CN117439785A - Safety evidence obtaining method and system for vehicle end intrusion - Google Patents

Publication number
CN117439785A
Authority
CN
China
Prior art keywords
intrusion
event
attack
security
vehicle
Prior art date
Legal status
Pending
Application number
CN202311425855.4A
Other languages
Chinese (zh)
Inventor
郑达
Current Assignee
Zero Beam Technology Co ltd
Original Assignee
Zero Beam Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Zero Beam Technology Co ltd
Priority to CN202311425855.4A
Publication of CN117439785A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention discloses a security forensics method and system for vehicle-end intrusion. The method comprises: obtaining the security alarm events detected by the vehicle-end intrusion detection systems of a plurality of vehicles and uploading the attack vectors of the security alarm events to a cloud; the cloud qualitatively determining, from the attack vector, that a security alarm event is an intrusion event and then determining whether that intrusion event is a target intrusion event; and, if it is a target intrusion event, initiating security forensics towards the vehicle end and, once the vehicle owner's authorization has been obtained, monitoring and collecting the intrusion attack evidence retained on the vehicle end. The invention can thus initiate security forensics towards the vehicle end and, with the owner's authorization, monitor and collect the intrusion attack evidence retained there. This increases the analyzability of intrusion events, which helps security operators to formulate a comprehensive security incident handling scheme and protects the lives and property of the people inside and outside the vehicle.

Description

Safety evidence obtaining method and system for vehicle end intrusion
Technical Field
The invention relates to the field of intelligent automobiles, in particular to a security forensics method and system for vehicle-end intrusion.
Background
Currently, the most widely applied intrusion detection systems are network intrusion detection and host intrusion detection. In-vehicle network intrusion detection is divided into CAN intrusion detection systems and Ethernet intrusion detection systems. These intrusion detection systems typically only report an alarm event upon detecting an intrusion, so the security operator is unable to perform any further analysis and verification of the attack event.
After the alarm event reported by the vehicle end has been analyzed by the cloud end, if the attack event is to be analyzed and verified further, the relevant vehicle has to be found and contacted for forensic analysis, or the vehicle has to be logged into remotely for forensic analysis. However, for a user vehicle that has already been sold, the chance of physically reaching the attacked vehicle is low. Remote login to an attacked vehicle also faces legal and regulatory constraints, and a remote-login back door is itself a security concern.
Disclosure of Invention
Aiming at these technical problems, the invention provides a security forensics method and system for vehicle-end intrusion, which increase the analyzability of intrusion events and enhance the accuracy of intrusion detection.
In a first aspect of the present invention, a security forensics method for vehicle-end intrusion is provided, including:
acquiring the security alarm events detected by the vehicle-end intrusion detection systems of a plurality of vehicles, and uploading the attack vectors of the security alarm events to a cloud;
the cloud qualitatively determining, from the attack vector, that a security alarm event is an intrusion event, and then determining whether that intrusion event is a target intrusion event;
if it is a target intrusion event, initiating security forensics towards the vehicle end, and monitoring and collecting the intrusion attack evidence retained on the vehicle end after the authorization of the vehicle owner has been obtained.
In an optional embodiment, the acquiring the security alarm event detected by the vehicle-end intrusion detection system of the plurality of vehicles, and uploading the attack vector of the security alarm event to the cloud end, includes:
acquiring a first safety alarm event detected by a CAN bus intrusion detection system; acquiring a second security alarm event detected by the Ethernet intrusion detection system; acquiring a third security alarm event detected by a host intrusion detection system;
the first security alarm event, the second security alarm event and the third security alarm event are stored in a security area after being de-duplicated and fused respectively, and are used for converging the security alarm events to form event correlation data in a certain time period;
and uploading the attack vectors of the first security alarm event, the second security alarm event and the third security alarm event to the cloud respectively, and only reporting the characteristic data of the attack if the data quantity of the attack vector is greater than the corresponding threshold value.
In an optional embodiment, after the cloud end determines the security alarm event as an intrusion event according to the attack vector, determining whether the intrusion event is a target intrusion event includes:
the cloud pre-classifies the attack vectors of the security alarm event according to known attack scenes and attack paths to determine attack types;
determining the security alarm event which cannot be pre-classified as a target intrusion event;
obtaining associated data information of the target intrusion event using an association rule algorithm; the associated data information is used to determine an attack scenario and an attack path.
In an optional embodiment, after the cloud end determines the security alarm event to be an intrusion event according to the attack vector, determining whether the intrusion event is a target intrusion event further includes:
the method comprises the steps of obtaining a target attack scene and a target attack path corresponding to a target intrusion event through analysis of a security operator on the target intrusion event;
and adding the target attack scene and the target attack path to an attack scene and attack path set of the vehicle-end intrusion detection system to generate a corresponding intrusion recognition rule.
In an optional embodiment, if it is a target intrusion event, initiating security forensics towards the vehicle end, and monitoring and collecting the intrusion attack evidence retained at the vehicle end after the authorization of the vehicle owner has been obtained, includes:
informing a user of relevant information of the attack event and analysis results of cloud security operation when a security evidence obtaining request is initiated to a vehicle end, generating an authorization certificate at the vehicle end when the user agrees to the security evidence obtaining request, and sending the authorization certificate to an account number of a security operator;
and the security operator is remotely connected with the vehicle end based on the authorization credential, monitors and collects the intrusion attack evidence reserved at the vehicle end, and the intrusion attack evidence is used for verifying the intrusion event.
In an alternative embodiment, if the data size of the attack vector is greater than the corresponding threshold value, only feature data of the attack is reported, including:
if the data volume of the attack vector is larger than the corresponding threshold value, uploading abstract information of the attack vector and the type of the security alarm event to the cloud end, wherein the abstract information comprises source IP, source port, target IP, target port, network protocol, trigger rule information, name and version of an attacked service of a vehicle end, name and version of attack software and hash value information of an effective attack vector.
In a second aspect of the present invention, a security forensics system for intrusion at a vehicle end is provided, including:
the acquisition module is used for acquiring the safety alarm events detected by the vehicle end intrusion detection systems of the vehicles and uploading attack vectors of the safety alarm events to the cloud;
the judging module is used for judging whether the intrusion event is a target intrusion event after the cloud terminal qualitatively determines the security alarm event to be an intrusion event according to the attack vector;
and the forensics module is used for initiating security forensics towards the vehicle end if it is a target intrusion event, and for monitoring and collecting the intrusion attack evidence retained at the vehicle end after the vehicle owner's authorization has been obtained.
In a third aspect of the present invention, a method for obtaining evidence of intrusion at a vehicle end is provided, and the method is applied to the vehicle end, and includes:
collecting and acquiring a security alarm event detected by a vehicle-end intrusion detection system, converging the security alarm event to form event correlation data in a certain time period, and uploading an attack vector of the security alarm event in the certain time period to a cloud;
receiving intrusion analysis results fed back by the cloud and a security evidence obtaining request;
and displaying the intrusion analysis result and the range of the security evidence obtaining request, generating the authorization certificate and issuing the authorization certificate to security operators, and allowing the security operators to remotely monitor and collect the intrusion attack evidence reserved at the vehicle end.
In a fourth aspect of the present invention, there is provided a security forensics system comprising:
at least one processor; and at least one memory communicatively coupled to the processor, wherein: the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the security evidence obtaining method of the vehicle intrusion according to the first aspect of the present invention.
In a fifth aspect of the invention, a computer-readable storage medium is provided, on which a computer program is stored, which, when being executed by a computer, performs the method according to the first aspect of the embodiment of the invention.
According to the invention, the security alarm events detected by the vehicle-end intrusion detection systems of a plurality of vehicles are acquired, the security alarm events are processed and identified in the cloud end, and after a security alarm event is determined to be a target intrusion event, security forensics can be initiated towards the vehicle end; after the authorization of the vehicle owner is obtained, the intrusion attack evidence retained at the vehicle end is monitored and collected. The invention increases the analyzability of intrusion events in this way, which helps security operators to formulate a comprehensive security incident handling scheme and protects the lives and property of the people inside and outside the vehicle.
In addition, the invention integrates a plurality of intrusion detection systems, thereby enhancing the accuracy of intrusion detection and better processing security events by means of fusion analysis.
Drawings
Fig. 1 is a flow chart of a method for safely collecting evidence of vehicle end intrusion in an embodiment of the invention.
Fig. 2 is a flow chart of another method for obtaining evidence of security of vehicle intrusion according to an embodiment of the present invention.
Fig. 3 is a schematic block diagram of a security evidence obtaining system for vehicle intrusion according to an embodiment of the present invention.
Fig. 4 is a flow chart of the security forensics method for vehicle-end intrusion as applied at the vehicle end, in an embodiment of the invention.
Fig. 5 is a schematic structural diagram of a security forensics system according to one embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the terms "first," "second," and "third," etc. in the claims, specification and drawings of the present disclosure are used for distinguishing between different objects and not for describing a particular sequential order. The terms "comprises" and "comprising" when used in the specification and claims of the present disclosure, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Before describing the technical scheme of the invention, the working mode of the vehicle intrusion detection system needs to be introduced:
the CANIDS system (CAN bus intrusion detection system) mainly generates CANIDS rules from the CAN signal description (ARXML); the CANIDS rules cover signal ranges, message periods, channel load rates and similar properties. While the vehicle is running, signals on the CAN bus are collected and matched against the rules; signals that do not conform to the rules are recorded locally, and an alarm is generated and reported to the cloud.
The NIDS system (Ethernet intrusion detection system) mainly derives NIDS rules by analyzing the characteristics of network intrusion attacks. While the vehicle is running, the NIDS system captures and analyzes packets on key network segments, records locally any packets that match the rule characteristics, generates an alarm and reports the packets to the cloud.
The HIDS system (host intrusion detection system) mainly forms its rules by recording the state of the system under normal operation, such as file digests, permissions and performance; during operation it monitors the system state, important files and logs, matches them against the corresponding rules, records abnormal files or system states locally, and generates an alarm that is reported to the cloud.
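To make the CANIDS rule types above concrete, here is an added example (not code from the patent or its assignee) of a minimal CAN bus intrusion detector that applies the three rule families the description names: a signal range rule, a message period rule and a channel load rate rule. The CAN IDs, byte offsets, limits, bitrate and the sample traffic are all constructed for illustration; a real deployment would derive the rules from the vehicle's ARXML signal description.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed rule set in the spirit of the CANIDS rules described above.
# Real rules would be generated from the vehicle's CAN signal description
# (ARXML); the CAN ID, byte offset and limits here are invented.
CAN_RULES = {
    0x1A0: {"period_ms": 20, "tolerance_ms": 5,
            # signal name -> (byte offset, min raw value, max raw value)
            "signals": {"vehicle_speed_kph": (0, 0, 250)}},
}
BUS_BITRATE = 500_000          # classic CAN at 500 kbit/s (assumed)
MAX_BUS_LOAD_PERCENT = 80.0    # channel load rule threshold (assumed)


@dataclass
class Frame:
    ts_ms: float
    can_id: int
    data: bytes


@dataclass
class Alarm:
    ts_ms: float
    can_id: int
    rule: str      # signal_range / message_period / unknown_id / channel_load
    detail: str


class CanIds:
    """Matches CAN frames against the rule set and keeps a local alarm record,
    which stands in for the local log the vehicle end keeps before reporting."""

    def __init__(self, rules=CAN_RULES, max_load=MAX_BUS_LOAD_PERCENT):
        self.rules = rules
        self.max_load = max_load
        self.last_seen: Dict[int, float] = {}
        self.alarms: List[Alarm] = []

    def check_frame(self, f: Frame) -> List[Alarm]:
        found: List[Alarm] = []
        rule = self.rules.get(f.can_id)
        if rule is None:
            found.append(Alarm(f.ts_ms, f.can_id, "unknown_id",
                               "CAN ID not present in the ARXML-derived rule set"))
        else:
            # Signal range rule: the raw byte must stay inside the declared range.
            for name, (offset, lo, hi) in rule["signals"].items():
                if offset < len(f.data) and not lo <= f.data[offset] <= hi:
                    found.append(Alarm(f.ts_ms, f.can_id, "signal_range",
                                       f"{name}={f.data[offset]} outside [{lo}, {hi}]"))
            # Message period rule: interval since the previous frame of this ID.
            prev = self.last_seen.get(f.can_id)
            if prev is not None:
                gap = f.ts_ms - prev
                if abs(gap - rule["period_ms"]) > rule["tolerance_ms"]:
                    found.append(Alarm(f.ts_ms, f.can_id, "message_period",
                                       f"interval {gap:.1f} ms, expected {rule['period_ms']} ms"))
            self.last_seen[f.can_id] = f.ts_ms
        self.alarms.extend(found)
        return found

    def bus_load_percent(self, frames: List[Frame], window_ms: float) -> float:
        # Rough classic-CAN cost: ~47 overhead bits plus 8 bits per data byte,
        # bit stuffing ignored; adequate for a load-rate rule.
        bits = sum(47 + 8 * len(f.data) for f in frames)
        return 100.0 * bits / (BUS_BITRATE * window_ms / 1000.0)

    def check_bus_load(self, frames: List[Frame], window_ms: float) -> Optional[Alarm]:
        load = self.bus_load_percent(frames, window_ms)
        if load > self.max_load:
            a = Alarm(frames[-1].ts_ms, 0, "channel_load", f"{load:.1f}% > {self.max_load}%")
            self.alarms.append(a)
            return a
        return None


# Constructed traffic: a 20 ms speed message, one injected frame that is both
# out of range and off-period, and one frame whose ID the rules do not know.
SAMPLE_FRAMES = [
    Frame(0,  0x1A0, bytes([60, 0, 0, 0, 0, 0, 0, 0])),
    Frame(20, 0x1A0, bytes([61, 0, 0, 0, 0, 0, 0, 0])),
    Frame(25, 0x1A0, bytes([255, 0, 0, 0, 0, 0, 0, 0])),   # injected frame
    Frame(40, 0x1A0, bytes([62, 0, 0, 0, 0, 0, 0, 0])),
    Frame(45, 0x7FF, bytes([1, 2, 3])),                      # unknown ID
]


def run_sample() -> List[str]:
    """Runs the constructed traffic through the detector; returns the rules that fired."""
    ids = CanIds()
    for f in SAMPLE_FRAMES:
        ids.check_frame(f)
    ids.check_bus_load(SAMPLE_FRAMES, window_ms=50)
    return [a.rule for a in ids.alarms]


def run_flood() -> Optional[Alarm]:
    """Constructed flood: 300 full-length frames inside 50 ms trips the load rule."""
    flood = [Frame(i * 0.16, 0x1A0, bytes(8)) for i in range(300)]
    return CanIds().check_bus_load(flood, window_ms=50)
```

On the sample traffic the injected frame raises both a signal range and a message period alarm and the unknown ID raises a third, while the normal frames at 0, 20 and 40 ms pass; the flood trips only the channel load rule. Each alarm stays in the local record, which is the data the vehicle end later deduplicates and uploads.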
Information security technologies such as authentication, access control and encryption are commonly referred to as static defense technologies: fixed security mechanisms are introduced during the vehicle analysis and design phase, and they do not adapt during actual operation. The vehicle intrusion detection and protection system, IDPS (Intrusion Detection & Prevention System), instead focuses security protection on detecting and dynamically responding to the current state of the vehicle, i.e. it applies targeted protection according to the attack events actually detected.
The invention installs the three intrusion detection systems at the vehicle end, which completes the vehicle's static defense, and by combining them with a security forensics mode it solves the problem that a vehicle can only raise an alarm after being intruded upon and cannot be examined forensically.
Referring to fig. 1, the present invention provides a method for safely collecting evidence of vehicle end intrusion, comprising the following steps:
step 100: and acquiring security alarm events detected by a vehicle-end intrusion detection system of a plurality of vehicles, and uploading attack vectors of the security alarm events to a cloud.
The CAN bus intrusion detection system, the Ethernet intrusion detection system and the host intrusion detection system at the vehicle end detect the intrusion of the CAN longitudinal, ethernet and the host through respective operation rules, acquire intrusion data, judge whether the intrusion event belongs to the intrusion event according to the intrusion data, judge the intrusion event as the security alarm event if the intrusion event belongs to the intrusion event, and need to send an alarm to the cloud. The security alarm event comprises an attack path which is mainly presented on an attack vector, namely an attacker (or malicious software), and an enterprise can more effectively perform asset management by knowing the attack path, so that security risks are reduced.
In this step, each intrusion detection system may unify intrusion detection events into attack vectors for reporting, where the reported content may include other content, and is displayed to a security operator that may view the intrusion events at the cloud.
Step 200: and the cloud terminal determines whether the intrusion event is a target intrusion event or not after qualifying the security alarm event as the intrusion event according to the attack vector.
The intrusion event analysis module can be deployed in a security operation background in the cloud for pre-classifying security events according to known attack scenes and attack paths so as to facilitate security operators to check and analyze.
Illustratively, in a credential attack the credentials include user names, passwords, keys and other types, and the methods an attacker uses to obtain them include phishing, data leaks, malware infection and weak-password cracking. In phishing, an attacker sends phishing mail in order to obtain sensitive data, credentials and access to the intranet. In a vulnerability attack, an attacker finds a suitable CVE (Common Vulnerabilities and Exposures) entry or PoC (Proof of Concept) and uses the vulnerability to obtain sensitive data or privileges for the next stage of the attack. In a configuration attack, known and unknown weaknesses appear in the system and its applications through default or erroneous configuration, such as default administrator passwords, high-risk ports open by default with unauthenticated access, or a debug mode enabled during development and never turned off.
For known intrusion attacks, the detection systems can handle the event or patch the vulnerability automatically. For a novel intrusion attack that the intrusion detection system cannot identify, the event is determined to be a target intrusion event; a security operator then analyzes it from the attack vector and generates corresponding handling rules, so that the system can identify the same attack automatically next time.
Step 300: if the target intrusion event is the target intrusion event, initiating security evidence collection facing the vehicle end, and monitoring and collecting intrusion attack evidence reserved on the vehicle end after the authorization of the vehicle owner is obtained.
After the intrusion event analysis module determines the target analysis event, a security operator can analyze according to the security alarm event, request the remote login of the vehicle end, acquire the vehicle operation log stored by the vehicle end and the like to identify an attack scene and an attack path.
For example, after the intrusion event analysis module is characterized as an intrusion event, the security operator participates in the analysis, requiring further forensic analysis and verification. And an operator initiates a remote security evidence obtaining request to the vehicle end through the background. And informing the relevant information of the attack event and the analysis result of the cloud security operation at the vehicle-computer interface, and then inquiring whether the vehicle owner agrees with the remote security evidence collection or not to inform the vehicle owner of the information such as the security evidence collection range, the time limit, the authority, the protection measures and the like. And generating the authorization certificate at the vehicle end and issuing the authorization certificate to the safety operator when the vehicle owner agrees. And then the operator holds the authorization certificate to carry out security evidence collection, and monitors and collects the invasion attack evidence reserved at the vehicle end so as to carry out subsequent analysis, protection and maintenance.
After the remote security evidence obtaining function of the intrusion event is added, the evidence obtaining data can be used for verifying the intrusion event, so that security operators can understand the intrusion method more deeply and comprehensively, the accuracy of security event analysis is improved, and the accuracy and the comprehensiveness of related defense schemes can be improved. Meanwhile, the evidence obtaining data can be used for quick reproduction of intrusion events, and the effectiveness of a defense scheme is fully verified. In addition, the evidence obtaining data is used as important evidence of the right maintenance, and can help safety operators and owners to maintain own rights.
Further, referring to fig. 2, an interaction relationship among the vehicle owner, each ECU at the vehicle end, the cloud end, and the security operation is shown.
First, each ECU of the vehicle detects intrusion events with its intrusion detection probe and securely stores the attack vector when an intrusion is detected.
Illustratively, each ECU acquires a first security alarm event detected by the CAN bus intrusion detection system, a second security alarm event detected by the Ethernet intrusion detection system, and a third security alarm event detected by the host intrusion detection system. The CAN bus intrusion detection system, the Ethernet intrusion detection system and the host intrusion detection system are deployed on the ECU and acquire their alarm events separately, possibly at different times. Using three intrusion detection systems allows fused intrusion detection, and once the cloud is equipped with an intrusion event analysis module for big-data analysis, the accuracy of intrusion detection improves and false alarms and missed alarms are reduced.
Then the first, second and third security alarm events are each de-duplicated and fused, and the de-duplicated and fused security alarm events are stored in a secure area, where they are aggregated to form event correlation data over a certain time period. Aggregating the vehicle-end events makes it possible to determine the correlation among the data within that period. Each ECU of the vehicle has the three intrusion detection systems deployed (HIDS, NIDS and CANIDS), and after a security event is detected by an intrusion detection probe, the complete attack vector is saved to the secure storage area.
The vehicle end then aggregates and pre-analyzes the events and reports them to the cloud VSOC security platform. The vehicle end uploads the attack vectors of the first, second and third security alarm events to the cloud end separately, and reports only the characteristic data of the attack if the data volume of the attack vector exceeds the corresponding threshold.
In one embodiment, reporting only the characteristic data of the attack when the data volume of the attack vector exceeds the corresponding threshold includes: uploading summary information of the attack vector together with the type of the security alarm event to the cloud end, where the summary information comprises the source IP, source port, target IP, target port, network protocol, trigger rule information, the name and version of the attacked vehicle-end service, the name and version of the attack software, and the hash value of the effective attack vector. After an attack event is detected, the complete attack vector is stored in the secure area of the system, and for an attack vector with a large data volume the alarm event reports only the characteristic data of the attack.
The intrusion event analysis module deployed in the security operations background analyzes the correlation among all intrusion events within a period of time and performs qualitative analysis of the security events. When an attack event occurs, each intrusion detection system promptly stores the complete attack vector in the system's secure storage area, which guarantees the integrity of the attack vector; summary information of the attack vector is uploaded to the cloud background together with the security alarm event in a timely manner. In this embodiment the secure storage area prevents the attacker from destroying traces.
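The vehicle-end pipeline just described (three IDS sources, de-duplication, fusion into time windows, retention of the complete vector in a secure area, and the size-threshold upload policy listed in the first aspect and again here) is shown below as an added example; it is not code from the patent or its assignee. The size threshold, the window length and every sample alarm (addresses, service names, versions, vector bytes) are constructed for illustration, and a dictionary stands in for the secure storage area.

```python
import hashlib
import json
from collections import defaultdict
from typing import Dict, List

# Upload policy constants (assumed values, not taken from the patent).
ATTACK_VECTOR_SIZE_THRESHOLD = 256   # bytes; larger vectors are reported by summary only
CORRELATION_WINDOW_S = 60            # the "certain time period" used to group events

# The summary fields the description lists for an over-threshold attack vector
# (the hash of the effective vector is always included, see build_report).
SUMMARY_FIELDS = ["src_ip", "src_port", "dst_ip", "dst_port", "protocol",
                  "trigger_rule", "attacked_service", "attacked_service_version",
                  "attack_software", "attack_software_version"]


def vector_hash(vector: bytes) -> str:
    return hashlib.sha256(vector).hexdigest()


class SecureArea:
    """Stand-in for the vehicle's secure storage area: the complete attack
    vector is always retained here, keyed by hash, whatever is uploaded."""
    def __init__(self):
        self.blobs: Dict[str, bytes] = {}

    def put(self, vector: bytes) -> str:
        h = vector_hash(vector)
        self.blobs[h] = vector
        return h


def deduplicate(events: List[dict]) -> List[dict]:
    """Drops repeats of the same (IDS source, trigger rule, vector) alarm."""
    seen, out = set(), []
    for e in events:
        key = (e["source"], e["trigger_rule"], vector_hash(e["vector"]))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def fuse_by_window(events: List[dict], window_s: int = CORRELATION_WINDOW_S) -> Dict[int, List[dict]]:
    """Groups alarms from all three IDS into time windows (event correlation data)."""
    windows: Dict[int, List[dict]] = defaultdict(list)
    for e in events:
        windows[int(e["ts"] // window_s)].append(e)
    return dict(windows)


def build_report(e: dict, area: SecureArea, threshold: int = ATTACK_VECTOR_SIZE_THRESHOLD) -> dict:
    """Full vector at or below the threshold; characteristic data only above it."""
    h = area.put(e["vector"])   # the complete vector is retained either way
    report = {"source": e["source"], "event_type": e["event_type"], "ts": e["ts"],
              "vector_sha256": h}
    if len(e["vector"]) <= threshold:
        report["attack_vector"] = e["vector"].hex()
    else:
        report["summary"] = {k: e.get(k) for k in SUMMARY_FIELDS}
    return report


def prepare_upload(events: List[dict], area: SecureArea) -> List[dict]:
    """De-duplicate, fuse into windows, then emit one window-tagged report per alarm."""
    reports = []
    for window, group in sorted(fuse_by_window(deduplicate(events)).items()):
        for e in group:
            r = build_report(e, area)
            r["window"] = window
            reports.append(r)
    return reports


# Constructed alarms from the three IDS; addresses, names and versions are invented.
NIDS_ALARM = {"source": "NIDS", "event_type": "exploit_attempt", "ts": 1020,
              "trigger_rule": "nids-rule-4471", "src_ip": "192.0.2.10", "src_port": 51234,
              "dst_ip": "10.0.0.5", "dst_port": 8443, "protocol": "tcp",
              "attacked_service": "telematics-agent", "attacked_service_version": "2.3.1",
              "attack_software": "unknown", "attack_software_version": None,
              "vector": b"A" * 1000}          # well over the size threshold
SAMPLE_EVENTS = [
    {"source": "CANIDS", "event_type": "signal_range", "ts": 1010,
     "trigger_rule": "speed_range", "vector": bytes.fromhex("1a0ff0000000000000")},
    NIDS_ALARM,
    dict(NIDS_ALARM, ts=1021),                 # exact repeat, dropped by deduplicate()
    {"source": "HIDS", "event_type": "file_integrity", "ts": 1100,
     "trigger_rule": "hids-binary-integrity", "vector": b"ota-updater sha256 mismatch"},
]

if __name__ == "__main__":
    for r in prepare_upload(SAMPLE_EVENTS, SecureArea()):
        print(json.dumps(r, sort_keys=True))
```

With the constructed input the three retained alarms land in three windows; the small CANIDS and HIDS vectors are uploaded in full, while the 1000-byte NIDS vector is replaced by its summary fields plus hash, and all three complete vectors remain in the secure area for later forensics.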
Further, after the cloud determines the security alarm event to be an intrusion event according to the attack vector, determining whether the intrusion event is a target intrusion event includes:
the cloud pre-classifies the attack vectors of the security alarm event according to known attack scenes and attack paths to determine attack types;
determining the security alarm event which cannot be pre-classified as a target intrusion event;
obtaining associated data information of the target intrusion event using an association rule algorithm; the associated data information is used to determine an attack scenario and an attack path.
An intrusion event analysis module is deployed in the security operations background. In this module, security events are pre-classified according to the known attack scenarios and attack paths; unknown attack events are processed with an association rule algorithm (such as Apriori) to obtain the correlation among intrusion events; new attack scenarios and attack paths are identified with the participation of security operators, and the corresponding fusion rules are generated and added to the set of known attack scenarios and attack paths. If several highly correlated intrusion events later occur together, the intrusion that has occurred can then be identified quickly.
Further, after the cloud determines the security alarm event to be an intrusion event according to the attack vector, determining whether the intrusion event is a target intrusion event further includes:
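The cloud-side logic in the two passages above (pre-classification against known attack paths, unclassifiable events becoming target intrusion events, and an association rule algorithm such as Apriori run over the event correlation data) is illustrated by the following added example, which is not code from the patent or its assignee. The known-path table, the trigger rule names and the per-window transactions are constructed; the Apriori and rule-generation routines are the textbook algorithm, and the function for adding a confirmed scenario back into the known set corresponds to the rule update the operator performs.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Known attack scenarios: trigger rule -> attack type. Constructed, following the
# credential / vulnerability / configuration attack categories in the description.
KNOWN_ATTACK_PATHS: Dict[str, str] = {
    "ssh_bruteforce": "credential_attack",
    "phishing_link_click": "credential_attack",
    "cve_exploit_signature": "vulnerability_attack",
    "default_admin_password": "configuration_attack",
    "debug_port_open": "configuration_attack",
}


def pre_classify(event: dict, known: Dict[str, str] = KNOWN_ATTACK_PATHS) -> Optional[str]:
    """Attack type for a known attack path; None when the event cannot be classified."""
    return known.get(event["trigger_rule"])


def find_target_events(events: List[dict], known: Dict[str, str] = KNOWN_ATTACK_PATHS) -> List[dict]:
    """Unclassifiable alarms are the target intrusion events that need an operator."""
    return [e for e in events if pre_classify(e, known) is None]


def apriori(transactions: List[Set[str]], min_support: float) -> Dict[FrozenSet[str], float]:
    """Classic Apriori: every itemset whose support is >= min_support."""
    n = len(transactions)
    freq: Dict[FrozenSet[str], float] = {}
    level = [frozenset([i]) for i in sorted({i for t in transactions for i in t})]
    k = 1
    while level:
        support = {c: sum(1 for t in transactions if c <= t) / n for c in level}
        current = {c: s for c, s in support.items() if s >= min_support}
        freq.update(current)
        # Join step: frequent k-itemsets that differ in one item give (k+1)-candidates.
        candidates = {a | b for a in current for b in current if len(a | b) == k + 1}
        # Prune step: a candidate survives only if all its k-subsets are frequent.
        level = [c for c in candidates
                 if all(frozenset(s) in current for s in combinations(c, k))]
        k += 1
    return freq


def association_rules(freq: Dict[FrozenSet[str], float], min_confidence: float
                      ) -> List[Tuple[FrozenSet[str], FrozenSet[str], float, float]]:
    """(antecedent, consequent, support, confidence) for each rule above min_confidence."""
    rules = []
    for itemset, sup in freq.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(itemset, r):
                ante = frozenset(ante)
                conf = sup / freq[ante]
                if conf >= min_confidence:
                    rules.append((ante, itemset - ante, sup, conf))
    return rules


def add_attack_scene(known: Dict[str, str], scene: str, trigger_rules: List[str]) -> Dict[str, str]:
    """Operator confirms a new scenario: its trigger rules join the known attack path set."""
    for r in trigger_rules:
        known[r] = scene
    return known


# Constructed event correlation data: each transaction is the set of trigger rules
# seen on one vehicle inside one time window.
SAMPLE_WINDOWS: List[Set[str]] = [
    {"tls_cert_anomaly", "ota_binary_modified", "can_period_violation"},
    {"tls_cert_anomaly", "ota_binary_modified"},
    {"tls_cert_anomaly", "ota_binary_modified", "can_period_violation"},
    {"ssh_bruteforce"},
    {"tls_cert_anomaly", "ota_binary_modified", "can_period_violation"},
    {"ota_binary_modified"},
]


def analyse_windows(windows: List[Set[str]] = SAMPLE_WINDOWS,
                    min_support: float = 0.5, min_confidence: float = 0.9):
    """Association data for the operator: which unclassified alarms travel together."""
    return association_rules(apriori(windows, min_support), min_confidence)
```

On the constructed windows, `ssh_bruteforce` is pre-classified as a credential attack and never reaches the miner, while the three unclassified trigger rules form a frequent triple; the rule `can_period_violation -> {tls_cert_anomaly, ota_binary_modified}` comes out with confidence 1.0, which is the kind of associated data an operator would use to name a new attack scenario and path and feed it back into the known set.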
the method comprises the steps of obtaining a target attack scene and a target attack path corresponding to a target intrusion event through analysis of a security operator on the target intrusion event;
and adding the target attack scene and the target attack path to an attack scene and attack path set of the vehicle-end intrusion detection system to generate a corresponding intrusion recognition rule.
The security operations personnel send the analysis result and the security forensics request to the vehicle end through the cloud VSOC. When the security forensics request is initiated to the vehicle end, the user is informed of the relevant information about the attack event and the analysis result of cloud security operations; the vehicle end presents this information through the head-unit interface and then asks whether the vehicle owner agrees to remote security forensics.
When the user agrees to the security forensics request, an authorization credential is generated at the vehicle end and sent to the cloud end, and the cloud end delivers the authorization credential to the account of the security operator. The security operator then connects remotely to the vehicle end on the basis of the authorization credential, securely collects forensic data from the vehicle-end ECUs, and monitors and collects the intrusion attack evidence retained on the vehicle end, which is used to verify the intrusion event. After analyzing the forensic data, the security operator can specify a solution and the handling needed for rights protection.
After the cause of the intrusion event has been qualitatively determined, the security operator feeds the security incident analysis result back from the VSOC security platform to the vehicle end and initiates a remote security forensics request; the driver chooses in the vehicle whether to agree to remote security forensics, and if so an authorization credential is generated at the vehicle end and issued to the security operator. The operator then carries out security forensics with the authorization credential, monitoring and collecting the intrusion attack evidence retained at the vehicle end for subsequent analysis, protection and maintenance.
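The owner-consent exchange described in the paragraphs above (and in the optional embodiment of the first aspect) is shown below as an added example; it is not code from the patent or its assignee. It assumes the credential is a signed statement of what the owner agreed to: which operator account, which evidence items (the forensics range), read-only permission and a time limit; the vehicle end checks every one of those before releasing anything and records each request so the owner can see what was collected. An HMAC with a key held at the vehicle end is used for signing here purely for brevity; a real design would more likely sign with an asymmetric key kept in the vehicle's HSM or secure element. All identifiers and evidence items are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional, Tuple

# Vehicle-end signing key (assumption: in a real deployment this lives in the
# vehicle's HSM / secure element and would more likely be an asymmetric key).
VEHICLE_KEY = secrets.token_bytes(32)


def issue_credential(vehicle_id: str, operator_account: str, scope: List[str],
                     ttl_s: int, now: Optional[float] = None, key: bytes = VEHICLE_KEY) -> dict:
    """Called on the vehicle end once the owner has agreed to the forensics request.

    The credential states exactly what was agreed: the operator, the evidence
    items (forensics range), read-only permission and a time limit."""
    now = time.time() if now is None else now
    body = {
        "vehicle_id": vehicle_id,
        "operator": operator_account,
        "scope": sorted(scope),
        "permissions": ["read"],
        "issued_at": now,
        "expires_at": now + ttl_s,
        "nonce": secrets.token_hex(8),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_request(cred: dict, operator_account: str, requested_item: str,
                   now: Optional[float] = None, key: bytes = VEHICLE_KEY) -> Tuple[bool, str]:
    """Vehicle-end check when the operator presents the credential for one item."""
    expected = hmac.new(key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return False, "bad signature"
    body = json.loads(cred["payload"])
    now = time.time() if now is None else now
    if now > body["expires_at"]:
        return False, "credential expired"
    if body["operator"] != operator_account:
        return False, "operator does not match credential"
    if requested_item not in body["scope"]:
        return False, "item outside the authorized forensics range"
    return True, "ok"


class ForensicsSession:
    """Serves retained evidence only within the credential and keeps an audit
    trail of every request, granted or refused, for the owner to review."""
    def __init__(self, cred: dict, operator_account: str, evidence: dict):
        self.cred = cred
        self.operator = operator_account
        self.evidence = evidence          # items the vehicle end has retained
        self.audit: List[dict] = []

    def collect(self, item: str, now: Optional[float] = None):
        ok, reason = verify_request(self.cred, self.operator, item, now)
        self.audit.append({"item": item, "granted": ok, "reason": reason})
        return self.evidence.get(item) if ok else None


# Constructed evidence retained on the vehicle end; the camera entry exists only
# to show that an item outside the agreed range is refused.
RETAINED_EVIDENCE = {
    "ids_alarm_log": ["CANIDS signal_range 0x1A0", "NIDS nids-rule-4471"],
    "secure_area_vectors": {"<sha256 placeholder>": "<complete attack vector>"},
    "driver_camera": "<not part of any forensics request>",
}
```

The four refusals a verifier must produce are each exercised in the checks below: a tampered payload (the signature no longer matches), an expired credential, a different operator account, and a request for an item the owner never agreed to. Binding the permissions and range into the signed payload is what makes the credential an authorization rather than a bare login token.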
Referring to fig. 3, the present invention further provides a security forensics system for vehicle-end intrusion, including:
the acquiring module 31, configured to acquire the security alarm events detected by the vehicle-end intrusion detection systems of a plurality of vehicles and to upload the attack vectors of the security alarm events to the cloud.
Illustratively, this is achieved by:
acquiring a first security alarm event detected by the CAN bus intrusion detection system, a second security alarm event detected by the Ethernet intrusion detection system and a third security alarm event detected by the host intrusion detection system; de-duplicating and fusing the first, second and third security alarm events respectively and storing them in a secure area, so that the security alarm events are aggregated into event correlation data for a given time period; and uploading the attack vectors of the first, second and third security alarm events to the cloud respectively, reporting only the characteristic data of the attack when the data size of an attack vector exceeds the corresponding threshold. In one embodiment, if the data size of the attack vector exceeds the corresponding threshold, summary information of the attack vector together with the type of the security alarm event is uploaded to the cloud, the summary information comprising the source IP, source port, destination IP, destination port, network protocol, triggered rule information, the name and version of the attacked service on the vehicle end, the name and version of the attack software, and the hash value of the effective attack vector.
a judging module 32, configured to determine, after the cloud has characterised the security alarm event as an intrusion event on the basis of its attack vector, whether that intrusion event is a target intrusion event.
Illustratively, this is achieved by:
the cloud pre-classifies the attack vectors of the security alarm events against known attack scenarios and attack paths to determine the attack type; a security alarm event that cannot be pre-classified is determined to be a target intrusion event; and the data associated with the target intrusion event is obtained with an association rule algorithm in order to determine its attack scenario and attack path.
A target attack scenario and target attack path corresponding to the target intrusion event are then obtained through analysis of the event by a security operator, and are added to the set of attack scenarios and attack paths of the vehicle-end intrusion detection system, generating a corresponding intrusion recognition rule.
a forensics module 33, configured to initiate security forensics towards the vehicle end if the event is a target intrusion event, and to monitor and collect the intrusion attack evidence retained on the vehicle end once the vehicle owner's authorization has been obtained. For example, when a security forensics request is sent to the vehicle end, the user is informed of the attack event details and the cloud security operation analysis result; when the user agrees to the request, an authorization credential is generated at the vehicle end and sent to the account of a security operator; the security operator then connects remotely to the vehicle end on the basis of that credential and monitors and collects the intrusion attack evidence retained at the vehicle end, which is used to verify the intrusion event.
Referring to fig. 4, the present invention further provides a security forensics method for vehicle-end intrusion that is applied at the vehicle end and comprises the following steps:
Step 410: collecting the security alarm events detected by the vehicle-end intrusion detection system, aggregating them into event correlation data for a given time period, and uploading the attack vectors of the security alarm events in that period to the cloud.
Step 420: receiving the intrusion analysis result and the security forensics request fed back by the cloud.
Step 430: displaying the intrusion analysis result and the scope of the security forensics request, generating an authorization credential and issuing it to the security operator, and allowing the security operator to remotely monitor and collect the intrusion attack evidence retained at the vehicle end.
Specifically, each ECU at the vehicle end deploys three intrusion detection systems, and the vehicle end acquires a first security alarm event detected by the CAN bus intrusion detection system, a second security alarm event detected by the Ethernet intrusion detection system and a third security alarm event detected by the host intrusion detection system. The vehicle end then de-duplicates and fuses the first, second and third security alarm events respectively and stores them in a secure area, so that they are aggregated into event correlation data for a given time period. The vehicle end uploads the attack vectors of the first, second and third security alarm events to the cloud respectively, reporting only the characteristic data of the attack when the data size of an attack vector exceeds the corresponding threshold.
When the cloud sends a security forensics request to the vehicle end, the user is informed of the attack event details and the cloud security operation analysis result; when the user agrees to the request, an authorization credential is generated at the vehicle end and sent to the account of a security operator. The security operator connects remotely to the vehicle end on the basis of that credential and monitors and collects the intrusion attack evidence retained at the vehicle end, which is used to verify the intrusion event.
After the cause of the intrusion event has been characterised, the security operator feeds the security event analysis result back from the VSOC security platform to the vehicle end and initiates a remote security forensics request. The driver chooses on the vehicle whether to agree to remote security forensics; if so, an authorization credential is generated at the vehicle end and issued to the security operator. The operator then uses the credential to carry out security forensics, monitoring and collecting the intrusion attack evidence retained at the vehicle end, and performs the subsequent analysis, protection and maintenance.
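As an added example (not code from the patent), the vehicle-end alert handling described for both the acquisition module and the vehicle-end method, in Python: alerts from the CAN, Ethernet and host IDS are de-duplicated and fused, aggregated into time windows, and turned into upload records that carry only the summary fields and a hash when the attack vector exceeds the threshold. The Alert structure, the fusion key, the 64-byte threshold and the sample alerts are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

VECTOR_THRESHOLD = 64  # bytes; assumption for the text's "corresponding threshold"


@dataclass
class Alert:
    ts: int          # detection time, seconds
    source: str      # "can", "eth" or "host": which of the three IDS raised it
    rule: str        # triggered rule id
    vector: bytes    # raw attack vector captured by the IDS
    meta: dict = field(default_factory=dict)  # addresses, protocol, service, attack software


def fuse_alerts(alerts):
    """De-duplicate alerts and fuse repeats of one attack into a single event.
    Assumption: same rule, attack vector and endpoints means the same attack;
    repeats only raise the count, widen the time span and add the source."""
    fused = {}
    for a in alerts:
        key = (a.rule, hashlib.sha256(a.vector).digest(), a.meta.get("src_ip"), a.meta.get("dst_ip"))
        ev = fused.get(key)
        if ev is None:
            fused[key] = {"first_ts": a.ts, "last_ts": a.ts, "count": 1,
                          "sources": {a.source}, "alert": a}
        else:
            ev["count"] += 1
            ev["first_ts"] = min(ev["first_ts"], a.ts)
            ev["last_ts"] = max(ev["last_ts"], a.ts)
            ev["sources"].add(a.source)
    return list(fused.values())


def correlate(events, window):
    """Aggregate fused events into fixed time windows (the event correlation data)."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev["first_ts"] // window * window].append(ev)
    return dict(buckets)


def build_report(ev, threshold=VECTOR_THRESHOLD):
    """Upload record for one fused event: the full vector if small, summary + hash otherwise."""
    a, m = ev["alert"], ev["alert"].meta
    report = {"rule": a.rule, "sources": sorted(ev["sources"]), "count": ev["count"],
              "first_ts": ev["first_ts"], "last_ts": ev["last_ts"]}
    if len(a.vector) > threshold:
        # Only the characteristic data listed in the text leaves the vehicle.
        report["summary"] = {
            "src_ip": m.get("src_ip"), "src_port": m.get("src_port"),
            "dst_ip": m.get("dst_ip"), "dst_port": m.get("dst_port"),
            "proto": m.get("proto"), "rule": a.rule,
            "service": m.get("service"), "attack_sw": m.get("attack_sw"),
            "vector_sha256": hashlib.sha256(a.vector).hexdigest()}
    else:
        report["vector_hex"] = a.vector.hex()
    return report


# Constructed sample: a repeated Ethernet alert, a host alert on the same payload
# (fused separately because the rule differs) and one short CAN-bus alert.
NET = {"src_ip": "10.0.0.9", "src_port": 4444, "dst_ip": "192.168.1.2", "dst_port": 13400,
       "proto": "tcp", "service": "doip-gw/1.0", "attack_sw": "unknown"}
BIG_VECTOR = bytes(range(256))
SAMPLE_ALERTS = [
    Alert(1000, "eth", "ETH-1001", BIG_VECTOR, NET),
    Alert(1003, "eth", "ETH-1001", BIG_VECTOR, NET),
    Alert(1005, "host", "HIDS-2002", BIG_VECTOR, NET),
    Alert(1100, "can", "CAN-0007", b"\x07\xe0\x02\x10\x03", {"service": "uds/1.0"}),
]

if __name__ == "__main__":
    for start, evs in sorted(correlate(fuse_alerts(SAMPLE_ALERTS), 60).items()):
        for ev in evs:
            print(start, build_report(ev))
```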
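An added example (not the patent's own code) of the owner-authorized credential flow described above: the vehicle end issues a credential only after consent, bound to one vehicle, one operator account, an explicit evidence scope and an expiry, and checks every field plus single use before the operator's remote session is allowed. The HMAC-based credential format, the key handling and all field names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a per-vehicle key held only by the vehicle end (on a real ECU, in an HSM
# or secure element); cloud and operator never hold it, so only the vehicle can issue.
VEHICLE_KEY = b"constructed-demo-key-not-for-production"


def _mac(key, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_credential(vehicle_id, operator_account, scope, ttl, now=None, key=VEHICLE_KEY):
    """Vehicle end: called only after the owner has agreed on the head unit.
    The credential is bound to one vehicle, one operator account, an explicit
    evidence scope and a validity window, and carries a nonce for single use."""
    now = int(time.time()) if now is None else now
    body = {"vid": vehicle_id, "operator": operator_account, "scope": sorted(scope),
            "iat": now, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    return {"body": body, "mac": _mac(key, body)}


class ForensicsGate:
    """Vehicle-end check run when a security operator opens the remote session."""

    def __init__(self, vehicle_id, key=VEHICLE_KEY):
        self.vehicle_id = vehicle_id
        self.key = key
        self.used_nonces = set()

    def authorize(self, cred, operator_account, requested, now=None):
        """Return (allowed, reason). Any failed check denies the session."""
        now = int(time.time()) if now is None else now
        body = cred.get("body", {})
        if not hmac.compare_digest(_mac(self.key, body), cred.get("mac", "")):
            return False, "bad signature"  # tampered, or not issued by this vehicle
        if body.get("vid") != self.vehicle_id:
            return False, "credential issued for another vehicle"
        if body.get("operator") != operator_account:
            return False, "operator account mismatch"
        if not body["iat"] <= now < body["exp"]:
            return False, "expired or not yet valid"
        if not set(requested) <= set(body["scope"]):
            return False, "requested evidence outside authorized scope"
        if body["nonce"] in self.used_nonces:
            return False, "credential already used"
        self.used_nonces.add(body["nonce"])
        return True, "ok"


# Constructed walk-through: owner consents, the credential reaches the operator
# account via the cloud, and the operator connects once, then a replay is refused.
SCOPE = ["gateway:ids-log", "gateway:pcap"]


def demo(now=1_700_000_000):
    gate = ForensicsGate("VIN-DEMO-001")
    cred = issue_credential("VIN-DEMO-001", "vsoc-operator-7", SCOPE, ttl=600, now=now)
    return [
        gate.authorize(cred, "vsoc-operator-7", ["gateway:ids-log"], now=now + 10),
        gate.authorize(cred, "vsoc-operator-7", ["gateway:ids-log"], now=now + 20),  # replay
        gate.authorize(cred, "someone-else", ["gateway:ids-log"], now=now + 10),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```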
As shown in fig. 5, the present invention further provides a security forensics system, comprising:
at least one processor; and at least one memory communicatively coupled to the processor, wherein the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the security forensics method for vehicle-end intrusion.
The invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the security forensics method for vehicle-end intrusion.
It is understood that the computer-readable storage medium may include any entity or device capable of carrying a computer program or computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), a software distribution medium, and so forth. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, or some intermediate form, among others.
In some embodiments of the present invention, the processor may include a controller or a processor, where the controller is a single chip that integrates a processor, a memory, a communication module and the like, and the processor may refer to the processor comprised by the controller. The processor may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and additional implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A security evidence obtaining method for vehicle-end intrusion, characterized by comprising the following steps:
acquiring security alarm events detected by the vehicle-end intrusion detection systems of a plurality of vehicles, and uploading attack vectors of the security alarm events to a cloud;
the cloud determining, after characterising a security alarm event as an intrusion event according to its attack vector, whether the intrusion event is a target intrusion event;
if it is a target intrusion event, initiating security evidence collection towards the vehicle end, and monitoring and collecting the intrusion attack evidence retained on the vehicle end after the authorization of the vehicle owner has been obtained.
2. The security evidence obtaining method for vehicle-end intrusion according to claim 1, wherein acquiring the security alarm events detected by the vehicle-end intrusion detection systems of the plurality of vehicles and uploading the attack vectors of the security alarm events to the cloud comprises:
acquiring a first safety alarm event detected by a CAN bus intrusion detection system; acquiring a second security alarm event detected by the Ethernet intrusion detection system; acquiring a third security alarm event detected by a host intrusion detection system;
de-duplicating and fusing the first, second and third security alarm events respectively and storing them in a secure area, so that the security alarm events are aggregated into event correlation data for a certain time period;
and uploading the attack vectors of the first, second and third security alarm events to the cloud respectively, reporting only the characteristic data of the attack if the data size of an attack vector is greater than the corresponding threshold value.
3. The security evidence obtaining method for vehicle-end intrusion according to claim 2, wherein the cloud determining, after characterising the security alarm event as an intrusion event according to the attack vector, whether the intrusion event is a target intrusion event comprises:
the cloud pre-classifies the attack vectors of the security alarm event according to known attack scenes and attack paths to determine attack types;
determining the security alarm event which cannot be pre-classified as a target intrusion event;
obtaining associated data information of the target intrusion event using an association rule algorithm; the associated data information is used to determine an attack scenario and an attack path.
4. The security evidence obtaining method for vehicle-end intrusion according to claim 3, wherein the cloud determining, after characterising the security alarm event as an intrusion event according to the attack vector, whether the intrusion event is a target intrusion event comprises:
the method comprises the steps of obtaining a target attack scene and a target attack path corresponding to a target intrusion event through analysis of a security operator on the target intrusion event;
and adding the target attack scene and the target attack path to an attack scene and attack path set of the vehicle-end intrusion detection system to generate a corresponding intrusion recognition rule.
5. The security evidence obtaining method for vehicle-end intrusion according to claim 3, wherein, if it is a target intrusion event, initiating security evidence collection towards the vehicle end and monitoring and collecting the intrusion attack evidence retained at the vehicle end after the authorization of the vehicle owner has been obtained comprises the following steps:
informing the user of relevant information of the attack event and the analysis results of cloud security operation when a security evidence obtaining request is initiated to the vehicle end, generating an authorization credential at the vehicle end when the user agrees to the security evidence obtaining request, and sending the authorization credential to an account of a security operator;
and the security operator connecting remotely to the vehicle end based on the authorization credential, and monitoring and collecting the intrusion attack evidence retained at the vehicle end, the intrusion attack evidence being used to verify the intrusion event.
6. The security evidence obtaining method for vehicle-end intrusion according to claim 2, wherein reporting only the characteristic data of the attack if the data size of the attack vector is greater than the corresponding threshold value comprises:
if the data size of the attack vector is greater than the corresponding threshold value, uploading summary information of the attack vector and the type of the security alarm event to the cloud, wherein the summary information comprises the source IP, source port, destination IP, destination port, network protocol, triggered rule information, the name and version of the attacked service on the vehicle end, the name and version of the attack software, and the hash value of the effective attack vector.
7. A security evidence obtaining system for vehicle-end intrusion, comprising:
an acquisition module, configured to acquire the security alarm events detected by the vehicle-end intrusion detection systems of a plurality of vehicles and to upload attack vectors of the security alarm events to the cloud;
a judging module, configured to determine, after the cloud has characterised the security alarm event as an intrusion event according to the attack vector, whether the intrusion event is a target intrusion event;
and an evidence obtaining module, configured to initiate security evidence collection towards the vehicle end if it is a target intrusion event, and to monitor and collect the intrusion attack evidence retained at the vehicle end after the authorization of the vehicle owner has been obtained.
8. A security evidence obtaining method for vehicle-end intrusion, applied at the vehicle end, characterized by comprising the following steps:
collecting the security alarm events detected by the vehicle-end intrusion detection system, aggregating the security alarm events into event correlation data for a certain time period, and uploading the attack vectors of the security alarm events in that time period to a cloud;
receiving the intrusion analysis result and the security evidence obtaining request fed back by the cloud;
and displaying the intrusion analysis result and the scope of the security evidence obtaining request, generating an authorization credential and issuing it to the security operator, and allowing the security operator to remotely monitor and collect the intrusion attack evidence retained at the vehicle end.
9. A security evidence obtaining system, comprising:
at least one processor; and at least one memory communicatively coupled to the processor, wherein the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the security evidence obtaining method for vehicle-end intrusion according to any one of claims 1 to 6.
10. A computer-readable storage medium on which a computer program is stored, which, when executed by a computer, performs the security evidence obtaining method for vehicle-end intrusion according to any one of claims 1 to 6.
Application CN202311425855.4A, priority date 2023-10-31, filing date 2023-10-31: Safety evidence obtaining method and system for vehicle end intrusion (pending); published as CN117439785A (en).

Priority Applications (1)

Application Number: CN202311425855.4A; Priority Date: 2023-10-31; Filing Date: 2023-10-31; Title: Safety evidence obtaining method and system for vehicle end intrusion (CN117439785A, en)

Publications (1)

Publication Number: CN117439785A (en); Publication Date: 2024-01-23

Family

ID=89556422

Country Status (1)

CN (1): CN117439785A (en)


Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination