CN115766267A - Controller Area Network (CAN) bus identity authentication method and device and electronic equipment - Google Patents


Publication number: CN115766267A
Authority: CN (China)
Prior art keywords: bus, characteristic value, message information, ecu, bus message
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202211503625.0A
Other languages: Chinese (zh)
Inventor: 刘丁
Current Assignee: Beijing Jingxiang Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Jingxiang Technology Co Ltd

Abstract

The application discloses a Controller Area Network (CAN) bus identity authentication method, a device and electronic equipment. The method comprises: responding to CAN or CAN-FD bus message information sent by a first Electronic Control Unit (ECU) of a sender; calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID; and sending a CAN or CAN-FD bus message information processing instruction to a second ECU of a receiver when the identification result of the image characteristic value corresponding to the CAN ID passes. The method renders the bus message information as a picture, so that the communication legality of each ECU can easily be distinguished through the characteristic value of the communication map; in addition, the method can fuse more information into the same picture and identify the characteristic value through CNN technology, so that the characteristic value carries more and more comprehensive information.

Description

Controller Area Network (CAN) bus identity authentication method and device and electronic equipment
Technical Field
The present application relates to the field of automotive communication security, and in particular, to a method and an apparatus for authenticating an identity of a Controller Area Network (CAN) bus, and an electronic device.
Background
Automobile information security has become the most important concern of the current regulatory authorities in China. The information security of intelligent connected vehicles is divided into in-vehicle information security and off-vehicle information security; within in-vehicle information security, the security of on-board communication is the most important, and at present the in-vehicle bus is mainly transmitted over CAN/CAN-FD. How to ensure the security of CAN/CAN-FD bus communication therefore remains the core security problem for CAN/CAN-FD bus information security.
Identity authentication technology is an effective solution that arose from the need to confirm the identity of an operator: it is the process of verifying whether the real identity of a subject is consistent with the identity it claims, and it can be divided into authentication between a user and a host and authentication between hosts. Traditional identity authentication techniques include static passwords, SMS passwords, dynamic passwords, digital signatures, biometric identification, X.509 certificates, and the like.
If the CAN/CAN-FD bus is attacked with forged illegal messages, serious consequences can result for automobiles, particularly intelligent connected automobiles, and the safety of passengers is threatened.
It should be noted that the statements herein merely provide background information related to the present application and may not necessarily constitute prior art.
Disclosure of Invention
In view of the above, the present application proposes a Controller Area Network (CAN) bus identity authentication method, apparatus and system that overcome the above problems or at least partially solve them.
The embodiment of the application adopts the following technical scheme:
in a first aspect, an embodiment of the present application provides a controller area network CAN bus identity authentication method, where the method includes: responding to CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identification number CAN ID; calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID; and sending a CAN or CAN-FD bus message information processing instruction to a second ECU of a receiver under the condition that the identification result of the image characteristic value corresponding to the CAN ID passes.
Preferably, the invoking a preset SDK interface performs preset conversion processing on the CAN or CAN-FD bus message information, including: calling a preset SDK interface to analyze the CAN or CAN-FD bus message information and performing picture processing on the analyzed bus message information to obtain a communication map picture corresponding to the CAN ID; and identifying the communication map picture through a preset neural network model to obtain an image characteristic value corresponding to the communication map picture.
Preferably, the invoking of a preset SDK interface to analyze the CAN or CAN-FD bus message information and perform picturization processing on the analyzed bus message information includes: calling the SDK data parser (Parser) to convert the bus message information into syntax tree information, so as to obtain the parsing information of the bus message information; performing picture processing on the parsing information and its context information to obtain a picture of the message; and stamping a timestamp on the picture of the message.
Optionally, the sending, to the second ECU of the receiver, a CAN or CAN-FD bus message information processing instruction under the condition that the recognition result of the image feature value corresponding to the CAN ID passes includes: inquiring an image characteristic value database, and confirming whether the image characteristic value passes authentication; and if the inquiry authentication passes, sending a CAN or CAN-FD bus message information processing instruction to a second ECU of the receiver.
Optionally, the querying the image feature value database to determine whether the image feature value is authenticated, and then further includes: if the query authentication is not passed, performing identity verification on the image characteristic value; if the image characteristic value identity authentication is passed, the image characteristic value is recorded into a characteristic value database and a CAN or CAN-FD bus message information processing instruction is sent to a second ECU of a receiver; and if the image characteristic value identity authentication is not passed, sending a CAN or CAN-FD bus message information discarding indication to a second ECU of a receiver.
Optionally, the recognizing the communication map picture through a preset neural network model includes: identifying each communication map picture through a Convolutional Neural Network (CNN), wherein the communication map pictures comprise black and white communication map pictures; and the image characteristic value in the image characteristic value database is authenticated again when the CAN bus is awakened again.
Optionally, the method for authenticating an identity of a controller area network CAN bus further includes: receiving CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identity (CAN ID); receiving an identification result of a preset SDK on CAN or CAN-FD bus message information sent by a first ECU; and processing the CAN or CAN-FD bus message information sent by the first ECU under the condition that the received identification result is passed.
In a second aspect, an embodiment of the present application further provides an identity authentication apparatus for a controller area network, CAN, bus, where the apparatus includes: the response unit responds to CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identification number CAN ID; the image characteristic value acquisition unit is used for calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID; and the indicating unit is used for sending a CAN or CAN-FD bus message information processing instruction to the second ECU of the receiver under the condition that the identification result of the image characteristic value corresponding to the CAN ID passes.
In a third aspect, an embodiment of the present application further provides an electronic device, including: controller area network CAN bus identity authentication device, processor; and a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of the first aspect.
In a fourth aspect, embodiments of the present application further provide a computer-readable storage medium storing one or more programs that, when executed by an electronic device including a plurality of application programs, cause the electronic device to perform the method of the first aspect.
The embodiments of the application adopt at least one technical scheme that achieves the following beneficial effects: the method can fuse more information into the same picture and then extract the characteristic value with Convolutional Neural Network (CNN) technology, so that the characteristic value carries more and more comprehensive information; at the same time, the method and the device ensure ECU communication identity authentication without increasing cost and without changing the existing ECUs.
The above is only an outline of the technical solutions of the present application. The embodiments of the present application are described below so that the technical means of the application can be understood more clearly and so that the above and other objects, features and advantages of the application become more apparent.
Drawings
Various additional advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic diagram of bus authentication interaction in an embodiment of the present application;
FIG. 2 is a schematic diagram of a bus identity authentication processing module according to an embodiment of the present application;
FIG. 3 is a flowchart of an SDK side bus identity authentication method according to an embodiment of the present application;
FIG. 4 is a flowchart of a method for authenticating an identity of a bus on the ECU side of a receiver in the embodiment of the present application;
FIG. 5 is a schematic diagram of a bus authentication device according to an embodiment of the present application;
FIG. 6 is a flowchart of a bus authentication service in an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
A CAN bus identity authentication method is designed for the current situation in which traditional cryptography is difficult to apply to CAN bus communication security: based on the characteristics of CAN bus communication, bus message information is rendered as an image, image characteristic values are extracted, and the communication legality of each ECU is distinguished according to those characteristic values. The method improves the security of CAN bus communication.
At present, attacks on the CAN/CAN-FD bus can be divided into three categories: forgery, tampering and replay.
Forgery: a forged ECU is connected to the CAN/CAN-FD bus and sends illegal vehicle control messages;
Tampering: CAN/CAN-FD transmits in plaintext and the receiving end lacks a verification mechanism, so CAN/CAN-FD messages can be tampered with;
Replay: the CAN/CAN-FD protocol is vulnerable and lacks a complete replay-resistant mechanism. Of these, forgery is closely related to identity authentication and is the attack this application addresses.
The current mainstream technical scheme realizes ECU identity authentication by inserting a CMAC into the CAN/CAN-FD message, for example the SecOC protocol. SecOC uses a CMAC based on AES-128, a symmetric encryption technology, so every communication unit must hold the same secret key; only the communication units that possess the key can communicate with each other.
Although the CMAC is applied by the SecOC protocol and has been recommended by AUTOSAR, its adoption faces many challenges. For example, because the CMAC is based on cryptography, the secure storage of keys must be ensured, and the available ways are a hardware HSM or a software SE. A hardware HSM, whether internal or external to the MCU, increases component cost, which is unacceptable to many vehicle manufacturers.
A software SE occupies the computing power, ROM and RAM of the MCU; the hardware resources of many current parts are already more than 90% used, so sufficient resources for a software SE basically cannot be provided.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
The embodiment of the application provides a controller area network CAN bus identity authentication method, device and system. As shown in FIG. 1, the present application is mainly directed to identity authentication of automobile part ECUs (electronic control units) and involves a sender ECU, a communication map software development kit (SDK), and a receiver ECU. The sender ECU sends CAN message information, and both the receiver ECU and the communication map SDK receive it. After receiving the message information, the receiver ECU does not process it directly but waits for a processing instruction from the communication map SDK, and then handles the received message differently according to the processing instruction it receives.
The identity authentication method of the controller area network CAN bus requires no modification of low-cost parts with scarce resources and does not increase their cost; it does, however, need to run on parts with ample computing power and hardware resources, such as a TBOX or DA host.
As shown in FIG. 2, to show clearly the functions performed by the communication map SDK in the present application, the communication map SDK is divided into the following functional modules: data acquisition, Parser (data parsing), communication map, characteristic value generation, characteristic value database, authentication center, and access control. The specific functions of the modules are as follows:
the data acquisition module monitors and receives all CAN/CAN-FD messages on the bus;
the Parser (data parsing) module parses and preprocesses the received CAN messages, converting the bus message information into syntax tree information to obtain the parsing information and context information of the bus message;
the communication map module transforms the CAN message processed by the Parser into a picture. Specifically, the message of each CAN ID is turned into a black-and-white picture, a timestamp is merged into that picture, and finally each CAN ID is represented by a communication map;
the characteristic value generation module identifies the communication map through a neural network, such as Convolutional Neural Network (CNN) technology, to form an image characteristic value;
the characteristic value database stores the image characteristic values of the pictures corresponding to the CAN IDs; when the bus is awakened again, the characteristic value database must re-authenticate all ECUs;
the authentication center performs identity authentication on the communication map characteristic value of a part ECU, confirms the identity of the ECU, and informs access control whether to send a blocking message;
access control sends the identity authentication result to the receiver ECU, that is, it instructs the receiver ECU to accept the message or block it.
As shown in FIG. 3, a schematic flow chart of the method for authenticating the identity of the controller area network CAN bus on the SDK side in the embodiment of the present application is provided; the method includes at least the following steps S310 to S330, all of which are performed on the communication map SDK communication unit.
Step S310, responding to CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identification number CAN ID.
The CAN bus is a broadcast bus: all nodes can listen to all transmitted messages, and every node always captures every message. Each ECU has a unique ID on the CAN communication bus and is distinguished in its operation by that unique ID number. CAN IDs have different meanings, and each CAN ECU can receive and send messages with several different IDs. The CAN ID acts as a message filter: when the ID of a message on the bus matches an ID the ECU accepts, the corresponding message can be received.
According to the method and the device, security authentication is performed against attacks on the CAN bus, and identity authentication is performed through the communication map SDK, so that the receiver ECU processes only CAN messages that pass authentication. Specifically, after receiving the CAN or CAN-FD bus message information sent by the sender ECU, the communication map SDK responds to the received CAN or CAN-FD bus message information and performs the subsequent corresponding processing.
Step S320, calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID.
The communication map SDK acquires and monitors CAN messages. When a CAN message is acquired, monitored and received, the message is parsed; the parsed message information and its context then generate a black-and-white map through the communication map module, and the generated black-and-white communication map is sent to the characteristic value generation module, which generates the characteristic value. Characteristic value generation uses a neural network (such as Convolutional Neural Network (CNN) technology) to quantize the black-and-white communication map into an image characteristic value, so as to obtain the image characteristic value corresponding to the CAN ID.
Step S330, sending a CAN or CAN-FD bus message information processing instruction to the second ECU of the receiver when the identification result of the image characteristic value corresponding to the CAN ID passes.
The characteristic value database is queried; if the database contains the image characteristic value, the image characteristic value corresponding to the CAN ID is determined to be authenticated, and an authentication-passed result is sent to the receiver ECU to indicate that it can process the message. Whether a CAN message is legal is authenticated by querying the image characteristic value, so that attacks on the CAN/CAN-FD bus can be avoided and the safety of the vehicle is ensured.
In some examples of the present application, the invoking a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information includes: calling a preset SDK interface to analyze the CAN or CAN-FD bus message information and performing picture processing on the analyzed bus message information to obtain a communication map picture corresponding to the CAN ID; and identifying the communication map picture through a preset neural network model to obtain an image characteristic value corresponding to the communication map picture.
The communication map SDK can capture all data messages sent by the ECU, and the data parsing module parses the message information into syntax tree information so that it can be analyzed. The bus message information containing the CAN ID, together with its context, is rendered as an image by the communication map module in the SDK; the purpose is to extract the characteristic value of the image with a neural network model, and the characteristic value is unique because it contains the CAN ID information.
In some examples of the present application, the invoking of the preset SDK interface to analyze the CAN or CAN-FD bus message information and to perform the picturization processing on the analyzed bus message information includes:
calling the SDK data parser (Parser) to convert the bus message information into syntax tree information, so as to obtain the parsing information of the bus message information; performing picture processing on the parsing information and its context information to obtain a picture of the message; and stamping a timestamp on the picture of the message.
In bus communication, signaling is processed under a strict time sequence: a message that is not responded to before it times out can be discarded, and in some scenarios an anomaly can be reported. The timestamp is therefore of great reference value for analyzing a message. Stamping the timestamp on the picturized message information makes the timing relationship between bus messages clearly determinable, after which a response message received within the preset processing duration can be given the preset processing; the preset processing is the conventional way CAN bus information is handled and is not repeated here.
In some examples of the application, the sending a CAN or CAN-FD bus message processing instruction to the second ECU of the receiver when the result of identifying the image feature value corresponding to the CAN ID passes includes: inquiring an image characteristic value database, and confirming whether the image characteristic value passes authentication; and if the inquiry authentication passes, sending a CAN or CAN-FD bus message information processing instruction to a second ECU of the receiver.
The characteristic value database is one of the modules of the SDK and stores the picture characteristic value corresponding to each CAN ID; when a CAN ID is added, the characteristic value database is updated once. Whether a CAN ID is authenticated can be confirmed by querying and comparing against the characteristic value database: if the database holds a corresponding characteristic value, the message sent by the ECU is authenticated, the SDK sends an authentication-passed instruction to the access control module, and the access control module translates it into an instruction to the receiver ECU that the message is a security-authenticated message and can be parsed.
In some examples of the present application, the querying the image feature value database to determine whether the image feature value is authenticated further comprises: if the query authentication is not passed, performing identity verification on the image characteristic value; if the identity authentication of the image characteristic value passes, the image characteristic value is recorded into a characteristic value database and a CAN or CAN-FD bus message information processing instruction is sent to a second ECU of a receiver; and if the image characteristic value identity authentication is not passed, sending a CAN or CAN-FD bus message information discarding indication to a second ECU of a receiver.
If querying the characteristic value database shows that the image characteristic value corresponding to the CAN ID is not recorded, the SDK sends the characteristic value to the authentication center module to initiate authentication of the image characteristic value. The authentication module confirms whether the message is legal by querying the information related to the sending ECU; if it is legal, the image characteristic value is stored in the characteristic value database to facilitate subsequent queries and authentication. If it is illegal, the result is sent to the access control module, which translates it into an instruction to the receiver ECU to discard the message, thereby preventing the CAN bus communication security fault that parsing an illegal message would cause.
In some examples of the present application, the identifying the communication map picture through a preset neural network model includes: identifying each communication map picture through a Convolutional Neural Network (CNN), wherein the communication map pictures comprise black and white communication map pictures; and the image characteristic value in the image characteristic value database is authenticated again when the CAN bus is awakened again.
In the processing of a CNN convolutional neural network, black-and-white images are processed much faster, and converting to black and white does not affect the communication map picture, so converting the communication map picture into a black-and-white image greatly improves the processing speed of the neural network. To clean discarded characteristic values out of the characteristic value database in time and keep queries efficient, when the CAN bus is awakened again the characteristic value database must be emptied and all image characteristic values must be re-authenticated.
As shown in FIG. 4, a schematic flow chart of the method for authenticating the identity of the controller area network CAN bus on the receiver ECU side in the embodiment of the present application is provided; the method includes at least the following steps S410 to S430, all of which apply to the receiver ECU.
Step S410, CAN or CAN-FD bus message information sent by a first ECU of a sender is received, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identification number CAN ID.
The CAN bus is a broadcast bus: all nodes can listen to all transmitted messages, and every node always captures every message. Each ECU has a unique ID on the CAN communication bus and is distinguished in its operation by that unique ID number. CAN IDs have different meanings, and each CAN ECU can receive and send messages with several different IDs. The CAN ID acts as a message filter: when the ID of a message on the bus matches an ID the ECU accepts, the corresponding message can be received.
The method and the device perform security authentication against attacks on the CAN bus, and perform identity authentication through the communication map SDK, so that the receiver ECU processes only CAN messages that pass authentication. Specifically, after receiving the CAN or CAN-FD bus message information sent by the sender ECU, the communication map SDK responds to the received CAN or CAN-FD bus message information and performs the subsequent corresponding processing.
Step S420, receiving the identification result of the preset SDK for the CAN or CAN-FD bus message information sent by the first ECU.
After receiving the CAN bus message sent by the sender ECU, the receiver ECU does not process it directly but waits for the authentication result of the communication map SDK; that result carries the instruction for the receiver ECU's further processing of the bus message.
Step S430, processing the CAN or CAN-FD bus message information sent by the first ECU when the received identification result is passed.
Only when the indication information sent by the SDK to the receiver ECU is authentication passed does the receiver ECU process the CAN or CAN-FD bus message information sent by the sender ECU.
If the indication information sent by the SDK to the receiver ECU is authentication failure, the receiver ECU discards the CAN or CAN-FD bus message information sent by the sender ECU, so that vehicle safety is not threatened by parsing and processing unauthenticated information.
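Steps S310 to S330 on the SDK side and S410 to S430 on the receiver side, together with the module split of FIG. 2 (parser context, communication map, characteristic value database, authentication center, access control), as an added Go simulation written for this page; it is not code from the patent or its assignee. The parser context (the gap to the previous frame with the same CAN ID), the black-and-white map layout in `Rasterize`, the `Profile` registry the authentication center consults, the CAN IDs 0x1A0 and 0x7FF and the trace of frames are all assumptions made for the example, and a SHA-256 over two rows of the map stands in for the CNN feature extractor, which the patent does not specify and which cannot run offline here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Frame is one CAN/CAN-FD frame as the data acquisition module sees it; TS is microseconds since wake-up.
type Frame struct{ ID uint32; Data []byte; TS uint64 }

// Profile is the authentication centre's knowledge of the legitimate sender of a CAN ID (constructed).
type Profile struct{ DLC int; MinCycleUs, MaxCycleUs uint64 }

// SDK bundles the communication map SDK modules: parser context, characteristic value database, authentication centre.
type SDK struct {
	lastTS    map[uint32]uint64 // parser context: last timestamp seen per CAN ID
	featureDB map[string]bool   // characteristic value database: authenticated feature values
	registry  map[uint32]Profile
}

// Wake models bus wake-up: context and feature database are emptied, so every ECU is authenticated afresh.
func (s *SDK) Wake() { s.lastTS, s.featureDB = map[uint32]uint64{}, map[string]bool{} }
func (s *SDK) KnownFeatures() int { return len(s.featureDB) }

// CycleBucket quantises an inter-arrival gap to its bit length, so the jitter of a periodic message
// lands on one value while a message injected far off its cycle does not.
func CycleBucket(gapUs uint64) uint32 { return uint32(bits.Len64(gapUs)) }

// Rasterize draws the black-and-white communication map as rows of 32 pixels: the CAN ID, the DLC
// with the cycle bucket, one row per data byte, and finally the timestamp stamped onto the picture.
func Rasterize(f Frame, gapUs uint64) []uint32 {
	rows := []uint32{f.ID, uint32(len(f.Data))<<8 | CycleBucket(gapUs)}
	for _, d := range f.Data {
		rows = append(rows, uint32(d))
	}
	return append(rows, uint32(f.TS))
}

// FeatureValue stands in for the CNN: it hashes only the two rows that describe the sender's
// behaviour (ID, DLC, cycle bucket), so the value stays the same across a legitimate ECU's periodic frames.
func FeatureValue(rows []uint32) string {
	h := sha256.New()
	fmt.Fprintf(h, "%08x%08x", rows[0], rows[1])
	return hex.EncodeToString(h.Sum(nil))[:16]
}

// Handle runs steps S310 to S330 for one frame; true tells the receiver ECU to process it, false to discard it.
func (s *SDK) Handle(f Frame) bool {
	var gap uint64 // parser context: gap to the previous frame with the same CAN ID (0 for the first)
	if prev, ok := s.lastTS[f.ID]; ok {
		gap = f.TS - prev
	}
	s.lastTS[f.ID] = f.TS
	fv := FeatureValue(Rasterize(f, gap))
	if s.featureDB[fv] { // S330: this feature value is already authenticated
		return true
	}
	// Unknown value: the authentication centre checks the message against its sender's profile.
	p, ok := s.registry[f.ID]
	if ok && len(f.Data) == p.DLC && (gap == 0 || gap >= p.MinCycleUs && gap <= p.MaxCycleUs) {
		s.featureDB[fv] = true // record it so later queries pass without re-authentication
		return true
	}
	return false
}

// ReceiverECU captures every broadcast frame but acts on it only when the SDK's instruction arrives (S410 to S430).
type ReceiverECU struct{ Processed, Discarded []Frame }

func (r *ReceiverECU) Act(f Frame, process bool) {
	if process {
		r.Processed = append(r.Processed, f)
	} else {
		r.Discarded = append(r.Discarded, f)
	}
}

// RunScenario replays a constructed trace: a legitimate ECU sending 0x1A0 every 10 ms, a forged 0x1A0
// injected 1 ms after a genuine frame, and an ID 0x7FF that no registered ECU sends.
func RunScenario() ([]bool, *ReceiverECU, *SDK) {
	sdk := &SDK{registry: map[uint32]Profile{0x1A0: {DLC: 8, MinCycleUs: 8000, MaxCycleUs: 12000}}}
	sdk.Wake()
	ecu := &ReceiverECU{}
	legit := []byte{0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80}
	trace := []Frame{{0x1A0, legit, 10000}, {0x1A0, legit, 20000}, {0x1A0, legit, 30000},
		{0x1A0, []byte{0xFF, 0, 0, 0, 0, 0, 0, 0}, 31000}, {0x1A0, legit, 40000}, {0x7FF, []byte{1, 2}, 41000}}
	var verdicts []bool
	for _, f := range trace {
		v := sdk.Handle(f) // SDK side; the receiver already holds the frame and waits for this verdict
		ecu.Act(f, v)
		verdicts = append(verdicts, v)
	}
	return verdicts, ecu, sdk
}

func main() {
	verdicts, ecu, _ := RunScenario()
	fmt.Println("verdicts:", verdicts, "processed:", len(ecu.Processed), "discarded:", len(ecu.Discarded))
}
```

Because the parser's per-ID context is updated by every frame on the bus, a forged frame also shifts the gap measured for the next legitimate one; in the constructed trace the genuine frame at 40 ms still lands in the same cycle bucket, but a pipeline built on inter-arrival timing has to be evaluated for this effect. After `Wake()` the first frame of each ID goes through the authentication center again, which is the re-authentication on wake-up that the text describes.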
The embodiment of the present application further provides a controller area network CAN bus identity authentication apparatus 500; as shown in FIG. 5, a schematic diagram of a CAN bus identity authentication structure in the embodiment of the present application is provided, and the apparatus 500 includes at least a response unit 510, an image characteristic value acquisition unit 520 and an indication unit 530, wherein:
in an embodiment of the application, the response unit 510 is specifically configured to:
responding to CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identification number CAN ID.
The CAN bus is a broadcast bus: every node can listen to every transmitted message, and every node always captures every message. Each ECU has a unique ID on the CAN bus, and the operations of different ECUs are distinguished by this unique ID number. Different CAN IDs have different meanings, and each CAN ECU can receive and send messages with several different IDs. The CAN ID acts as a message filter: when the ID of a message on the bus matches an ID the ECU is configured to receive, the corresponding message is received.
In an embodiment of the present application, the image feature value obtaining unit 520 is specifically configured to:
calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID.
The communication map SDK performs data acquisition and monitoring on CAN messages. When a CAN message is acquired, monitored and received, the message is parsed; the parsed message information together with its context is then turned into a black-and-white map by the communication map module, and the generated black-and-white communication map is passed to the characteristic value generation module, which generates the characteristic value. Characteristic value generation uses a neural network (such as a Convolutional Neural Network (CNN)) to quantize the black-and-white communication map into an image characteristic value, which is the image characteristic value corresponding to the CAN ID.
In an embodiment of the present application, the indicating unit 530 is specifically configured to:
sending a CAN or CAN-FD bus message information processing instruction to a second ECU of a receiver under the condition that the identification result of the image characteristic value corresponding to the CAN ID passes.
The indicating unit queries a characteristic value database. If the image characteristic value is present in the database, the image characteristic value corresponding to the CAN ID is determined to be authenticated, and an "authentication passed" result is sent to the receiver ECU, indicating that the receiver ECU can process the message. Whether a CAN message is legitimate is thus authenticated by looking up its image characteristic value, which prevents attacks on the CAN/CAN-FD bus and safeguards the vehicle.
It can be understood that the above CAN bus identity authentication apparatus can implement each step of the CAN bus identity authentication method provided in the foregoing embodiment, and that the explanations given for the CAN bus identity authentication method apply equally to the CAN bus identity authentication apparatus; they are not repeated here.
Fig. 6 is a flow chart of the CAN bus authentication service in one embodiment of the present application. Specifically, when the sender ECU wants to send a certain message and the message appears on the bus and is received by the receiver ECU, the receiver ECU does not process the message directly; it waits until identity authentication has passed before processing it.
The sender ECU sends a CAN message; data acquisition monitors and receives the message and passes it to the Parser module for preprocessing. The Parser module normalizes the message so that the subsequent communication map module can conveniently generate a black-and-white map; once the black-and-white communication map is generated, it is passed to the characteristic value generation module. Characteristic value generation uses CNN technology to convert the black-and-white communication map into a picture characteristic value, and the resulting characteristic value is then looked up in the characteristic value database to check whether it has been authenticated. If the lookup finds the value authenticated, it is handed directly to the access control module for a decision; if not, the message is handled by the authentication center, which judges whether the characteristic value can be accepted by confirming the message content and reports the result to the access control module. The access control module decides on the basis of the information from the authentication center and the characteristic value database: if the message is normal, it sends a "message qualified" instruction to the receiver, which may then process the message; if the message is abnormal, the receiver discards it.
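The flow described above (and the receiver-side gating of steps S420 and S430), as an added example that is not code from the patent or from the applicant's SDK. It walks constructed frames through the stages of fig. 6: the receiver's CAN ID acceptance filter, the Parser module, the communication map module, characteristic value generation, the characteristic value database with the authentication center as fallback, access control, and finally the receiver ECU processing or discarding the frame. The frame layout, the 18x32 bitmap, the digest that stands in for the CNN characteristic value, the use of the previously seen CAN ID as "context", and the authentication center's provisioning table are all assumptions made for this example.

```python
# Added example; not code from the patent or from the applicant's SDK. Frame layout,
# bitmap, the hash standing in for the CNN characteristic value, "previous CAN ID" as
# context, and the authentication centre's provisioning table are all assumptions.
import hashlib
import time
from dataclasses import dataclass

PROCESS, DISCARD, IGNORED = "process", "discard", "ignored"


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes
    extended: bool = False  # 29-bit identifier when True, 11-bit otherwise


@dataclass(frozen=True)
class AcceptanceFilter:
    """Classic code/mask ID filter of a CAN controller: only bits set in mask are compared."""
    code: int
    mask: int
    extended: bool = False

    def matches(self, frame: CanFrame) -> bool:
        return frame.extended == self.extended and (frame.can_id & self.mask) == (self.code & self.mask)


def parse_frame(frame: CanFrame) -> dict:
    """Parser module: validate a raw frame and normalise it into flat fields."""
    id_max = 0x1FFFFFFF if frame.extended else 0x7FF
    if not 0 <= frame.can_id <= id_max:
        raise ValueError("CAN ID out of range")
    if len(frame.data) > 64:  # CAN-FD payload limit
        raise ValueError("payload too long")
    return {"id": frame.can_id, "dlc": len(frame.data), "data": frame.data}


def build_map(parsed: dict, prev_id: int) -> list[list[int]]:
    """Communication map module: render the frame plus its context (assumed here to be
    the previously seen CAN ID) as an 18x32 black(1)/white(0) bitmap."""
    words = [parsed["id"], (parsed["dlc"] << 24) | (prev_id & 0xFFFFFF)]
    payload = parsed["data"].ljust(64, b"\x00")
    words += [int.from_bytes(payload[i:i + 4], "big") for i in range(0, 64, 4)]
    return [[(w >> (31 - bit)) & 1 for bit in range(32)] for w in words]


def feature_value(bitmap: list[list[int]]) -> str:
    """Characteristic value generation: a digest of the bitmap stands in for the CNN
    feature vector. The timestamp stamped on the picture is kept out of the input so
    that identical frames in identical context map to identical values."""
    packed = b"".join(int("".join(map(str, row)), 2).to_bytes(4, "big") for row in bitmap)
    return hashlib.sha256(packed).hexdigest()[:16]


class AuthenticationCenter:
    """Fallback for unknown characteristic values: confirms the message content against
    provisioned CAN ID -> expected DLC definitions (the table is an assumption)."""

    def __init__(self, provisioned: dict[int, int]):
        self.provisioned = provisioned

    def verify(self, parsed: dict) -> bool:
        return self.provisioned.get(parsed["id"]) == parsed["dlc"]


class CommunicationMapSdk:
    """Data acquisition, Parser, map, characteristic value, database and access control."""

    def __init__(self, center: AuthenticationCenter):
        self.center = center
        self.database: set[str] = set()  # characteristic value database
        self.db_hits = 0
        self.prev_id = 0

    def authenticate(self, frame: CanFrame) -> tuple[str, str]:
        parsed = parse_frame(frame)
        picture = {"bitmap": build_map(parsed, self.prev_id), "timestamp": time.time()}
        self.prev_id = parsed["id"]
        fv = feature_value(picture["bitmap"])
        if fv in self.database:  # already authenticated: straight to access control
            self.db_hits += 1
            return PROCESS, fv
        if self.center.verify(parsed):  # first sighting: verify content, then enrol
            self.database.add(fv)
            return PROCESS, fv
        return DISCARD, fv


class ReceiverEcu:
    """Second ECU: frames passing the ID filter are held until the SDK's indication arrives."""

    def __init__(self, sdk: CommunicationMapSdk, filters: list[AcceptanceFilter]):
        self.sdk, self.filters = sdk, filters
        self.processed: list[CanFrame] = []
        self.discarded: list[CanFrame] = []

    def on_frame(self, frame: CanFrame) -> str:
        if not any(f.matches(frame) for f in self.filters):
            return IGNORED  # not addressed to this ECU; never reaches the application
        verdict, _ = self.sdk.authenticate(frame)  # frame is held until the verdict
        (self.processed if verdict == PROCESS else self.discarded).append(frame)
        return verdict
```

Two points the example makes concrete: the acceptance filter alone is not authentication, since a forged frame carrying a legitimate CAN ID passes it and is stopped only by the characteristic value lookup and the authentication center's content check; and because the context is folded into the map, the same frame produces a different characteristic value after a different predecessor, so the database fills with authenticated (frame, context) pairs rather than with bare frames.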
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Referring to fig. 7, at the hardware level the electronic device includes a processor and optionally further includes an internal bus, a network interface, and a memory. The memory may include a volatile memory such as a random-access memory (RAM), and may further include a non-volatile memory such as at least one disk memory. Of course, the electronic device may also include hardware required for other services.
The processor, the network interface, and the memory may be connected to each other via an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in fig. 7, but this does not indicate only one bus or one type of bus.
The memory is used for storing programs. In particular, a program may include program code comprising computer operating instructions. The memory may include both volatile memory and non-volatile storage, and provides instructions and data to the processor.
The processor reads the corresponding computer program from the nonvolatile memory into the memory and then runs the computer program to form the CAN bus identity authentication device on the logic level. The processor is used for executing the program stored in the memory and is specifically used for executing the following operations:
responding to CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identity (CAN ID);
calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID;
sending a CAN or CAN-FD bus message information processing instruction to a second ECU of a receiver under the condition that the identification result of the image characteristic value corresponding to the CAN ID passes; and/or
Receiving CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identity (CAN ID);
receiving an identification result of a preset SDK on CAN or CAN-FD bus message information sent by a first ECU;
and processing the CAN or CAN-FD bus message information sent by the first ECU under the condition that the received identification result is passed.
The method executed by the CAN bus authentication device according to the embodiment shown in fig. 3 and/or fig. 4 of the present application may be applied to or implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; or a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be implemented directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may be located in RAM, flash, ROM, PROM or EPROM, registers, etc., as is well known in the art. The storage medium is located in a memory; the processor reads the information from the memory and completes the steps of the method in combination with its hardware.
The electronic device may further execute the method executed by the CAN bus identity authentication apparatus in fig. 3 and/or fig. 4, and implement the functions of the CAN bus identity authentication apparatus in the embodiments shown in fig. 3 and/or fig. 4, which are not described herein again in this embodiment of the present application.
An embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium stores one or more programs, where the one or more programs include instructions, which, when executed by an electronic device including multiple application programs, enable the electronic device to perform the method performed by the CAN bus authentication apparatus in the embodiment shown in fig. 3, and are specifically configured to perform:
responding to CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identification number CAN ID;
calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID;
and sending a CAN or CAN-FD bus message information processing instruction to a second ECU of a receiver under the condition that the identification result of the image characteristic value corresponding to the CAN ID passes.
And/or enable the electronic device to perform the method performed by the CAN bus authentication apparatus in the embodiment shown in fig. 4, the instructions being specifically configured to perform:
receiving CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identity (CAN ID);
receiving an identification result of a preset SDK on CAN or CAN-FD bus message information sent by a first ECU;
and processing the CAN or CAN-FD bus message information sent by the first ECU under the condition that the received identification result is passed.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises that element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art to which the present application pertains. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present application shall be included in the scope of the claims of the present application.

Claims (10)

1. A Controller Area Network (CAN) bus identity authentication method comprises the following steps:
responding to CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identity (CAN ID);
calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID;
and sending a CAN or CAN-FD bus message information processing instruction to a second ECU of a receiver under the condition that the identification result of the image characteristic value corresponding to the CAN ID passes.
2. The method according to claim 1, wherein the invoking of the preset SDK interface performs preset conversion processing on the CAN or CAN-FD bus message information, including:
calling a preset SDK interface to analyze the CAN or CAN-FD bus message information and performing picture processing on the analyzed bus message information to obtain a communication map picture corresponding to the CAN ID;
and identifying the communication map picture through a preset neural network model to obtain an image characteristic value corresponding to the communication map picture.
3. The method according to claim 2, wherein the invoking of the preset SDK interface to parse the CAN or CAN-FD bus packet information and perform a picture processing on the parsed bus packet information includes:
calling an SDK data parser (Parser) to convert the bus message information into syntax tree information to obtain the parsing information of the bus message information;
performing picture processing on the analysis information and the context information of the analysis information to obtain a picture of the message;
and stamping a time stamp on the picture of the message.
4. The method according to claim 1, wherein the sending a CAN or CAN-FD bus message information processing instruction to the second ECU on the receiving side in case that the result of identifying the image feature value corresponding to the CAN ID passes includes:
inquiring an image characteristic value database, and confirming whether the image characteristic value passes authentication;
and if the inquiry authentication passes, sending a CAN or CAN-FD bus message information processing instruction to a second ECU of the receiver.
5. The method of claim 4, wherein said querying an image feature value database to determine whether the image feature value is authenticated further comprises:
if the query authentication is not passed, performing identity verification on the image characteristic value;
if the identity authentication of the image characteristic value passes, the image characteristic value is recorded into a characteristic value database and a CAN or CAN-FD bus message information processing instruction is sent to a second ECU of a receiver;
and if the image characteristic value identity authentication is not passed, sending a CAN or CAN-FD bus message information discarding indication to a second ECU of a receiver.
6. The method as claimed in claim 2, wherein the identifying the communication map picture through a preset neural network model comprises: identifying each communication map picture through a Convolutional Neural Network (CNN), wherein the communication map pictures comprise black and white communication map pictures;
and the image characteristic value in the image characteristic value database is authenticated again when the CAN bus is awakened again.
7. A Controller Area Network (CAN) bus identity authentication method comprises the following steps:
receiving CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identity (CAN ID);
receiving an identification result of a preset SDK on CAN or CAN-FD bus message information sent by a first ECU;
and processing the CAN or CAN-FD bus message information sent by the first ECU under the condition that the received identification result is passed.
8. A Controller Area Network (CAN) bus identity authentication apparatus, wherein the apparatus comprises:
the response unit responds to CAN or CAN-FD bus message information sent by a first ECU of a sender, wherein the CAN or CAN-FD bus message information at least comprises a controller area network identification number CAN ID;
the image characteristic value acquisition unit is used for calling a preset SDK interface to perform preset conversion processing on the CAN or CAN-FD bus message information to obtain an image characteristic value corresponding to the CAN ID;
and the indicating unit is used for sending a CAN or CAN-FD bus message information processing instruction to the second ECU of the receiver under the condition that the identification result of the image characteristic value corresponding to the CAN ID passes.
9. An electronic device, comprising: controller area network CAN bus identity authentication device, processor; and a memory arranged to store computer-executable instructions that, when executed, cause the processor to perform the method of any one of claims 1 to 6, and/or the method of claim 7.
10. A computer readable storage medium storing one or more programs which, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of any of claims 1-6, and/or the method of claim 7.
CN202211503625.0A 2022-11-28 2022-11-28 Controller Area Network (CAN) bus identity authentication method and device and electronic equipment Pending CN115766267A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211503625.0A CN115766267A (en) 2022-11-28 2022-11-28 Controller Area Network (CAN) bus identity authentication method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211503625.0A CN115766267A (en) 2022-11-28 2022-11-28 Controller Area Network (CAN) bus identity authentication method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN115766267A true CN115766267A (en) 2023-03-07

Family

ID=85339525

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211503625.0A Pending CN115766267A (en) 2022-11-28 2022-11-28 Controller Area Network (CAN) bus identity authentication method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN115766267A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116436723A (en) * 2023-06-13 2023-07-14 北京集度科技有限公司 Bus identification method, bus determination method, bus execution method and related devices
CN116847004A (en) * 2023-08-30 2023-10-03 江铃汽车股份有限公司 Analysis method, system and computer equipment for automobile CAN signals
CN117033287A (en) * 2023-10-08 2023-11-10 易方信息科技股份有限公司 Multi-bus communication method, system, equipment and storage medium based on SDK (software development kit) package
CN117155719A (en) * 2023-11-01 2023-12-01 北京傲星科技有限公司 Vehicle data security detection method, system, electronic equipment and storage medium

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116436723A (en) * 2023-06-13 2023-07-14 北京集度科技有限公司 Bus identification method, bus determination method, bus execution method and related devices
CN116436723B (en) * 2023-06-13 2023-09-01 北京集度科技有限公司 Bus identification method, bus determination method, bus execution method and related devices
CN116847004A (en) * 2023-08-30 2023-10-03 江铃汽车股份有限公司 Analysis method, system and computer equipment for automobile CAN signals
CN116847004B (en) * 2023-08-30 2023-11-17 江铃汽车股份有限公司 Analysis method, system and computer equipment for automobile CAN signals
CN117033287A (en) * 2023-10-08 2023-11-10 易方信息科技股份有限公司 Multi-bus communication method, system, equipment and storage medium based on SDK (software development kit) package
CN117033287B (en) * 2023-10-08 2024-02-13 易方信息科技股份有限公司 Multi-bus communication method, system, equipment and storage medium based on SDK (software development kit) package
CN117155719A (en) * 2023-11-01 2023-12-01 北京傲星科技有限公司 Vehicle data security detection method, system, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN115766267A (en) Controller Area Network (CAN) bus identity authentication method and device and electronic equipment
CN106911514A (en) SCADA network inbreak detection methods and system based on the agreements of IEC60870 5 104
CN108512845B (en) Interface calling verification method and device
CN112291240B (en) Information processing method and device
CN112019478A (en) TRDP protocol based train network safety protection method, device and system
CN110908357B (en) Security vulnerability detection method and device, storage medium and intelligent device
CN116405302B (en) System and method for in-vehicle safety communication
CN114257986A (en) Vehicle CAN network attack identification method and device
CN107306251B (en) Information authentication method and gateway equipment
CN108985409B (en) Identity card information reading method and device and electronic equipment
CN112487408A (en) Safe access method and system for ECU in vehicle and storage medium
CN113987484A (en) Method and system for detecting privacy disclosure of networked automobile
CN113259134B (en) Server protection method, device, equipment and medium based on face recognition
CN116546501A (en) 5G private network core network signaling security detection method and device
CN107295022A (en) A kind of client certificate method based on man-machine identification
CN112380501A (en) Equipment operation method, device, equipment and storage medium
CN114553528B (en) Internal and external network data safety transmission system and transmission method thereof
CN115333736A (en) Data transmission method, equipment and system
CN114614996B (en) Terminal request processing method, device and system
CN112910883B (en) Data transmission method and device and electronic equipment
CN114500072B (en) Message data transmission method and system
CN115150187B (en) Vehicle-mounted bus message security detection method and device, vehicle-mounted terminal and storage medium
CN109347816B (en) Binding method and system for port and access equipment
CN116347447A (en) Data processing method, device, equipment and storage medium
CN108270800B (en) Message processing method and system based on self-authentication code

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination