CN116192436A - Security event analysis method and device - Google Patents


Info

Publication number: CN116192436A
Application number: CN202211582125.0A
Authority: CN (China)
Prior art keywords: log data, safety, vehicle, extended, security
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 赵志伟
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202211582125.0A
Publication of CN116192436A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F 11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F 11/3072 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks


Abstract

The application provides a security event analysis method and a security event analysis device, and relates to the technical field of network security. The method comprises the following steps: acquiring first safety log data and first audit log data recorded by a vehicle-mounted unit in a target vehicle; acquiring second security log data and second audit log data acquired by road side equipment; performing expansion processing on the first safety log data and the second safety log data to obtain expanded safety log data of the target vehicle; performing expansion processing on the first audit log data and the second audit log data to obtain expanded audit log data of the target vehicle; detecting the extended safety log data and the extended audit log data by utilizing a detection rule of the safety event, and determining whether the target vehicle has safety risk or not; and when the safety risk exists, generating a corresponding safety event according to the safety risk of the target vehicle.

Description

Security event analysis method and device
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and an apparatus for analyzing a security event.
Background
The internet of vehicles is a new direction in the future development of the automotive industry. It integrates the internet of things, the traditional internet, the mobile internet and related technologies and provides intelligent services for intelligent transportation; at the same time, the intelligent transportation system also gives rise to broader security problems. The internet of vehicles has a complex communication architecture, multiple cloud-to-end interaction paths and a long industrial upstream and downstream, and is therefore not free from new potential security hazards. It has become a ubiquitous attack target, as the frequent outbreaks of internet-of-vehicles security incidents illustrate. Therefore, the analysis of internet-of-vehicles security events is an important subject of general attention in the industry.
When security events of the internet of vehicles are analyzed today, the data used come from a single source, so the resulting analysis of the security event is shallow and of low reliability, and it cannot help the user escape alarm fatigue and misleading results.
Therefore, how to analyze internet-of-vehicles security events in depth and improve the security of the internet of vehicles is one of the technical problems to be considered.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for analyzing a security event, which are used for further analyzing the security event of the internet of vehicles, so as to improve the security of the internet of vehicles.
Specifically, the application is realized by the following technical scheme:
according to a first aspect of the present application, there is provided a security event analysis method comprising:
acquiring first safety log data and first audit log data recorded by a vehicle-mounted unit in a target vehicle;
acquiring second security log data and second audit log data acquired by road side equipment;
performing expansion processing on the first safety log data and the second safety log data to obtain expanded safety log data of the target vehicle;
performing expansion processing on the first audit log data and the second audit log data to obtain expanded audit log data of the target vehicle;
detecting the extended safety log data and the extended audit log data by utilizing a detection rule of the safety event, and determining whether the target vehicle has safety risk or not;
and when the safety risk exists, generating a corresponding safety event according to the safety risk of the target vehicle.
According to a second aspect of the present application, there is provided a security event analysis apparatus comprising:
the first acquisition module is used for acquiring first safety log data and first audit log data recorded by a vehicle-mounted unit in the target vehicle;
The second acquisition module is used for acquiring second safety log data and second audit log data acquired by the road side equipment;
the first expansion module is used for carrying out expansion processing on the first safety log data and the second safety log data to obtain expanded safety log data of the target vehicle;
the second expansion module is used for carrying out expansion processing on the first audit log data and the second audit log data to obtain expanded audit log data of the target vehicle;
the detection module is used for detecting and processing the extended safety log data and the extended audit log data by utilizing the detection rule of the safety event and determining whether the target vehicle has safety risk or not;
and the generation module is used for generating a corresponding safety event according to the safety risk of the target vehicle when the safety risk exists.
According to a third aspect of the present application there is provided an electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiments of the present application.
According to a fourth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiment of the application are that:
in the security event analysis method and apparatus, first security log data and first audit log data recorded by an on-board unit in a target vehicle are obtained; second security log data and second audit log data collected by roadside equipment are obtained; the first and second security log data are subjected to extension processing to obtain extended security log data of the target vehicle; the first and second audit log data are subjected to extension processing to obtain extended audit log data of the target vehicle; the extended security log data and the extended audit log data are detected using the detection rule of the security event to determine whether the target vehicle has a security risk; and when a security risk exists, a corresponding security event is generated according to the security risk of the target vehicle. In this method, the security log data and audit log data reported by the on-board unit and the roadside equipment are each extended, and the extended security log data and extended audit log data are then subjected to identification processing to determine whether the target vehicle has a security risk, with a security event generated only when a risk is identified. This not only improves the accuracy of the security risk identification result, but also avoids the false alarms caused by directly reporting each security log as a security event, and so avoids the alarm fatigue into which the user would otherwise fall.
Drawings
Fig. 1 is a flow chart of a security event analysis method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a security event analysis device according to an embodiment of the present application;
fig. 3 is a schematic hardware structure of an electronic device for implementing a security event analysis method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects as described herein.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "when", "upon" or "in response to determining", depending on the context.
The security event analysis method provided in the present application is described in detail below.
Referring to fig. 1, which is a flowchart of the security event analysis method provided in the present application: the method is applied to an electronic device, which may be, but is not limited to, a cloud platform. For convenience of description the method is described below as implemented on the cloud platform, and it may include the following steps:
S101, acquiring first security log data and first audit log data recorded by an on-board unit in a target vehicle.
In this step, to ensure the security of the vehicle in the internet of vehicles, an on-board unit (OBU) is disposed in the vehicle. The on-board unit is the core data interaction device of the intelligent connected system; it is deployed on the vehicle and may acquire, in real time and together with positioning, the first security log data and the first audit log data of the vehicle.
Specifically, the first security log data is produced by an IDPS (intrusion detection and prevention system) deployed in the on-board unit, which detects whether the state of the vehicle's important components is abnormal and detects security alarms of the vehicle by monitoring the network traffic of those components. In addition, the on-board unit provides a series of security functions such as a firewall, intrusion detection and prevention, deep packet inspection and security logging, so that the information security of the vehicle end is ensured.
In addition to the security log produced by the IDPS, a vehicle state audit log may be acquired based on the positioning system and recorded as the first audit log data; this includes, but is not limited to, various logs such as traffic logs. Specifically, while driving, the vehicle communicates with other traffic participants through a V2X communication protocol, where V2X may be, but is not limited to, V2P, V2N, V2I, V2V and the like, and X stands for the unlimited set of possible counterparts. Thus the vehicle can learn which vehicles exist around it, and first audit log data is generated from this.
On the basis, the vehicle-mounted unit can adopt a set communication mode to send the first safety log data and the first audit log data to the cloud platform after generating the first safety log data and the first audit log data. Thus, the cloud platform can acquire the first security log data and the first audit log data.
The set communication method may be, but is not limited to, 5G or a similar communication method for transmission to the cloud platform.
S102, second safety log data and second audit log data acquired by the road side equipment are acquired.
In this step, roadside equipment is arranged in the internet of vehicles, and this roadside equipment accurately acquires the relevant data of vehicles to generate the second security log data and the second audit log data. Specifically, the roadside equipment may include a roadside sensing unit, which provides information such as pedestrians, traffic lights, road conditions, position and time; it also includes a roadside computing unit, which performs edge computing, identifies driving risks, issues local traffic early warnings and reports the driving-risk log through the roadside communication unit. For example, the roadside sensing unit may include a lidar, which acquires information such as the position, speed and heading angle of the vehicle and nearby pedestrians, and also traffic light information. On this basis, the data acquired by the lidar is computed locally inside the roadside computing unit, so that the driving risk of the vehicle can be obtained and the second security log data generated.
In addition, the road side sensing unit records a large amount of audit logs, including but not limited to the position, speed, course angle and surrounding pedestrians of the vehicle, and records signal lamp information.
On the basis, the road side equipment can upload the locally generated second security log data and the second audit log data to the cloud platform through the road side communication unit in the road side equipment.
S103, performing expansion processing on the first safety log data and the second safety log data to obtain the expanded safety log data of the target vehicle.
Specifically, the security log data primarily describes a security alert, such as an attacker initiating a denial-of-service attack on the vehicle. Such logs are preliminary security alarms in which a verdict has already been given. Without additional analysis they could be reported directly to the user as security events, but this may put the user into alarm fatigue, because many alarm logs do not require the user's attention.
In addition, since the first security log data and the second security log data reported by the on-board unit and the roadside equipment can each indicate whether the target vehicle has a security risk, and in order to identify the security risk more accurately, generate a security event and avoid the user alarm fatigue caused by security events generated from alarms that do not need attention, the first security log data and the second security log data are each subjected to extension processing to obtain the extended security log data.
Specifically, when the expansion processing is performed, the cloud knowledge base may be used to expand the first security log data and the second security log data.
The vehicle security knowledge base may include, but is not limited to, vehicle information and historical security data of a vehicle. The vehicle information may include, but is not limited to, vehicle attribute information and user information; the user information may be the vehicle owner, and the vehicle attribute information may include the license plate, the age of the vehicle, the body color and the like. The historical security data may include, but is not limited to, data related to security events that have occurred for the vehicle, for example: the vehicle's vulnerabilities, its number of violations, the area names corresponding to its longitude and latitude, its geographic positions, the attacker's associated IP addresses, the attacker's methods and the like. This data can extend and enrich the acquired security log data.
In addition, the cloud platform can also store attacker threat information, such as information of common IP addresses, domain names, attack types and the like of hacker organizations.
S104, performing expansion processing on the first audit log data and the second audit log data to obtain expanded audit log data of the target vehicle.
Specifically, the audit log is an objectively recorded log without subjective judgment. To enrich the audit log at the cloud end, the cloud platform can follow the extension method used for the security log data, which is not described again here.
S105, detecting the extended safety log data and the extended audit log data by utilizing a detection rule of the safety event, and determining whether the target vehicle has safety risk.
Specifically, the cloud platform also stores a built-in risk identification model, and the cloud platform uses this model to identify and process the extended security log data and the extended audit log data, so that it can be identified whether the security log data reported by the on-board unit (OBU) and the roadside equipment indicate a risk, and the result can be pushed to the vehicle end through the data acquisition and pushing platform of the cloud platform.
It should be noted that, the risk identification model is determined based on the detection rule of the security event.
S106, when the safety risk exists, generating a corresponding safety event according to the safety risk of the target vehicle.
In this step, when the target vehicle is identified as having a security risk based on the extended security log data and the extended audit log data, a corresponding security event may be generated using the extended security log data and the extended audit log data according to the identified security risk.
By implementing the security event analysis method provided by the application, first security log data and first audit log data recorded by an on-board unit in a target vehicle are obtained; second security log data and second audit log data collected by roadside equipment are obtained; the first and second security log data are subjected to extension processing to obtain extended security log data of the target vehicle; the first and second audit log data are subjected to extension processing to obtain extended audit log data of the target vehicle; the extended security log data and the extended audit log data are detected using the detection rule of the security event to determine whether the target vehicle has a security risk; and when a security risk exists, a corresponding security event is generated according to the security risk of the target vehicle. In this method, the security log data and audit log data reported by the on-board unit and the roadside equipment are each extended, and the extended security log data and extended audit log data are then subjected to identification processing to determine whether the target vehicle has a security risk, with a security event generated only when a risk is identified. This not only improves the accuracy of the security risk identification result, but also avoids the false alarms caused by directly reporting each security log as a security event, and so avoids the alarm fatigue into which the user would otherwise fall.
Based on the foregoing embodiment, the first security log data reported by the on-board unit in this embodiment may include, but is not limited to, at least one of the parameters listed in Table 1; Table 1 is only an example and does not constitute a limitation of the first security log data.
TABLE 1
| Parameter name | Meaning | Remarks |
| --- | --- | --- |
| id | Security event message identification | uuid value |
| model_device_code | Device code | Equipment code (straddle carrier type) |
| eventcategory_id | Event type id | |
| code | Event type code | |
| category_name | Event type name | |
| grade | Event type level | |
| vin | Vehicle identification | VIN code |
| vehicle_id | Vehicle id | |
| vehicle_device_id | Vehicle equipment id | |
| eventtime | Event occurrence time | Number of milliseconds |
| ip_src | Attack IP | |
| port_src | Attack port | |
| ip_dst | Attacked IP | |
| port_dst | Attacked port | |
| content | Attack event log content | |
| business_code | Service code | Default: network |
| convergence | Aggregation times | Default: 1 |
| direction | Data flow direction | 0 no direction, 1 in, 2 out; default 0 |
Similarly, the first audit log data reported by the on-board unit may include, but is not limited to, at least one of the following parameters: the flow data message identifier, the vehicle identifier, the cumulative ingress traffic volume, the cumulative egress traffic volume and the like, as shown in Table 2; it should be noted that Table 2 is only an example and does not constitute a limitation of the first audit log data.
TABLE 2
(Table 2 is present on the original page only as images and is not reproduced here; the text above lists its parameters as the flow data message identifier, the vehicle identifier, the cumulative ingress traffic volume and the cumulative egress traffic volume.)
Based on the foregoing embodiment, the second security log data reported by the roadside device in this embodiment may include, but is not limited to, at least one of the parameters shown in Table 3; it should be noted that Table 3 is only an example and does not constitute a limitation of the second security log data.
TABLE 3
| Parameter name | Meaning | Remarks |
| --- | --- | --- |
| id | Security event message identification | uuid value |
| eventcategory_id | Event type id | |
| code | Event type code | |
| category_name | Event type name | |
| grade | Event type level | |
| Vin_code | License plate number | |
| Vin_color | Vehicle body color | |
| eventtime | Event occurrence time | Number of milliseconds |
| content | Event log content | |
| business_code | Service code | Default: network |
Similarly, the second audit log data uploaded by the roadside device may include, but is not limited to, at least one of the following parameters: the audit log message identifier, the license plate number, the body color and the like, as shown in Table 4.
TABLE 4
| Parameter name | Meaning | Remarks |
| --- | --- | --- |
| id | Audit log message identification | uuid value |
| Vin_code | License plate number | |
| Vin_color | Vehicle body color | |
| createtime | Recording time | Number of milliseconds |
| content | Event log content | |
| business_code | Service code | Default: network |
Alternatively, based on any of the above embodiments, in this embodiment, the cloud platform may execute step S103 according to the following procedure: extracting target safety log data corresponding to the vehicle identification from the second safety log data according to the vehicle identification in the first safety log data; utilizing the vehicle identification in the first safety log data to match a vehicle safety knowledge base so as to match historical safety log data and vehicle attribute information of a target vehicle corresponding to the vehicle identification; and generating extended safety log data according to the first safety log data, the target safety log data, the historical safety log data and the vehicle attribute information.
Specifically, the second security log data collected by the roadside device is usually the security log data of every vehicle within the collection range of the roadside device, whereas the first security log data reported by the on-board unit in the target vehicle is the security log data of the target vehicle itself. To analyze whether the target vehicle has a security risk, the security log data of the target vehicle must therefore be screened out of the second security log data. In view of this, this embodiment proposes extracting the vehicle identifier that characterizes the identity of the vehicle from the first security log data, and then extracting from the second security log data the target security log data corresponding to that identifier, i.e. the security log data of the target vehicle collected by the roadside device. Meanwhile, to enrich the security log data of the target vehicle, the vehicle security knowledge base is matched on the vehicle identifier and the historical security log data and vehicle attribute information of the target vehicle are extracted. Extended security log data is then generated from the first security log data, the target security log data, the vehicle attribute information and the historical security log data, which completes the extension processing of the security log data.
It should be noted that, when the historical security log data is extracted from the vehicle security knowledge base, security log data which is relatively close to the time of the current security analysis of the target vehicle can be extracted, so as to ensure the accuracy of the security risk identification result.
Alternatively, based on any of the above embodiments, step S104 may be performed according to the following method in this embodiment: extracting target audit log data corresponding to the vehicle identification from the second audit log data according to the vehicle identification in the first audit log data; matching the vehicle identification in the first audit log data with a vehicle audit knowledge base to match historical audit log data and vehicle attribute information of a target vehicle corresponding to the vehicle identification; and generating extended audit log data according to the first audit log data, the target audit log data, the historical audit log data and the vehicle attribute information.
Specifically, the second audit log data collected by the roadside device is usually the audit log data of every vehicle within the collection range of the roadside device, whereas the first audit log data reported by the on-board unit in the target vehicle is the audit log data of the target vehicle itself. To analyze whether the target vehicle has an audit risk, the audit log data of the target vehicle must therefore be screened out of the second audit log data. In view of this, this embodiment proposes extracting the vehicle identifier that characterizes the identity of the vehicle from the first audit log data, and then extracting from the second audit log data the target audit log data corresponding to that identifier, i.e. the audit log data of the target vehicle collected by the roadside device. Meanwhile, to enrich the audit log data of the target vehicle, the vehicle audit knowledge base is matched on the vehicle identifier and the historical audit log data and vehicle attribute information of the target vehicle are extracted. Extended audit log data is then generated from the first audit log data, the target audit log data, the vehicle attribute information and the historical audit log data, which completes the extension processing of the audit log data.
Notably, when historical audit log data is extracted from the vehicle audit knowledge base, audit log data which is relatively close to the time of the current audit analysis of the target vehicle can be extracted so as to ensure the accuracy of the audit risk identification result.
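The extension procedure of steps S103 and S104 described above, as an added example that is not part of the patent: one Python routine filters the roadside (second) log data down to the target vehicle, looks the vehicle up in a knowledge base for its attributes and for historical logs close in time to the current analysis, and assembles the extended record. The knowledge base layout, the use of the license plate from the vehicle attributes to match the roadside records' Vin_code field against the OBU record's vin, the seven-day history window and the field names of the OBU audit record are assumptions of this example (Table 2 is not reproduced on the page); the other field names follow Tables 1, 3 and 4, and all sample records are constructed.

```python
"""Extension (enrichment) of OBU and roadside log data, steps S103 and S104.

Added example; not the patent's own code. All records are constructed.
"""

# Assumption: the vehicle security/audit knowledge base is keyed by VIN and
# holds vehicle attributes (including the license plate, which is how the
# roadside records, keyed by "Vin_code", are matched) plus historical logs.
KNOWLEDGE_BASE = {
    "LSVAA11111A000001": {
        "attributes": {"plate": "沪A12345", "body_color": "white", "age_years": 3},
        "security_history": [
            {"eventtime": 1_700_000_000_000, "code": "DOS_FLOOD", "ip_src": "198.51.100.7"},
            {"eventtime": 1_600_000_000_000, "code": "PORT_SCAN", "ip_src": "203.0.113.9"},
        ],
        "audit_history": [
            {"createtime": 1_700_000_100_000, "content": "ingress 1.2 MB / egress 0.3 MB"},
        ],
    }
}

# Constructed first (OBU) and second (roadside) security log records, field
# names as in Table 1 and Table 3. The roadside data covers every vehicle
# within range, hence the second vehicle.
FIRST_SECURITY = [
    {"id": "b0c1-obu-1", "vin": "LSVAA11111A000001", "code": "DOS_FLOOD",
     "eventtime": 1_700_000_500_000, "ip_src": "198.51.100.7", "ip_dst": "10.0.0.5",
     "port_dst": 443, "content": "SYN flood against telematics service"},
]
SECOND_SECURITY = [
    {"id": "b0c1-rsu-1", "Vin_code": "沪A12345", "Vin_color": "white", "code": "DOS_FLOOD",
     "eventtime": 1_700_000_500_200, "content": "abnormal V2X message rate"},
    {"id": "b0c1-rsu-2", "Vin_code": "沪B99999", "Vin_color": "black", "code": "PORT_SCAN",
     "eventtime": 1_700_000_500_300, "content": "probe of OBU diagnostic port"},
]
# Constructed audit records; the OBU audit field names are an assumption
# (Table 2 is not reproduced), the roadside fields follow Table 4.
FIRST_AUDIT = [
    {"id": "a0c1-obu-1", "vin": "LSVAA11111A000001", "createtime": 1_700_000_500_000,
     "content": "ingress 41.5 MB / egress 2.0 MB"},
]
SECOND_AUDIT = [
    {"id": "a0c1-rsu-1", "Vin_code": "沪A12345", "createtime": 1_700_000_500_100,
     "content": "speed 61 km/h heading 87 pedestrians 0"},
    {"id": "a0c1-rsu-2", "Vin_code": "沪B99999", "createtime": 1_700_000_500_100,
     "content": "speed 48 km/h heading 92 pedestrians 2"},
]

SEVEN_DAYS_MS = 7 * 24 * 3600 * 1000  # assumed "close in time" window


def extend_logs(first_logs, second_logs, knowledge_base, history_key, time_key, window_ms):
    """Generic extension used for both security (S103) and audit (S104) logs.

    For each OBU record: keep only the roadside records of the same vehicle
    (target logs), attach the vehicle attributes, and attach the historical
    logs whose timestamp lies within window_ms of the record's own timestamp.
    """
    extended = []
    for rec in first_logs:
        entry = knowledge_base.get(rec["vin"], {})
        attributes = entry.get("attributes", {})
        plate = attributes.get("plate")
        target = [s for s in second_logs if plate is not None and s.get("Vin_code") == plate]
        now = rec[time_key]
        history = [h for h in entry.get(history_key, []) if abs(now - h[time_key]) <= window_ms]
        extended.append({**rec, "target_logs": target, "attributes": attributes, "history": history})
    return extended


def extend_security_logs(first, second, knowledge_base=KNOWLEDGE_BASE, window_ms=SEVEN_DAYS_MS):
    """S103: first + target + historical security logs + vehicle attributes."""
    return extend_logs(first, second, knowledge_base, "security_history", "eventtime", window_ms)


def extend_audit_logs(first, second, knowledge_base=KNOWLEDGE_BASE, window_ms=SEVEN_DAYS_MS):
    """S104: the same extension applied to the audit log data."""
    return extend_logs(first, second, knowledge_base, "audit_history", "createtime", window_ms)


if __name__ == "__main__":
    for rec in extend_security_logs(FIRST_SECURITY, SECOND_SECURITY):
        print(rec["vin"], [t["id"] for t in rec["target_logs"]], [h["code"] for h in rec["history"]])
    for rec in extend_audit_logs(FIRST_AUDIT, SECOND_AUDIT):
        print(rec["vin"], [t["id"] for t in rec["target_logs"]], len(rec["history"]))
```

The second vehicle's roadside records and the year-old PORT_SCAN entry are dropped, which is the screening and "close in time" filtering the text describes; a VIN absent from the knowledge base yields an extended record with no target logs, attributes or history rather than an error, so a missing enrichment source degrades to the plain OBU record.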
Based on any of the above embodiments, in one possible embodiment step S105 may be performed as follows: if, according to the detection rule of a security event, that security event is found in the extended security log data, determine whether the same security event is also present in the extended audit log data; if it is, confirm that the target vehicle has a security risk.
Specifically, a risk identification model may be constructed from the rule model of the security event, and risk identification is then performed on the extended security log data and the extended audit log data with that model. For example, if the target vehicle suffers security event A, the OBU should in principle detect security log entry A in the traffic messages of the vehicle's CAN bus, and the accompanying audit log entries A, B and so on should appear at the same time. A risk identification model is built from this detection rule. When step S105 is executed, the risk identification model is invoked to identify the extended security log data and the extended audit log data: if security event A is confirmed in the extended security log data, whether security event A is also present in the extended audit log data is checked next, and if it is, the target vehicle is confirmed to have a security risk and security event A is generated from the extended security log data and extended audit log data of the target vehicle.
If security event A does not exist in the extended audit log data, the target vehicle can be confirmed to have no security risk.
In another possible embodiment, step S105 may also be performed as follows: if, according to the detection rule of a security event, that security event is found in the extended audit log data, determine whether the same security event is also present in the extended security log data; if it is, confirm that the target vehicle has a security risk.
It should be noted that, the implementation of this step may refer to the description of the foregoing embodiments, and will not be described in detail here.
In addition, in yet another possible embodiment, step S105 may be performed as follows: identify the extended audit log data with a learned normal behavior baseline and determine the deviation degree of the extended audit log data from that baseline, the normal behavior baseline having been learned from normal audit log data; if the deviation degree exceeds the set range, determine the matching degree between the extended security log data and a learned abnormal behavior baseline, the abnormal behavior baseline having been learned from abnormal security log data; and if the matching degree falls within the set range, determine that the target vehicle has a security risk.
On this basis, the extended audit log data are identified against the normal behavior baseline, and the degree to which they depart from it is determined and recorded as the deviation degree. Whether the deviation degree exceeds the set range is then judged; if it does, the extended audit log data may carry a security risk. To further ensure the accuracy of the security risk identification result, this embodiment proposes processing the extended security log data as well, namely determining the matching degree between the extended security log data and the abnormal behavior baseline; when the matching degree lies within the set range, the extended security log data are taken to carry a security risk, the security risk of the target vehicle is confirmed, and a security event is generated.
The normal behavior baseline is computed by a machine learning algorithm such as clustering or density estimation over the historical normal audit log data of all vehicles. The audit log data used may include, but are not limited to, several dimensions such as traffic volume, number of outlier messages and access source. Similarly, the abnormal behavior baseline is computed by a machine learning algorithm such as clustering or density estimation over the historical abnormal security log data of all vehicles.
Furthermore, when the detection rule of a security event confirms that the event exists in the extended security log data but not in the extended audit log data, this embodiment further provides the following scheme: identify the extended audit log data with the learned normal behavior baseline and determine the deviation degree of the extended audit log data from it, the normal behavior baseline having been learned from normal audit log data; if the deviation degree exceeds the set range, determine the matching degree between the extended security log data and the learned abnormal behavior baseline, which is learned from abnormal security log data; and if the matching degree falls within the set range, determine that the target vehicle has a security risk.
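The two identification paths above (rule corroboration between security and audit logs, then the behaviour-baseline fallback when a rule fires in the security log without audit corroboration), as an added Python example that is not the patent's code. The rule set, the per-feature mean/standard-deviation normal baseline with the largest |z-score| as deviation degree, the signature-set abnormal baseline with a match fraction as matching degree, the thresholds and the sample records are all assumptions; the patent itself leaves the learning algorithm open (clustering, density estimation).

```python
"""Risk identification over the extended security and audit log data of one
target vehicle: detection-rule corroboration first, behaviour baselines as the
fallback.  Added example; rules, features, thresholds and records are constructed."""
import math

# Constructed extended logs (OBU and RSU records already merged per vehicle).
EXT_SECURITY = [
    {"ts": "2022-12-09T10:00:34", "src": "RSU-21", "signature": "worm_scan", "ports": 312},
    {"ts": "2022-12-09T10:00:36", "src": "RSU-21", "signature": "worm_scan", "ports": 305},
]
EXT_AUDIT = [
    {"ts": "2022-12-09T10:00:05", "src": "RSU-21", "msgs": 120, "outliers": 0, "peers": 1},
    {"ts": "2022-12-09T10:00:35", "src": "RSU-21", "msgs": 980, "outliers": 17, "peers": 1},
]
# Historical normal audit logs and abnormal security logs of all vehicles,
# from which the two baselines are learned (constructed).
NORMAL_AUDIT = [
    {"msgs": 100, "outliers": 0, "peers": 1}, {"msgs": 120, "outliers": 1, "peers": 1},
    {"msgs": 110, "outliers": 0, "peers": 2}, {"msgs": 130, "outliers": 2, "peers": 1},
]
ABNORMAL_SECURITY = [{"signature": "worm_scan"}, {"signature": "bad_cert"}]

# Detection rules: for each security event, the pattern expected in the
# security log and the pattern that should accompany it in the audit log.
RULES = {
    "worm_scan": {
        "security": lambda r: r.get("signature") == "worm_scan",
        "audit": lambda r: r.get("outliers", 0) >= 10 and r.get("msgs", 0) >= 500,
    },
    "rogue_rsu": {
        "security": lambda r: r.get("signature") == "bad_cert",
        "audit": lambda r: str(r.get("src", "")).startswith("UNK"),
    },
}
FEATURES = ("msgs", "outliers", "peers")   # audit dimensions used by the baseline


def rule_events(rules, security, audit):
    """{event: corroborated?} for every event whose security rule fires."""
    found = {}
    for name, rule in rules.items():
        if any(rule["security"](r) for r in security):
            found[name] = any(rule["audit"](r) for r in audit)
    return found


def learn_normal_baseline(normal_audit):
    """Per-feature (mean, std) over normal audit logs; a simple stand-in for
    the clustering / density model the description leaves open."""
    base = {}
    for f in FEATURES:
        xs = [r[f] for r in normal_audit]
        mu = sum(xs) / len(xs)
        sd = math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs)) or 1.0
        base[f] = (mu, sd)
    return base


def deviation_degree(baseline, audit):
    """Largest |z-score| of the audit log's per-feature mean against the baseline."""
    if not audit:
        return 0.0
    worst = 0.0
    for f, (mu, sd) in baseline.items():
        mean = sum(r[f] for r in audit) / len(audit)
        worst = max(worst, abs(mean - mu) / sd)
    return worst


def learn_abnormal_baseline(abnormal_security):
    """Set of signatures seen in historical abnormal security logs."""
    return {r["signature"] for r in abnormal_security}


def matching_degree(abnormal, security):
    """Fraction of security records whose signature is in the abnormal baseline."""
    if not security:
        return 0.0
    return sum(r.get("signature") in abnormal for r in security) / len(security)


def identify_risk(security, audit, rules, normal, abnormal, dev_limit=3.0, match_min=0.5):
    """Return (has_risk, reason) for one vehicle's extended logs."""
    events = rule_events(rules, security, audit)
    corroborated = sorted(e for e, ok in events.items() if ok)
    if corroborated:                      # event seen in both logs: risk confirmed
        return True, "rule:" + ",".join(corroborated)
    dev = deviation_degree(normal, audit)
    if dev <= dev_limit:                  # audit behaviour looks normal: no alarm
        return False, "no corroboration, audit within baseline (dev=%.2f)" % dev
    match = matching_degree(abnormal, security)
    if match >= match_min:                # deviant audit plus abnormal-looking security log
        return True, "baseline:dev=%.2f,match=%.2f" % (dev, match)
    return False, "audit deviates (dev=%.2f) but security log does not match abnormal baseline" % dev


if __name__ == "__main__":
    normal = learn_normal_baseline(NORMAL_AUDIT)
    abnormal = learn_abnormal_baseline(ABNORMAL_SECURITY)
    print(identify_risk(EXT_SECURITY, EXT_AUDIT, RULES, normal, abnormal))
```

The ordering matters for the false-alarm property the description claims: a security-log hit on its own never raises an event, it needs either the audit-side corroboration of its rule or an audit deviation plus an abnormal-baseline match. In a real deployment the thresholds would be fitted per fleet, and the z-score baseline replaced by whatever clustering or density model was trained.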
Based on any of the above embodiments, the security data generated in step S106 may include, but are not limited to, at least one of: the type of the security event, its threat level, its confidence, its source, the victim device, the possible losses, and so on. A handling recommendation for the security event may also be output to the user.
By adopting the security event analysis method provided by any of the embodiments, the accuracy of the security event identification result is improved, and the false alarms that arise from analyzing only security log data, as existing approaches do, are avoided.
For a better understanding of this embodiment, the following example is given. Suppose the roadside device is infected by a worm; because the worm automatically scans for and discovers neighbouring devices and then propagates explosively, the target vehicle may be attacked. The roadside device will then generate audit log data as shown in Table 5. Note that, for privacy protection, the roadside device may only know a desensitized (pseudonymous) number of the target vehicle rather than its specific vehicle information.
TABLE 5 (audit log data generated by the roadside device; shown as an image in the original and not reproduced here)
Similarly, the security log data collected by the roadside device may be as shown in Table 6:
TABLE 6 (security log data collected by the roadside device; shown as an image in the original and not reproduced here)
The audit log data obtained by the on-board unit of the target vehicle may be as shown in Table 7; note that, for privacy protection, the target vehicle may likewise only know the desensitized number of the roadside device.
TABLE 7 (audit log data recorded by the on-board unit; shown as an image in the original and not reproduced here)
Similarly, the security log data recorded by the on-board unit may be as shown in Table 8.
TABLE 8 (security log data recorded by the on-board unit; shown as an image in the original and not reproduced here)
On this basis, the cloud platform performs extension processing on the security log data and audit log data reported by the roadside device and the on-board unit respectively, then performs risk identification on the resulting extended security log data and extended audit log data by any of the methods provided above, and generates a corresponding security event when a security risk of the target vehicle is identified. The accuracy of the security event identification result is thereby improved, and the false alarms that arise in the prior art from analyzing only security log data are avoided.
Based on the same inventive concept, the application also provides a security event analysis device corresponding to the security event analysis method. For the implementation of the device, refer to the above description of the method; it is not repeated here.
Referring to Fig. 2, which shows a security event analysis device according to an exemplary embodiment of the present application, the device includes:
a first acquisition module 201, configured to acquire first security log data and first audit log data recorded by a vehicle-mounted unit in a target vehicle;
a second obtaining module 202, configured to obtain second security log data and second audit log data collected by the roadside device;
The first expansion module 203 is configured to perform expansion processing on the first security log data and the second security log data, so as to obtain expanded security log data of the target vehicle;
the second expansion module 204 is configured to perform expansion processing on the first audit log data and the second audit log data to obtain expanded audit log data of the target vehicle;
the detection module 205 is configured to detect the extended security log data and the extended audit log data by using a detection rule of a security event, and determine whether the target vehicle has a security risk;
and the generating module 206 is configured to generate a corresponding security event according to the security risk of the target vehicle when the security risk exists.
Optionally, based on the foregoing embodiment, in this embodiment, the first expansion module 203 is specifically configured to extract, according to a vehicle identifier in the first security log data, target security log data corresponding to the vehicle identifier from the second security log data; matching a vehicle safety knowledge base by utilizing the vehicle identification in the first safety log data so as to match historical safety log data and vehicle attribute information of the target vehicle corresponding to the vehicle identification; and generating extended safety log data according to the first safety log data, the target safety log data, the historical safety log data and the vehicle attribute information.
Optionally, based on any one of the foregoing embodiments, in this embodiment, the second expansion module 204 is specifically configured to extract, according to a vehicle identifier in the first audit log data, target audit log data corresponding to the vehicle identifier from the second audit log data; matching a vehicle audit knowledge base by using the vehicle identification in the first audit log data to match historical audit log data and vehicle attribute information of the target vehicle corresponding to the vehicle identification; and generating extended audit log data according to the first audit log data, the target audit log data, the historical audit log data and the vehicle attribute information.
Optionally, based on any one of the above embodiments, in this embodiment, the detection module 205 is specifically configured to:
if any security event exists in the extended security log data according to the detection rule of the security event, judging whether the security event exists in the extended audit log data;
if the security event exists in the extended audit log data, confirming that the security risk exists in the target vehicle;
or,
if any security event exists in the extended audit log data according to the detection rule of the security event, judging whether the security event exists in the extended security log data;
And if the safety event exists in the extended safety log data, confirming that the target vehicle has safety risk.
Further, the above detection module 205 is further configured to identify the extended audit log data by using a learned normal behavior baseline if the extended audit log data does not have the security event, and determine a deviation degree of the extended audit log from the normal behavior baseline, where the normal behavior baseline is obtained by learning and establishing the normal audit log data; if the deviation degree exceeds a set degree range, determining the matching degree between the extended safety log data and a learned abnormal behavior baseline, wherein the abnormal behavior baseline is established by learning based on the abnormal safety log data; and if the matching degree is within the set degree range, determining that the target vehicle has safety risk.
Optionally, based on any one of the foregoing embodiments, in this embodiment, the detection module 205 is specifically configured to perform recognition processing on the extended audit log data by using a learned normal behavior baseline, and determine a deviation degree of the extended audit log from the normal behavior baseline, where the normal behavior baseline is obtained by learning and establishing normal extended audit log data; if the deviation degree exceeds a set degree range, determining the matching degree between the extended safety log data and the learned abnormal behavior baseline; and if the matching degree is within the set degree range, determining that the target vehicle has safety risk.
In the security event analysis device described above, the security log data and audit log data reported by the on-board unit and the roadside device are each subjected to extension processing, the resulting extended security log data and extended audit log data are then identified to determine whether the target vehicle has a security risk, and a security event is generated when a risk is identified. This improves the accuracy of the security risk identification result, avoids the false alarms that result from treating every security log entry directly as a security event alarm, and so avoids the alarm fatigue that users suffer when buried in security event alarms.
Based on the same inventive concept, the embodiments of the present application provide an electronic device, which may be, but is not limited to, the cloud platform described above. As shown in fig. 3, the electronic device includes a processor 301 and a machine-readable storage medium 302, the machine-readable storage medium 302 storing a computer program executable by the processor 301, the processor 301 being caused by the computer program to perform the security event analysis method provided by any of the embodiments of the present application. The electronic device further comprises a communication interface 303 and a communication bus 304, wherein the processor 301, the communication interface 303 and the machine readable storage medium 302 perform communication with each other via the communication bus 304.
The communication bus mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration the figure shows only one bold line, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The machine-readable storage medium 302 may be a memory, which may include random access memory (RAM), DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), or non-volatile memory (NVM) such as at least one magnetic disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; or a digital signal processor (DSP), application-specific integrated circuit (ASIC), field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
For the electronic device and the machine-readable storage medium embodiments, the description is relatively simple, and reference should be made to the description of the method embodiments for relevant points, since the method content involved is substantially similar to that of the method embodiments described above.
It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The implementation process of the functions and roles of each unit/module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above described apparatus embodiments are merely illustrative, wherein the units/modules illustrated as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e. may be located in one place, or may be distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (12)

1. A method of security event analysis, comprising:
acquiring first safety log data and first audit log data recorded by a vehicle-mounted unit in a target vehicle;
acquiring second security log data and second audit log data acquired by road side equipment;
performing expansion processing on the first safety log data and the second safety log data to obtain expanded safety log data of the target vehicle;
performing expansion processing on the first audit log data and the second audit log data to obtain expanded audit log data of the target vehicle;
detecting the extended safety log data and the extended audit log data by utilizing a detection rule of the safety event, and determining whether the target vehicle has safety risk or not;
and when the safety risk exists, generating a corresponding safety event according to the safety risk of the target vehicle.
2. The method of claim 1, wherein performing an expansion process on the first security log data and the second security log data to obtain expanded security log data of the target vehicle, comprises:
extracting target safety log data corresponding to the vehicle identification from the second safety log data according to the vehicle identification in the first safety log data;
Matching a vehicle safety knowledge base by utilizing the vehicle identification in the first safety log data so as to match historical safety log data and vehicle attribute information of the target vehicle corresponding to the vehicle identification;
and generating extended safety log data according to the first safety log data, the target safety log data, the historical safety log data and the vehicle attribute information.
3. The method of claim 1, wherein performing an expansion process on the first audit log data and the second audit log data to obtain expanded audit log data for the target vehicle, comprises:
extracting target audit log data corresponding to the vehicle identification from the second audit log data according to the vehicle identification in the first audit log data;
matching a vehicle audit knowledge base by using the vehicle identification in the first audit log data to match historical audit log data and vehicle attribute information of the target vehicle corresponding to the vehicle identification;
and generating extended audit log data according to the first audit log data, the target audit log data, the historical audit log data and the vehicle attribute information.
4. The method of claim 1, wherein detecting the extended security log data and extended audit log data using detection rules for security events to determine whether the target vehicle is at risk for security comprises:
if any security event exists in the extended security log data according to the detection rule of the security event, judging whether the security event exists in the extended audit log data;
if the security event exists in the extended audit log data, confirming that the security risk exists in the target vehicle;
or,
if any security event exists in the extended audit log data according to the detection rule of the security event, judging whether the security event exists in the extended security log data;
and if the safety event exists in the extended safety log data, confirming that the target vehicle has safety risk.
5. The method of claim 4, wherein,
if the security event does not exist in the extended audit log data, the extended audit log data are identified by utilizing a learned normal behavior baseline, the deviation degree of the extended audit log from the normal behavior baseline is determined, and the normal behavior baseline is obtained by learning and establishing the normal audit log data;
If the deviation degree exceeds a set degree range, determining the matching degree between the extended safety log data and a learned abnormal behavior baseline, wherein the abnormal behavior baseline is established by learning based on the abnormal safety log data;
and if the matching degree is within the set degree range, determining that the target vehicle has safety risk.
6. The method of claim 1, wherein detecting the extended security log data and extended audit log data using detection rules for security events to determine whether the target vehicle is at risk for security comprises:
identifying the extended audit log data by utilizing the learned normal behavior base line, and determining the deviation degree of the extended audit log from the normal behavior base line, wherein the normal behavior base line is obtained by learning and establishing the normal extended audit log data;
if the deviation degree exceeds a set degree range, determining the matching degree between the extended safety log data and the learned abnormal behavior baseline;
and if the matching degree is within the set degree range, determining that the target vehicle has safety risk.
7. A security event analysis apparatus, comprising:
the first acquisition module is used for acquiring first safety log data and first audit log data recorded by a vehicle-mounted unit in the target vehicle;
the second acquisition module is used for acquiring second safety log data and second audit log data acquired by the road side equipment;
the first expansion module is used for carrying out expansion processing on the first safety log data and the second safety log data to obtain expanded safety log data of the target vehicle;
the second expansion module is used for carrying out expansion processing on the first audit log data and the second audit log data to obtain expanded audit log data of the target vehicle;
the detection module is used for detecting and processing the extended safety log data and the extended audit log data by utilizing the detection rule of the safety event and determining whether the target vehicle has safety risk or not;
and the generation module is used for generating a corresponding safety event according to the safety risk of the target vehicle when the safety risk exists.
8. The apparatus of claim 7, wherein
the first expansion module is specifically configured to extract, according to a vehicle identifier in the first security log data, target security log data corresponding to the vehicle identifier from the second security log data; matching a vehicle safety knowledge base by utilizing the vehicle identification in the first safety log data so as to match historical safety log data and vehicle attribute information of the target vehicle corresponding to the vehicle identification; and generating extended safety log data according to the first safety log data, the target safety log data, the historical safety log data and the vehicle attribute information.
9. The apparatus of claim 7, wherein
the second expansion module is specifically configured to extract, according to a vehicle identifier in the first audit log data, target audit log data corresponding to the vehicle identifier from the second audit log data; matching a vehicle audit knowledge base by using the vehicle identification in the first audit log data to match historical audit log data and vehicle attribute information of the target vehicle corresponding to the vehicle identification; and generating extended audit log data according to the first audit log data, the target audit log data, the historical audit log data and the vehicle attribute information.
10. The apparatus of claim 7, wherein the detection module is specifically configured to:
if any security event exists in the extended security log data according to the detection rule of the security event, judging whether the security event exists in the extended audit log data;
if the security event exists in the extended audit log data, confirming that the security risk exists in the target vehicle;
or,
if any security event exists in the extended audit log data according to the detection rule of the security event, judging whether the security event exists in the extended security log data;
And if the safety event exists in the extended safety log data, confirming that the target vehicle has safety risk.
11. The apparatus of claim 10, wherein
the detection module is further configured to identify the extended audit log data by using a learned normal behavior baseline if the extended audit log data does not have the security event, and determine a deviation degree of the extended audit log from the normal behavior baseline, where the normal behavior baseline is obtained by learning and establishing the normal audit log data; if the deviation degree exceeds a set degree range, determining the matching degree between the extended safety log data and a learned abnormal behavior baseline, wherein the abnormal behavior baseline is established by learning based on the abnormal safety log data; and if the matching degree is within the set degree range, determining that the target vehicle has safety risk.
12. The apparatus of claim 7, wherein
the detection module is specifically configured to perform recognition processing on the extended audit log data by using a learned normal behavior baseline, determine a deviation degree of the extended audit log from the normal behavior baseline, where the normal behavior baseline is obtained by learning and establishing normal extended audit log data; if the deviation degree exceeds a set degree range, determining the matching degree between the extended safety log data and the learned abnormal behavior baseline; and if the matching degree is within the set degree range, determining that the target vehicle has safety risk.
CN202211582125.0A 2022-12-09 2022-12-09 Security event analysis method and device Pending CN116192436A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211582125.0A CN116192436A (en) 2022-12-09 2022-12-09 Security event analysis method and device


Publications (1)

Publication Number Publication Date
CN116192436A true CN116192436A (en) 2023-05-30

Family

ID=86433392


Country Status (1)

Country Link
CN (1) CN116192436A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination