of detection content in the configuration file, and determining the detection content in the configuration file for which intrusion detection has not yet been performed on the vehicle-mounted control system;
and continuing intrusion detection on the vehicle-mounted control system according to the detection content for which intrusion detection has not yet been performed.
With reference to the second embodiment or the third embodiment of the first aspect, in a fourth embodiment of the first aspect, the monitoring that the on-board controller enters the non-power supply state from the power supply state includes:
and if the vehicle-mounted controller receives a sleep entering instruction, determining that the vehicle-mounted controller enters a non-power supply state from the power supply state.
With reference to the first aspect, in a fifth embodiment of the first aspect, the monitoring that the on-board controller enters a power supply state includes:
and if it is monitored that the vehicle-mounted controller is started or restarted, or that the vehicle-mounted controller receives a specified wake-up instruction, determining that the vehicle-mounted controller enters the power supply state from the non-power supply state.
With reference to the first aspect, in a sixth embodiment of the first aspect, if it is first monitored that the on-board controller enters the power supply state, the method further includes:
according to the at least one item of detection content in the configuration file, carrying out intrusion detection on the vehicle-mounted control system;
storing attribute information of the configuration file to detect whether the configuration file is updated.
According to a second aspect, the present invention also provides an intrusion detection apparatus, the apparatus comprising:
the monitoring unit is used for monitoring the power supply state of the vehicle-mounted controller;
the vehicle-mounted controller comprises a first detection unit, a second detection unit and a control unit, wherein the first detection unit is used for detecting whether a preset configuration file is updated or not if the vehicle-mounted controller is monitored to enter a power supply state, the configuration file is used for determining at least one detection content for carrying out intrusion detection on a vehicle-mounted control system, and the vehicle-mounted control system is a control system for controlling a vehicle to run by the vehicle-mounted controller;
and the second detection unit is used for continuing intrusion detection on the vehicle-mounted control system, if the configuration file is not updated, according to the detection content in the configuration file for which intrusion detection has not yet been performed on the vehicle-mounted control system.
With reference to the second aspect, in a first embodiment of the second aspect, the apparatus further comprises:
the initialization unit is used for emptying cached historical detection data if the configuration file is updated, wherein the historical detection data is a detection result of intrusion detection on the vehicle-mounted control system in advance according to the configuration file;
and the third detection unit is used for detecting the vehicle-mounted control system again according to the detection content included in the updated configuration file.
With reference to the second aspect, in a second embodiment of the second aspect, the apparatus further comprises:
the fourth detection unit is used for stopping intrusion detection if the vehicle-mounted controller is monitored to enter a non-power supply state from the power supply state;
and the cache unit is used for caching the detection data of the current intrusion detection to obtain historical detection data so as to determine the detection content of intrusion detection on the vehicle-mounted control system in the configuration file.
With reference to the second embodiment of the second aspect, in a third embodiment of the second aspect, the second detection unit includes:
the comparison unit is used for comparing the detection content corresponding to the historical detection data with the at least one item of detection content in the configuration file, and determining the detection content in the configuration file for which intrusion detection has not yet been performed on the vehicle-mounted control system;
and the second detection subunit is used for continuing intrusion detection on the vehicle-mounted control system according to the detection content for which intrusion detection has not yet been performed.
With reference to the second embodiment or the third embodiment of the second aspect, in a fourth embodiment of the second aspect, the fourth detection unit includes:
and the fourth detection subunit is used for determining that the vehicle-mounted controller enters a non-power supply state from the power supply state if the vehicle-mounted controller is monitored to receive a sleep entering instruction.
With reference to the second aspect, in a fifth embodiment of the second aspect, the first detection unit includes:
the first detection subunit is configured to determine that the vehicle-mounted controller enters the power supply state from the non-power supply state if it is monitored that the vehicle-mounted controller is started or restarted or the vehicle-mounted controller receives a specified wake-up instruction.
With reference to the second aspect, in a sixth embodiment of the second aspect, if it is first monitored that the vehicle-mounted controller enters the power supply state, the apparatus further includes:
a fifth detection unit, configured to perform intrusion detection on the vehicle-mounted control system according to the at least one detection content in the configuration file;
and the storage unit is used for storing the attribute information of the configuration file and detecting whether the configuration file is updated or not.
According to a third aspect, the present invention further provides a computer device, which includes a memory and a processor, where the memory and the processor are communicatively connected to each other, the memory stores computer instructions, and the processor executes the computer instructions to perform the intrusion detection method according to any one of the first aspect and the optional embodiments thereof.
According to a fourth aspect, the embodiments of the present invention further provide a computer-readable storage medium, which stores computer instructions for causing the computer to execute the intrusion detection method of any one of the first aspect and the optional embodiments thereof.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flow chart of a proposed intrusion detection method according to an exemplary embodiment.
Fig. 2 is a flow chart of another proposed intrusion detection method according to an example embodiment.
Fig. 3 is a flow chart of yet another intrusion detection method in accordance with an exemplary embodiment.
Fig. 4 is a flow chart of yet another intrusion detection method in accordance with an exemplary embodiment.
Fig. 5 is a flow chart of yet another intrusion detection method in accordance with an exemplary embodiment.
Fig. 6 is a block diagram of an intrusion detection device according to an exemplary embodiment.
Fig. 7 is a hardware configuration diagram of a computer device according to an exemplary embodiment.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the related art, whether the vehicle-mounted control system is in an operating state depends on whether the vehicle-mounted controller is in a power supply state. When the vehicle-mounted controller is in a power supply state, the vehicle-mounted control system is in an operation state, and then the intrusion detection system can carry out intrusion detection on the vehicle-mounted control system according to relevant operation data of the vehicle-mounted control system so as to improve driving safety. When the vehicle-mounted control system is restarted and is in the running state again, the intrusion detection system deletes the historical detection data of the vehicle-mounted control system, and after initialization processing, intrusion detection is carried out on the relevant running data of the vehicle-mounted control system.
However, in practical applications, on one hand, because the running resources of the vehicle-mounted control system are limited and the number of the vehicle-mounted controllers is large, a large amount of time is consumed when the intrusion detection system redetects the vehicle-mounted control system which is restarted and is in a running state again. On the other hand, when the vehicle is in a flameout state, the storage battery can only supply power to the vehicle-mounted controller, however, due to the limited electric quantity of the storage battery, once the electric quantity is insufficient, the vehicle-mounted controller cannot be started, and further the vehicle cannot be started.
In order to solve the above problems, an embodiment of the present invention provides an intrusion detection method, which is used in a computer device, where an execution main body of the intrusion detection method may be an intrusion detection apparatus, and the apparatus may be implemented as a part or all of the computer device by software, hardware, or a combination of software and hardware, where the computer device may be a controller on a vehicle, for example, an onboard controller on which an onboard control system is operable. In the following method embodiments, the execution subject is an onboard controller, for example.
In the vehicle-mounted controller of the embodiment, a vehicle-mounted control system operates, and the vehicle can be controlled to carry out intelligent driving by calling a plurality of vehicle-mounted controllers in the vehicle in the operation process. By the intrusion detection method provided by the invention, when the vehicle-mounted control system is subjected to intrusion detection, whether the vehicle-mounted control system is subjected to re-detection after the vehicle-mounted controller enters a power supply state can be determined according to the updating condition of the configuration file preset by the vehicle-mounted control system. Under the condition that the configuration file is determined not to be updated, the intrusion detection is continuously carried out on the vehicle-mounted control system according to the detection content of the intrusion detection not carried out on the vehicle-mounted control system in the configuration file, so that the time for carrying out initialization processing on the intrusion detection system and carrying out intrusion detection again on part of the detected content is saved, the detection efficiency is improved, and the effectiveness of the intrusion detection is improved. The configuration file is a file used by the intrusion detection system for determining at least one item of detection content for performing intrusion detection on the vehicle-mounted control system.
Fig. 1 is a flow chart of a proposed intrusion detection method according to an exemplary embodiment. As shown in fig. 1, the intrusion detection method includes the following steps S101 to S103.
In step S101, the power supply state of the onboard controller is monitored.
In the embodiment of the invention, the vehicle-mounted controller being in a power supply state indicates that the vehicle in which it is located can supply power to it, and that the vehicle-mounted control system applied to the vehicle is in a running state and can call the vehicle-mounted controller to control driving of the vehicle.
Therefore, whether the vehicle-mounted control system is started or not can be determined by monitoring the power supply state of the vehicle-mounted controller, and then whether intrusion detection needs to be carried out on the vehicle-mounted control system or not can be determined.
In step S102, if it is monitored that the vehicle-mounted controller enters the power supply state, it is detected whether the preset configuration file is updated.
In the embodiment of the invention, the configuration file is used by the intrusion detection system to determine at least one item of detection content for intrusion detection on the vehicle-mounted control system. That is, the configuration file determines the detection range and the corresponding detection standard for the intrusion detection that the intrusion detection system performs on the vehicle-mounted control system. The detection process for each item of detection content may include: scanning the file to be subjected to intrusion detection in the current detection content, and calculating a hash value of the file to determine whether the file has been tampered with.
In the actual intrusion detection process, if the configuration file is not updated, the detection content of the intrusion detection performed by the intrusion detection system on the vehicle-mounted control system is not changed. Therefore, under the condition that the configuration file is not updated, the detected detection content can be used again, repeated invalid detection on the part of the detection content is avoided, the detection efficiency is further improved, all detection content required to be subjected to intrusion detection in the configuration file can be completed during the operation period of the vehicle-mounted control system, and the effectiveness of intrusion detection is further improved.
If the vehicle-mounted controller is monitored to enter a power supply state, this indicates that the vehicle-mounted control system has started, and the intrusion detection system can perform intrusion detection on the vehicle-mounted control system.
In an embodiment, in the process of monitoring the power supply state of the vehicle-mounted controller, if it is monitored that the vehicle-mounted controller is started, restarted or receives a specified wake-up instruction, it may be determined that the vehicle-mounted controller enters the power supply state from the non-power supply state. The specified wake-up instruction may be a network management message sent by another vehicle-mounted controller to the current vehicle-mounted controller. The specified wake-up instruction can also be an instruction triggered when a starting switch of the intelligent automobile is switched from an OFF gear to an ON gear.
In step S103, if the configuration file is not updated, intrusion detection is continued on the vehicle-mounted control system according to the detection content in the configuration file for which intrusion detection has not yet been performed on the vehicle-mounted control system.
In the embodiment of the invention, if the configuration file is not updated, this indicates that the detection content on which the intrusion detection system performs intrusion detection for the vehicle-mounted control system has not changed. Therefore, when the configuration file is not updated, in order to speed up the intrusion detection process and avoid re-detecting content that has already been detected, after the vehicle-mounted control system starts, intrusion detection continues according to the detection content in the configuration file for which intrusion detection has not yet been performed. Intrusion detection on the vehicle-mounted control system can then be completed while that system is running, which further improves the effectiveness of intrusion detection.
Through the above embodiment, the intrusion detection system can determine when the vehicle-mounted control system starts by monitoring the power supply state of the vehicle-mounted controller. Once the vehicle-mounted control system is determined to have started, whether it needs to be detected again is decided by detecting whether the configuration file has been updated. When the configuration file is determined not to have been updated, intrusion detection is performed on the vehicle-mounted control system according to the detection content in the configuration file for which intrusion detection has not yet been performed. This shortens the initialization time of the intrusion detection system, speeds up the detection process, and avoids re-detecting content that has already been detected, so that intrusion detection can be completed while the vehicle-mounted control system is running, which further improves the effectiveness of detection.
Fig. 2 is a flow chart of another proposed intrusion detection method according to an example embodiment. As shown in fig. 2, the intrusion detection method includes the following steps.
In step S201, the power supply state of the onboard controller is monitored.
In step S202, if it is monitored that the vehicle-mounted controller enters the power supply state, it is detected whether the preset configuration file is updated.
In step S203, if the configuration file is not updated, intrusion detection is continued on the vehicle-mounted control system according to the detection content in the configuration file for which intrusion detection has not yet been performed on the vehicle-mounted control system.
In step S204, if the configuration file is updated, the cached history detection data is cleared.
In the embodiment of the invention, the historical detection data is a detection result of intrusion detection on the vehicle-mounted control system in advance according to the configuration file. It can be understood that the historical detection data is detection data obtained by performing intrusion detection on the vehicle-mounted control system by the intrusion detection system in a historical operating state of the vehicle-mounted control system. The historical detection data can comprise detection data for carrying out intrusion detection on various detection contents and operation state data of the vehicle-mounted control system in the process of carrying out intrusion detection.
If detection determines that the configuration file has been updated, this indicates that the intrusion detection system must perform intrusion detection on the vehicle-mounted control system according to the updated configuration file. Therefore, the cached historical detection data is cleared to avoid interference from it.
In step S205, the vehicle-mounted control system is re-detected according to the detection content included in the updated configuration file.
In the embodiment of the invention, the intrusion detection system performs initialization processing according to the updated configuration file so as to determine the detection content in the updated configuration file on which intrusion detection must be performed for the vehicle-mounted control system. After the intrusion detection system finishes initialization processing, it re-detects the vehicle-mounted control system according to the detection content included in the updated configuration file.
Through the above embodiment, the update status of the configuration file is detected before the intrusion detection system performs intrusion detection on the vehicle-mounted control system, which determines whether the vehicle-mounted control system needs to be detected again. This reduces the number of repeated detections of the vehicle-mounted control system, saves the time spent initializing the intrusion detection system, and extends the effective time available for intrusion detection. Intrusion detection efficiency is improved, the detection status of the vehicle-mounted control system is determined in time, and the timeliness, effectiveness and accuracy of intrusion detection are improved.
Fig. 3 is a flow chart of yet another intrusion detection method in accordance with an exemplary embodiment. As shown in fig. 3, the intrusion detection method includes the following steps.
In step S301, the power supply state of the onboard controller is monitored.
In step S302, if it is monitored that the vehicle-mounted controller enters the power supply state, it is detected whether the preset configuration file is updated.
In step S303, if the configuration file is not updated, intrusion detection is continuously performed on the vehicle-mounted control system according to the detection content of intrusion detection that is not performed on the vehicle-mounted control system in the configuration file.
In step S304, if it is detected that the vehicle-mounted controller enters the non-power supply state from the power supply state, the intrusion detection is stopped.
In the embodiment of the invention, if it is monitored that the vehicle-mounted controller enters the non-power supply state from the power supply state, this indicates that the vehicle-mounted control system may be in a non-operating state. Therefore, to avoid invalid detection, intrusion detection on the vehicle-mounted control system is stopped.
In one embodiment, once it is monitored that the vehicle-mounted controller has received a command to enter sleep, it can be determined that the vehicle-mounted controller has entered the non-power supply state from the power supply state. The sleep command can be a command triggered when a starting switch of the intelligent automobile is switched from an OFF gear to an ON gear. Alternatively, if during monitoring the vehicle-mounted controller does not receive the network management messages sent by other vehicle-mounted controllers within a period of time, it is determined that the vehicle-mounted controller has entered the non-power supply state from the power supply state.
In step S305, the detection data of the current intrusion detection is cached to obtain historical detection data, so as to determine the detection content of intrusion detection on the vehicle-mounted control system in the configuration file.
In the embodiment of the invention, so that after the vehicle-mounted control system restarts the intrusion control system can identify the detection content in the configuration file for which intrusion detection has not been performed on the vehicle-mounted control system, the detection data of the current intrusion detection is cached to obtain the historical detection data. Detection content that has already been covered then need not be detected again in subsequent intrusion detection, which improves the effectiveness of intrusion detection and allows the detection data to be obtained in time.
Through the embodiment, the running state of the vehicle-mounted control system can be determined in time by monitoring the power supply state of the vehicle-mounted controller, so that when the vehicle-mounted control system stops running, the detection data can be cached in time, the invalid detection condition is avoided, and the effectiveness and the accuracy of the detection result are improved.
In an embodiment, when the configuration file is not updated, the intrusion detection system compares the detection content corresponding to the historical detection data with the at least one item of detection content included in the configuration file, determines the detection content in the configuration file for which intrusion detection has not been performed on the vehicle-mounted control system, and then continues intrusion detection on the vehicle-mounted control system according to that detection content.
In another implementation, to avoid misjudging the power supply state of the vehicle-mounted controller, it is first determined whether the sleep condition used to judge that the vehicle-mounted controller has entered the non-power supply state has changed, and intrusion detection is then executed based on the result. The sleep condition may include: receiving a command triggered when a starting switch of the intelligent automobile is switched from an OFF gear to an ON gear; or, if the network management messages sent by other vehicle-mounted controllers are not received within a period of time, determining that the vehicle-mounted controller has entered the non-power supply state from the power supply state.
In an implementation scenario, taking the non-power-supply state as the sleep state as an example, the process of performing intrusion detection may be as shown in fig. 4. Fig. 4 is a flow chart of yet another intrusion detection method in accordance with an exemplary embodiment.
In step S401, it is detected whether a sleep condition for the vehicle-mounted controller to enter the non-power supply state changes.
In step S4021, if a change has occurred, the sleep condition is re-determined.
In step S4022, if no change has occurred, it is monitored whether or not the vehicle-mounted controller enters a non-power supply state.
In step S403, when it is determined that the vehicle-mounted controller enters the non-power supply state, the intrusion detection is stopped, and the detection data of the current intrusion detection is cached to obtain the historical detection data.
In step S404, the current state of stopping intrusion detection is maintained until it is detected that the vehicle-mounted controller enters a power supply state.
This embodiment helps improve the accuracy of monitoring whether the vehicle-mounted controller is in a power supply state, thereby avoiding invalid detection and helping improve the effectiveness of intrusion detection.
Fig. 5 is a flow chart of yet another intrusion detection method in accordance with an exemplary embodiment. As shown in fig. 5, the intrusion detection method includes the following steps.
In step S501, the power supply state of the onboard controller is monitored.
In step S502, if it is monitored that the vehicle-mounted controller enters the power supply state for the first time, intrusion detection is performed on the vehicle-mounted control system according to at least one item of detection content in the configuration file.
In the embodiment of the invention, if it is monitored that the vehicle-mounted controller enters the power supply state for the first time, this indicates that the vehicle-mounted control system is operating for the first time and that the intrusion detection system has never performed intrusion detection on the vehicle-mounted control system. Therefore, when the vehicle-mounted controller is monitored to enter the power supply state for the first time, the intrusion detection system directly performs intrusion detection on the vehicle-mounted control system according to at least one item of detection content included in the configuration file, so as to detect whether the current vehicle-mounted control system has driving safety defects.
In step S503, the attribute information of the configuration file is stored to detect whether the configuration file is updated.
In the embodiment of the invention, the attribute information of the configuration file is stored. Later, when the intrusion detection system needs to perform intrusion detection on the vehicle-mounted control system again after the vehicle-mounted control system is started, the attribute information of the current configuration file is compared with the stored attribute information to determine whether the configuration file of the intrusion detection system has been updated. The attribute information of the configuration file may be a hash value obtained by hashing the configuration file.
In step S504, if it is detected that the vehicle-mounted controller does not enter the power supply state for the first time, it is detected whether the preset configuration file is updated.
In step S505, if the configuration file is not updated, the intrusion detection is continued for the in-vehicle control system according to the detection content of the in-vehicle control system that has not been subjected to the intrusion detection in the configuration file.
Through the embodiment, before the vehicle-mounted control system is subjected to intrusion detection, the attribute information of the current configuration file can be compared with the stored attribute information, whether the configuration file of the intrusion detection system is updated or not is determined, so that the updating condition of the configuration file can be determined in time, and the intrusion detection effectiveness can be improved when the vehicle-mounted control system is subjected to intrusion detection subsequently.
In an implementation scenario, in a vehicle, the intrusion detection system may determine when to perform intrusion detection on the vehicle-mounted control system by monitoring the power supply state of the vehicle-mounted control system. When the vehicle-mounted controller is monitored to be in a power supply state, it is determined that intrusion detection currently needs to be performed on the vehicle-mounted control system. To improve the effectiveness of intrusion detection, whether the configuration file of the intrusion detection system has been updated is detected before intrusion detection. If the configuration file is not updated, the detection content of the intrusion detection of the vehicle-mounted control system in the configuration file is determined based on the cached historical detection data, and intrusion detection on the vehicle-mounted control system continues. The historical detection data can comprise detection data for carrying out intrusion detection on various detection contents and operation state data of the vehicle-mounted control system in the process of carrying out intrusion detection. If the configuration file is updated, the cached historical detection data is cleared and, after initialization processing, intrusion detection is performed on the vehicle-mounted control system based on at least one item of detection content included in the updated configuration file.
Through the embodiment, the detection flow of the intrusion detection system for carrying out intrusion detection on the vehicle-mounted control system can be optimized, the invalid repeated work of the intrusion detection system in the detection process is reduced, and the timeliness and the accuracy of intrusion detection are improved.
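The resume-or-restart flow described above can be sketched as follows. This is an added example, not code from the patent; the JSON configuration layout, the check names, the class names and the use of SHA-256 as the "attribute information" are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def config_digest(config_bytes: bytes) -> str:
    # "Attribute information" of the configuration file; SHA-256 is an assumption.
    return hashlib.sha256(config_bytes).hexdigest()


@dataclass
class NonVolatileStore:
    """Stands in for storage that survives a sleep/wake cycle (hypothetical)."""
    stored_digest: Optional[str] = None
    history: Dict[str, str] = field(default_factory=dict)  # item -> cached result


class ResumableIds:
    """Runs the detection items of a config file across power cycles."""

    def __init__(self, store: NonVolatileStore,
                 checks: Dict[str, Callable[[], str]]):
        self.store = store
        self.checks = checks                 # detection item -> check routine
        self.pending: List[str] = []
        self.session: Dict[str, str] = {}    # results of the current power cycle
        self.running = False

    def on_power_up(self, config_bytes: bytes) -> str:
        items = json.loads(config_bytes)["detection_items"]
        digest = config_digest(config_bytes)
        if self.store.stored_digest is None:
            mode = "first_run"               # S502/S503: detect all, store digest
        elif digest != self.store.stored_digest:
            mode = "config_updated"          # clear cached history, re-detect (S205)
            self.store.history.clear()
        else:
            mode = "resume"                  # S303: only items not yet detected
        self.store.stored_digest = digest
        # Compare cached history with the config to find what is still open.
        self.pending = [i for i in items if i not in self.store.history]
        self.session = {}
        self.running = True
        return mode

    def run(self, budget: int) -> List[str]:
        """Run at most `budget` pending items; return the names that ran."""
        done: List[str] = []
        while self.running and self.pending and len(done) < budget:
            item = self.pending.pop(0)
            check = self.checks.get(item)
            # An item with no registered routine is recorded, not skipped silently.
            self.session[item] = check() if check else "unsupported"
            done.append(item)
        return done

    def on_power_down(self) -> None:
        # S304/S305: stop detection, cache this cycle's data as history.
        self.running = False
        self.store.history.update(self.session)
        self.session = {}
        self.pending = []


def simulate() -> List[Tuple[str, List[str]]]:
    """Three constructed power cycles: interrupted run, resume, updated config."""
    names = ("can_id_allowlist", "message_rate", "diag_session", "firmware_digest")
    checks = {n: (lambda n=n: f"{n}:ok") for n in names}   # constructed checks
    cfg_v1 = json.dumps({"detection_items": list(names[:3])}).encode()
    cfg_v2 = json.dumps({"detection_items": [names[0], names[3]]}).encode()
    store = NonVolatileStore()
    log = []
    # budget=2 in the first cycle models the controller sleeping mid-scan.
    for cfg, budget in ((cfg_v1, 2), (cfg_v1, 5), (cfg_v2, 5)):
        ids = ResumableIds(store, checks)    # new object: RAM state is lost on sleep
        mode = ids.on_power_up(cfg)
        ran = ids.run(budget)
        ids.on_power_down()
        log.append((mode, ran))
    return log


if __name__ == "__main__":
    for mode, ran in simulate():
        print(mode, ran)
```

A bare digest only shows that the file changed; it does not show that the change was authorised, which would need a signature or MAC over the file checked before the new detection content is loaded.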
Based on the same inventive concept, the invention also provides an intrusion detection device. Wherein, the distributed storage system deployed by the main node cluster is also deployed with a standby node cluster.
Fig. 6 is a block diagram of an intrusion detection device according to an exemplary embodiment. As shown in fig. 6, the intrusion detection device includes a monitoring unit 601, a first detection unit 602, and a second detection unit 603.
The monitoring unit 601 is used for monitoring the power supply state of the vehicle-mounted controller;
the monitoring unit 601 is configured to detect whether a preset configuration file is updated or not if it is monitored that the vehicle-mounted controller enters a power supply state, where the configuration file is used to determine at least one detection content for performing intrusion detection on a vehicle-mounted control system, and the vehicle-mounted control system is a control system for controlling a vehicle to run by the vehicle-mounted controller;
a second detecting unit 603, configured to, if the configuration file is not updated, continue intrusion detection on the vehicle-mounted control system according to detection content that intrusion detection is not performed on the vehicle-mounted control system in the configuration file.
In an embodiment, the apparatus further comprises: an initialization unit, configured to clear cached historical detection data if the configuration file is updated, wherein the historical detection data is a detection result of intrusion detection performed in advance on the vehicle-mounted control system according to the configuration file; and a third detection unit, configured to re-detect the vehicle-mounted control system according to the detection content included in the updated configuration file.
In another embodiment, the apparatus further comprises: a fourth detection unit, configured to stop intrusion detection if it is monitored that the vehicle-mounted controller enters a non-power supply state from a power supply state; and a cache unit, configured to cache the detection data of the current intrusion detection to obtain historical detection data, so as to determine the detection content of the intrusion detection on the vehicle-mounted control system in the configuration file.
In yet another embodiment, the second detection unit 603 includes: a comparison unit, configured to compare the detection content corresponding to the historical detection data with at least one item of detection content in the configuration file and determine the detection content in the configuration file for which intrusion detection has not been performed on the vehicle-mounted control system; and a second detection subunit, configured to continue intrusion detection on the vehicle-mounted control system according to that detection content.
In still another embodiment, the fourth detection unit includes: a fourth detection subunit, configured to determine that the vehicle-mounted controller enters the non-power supply state from the power supply state if the vehicle-mounted controller receives the instruction to enter the sleep state.
In yet another embodiment, the monitoring unit 601 includes: the first detection subunit is configured to determine that the vehicle-mounted controller enters the power supply state from the power supply state if it is monitored that the vehicle-mounted controller is started or restarted or the vehicle-mounted controller receives a specified wake-up instruction.
In another embodiment, if it is monitored for the first time that the vehicle-mounted controller enters the power supply state, the apparatus further includes: a fifth detection unit, configured to perform intrusion detection on the vehicle-mounted control system according to at least one item of detection content in the configuration file; and a storage unit, configured to store the attribute information of the configuration file so as to detect whether the configuration file is updated.
For the specific limitations and advantageous effects of the intrusion detection apparatus, refer to the limitations of the intrusion detection method above; they are not repeated here. The various modules described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in, or independent of, a processor in the computer device in hardware form, or can be stored in a memory in the computer device in software form, so that the processor can call them and execute the operations corresponding to the modules.
Fig. 7 is a hardware configuration diagram of a computer device according to an exemplary embodiment. As shown in fig. 7, the apparatus includes one or more processors 710 and a storage 720, where the storage 720 includes a persistent memory, a volatile memory, and a hard disk, and one processor 710 is taken as an example in fig. 7. The apparatus may further include: an input device 730 and an output device 740.
The processor 710, the memory 720, the input device 730, and the output device 740 may be connected by a bus or other means, such as the bus connection in fig. 7.
Processor 710 may be a Central Processing Unit (CPU). The Processor 710 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, or any combination thereof. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 720, serving as a non-transitory computer-readable storage medium, includes a persistent memory, a volatile memory, and a hard disk, and can be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as program instructions/modules corresponding to the service management method in the embodiment of the present application. The processor 710 performs various functional applications of the server and data processing by executing non-transitory software programs, instructions, and modules stored in the memory 720, namely, implements any of the above intrusion detection methods.
The memory 720 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data used as needed or desired, and the like. Further, the memory 720 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 720 optionally includes memory located remotely from processor 710, which may be connected to a data processing device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 730 may receive input numeric or character information and generate key signal inputs related to user settings and function control. The output device 740 may include a display device such as a display screen.
One or more modules are stored in the memory 720 that, when executed by the one or more processors 710, perform the methods shown in fig. 1-5.
The product can execute the method provided by the embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. Details of the technique not described in detail in the present embodiment may be specifically referred to the related description in the embodiments shown in fig. 1 to fig. 5.
Embodiments of the present invention further provide a non-transitory computer storage medium, where computer-executable instructions are stored, and the computer-executable instructions may execute the authentication method in any of the method embodiments. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD) or a Solid State Drive (SSD), etc.; the storage medium may also comprise a combination of memories of the kind described above.
It should be understood that the above examples are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. It is neither necessary nor possible to list all embodiments exhaustively here. Obvious variations or modifications derived therefrom remain within the scope of the invention.

Claims (10)

1. An intrusion detection method, the method comprising:
monitoring the power supply state of the vehicle-mounted controller;
if the vehicle-mounted controller is monitored to enter a power supply state, detecting whether a preset configuration file is updated, wherein the configuration file is used for determining at least one item of detection content for carrying out intrusion detection on the vehicle-mounted control system;
and if the configuration file is not updated, continuing intrusion detection on the vehicle-mounted control system according to the detection content of the configuration file for not carrying out intrusion detection on the vehicle-mounted control system.
2. The method of claim 1, further comprising:
if the configuration file is updated, clearing cached historical detection data, wherein the historical detection data are detection results of intrusion detection on the vehicle-mounted control system in advance according to the configuration file;
and re-detecting the vehicle-mounted control system according to the detection content included in the updated configuration file.
3. The method of claim 1, further comprising:
if the vehicle-mounted controller is monitored to enter a non-power supply state from the power supply state, stopping intrusion detection;
and caching the detection data of the current intrusion detection to obtain historical detection data so as to determine the detection content of the intrusion detection of the vehicle-mounted control system in the configuration file.
4. The method according to claim 3, wherein the continuing intrusion detection on the vehicle-mounted control system according to the detection content of intrusion detection on the vehicle-mounted control system not performed in the configuration file comprises:
comparing the detection content corresponding to the historical detection data with at least one item of detection content in the configuration file, and determining the detection content which does not carry out intrusion detection on the vehicle-mounted control system in the configuration file;
and according to the detection content of not carrying out intrusion detection on the vehicle-mounted control system, carrying out intrusion detection on the vehicle-mounted control system continuously.
5. The method of claim 3 or 4, wherein said monitoring said on-board controller to enter a non-powered state from said powered state comprises:
and if the vehicle-mounted controller receives a sleep entering instruction, determining that the vehicle-mounted controller enters a non-power supply state from the power supply state.
6. The method of claim 1, wherein the monitoring the on-board controller to enter a powered state comprises:
and if the vehicle-mounted controller is monitored to be started or restarted or the vehicle-mounted controller receives a specified wake-up instruction, determining that the vehicle-mounted controller enters a power supply state from the power supply state.
7. The method of claim 1, wherein if it is first monitored that the on-board controller enters a power-on state, the method further comprises:
according to the at least one item of detection content in the configuration file, carrying out intrusion detection on the vehicle-mounted control system;
storing attribute information of the configuration file to detect whether the configuration file is updated.
8. An intrusion detection device, the device comprising:
the monitoring unit is used for monitoring the power supply state of the vehicle-mounted controller;
the vehicle-mounted controller comprises a first detection unit, a second detection unit and a control unit, wherein the first detection unit is used for detecting whether a preset configuration file is updated or not if the vehicle-mounted controller is monitored to enter a power supply state, the configuration file is used for determining at least one detection content for carrying out intrusion detection on a vehicle-mounted control system, and the vehicle-mounted control system is a control system for controlling a vehicle to run by the vehicle-mounted controller;
and the second detection unit is used for continuously carrying out intrusion detection on the vehicle-mounted control system according to the detection content of not carrying out intrusion detection on the vehicle-mounted control system in the configuration file if the configuration file is not updated.
9. A computer device comprising a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the intrusion detection method of any one of claims 1-7.
10. A computer-readable storage medium having stored thereon computer instructions for causing the computer to perform the intrusion detection method of any one of claims 1-7.
CN202210454504.5A 2022-04-27 2022-04-27 Intrusion detection method, device, computer equipment and medium Pending CN114866305A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210454504.5A CN114866305A (en) 2022-04-27 2022-04-27 Intrusion detection method, device, computer equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210454504.5A CN114866305A (en) 2022-04-27 2022-04-27 Intrusion detection method, device, computer equipment and medium

Publications (1)

Publication Number Publication Date
CN114866305A true CN114866305A (en) 2022-08-05

Family

ID=82632992

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210454504.5A Pending CN114866305A (en) 2022-04-27 2022-04-27 Intrusion detection method, device, computer equipment and medium

Country Status (1)

Country Link
CN (1) CN114866305A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101026500A (en) * 2007-01-31 2007-08-29 北京佳讯飞鸿电气有限责任公司 Method for reducing missing reports of network intrusion detecting system
US9223972B1 (en) * 2014-03-31 2015-12-29 Fireeye, Inc. Dynamically remote tuning of a malware content detection system
CN107578345A (en) * 2017-09-08 2018-01-12 南方电网科学研究院有限责任公司 Power system security detection method, device, storage medium and computer equipment
CN110572399A (en) * 2019-09-10 2019-12-13 百度在线网络技术(北京)有限公司 vulnerability detection processing method, device, equipment and storage medium
CN112532610A (en) * 2020-11-24 2021-03-19 杭州迪普科技股份有限公司 Intrusion prevention detection method and device based on TCP segmentation
CN113609479A (en) * 2021-08-06 2021-11-05 北京天融信网络安全技术有限公司 File detection method and device, electronic equipment and readable storage medium
CN113868659A (en) * 2021-10-20 2021-12-31 前锦网络信息技术(上海)有限公司 Vulnerability detection method and system
CN114238002A (en) * 2021-12-22 2022-03-25 北京天融信网络安全技术有限公司 Host system detection method and device, vehicle-mounted equipment and readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
闫巧, 喻建平, 谢维信: "入侵检测系统的可信问题", 计算机研究与发展, no. 08, 30 August 2003 (2003-08-30) *

Similar Documents

Publication Publication Date Title
US10601606B2 (en) Communications on vehicle data buses
CN112104702B (en) Power management method for vehicle TBOX, vehicle TBOX and medium
CN109673009B (en) Method and device for upgrading VCU software in air
US20040214599A1 (en) Wireless communications system for software downloading
CN105824659A (en) Application program updating method and terminal equipment
US7209490B2 (en) Rapid vehicle bus network activity
CN114327606B (en) Configuration management method and device, electronic equipment and computer readable storage medium
WO2021176047A1 (en) Power management on a vehicle
CN114866305A (en) Intrusion detection method, device, computer equipment and medium
CN111107138A (en) VOBC data download method, VOBC, download server, device and medium
CN113050960A (en) OTA (over the air) upgrading method and device, vehicle-mounted terminal and storage medium
KR102109125B1 (en) Method for managing state of ECU in vehicle based on automotive open system architecture
CN116126368A (en) Whole-vehicle OTA upgrading method and device, electronic equipment and vehicle
CN107179911B (en) Method and equipment for restarting management engine
CN116088903A (en) Vehicle software upgrading method and device, vehicle, equipment and storage medium
CN114760147A (en) Security event processing method, security event processing device, equipment and medium
CN114909059A (en) Vehicle window control method and device, vehicle body controller, vehicle and medium
WO2021176053A1 (en) Power management on a vehicle
CN116600262B (en) Method and device for determining sleep wakeup abnormality, electronic equipment and storage medium
CN114148269A (en) Method, device and equipment for processing vehicle abnormity and storage medium
CN114124644B (en) Ethernet OAM alarm method and device based on Linux kernel mode
KR102384979B1 (en) Sleep mode entering method of controller for vehicle
CN111104167B (en) Calculation result submitting method and device
WO2023168953A1 (en) Ota power-on refresh control method and system for vehicle
CN115586907A (en) Program updating method, program updating device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination