CN117478551A - Automobile OTA upgrading abnormality detection system and method - Google Patents
Automobile OTA upgrading abnormality detection system and method Download PDFInfo
- Publication number
- CN117478551A CN117478551A CN202311412037.0A CN202311412037A CN117478551A CN 117478551 A CN117478551 A CN 117478551A CN 202311412037 A CN202311412037 A CN 202311412037A CN 117478551 A CN117478551 A CN 117478551A
- Authority
- CN
- China
- Prior art keywords
- ota
- upgrade
- login
- information
- detection module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 167
- 230000005856 abnormality Effects 0.000 title claims abstract description 51
- 238000000034 method Methods 0.000 title claims description 36
- 230000002159 abnormal effect Effects 0.000 claims abstract description 105
- 238000000605 extraction Methods 0.000 claims abstract description 23
- 238000007499 fusion processing Methods 0.000 claims abstract description 10
- 230000008569 process Effects 0.000 claims description 15
- 238000004140 cleaning Methods 0.000 claims description 9
- 238000012545 processing Methods 0.000 claims description 9
- 238000009434 installation Methods 0.000 claims description 7
- 230000005540 biological transmission Effects 0.000 claims description 6
- 230000014509 gene expression Effects 0.000 claims description 3
- 238000004422 calculation algorithm Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000000875 corresponding effect Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 238000010801 machine learning Methods 0.000 description 3
- 238000007418 data mining Methods 0.000 description 2
- 230000007488 abnormal function Effects 0.000 description 1
- 230000004931 aggregating effect Effects 0.000 description 1
- 230000002776 aggregation Effects 0.000 description 1
- 238000004220 aggregation Methods 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000002596 correlated effect Effects 0.000 description 1
- 238000003066 decision tree Methods 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000012417 linear regression Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000010606 normalization Methods 0.000 description 1
- 238000013450 outlier detection Methods 0.000 description 1
- 238000007637 random forest analysis Methods 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 238000011895 specific detection Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0823—Errors, e.g. transmission errors
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H04L41/0813—Configuration setting characterised by the conditions triggering a change of settings
- H04L41/082—Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0888—Throughput
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/20—Services signaling; Auxiliary data signalling, i.e. transmitting data via a non-traffic channel
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Data Mining & Analysis (AREA)
- Stored Programmes (AREA)
Abstract
The invention provides an automobile OTA upgrade abnormality detection system, which comprises: the OTA flow information acquisition module acquires data flow information during vehicle OTA upgrading; the OTA flow information matching detection module is used for judging whether the size of the upgrade file and the file version are abnormal according to the size of the upgrade file and the file version; the system operation log acquisition module is used for acquiring operation information; the operation information comprises an operator ID, operation time, an operation object and an operation type; the login and task issuing record extraction module is used for acquiring the associated information and login information during OTA upgrading; the login and task issuing record matching detection module is used for judging whether login equipment, login IP, address and login personnel ID are abnormal or not; the OTA anomaly detection module performs fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module to obtain an anomaly detection result; and the OTA abnormality detection result output module outputs an abnormality detection result.
Description
Technical Field
The invention relates to the field of data processing, in particular to an automobile OTA upgrading abnormality detection system and method.
Background
An Over-The-Air (OTA) technology is a technology capable of realizing The functions of system upgrade, application update, vulnerability repair, function opening and The like of an intelligent automobile, and allows manufacturers to send software updates and patches to The automobile through The Internet. This also means that the vehicle owner can upgrade the vehicle to the latest version, including the software of the entire vehicle system, such as the vehicle entertainment system, security system, engine management system, and other electronic device systems, by way of a smart phone application or vehicle entertainment system, etc., anywhere and anytime.
OTA technology is an important component of intelligent automobiles, and there are many potential risks, such as instability of network connection, data privacy, and internal system security, which also give hackers access to the OTA upgrade link, and generally they use the OTA upgrade link as an attack key point, and use various attack means, such as hijacking, tampering, replacement, etc., to attack the intelligent network automobile OTA upgrade link. The most commonly used attack modes include hijacking an upgrade instruction, tampering the upgrade package, replacing the legal upgrade package with a low version upgrade package with a vulnerability, and the like.
In the past, the method for detecting the abnormal OTA upgrade of the terminal is mainly used for judging the OTA event of a single terminal, for example, singly judging whether the flow generated by the terminal in OTA is within a set threshold range or detecting whether the terminal has abnormal functions in the OTA upgrade process or not by an electronic control unit (Electronic Control Unit, ECU) so as to further judge whether the OTA upgrade of the terminal has the abnormality or not.
The conventional method for judging the OTA event generally can only judge and process the OTA event received by a single terminal, and is limited in that the method can only consider the OTA event of a local terminal, but cannot link the OTA events among a plurality of terminals, and cannot comprehensively monitor and control the OTA event of the whole system.
Disclosure of Invention
The embodiment of the invention aims to provide an automobile OTA upgrading abnormality detection system and method, which are used for solving the problems existing in the prior art.
In a first aspect, the present invention provides an automobile OTA upgrade anomaly detection system, including:
the OTA traffic information acquisition module is used for acquiring data traffic information during vehicle OTA upgrading;
the OTA flow information extraction module is used for processing the data flow information to obtain upgrade file information; the upgrade file information comprises upgrade file content, upgrade file size and upgrade file version;
the OTA traffic information matching detection module is used for judging whether the content of the upgrade file, the size of the upgrade file and the version of the upgrade file are abnormal or not;
the system operation log acquisition module is used for acquiring operation information; the operation information comprises an operator ID, an operation object and an operation type;
the login and task issuing record extraction module is used for acquiring the associated information and login information during OTA upgrading; the related information comprises the issuing time of OTA upgrade, the upgrade type and the terminal ID for receiving the OTA upgrade; the login information comprises login time, login equipment, login IP, address and login personnel ID;
the login and task issuing record matching detection module is used for judging whether the ID of an operator, an operation object, an operation type, the issuing time of OTA upgrading, an upgrading type, a terminal ID for receiving OTA upgrading, the login equipment, login IP, address and login personnel ID are abnormal or not;
the OTA upgrade installation record acquisition module is used for acquiring OTA event information of a plurality of terminals; the OTA event information comprises an ECU version model, an OTA upgrading state, a reservation condition, an upgrading result, a network state and battery power;
the OTA upgrade information extraction module is used for cleaning the version model, the OTA upgrade state, the reservation condition and the upgrade result of the ECU, and extracting the cleaned version model, the cleaned OTA upgrade state, the cleaned reservation condition and the cleaned upgrade result of the ECU;
the OTA upgrade information matching detection module is used for carrying out abnormal judgment on the version model, the OTA upgrade state, the reservation condition and the upgrade result of the cleaned ECU, the network state and the battery electric quantity;
the OTA anomaly detection module is used for carrying out fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module to obtain an anomaly detection result;
and the OTA abnormal detection result output module is used for outputting an abnormal detection result.
In one possible implementation manner, the OTA traffic information matching detection module is configured to determine, according to the upgrade file size and the file version, whether the upgrade file size and the upgrade file version are abnormal specifically includes:
comparing the size of the upgrade file with a preset threshold range, and determining that the size of the upgrade file is abnormal when the size of the upgrade file is out of the preset threshold range;
fuzzy matching is carried out on the content of the upgrade file through a regular expression, and when the content of the upgrade file is not matched, the abnormality of the content of the upgrade file is determined;
the file version exception is determined by detecting whether there are other versions between the version to be upgraded and the current version or whether the version to be upgraded is higher than the current version. 3. The system of claim 1, wherein the OTA traffic information match detection module is further configured to determine, according to received upgrade file versions of a plurality of vehicles of a plurality of same vehicle types, whether the upgrade file versions of the same vehicle types are abnormal.
In one possible implementation manner, the login and task issuing record matching detection module is configured to determine whether the ID of the operator, the operation object, and the operation type are abnormal, and specifically includes:
and the operator ID is bound with the operation object and the operation type, and whether the operator ID is abnormal or not is judged according to the operation type or the operation object.
In one possible implementation manner, the login and task issuing record matching detection module is configured to determine whether the issuing time, the type of the OTA upgrade, the terminal ID for receiving the OTA upgrade, the login device, the login IP, the address, and the login person ID are abnormal, and specifically includes: determining whether an abnormality exists according to whether the upgrade type received by the terminal ID for receiving the OTA upgrade exceeds a preset type threshold or not or whether the issuing frequency in the preset duration exceeds a preset frequency threshold or not according to the issuing time;
judging whether the login equipment is common equipment or not; when the login device is very common device, determining that the login device is abnormal;
judging whether the login IP is a common login IP; when the login IP is the very-used login IP, determining that the login IP is abnormal;
judging whether the address is a common address; when the address is a very-used address, determining that the address is abnormal; wherein the address is location information;
judging whether the login personnel ID is an internal personnel account, and determining that the login personnel ID is abnormal when the login personnel ID is a non-internal personnel account.
In one possible implementation manner, the OTA upgrade information matching detection module is configured to perform abnormal judgment on a version model, an OTA upgrade state, a reservation condition, an upgrade result, a network state and a battery power of the cleaned ECU, and specifically includes:
detecting whether version information reported by an ECU version after OTA upgrading is the same as ECU version information scheduled by OTA upgrading, and determining that the version type of the ECU is abnormal when the version information is different from the ECU version information scheduled by OTA upgrading;
judging whether the OTA upgrading state is abnormal or not according to a state mark or an indicator in the OTA upgrading process;
judging whether the OTA upgrade reservation is carried out or not by inquiring the OTA upgrade reservation record, if the OTA upgrade reservation is carried out, judging whether the reservation record is consistent with the currently executed OTA upgrade, and if the OTA upgrade reservation is not carried out or the reservation record is inconsistent with the currently executed OTA upgrade, determining that the OTA reservation condition is abnormal;
judging whether the upgrading result is abnormal according to the index data of the upgrading result;
judging whether the network state is abnormal according to the network transmission rate or the network signal strength in OTA;
and judging whether the battery electric quantity is abnormal or not according to the battery electric quantity reported by the terminal OTA.
In one possible implementation manner, the OTA anomaly detection module is configured to perform fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module, and the OTA upgrade information matching detection module, where the obtaining an anomaly detection result specifically includes:
determining weights of an OTA flow information matching detection module, a login and task issuing record matching detection module and an OTA upgrading information matching detection module according to service requirements;
calculating a total score according to the abnormal score in the OTA flow information matching detection module, the abnormal score in the login and task issuing record matching detection module, the abnormal score of the OTA upgrading information matching detection module and the weight;
judging whether the total score is larger than a preset score threshold value or not;
and when the score is larger than a preset score threshold value, determining that an abnormality exists.
In one possible implementation manner, the OTA anomaly detection result output module is configured to output an anomaly detection result specifically including:
and outputting and displaying the total score, each abnormality in the OTA flow information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module.
In a second aspect, the present invention provides a method for detecting an abnormal upgrade of an automobile OTA, where the method includes:
the OTA flow information acquisition module acquires data flow information during vehicle OTA upgrading;
the OTA flow information extraction module processes the data flow information to obtain upgrade file information; the upgrade file information comprises upgrade file content, upgrade file size and upgrade file version;
the OTA flow information matching detection module judges whether the content of the upgrade file, the size of the upgrade file and the version of the upgrade file are abnormal or not;
the system operation log acquisition module acquires operation information; the operation information comprises an operator ID, an operation object and an operation type;
the login and task issuing record extraction module acquires the associated information and login information during OTA upgrading; the related information comprises the issuing time of OTA upgrade, the upgrade type and the terminal ID for receiving the OTA upgrade; the login information comprises login time, login equipment, login IP, address and login personnel ID;
the login and task issuing record matching detection module judges whether the ID of an operator, an operation object, an operation type, the issuing time of OTA upgrading, an upgrading type, a terminal ID for receiving OTA upgrading, login equipment, login IP, an address and login personnel ID are abnormal or not;
an OTA upgrade installation record acquisition module acquires OTA event information of a plurality of terminals; the OTA event information comprises an ECU version model, an OTA upgrading state, a reservation condition, an upgrading result, a network state and battery power;
the method comprises the steps that an OTA upgrading information extraction module ECU (electronic control unit) version model, an OTA upgrading state, a reservation condition and an upgrading result are subjected to cleaning treatment, and the cleaned ECU version model, OTA upgrading state, reservation condition and upgrading result are extracted;
the OTA upgrade information matching detection module is used for carrying out abnormal judgment on the version model, the OTA upgrade state, the reservation condition and the upgrade result of the cleaned ECU, the network state and the battery electric quantity;
the OTA anomaly detection module performs fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module to obtain an anomaly detection result;
and the OTA abnormality detection result output module outputs an abnormality detection result.
By applying the system for detecting the upgrading abnormality of the automobile OTA, provided by the invention, various abnormalities in the OTA are classified and then fused, so that the accuracy of abnormality processing is improved. Furthermore, the method and the device can process the version abnormality of the upgrade files of a plurality of vehicles according to the classification of the vehicle types, so that the version abnormality of the upgrade files can be rapidly determined.
Drawings
Fig. 1 is a schematic structural diagram of an automobile OTA upgrade anomaly detection system according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of an anomaly resulting in an OTA;
fig. 3 is a flow chart of an abnormal detection method for upgrading an OTA in an embodiment of the invention.
Detailed Description
The present application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Example 1
An embodiment of the present invention provides an automobile OTA upgrade anomaly detection system, which is applied in a server, as shown in fig. 1, and includes: the system comprises an OTA flow information acquisition module 1, an OTA flow information extraction module 2, an OTA flow information matching detection module 3, a system operation log acquisition module 4, a login and task issuing record extraction module 5, a login and task issuing record matching detection module 6, an OTA upgrading installation record acquisition module 7, an OTA upgrading information extraction module 8, an OTA upgrading information matching detection module 9, an OTA anomaly detection module 10 and an OTA anomaly detection result output module 11.
The OTA flow information acquisition module 1 is used for acquiring data flow information during vehicle OTA upgrading.
The OTA traffic information acquisition module 1 acquires data traffic information of a plurality of vehicles, so as to process the data traffic information of the plurality of vehicles at the same time.
The OTA flow information extraction module 2 is used for processing the data flow information to obtain upgrade file information; the upgrade file information comprises upgrade file content, upgrade file size and upgrade file version;
the OTA flow information matching detection module 3 is used for judging whether the upgrade file content, the upgrade file size and the upgrade file version are abnormal according to the upgrade file content, the upgrade file size and the upgrade file version;
the content of the upgrade file is specific upgrade content of the upgrade file, the size of the upgrade file is the size of memory occupied by the upgrade file, and the version of the upgrade file is the version to be upgraded.
The upgrade file size anomaly detection includes: setting a threshold range as a reference value, and judging that the size of the upgrade file is abnormal if the size of the upgrade file exceeds or falls below a preset threshold range. Examples are: the size of a certain upgrade file is originally in accordance with the requirement, but the upgrade text is injected with malicious codes or tampered with software of a vehicle by a hacker in an OTA process by utilizing a vulnerability, malicious operation is performed, the upgrade file size is changed and is not in accordance with a threshold range, and the upgrade file size is judged to be abnormal.
Detecting content abnormality of the upgrade file: in the predetermined upgrade package, there may be some specific files to be transmitted to the terminal device, and fuzzy matching may be performed through regular expressions to check details of the content of the upgrade files. If the upgrade file content does not conform to a predetermined rule or lacks necessary files, it will be judged as abnormal. Wherein the lack of necessary files may also be considered as data integrity anomalies.
Further, when the number of the content abnormality of the plurality of upgrade files of the same vehicle model is greater than a preset number threshold, the content abnormality of the upgrade files is also described.
The upgrade file version anomaly detection includes: and detecting whether other versions exist between the version to be upgraded and the current version, if so, judging that the version is abnormal, or whether the version to be upgraded is higher than the current version, and if the version number of the version to be upgraded is smaller than or equal to the current version, judging that the version is abnormal.
Further, the conventional OTA event discriminating method generally can only discriminate and process the OTA event received by a single terminal, but does not use the cloud OTA event to perform anomaly detection and processing. The limitation of this method is that it can only consider the OTA event of the local terminal, but cannot link the OTA events among multiple terminals, and cannot fully monitor and control the OTA event of the whole system. In the OTA upgrade anomaly detection system, OTA data flow information from a plurality of terminals is stored in the cloud end, and the data can be used for anomaly detection and analysis across terminals. If the OTA data flow information of the cloud terminal and the local terminal can be combined for analysis, the OTA event condition of the whole system can be more comprehensively known, and the problems can be timely found and solved.
Specifically, the OTA flow information matching detection module 3 processes a plurality of upgrade file versions, and determines that the upgrade file version is abnormal when detecting that the upgrade file version of the vehicle of the same vehicle type in a certain area is abnormal, including cross-version or reduced version.
The system operation log acquisition module 4 is used for acquiring operation information; the operation information comprises an operator ID, an operation object and an operation type;
the login and task issuing record extraction module 5 is used for acquiring the associated information and login information during OTA upgrading; the associated information comprises the issuing time of OTA upgrade, upgrade type and terminal ID for receiving OTA upgrade; the login information comprises login time, login equipment, login IP, address and login personnel ID;
the login and task issuing record matching detection module 6 is used for judging whether login equipment, login IP, address and login personnel ID are abnormal;
the operation objects refer to vehicle types corresponding to the operator IDs, and the operation types refer to issuing tasks aiming at each operation object. The abnormal judgment according to the operation information specifically comprises the following steps: the operator ID is bound with the operation object and the operation type, and whether the operator ID is abnormal or not is judged according to the operation type or the operation object. For example, the operator I can normally perform what operation is right-controlled, for example, the operator with ID 123456 can only operate a certain version of the issuing task (operation type) of a certain vehicle type (operation object), and when it is found that an ID that does not conform to the preset right performs an unauthorized operation, it is considered as abnormal.
The abnormal judgment of the issuing time, the upgrading type and the terminal ID for receiving the OTA upgrading comprises the following steps: and in the preset duration, the upgrade type received by the terminal ID for receiving the OTA upgrade exceeds a preset type threshold, or the issuing frequency in the preset duration is calculated according to the issuing time, and the issuing frequency is larger than a preset frequency threshold, so that the abnormality is determined.
The abnormal judgment of the login device, the login IP, the address and the login personnel ID comprises judging whether the login device is a very-used device, judging whether the login IP is a very-used IP, judging whether the address is a very-used address and judging whether the login personnel ID is a non-internal personnel account. When the login device is a very useful device, and/or the login IP is a very useful IP, and/or the address is a very useful address, and/or the login person ID is a non-internal person ID, the login and task issuing record matching detection module 6 prompts that there is an abnormality. The address refers to location information, for example, when logging in an OTA system, the location information can be calculated by a location clustering method only in a company or capable of connecting to a local area network of the company, if a login operation occurs in a very common location, a hacker may remotely log in the location, i.e. the address is abnormal.
Here, it is generally understood that the number of times of use is greater than a preset number of times threshold value within a preset period of time, and the threshold value may be a set empirical value.
The OTA upgrade installation record acquisition module 7 is used for acquiring OTA event information of a plurality of terminals; the OTA event information comprises the version model of the ECU, the OTA upgrading state, the reservation condition, the upgrading result, the network state and the battery power;
the OTA upgrade information extraction module 8 is used for cleaning the version model, the OTA upgrade state, the reservation condition and the upgrade result of the ECU, and extracting the cleaned version model, OTA upgrade state, reservation condition and upgrade result of the ECU; the cleaning process comprises missing value processing, noise data cleaning and consistency checking.
The missing value processing comprises deleting the row or column containing the missing value, filling the missing value by using a mean value, a median value, a mode value, a nearest neighbor value and the like, or predicting the missing value by using a linear regression method, a polynomial regression method and the like; alternatively, the missing value is converted into a new variable representing the missing value; or filling the missing value into the mode or average value of the characteristic value according to the value of the characteristic value; or use machine learning models (e.g., decision trees, random forests, etc.) to predict the deficiency value.
Noise data cleaning includes: deleting duplicate data: checking whether there is duplicate data in the dataset and if so, deleting the duplicate data; or outlier detection: checking whether abnormal values exist in the data set, and if so, deleting the abnormal values; or data normalization: the uniformity of the data is ensured, so that the data has better comparability; or data conversion: converting the original data into a format which can better express the characteristics of the data; or data packets: grouping the data to better understand the characteristics of the data; or data aggregation: aggregating the data into a higher level representation for better understanding of the characteristics of the data; or data mining: useful information is found from the data using machine learning algorithms or other data mining methods.
The consistency check includes: checking whether columns in the dataset have the same data type; or checking whether the columns in the dataset have duplicate values; or checking whether a column in the dataset has a reasonable data range; or checking whether a column in the dataset has a valid value; or checking whether columns in the dataset have the same coding scheme; or checking whether the columns in the dataset have a consistent format, etc.
The OTA upgrade information matching detection module 9 is used for carrying out abnormal judgment on the version model, the OTA upgrade state, the reservation condition and the upgrade result of the cleaned ECU, the network state and the battery electric quantity;
specifically, the version model of the ECU refers to a version model of each terminal device, such as a version model of an ECU on a vehicle, on which a plurality of ECUs may be provided, each ECU having a corresponding version model. The detection of the abnormality of the version type of the ECU is performed by detecting whether there is a difference between the ECU version report information after the completion of the upgrade and the ECU version information predetermined by the OTA upgrade. For example, when a certain OTA is upgraded, a certain ECU version is preset to be upgraded to a v1 version, and when the vehicle OTA is executed, the vehicle reports the ECU as a v0 version again, and the version and model of the ECU are considered to be abnormal if the version and model are different from those of the expected version and model.
The OTA upgrade state represents the current state of an ongoing or completed OTA upgrade. The OTA upgrade status includes, but is not limited to, upgrade in progress, upgrade success, upgrade failure, etc. The OTA upgrade status is represented by a status flag or indicator, for example, the upgrade is in progress, the upgrade is successful, the upgrade is failed is represented by 0,1,2 in turn, or the indicator is represented by red, green, black, etc., the present application does not limit the character of the upgrade status flag and the color of the indicator. The abnormal detection of the OTA upgrade state specifically comprises: and confirming whether the upgrading state is consistent with the expected state according to a state mark or an indicator used in the OTA upgrading process.
The reservation condition refers to whether the terminal equipment user makes an OTA upgrade reservation. The specific detection method of the reservation condition comprises the following steps: and judging whether the OTA upgrade reservation is carried out or not by inquiring the OTA upgrade reservation record. If the OTA upgrade reservation is made, it is judged whether the reservation record is consistent with the currently executed OTA upgrade, for example, the ECU upgrade is reserved, but the upgrade of the electric power steering system (ElectricPowerSteering, EPS) is executed, and the reservation condition is judged to be abnormal.
The upgrade result refers to the actual state and function of the terminal device after the OTA upgrade is completed. The abnormality detection method of the upgrade result comprises the following steps: data indexes related to upgrading, such as equipment connection state, ECU version feedback and the like, are monitored to judge whether an upgrading result is abnormal.
The network state refers to the network transmission rate or the network signal strength, and the network state abnormality detection method comprises the following steps: judging whether the network transmission rate or the network signal strength and other indexes reported by the terminal OTA meet the requirements of normal OTA, and if the network transmission rate or the network signal strength and other indexes do not meet the preset network index threshold value, considering that the OTA network state is abnormal.
The abnormal detection of the battery electric quantity is as follows: and judging whether the battery electric quantity is in a normal range or not according to the battery electric quantity reported by the terminal OTA. If the battery power is lower than the threshold value, the battery power is judged to be abnormal in the current OTA.
The above description is given of the abnormality detection of each of the version type of the ECU, the OTA upgrade status, the reservation condition, and the upgrade result alone. In practical applications, it may be correlated to perform anomaly detection. The following describes how the abnormality detection is performed in association.
For example, if the upgrade result of the reporting terminal is successful, but the version and model of the ECU do not meet the expectations, it is determined that there is an abnormality. And specifically how to determine the abnormality is realized through the following steps:
first, device model: after extracting the model information of the terminal device, a machine learning algorithm or rule is used to compare whether the device model is in a list of known models. If the equipment model is not in the list, the equipment of the OTA is considered to be abnormal.
Second, software version: and comparing the software version with the expected range, and judging that the software version is abnormal if the version exceeds the expected range.
Third, OTA upgrade package version: comparing the version of the OTA upgrade package with the expected version, and if the version is not matched, judging that the version of the OTA upgrade package is abnormal.
Fourth, network status: and judging whether the network index threshold is met according to indexes such as network transmission rate or network signal strength reported by the terminal OTA, and if the network index threshold is not met, considering that the network state of the OTA is abnormal.
Fifth, battery power: and judging whether the battery electric quantity is in a normal range or not according to the battery electric quantity reported by the terminal OTA. If the battery power is lower than the threshold value, the battery power is judged to be abnormal in the current OTA.
The OTA upgrade information matching detection module 9 can perform overall OTA upgrade abnormality judgment on each terminal device by integrating the extraction and analysis results of the multiple dimensions. For example, if the software version and the OTA upgrade package version of a certain terminal device do not match, and the battery level is too low, the terminal may have multiple anomalies.
The OTA anomaly detection module 10 is used for carrying out fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module to obtain an anomaly detection result;
specifically, the fusion process of the OTA anomaly detection module 10 specifically includes: and judging whether the OTA traffic information matching detection module 3, the log-in and task issuing record matching detection module 6 and the OTA upgrading information matching detection module 9 are abnormal according to whether the weighted scores exceed a threshold value.
The method specifically comprises the following steps:
according to the service requirement, determining weights of an OTA flow information matching detection module 3, a login and task issuing record matching detection module 6 and an OTA upgrading information matching detection module 9; calculating a total score according to the abnormal score in the OTA flow information matching detection module, the abnormal score in the login and task issuing record matching detection module, the abnormal score of the OTA upgrading information matching detection module and the weight; judging whether the total score is larger than a preset score threshold value or not; and when the score is larger than a preset score threshold value, determining that an abnormality exists. The service requirement may be a current service requirement, for example, the current service requirement may be obtained by extracting a keyword, for example, the service requirement is a traffic, and it may be determined that the OTA traffic information matches the weight set of the detection module 3.
In one example, the weight is typically a number between 0 and 1, and the sum should be 1. For example: the weight of the OTA flow information matching detection module is 0.4, the weight of the login and task issuing record matching detection module is 0.3, and the weight of the OTA upgrading information matching detection module is 0.3.
Secondly, according to the influence degree of the abnormal condition of each module on the OTA, a score is distributed to the abnormal condition of each OTA flow information matching detection module, the log-in and task issuing record matching detection module and the OTA upgrading information matching detection module, wherein the score can be a range, and the influence degree of the abnormal condition of each module on the OTA can be a preset value. E.g., 0 to 10, indicating the severity of the anomaly. The score may be determined based on the type and severity of the anomaly. Examples: 1. OTA traffic information match detection module anomaly score: upgrade file size exception: and 6, upgrading file version abnormality: 7, detecting abnormity of the content of the upgrade file: 8, 8; 2. logging and task issuing record matching detection module anomaly score: logging device anomaly: 5, logging IP exception: 6, address exception: 4, login personnel ID is abnormal: and 7, issuing frequency abnormality: 6, preparing a base material; 3. OTA upgrade information match detection module anomaly score: version model abnormality of ECU: 8, OTA upgrade state is abnormal: 7, abnormal reservation condition: and 6, updating result abnormality: 9.
the anomaly score for each sub-module is then multiplied by its corresponding weight and then added to yield an overall anomaly score. Examples: overall anomaly score = 0.4 x ota traffic information anomaly score) +0.3 x log-in and task issuing record anomaly score +0.3 x ota upgrade information anomaly score;
finally, judging whether the threshold value is exceeded. If the overall anomaly score exceeds the set score threshold, the system is deemed to have an anomaly condition. Examples: the threshold is set to 10. If the overall anomaly score is 25, then an anomaly is determined to occur.
The OTA anomaly detection result output module 11 is configured to output an anomaly detection result.
Specifically, when the abnormality occurs, outputting and displaying the total score and each abnormality in the OTA traffic information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module so as to quickly determine the specific abnormality in the OTA.
Fig. 2 is a schematic diagram mainly illustrating that when an external attacker enters an OTA system to execute an abnormal issuing task, an attack (abnormal OTA upgrade task) is initiated to a zombie vehicle or other vehicles, and all operation records are stored in an OTA detail log.
By applying the system for detecting the upgrading abnormality of the automobile OTA, provided by the invention, various abnormalities in the OTA are classified and then fused, so that the accuracy of abnormality processing is improved. Furthermore, the method and the device can process the version abnormality of the upgrade files of a plurality of vehicles according to the classification of the vehicle types, so that the version abnormality of the upgrade files can be rapidly determined.
Example two
Fig. 3 is a schematic flow chart of an automobile OTA upgrade anomaly detection method provided by the embodiment of the invention, as shown in fig. 3, the method includes:
step 301, an OTA flow information acquisition module acquires data flow information during vehicle OTA upgrading;
step 302, an OTA flow information extraction module processes data flow information to obtain upgrade file information; the upgrade file information comprises upgrade file content, upgrade file size and upgrade file version;
step 303, the ota traffic information matching detection module judges whether the content of the upgrade file, the size of the upgrade file and the version of the upgrade file are abnormal;
step 304, a system operation log acquisition module acquires operation information; the operation information comprises an operator ID, an operation object and an operation type;
step 305, a log-in and task issuing record extraction module obtains association information and log-in information during OTA upgrading; the associated information comprises the issuing time of OTA upgrade, upgrade type and terminal ID for receiving OTA upgrade; the login information comprises login time, login equipment, login IP, address and login personnel ID;
step 306, the login and task issuing record matching detection module judges whether the operator ID, the operation object, the operation type, the issuing time of the OTA upgrade, the upgrade type, the terminal ID for receiving the OTA upgrade, the login device, the login IP, the address, and the login operator ID are abnormal;
step 307, an OTA upgrade installation record acquisition module acquires OTA event information of a plurality of terminals; the OTA event information comprises the version model of the ECU, the OTA upgrading state, the reservation condition, the upgrading result, the network state and the battery power;
step 308, cleaning the version model, the OTA upgrading state, the reservation condition and the upgrading result of the ECU by the OTA upgrading information extraction module, and extracting the cleaned version model, OTA upgrading state, reservation condition and upgrading result of the ECU;
step 309, the OTA upgrade information matching detection module performs abnormal judgment on the version model, the OTA upgrade state, the reservation condition and the upgrade result, the network state and the battery power of the cleaned ECU;
step 310, the OTA anomaly detection module performs fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module to obtain an anomaly detection result;
in step 311, the ota anomaly detection result output module outputs an anomaly detection result.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of function in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The foregoing detailed description of the invention has been presented for purposes of illustration and description, and it should be understood that the invention is not limited to the particular embodiments disclosed, but is intended to cover all modifications, equivalents, alternatives, and improvements within the spirit and principles of the invention.
Claims (9)
1. An automobile OTA upgrade anomaly detection system, the system comprising:
the OTA traffic information acquisition module is used for acquiring data traffic information during vehicle OTA upgrading;
the OTA flow information extraction module is used for processing the data flow information to obtain upgrade file information; the upgrade file information comprises upgrade file content, upgrade file size and upgrade file version;
the OTA traffic information matching detection module is used for judging whether the content of the upgrade file, the size of the upgrade file and the version of the upgrade file are abnormal or not;
the system operation log acquisition module is used for acquiring operation information; the operation information comprises an operator ID, an operation object and an operation type;
the login and task issuing record extraction module is used for acquiring the associated information and login information during OTA upgrading; the related information comprises the issuing time of OTA upgrade, the upgrade type and the terminal ID for receiving the OTA upgrade; the login information comprises login time, login equipment, login IP, address and login personnel ID;
the login and task issuing record matching detection module is used for judging whether the ID of an operator, an operation object, an operation type, the issuing time of OTA upgrading, an upgrading type, a terminal ID for receiving OTA upgrading, the login equipment, login IP, address and login personnel ID are abnormal or not;
the OTA upgrade installation record acquisition module is used for acquiring OTA event information of a plurality of terminals; the OTA event information comprises an ECU version model, an OTA upgrading state, a reservation condition, an upgrading result, a network state and battery power;
the OTA upgrade information extraction module is used for cleaning the version model, the OTA upgrade state, the reservation condition and the upgrade result of the ECU, and extracting the cleaned version model, the cleaned OTA upgrade state, the cleaned reservation condition and the cleaned upgrade result of the ECU;
the OTA upgrade information matching detection module is used for carrying out abnormal judgment on the version model, the OTA upgrade state, the reservation condition and the upgrade result of the cleaned ECU, the network state and the battery electric quantity;
the OTA anomaly detection module is used for carrying out fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module to obtain an anomaly detection result;
and the OTA abnormal detection result output module is used for outputting an abnormal detection result.
2. The system of claim 1, wherein the OTA traffic information match detection module is configured to determine, according to the upgrade file size and the file version, whether the upgrade file size and the upgrade file version are abnormal specifically includes:
comparing the size of the upgrade file with a preset threshold range, and determining that the size of the upgrade file is abnormal when the size of the upgrade file is out of the preset threshold range;
fuzzy matching is carried out on the content of the upgrade file through a regular expression, and when the content of the upgrade file is not matched, the abnormality of the content of the upgrade file is determined;
the file version exception is determined by detecting whether there are other versions between the version to be upgraded and the current version or whether the version to be upgraded is higher than the current version.
3. The system of claim 1, wherein the OTA traffic information match detection module is further configured to determine whether the upgrade file version of the same vehicle model is abnormal based on the received upgrade file versions of the plurality of vehicles of the same vehicle model.
4. The system of claim 1, wherein the log-in and task delivery record matching detection module is configured to determine whether the operator ID, the operation object, and the operation type are abnormal specifically includes:
and the operator ID is bound with the operation object and the operation type, and whether the operator ID is abnormal or not is judged according to the operation type or the operation object.
5. The system of claim 1, wherein the log-in and task delivery record matching detection module is configured to determine whether the OTA upgrade delivery time, the upgrade type, the terminal ID for receiving the OTA upgrade, the log-in device, the log-in IP, the address, and the log-in ID are abnormal specifically includes: determining whether an abnormality exists according to whether the upgrade type received by the terminal ID for receiving the OTA upgrade exceeds a preset type threshold or not or whether the issuing frequency in the preset duration exceeds a preset frequency threshold or not according to the issuing time;
judging whether the login equipment is common equipment or not; when the login device is very common device, determining that the login device is abnormal;
judging whether the login IP is a common login IP; when the login IP is the very-used login IP, determining that the login IP is abnormal;
judging whether the address is a common address; when the address is a very-used address, determining that the address is abnormal; wherein the address is location information;
judging whether the login personnel ID is an internal personnel account, and determining that the login personnel ID is abnormal when the login personnel ID is a non-internal personnel account.
6. The system of claim 1, wherein the OTA upgrade information matching detection module is configured to perform anomaly determination on a version model of the cleaned ECU, an OTA upgrade status, a reservation condition, an upgrade result, a network status, and a battery level, specifically including:
detecting whether version information reported by an ECU version after OTA upgrading is the same as ECU version information scheduled by OTA upgrading, and determining that the version type of the ECU is abnormal when the version information is different from the ECU version information scheduled by OTA upgrading;
judging whether the OTA upgrading state is abnormal or not according to a state mark or an indicator in the OTA upgrading process;
judging whether the OTA upgrade reservation is carried out or not by inquiring the OTA upgrade reservation record, if the OTA upgrade reservation is carried out, judging whether the reservation record is consistent with the currently executed OTA upgrade, and if the OTA upgrade reservation is not carried out or the reservation record is inconsistent with the currently executed OTA upgrade, determining that the OTA reservation condition is abnormal;
judging whether the upgrading result is abnormal according to the index data of the upgrading result;
judging whether the network state is abnormal according to the network transmission rate or the network signal strength in OTA;
and judging whether the battery electric quantity is abnormal or not according to the battery electric quantity reported by the terminal OTA.
7. The system of claim 1, wherein the OTA anomaly detection module is configured to perform fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module, and the OTA upgrade information matching detection module, and the obtaining an anomaly detection result specifically includes:
determining weights of an OTA flow information matching detection module, a login and task issuing record matching detection module and an OTA upgrading information matching detection module according to service requirements;
calculating a total score according to the abnormal score in the OTA flow information matching detection module, the abnormal score in the login and task issuing record matching detection module, the abnormal score of the OTA upgrading information matching detection module and the weight;
judging whether the total score is larger than a preset score threshold value or not;
and when the score is larger than a preset score threshold value, determining that an abnormality exists.
8. The system according to claim 1, wherein the OTA anomaly detection result output module is configured to output an anomaly detection result specifically includes:
and outputting and displaying the total score, each abnormality in the OTA flow information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module.
9. An automobile OTA upgrade anomaly detection method, which is characterized by comprising the following steps:
the OTA flow information acquisition module acquires data flow information during vehicle OTA upgrading;
the OTA flow information extraction module processes the data flow information to obtain upgrade file information; the upgrade file information comprises upgrade file content, upgrade file size and upgrade file version;
the OTA flow information matching detection module judges whether the content of the upgrade file, the size of the upgrade file and the version of the upgrade file are abnormal or not;
the system operation log acquisition module acquires operation information; the operation information comprises an operator ID, an operation object and an operation type;
the login and task issuing record extraction module acquires the associated information and login information during OTA upgrading; the related information comprises the issuing time of OTA upgrade, the upgrade type and the terminal ID for receiving the OTA upgrade; the login information comprises login time, login equipment, login IP, address and login personnel ID;
the login and task issuing record matching detection module judges whether the ID of an operator, an operation object, an operation type, the issuing time of OTA upgrading, an upgrading type, a terminal ID for receiving OTA upgrading, login equipment, login IP, an address and login personnel ID are abnormal or not;
an OTA upgrade installation record acquisition module acquires OTA event information of a plurality of terminals; the OTA event information comprises an ECU version model, an OTA upgrading state, a reservation condition, an upgrading result, a network state and battery power;
the method comprises the steps that an OTA upgrading information extraction module ECU (electronic control unit) version model, an OTA upgrading state, a reservation condition and an upgrading result are subjected to cleaning treatment, and the cleaned ECU version model, OTA upgrading state, reservation condition and upgrading result are extracted;
the OTA upgrade information matching detection module is used for carrying out abnormal judgment on the version model, the OTA upgrade state, the reservation condition and the upgrade result of the cleaned ECU, the network state and the battery electric quantity;
the OTA anomaly detection module performs fusion processing on anomalies of the OTA traffic information matching detection module, the login and task issuing record matching detection module and the OTA upgrading information matching detection module to obtain an anomaly detection result;
and the OTA abnormality detection result output module outputs an abnormality detection result.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311412037.0A CN117478551A (en) | 2023-10-27 | 2023-10-27 | Automobile OTA upgrading abnormality detection system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311412037.0A CN117478551A (en) | 2023-10-27 | 2023-10-27 | Automobile OTA upgrading abnormality detection system and method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117478551A true CN117478551A (en) | 2024-01-30 |
Family
ID=89635762
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311412037.0A Pending CN117478551A (en) | 2023-10-27 | 2023-10-27 | Automobile OTA upgrading abnormality detection system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117478551A (en) |
-
2023
- 2023-10-27 CN CN202311412037.0A patent/CN117478551A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11716339B2 (en) | Integrated equipment fault and cyber attack detection arrangement | |
| CN106828362B (en) | Safety testing method and device for automobile information | |
| CN112184091B (en) | Industrial control system security threat assessment method, device and system | |
| CN112783518B (en) | Vehicle-mounted application containerization isolation framework system based on IPFS and implementation method | |
| CN110602135B (en) | Network attack processing method and device and electronic equipment | |
| CN111885060B (en) | Internet of vehicles-oriented nondestructive information security vulnerability detection system and method | |
| CN112100606B (en) | Online education processing method based on cloud big data calculation and online education platform | |
| CN102684944A (en) | Method and device for detecting intrusion | |
| CN103607291A (en) | Alarm analysis merging method for power secondary system intranet security monitoring platform | |
| CN112437034B (en) | False terminal detection method and device, storage medium and electronic device | |
| CN113077065A (en) | Method, device and equipment for processing faults of vehicle production line and storage medium | |
| CN113704772B (en) | Safety protection processing method and system based on user behavior big data mining | |
| CN112650180B (en) | Safety warning method, device, terminal equipment and storage medium | |
| CN111371581A (en) | Method, device, equipment and medium for detecting business abnormity of Internet of things card | |
| CN117254945A (en) | Vulnerability tracing method and device based on automobile attack link | |
| CN117478551A (en) | Automobile OTA upgrading abnormality detection system and method | |
| CN116248381A (en) | Alarm aggregation method and device, electronic equipment and storage medium | |
| KR102433831B1 (en) | System and method for supporting decision for security management | |
| CN109688159B (en) | Network isolation violation identification method, server and computer-readable storage medium | |
| CN117391214A (en) | Model training method and device and related equipment | |
| CN113347134B (en) | Attack detection method and system for internet of vehicles TSP platform | |
| CN113515786A (en) | Method and device for detecting whether device fingerprints collide or not by combining wind control system | |
| CN112769815A (en) | Intelligent industrial control safety monitoring and protecting method and system | |
| CN117579387B (en) | Automobile network security management method, system, equipment and medium | |
| CN115959004B (en) | Vehicle safety monitoring system and method, vehicle-mounted communication terminal, vehicle and server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |