CN115664737B - Intrusion detection system and method - Google Patents

Publication number
CN115664737B
Authority
CN
China
Prior art keywords
message
determining
detection
information
module
Legal status
Active
Application number
CN202211261726.1A
Other languages
Chinese (zh)
Other versions
CN115664737A (en
Inventor
王春锦
高德志
谷倩
张彪
王宗兴
陈浩
Current Assignee
FAW Jiefang Automotive Co Ltd
Original Assignee
FAW Jiefang Automotive Co Ltd
Abstract

The embodiment of the invention discloses an intrusion detection system and method. The system comprises a message acquisition module and a state detection module. The message acquisition module acquires bus messages while the automobile gateway is running and sends them to the state detection module. The state detection module comprises a working condition detection unit and a correlation detection unit. The working condition detection unit receives the bus message, determines its current working condition information based on the preset working conditions configured in a prestored intrusion detection rule file, and sends the current working condition information to the correlation detection unit. The correlation detection unit determines the current signal correlation condition corresponding to the current working condition information, based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and determines that the automobile gateway is at risk of intrusion if the signals in the bus message do not meet the current signal correlation condition.

Description

Intrusion detection system and method
Technical Field
The embodiment of the invention relates to the technical field of vehicle control, in particular to an intrusion detection system and method.
Background
With the development of vehicle intelligence and networking, the number of external interfaces of the automobile keeps increasing. These external interfaces and the internal components of the automobile communicate over a CAN (Controller Area Network) bus, but the arbitration mechanism of the CAN protocol has certain security weaknesses, so attacks from the external interfaces of the whole vehicle on the vehicle-mounted terminal and the in-vehicle network can easily occur.
At present, no system has been proposed for detecting and defending against attacks on in-vehicle communication, so paralysis of the whole vehicle network can easily occur. Providing an intrusion detection system for in-vehicle CAN communication is therefore an urgent problem to be solved.
Disclosure of Invention
The embodiment of the invention provides an intrusion detection system and method, which are used for avoiding the risk of a gateway being attacked and helping to improve the attack defending capability of the gateway.
According to one aspect of the present invention, an intrusion detection system is provided, including a message acquisition module and a state detection module connected with the message acquisition module, wherein:
the message acquisition module is used for acquiring a bus message while the automobile gateway is running and sending the bus message to the state detection module; the state detection module comprises a working condition detection unit and a correlation detection unit;
the working condition detection unit is used for receiving the bus message, determining current working condition information of the bus message based on the preset working conditions configured in a prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit;
the correlation detection unit is used for determining a current signal correlation condition corresponding to the current working condition information based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and, if a signal in the bus message does not meet the current signal correlation condition, determining that an intrusion risk exists in the automobile gateway.
According to another aspect of the present invention, an intrusion detection method applied to the intrusion detection system is provided, the system including a message acquisition module and a state detection module connected to the message acquisition module; the method comprises the following steps:
the message acquisition module acquires a bus message while the automobile gateway is running and sends the bus message to the state detection module; the state detection module comprises a working condition detection unit and a correlation detection unit;
the working condition detection unit receives the bus message, determines current working condition information of the bus message based on the preset working conditions configured in a prestored intrusion detection rule file, and sends the current working condition information to the correlation detection unit;
the correlation detection unit determines a current signal correlation condition corresponding to the current working condition information based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and, if a signal in the bus message does not meet the current signal correlation condition, determines that an intrusion risk exists in the automobile gateway.
In the technical scheme, the message acquisition module acquires the bus message while the automobile gateway is running and sends it to the state detection module, which comprises a working condition detection unit and a correlation detection unit. The working condition detection unit receives the bus message and determines its current working condition information based on the preset working conditions configured in a prestored intrusion detection rule file; the correlation detection unit determines the current signal correlation condition corresponding to the current working condition information based on the correspondence between working condition information and signal correlation conditions configured in the rule file, and determines that an intrusion risk exists in the automobile gateway if the signals in the bus message do not meet the current signal correlation condition. In this way the state detection module checks the correlation of the message signals to decide whether the automobile gateway is at risk of intrusion, which reduces the risk of the gateway being attacked and improves its ability to defend against attacks.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an intrusion detection system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an intrusion detection process provided in accordance with an embodiment of the present invention;
FIG. 3 is a flowchart of an intrusion detection method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "includes," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
FIG. 1 is a schematic diagram of an intrusion detection system according to an embodiment of the present invention. As shown in FIG. 1, the system includes a message acquisition module 10 and a state detection module 11 connected with the message acquisition module 10, wherein:
the message acquisition module 10 is configured to acquire a bus message while the automotive gateway is running and send the bus message to the state detection module 11; the state detection module 11 includes a working condition detection unit 110 and a correlation detection unit 111;
the working condition detection unit 110 is configured to receive the bus message, determine current working condition information of the bus message based on the preset working conditions configured in a prestored intrusion detection rule file, and send the current working condition information to the correlation detection unit 111;
the correlation detection unit 111 is configured to determine a current signal correlation condition corresponding to the current working condition information based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file, and to determine that the automotive gateway has an intrusion risk if a signal in the bus message does not satisfy the current signal correlation condition.
In this embodiment, the message acquisition module 10 may obtain, through a communication interface, the bus messages that each component of the whole vehicle sends to the automotive gateway while the gateway is running, and forward them to the state detection module 11. For example, the bus messages received within a transmission period may be forwarded to the state detection module 11 once per preset transmission period, or each bus message may be forwarded to the state detection module 11 directly as it is received.
Further, the message acquisition module 10 may also acquire the timestamp information of the bus message when acquiring the message, form a message array from the timestamp information and the bus message, and send the bus message to the state detection module 11 in the format of that message array.
In this embodiment, the working condition detection unit 110 in the state detection module 11 receives the bus message. The intrusion detection rule file is stored in advance in the state detection module 11. It holds at least one condition for determining whether a bus message carries an intrusion risk, and may be stored in binary format.
It should be noted that the intrusion detection rule file may be loaded into memory in advance when the automotive gateway is initialized. The file is then parsed, the conditions it stores for judging whether a bus message carries an intrusion risk are identified, and a rule policy index table may be built from these conditions so that the content of the rule file is reflected in the index table. Further, CAN communication database files may also be imported for parsing the received bus messages.
In a specific implementation, a preset working condition configured in the intrusion detection rule file may be a correspondence between message signals and working condition information, and this correspondence may be expressed as a formula. Based on the preset working conditions, the current working condition information corresponding to the currently received bus message can be determined. For example, working condition information may include temperature measurement information, humidity measurement information, engine speed information, and the like.
In a specific implementation, after receiving the current working condition information, the correlation detection unit 111 determines the current signal correlation condition corresponding to it based on the correspondence between working condition information and signal correlation conditions configured in the intrusion detection rule file. The signal correlation condition is whether a correlation relationship holds between the message signals: if it holds, the signals in the bus message satisfy the current signal correlation condition; if not, they do not. The correlation relationship can be expressed as a correlation formula, which is at least one of a linear relationship formula, an inverse relationship formula and a proportional relationship formula.
Specifically, after the current working condition information is determined, the enable state of the engine under the working condition reflected by the bus message can be determined. The enable state is either the enabled state or the non-enabled state. For bus messages acquired in the non-enabled state, the signals are irregular and no correlation between them can be established. For bus messages acquired in the enabled state, whether the signals satisfy the correlation relationship can be determined.
Optionally, when determining whether the signals of the bus message satisfy the correlation relationship, two message signals are taken from the bus message and checked against the correlation formula corresponding to the working condition information. For example, if the current working condition information is a temperature measurement working condition, the corresponding formula is a linear relationship formula, and it must be determined whether the signal values of the two acquired message signals satisfy that linear formula. If they do, the message signals satisfy the correlation relationship, that is, the signals in the bus message meet the current signal correlation condition; if not, the message signals do not satisfy the correlation relationship, that is, the signals in the bus message do not meet the current signal correlation condition. If the signals in the bus message meet the current signal correlation condition, it is determined that the automobile gateway is currently not under intrusion; if they do not, it is determined that the automobile gateway is at risk of intrusion.
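The two units described above, as an added example that is not code from the patent: a rule table maps a frame's CAN ID to its working condition and the correlation formula (linear, proportional or inverse) that two signals in that frame must satisfy, and frames from the non-enabled state are skipped rather than judged. All rule entries, CAN IDs, signal meanings and tolerances are constructed for illustration.

```c
/* Added example (not the patent's own code): working condition lookup and
 * signal correlation check as performed by the state detection module.
 * Rule entries, CAN IDs, signal meanings and constants are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The correlation formula a rule may require between two signals. */
typedef enum { CORR_LINEAR, CORR_INVERSE, CORR_PROPORTIONAL } corr_kind_t;

/* One entry of the (assumed) intrusion detection rule file: the working
 * condition is selected by the frame's CAN ID and carries the correlation
 * that the two signals in the frame must satisfy while the engine is enabled. */
typedef struct {
    uint32_t    can_id;
    const char *condition;    /* e.g. "temperature measurement" */
    corr_kind_t kind;
    double      a, b;         /* LINEAR: s2 = a*s1 + b; PROPORTIONAL: s2 = a*s1; INVERSE: s1*s2 = a */
    double      tol;          /* absolute tolerance allowed on the formula */
} rule_entry_t;

typedef enum { VERDICT_OK = 0, VERDICT_SKIPPED = 1, VERDICT_INTRUSION = 2 } verdict_t;

static const rule_entry_t RULES[] = {
    /* constructed: coolant temperature (deg C) vs. sensor voltage (V), linear */
    { 0x1A0, "temperature measurement", CORR_LINEAR,       0.02,  0.5, 0.05 },
    /* constructed: engine speed (rpm) vs. vehicle speed (km/h) in a fixed gear */
    { 0x2B0, "engine speed",            CORR_PROPORTIONAL, 0.03,  0.0, 0.5  },
    /* constructed: two humidity channel readings whose product is calibrated */
    { 0x3C0, "humidity measurement",    CORR_INVERSE,      100.0, 0.0, 1.0  },
};

static double dabs(double x) { return x < 0 ? -x : x; }

/* Working condition detection unit: map the received frame to its rule. */
static const rule_entry_t *find_condition(uint32_t can_id) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (RULES[i].can_id == can_id) return &RULES[i];
    return NULL;
}

/* Evaluate the correlation formula; 1 when the signal pair satisfies it. */
static int correlation_holds(const rule_entry_t *r, double s1, double s2) {
    switch (r->kind) {
    case CORR_LINEAR:       return dabs(s2 - (r->a * s1 + r->b)) <= r->tol;
    case CORR_PROPORTIONAL: return dabs(s2 - r->a * s1) <= r->tol;
    case CORR_INVERSE:      return dabs(s1 * s2 - r->a) <= r->tol;
    }
    return 0;
}

/* Correlation detection unit.  engine_enabled == 0 is the non-enabled state:
 * signals are irregular there, so no correlation is asserted and the frame
 * is left to the other detection modules.  Unknown IDs are skipped too. */
verdict_t check_correlation(uint32_t can_id, int engine_enabled, double s1, double s2) {
    const rule_entry_t *r = find_condition(can_id);
    if (r == NULL || !engine_enabled) return VERDICT_SKIPPED;
    return correlation_holds(r, s1, s2) ? VERDICT_OK : VERDICT_INTRUSION;
}

int main(void) {
    /* 0.02 * 80 + 0.5 = 2.1: consistent pair */
    printf("consistent:   %d\n", check_correlation(0x1A0, 1, 80.0, 2.1));
    /* voltage signal altered while the temperature signal is left alone */
    printf("inconsistent: %d\n", check_correlation(0x1A0, 1, 80.0, 3.9));
    /* same pair but engine not enabled: not judged */
    printf("not enabled:  %d\n", check_correlation(0x1A0, 0, 80.0, 3.9));
    return 0;
}
```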
In this embodiment, the system further includes: the single packet detection module is connected with the message acquisition module; the message acquisition module is further used for sending the bus message to the single-packet detection module; and the single packet detection module is used for determining the message parameters of the bus message, checking whether the message parameters meet the single packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the intrusion risk exists in the automobile gateway.
The message parameter may include at least one of a message identifier, a message length value, a message period, a physical value of a scene reflected by a signal in the bus message, and a change rate of the physical value.
The single packet detection module can analyze the bus message, determine information such as a time stamp, message content, message identification and the like of the bus message, and determine at least one message parameter of a message length value, a message period, a scene physical value reflected by a signal in the bus message and a physical value change rate based on the information such as the time stamp, the message content, the message identification and the like.
In a specific implementation, whether the message parameters meet the single-packet detection condition is determined. If they do, the received bus message is safe and the automobile gateway is determined to be free of intrusion risk; if they do not, the bus message is abnormal and the automobile gateway is at risk of intrusion.
Optionally, the single packet detection module includes a message identifier detection unit, and the message parameter includes a message identifier; the message identifier detection unit is used for determining the message identifier of the bus message, determining by binary search whether the message identifier meets the single-packet detection condition, and, if not, determining that the automobile gateway is at risk of intrusion.
The single packet detection condition comprises that the message identifier belongs to a preset identifier range.
Specifically, the preset identifier range to which legal bus messages belong and the message identifier of the received bus message are determined. The message identifier detection unit may use binary search to determine whether the message identifier belongs to the preset identifier range. If it does, the message identifier is legal, the single-packet detection condition is met, and the automobile gateway has no intrusion risk; if it does not, the message identifier is illegal, the single-packet detection condition is not met, and the automobile gateway is at risk of intrusion. By way of example, the message identifier may be composed of at least one of characters, numbers and letters, which is not limited by the embodiment of the present invention.
The embodiment ensures that the bus message transmitted to the automobile gateway is legal by verifying the message identifier of the bus message, thereby being beneficial to improving the safety of the automobile gateway.
Optionally, the single packet detection module includes a message length detection unit, and the message parameter includes a message length value; the message length detection unit is used for determining a message length value of the bus message, determining whether the message length value accords with a single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk.
The single packet detection condition includes that the message length value belongs to a preset length value range.
The message length detection unit determines the preset length value range of legal bus messages and the message length value of the currently received bus message, and determines whether the message length value belongs to the preset length value range so as to judge whether the automobile gateway is under intrusion. Specifically, if the message length value belongs to the preset length value range, the message length value is normal, the single-packet detection condition is met, and the automobile gateway is not under intrusion; if it does not, the message length value is abnormal, the single-packet detection condition is not met, and the automobile gateway is at risk of intrusion.
The embodiment ensures that the bus message transmitted to the automobile gateway is a normal message meeting the length requirement by verifying the message length value of the bus message, and more accurately and effectively verifies whether the bus message is abnormal or not.
Optionally, the single packet detection module includes a packet period detection unit, and the packet parameter includes a packet period; the message period detection unit is used for determining a last timestamp of a received last bus message and a current timestamp of a received current bus message, determining a message period of the bus message based on the last timestamp and the current timestamp, determining whether the message period accords with a single packet detection condition, and if not, determining that the automobile gateway has an intrusion risk.
The single packet detection condition includes that an error value between a message period and a standard period is smaller than a preset error value.
Specifically, the message period detection unit determines the message period of the bus message from the previous timestamp of the previous bus message and the current timestamp of the current bus message, and compares the error value between the message period and the standard period. Illustratively, the error value is a number greater than or equal to 0. When the error value is smaller than the preset error value, the message period meets the single-packet detection condition and the bus message is normal; when the error value is greater than or equal to the preset error value, the message period does not meet the single-packet detection condition, the bus message is abnormal, and the automobile gateway is determined to be at risk of intrusion.
According to the embodiment, the message period of the bus message is verified, so that the bus message transmitted to the automobile gateway is ensured to be a normal message meeting the period requirement, and whether the bus message is abnormal or not is verified more accurately and effectively.
Optionally, the single packet detection module includes a signal threshold detection unit, and the message parameter includes a scene physical value reflected by a signal in the bus message; the signal threshold detection unit is used for determining scene information corresponding to the bus message, determining a scene physical value reflected by a signal in the bus message, determining whether the scene physical value accords with a single-packet detection condition or not based on the scene information, and if not, determining that the automobile gateway has an intrusion risk.
The single-packet detection condition comprises that a scene physical value belongs to a preset physical value range corresponding to scene information. Exemplary, the scene information may include a temperature measurement scene, a humidity measurement scene, a rotation speed measurement scene, etc.; the scene physical value corresponds to the scene information, for example, when the scene information is a temperature measurement scene, the scene physical value is a temperature value reflected by the signal.
In a specific implementation, the signal threshold detection unit determines the scene information corresponding to the bus message and the scene physical value reflected by a signal in the bus message, and compares whether the scene physical value belongs to the preset physical value range corresponding to that scene information. When it does, the scene physical value meets the single-packet detection condition and the bus message is normal; when it does not, the scene physical value does not meet the single-packet detection condition, the bus message is abnormal, and the automobile gateway is determined to be at risk of intrusion. For example, when the scene information is a temperature measurement scene, the temperature of each part of the vehicle is theoretically greater than 0 °C while the automobile is running, so the scene physical value should be greater than 0 and the preset physical value range is set to values greater than 0; when the determined scene physical value is -5, it falls outside the preset physical value range.
The embodiment verifies the physical value of the scene reflected by the bus message to ensure that the information reflected by the received bus message accords with the current vehicle running scene, thereby more comprehensively verifying the bus message.
Further, based on the scene physical values reflected by different signals in the bus message, the physical value change rate between the different signals can be determined. The physical value change rate equals the absolute value of the difference between the scene physical values of the two signals divided by the absolute value of the difference between their timestamps. In a specific implementation, a preset physical value change rate range may be configured. It should be noted that in different vehicle scenes the change rate of the physical value reflected by the signal follows a certain rule; for example, in a temperature measurement scene the physical value change rate is the rate of change of the temperature value, and because the temperature of the vehicle changes relatively smoothly and does not jump abruptly, the rate of change of the temperature corresponding to the signal should be greater than 0 and less than a set threshold a, where a is a positive number; the preset physical value change rate range may thus be determined as (0, a).
In a specific implementation, after the preset physical value change rate range is determined, it is determined whether the physical value change rate corresponding to the acquired bus message belongs to that range. If it does, the physical value change rate is normal, the bus message is normal, and there is currently no intrusion risk; if it does not, the physical value change rate is abnormal, the bus message is abnormal, and an intrusion risk currently exists. Whether the bus message is abnormal is thus also verified from the angle of the physical value change rate, so that whether the gateway is under intrusion can be determined accurately.
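The single-packet checks described above (identifier by binary search, length range, period error, scene physical value range and physical value change rate), as an added example that is not code from the patent. The legal ID table, DLC range, standard period, temperature range and threshold a are constructed rule values, and the per-frame state is kept in one record rather than one per CAN ID to keep the example short.

```c
/* Added example (not the patent's own code): the checks of the single packet
 * detection module applied to one decoded frame.  The legal ID table, DLC
 * range, standard period, temperature range and rate threshold "a" are
 * constructed rule values; real values would come from the rule file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit flags naming which single-packet condition a frame failed. */
enum {
    SP_OK         = 0,
    SP_BAD_ID     = 1 << 0,
    SP_BAD_LEN    = 1 << 1,
    SP_BAD_PERIOD = 1 << 2,
    SP_BAD_VALUE  = 1 << 3,
    SP_BAD_RATE   = 1 << 4
};

/* Constructed rule values. LEGAL_IDS must stay sorted for the binary search. */
static const uint32_t LEGAL_IDS[] = { 0x0A0, 0x1A0, 0x1B5, 0x2B0, 0x3C0, 0x4F1, 0x5A2, 0x6E0 };
#define N_IDS (sizeof LEGAL_IDS / sizeof LEGAL_IDS[0])
static const uint8_t  DLC_MIN = 4, DLC_MAX = 8;             /* preset length range */
static const uint32_t STD_PERIOD_MS = 100, PERIOD_TOL_MS = 10;
static const double   TEMP_MIN_C = 0.0, TEMP_MAX_C = 150.0; /* temperature scene */
static const double   RATE_MAX_A = 2.0;                     /* threshold a, deg C per second */

/* Message identifier detection unit: binary search over the sorted ID table. */
int id_is_legal(uint32_t id) {
    size_t lo = 0, hi = N_IDS;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (LEGAL_IDS[mid] == id) return 1;
        if (LEGAL_IDS[mid] < id) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* State carried from the previous frame: last timestamp and last physical
 * value.  A gateway would keep one such record per CAN ID; this example
 * keeps a single record to stay short. */
typedef struct { int have_prev; uint32_t prev_ts_ms; double prev_temp_c; } frame_state_t;
static frame_state_t g_state;

void reset_state(void) { g_state.have_prev = 0; }

/* Run every single-packet check on one frame and return the OR of the flags.
 * temp_c is the scene physical value already decoded from the signal. */
int check_frame(uint32_t id, uint8_t dlc, uint32_t ts_ms, double temp_c) {
    int flags = SP_OK;
    if (!id_is_legal(id))                           flags |= SP_BAD_ID;
    if (dlc < DLC_MIN || dlc > DLC_MAX)             flags |= SP_BAD_LEN;
    if (temp_c < TEMP_MIN_C || temp_c > TEMP_MAX_C) flags |= SP_BAD_VALUE;
    if (g_state.have_prev) {
        /* message period = current timestamp - previous timestamp; the error
         * against the standard period must stay below the preset tolerance */
        uint32_t period = ts_ms - g_state.prev_ts_ms;
        uint32_t err = period > STD_PERIOD_MS ? period - STD_PERIOD_MS : STD_PERIOD_MS - period;
        if (err >= PERIOD_TOL_MS) flags |= SP_BAD_PERIOD;
        /* physical value change rate = |delta value| / |delta t|; it must stay
         * below threshold a.  A rate of exactly 0 (steady reading) is accepted
         * here, although the page writes the range (0, a) as an open interval. */
        if (period > 0) {
            double dv = temp_c - g_state.prev_temp_c;
            if (dv < 0) dv = -dv;
            if (dv / (period / 1000.0) >= RATE_MAX_A) flags |= SP_BAD_RATE;
        }
    }
    g_state.have_prev = 1;
    g_state.prev_ts_ms = ts_ms;
    g_state.prev_temp_c = temp_c;
    return flags;
}

int main(void) {
    reset_state();
    printf("%d\n", check_frame(0x1A0, 8, 1000, 80.0));  /* first frame, no period yet */
    printf("%d\n", check_frame(0x1A0, 8, 1100, 80.1));  /* 100 ms, 1 deg/s: normal */
    printf("%d\n", check_frame(0x1A0, 8, 1200, 80.6));  /* 5 deg/s jump: rate flag */
    printf("%d\n", check_frame(0x1A0, 8, 1230, 80.6));  /* 30 ms period: period flag */
    printf("%d\n", check_frame(0x7FF, 2, 1330, -5.0));  /* unknown ID, short DLC, -5 deg C */
    return 0;
}
```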
Optionally, the system further comprises a flow detection module connected with the message acquisition module; the message acquisition module is also used for sending the bus message to the flow detection module; the flow detection module is used for determining current flow information of the bus message, determining whether the current flow information meets a preset flow condition configured in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk.
The current flow information reflects the number of bus messages received in a preset time period. The preset flow condition may be that the flow value reflected by the current flow information belongs to a preset flow value range. When the current flow value does not belong to the preset flow value range, it is determined that the current flow information does not meet the preset flow condition and that the automobile gateway has an intrusion risk; when the current flow value belongs to the preset flow value range, it is determined that the current flow information meets the preset flow condition and that the automobile gateway has no intrusion risk.
In this embodiment, whether the automobile gateway is at risk is determined from the perspective of bus message flow, which improves the effectiveness and comprehensiveness of determining whether the gateway currently has an intrusion risk.
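The flow check described above and the physical value change rate check of the preceding paragraph, run over a constructed CAN trace, as an added example that is not code from the patent; the speed-signal layout, the 100 ms window, the flow range and the maximum rate are assumptions:

```python
from dataclasses import dataclass

SPEED_ID = 0x1A0   # assumed identifier of a constructed vehicle-speed frame (not from the patent)

@dataclass(frozen=True)
class CanFrame:
    ts_ms: int      # receive timestamp in milliseconds (gateway clock)
    can_id: int
    data: bytes

def decode_speed(data: bytes) -> float:
    """Assumed signal layout: bytes 0-1 big-endian, factor 0.01 km/h."""
    return int.from_bytes(data[0:2], "big") / 100.0

class FlowDetector:
    """Counts frames per fixed time window and checks the count against [flow_min, flow_max]."""

    def __init__(self, window_ms: int, flow_min: int, flow_max: int):
        self.window_ms, self.flow_min, self.flow_max = window_ms, flow_min, flow_max
        self._cur = None    # index of the window currently being counted
        self._count = 0

    def _close(self):
        count, self._count = self._count, 0
        return (self._cur, count, self.flow_min <= count <= self.flow_max)

    def observe(self, ts_ms: int):
        """Feed one receive timestamp; returns (window, count, ok) for each window that just completed."""
        idx = ts_ms // self.window_ms
        if self._cur is None:
            self._cur = idx
        done = []
        while idx > self._cur:      # close the current window and any empty windows in between
            done.append(self._close())
            self._cur += 1
        self._count += 1
        return done

    def flush(self):
        """Close the last (partial) window at the end of a trace."""
        return None if self._cur is None else self._close()

class RateDetector:
    """Checks the change rate of a decoded physical value against a preset maximum (units per second)."""

    def __init__(self, max_rate: float):
        self.max_rate = max_rate
        self._prev = None   # (ts_ms, value) of the previous sample

    def check(self, ts_ms: int, value: float):
        """Returns (rate, ok); the first sample only establishes the baseline."""
        if self._prev is None:
            self._prev = (ts_ms, value)
            return 0.0, True
        prev_ts, prev_val = self._prev
        self._prev = (ts_ms, value)
        dt_ms = ts_ms - prev_ts
        if dt_ms <= 0:              # same or earlier timestamp: any change is instantaneous
            rate = float("inf") if value != prev_val else 0.0
        else:
            rate = (value - prev_val) * 1000.0 / dt_ms
        return rate, abs(rate) <= self.max_rate

def run_detectors(frames, window_ms=100, flow_range=(8, 12), max_rate=30.0):
    """Runs flow and change-rate detection over a frame list; returns findings in arrival order."""
    flow = FlowDetector(window_ms, *flow_range)
    rate = RateDetector(max_rate)
    findings = []
    for f in frames:
        for win, count, ok in flow.observe(f.ts_ms):
            if not ok:
                findings.append(("flow", win, count))
        if f.can_id == SPEED_ID:
            r, ok = rate.check(f.ts_ms, decode_speed(f.data))
            if not ok:
                findings.append(("rate", f.ts_ms, r))
    last = flow.flush()
    if last is not None and not last[2]:
        findings.append(("flow", last[0], last[1]))
    return findings

def build_sample_trace():
    """Constructed trace: SPEED_ID every 10 ms for 300 ms, 10 replayed frames in window 1 (100-199 ms)
    and an implausible +50 km/h jump at 250 ms."""
    frames, speed_c = [], 5000          # speed in hundredths of km/h, starting at 50.00
    for i in range(30):
        ts = i * 10
        speed_c += 5000 if i == 25 else 10
        data = speed_c.to_bytes(2, "big") + bytes(6)
        frames.append(CanFrame(ts, SPEED_ID, data))
        if 10 <= i < 20:                # flood: the same payload replayed 5 ms later
            frames.append(CanFrame(ts + 5, SPEED_ID, data))
    return frames
```

Window 1 holds 20 frames against an allowed 8 to 12, and the jump at 250 ms decodes to 5000 km/h per second, so both findings are reported while the replayed frames alone pass the rate check.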
Optionally, the system further comprises: the log management module is respectively connected with the state detection module, the single packet detection module and the flow detection module; the state detection module is further used for generating first alarm information after determining that the automobile gateway has an invasion risk, and sending the first alarm information to the log management module; the single-packet detection module is also used for generating second alarm information after determining that the automobile gateway has an invasion risk and sending the second alarm information to the log management module; the flow detection module is also used for generating third alarm information after determining that the automobile gateway has an invasion risk and sending the third alarm information to the log management module; the log management module is used for receiving the first alarm information, the second alarm information and the third alarm information, generating log information meeting the requirement of a preset format based on the first alarm information, the second alarm information and the third alarm information, and storing the log information.
Specifically, when at least one of the state detection module, the single packet detection module and the flow detection module determines that the automobile gateway has an intrusion risk, it can generate alarm information and send it to the log management module. The first alarm information reflects the situation in which the automobile gateway has an intrusion risk because the signal in the bus message does not meet the current signal correlation condition; the second alarm information reflects the situation in which the automobile gateway has an intrusion risk because a single-packet bus message is abnormal; the third alarm information reflects the situation in which the automobile gateway has an intrusion risk because the bus message flow is abnormal. The log management module can collect the first, second and third alarm information, generate log information meeting the preset format requirement, and store the log information. For example, the preset format requirement may be that the log information includes a controller identifier, a module identifier, the number of alarms, an alarm identifier code, and so on. By storing the log information, the embodiment makes it convenient to record the intrusion risk conditions of the automobile gateway and provides convenience for operation and maintenance personnel.
Optionally, the system further comprises an alarm uploading module connected with the log management module; the alarm uploading module is used for acquiring the log information according to a preset time period and feeding the log information back to the vehicle-mounted terminal, so that the vehicle-mounted terminal can upload the log information to the server.
Specifically, log information can be periodically obtained from the log management module according to a preset time period to be sent to the vehicle-mounted terminal, so that risk conditions of the vehicle gateway are provided for a user, and the user can check the risk conditions conveniently; further, the vehicle-mounted terminal can upload the log information to the server for storage. According to the embodiment, the log information is provided to the vehicle-mounted terminal and the server through the alarm uploading module, so that a user and operation and maintenance personnel can check the risk condition of the automobile gateway conveniently, the risk condition is processed timely, and the safety of the automobile gateway is improved.
It should be noted that, in the embodiment of the intrusion detection system, each unit and module included are only divided according to the functional logic, but not limited to the above division, so long as the corresponding functions can be implemented; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present invention.
The foregoing details of the corresponding embodiments of the intrusion detection system are described in detail, and specific application scenarios are given below in order to make the technical solution further clear to those skilled in the art.
The intrusion detection system provided in this embodiment may be a CAN communication intrusion detection system deployed on a gateway controller. When the gateway controller is initialized, the CAN communication intrusion detection system loads and stores the CAN communication database file and can determine the format requirements of CAN messages by parsing that file, where the format requirements include information such as the CAN message identifier, period, sending type, message length and signals; this makes it convenient for operation and maintenance personnel to set the intrusion detection rule file according to those format requirements. The CAN communication intrusion detection system can also load and store a preconfigured intrusion detection rule file when the gateway controller is initialized. Furthermore, the CAN communication intrusion detection system can perform addition, deletion, query and modification operations on the intrusion detection rule file based on a modification instruction received from the operation and maintenance terminal.
For example, the intrusion detection rule file may store the period maximum allowable error, the message length, the message signal start bit, the message signal length, the data type, the CAN message transceiving type, the CAN message identifier upper limit, the CAN message identifier lower limit, the flow maximum value, the flow minimum value, and other attributes.
FIG. 2 is a schematic diagram of an intrusion detection process provided in accordance with an embodiment of the present invention; as shown in fig. 2, during the initialization process of the automotive gateway, the intrusion detection rule file is identified and a rule policy index table is generated, where the rule policy index table includes detection conditions such as a preset working condition, a current signal correlation condition corresponding to current working condition information, a single packet detection condition, a preset flow condition, and the like. In the running process of the automobile gateway, the CAN communication intrusion detection system acquires CAN messages through a communication interface, converts the CAN messages into formats which CAN be identified by the flow detection module, the single-packet detection module and the state detection module, forms a CAN array with the CAN messages based on information such as time stamps, message receiving and transmitting directions and the like of the CAN messages, and respectively sends the CAN array to the flow detection module, the single-packet detection module and the state detection module. The three modules respectively perform flow detection, single packet detection and state detection on the CAN message according to the corresponding conditions in the rule policy index table, and if the detection result shows that the CAN message is abnormal, the current intrusion risk of the automobile gateway is indicated; and if the detection result shows that the CAN message is normal, indicating that the automobile gateway is safe currently.
Further, when there is an intrusion risk, each module may generate alarm information and send it to the log management module, which generates log information based on the alarm information. The alarm information may include the index number, in the rule policy index table, of the detection condition that the CAN message failed, together with the error content. The log management module sends log information to the alarm collection module at regular intervals; after receiving it, the alarm collection module judges whether the error content corresponding to the log information already exists, and if so, increases the number of alarms for that error content by one, and if not, stores the error content in the alarm cache. The alarm collection module sends the log information to the vehicle-mounted terminal equipment through CAN communication so that the vehicle-mounted terminal equipment sends the log information to the server background.
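An added example, not the patent's implementation, of the rule policy index table built from identifier limits, length and period attributes, the single-packet identifier (binary search over sorted ranges), length and period checks, and the alarm collection that counts repeated error content into a log record with controller identifier, module identifier, alarm identifier code and number of alarms; the rules, frames and error codes are constructed:

```python
import bisect
from dataclasses import dataclass

@dataclass(frozen=True)
class CanFrame:
    ts_ms: int      # receive timestamp in milliseconds
    can_id: int
    data: bytes

@dataclass(frozen=True)
class Rule:
    """One entry of the rule policy index table (constructed attribute set)."""
    id_lo: int          # CAN message identifier lower limit
    id_hi: int          # CAN message identifier upper limit (id_lo == id_hi for a single id)
    length: int         # expected message length in bytes
    period_ms: int      # standard period; 0 means event-triggered, so no period check
    period_err_ms: int  # period maximum allowable error

class RulePolicyIndex:
    """Rules sorted by id_lo (ranges must not overlap) so a frame's id is located by binary search."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.id_lo)
        self._lows = [r.id_lo for r in self.rules]

    def lookup(self, can_id):
        """Returns (index, rule) of the range containing can_id, or (None, None) outside every range."""
        i = bisect.bisect_right(self._lows, can_id) - 1
        if i >= 0 and can_id <= self.rules[i].id_hi:
            return i, self.rules[i]
        return None, None

class SinglePacketDetector:
    """Identifier, length and period checks of one frame against the rule policy index table."""

    def __init__(self, index):
        self.index = index
        self._last_ts = {}      # last receive timestamp per CAN id

    def check(self, frame):
        """Returns (rule_index, error_code) for every violated condition; an empty list means normal."""
        idx, rule = self.index.lookup(frame.can_id)
        if rule is None:
            return [(None, "ID_OUT_OF_RANGE")]
        errors = []
        if len(frame.data) != rule.length:
            errors.append((idx, "LENGTH"))
        if rule.period_ms:
            prev = self._last_ts.get(frame.can_id)
            self._last_ts[frame.can_id] = frame.ts_ms
            # the period error must stay below the preset error value, otherwise the frame is abnormal
            if prev is not None and abs((frame.ts_ms - prev) - rule.period_ms) >= rule.period_err_ms:
                errors.append((idx, "PERIOD"))
        return errors

class AlarmCollector:
    """Log records in the preset format; repeated error content only increments its alarm count."""

    def __init__(self, controller_id):
        self.controller_id = controller_id
        self._cache = {}

    def collect(self, module_id, rule_index, error_code):
        key = (module_id, rule_index, error_code)
        record = self._cache.get(key)
        if record is None:
            record = {"controller": self.controller_id, "module": module_id,
                      "rule_index": rule_index, "alarm": error_code, "count": 0}
            self._cache[key] = record
        record["count"] += 1
        return record["count"]

    def records(self):
        return list(self._cache.values())

def build_sample_rules():
    """Constructed rule file contents (not the patent's): two periodic ids and one event-triggered range."""
    return [Rule(0x100, 0x100, 8, 10, 3), Rule(0x200, 0x200, 4, 20, 5), Rule(0x300, 0x3FF, 8, 0, 0)]

def build_sample_trace():
    """Constructed trace with one injected 0x100 frame, one short 0x200 frame and two unknown ids."""
    ok8, ok4 = bytes(8), bytes(4)
    return [CanFrame(0, 0x100, ok8), CanFrame(10, 0x100, ok8),
            CanFrame(12, 0x100, ok8),                    # injected: only 2 ms after the previous 0x100
            CanFrame(20, 0x200, ok4), CanFrame(20, 0x100, ok8),
            CanFrame(30, 0x100, ok8), CanFrame(40, 0x200, bytes(3)),   # wrong message length
            CanFrame(40, 0x100, ok8), CanFrame(45, 0x7DF, ok8),        # identifier outside every range
            CanFrame(46, 0x7DF, ok8), CanFrame(50, 0x310, ok8), CanFrame(60, 0x200, ok4)]

def run_single_packet_detection(rules, frames, controller_id="GW"):
    """Feeds every frame through the detector and returns the collected log records."""
    detector = SinglePacketDetector(RulePolicyIndex(rules))
    collector = AlarmCollector(controller_id)
    for f in frames:
        for rule_index, code in detector.check(f):
            collector.collect("single_packet", rule_index, code)
    return collector.records()
```

Note that the injected 0x100 frame at 12 ms also shifts the stored last timestamp, so the legitimate frame at 20 ms is measured against it and still passes; a deployment that wants to keep the legitimate cadence as its reference would only update the timestamp for frames that pass.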
The embodiment realizes monitoring and abnormal alarm of the CAN communication of the in-vehicle network, CAN timely feed back the abnormal condition of the CAN communication to the background server, and is convenient for operation and maintenance personnel to analyze risk events later and increase safety protection measures of related controller software.
FIG. 3 is a flowchart of an intrusion detection method according to an embodiment of the present invention, where the method is applied to an intrusion detection system, and the system includes a message acquisition module and a state detection module connected to the message acquisition module; as shown in fig. 3, the method includes:
S110, acquiring a bus message through a message acquisition module in the running process of the automobile gateway, and sending the bus message to a state detection module; the state detection module comprises a working condition detection unit and a correlation detection unit.
S120, receiving the bus message through the working condition detection unit, determining current working condition information of the bus message based on preset working condition configured in a prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit.
S130, determining a current signal correlation condition corresponding to the current working condition information based on a corresponding relation between the working condition information configured in the intrusion detection rule file and the signal correlation condition through the correlation detection unit, and determining that the automobile gateway has an intrusion risk if the signal in the bus message does not meet the current signal correlation condition.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the system further comprises: the single packet detection module is connected with the message acquisition module; the method further comprises the steps of:
Sending the bus message to a single-packet detection module through a message acquisition module;
and determining message parameters of the bus message through a single-packet detection module, and checking whether the message parameters meet single-packet detection conditions in a prestored intrusion detection rule file, and if not, determining that the automobile gateway has intrusion risk.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the single packet detection module comprises a message identifier detection unit, and the message parameters comprise a message identifier; the step of determining the message parameters of the bus message through the single packet detection module, checking whether the message parameters meet the single packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk comprises:
determining a message identifier of a bus message through a message identifier detection unit, determining whether the message identifier accords with a single-packet detection condition by adopting a dichotomy, and if not, determining that the automobile gateway has an invasion risk;
The single packet detection condition comprises that the message identifier belongs to a preset identifier range.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the single packet detection module comprises a message length detection unit, and the message parameters comprise a message length value; the step of determining the message parameters of the bus message through the single packet detection module, checking whether the message parameters meet the single packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk comprises:
Determining a message length value of a bus message through a message length detection unit, determining whether the message length value accords with a single-packet detection condition, and if not, determining that an intrusion risk exists in the automobile gateway;
the single packet detection condition includes that the message length value belongs to a preset length value range.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the single packet detection module comprises a message period detection unit, and the message parameters comprise a message period; the step of determining the message parameters of the bus message through the single packet detection module, checking whether the message parameters meet the single packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk comprises:
Determining a last time stamp of a received last bus message and a current time stamp of a received current bus message through a message period detection unit, determining a message period of the bus message based on the last time stamp and the current time stamp, determining whether the message period accords with a single packet detection condition, and if not, determining that an intrusion risk exists in an automobile gateway;
the single packet detection condition includes that an error value between a message period and a standard period is smaller than a preset error value.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the single packet detection module comprises a signal threshold detection unit, and the message parameters comprise a scene physical value reflected by a signal in the bus message; the step of determining the message parameters of the bus message through the single packet detection module, checking whether the message parameters meet the single packet detection conditions in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk comprises:
Determining scene information corresponding to the bus message through a signal threshold detection unit, determining a scene physical value reflected by a signal in the bus message, determining whether the scene physical value accords with a single-packet detection condition or not based on the scene information, and if not, determining that the automobile gateway has an invaded risk;
The single-packet detection condition comprises that a scene physical value belongs to a preset physical value range corresponding to scene information.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the system further comprises: the flow detection module is connected with the message acquisition module; the method further comprises the steps of:
sending the bus message to the flow detection module through the message acquisition module;
and determining current flow information of the bus message through the flow detection module, determining whether the current flow information meets a preset flow condition configured in the prestored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the system further comprises: the log management module is respectively connected with the state detection module, the single packet detection module and the flow detection module; the method further comprises the steps of:
After determining that the automobile gateway has an invaded risk through the state detection module, generating first alarm information, and sending the first alarm information to the log management module;
after determining that the automobile gateway has an invaded risk through the single-packet detection module, generating second alarm information, and sending the second alarm information to the log management module;
after determining that the automobile gateway has an invaded risk through the flow detection module, generating third alarm information, and sending the third alarm information to the log management module;
and receiving the first alarm information, the second alarm information and the third alarm information through the log management module, generating log information meeting the requirement of a preset format based on the first alarm information, the second alarm information and the third alarm information, and storing the log information.
On the basis of any optional technical scheme in the embodiment of the invention, optionally, the system further comprises: the alarm uploading module is connected with the log management module; the method further comprises the steps of:
and acquiring log information through an alarm uploading module according to a preset time period, and feeding the log information back to the vehicle-mounted terminal so that the vehicle-mounted terminal can upload the log information to the server.
According to the technical scheme, the bus message is acquired by the message acquisition module in the running process of the automobile gateway, and the bus message is sent to the state detection module, wherein the state detection module comprises a working condition detection unit and a correlation detection unit; the method comprises the steps of receiving a bus message through a working condition detection unit, determining current working condition information of the bus message based on preset working condition configured in a pre-stored intrusion detection rule file, determining current signal correlation conditions corresponding to the current working condition information based on a corresponding relation between the working condition information configured in the intrusion detection rule file and the signal correlation conditions through a correlation detection unit, and determining that an intrusion risk exists in an automobile gateway if signals in the bus message do not meet the current signal correlation conditions. According to the technical scheme provided by the embodiment of the invention, the correlation of the message signals is detected through the state detection module, so that whether the automobile gateway has an intrusion risk or not is determined, the risk of the gateway being attacked is avoided, and the defending and attacking capabilities of the gateway are improved.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (7)

1. An intrusion detection system, comprising: a message acquisition module and a state detection module connected with the message acquisition module; wherein,
The message acquisition module is used for acquiring a bus message and sending the bus message to the state detection module in the running process of the automobile gateway; the state detection module comprises a working condition detection unit and a correlation detection unit;
the working condition detection unit is used for receiving the bus message, determining current working condition information of the bus message based on preset working condition configured in a prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit;
The correlation detection unit is configured to determine a current signal correlation condition corresponding to the current working condition information based on a corresponding relation between the working condition information configured in the intrusion detection rule file and a signal correlation condition, and if a signal in the bus message does not meet the current signal correlation condition, determine that an intrusion risk exists in an automotive gateway;
the intrusion detection system further comprises a single packet detection module connected with the message acquisition module;
the message acquisition module is further configured to send the bus message to the single packet detection module;
The single packet detection module is used for determining the message parameters of the bus message, checking whether the message parameters accord with the single packet detection conditions in the pre-stored intrusion detection rule file, and if not, determining that the automobile gateway has an intrusion risk;
The single packet detection module comprises a message period detection unit and a signal threshold detection unit, and the message parameters comprise a message period and a scene physical value reflected by a signal in the bus message;
The message period detection unit is used for determining a last timestamp of a received last bus message and a current timestamp of a received current bus message, determining a message period of the bus message based on the last timestamp and the current timestamp, determining whether the message period accords with the single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk; the single packet detection condition comprises that an error value between a message period and a standard period is smaller than a preset error value;
The signal threshold detection unit is used for determining scene information corresponding to the bus message, determining a scene physical value reflected by a signal in the bus message, determining whether the scene physical value accords with the single-packet detection condition or not based on the scene information, and if not, determining that the automobile gateway has an intrusion risk; the single packet detection condition further comprises that the scene physical value belongs to a preset physical value range corresponding to the scene information.
2. The system of claim 1, wherein the single packet detection module comprises a message identifier detection unit, and wherein the message parameters comprise a message identifier; wherein,
The message identification detection unit is used for determining the message identification of the bus message, determining whether the message identification accords with the single-packet detection condition or not by adopting a dichotomy, and if not, determining that the automobile gateway has an invasion risk;
the single packet detection condition includes that a message identifier belongs to a preset identifier range.
3. The system of claim 1, wherein the single packet detection module comprises a message length detection unit, and wherein the message parameter comprises a message length value; wherein,
The message length detection unit is used for determining a message length value of the bus message, determining whether the message length value accords with the single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk;
The single packet detection condition includes that the message length value belongs to a preset length value range.
4. The system of claim 1, further comprising: the flow detection module is connected with the message acquisition module; wherein,
The message acquisition module is further configured to send the bus message to the flow detection module;
The flow detection module is used for determining current flow information of the bus message, determining whether the current flow information accords with preset flow conditions or not based on preset flow conditions configured in a prestored intrusion detection rule file, and if not, determining that the automobile gateway has intrusion risk.
5. The system of claim 4, further comprising: the log management module is respectively connected with the state detection module, the single packet detection module and the flow detection module; wherein,
The state detection module is further used for generating first alarm information after determining that the automobile gateway has an invasion risk, and sending the first alarm information to the log management module;
The single-packet detection module is further configured to generate second alarm information after determining that the automotive gateway has an intrusion risk, and send the second alarm information to the log management module;
the flow detection module is further used for generating third alarm information after determining that the automobile gateway has an invasion risk, and sending the third alarm information to the log management module;
The log management module is configured to receive the first alarm information, the second alarm information, and the third alarm information, generate log information meeting a preset format requirement based on the first alarm information, the second alarm information, and the third alarm information, and store the log information.
6. The system of claim 5, further comprising: the alarm uploading module is connected with the log management module; wherein,
The alarm uploading module is used for acquiring the log information according to a preset time period and feeding the log information back to the vehicle-mounted terminal so that the vehicle-mounted terminal can upload the log information to a server.
7. An intrusion detection method, characterized by being applied to an intrusion detection system, wherein the system comprises a message acquisition module and a state detection module connected with the message acquisition module; the method comprises the following steps:
The message acquisition module acquires a bus message in the running process of the automobile gateway and sends the bus message to the state detection module; the state detection module comprises a working condition detection unit and a correlation detection unit;
receiving the bus message through the working condition detection unit, determining current working condition information of the bus message based on preset working condition configured in a prestored intrusion detection rule file, and sending the current working condition information to the correlation detection unit;
Determining a current signal correlation condition corresponding to the current working condition information based on a corresponding relation between working condition information configured in the intrusion detection rule file and signal correlation conditions through the correlation detection unit, and determining that an intrusion risk exists in an automobile gateway if signals in the bus message do not meet the current signal correlation condition;
the intrusion detection system further comprises a single packet detection module connected with the message acquisition module;
The bus message is sent to the single-packet detection module through the message acquisition module;
Determining message parameters of the bus message through the single-packet detection module, and checking whether the message parameters meet single-packet detection conditions in the pre-stored intrusion detection rule file, if not, determining that the automobile gateway has an intrusion risk;
The single packet detection module comprises a message period detection unit and a signal threshold detection unit, and the message parameters comprise a message period and a scene physical value reflected by a signal in the bus message;
Determining a last time stamp of a received last bus message and a current time stamp of a received current bus message through the message period detection unit, determining a message period of the bus message based on the last time stamp and the current time stamp, determining whether the message period accords with the single-packet detection condition, and if not, determining that the automobile gateway has an intrusion risk; the single packet detection condition comprises that an error value between a message period and a standard period is smaller than a preset error value;
Determining scene information corresponding to the bus message through the signal threshold detection unit, determining a scene physical value reflected by a signal in the bus message, determining whether the scene physical value accords with the single-packet detection condition or not based on the scene information, and if not, determining that the automobile gateway has an intrusion risk; the single packet detection condition further comprises that the scene physical value belongs to a preset physical value range corresponding to the scene information.
CN202211261726.1A 2022-10-14 2022-10-14 Intrusion detection system and method Active CN115664737B (en)

Publications (2)

Publication Number Publication Date
CN115664737A CN115664737A (en) 2023-01-31
CN115664737B true CN115664737B (en) 2024-05-14

Family

ID=84988122

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211261726.1A Active CN115664737B (en) 2022-10-14 2022-10-14 Intrusion detection system and method

Country Status (1)

Country Link
CN (1) CN115664737B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200136217A (en) * 2019-05-27 2020-12-07 조선대학교산학협력단 In-vehicle external data intrusion detection apparatus by comparing multiple information entropy and operating method thereof
CN113612786A (en) * 2021-08-09 2021-11-05 上海交通大学宁波人工智能研究院 Intrusion detection system and method for vehicle bus
CN114690745A (en) * 2022-04-07 2022-07-01 中国海洋大学 Intrusion detection method for CAN bus in vehicle
CN114995330A (en) * 2022-05-18 2022-09-02 中国第一汽车股份有限公司 Vehicle CAN bus intrusion detection test method and test system

Also Published As

Publication number Publication date
CN115664737A (en) 2023-01-31

Similar Documents

Publication Publication Date Title
JP7045288B2 (en) Data analysis device, data analysis method and program
CN106462702B (en) Method and system for acquiring and analyzing electronic forensic data in a distributed computer infrastructure
JP7045286B2 (en) Data analysis device, data analysis method and program
US11523292B2 (en) Mobile device protocol health monitoring system
WO2021162473A1 (en) System and method for detecting intrusion into in-vehicle network
CN110325410B (en) Data analysis device and storage medium
CN111934913A (en) Intelligent network management system
CN115951647A (en) Abnormal event detection method and system for UDS vehicle diagnosis service scene
CN109076081B (en) Method for monitoring the safety of a communication connection of a vehicle
KR20160062259A (en) Method, system and computer readable medium for managing abnormal state of vehicle
CN115664737B (en) Intrusion detection system and method
US11694489B2 (en) Message monitoring system, message transmission electronic control unit, and monitoring electronic control unit
JP2021196997A (en) Log transmission control device
CN108206826B (en) Lightweight intrusion detection method for integrated electronic system
EP4106278A1 (en) System and method for detecting intrusion into in-vehicle network
CN114503518B (en) Detection device, vehicle, detection method, and detection program
CN213182719U (en) Weighing data acquisition, storage, distribution and monitoring equipment and system
CN117040865A (en) SecOC communication security event processing method and device and electronic control unit
CN112615766A (en) Safety monitoring device and method for vehicle network
US20240031382A1 (en) In-vehicle apparatus, fraud detection method, and computer program
CN115378697A (en) Data transmission system of ship and ship
CN117544410A (en) Determination method of CAN bus attack type, processor and computer equipment
CN117118731A (en) Network security detection method for automobile CAN bus
CN116226858A (en) Network security test evaluation system and method
CN114221787A (en) Network security processing method, system and storage medium based on time strategy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant