CN117560263A - Method, device, processor and computer equipment for CAN message security detection - Google Patents

Publication number
CN117560263A
Authority
CN
China
Prior art keywords
message
periodic
time interval
current
frame type
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311767352.5A
Other languages
Chinese (zh)
Inventor
崔圳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202311767352.5A
Publication of CN117560263A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/106 Active monitoring, e.g. heartbeat, ping or trace-route using time related information in packets, e.g. by adding timestamps
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Alarm Systems (AREA)

Abstract

The application discloses a method, a device, a processor and computer equipment for CAN message security detection, belonging to the technical field of Internet of Vehicles security detection. The method comprises: acquiring a current timestamp of a current periodic CAN message and a previous timestamp of the previous periodic CAN message; determining the message time interval between the current periodic CAN message and the previous periodic CAN message from the current timestamp and the previous timestamp; when the message time interval does not meet the preset message time interval range, acquiring event information corresponding to the current periodic CAN message; and determining, according to the event information, an alarm suppression strategy corresponding to the current periodic CAN message and executing it. The method and the device can reduce the possibility of false alarms caused by normal mechanisms on the CAN bus.

Description

Method, device, processor and computer equipment for CAN message security detection
Technical Field
The application relates to the technical field of internet of vehicles safety detection, in particular to a method, a device, a processor and computer equipment for CAN message safety detection.
Background
Currently, automobiles have achieved extensive automation and are equipped with a range of sensors and computing systems. The number of controllers in a car exceeds 100, and this number is expected to increase in the future. The vehicle controllers are distributed around the vehicle and communicate with each other via an in-vehicle communication network, such as a Controller Area Network (CAN). As the most common in-vehicle communication protocol, the CAN bus has the advantages of low cost, no electrical interference, self-diagnosis, error correction and the like. While the CAN bus has many advantages, the increasing volume of inter- and intra-vehicle communication makes it vulnerable to network attacks.
The prior art generally performs anomaly detection on periodic messages by comparing the message period with the difference between message timestamps. However, some normal scenarios on the CAN bus also shorten or lengthen the time interval between consecutive CAN messages. In such cases, the prior-art CAN message detection method is prone to erroneous anomaly detection results and suffers from a high false alarm rate.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method, an apparatus, a processor, and a computer device for CAN message security detection, so as to solve the problem of high false alarm rate in the CAN message detection method in the prior art.
To achieve the above object, a first aspect of the embodiments of the present application provides a method for safety detection of CAN messages, where the CAN messages include periodic CAN messages, the method including:
acquiring a current time stamp of a current periodic CAN message and a previous time stamp of a previous periodic CAN message;
determining a message time interval between a current periodic CAN message and a last periodic CAN message according to the current timestamp and the last timestamp;
under the condition that the message time interval does not meet the preset message time interval range, acquiring event information corresponding to the current periodic CAN message;
and determining an alarm suppression strategy corresponding to the current periodic CAN message according to the event information so as to execute the alarm suppression strategy.
In the embodiment of the present application, the event information includes a frame type, the frame type includes a remote frame type, and an alarm suppression policy corresponding to a current periodic CAN packet is determined according to the event information, so as to execute the alarm suppression policy, including: judging whether the message time interval is smaller than a lower threshold value of a preset message time interval range or not under the condition that the frame type is a remote frame type; and under the condition that the message time interval is smaller than the lower limit threshold value of the preset message time interval range, suppressing the sending of alarm information related to the current periodic CAN message.
In the embodiment of the present application, the event information includes a frame type, the frame type includes an error frame type, and an alarm suppression policy corresponding to a current periodic CAN packet is determined according to the event information, so as to execute the alarm suppression policy, including: under the condition that the frame type is an error frame type, determining a preset alarm suppression time period; and suppressing the sending of alarm information related to the current periodic CAN message in a preset alarm suppression time period.
In the embodiment of the present application, the event information includes a frame type, the frame type includes an overload frame type, and an alarm suppression policy corresponding to a current period type CAN packet is determined according to the event information, so as to execute the alarm suppression policy, including: judging whether the message time interval is larger than the upper threshold value of the preset message time interval range or not under the condition that the frame type is an overload frame type; and under the condition that the message time interval is larger than the upper limit threshold value of the preset message time interval range, suppressing the sending of alarm information related to the current periodic CAN message.
In an embodiment of the present application, the method further includes: judging whether communication control service information is acquired or not; under the condition that the communication control service information is acquired, determining an execution action state and a target microcontroller corresponding to the execution action state according to the communication control service information; and under the condition that the execution action state is on, acquiring the time stamp information of the periodic CAN message sent by the target microcontroller corresponding to the execution action state, so as to judge whether the preset time interval range is met or not according to the time stamp information.
In this embodiment of the present application, the obtaining of the current periodic CAN packet and/or the previous periodic CAN packet includes: acquiring a database file; determining a periodic message CAN identifier of a current periodic CAN message and/or a last periodic CAN message based on rule information in a database file; and acquiring the current periodic CAN message and/or the last periodic CAN message according to the periodic CAN message identifier.
A second aspect of the embodiments of the present application provides an apparatus for CAN message security detection, including: the time stamp obtaining module is used for obtaining the current time stamp of the current periodic CAN message and the previous time stamp of the previous periodic CAN message; the time interval determining module is used for determining the message time interval between the current periodic CAN message and the last periodic CAN message according to the current time stamp and the last time stamp; the event information acquisition module is used for acquiring event information corresponding to the current periodic CAN message under the condition that the message time interval does not meet the preset message time interval range; and the alarm suppression strategy execution module is used for determining the alarm suppression strategy corresponding to the current periodic CAN message according to the event information so as to execute the alarm suppression strategy.
A third aspect of the embodiments of the present application provides a processor configured to perform the above-described method for CAN message security detection.
A fourth aspect of the present application provides a computer device, including the apparatus for CAN message security detection or the processor described above.
A fifth aspect of the embodiments of the present application provides a machine-readable storage medium having stored thereon instructions for causing a machine to perform the above-described method for CAN message security detection.
According to the above technical solution, the current timestamp of the current periodic CAN message and the previous timestamp of the previous periodic CAN message are obtained, and the message time interval between the two messages is then determined from the current timestamp and the previous timestamp. When the message time interval does not meet the preset message time interval range, event information corresponding to the current periodic CAN message is obtained, and an alarm suppression strategy corresponding to the current periodic CAN message is then determined according to the event information and executed. In this way, when the message time interval of a periodic CAN message is abnormal, the sending of alarm information is suppressed according to the acquired event information corresponding to the current periodic CAN message, so that the possibility of false alarms caused by normal mechanisms on the CAN bus can be reduced.
Additional features and advantages of embodiments of the present application will be set forth in the detailed description that follows.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the present application and are incorporated in and constitute a part of this specification, illustrate embodiments of the present application and together with the description serve to explain, without limitation, the embodiments of the present application. In the drawings:
FIG. 1 schematically illustrates a flow chart of a method for CAN message security detection according to an embodiment of the application;
FIG. 2 schematically illustrates a schematic diagram of a remote frame according to an embodiment of the present application;
FIG. 3 schematically illustrates a schematic diagram of an overload frame according to an embodiment of the present application;
FIG. 4 schematically shows a block diagram of an apparatus for CAN message security detection according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it should be understood that the specific implementations described herein are only for illustrating and explaining the embodiments of the present application, and are not intended to limit the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
It should be noted that, in the embodiment of the present application, directional indications (such as up, down, left, right, front, and rear … …) are referred to, and the directional indications are merely used to explain the relative positional relationship, movement conditions, and the like between the components in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indications are correspondingly changed.
In addition, if there is a description of "first", "second", etc. in the embodiments of the present application, the description of "first", "second", etc. is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but only on the basis that the combination can be realized by those skilled in the art; when a combination of technical solutions is contradictory or cannot be realized, the combination should be regarded as non-existent and outside the protection scope of the present application.
FIG. 1 schematically shows a flow chart of a method for CAN message security detection according to an embodiment of the present application. As shown in FIG. 1, an embodiment of the present application provides a method for security detection of CAN messages, where the CAN messages include periodic CAN messages. The method is described here as applied to a processor, and may include the following steps:
Step S101: acquire the current timestamp of the current periodic CAN message and the previous timestamp of the previous periodic CAN message.
Step S102: determine the message time interval between the current periodic CAN message and the previous periodic CAN message according to the current timestamp and the previous timestamp.
Step S103: when the message time interval does not meet the preset message time interval range, acquire event information corresponding to the current periodic CAN message.
Step S104: determine an alarm suppression strategy corresponding to the current periodic CAN message according to the event information, and execute the alarm suppression strategy.
CAN messages include periodic CAN messages and event-type CAN messages. A periodic CAN message is a message sent at a fixed period. For periodic CAN messages, the prior art first parses the vehicle's database file, determines from it which periodic CAN messages exist on the CAN bus, and uses the identifier and theoretical period value of each periodic CAN message as a detection rule for the processor. Assuming that the database file gives a theoretical period value of b milliseconds for the periodic CAN message with CAN identifier a, the corresponding detection rule is that the timestamp difference between two consecutive periodic CAN messages with CAN identifier a should lie in the range of (b − Δt) milliseconds to (b + Δt) milliseconds, where Δt is an allowable error that typically does not exceed one half of the theoretical period value. The processor then monitors the periodic CAN messages on the CAN bus in real time; when the CAN identifier of a periodic CAN message is a, it records the timestamp of the current periodic CAN message and subtracts the timestamp of the previous periodic CAN message with CAN identifier a. If the timestamp difference is not in the range of (b − Δt) milliseconds to (b + Δt) milliseconds, the message is judged abnormal and an alarm is raised. However, the prior art does not consider that some normal mechanisms on the CAN bus, such as remote frames, error frames, overload frames and the diagnostic service protocol, can cause a CAN message to be sent late, sent immediately, or not sent for a period of time. These scenarios shorten or lengthen the time interval between consecutive periodic CAN messages, which in turn causes the processor to raise an alarm.
Alarms raised in these scenarios are all false alarms, yet the prior art does not handle these scenarios specifically.
To solve the foregoing problems, the embodiments of the present application use the characteristics of these scenarios to process the alarm operation performed after a periodic CAN message is detected, so as to reduce the false alarm rate. In the embodiment of the application, after the processor receives a periodic CAN message through the CAN message transceiver, the processor can determine the current timestamp of the current periodic CAN message and the previous timestamp of the previous periodic CAN message, and determine the message time interval between the two messages by subtracting the previous timestamp from the current timestamp.
The processor can also parse the database file to obtain information about the microcontrollers on the CAN bus and the preset message time interval range corresponding to the periodic CAN message identified by each CAN message identifier. The processor can thus determine the preset message time interval range corresponding to the current periodic CAN message it has acquired, and can then judge whether the message time interval between the current periodic CAN message and the previous periodic CAN message meets that range. When the message time interval meets the preset message time interval range corresponding to the current periodic CAN message, the processor can determine that the sending period of the current periodic CAN message is normal, and the subsequent judging process does not need to be executed. When the message time interval does not meet the preset message time interval range, the sending period of the current periodic CAN message can be determined to be abnormal. At this point, the processor further needs to judge whether event information corresponding to the current periodic CAN message has been acquired, in order to decide whether to suppress the sending of alarm information. The event information is frame information that the driver layer encapsulates by calling a hook function and then sends to the processor. If the processor acquires event information corresponding to the current periodic CAN message, it can determine the alarm suppression strategy corresponding to the current periodic CAN message according to the event information and execute that strategy, suppressing the sending of alarm information and reducing the false alarm rate of periodic CAN message detection.
In addition, the method for CAN message security detection can be compiled into a static library that exposes two callable interfaces: a detection rule address interface and an information interface. The detection rule address interface may be used to obtain the address of the rule information in the database file. The information interface may be used for information interaction. The static library is integrated and compiled with the vehicle-mounted gateway code and then flashed to the vehicle-mounted gateway device, and the database file is also flashed to the device, so that once the gateway device is running, periodic CAN messages can be detected and the false alarm rate of periodic CAN message detection is reduced.
According to the above technical solution, the current timestamp of the current periodic CAN message and the previous timestamp of the previous periodic CAN message are obtained, and the message time interval between the two messages is then determined from the current timestamp and the previous timestamp. When the message time interval does not meet the preset message time interval range, event information corresponding to the current periodic CAN message is obtained, and an alarm suppression strategy corresponding to the current periodic CAN message is then determined according to the event information and executed. In this way, when the message time interval of a periodic CAN message is abnormal, the sending of alarm information is suppressed according to the acquired event information corresponding to the current periodic CAN message, so that the possibility of false alarms caused by normal mechanisms on the CAN bus can be reduced.
In the embodiment of the present application, the event information includes a frame type, where the frame type includes a remote frame type, and determining, according to the event information, an alarm suppression policy corresponding to a current periodic CAN packet, so as to execute the alarm suppression policy may include: judging whether the message time interval is smaller than a lower threshold value of a preset message time interval range or not under the condition that the frame type is a remote frame type; and under the condition that the message time interval is smaller than the lower limit threshold value of the preset message time interval range, suppressing the sending of alarm information related to the current periodic CAN message.
In the embodiment of the present application, the remote frame is a frame used by the receiving unit to request the transmitting unit to transmit data, and is composed of 6 segments: a frame start, an arbitration segment, a control segment, a cyclic redundancy check (Cyclic Redundancy Check, CRC) segment, an acknowledgement (Acknowledge character, ACK) segment, and a frame end. The frame start of a remote frame is a dominant level that can be used to identify the beginning of the frame. The arbitration segment is a segment representing the priority of the frame, through which data frames having the same identifier may be requested. The control segment is a segment representing the number of bytes of data and the reserved bits. The CRC segment is a segment for checking transmission errors of the frame. The ACK segment is a segment indicating that normal reception is acknowledged. The frame end is a segment that represents the end of the remote frame. By determining the structure of the frame, the processor may determine the corresponding frame type.
The remote frame includes the CAN message identifier that the microcontroller acting as the receiving unit expects to receive. FIG. 2 schematically illustrates a schematic diagram of a remote frame according to an embodiment of the present application. As shown in FIG. 2, after receiving a remote frame and extracting the CAN message identifier from it, the microcontroller acting as the transmitting unit immediately assembles the CAN message corresponding to that identifier and transmits it onto the CAN bus, i.e., inserts the message. The remote frame therefore results in a smaller message time interval between two consecutive periodic CAN messages. Thus, according to this feature of the remote frame, when the frame type is the remote frame type, the processor may judge whether the message time interval is less than the lower threshold of the preset message time interval range. When the message time interval is less than the lower threshold of the preset message time interval range, the sending of alarm information related to the current periodic CAN message is suppressed. When the message time interval is greater than the upper threshold of the preset message time interval range, the sending of alarm information related to the current periodic CAN message is not suppressed. In this way, the possibility of false alarms caused by a remote frame is reduced.
In the embodiment of the present application, the event information includes a frame type, where the frame type includes an error frame type, and determining, according to the event information, an alarm suppression policy corresponding to a current periodic CAN packet, so as to execute the alarm suppression policy may include: under the condition that the frame type is an error frame type, determining a preset alarm suppression time period; and suppressing the sending of alarm information related to the current periodic CAN message in a preset alarm suppression time period.
In the embodiment of the application, when a microcontroller detects error information while receiving or sending a CAN message, it sends an error frame to inform each node that the microcontroller has an error. According to the CAN protocol, a microcontroller in which errors occur is in one of three states: the active error state, the passive error state and the offline state. In the active error state and the passive error state the microcontroller can communicate normally, but the CAN messages it sends and receives are not necessarily correct. When the number of error messages reaches a preset number, the microcontroller enters the offline state and stops sending CAN messages. An error frame is composed of an error flag and an error delimiter. In the active error state, the error flag is 6 dominant bits, i.e., 6 high levels. In the passive error state, the error flag is 6 recessive bits, i.e., 6 low levels. The error delimiter is composed of 8 recessive bits, i.e., 8 low levels. By determining the structure of the frame, the processor may determine the corresponding frame type.
Thus, based on the above characteristics of the error frame, the processor may determine a preset alarm suppression period when the frame type is the error frame type. The preset alarm suppression period can be determined according to the duration, fed back by the microcontroller, for which CAN messages cannot be sent and received normally. In this way, the processor can suppress the sending of alarm information related to the current periodic CAN message within the preset alarm suppression period, so as to reduce the possibility of false alarms caused by the error frame.
In the embodiment of the present application, the event information includes a frame type, and the frame type includes an overload frame type. Determining the alarm suppression policy corresponding to the current periodic CAN message according to the event information, so as to execute the alarm suppression policy, may include: judging whether the message time interval is greater than the upper threshold of the preset message time interval range in the case that the frame type is an overload frame type; and, in the case that the message time interval is greater than the upper threshold of the preset message time interval range, suppressing the sending of alarm information related to the current periodic CAN message.
In the embodiment of the present application, the overload frame is a frame by which the receiving unit reports to the other nodes on the CAN bus that its receiving capability has reached its limit. Fig. 3 schematically illustrates an overload frame according to an embodiment of the present application. As shown in Fig. 3, the CAN message sent by the sending unit may be destroyed by the overload frame, so that the sending unit waits for a preset time and then resends the CAN message that was not sent successfully, that is, the failed message. This results in an extended message time interval. An overload frame is composed of an overload flag and an overload delimiter. The overload flag is 6 dominant bits and the overload delimiter is 8 recessive bits. By determining the structure of the frame, the processor may determine the corresponding frame type.
Therefore, according to the above characteristics of the overload frame, in the case that the frame type is determined to be the overload frame type, the processor may judge whether the message time interval is greater than the upper threshold of the preset message time interval range. In the case that the message time interval is greater than the upper threshold of the preset message time interval range, the sending of alarm information related to the current periodic CAN message is suppressed, which reduces the possibility of false alarms caused by overload frames. In the case that the message time interval is smaller than the lower threshold of the preset message time interval range, the sending of alarm information related to the current periodic CAN message does not need to be suppressed.
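The interval check and the error-frame and overload-frame suppression policies described above, together with the remote-frame policy of the same method, can be sketched as follows. This is an added example, not code from the application: the class and function names, the 500 ms suppression period, the 90 to 110 ms interval range, the bus-wide scope of the error-frame hold and the trace are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Event(Enum):
    REMOTE = "remote_frame"
    ERROR = "error_frame"
    OVERLOAD = "overload_frame"


@dataclass
class Rule:
    lower: int  # lower threshold of the preset interval range, ms
    upper: int  # upper threshold of the preset interval range, ms


@dataclass
class PeriodMonitor:
    rules: dict                      # periodic CAN identifier -> Rule
    error_hold: int = 500            # preset alarm suppression period, ms (assumed)
    last_ts: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # (ts, Event, can_id or None)
    hold_until: float = float("-inf")

    def bus_event(self, ts, event, can_id=None):
        """Record a remote, error or overload frame seen on the bus."""
        self.events.append((ts, event, can_id))
        if event is Event.ERROR:
            # Error frames carry no identifier, so the hold is bus-wide (assumption).
            self.hold_until = max(self.hold_until, ts + self.error_hold)

    def observe(self, can_id, ts):
        """Classify one periodic data frame as ok, alarm or suppressed:<reason>."""
        rule = self.rules.get(can_id)
        if rule is None:
            return "unmonitored"
        prev, self.last_ts[can_id] = self.last_ts.get(can_id), ts
        if prev is None:
            return "ok"  # first sighting: no interval to judge yet
        interval = ts - prev
        # Event information for this message: frames seen since its predecessor.
        window = [(e, i) for t, e, i in self.events if prev < t <= ts]
        oldest = min(self.last_ts.values())
        self.events = [ev for ev in self.events if ev[0] > oldest]
        if rule.lower <= interval <= rule.upper:
            return "ok"
        if interval < rule.lower and (Event.REMOTE, can_id) in window:
            return "suppressed:remote_frame"
        if interval > rule.upper and any(e is Event.OVERLOAD for e, _ in window):
            return "suppressed:overload_frame"
        if ts <= self.hold_until:
            return "suppressed:error_frame"
        return "alarm"


def replay(trace, rules, error_hold=500):
    """Feed a time-ordered trace to the monitor; return the data-frame verdicts."""
    mon = PeriodMonitor(rules, error_hold)
    verdicts = []
    for ts, kind, can_id in trace:
        if kind == "data":
            verdicts.append(mon.observe(can_id, ts))
        else:
            mon.bus_event(ts, Event(kind), can_id)
    return verdicts


RULES = {0x101: Rule(lower=90, upper=110)}
# Constructed trace: (timestamp in ms, kind, CAN identifier or None).
TRACE = [
    (0, "data", 0x101), (100, "data", 0x101),
    (140, "remote_frame", 0x101), (150, "data", 0x101),   # early reply to a remote frame
    (250, "data", 0x101),
    (300, "overload_frame", None), (380, "data", 0x101),  # delayed by an overload frame
    (480, "data", 0x101),
    (520, "data", 0x101),                                 # early, no bus event explains it
    (620, "data", 0x101),
    (700, "error_frame", None), (900, "data", 0x101),     # late, inside the error hold
    (1000, "data", 0x101),
    (1300, "data", 0x101),                                # late, hold already expired
]

if __name__ == "__main__":
    print(replay(TRACE, RULES))
```

Suppressed verdicts are returned with their reason rather than dropped, so they can still be written to the alarm log at a lower severity and reviewed.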
In an embodiment of the present application, the method may further include: judging whether communication control service information is acquired or not; under the condition that the communication control service information is acquired, determining an execution action state and a target microcontroller corresponding to the execution action state according to the communication control service information; and under the condition that the execution action state is on, acquiring the time stamp information of the periodic CAN message sent by the target microcontroller corresponding to the execution action state, so as to judge whether the preset time interval range is met or not according to the time stamp information.
In the embodiment of the application, the communication control service can control the sending switch of CAN messages. The communication control service may be a diagnostic service protocol. When the transmission efficiency needs to be improved, the sending of some CAN messages can be switched off, and the communication control service is started after the data transmission is finished. The communication control service message is transmitted in a CAN data frame, and it only specifies the format of the data part of the CAN data frame: the first 4 bits of the first byte in the data field are all 0. The CAN message identifier of the communication control service message is greater than 0x700. The message format specified by the communication control service includes a service identifier, which can be used to identify the service type and is typically 0x28. Therefore, based on these characteristics of the communication control service, the processor can judge whether it has acquired a communication control service message from the CAN bus by means of the first byte in the data field, the CAN message identifier and the service identifier. If a communication control service message is acquired, the processor can obtain the communication control service information by parsing the communication control service message.
In this way, when the communication control service information is acquired, the processor can determine whether to detect the periodic CAN messages on the CAN bus. The communication control service information includes an execution action state and a target microcontroller corresponding to the execution action state. The execution action state may be on or off. When the execution action state is on, the communication service of the target microcontroller is on, and the processor needs to detect the periodic CAN messages sent by the target microcontroller according to the timestamp information. Specifically, the processor may acquire the current timestamp of the current periodic CAN message sent by the target microcontroller and the previous timestamp of the previous periodic CAN message sent by the target microcontroller, so as to judge whether the message time interval of the current periodic CAN message meets the preset time interval range, and further determine whether alarm information needs to be sent. When the execution action state is off, the communication service of the target microcontroller is off and the target microcontroller neither receives nor sends periodic CAN messages, so the processor does not need to perform detection. Therefore, the occupation of resources can be reduced, and the detection efficiency for periodic CAN messages can be improved.
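The three recognition criteria above (identifier greater than 0x700, first 4 bits of the first data byte equal to 0, service identifier 0x28) and the resulting on/off gating can be sketched as follows. This is an added example, not code from the application: the controlType and communicationType encodings are taken from ISO 14229-1 rather than from this text, and the request-identifier-to-microcontroller mapping, the periodic identifiers and the sample frames are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SID_COMMUNICATION_CONTROL = 0x28  # service identifier given in the text
# controlType -> "is transmission enabled", per ISO 14229-1 (not stated in the text)
TX_ENABLED = {0x00: True, 0x01: False, 0x02: True, 0x03: False}


@dataclass(frozen=True)
class CommControl:
    target: str       # target microcontroller
    tx_enabled: bool  # execution action state: True = on, False = off


def parse_comm_control(can_id, data, ecu_by_request_id) -> Optional[CommControl]:
    """Return the decoded request, or None if the frame is not one."""
    if can_id <= 0x700 or not data:
        return None                  # identifier must be greater than 0x700
    if data[0] >> 4 != 0:
        return None                  # first 4 bits of the first byte must be 0
    length = data[0] & 0x0F          # remaining 4 bits: payload length
    if length < 3 or len(data) < 1 + length:
        return None                  # needs SID + controlType + communicationType
    if data[1] != SID_COMMUNICATION_CONTROL:
        return None
    control = data[2] & 0x7F         # bit 7 only suppresses the positive response
    if control not in TX_ENABLED or not (data[3] & 0x01):
        return None                  # unknown action, or normal messages unaffected
    target = ecu_by_request_id.get(can_id)
    if target is None:
        return None
    return CommControl(target, TX_ENABLED[control])


class MonitorGate:
    """Tracks which periodic identifiers currently need interval detection."""

    def __init__(self, ecu_by_request_id, periodic_ids_by_ecu):
        self.ecu_by_request_id = ecu_by_request_id
        self.owner = {i: ecu for ecu, ids in periodic_ids_by_ecu.items() for i in ids}
        self.silenced = set()

    def on_frame(self, can_id, data):
        cc = parse_comm_control(can_id, data, self.ecu_by_request_id)
        if cc is not None:
            if cc.tx_enabled:
                self.silenced.discard(cc.target)
            else:
                self.silenced.add(cc.target)
        return cc

    def should_check(self, can_id):
        # Identifiers with no known owner are always checked.
        return self.owner.get(can_id) not in self.silenced


ECUS = {0x7E0: "engine_ecu"}               # hypothetical request identifier -> microcontroller
PERIODIC = {"engine_ecu": {0x101, 0x102}}  # hypothetical rule information
FRAMES = [  # constructed frames: (CAN identifier, 8 data bytes)
    (0x7E0, bytes.fromhex("0328030100000000")),  # disableRxAndTx, normal messages
    (0x123, bytes.fromhex("0328000100000000")),  # identifier not greater than 0x700
    (0x7E0, bytes.fromhex("1028000100000000")),  # first 4 bits not 0
    (0x7E0, bytes.fromhex("0328800100000000")),  # enableRxAndTx, response suppressed
]


def gate_states(frames):
    """Return (frame recognised, 0x101 still checked) after each frame."""
    gate = MonitorGate(ECUS, PERIODIC)
    return [(gate.on_frame(i, d) is not None, gate.should_check(0x101)) for i, d in frames]


if __name__ == "__main__":
    print(gate_states(FRAMES))
```

When a target is switched back on, the stored previous timestamp for its identifiers should be reset, otherwise the first frame after the pause is judged against a stale baseline.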
In the embodiment of the present application, acquiring the current periodic CAN message and/or the last periodic CAN message may include: acquiring a database file; determining a periodic CAN message identifier of the current periodic CAN message and/or the last periodic CAN message based on rule information in the database file; and acquiring the current periodic CAN message and/or the last periodic CAN message according to the periodic CAN message identifier.
In an embodiment of the present application, the processor may obtain the database file. The database file includes rule information, namely information on the microcontrollers on the CAN bus and the periodic CAN message identifier of the current periodic CAN message and/or the last periodic CAN message. The processor can acquire the current periodic CAN message and/or the last periodic CAN message from the CAN messages on the CAN bus by means of the periodic CAN message identifier.
In summary, compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
For the case in which the time interval of a periodic CAN message is abnormal because of a non-attack event, monitoring of remote frames, overload frames, error frames and communication control service information is added, so that the corresponding alarm suppression policy can be determined and the processor's alarm operation for the periodic CAN message can be suppressed. The alarm information that the processor generates for non-attack events on the CAN bus is thereby effectively reduced, and security personnel are spared the interference of such alarm information when analyzing alarm logs.
The embodiment of the application also provides a processor configured to execute the method for CAN message security detection.
Fig. 4 schematically shows a block diagram of an apparatus for CAN message security detection according to an embodiment of the present application. As shown in fig. 4, the embodiment of the present application further provides an apparatus for CAN message security detection, including:
The timestamp obtaining module 410 is configured to obtain a current timestamp of a current periodic CAN message and a previous timestamp of a previous periodic CAN message.
The time interval determining module 420 is configured to determine a message time interval between the current periodic CAN message and the last periodic CAN message according to the current timestamp and the last timestamp.
The event information obtaining module 430 is configured to obtain event information corresponding to the current periodic CAN message when the message time interval does not satisfy the preset message time interval range.
The alarm suppression policy execution module 440 is configured to determine an alarm suppression policy corresponding to the current periodic CAN message according to the event information, so as to execute the alarm suppression policy.
In one embodiment, the alarm suppression policy execution module 440 is further configured to: judge whether the message time interval is smaller than the lower threshold of the preset message time interval range in the case that the frame type is a remote frame type; and, in the case that the message time interval is smaller than the lower threshold of the preset message time interval range, suppress the sending of alarm information related to the current periodic CAN message.
In one embodiment, the alarm suppression policy execution module 440 is further configured to: determine a preset alarm suppression time period in the case that the frame type is an error frame type; and suppress the sending of alarm information related to the current periodic CAN message within the preset alarm suppression time period.
In one embodiment, the alarm suppression policy execution module 440 is further configured to: judge whether the message time interval is greater than the upper threshold of the preset message time interval range in the case that the frame type is an overload frame type; and, in the case that the message time interval is greater than the upper threshold of the preset message time interval range, suppress the sending of alarm information related to the current periodic CAN message.
In one embodiment, the apparatus for CAN message security detection further comprises a communication control module for: judging whether communication control service information is acquired or not; under the condition that the communication control service information is acquired, determining an execution action state and a target microcontroller corresponding to the execution action state according to the communication control service information; and under the condition that the execution action state is on, acquiring the time stamp information of the periodic CAN message sent by the target microcontroller corresponding to the execution action state, so as to judge whether the preset time interval range is met or not according to the time stamp information.
In one embodiment, the apparatus for CAN message security detection further includes a periodic CAN message acquisition module configured to: acquire a database file; determine a periodic CAN message identifier of the current periodic CAN message and/or the last periodic CAN message based on rule information in the database file; and acquire the current periodic CAN message and/or the last periodic CAN message according to the periodic CAN message identifier.
According to the technical scheme, the current timestamp of the current periodic CAN message and the last timestamp of the last periodic CAN message are obtained, and the message time interval between the current periodic CAN message and the last periodic CAN message is then determined according to the current timestamp and the last timestamp. In the case that the message time interval does not meet the preset message time interval range, event information corresponding to the current periodic CAN message is obtained, and an alarm suppression policy corresponding to the current periodic CAN message is then determined according to the event information so as to execute the alarm suppression policy. In this way, when the message time interval of a periodic CAN message is abnormal, the sending of alarm information is suppressed according to the acquired event information corresponding to the current periodic CAN message, so that the possibility of false alarms caused by normal mechanisms on the CAN bus can be reduced.
The embodiment of the application also provides a computer device comprising the device for CAN message security detection or the processor.
The embodiment of the application also provides a machine-readable storage medium, wherein the machine-readable storage medium is stored with instructions for causing a machine to execute the method for CAN message security detection.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or nonvolatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (10)

1. A method for CAN message security detection, wherein the CAN message comprises a periodic CAN message, the method comprising:
acquiring a current time stamp of a current periodic CAN message and a previous time stamp of a previous periodic CAN message;
determining a message time interval between the current periodic CAN message and the last periodic CAN message according to the current timestamp and the last timestamp;
acquiring event information corresponding to the current periodic CAN message under the condition that the message time interval does not meet the preset message time interval range;
and determining an alarm suppression strategy corresponding to the current periodic CAN message according to the event information so as to execute the alarm suppression strategy.
2. The method of claim 1, wherein the event information comprises a frame type, the frame type comprises a remote frame type, the determining an alarm suppression policy corresponding to the current periodic CAN message according to the event information to execute the alarm suppression policy comprises:
judging whether the message time interval is smaller than a lower threshold value of the preset message time interval range or not under the condition that the frame type is a remote frame type;
and under the condition that the message time interval is smaller than the lower threshold value of the preset message time interval range, suppressing the sending of alarm information related to the current periodic CAN message.
3. The method of claim 1, wherein the event information comprises a frame type, the frame type comprises an error frame type, and wherein the determining the alarm suppression policy corresponding to the current periodic CAN message according to the event information to execute the alarm suppression policy comprises:
determining a preset alarm suppression time period under the condition that the frame type is an error frame type;
and suppressing the sending of the alarm information related to the current periodic CAN message in the preset alarm suppression time period.
4. The method of claim 1, wherein the event information comprises a frame type, the frame type comprises an overload frame type, and wherein the determining the alarm suppression policy corresponding to the current periodic CAN message according to the event information to execute the alarm suppression policy comprises:
judging whether the message time interval is larger than an upper threshold value of the preset message time interval range or not under the condition that the frame type is an overload frame type;
and under the condition that the message time interval is larger than the upper threshold value of the preset message time interval range, suppressing the sending of alarm information related to the current periodic CAN message.
5. The method according to claim 1, wherein the method further comprises:
judging whether communication control service information is acquired or not;
under the condition that the communication control service information is acquired, determining an execution action state and a target microcontroller corresponding to the execution action state according to the communication control service information;
and under the condition that the execution action state is on, acquiring the time stamp information of the periodic CAN message sent by the target microcontroller corresponding to the execution action state, so as to judge whether the preset time interval range is met or not according to the time stamp information.
6. The method of claim 1, wherein the obtaining of the current periodic CAN message and/or the last periodic CAN message comprises:
acquiring a database file;
determining a periodic CAN message identifier of the current periodic CAN message and/or the last periodic CAN message based on rule information in the database file;
and acquiring the current periodic CAN message and/or the last periodic CAN message according to the periodic CAN message identifier.
7. An apparatus for CAN message security detection, comprising:
the time stamp obtaining module is used for obtaining the current time stamp of the current periodic CAN message and the previous time stamp of the previous periodic CAN message;
the time interval determining module is used for determining the message time interval between the current periodic CAN message and the last periodic CAN message according to the current time stamp and the last time stamp;
the event information acquisition module is used for acquiring event information corresponding to the current periodic CAN message under the condition that the message time interval does not meet the preset message time interval range;
and the alarm suppression strategy executing module is used for determining an alarm suppression strategy corresponding to the current periodic CAN message according to the event information so as to execute the alarm suppression strategy.
8. A processor configured to perform the method for CAN message security detection according to any one of claims 1 to 6.
9. A computer device, characterized by comprising an apparatus for CAN message security detection according to claim 7 or a processor according to claim 8.
10. A machine-readable storage medium having stored thereon instructions for causing a machine to perform the method for CAN message security detection according to any of claims 1 to 6.
CN202311767352.5A 2023-12-20 2023-12-20 Method, device, processor and computer equipment for CAN message security detection Pending CN117560263A (en)

Publications (1)

Publication Number Publication Date
CN117560263A (en) 2024-02-13

Family

ID=89818526

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination