CN117040865A - SecOC communication security event processing method and device and electronic control unit

Publication number: CN117040865A
Application number: CN202311044567.4A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 刘林
Current Assignee: Human Horizons Shanghai Internet Technology Co Ltd
Original Assignee: Human Horizons Shanghai Internet Technology Co Ltd
Legal status: Pending
Prior art keywords: event, secoc, security event, uploading, log

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The invention discloses a SecOC communication security event processing method, a SecOC communication security event processing device and an electronic control unit. The method comprises the following steps: when triggering of a SecOC communication security event is detected, acquiring event information of the SecOC communication security event based on a preset security event information table; generating an event log according to the event information, and uploading the event log to a preset security event monitoring backend according to a preset log uploading rule. Because the event information is acquired from the security event information table, the event log is generated, and the log is uploaded to the security event monitoring backend when a SecOC communication security event is detected, SecOC communication security events can be monitored and warned of in time.

Description

SecOC communication security event processing method and device and electronic control unit
Technical Field
The invention relates to the technical field of vehicles, and in particular to a SecOC communication security event processing method and device and an electronic control unit.
Background
With the continuous development of the automobile industry, users' security requirements for vehicle information keep increasing, so in-vehicle network communication is now generally configured with a security protection mechanism, and SecOC is one such mechanism. Security events caused by external attacks or system software errors can occur during SecOC-based in-vehicle network communication, but the prior art lacks a processing strategy for SecOC communication security events, so these events cannot be monitored and warned of in time.
Disclosure of Invention
The invention provides a SecOC communication security event processing method, a SecOC communication security event processing device and an electronic control unit. When triggering of a SecOC communication security event is detected, event information is acquired based on a security event information table and an event log is generated; by uploading the event log to a security event monitoring backend, SecOC communication security events can be monitored and warned of in time.
To solve the above technical problem, a first aspect of the embodiments of the present invention provides a SecOC communication security event processing method, including the following steps:
when triggering of a SecOC communication security event is detected, acquiring event information of the SecOC communication security event based on a preset security event information table;
generating an event log according to the event information, and uploading the event log to a preset security event monitoring backend according to a preset log uploading rule.
As a preferred solution, uploading the event log to the preset security event monitoring backend according to the preset log uploading rule specifically includes the following steps:
acquiring the current consecutive log upload count of the SecOC communication security event, and judging whether the consecutive log upload count is smaller than a preset upload count threshold;
when the consecutive log upload count is smaller than the preset upload count threshold, uploading the event log to the security event monitoring backend;
when the consecutive log upload count is not smaller than the preset upload count threshold, not uploading the event log to the security event monitoring backend.
Preferably, acquiring the event information of the SecOC communication security event based on the preset security event information table specifically includes the following steps:
determining, from the security event information table, a target security event that matches the SecOC communication security event;
determining the security event code of the SecOC communication security event according to the preset event code corresponding to the target security event in the security event information table;
when the security event information table contains an additional information uploading requirement corresponding to the target security event, acquiring additional uploading information from the event triggering module corresponding to the SecOC communication security event according to that requirement;
acquiring from the event triggering module the latest synchronization freshness value at the time the SecOC communication security event was triggered.
Preferably, generating the event log according to the event information specifically includes the following steps:
when the event information includes the additional uploading information, generating the event log according to the security event code of the SecOC communication security event, the additional uploading information, the latest synchronization freshness value and the trigger count;
when the event information does not include the additional uploading information, generating the event log according to the security event code, the latest synchronization freshness value and the trigger count of the SecOC communication security event.
Preferably, acquiring the event information of the SecOC communication security event based on the preset security event information table further includes the following step:
determining the security event repair code of the SecOC communication security event according to the preset event repair code corresponding to the target security event in the security event information table.
Preferably, the method further comprises the following steps:
acquiring the current consecutive repair count of the SecOC communication security event;
uploading the security event repair code of the SecOC communication security event to the security event monitoring backend when the consecutive log upload count is not smaller than the preset upload count threshold and the consecutive repair count reaches the preset repair count threshold.
Preferably, the security event code includes a first identification bit characterizing the SecOC communication security event and a second identification bit characterizing the security event type to which the SecOC communication security event belongs;
the security event repair code includes a third identification bit characterizing the SecOC communication security event and a fourth identification bit characterizing the security event type to which the SecOC communication security event belongs.
As a preferred solution, the additional uploading information includes, but is not limited to, an encrypted message that failed SecOC verification, a synchronization message that failed SecOC verification, the CAN bus ID corresponding to the encrypted message that failed SecOC verification, and the CAN bus ID corresponding to the synchronization message that failed SecOC verification; the synchronization message is a message carrying the synchronization freshness value currently to be updated.
As a preferred solution, uploading the event log to the preset security event monitoring backend specifically includes the following steps:
uploading the event log to a preset networking module;
uploading the event log to the security event monitoring backend through the networking module.
Preferably, uploading the event log to the security event monitoring backend through the networking module further includes the following step:
uploading the event log, the vehicle VIN code, the device information of the ECU that triggered the SecOC communication security event, and the vehicle state information to the security event monitoring backend through the networking module.
A second aspect of the embodiments of the present invention provides a SecOC communication security event processing device, including:
an event information acquisition module, configured to acquire event information of a SecOC communication security event based on a preset security event information table when triggering of the SecOC communication security event is detected;
an event log uploading module, configured to generate an event log according to the event information and upload the event log to a preset security event monitoring backend according to a preset log uploading rule.
A third aspect of the embodiments of the present invention provides an electronic control unit configured to perform the SecOC communication security event processing method according to any one of the implementations of the first aspect.
Compared with the prior art, when triggering of a SecOC communication security event is detected, the embodiments acquire event information based on the security event information table, generate an event log, and upload the event log to the security event monitoring backend, so that SecOC communication security events can be monitored and warned of in time.
Drawings
FIG. 1 is a flow chart of a SecOC communication security event processing method in an embodiment of the present invention;
FIG. 2 is a diagram of a SecOC-based network communication architecture for each ECU in an embodiment of the present invention;
FIG. 3 is a schematic diagram of a SecOC-based message sending and receiving process in an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a SecOC communication security event processing device in an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the present invention. All other embodiments that those skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the invention.
Referring to FIG. 1, a first aspect of the embodiments of the present invention provides a SecOC communication security event processing method, which includes steps S1 to S2 as follows:
Step S1: when triggering of a SecOC communication security event is detected, acquiring event information of the SecOC communication security event based on a preset security event information table;
Step S2: generating an event log according to the event information, and uploading the event log to a preset security event monitoring backend according to a preset log uploading rule.
It should be noted that the embodiment of the present invention applies to SecOC-based network communication within a vehicle. As shown in FIG. 2, for example, a master ECU communicates with 3 slave ECUs; because the communication between the 4 ECUs has a security requirement, namely that the exchanged messages must not be replayed or tampered with, a SecOC security protection mechanism is configured.
The SecOC-based message sending and receiving process is shown in FIG. 3. When any ECU needs to send a message, it calls the SecOC module, which uses an encryption algorithm such as AES128 together with the current latest synchronization freshness value to generate an encrypted message and sends it to the target ECU. When the target ECU receives the encrypted message, it calls the SecOC module to verify it: the SecOC module judges whether the encrypted message has been tampered with according to whether the MAC value of the received encrypted message has changed. If the MAC value has not changed, the encrypted message is judged not to have been tampered with; if the MAC value has changed, the encrypted message is judged to have been tampered with.
To prevent the exchanged messages from being replayed, the master ECU periodically sends the slave ECUs a synchronization message carrying the synchronization freshness value to be updated, so that the synchronization freshness value is updated synchronously. In general, the data length of the synchronization freshness value increases every time a message is transmitted, so the data length of the synchronization freshness value in the currently received encrypted message is compared with the data length of the synchronization freshness value in the previously received encrypted message; if the former is less than or equal to the latter, the encrypted message has been replayed.
In the foregoing SecOC-based network communication process, SecOC communication security events may occur because of external attacks or system software errors, including, but not limited to, the following: verification of an encrypted message cannot be completed because of a system software error; a received encrypted message fails verification; a valid freshness value cannot be constructed from a received encrypted message; a valid freshness value cannot be constructed while generating an encrypted message; an encrypted message cannot be generated because of a system software error; verification of a synchronization message cannot be completed because of a system software error; a received synchronization message fails verification; the synchronization counter fails to read or write the NVM (non-volatile memory); reading the communication key fails; the master communication node fails to acquire the synchronization message; a slave communication node cannot update the synchronization freshness value according to the synchronization message; a slave communication node times out while receiving the synchronization message; and so on.
In step S1, when triggering of a SecOC communication security event is detected, event information of the SecOC communication security event is acquired based on a preset security event information table. The security event information table stores the security events that may be triggered during SecOC communication, together with the event information corresponding to each security event.
In step S2, an event log is generated according to the acquired event information and uploaded to the security event monitoring backend according to a preset log uploading rule. A risk early-warning rule is preset in the security event monitoring backend, so that the backend can evaluate the risk level from the received event log and notify a security administrator to take further repair measures, which achieves timely monitoring and early warning of SecOC communication security events.
As a preferred solution, uploading the event log to the preset security event monitoring backend according to the preset log uploading rule specifically includes the following steps:
acquiring the current consecutive log upload count of the SecOC communication security event, and judging whether the consecutive log upload count is smaller than a preset upload count threshold;
when the consecutive log upload count is smaller than the preset upload count threshold, uploading the event log to the security event monitoring backend;
when the consecutive log upload count is not smaller than the preset upload count threshold, not uploading the event log to the security event monitoring backend.
It should be noted that if a system software error or an external attack occurs during SecOC communication, the same SecOC communication security event may be triggered continuously for a period of time. If an event log were uploaded on every trigger, the upload data could overload, so this embodiment proposes a log uploading rule that avoids upload data overload.
First, the current consecutive log upload count of the SecOC communication security event is acquired. In this embodiment, the consecutive log upload count of each SecOC communication security event may be counted in real time within a preset time period: within this period, each time the event log of a given SecOC communication security event is uploaded, the corresponding consecutive log upload count is incremented by 1. It is then judged whether the consecutive log upload count is smaller than the preset upload count threshold. To avoid the upload data overload caused by uploading the event log of the same SecOC communication security event too many times, the preset upload count threshold may be, for example, 3, 4 or 5; the embodiment of the present invention does not specifically limit it.
Further, when the consecutive log upload count is smaller than the preset upload count threshold, continuing to upload the event log of the SecOC communication security event will not overload the upload data, so the event log continues to be uploaded to the security event monitoring backend to ensure that the event is monitored and warned of. When the consecutive log upload count is not smaller than the preset upload count threshold, the event log of the current SecOC communication security event has been uploaded too many times, so to avoid upload data overload the event log is no longer uploaded to the security event monitoring backend. Note that the preset upload count threshold limits only the consecutive log upload count of a single SecOC communication security event: if the consecutive log upload count of one SecOC communication security event is too high while that of another is still smaller than the preset upload count threshold, the event logs of the other event must still be uploaded.
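The upload rule above, sketched in C as an added example (not code from the patent): every security event has its own counter within the preset period, so a burst of one event is capped while other events still upload. The threshold of 3, the 60-second period, the slot table, the running trigger total, the event codes and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: the text names 3, 4 and 5 as example thresholds and says
 * only that the counting period is "preset". */
#define UPLOAD_THRESHOLD 3u
#define WINDOW_MS        60000u
#define MAX_EVENTS       8u

typedef struct {
    bool     used;
    uint16_t event_code;   /* one counter set per SecOC security event */
    uint32_t window_start; /* tick (ms) at which the current period began */
    uint32_t uploads;      /* consecutive log uploads in this period */
    uint32_t triggers;     /* assumption: running total, carried in the log */
} throttle_slot_t;

static throttle_slot_t g_slots[MAX_EVENTS];

void throttle_reset(void) { memset(g_slots, 0, sizeof g_slots); }

/* Find the slot for an event code, or claim a free one. */
static throttle_slot_t *slot_for(uint16_t code, uint32_t now_ms)
{
    throttle_slot_t *free_slot = NULL;
    for (size_t i = 0; i < MAX_EVENTS; i++) {
        if (g_slots[i].used && g_slots[i].event_code == code)
            return &g_slots[i];
        if (!g_slots[i].used && free_slot == NULL)
            free_slot = &g_slots[i];
    }
    if (free_slot != NULL) {
        memset(free_slot, 0, sizeof *free_slot);
        free_slot->used = true;
        free_slot->event_code = code;
        free_slot->window_start = now_ms;
    }
    return free_slot;
}

/* Called on every trigger. Returns true when the event log must be uploaded. */
bool throttle_on_trigger(uint16_t code, uint32_t now_ms)
{
    throttle_slot_t *s = slot_for(code, now_ms);
    if (s == NULL)
        return true; /* table full: report rather than lose the event */

    /* Unsigned subtraction stays correct across tick wrap-around. */
    if ((uint32_t)(now_ms - s->window_start) >= WINDOW_MS) {
        s->window_start = now_ms;
        s->uploads = 0;
    }
    s->triggers++;          /* suppressed triggers are still counted */
    if (s->uploads < UPLOAD_THRESHOLD) {
        s->uploads++;       /* each upload adds 1 to the counter */
        return true;
    }
    return false;           /* threshold reached: stop uploading this event */
}

/* Running trigger total for an event (0 if it was never seen). */
uint32_t throttle_trigger_count(uint16_t code)
{
    for (size_t i = 0; i < MAX_EVENTS; i++)
        if (g_slots[i].used && g_slots[i].event_code == code)
            return g_slots[i].triggers;
    return 0;
}

/* Fire n triggers spaced step_ms apart and count how many logs go out. */
size_t simulate_burst(uint16_t code, uint32_t start_ms, uint32_t step_ms, size_t n)
{
    size_t sent = 0;
    for (size_t i = 0; i < n; i++)
        if (throttle_on_trigger(code, start_ms + (uint32_t)i * step_ms))
            sent++;
    return sent;
}

int main(void)
{
    /* Constructed event codes, not values from the patent's Table 2. */
    printf("0x01 burst: %zu of 10 uploaded\n", simulate_burst(0x01, 0, 10, 10));
    printf("0x02 burst: %zu of 2 uploaded\n", simulate_burst(0x02, 50, 10, 2));
    printf("0x01 next period: %zu of 10 uploaded\n",
           simulate_burst(0x01, WINDOW_MS, 10, 10));
    printf("0x01 trigger total: %u\n", (unsigned)throttle_trigger_count(0x01));
    return 0;
}
```

Because suppressed triggers still increment the trigger total, the next uploaded log can report how often the event fired while uploads were capped.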
Preferably, acquiring the event information of the SecOC communication security event based on the preset security event information table specifically includes the following steps:
determining, from the security event information table, a target security event that matches the SecOC communication security event;
determining the security event code of the SecOC communication security event according to the preset event code corresponding to the target security event in the security event information table;
when the security event information table contains an additional information uploading requirement corresponding to the target security event, acquiring additional uploading information from the event triggering module corresponding to the SecOC communication security event according to that requirement;
acquiring from the event triggering module the latest synchronization freshness value at the time the SecOC communication security event was triggered.
Specifically, since several security events are stored in the security event information table, a target security event that matches the SecOC communication security event is determined from the table; that is, the target security event and the SecOC communication security event are the same security event.
Further, each security event stored in the security event information table is configured with a preset event code, and each preset event code corresponds to one security event. The preset event code may be, but is not limited to, a binary, octal or hexadecimal code; the embodiment of the present invention does not limit this. The preset event code corresponding to the target security event in the security event information table is used as the security event code of the corresponding SecOC communication security event.
Further, some security events have an additional information uploading requirement; the additional uploading information helps a security administrator analyze why the security event was triggered. Therefore, when the security event information table contains an additional information uploading requirement corresponding to the target security event, the additional uploading information is acquired from the event triggering module corresponding to the SecOC communication security event according to that requirement. The event triggering module here is the module in the communication device that triggered the SecOC communication security event; taking the ECU in FIG. 2 as an example, it may be the SecOC module or another module in the ECU.
Further, the latest synchronization freshness value at the time the SecOC communication security event was triggered is acquired from the event triggering module. As an optional embodiment, data is exchanged with the event triggering module through a pre-developed API interface.
Preferably, generating the event log according to the event information specifically includes the following steps:
when the event information includes the additional uploading information, generating the event log according to the security event code of the SecOC communication security event, the additional uploading information, the latest synchronization freshness value and the trigger count;
when the event information does not include the additional uploading information, generating the event log according to the security event code, the latest synchronization freshness value and the trigger count of the SecOC communication security event.
Specifically, when the event information includes additional uploading information, the event log is packaged in a preset event log format from the security event code of the SecOC communication security event, the additional uploading information, the latest synchronization freshness value and the trigger count; when the event information does not include additional uploading information, the event log is packaged in the preset event log format from only the security event code, the latest synchronization freshness value and the trigger count of the SecOC communication security event. Illustratively, the preset event log format is shown in Table 1 below.
Table 1 event log format
Preferably, acquiring the event information of the SecOC communication security event based on the preset security event information table further includes the following step:
determining the security event repair code of the SecOC communication security event according to the preset event repair code corresponding to the target security event in the security event information table.
It should be noted that each security event stored in the security event information table is configured with a preset event repair code, which indicates that the corresponding security event has been repaired, and each preset event repair code corresponds to one security event. The preset event repair code may be, but is not limited to, a binary, octal or hexadecimal code; the embodiments of the present invention do not limit this. Preferably, the preset event repair code and the preset event code are the same type of code.
Preferably, the method further comprises the following steps:
acquiring the current consecutive repair count of the SecOC communication security event;
uploading the security event repair code of the SecOC communication security event to the security event monitoring backend when the consecutive log upload count is not smaller than the preset upload count threshold and the consecutive repair count reaches the preset repair count threshold.
Specifically, each SecOC communication security event has a corresponding operation. For example, for the event in which verification of an encrypted message cannot be completed because of a system software error, the corresponding operation is verifying the encrypted message. The SecOC communication security event is repaired when the verification can be completed successfully while verifying the encrypted message.
As an optional embodiment, data is exchanged with the event triggering module through a pre-developed API interface; when the event triggering module detects that the SecOC communication security event has been repaired, it passes this information through the API interface, so that the repair of the SecOC communication security event can be detected.
As mentioned above, if a system software error or an external attack occurs during SecOC communication, the same SecOC communication security event may be triggered continuously for a period of time, and its event log may also be uploaded continuously for a period of time. The security administrator then takes several consecutive repair measures in response to those event logs, so that the SecOC communication security event is repaired several times in succession within that period. To feed back and record the repair status of the SecOC communication security event, this embodiment first acquires the current consecutive repair count of the event; when the consecutive log upload count is not smaller than the preset upload count threshold and the consecutive repair count reaches the preset repair count threshold, the security event repair code of the SecOC communication security event is uploaded to the security event monitoring backend to record the repair status.
In addition, when a system software error or an external attack occurs, the security event repair code does not need to be uploaded while the consecutive log upload count has not reached the preset upload count threshold; during this period, the number of uploaded event logs represents the number of times the corresponding SecOC communication security event was triggered. After the consecutive log upload count reaches the preset upload count threshold, the security event repair code is uploaded, so that the time over which the SecOC communication security event kept occurring can still be determined without uploading every event log. Preferably, the preset repair count threshold is equal to the preset upload count threshold.
Preferably, the security event code includes a first identification bit for characterizing the SecOC communication security event and a second identification bit for characterizing a security event type corresponding to the SecOC communication security event;
the security event repair code includes a third identification bit for characterizing the SecOC communication security event and a fourth identification bit for characterizing a security event type corresponding to the SecOC communication security event.
It should be noted that, in the embodiment of the present invention, a plurality of security events that may be triggered in the SecOC communication process are classified in advance, and are represented by an identification bit in the security event code and the security event repair code, so that management and processing of the SecOC communication security event are facilitated.
In this embodiment, the security event code includes a first identification bit for characterizing a SecOC communication security event and a second identification bit for characterizing the security event type corresponding to the SecOC communication security event. Different SecOC communication security events of the same security event type have security event codes with the same second identification bit but different first identification bits, so that each SecOC communication security event can be distinguished and the SecOC communication security events can be classified.
Similarly, the security event repair code includes a third identification bit for characterizing the SecOC communication security event and a fourth identification bit for characterizing the security event type corresponding to the SecOC communication security event. Different SecOC communication security events of the same security event type have security event repair codes with the same fourth identification bit but different third identification bits.
As a preferred embodiment, the security event code and the security event repair code are hexadecimal codes. The highest bit of the security event code is 0, and setting the highest bit of the security event code to 1 forms the security event repair code corresponding to that security event code, as shown in Table 2 below.
Table 2 security event information table
As a preferred scheme, the additional uploading information includes, but is not limited to, the encrypted message that failed the SecOC check, the synchronization message that failed the SecOC check, the CAN bus ID identifier corresponding to the encrypted message that failed the SecOC check, and the CAN bus ID identifier corresponding to the synchronization message that failed the SecOC check; the synchronization message is a message carrying the synchronization freshness value currently to be updated.
It should be noted that additionally uploading the encrypted message and the synchronization message that failed the SecOC check, together with the corresponding CAN bus ID identifiers, helps the security administrator analyze what triggered the security event and take targeted repair measures.
As a preferred solution, the uploading the event log to a preset security event monitoring background specifically includes the following steps:
uploading the event log to a preset networking module;
and uploading the event log to the security event monitoring background through the networking module.
It should be noted that, in the embodiment of the invention, the networking module collects all uploaded event logs in one place and uploads the collected event logs to the security event monitoring background together, so that each communication device does not need its own networking function.
Preferably, the uploading the event log to the security event monitoring background through the networking module specifically further includes the following steps:
and uploading the event log, the vehicle VIN code, the device information of the ECU triggering the SecOC communication security event and the vehicle state information to the security event monitoring background through the networking module.
Specifically, in order to better monitor, repair and give early warning of the SecOC communication security event, the present embodiment uploads the event log, the vehicle VIN code, the device information of the ECU triggering the SecOC communication security event and the vehicle state information to the security event monitoring background through the networking module. The vehicle state information includes, but is not limited to, the vehicle speed, whether there is a person in the vehicle, and the unlock status.
According to the SecOC communication security event processing method provided by the embodiment of the invention, when the SecOC communication security event trigger is detected, the event information is acquired based on the security event information table and the event log is generated, and the event log is uploaded to the security event monitoring background, so that the SecOC communication security event can be monitored and early-warned in time.
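The log upload rule and the repair-code convention described above can be sketched as a small per-event state machine. This is an added example, not code from the patent: the 16-bit code width, the placement of the type and event identification bits, the threshold value of 3 and the counter resets are assumptions, because Table 2 and the reset behaviour are not given here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not from the patent): 16-bit codes, type in bits 14..8,
 * event in bits 7..0, thresholds of 3. From the page: highest bit 0 = event
 * code, highest bit 1 = repair code, thresholds preferably equal. */
#define REPAIR_FLAG      0x8000u
#define UPLOAD_THRESHOLD 3u
#define REPAIR_THRESHOLD 3u

typedef enum { ACT_NONE, ACT_UPLOAD_LOG, ACT_UPLOAD_REPAIR } action_t;

typedef struct {
    uint16_t event_code;          /* highest bit clear */
    uint32_t trigger_count;       /* triggering times, carried in each log */
    uint32_t consecutive_uploads; /* continuous uploading times of the log */
    uint32_t consecutive_repairs; /* continuous repairing times */
} secoc_event_t;

static uint16_t make_event_code(uint8_t type, uint8_t event) {
    return (uint16_t)(((uint16_t)(type & 0x7Fu) << 8) | event);
}
static uint16_t repair_code_for(uint16_t event_code) {
    return (uint16_t)(event_code | REPAIR_FLAG);
}
static bool is_repair_code(uint16_t code) { return (code & REPAIR_FLAG) != 0; }

/* Event triggered: upload the log only while below the upload threshold. */
static action_t on_trigger(secoc_event_t *e, uint16_t *code) {
    e->trigger_count++;
    e->consecutive_repairs = 0;   /* assumed: a trigger breaks the repair streak */
    if (e->consecutive_uploads < UPLOAD_THRESHOLD) {
        e->consecutive_uploads++;
        *code = e->event_code;
        return ACT_UPLOAD_LOG;
    }
    return ACT_NONE;              /* suppressed: threshold already reached */
}

/* Event repaired: the repair code goes out only if logs were being suppressed. */
static action_t on_repair(secoc_event_t *e, uint16_t *code) {
    if (++e->consecutive_repairs < REPAIR_THRESHOLD) return ACT_NONE;
    bool suppressed = e->consecutive_uploads >= UPLOAD_THRESHOLD;
    e->consecutive_uploads = 0;   /* assumed: streak over, re-arm log uploads */
    e->consecutive_repairs = 0;
    if (!suppressed) return ACT_NONE;
    *code = repair_code_for(e->event_code);
    return ACT_UPLOAD_REPAIR;
}

/* Replay a constructed sequence ('T' = trigger, 'R' = repair) and classify
 * each upload by its highest bit, as a monitoring background could. */
typedef struct { unsigned logs, repairs; uint16_t last_code; } tally_t;

static tally_t replay(secoc_event_t *e, const char *seq) {
    tally_t t = {0, 0, 0};
    for (; *seq; seq++) {
        uint16_t code = 0;
        action_t a = (*seq == 'T') ? on_trigger(e, &code) : on_repair(e, &code);
        if (a == ACT_NONE) continue;
        t.last_code = code;
        if (is_repair_code(code)) t.repairs++; else t.logs++;
    }
    return t;
}

int main(void) {
    secoc_event_t e = { make_event_code(0x01, 0x02), 0, 0, 0 };
    tally_t t = replay(&e, "TTTTTTRRR");  /* constructed input */
    printf("logs=%u repairs=%u last=0x%04X triggers=%u\n",
           t.logs, t.repairs, (unsigned)t.last_code, (unsigned)e.trigger_count);
    return 0;
}
```

With six triggers followed by three repairs, only the first three logs leave the ECU, and the single repair code marks the end of the burst for the monitoring background.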
Referring to fig. 4, a second aspect of the embodiment of the present invention provides a SecOC communication security event processing apparatus, including:
the event information obtaining module 401 is configured to obtain event information of a SecOC communication security event based on a preset security event information table when a SecOC communication security event trigger is detected;
the event log uploading module 402 is configured to generate an event log according to the event information, and upload the event log to a preset security event monitoring background according to a preset log uploading rule.
As a preferred solution, the event log uploading module 402 is configured to upload the event log to a preset security event monitoring background according to a preset log uploading rule, and specifically includes:
acquiring the continuous uploading times of the current log of the SecOC communication security event, and judging whether the continuous uploading times of the log are smaller than a preset uploading times threshold value or not;
when the continuous uploading times of the log are smaller than the preset uploading times threshold, uploading the event log to the security event monitoring background;
and when the continuous uploading times of the log are not less than the preset uploading times threshold, not uploading the event log to the security event monitoring background.
As a preferred solution, the event information obtaining module 401 is configured to obtain, based on a preset security event information table, event information of the SecOC communication security event, and specifically includes:
determining a target security event matching the SecOC communication security event from the security event information table based on the security event information table;
determining the security event code of the SecOC communication security event according to the preset event code corresponding to the target security event in the security event information table;
when the additional information uploading requirement corresponding to the target security event exists in the security event information table, acquiring additional uploading information from an event triggering module corresponding to the SecOC communication security event according to the additional information uploading requirement;
and acquiring, from the event triggering module, the latest synchronization freshness value at the time the SecOC communication security event was triggered.
Preferably, the event log uploading module 402 is configured to generate an event log according to the event information, and specifically includes:
when the event information comprises the additional uploading information, generating the event log according to the security event code of the SecOC communication security event, the additional uploading information, the latest synchronization freshness value and the triggering times;
and when the event information does not comprise the additional uploading information, generating the event log according to the security event code, the latest synchronization freshness value and the triggering times of the SecOC communication security event.
Preferably, the event information obtaining module 401 is configured to obtain event information of the SecOC communication security event based on a preset security event information table, and further includes:
and determining the security event repair code of the SecOC communication security event according to the preset event repair code corresponding to the target security event in the security event information table.
Preferably, the event log uploading module 402 is further configured to:
acquiring the continuous repairing times of the current SecOC communication security event;
and uploading the security event repair code of the SecOC communication security event to the security event monitoring background when the continuous uploading times of the log are not less than the preset uploading times threshold and the continuous repairing times reach the preset repairing times threshold.
Preferably, the security event code includes a first identification bit for characterizing the SecOC communication security event and a second identification bit for characterizing a security event type corresponding to the SecOC communication security event;
the security event repair code includes a third identification bit for characterizing the SecOC communication security event and a fourth identification bit for characterizing a security event type corresponding to the SecOC communication security event.
As a preferred scheme, the additional uploading information includes, but is not limited to, the encrypted message that failed the SecOC check, the synchronization message that failed the SecOC check, the CAN bus ID identifier corresponding to the encrypted message that failed the SecOC check, and the CAN bus ID identifier corresponding to the synchronization message that failed the SecOC check; the synchronization message is a message carrying the synchronization freshness value currently to be updated.
Preferably, the event log uploading module 402 is configured to upload the event log to a preset security event monitoring background, and specifically includes:
uploading the event log to a preset networking module;
and uploading the event log to the security event monitoring background through the networking module.
Preferably, the event log uploading module 402 is configured to upload the event log to the security event monitoring background through the networking module, and specifically further includes:
and uploading the event log, the vehicle VIN code, the device information of the ECU triggering the SecOC communication security event and the vehicle state information to the security event monitoring background through the networking module.
It should be noted that, the SecOC communication security event processing apparatus provided by the embodiment of the present invention can implement all the flows of the SecOC communication security event processing method described in any one of the embodiments, and the functions and the implemented technical effects of each module in the apparatus are respectively the same as those of the SecOC communication security event processing method described in the foregoing embodiment, and are not described herein again.
A third aspect of the embodiments of the present invention provides an electronic control unit, where the electronic control unit is configured to perform the SecOC communication security event processing method according to any of the embodiments of the first aspect.
In summary, the method, the device and the electronic control unit for processing the SecOC communication security event provided by the embodiments of the present invention can obtain the event information and generate the event log based on the security event information table when the triggering of the SecOC communication security event is detected, and can realize timely monitoring and early warning of the SecOC communication security event by uploading the event log to the security event monitoring background.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that changes and modifications may be made without departing from the principles of the invention, and such changes and modifications are also intended to be within the scope of the invention.

Claims (12)

1. A method for processing a SecOC communication security event, comprising the steps of:
when a SecOC communication security event trigger is detected, acquiring event information of the SecOC communication security event based on a preset security event information table;
generating an event log according to the event information, and uploading the event log to a preset security event monitoring background according to a preset log uploading rule.
2. The method for processing a SecOC communication security event according to claim 1, wherein the uploading the event log to a preset security event monitoring background according to a preset log uploading rule comprises the following steps:
acquiring the continuous uploading times of the current log of the SecOC communication security event, and judging whether the continuous uploading times of the log are smaller than a preset uploading times threshold value or not;
when the continuous uploading times of the log are smaller than the preset uploading times threshold, uploading the event log to the security event monitoring background;
and when the continuous uploading times of the log are not less than the preset uploading times threshold, not uploading the event log to the security event monitoring background.
3. The method for processing the SecOC communication security event according to claim 2, wherein the acquiring the event information of the SecOC communication security event based on the preset security event information table comprises the following steps:
determining a target security event matching the SecOC communication security event from the security event information table based on the security event information table;
determining the security event code of the SecOC communication security event according to the preset event code corresponding to the target security event in the security event information table;
when the additional information uploading requirement corresponding to the target security event exists in the security event information table, acquiring additional uploading information from an event triggering module corresponding to the SecOC communication security event according to the additional information uploading requirement;
and acquiring, from the event triggering module, the latest synchronization freshness value at the time the SecOC communication security event was triggered.
4. The SecOC communication security event processing method of claim 3, wherein the generating an event log from the event information comprises the steps of:
when the event information comprises the additional uploading information, generating the event log according to the security event code of the SecOC communication security event, the additional uploading information, the latest synchronization freshness value and the triggering times;
and when the event information does not comprise the additional uploading information, generating the event log according to the security event code, the latest synchronization freshness value and the triggering times of the SecOC communication security event.
5. The SecOC communication security event processing method of claim 3, wherein the acquiring the event information of the SecOC communication security event based on a preset security event information table further comprises the steps of:
and determining the security event repair code of the SecOC communication security event according to the preset event repair code corresponding to the target security event in the security event information table.
6. The SecOC communication security event processing method of claim 5, further comprising the steps of:
acquiring the continuous repairing times of the current SecOC communication security event;
and uploading the security event repair code of the SecOC communication security event to the security event monitoring background when the continuous uploading times of the log are not less than the preset uploading times threshold and the continuous repairing times reach the preset repairing times threshold.
7. The SecOC communication security event processing method of claim 5 wherein the security event code comprises a first identification bit for characterizing the SecOC communication security event and a second identification bit for characterizing the security event type to which the SecOC communication security event corresponds;
the security event repair code includes a third identification bit for characterizing the SecOC communication security event and a fourth identification bit for characterizing a security event type corresponding to the SecOC communication security event.
8. The SecOC communication security event processing method of claim 3, wherein the additional upload information includes, but is not limited to, an encrypted message that fails the SecOC check, a synchronization message that fails the SecOC check, a CAN bus ID identifier corresponding to the encrypted message that fails the SecOC check, and a CAN bus ID identifier corresponding to the synchronization message that fails the SecOC check; the synchronization message is a message carrying the synchronization freshness value currently to be updated.
9. The SecOC communication security event processing method according to any one of claims 1 to 8, wherein the uploading the event log to a preset security event monitoring background comprises the following steps:
uploading the event log to a preset networking module;
and uploading the event log to the security event monitoring background through the networking module.
10. The SecOC communication security event processing method of claim 9, wherein the uploading the event log to the security event monitoring background via the networking module further comprises:
and uploading the event log, the vehicle VIN code, the device information of the ECU triggering the SecOC communication security event and the vehicle state information to the security event monitoring background through the networking module.
11. A SecOC communication security event processing apparatus, comprising:
the event information acquisition module is used for acquiring event information of the SecOC communication security event based on a preset security event information table when the SecOC communication security event trigger is detected;
and the event log uploading module is used for generating an event log according to the event information and uploading the event log to a preset security event monitoring background according to a preset log uploading rule.
12. An electronic control unit, characterized in that it is configured to perform the SecOC communication security event processing method according to any one of claims 1 to 10.
CN202311044567.4A 2023-08-17 2023-08-17 SecOC communication security event processing method and device and electronic control unit Pending CN117040865A (en)


Publications (1)

Publication Number Publication Date
CN117040865A true CN117040865A (en) 2023-11-10

Family

ID=88626152


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination