CN115226104B - UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium - Google Patents

UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium Download PDF

Info

Publication number
CN115226104B
CN115226104B CN202210405402.4A CN202210405402A CN115226104B CN 115226104 B CN115226104 B CN 115226104B CN 202210405402 A CN202210405402 A CN 202210405402A CN 115226104 B CN115226104 B CN 115226104B
Authority
CN
China
Prior art keywords
message information
service request
intrusion detection
preset
vehicle
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210405402.4A
Other languages
Chinese (zh)
Other versions
CN115226104A (en
Inventor
罗浩
张金池
石笑生
王娜
林慧雯
朱建新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Automobile Group Co Ltd
Original Assignee
Guangzhou Automobile Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Automobile Group Co Ltd filed Critical Guangzhou Automobile Group Co Ltd
Priority to CN202210405402.4A priority Critical patent/CN115226104B/en
Publication of CN115226104A publication Critical patent/CN115226104A/en
Application granted granted Critical
Publication of CN115226104B publication Critical patent/CN115226104B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/40Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Alarm Systems (AREA)

Abstract

The application discloses an intrusion detection method, an intrusion detection device, a vehicle and a storage medium based on UDS, wherein the intrusion detection method based on UDS comprises the steps of receiving a diagnosis service request sent by terminal equipment; acquiring message information in a diagnosis service request; when the message information is determined to accord with the preset condition, generating a count value corresponding to the diagnosis service request; and when the count value is greater than or equal to a preset threshold value, determining that the vehicle is invaded. The method determines whether the vehicle is invaded according to the message information in the diagnosis service request sent by the terminal equipment, so that a user can conveniently process the vehicle when the vehicle is invaded, and the potential safety hazard of the vehicle is reduced.

Description

UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium
Technical Field
The present application relates to the field of vehicle communications technologies, and in particular, to an intrusion detection method, an intrusion detection device, a vehicle, and a storage medium that are assisted with UDS.
Background
With the rapid development of the internet of vehicles technology, the internet of vehicles information security problem also gets more and more attention. In the face of increasingly complex and diversified information security problems, the requirement of vehicle network security cannot be met only by relying on the traditional defense technology, so that relevant intrusion detection systems are required to be arranged in vehicles to monitor various intrusion events.
Among them, UDS (Unified Diagnostic Services, unified diagnostic service) is a key service of a vehicle, which can guarantee a configuration changing function, a fault reading function, etc. of the vehicle, and the diagnostic service often has very high operation authority, and once the diagnostic service is maliciously destroyed, the safety of the vehicle is seriously affected. At present, the intrusion detection means for UDS is blank, so that potential safety hazards of vehicles are increased.
Disclosure of Invention
In view of the above, the present application proposes a UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium, to overcome or at least partially solve the above problems of the prior art.
In a first aspect, an embodiment of the present application provides an intrusion detection method based on UDS, including: receiving a diagnosis service request sent by a terminal device; acquiring message information in a diagnosis service request; when the message information is determined to accord with the preset condition, generating a count value corresponding to the diagnosis service request; and when the count value is greater than or equal to a preset threshold value, determining that the vehicle is invaded.
In a second aspect, an embodiment of the present application provides an intrusion detection device based on UDS, including a receiving module, an obtaining module, a count generating module, and an intrusion determining module. The receiving module is used for receiving the diagnosis service request sent by the terminal equipment; the acquisition module is used for acquiring the message information in the diagnosis service request; the counting generation module is used for generating a counting value corresponding to the diagnosis service request when the message information is determined to accord with the preset condition; and the intrusion determination module is used for determining that the vehicle is intruded when the count value is greater than or equal to a preset threshold value.
In a third aspect, embodiments of the present application provide a vehicle, including: a memory; one or more processors coupled to the memory; one or more applications, wherein the one or more applications are stored in memory and configured to be executed by the one or more processors, the one or more applications configured to perform the UDS-based intrusion detection method as provided in the first aspect above.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having program code stored therein, the program code being executable by a processor to invoke the UDS-based intrusion detection method as provided in the first aspect above.
According to the scheme, the diagnosis service request sent by the terminal equipment is received, the message information in the diagnosis service request is obtained, when the message information is determined to meet the preset condition, the count value corresponding to the diagnosis service request is generated, and when the count value is greater than or equal to the preset threshold value, the vehicle is determined to be invaded, so that whether the vehicle is invaded or not is determined according to the message information in the diagnosis service request sent by the terminal equipment, the vehicle is conveniently processed when the vehicle is invaded by a user, and the potential safety hazard of the vehicle is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 shows a schematic view of a scenario of an intrusion detection system according to an embodiment of the present application.
Fig. 2 is a schematic flow chart of an intrusion detection method based on UDS according to an embodiment of the present application.
Fig. 3 is a schematic flow chart of another intrusion detection method based on UDS according to an embodiment of the present application.
Fig. 4 is a schematic flow chart of yet another intrusion detection method based on UDS according to an embodiment of the present application.
Fig. 5 shows a block diagram of a structure of an intrusion detection device based on UDS according to an embodiment of the present application.
Fig. 6 shows a functional block diagram of a vehicle provided in an embodiment of the present application.
Fig. 7 illustrates a computer readable storage medium provided by an embodiment of the present application for storing or carrying program code for implementing a UDS-based intrusion detection method provided according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are exemplary only for the purpose of explaining the present application and are not to be construed as limiting the present application.
The following disclosure provides many different embodiments or examples for implementing different structures of the present application. In order to simplify the disclosure of the present application, the components and arrangements of specific examples are described below. Of course, they are merely examples and are not intended to limit the present application. Furthermore, the present application may repeat reference numerals and/or letters in the various examples, which are for the purpose of brevity and clarity, and which do not in themselves indicate the relationship between the various embodiments and/or arrangements discussed.
With the rapid development of the internet of vehicles technology, the internet of vehicles information security problem also gets more and more attention. In the face of increasingly complex and diversified information security problems, the requirement of vehicle network security cannot be met only by relying on the traditional defense technology, so that relevant intrusion detection systems are required to be arranged in vehicles to monitor various intrusion events.
The UDS (Unified Diagnostic Services, unified diagnostic service) is used as a key service of the vehicle, so that a configuration change function, a fault reading function and the like of the vehicle can be guaranteed, the UDS protocol is an application layer protocol mainly used by automobile manufacturers and related to diagnosis at present, external equipment can temporarily acquire related rights and read and change related information of an electronic control unit (Electronic Control Unit, electronic Control Unit (ECU) in the vehicle, and an intruder can forge a malicious message by using the UDS protocol so as to read or tamper with key information in the ECU, so that corresponding vehicle information security events are caused.
However, since the vehicle information safety starts later, the international society has come to pay attention to the protection of the vehicle information safety in recent years, and the monitoring of the vehicle information safety event is still in the starting stage. At present, the intrusion detection means for UDS is blank, so that potential safety hazards of vehicles are increased.
Aiming at the problems, the inventor researches and puts forward the UDS-based intrusion detection method, the intrusion detection device, the vehicle and the storage medium for a long time, so that whether the vehicle is intruded or not is determined according to message information in a diagnosis service request sent by the terminal equipment, and the user can conveniently process the vehicle when the vehicle is intruded, and the potential safety hazard of the vehicle is reduced.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 1, an application scenario schematic diagram of an intrusion detection system provided in an embodiment of the present application may include a terminal device 100 and a vehicle 200, where the terminal device 100 may be connected to the vehicle 200 through a vehicle network and perform data interaction with the vehicle 200. The terminal device 100 may be configured to transmit a diagnostic service request to the vehicle 200, and the vehicle 200 may be configured to receive the diagnostic service request from the terminal device 100 and determine whether the vehicle 200 is intruded according to the diagnostic service request, so as to implement intrusion detection on the vehicle.
The Internet of vehicles is a large system network which is based on an in-vehicle network, an inter-vehicle network and a vehicle-mounted mobile Internet and performs wireless communication and information interaction among vehicles, roads, vehicles, people, the vehicle-Internet and the like according to agreed communication protocols and data interaction standards, and is an integrated network capable of realizing intelligent traffic management, intelligent dynamic information service and intelligent vehicle control. The internet of vehicles may include mobile communication networks (e.g., 5G networks, 4G networks, etc.), wireless wide area networks (Wireless Wide Area Network, WWAN), controller area networks (Controller Area Network, CAN), bluetooth networks, infrared networks, digital living network alliance (Digital Living Network Alliance, DLNA) networks, wireless local area networks (Wireless Local Area Network, WLAN), wireless metropolitan area networks (Wireless Metropolitan Area Network, WMAN), and wireless personal area networks (Wireless Personal Area Network, WPAN), etc., without limitation herein.
Terminal device 100 may include, without limitation, mobile terminals (e.g., cell phone, palm top (Personal Digital Assistant, PDA), tablet (Tablet Personal Computer, tablet PC) notebook, smart watch, smart bracelet, etc.), and stationary terminals (e.g., desktop computer, smart control panel, etc.), among others.
The vehicle 200 may include an electric vehicle (e.g., an electric vehicle, an electric battery vehicle, etc.), a hybrid vehicle (e.g., a hybrid electric vehicle (Hybrid Electric Vehicle, HEV)), a fuel-oil vehicle, a gas vehicle, etc., without limitation herein.
In some embodiments, the vehicle 200 may include a frame 210 and an intrusion detection module 220, the intrusion detection module 220 may be mounted to the frame 210, and the frame 210 may provide mounting support for the intrusion detection module 220.
The terminal device 100 may be connected to the intrusion detection module 220 through the internet of vehicles and perform data interaction with the intrusion detection module 220. The terminal device 100 may be configured to send a diagnostic service request to the intrusion detection module 220, and the intrusion detection module 220 may be configured to receive the diagnostic service request sent by the terminal device 100 and determine whether the vehicle 200 is intruded according to the diagnostic service request.
Referring to fig. 2, a flowchart of a method for detecting intrusion based on UDS according to an embodiment of the present application is shown. In a specific embodiment, the intrusion detection method based on UDS may be applied to the intrusion detection module 220 in the intrusion detection system shown in fig. 1, and the flow shown in fig. 2 will be described in detail below by taking the intrusion detection module 220 as an example, and the intrusion detection method based on UDS may include the following steps S110 to S140.
Step S110: and receiving a diagnosis service request sent by the terminal equipment.
In the embodiment of the application, the diagnostic service request may be a service request type based on the UDS protocol and adopting a request-response interaction manner for communication. In order to realize intrusion detection of vehicles, the terminal device can send a diagnosis service request to the intrusion detection module through the Internet of vehicles, and the intrusion detection module receives the diagnosis service request sent by the terminal device through the Internet of vehicles. The internet of vehicles may include, but is not limited to, mobile communication networks (e.g., 5G networks, 4G networks, etc.), wireless wide area networks (Wireless Wide Area Network, WWAN), controller area networks (Controller Area Network, CAN networks), bluetooth networks, infrared networks, digital living network alliance (Digital Living Network Alliance, DLNA) networks, wireless local area networks (Wireless Local Area Network, WLAN), wireless metropolitan area networks (Wireless Metropolitan Area Network, WMAN), and wireless personal area networks (Wireless Personal Area Network, WPAN), among others.
In some embodiments, the internet of vehicles may be a 5G network, and the terminal device may be connected to the intrusion detection module through the 5G network and perform data interaction with the intrusion detection module. The terminal device can send the diagnosis service request to the intrusion detection module through the 5G network, and the intrusion detection module receives the diagnosis service request sent by the terminal device through the 5G network.
In some embodiments, the internet of vehicles may be a CAN network, and the terminal device may be connected to the intrusion detection module through a CAN bus, and perform data interaction with the intrusion detection module. The terminal equipment CAN send a diagnosis service request to the intrusion detection module through the CAN network, and the intrusion detection module receives the diagnosis service request sent by the terminal equipment through the CAN network.
Step S120: and acquiring message information in the diagnosis service request.
In the embodiment of the application, after receiving the diagnostic service request sent by the terminal device, the intrusion detection module may analyze the diagnostic service request to obtain the message information in the diagnostic service request. The message information may include at least any one of UDS message information and application message.
In some embodiments, after the intrusion detection receives the diagnostic service request sent by the terminal device, the diagnostic service request may be decoded, to obtain decoding information, and the decoding information is used as message information in the diagnostic service request.
In some embodiments, the intrusion detection module stores a trained deep learning network model in advance, after receiving a diagnostic service request sent by the terminal device, the intrusion detection module may input the diagnostic service request into the deep learning network model, the deep learning network model receives and responds to the diagnostic service request, and outputs message information in the diagnostic service request, and the intrusion detection module receives the message information output by the deep learning network model.
The deep learning network model may be a convolutional neural network (Convolutional Neural Networks, CNN) model, a deep belief network (Deep Belief Networks, DBN) model, a stack self-coding network (Stacked Auto Encoder Networks, SAE) model, a cyclic neural network (Recurrent Neural Networks, RNN) model, a deep neural network (Deep Neural Networks, DNN) model, a Long Short-Term Memory (LSTM) network model, or a threshold cyclic unit (Gated Recurring Units, GRU) model, which is not limited to the type of the deep learning network model, and may be specifically set according to actual requirements.
In some embodiments, after the intrusion detection module obtains the message information in the diagnostic service request, the intrusion detection module may identify the message information, obtain an identification result, and determine, according to the identification result, whether the message information in the diagnostic service request is obtained meets a preset condition. The preset condition may be that the message information is UDS message information and application message information, or that a service identifier (Service Identifier, SID) of the message information is a preset SID, etc.
When the intrusion detection module identifies the message information to obtain a result for representing that the message information is UDS message information and application message information, determining that the message information in the acquired diagnostic service request accords with a preset condition; when the intrusion detection module identifies the message information to obtain a result used for representing that the message information is not UDS message information and application message information, determining that the message information in the acquired diagnostic service request does not accord with a preset condition.
When the intrusion detection module identifies the message information to obtain a result that the SID used for representing the message information is a preset SID, determining that the message information in the acquired diagnostic service request accords with a preset condition; when the intrusion detection module identifies the message information to obtain a result that the SID used for representing the message information is a non-preset SID, the message information obtained from the diagnostic service request is determined to be not in accordance with a preset condition.
As an implementation manner, the intrusion detection module may perform preset keyword recognition on the message information, and when obtaining that the message information includes a recognition result of the preset keyword, determine that the message information is UDS message information and application message information, and determine that the message information obtained from the diagnostic service request meets a preset condition; when the message information does not comprise the identification result of the preset keyword, determining that the message information is not UDS message information and application message information, and determining that the message information in the acquired diagnosis service request does not accord with the preset condition. The preset keywords can be used for representing that the message information is the keywords of the UDS message information and the application message information.
As an implementation manner, the intrusion detection module may perform SID identification on the message information to obtain a SID value, and when the SID value is equal to the preset SID value, determine that the SID is the preset SID, and determine that the message information in the acquired diagnostic service request meets a preset condition; when the SID value is not equal to the preset SID value, determining that the SID is not the preset SID, and determining that the message information in the diagnostic service request does not accord with the preset condition.
For example, the preset SID value may be 10, and when the acquired sid=10 (indicating that the diagnostic access request is a session diagnostic session service request), the SID is determined to be the preset SID, and the message information in the acquired diagnostic service request is determined to meet the preset condition; when the acquired SID is not equal to 10, determining that the SID is not the preset SID, and determining that the message information in the acquired diagnostic service request does not accord with the preset condition. The preset SID value may be 27, and when the acquired sid=27 (indicating that the diagnostic access request is a session security access service request), determining that the SID is the preset SID, and determining that the message information in the acquired diagnostic service request meets a preset condition; when the acquired SID is not equal to 27, determining that the SID is not the preset SID, and determining that the message information in the acquired diagnostic service request does not accord with the preset condition. The value of the preset SID is not limited herein, and may specifically be set according to actual requirements.
Step S130: and when the message information is determined to accord with the preset condition, generating a count value corresponding to the diagnosis service request.
In this embodiment of the present application, when the intrusion detection module determines that the message information meets a preset condition, a count value corresponding to the diagnostic service request may be generated, so as to determine whether the vehicle is intruded according to the count value. When the count value is greater than or equal to a preset threshold value, determining that the vehicle is invaded; when the count value is smaller than the preset threshold value, the vehicle is determined not to be invaded. The preset threshold may be a preset value set by a user, or may be an adjustment value dynamically adjusted by the intrusion detection module according to the intrusion detected by the vehicle, which is not limited herein.
In some embodiments, when the message information is UDS message information and application message information, the intrusion detection module determines that the message information meets a preset condition, a first count value corresponding to the diagnostic service request may be generated.
In some embodiments, when the SID of the message information is a preset SID and the intrusion detection module determines that the message information meets a preset condition, a second count value corresponding to the diagnostic service request may be generated.
Step S140: and when the count value is greater than or equal to a preset threshold value, determining that the vehicle is invaded.
In the embodiment of the application, after the count value corresponding to the diagnosis service request is generated, the intrusion detection module can determine that the vehicle is intruded when the count value is greater than or equal to the preset threshold value, so that whether the vehicle is intruded or not is determined according to the message information in the diagnosis service request sent by the terminal equipment, the user can conveniently process the vehicle when the vehicle is intruded, and the potential safety hazard of the vehicle is reduced.
The intrusion may include a first preset pattern intrusion, a second preset pattern intrusion, and a third preset pattern intrusion. The intrusion of the first preset mode represents intrusion that a large number of diagnosis messages are sent out by an intrusion detection module based on a UDS protocol to carry out denial of service (Denial of Service, doS) attack, so that the ECU always responds to the diagnosis request and further influences the normal operation of the service; the second preset mode intrusion represents an intrusion that initiates a diagnostic Session (Session) attack, heuristically enters a factory custom diagnostic Session through a diagnostic Session service with SID of 10; the third preset mode intrusion means that a security algorithm cracking attack is initiated, diagnostic messages of security access service with SID of 27 are recorded continuously, and the intrusion of the security algorithm is reversed based on the response messages.
In some embodiments, the intrusion detection system may further include a designated client associated with the user, the designated client being connected to the intrusion detection module via the internet of vehicles and being in data interaction with the intrusion detection module. When the count value is greater than or equal to a preset threshold value, the intrusion detection module can determine that the vehicle is intruded, generate corresponding prompt information, send the prompt information to the appointed client through the Internet of vehicles, and the user can process the intrusion behavior of the vehicle according to the prompt information received by the appointed client, so that the intrusion behavior of the vehicle can be timely processed, serious damage to the vehicle caused by the intrusion behavior is avoided, and potential safety hazards of the vehicle are reduced.
The specified clients may include mobile clients (e.g., cell phones, PDAs, tablet computers, notebook computers, smartwatches, smartbands, etc.), and fixed clients (e.g., smartcontrol panels, desktop computers, etc.), among others, without limitation.
According to the scheme, the diagnosis service request sent by the terminal equipment is received, the message information in the diagnosis service request is obtained, when the message information is determined to meet the preset condition, the count value corresponding to the diagnosis service request is generated, and when the count value is greater than or equal to the preset threshold value, the vehicle is determined to be invaded, so that whether the vehicle is invaded or not is determined according to the message information in the diagnosis service request sent by the terminal equipment, the vehicle is conveniently processed when the vehicle is invaded by a user, and the potential safety hazard of the vehicle is reduced.
Referring to fig. 3, a flowchart of a method for detecting intrusion based on UDS according to another embodiment of the present application is shown. In a specific embodiment, the intrusion detection method based on UDS may be applied to the intrusion detection module 220 in the intrusion detection system shown in fig. 1, and the flow shown in fig. 3 will be described in detail below by taking the intrusion detection module 220 as an example, and the intrusion detection method based on UDS may include the following steps S210 to S250.
Step S210: and receiving a diagnosis service request sent by the terminal equipment.
Step S220: and acquiring message information in the diagnosis service request.
In this embodiment, the step S210 and the step S220 may refer to the content of the corresponding steps in the foregoing embodiments, which is not described herein.
Step S230: and when the message information is UDS message information and application message information, calculating the bus load rate of the message information.
In this embodiment, when the message information is UDS message information and application message information, the intrusion detection module may calculate a bus load rate of the message information, where the bus load rate is used to characterize a duty ratio of an actual transmission message in a theoretical transmission message. Specifically, when the message information is UDS message information and application message information, the intrusion detection module may calculate a ratio of the data size to the receiving duration according to the data size and the receiving duration of the received message information, obtain a transmission rate corresponding to the message information, calculate a ratio of the transmission rate to a preset transmission rate, and use the ratio as a bus load rate corresponding to the message information, where the transmission rate may be used to characterize the byte number of the message information transmitted in the unit duration.
For example, the preset transmission rate may be 1000 bits per second (bps), and the transmission rate of the message information may be 800bps, so that the bus load rate of the message is 80%. The preset transmission rate may be 1200bps, and the transmission rate of the message information may be 600bps, so that the bus load rate of the message is 50%. The value of the preset transmission rate is not limited herein, and may be specifically set according to actual requirements.
Step S240: and generating a count value corresponding to the diagnosis service request according to the bus load rate.
In this embodiment, after calculating the bus load rate of the message information, the intrusion detection module may generate a count value corresponding to the diagnostic service request according to the bus load rate. Specifically, after calculating the bus load rate of the message information, the intrusion detection module may record a duration value that the bus load rate is greater than or equal to the load rate threshold, and use the duration value as a count value corresponding to the diagnostic service request. The load factor threshold is the lowest required value of the bus load factor of the message information when the vehicle is invaded by the first preset mode, and the load threshold can be a preset value preset by a user, or can be an adjustment value dynamically adjusted by the invasion detection module according to the detected invasion of the first preset mode, and the like, and is not limited herein.
In some embodiments, after recording the duration value that the bus load rate is greater than or equal to the load rate threshold, the intrusion detection module may determine whether the vehicle is intruded by the first preset mode according to the duration value and the duration threshold. When the duration value is greater than or equal to the duration threshold value, determining that the vehicle is invaded by a first preset mode; and when the duration value is smaller than the duration threshold value, determining that the vehicle is not invaded by the first preset mode.
For example, the duration threshold may be 3 seconds(s), and when the intrusion detection module records that the bus load rate is greater than or equal to the duration value of the load rate threshold is greater than or equal to 3 seconds, determining that the vehicle is intruded by the first preset mode; and when the intrusion detection module records that the bus load rate is greater than or equal to the duration value of the load rate threshold value and is smaller than 3s, determining that the vehicle is not intruded by the first preset mode. The duration threshold may also be 5s or 10s, which is not limited herein, and may be specifically set according to actual requirements.
Step S250: and when the duration value is greater than or equal to the duration threshold value, determining that the vehicle is invaded by the first preset mode.
In this embodiment, when the duration value is greater than or equal to the duration threshold, the intrusion detection module may determine that the vehicle is intruded by the first preset mode, generate the storage denial of service attack information (DoS attack happen information), and clear the duration value by 0, so as to facilitate the user to trace back the intrusion record, and improve the user experience.
In some embodiments, the intrusion detection system may further include a local memory coupled to the intrusion detection module and in data interaction with the intrusion detection module. When the duration value is greater than or equal to the duration threshold, the intrusion detection module may determine that the vehicle is being intruded by the first predetermined pattern and generate DoS attack happen information and send DoS attack happen information to the local memory, which receives and stores DoS attack happen the information.
In some embodiments, the intrusion detection system may further include a server connected to the intrusion detection module through the internet of vehicles and performing data interaction with the intrusion detection module, and the server is provided with a network memory. When the duration value is greater than or equal to the duration threshold, the intrusion detection module may determine that the vehicle is intruded by the first preset mode, generate DoS attack happen information, send DoS attack happen information to a server via the internet of vehicles, and the server receives and responds DoS attack happen information and stores DoS attack happen information to the network memory.
The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), basic cloud computing services such as big data and artificial intelligent platforms, and the like.
According to the scheme provided by the embodiment, the diagnosis service request sent by the terminal equipment is received, the message information in the diagnosis service request is obtained, when the message information is UDS message information and application message information, the bus load rate of the message information is calculated, the count value corresponding to the diagnosis service request is generated according to the bus load rate, and when the time length value is greater than or equal to the time length threshold value, the vehicle is determined to be invaded by the first preset mode, so that whether the vehicle is invaded by the first preset mode or not is determined according to the message information in the diagnosis service request sent by the terminal equipment, and the vehicle is conveniently processed by a user when the vehicle is invaded by the first preset mode, and the potential safety hazard of the vehicle is reduced.
Referring to fig. 4, a flowchart of a method for detecting intrusion based on UDS according to still another embodiment of the present application is shown. In a specific embodiment, the intrusion detection method based on UDS may be applied to the intrusion detection module 220 in the intrusion detection system shown in fig. 1, and the flow shown in fig. 4 will be described in detail below by taking the intrusion detection module 220 as an example, and the intrusion detection method based on UDS may include the following steps S310 to S350.
Step S310: and receiving a diagnosis service request sent by the terminal equipment.
Step S320: and acquiring message information in the diagnosis service request.
In this embodiment, the step S310 and the step S320 may refer to the content of the corresponding steps in the foregoing embodiments, which is not described herein.
Step S330: and when the service identifier of the message information is a preset service identifier, acquiring the sub-function identifier of the message information.
In this embodiment, when the SID of the message information is a preset SID, the intrusion detection module may parse the message information to obtain a Sub-Function (SF) identifier of the message information.
Step S340: and generating a count value corresponding to the diagnosis service request according to the sub-function identification.
In this embodiment, after acquiring the SF identifier of the message information, the intrusion detection module may calculate an attack value corresponding to the diagnostic service request according to the SF identifier, and generate the attack value as a count value corresponding to the diagnostic service request. Specifically, after the intrusion detection module obtains the SF identifier of the message information, it can determine whether the SF identifier is a preset SF identifier, and calculate an attack value corresponding to the diagnostic service request according to a corresponding determination result. When the SF mark is determined to be the preset SF mark, adding 1 to an attack value corresponding to the diagnosis service request; and when the SF is determined to be a non-preset SF mark, setting an attack value corresponding to the diagnosis service request to 0. The attack value comprises a session attack value and a cracking attack value, wherein the session attack value is used for representing the attack value under the diagnosis session service request, and the cracking attack value is used for representing the attack value under the security access request.
For example, when the preset SID is 10, the preset SF identifier may be a normal type session identifier, for example, preset sf=01 (for characterizing a default session function), preset sf=02 (for characterizing a programming session function), or preset sf=03 (for extending a diagnostic session function), when the SID of the message information is a preset SID (i.e., sid=10, indicating that the diagnostic service request is a diagnostic session service request). When the intrusion detection module determines that the SF is any one of 01, 02 or 03, namely the SF mark is determined to be a preset SF mark, the session attack value can be increased by 1; the intrusion detection module may set the session attack value to 0 when determining that the SF is not any of 01, 02 or 03, that is, determining that the SF identifier is a non-preset SF identifier.
When the SID of the message information is the preset SID (i.e., sid=27, indicating that the diagnostic service request is a security access service request), the preset SF identifier may be an identifier of the seed calculated for the request-to-send security algorithm, for example, preset sf=01 (seed is requested for I-level security access), or sf=03 (seed is requested for II-level security access). When the intrusion detection module determines that the SF is 01 or 03, namely the SF identifier is determined to be a preset SF identifier, the cracking attack value can be increased by 1; when the intrusion detection module determines that the SF is not 01 or 03, that is, determines that the SF identifier is a non-preset SF identifier, the cracking attack value may be set to 0.
In some embodiments, the intrusion detection module may determine whether the vehicle is intruded according to the attack value and the attack threshold after calculating the attack value corresponding to the diagnostic service request according to the SF identifier. When the attack value is greater than or equal to the attack threshold value, determining that the vehicle is invaded; when the attack value is less than the attack threshold, it is determined that the vehicle is not being intruded.
Step S350: and when the attack value is greater than or equal to the attack threshold value, determining that the vehicle is invaded.
In this embodiment, the attack value may include a session attack value and a hack attack value, and the preset SID may include a diagnostic session service identifier (sid=10) and a security access service identifier (sid=27). The intrusion may include a second preset pattern intrusion corresponding to a diagnostic session service identification and a third preset pattern intrusion corresponding to a secure access service identification.
In some embodiments, the preset service identifier may be a diagnostic session service identifier, the attack value may be a session attack value, and when the session attack value is greater than or equal to the session attack threshold, the intrusion detection module may determine that the vehicle is intruded by the second preset mode, generate session attack information (Session attack happen information), store Session attack happen information to the local memory, or/and, a network memory of the server, and clear the session attack value to 0.
For example, the session attack threshold may be 3, and when the session attack value is greater than or equal to 3, which indicates that the session request for continuous access to the irregular type exceeds 3 times, the intrusion detection module may determine that the vehicle is intruded by the second preset pattern. The value of the session attack threshold is not limited herein, and may be specifically set according to actual requirements.
In some embodiments, the preset service identifier may be a secure access service identifier, the attack value may be a hack attack value, and when the hack attack value is greater than or equal to a hack attack threshold, the intrusion detection module may determine that the vehicle is intruded by a third preset mode, generate hack attack information (Brute force attack happen information), store Brute force attack happen information to a local memory, or/and a network memory of the server, and clear the hack attack value to 0.
For example, the cracking attack threshold may be 5, and when the cracking attack value is greater than or equal to 5, which indicates that the continuous request is sent for the security algorithm seed more than 5 times, the intrusion detection module may determine that the vehicle is intruded by the third preset mode. The value of the cracking attack threshold is not limited here, and may be specifically set according to actual requirements.
According to the scheme provided by the embodiment, the diagnostic service request sent by the terminal equipment is received, the message information in the diagnostic service request is obtained, the sub-function identification of the message information is obtained when the service identification of the message information is the preset service identification, the count value corresponding to the diagnostic service request is generated according to the sub-function identification, and the vehicle is determined to be invaded when the attack value is greater than or equal to the attack threshold value, so that whether the vehicle is invaded or not is determined according to the service identification of the message information and the sub-function identification, the vehicle is conveniently processed when the vehicle is invaded by a user, and the potential safety hazard of the vehicle is reduced.
Referring to fig. 5, which illustrates a UDS-based intrusion detection apparatus 400 according to an embodiment of the present application, the UDS-based intrusion detection apparatus 400 may be applied to the intrusion detection module 220 in the intrusion detection system shown in fig. 1, and hereinafter, the UDS-based intrusion detection apparatus 400 shown in fig. 5 will be described in detail by taking the intrusion detection module 220 as an example, and the UDS-based intrusion detection apparatus 400 may include a receiving module 410, an obtaining module 420, a count generating module 430, and an intrusion determining module 440.
The receiving module 410 may be configured to receive a diagnostic service request sent by a terminal device; the obtaining module 420 may be configured to obtain message information in the diagnostic service request; the count generation module 430 may be configured to generate a count value corresponding to the diagnostic service request when it is determined that the message information meets a preset condition; the intrusion determination module 440 may be configured to determine that the vehicle is intruded when the count value is greater than or equal to a preset threshold.
In some implementations, the UDS-based intrusion detection device 400 may further include a first determination module and a second determination module.
The first determining module may be configured to determine, when it is determined that the message information meets the preset condition, whether the message information meets the preset condition before the count generating module 430 generates the count value corresponding to the diagnostic service request; the second determining module may be configured to determine that the message information meets a preset condition when the message information is UDS message information and application message information.
In some implementations, the count generation module 430 may include a calculation unit and a first generation unit.
The calculating unit can be used for calculating the bus load rate of the message information when the message information is UDS message information and application message information; the first generating unit may be configured to generate a count value corresponding to the diagnostic service request according to the bus load rate.
In some embodiments, the computing unit may include an acquisition subunit and a first computing subunit.
The obtaining subunit may be configured to obtain, when the message information is UDS message information and application message information, a transmission rate corresponding to the message information, where the transmission rate is used to characterize a byte number of the message information transmitted in a unit duration; the first calculating subunit may be configured to calculate a ratio of the transmission rate to a preset transmission rate, and obtain a bus load rate corresponding to the message information.
In some embodiments, the first generation unit may include a recording subunit.
The recording subunit may be configured to record, as the count value corresponding to the diagnostic service request, a duration value that the bus load rate is greater than or equal to the load rate threshold.
In some implementations, the intrusion determination module 440 may include a first determination unit.
The first determining unit may be configured to determine that the vehicle is invaded by the first preset mode when the duration value is greater than or equal to the duration threshold.
In some implementations, the UDS-based intrusion detection device 400 may further include a third determination module and a fourth determination module.
The third determining module may be configured to determine, when it is determined that the message information meets the preset condition, whether the message information meets the preset condition before the count generating module 430 generates the count value corresponding to the diagnostic service request; the fourth determining module may be configured to determine that the message information meets a preset condition when the service identifier of the message information is a preset service identifier.
In some embodiments, the count generation module 430 may further include an acquisition unit and a second generation unit.
The obtaining unit may be configured to obtain a sub-function identifier of the message information when the service identifier of the message information is a preset service identifier; the second generating unit may be configured to generate a count value corresponding to the diagnostic service request according to the sub-function identifier.
In some embodiments, the second generation unit may include a second calculation subunit, a first execution subunit, a second execution subunit, and a generation subunit.
The second calculating subunit may be configured to calculate an attack value corresponding to the diagnostic service request according to the sub-function identifier; the first execution subunit may be configured to add 1 to an attack value corresponding to the diagnostic service request when the sub-function identifier is a preset sub-function identifier; the second execution subunit may be configured to set an attack value corresponding to the diagnostic service request to 0 when the sub-function identifier is not a preset sub-function identifier; the generating subunit may be configured to generate the attack value as a count value corresponding to the diagnostic service request.
In some embodiments, the preset service identifier is a diagnostic session service identifier, the attack value is a session attack value, and the intrusion determination module 440 may further include a second determination unit.
The second determining unit may be configured to determine that the vehicle is invaded by a second preset pattern when the session attack value is greater than or equal to the session attack threshold.
In some embodiments, the preset service identifier is a secure access service identifier, the attack value is a hack attack value, and the intrusion determination module 440 may further include a third determination unit.
The third determining unit may be configured to determine that the vehicle is invaded by a third preset mode when the cracking attack value is greater than or equal to the cracking attack threshold value.
In some implementations, the UDS-based intrusion detection device 400 may also include an information generation module.
The information generating module may be configured to generate and send a prompt message to the designated client after the intrusion determining module 440 determines that the vehicle is intruded when the count value is greater than or equal to the preset threshold, so that the user processes the intrusion behavior suffered by the vehicle according to the prompt message.
According to the scheme, the diagnosis service request sent by the terminal equipment is received, the message information in the diagnosis service request is obtained, when the message information is determined to meet the preset condition, the count value corresponding to the diagnosis service request is generated, and when the count value is greater than or equal to the preset threshold value, the vehicle is determined to be invaded, so that whether the vehicle is invaded or not is determined according to the message information in the diagnosis service request sent by the terminal equipment, the vehicle is conveniently processed when the vehicle is invaded by a user, and the potential safety hazard of the vehicle is reduced.
It should be noted that, in the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described as different from other embodiments, and identical and similar parts between the embodiments are all enough to be referred to each other. For the apparatus class embodiments, the description is relatively simple as it is substantially similar to the method embodiments, and reference is made to the description of the method embodiments for relevant points. Any of the described processing manners in the method embodiment may be implemented by a corresponding processing module in the device embodiment, which is not described in detail in the device embodiment.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules.
Referring to fig. 6, a functional block diagram of a vehicle 500 provided in accordance with another embodiment of the present application is shown, the vehicle 500 may include one or more of the following components: memory 510, processor 520, and one or more applications, wherein the one or more applications may be stored in memory 510 and configured to be executed by the one or more processors 520, the one or more applications configured to perform the method as described in the foregoing method embodiments.
The Memory 510 may include a random access Memory (Random Access Memory, RAM) or a Read-Only Memory (Read-Only Memory). Memory 510 may be used to store instructions, programs, code sets, or instruction sets. The memory 510 may include a stored program area and a stored data area, where the stored program area may store instructions for implementing an operating system, instructions for implementing at least one function (e.g., receiving a diagnostic service request, obtaining message information, determining that the message information meets a preset condition, generating a count value, determining an intrusion, determining whether the preset condition is met, calculating a bus load factor, obtaining a transmission rate, calculating a ratio, recording a time period value, determining a first preset mode intrusion, obtaining a sub-function identification, calculating an attack value, adding 1 to the attack value, setting the attack value to 0, determining a second preset mode intrusion, determining a third preset mode intrusion, generating a hint information, sending a hint information, processing an intrusion behavior, etc.), instructions for implementing various method embodiments described below, etc. The stored data area may also store data created by the vehicle 500 in use (e.g., terminal device, diagnostic service request, message information, preset condition, count value, preset threshold, UDS message information, application message information, bus load factor, transmission rate, unit duration, number of bytes, preset transmission rate, ratio, load factor threshold, duration value, duration threshold, first preset mode, service identification, preset service identification, sub-function identification, attack value, preset sub-function identification, non-preset sub-function identification, diagnostic session service identification, session attack value, session attack threshold, second preset mode, secure access service identification, hack attack value, hack attack threshold, third preset mode, hint information, designated client, and intrusion behavior), etc.
Processor 520 may include one or more processing cores. The processor 520 utilizes various interfaces and lines to connect various portions of the overall vehicle 500, perform various functions of the vehicle 500, and process data by executing or executing instructions, programs, code sets, or instruction sets stored in the memory 510, and invoking data stored in the memory 510. Alternatively, the processor 520 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), programmable logic array (Programmable Logic Array, PLA). The processor 520 may integrate one or a combination of several of a central processing unit (Central Processing Unit, CPU), an image processor (Graphics Processing Unit, GPU), and a modem, etc. The CPU mainly processes an operating system, a user interface, an application program and the like; the GPU is used for being responsible for rendering and drawing of display content; the modem is used to handle wireless communications. It will be appreciated that the modem may not be integrated into the processor 520 and may be implemented solely by a single communication chip.
Referring to fig. 7, a block diagram of a computer readable storage medium according to an embodiment of the present application is shown. The computer readable storage medium 600 has stored therein program code 610, the program code 610 being executable by a processor to perform the method described in the above method embodiments.
The computer readable storage medium 600 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. Optionally, the computer readable storage medium 600 comprises a non-volatile computer readable medium (non-transitory computer-readable storage medium). The computer readable storage medium 600 has storage space for program code 610 that performs any of the method steps described above. The program code can be read from or written to one or more computer program products. Program code 610 may be compressed, for example, in a suitable form.
According to the scheme, the diagnosis service request sent by the terminal equipment is received, the message information in the diagnosis service request is obtained, when the message information is determined to meet the preset condition, the count value corresponding to the diagnosis service request is generated, and when the count value is greater than or equal to the preset threshold value, the vehicle is determined to be invaded, so that whether the vehicle is invaded or not is determined according to the message information in the diagnosis service request sent by the terminal equipment, the vehicle is conveniently processed when the vehicle is invaded by a user, and the potential safety hazard of the vehicle is reduced.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, one of ordinary skill in the art will appreciate that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not drive the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (12)

1. An intrusion detection method based on UDS, the intrusion detection method comprising:
receiving a diagnosis service request sent by a terminal device;
acquiring message information in the diagnosis service request;
when the message information is determined to accord with a first preset condition, generating a first count value corresponding to the diagnosis service request; wherein, the first preset condition is: the message information is UDS message information and application message information;
when the message information is determined to accord with a second preset condition, generating a second count value corresponding to the diagnosis service request; wherein the second preset condition is: the service identifier of the message information is a preset service identifier;
And when the first count value or the second count value is greater than or equal to a preset threshold value, determining that the vehicle is invaded.
2. The intrusion detection method according to claim 1, wherein the generating the first count value corresponding to the diagnostic service request includes:
calculating the bus load rate of the message information;
and generating a first count value corresponding to the diagnosis service request according to the bus load rate.
3. The intrusion detection method according to claim 2, wherein the calculating the bus load rate of the message information includes:
acquiring a transmission rate corresponding to the message information, wherein the transmission rate is used for representing the byte number of the message information transmitted in unit time length;
and calculating the ratio of the transmission rate to a preset transmission rate to obtain the bus load rate corresponding to the message information.
4. The intrusion detection method according to claim 2, wherein the generating the first count value corresponding to the diagnostic service request according to the bus load factor includes:
recording a time length value of which the bus load rate is greater than or equal to a load rate threshold value as a first count value corresponding to the diagnosis service request;
The method further comprises the steps of:
when the duration value is greater than or equal to the duration threshold value, determining that the first count value is greater than or equal to a preset threshold value, and determining that the intrusion suffered by the vehicle is a first preset mode intrusion.
5. The intrusion detection method according to claim 1, wherein the generating the second count value corresponding to the diagnostic service request includes:
acquiring a sub-function identifier of the message information;
and generating a second count value corresponding to the diagnosis service request according to the sub-function identification.
6. The intrusion detection method according to claim 5, wherein generating the second count value corresponding to the diagnostic service request according to the sub-function identifier comprises:
according to the sub-function identification, calculating an attack value corresponding to the diagnosis service request;
when the sub-function identifier is a preset sub-function identifier, adding 1 to an attack value corresponding to the diagnosis service request;
when the sub-function identifier is a non-preset sub-function identifier, setting an attack value corresponding to the diagnosis service request to 0;
and generating the attack value into a second count value corresponding to the diagnosis service request.
7. The intrusion detection method according to claim 6, wherein the preset service identifier is a diagnostic session service identifier, the attack value is a session attack value, and the method further comprises:
And when the session attack value is greater than or equal to the session attack threshold value, determining that the second count value is greater than or equal to a preset threshold value, and determining that the intrusion suffered by the vehicle is a second preset mode intrusion.
8. The intrusion detection method according to claim 6, wherein the preset service identifier is a security access service identifier, the attack value is a hack attack value, and the method further comprises:
when the cracking attack value is larger than or equal to the cracking attack threshold value, determining that the second count value is larger than or equal to a preset threshold value, and determining that the intrusion suffered by the vehicle is a third preset mode intrusion.
9. The intrusion detection method according to any one of claims 1 to 8, wherein the intrusion detection method further comprises, after determining that a vehicle is intruded when the first count value or the second count value is greater than or equal to a preset threshold value:
and generating and sending prompt information to the appointed client so that a user can process the intrusion behaviors suffered by the vehicle according to the prompt information.
10. An intrusion detection device based on UDS, the intrusion detection device comprising:
The receiving module is used for receiving the diagnosis service request sent by the terminal equipment;
the acquisition module is used for acquiring the message information in the diagnosis service request;
the counting generation module is used for generating a first counting value corresponding to the diagnosis service request when the message information is determined to accord with a first preset condition; wherein, the first preset condition is: the message information is UDS message information and application message information;
the count generation module is further configured to generate a second count value corresponding to the diagnostic service request when it is determined that the message information meets a second preset condition; wherein the second preset condition is: the service identifier of the message information is a preset service identifier;
and the intrusion determination module is used for determining that the vehicle is intruded when the first count value or the second count value is greater than or equal to a preset threshold value.
11. A vehicle, characterized by comprising:
a memory;
one or more processors coupled with the memory;
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by one or more processors, the one or more applications configured to perform the intrusion detection method of any one of claims 1 to 9.
12. A computer readable storage medium having stored therein program code which is callable by a processor to perform the intrusion detection method according to any one of claims 1 to 9.
CN202210405402.4A 2022-04-18 2022-04-18 UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium Active CN115226104B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210405402.4A CN115226104B (en) 2022-04-18 2022-04-18 UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210405402.4A CN115226104B (en) 2022-04-18 2022-04-18 UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium

Publications (2)

Publication Number Publication Date
CN115226104A CN115226104A (en) 2022-10-21
CN115226104B true CN115226104B (en) 2024-02-23

Family

ID=83606577

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210405402.4A Active CN115226104B (en) 2022-04-18 2022-04-18 UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium

Country Status (1)

Country Link
CN (1) CN115226104B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180021287A (en) * 2016-08-18 2018-03-02 고려대학교 산학협력단 Appratus and method for detecting vehicle intrusion
CN112394703A (en) * 2019-08-14 2021-02-23 中车时代电动汽车股份有限公司 Vehicle fault management system
KR102259884B1 (en) * 2020-06-26 2021-06-03 주식회사 이스트시큐리티 An apparatus for providing an integrated diagnostic information for control response, a method therefor, and a computer recordable medium storing program to perform the method
CN113904862A (en) * 2021-10-22 2022-01-07 中车株洲电力机车有限公司 Distributed train control network intrusion detection method, system and storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180021287A (en) * 2016-08-18 2018-03-02 고려대학교 산학협력단 Appratus and method for detecting vehicle intrusion
CN112394703A (en) * 2019-08-14 2021-02-23 中车时代电动汽车股份有限公司 Vehicle fault management system
KR102259884B1 (en) * 2020-06-26 2021-06-03 주식회사 이스트시큐리티 An apparatus for providing an integrated diagnostic information for control response, a method therefor, and a computer recordable medium storing program to perform the method
CN113904862A (en) * 2021-10-22 2022-01-07 中车株洲电力机车有限公司 Distributed train control network intrusion detection method, system and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
智能网联汽车入侵检测及防护策略的研究及实现;王开宇;《CNKI中国优秀硕士学位论文全文数据库》;第29,37页 *
自适应的轻量级CAN总线安全机制;陈颖;《CNKI中国优秀硕士学位论文全文数据库》;第20页 *

Also Published As

Publication number Publication date
CN115226104A (en) 2022-10-21

Similar Documents

Publication Publication Date Title
US20190140778A1 (en) Information processing method, information processing system, and recording medium
US9294479B1 (en) Client-side authentication
US10869198B2 (en) Wireless system access control method and device
CN107438832B (en) Data refreshing method and device and computer readable storage medium
CN111539025B (en) Page display method and device, electronic equipment and storage medium
CN111107132A (en) Early warning method, system, device, equipment and storage medium
WO2020135755A1 (en) Vehicle attack detection method and apparatus
CN113489653A (en) Message sending method and device and computer equipment
CN113608483A (en) Method for acquiring vehicle signal value, electronic equipment and electronic control unit
CN115226104B (en) UDS-based intrusion detection method, intrusion detection device, vehicle and storage medium
CN114462096A (en) Block chain-based Internet of things equipment control method and device, computer equipment and storage medium
CN114979109A (en) Behavior track detection method and device, computer equipment and storage medium
CN112995098B (en) Authentication method, electronic device and storage medium
CN110868410B (en) Method and device for acquiring webpage Trojan horse connection password, electronic equipment and storage medium
CN112953723A (en) Vehicle-mounted intrusion detection method and device
CN112395647A (en) Block chain light node data acquisition system
CN112434341A (en) Block chain light node data acquisition method and device for preventing service tampering
Okokpujie et al. Congestion Intrusion Detection-Based Method for Controller Area Network Bus: A Case for Kia Soul Vehicle
CN115333748B (en) Anti-counterfeiting communication method, system, electronic equipment and computer readable storage medium
US20230179570A1 (en) Canbus cybersecurity firewall
RU135433U1 (en) DEVICE FOR DETECTING REMOTE COMPUTER ATTACKS IN A MILITARY COMPUTER NETWORK
CN115085951B (en) Internet of vehicles safety early warning method and electronic equipment
Wang et al. Traffic anomaly detection algorithm for CAN bus using similarity analysis
CN111865717B (en) CAN bus conventional packet reverse test method, system, electronic device and storage medium
CN115604041B (en) Security agent method, system, apparatus, computer device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant