CN115941330A - Intrusion detection method for vehicle-mounted UDS protocol - Google Patents
Intrusion detection method for vehicle-mounted UDS protocol Download PDFInfo
- Publication number
- CN115941330A CN115941330A CN202211578502.3A CN202211578502A CN115941330A CN 115941330 A CN115941330 A CN 115941330A CN 202211578502 A CN202211578502 A CN 202211578502A CN 115941330 A CN115941330 A CN 115941330A
- Authority
- CN
- China
- Prior art keywords
- intrusion detection
- request
- request data
- rule
- rules
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention discloses an intrusion detection method aiming at a vehicle-mounted UDS protocol, wherein an intrusion detection rule is set aiming at the vehicle-mounted UDS protocol, and comprises an illegal diagnosis request check rule, an illegal diagnosis response check rule, a diagnosis request validity check rule, a brute force request authentication check rule, an active uploading check rule by starting a DTC (digital time control) and a malicious continuous resetting check rule. The invention sets intrusion detection rules aiming at the UDS protocol and ensures the communication safety of the upper layer protocol.
Description
Technical Field
The invention belongs to the technical field of intrusion detection of vehicle-mounted systems of automobiles, and particularly relates to an intrusion detection method aiming at a vehicle-mounted UDS protocol.
Background
At present, a CAN (Control Area Network) bus is used as a communication bus between Electronic Control Units (ECUs), has become a bus protocol most widely applied in automobiles, and has become a research hotspot of automobile manufacturers at home and abroad. Each part of the automobile CAN be directly controlled through the CAN information, so that the CAN bus safety detection and defense are the last defense line for the safety of the networked automobile. And the intrusion detection in the vehicle is the most important and effective protection means.
Nowadays, the basis of network intrusion detection defense is IDS (intrusion detection system), and effective defense means can be determined only when an attack is detected and the type and method of the attack are determined. Although the current key technologies of intrusion detection have respective advantages, especially anomaly detection technologies, which have become the mainstream technologies of intrusion detection technologies, the single development thereof leaves the accuracy of detection to be improved. With the continuous research of the technology, the intrusion detection technology based on the protocol analysis is also gradually becoming one of the main technologies under research.
So far, attempts have been made in different directions for intrusion detection methods of in-vehicle CAN bus networks. For example, the Michael Muter applies the information entropy theory to CAN bus abnormity detection for the first time, and 8 abnormity sensors are introduced to comprehensively evaluate bus threats in a vehicle, wherein the threats comprise frame ID detection, data load detection, message frequency detection, message sequence tampering detection and the like. Larson proposes a CAN bus intrusion detection method based on an in-vehicle communication protocol standard, which aims at the Canopen protocol, detects malformed messages violating the protocol by analyzing the protocol specification of the Canopen protocol, and provides a set of safety rules. Meanwhile, theories such as machine learning and neural network also become hot directions for researching CAN bus intrusion detection in a vehicle, a deep neural network is used for detecting the safety problem of vehicle information, a hidden Markov model is used for detecting the problem of abnormal change of vehicle speed and engine rotating speed, and a time recursive neural network LSTM is used for carrying out offline abnormal detection on collected CAN data. Although these methods all provide help for in-vehicle intrusion detection, nowadays, the application of intrusion detection technology based on protocol analysis in CAN bus network is rare, and the method aiming at UDS (Unified Diagnostic Services) protocol is rather deficient.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide an intrusion detection method aiming at a vehicle-mounted UDS protocol, and the intrusion detection method is used for setting intrusion detection rules aiming at the UDS protocol and ensuring the communication safety of an upper layer protocol.
In order to achieve the above object, the intrusion detection method for the vehicle-mounted UDS protocol of the present invention includes the following steps:
s1: setting intrusion detection rules aiming at a vehicle-mounted UDS protocol, wherein the intrusion detection rules comprise illegal diagnosis request check rules, illegal diagnosis response check rules, diagnosis request validity check rules, violence request authentication check rules, starting DTC active upload check rules and malicious continuous reset check rules, and the intrusion detection rules comprise the following steps:
the illegal diagnosis request check rule checks and matches the SID in the request data sent by the ECU to the preset SID white list in the rule through the SID white list preset by actual requirements, if the SID which is not defined in the white list appears, the request data is reported to be abnormal, otherwise, the request data is processed normally;
presetting a response ID white list according to actual needs by an illegal diagnosis response check rule, matching a response ID in a diagnosis request with the preset response ID white list in the rule, reporting an exception if an undefined response ID occurs, and otherwise, normally processing request data;
setting requirements of SID, field range quantity, field position, field format, reference value relation and reference value in the diagnosis request data according to actual requirements by the diagnosis request validity check rule, checking whether a certain field range of the request data meets the requirements, reporting an exception if the certain field range does not meet the requirements, and otherwise, normally processing the request data;
setting a quantity threshold and a minimum interval time of the permission acquisition requests in unit time length according to actual needs by a violence request authentication check rule, reporting an exception if the quantity of the permission acquisition requests in unit time length exceeds the quantity threshold or the interval time between two permission acquisition requests is less than the minimum interval time, otherwise, normally processing request data;
the DTC active upload check rule is that if a diagnostic request is received and the DTC active upload is required to be started, exception is reported, otherwise, the request data is processed normally;
according to the malicious continuous reset check rule, setting a detection frequency threshold of the ECU reset request except the self reset detection according to actual needs, reporting an exception if the detection frequency of the ECU reset request except the self reset detection forwarded by the gateway exceeds the threshold, otherwise, normally processing request data;
s2: for each subnet in the CAN bus network in the vehicle, setting a plurality of intrusion detection rules for the ECU according to actual needs, identifying each rule by adopting the CAN ID of the ECU, and then storing the intrusion detection rules of all the subnets;
s3: when the diagnosis side sends request data to the ECU, the request data is cached to a cache region of the sub-network to which the ECU belongs, and when an intrusion detection period comes, the following method is adopted to carry out intrusion detection on the request data of each sub-network in sequence: and reading the request data from the cache region of the current subnet, then retrieving and reading all intrusion detection rules of the ECU corresponding to the request data, sequentially adopting all the intrusion detection rules to carry out matching detection on the request data, and after all the request data of the current subnet are detected, jumping to the next subnet until all the cached request data are detected completely.
The invention relates to an intrusion detection method aiming at a vehicle-mounted UDS protocol, which sets intrusion detection rules aiming at the vehicle-mounted UDS protocol, wherein the intrusion detection rules comprise an illegal diagnosis request check rule, an illegal diagnosis response check rule, a diagnosis request validity check rule, a violence request authentication check rule, an active uploading check rule by starting a DTC (digital time control) and a malicious continuous resetting check rule.
The invention has the following beneficial effects:
1) On the basis of the intrusion detection of the existing vehicle-mounted internal CAN network, the invention considers the safety of an upper protocol layer, provides a plurality of detection rules aiming at the UDS protocol, ensures the integrity of the intrusion detection of the vehicle-mounted CAN bus network and complements the deficiency of the protocol layer;
2) The intrusion detection method aiming at the UDS protocol can accurately position the characteristic attack and can make up the defect that the judgment cannot be accurately carried out in the conventional anomaly detection;
3) The invention adopts fewer rules to describe unacceptable behaviors, and can improve the abnormal detection speed and efficiency.
Drawings
FIG. 1 is a flow chart of an embodiment of an intrusion detection method for a vehicle UDS protocol according to the present invention;
FIG. 2 is a diagram illustrating an exemplary flow of an illegal diagnosis request check in the present embodiment;
FIG. 3 is a rights acquisition flow diagram;
fig. 4 is a diagram showing an exemplary flow of the violence request authentication check in the present embodiment;
FIG. 5 is a flow chart of DTC upload;
FIG. 6 is a flow chart of the malicious serial reset check in the present invention;
fig. 7 is a flowchart of generating an intrusion detection balanced binary tree in this embodiment.
Detailed Description
The following description of the embodiments of the present invention is provided in order to better understand the present invention for those skilled in the art with reference to the accompanying drawings. It is to be expressly noted that in the following description, a detailed description of known functions and designs will be omitted when it may obscure the subject matter of the present invention.
Examples
Fig. 1 is a flowchart of an embodiment of an intrusion detection method for a vehicle-mounted UDS protocol according to the present invention.
As shown in fig. 1, the intrusion detection method for the vehicle-mounted UDS protocol of the present invention specifically includes the steps of:
s101: setting an intrusion detection rule:
in order to realize intrusion detection of the vehicle-mounted UDS protocol, the invention sets intrusion detection rules aiming at the vehicle-mounted UDS protocol, wherein the intrusion detection rules comprise illegal diagnosis request check rules, illegal diagnosis response check rules, diagnosis request validity check rules, violence request authentication check rules, starting DTC active upload check rules and malicious continuous reset check rules. The above intrusion detection rules will be described in detail below.
The illegal diagnosis Request check rule checks and matches the SID in Request data (Request) sent by a Tester to an ECU (Electronic Control Unit) with a preset SID white list in the rule through the preset SID (Security identity) white list actually required, if the SID which is not defined in the white list appears, the Request data is reported to be abnormal, otherwise, the Request data is processed normally.
Fig. 2 is a flowchart illustrating the flow of the illegal diagnosis request check in the present embodiment. As shown in fig. 2, the SID in the white list is defined as 10, 11, 23, 24, 27, 28, 3E, 85. If the diagnostician now sends 11 01 a request for the ECU to simulate a KL30 restart, by comparing the SID in the white list, SID11 is in the preset white list, by checking, the ECU executes the command. If the diagnostic apparatus sends 22F1 87 to read the ECU part number, the SID in the white list is compared, and the SID22 is not in the preset white list, then the intrusion is considered to be detected, and the abnormality is reported.
And (4) an illegal diagnosis response check rule is similar to the previous rule, a white list is preset according to needs, the response ID is matched with the preset response ID in the rule, if an undefined response ID appears, the exception is reported, and otherwise, the request data is processed normally.
The method comprises the steps of setting requirements of SID, field range number (Num), field Position (Position), field Format (Format), reference Value Relation (relationship) and reference Value (Value) in diagnosis request data according to actual requirements, checking whether a certain field range of the request data meets the requirements, reporting an exception if the requirements are not met, and otherwise, normally processing the request data. The rule is a flexible check rule, and the range limit of a certain field of the diagnostic service can be set arbitrarily.
Assume that for a diagnostic session control request of 0x10, the request data for this service is fixed to 2 bytes, the first byte is SID, and the lower 7 bits of the second byte are sub-function, indicating a session to be entered by the ECU. The session defined in the on-board UDS protocol ranges from 0x00 to 0x7F. Common sessions are 0x01, 0x02, 0x03, 0x04, and the rest are reserved bits or self-defined use. In this embodiment, it is assumed that the rule only allows the four sessions with session numbers 01, 02, 03, and 04, and the sessions in the other ranges are not allowed, and if an intrusion is detected, an exception needs to be reported. In this case, by setting rule parameters, a closed-front interval in which a detection target is a diagnostic session control request 0x10 and a session is 01 to 04 is defined, and only sessions 01, 02, 03 and 04 are allowed to pass through detection, and other sessions, namely, intrusion is considered to occur, and an exception is reported. The validity check of the diagnosis request can set rules to check the session range of the session request.
The violence request authentication check rule sets a quantity threshold value and a minimum interval time (MinInterval) of a unit time length (Cycle) of the authority acquisition requests according to actual needs, if the quantity of the authority acquisition requests in the unit time length exceeds the quantity threshold value or the interval time between two authority acquisition requests is less than the minimum interval time, the request data are reported to be abnormal, otherwise, the request data are processed normally.
Some ECUs have some diagnostic services with higher Security level, and before such services are executed, the diagnostic command of Security Access needs to be executed to perform an authentication and authority acquisition process. Fig. 3 is a rights acquisition flow diagram. As shown in fig. 3, the diagnosing party (Tester) requests Seed from the ECU and sends a request command 27. When the ECU judges that the SID is correct, the response command 67 05 01 sends Seed (01) to the diagnostician, and the diagnostician receives the Seed and then sends Key (01 02 03) to the ECU, 27 06 02 0304, and the ECU successfully verifies and sends 67 06. At this time, one authority is successfully acquired, after at least interval MinInterval time, the diagnostic party requests the ECU for a higher authority 27 07 again, the ECU responds to a command 67 07 06 0606, the diagnostic instrument sends Key 27 07 08 09, and the ECU verifies that the transmission 67 is successful. In fig. 3, it can be seen that there are a total of 2 permission request processes in a unit time, and the minimum time interval between two previous requests is MinInterval. Fig. 4 is a flowchart illustrating a procedure of the violence request authentication check in the present embodiment. As shown in fig. 4, if the time interval between two permission requests is too short, an intrusion detection exception is triggered, and if the permission request number exceeds a Threshold (Threshold) set by a rule in a unit time length, the intrusion detection exception is triggered.
The DTC active upload check rule is that if a diagnostic request is received and the DTC active upload is required to be started, exception is reported, otherwise, the request data is processed normally.
Fig. 5 is a flow chart of DTC upload. As shown in fig. 5, most of the diagnostic communication is question-and-answer, and the diagnostician issues a request and the ECU responds. And the service with SID of 0x86 is an exception, after the ECU receives the 0x86 service, when DTC is generated, the ECU automatically reports the generated DTC and related data environment, and the function is in an activated state until another service with SID of 0x86 is used for closing the action of the ECU. The command is generally used in the early development stage of the ECU, and cannot be used in the later use process, so that the intrusion is considered to occur as long as the active uploading instruction of starting the DTC is received, and the abnormality is reported.
And the malicious continuous reset check rule sets an ECU reset request detection frequency threshold except self reset detection according to actual needs, if the ECU reset request detection frequency except self reset detection forwarded by the gateway exceeds the threshold, the gateway reports the abnormality, and otherwise, the gateway normally processes the request data. Fig. 6 is a flow chart of malicious serial reset checking in the present invention. As shown in fig. 6, an instruction with SID of 0x11 may cause the ECU to reset restart through a diagnostic request. The diagnosis request is detected and monitored in real time, the time and the times of each reset request are recorded, if the times of resetting exceed a set threshold value within a specified unit time, namely the high-frequency abnormal reset request occurs, the malicious continuous reset attack is suffered, the abnormality is reported at the moment, and if the times of resetting do not exceed the threshold value, the ECU executes an instruction to reset. It should be noted that this rule is only applicable to the detection of the reset request forwarded by the gateway, and does not include the detection of the reset itself.
S102: configuring an intrusion detection rule for the subnet:
for each subnet in the CAN bus network in the vehicle, a plurality of intrusion detection rules are set for the ECU according to actual needs, each rule is identified by the CAN ID of the ECU, and then the intrusion detection rules of all the subnets are stored.
In this embodiment, in order to perform efficient search in subsequent intrusion detection, the data structure for storing the intrusion detection rules uses a balanced binary tree, that is, a balanced binary tree is generated for each subnet in the in-vehicle CAN bus network, a node of the balanced binary tree is a cannid of the ECU in the subnet, then each intrusion detection rule of the subnet is sequentially read and put into an intrusion detection rule set of a corresponding node in the balanced binary tree, and thus the balanced binary tree for intrusion detection is obtained and stored.
Fig. 7 is a flowchart of generating an intrusion detection balanced binary tree in this embodiment. As shown in fig. 7, in this embodiment, a balanced binary tree is first generated for each subnet, then a rule file header is loaded, each rule is sequentially read, file integrity check is performed first, after the check is successful, an analysis rule is started from the segment No. 0, after a rule is taken out, the rule is added to the AVL tree according to the CANID, after all rules in the segment are read, if multiple segments exist, the next segment is switched to continue analyzing the rule until all rules in all segments are completely analyzed. Since the CANID of the whole vehicle can be repeatedly allocated, but the CANIDs in different network segments cannot be repeatedly allocated, the CANIDs in different network segments can be mounted on different AVL trees, and the indexing efficiency of the CANIDs is improved.
In addition, for the intrusion detection rule set of the nodes in the AVL tree, the intrusion detection rules are stored by adopting a one-way linked list structure, so that the average rule retrieval efficiency is improved.
S103: and (3) intrusion detection:
after the intrusion detection rules are configured, intrusion detection can be performed based on the rules, and the specific method is as follows:
when the diagnosis side sends request data to the ECU, the request data is cached to a cache region of the sub-network to which the ECU belongs, and when an intrusion detection period comes, the following method is adopted to carry out intrusion detection on the request data of each sub-network in sequence: and reading the request data from the cache region of the current subnet, then retrieving and reading all intrusion detection rules of the ECU corresponding to the request data, sequentially adopting all the intrusion detection rules to carry out matching detection on the request data, and after all the request data of the current subnet are detected, jumping to the next subnet until all the cached request data are detected completely.
Although illustrative embodiments of the present invention have been described above to facilitate the understanding of the present invention by those skilled in the art, it should be understood that the present invention is not limited to the scope of the embodiments, and various changes may be made apparent to those skilled in the art as long as they are within the spirit and scope of the present invention as defined and defined by the appended claims, and all matters of the invention which utilize the inventive concepts are protected.
Claims (3)
1. An intrusion detection method for a vehicle-mounted UDS protocol is characterized by comprising the following steps:
s1: setting intrusion detection rules aiming at a vehicle-mounted UDS protocol, wherein the intrusion detection rules comprise illegal diagnosis request check rules, illegal diagnosis response check rules, diagnosis request validity check rules, violence request authentication check rules, starting DTC active upload check rules and malicious continuous reset check rules, and the intrusion detection rules comprise the following steps:
the illegal diagnosis request check rule checks and matches the SID in the request data sent by the ECU from the diagnosis direction with a preset SID white list in the rule through the SID white list which is actually required to be preset, if the SID which is not defined in the white list appears, the abnormal condition is reported, otherwise, the request data are processed normally;
presetting a response ID white list according to actual needs by an illegal diagnosis response check rule, matching a response ID in a diagnosis request with the preset response ID white list in the rule, reporting an exception if an undefined response ID occurs, and otherwise, normally processing request data;
setting requirements of SID, field range quantity, field position, field format, reference value relation and reference value in the diagnosis request data according to actual requirements by the diagnosis request validity check rule, checking whether a certain field range of the request data meets the requirements, reporting an exception if the certain field range does not meet the requirements, and otherwise, normally processing the request data;
the violence request authentication check rule sets a quantity threshold and a minimum interval time of the permission acquisition requests in unit time length according to actual needs, if the quantity of the permission acquisition requests in unit time length exceeds the quantity threshold or the interval time between two permission acquisition requests is less than the minimum interval time, reporting an exception, otherwise, normally processing request data;
the DTC active upload check rule is that if a diagnostic request is received and the DTC active upload is required to be started, exception is reported, otherwise, the request data is processed normally;
setting a detection frequency threshold of the ECU reset request except the self reset detection according to actual needs by a malicious continuous reset check rule, reporting an exception if the detection frequency of the ECU reset request except the self reset detection forwarded by the gateway exceeds the threshold, and otherwise, normally processing the request data;
s2: for each subnet in the CAN bus network in the vehicle, setting a plurality of intrusion detection rules for the ECU according to actual needs, identifying each rule by adopting the CAN ID of the ECU, and then storing the intrusion detection rules of all the subnets;
s3: when the diagnosis side sends request data to the ECU, the request data is cached to a cache region of the sub-network to which the ECU belongs, and when an intrusion detection period comes, the following method is adopted to carry out intrusion detection on the request data of each sub-network in sequence: and reading the request data from the cache region of the current subnet, then retrieving and reading all intrusion detection rules of the ECU corresponding to the request data, sequentially adopting all the intrusion detection rules to carry out matching detection on the request data, and after all the request data of the current subnet are detected, jumping to the next subnet until all the cached request data are detected completely.
2. The intrusion detection method according to claim 1, wherein the data structure stored in the intrusion detection rule in step S2 is a balanced binary tree, that is, a balanced binary tree is generated for each subnet in the in-vehicle CAN bus network, the nodes of the balanced binary tree are the cannid of the ECU in the subnet, and then each intrusion detection rule of the subnet is sequentially read and put into the intrusion detection rule set of the corresponding node in the balanced binary tree, so as to obtain and store the intrusion detection balanced binary tree.
3. The intrusion detection method according to claim 2, wherein the intrusion detection rules in the intrusion detection rule set are stored in a singly linked list structure.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211578502.3A CN115941330A (en) | 2022-12-06 | 2022-12-06 | Intrusion detection method for vehicle-mounted UDS protocol |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211578502.3A CN115941330A (en) | 2022-12-06 | 2022-12-06 | Intrusion detection method for vehicle-mounted UDS protocol |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115941330A true CN115941330A (en) | 2023-04-07 |
Family
ID=86655323
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211578502.3A Pending CN115941330A (en) | 2022-12-06 | 2022-12-06 | Intrusion detection method for vehicle-mounted UDS protocol |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115941330A (en) |
-
2022
- 2022-12-06 CN CN202211578502.3A patent/CN115941330A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3741091B1 (en) | Intrusion anomaly monitoring in a vehicle environment | |
| Seo et al. | GIDS: GAN based intrusion detection system for in-vehicle network | |
| JP2023068037A (en) | Vehicle abnormality detection server, vehicle abnormality detection system, and vehicle abnormality detection method | |
| US10826684B1 (en) | System and method of validating Internet of Things (IOT) devices | |
| CN107454107B (en) | Controller local area network automobile bus alarm gateway for detecting injection type attack | |
| Foruhandeh et al. | SIMPLE: Single-frame based physical layer identification for intrusion detection and prevention on in-vehicle networks | |
| KR102642875B1 (en) | Systems and methods for providing security to in-vehicle networks | |
| US11522878B2 (en) | Can communication based hacking attack detection method and system | |
| CN110505134B (en) | Internet of vehicles CAN bus data detection method and device | |
| CN105320034A (en) | Securely providing diagnostic data from a vehicle to a remote server using a diagnostic tool | |
| US20200183373A1 (en) | Method for detecting anomalies in controller area network of vehicle and apparatus for the same | |
| CN114257986A (en) | Vehicle CAN network attack identification method and device | |
| CN115412279A (en) | Method for preventing network attacks on vehicles and corresponding device | |
| Levy et al. | CAN-LOC: Spoofing detection and physical intrusion localization on an in-vehicle CAN bus based on deep features of voltage signals | |
| Souma et al. | Counter attacks for bus-off attacks | |
| CN115941330A (en) | Intrusion detection method for vehicle-mounted UDS protocol | |
| CN111669352B (en) | Method and device for preventing denial of service attack | |
| WO2023048185A1 (en) | Vehicle security analysis device, method, and program thereof | |
| CN113595958B (en) | Security detection system and method for Internet of things equipment | |
| CN115801375A (en) | Penetration test system and method for vehicle-mounted CAN/CAN FD bus | |
| CN112866270A (en) | Intrusion detection defense method and system | |
| CN115150187B (en) | Vehicle-mounted bus message security detection method and device, vehicle-mounted terminal and storage medium | |
| KR102666283B1 (en) | System and method for monitoring intrusion anomalies in an automotive environment | |
| US20240073201A1 (en) | Vehicle network security | |
| CN117040865A (en) | SecOC communication security event processing method and device and electronic control unit |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |