CN116471062A - Vehicle-mounted network intrusion detection method supporting data privacy protection - Google Patents
Vehicle-mounted network intrusion detection method supporting data privacy protection Download PDFInfo
- Publication number
- CN116471062A CN116471062A CN202310354229.4A CN202310354229A CN116471062A CN 116471062 A CN116471062 A CN 116471062A CN 202310354229 A CN202310354229 A CN 202310354229A CN 116471062 A CN116471062 A CN 116471062A
- Authority
- CN
- China
- Prior art keywords
- data frame
- layer
- data
- category
- attack
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 77
- 238000012549 training Methods 0.000 claims abstract description 82
- 238000000034 method Methods 0.000 claims abstract description 22
- 238000013528 artificial neural network Methods 0.000 claims abstract description 10
- 238000012545 processing Methods 0.000 claims abstract description 6
- 238000011176 pooling Methods 0.000 claims description 58
- 230000004913 activation Effects 0.000 claims description 39
- 230000003213 activating effect Effects 0.000 claims description 20
- 238000013507 mapping Methods 0.000 claims description 15
- 238000012887 quadratic function Methods 0.000 claims description 12
- 238000012360 testing method Methods 0.000 claims description 7
- 238000004364 calculation method Methods 0.000 claims description 6
- 239000000284 extract Substances 0.000 claims description 6
- 238000011156 evaluation Methods 0.000 claims description 4
- 238000012986 modification Methods 0.000 claims description 2
- 230000004048 modification Effects 0.000 claims description 2
- 238000000605 extraction Methods 0.000 abstract description 2
- 230000009545 invasion Effects 0.000 abstract 2
- 239000010410 layer Substances 0.000 description 95
- 238000004891 communication Methods 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000005856 abnormality Effects 0.000 description 2
- 230000006855 networking Effects 0.000 description 2
- 238000007619 statistical method Methods 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 125000004122 cyclic group Chemical group 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 239000002356 single layer Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0464—Convolutional networks [CNN, ConvNet]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/048—Activation functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Artificial Intelligence (AREA)
- Evolutionary Computation (AREA)
- Computer Hardware Design (AREA)
- Biomedical Technology (AREA)
- Biophysics (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Life Sciences & Earth Sciences (AREA)
- Molecular Biology (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Medical Informatics (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention provides a vehicle-mounted network intrusion detection method supporting data privacy protection, which comprises the following steps: collecting real data of a CAN bus of a vehicle, generating data containing invasion by utilizing characteristics of an attack mode, and constructing an invasion detection data set; step two, processing the data in the data set to finish feature extraction; step three, converting the plaintext information into ciphertext information through homomorphic encryption, and training by using a neural network training model; and step four, after training is completed, the detection model sets the weight output by the training model, and intrusion detection is performed. The method and the device can solve the problems that data privacy cannot be protected and detection accuracy is not high in the prior art.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a vehicle-mounted network intrusion detection method supporting data privacy protection.
Background
The intelligent network-connected automobile completes various intelligent decision control by means of the ECUs with complete functions and numerous functions, completes network-connected communication by means of various communication paths such as vehicle-mounted network and workshop communication, and can provide a more convenient and quicker passing mode for human travel.
However, with the development of intelligent and networking of automobiles, the information security problem of intelligent networking automobiles is exposed. Because of the large number of ECUs of the intelligent network connected automobile and poor security of vehicle-mounted network information, the attack surface of hackers for attacking the intelligent network connected automobile is increased, and the life and property security of drivers is challenged unprecedented.
Therefore, an effective vehicle-mounted network intrusion detection system is an important means for protecting the safety and normal running of vehicle communication. The vehicle network intrusion detection is to monitor and check data transmitted in the CAN bus vehicle network, and identify a series of active safety behaviors of abnormal information affecting the normal functions of the vehicle according to the data characteristics, so that malicious attacks of hackers on intelligent network automobiles CAN be prevented.
In the prior art, a physical information method and a statistical method are generally utilized to prevent attacks. The physical information method utilizes the physical hardware characteristics of the ECU and the vehicle-mounted network to analyze, and if abnormality occurs, the characteristics of the ECU and the vehicle-mounted network are changed. The statistical method utilizes the data set to extract the data characteristics and make reasoning, and detects the data according to the characteristics, if abnormality occurs, abnormal characteristics can be generated.
However, the method in the prior art has the problems of incapability of protecting the privacy of data during detection, low detection precision, high false alarm rate, single data and the like.
Disclosure of Invention
Aiming at the problems existing in the prior art, the invention provides a vehicle-mounted network intrusion detection method supporting data privacy protection, which can solve the problems that the data privacy cannot be protected and the detection precision is low in the prior art.
The invention provides a vehicle-mounted network intrusion detection method supporting data privacy protection, which comprises the following specific steps:
step 1, acquiring an intrusion detection data set; dividing the intrusion detection data set into a training set and a test set;
step 2, processing data in the intrusion detection data set to obtain a new data frame;
selecting a specification of a time window; dividing data in a data frame sequence into data frame sub-sequences according to the time stamp in the data frame sequence in the intrusion detection data set according to the specification of the time window; calculating the Hamming distance between the data in each data frame sub-sequence; combining two groups of data with hamming distance values smaller than a distance threshold value according to the sequence of the time stamps, and finishing the two groups of data into a new data frame;
step 3, establishing a privacy-encrypted intrusion detection system model;
establishing a neural network structure, wherein the neural network structure comprises a training model structure and a detection model structure;
homomorphic encryption is carried out on each new data frame to obtain a plurality of ciphertext information;
based on a plurality of ciphertext information of each new data frame in the training set, obtaining a data category of a pre-training model and a weight of the pre-training model by using a training model structure;
training the data category of the pre-training model and the parameters of the pre-training model by utilizing all the new data frames in the step 2 to obtain the weight of the training model;
step 4, intrusion detection;
acquiring all ciphertext information of a data frame to be detected in a test set; inputting all ciphertext information of a data frame to be detected and the weight of a training model into a detection model structure; and acquiring the category of the data frame to be detected based on all ciphertext information of the data frame to be detected and the weight of the training model.
Optionally, the specific steps of acquiring the intrusion detection data set are as follows: acquiring a normal data frame sequence of a normal network data frame; modifying all normal data frames to simulate a network attack mode and obtaining an intrusion detection data set;
the modification mode of modifying all normal data frames to simulate the network attack mode is as follows:
randomly inserting high-priority network data frames into the normal data frame sequence to construct a denial of service attack data frame sequence of the denial of service attack network data frames;
inserting repeated network data frames into the normal data frame sequence according to time to construct a replay attack data frame sequence of replay attack network data frames;
randomly deleting partial network data frames in the normal data frame sequence according to time to construct a lost attack data frame sequence of the lost attack network data frame;
randomly inserting and modifying network data frames which do not accord with a protocol in a normal data frame sequence, and constructing a fuzzy attack sequence of the fuzzy attack network data frames;
and adding the denial of service attack data frame sequence, the replay attack data frame sequence, the loss attack data frame sequence and the fuzzy attack sequence into the normal data frame sequence to obtain an intrusion detection data set.
Optionally, the specific steps of homomorphic encrypting each new data frame to obtain a plurality of ciphertext information are:
inputting the characteristics of the new data frame, and enabling the characteristics of the new data frame to be plaintext information;
from plaintext polynomial ringsMapping to ciphertext polynomial ring ++>Ciphertext information is obtained by encrypting, and the encryption expression is as follows:
wherein Z is t [x]The coefficients representing the polynomial with x as the variable are all integer sets of plaintext moduli t, Z q [x]Coefficients of polynomials with x as variables are integer sets of ciphertext modes q; t is a plaintext modulus, q is a ciphertext modulus; n is plaintext polynomial ring R t n And ciphertext polynomial ring R q n Power of x n +1 is the polynomial modulus, n is the polynomial modulus x n A power of +1; c represents ciphertext information of the characteristics of the new data frame; m is plaintext information; e and s are ciphertext polynomial rings R respectively q n Random noise polynomials of (2); [ a ]] q The coefficient of the polynomial a is reduced by taking the ciphertext modulus q as a modulus, and then the coefficient is valued in a symmetrical interval taking 0 as a center and taking the length as the ciphertext modulus q; h is the public key.
Alternatively, q is a prime number satisfying 2n| (q-1); t is a prime number satisfying 2n| (t-1).
Alternatively, public key h= tgf -1 Wherein f -1 Representing the inverse of the polynomial f, selecting a random polynomial f', g ε R t n Let private key f=tf' +1.
Optionally, the neural network structure comprises a training model structure; the training model structure sequentially comprises a first convolution layer, a first square activation layer, a first pooling layer, a second convolution layer, a second pooling layer, a first full-connection layer, a second square activation layer, a second full-connection layer and a sigmoid activation function layer.
Optionally, the first convolution layer of the training model structure carries out convolution calculation on all ciphertext information of each new data frame, and ciphertext information characteristics of corresponding ciphertext information are extracted; the first square activation layer uses a quadratic function as an activation function, and nonlinear mapping is carried out on all ciphertext information features of each new data frame extracted in the first convolution layer; the first pooling layer calculates the average value of the nonlinear ciphertext information feature adjacent association areas by using an average pooling method as a value of the adjacent association areas after first pooling; the second convolution layer convolves the value of the adjacent association region output by the first pooling layer after the first pooling, and extracts the value characteristic of the adjacent association region; the second pooling layer calculates the average value of the adjacent correlation areas of the value characteristics of the adjacent correlation areas output by the second convolution layer by using an average pooling method as the value of the second pooling of the adjacent correlation areas; the first full-connection layer is connected with the value characteristics of all adjacent associated areas output by the second pooling layer after second pooling to obtain full-data area combination characteristics; the acquired multiple ciphertext information of the new data frame and the combined characteristics of the all data area are completely connected and then input into a second square activating layer; the second square activating layer uses a quadratic function as an activating function, and the first full-connection layer obtains the combined characteristics of all data areas to perform nonlinear mapping; the second full-connection layer is used for completely connecting the nonlinear full-data region combination characteristics output by the second square activation layer with the data classification category to be output to obtain the probability of the category which is possibly generated by the new data frame, and outputting the probability to the sigmoid activation function layer; the sigmoid activation function layer activates the corresponding classification category by using a sigmoid function on the probability of the category where the new data frame possibly appears, and generates the data frame category of the pre-training model and the weight of the pre-training model; the classification categories of the data frames comprise a normal data frame category, a denial of service attack data frame category, a replay attack data frame category, a lost attack data frame category and a fuzzy attack data frame category.
Optionally, the detection model structure comprises a third convolution layer, a third squaring activation layer, a linear pooling layer, a fourth squaring activation layer, and an output layer in order.
Optionally, a third convolution layer of the detection model structure carries out convolution calculation on all ciphertext information of the data frame to be detected, and all ciphertext information characteristics of the data frame to be detected are extracted; the third square activation layer uses a quadratic function as an activation function, and nonlinear mapping is carried out on all ciphertext information features of the data frame to be detected, which are output from the third convolution layer; the linear pooling layer performs weighted summation by using the weight of the training model to output the pooling values of all the ciphertext information characteristic adjacent associated areas of the nonlinear data frame to be detected; transmitting the pooling values of all the ciphertext information characteristic adjacent associated areas of the nonlinear data frame to be detected to a fourth square activating layer, wherein the fourth square activating layer uses a quadratic function as an activating function, and transmitting the pooling values of all the ciphertext information characteristic adjacent associated areas of the nonlinear data frame to be detected output by the linear pooling layer to the output layer through nonlinear mapping; the output layer outputs a weighted sum corresponding to the normal data frame category, the denial of service attack data frame category, the replay attack data frame category, the lost attack data frame category and the fuzzy attack data frame category by using the weight of the training model, and obtains the category of the data frame to be detected according to the value of the weighted sum; the classification categories of the data frames comprise a normal data frame category, a denial of service attack data frame category, a replay attack data frame category, a lost attack data frame category and a fuzzy attack data frame category.
Optionally, after obtaining the training model, detecting the accuracy of the training model, and if the accuracy assessment meets the assessment threshold, the training model meets the requirements.
The invention has at least the following beneficial effects: according to the invention, an intrusion detection model is established according to the information characteristics of the vehicle-mounted network, homomorphic encryption is carried out on detection data, and model training is carried out by utilizing a neural network, so that a high-precision intrusion detection method supporting privacy protection is realized.
In the invention, the technical schemes can be mutually combined to realize more preferable combination schemes. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, like reference numerals being used to refer to like parts throughout the several views.
FIG. 1 is a schematic flow chart of a vehicle-mounted network intrusion detection method of the invention;
FIG. 2 is a schematic diagram of intrusion detection data of a vehicle-mounted network according to the present invention;
FIG. 3 is a schematic diagram of a training model of the present invention;
FIG. 4 is a schematic diagram of a detection model according to the present invention.
Reference numerals:
the first convolution layer 1, the first square activation layer 2, the first pooling layer 3, the second convolution layer 4, the second pooling layer 5, the first full connection layer 6, the second square activation layer 7, the second full connection layer 8, the sigmoid activation function layer 9 and the detection model sequentially comprise a third convolution layer 10, a third square activation layer 11, a linear pooling layer 12, a fourth square activation layer 13 and an output layer 14.
Detailed Description
Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form a part hereof, and together with the description serve to explain the principles of the invention, and are not intended to limit the scope of the invention.
1-4, a vehicle-mounted network intrusion detection method supporting data privacy protection is disclosed, wherein real data of a vehicle CAN bus is collected, intrusion-containing data is generated by utilizing an attack mode and characteristics, and an intrusion detection data set is constructed; processing the data in the data set, completing the conversion of the system and the feature extraction of the full connection layer, and merging the data with similar features; the combined data converts plaintext information into ciphertext information through homomorphic encryption, and training is carried out by utilizing a neural network training model; after training is completed, the detection model sets the weight output by the training model, and intrusion detection is performed; the method specifically comprises the following steps:
step 1, acquiring an intrusion detection data set;
connecting a CAN bus network of a vehicle, and acquiring a normal data frame sequence of normal CAN bus data frames generated in the running process and the stopping process of the vehicle; each frame of normal CAN bus data frame comprises hexadecimal data of a frame starting section, an arbitration section, a control section, a data section, a cyclic check section, a confirmation section and a frame ending section; modifying all normal CAN bus data frames to simulate a CAN bus attack mode and obtaining an intrusion detection data set, wherein the method comprises the following specific steps of:
randomly inserting high-priority CAN bus data frames into the normal data frame sequence, and constructing a denial of service attack data frame sequence of the denial of service attack CAN bus data frames;
inserting repeated CAN bus data frames into the normal data frame sequence according to time to construct a replay attack data frame sequence of replay attack CAN bus data frames;
randomly deleting part of CAN bus data frames in the normal data frame sequence according to time to construct a lost attack data frame sequence of the lost attack CAN bus data frames;
randomly inserting and modifying CAN bus data frames which do not accord with a protocol in a normal data frame sequence, and constructing a fuzzy attack sequence of the fuzzy attack CAN bus data frames;
the method comprises the steps of adding a denial of service attack data frame sequence, a replay attack data frame sequence, a loss attack data frame sequence and a fuzzy attack sequence into a normal data frame sequence to obtain an intrusion detection data set, randomly dividing the intrusion detection data set into a training set and a testing set, wherein data in the training set is used for training a model, and data in the testing set is used for detecting the model.
Step 2, processing the data frames in the intrusion detection data set to obtain new data frames;
converting hexadecimal data frame sequences of the intrusion detection data set into binary data frame sequences so as to improve the dimension of information contained in the data frame sequences and provide a dimension space for subsequent processing; selecting a specification of a time window; dividing data in the binary data frame sequence into data frame sub-sequences according to the time stamp in the data frame sequence according to the specification of the time window; calculating the Hamming distance between the data in each data frame sub-sequence so as to consider similar information in the detection process; combining two groups of data with hamming distance values smaller than a distance threshold value according to the sequence of the time stamps, and finishing the two groups of data into a new data frame; and obtaining the characteristics of the new data frame by using a single-layer perceptron, and enhancing the characteristics of the new data frame.
Step 3, establishing a privacy-encrypted intrusion detection system model;
step 31, homomorphic encryption is carried out on each new data frame to obtain a plurality of ciphertext information;
inputting the characteristics of the new data frame, and enabling the characteristics of the new data frame to be plaintext information;
from plaintext polynomial ringsMapping to ciphertext polynomial ring ++>Ciphertext information is obtained by encrypting, and the encryption expression is as follows:
wherein Z is t [x]The coefficients representing the polynomial with x as the variable are all integer sets of plaintext moduli t, Z q [x]Coefficients of polynomials with x as variables are integer sets of ciphertext modes q; t is a plaintext modulus, q is a ciphertext modulus; n is plaintext polynomial ring R t n And ciphertext polynomial ring R q n Power of x n +1 is the polynomial modulus, n is the polynomial modulus x n A power of +1; c represents ciphertext information of the characteristics of the new data frame; m is plaintext information; e and s are ciphertext polynomial rings R respectively q n Random noise polynomials of (2); [ a ]] q The coefficient of the polynomial a is reduced by taking the ciphertext modulus q as a modulus, and then the coefficient is valued in a symmetrical interval taking 0 as a center and taking the length as the ciphertext modulus q; h is a public key, preferably a random polynomial f', g ε R is chosen t n ,f -1 Representing the inverse of the polynomial f, let private key f=tf' +1, public key h= tgf -1 . Preferably, q is a prime number satisfying 2n| (q-1), t is a prime number satisfying 2n| (t-1), and x is data in a new data frame participating in the encryption process.
Step 32, establishing an intrusion detection system model;
specifically, the intrusion detection system model is of a neural network structure and comprises a training model structure and a detection model structure; the training model structure sequentially comprises a first convolution layer 1, a first square activation layer 2, a first pooling layer 3, a second convolution layer 4, a second pooling layer 5, a first full-connection layer 6, a second square activation layer 7, a second full-connection layer 8 and a sigmoid activation function layer 9; the detection model structure comprises, in order, a third convolution layer 10, a third squaring activation layer 11, a linear pooling layer 12, a fourth squaring activation layer 13 and an output layer 14.
Step 321, enabling the training batch to be the same as the power value of the polynomial modulus, so that data in a complete data frame is input in each training, and the effectiveness of the training and the integrity of the data are ensured;
step 322, building a training model:
acquiring a plurality of ciphertext information of each new data frame in a training set; inputting a plurality of ciphertext information of each new data frame into a training model structure;
the first convolution layer 1 of the training model structure carries out convolution calculation on all ciphertext information of each new data frame, and ciphertext information characteristics of corresponding ciphertext information are extracted; the first square activation layer 2 uses a quadratic function as an activation function, and performs nonlinear mapping on all ciphertext information features of each new data frame extracted in the first convolution layer 1, namely, obtaining nonlinear ciphertext information features corresponding to the new data frame by squaring values of all ciphertext information features; the first pooling layer 3 calculates the average value of the nonlinear ciphertext information feature adjacent association area as the value of the adjacent association area after the first pooling by using an average pooling method, so that the complexity of data can be reduced; the second convolution layer 4 convolves the value of the adjacent association region after the first pooling output by the first pooling layer 3, and extracts the value characteristic of the adjacent association region; the second pooling layer 5 calculates the average value of the adjacent correlation areas of the value characteristics of the adjacent correlation areas output by the second convolution layer 4 by using an average pooling method as the value of the second pooling of the adjacent correlation areas, thereby reducing the complexity of data; the first full-connection layer 6 is connected with the value characteristics of all adjacent associated areas output by the second pooling layer 5 after second pooling to obtain full-data area combination characteristics; the acquired multiple ciphertext information of the new data frame and the combined characteristics of the all data area are completely connected and then input into a second square activating layer 7; the second square activating layer 7 uses a quadratic function as an activating function, and the first full-connection layer 6 obtains full-data area combination characteristics and performs nonlinear mapping, namely, the value square of each full-data area combination characteristic obtains nonlinear full-data area combination characteristics; the second full-connection layer 8 is used for completely connecting the combination characteristics of the nonlinear full-data region output by the second square activation layer 7 with the data classification category to be output to obtain the probability of the category which is likely to appear in the new data frame, and outputting the probability to the sigmoid activation function layer 9; the sigmoid activation function layer 9 uses a sigmoid function to activate the corresponding classification class for the probability of the possible classification of the new data frame, and generates the data class of the pre-training model and the weight of the pre-training model.
It is understood that the data classification categories include a normal data frame category, a denial of service attack data frame category, a replay attack data frame category, a lost attack data frame category, and a fuzzy attack data frame category.
Training the data category of the pre-training model and the parameters of the pre-training model in a batch number by utilizing all the new data frames in the step 2 to obtain a training model and weights of the training model;
step 323, detecting accuracy of the training model, wherein the expression is:
in the formula, ACC is the detection accuracy; TP indicates true positive, which indicates the number of intrusion data correctly classified; TN is true negative and indicates the normal data quantity of correct classification; FP refers to false positives, which are the number of falsely classifying normal data as intrusions; FN refers to false negative, which is the number of wrongly classifying the intrusion data into normal data; FPR refers to false positive rate; FNR refers to false negative rate, F-measure refers to the detection accuracy of the estimated training model;
if the accuracy evaluation meets the evaluation threshold, the training model meets the requirements; weights of the training model are obtained based on the training model meeting accuracy requirements.
Step 4, intrusion detection;
acquiring all ciphertext information of a data frame to be detected in a test set; inputting all ciphertext information of a data frame to be detected and the weight of a training model into a detection model structure; and acquiring the category of the data frame to be detected based on all ciphertext information of the data frame to be detected and the weight of the training model.
The third convolution layer 10 of the detection model structure carries out convolution calculation on all ciphertext information of the data frame to be detected, and extracts all ciphertext information characteristics of the data frame to be detected; the third square activating layer 11 uses a quadratic function as an activating function to perform nonlinear mapping on all ciphertext information features of the data frame to be detected output from the third convolution layer 10; the linear pooling layer 12 performs weighted summation by using the weight of the training model to output the pooling values of all the ciphertext information characteristic adjacent associated areas of the nonlinear data frame to be detected; transmitting the pooling values of all the ciphertext information feature adjacent associated areas of the nonlinear data frame to be detected to a fourth square activating layer 13, wherein the fourth square activating layer 13 uses a quadratic function as an activating function to output the pooling values of all the ciphertext information feature adjacent associated areas of the nonlinear data frame to be detected by the linear pooling layer 12 to be subjected to nonlinear mapping and transmit the pooling values to an output layer 14; the output layer 14 outputs a weighted sum corresponding to the normal data frame category, the denial of service attack data frame category, the replay attack data frame category, the lost attack data frame category, and the fuzzy attack data frame category using the weight of the training model, and acquires the category of the data frame to be detected according to the value of the weighted sum.
Decrypting the data of the data frame to be detected to obtain an original data frame corresponding to the data of the data frame to be detected.
The decryption formula of the data frame to be detected is as follows:
wherein f is a private key; c is ciphertext information; [ a ]] t The coefficient of the polynomial a is expressed by a modulus of plaintext modulus t, and then is valued in a symmetric section of length Wen Moshu t centered at 0.
The invention realizes class division of the data frames to be detected, and realizes detection of the denial of service attack data frame sequence, the replay attack data frame sequence, the lost attack data frame sequence, the fuzzy attack sequence and the normal data frame sequence and data restoration of the data frames to be detected.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention.
Claims (10)
1. A vehicle-mounted network intrusion detection method supporting data privacy protection is characterized by comprising the following specific steps:
step 1, acquiring an intrusion detection data set; dividing the intrusion detection data set into a training set and a test set;
step 2, processing data in the intrusion detection data set to obtain a new data frame;
selecting a specification of a time window; dividing data in a data frame sequence into data frame sub-sequences according to the time stamp in the data frame sequence in the intrusion detection data set according to the specification of the time window; calculating the Hamming distance between the data in each data frame sub-sequence; combining two groups of data with hamming distance values smaller than a distance threshold value according to the sequence of the time stamps, and finishing the two groups of data into a new data frame;
step 3, establishing a privacy-encrypted intrusion detection system model;
establishing a neural network structure, wherein the neural network structure comprises a training model structure and a detection model structure;
homomorphic encryption is carried out on each new data frame to obtain a plurality of ciphertext information;
based on a plurality of ciphertext information of each new data frame in the training set, obtaining a data category of a pre-training model and a weight of the pre-training model by using a training model structure;
training the data category of the pre-training model and the parameters of the pre-training model by utilizing all the new data frames in the step 2 to obtain the weight of the training model;
step 4, intrusion detection;
acquiring all ciphertext information of a data frame to be detected in a test set; inputting all ciphertext information of a data frame to be detected and the weight of a training model into a detection model structure; and acquiring the category of the data frame to be detected based on all ciphertext information of the data frame to be detected and the weight of the training model.
2. The method for intrusion detection of an on-board network according to claim 1, wherein the specific step of acquiring the intrusion detection data set is as follows: acquiring a normal data frame sequence of a normal network data frame; modifying all normal data frames to simulate a network attack mode and obtaining an intrusion detection data set;
the modification mode of modifying all normal data frames to simulate the network attack mode is as follows:
randomly inserting high-priority network data frames into the normal data frame sequence to construct a denial of service attack data frame sequence of the denial of service attack network data frames;
inserting repeated network data frames into the normal data frame sequence according to time to construct a replay attack data frame sequence of replay attack network data frames;
randomly deleting partial network data frames in the normal data frame sequence according to time to construct a lost attack data frame sequence of the lost attack network data frame;
randomly inserting and modifying network data frames which do not accord with a protocol in a normal data frame sequence, and constructing a fuzzy attack sequence of the fuzzy attack network data frames;
and adding the denial of service attack data frame sequence, the replay attack data frame sequence, the loss attack data frame sequence and the fuzzy attack sequence into the normal data frame sequence to obtain an intrusion detection data set.
3. The method for detecting intrusion of a vehicle-mounted network according to claim 1, wherein the step of homomorphic encrypting each new data frame to obtain a plurality of ciphertext information comprises the steps of:
inputting the characteristics of the new data frame, and enabling the characteristics of the new data frame to be plaintext information;
from plaintext polynomial ringsMapping to ciphertext polynomial ring ++>Ciphertext information is obtained by encrypting, and the encryption expression is as follows:
wherein Z is t [x]The coefficients representing the polynomial with x as the variable are all integer sets of plaintext moduli t, Z q [x]Coefficients of polynomials with x as variables are integer sets of ciphertext modes q; t is a plaintext modulus, q is a ciphertext modulus; n is plaintext polynomial ring R t n And ciphertext polynomial ring R q n Power of x n +1 is the polynomial modulus, n is the polynomial modulus x n +1A power of (a); c represents ciphertext information of the characteristics of the new data frame; m is plaintext information; e and s are ciphertext polynomial rings R respectively q n Random noise polynomials of (2); [ a ]] q The coefficient of the polynomial a is reduced by taking the ciphertext modulus q as a modulus, and then the coefficient is valued in a symmetrical interval taking 0 as a center and taking the length as the ciphertext modulus q; h is the public key.
4. A vehicle-mounted network intrusion detection method according to claim 3, wherein q is a prime number satisfying 2n| (q-1); t is a prime number satisfying 2n| (t-1).
5. A vehicle network intrusion detection method according to claim 3, characterised in that the public key h = tgf -1 Wherein f -1 Representing the inverse of the polynomial f, selecting a random polynomial f', g ε R t n Let private key f=tf' +1.
6. The in-vehicle network intrusion detection method according to claim 1, wherein the neural network structure comprises a training model structure; the training model structure sequentially comprises a first convolution layer, a first square activation layer, a first pooling layer, a second convolution layer, a second pooling layer, a first full-connection layer, a second square activation layer, a second full-connection layer and a sigmoid activation function layer.
7. The method for detecting vehicle-mounted network intrusion according to claim 6, wherein the first convolution layer of the training model structure performs convolution calculation on all ciphertext information of each new data frame, and extracts ciphertext information features of corresponding ciphertext information; the first square activation layer uses a quadratic function as an activation function, and nonlinear mapping is carried out on all ciphertext information features of each new data frame extracted in the first convolution layer; the first pooling layer calculates the average value of the nonlinear ciphertext information feature adjacent association areas by using an average pooling method as a value of the adjacent association areas after first pooling; the second convolution layer convolves the value of the adjacent association region output by the first pooling layer after the first pooling, and extracts the value characteristic of the adjacent association region; the second pooling layer calculates the average value of the adjacent correlation areas of the value characteristics of the adjacent correlation areas output by the second convolution layer by using an average pooling method as the value of the second pooling of the adjacent correlation areas; the first full-connection layer is connected with the value characteristics of all adjacent associated areas output by the second pooling layer after second pooling to obtain full-data area combination characteristics; the acquired multiple ciphertext information of the new data frame and the combined characteristics of the all data area are completely connected and then input into a second square activating layer; the second square activating layer uses a quadratic function as an activating function, and the first full-connection layer obtains the combined characteristics of all data areas to perform nonlinear mapping; the second full-connection layer is used for completely connecting the nonlinear full-data region combination characteristics output by the second square activation layer with the data classification category to be output to obtain the probability of the category which is possibly generated by the new data frame, and outputting the probability to the sigmoid activation function layer; the sigmoid activation function layer activates the corresponding classification category by using a sigmoid function on the probability of the category where the new data frame possibly appears, and generates the data frame category of the pre-training model and the weight of the pre-training model; the classification categories of the data frames comprise a normal data frame category, a denial of service attack data frame category, a replay attack data frame category, a lost attack data frame category and a fuzzy attack data frame category.
8. The method of in-vehicle network intrusion detection according to claim 6, wherein the detection model structure comprises, in order, a third convolution layer, a third squaring activation layer, a linear pooling layer, a fourth squaring activation layer, and an output layer.
9. The vehicle-mounted network intrusion detection method according to claim 8, wherein the third convolution layer of the detection model structure carries out convolution calculation on all ciphertext information of the data frame to be detected, and extracts all ciphertext information characteristics of the data frame to be detected; the third square activation layer uses a quadratic function as an activation function, and nonlinear mapping is carried out on all ciphertext information features of the data frame to be detected, which are output from the third convolution layer; the linear pooling layer performs weighted summation by using the weight of the training model to output the pooling values of all the ciphertext information characteristic adjacent associated areas of the nonlinear data frame to be detected; transmitting the pooling values of all the ciphertext information characteristic adjacent associated areas of the nonlinear data frame to be detected to a fourth square activating layer, wherein the fourth square activating layer uses a quadratic function as an activating function, and transmitting the pooling values of all the ciphertext information characteristic adjacent associated areas of the nonlinear data frame to be detected output by the linear pooling layer to the output layer through nonlinear mapping; the output layer outputs a weighted sum corresponding to the normal data frame category, the denial of service attack data frame category, the replay attack data frame category, the lost attack data frame category and the fuzzy attack data frame category by using the weight of the training model, and obtains the category of the data frame to be detected according to the value of the weighted sum; the classification categories of the data frames comprise a normal data frame category, a denial of service attack data frame category, a replay attack data frame category, a lost attack data frame category and a fuzzy attack data frame category.
10. The method for detecting vehicle-mounted network intrusion according to claim 8, wherein after obtaining the training model, accuracy of the training model is detected, and if the accuracy evaluation satisfies the evaluation threshold, the training model satisfies the requirement.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310354229.4A CN116471062A (en) | 2023-04-04 | 2023-04-04 | Vehicle-mounted network intrusion detection method supporting data privacy protection |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310354229.4A CN116471062A (en) | 2023-04-04 | 2023-04-04 | Vehicle-mounted network intrusion detection method supporting data privacy protection |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116471062A true CN116471062A (en) | 2023-07-21 |
Family
ID=87176416
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310354229.4A Pending CN116471062A (en) | 2023-04-04 | 2023-04-04 | Vehicle-mounted network intrusion detection method supporting data privacy protection |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116471062A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116774678A (en) * | 2023-08-24 | 2023-09-19 | 北京航空航天大学 | Intrusion detection method and system for train control system based on transfer learning |
-
2023
- 2023-04-04 CN CN202310354229.4A patent/CN116471062A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116774678A (en) * | 2023-08-24 | 2023-09-19 | 北京航空航天大学 | Intrusion detection method and system for train control system based on transfer learning |
| CN116774678B (en) * | 2023-08-24 | 2023-10-13 | 北京航空航天大学 | Intrusion detection method and system for train control system based on transfer learning |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Qin et al. | Application of controller area network (CAN) bus anomaly detection based on time series prediction | |
| Martinelli et al. | Car hacking identification through fuzzy logic algorithms | |
| Xun et al. | VehicleEIDS: A novel external intrusion detection system based on vehicle voltage signals | |
| Zhang et al. | Federated graph neural network for fast anomaly detection in controller area networks | |
| Kuwahara et al. | Supervised and unsupervised intrusion detection based on CAN message frequencies for in-vehicle network | |
| Gao et al. | Intrusion detection system using SOEKS and deep learning for in-vehicle security | |
| CN113612786A (en) | Intrusion detection system and method for vehicle bus | |
| Nguyen et al. | Transformer-based attention network for in-vehicle intrusion detection | |
| Tanksale | Intrusion detection for controller area network using support vector machines | |
| CN116471062A (en) | Vehicle-mounted network intrusion detection method supporting data privacy protection | |
| Han et al. | PPM-InVIDS: Privacy protection model for in-vehicle intrusion detection system based complex-valued neural network | |
| Aneja et al. | Artificial intelligence based intrusion detection system to detect flooding attack in VANETs | |
| CN116132989B (en) | Industrial Internet security situation awareness system and method | |
| Levy et al. | CAN-LOC: Spoofing detection and physical intrusion localization on an in-vehicle CAN bus based on deep features of voltage signals | |
| Park et al. | G-idcs: Graph-based intrusion detection and classification system for can protocol | |
| CN113162902A (en) | Low-delay and safe vehicle-mounted intrusion detection method based on deep learning | |
| Swessi et al. | A comparative review of security threats datasets for vehicular networks | |
| Sun et al. | Analysis of ID sequences similarity using DTW in intrusion detection for CAN bus | |
| CN114710310B (en) | Method and system for recognizing Tor user access website based on network traffic frequency domain fingerprint | |
| Rumez et al. | Anomaly detection for automotive diagnostic applications based on N-grams | |
| Zhou et al. | A model-based method for enabling source mapping and intrusion detection on proprietary can bus | |
| Agbaje et al. | A framework for consistent and repeatable controller area network ids evaluation | |
| Kumar et al. | CAVIDS: Real time intrusion detection system for connected autonomous vehicles using logical analysis of data | |
| Khatri et al. | Transfer learning-based intrusion detection system for a controller area network | |
| CN117955704A (en) | Attention-based CNN-BiLSTM algorithm Internet of vehicles intrusion detection method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |