CN115204050A - Vehicle-mounted CAN bus data abnormity detection method and device - Google Patents
Vehicle-mounted CAN bus data abnormity detection method and device Download PDFInfo
- Publication number
- CN115204050A CN115204050A CN202210868437.1A CN202210868437A CN115204050A CN 115204050 A CN115204050 A CN 115204050A CN 202210868437 A CN202210868437 A CN 202210868437A CN 115204050 A CN115204050 A CN 115204050A
- Authority
- CN
- China
- Prior art keywords
- code
- digital domain
- model
- bus data
- trained
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 22
- 230000002159 abnormal effect Effects 0.000 claims abstract description 21
- 238000012549 training Methods 0.000 claims description 36
- 238000000034 method Methods 0.000 claims description 27
- 230000005856 abnormality Effects 0.000 claims description 17
- 230000006870 function Effects 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 6
- 238000012545 processing Methods 0.000 description 10
- 238000004891 communication Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 238000004458 analytical method Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 230000007774 longterm Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 235000019800 disodium phosphate Nutrition 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F30/00—Computer-aided design [CAD]
- G06F30/20—Design optimisation, verification or simulation
- G06F30/27—Design optimisation, verification or simulation using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2119/00—Details relating to the type or aim of the analysis or the optimisation
- G06F2119/02—Reliability analysis or reliability optimisation; Failure analysis, e.g. worst case scenario performance, failure mode and effects analysis [FMEA]
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Evolutionary Computation (AREA)
- Theoretical Computer Science (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Medical Informatics (AREA)
- Software Systems (AREA)
- Artificial Intelligence (AREA)
- Computer Hardware Design (AREA)
- Geometry (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention provides a vehicle-mounted CAN bus data abnormity detection method, which comprises the following steps: acquiring CAN bus data; coding the CAN ID and the digital domain to obtain a first CAN ID code and a first digital domain code; inputting the first CAN ID code of the previous time period into the first model, and predicting to obtain a second CAN ID code; obtaining a trained first model according to the first CAN ID code and the second CAN ID code; inputting the first digital domain code of the previous time interval into a second model, and predicting to obtain a second digital domain code; obtaining a trained second model according to the first digital domain code and the second digital domain code; inputting a first CAN ID code corresponding to a CAN ID in the current CAN bus data into the trained first model to obtain a first output result, and inputting a first digital domain code corresponding to a digital domain length in the current CAN bus data into the second model after the sequence to obtain a second output result; and judging whether the CAN bus data is abnormal or not according to the first output result and the second output result.
Description
Technical Field
The invention relates to the field of data processing, in particular to a method and a device for detecting data abnormality of a vehicle-mounted CAN bus.
Background
A Controller Area Network (CAN) bus is a field bus for communication between controllers. The CAN bus was first used in the automotive industry and was proposed by BOSCH, germany. As the demands of consumers on the functions of the automobile are continuously increased, and the electronic devices in the automobile are continuously increased, the wiring mode of communication signals among all controllers is complex, a single network bus is designed, and all the controllers of the whole automobile can be hung on the network.
The automotive industry has evolved far beyond the mechanical systems themselves, and today, many intelligent functions based on advanced embedded electronics have entered the automotive industry. While the electronic configuration and interrelationship of the various components improves overall vehicle comfort, functionality, and safe driving, it also presents security attack issues that can penetrate the in-vehicle interconnected communication network, which is initially a closed-loop system. For such application scenarios, a communication protocol that would typically be used is Controller Area Network (CAN). Such networks are still subject to various attacks due to lack of encryption and authentication. Thus, any malicious/hijacked node may cause catastrophic accidents and economic losses.
In the past, a supervised learning method is generally adopted for an intrusion detection system of a vehicle-mounted CAN bus. For example, the characteristics in time sequence are extracted from the CAN ID and data fields, and then intrusion detection is performed, or the characteristics are extracted from the aspects of message intervals, data volume and the like of the CAN bus. The message interval refers to the time length of the message interval, the data volume refers to the data volume of the vehicle in standby and driving, and normal and abnormal data are manually marked according to the message interval and the data volume.
The disadvantages of the prior art are mainly in the following aspects:
1. the CAN bus has huge data volume, the abnormal data often occupies a small proportion, the abnormal CAN data is difficult to be effectively marked manually in practical application, and an algorithm with supervision and learning is difficult to be applied or the engineering quantity is huge.
2. The abnormal detection is carried out by using the characteristic extraction method, and the sequential relation of the front CAN data and the rear CAN data, particularly the CAN ID, is not considered from the perspective of context analysis.
3. In the past, aiming at an intrusion detection system of a vehicle-mounted CAN bus, characteristics are extracted from the aspects of information intervals, data quantity and the like of CAN bus communication, and the characteristics are realized by using some more traditional abnormality detection methods, so that data abnormality in a CAN bus data packet is ignored.
Disclosure of Invention
The embodiment of the invention aims to provide a method and a device for detecting data abnormality of a vehicle-mounted CAN bus, which are used for solving the problem that the abnormality in a CAN data packet cannot be detected in the prior art.
In a first aspect, the present invention provides a method for detecting data abnormality of a vehicle-mounted CAN bus, where the method includes:
acquiring CAN bus data; the CAN bus data comprises a CAN ID and a digital domain;
coding the CAN ID and the digital domain to obtain a first CAN ID code and a first digital domain code;
inputting the first CAN ID code of the previous time period into a first model, and predicting to obtain a second CAN ID code;
training the first model according to the first CAN ID code and the second CAN ID code to obtain a trained first model;
inputting the first digital domain code of the previous time interval into a second model, and predicting to obtain a second digital domain code;
training the second model according to the first digital domain code and the second digital domain code to obtain a trained second model;
inputting a first CAN ID code corresponding to a CAN ID in the current CAN bus data into the trained first model to obtain a first output result, and inputting a first digital domain code corresponding to a digital domain length in the current CAN bus data into the trained second model to obtain a second output result;
and judging whether the CAN bus data is abnormal or not according to the first output result and the second output result.
In an optional implementation manner, the encoding the CAN ID and the digital domain to obtain the first CAN ID code and the first digital domain code specifically includes:
coding the CAN ID through single-hot coding to obtain a first CAN ID code;
and coding the digital domain through one-hot coding to obtain a first digital domain code.
In an optional implementation manner, the training the first model according to the first CAN ID code and the second CAN ID code, and obtaining the trained first model specifically includes:
predicting to obtain a next second CAN ID code according to the first CAN ID code in the previous time period;
taking the next second CAN ID code as a first CAN ID code, and continuously predicting to obtain the next second CAN ID code;
after each prediction, calculating the difference between the second CAN ID code and the true value through a loss function;
and when the difference tends to be converged, finishing the training of the first model to obtain the trained first model.
In an optional implementation manner, the training the second model according to the first digital domain coding and the second digital domain coding, and obtaining the trained second model specifically includes:
predicting to obtain a next second digital domain code according to the first digital domain code of the previous time interval;
taking the next second digital domain code as a first digital domain code, and continuing to predict to obtain the next second digital domain code;
after each prediction, calculating the difference between the second digital domain code and the true value through a loss function;
and when the difference tends to be converged, finishing the training of the second model to obtain the trained second model.
In an optional implementation manner, the inputting a first CAN ID code corresponding to a CAN ID in current CAN bus data into the trained first model to obtain a first output result, and inputting a second model after a first digital domain code corresponding to a digital domain length in current CAN bus data into a sequence to obtain a second output result specifically includes:
acquiring current CAN bus data;
coding the CAN ID in the current CAN bus data to obtain a first CAN ID code, and coding a digital domain in the current CAN bus data to obtain a digital domain code;
inputting the first CAN ID code into the trained first model, and predicting to obtain a plurality of second CAN ID codes; a plurality of second CAN ID codes as a first output result;
inputting the first digital domain codes into the trained second model, and predicting to obtain a plurality of second digital domain codes; a plurality of second digital domain codes as a second output result.
In an optional implementation manner, the determining whether the CAN bus data is abnormal according to the first output result and the second output result specifically includes:
and when the first output result does not contain the next CAN ID real value code, and/or when the second output result does not contain the next digital domain real value code, the CAN bus data is abnormal.
In a second aspect, the present invention provides an on-vehicle CAN bus data anomaly detection apparatus, including:
the acquisition module is used for acquiring CAN bus data; the CAN bus data comprises a CAN ID and a digital domain;
the coding module is used for coding the CAN ID and the digital domain to obtain a first CAN ID code and a first digital domain code;
the first prediction module is used for inputting the first CAN ID code of the previous time period into a first model and predicting to obtain a second CAN ID code;
the first training module is used for training the first model according to the first CAN ID code and the second CAN ID code to obtain a trained first model;
the second prediction module is used for inputting the first digital domain code of the previous time interval into a second model and predicting to obtain a second digital domain code;
the second training module is used for training the second model according to the first digital domain code and the second digital domain code to obtain a trained second model;
the input module is used for inputting a first CAN ID code corresponding to a CAN ID in the current CAN bus data into the trained first model to obtain a first output result, and inputting a second model after a first digital domain code corresponding to a digital domain length in the current CAN bus data into a sequence to obtain a second output result;
and the judging module is used for judging whether the CAN bus data is abnormal or not according to the first output result and the second output result.
In a third aspect, the present invention provides a computer server comprising: a memory, a processor, and a transceiver;
the processor is coupled with the memory, and is used for reading and executing the instruction in the memory so as to realize the vehicle-mounted CAN bus data anomaly detection method in the first aspect;
the transceiver is coupled to the processor, and the processor controls the transceiver to transmit and receive messages.
In a fourth aspect, the present invention provides a chip system, including a processor, where the processor is coupled to a memory, where the memory stores program instructions, and when the program instructions stored in the memory are executed by the processor, the method for detecting data abnormality of the on-vehicle CAN bus according to any one of the first aspect is implemented.
In a fifth aspect, the present invention provides a computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and the computer program is executed by a processor to perform the method for detecting the data abnormality of the on-vehicle CAN bus according to any one of the first aspect.
By applying the vehicle-mounted CAN bus data abnormity detection method provided by the invention, the following technical effects CAN be realized:
1. the first CAN ID code and the first digital domain code which are pre-sequences for a period of time are input by utilizing the model characteristics of the first model and the second model, the context is predicted according to the context, the context becomes a part of new context, and the long-term characteristics of the whole sequence time sequence CAN be better extracted, namely the sequential relation of the front CAN bus data and the rear CAN bus data, particularly the CAN ID, is considered from the context analysis.
2. The first model and the second model are used for simultaneously detecting the abnormality of the CAN ID and the data field part, so that the detection efficiency is improved.
3. According to the method and the device, the LSTM is utilized, manual marking in mass unbalanced data is not needed, and therefore human resources are saved.
Drawings
Fig. 1 is a schematic flow chart of a method for detecting data abnormality of a vehicle-mounted CAN bus according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of CAN bus data;
fig. 3 is a schematic structural diagram of a vehicle-mounted CAN bus data anomaly detection device according to a second embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computer server according to a third embodiment of the present invention;
fig. 5 is a schematic structural diagram of a chip system according to a fourth embodiment of the present invention;
fig. 6 is a schematic structural diagram of a computer-readable storage medium according to a fifth embodiment of the present invention.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be further noted that, for the convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Example one
The embodiment of the invention provides a method for detecting the abnormality of vehicle-mounted CAN bus data, which is applied to a scene of detecting the abnormality in the vehicle-mounted CAN bus data, and as shown in figure 1, the method comprises the following steps:
specifically, the CAN bus data on a single vehicle of a certain automobile brand is collected, as shown in fig. 2, it CAN be seen that the CAN bus data includes several parts: the first column is a timestamp, representing the time at which the data occurred; such as 1478198376.389427, and the second column CAN ID, representing a different device or data source, is 16-ary data, such as 0316; the third column is the number domain, which represents the vehicle type, say 8; the other column on the right is a number field for representing valid data, and is composed of 8 bytes of 16-ary numbers, such as 05, 21,68,09,21, 00,6f.
specifically, since the CAN ID and the digital domain mainly use 16-system data, the present application encodes the 16-system data into a numerical value in a one-hot (one-hot) encoding form. one-hot encoding uses an N-bit status register to encode N states, each having its own independent register bit, and only one of which is active at any time. Taking CAN ID 0316 as an example, if it is the value with the highest frequency of occurrence, the CAN ID is encoded into the first CAN ID code by one-hot encoding, i.e. here the first CAN ID code may be binary 0, the higher the word frequency, the smaller the code, and so on, until all CAN IDs in fig. 2 are encoded into the first CAN ID code.
wherein, the first model is Long-Short Term Memory network (LSTM).
Specifically, the first column in fig. 2 represents CAN ID, the CAN ID is a first CAN ID code after being encoded by one-hot, and the second CAN ID code represents CAN ID predicted by the first model.
It should be noted that, next, the input first CAN ID code may be the next time or the next time period, and the input first CAN ID code may be the previous time or the first CAN ID code in the previous time period, where in order to increase the speed of prediction, a sliding window may be set for the previous time period, and the sliding window includes a series of first CAN ID codes within a certain time period range, so that the next second CAN ID code may be obtained through the first CAN ID code in the sliding window according to context prediction.
specifically, the next second CAN ID code is obtained through prediction according to the first CAN ID code in the previous time period, the second CAN ID code is used as the first CAN ID code, and the prediction of the second CAN ID code is continuously carried out, so that the LSTM is trained.
In a specific implementation manner, the input of the first model is n first CAN ID codes in the preamble, which are used to predict a next second CAN ID code, that is, predict a second CAN ID code at a next time according to the first CAN ID code at a previous time, and then calculate a prediction result through a cross entropy loss function, that is, a difference between the second CAN ID code and a true value at the next time, where cross entropy is used as a loss function to measure a difference between a predicted value and a true value of the first model after each iteration until the difference between the predicted value and the true value of the first model tends to converge, thereby improving the prediction accuracy of the first model.
wherein, the second model can also be LSTM.
It should be noted that the next time may refer to the next time, and may refer to the next time interval, and the input first digital domain code may be the previous time, and may also be the first digital domain code in the previous time interval, where in order to increase the speed of prediction, a sliding window may be provided, and the sliding window includes a series of first digital domain codes in a certain time range, so that the next second digital domain code may be predicted by the first digital domain code in the sliding window. Here, the process of predicting the second digital domain code is similar to step 130, and is not described here again.
specifically, the second model is trained by using the first digital domain code and the second digital domain code, m first digital domain codes are input to predict the second digital domain code at the next moment, the process is similar to the step 140, the cross entropy is adopted as a loss function to measure the difference between the predicted value and the true value of the second model during each iteration until the difference between the predicted second digital domain code and the true value tends to converge, and therefore the prediction accuracy of the second model is improved.
It should be noted that steps 130-140, and steps 150-160 may be performed simultaneously in order to increase the model training rate.
Therefore, through the steps 110-160, the training of the model is realized off line, and the steps 170-180 are directly executed in the subsequent use, so that the abnormal detection of the vehicle-mounted CAN bus data CAN be realized.
specifically, real-time CAN bus data is imported, and CAN ID and digital domain codes are respectively obtained to obtain a first CAN ID code and a first digital domain code. And inputting the first CAN ID code into the trained first model, and inputting the first digital domain code into the trained second model.
The first output result CAN be regarded as a predicted value obtained after the first CAN ID code is input into the model, and the predicted value CAN comprise a plurality of second CAN ID codes. The second output result may be regarded as a predicted value obtained after the first digital domain code is input into the model, and the predicted value may include a plurality of second digital domain codes.
And step 180, judging whether the CAN bus data is abnormal or not according to the first output result and the second output result.
Specifically, if the k second CAN ID codes output do not include the next CAN ID true value code, the CAN ID is considered to be abnormal, that is, the CAN bus data is abnormal. And if the k second digital domain codes do not contain the next digital domain real value code, the digital domain is considered to be abnormal, namely the CAN bus data is abnormal. And if the output k second CAN ID codes do not contain the next CAN ID real code and the output k second digital domain codes do not contain the next digital domain real value code, the CAN bus data are considered to be abnormal.
The next CAN ID real value code here refers to the first CAN ID code corresponding to the real value of the next CAN ID. The real value of this next CAN ID may be included in the next CAN bus data. Correspondingly, the next digital domain real value code refers to the first digital domain code corresponding to the real value of the next digital domain, and the next digital domain real value is also contained in the next CAN ID bus data.
Further, by training the first model and training the second model, the trained first model and the trained second model represent a CAN ID and a data field change pattern in a CAN bus security state, that is, a security portrait of CAN bus data.
By applying the vehicle-mounted CAN bus data abnormity detection method provided by the invention, the following technical effects CAN be realized:
1. the first CAN ID code and the first digital domain code which are pre-ordered for a period of time are input by utilizing the model characteristics of the first model and the second model, the context is predicted according to the context, the context becomes a new part of the context, the long-term characteristics on the whole sequence time sequence CAN be better extracted, namely the sequential relation of the front CAN bus data and the rear CAN bus data, particularly the CAN IDs, is considered from the context analysis perspective.
2. The first model and the second model are used for simultaneously detecting the abnormality of the CAN ID and the data field part, so that the detection efficiency is improved.
3. According to the method and the device, the LSTM is utilized, manual marking in mass unbalanced data is not needed, and therefore human resources are saved.
Example two
The second embodiment of the present invention provides a device for detecting data abnormality of a vehicle-mounted CAN bus, including: an obtaining module 310, an encoding module 320, a first prediction module 330, a first training module 340, a second prediction module 350, a second training module 360, an input module 370, and a determining module 380.
The acquiring module 310 is configured to acquire CAN bus data; the CAN bus data comprises a CAN ID and a digital domain;
the encoding module 320 is configured to encode the CAN ID and the digital domain to obtain a first CAN ID code and a first digital domain code;
the first prediction module 330 is configured to input the first CAN ID code of the previous time period into a first model, and predict to obtain a second CAN ID code;
the first training module 340 is configured to train the first model according to the first CAN ID code and the second CAN ID code to obtain a trained first model;
the second prediction module 350 is configured to input the first digital domain code of the previous time interval into a second model, and predict to obtain a second digital domain code;
the second training module 360 is configured to train the second model according to the first digital domain code and the second digital domain code to obtain a trained second model;
the input module 370 is configured to input a first CAN ID code corresponding to a CAN ID in the current CAN bus data into the trained first model to obtain a first output result, and input a first digital domain code corresponding to a digital domain length in the current CAN bus data into the trained second model to obtain a second output result;
the judging module 380 is configured to judge whether the CAN bus data is abnormal according to the first output result and the second output result.
Further, the encoding module 320 encodes the CAN ID and the digital domain to obtain a first CAN ID code and a first digital domain code specifically includes: coding the CAN ID through single-hot coding to obtain a first CAN ID code; and coding the digital domain through one-hot coding to obtain a first digital domain code.
Further, the training of the first model by the first training module 340 according to the first CAN ID code and the second CAN ID code specifically includes: predicting to obtain a next second CAN ID code according to the first CAN ID code in the previous time period; taking the next second CAN ID code as a first CAN ID code, and continuously predicting to obtain the next second CAN ID code; after each prediction, calculating the difference between the second CAN ID code and the true value through a loss function; and when the difference tends to be converged, finishing the training of the first model to obtain the trained first model.
Further, the training of the second model by the second training module 360 according to the first digital domain code and the second digital domain code specifically includes: predicting to obtain a next second digital domain code according to the first digital domain code of the previous time interval; taking the next second digital domain code as a first digital domain code, and continuing to predict to obtain the next second digital domain code; after each prediction, calculating the difference between the obtained second digital domain code and the true value through a loss function; and when the difference tends to be converged, finishing the training of the second model to obtain the trained second model.
Further, the inputting module 370 inputs the first CAN ID code corresponding to the CAN ID in the current CAN bus data into the trained first model to obtain a first output result, and inputs the second model after the first digital domain code corresponding to the digital domain length in the current CAN bus data into the sequence to obtain a second output result specifically includes: acquiring current CAN bus data; coding the CAN ID in the current CAN bus data to obtain a first CAN ID code, and coding a digital domain in the current CAN bus data to obtain a digital domain code; inputting the first CAN ID code into the trained first model, and predicting to obtain a plurality of second CAN ID codes; a plurality of second CAN ID codes as a first output result; inputting the first digital domain codes into the trained second model, and predicting to obtain a plurality of second digital domain codes; a plurality of second digital domain codes are encoded as a second output result.
The apparatus provided in the second embodiment of the present invention may perform the method steps in the first embodiment of the method, and the implementation principle and technical effects are similar, which are not described herein again.
It should be noted that the division of each module of the above apparatus is only a logical division, and all or part of the actual implementation may be integrated into one physical entity or may be physically separated. And these modules can be realized in the form of software called by processing element; or can be implemented in the form of hardware; and part of the modules can be realized in the form of calling software by the processing element, and part of the modules can be realized in the form of hardware. For example, the determining module may be a processing element separately set up, or may be implemented by being integrated in a chip of the apparatus, or may be stored in a memory of the apparatus in the form of program code, and the function of the determining module is called and executed by a processing element of the apparatus. Other modules are implemented similarly. In addition, all or part of the modules can be integrated together or can be independently realized. The processing element described herein may be an integrated circuit having signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in the form of software.
For example, the above modules may be one or more integrated circuits configured to implement the above methods, such as: one or more Application Specific Integrated Circuits (ASICs), or one or more microprocessors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs), etc. For another example, when some of the above modules are implemented in the form of a Processing element scheduler code, the Processing element may be a general-purpose processor, such as a Central Processing Unit (CPU) or other processor that can call the program code. As another example, these modules may be integrated together and implemented in the form of a System-on-a-chip (SOC).
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, digital Subscriber Line (DSL)), or wireless (e.g., infrared, wireless, bluetooth, microwave, etc.).
EXAMPLE III
An embodiment of the present invention provides a computer server, as shown in fig. 4, including: a memory, a processor, and a transceiver;
the processor is used for being coupled with the memory, reading and executing the instruction in the memory, so as to realize any one of the vehicle-mounted CAN bus data anomaly detection methods provided by the first embodiment;
the transceiver is coupled to the processor, and the processor controls the transceiver to transmit and receive messages.
Example four
A fourth embodiment of the present invention provides a chip system, as shown in fig. 5, including a processor, where the processor is coupled to a memory, and the memory stores program instructions, and when the program instructions stored in the memory are executed by the processor, the method for detecting data abnormality of any vehicle-mounted CAN bus provided in the first embodiment of the present invention is implemented.
EXAMPLE five
An embodiment of the present invention provides a computer-readable storage medium, as shown in fig. 6, which includes a program or an instruction, and when the program or the instruction runs on a computer, the method for detecting data abnormality of any vehicle-mounted CAN bus provided in the embodiment one is implemented.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, a software module executed by a processor, or a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail, it should be understood that the above embodiments are merely exemplary embodiments of the present invention and are not intended to limit the scope of the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A vehicle-mounted CAN bus data abnormity detection method is characterized by comprising the following steps:
acquiring CAN bus data; the CAN bus data comprises a CAN ID and a digital domain;
coding the CAN ID and the digital domain to obtain a first CAN ID code and a first digital domain code;
inputting the first CAN ID code of the previous time period into the first model, and predicting to obtain a second CAN ID code;
training the first model according to the first CAN ID code and the second CAN ID code to obtain a trained first model;
inputting the first digital domain code of the previous time interval into a second model, and predicting to obtain a second digital domain code;
training the second model according to the first digital domain code and the second digital domain code to obtain a trained second model;
inputting a first CAN ID code corresponding to a CAN ID in the current CAN bus data into the trained first model to obtain a first output result, and inputting a first digital domain code corresponding to a digital domain length in the current CAN bus data into the trained second model to obtain a second output result;
and judging whether the CAN bus data is abnormal or not according to the first output result and the second output result.
2. The method of claim 1, wherein the encoding the CAN ID and the digital domain to obtain a first CAN ID code and a first digital domain code specifically comprises:
coding the CAN ID through single-hot coding to obtain a first CAN ID code;
and coding the digital domain through one-hot coding to obtain a first digital domain code.
3. The method according to claim 1, wherein the training of the first model according to the first CAN ID code and the second CAN ID code, and obtaining the trained first model specifically comprises:
predicting to obtain a next second CAN ID code according to the first CAN ID code in the previous time period;
taking the next second CAN ID code as a first CAN ID code, and continuously predicting to obtain the next second CAN ID code;
after each prediction, calculating the difference between the second CAN ID code and the true value through a loss function;
and when the difference tends to be converged, finishing the training of the first model to obtain the trained first model.
4. The method of claim 1, wherein the training the second model according to the first digital domain coding and the second digital domain coding, and obtaining the trained second model specifically comprises:
predicting to obtain a next second digital domain code according to the first digital domain code of the previous time interval;
taking the next second digital domain code as a first digital domain code, and continuing to predict to obtain the next second digital domain code;
after each prediction, calculating the difference between the obtained second digital domain code and the true value through a loss function;
and when the difference tends to be converged, finishing the training of the second model to obtain the trained second model.
5. The method of claim 1, wherein the inputting a first CAN ID code corresponding to a CAN ID in current CAN bus data into the trained first model to obtain a first output result, and the inputting a first digital domain code corresponding to a digital domain length in current CAN bus data into the trained second model to obtain a second output result specifically comprises:
acquiring current CAN bus data;
coding a CAN ID in current CAN bus data to obtain a first CAN ID code, and coding a digital domain in the current CAN bus data to obtain a digital domain code;
inputting the first CAN ID code into the trained first model, and predicting to obtain a plurality of second CAN ID codes; a plurality of second CAN ID codes as a first output result;
inputting the first digital domain codes into the trained second model, and predicting to obtain a plurality of second digital domain codes; a plurality of second digital domain codes are encoded as a second output result.
6. The method according to claim 5, wherein the determining whether the CAN bus data is abnormal according to the first output result and the second output result specifically comprises:
and when the first output result does not contain the next CAN ID real value code, and/or when the second output result does not contain the next digital domain real value code, the CAN bus data is abnormal.
7. An on-vehicle CAN bus data anomaly detection device, characterized in that the device includes:
the acquisition module is used for acquiring CAN bus data; the CAN bus data comprises a CAN ID and a digital domain;
the coding module is used for coding the CAN ID and the digital domain to obtain a first CAN ID code and a first digital domain code;
the first prediction module is used for inputting the first CAN ID code of the previous time period into a first model and predicting to obtain a second CAN ID code;
the first training module is used for training the first model according to the first CAN ID code and the second CAN ID code to obtain a trained first model;
the second prediction module is used for inputting the first digital domain code of the previous time period into a second model and predicting to obtain a second digital domain code;
the second training module is used for training the second model according to the first digital domain code and the second digital domain code to obtain a trained second model;
the input module is used for inputting a first CAN ID code corresponding to a CAN ID in the current CAN bus data into the trained first model to obtain a first output result, and inputting a second model after a first digital domain code corresponding to a digital domain length in the current CAN bus data into a sequence to obtain a second output result;
and the judging module is used for judging whether the CAN bus data is abnormal or not according to the first output result and the second output result.
8. A computer server, comprising: a memory, a processor, and a transceiver;
the processor is coupled with the memory, reads and executes the instructions in the memory to realize the on-vehicle CAN bus data anomaly detection method according to any one of claims 1 to 6;
the transceiver is coupled to the processor, and the processor controls the transceiver to transmit and receive messages.
9. A chip system comprising a processor coupled to a memory, the memory storing program instructions that, when executed by the processor, implement the on-board CAN bus data anomaly detection method of any of claims 1-6.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program, the computer program being executed by a processor to perform the on-vehicle CAN bus data abnormality detection method according to any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210868437.1A CN115204050A (en) | 2022-07-22 | 2022-07-22 | Vehicle-mounted CAN bus data abnormity detection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210868437.1A CN115204050A (en) | 2022-07-22 | 2022-07-22 | Vehicle-mounted CAN bus data abnormity detection method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115204050A true CN115204050A (en) | 2022-10-18 |
Family
ID=83583288
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210868437.1A Pending CN115204050A (en) | 2022-07-22 | 2022-07-22 | Vehicle-mounted CAN bus data abnormity detection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115204050A (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108390869A (en) * | 2018-02-08 | 2018-08-10 | 成都信息工程大学 | The vehicle intelligent gateway apparatus and its command sequence detection method of integrated deep learning |
| CN110098990A (en) * | 2019-05-07 | 2019-08-06 | 百度在线网络技术(北京)有限公司 | Safety protecting method, device, equipment and the storage medium of controller LAN |
| WO2020143379A1 (en) * | 2019-01-08 | 2020-07-16 | 阿里巴巴集团控股有限公司 | Abnormal data detection method and system |
| CN111835695A (en) * | 2019-04-23 | 2020-10-27 | 华东师范大学 | Vehicle-mounted CAN bus intrusion detection method based on deep learning |
| CN112070132A (en) * | 2020-08-25 | 2020-12-11 | 北京百度网讯科技有限公司 | Sample data construction method, device, equipment and medium |
| CN112491920A (en) * | 2020-12-07 | 2021-03-12 | 北京天融信网络安全技术有限公司 | Abnormity detection method and device for vehicle-mounted CAN bus |
| CN112785441A (en) * | 2020-04-20 | 2021-05-11 | 招商证券股份有限公司 | Data processing method and device, terminal equipment and storage medium |
-
2022
- 2022-07-22 CN CN202210868437.1A patent/CN115204050A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108390869A (en) * | 2018-02-08 | 2018-08-10 | 成都信息工程大学 | The vehicle intelligent gateway apparatus and its command sequence detection method of integrated deep learning |
| WO2020143379A1 (en) * | 2019-01-08 | 2020-07-16 | 阿里巴巴集团控股有限公司 | Abnormal data detection method and system |
| CN111835695A (en) * | 2019-04-23 | 2020-10-27 | 华东师范大学 | Vehicle-mounted CAN bus intrusion detection method based on deep learning |
| CN110098990A (en) * | 2019-05-07 | 2019-08-06 | 百度在线网络技术(北京)有限公司 | Safety protecting method, device, equipment and the storage medium of controller LAN |
| CN112785441A (en) * | 2020-04-20 | 2021-05-11 | 招商证券股份有限公司 | Data processing method and device, terminal equipment and storage medium |
| CN112070132A (en) * | 2020-08-25 | 2020-12-11 | 北京百度网讯科技有限公司 | Sample data construction method, device, equipment and medium |
| CN112491920A (en) * | 2020-12-07 | 2021-03-12 | 北京天融信网络安全技术有限公司 | Abnormity detection method and device for vehicle-mounted CAN bus |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10911182B2 (en) | In-vehicle information processing for unauthorized data | |
| CN110177108B (en) | Abnormal behavior detection method, device and verification system | |
| US10343630B2 (en) | Monitoring method and apparatus | |
| JP2018182724A5 (en) | ||
| Kuwahara et al. | Supervised and unsupervised intrusion detection based on CAN message frequencies for in-vehicle network | |
| US20210326677A1 (en) | Determination device, determination program, determination method and method of generating neural network model | |
| CN111447173A (en) | Device and method for classifying data of controller area network or automobile Ethernet | |
| CN111970229A (en) | CAN bus data anomaly detection method aiming at multiple attack modes | |
| CN114157469B (en) | Vehicle-mounted network variant attack intrusion detection method based on domain antagonism neural network | |
| CN114900331A (en) | Vehicle-mounted CAN bus intrusion detection method based on CAN message characteristics | |
| CN110868313A (en) | Inspection method, related device and readable storage medium | |
| CN111447166B (en) | Vehicle attack detection method and device | |
| CN113625681B (en) | CAN bus abnormality detection method, system and storage medium | |
| CN111866017B (en) | Method and device for detecting abnormal frame interval of CAN bus | |
| CN115204050A (en) | Vehicle-mounted CAN bus data abnormity detection method and device | |
| CN108292125B (en) | Method and device for influencing vehicle characteristics | |
| CN114157486B (en) | Communication flow data abnormity detection method and device, electronic equipment and storage medium | |
| CN115766092A (en) | CAN network intrusion detection method, device and storage medium | |
| CN114172686A (en) | Vehicle-mounted CAN bus message intrusion detection method and related equipment | |
| CN115774837A (en) | Signal verification method, device, equipment, medium, program product and vehicle | |
| CN115664788A (en) | Communication data hijacking monitoring method and system, storage medium and electronic equipment | |
| CN113746705B (en) | Penetration test method and device, electronic equipment and storage medium | |
| CN116915514B (en) | Intrusion detection method and device based on bidirectional time convolution network and intelligent automobile | |
| CN115168221A (en) | Abnormal remote instruction detection method and device | |
| CN117041121B (en) | Internet of Things anomaly monitoring method and system based on data mining |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |