CN115396134A - CAN network anomaly monitoring and positioning method and system based on relative entropy and automobile - Google Patents

Info

Publication number: CN115396134A
Application number: CN202210395666.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 彭海德, 汪向阳, 何文, 谭成宇
Current Assignee: Chongqing Changan Automobile Co Ltd
Original Assignee: Chongqing Changan Automobile Co Ltd
Prior art keywords: message, relative entropy, messages, identifier, probability
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN


Abstract

The invention discloses a relative-entropy-based CAN network anomaly monitoring and positioning method, a system and an automobile. The method comprises the following steps: collecting messages on an automobile CAN network; extracting the identifier serial number of each message; judging whether each message is a periodic message; judging whether the relative entropy calculated between any one message and all the other messages is within a reference fluctuation range; and judging whether a message is abnormal according to whether the transmission probability calculated for it is within the reference transmission probability interval of that message. With this scheme, the sending of periodic messages in CAN network communication can be monitored, and after a message becomes abnormal its identifier serial number can be accurately located, which facilitates subsequent response-strategy processing.

Description

CAN network anomaly monitoring and positioning method and system based on relative entropy and automobile
Technical Field
The invention relates to the technical field of information security and intrusion detection for intelligent connected vehicles, and in particular to a relative-entropy-based CAN network anomaly monitoring and positioning method, a system and an automobile.
Background
At present, intelligent connected vehicles are developing rapidly. The number of electronic control devices in a vehicle is steadily increasing, and these devices communicate and cooperate with each other to keep the vehicle's many functions running stably. As Internet of Vehicles technology develops, communication between the vehicle and the outside world becomes more and more convenient, and so does intrusion into the vehicle network by unauthorized external persons and terminal devices. Because information security was not considered when automotive electronic communication (such as the CAN network) was first designed, the spread of the Internet of Vehicles inevitably threatens the vehicle control network, whose security level is low.
Intrusion detection and anomaly detection receive wide attention as important techniques in the information security of automobile networks (especially CAN networks). For the periodic messages of an automobile CAN network, a commonly used detection method is to calculate and evaluate the entropy of the vehicle communication messages and thereby detect how CAN bus messages are being sent, but current methods cannot locate the identifier serial number (identifier ID) of the abnormal message after an anomaly occurs.
For example, the invention patent application with application number CN201810546058.4 discloses a relative-entropy-based anomaly detection method for the vehicle-mounted CAN bus, which comprises the following: in the interrupt handler, after the vehicle is powered on, the detection node starts a timer interrupt that is triggered periodically to calculate the relative entropy of the messages; if the calculated relative entropy exceeds a set threshold, an alarm is triggered, otherwise the count data are cleared and the window is switched. When the relative entropy of the messages is calculated, two variable-length time windows, denoted window 1 and window 2, are used alternately, together with two independent groups of counters for counting. That invention adopts and improves a relative-entropy-based anomaly detection algorithm, improves detection precision and detection granularity, and combines it with anomaly detection based on a white list and on time intervals to achieve a better detection effect. However, the method can only detect that an anomaly exists on the CAN bus; it cannot specifically locate the abnormal message in the CAN bus communication.
Disclosure of Invention
In view of the above shortcomings of the prior art, the technical problem to be solved by the invention is how to provide a relative-entropy-based CAN network anomaly monitoring and positioning method and system that can monitor the sending of periodic messages in CAN network communication and, after a message becomes abnormal, accurately locate the identifier serial number of that message, thereby facilitating subsequent response-strategy processing.
In order to solve the above technical problem, the invention adopts the following technical scheme:
A CAN network anomaly monitoring and positioning method based on relative entropy comprises the following steps:
step 1) collecting messages on an automobile CAN network;
step 2) extracting the identifier serial number of each message collected in step 1);
step 3) judging whether each message is a periodic message according to the occurrence frequency of its identifier serial number; if so, executing step 4), and if not, returning to step 1);
step 4) setting a reference detection window and a reference fluctuation range of the relative entropy, calculating the relative entropy between any two messages among all periodic messages, and judging whether the relative entropy calculated between any one message and all the other messages is within the reference fluctuation range; if so, returning to step 1), and if not, executing step 5);
step 5) for the two messages whose calculated relative entropy is outside the reference fluctuation range, calculating the transmission probability of each, and judging whether each message is abnormal according to whether its calculated transmission probability is within the reference transmission probability interval of that message; if so, executing step 7), and if not, executing step 6);
step 6) judging the message to be an abnormal message, locating its identifier serial number, and passing it to the intrusion response strategy;
step 7) judging the message to be a normal message.
Preferably, in step 2), a white list of reference message identifier numbers is set, and it is determined whether the identifier number of the extracted message is in the white list of the set reference message identifier numbers, if so, step 3) is executed, otherwise, step 6) is executed.
Preferably, the white list of identifier sequence numbers of the reference message includes identifier sequence numbers of all periodic messages under normal conditions of the CAN network.
Preferably, in the step 4), the method for determining the reference fluctuation range of the relative entropy includes: selecting a plurality of detection windows with different sizes under the normal condition of the CAN network, calculating the fluctuation range of the relative entropy under each detection window, determining one detection window as a reference detection window according to the calculation time of the relative entropy and the fluctuation range of the relative entropy, and taking the fluctuation range of the relative entropy under the reference detection window as the reference fluctuation range of the relative entropy.
Preferably, in step 5), when the calculated transmission probability of a certain message is greater than the reference transmission probability of the message, the message is determined to be a replay attack message;
and when the transmission probability calculated by a certain message is smaller than the reference transmission probability of the message, judging the message as a discarded attack message.
Preferably, in step 5), when the transmission probability calculated by only one message is not equal to the reference transmission probability of the message, it is determined that the abnormality of the relative entropy outside the reference fluctuation range is caused by the abnormal transmission of the message;
and when the sending probabilities calculated by the two messages are different from the reference sending probabilities of the respective messages, judging that the abnormality of the relative entropy outside the reference fluctuation range is caused by the abnormal sending of the two messages.
Preferably, for a message whose identifier serial number is ID_1 and a message whose identifier serial number is ID_2, the relative entropy between the two messages is calculated as follows:
Figure BDA0003597236050000031
in the formula:
Figure BDA0003597236050000032
is the probability of occurrence, in the reference detection window, of the message whose identifier serial number is ID_1,
Figure BDA0003597236050000033
is the probability of occurrence, in the reference detection window, of the message whose identifier serial number is ID_2,
Figure BDA0003597236050000034
is the relative entropy between the message whose identifier serial number is ID_1 and the message whose identifier serial number is ID_2.
Preferably, the probability of occurrence, in the reference detection window, of the message whose identifier serial number is ID_1,
Figure BDA0003597236050000035
is calculated as follows:
Figure BDA0003597236050000036
in the formula:
Figure BDA0003597236050000037
is the number of occurrences, in the reference detection window, of the message whose identifier serial number is ID_1, and N_total is the total number of periodic messages in the reference detection window.
A positioning system for implementing the above relative-entropy-based CAN network anomaly monitoring and positioning method comprises:
the message acquisition module is used for acquiring messages on the CAN network communication of the automobile;
the message identifier serial number extraction module is used for extracting the identifier serial number of the acquired message;
the periodic message judging module is used for judging whether each message is a periodic message according to the occurrence frequency of the identifier serial number of the message;
the relative entropy calculation and judgment module is used for calculating the relative entropy between any two messages of all periodic messages and judging whether the relative entropy calculated between any one message and the rest of messages is within the reference fluctuation range;
the calculation and judgment module of the message sending probability is used for calculating the sending probability of each of two messages with the calculated relative entropy outside a reference fluctuation range, and comparing the calculated sending probability of each message with the reference sending probability of the message to judge whether the calculated sending probability of each message is equal to the reference sending probability of the message;
and the message abnormity judgment module is used for judging whether the message is an abnormal message according to the output signals of the relative entropy calculation judgment module and the message sending probability calculation judgment module.
The scheme also provides an automobile that adopts the above relative-entropy-based CAN network anomaly monitoring and positioning method.
Compared with the prior art, the invention has the following advantages:
1. By monitoring the sending of periodic messages in the CAN network, the invention can accurately locate the identifier serial number (identifier ID) of one or more CAN messages after their sending becomes abnormal, which facilitates subsequent response-strategy processing.
2. CAN messages with abnormal identifier serial numbers are first judged and screened out using a white list of reference message identifier serial numbers built under normal CAN network conditions; messages that may be sent abnormally are then preliminarily detected by judging the relative entropy of each pair of messages; finally, the transmission probability within the reference detection window is calculated for the messages involved in an abnormal relative entropy, so that the identifier serial number of the abnormal message is accurately located.
3. With the invention, CAN messages with abnormal identifier serial numbers can be screened out directly through the white list of reference message identifier serial numbers; meanwhile, because the relative entropy is calculated on pairs of messages throughout the detection process, the overall sending condition of all messages can be detected while the detection and judgment burden is reduced by half.
Drawings
FIG. 1 is a flow chart of a CAN network anomaly monitoring and positioning method based on relative entropy.
FIG. 2 is a flow chart of relative entropy and message transmission probability detection window and threshold determination in a relative entropy-based CAN network anomaly monitoring and positioning method of the present invention;
FIG. 3 is a system block diagram of the CAN network anomaly monitoring and positioning system based on relative entropy.
Detailed Description
The invention will be further explained with reference to the drawings and the embodiments.
As shown in fig. 1 and fig. 2, a CAN network anomaly monitoring and positioning method based on relative entropy comprises the following steps:
Step 1) Collecting messages on an automobile CAN network. The messages can be acquired by connecting directly to an automobile, or through automotive electronics simulation software such as CANoe.
Step 2) Extracting the identifier serial number of each message collected in step 1). The identifier serial number (identifier ID) of a message is a binary field in the arbitration field of the CAN message; it is converted into a hexadecimal number for convenience in subsequent operations.
In addition, in step 2) the identifier ID of each message needs to be checked. This check requires a trusted ID list set in advance, also called the white list of reference message identifier serial numbers, which contains all periodic messages in normal vehicle operating communication. Messages with abnormal identifier IDs can be screened out by this check, which prevents messages with unspecified malicious identifier IDs from entering the network and interfering with its normal communication, prevents vehicle state information and control information from being cracked, and makes the subsequent calculations more accurate and trustworthy. Therefore, in step 2), a white list of reference message identifier serial numbers is set, and it is judged whether the identifier serial number of the extracted message is in that white list; if so, step 3) is executed, and if not, step 6) is executed.
Step 3) Judging whether each message is a periodic message according to the occurrence frequency of its identifier serial number; if so, executing step 4), and if not, returning to step 1). The method only addresses anomaly detection and positioning for the sending of periodic messages: when a message is obtained from a connected automobile, it is first determined whether it is a periodic message; if it is, it is processed by the method, and if it is not, the method returns to obtain a new message.
Step 4) Before the sending of CAN network periodic messages is detected, a threshold under normal communication conditions is first determined so that subsequent anomalies can be judged and located. The threshold is obtained by calculation over normal CAN network communication messages and is used for subsequent monitoring and judgment; the principle for selecting the detection window is that the normal threshold is stable and reasonable and the calculation takes little time. This step roughly identifies several CAN messages that may be abnormal, so that the identifier IDs of the abnormal messages can be accurately located afterwards. Therefore, in this step, a reference detection window and a reference fluctuation range of the relative entropy are set, the relative entropy between any two messages among all the periodic messages is calculated, and it is judged whether the relative entropy calculated between any one message and all the other messages is within the reference fluctuation range; if so, step 1) is executed, and if not, step 5) is executed.
In this embodiment, in step 4), the periodic messages are combined in pairs for the subsequent relative entropy calculation, and it is ensured that the message of every identifier ID takes part in the calculation, so that no message escapes detection.
Specifically, taking a message whose identifier serial number is ID_1 and a message whose identifier serial number is ID_2 as an example, the relative entropy between the two messages is calculated as follows:
Figure BDA0003597236050000051
in the formula:
Figure BDA0003597236050000052
is the probability of occurrence, in the reference detection window, of the message whose identifier serial number is ID_1,
Figure BDA0003597236050000053
is the probability of occurrence, in the reference detection window, of the message whose identifier serial number is ID_2,
Figure BDA0003597236050000054
is the relative entropy between the message whose identifier serial number is ID_1 and the message whose identifier serial number is ID_2.
The probability of occurrence, in the reference detection window, of the message whose identifier serial number is ID_1,
Figure BDA0003597236050000055
is calculated as follows:
Figure BDA0003597236050000056
in the formula:
Figure BDA0003597236050000057
is the number of occurrences, in the reference detection window, of the message whose identifier serial number is ID_1, and N_total is the total number of periodic messages in the reference detection window.
In this embodiment, for all periodic messages, the relative entropy of any two messages is a fixed value; allowing for actual error, under normal conditions the value fluctuates slightly within a threshold interval. If abnormal fluctuation occurs, at least one of the two messages used to calculate the relative entropy is being sent abnormally.
In the scheme, the method for determining the reference fluctuation range of the relative entropy comprises the following steps: selecting a plurality of detection windows with different sizes under the normal condition of the CAN network, calculating the fluctuation range of the relative entropy under each detection window, determining one detection window as a reference detection window according to the calculation time of the relative entropy and the fluctuation range of the relative entropy, and taking the fluctuation range of the relative entropy under the reference detection window as the reference fluctuation range of the relative entropy.
Specifically, the reference detection window and the reference fluctuation range of the relative entropy are determined as follows. The process is shown in fig. 2: first, messages are acquired; second, the messages are preprocessed to obtain the identifier IDs for subsequent calculation; finally, the size of the reference detection window and the reference fluctuation range of the relative entropy are selected by comparing how the values fluctuate under several detection windows. A theoretical analysis follows. Assume that the identifier IDs of the periodic communication messages are {0x111, 0x222, 0x333, 0x444, 0x555, 0x666} and that the transmission periods of the above five types of packets are {0.1s, 0.2s}, respectively.
Ideally, the normal transmission probability of the message 0x111 in the detection window is:
Figure BDA0003597236050000061
Similarly, the normal transmission probability of the message 0x222 is: P_ID=0x222 = 0.222
Similarly, the normal transmission probability of the message 0x333 is: P_ID=0x333 = 0.222
Similarly, the normal transmission probability of the message 0x444 is: P_ID=0x444 = 0.111
Similarly, the normal transmission probability of the message 0x555 is: P_ID=0x555 = 0.111
Similarly, the normal transmission probability of the message 0x666 is: P_ID=0x666 = 0.111
According to the relative entropy formula, under normal CAN bus communication the relative entropy of the messages 0x111 and 0x222 is:
Figure BDA0003597236050000062
Similarly, the relative entropy of the messages 0x333 and 0x444 is:
D(P_ID=0x333 || P_ID=0x444) = 0.222
Similarly, the relative entropy of the messages 0x555 and 0x666 is:
D(P_ID=0x555 || P_ID=0x666) = 0
Therefore, under ideal conditions, when the CAN network transmits normally, the transmission probability of each periodic message and the relative entropy of each pair of periodic messages are fixed values. In practice, however, because of the choice of window size and the state of bus transmission, the transmission probability and the pairwise relative entropy of the periodic messages do not stay at a constant value but fluctuate around it, which gives rise to a normal threshold interval. In general, candidate relative entropy calculation windows and relative entropy thresholds are chosen and tested by repeated calculation over normally sent messages, and the window and threshold interval with short calculation time and stable fluctuation are selected as the reference detection window and the reference fluctuation range of the relative entropy, which facilitates the subsequent detection process.
Step 5) For the two messages whose calculated relative entropy is outside the reference fluctuation range, calculating the transmission probability of each, and judging whether each message is abnormal according to whether its calculated transmission probability is within the reference transmission probability interval of that message (the reference transmission probability is the probability with which each message appears in the reference detection window under normal CAN network communication, and the occurrence probability of each periodic message has a normal, reasonable threshold interval); if so, executing step 7), and otherwise executing step 6).
Specifically, in step 5), when the calculated transmission probability of only one of the messages is not equal to that message's reference transmission probability, it is determined that the relative entropy falling outside the reference fluctuation range is caused by abnormal sending of that message; when the calculated transmission probabilities of both messages differ from their respective reference transmission probabilities, it is determined that the relative entropy falling outside the reference fluctuation range is caused by abnormal sending of both messages. Therefore, when the transmission probability of a certain periodic message is abnormal, the abnormally sent message can be located, so that the identifier ID of the abnormal message can be determined and the subsequent intrusion response strategy can be carried out.
Further, in step 5), replay attack messages and discard attack messages can be located by calculating the message transmission probability. When the calculated transmission probability of a message is far greater than its reference transmission probability, the message is judged to be a replay attack message; when the calculated transmission probability of a message is far smaller than its reference transmission probability, the message is judged to be a discard attack message.
Specifically, after a certain type of message is subjected to a replay attack, a certain relative entropy value changes abruptly and seriously exceeds the threshold, producing an anomaly; the identifier ID of the abnormal message is then located and corresponding measures are taken.
Assuming that a large number of 0x111 messages are replayed in a certain period of time, the relative entropy of the 0x111 and 0x222 messages increases suddenly, as shown in the following formula:
Figure BDA0003597236050000071
When 0x111 messages are replayed in large numbers, the transmission probability P_ID=0x111 of the 0x111 message in the detection window increases. The number of 0x222 messages sent in the detection window decreases slightly, so the transmission probability P_ID=0x222 of the 0x222 message decreases. Solving D(P_ID=0x111 || P_ID=0x222) according to formula (1) shows that the relative entropy of the 0x111 and 0x222 messages increases sharply. Because the 0x333, 0x444, 0x555 and 0x666 messages are suppressed by the same amount, the ratios of their sending counts and of their sending probabilities in the detection window are almost unchanged, so their relative entropy values do not change greatly.
After the increase in the relative entropy of the 0x111 and 0x222 messages is calculated, the transmission probabilities of the 0x111 and 0x222 messages in the detection window are retrieved for judgment. Because the 0x111 message is replayed in large numbers, its transmission probability increases markedly, and comparison with the normal threshold shows that the transmission probability of the 0x111 message is seriously higher than the threshold. The anomaly in the window is thus detected, the ID of the abnormal message is located as 0x111, and the abnormal condition is that the message is being continuously replayed, so the message can be judged to be a replay attack message.
If a certain type of message is subjected to a discard attack, a certain relative entropy value likewise changes abruptly and seriously exceeds the threshold, producing an anomaly; the identifier ID of the abnormal message is then located and corresponding measures are taken.
Assume that, in a certain period of time, the electronic control unit responsible for sending the 0x111 message is attacked and the sending of the message is suppressed or the message is discarded by the network. This constitutes a discard attack and causes the relative entropy of the 0x111 and 0x222 messages to dip, as shown in the following formula:
Figure BDA0003597236050000081
When the 0x111 message is discarded in large quantities, the sending probability $P_{ID=0x111}$ of the 0x111 message in the detection window decreases. The number of 0x222 messages sent in the detection window increases in relative terms, so the sending probability $P_{ID=0x222}$ of the 0x222 message increases in relative terms. Solving for $D(P_{ID=0x111} \| P_{ID=0x222})$ with the formula shows that the relative entropy of the 0x111 message and the 0x222 message drops suddenly. Since the numbers of the 0x333, 0x444, 0x555, and 0x666 messages increase equally, the ratios of their message counts and of their sending probabilities in the detection window are almost unchanged, so the relative entropy values of these messages do not change greatly.
After the relative entropy dips of the 0x111 message and the 0x222 message are calculated, the sending probabilities of the 0x111 message and the 0x222 message in the detection window are retrieved for judgment. Because a large number of 0x111 messages are discarded, the sending probability of the 0x111 message decreases markedly, and comparison with the normal threshold shows that the sending probability of the 0x111 message is seriously lower than the threshold interval. Once the anomaly in the window is detected, the ID of the abnormal message is located as 0x111; the abnormal condition is that the sending of the message is being discarded, so the message can be judged to be a discard attack message.
Step 6) judging the message to be an abnormal message, locating the identifier serial number of the message, and then carrying out the subsequent intrusion response strategy.
Step 7) judging the message to be a normal message.
In addition, as shown in fig. 3, the present solution also provides a positioning system for implementing the above CAN network anomaly monitoring and positioning method based on relative entropy, where the positioning system includes:
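The detection and positioning steps described above, sketched in Python as an added example (not code from the patent). The formula on the page survives only as an image, so the pairwise form p1 * ln(p1 / p2), the tolerances standing in for the reference ranges, the function names and the sample windows are all assumptions; the periodicity check of step 3 is taken as already done.

```python
import math
from collections import Counter
from itertools import combinations

IDS = [0x111, 0x222, 0x333, 0x444, 0x555, 0x666]
REF_P = {i: 1 / 6 for i in IDS}  # constructed baseline: six equally frequent periodic IDs

def make_window(counts):
    """Build a constructed detection window (list of CAN IDs) from per-ID counts."""
    return [i for i, n in counts.items() for _ in range(n)]

def probabilities(window, whitelist):
    """P_ID = N_ID / N_total over the whitelisted periodic IDs in one window."""
    counts = Counter(i for i in window if i in whitelist)
    total = sum(counts.values()) or 1  # empty window: every probability is 0
    return {i: counts[i] / total for i in whitelist}

def pair_entropy(p1, p2, eps=1e-9):
    """Assumed pairwise term p1 * ln(p1 / p2); eps guards an ID that vanished."""
    p1, p2 = max(p1, eps), max(p2, eps)
    return p1 * math.log(p1 / p2)

def detect(window, ref_p=REF_P, entropy_tol=0.03, prob_tol=0.05):
    """Return {can_id: verdict} for one window; an empty dict means normal."""
    whitelist = set(ref_p)
    # Whitelist screen: an ID outside the reference list is abnormal outright.
    findings = {i: "not whitelisted" for i in set(window) - whitelist}
    p = probabilities(window, whitelist)
    for a, b in combinations(sorted(whitelist), 2):
        drift = pair_entropy(p[a], p[b]) - pair_entropy(ref_p[a], ref_p[b])
        if abs(drift) <= entropy_tol:
            continue  # step 4: pair is inside the reference fluctuation range
        for i in (a, b):  # step 5: locate which side of the pair moved
            if p[i] > ref_p[i] + prob_tol:
                findings[i] = "replay"
            elif p[i] < ref_p[i] - prob_tol:
                findings[i] = "discard"
    return findings

if __name__ == "__main__":
    base = {i: 100 for i in IDS}
    for name, counts in [("normal", base), ("replay", {**base, 0x111: 200}),
                         ("discard", {**base, 0x111: 20})]:
        print(name, {hex(i): v for i, v in detect(make_window(counts)).items()})
```

Probabilities are normalized per window, so a large enough flood (400 copies of 0x111 in this constructed data) pushes the other IDs below their intervals and they are reported as discarded; both tolerances have to be calibrated on recorded normal traffic.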
the message acquisition module is used for acquiring messages on the CAN network communication of the automobile;
the message identifier serial number extraction module is used for extracting the identifier serial number of the acquired message;
the periodic message judging module is used for judging whether each message is a periodic message according to the occurrence frequency of the identifier serial number of the message;
the relative entropy calculation and judgment module is internally provided with a reference detection window and a reference fluctuation range of the relative entropy, and is used for calculating the relative entropy between any two messages of all periodic messages and judging whether the calculated relative entropy between any one message and all the other messages is within the reference fluctuation range or not;
the message sending probability calculation and judgment module is used for calculating the sending probability of each message for two messages with the calculated relative entropy outside the reference fluctuation range and comparing the calculated sending probability of each message with the reference sending probability of each message to judge whether the calculated sending probability of each message is equal to the reference sending probability of each message;
and the message anomaly judgment module is used for judging whether the message is an abnormal message according to the output signals of the relative entropy calculation and judgment module and the message sending probability calculation and judgment module.
In addition, the scheme also provides an automobile which adopts the CAN network anomaly monitoring and positioning method based on the relative entropy.
Compared with the prior art, the method and the device monitor the sending condition of the periodic messages in the CAN network and, after one or several CAN messages are sent abnormally, can accurately locate the identifier serial number (identifier ID) of those messages, thereby facilitating the processing of subsequent response strategies. First, CAN messages with an abnormal identifier serial number are judged and screened out through a white list of the identifier serial numbers of the reference messages under the normal condition of the CAN network; then, messages that may be sent abnormally are preliminarily detected by judging the relative entropy of every two messages; finally, the sending probability in the reference detection window is calculated for the messages involved in an abnormal relative entropy, to accurately locate the identifier serial number of the abnormal message. According to the invention, CAN messages with an abnormal identifier serial number can be screened out directly through the white list of the identifier serial numbers of the reference messages; meanwhile, in the overall detection process, the relative entropy calculation is carried out on every two messages, so that the overall sending condition of all the messages can be detected, and the detection judgment burden is reduced by half.
It should be noted that the above embodiments are only used for illustrating the technical solutions of the present invention and not for limiting the technical solutions, and those skilled in the art should understand that the technical solutions of the present invention can be modified or substituted with equivalent solutions without departing from the spirit and scope of the technical solutions, and all should be covered in the claims of the present invention.

Claims (9)

1. A CAN network anomaly monitoring and positioning method based on relative entropy is characterized by comprising the following steps:
step 1) collecting messages on an automobile CAN network;
step 2) extracting the identifier serial number of the message acquired in the step 1);
step 3) judging whether each message is a periodic message according to the occurrence frequency of the identifier serial numbers of the messages, if so, executing the step 4), and if not, returning to execute the step 1);
step 4) setting a reference detection window and a reference fluctuation range of the relative entropy, calculating the relative entropy between any two messages of all periodic messages, judging whether the relative entropy calculated between any one message and all the other messages is within the reference fluctuation range, if so, returning to execute the step 1), and if not, executing the step 5);
step 5) calculating the respective transmission probability of the two messages with the calculated relative entropy outside the reference fluctuation range, and judging the abnormal condition of the message according to whether the transmission probability calculated by each message is in the reference transmission probability interval of the message, if so, executing step 7), and if not, executing step 6);
step 6) judging the message as an abnormal message, locating the identifier serial number of the message, and entering an intrusion response strategy;
and step 7) judging the message to be a normal message.
2. The CAN network anomaly monitoring and positioning method based on relative entropy as claimed in claim 1, wherein in step 2), a white list of reference message identifier numbers is set, and whether the identifier number of the extracted message is in the white list of the set reference message identifier numbers is determined, if yes, step 3) is performed, and if not, step 6) is performed.
3. The CAN network anomaly monitoring and positioning method based on relative entropy as claimed in claim 2, wherein in the step 4), the reference fluctuation range of the relative entropy is determined by the following method: selecting a plurality of detection windows with different sizes under the normal condition of the CAN network, calculating the fluctuation range of the relative entropy under each detection window, determining one detection window as a reference detection window according to the calculation time of the relative entropy and the fluctuation range of the relative entropy, and taking the fluctuation range of the relative entropy under the reference detection window as the reference fluctuation range of the relative entropy.
4. The CAN network anomaly monitoring and positioning method based on relative entropy of claim 1, wherein in step 5), when the calculated transmission probability of a message is greater than the reference transmission probability of the message, the message is determined to be a replay attack message;
and when the transmission probability calculated by a certain message is smaller than the reference transmission probability of the message, judging the message as a discarded attack message.
5. The CAN network abnormality monitoring and positioning method based on relative entropy of claim 4, wherein in step 5), when the calculated transmission probability of only one message is not equal to the reference transmission probability of the message, it is determined that the abnormality of relative entropy outside the reference fluctuation range is caused by the abnormal transmission of the message;
and when the transmission probabilities calculated by the two messages are different from the reference transmission probabilities of the respective messages, judging that the abnormality of the relative entropy outside the reference fluctuation range is caused by the abnormal transmission of the two messages.
6. The CAN network abnormality monitoring and positioning method based on relative entropy as claimed in claim 5, wherein the relative entropy between the message whose identifier serial number is $ID_1$ and the message whose identifier serial number is $ID_2$ is calculated by the following formula:
Figure FDA0003597236040000021
in the formula:
Figure FDA0003597236040000027
is the probability of occurrence, in the reference detection window, of the message whose identifier serial number is $ID_1$;
Figure FDA0003597236040000022
is the probability of occurrence, in the reference detection window, of the message whose identifier serial number is $ID_2$;
Figure FDA0003597236040000023
is the relative entropy between the message whose identifier serial number is $ID_1$ and the message whose identifier serial number is $ID_2$.
7. The CAN network abnormality monitoring and positioning method based on relative entropy as claimed in claim 6, wherein the probability of occurrence, in the reference detection window, of the message whose identifier serial number is $ID_1$,
Figure FDA0003597236040000024
is calculated by the following formula:
Figure FDA0003597236040000025
in the formula:
Figure FDA0003597236040000026
is the number of occurrences, in the reference detection window, of the message whose identifier serial number is $ID_1$, and $N_{total}$ is the total number of periodic messages in the reference detection window.
8. A positioning system for implementing the CAN network anomaly monitoring positioning method based on relative entropy according to claim 1, wherein the positioning system comprises:
the message acquisition module is used for acquiring messages on an automobile CAN network;
the message identifier serial number extraction module is used for extracting the identifier serial number of the acquired message;
the periodic message judging module is used for judging whether each message is a periodic message according to the occurrence frequency of the identifier serial number of the message;
the relative entropy calculation and judgment module is internally provided with a reference detection window and a reference fluctuation range of the relative entropy, and is used for calculating the relative entropy between any two messages of all periodic messages and judging whether the calculated relative entropy between any one message and all the other messages is within the reference fluctuation range or not;
the message sending probability calculation and judgment module is used for calculating the sending probability of each message for two messages with the calculated relative entropy outside the reference fluctuation range and comparing the calculated sending probability of each message with the reference sending probability of each message to judge whether the calculated sending probability of each message is equal to the reference sending probability of each message;
and the message anomaly judgment module is used for judging whether the message is an abnormal message according to the output signals of the relative entropy calculation judgment module and the message sending probability calculation judgment module.
9. An automobile, characterized in that the automobile adopts the CAN network abnormality monitoring and positioning method based on the relative entropy as claimed in any one of claims 1 to 7.
CN202210395666.6A 2022-04-14 2022-04-14 CAN network anomaly monitoring and positioning method and system based on relative entropy and automobile Pending CN115396134A (en)


Publications (1)

Publication Number Publication Date
CN115396134A true CN115396134A (en) 2022-11-25

Family

ID=84115767



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination