CN115664737A - Intrusion detection system and method - Google Patents


Info

Publication number: CN115664737A
Authority: CN (China)
Prior art keywords: message, determining, detection, information, module
Legal status: Granted (active)
Application number: CN202211261726.1A
Other languages: Chinese (zh)
Other versions: CN115664737B (en)
Inventors: 王春锦, 高德志, 谷倩, 张彪, 王宗兴, 陈浩
Current assignee: FAW Jiefang Automotive Co Ltd
Original assignee: FAW Jiefang Automotive Co Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by FAW Jiefang Automotive Co Ltd; priority to CN202211261726.1A; publication of CN115664737A; application granted; publication of CN115664737B


Abstract

The embodiment of the invention discloses an intrusion detection system and method. The system comprises a message acquisition module and a state detection module. The message acquisition module is used for acquiring a bus message while the automobile gateway is running and sending the bus message to the state detection module. The state detection module comprises a working condition detection unit and a correlation detection unit. The working condition detection unit is used for receiving the bus message, determining the current working condition information of the bus message based on the preset working conditions configured in the prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit. The correlation detection unit is used for determining the current signal correlation condition corresponding to the current working condition information based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and, if the signals in the bus message do not meet the current signal correlation condition, determining that the automobile gateway is at risk of intrusion.

Description

Intrusion detection system and method
Technical Field
The embodiment of the invention relates to the technical field of vehicle control, in particular to an intrusion detection system and method.
Background
With the development of vehicle intelligence and networking, the number of external interfaces on a vehicle grows day by day. The external interfaces and the internal components of the vehicle communicate over a Controller Area Network (CAN) bus, but the arbitration mechanism of the CAN protocol has certain security defects, so the vehicle-mounted terminal and the internal network of the vehicle are easily attacked through the external interfaces of the whole vehicle.
At present there is no system for detecting and defending against attacks on in-vehicle communication, so the whole vehicle network is prone to breakdown. Therefore, an intrusion detection system for in-vehicle CAN communication is urgently needed.
Disclosure of Invention
The embodiment of the invention provides an intrusion detection system and method, which are used for avoiding the risk of being attacked in a gateway and are beneficial to improving the attack defense capability of the gateway.
According to an aspect of the present invention, there is provided an intrusion detection system including a message acquisition module and a state detection module connected with the message acquisition module, wherein:
the message acquisition module is used for acquiring a bus message while the automobile gateway is running and sending the bus message to the state detection module; the state detection module comprises a working condition detection unit and a correlation detection unit;
the working condition detection unit is used for receiving the bus message, determining the current working condition information of the bus message based on the preset working conditions configured in the prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit;
and the correlation detection unit is used for determining the current signal correlation condition corresponding to the current working condition information based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and, if the signals in the bus message do not meet the current signal correlation condition, determining that the automobile gateway is at risk of intrusion.
According to another aspect of the present invention, an intrusion detection method is provided, which is applied to the intrusion detection system; the system includes a message acquisition module and a state detection module connected to the message acquisition module, and the method comprises the following steps:
acquiring a bus message through the message acquisition module while the automobile gateway is running, and sending the bus message to the state detection module, where the state detection module comprises a working condition detection unit and a correlation detection unit;
receiving the bus message through the working condition detection unit, determining the current working condition information of the bus message based on the preset working conditions configured in the prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit;
and determining, by the correlation detection unit, the current signal correlation condition corresponding to the current working condition information based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and, if the signals in the bus message do not meet the current signal correlation condition, determining that the automobile gateway is at risk of intrusion.
According to the technical scheme of the embodiment of the invention, the bus message is acquired by the message acquisition module while the automobile gateway is running and is sent to the state detection module, which comprises a working condition detection unit and a correlation detection unit; the bus message is received by the working condition detection unit, the current working condition information of the bus message is determined based on the preset working conditions configured in the prestored intrusion detection rule file, the current signal correlation condition corresponding to the current working condition information is determined by the correlation detection unit based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and if the signals in the bus message do not meet the current signal correlation condition, it is determined that the automobile gateway is at risk of intrusion. Because the state detection module checks the correlation of the message signals to decide whether the automobile gateway is at risk of intrusion, the risk of attack inside the gateway is avoided and the attack defense capability of the gateway is improved.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an intrusion detection system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an intrusion detection process according to an embodiment of the present invention;
Fig. 3 is a flowchart of an intrusion detection method according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a schematic structural diagram of an intrusion detection system according to an embodiment of the present invention. As shown in Fig. 1, the system includes a message acquisition module 10 and a state detection module 11 connected with the message acquisition module 10, wherein:
the message acquisition module 10 is used for acquiring a bus message while the automobile gateway is running and sending the bus message to the state detection module 11; the state detection module 11 includes a working condition detection unit 110 and a correlation detection unit 111;
the working condition detection unit 110 is configured to receive the bus message, determine the current working condition information of the bus message based on a preset working condition configured in a prestored intrusion detection rule file, and send the current working condition information to the correlation detection unit 111;
and the correlation detection unit 111 is configured to determine the current signal correlation condition corresponding to the current working condition information based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and to determine that the automobile gateway is at risk of intrusion if the signals in the bus message do not satisfy the current signal correlation condition.
In this embodiment, the message acquisition module 10 may obtain, through the communication interface, the bus messages sent by each component of the whole vehicle to the vehicle gateway while the gateway is running, and send the received bus messages to the state detection module 11. Illustratively, the bus messages received within a preset sending period may be sent to the state detection module 11 once per preset sending period; alternatively, each bus message may be forwarded to the state detection module 11 as soon as it is received.
Further, the message acquisition module 10 may also record timestamp information for each bus message as it is acquired, form a message array from the timestamp information and the bus message, and send the bus message to the state detection module 11 in the format of the message array.
In this embodiment, the bus message may be received by the working condition detection unit 110 in the state detection module 11. The state detection module 11 stores an intrusion detection rule file in advance. At least one condition for determining whether the bus message carries an intrusion risk is stored in the intrusion detection rule file, and the file may be stored in a binary format.
It should be noted that a preconfigured intrusion detection rule file may be loaded when the automobile gateway is initialized and stored in memory; the intrusion detection rule file is then parsed, the conditions it stores for determining whether a bus message carries an intrusion risk are identified, and a rule policy index table may be formed from these conditions, so that the contents of the intrusion detection rule file are reflected in the form of the rule policy index table. Furthermore, a CAN communication database file can be imported for parsing the received bus messages.
In a specific implementation, the preset operating condition configured in the intrusion detection rule file may be a corresponding relationship between the message signal and the operating condition information, and the corresponding relationship may be embodied in a formula form. Based on the preset working condition, the current working condition information corresponding to the currently received bus message can be determined. For example, the operating condition information may include temperature measurement information, humidity measurement information, engine speed information, and the like.
In a specific implementation, after receiving the current operating condition information, the correlation detection unit 111 may determine the current signal correlation condition corresponding to the current operating condition information based on a corresponding relationship between the operating condition information configured in the intrusion detection rule file and the signal correlation condition. Exemplarily, the signal correlation condition may be whether the correlation relationship between the message signals is satisfied, if so, it indicates that the signal in the bus message satisfies the current signal correlation condition; if not, the signal in the bus message does not meet the current signal correlation condition. The correlation relationship may be represented by a correlation relationship formula, which includes at least one of a linear relationship formula, an inverse relationship formula, and a direct relationship formula.
Specifically, after determining the current working condition information, the enabling state of the engine under that working condition, as reflected by the bus message, can be determined. The enabling state may be either enabled or not enabled. For a bus message acquired in the non-enabled state, if the signals are irregular, the correlation between them cannot be determined. For a bus message acquired in the enabled state, whether its signals satisfy the correlation relationship can be determined.
Optionally, when determining whether the signals of the bus message satisfy the correlation relationship, two message signals may be obtained from the bus message, and it is determined whether the two message signals satisfy the correlation relationship formula corresponding to the working condition information. Illustratively, if the current working condition information is a temperature measurement working condition, the corresponding linear relationship formula is applied, and it is determined whether the signal values of the two acquired message signals conform to the linear relationship formula. If so, the message signals satisfy the correlation relationship, i.e. the signals in the bus message meet the current signal correlation condition; if not, the message signals do not satisfy the correlation relationship, i.e. the signals in the bus message do not meet the current signal correlation condition. If the signals in the bus message meet the current signal correlation condition, it is determined that the automobile gateway is not currently at risk of intrusion; if they do not, it is determined that the automobile gateway is at risk of intrusion.
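The working condition lookup followed by the two-signal correlation check, as an added example that is not code from the patent or its assignee. The rule file is modelled as a Python dict (the patent stores it as a binary file), and the signal names, working conditions, engine-enable gating signal and formula parameters are all constructed assumptions.

```python
"""Working condition detection followed by signal correlation detection (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class BusMessage:
    can_id: int
    timestamp: float                                          # attached by the acquisition module
    signals: Dict[str, float] = field(default_factory=dict)   # decoded physical values (assumed DBC)


# The three correlation relationship formulas the patent names: linear, inverse, direct.
# Each returns True when signals x and y satisfy the relation within a tolerance.
RELATIONS: Dict[str, Callable[[float, float, dict], bool]] = {
    "linear":  lambda x, y, p: abs(y - (p["k"] * x + p["b"])) <= p["tol"],  # y = k*x + b
    "inverse": lambda x, y, p: abs(x * y - p["c"]) <= p["tol"],             # x * y = c
    "direct":  lambda x, y, p: abs(y - p["r"] * x) <= p["tol"],             # y = r * x
}

# Constructed intrusion detection rule file (names and numbers are assumptions).
RULE_FILE = {
    # preset working conditions: name -> predicate over the decoded signals
    "conditions": {
        "temperature_measurement":  lambda s: s.get("mode") == 1,
        "engine_speed_measurement": lambda s: s.get("mode") == 2,
    },
    # working condition -> signal correlation condition (signal_x, signal_y, relation, params)
    "correlation": {
        "temperature_measurement":  ("coolant_temp", "oil_temp", "linear",
                                     {"k": 1.0, "b": 10.0, "tol": 5.0}),
        "engine_speed_measurement": ("engine_rpm", "fuel_rate", "direct",
                                     {"r": 0.004, "tol": 0.5}),
    },
}


def detect_working_condition(msg: BusMessage, rules=RULE_FILE) -> Optional[str]:
    """Working condition detection unit: map the message to the first matching preset condition."""
    for name, predicate in rules["conditions"].items():
        if predicate(msg.signals):
            return name
    return None


def check_signal_correlation(msg: BusMessage, condition: Optional[str], rules=RULE_FILE) -> str:
    """Correlation detection unit. Returns 'ok', 'intrusion_risk' or 'undetermined'."""
    if condition is None or condition not in rules["correlation"]:
        return "undetermined"
    # In the non-enabled engine state the signals are irregular and correlation cannot be judged.
    if not msg.signals.get("engine_enabled", 0):
        return "undetermined"
    sig_x, sig_y, relation, params = rules["correlation"][condition]
    if sig_x not in msg.signals or sig_y not in msg.signals:
        return "undetermined"
    satisfied = RELATIONS[relation](msg.signals[sig_x], msg.signals[sig_y], params)
    return "ok" if satisfied else "intrusion_risk"


def state_detection(msg: BusMessage, rules=RULE_FILE) -> str:
    """State detection module: working condition detection, then correlation detection."""
    return check_signal_correlation(msg, detect_working_condition(msg, rules), rules)


if __name__ == "__main__":
    # constructed sample messages: a consistent pair, an inconsistent pair, and an engine-off frame
    normal = BusMessage(0x1A0, 1.000, {"mode": 1, "engine_enabled": 1, "coolant_temp": 80.0, "oil_temp": 88.0})
    spoofed = BusMessage(0x1A0, 1.010, {"mode": 1, "engine_enabled": 1, "coolant_temp": 80.0, "oil_temp": 20.0})
    idle = BusMessage(0x1A0, 1.020, {"mode": 1, "engine_enabled": 0, "coolant_temp": 80.0, "oil_temp": 20.0})
    for m in (normal, spoofed, idle):
        print(m.timestamp, detect_working_condition(m), state_detection(m))
```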
In this embodiment, the system further includes: the single packet detection module is connected with the message acquisition module; the message acquisition module is also used for sending the bus message to the single-packet detection module; and the single-packet detection module is used for determining the message parameters of the bus message, checking whether the message parameters meet the single-packet detection conditions in the prestored intrusion detection rule file or not, and if not, determining that the automobile gateway has the intrusion risk.
The message parameter may include at least one of a message identifier, a message length value, a message period, a scene physical value reflected by a signal in the bus message, and a physical value change rate.
The single-packet detection module can analyze the bus message, determine information such as a timestamp, message content, message identification and the like of the bus message, and determine at least one message parameter of a message length value, a message period, a scene physical value reflected by a signal in the bus message and a physical value change rate based on the information such as the timestamp, the message content, the message identification and the like.
In the specific implementation, it is determined whether the message parameters meet the single-packet detection condition; if so, the received bus message is safe and the automobile gateway is determined not to be at risk of intrusion; if not, the received bus message is abnormal and the automobile gateway is at risk of intrusion.
Optionally, the single-packet detection module includes a message identifier detection unit, and the message parameter includes a message identifier; the message identifier detection unit is used for determining the message identifier of the bus message, determining whether the message identifier meets the single-packet detection condition using a dichotomy (binary search) method, and, if not, determining that the automobile gateway is at risk of intrusion.
Wherein, the single packet detection condition comprises that the message identification belongs to a preset identification range.
Specifically, the preset identifier range to which legal bus messages belong can be determined, and the message identifier of the received bus message is determined. The message identifier detection unit can determine whether the message identifier belongs to the preset identifier range using a dichotomy (binary search) method: if it belongs to the preset identifier range, the message identifier is legal, the single-packet detection condition is met, and the automobile gateway is not at risk of intrusion; if it does not belong to the preset identifier range, the message identifier is illegal and the single-packet detection condition is not met, so the automobile gateway is at risk of intrusion. For example, the message identifier may be composed of at least one of characters, numbers, and letters, which is not limited in this embodiment of the present invention.
In the embodiment, the message identification of the bus message is verified, so that the bus message transmitted to the automobile gateway is ensured to be a legal message, and the safety of the automobile gateway is improved.
Optionally, the single packet detection module includes a message length detection unit, and the message parameter includes a message length value; the message length detection unit is used for determining the message length value of the bus message, determining whether the message length value meets a single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk.
Wherein, the single packet detection condition comprises that the length value of the message belongs to the range of the preset length value.
The message length detection unit can determine the range of the preset length value of the legal bus message and the message length value of the currently received bus message. And determining whether the message length value is within the preset length value range or not so as to determine that the automobile gateway has no intrusion risk. Specifically, if the length value of the message is within the preset length value range, the length value of the message is normal, the message accords with a single-packet detection condition, and the automobile gateway does not have the risk of being invaded; if the length value of the message is not in the range of the preset length value, the message length value is abnormal, and the single-packet detection condition is not met, the automobile gateway has the risk of being invaded.
In the embodiment, the length value of the bus message is verified, so that the bus message transmitted to the automobile gateway is ensured to be a normal message meeting the length requirement, and whether the bus message is abnormal or not is verified more accurately and effectively.
Optionally, the single packet detection module includes a message period detection unit, and the message parameter includes a message period; the message period detection unit is used for determining the last timestamp of the last received bus message and the current timestamp of the current received bus message, determining the message period of the bus message based on the last timestamp and the current timestamp, determining whether the message period meets a single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk.
The single-packet detection condition comprises that an error value between a message period and a standard period is smaller than a preset error value.
Specifically, the message period detection unit may determine the message period of the transmitted bus message based on the last timestamp of the last bus message and the current timestamp of the received current bus message, and compare the error value between the message period and the standard period. For example, the error value may be a number greater than or equal to 0. When the error value is smaller than the preset error value, the message period meets the single-packet detection condition and the bus message is a normal message; when the error value is greater than or equal to the preset error value, the message period does not meet the single-packet detection condition, the bus message is an abnormal message, and it is determined that the automobile gateway is at risk of intrusion.
In the embodiment, the message period of the bus message is verified, so that the bus message transmitted to the automobile gateway is ensured to be a normal message meeting the period requirement, and whether the bus message is abnormal or not is verified more accurately and effectively.
Optionally, the single packet detection module includes a signal threshold detection unit, and the message parameter includes a scene physical value reflected by a signal in the bus message; the signal threshold detection unit is used for determining scene information corresponding to the bus message, determining a scene physical value reflected by a signal in the bus message, determining whether the scene physical value meets a single-packet detection condition or not based on the scene information, and if not, determining that the automobile gateway has an intrusion risk.
The single-packet detection condition comprises that the scene physical value belongs to a preset physical value range corresponding to the scene information. Illustratively, the scene information may include a temperature measurement scene, a humidity measurement scene, a rotation speed measurement scene, and the like; the scene physical value corresponds to the scene information, for example, when the scene information is a temperature measurement scene, the scene physical value is a temperature value reflected by the signal.
In specific implementation, the signal threshold detection unit determines the scene information corresponding to the bus message and the scene physical value reflected by a signal in the bus message. It then compares whether the scene physical value belongs to the preset physical value range corresponding to the scene information: when it does, the scene physical value meets the single-packet detection condition and the bus message is a normal message; when it does not, the scene physical value does not meet the single-packet detection condition, the bus message is an abnormal message, and it is determined that the automobile gateway is at risk of intrusion. For example, if the scene information is a temperature measurement scene, then while the automobile is running the temperature of each component is theoretically greater than 0 ℃, so the scene physical value should be greater than 0 and the preset physical value range can be set to values greater than 0; when the determined scene physical value is -5, it does not belong to the preset physical value range.
In the embodiment, the scene physical value reflected by the bus message is verified to ensure that the information reflected by the received bus message conforms to the current vehicle operation scene, so that the bus message is verified more comprehensively.
Furthermore, based on the scene physical values reflected by different signals in the bus message, the physical value change rate between the different signals can be determined. The physical value change rate equals the absolute value of the difference between the scene physical values of the two signals divided by the absolute value of the difference between the timestamps of the two signals. In a specific implementation, a preset physical value change rate range may be configured. It should be noted that in different vehicle scenes the change rate of the physical value reflected by the signal follows a certain rule; for example, in a temperature measurement scene the physical value change rate is the rate of change of a temperature value, and since the temperature of the vehicle changes relatively smoothly and does not jump abruptly, the temperature change rate corresponding to the signal should be greater than 0 and smaller than a set threshold a, where a is a positive number, so the preset physical value change rate range is (0, a).
In specific implementation, after the preset physical value change rate range is determined, it is determined whether the physical value change rate corresponding to the acquired bus message belongs to that range; if so, the physical value change rate is normal, the bus message is normal, and there is currently no intrusion risk; if not, the physical value change rate is abnormal, the bus message is abnormal, and there is currently an intrusion risk. Thus whether the bus message is abnormal is also verified from the perspective of the physical value change rate, so that whether the gateway is at risk of intrusion is determined accurately.
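The five single-packet checks described above (identifier by binary search, length, period error, scene physical value range and physical value change rate) combined in one detector, as an added example that is not the patent's code. The legal identifier list, length ranges, standard periods, preset error value, scene ranges, the (0, a) change rate range and the sample frames are all constructed assumptions.

```python
"""Single-packet detection over CAN frames (added example, constructed rule values)."""
import bisect
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    can_id: int
    timestamp: float     # seconds, from the acquisition module's message array
    dlc: int             # message length value (data length code)
    scene: str           # scene information, e.g. "temperature"
    value: float         # scene physical value decoded from the signal


# Constructed single-packet detection conditions (stand-ins for the rule file contents).
LEGAL_IDS: List[int] = sorted([0x0C0, 0x100, 0x1A0, 0x2F0, 0x3E8])        # sorted for binary search
LENGTH_RANGE: Dict[int, Tuple[int, int]] = {0x1A0: (8, 8), 0x100: (2, 4)}  # per ID: (min, max) DLC
STANDARD_PERIOD: Dict[int, float] = {0x1A0: 0.010, 0x100: 0.100}           # seconds, periodic IDs only
PERIOD_TOLERANCE = 0.002                                                   # preset error value
SCENE_RANGE: Dict[str, Tuple[float, float]] = {"temperature": (0.0, 150.0), "rpm": (0.0, 8000.0)}
RATE_RANGE: Dict[str, Tuple[float, float]] = {"temperature": (0.0, 2.0)}   # (0, a), units per second


def id_is_legal(can_id: int, legal: List[int] = LEGAL_IDS) -> bool:
    """Dichotomy (binary search) on the sorted preset identifier list."""
    i = bisect.bisect_left(legal, can_id)
    return i < len(legal) and legal[i] == can_id


def length_ok(frame: Frame, ranges=LENGTH_RANGE) -> bool:
    lo, hi = ranges.get(frame.can_id, (0, 8))      # classic CAN carries at most 8 data bytes
    return lo <= frame.dlc <= hi


def period_ok(prev_ts: Optional[float], frame: Frame, std=STANDARD_PERIOD, tol=PERIOD_TOLERANCE) -> bool:
    """|measured period - standard period| must be smaller than the preset error value."""
    if prev_ts is None or frame.can_id not in std:
        return True                                 # first frame of this ID, or an aperiodic ID
    return abs((frame.timestamp - prev_ts) - std[frame.can_id]) < tol


def physical_value_ok(frame: Frame, ranges=SCENE_RANGE) -> bool:
    lo, hi = ranges.get(frame.scene, (float("-inf"), float("inf")))
    return lo <= frame.value <= hi


def change_rate_ok(prev: Optional[Frame], frame: Frame, ranges=RATE_RANGE) -> bool:
    """rate = |v2 - v1| / |t2 - t1| must lie inside the open preset range (0, a) for the scene."""
    if prev is None or frame.scene not in ranges or frame.timestamp == prev.timestamp:
        return True
    rate = abs(frame.value - prev.value) / abs(frame.timestamp - prev.timestamp)
    lo, hi = ranges[frame.scene]
    return lo < rate < hi


class SinglePacketDetector:
    """Keeps the last frame per ID so that period and change rate can be computed."""

    def __init__(self) -> None:
        self.last: Dict[int, Frame] = {}

    def check(self, frame: Frame) -> List[str]:
        """Return the names of the violated single-packet detection conditions (empty == safe)."""
        prev = self.last.get(frame.can_id)
        failed: List[str] = []
        if not id_is_legal(frame.can_id):
            failed.append("identifier")
        if not length_ok(frame):
            failed.append("length")
        if not period_ok(prev.timestamp if prev else None, frame):
            failed.append("period")
        if not physical_value_ok(frame):
            failed.append("physical_value")
        if not change_rate_ok(prev, frame):
            failed.append("change_rate")
        self.last[frame.can_id] = frame
        return failed


if __name__ == "__main__":
    det = SinglePacketDetector()
    # constructed frames: two normal 10 ms temperature frames, one early frame carrying -5 degrees,
    # and one frame with an unknown identifier and an impossible length
    for f in (Frame(0x1A0, 0.000, 8, "temperature", 80.0),
              Frame(0x1A0, 0.010, 8, "temperature", 80.01),
              Frame(0x1A0, 0.015, 8, "temperature", -5.0),
              Frame(0x7FF, 0.020, 9, "rpm", 1000.0)):
        print(hex(f.can_id), f.timestamp, det.check(f) or "safe")
```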
Optionally, the system further comprises: the flow detection module is connected with the message acquisition module; the message acquisition module is also used for sending the bus message to the flow detection module; and the flow detection module is used for determining the current flow information of the bus message, determining whether the current flow information meets the preset flow condition or not based on the preset flow condition configured in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk.
The current flow information is used for reflecting the number of the received bus messages in a preset time period. The preset flow condition may be that the flow value reflected by the current flow information belongs to a preset flow value range. When the current flow value corresponding to the current flow information does not belong to the preset flow value range, determining that the current flow information does not conform to the preset flow condition, and determining that the automobile gateway has an intrusion risk; and when the current flow value corresponding to the current flow information belongs to the preset flow value range, determining that the current flow information meets the preset flow condition, and determining that the automobile gateway does not have the intrusion risk.
In the embodiment, whether the automobile gateway has risks or not is determined from the perspective of bus message flow, and the effectiveness and comprehensiveness of determining whether the gateway has the current risk of being invaded or not are improved.
Optionally, the system further comprises: the log management module is respectively connected with the state detection module, the single-packet detection module and the flow detection module; the state detection module is also used for generating first alarm information after determining that the automobile gateway has the risk of being invaded, and sending the first alarm information to the log management module; the single-packet detection module is also used for generating second alarm information after determining that the automobile gateway has the intrusion risk and sending the second alarm information to the log management module; the flow detection module is also used for generating third alarm information after determining that the automobile gateway has the risk of being invaded, and sending the third alarm information to the log management module; and the log management module is used for receiving the first alarm information, the second alarm information and the third alarm information, generating log information meeting the requirement of a preset format based on the first alarm information, the second alarm information and the third alarm information, and storing the log information.
Specifically, when at least one of the state detection module, the single-packet detection module and the flow detection module determines that the automobile gateway has an intrusion risk, alarm information can be generated and sent to the log management module. The first alarm information is used for reflecting the condition that the automobile gateway has the risk of being invaded because a signal in the bus message does not meet the current signal correlation condition; the second alarm information is used for reflecting the condition that the automobile gateway has the risk of being invaded due to an abnormality of a single-packet bus message; the third alarm information is used for reflecting the condition that the automobile gateway has the risk of being invaded due to abnormal bus message flow. The log management module can collect the first alarm information, the second alarm information and the third alarm information, generate log information meeting the requirements of a preset format, and store the log information. For example, the preset format requirement may be that the log information needs to include a controller identifier, a module identifier, an alarm frequency, an alarm identification code, and the like. According to this embodiment, storing the log information makes it convenient to record the intrusion risk condition of the automobile gateway, and provides convenience for operation and maintenance personnel.
Optionally, the system further comprises: the alarm uploading module is connected with the log management module; the warning uploading module is used for acquiring log information according to a preset time period and feeding the log information back to the vehicle-mounted terminal so that the vehicle-mounted terminal uploads the log information to the server.
Specifically, the log information can be periodically acquired from the log management module according to a preset time period so as to be sent to the vehicle-mounted terminal, so that the risk condition of the vehicle gateway is provided for a user, and the user can conveniently check the risk condition; further, the vehicle-mounted terminal can upload the log information to the server for storage. According to the embodiment, the log information is provided to the vehicle-mounted terminal and the server through the alarm uploading module, so that the risk condition of the automobile gateway can be conveniently checked by a user and operation and maintenance personnel, the risk condition is timely processed, and the safety of the automobile gateway is improved.
It should be noted that, in the embodiment of the intrusion detection system, the included units and modules are only divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for the convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
The above detailed description is given for the corresponding embodiment of the intrusion detection system, and specific application scenarios are given below in order to make the technical solutions further clear to those skilled in the art.
The intrusion detection system provided by this embodiment can be a CAN communication intrusion detection system deployed on a gateway controller. When the gateway controller is initialized, the CAN communication intrusion detection system loads and stores CAN communication database files, and can determine the format requirements of CAN messages by parsing those files; the format requirements include information such as the CAN message identifier, period, sending type, message length and signals, so that operation and maintenance personnel can set the intrusion detection rule file according to these format requirements. The CAN communication intrusion detection system can also load and store a pre-configured intrusion detection rule file when the gateway controller is initialized. Furthermore, the CAN communication intrusion detection system can add, delete, query and modify entries of the intrusion detection rule file based on a modification instruction received from the operation and maintenance terminal.
For example, the intrusion detection rule file may store attributes such as a maximum allowable error of a period, a message length, a message signal start bit, a message signal length, a data type, a CAN message transceiving type, a CAN message identifier upper limit, a CAN message identifier lower limit, a traffic maximum value, and a traffic minimum value.
FIG. 2 is a schematic diagram of an intrusion detection process provided according to an embodiment of the invention. As shown in FIG. 2, during initialization of the automobile gateway, the intrusion detection rule file is identified and a rule policy index table is generated; the rule policy index table includes the preset working conditions, the current signal correlation condition corresponding to each item of working condition information, the single-packet detection conditions, the preset flow condition and other detection conditions. During operation of the automobile gateway, the CAN communication intrusion detection system acquires CAN messages through a communication interface, converts them into a format that the flow detection module, the single-packet detection module and the state detection module can identify, forms CAN arrays from the CAN messages together with information such as their timestamps and transmit/receive direction, and sends the CAN arrays to the flow detection module, the single-packet detection module and the state detection module respectively. The three modules perform flow detection, single-packet detection and state detection on the CAN message according to the corresponding conditions in the rule policy index table; if a detection result shows that the CAN message is abnormal, the automobile gateway currently has an intrusion risk, and if the detection results show that the CAN message is normal, the automobile gateway is currently safe.
Furthermore, when an intrusion risk exists, each module can generate alarm information and send it to the log management module, and the log management module generates log information based on the alarm information. The alarm information may include the index number, in the rule policy index table, of the detection condition that the CAN message failed, together with the error content. The log management module sends log information to the alarm collection module at regular intervals; after receiving it, the alarm collection module checks whether the error content corresponding to the log information already exists: if so, the alarm frequency of that error content is increased by one, and if not, the error content is stored in the alarm cache. The alarm collection module sends the log information to the vehicle-mounted terminal device over CAN communication, so that the vehicle-mounted terminal device sends the log information to the server backend.
This embodiment realizes monitoring and abnormality alarming for in-vehicle CAN network communication, can promptly feed back abnormal CAN communication conditions to the backend server, and makes it convenient for operation and maintenance personnel to analyze risk events and add safety protection measures to the relevant controller software.
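As an added example that is not part of the patent, the following Python sketch implements the single-packet detection (identifier check by dichotomy, i.e. binary search over sorted identifier ranges; length; period), the flow detection described earlier, and the log management stage with the alarm-frequency increment described above. The rule-table values, identifiers, timestamps and the controller/module identifiers are constructed assumptions.

```python
"""Added example (not the patent's own code): a minimal CAN intrusion detector
with the single-packet, traffic and log-management stages the text describes.
Rule-table values, frame identifiers and timestamps are constructed."""
from bisect import bisect_right
from collections import Counter, deque
from dataclasses import dataclass

@dataclass
class CanFrame:
    can_id: int
    dlc: int      # data length code (message length)
    ts: float     # receive timestamp in seconds (constructed)

# Rule policy index table, built from a constructed rule file. The position of
# each detection condition in RULES is the "index number" carried in alarms.
RULES = ["identifier", "length", "period", "traffic"]
ID_RANGES = [(0x100, 0x1FF), (0x300, 0x37F)]   # preset identifier ranges, sorted
LENGTH_RANGE = {0x123: (8, 8), 0x301: (2, 4)}   # preset length range per identifier
PERIOD_RULE = {0x123: (0.010, 0.002)}           # (standard period, max error) in s
TRAFFIC_RULE = (1.0, 0, 150)                    # (window s, min frames, max frames)

def id_in_ranges(can_id, ranges):
    """Dichotomy (binary search) over sorted, non-overlapping identifier ranges."""
    i = bisect_right(ranges, (can_id, float("inf"))) - 1
    return i >= 0 and ranges[i][0] <= can_id <= ranges[i][1]

class SinglePacketDetector:
    """Identifier, length and period checks on one frame at a time."""

    def __init__(self):
        self.last_ts = {}   # identifier -> timestamp of the previous frame

    def check(self, f):
        """Return (rule index, error content) for every failed condition."""
        alarms = []
        if not id_in_ranges(f.can_id, ID_RANGES):
            alarms.append((0, f"id 0x{f.can_id:X} outside preset identifier range"))
        lo, hi = LENGTH_RANGE.get(f.can_id, (0, 8))
        if not lo <= f.dlc <= hi:
            alarms.append((1, f"id 0x{f.can_id:X} length {f.dlc} outside [{lo}, {hi}]"))
        if f.can_id in PERIOD_RULE and f.can_id in self.last_ts:
            std, err = PERIOD_RULE[f.can_id]
            if abs((f.ts - self.last_ts[f.can_id]) - std) >= err:
                alarms.append((2, f"id 0x{f.can_id:X} period deviates from {std}s"))
        self.last_ts[f.can_id] = f.ts
        return alarms

class TrafficDetector:
    """Counts frames in a sliding window and checks the preset traffic range."""

    def __init__(self):
        self.window = deque()

    def check(self, f):
        win, lo, hi = TRAFFIC_RULE
        self.window.append(f.ts)
        while self.window[0] <= f.ts - win:   # drop frames older than the window
            self.window.popleft()
        n = len(self.window)
        if not lo <= n <= hi:
            return [(3, f"frames per {win}s window outside [{lo}, {hi}]")]
        return []

class LogManager:
    """Turns alarm information into fixed-format log records; repeated error
    content increments its alarm frequency instead of creating a new entry."""

    def __init__(self, controller_id="GW01", module_id="IDS"):   # constructed ids
        self.controller_id, self.module_id = controller_id, module_id
        self.alarm_count = Counter()

    def record(self, rule_index, error):
        self.alarm_count[error] += 1
        return {"controller": self.controller_id, "module": self.module_id,
                "rule_index": rule_index, "rule": RULES[rule_index],
                "count": self.alarm_count[error], "error": error}

def run_ids(frames):
    """Run every frame through both detectors and collect the log records."""
    spd, tfd, log = SinglePacketDetector(), TrafficDetector(), LogManager()
    return [log.record(idx, err)
            for f in frames
            for idx, err in spd.check(f) + tfd.check(f)]

# Constructed sample: a healthy 10 ms frame, an unknown identifier, a short
# frame, and a frame arriving 1 ms after the previous one.
SAMPLE = [CanFrame(0x123, 8, 0.000), CanFrame(0x123, 8, 0.010),
          CanFrame(0x7FF, 8, 0.012), CanFrame(0x123, 4, 0.020),
          CanFrame(0x123, 8, 0.021)]

if __name__ == "__main__":
    for rec in run_ids(SAMPLE):
        print(rec)
```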
Fig. 3 is a flowchart of an intrusion detection method according to an embodiment of the present invention, where the method is applied to an intrusion detection system, and the system includes a message acquisition module and a status detection module connected to the message acquisition module; as shown in fig. 3, the method includes:
S110, acquiring a bus message in the running process of the automobile gateway through a message acquisition module, and sending the bus message to a state detection module; the state detection module comprises a working condition detection unit and a correlation detection unit.
S120, receiving the bus message through the working condition detection unit, determining the current working condition information of the bus message based on the preset working condition configured in the prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit.
S130, determining a current signal correlation condition corresponding to the current working condition information through a correlation detection unit based on a corresponding relation between the working condition information configured in the intrusion detection rule file and the signal correlation condition, and determining that the automobile gateway has an intrusion risk if the signal in the bus message does not meet the current signal correlation condition.
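An added example, not from the patent, of steps S120 and S130 together with the physical value change rate check from the system description: the working condition is selected from the decoded signals, the correlation conditions configured for that working condition are checked, and the change rate of a signal's physical value is compared with its preset range. Signal names, conditions and ranges are constructed assumptions.

```python
"""Added example (not the patent's own code): the state-detection stage, i.e.
working-condition detection followed by signal-correlation checking, plus the
physical-value change-rate check. Signal names, conditions and ranges are
constructed assumptions."""

# Preset working conditions from a constructed rule file: the first predicate
# that holds over the decoded signals selects the current working condition.
WORKING_CONDITIONS = [
    ("driving", lambda s: s["vehicle_speed"] > 0),
    ("stationary", lambda s: True),
]

# Correspondence between working condition and signal correlation conditions:
# (description, predicate that must hold while that condition is current).
CORRELATION_RULES = {
    "driving": [
        ("gear must not be P while moving", lambda s: s["gear"] != "P"),
        ("doors must be closed while moving", lambda s: not s["door_open"]),
    ],
    "stationary": [],
}

# Preset physical-value change-rate ranges in units per second (constructed:
# vehicle_speed in km/h, so the range is km/h per second).
RATE_RANGES = {"vehicle_speed": (-15.0, 8.0)}

def detect_condition(signals):
    """Working-condition detection unit: map decoded signals to a condition name."""
    for name, pred in WORKING_CONDITIONS:
        if pred(signals):
            return name
    raise ValueError("no working condition matched")  # unreachable with the catch-all

def check_correlation(condition, signals):
    """Correlation detection unit: descriptions of every violated condition."""
    return [desc for desc, pred in CORRELATION_RULES[condition] if not pred(signals)]

class RateDetector:
    """Compares each signal's physical-value change rate with its preset range."""

    def __init__(self):
        self.prev = {}   # signal name -> (value, timestamp) of the previous message

    def check(self, signals, ts):
        errors = []
        for name, (lo, hi) in RATE_RANGES.items():
            if name in self.prev and ts > self.prev[name][1]:
                v0, t0 = self.prev[name]
                rate = (signals[name] - v0) / (ts - t0)
                if not lo <= rate <= hi:
                    errors.append(f"{name} change rate {rate:.1f}/s outside [{lo}, {hi}]")
            self.prev[name] = (signals[name], ts)
        return errors

class StateDetector:
    """State detection module: working condition, correlation and rate checks."""

    def __init__(self):
        self.rate = RateDetector()

    def check(self, signals, ts):
        """Return (working condition, list of error contents) for one message."""
        cond = detect_condition(signals)
        return cond, check_correlation(cond, signals) + self.rate.check(signals, ts)

# Constructed sample of decoded bus messages (signals, timestamp in seconds).
SAMPLE = [
    ({"vehicle_speed": 0.0, "gear": "P", "door_open": False}, 0.0),
    ({"vehicle_speed": 0.5, "gear": "D", "door_open": False}, 0.1),
    ({"vehicle_speed": 1.0, "gear": "P", "door_open": True}, 0.2),   # correlation violated
    ({"vehicle_speed": 3.0, "gear": "D", "door_open": False}, 0.3),  # 20 km/h per s jump
]

if __name__ == "__main__":
    detector = StateDetector()
    for signals, ts in SAMPLE:
        print(ts, *detector.check(signals, ts))
```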
On the basis of any optional technical solution in the embodiment of the present invention, optionally, the system further includes: the single packet detection module is connected with the message acquisition module; the method further comprises the following steps:
sending the bus message to the single-packet detection module through the message acquisition module;
and determining the message parameters of the bus message through a single-packet detection module, checking whether the message parameters meet single-packet detection conditions in a prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intruded risk.
On the basis of any optional technical scheme in the embodiment of the present invention, optionally, the single-packet detection module includes a message identifier detection unit, and the message parameter includes a message identifier; the step of determining the message parameters of the bus message through the single-packet detection module, checking whether the message parameters meet the single-packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk comprises:
determining the message identification of the bus message through a message identification detection unit, determining whether the message identification meets a single-packet detection condition by adopting a dichotomy, and if not, determining that the automobile gateway has an intrusion risk;
wherein, the single packet detection condition comprises that the message identification belongs to a preset identification range.
On the basis of any optional technical scheme in the embodiment of the present invention, optionally, the single-packet detection module includes a message length detection unit, and the message parameter includes a message length value; the step of determining the message parameters of the bus message through the single-packet detection module, checking whether the message parameters meet the single-packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk comprises:
determining a message length value of the bus message through a message length detection unit, determining whether the message length value meets a single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk;
wherein, the single packet detection condition comprises that the length value of the message belongs to the range of the preset length value.
On the basis of any optional technical scheme in the embodiment of the present invention, optionally, the single-packet detection module includes a message period detection unit, and the message parameter includes a message period; the step of determining the message parameters of the bus message through the single-packet detection module, checking whether the message parameters meet the single-packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk comprises:
determining a last timestamp of a received last bus message and a current timestamp of a received current bus message through a message period detection unit, determining a message period of the bus message based on the last timestamp and the current timestamp, determining whether the message period meets a single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk;
the single-packet detection condition comprises that an error value between a message period and a standard period is smaller than a preset error value.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the single-packet detection module comprises a signal threshold detection unit, and the message parameters comprise a scene physical value reflected by a signal in the bus message; the step of determining the message parameters of the bus message through the single-packet detection module, checking whether the message parameters meet the single-packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk comprises:
determining scene information corresponding to the bus message through a signal threshold detection unit, determining a scene physical value reflected by a signal in the bus message, determining whether the scene physical value meets a single-packet detection condition or not based on the scene information, and if not, determining that the automobile gateway has an intrusion risk;
the single-packet detection condition comprises that the scene physical value belongs to a preset physical value range corresponding to the scene information.
On the basis of any optional technical solution in the embodiment of the present invention, optionally, the system further includes: the flow detection module is connected with the message acquisition module; the method further comprises the following steps:
sending the bus message to a flow detection module through a message acquisition module;
determining the current flow information of the bus message through a flow detection module, determining whether the current flow information meets the preset flow condition or not based on the preset flow condition configured in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk.
On the basis of any optional technical solution in the embodiment of the present invention, optionally, the system further includes: the log management module is respectively connected with the state detection module, the single-packet detection module and the flow detection module; the method further comprises the following steps:
after the state detection module determines that the automobile gateway has the intrusion risk, first alarm information is generated and sent to the log management module;
after determining that the automobile gateway has the intrusion risk through the single-packet detection module, generating second alarm information and sending the second alarm information to the log management module;
after determining that the automobile gateway has the risk of being invaded through the flow detection module, generating third alarm information and sending the third alarm information to the log management module;
the log management module receives the first alarm information, the second alarm information and the third alarm information, generates log information meeting the requirements of a preset format based on the first alarm information, the second alarm information and the third alarm information, and stores the log information.
On the basis of any optional technical solution in the embodiment of the present invention, optionally, the system further includes: the alarm uploading module is connected with the log management module; the method further comprises the following steps:
and acquiring log information according to a preset time period through an alarm uploading module, and feeding the log information back to the vehicle-mounted terminal so that the vehicle-mounted terminal uploads the log information to the server.
According to the technical scheme of the embodiment of the invention, the bus message is acquired by the message acquisition module in the running process of the automobile gateway and is sent to the state detection module, wherein the state detection module comprises a working condition detection unit and a correlation detection unit; the bus message is received through the working condition detection unit, the current working condition information of the bus message is determined based on the preset working condition configured in the prestored intrusion detection rule file, the current signal correlation condition corresponding to the current working condition information is determined through the correlation detection unit based on the corresponding relation between the working condition information configured in the intrusion detection rule file and the signal correlation condition, and if a signal in the bus message does not meet the current signal correlation condition, it is determined that the automobile gateway has an intrusion risk. According to the technical scheme of the embodiment of the invention, the state detection module detects the correlation of the message signals, so that whether the automobile gateway has the risk of being invaded is determined, the risk of the gateway being attacked is avoided, and the attack defense capability of the gateway is improved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An intrusion detection system, comprising: a message acquisition module and a state detection module connected with the message acquisition module; wherein:
the message acquisition module is used for acquiring a bus message in the running process of the automobile gateway and sending the bus message to the state detection module; the state detection module comprises a working condition detection unit and a correlation detection unit;
the working condition detection unit is used for receiving the bus message, determining the current working condition information of the bus message based on the preset working condition configured in the prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit;
and the correlation detection unit is used for determining the current signal correlation condition corresponding to the current working condition information based on the corresponding relationship between the working condition information and the signal correlation condition configured in the intrusion detection rule file, and if the signal in the bus message does not meet the current signal correlation condition, determining that the automobile gateway has an intruded risk.
2. The system of claim 1, further comprising: a single-packet detection module connected with the message acquisition module; wherein:
the message acquisition module is also used for sending the bus message to the single packet detection module;
and the single-packet detection module is used for determining the message parameters of the bus message, checking whether the message parameters meet the single-packet detection conditions in the intrusion detection rule file stored in advance, and if not, determining that the automobile gateway has the intrusion risk.
3. The system of claim 2, wherein the single-packet detection module comprises a message identifier detection unit, and the message parameter comprises a message identifier; wherein:
the message identification detection unit is used for determining the message identification of the bus message, determining whether the message identification meets the single-packet detection condition by adopting a dichotomy method, and if not, determining that the automobile gateway has an intrusion risk;
and the single-packet detection condition comprises that the message identifier belongs to a preset identifier range.
4. The system of claim 2, wherein the single-packet detection module comprises a message length detection unit, and the message parameter comprises a message length value; wherein:
the message length detection unit is used for determining the message length value of the bus message, determining whether the message length value meets the single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk;
wherein, the single packet detection condition comprises that the length value of the message belongs to a range of preset length values.
5. The system of claim 2, wherein the single-packet detection module comprises a message period detection unit, and the message parameter comprises a message period; wherein:
the message period detection unit is used for determining a last timestamp of a received last bus message and a current timestamp of a received current bus message, determining a message period of the bus message based on the last timestamp and the current timestamp, determining whether the message period meets the single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk;
the single packet detection condition comprises that an error value between a message period and a standard period is smaller than a preset error value.
6. The system according to claim 2, wherein the single-packet detection module comprises a signal threshold detection unit, and the message parameter comprises a scene physical value reflected by a signal in the bus message; wherein:
the signal threshold detection unit is used for determining scene information corresponding to the bus message, determining a scene physical value reflected by a signal in the bus message, determining whether the scene physical value meets the single-packet detection condition or not based on the scene information, and if not, determining that the automobile gateway has an intrusion risk;
and the single-packet detection condition comprises that the scene physical value belongs to a preset physical value range corresponding to the scene information.
7. The system of claim 2, further comprising: a flow detection module connected with the message acquisition module; wherein:
the message acquisition module is also used for sending the bus message to the flow detection module;
and the flow detection module is used for determining the current flow information of the bus message, determining whether the current flow information meets the preset flow condition or not based on the preset flow condition configured in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk.
8. The system of claim 7, further comprising: a log management module respectively connected with the state detection module, the single-packet detection module and the flow detection module; wherein:
the state detection module is further used for generating first alarm information after determining that the automobile gateway has the risk of being invaded, and sending the first alarm information to the log management module;
the single-packet detection module is further configured to generate second alarm information after determining that the automobile gateway has an intrusion risk, and send the second alarm information to the log management module;
the traffic detection module is further configured to generate third alarm information after determining that the automobile gateway has an intrusion risk, and send the third alarm information to the log management module;
the log management module is configured to receive the first alarm information, the second alarm information, and the third alarm information, generate log information that meets a preset format requirement based on the first alarm information, the second alarm information, and the third alarm information, and store the log information.
9. The system of claim 8, further comprising: an alarm uploading module connected with the log management module; wherein:
the warning uploading module is used for acquiring the log information according to a preset time period and feeding the log information back to the vehicle-mounted terminal so that the vehicle-mounted terminal uploads the log information to the server.
10. An intrusion detection method is characterized in that the intrusion detection method is applied to an intrusion detection system, and the system comprises a message acquisition module and a state detection module connected with the message acquisition module; the method comprises the following steps:
the method comprises the steps that a bus message is obtained through a message obtaining module in the running process of an automobile gateway, and the bus message is sent to a state detection module; the state detection module comprises a working condition detection unit and a correlation detection unit;
receiving the bus message through the working condition detection unit, determining current working condition information of the bus message based on preset working condition configured in a prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit;
and determining a current signal correlation condition corresponding to the current working condition information by the correlation detection unit based on a corresponding relation between the working condition information configured in the intrusion detection rule file and the signal correlation condition, and if the signal in the bus message does not meet the current signal correlation condition, determining that the automobile gateway has an intruded risk.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211261726.1A CN115664737B (en) 2022-10-14 Intrusion detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211261726.1A CN115664737B (en) 2022-10-14 Intrusion detection system and method

Publications (2)

Publication Number Publication Date
CN115664737A true CN115664737A (en) 2023-01-31
CN115664737B CN115664737B (en) 2024-05-14




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant