CN115320538A - Intelligent network automobile intrusion detection system and method - Google Patents

Intelligent network automobile intrusion detection system and method Download PDF

Info

Publication number
CN115320538A
CN115320538A CN202210852087.XA CN202210852087A CN115320538A CN 115320538 A CN115320538 A CN 115320538A CN 202210852087 A CN202210852087 A CN 202210852087A CN 115320538 A CN115320538 A CN 115320538A
Authority
CN
China
Prior art keywords
intrusion detection
probe
module
abnormal
abnormal event
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210852087.XA
Other languages
Chinese (zh)
Inventor
井明军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guoqi Intelligent Control Beijing Technology Co Ltd
Original Assignee
Guoqi Intelligent Control Beijing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guoqi Intelligent Control Beijing Technology Co Ltd filed Critical Guoqi Intelligent Control Beijing Technology Co Ltd
Priority to CN202210852087.XA priority Critical patent/CN115320538A/en
Publication of CN115320538A publication Critical patent/CN115320538A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/10Fittings or systems for preventing or indicating unauthorised use or theft of vehicles actuating a signalling device
    • B60R25/1004Alarm systems characterised by the type of sensor, e.g. current sensing means
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/10Fittings or systems for preventing or indicating unauthorised use or theft of vehicles actuating a signalling device
    • B60R25/102Fittings or systems for preventing or indicating unauthorised use or theft of vehicles actuating a signalling device a signal being sent to a remote location, e.g. a radio signal being transmitted to a police station, a security company or the owner
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/30Detection related to theft or to other events relevant to anti-theft systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R2325/00Indexing scheme relating to vehicle anti-theft devices
    • B60R2325/10Communication protocols, communication systems of vehicle anti-theft devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Alarm Systems (AREA)

Abstract

The embodiment of the application provides an intelligent networking automobile intrusion detection system and method, wherein the system comprises: the system comprises an operation center module and at least one intrusion detection module, wherein different intrusion detection modules are deployed in different functional domains, different functional domains comprise different automobile components, all the automobile components in the functional domains form an intelligent networked automobile, the intrusion detection module is used for carrying out intrusion detection on the automobile components in a target functional domain, determining abnormal events and sending the abnormal events to the operation center module, the target functional domain is the functional domain where the intrusion detection module is deployed, and the operation center module is used for receiving the abnormal events sent by the at least one intrusion detection module and displaying the abnormal events sent by the at least one intrusion detection module. The method and the device improve the accuracy of abnormal intrusion detection.

Description

Intelligent network automobile intrusion detection system and method
Technical Field
The embodiment of the application relates to the technical field of network security, in particular to an intelligent networking automobile intrusion detection system and method.
Background
With the development of network technology, the application of intelligent networked automobiles is more and more popular.
When the intelligent internet automobile is applied, because the in-car network in the intelligent internet automobile can be directly interacted with the whole internet, the risk that the in-car network is abnormally invaded is increased, and the abnormal invasion needs to be detected in order to improve the application safety of the intelligent internet automobile.
However, the existing abnormal intrusion detection method generally adapts a firewall in the conventional network to a vehicle-mounted system, and can only detect an exit of the vehicle-mounted network, thereby reducing the accuracy of abnormal intrusion detection.
Disclosure of Invention
The embodiment of the application provides an intelligent networking automobile intrusion detection system and method, so that the accuracy of abnormal intrusion detection is improved.
In a first aspect, an embodiment of the present application provides an intelligent networked automobile intrusion detection system, including: the system comprises an operation center module and at least one intrusion detection module, wherein different intrusion detection modules are deployed in different functional domains, different functional domains comprise different automobile components, and the automobile components contained in all the functional domains form an intelligent networked automobile;
the intrusion detection module is used for carrying out intrusion detection on automobile parts contained in a target function domain, determining an abnormal event and sending the abnormal event to the operation center module, wherein the target function domain is a function domain deployed by the intrusion detection module;
and the operation center module is used for receiving the abnormal events sent by the at least one intrusion detection module and displaying the abnormal events sent by the at least one intrusion detection module.
Optionally, the intrusion detection module includes: a probe manager and at least one probe,
the probe is used for carrying out intrusion detection on the automobile components contained in the target function domain according to a pre-stored feature library, determining an abnormal event and sending the abnormal event to the probe manager, wherein the number of the probe is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile component is at least one;
the probe manager is used for receiving the abnormal event sent by at least one probe and sending the abnormal event sent by the at least one probe to the operation center module.
Optionally, the intrusion detection module further includes: at least one probe is arranged on the base plate,
the probe is used for carrying out intrusion detection on the automobile parts contained in the target function domain according to a pre-stored feature library, determining an abnormal event and sending the abnormal event to probe managers in other intrusion detection modules, wherein the number of the probe is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile part is at least one;
and the probe manager in the other intrusion detection modules is used for receiving an abnormal event sent by at least one probe and sending the abnormal event sent by the at least one probe to the operation center module, wherein the at least one probe comprises a locally deployed probe and a non-locally deployed probe.
Optionally, the intrusion detection module further includes: a reporting agent module for reporting the information of the agent module,
the reporting agent module is used for receiving abnormal events sent by the probe managers in the local probe manager and other intrusion detection modules and sending the abnormal events to the operation center module;
and the operation center module is used for receiving the abnormal event sent by the reporting agent module.
Optionally, the probe manager is further configured to:
receiving an initial abnormal event sent by at least one probe, wherein the initial abnormal event comprises an abnormal grade;
and re-determining the abnormal grade of the initial abnormal event according to a preset filtering condition, and determining a new abnormal event according to the re-determined abnormal grade.
Optionally, the operation center module is further configured to:
determining target characteristics according to the received abnormal events and newly acquired event characteristics, wherein the target characteristics comprise target types;
sending the target features to a target probe corresponding to the target type;
the target probe is used for updating the feature library according to the received target features.
Optionally, the intrusion detection module further includes: a storage module for storing the data of the data,
the probe manager is also used for sending the received abnormal event to the storage module;
and the storage module is used for receiving and storing the abnormal event sent by the probe manager.
In a second aspect, an embodiment of the present application provides an intelligent networking automobile intrusion detection method, which is applied to an intrusion detection module, where the intrusion detection module is at least one, different intrusion detection modules are deployed in different functional domains, different functional domains contain different automobile components, and all the automobile components contained in the functional domains constitute an intelligent networking automobile, including:
carrying out intrusion detection on automobile parts contained in a target function domain, and determining an abnormal event, wherein the target function domain is a function domain deployed by an intrusion detection module;
and sending the abnormal event to an operation center module so that the operation center module displays the abnormal event sent by the at least one intrusion detection module.
In a third aspect, an embodiment of the present application provides an intelligent networked automobile intrusion detection method, which is applied to an operation center module, and includes:
receiving an abnormal event sent by at least one intrusion detection module, wherein the number of the intrusion detection modules is at least one, different intrusion detection modules are deployed in different functional domains, different functional domains comprise different automobile components, and all the automobile components contained in the functional domains form an intelligent networked automobile;
and displaying the abnormal event sent by the at least one intrusion detection module.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the intelligent networked automobile intrusion detection method according to the second aspect or the third aspect.
In a fifth aspect, the present application provides a computer-readable storage medium, in which a computer executing instruction is stored, and when a processor executes the computer executing instruction, the method for detecting intrusion by using a smart internet enabled vehicle as described in the second aspect or the third aspect above is implemented.
In a sixth aspect, the present application provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the method for detecting intrusion of an intelligent networked automobile according to the second aspect or the third aspect is implemented.
The embodiment of the application provides an intelligent networking automobile intrusion detection system and method, the system comprises at least one intrusion detection module and an operation center module, different intrusion detection modules are deployed in different functional domains, different functional domains contain different automobile parts, all the automobile parts contained in the functional domains form an intelligent networking automobile, the intrusion detection module is used for carrying out intrusion detection on the automobile parts contained in a target functional domain, abnormal events are determined, the abnormal events are sent to the operation center module, the operation center module is used for receiving the abnormal events sent by the at least one intrusion detection module, and the abnormal events sent by the at least one intrusion detection module are displayed. By means of the method for distributing the intrusion detection module to each functional domain contained in the intelligent networked automobile, intrusion detection of all parts of the intelligent networked automobile can be achieved, and accuracy of abnormal intrusion detection is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic structural diagram of an intelligent networked automobile intrusion detection system according to an embodiment of the present application;
fig. 2 is a schematic diagram of an architecture of an intelligent networked automobile intrusion detection system according to another embodiment of the present application;
fig. 3 is a schematic diagram of an architecture of an intelligent networked automobile intrusion detection system according to another embodiment of the present application;
fig. 4 is a schematic flowchart of an intelligent networked automobile intrusion detection method according to an embodiment of the present application;
fig. 5 is a schematic flowchart of an intelligent networked automobile intrusion detection method according to another embodiment of the present application;
fig. 6 is a schematic structural diagram of an intelligent networked automobile intrusion detection device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an intelligent networked automobile intrusion detection device according to another embodiment of the present application;
fig. 8 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the above-described drawings (if any) are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may include other sequential examples than those illustrated or described. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In the related technology, the intelligent networked automobile integrates various basic technical fields such as traditional vehicles, 5G communication technology, IT infrastructure and the like. Along with the increasing popularization of intelligent internet automobiles, the continuous evolution of automobile equipment architecture and the intelligent upgrade of a traditional Electronic Control Unit (ECU) lead to more and more interaction between an in-vehicle network and the whole internet, the exposure of software and hardware in the automobile to the outside is increased, and the risk of abnormal invasion of the in-vehicle network is increased. However, when detecting an abnormal intrusion, the method mainly depends on a traditional Network security (or border security) detection manner, that is, a Network-layer firewall in a traditional Network is adapted to a vehicle-mounted system, and is usually deployed on a vehicle-mounted gateway, an intelligent driving domain Network interface, or a T-Box (i.e., wireless gateway) system, so as to implement basic functions of an IP-layer Network firewall or a CAN (Control Area Network) firewall. However, the method simply adapts the network security detection method in the conventional network and then deploys the network to the vehicle-mounted network, the detection means and the deployment method are the same as the conventional network security deployment method, and only the vehicle-mounted network outlet or a few relatively important vehicle-mounted systems in the vehicle are dispersedly monitored, so that the method is difficult to adapt to the distributed scenes of the multi-functional domain and the multi-ECU of the intelligent vehicle, and the accuracy of the abnormal intrusion detection is further reduced.
Based on above-mentioned technical problem, this application can realize carrying out intrusion detection to whole parts of intelligent networking car through the mode of every functional domain distribution intrusion detection module that contains for intelligent networking car, and then adapts to intelligent networking car multi-functional domain, many ECU's distributed scene, has improved unusual intrusion detection's accuracy.
Fig. 1 is a schematic structural diagram of an intelligent networked automobile intrusion detection system provided in an embodiment of the present application, and as shown in fig. 1, the system may include: the system comprises an operation center module and at least one intrusion detection module, wherein different intrusion detection modules are deployed in different functional domains, different functional domains comprise different automobile parts, and all the automobile parts of the functional domains form an intelligent networked automobile.
And the intrusion detection module is used for carrying out intrusion detection on the automobile parts contained in the target functional domain, determining abnormal events and sending the abnormal events to the operation center module, wherein the target functional domain is a functional domain deployed by the intrusion detection module.
And the operation center module is used for receiving the abnormal event sent by the at least one intrusion detection module and displaying the abnormal event sent by the at least one intrusion detection module.
In this embodiment, different intrusion detection modules may correspond to different functional domains, and different intrusion detection modules may be deployed in different functional domains, and each intrusion detection module may detect an automobile component in the deployed functional domain, so as to determine an abnormal event. The abnormal event may represent an event related to network information security, and generally needs to include a timestamp generated by the event, an ECU generated by the event, and specific content of the event (such as abnormal network access, abnormal process start, and the like). Furthermore, the number of intrusion detection modules may correspond to the number of functional domains. Optionally, one intrusion detection module may be deployed in each functional domain, that is, the number of intrusion detection modules is consistent with the number of functional domains. In addition, a plurality of intrusion detection modules may be deployed in each functional domain, or a plurality of intrusion detection modules may be deployed in a part of the functional domains.
Optionally, the intelligent networked automobile may be divided according to functions to obtain a plurality of functional domains, and each functional domain includes different automobile components. For example, the functional domains may be a power domain, a chassis domain, a body domain, an autopilot domain, a cockpit domain, and a control domain, and each functional domain may have at least one domain controller (for example, an ECU) to manage the domain.
In addition, the operation center module can be located at the cloud end, can receive abnormal events sent by different intrusion detection modules, and displays the abnormal events sent by at least one intrusion detection module. Optionally, when displaying the exception event sent by at least one intrusion detection module, the received exception events sent by all the intrusion detection modules may be displayed according to a preset mode, or the exception event sent by the target intrusion detection module may be displayed in a user-defined manner according to a user requirement, where the target intrusion detection module is one or more of all the intrusion detection modules, and is not limited herein in detail.
After the scheme is adopted, the intrusion detection of all parts of the intelligent networking automobile can be realized by distributing the intrusion detection module for each functional domain contained in the intelligent networking automobile, and the accuracy of abnormal intrusion detection is improved.
The technical solution of the present application will be described in detail below with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
In another embodiment, the intrusion detection module includes: a probe manager and at least one probe,
the probe is used for carrying out intrusion detection on the automobile components contained in the target function domain according to a pre-stored feature library, determining an abnormal event and sending the abnormal event to the probe manager, wherein the number of the probe is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile component is at least one.
The probe manager is used for receiving the abnormal events sent by the at least one probe and sending the abnormal events sent by the at least one probe to the operation center module.
In this embodiment, the intrusion detection module may include a probe manager and at least one probe, and the probe may detect the automobile component to determine whether there is an abnormal event. If the abnormal event exists, the abnormal event can be sent to the probe manager, and after the abnormal event sent by the probe is received by the probe manager, the abnormal event sent by the probe can be sent to the operation center module in a unified mode.
Further, when sending the received abnormal event to the operation center module, the probe manager may send the received abnormal event to the operation center module uniformly every preset time period, or send the received abnormal event to the operation center module in real time.
In addition, the probe may have one or more probes, and may detect the vehicle component in the functional domain, and further may detect a domain controller (for example, may be an ECU) in each vehicle component, so as to determine an abnormal event corresponding to the vehicle component. In addition, there may be one or more types of probes, and different types of probes may detect different types of abnormal events, and thus, for each automobile component, one or more types of probes may be provided to monitor different types of abnormalities of the automobile component. Illustratively, the probe may be an IDS (Intrusion Detection System) probe, and the type of the probe may be a network probe for detecting abnormal network access, a host monitoring probe, a process start for detecting abnormality, and the like. In addition, the probe is set for which components, and the types of the set probes can be set according to practical application scenes in a user-defined manner, and are not limited in detail herein.
In addition, when the abnormal events of the automobile parts are detected through the probe, the intrusion detection can be carried out on the automobile parts contained in the target function domain according to the pre-stored feature library, and the abnormal events are determined. The characteristic library is stored with comparison characteristics, and the characteristics of the automobile parts acquired by the probe are compared with the comparison characteristics stored in the characteristic library to further determine whether the automobile parts have abnormal events. For example, the feature library may store a website list in a normal access state, after the probe detects that the automobile component accesses the external network, the probe may acquire the accessed website, then determine whether the accessed website is in the website list, and if so, may determine that the automobile component is in the normal state. If not, the automobile part can be determined to be in an abnormal state, and an abnormal event can be generated.
In conclusion, the abnormal events of the automobile parts can be detected by adopting the probes of different types, so that the detection of the abnormal events of different types can be realized, and the comprehensiveness and the accuracy of the detection are improved.
In another embodiment, the intrusion detection module further comprises: at least one probe is arranged on the base plate,
the probe is used for carrying out intrusion detection on the automobile components contained in the target function domain according to a pre-stored feature library, determining an abnormal event and sending the abnormal event to the probe manager in other intrusion detection modules, wherein the number of the probe is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile component is at least one.
The probe manager in the other intrusion detection modules is configured to receive an exception event sent by at least one probe, and send the exception event sent by the at least one probe to the operation center module, where the at least one probe includes a locally deployed probe and a non-locally deployed probe.
In this embodiment, since there are fewer car components in a functional domain or fewer abnormal events in the functional domain are determined from historical statistics, only probes may be deployed when deploying the intrusion detection module for this type of functional domain. Subsequent probes, after determining the exception event, may send the exception event to a probe manager in other intrusion detection modules. The probe managers in the other intrusion detection modules can send the abnormal events sent by the probes in the locally deployed intrusion detection modules and the abnormal events sent by the probes in the non-locally deployed intrusion detection modules to the operation center module in a unified or real-time manner.
In addition, when the abnormal events are sent to the probe managers in other intrusion detection modules, the number of the abnormal events needing to be uploaded by each probe manager can be determined, then the probe manager with the minimum number of the abnormal events to be uploaded is selected, and the abnormal events are sent to the probe manager. In addition, the probe manager may be determined by the shortest forwarding path, and the like, and is not limited in detail herein.
Fig. 2 is a schematic diagram of an architecture of an intelligent networked automobile intrusion detection system according to another embodiment of the present application, and as shown in fig. 2, the system may include: the system comprises an operation center module and at least one intrusion detection module. In this embodiment, there may be three intrusion detection modules, which are an intrusion detection module a, an intrusion detection module B, and an intrusion detection module C. The intrusion detection module A comprises three probes and a probe manager, and abnormal events detected by the probes in the intrusion detection module A can be sent to the operation center module through the local probe manager. The intrusion detection module B comprises two probes and a probe manager, and abnormal events detected by the probes in the intrusion detection module B can be sent to the operation center module through the local probe manager. The intrusion detection module C comprises three probes, and abnormal events detected by the probes in the intrusion detection module C can be sent to the operation center module through the probe manager in the intrusion detection module A. The abnormal event detected by the probe in the intrusion detection module C may be sent to the probe manager in the intrusion detection module a through a vehicle-mounted local area network (e.g., CAN or vehicle-mounted ethernet).
In conclusion, the abnormal events detected by the intrusion detection module without the probe manager are forwarded to other intrusion detection modules with the probe manager, so that the abnormal events in different functional domains are detected, the deployment of the probe manager is reduced, the workload of operation and maintenance personnel is reduced, and the operation and maintenance efficiency is improved.
In another embodiment, the intrusion detection module further comprises: a reporting agent module for reporting the information of the agent module,
and the reporting agent module is used for receiving the abnormal events sent by the probe managers in the local probe manager and other intrusion detection modules and sending the abnormal events to the operation center module.
And the operation center module is used for receiving and reporting the abnormal event sent by the agent module.
In this embodiment, the intrusion detection module may further include a reporting agent module, and in general, one reporting agent module may be provided and may be deployed in the intrusion detection module corresponding to the functional domain with frequent interaction with the external network. After the reporting agent module is deployed, the local probe manager and the probe managers in other intrusion detection modules can send the abnormal event to the reporting agent module, and the reporting agent module can send the received abnormal event to the operation center module at preset time intervals or in real time after receiving the abnormal event.
In summary, the reporting agent module can realize the summary of the abnormal events, reduce the interaction between the probe manager and the operation center module, and further improve the network security.
In another embodiment, the probe manager is further configured to:
and receiving an initial abnormal event sent by at least one probe, wherein the initial abnormal event comprises an abnormal grade.
And re-determining the abnormal grade of the initial abnormal event according to the preset filtering condition, and determining a new abnormal event according to the re-determined abnormal grade.
In this embodiment, the abnormal event detected by the probe may be referred to as an initial abnormal event, an abnormal level may be included in the initial abnormal event, and after the probe sends the initial abnormal event including the abnormal level to the probe manager, since the probe has a limited capability of determining the abnormal event, there is a possibility of a misjudgment, the probe manager may re-determine the abnormal level of the initial abnormal event according to the preset filtering condition and all the received abnormal events, and determine a new abnormal event according to the re-determined abnormal level. Illustratively, the level of the abnormal event detected by the probe is a medium level, the probe manager determines that the level of the abnormal event is no risk after receiving the abnormal event, and then the probe manager may directly ignore the abnormal event, and if the level of the abnormal event is low risk, the probe manager may update the level of the abnormal event to be low risk, and send the abnormal event determined to be low risk to the operation center module.
The filtering condition can be set according to the practical application scene in a user-defined mode. For example, if the number of times that the probe detects that the vehicle component accesses the target website exceeds a preset number threshold and the target website is not in the preset feature library of the probe, the event may be marked as an abnormal event, and the level of the abnormal event may be marked as a medium level. And then, sending the abnormal event with the grade marked as the middle grade to a probe manager, after receiving the abnormal event, the probe manager can re-determine the grade of the abnormal event according to a preset filtering condition, the filtering condition of the probe manager can determine whether the target website is a normal website, if the target website is determined to be the normal website, the grade of the abnormal event can be marked as no risk, and if the target website is determined to be the abnormal website, the risk grade of the abnormal event can be maintained.
In conclusion, the accuracy of determining the abnormal events is improved through the secondary filtering of the abnormal events by the probe manager.
In another embodiment, the operations center module is further configured to:
and determining target characteristics according to the received abnormal events and the newly acquired event characteristics, wherein the target characteristics comprise target types.
And sending the target characteristics to a target probe corresponding to the target type.
And the target probe is used for updating the feature library according to the received target features.
In this embodiment, the operation center may acquire a new event feature from the outside at preset intervals, then may determine a target feature according to the received abnormal event and the newly acquired event feature, where the target feature may correspond to at least one probe type, then may send the target feature to a probe corresponding to the probe type, and after receiving the target feature, the probe may update the local feature library through the target feature.
In addition, the operation center module can also be used for comprehensively analyzing the current safety situation of the whole Internet of vehicles, and provides a basis for the adjustment of a subsequent probe feature library.
For example, the event characteristics acquired by the operation center may be a security website provided by the manufacturer, the abnormal event may include an abnormal event that the probe detects a risky event, but is redefined by the probe manager as an abnormal event without a risk, for example, a target website visited more than a preset number of times, the security operation center may determine, according to the aforementioned information, target characteristics that include a security website newly provided by the manufacturer and a target website defined by the probe as a risky website that is actually not risky, and then may update the feature library of the corresponding target probe through the target characteristics. For example, a security website newly provided by the manufacturer may be added to the website list in the feature library of the target probe, and a target website without risk may also be added.
In conclusion, the accuracy of the probe for determining the abnormal event is improved by updating the feature library of the probe according to the features newly acquired by the operation center.
In another embodiment, the intrusion detection module further comprises: a storage module for storing the data of the data,
the probe manager is also used for sending the received abnormal event to the storage module.
And the storage module is used for receiving and storing the abnormal event sent by the probe manager.
In this embodiment, the event can be locally persisted by the storage module, so that offline reading of the security event or continuous sending of the log reporting the interrupt log after the vehicle is restarted can be supported. In addition, a storage module can be deployed in each intrusion detection module, or can be deployed in only a few intrusion detection modules, and the configuration can be specifically customized according to the actual application scene.
Fig. 3 is a schematic diagram of an architecture of an intelligent networked automobile intrusion detection system according to another embodiment of the present application, and as shown in fig. 3, the system may include: the system comprises an operation center module and at least one intrusion detection module. In this embodiment, there may be three intrusion detection modules, which are an intrusion detection module a, an intrusion detection module B, and an intrusion detection module C. The intrusion detection module A comprises three probes and a probe manager, and abnormal events detected by the probes in the intrusion detection module A can be sent to the operation center module through the local probe manager. The intrusion detection module B comprises two probes and a probe manager, and abnormal events detected by the probes in the intrusion detection module B can be sent to the operation center module through the local probe manager. The intrusion detection module C comprises three probes, and abnormal events detected by the probes in the intrusion detection module C can be sent to the operation center module through the probe manager in the intrusion detection module A. In addition, storage modules are arranged in the intrusion detection module A and the intrusion detection module B and are connected with the corresponding probe managers. The abnormal events detected by the probes in the intrusion detection module C may be stored in a storage module in the intrusion detection module a. In addition, the intrusion detection module a further comprises a reporting agent module, and abnormal events in each intrusion detection module can be sent to the reporting agent module through the locally deployed probe manager, and then are sent to the operation center module by the reporting agent module in a unified manner.
In addition, communication between different components in the on-board network needs to be performed by encryption, for example, data passing through the CAN network may be encrypted by using secure on board Communication (SecOC). The reporting agent module and the operation center module can transmit data in an SSL encryption mode. The operation center module can also update The feature library of each different probe by combining with other inputs (including threat information, safety analysis results and The like), and sends The feature library of each probe deployed at The vehicle end to update in an Over The Air (OTA) mode.
Fig. 4 is a schematic flowchart of an intelligent networked automobile intrusion detection method provided in an embodiment of the present application, which may be applied to intrusion detection modules, where at least one intrusion detection module is provided, different intrusion detection modules are deployed in different functional domains, different functional domains include different automobile components, and all the automobile components included in the functional domains constitute an intelligent networked automobile, and as shown in fig. 4, the method may specifically include:
s401: and carrying out intrusion detection on the automobile parts contained in the target function domain, and determining the abnormal event, wherein the target function domain is a function domain deployed by an intrusion detection module.
S402: and sending the abnormal event to the operation center module so that the operation center module displays the abnormal event sent by the at least one intrusion detection module.
In this embodiment, the intrusion detection modules may be deployed in different functional domains, and each intrusion detection module may detect an automobile component in the deployed functional domain, so as to determine an abnormal event. The abnormal event may represent an event related to network information security, and generally needs to include a timestamp generated by the event, an ECU generated by the event, and specific content of the event (such as abnormal network access, abnormal process start, and the like). Furthermore, the number of intrusion detection modules may correspond to the number of functional domains. Optionally, one intrusion detection module may be deployed in each functional domain, that is, the number of intrusion detection modules is consistent with the number of functional domains. In addition, a plurality of intrusion detection modules may be deployed in each functional domain, or a plurality of intrusion detection modules may be deployed in a part of the functional domains.
Optionally, the intelligent networked automobile may be divided according to functions to obtain a plurality of functional domains, and each functional domain includes different automobile components. For example, the functional domains may be a power domain, a chassis domain, a body domain, an autopilot domain, a cockpit domain, and a control domain, and each functional domain may have at least one domain controller (for example, an ECU) to manage the domain.
In addition, the operation center module can be located at the cloud end, can receive abnormal events sent by different intrusion detection modules, and displays the abnormal events sent by at least one intrusion detection module. Optionally, when displaying the exception event sent by at least one intrusion detection module, the received exception events sent by all the intrusion detection modules may be displayed according to a preset mode, or the exception event sent by the target intrusion detection module may be displayed in a user-defined manner according to a user requirement, where the target intrusion detection module is one or more of all the intrusion detection modules, and is not limited herein in detail.
After the scheme is adopted, the intrusion detection of all parts of the intelligent networking automobile can be realized by distributing the intrusion detection module for each functional domain contained in the intelligent networking automobile, and the accuracy of abnormal intrusion detection is improved.
Based on the method of fig. 4, the present specification also provides some specific embodiments of the method, which are described below.
In addition, the intrusion detection module further includes: a probe manager and at least one probe,
the probe is used for carrying out intrusion detection on the automobile components contained in the target function domain according to a pre-stored feature library, determining an abnormal event and sending the abnormal event to the probe manager, wherein the number of the probe is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile component is at least one.
The probe manager is used for receiving the abnormal events sent by the at least one probe and sending the abnormal events sent by the at least one probe to the operation center module.
In addition, the intrusion detection module further includes: at least one probe is arranged on the base plate,
the probe is used for carrying out intrusion detection on the automobile components contained in the target function domain according to a pre-stored feature library, determining an abnormal event and sending the abnormal event to the probe manager in other intrusion detection modules, wherein the number of the probe is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile component is at least one.
And the probe managers in the other intrusion detection modules are used for receiving the abnormal event sent by the at least one probe and sending the abnormal event sent by the at least one probe to the operation center module, wherein the at least one probe comprises a locally deployed probe and a non-locally deployed probe.
In addition, the intrusion detection module further includes: a reporting agent module for reporting the information of the agent module,
the reporting agent module is used for receiving the abnormal events sent by the probe managers in the local probe manager and other intrusion detection modules and sending the abnormal events to the operation center module so that the operation center module receives the abnormal events sent by the reporting agent module.
Furthermore, the method further comprises:
and receiving an initial abnormal event sent by at least one probe, wherein the initial abnormal event comprises an abnormal grade.
And re-determining the abnormal grade of the initial abnormal event according to the preset filtering condition, and determining a new abnormal event according to the re-determined abnormal grade.
Fig. 5 is a schematic flowchart of an intelligent networked automobile intrusion detection method according to another embodiment of the present application, which is applied to an operation center module, and as shown in fig. 5, the method may include:
s501: and receiving an abnormal event sent by at least one intrusion detection module, wherein the number of the intrusion detection modules is at least one, different intrusion detection modules are deployed in different functional domains, different functional domains comprise different automobile components, and all the automobile components contained in the functional domains form an intelligent networking automobile.
S502: and displaying the abnormal event sent by at least one intrusion detection module.
In this embodiment, the intrusion detection modules may be deployed in different functional domains, and each intrusion detection module may detect an automobile component in the deployed functional domain, so as to determine an abnormal event. The abnormal event may represent an event related to network information security, and generally needs to include a timestamp generated by the event, an ECU generated by the event, and specific content of the event (such as abnormal network access, abnormal process start, and the like). Furthermore, the number of intrusion detection modules may correspond to the number of functional domains. Optionally, one intrusion detection module may be deployed in each functional domain, that is, the number of intrusion detection modules is consistent with the number of functional domains. In addition, a plurality of intrusion detection modules may be deployed in each functional domain, or a plurality of intrusion detection modules may be deployed in a part of the functional domains.
Optionally, the intelligent networked automobile may be divided according to functions to obtain a plurality of functional domains, and each functional domain includes different automobile components. For example, the functional domains may be a power domain, a chassis domain, a body domain, an autopilot domain, a cockpit domain, and a control domain, and each functional domain may have at least one domain controller (for example, an ECU) to manage the domain.
In addition, the operation center module can be located at the cloud end, can receive abnormal events sent by different intrusion detection modules, and displays the abnormal events sent by at least one intrusion detection module. Optionally, when displaying the exception event sent by at least one intrusion detection module, the received exception events sent by all the intrusion detection modules may be displayed according to a preset mode, or the exception event sent by the target intrusion detection module may be displayed in a user-defined manner according to a user requirement, where the target intrusion detection module is one or more of all the intrusion detection modules, and is not limited herein in detail.
After the scheme is adopted, the intrusion detection of all parts of the intelligent networking automobile can be realized by distributing the intrusion detection module for each functional domain contained in the intelligent networking automobile, and the accuracy of abnormal intrusion detection is improved.
Based on the method of fig. 5, the present specification also provides some specific embodiments of the method, which are described below.
Furthermore, the method may further comprise:
and determining a target characteristic according to the received abnormal event and the newly acquired event characteristic, wherein the target characteristic comprises a target type, and sending the target characteristic to a target probe corresponding to the target type so that the target probe updates a characteristic library according to the received target characteristic.
Based on the same idea, the embodiment of the present specification further provides a device corresponding to the method.
Fig. 6 is a schematic structural diagram of an intelligent networked automobile intrusion detection device provided in an embodiment of the present application, where the device is applied to an intrusion detection module, the intrusion detection module is at least one, different intrusion detection modules are deployed in different functional domains, different functional domains include different automobile components, and all the automobile components included in the functional domains constitute an intelligent networked automobile, and as shown in fig. 6, the device may include:
the detection module 601 is configured to perform intrusion detection on an automobile component included in a target functional domain, and determine an abnormal event, where the target functional domain is a functional domain deployed by the intrusion detection module.
The sending module 602 is configured to send the abnormal event to the operation center module, so that the operation center module displays the abnormal event sent by the at least one intrusion detection module.
In addition, the detecting module 601 is further configured to:
and carrying out intrusion detection on the automobile parts contained in the target function domain according to a pre-stored feature library, determining an abnormal event, and sending the abnormal event to a probe manager, wherein at least one probe is adopted, the type of the probe is at least one, and the type of the probe corresponding to each automobile part is at least one.
And receiving the abnormal event sent by the at least one probe, and sending the abnormal event sent by the at least one probe to the operation center module.
In addition, the detecting module 601 is further configured to:
and carrying out intrusion detection on the automobile parts contained in the target function domain according to a pre-stored feature library, determining an abnormal event, and sending the abnormal event to a probe manager in other intrusion detection modules, wherein the number of the probes is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile part is at least one.
The method comprises the steps of receiving an abnormal event sent by at least one probe, and sending the abnormal event sent by the at least one probe to an operation center module, wherein the at least one probe comprises a locally deployed probe and a non-locally deployed probe.
In addition, the detecting module 601 is further configured to:
and receiving abnormal events sent by the probe managers in the local probe manager and other intrusion detection modules, and sending the abnormal events to the operation center module so that the operation center module receives the abnormal events sent by the reporting agent module.
In addition, the detecting module 601 is further configured to:
and receiving an initial abnormal event sent by at least one probe, wherein the initial abnormal event comprises an abnormal grade.
And re-determining the abnormal grade of the initial abnormal event according to the preset filtering condition, and determining a new abnormal event according to the re-determined abnormal grade.
Fig. 7 is a schematic structural diagram of an intelligent networked automobile intrusion detection device according to another embodiment of the present application, which is applied to an operation center module, and as shown in fig. 7, the device may include:
the receiving module 701: the system is used for receiving the abnormal events sent by at least one intrusion detection module, wherein the number of the intrusion detection modules is at least one, different intrusion detection modules are deployed in different functional domains, different functional domains comprise different automobile components, and all the automobile components contained in the functional domains form an intelligent networked automobile.
A display module 702, configured to display the abnormal event sent by the at least one intrusion detection module.
Further, the receiving module 701: and is further configured to:
and determining a target characteristic according to the received abnormal event and the newly acquired event characteristic, wherein the target characteristic comprises a target type, and sending the target characteristic to a target probe corresponding to the target type so that the target probe updates a characteristic library according to the received target characteristic.
The apparatus provided in the embodiment of the present application may implement the method of the embodiment shown in fig. 4 or 5, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 8 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application, and as shown in fig. 8, a device 800 according to the embodiment includes: a processor 801 and a memory communicatively coupled to the processor. The processor 801 and the memory 802 are connected by a bus 803.
In particular implementations, the processor 801 executes computer-executable instructions stored by the memory 802, causing the processor 801 to perform the methods of the above-described method embodiments.
For a specific implementation process of the processor 801, reference may be made to the above method embodiments, which have similar implementation principles and technical effects, and details of this embodiment are not described herein again.
In the embodiment shown in fig. 8, it should be understood that the Processor may be a Central Processing Unit (CPU), other general purpose processors, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present invention may be embodied directly in a hardware processor, or in a combination of the hardware and software modules within the processor.
The memory may comprise high speed RAM memory, and may also include non-volatile storage NVM, such as at least one disk memory.
The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, the buses in the figures of the present application are not limited to only one bus or one type of bus.
The embodiment of the application also provides a computer-readable storage medium, wherein a computer execution instruction is stored in the computer-readable storage medium, and when a processor executes the computer execution instruction, the intelligent internet automobile intrusion detection method of the embodiment of the method is realized.
The embodiment of the application also provides a computer program product, which comprises a computer program, and when the computer program is executed by a processor, the above intelligent internet automobile intrusion detection method is realized.
The computer-readable storage medium may be implemented by any type of volatile or non-volatile storage device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk. Readable storage media can be any available media that can be accessed by a general purpose or special purpose computer.
An exemplary readable storage medium is coupled to the processor such the processor can read information from, and write information to, the readable storage medium. Of course, the readable storage medium may also be an integral part of the processor. The processor and the readable storage medium may reside in an Application Specific Integrated Circuits (ASIC). Of course, the processor and the readable storage medium may also reside as discrete components in the apparatus.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (12)

1. An intelligent networked automobile intrusion detection system, comprising: the system comprises an operation center module and at least one intrusion detection module, wherein different intrusion detection modules are deployed in different functional domains, different functional domains comprise different automobile components, and the automobile components contained in all the functional domains form an intelligent networked automobile;
the intrusion detection module is used for carrying out intrusion detection on automobile parts contained in a target function domain, determining an abnormal event and sending the abnormal event to the operation center module, wherein the target function domain is a function domain deployed by the intrusion detection module;
and the operation center module is used for receiving the abnormal events sent by the at least one intrusion detection module and displaying the abnormal events sent by the at least one intrusion detection module.
2. The system of claim 1, wherein the intrusion detection module comprises: a probe manager and at least one probe,
the probe is used for carrying out intrusion detection on the automobile components contained in the target function domain according to a pre-stored feature library, determining an abnormal event and sending the abnormal event to the probe manager, wherein the number of the probe is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile component is at least one;
the probe manager is used for receiving the abnormal event sent by at least one probe and sending the abnormal event sent by the at least one probe to the operation center module.
3. The system of claim 1, wherein the intrusion detection module further comprises: at least one probe is arranged on the base plate,
the probe is used for carrying out intrusion detection on the automobile parts contained in the target function domain according to a pre-stored feature library, determining an abnormal event and sending the abnormal event to probe managers in other intrusion detection modules, wherein the number of the probe is at least one, the type of the probe is at least one, and the type of the probe corresponding to each automobile part is at least one;
and the probe manager in the other intrusion detection modules is used for receiving an abnormal event sent by at least one probe and sending the abnormal event sent by the at least one probe to the operation center module, wherein the at least one probe comprises a locally deployed probe and a non-locally deployed probe.
4. The system of claim 2 or 3, wherein the intrusion detection module further comprises: a reporting agent module for reporting the information of the agent module,
the reporting agent module is used for receiving abnormal events sent by the probe managers in the local probe manager and other intrusion detection modules and sending the abnormal events to the operation center module;
and the operation center module is used for receiving the abnormal event sent by the reporting agent module.
5. The system of claim 2 or 3, wherein the probe manager is further configured to:
receiving an initial abnormal event sent by at least one probe, wherein the initial abnormal event comprises an abnormal grade;
and re-determining the abnormal grade of the initial abnormal event according to a preset filtering condition, and determining a new abnormal event according to the re-determined abnormal grade.
6. The system of claim 2 or 3, wherein the operations center module is further configured to:
determining target characteristics according to the received abnormal event and newly acquired event characteristics, wherein the target characteristics comprise a target type;
sending the target features to a target probe corresponding to the target type;
the target probe is used for updating the feature library according to the received target features.
7. The system of claim 2 or 3, wherein the intrusion detection module further comprises: a storage module for storing the data of the data,
the probe manager is also used for sending the received abnormal event to the storage module;
and the storage module is used for receiving and storing the abnormal event sent by the probe manager.
8. The utility model provides an intelligent networking car intrusion detection method which characterized in that is applied to the intrusion detection module, the intrusion detection module is at least one, and different intrusion detection module deploys in different functional domains, and different functional domains contain different car parts, and the car part that all functional domains contain constitutes an intelligent networking car, includes:
carrying out intrusion detection on automobile parts contained in a target function domain, and determining an abnormal event, wherein the target function domain is a function domain deployed by an intrusion detection module;
and sending the abnormal event to an operation center module so that the operation center module displays the abnormal event sent by the at least one intrusion detection module.
9. An intelligent networked automobile intrusion detection method is characterized in that the method is applied to an operation center module and comprises the following steps:
receiving at least one abnormal event sent by at least one intrusion detection module, wherein different intrusion detection modules are deployed in different functional domains, different functional domains comprise different automobile components, and all the automobile components in the functional domains form an intelligent networked automobile;
and displaying the abnormal event sent by the at least one intrusion detection module.
10. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the intelligent networked automobile intrusion detection method according to claim 8 or 9.
11. A computer-readable storage medium, wherein the computer-readable storage medium stores computer-executable instructions, and when the computer-executable instructions are executed by a processor, the method for detecting intrusion of an intelligent networked automobile according to claim 8 or 9 is implemented.
12. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the intelligent networked car intrusion detection method according to claim 8 or 9.
CN202210852087.XA 2022-07-20 2022-07-20 Intelligent network automobile intrusion detection system and method Pending CN115320538A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210852087.XA CN115320538A (en) 2022-07-20 2022-07-20 Intelligent network automobile intrusion detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210852087.XA CN115320538A (en) 2022-07-20 2022-07-20 Intelligent network automobile intrusion detection system and method

Publications (1)

Publication Number Publication Date
CN115320538A true CN115320538A (en) 2022-11-11

Family

ID=83917246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210852087.XA Pending CN115320538A (en) 2022-07-20 2022-07-20 Intelligent network automobile intrusion detection system and method

Country Status (1)

Country Link
CN (1) CN115320538A (en)

Citations (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001338378A (en) * 2000-05-30 2001-12-07 Sanyo Electric Service Co Ltd Device for reporting abnormality in vehicle and, device for reporting, photographing and recording intrusion into vehicle
JP2007126118A (en) * 2005-10-04 2007-05-24 Toyota Motor Corp Warning device and vehicle security system
JP2007313989A (en) * 2006-05-24 2007-12-06 Mitsubishi Cable Ind Ltd Vehicular abnormality detection device
WO2009132552A1 (en) * 2008-04-30 2009-11-05 华为技术有限公司 Intrusion detection method, system and apparatus
JP2015008558A (en) * 2013-06-24 2015-01-15 トヨタ自動車株式会社 Security device
US20160308887A1 (en) * 2015-04-17 2016-10-20 Hyundai Motor Company In-vehicle network intrusion detection system and method for controlling the same
CN106603578A (en) * 2017-02-15 2017-04-26 北京航空航天大学 Centralized T-BOX information safety protection system
CN108111510A (en) * 2017-12-20 2018-06-01 北京航空航天大学 A kind of in-vehicle network intrusion detection method and system
CN108648397A (en) * 2018-06-12 2018-10-12 上海博泰悦臻电子设备制造有限公司 Alarm system and method
CN109005173A (en) * 2018-08-02 2018-12-14 北京航空航天大学 A kind of car networking abnormal intrusion detection method based on traffic flow density variation
CN109617865A (en) * 2018-11-29 2019-04-12 中国电子科技集团公司第三十研究所 A kind of network security monitoring and defence method based on mobile edge calculations
CN109640293A (en) * 2019-01-08 2019-04-16 北京汽车股份有限公司 Vehicular communication system and vehicle
CN110463142A (en) * 2018-01-22 2019-11-15 松下电器(美国)知识产权公司 Vehicle abnormality detection service device, vehicle abnormality detection system and vehicle abnormality detection method
CN110636048A (en) * 2019-08-27 2019-12-31 华东师范大学 Vehicle-mounted intrusion detection method and system based on ECU signal characteristic identifier
CN110708388A (en) * 2019-10-15 2020-01-17 大陆投资(中国)有限公司 Vehicle body safety anchor node device, method and network system for providing safety service
US20200342099A1 (en) * 2018-01-16 2020-10-29 C2A-Sec, Ltd. Intrusion anomaly monitoring in a vehicle environment
CN112787836A (en) * 2019-11-07 2021-05-11 比亚迪股份有限公司 Information security network topology and method for implementing information security
CN112954689A (en) * 2021-02-07 2021-06-11 中国科学院计算技术研究所 Lightweight network intrusion detection system and method for Bluetooth wireless transmission
CN113836564A (en) * 2021-09-30 2021-12-24 中汽创智科技有限公司 Block chain-based networked automobile information safety system
CN113839904A (en) * 2020-06-08 2021-12-24 北京梆梆安全科技有限公司 Security situation sensing method and system based on intelligent networked automobile
CN113965431A (en) * 2020-07-01 2022-01-21 福特全球技术公司 CAN bus wake-up mode for detecting abnormality
CN114257447A (en) * 2021-12-20 2022-03-29 国汽(北京)智能网联汽车研究院有限公司 Vehicle-mounted network IDPS joint defense linkage system
CN114248799A (en) * 2020-09-22 2022-03-29 丰田自动车工程及制造北美公司 Vehicle-to-all message misbehavior detection
CN114326676A (en) * 2021-12-30 2022-04-12 北京三快在线科技有限公司 Intrusion detection method and device, storage medium and electronic equipment
CN114374565A (en) * 2022-01-30 2022-04-19 中国第一汽车股份有限公司 Intrusion detection method and device for vehicle CAN network, electronic equipment and medium
CN114697062A (en) * 2020-12-30 2022-07-01 厦门雅迅网络股份有限公司 Vehicle intrusion detection method and terminal
CN114710372A (en) * 2022-06-08 2022-07-05 湖南师范大学 Vehicle-mounted CAN network intrusion detection system and method based on incremental learning

Patent Citations (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001338378A (en) * 2000-05-30 2001-12-07 Sanyo Electric Service Co Ltd Device for reporting abnormality in vehicle and, device for reporting, photographing and recording intrusion into vehicle
JP2007126118A (en) * 2005-10-04 2007-05-24 Toyota Motor Corp Warning device and vehicle security system
JP2007313989A (en) * 2006-05-24 2007-12-06 Mitsubishi Cable Ind Ltd Vehicular abnormality detection device
WO2009132552A1 (en) * 2008-04-30 2009-11-05 华为技术有限公司 Intrusion detection method, system and apparatus
JP2015008558A (en) * 2013-06-24 2015-01-15 トヨタ自動車株式会社 Security device
US20160308887A1 (en) * 2015-04-17 2016-10-20 Hyundai Motor Company In-vehicle network intrusion detection system and method for controlling the same
CN106603578A (en) * 2017-02-15 2017-04-26 北京航空航天大学 Centralized T-BOX information safety protection system
CN108111510A (en) * 2017-12-20 2018-06-01 北京航空航天大学 A kind of in-vehicle network intrusion detection method and system
US20200342099A1 (en) * 2018-01-16 2020-10-29 C2A-Sec, Ltd. Intrusion anomaly monitoring in a vehicle environment
CN110463142A (en) * 2018-01-22 2019-11-15 松下电器(美国)知识产权公司 Vehicle abnormality detection service device, vehicle abnormality detection system and vehicle abnormality detection method
CN108648397A (en) * 2018-06-12 2018-10-12 上海博泰悦臻电子设备制造有限公司 Alarm system and method
CN109005173A (en) * 2018-08-02 2018-12-14 北京航空航天大学 A kind of car networking abnormal intrusion detection method based on traffic flow density variation
CN109617865A (en) * 2018-11-29 2019-04-12 中国电子科技集团公司第三十研究所 A kind of network security monitoring and defence method based on mobile edge calculations
CN109640293A (en) * 2019-01-08 2019-04-16 北京汽车股份有限公司 Vehicular communication system and vehicle
CN110636048A (en) * 2019-08-27 2019-12-31 华东师范大学 Vehicle-mounted intrusion detection method and system based on ECU signal characteristic identifier
CN110708388A (en) * 2019-10-15 2020-01-17 大陆投资(中国)有限公司 Vehicle body safety anchor node device, method and network system for providing safety service
CN112787836A (en) * 2019-11-07 2021-05-11 比亚迪股份有限公司 Information security network topology and method for implementing information security
CN113839904A (en) * 2020-06-08 2021-12-24 北京梆梆安全科技有限公司 Security situation sensing method and system based on intelligent networked automobile
CN113965431A (en) * 2020-07-01 2022-01-21 福特全球技术公司 CAN bus wake-up mode for detecting abnormality
CN114248799A (en) * 2020-09-22 2022-03-29 丰田自动车工程及制造北美公司 Vehicle-to-all message misbehavior detection
CN114697062A (en) * 2020-12-30 2022-07-01 厦门雅迅网络股份有限公司 Vehicle intrusion detection method and terminal
CN112954689A (en) * 2021-02-07 2021-06-11 中国科学院计算技术研究所 Lightweight network intrusion detection system and method for Bluetooth wireless transmission
CN113836564A (en) * 2021-09-30 2021-12-24 中汽创智科技有限公司 Block chain-based networked automobile information safety system
CN114257447A (en) * 2021-12-20 2022-03-29 国汽(北京)智能网联汽车研究院有限公司 Vehicle-mounted network IDPS joint defense linkage system
CN114326676A (en) * 2021-12-30 2022-04-12 北京三快在线科技有限公司 Intrusion detection method and device, storage medium and electronic equipment
CN114374565A (en) * 2022-01-30 2022-04-19 中国第一汽车股份有限公司 Intrusion detection method and device for vehicle CAN network, electronic equipment and medium
CN114710372A (en) * 2022-06-08 2022-07-05 湖南师范大学 Vehicle-mounted CAN network intrusion detection system and method based on incremental learning

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
王建;陈晓光;朱研;任翔;: "基于车载以太网的智能网联汽车网信安全防护技术研究", 智能网联汽车, no. 01, pages 94 - 97 *
罗璎珞;方强;: "车载终端信息安全威胁与防范", 电信网技术, no. 06, pages 41 - 45 *
荀毅杰;刘家佳;赵静;: "智能网联汽车的安全威胁研究", 物联网学报, no. 04 *

Similar Documents

Publication Publication Date Title
EP3915843A1 (en) Vehicle security monitoring device, method, and program
US11363045B2 (en) Vehicle anomaly detection server, vehicle anomaly detection system, and vehicle anomaly detection method
US10549760B2 (en) Systems and methods for handling a vehicle ECU malfunction
US20200198651A1 (en) System and method for detecting behavioral anomalies among fleets of connected vehicles
EP3842974B1 (en) Information processing device, information processing method, and program
CN110147946B (en) Data analysis method and device
CN114374565A (en) Intrusion detection method and device for vehicle CAN network, electronic equipment and medium
EP4105804B1 (en) Threat analysis apparatus, threat analysis method, and program
CN114170705A (en) Vehicle data uploading method, device and equipment
KR20160062259A (en) Method, system and computer readable medium for managing abnormal state of vehicle
CN112650180B (en) Safety warning method, device, terminal equipment and storage medium
EP4135261B1 (en) Information processing device, information processing method, and program
CN115320538A (en) Intelligent network automobile intrusion detection system and method
JP2021196997A (en) Log transmission control device
US11952013B2 (en) Trusted context self learning method for an in-vehicle network intrusion detection system developed to limit calibration proliferation and development costs
CN114572005B (en) Vehicle mileage backup method and terminal equipment
JP6979630B2 (en) Monitoring equipment, monitoring methods and programs
US20210375079A1 (en) Center device, data distribution system, and computer program product for executing restriction on function of data
CN110782114A (en) Driving behavior mining method and device, electronic equipment and storage medium
CN115412571A (en) Vehicle safety protection control method and related equipment
CN116909830A (en) Vehicle-mounted system monitoring method and device, vehicle and server
CN118277215A (en) Abnormal log alarming method and device, electronic equipment and storage medium
CN117319025A (en) Abnormal behavior detection method and device for network traffic and electronic equipment
CN115080332A (en) Fan rotating speed testing method, system and device and storage medium
CN116318758A (en) Network intrusion prevention method and device for vehicle, vehicle and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination