CN115801396A - Vehicle intrusion detection method and related device for establishing fingerprint for each identifier - Google Patents


Publication number
CN115801396A
Authority
CN
China
Prior art keywords
voltage
training
frame
signal
identifier
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211429335.6A
Other languages
Chinese (zh)
Inventor
刘家佳
邓舟彦
荀毅杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northwestern Polytechnical University
Original Assignee
Northwestern Polytechnical University


Abstract

A vehicle intrusion detection method and related apparatus that establish a fingerprint for each identifier, comprising: acquiring a voltage signal on the CAN bus and preprocessing it to obtain the identifier; extracting time-domain and frequency-domain features of the preprocessed voltage signal; using the extracted features together with the obtained identifier as a training data set; training on the data set to build a fingerprint for the voltage of each identifier, obtaining a corresponding number of models; when a data frame arrives, feeding its test data into the corresponding trained model to obtain a model score; and performing detection according to the score. The invention uses Deep-SVDD to establish an electrical-signal fingerprint for each ID in order to detect malicious frames and locate the attack source; because every data frame on the CAN bus carries an ID field, the mapping between ECUs and IDs does not need to be known.

Description

Vehicle intrusion detection method and related device for establishing fingerprint for each identifier
Technical Field
The invention belongs to the technical field of vehicle intrusion detection, and particularly relates to a vehicle intrusion detection method and a related device for establishing fingerprints for each identifier.
Background
With the wide application of emerging technologies such as mobile communication, the Internet of Vehicles and artificial intelligence in intelligent connected vehicles, drivers enjoy a more convenient driving experience. At the same time, these technologies expose a series of vulnerable interfaces on the vehicle. The ECUs that host these interfaces are connected to other ECUs over the CAN bus without encryption or authentication, so an attacker can control the functions of other nodes on the CAN bus through such a node. For this reason, researchers have designed schemes that encrypt and authenticate messages to protect the CAN bus, but such schemes may occupy bandwidth of the in-vehicle network. Researchers have therefore proposed intrusion detection systems (IDS) based on parameter monitoring, on information theory, and on fingerprints, which do not occupy bandwidth. However, these IDSs either cannot locate the source of an attack, cannot detect frames that are sent aperiodically, or require knowledge of the non-public mapping between ECUs and IDs.
Disclosure of Invention
The invention aims to provide a vehicle intrusion detection method and a related device for establishing a fingerprint for each identifier, so as to solve the problems that the existing intrusion detection system cannot locate an attack source, cannot detect a non-periodically transmitted frame, and needs to know the non-public mapping relation between an ECU and an ID.
To achieve this purpose, the invention adopts the following technical scheme:
A vehicle intrusion detection method that establishes a fingerprint for each identifier, comprising:
acquiring a voltage signal on the CAN bus, and preprocessing the acquired voltage signal to obtain the identifier;
extracting time-domain and frequency-domain features of the preprocessed voltage signal;
using the extracted time-domain and frequency-domain features together with the obtained identifier as a training data set;
training on the data set to build a fingerprint for the voltage of each identifier, obtaining a corresponding number of models;
when a data frame arrives, feeding its test data into the corresponding trained model to obtain a model score;
if the score is lower than the threshold, the data frame is considered a legitimate data frame; if the score is higher than the threshold, the frame is a malicious frame, and the test data is fed in turn into all the trained models until its score in one of them is lower than the threshold, which gives the sender of the frame.
Furthermore, in the collected voltage signal, the interval from the first point of the voltage interval to the first point whose voltage exceeds the average voltage of the interval is taken as the rising edge, the interval from the last point whose voltage exceeds the average voltage of the interval to the last point of the voltage interval is taken as the falling edge, and the remaining part of the interval is the dominant state.
Further, extraction of the time-domain and frequency-domain features:
after the falling edge, the rising edge and the dominant state of the electrical signal are collected, their features are obtained separately, and a frequency-domain signal is obtained by applying a Fourier transform to the time-domain signal; different features are selected in the time domain and the frequency domain: 8 features (mean, standard deviation, variance, root mean square, maximum value, minimum value, skewness and kurtosis) are extracted from the time-domain signal, and 8 features (centroid, entropy, spectrum spread, variance, skewness, mean, kurtosis and irregularity of the signal spectrum) are extracted from the frequency-domain signal; the rising edge, the dominant state and the falling edge each have 16 features, so each signal has 48 features.
Further, the test data:
in the detection stage, when a data frame arrives, its voltage signal is collected and preprocessed, and the extracted voltage signal is parsed to obtain the ID x of the data frame; the time-domain and frequency-domain features of the preprocessed voltage signal are extracted; the extracted features and the ID x of the data frame are used as test data.
Further, training of the model:
Deep-SVDD is used to train on the voltage signal of each identifier (ID) to construct a voltage fingerprint for that ID, so each ECU has multiple identical voltage fingerprints; when the Deep-SVDD model is trained for each ID, the scores of the training data are recorded, and the distribution interval of the model's scores is the fingerprint of the ID.
Further, in the testing stage of the model, when a frame is transmitted on the CAN bus, the 48 features of its voltage signal are extracted and matched against the fingerprint of the identifier being tested; the Deep-SVDD model scores the frame according to its feature values; when the score lies within the distribution interval of the training-data scores, the frame is judged to be a normal frame, otherwise it is judged to be malicious and it is determined that an ECU of the in-vehicle network has been compromised; the frame is then matched in turn against the fingerprints of the other identifiers to find the attack source.
Further, a vehicle intrusion detection system that establishes a fingerprint for each identifier, comprising:
a voltage signal acquisition module, used for acquiring a voltage signal on the CAN bus and preprocessing the acquired voltage signal to obtain the identifier;
a feature extraction module, used for extracting the time-domain and frequency-domain features of the preprocessed voltage signal;
a training set acquisition module, used for taking the extracted time-domain and frequency-domain features together with the obtained identifier as a training data set;
a training module, used for training on the data set to build a fingerprint for the voltage of each identifier, obtaining a corresponding number of models;
a judging module, used for feeding the test data into the corresponding trained model when a data frame arrives and obtaining a model score; if the score is lower than the threshold, the data frame is considered a legitimate data frame; if the score is higher than the threshold, the frame is a malicious frame, and the test data is fed in turn into all the trained models until its score in one of them is lower than the threshold, which gives the sender of the frame.
Further, a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor when executing the computer program implementing the steps of a method of vehicle intrusion detection for establishing a fingerprint for each identifier.
Further, a computer readable storage medium, having stored thereon a computer program, which when executed by a processor, carries out the steps of a method of vehicle intrusion detection for establishing a fingerprint for each identifier.
Compared with the prior art, the invention has the following technical effects:
The invention designs a vehicle intrusion detection scheme that establishes a fingerprint for each ID, exploiting the fact that data frames with different IDs sent by the same ECU on a vehicle CAN bus have the same electrical signal characteristics. The invention has the following advantages:
First: the invention uses Deep-SVDD to establish an electrical-signal fingerprint for each ID in order to detect malicious frames and locate the attack source; because every data frame on the CAN bus carries an ID field, the mapping between ECUs and IDs does not need to be known;
Second: the invention can be applied both to data frames transmitted periodically and to data frames transmitted aperiodically;
Third: the invention does not need to send data frames onto the CAN bus, so it does not consume the limited bandwidth of the CAN bus;
Fourth: the invention uses the differential signal of the CAN bus, which is resistant to interference and can be obtained directly from the OBD-II port, so acquisition is simple.
Drawings
Fig. 1 is a schematic diagram of interference rejection capability of differential signals.
Fig. 2 is a diagram illustrating that a data frame includes a plurality of data fields.
Fig. 3 is a diagram of the complete electrical signal composition.
FIG. 4 is a schematic diagram of constructing a voltage fingerprint.
FIG. 5 is a schematic diagram of detection.
FIG. 6 is a graph illustrating the average recall of IDs on Luxgen and Buick for different training sample set sizes.
Detailed Description
The invention is further described below with reference to the accompanying drawings:
Referring to Figs. 1 to 6, the invention designs a vehicle intrusion detection scheme that establishes a voltage fingerprint for each ID, exploiting the fact that data frames with different IDs sent by the same ECU on an automobile CAN bus have the same electrical signal characteristics. The scheme is divided into three parts: acquisition and preprocessing of voltage signals, extraction of time-domain and frequency-domain features, and training of the intrusion detection model.
1. Acquisition and pre-processing of voltage signals
The CAN bus consists of a twisted pair of two wires, CAN high and CAN low. The CAN bus transmits data using the differential signal, i.e., the difference between CAN high and CAN low. As shown in Fig. 1, the differential signal has excellent interference rejection. When there is interference in the external environment, it is coupled onto both CAN high and CAN low. However, the receiver only considers the difference between the two signals, so external common-mode noise on the differential signal cancels out. An ECU actively drives an electrical signal onto the CAN bus only when it sends the dominant bit 0. Therefore, only the dominant bits sent on the CAN bus carry the electrical characteristics of the sender ECU. As shown in Fig. 2, a data frame comprises several fields, and the voltage signals of the ID field and the ACK field may be influenced by multiple ECUs, so the invention collects, as the characteristic signal, the intervals from the RTR field to the CRC field in which the differential voltage is higher than 0.8 V. As shown in Fig. 3, a complete electrical signal consists of three parts (a rising edge, a dominant state and a falling edge), all of which carry the electrical characteristics of the signal. The invention therefore takes the interval from the first point of the voltage interval to the first point whose voltage exceeds the average voltage of the interval as the rising edge, the interval from the last point whose voltage exceeds the average voltage of the interval to the last point of the voltage interval as the falling edge, and the remaining part of the interval as the dominant state.
2. Acquisition of time domain signal and frequency domain signal characteristics
After the falling edge, rising edge and dominant state of the electrical signal are collected, their features are obtained separately. Note that the differential voltage collected on the CAN bus is a time-domain signal, but the frequency domain of the electrical signal also carries characteristics of the signal. The invention therefore obtains a frequency-domain signal by applying a Fourier transform to the time-domain signal. As shown in Table 1, the invention selects different features in the time domain and the frequency domain. 8 features (mean, standard deviation, variance, root mean square, maximum value, minimum value, skewness and kurtosis) are extracted from the time-domain signal, and 8 features (centroid, entropy, spectrum spread, variance, skewness, mean, kurtosis and irregularity of the signal spectrum) are extracted from the frequency-domain signal. The rising edge, the dominant state and the falling edge of the signal each have 16 features, so each signal has 48 features, and each complete signal can be converted into a 1 × 48 sample. While the vehicle has not yet been attacked, the features of the differential voltage signal are collected for the data frames of each ID.
TABLE 1 (table image not reproduced)
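An added example, not code from the patent, of the segmentation and 48-feature extraction described above. Table 1 is not reproduced in this text, so the formulas for the spectral features are commonly used definitions assumed here; the function names and the sample pulse are constructed.

```python
import cmath
import math

FS = 62.5e6  # sampling rate stated in the experiments (62.5 MS/s)

def split_pulse(v):
    """Split one dominant pulse (samples above 0.8 V) into rising edge,
    dominant state and falling edge, using the mean-crossing rule of the text."""
    mean = sum(v) / len(v)
    above = [i for i, x in enumerate(v) if x > mean]
    if not above or above[0] + 1 >= above[-1]:
        raise ValueError("pulse too short or flat: no dominant state found")
    first, last = above[0], above[-1]
    return v[:first + 1], v[first + 1:last], v[last:]

def _moments(xs, w=None):
    """Weighted mean, variance, skewness and kurtosis (population form)."""
    w = w or [1.0] * len(xs)
    total = sum(w)
    mean = sum(x * wi for x, wi in zip(xs, w)) / total

    def central(k):
        return sum(wi * (x - mean) ** k for x, wi in zip(xs, w)) / total

    var = central(2)
    if var < 1e-18:  # constant segment: shape moments are undefined, report 0
        return mean, var, 0.0, 0.0
    return mean, var, central(3) / var ** 1.5, central(4) / var ** 2

def time_features(xs):
    """mean, std, variance, RMS, max, min, skewness, kurtosis."""
    mean, var, skew, kurt = _moments(xs)
    rms = math.sqrt(sum(x * x for x in xs) / len(xs))
    return [mean, math.sqrt(var), var, rms, max(xs), min(xs), skew, kurt]

def freq_features(xs, fs=FS):
    """centroid, entropy, spread, variance, skewness, mean, kurtosis,
    irregularity of the one-sided magnitude spectrum (assumed definitions)."""
    n = len(xs)
    half = n // 2 + 1  # bins 0..n/2, DC included
    mag = [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n)
                   for i, x in enumerate(xs))) for k in range(half)]
    freqs = [k * fs / n for k in range(half)]
    total = sum(mag)
    p = [m / total for m in mag]  # spectrum normalised to a distribution
    centroid, spread2, skew, kurt = _moments(freqs, p)
    entropy = -sum(q * math.log2(q) for q in p if q > 0)
    mean_mag, var_mag, _, _ = _moments(mag)
    irregularity = (sum((a - b) ** 2 for a, b in zip(mag, mag[1:]))
                    / sum(m * m for m in mag))
    return [centroid, entropy, math.sqrt(spread2), var_mag, skew, mean_mag,
            kurt, irregularity]

def extract_features(pulse, fs=FS):
    """1 x 48 sample: 16 features for each of the three parts of the pulse."""
    vec = []
    for part in split_pulse(pulse):
        vec += time_features(part) + freq_features(part, fs)
    return vec

def constructed_pulse(tau=3.0, level=2.0):
    """Constructed sample, not a capture: RC-like edges around a 2 V plateau."""
    rise = [0.9 + (level - 0.9) * (1 - math.exp(-i / tau)) for i in range(12)]
    flat = [level + 0.02 * math.sin(0.7 * i) for i in range(40)]
    fall = [0.9 + (level - 0.9) * math.exp(-i / tau) for i in range(1, 13)]
    return rise + flat + fall

if __name__ == "__main__":
    vec = extract_features(constructed_pulse())
    print(len(vec), [round(x, 4) for x in vec[:8]])
```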
3. Training of the intrusion detection model
The model of the present invention works in two stages: training of the model and detection of malicious frames. First, the model needs to be trained to build a voltage fingerprint. Since the relationship between the IDs and the ECUs is not public, the invention uses Deep-SVDD to train on the voltage signal of each ID to construct a voltage fingerprint for that ID, as shown in Fig. 4, where each ECU has multiple identical voltage fingerprints (e.g., ID fingerprint 1 and ID fingerprint 4 both belong to ECU A). When the Deep-SVDD model is trained for each ID, the scores of the training data are recorded, and the distribution interval of the model's scores is the fingerprint of the ID. The ID voltage fingerprints from the same ECU are essentially the same (e.g., ID fingerprint 3 equals ID fingerprint 5, ID fingerprint 2 equals ID fingerprint 4).
In the testing phase of the model, as shown in Fig. 5, the sender ECU of ID3 and ID5 is controlled and sends a malicious frame with ID 4. When the frame is transmitted on the CAN bus, the 48 features of its voltage signal are extracted and matched against the fingerprint corresponding to ID4 (namely fingerprint 4). The Deep-SVDD model then scores the frame according to its feature values. When the score lies within the distribution interval of the training-data scores, the frame is judged to be a normal frame; otherwise it is judged to be a malicious frame. In that case it can be determined that one ECU of the in-vehicle network has been compromised. Next, the frame is matched in turn against the fingerprints of the other IDs to find the attack source. Since the frame was sent by the ECU corresponding to ID3, the score the frame obtains in the ID3 model lies within the distribution interval of that model's training data. It can therefore be judged that the attack source is the ECU corresponding to ID 3.
Specifically, the method comprises the following steps:
S1, collecting voltage signals on the CAN bus, and preprocessing the collected voltage signals;
S2, extracting the time-domain and frequency-domain features of the voltage signals preprocessed in step S1;
S3, parsing the voltage signal extracted in step S1 to obtain the ID (identifier) of the data frame;
S4, using the features extracted in step S2 and the identifiers obtained in step S3 as training data sets, wherein the number of data sets equals the number of IDs on the CAN bus (assuming n IDs, there are n data sets);
S5, training on each of the n data sets from S4 with the Deep-SVDD algorithm, building a fingerprint for the voltage of each ID and obtaining n models;
S6, in the detection stage, when a data frame arrives, collecting and preprocessing the voltage signal of the data frame;
S7, extracting the time-domain and frequency-domain features of the voltage signal preprocessed in step S6;
S8, parsing the voltage signal extracted in step S6 to obtain the ID x of the data frame;
S9, feeding the features extracted in step S7 and the label obtained in step S8, as test data, into the model for ID x trained in step S5, and obtaining a model score;
S10, if the score from step S9 is lower than the threshold, the data frame is considered a legitimate data frame; if the score is higher than the threshold, the data frame is a malicious frame, and step S11 is carried out;
S11, feeding the features extracted in step S7 and the label obtained in step S8, as test data, in turn into the models for all the IDs trained in step S5 until the score in the model for some ID y is lower than the threshold, which gives the sender of the frame, namely the ECU to which ID y belongs.
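An added example, not the patent's code, of steps S9 to S11: a frame is checked against the fingerprint of its claimed ID and, if it fails, the other fingerprints are searched for the sender. The one-class scorer is a simple stand-in for Deep-SVDD (distance to the training centre in standardised feature space), the 4-dimensional vectors stand in for the 48 features, and the sample data, the handling of IDs that have no model, and all names are assumptions.

```python
import math
import random

class IdFingerprint:
    """Stand-in one-class model for one CAN ID. Assumption: the patent trains
    Deep-SVDD from PyOD; here the score is the distance to the training centre
    in standardised feature space, i.e. SVDD without the learned network."""

    def __init__(self, samples):
        dims = range(len(samples[0]))
        self.mu = [sum(s[d] for s in samples) / len(samples) for d in dims]
        self.sd = [math.sqrt(sum((s[d] - self.mu[d]) ** 2 for s in samples)
                             / len(samples)) or 1.0 for d in dims]
        # The training-score interval is the fingerprint; its upper end is
        # used as the threshold.
        self.threshold = max(self.score(s) for s in samples)

    def score(self, x):
        return math.sqrt(sum(((xi - m) / s) ** 2
                             for xi, m, s in zip(x, self.mu, self.sd)))

    def matches(self, x):
        return self.score(x) <= self.threshold

def train(dataset):
    """S4-S5: one data set and one model per ID. dataset: {can_id: [vectors]}."""
    return {can_id: IdFingerprint(vecs) for can_id, vecs in dataset.items()}

def detect(models, can_id, features):
    """S9-S11. Returns (verdict, source_id). An ID with no trained model is
    treated as malicious (assumption: the text does not cover this case)."""
    own = models.get(can_id)
    if own is not None and own.matches(features):
        return "legitimate", can_id
    for other_id, model in models.items():      # S11: try the other fingerprints
        if other_id != can_id and model.matches(features):
            return "malicious", other_id        # sender is the ECU owning other_id
    return "malicious", None                    # no fingerprint fits the signal

# Constructed data: two ECUs with distinct electrical characteristics. The
# ID-to-ECU map only generates the samples; detect() never sees it.
ECU_CENTRES = {"A": [2.00, 0.10, 1.50, 3.0], "B": [2.30, 0.25, 1.20, 4.5]}
ID_TO_ECU = {0x316: "A", 0x329: "A", 0x340: "B"}

def constructed_dataset(n=200, seed=1):
    rng = random.Random(seed)
    return {cid: [[c + rng.gauss(0, 0.01) for c in ECU_CENTRES[ecu]]
                  for _ in range(n)] for cid, ecu in ID_TO_ECU.items()}

if __name__ == "__main__":
    models = train(constructed_dataset())
    print(detect(models, 0x316, ECU_CENTRES["A"]))  # genuine frame from ECU A
    print(detect(models, 0x316, ECU_CENTRES["B"]))  # ECU B sending ID 0x316
```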
Example:
The experimental environment is as follows:
Actual vehicles and equipment: experiments were conducted on a Buick and a Luxgen vehicle to evaluate the performance of the invention in detecting malicious frames. To record the voltage signals of the data frames, a PicoScope 2206B collects the differential voltage signals of the CAN bus through the OBD-II interface; these signals are used to train and test the model of the invention.
Hardware and software environment: the invention uses Python 3.7 as the programming language for processing data and training the model, and uses the TensorFlow 2.5 framework and the Deep-SVDD algorithm in the PyOD library to train the model, detect malicious frames and locate the attack source.
Data set: the invention uses the PicoScope 2206B to collect the differential voltage signals of data frames on the CAN buses of the two vehicles at a sampling rate of 62.5 MS/s. 11200 complete signals were collected for each ID; 10000 signals are used as training samples and 1200 signals as test samples. As described in the third section, a complete signal consists of a falling edge, a rising edge and a dominant state. The PicoScope can parse the differential signal into CAN messages in real time and record the ID of each signal.
The experimental results are as follows:
To evaluate the performance of the invention on real vehicles, frames with 11 IDs (i.e., 0x0AA, 0x0BE, 0x0C9, 0x0B9, 0x0BA, 0x0BB, 0x0C1, 0x0C5, 0x0D1, 0x0F1, and 0x1E1) were recorded on the Buick CAN bus. Similarly, frames with 11 IDs (i.e., 0x316, 0x329, 0x335, 0x340, 0x34A, 0x34F, 0x350, 0x360, 0x380, 0x39A, and 0x39E) were recorded on the Luxgen CAN bus. Although the invention does not need to know which IDs come from the same ECU, the mapping between ECUs and IDs must be known in order to evaluate the performance of the model. In the Luxgen, {0x316, 0x329, 0x335} belong to the same ECU A, {0x340, 0x34A, 0x34F} belong to the same ECU B, {0x350, 0x360, 0x380} belong to the same ECU C, and {0x39A, 0x39E} belong to the same ECU D. In the Buick, {0x0AA, 0x0BE, 0x0C9} belong to the same ECU A, {0x0B9, 0x0BA, 0x0BB} belong to the same ECU B, {0x0C1, 0x0C5, 0x0D1} belong to the same ECU C, and {0x0F1, 0x0E1} belong to the same ECU D.
Intrusion detection results under different numbers of training samples
First, we evaluate the performance of our system with training sample sets of different sizes. In the experiment, the size of the training sample set for each ID was increased by 300 at a time. Fig. 6 shows the average recall of the IDs on the Luxgen and the Buick for different training sample set sizes. Recall is the proportion of data frames from an ECU that are predicted correctly. As the number of training samples increased, the recall of the model increased for both vehicles. When the number of training samples per ID exceeds 8400, the recall exceeds 98%.
Matching of data frames of different IDs across all ID fingerprints
To further demonstrate the performance of the invention in detecting the source ECU of a frame, the matching rates of data frames of different IDs on all ID fingerprints are shown in Table 2 and Table 3 for the Luxgen and the Buick, respectively. F1 to F11 denote the models (fingerprints) trained for the 11 IDs of the CAN bus, and each column gives the matching rates of the data frames of one ID over the 11 fingerprints. It can be seen that data frames with different IDs from the same ECU have a high matching rate on the fingerprints trained for that ECU's IDs, while data frames with IDs from other ECUs have a low matching rate on the fingerprints of that ECU. Therefore, the invention can accurately detect whether a data frame is legitimate and identify the sender of the data frame.
DeepSVDD and k-NN Performance comparison
To illustrate the necessity of using the Deep-SVDD algorithm, Table 4 compares Deep-SVDD with the classical one-class classification algorithm k-nearest neighbor (k-NN) at detecting the legitimacy of data frames, using 6 metrics. Accuracy A is the proportion of all data frames on each fingerprint whose source is matched correctly. Precision P is the proportion of frames inferred correctly among the frames that match the ID fingerprints of an ECU. Recall R is the proportion of data frames from an ECU that are predicted correctly. The F1-measure evaluates precision and recall together. The higher the values of these 4 metrics, the better the model performs. The False Negative Rate (FNR) and False Positive Rate (FPR) are the values of 1-precision P and 1-recall R, respectively; the lower their values, the better the model. Therefore, the vehicle intrusion detection system using the Deep-SVDD algorithm performs better than the vehicle intrusion detection system using the k-NN algorithm.
TABLE 2 (table image not reproduced)
TABLE 3 (table image not reproduced)
TABLE 4 (table image not reproduced)
In another embodiment of the present invention, a vehicle intrusion detection system that establishes a fingerprint for each identifier is provided, which can be used to implement the above vehicle intrusion detection method. Specifically, the system includes:
a voltage signal acquisition module, used for acquiring a voltage signal on the CAN bus and preprocessing the acquired voltage signal to obtain the identifier;
a feature extraction module, used for extracting the time-domain and frequency-domain features of the preprocessed voltage signal;
a training set acquisition module, used for taking the extracted time-domain and frequency-domain features together with the obtained identifier as a training data set;
a training module, used for training on the data set to build a fingerprint for the voltage of each identifier, obtaining a corresponding number of models;
a judging module, used for feeding the test data into the corresponding trained model when a data frame arrives and obtaining a model score; if the score is lower than the threshold, the data frame is considered a legitimate data frame; if the score is higher than the threshold, the frame is a malicious frame, and the test data is fed in turn into all the trained models until its score in one of them is lower than the threshold, which gives the sender of the frame.
The division of the modules in the embodiments of the present invention is schematic, and only one logical function division is provided, and in actual implementation, there may be another division manner, and in addition, each functional module in each embodiment of the present invention may be integrated in one processor, or may exist alone physically, or two or more modules are integrated in one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
In yet another embodiment of the present invention, a computer device is provided that includes a processor and a memory, the memory storing a computer program comprising program instructions and the processor executing the program instructions stored in the computer storage medium. The processor may be a Central Processing Unit (CPU), or another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. It is the computing core and control core of the terminal, and is adapted to load and execute one or more instructions in a computer storage medium to implement a corresponding method flow or function; the processor described in embodiments of the present invention may be used to run the vehicle intrusion detection method that establishes a fingerprint for each identifier.
In yet another embodiment of the present invention, the present invention further provides a storage medium, specifically a computer-readable storage medium (Memory), which is a Memory device in a computer device and is used for storing programs and data. It is understood that the computer readable storage medium herein can include both built-in storage media in the computer device and, of course, extended storage media supported by the computer device. The computer-readable storage medium provides a storage space storing an operating system of the terminal. Also, the memory space stores one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by the processor. It should be noted that the computer-readable storage medium may be a high-speed RAM memory, or may be a non-volatile memory (non-volatile memory), such as at least one disk memory. One or more instructions stored in a computer-readable storage medium may be loaded and executed by a processor to perform the corresponding steps of one of the above-described embodiments with respect to a method of vehicle intrusion detection that establishes a fingerprint for each identifier.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (9)

1. A method for vehicle intrusion detection by creating a fingerprint for each identifier, comprising:
acquiring a voltage signal in a CAN bus, and preprocessing the acquired voltage signal to obtain an acquired identifier;
acquiring time-domain and frequency-domain signal features of the preprocessed voltage signal;
using the features obtained from the time-domain and frequency-domain signals, together with the acquired identifier, as a training data set;
training on the data set, training a fingerprint for the voltage of each identifier, to obtain a corresponding number of models;
when a data frame arrives, putting its test data into the corresponding trained model to obtain a model score;
and if the score is lower than the threshold, the data frame is considered a legal data frame; if the score is higher than the threshold, the frame is a malicious frame, and the test data is put into all of the trained models in sequence until the score is lower than the threshold in one of them, thereby obtaining the sending source of the frame.
2. The method according to claim 1, wherein, when the voltage signal is collected, the section of a voltage interval from its first point to the first point at which the voltage exceeds the average voltage of the interval is taken as the rising edge, the section from the last point at which the voltage exceeds the average voltage of the interval to the last point of the interval is taken as the falling edge, and the remaining section is the dominant state.
3. The vehicle intrusion detection method according to claim 1, wherein acquiring the time-domain and frequency-domain signal features comprises:
after the falling edge, the rising edge and the dominant state of the electric signal are collected, obtaining the features of each of them, the frequency-domain signal being obtained by applying a Fourier transform to the time-domain signal; different features are selected in the time domain and in the frequency domain: 8 features (mean, standard deviation, variance, root mean square, highest value, lowest value, skewness and kurtosis) are extracted from the time-domain signal, and 8 features (centroid, entropy, spectrum spread, variance, skewness, mean, kurtosis and irregularity of the signal spectrum) are extracted from the frequency-domain signal; each of the rising edge, the dominant state and the falling edge thus has 16 features, giving 48 features for each signal.
4. The vehicle intrusion detection method according to claim 1, wherein the test data is obtained as follows:
in the detection stage, when a data frame arrives, the voltage signals of the data frame are collected and preprocessed, and the extracted voltage signals are parsed to obtain the ID x of the data frame; the time-domain and frequency-domain signal features of the preprocessed voltage signal are acquired; and the collected features and the ID x of the data frame are used as the test data.
5. The vehicle intrusion detection method according to claim 1, wherein the model is trained as follows:
the voltage signal of each identifier ID is trained with Deep-SVDD to construct a voltage fingerprint of that identifier ID, wherein a plurality of identical voltage fingerprints exist in each ECU; the score values of the training data are recorded when the Deep-SVDD model is trained for each ID, and the score distribution interval of the model is the fingerprint of the ID.
6. The vehicle intrusion detection method according to claim 1, wherein, in the test stage of the model, when a frame is transmitted on the CAN bus, the 48 voltage signal features of its voltage signal are extracted and matched against the fingerprint corresponding to the identifier under test; the Deep-SVDD model scores the frame according to its feature values; when the score is within the distribution interval of the training data scores, the frame is judged to be a normal frame; otherwise it is judged to be a malicious frame and it is determined that an ECU of the in-vehicle network has been compromised, after which the frame is matched in turn against the fingerprints of the other identifier IDs to search for the attack source.
7. A vehicle intrusion detection system for fingerprinting each identifier, comprising:
the voltage signal acquisition module is used for acquiring voltage signals in the CAN bus and preprocessing the acquired voltage signals to obtain acquired identifiers;
the feature acquisition module is used for acquiring the time-domain and frequency-domain signal features of the preprocessed voltage signal;
the training set acquisition module is used for taking the features obtained from the time-domain and frequency-domain signals, together with the acquired identifier, as a training data set;
the training module is used for training on the data set, training a fingerprint for the voltage of each identifier, and obtaining a corresponding number of models;
the judging module is used for putting the test data into the corresponding trained model when a data frame arrives and obtaining the model score; if the score is lower than the threshold, the data frame is considered a legal data frame; if the score is higher than the threshold, the frame is a malicious frame, and the test data is put into all of the trained models in sequence until the score is lower than the threshold in one of them, thereby obtaining the sending source of the frame.
8. A computer arrangement comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor when executing the computer program carries out the steps of a method of vehicle intrusion detection for fingerprinting each identifier according to any one of claims 1 to 6.
9. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of a method for vehicle intrusion detection by fingerprinting each identifier according to any one of claims 1 to 6.
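
The pipeline of claims 1 to 6 (segmentation, 48 features, one model per identifier, threshold check, sender search) is traced in the script below, which is an added illustration and not code from the patent. It assumes differential-voltage samples constructed inline, commonly used formulas for the spectral features that the claims only name, hypothetical function names and IDs, and a plain centroid-distance scorer standing in for Deep-SVDD.

```python
import cmath, math

def segment(v):  # claim 2: rising edge, dominant state, falling edge
    mean = sum(v) / len(v)
    above = [i for i, x in enumerate(v) if x > mean]
    return v[:above[0] + 1], v[above[0] + 1:above[-1]], v[above[-1]:]

def moments(s):  # mean, std, variance, skewness, kurtosis (population form)
    m = sum(s) / len(s)
    c = lambda k: sum((x - m) ** k for x in s) / len(s)
    sd = math.sqrt(c(2)) or 1.0  # flat segment: avoid dividing by zero
    return m, sd, c(2), c(3) / sd ** 3, c(4) / sd ** 4

def features16(s):  # claim 3: 8 time-domain + 8 spectral features
    n = len(s)
    m, sd, var, skew, kurt = moments(s)
    mag = [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(s)))
           for k in range(n // 2 + 1)]  # naive DFT magnitudes
    p = [a / sum(mag) for a in mag]  # normalised spectrum
    cen = sum(k * a for k, a in enumerate(p))
    spread = math.sqrt(sum((k - cen) ** 2 * a for k, a in enumerate(p)))
    ent = -sum(a * math.log(a) for a in p if a > 0)
    irr = sum((a - b) ** 2 for a, b in zip(mag, mag[1:])) / sum(a * a for a in mag)
    fm, _, fvar, fskew, fkurt = moments(mag)
    return [m, sd, var, math.sqrt(var + m * m), max(s), min(s), skew, kurt,
            cen, ent, spread, fvar, fskew, fm, fkurt, irr]

def fingerprint(v):  # 3 segments x 16 features = 48 values
    return [f for seg in segment(v) for f in features16(seg)]

def train(traces):  # Deep-SVDD stand-in: centre + worst training score as threshold
    vecs = [fingerprint(t) for t in traces]
    c = [sum(col) / len(vecs) for col in zip(*vecs)]
    return c, max(math.dist(x, c) for x in vecs)

def classify(models, can_id, trace):  # claims 1 and 6: check claimed ID, then find sender
    x = fingerprint(trace)
    ok = lambda i: math.dist(x, models[i][0]) <= models[i][1]
    if ok(can_id):
        return "legal", can_id
    return "malicious", next((i for i in models if i != can_id and ok(i)), None)

# Constructed samples: one dominant pulse; the two ECUs differ only in dominant level.
SHAPE = [0.0, 0.4, 0.8] + [1 + 0.02 * math.sin(i) for i in range(10)] + [0.7, 0.3, 0.0]
def make_trace(level):
    return [level * x for x in SHAPE]
MODELS = {0x101: train([make_trace(2.0 + 0.001 * k) for k in range(10)]),
          0x2A0: train([make_trace(1.8 + 0.001 * k) for k in range(10)])}
```

Because the distance is taken over unscaled features, the large spectral-variance terms dominate the score; a deployment would normalise the features or rely on the learned Deep-SVDD mapping.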
CN202211429335.6A 2022-11-15 2022-11-15 Vehicle intrusion detection method and related device for establishing fingerprint for each identifier Pending CN115801396A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211429335.6A CN115801396A (en) 2022-11-15 2022-11-15 Vehicle intrusion detection method and related device for establishing fingerprint for each identifier


Publications (1)

Publication Number Publication Date
CN115801396A true CN115801396A (en) 2023-03-14

Family

ID=85437918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211429335.6A Pending CN115801396A (en) 2022-11-15 2022-11-15 Vehicle intrusion detection method and related device for establishing fingerprint for each identifier

Country Status (1)

Country Link
CN (1) CN115801396A (en)

Similar Documents

Publication Publication Date Title
CN111131185B (en) CAN bus network anomaly detection method and device based on machine learning
CN108390869B (en) Vehicle-mounted intelligent gateway device integrating deep learning and command sequence detection method thereof
CN110636048B (en) Vehicle-mounted intrusion detection method and system based on ECU signal characteristic identifier
Taylor et al. Probing the limits of anomaly detectors for automobiles with a cyberattack framework
CN110620760A (en) FlexRay bus fusion intrusion detection method and detection device for SVM (support vector machine) and Bayesian network
Jaynes et al. Automating ECU identification for vehicle security
CN112491920A (en) Abnormity detection method and device for vehicle-mounted CAN bus
Tanksale Intrusion detection for controller area network using support vector machines
CN114900331B (en) Vehicle-mounted CAN bus intrusion detection method based on CAN message characteristics
CN111988342A (en) Online automobile CAN network anomaly detection system
CN114936149A (en) CAN bus fuzzy test case generation method based on WGAN-GP and fuzzy test system
Ezeobi et al. Reverse engineering controller area network messages using unsupervised machine learning
CN114157469B (en) Vehicle-mounted network variant attack intrusion detection method based on domain antagonism neural network
CN112637029B (en) Method and device for extracting CAN data frame signal in vehicle
Deng et al. A lightweight sender identification scheme based on vehicle physical layer characteristics
Buscemi et al. A data-driven minimal approach for CAN bus reverse engineering
Rumez et al. Anomaly detection for automotive diagnostic applications based on N-grams
CN113359666A (en) Deep SVDD (singular value decomposition) based vehicle external intrusion detection method and system
Liu et al. vProfile: Voltage-based anomaly detection in controller area networks
CN115801396A (en) Vehicle intrusion detection method and related device for establishing fingerprint for each identifier
Li et al. A light-weighted machine learning based ECU identification for automotive CAN security
CN113420791B (en) Access control method and device for edge network equipment and terminal equipment
CN112566117B (en) Vehicle node identity recognition method and device based on metric learning
Yin et al. Detecting CAN overlapped voltage attacks with an improved voltage-based in-vehicle intrusion detection system
CN112491677B (en) CAN bus identification method and device based on physical layer characteristic fingerprint

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination