CN116599688A - Method and system for realizing alarm event reporting on vehicle-mounted fireproof wall based on probe mechanism - Google Patents


Info

Publication number
CN116599688A
Authority
CN
China
Prior art keywords
data
data packet
information
vehicle
firewall
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310299144.0A
Other languages
Chinese (zh)
Inventor
邓宇
何祎凡
张金艳
张启鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SAIC GM Wuling Automobile Co Ltd
Original Assignee
SAIC GM Wuling Automobile Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SAIC GM Wuling Automobile Co Ltd
Priority to CN202310299144.0A
Publication of CN116599688A
Current legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/12 Network monitoring probes
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method and a system for reporting alarm events on a vehicle-mounted firewall based on a probe mechanism, relating to the technical field of the mobile Internet and comprising the following steps: introducing the firewall component probe package into the vehicle system and initializing the firewall component; obtaining data packets from the network card, parsing each network data packet, calling the kernel system API, and searching the policy cache; and generating a related event output log according to the data packet information and the policy hit result, and reporting it to the cloud platform. The method solves the problem that vehicle-mounted firewall alarm logs cannot be perceived and reported in time, which increases the risk of intrusion; the probe program obtains the firewall logs promptly and reports them to the cloud, which facilitates subsequent troubleshooting, repair and updating of the firewall rule policies, and improves vehicle safety.

Description

Method and system for realizing alarm event reporting on vehicle-mounted fireproof wall based on probe mechanism
Technical Field
The application relates to the technical field of the mobile Internet, and in particular to a method for reporting alarm events on a vehicle-mounted firewall based on a probe mechanism.
Background
With the rapid development of intelligent connected vehicles, many vehicles at home and abroad are equipped with firewall technology, which guarantees vehicle information security to a certain extent. The internal and external networks are isolated by building a corresponding network communication monitoring system at the network boundary to block network intrusion from outside. A firewall policy is the set of rules, requirements or filtering terms that the firewall consults; policy information generally includes the source IP address, destination IP address, protocol, destination port and similar fields.
A traditional firewall policy is defined and designed according to the early development requirements and blocks or releases (allows through) data packets during vehicle network communication, but this is a background process that nobody perceives: blocking cannot be updated in time, the content of release policies is easily exploited by network intruders through illegal means to obtain security holes, and the risk of the system being intruded increases.
Therefore, a method for implementing alarm events on the vehicle-mounted firewall based on a probe mechanism is needed, so that the problem that vehicle-mounted firewall alarm logs cannot be perceived and reported in time is solved and the intrusion risk is reduced.
Disclosure of Invention
This section is intended to outline some aspects of embodiments of the application and to briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section as well as in the description of the application and in the title of the application, which may not be used to limit the scope of the application.
The present application has been made in view of the above-described problems.
Therefore, the technical problem solved by the application is as follows: the alarm log of the vehicle-mounted firewall cannot be perceived and reported in time, which increases the risk of intrusion.
In order to solve this technical problem, the application provides the following technical scheme: the method for implementing alarm events on the vehicle-mounted firewall based on a probe mechanism comprises the following steps:
introducing the firewall component probe package into the vehicle system, and initializing the firewall component;
obtaining data packets from the network card, parsing each network data packet, calling the kernel system API, and searching the policy cache;
and judging the threat degree according to the data packet information and the policy hit result, generating a related event output log and reporting it to the cloud platform.
As a preferred scheme of the method for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the firewall component initialization includes:
acquiring the policy contents by calling the policy management component and caching them in RAM; the probe program starts together with the vehicle system, requests rules from the policy management component, the policy management component returns the rules, and the legitimacy of the rule format is checked;
when the rule format check passes, the obtained rules are sent to the cache module, the rules are loaded normally once caching is finished, and the firewall component completes initialization;
when any step of the initialization fails, the probe enters bypass mode, and after entering bypass mode the initialization flow of the probe program is restarted;
in bypass mode the firewall component performs no policy matching, captures input but produces no output, and the system operates normally.
As a preferred scheme of the method for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the method comprises the following steps:
registering packet-processing logic in the framework through the netfilter framework of the Linux kernel network subsystem, and adopting self-learning detection, identification and optimization;
parsing the network data comprises obtaining the source IP, destination IP, source port, destination port and data packet protocol;
calling the kernel system API comprises obtaining, through the kernel system interface, the process ID of the application to which the network data packet belongs, and thereby the identity of that application;
searching the policy cache comprises using the parsed network data packet and the result of the kernel system API call to determine whether the data matches a policy.
As a preferred scheme of the method for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the self-learning detection, identification and optimization is expressed as follows:
where $f_k$ represents the gradient of the objective function, [symbol] represents the deviation measure, [symbol] represents W to $L_k$, $W$ represents the number of identification parameters in the data packet, $L_k$ denotes the Cartesian space coordinates, $\Delta D$ is the difference between the calculated value and the measured value, and $J$ is the sensitivity matrix.
As a preferred scheme of the method for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the method comprises the following steps:
identifying the acquired data and uploading it to the cloud platform; the cloud platform judges whether the acquired data matches information in its database, analyzes and identifies the list type, and, when the information matches the firewall policy whitelist, releases the packet, records the release and stores the release record on the cloud platform;
when the information matches the firewall policy blacklist, the data is intercepted;
and when the information is matched but no record exists, the cloud platform analyzes the number of accesses; when this is the first access, the data is classified into the gray list and operation of the data packet is limited.
As a preferred scheme of the method for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the method comprises the following steps:
analyzing the gray list data packet: parsing the network data packet together with the cloud platform, calling the kernel system API data for comparison, and reporting the gray list information to the cloud platform;
if the data matches an entry in the blacklist, the gray list entry is converted to the blacklist and the data is intercepted;
if the data matches an entry in the whitelist, the gray list entry is converted to the whitelist and the data packet is released;
if the data matches neither the blacklist nor the whitelist, temporary access is allowed while the message information of the access request is acquired, the transmitted data messages are recorded and their characteristics are analyzed; if the message characteristic data packet information is not associated, the connection behavior is judged suspicious, the data information is added to the blacklist, the data is intercepted, and the user is notified of the suspicious behavior and prompted to uninstall;
the message characteristic data packet information being unassociated comprises:
acquiring the gray list data packet's source IP, destination IP, source port, destination port, data packet protocol and the process ID of the application it belongs to; comparing the source IP, destination IP, source port, destination port and protocol with the recorded permission value in the cloud platform database; if the process ID information is inconsistent, judging the behavior suspicious, adding the data packet information to the blacklist, updating the data in the cloud platform blacklist database, and intercepting the data packet;
if the characteristics of the same kind are judged normal, adding the data information to the whitelist, updating the data in the cloud platform whitelist database, and releasing the data packet.
As a preferred scheme of the method for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the threat degree judgment is expressed as follows:

$$A(p_i)=\alpha(1-C_\lambda)+\beta\bigl(a_1(P_c C+P_i I+P_a A)+a_2\,NC+a_3(b_1 Pr+b_2 Cr+b_3 Sr)\bigr)$$

where $p_i$ is the vulnerable state of the node, $C_\lambda$ is the attack complexity, $C$, $I$, $A$ are the confidentiality, integrity and availability values, $NC$ is the node association, $Pr$ and $Cr$ are the node property and node main-body criticality, $\alpha$ and $\beta$ are index weights summing to 1, $a_1$, $a_2$, $a_3$ are index weights summing to 1, $P_c$, $P_i$, $P_a$ are index weights summing to 1, and $b_1$, $b_2$ and $b_3$ are index weights summing to 1;
sorting the attack prediction results by threat degree, generating an unknown-threat report, adding the attack characteristics of the corresponding attack prediction results to the attack knowledge base, and having operation and maintenance personnel upgrade the cloud platform version according to the threat report.
Another object of the present application is to provide a system for reporting alarm events on a vehicle-mounted firewall based on a probe mechanism, which can obtain new policy rules from the cloud and can report firewall alarm logs, so as to solve the current problem that blocking and releasing cannot be updated in time.
In order to solve this technical problem, the application provides the following technical scheme: the system for implementing alarm events on the vehicle-mounted firewall based on a probe mechanism is characterized by comprising the following components:
a data processing module, a cloud platform module and a policy management module;
as a preferred scheme of the system for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the data processing module is a device for parsing data packets, used to obtain data packets from the network card, parse the network data packet, call the kernel system API, search the policy cache and transmit the data to the cloud platform module;
as a preferred scheme of the system for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the cloud platform module is a device for comparing data, used to receive and store the data sent by the data processing module, compare it with the data in the database, and transmit the comparison result to the policy management module;
as a preferred scheme of the system for implementing vehicle-mounted firewall alarm events based on a probe mechanism, the policy management module is a device for performing policy management according to the parsed data, used to divide the data into blacklist data, whitelist data and gray list data according to the comparison result of the cloud platform module, intercept the blacklist data, release the whitelist data, analyze the gray list data, and manage it according to the identification result.
A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method as described above when executing the computer program.
A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method as described above.
The beneficial effects of the application are as follows: the method for implementing alarm events on the vehicle-mounted firewall based on a probe mechanism solves the problem that the alarm log of the vehicle-mounted firewall cannot be perceived and reported in time, which increases the risk of intrusion; the probe program obtains the firewall log promptly and reports it to the cloud, which facilitates subsequent troubleshooting, repair and updating of the firewall rule policies, and improves vehicle safety.
The cloud intuitively reflects and verifies the effective implementation and updating of firewall policies, reduces the operation and maintenance personnel resources invested, lowers cost and increases efficiency.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. Wherein:
FIG. 1 is a flowchart illustrating a method for reporting an alarm event on a vehicle-mounted firewall based on a probe mechanism according to an embodiment of the present application;
FIG. 2 is a block diagram of a system for reporting an alarm event on a vehicle-mounted firewall based on a probe mechanism according to a second embodiment of the present application;
FIG. 3 is a graph showing a comparison between a method for reporting an alarm event on a vehicle-mounted firewall based on a probe mechanism and a conventional method according to a fourth embodiment of the present application;
FIG. 4 is a diagram showing a comparison between a method for reporting an alarm event on a vehicle-mounted firewall based on a probe mechanism and a conventional method for detecting a memory occupancy condition according to a fourth embodiment of the present application;
fig. 5 is a diagram showing a comparison of detection accuracy of a method for reporting an alarm event on a vehicle-mounted firewall based on a probe mechanism according to a fourth embodiment of the present application and a conventional method.
Detailed Description
So that the manner in which the above recited objects, features and advantages of the present application can be understood in detail, a more particular description of the application, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, but the present application may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present application is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the application. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
While the embodiments of the present application have been illustrated and described in detail in the drawings, the cross-sectional view of the device structure is not to scale in the general sense for ease of illustration, and the drawings are merely exemplary and should not be construed as limiting the scope of the application. In addition, the three-dimensional dimensions of length, width and depth should be included in actual fabrication.
Also in the description of the present application, it should be noted that the orientation or positional relationship indicated by the terms "upper, lower, inner and outer", etc. are based on the orientation or positional relationship shown in the drawings, are merely for convenience of describing the present application and simplifying the description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present application. Furthermore, the terms "first, second, or third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected, and coupled" should be construed broadly in this disclosure unless otherwise specifically indicated and defined, such as: can be fixed connection, detachable connection or integral connection; it may also be a mechanical connection, an electrical connection, or a direct connection, or may be indirectly connected through an intermediate medium, or may be a communication between two elements. The specific meaning of the above terms in the present application will be understood in specific cases by those of ordinary skill in the art.
Example 1
Referring to fig. 1, one embodiment of the present application provides a method for implementing vehicle-mounted firewall alarm events based on a probe mechanism, including:
introducing the firewall component probe package into the vehicle system, and initializing the firewall component;
obtaining data packets from the network card, parsing each network data packet, calling the kernel system API, and searching the policy cache;
the firewall component initialization includes: obtaining the policy content by calling the policy management component and caching it in RAM (random access memory) to speed up rule matching; the probe program starts together with the vehicle system, requests rules from the policy management component, the policy management component returns the rules, and the legitimacy of the rule format is checked;
when the rule format check passes, the obtained rules are sent to the cache module, the rules are loaded normally once caching is finished, and the firewall component completes initialization;
when any step of the initialization fails, the probe enters bypass mode, and after entering bypass mode the initialization flow of the probe program is restarted;
in bypass mode the firewall component performs no policy matching, captures input but produces no output, and the system operates normally.
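The initialization flow above (rule request, format check, caching in RAM, bypass mode on failure, retry) is easy to get wrong in the failure branches, so here is an added example of it in Python. It is not code from the patent or from SAIC GM Wuling; the rule schema (5-tuple fields plus an `action`, with `"*"` as a wildcard), the three-attempt retry and the `fetch_rules` callback that stands in for the policy management component are all assumptions. This block serves both the disclosure's description of initialization and the description in Example 1.

```python
"""Added example (not the patent's code): probe initialization that requests
rules from a policy manager, checks their format, caches them in RAM, and
falls back to bypass mode (no matching, no output) when any step fails."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List

# Assumed rule schema: 5-tuple fields plus an action; "*" is a wildcard.
REQUIRED_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "action")
VALID_PROTOS = {"tcp", "udp", "icmp", "*"}
VALID_ACTIONS = {"allow", "block"}
MATCH_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")


def _valid_ip(value) -> bool:
    if value == "*":
        return True
    try:
        ipaddress.ip_network(value, strict=False)   # accepts a host or a CIDR block
        return True
    except ValueError:
        return False


def _valid_port(value) -> bool:
    return value == "*" or (isinstance(value, int) and 0 <= value <= 65535)


def validate_rule(rule: dict) -> bool:
    """Rule-format legitimacy check: every field present and well-typed.
    Rejecting a malformed rule here keeps a corrupt policy out of the cache."""
    if not isinstance(rule, dict) or any(k not in rule for k in REQUIRED_FIELDS):
        return False
    return (_valid_ip(rule["src_ip"]) and _valid_ip(rule["dst_ip"])
            and _valid_port(rule["src_port"]) and _valid_port(rule["dst_port"])
            and rule["proto"] in VALID_PROTOS and rule["action"] in VALID_ACTIONS)


@dataclass
class ProbeState:
    mode: str = "bypass"                               # "active" or "bypass"
    cache: List[dict] = field(default_factory=list)    # rules held in RAM, in policy order


def initialize(fetch_rules: Callable[[], List[dict]], max_attempts: int = 3) -> ProbeState:
    """Run the initialization flow; on any failure stay in bypass mode and
    restart the flow (assumed: at most max_attempts restarts)."""
    state = ProbeState()
    for _ in range(max_attempts):
        try:
            rules = fetch_rules()                      # request rules from the policy manager
        except Exception:
            continue                                   # request failed: stay in bypass, retry
        if not rules or not all(validate_rule(r) for r in rules):
            continue                                   # format check failed: stay in bypass, retry
        state.cache = list(rules)                      # hand the rules to the cache module
        state.mode = "active"                          # initialization complete
        break
    return state


def lookup(cache: List[dict], pkt: dict) -> str:
    """First-match search of the cached rules; 'no_hit' leaves the decision to later stages."""
    for rule in cache:
        if all(rule[k] == "*" or rule[k] == pkt[k] for k in MATCH_FIELDS):
            return rule["action"]
    return "no_hit"


def process_packet(state: ProbeState, pkt: dict) -> str:
    """Bypass mode captures input but performs no policy matching and emits nothing."""
    if state.mode == "bypass":
        return "pass"
    return lookup(state.cache, pkt)


if __name__ == "__main__":
    good = [{"src_ip": "*", "dst_ip": "10.0.0.5", "src_port": "*",
             "dst_port": 443, "proto": "tcp", "action": "allow"}]   # constructed rule
    print(initialize(lambda: good).mode)            # active
    print(initialize(lambda: [{"bad": 1}]).mode)    # bypass
```

The design point worth noticing is that bypass mode is fail-open: the probe stops matching but the vehicle keeps communicating, so a probe that silently stays in bypass after a bad rule push is itself a condition worth reporting to the cloud.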
Packet-processing logic is registered in the framework through the netfilter framework of the Linux kernel network subsystem, and a self-learning detection, identification and optimization algorithm is adopted;
the self-learning detection, identification and optimization algorithm is expressed as:
where $f_k$ represents the gradient of the objective function, [symbol] represents the deviation measure, [symbol] represents W to $L_k$, $W$ represents the number of identification parameters in the data packet, $L_k$ denotes the Cartesian space coordinates, $\Delta D$ is the difference between the calculated value and the measured value, and $J$ is the sensitivity matrix.
Parsing the network data comprises obtaining the source IP, destination IP, source port, destination port and data packet protocol;
calling the kernel system API comprises obtaining, through the kernel system interface, the process ID of the application to which the network data packet belongs, and thereby the identity of that application;
searching the policy cache comprises using the parsed network data packet and the result of the kernel system API call to determine whether the data matches a policy.
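The three steps just listed (parse the 5-tuple, resolve the owning process, search the cache) are shown below as an added Python example; it is not the patent's code and it runs in user space rather than as a netfilter hook. The kernel interface that maps a socket to a process ID is replaced by a constructed socket table, the cache is an exact-match dictionary keyed on the 5-tuple, and the packet bytes are built by a helper in the block; all of these are assumptions. It serves both the disclosure's and Example 1's description of this stage.

```python
"""Added example (not the patent's code): parse a raw IPv4 packet into its
5-tuple, resolve the owning process from a socket table, and search an
in-RAM policy cache keyed on the 5-tuple."""
import socket
import struct
from typing import Dict, NamedTuple, Optional, Set, Tuple


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_packet(raw: bytes) -> Optional[FiveTuple]:
    """Extract the 5-tuple from an IPv4 datagram (no link-layer header).
    Returns None for anything that is not a well-formed IPv4 TCP/UDP packet,
    so a malformed frame never reaches policy matching with garbage fields."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes
    proto_num = raw[9]
    if ihl < 20 or len(raw) < ihl + 4 or proto_num not in PROTO_NAMES:
        return None
    src_ip = socket.inet_ntoa(raw[12:16])
    dst_ip = socket.inet_ntoa(raw[16:20])
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])   # first 4 bytes of TCP/UDP header
    return FiveTuple(src_ip, dst_ip, src_port, dst_port, PROTO_NAMES[proto_num])


def build_ipv4_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                      proto_num: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: a minimal 20-byte IPv4 header followed by the
    port fields of the transport header (checksums left zero; only the 5-tuple matters)."""
    total = 20 + 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto_num, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header + struct.pack("!HH", src_port, dst_port) + payload


# Stand-in for the kernel interface: (local_ip, local_port, proto) -> pid (assumption).
SocketTable = Dict[Tuple[str, int, str], int]


def owner_pid(ft: FiveTuple, table: SocketTable, local_ips: Set[str]) -> Optional[int]:
    """Resolve the application behind the packet: the local endpoint is the
    source for outbound traffic and the destination for inbound traffic."""
    if ft.src_ip in local_ips:
        return table.get((ft.src_ip, ft.src_port, ft.proto))
    return table.get((ft.dst_ip, ft.dst_port, ft.proto))


def search_cache(cache: Dict[FiveTuple, str], ft: FiveTuple) -> Optional[str]:
    """Exact-match lookup in the RAM policy cache; None means no policy hit."""
    return cache.get(ft)


def inspect(raw: bytes, cache: Dict[FiveTuple, str], table: SocketTable,
            local_ips: Set[str]) -> dict:
    """One pass of the probe's data path: parse -> resolve pid -> search cache."""
    ft = parse_packet(raw)
    if ft is None:
        return {"tuple": None, "pid": None, "hit": None, "error": "unparseable"}
    return {"tuple": ft, "pid": owner_pid(ft, table, local_ips),
            "hit": search_cache(cache, ft), "error": None}


if __name__ == "__main__":
    # Constructed sample: an outbound HTTPS connection from the vehicle's IVI address.
    raw = build_ipv4_packet("192.168.1.10", "203.0.113.5", 51000, 443, 6)
    ft = parse_packet(raw)
    print(inspect(raw, {ft: "allow"}, {("192.168.1.10", 51000, "tcp"): 1234}, {"192.168.1.10"}))
```

Keying the cache on the full 5-tuple is what makes the RAM lookup O(1); the wildcard rules of the policy manager would be expanded into, or consulted after, this exact-match table.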
Determining whether the data matches includes: identifying the acquired data, identifying it against the blacklist and whitelist, and raising an alarm according to the identification result.
Identifying the acquired data includes: uploading the acquired data to the cloud platform; the cloud platform judges whether the data matches information in its database, analyzes and identifies the list type, and, when the information matches the firewall policy whitelist, releases the data packet, records the release and stores the release record on the cloud platform;
when the information matches the firewall policy blacklist, the data is intercepted;
and when the information is matched but no record exists, the cloud platform analyzes the number of accesses; when this is the first access, the data is classified into the gray list and operation of the data packet is limited.
Limiting packet operation includes: analyzing the gray list data packet, parsing the network data packet together with the cloud platform, calling the kernel system API data for comparison, and reporting the gray list information to the cloud platform;
if the data matches an entry in the blacklist, the gray list entry is converted to the blacklist and the data is intercepted;
if the data matches an entry in the whitelist, the gray list entry is converted to the whitelist and the data packet is released;
if the data matches neither the blacklist nor the whitelist, temporary access is allowed while the message information of the access request is acquired, the transmitted data messages are recorded and their characteristics are analyzed; if the message characteristic data packet information is not associated, the connection behavior is judged suspicious, the data information is added to the blacklist, the data is intercepted, and the user is notified of the suspicious behavior and prompted to uninstall.
The message characteristic data packet information being unassociated comprises: acquiring the gray list data packet's source IP, destination IP, source port, destination port, data packet protocol and the process ID of the application it belongs to; comparing the source IP, destination IP, source port, destination port and protocol with the recorded permission value in the cloud platform database; if the process ID information is inconsistent, judging the behavior suspicious, adding the data packet information to the blacklist, updating the data in the cloud platform blacklist database, and intercepting the data packet;
if the characteristics of the same kind are judged normal, adding the data information to the whitelist, updating the data in the cloud platform whitelist database, and releasing the data packet.
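The whitelist / blacklist / gray list decisions described above form a small state machine per flow, which the following added Python example implements. It is not the patent's code: the cloud platform database is a constructed in-memory object, the "recorded permission value" is modeled as the process ID seen on a flow's first access, and the message characteristic analysis is reduced to the one concrete criterion the text gives (process ID consistency). The block covers both the disclosure's and Example 1's description of this stage.

```python
"""Added example (not the patent's code): whitelist / blacklist / gray-list
decision stage, with the gray-list re-check against the recorded permission value."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, int, str]   # (src_ip, dst_ip, src_port, dst_port, proto)


@dataclass
class CloudDB:
    """Constructed stand-in for the cloud platform database (assumption)."""
    whitelist: Dict[Flow, int] = field(default_factory=dict)   # flow -> permitted pid
    blacklist: Set[Flow] = field(default_factory=set)
    graylist: Dict[Flow, int] = field(default_factory=dict)    # flow -> pid recorded on first access
    access_count: Dict[Flow, int] = field(default_factory=dict)
    release_log: List[Tuple[Flow, int]] = field(default_factory=list)
    notices: List[str] = field(default_factory=list)            # user notifications


def classify(db: CloudDB, flow: Flow, pid: int) -> str:
    """Return 'release' (allow through), 'intercept' (drop) or 'limit' (gray list)."""
    db.access_count[flow] = db.access_count.get(flow, 0) + 1
    if flow in db.blacklist:                       # blacklist hit: intercept
        return "intercept"
    if flow in db.whitelist:                       # whitelist hit: release and record it
        db.release_log.append((flow, pid))
        return "release"
    if flow in db.graylist:                        # known gray flow: analyze it
        return reevaluate_gray(db, flow, pid)
    # Matched nowhere and no record: first access goes to the gray list, operation limited.
    db.graylist[flow] = pid
    return "limit"


def reevaluate_gray(db: CloudDB, flow: Flow, pid: int) -> str:
    """Gray-list analysis. The association criterion modeled here is whether the
    process ID agrees with the recorded permission value for the 5-tuple:
    inconsistent -> suspicious, move to blacklist, intercept and notify the user;
    consistent -> move to whitelist and release."""
    recorded_pid = db.graylist.pop(flow)
    if pid != recorded_pid:
        db.blacklist.add(flow)
        db.notices.append(
            f"suspicious connection {flow}: pid {pid} != recorded {recorded_pid}; "
            "user prompted to uninstall")
        return "intercept"
    db.whitelist[flow] = pid
    db.release_log.append((flow, pid))
    return "release"


if __name__ == "__main__":
    db = CloudDB()
    f = ("192.168.1.10", "203.0.113.5", 51000, 443, "tcp")   # constructed flow
    print(classify(db, f, 1234))   # limit   (first access -> gray list)
    print(classify(db, f, 1234))   # release (same pid -> whitelist)
    print(classify(db, f, 9999))   # release (already whitelisted)
```

Note that once a flow is whitelisted the process ID is no longer re-checked; a deployment that wants to catch a different process reusing a whitelisted 5-tuple would compare `pid` against `whitelist[flow]` on every hit rather than only during the gray-list phase.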
The threat degree is judged according to the data packet information and the policy hit result, a related event output log is generated and reported to the cloud platform.
Judging the threat degree is expressed as:

$$A(p_i)=\alpha(1-C_\lambda)+\beta\bigl(a_1(P_c C+P_i I+P_a A)+a_2\,NC+a_3(b_1 Pr+b_2 Cr+b_3 Sr)\bigr)$$

where $p_i$ is the vulnerable state of the node, $C_\lambda$ is the attack complexity, $C$, $I$, $A$ are the confidentiality, integrity and availability values, $NC$ is the node association, $Pr$ and $Cr$ are the node property and node main-body criticality, $\alpha$ and $\beta$ are index weights summing to 1, $a_1$, $a_2$, $a_3$ are index weights summing to 1, $P_c$, $P_i$, $P_a$ are index weights summing to 1, and $b_1$, $b_2$ and $b_3$ are index weights summing to 1;
the attack prediction results are sorted by threat degree, an unknown-threat report is generated, the attack characteristics of the corresponding attack prediction results are added to the attack knowledge base, and operation and maintenance personnel upgrade the cloud platform version according to the threat report.
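The threat-degree formula and the ranking step that follows it are carried through in the added Python example below. It is not the patent's code. The page gives no numeric weights (only that each weight group sums to 1), so the values in `DEFAULT_WEIGHTS`, the node inputs, the range checks and the field names of the alarm-event record are all assumptions; $Sr$ is carried as a third node term because it appears in the formula, although the page does not define it. The block serves both the disclosure's and Example 1's statement of the formula.

```python
"""Added example (not the patent's code): threat-degree scoring A(p_i) from the
formula above, with weight-group validation, ranking of predicted attacks, and
an alarm-event record of the kind the probe reports to the cloud platform."""
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class NodeAssessment:
    node: str
    c_lambda: float   # C_λ, attack complexity (assumed scaled to [0,1])
    c: float          # confidentiality impact value
    i: float          # integrity impact value
    a: float          # availability impact value
    nc: float         # NC, node association
    pr: float         # Pr, node property
    cr: float         # Cr, node main-body criticality
    sr: float         # Sr, third node term (not defined further on the page)


# Assumed weights: the page only states that each group sums to 1.
DEFAULT_WEIGHTS = {
    "alpha": 0.4, "beta": 0.6,
    "a": (0.5, 0.2, 0.3),   # a1, a2, a3
    "p": (0.4, 0.3, 0.3),   # P_c, P_i, P_a
    "b": (0.4, 0.3, 0.3),   # b1, b2, b3
}


def _weights_ok(*ws: float) -> bool:
    return all(0.0 <= w <= 1.0 for w in ws) and abs(sum(ws) - 1.0) < 1e-9


def threat_degree(n: NodeAssessment, w: Dict = DEFAULT_WEIGHTS) -> float:
    """A(p_i) = α(1-C_λ) + β(a1(Pc C + Pi I + Pa A) + a2 NC + a3(b1 Pr + b2 Cr + b3 Sr))."""
    alpha, beta = w["alpha"], w["beta"]
    a1, a2, a3 = w["a"]
    pc, pi_, pa = w["p"]
    b1, b2, b3 = w["b"]
    if not (_weights_ok(alpha, beta) and _weights_ok(a1, a2, a3)
            and _weights_ok(pc, pi_, pa) and _weights_ok(b1, b2, b3)):
        raise ValueError("every weight group must lie in [0, 1] and sum to 1")
    cia = pc * n.c + pi_ * n.i + pa * n.a
    node_term = b1 * n.pr + b2 * n.cr + b3 * n.sr
    return alpha * (1.0 - n.c_lambda) + beta * (a1 * cia + a2 * n.nc + a3 * node_term)


def threat_report(nodes: List[NodeAssessment], w: Dict = DEFAULT_WEIGHTS) -> List[Dict]:
    """Rank attack predictions by threat degree, highest first (the unknown-threat report)."""
    scored = sorted(((threat_degree(n, w), n) for n in nodes),
                    key=lambda t: t[0], reverse=True)
    return [{"rank": k + 1, "node": n.node, "threat_degree": round(s, 4)}
            for k, (s, n) in enumerate(scored)]


def alarm_event(node: str, flow: dict, policy_hit: str, degree: float) -> str:
    """JSON event record for the cloud platform (field names are assumptions)."""
    return json.dumps({"event": "firewall_alarm", "node": node, "flow": flow,
                       "policy_hit": policy_hit, "threat_degree": round(degree, 4)},
                      sort_keys=True)


if __name__ == "__main__":
    # Constructed assessments: a fully exposed node and a hard-to-reach, low-impact one.
    nodes = [NodeAssessment("ivi", 0.2, 1, 1, 1, 0.5, 1, 1, 1),
             NodeAssessment("tbox", 0.9, 0, 0, 0, 0, 0, 0, 0)]
    for row in threat_report(nodes):
        print(row)
    print(alarm_event("ivi", {"dst_ip": "203.0.113.5", "dst_port": 443}, "blacklist",
                      threat_degree(nodes[0])))
```

Validating that each weight group sums to 1 before scoring matters in practice: the formula is only comparable across nodes when the weights are normalized, and a mis-pushed weight table would otherwise silently reorder the report.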
Example 2
Referring to fig. 2, one embodiment of the present application provides a system for implementing vehicle-mounted firewall alarm events based on a probe mechanism, including:
a data processing module 100, a cloud platform module 200 and a policy management module 300;
the data processing module 100 is a device for analyzing a data packet, and is configured to obtain the data packet on a network card, analyze the network data packet, call an API of a kernel system, search a policy cache, and transmit the data to the cloud platform module 200;
the cloud platform module 200 is a device for comparing data, and is configured to receive and store the data stored by the data processing module 100, compare the data with the data in the database, and transmit the comparison result to the policy management module 300;
the policy management module 300 is a device for performing policy management according to the parsed data, and is configured to divide the data into blacklist data, whitelist data and gray list data according to the comparison result of the cloud platform module 200, intercept the blacklist data, perform release operation on the whitelist data, analyze the gray list data, and manage according to the recognition result after recognition.
Example 3
One embodiment of the present application, which is different from the first two embodiments, is:
the functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, a processor-containing system, or another system that can fetch the instructions from the instruction execution system, apparatus, or device and execute them. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, as the program may be electronically captured, for instance via optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it may be implemented using any one or a combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), and the like.
Example 4
Referring to fig. 3-5, in order to verify the beneficial effects of the present application, the method for reporting an alarm event on a vehicle-mounted firewall based on a probe mechanism is demonstrated through economic benefit calculation and simulation experiments.
In this embodiment, a specific use experiment is performed on the method of the present application. In a preset, identical experimental environment, 15 experiments are run on the existing conventional method and on the method of the present embodiment; for the algorithm of the above embodiment, its economic benefit is measured, and the experimental results are shown in fig. 3-5:
As shown in fig. 3, when the number of data packets to be detected increases, the conventional method cannot keep to its initial detection time, and its time consumption increases greatly compared with the method of the present application. As shown in fig. 4, when the number of data packets to be detected increases, the memory occupancy ratio rises while consumption is reduced. As shown in fig. 5, when the number of data packets to be detected increases, the detection accuracy of the present method is greatly improved compared with that of the conventional method.
When many data packets are detected, the effect achieved by the present method cannot be achieved by the traditional method: potential risks can be found in advance, the repair cost is reduced, the application safety of the vehicle-mounted system is ensured, and the problem that the vehicle-mounted firewall alarm log cannot be perceived and reported in time, which increases the intrusion risk, is effectively solved. With the present method, the firewall log can be obtained in time through the probe program and reported to the cloud, which facilitates subsequent problem solving and the repair and updating of firewall rule policies, and improves the safety of the vehicle.
The comparison experiment confirms that the identification speed of data packets by the method provided by the application is obviously improved; compared with the prior art, the data packet processing efficiency is obviously improved and the time spent is reduced. Meanwhile, the method offers real-time performance and greatly reduces the error rate.
It should be noted that the above embodiments are only for illustrating the technical solution of the present application and not for limiting the same, and although the present application has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present application may be modified or substituted without departing from the spirit and scope of the technical solution of the present application, which is intended to be covered in the scope of the claims of the present application.

Claims (10)

1. A method for realizing alarm event reporting on a vehicle-mounted firewall based on a probe mechanism, characterized by comprising the following steps:
introducing the firewall component probe package into a vehicle system, and initializing the firewall component;
obtaining a data packet on a network card, parsing the network data packet, calling the kernel system API, and searching the policy cache;
and judging the threat degree according to the data packet information and the policy hit result, generating a related event output log, and reporting to the cloud platform.
2. The method for implementing an on-vehicle firewall alarm event based on probe mechanism of claim 1, wherein said firewall component initialization comprises:
acquiring policy contents by calling the policy management component and caching them in RAM: the probe program starts along with the vehicle system and requests rules from the policy management component, the policy management component returns the rules, and the rule format is checked for legitimacy;
when the rule format check passes, the obtained rules are sent to a cache module, the rules are loaded normally after caching is finished, and the firewall component finishes initialization;
when any step of the initialization fails, a bypass mode is entered, and after entering the bypass mode the initialization flow of the probe program is restarted;
in the bypass mode the firewall component performs no policy matching, captures input but produces no output, and the system operates normally.
3. The method for implementing a vehicle-mounted firewall alarm event based on a probe mechanism according to claim 1 or 2, wherein the obtaining of the data packet on the network card comprises:
registering packet-processing logic through the netfilter framework of the Linux kernel network subsystem, and adopting self-learning detection, identification and optimization;
the parsing of the network data packet comprises obtaining the source IP, destination IP, source port, destination port and data packet protocol;
the calling of the kernel system API comprises obtaining, through a kernel system interface, the process ID of the application to which the network data packet belongs, so as to obtain the identity of the application to which the data packet belongs;
the searching of the policy cache comprises parsing and analyzing the network data packet and calling the kernel system API to determine whether the data is matched.
4. The method for implementing on-vehicle firewall alarm event based on probe mechanism according to claim 3, wherein the self-learning detection recognition optimization is expressed as:
wherein $f_k$ represents the gradient of the objective function, represents the deviation measure, represents W to $L_k$, W represents the number of identification parameters in the data packet, $L_k$ is the Cartesian space coordinate, $\Delta D$ is the difference between the calculated value and the measured value, and $J$ is the sensitivity matrix.
5. The method for implementing an alarm event on a vehicle firewall based on a probe mechanism of claim 4, wherein whether the data matches comprises:
identifying the acquired data and uploading it to the cloud platform; the cloud platform judges whether the acquired data matches information in the database and analyzes and identifies the list type; when the information matches the firewall policy whitelist, the data is released, a release record is made, and the release record is stored on the cloud platform;
when the information matches the firewall policy blacklist, data interception is performed;
and when the information is checked and no record exists, the cloud platform analyzes the number of accesses; when the information is accessed for the first time, the data is classified into a gray list and the operation of the data packet is limited.
6. The method for implementing an alarm event on a vehicle firewall based on probe mechanism of claim 5, wherein said restricting packet operations comprises:
analyzing the gray list data packet: parsing the network data packet together with the cloud platform, calling the kernel system API data for comparison, and reporting the gray list information data to the cloud platform;
if the data matches data in the blacklist, converting the gray list entry into a blacklist entry and intercepting the data;
if the data matches data in the whitelist, converting the gray list entry into a whitelist entry and releasing the data packet;
if the data matches neither the blacklist nor the whitelist, allowing temporary access while acquiring the message information of the access request, recording the transmitted data message, and carrying out feature analysis on the message; if the message feature data packet information is not associated, judging that the connection behavior is suspicious, adding the data information to the blacklist, intercepting the data, notifying the user of the suspicious behavior, and prompting the user to uninstall;
the message feature data packet information being unassociated comprises:
acquiring the gray list data packet's source IP, destination IP, source port, destination port, data packet protocol and the process identity ID information to which it belongs; comparing the source IP, destination IP, source port, destination port and data packet protocol with the record permission value in the cloud platform database; if the process identity ID information is inconsistent, judging the behavior suspicious, adding the data packet information to the blacklist, updating the data information in the cloud platform blacklist database, and intercepting the data packet;
if the compared features are judged to be normal, adding the data information to the whitelist, updating the data information in the cloud platform whitelist database, and releasing the data packet.
7. The method for implementing on-vehicle firewall alarm event based on probe mechanism according to claim 6, wherein the threat level judgment is expressed as:
$A(p_i)=\alpha(1-C_\lambda)+\beta\big(a_1(P_c C+P_i I+P_a A)+a_2\,NC+a_3(b_1 Pr+b_2 Cr+b_3 Sr)\big)$
wherein $p_i$ is the vulnerable state of the node, $C_\lambda$ is the attack complexity, $C$, $I$, $A$ are the confidentiality, integrity and availability values, $NC$ is the node association, $Pr$ and $Cr$ are the node property and node main-body criticality, $\alpha$ and $\beta$ are index weights summing to 1, $a_1$, $a_2$, $a_3$ are index weights summing to 1, $P_c$, $P_i$, $P_a$ are index weights summing to 1, and $b_1$, $b_2$, $b_3$ are index weights summing to 1;
sequencing the attack prediction results according to threat degrees, generating an unknown threat report, adding the attack characteristics of the corresponding attack prediction results into an attack knowledge base, and carrying out version upgrading on the cloud platform by operation and maintenance personnel according to the threat report.
8. A system for realizing alarm event reporting on a vehicle-mounted firewall based on a probe mechanism, characterized by comprising the following components:
a data processing module (100), a cloud platform module (200), a policy management module (300);
the data processing module (100) is a device for analyzing the data packet, and is used for obtaining the data packet on the network card, analyzing the network data packet, calling the kernel system API, searching the strategy cache and transmitting the data to the cloud platform module (200);
the cloud platform module (200) is a device for comparing data, and is used for receiving and storing the data stored by the data processing module (100), comparing the data with the data in the database, and transmitting the comparison result to the policy management module (300);
the policy management module (300) is a device for performing policy management according to the analyzed data, and is used for dividing the data into blacklist data, white list data and gray list data according to the comparison result of the cloud platform module (200), intercepting the blacklist data, performing release operation on the whitelist data, analyzing the gray list data, and managing according to the identification result after identification.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
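The white/black/gray list decision of claims 5 and 6, including the feature analysis that compares a gray-listed packet's five-tuple and owning process ID with the cloud record, as an added example that is not the patent's own code. The data structures, the in-memory stand-in for the cloud platform database and the sample packets are constructed; treating a five-tuple with no recorded process ID as inconsistent is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FiveTuple:
    """Fields the probe parses from a packet (claim 3)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

@dataclass
class CloudDB:
    """In-memory stand-in for the cloud platform database (constructed)."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    # "record permission value": the process ID the cloud has recorded as the
    # legitimate owner of connections with this five-tuple
    permitted_pid: dict = field(default_factory=dict)
    released_records: list = field(default_factory=list)
    alarms: list = field(default_factory=list)  # events reported to the cloud

class GrayListPolicy:
    def __init__(self, db):
        self.db = db
        self.gray = set()  # five-tuples seen once with no record (gray list)

    def decide(self, ft, pid):
        """Return 'release', 'intercept' or 'limit' for one packet (claim 5)."""
        db = self.db
        if ft in db.whitelist:
            db.released_records.append((ft, pid))
            return "release"
        if ft in db.blacklist:
            return "intercept"
        if ft not in self.gray:
            # first access with no record: gray list, packet operation limited
            self.gray.add(ft)
            return "limit"
        return self._analyze_gray(ft, pid)

    def _analyze_gray(self, ft, pid):
        """Feature analysis of a gray-listed connection (claim 6)."""
        db = self.db
        self.gray.discard(ft)
        expected = db.permitted_pid.get(ft)
        # assumption: no recorded PID for the five-tuple counts as inconsistent
        if expected is None or expected != pid:
            db.blacklist.add(ft)
            db.alarms.append({"event": "suspicious_behavior", "pid": pid,
                              "five_tuple": ft, "action": "intercept",
                              "user_prompt": "uninstall application"})
            return "intercept"
        db.whitelist.add(ft)
        db.released_records.append((ft, pid))
        return "release"
```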
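A worked computation of the threat degree $A(p_i)$ of claim 7, with the sum-to-1 constraints on each weight group checked and the results ranked into a threat report, as an added example that is not the patent's own code. Symbol names follow the claim; the weight values and sample nodes are constructed, and $Sr$, which the claim uses but does not define, is carried as a plain input.

```python
import math
from dataclasses import dataclass

@dataclass
class Weights:
    alpha: float   # alpha + beta = 1
    beta: float
    a: tuple       # (a1, a2, a3), sum to 1
    p: tuple       # (Pc, Pi, Pa), sum to 1
    b: tuple       # (b1, b2, b3), sum to 1

    def valid(self):
        """Each index-weight group in the claim must sum to 1."""
        groups = ((self.alpha, self.beta), self.a, self.p, self.b)
        return all(math.isclose(sum(g), 1.0, abs_tol=1e-9) for g in groups)

@dataclass
class Node:
    name: str
    C_lambda: float  # attack complexity
    C: float         # confidentiality value
    I: float         # integrity value
    A: float         # availability value
    NC: float        # node association
    Pr: float        # node property
    Cr: float        # node main-body criticality
    Sr: float        # used in the claim's formula but not defined there

def threat_degree(n, w):
    """A(p_i) = alpha*(1-C_lambda) + beta*(a1*(Pc*C+Pi*I+Pa*A) + a2*NC + a3*(b1*Pr+b2*Cr+b3*Sr))."""
    a1, a2, a3 = w.a
    pc, pi_, pa = w.p
    b1, b2, b3 = w.b
    cia = pc * n.C + pi_ * n.I + pa * n.A
    crit = b1 * n.Pr + b2 * n.Cr + b3 * n.Sr
    return w.alpha * (1 - n.C_lambda) + w.beta * (a1 * cia + a2 * n.NC + a3 * crit)

def threat_report(nodes, w):
    """Rank nodes by threat degree, highest first, into an unknown-threat report."""
    if not w.valid():
        raise ValueError("index weights must sum to 1 in each group")
    ranked = sorted(nodes, key=lambda n: threat_degree(n, w), reverse=True)
    return [{"rank": i + 1, "node": n.name, "threat": round(threat_degree(n, w), 4)}
            for i, n in enumerate(ranked)]

# constructed sample data (hypothetical node names and values)
SAMPLE_WEIGHTS = Weights(0.4, 0.6, (0.5, 0.2, 0.3), (0.4, 0.3, 0.3), (0.3, 0.3, 0.4))
SAMPLE_NODES = [
    Node("tbox-gateway", 0.2, 0.9, 0.8, 0.7, 0.5, 0.6, 0.8, 0.5),
    Node("infotainment", 0.8, 0.3, 0.3, 0.3, 0.1, 0.2, 0.2, 0.2),
]

if __name__ == "__main__":
    for row in threat_report(SAMPLE_NODES, SAMPLE_WEIGHTS):
        print(row)
```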
CN202310299144.0A 2023-03-24 2023-03-24 Method and system for realizing alarm event reporting on vehicle-mounted fireproof wall based on probe mechanism Pending CN116599688A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310299144.0A CN116599688A (en) 2023-03-24 2023-03-24 Method and system for realizing alarm event reporting on vehicle-mounted fireproof wall based on probe mechanism

Publications (1)

Publication Number Publication Date
CN116599688A true CN116599688A (en) 2023-08-15

Family

ID=87605047

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310299144.0A Pending CN116599688A (en) 2023-03-24 2023-03-24 Method and system for realizing alarm event reporting on vehicle-mounted fireproof wall based on probe mechanism

Country Status (1)

Country Link
CN (1) CN116599688A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118247715A (en) * 2024-05-21 2024-06-25 深圳市瀚晖威视科技有限公司 Streaming media disk storage method based on real-time video monitoring

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination