CN117955733B - Vehicle-mounted CAN network intrusion detection method and system - Google Patents

Vehicle-mounted CAN network intrusion detection method and system Download PDF

Info

Publication number
CN117955733B
CN117955733B CN202410323680.4A CN202410323680A CN117955733B CN 117955733 B CN117955733 B CN 117955733B CN 202410323680 A CN202410323680 A CN 202410323680A CN 117955733 B CN117955733 B CN 117955733B
Authority
CN
China
Prior art keywords
average value
unit time
variance
network
messages
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410323680.4A
Other languages
Chinese (zh)
Other versions
CN117955733A (en
Inventor
于海洋
李子墨
任毅龙
王晓波
杨阳
赵亚楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beihang University filed Critical Beihang University
Priority to CN202410323680.4A priority Critical patent/CN117955733B/en
Publication of CN117955733A publication Critical patent/CN117955733A/en
Application granted granted Critical
Publication of CN117955733B publication Critical patent/CN117955733B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215Controller Area Network CAN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40267Bus for use in transportation systems
    • H04L2012/40273Bus for use in transportation systems the transportation system being a vehicle

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a vehicle-mounted CAN network intrusion detection method and a system, wherein the vehicle-mounted CAN network intrusion detection method comprises the following steps: acquiring a first variance and a second average value of the number of received messages in unit time of an abnormal-free network; acquiring the number of second messages corresponding to the preset number of continuous unit time in the current network in real time; according to the second message number and the second average value, calculating to obtain a second variance of the received message number in unit time of the current vehicle-mounted network; and judging whether the second variance is larger than the first variance, if so, determining that the current vehicle-mounted network is attacked by the message injection. The method accurately identifies the message injection attack by comparing the variance of the number of messages received in unit time in the current vehicle CAN network with the variance of the number of messages received in unit time in the non-abnormal CAN network, has simple operation and low calculation complexity, and meets the calculation power requirement of the vehicle-mounted CAN network.

Description

Vehicle-mounted CAN network intrusion detection method and system
Technical Field
The present invention relates to the field of transmission of digital information. In particular to a vehicle-mounted CAN network intrusion detection method and system.
Background
The rapid development of internet of vehicles has presented additional challenges to the safety systems of automobiles. When people enjoy the convenience brought by the internet of vehicles, the safety system of the automobile also deals with various risks from the network. For example, a controller area network bus (Controller Area Network, CAN) is a core of each electronic control unit (ElectronicControl Unit, ECU) in a vehicle, and is very likely to be an attacker's target. An attacker CAN permeate into the vehicle-mounted CAN network in a remote control or physical contact mode, so that network data of the vehicle are obtained, monitoring and even control of the vehicle are realized, and safety of a driver and passengers of the vehicle is seriously threatened. Therefore, how to ensure the safety of the CAN network on board the vehicle becomes an urgent problem to be solved.
Hardware and software with an intrusion detection function are added to the CAN bus in the existing calculation to detect message information received by the CAN bus and perform alarm processing when the CAN bus is attacked.
However, in the current vehicle-mounted CAN network, many intrusion detection methods based on complex algorithms are difficult to operate normally due to poor computing power of the ECU and limited storage space.
Disclosure of Invention
The invention is based on the above-mentioned requirement of the prior art, and the technical problem to be solved by the invention is to provide a vehicle-mounted CAN network intrusion detection method and system, which CAN reduce the calculation complexity and enable the calculation power of the vehicle-mounted CAN network to be enough to support on the premise of ensuring the detection accuracy.
In order to solve the problems, the invention is realized by adopting the following technical scheme:
A vehicle-mounted CAN network intrusion detection method, the method comprising: acquiring a first variance and a second average value of the number of received messages in a unit time of an anomaly-free network, wherein the first variance and the second average value comprise: acquiring the first message quantity in a plurality of groups of preset time periods in a non-abnormal network, wherein the preset time periods comprise a plurality of continuous unit time; according to the first message quantity, calculating to obtain a first average value of the received message quantity in each group of unit time in the non-abnormal network; acquiring the average value of a plurality of corresponding first average values as a second average value of the number of received messages in unit time in the non-abnormal network; calculating to obtain a first variance of the number of received messages in unit time in the non-abnormal network based on the first average value and the second average value; acquiring the number of second messages corresponding to the preset number of continuous unit time in the current network in real time; according to the second message number and the second average value, calculating to obtain a second variance of the received message number in unit time of the current vehicle-mounted network, wherein the expression comprises: wherein/> Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in each unit time, S 2 represents a second variance; and judging whether the second variance is larger than the first variance, if so, determining that the current vehicle-mounted network is attacked by the message injection.
Optionally, the detection method further comprises: if the second variance is smaller than or equal to the first variance, determining that the current vehicle-mounted network is not abnormal; and updating the first variance and the second average value according to the second message quantity.
Optionally, the calculating, according to the first number of messages, a first average value of the number of received messages in each group of unit time in the non-abnormal network includes: the following calculation is performed on the number of the first messages in each group: Wherein, Representing the j-th group i consecutive unit time,/>Representing the number of first messages acquired in the nth unit time of the jth group,/>A first average value representing the number of received messages in the j-th group per unit time.
Optionally, calculating a first variance of the number of received messages in a unit time in the non-abnormal network based on the first average value and the second average value, where the expression includes: wherein/> A first average value representing the number of received messages in unit time of the j-th group,/>The first variance is represented and m represents the number of groups.
Optionally, the updating the first variance and the second average according to the second message number includes: updating a second average value according to the second message quantity, wherein the expression is as follows: wherein/> Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in unit time,/>Representing the updated second average; and updating the first variance of the received message in the unit time in the non-abnormal network according to the first average value and the updated second average value.
An in-vehicle CAN network intrusion detection system, the system comprising: the acquisition module acquires a first variance and a second average value of received messages in unit time of an abnormal-free network, and comprises the following steps: acquiring the first message quantity in a plurality of groups of preset time periods in a non-abnormal network, wherein the preset time periods comprise a plurality of continuous unit time; according to the first message quantity, calculating to obtain a first average value of the received message quantity in each group of unit time in the non-abnormal network; acquiring the average value of a plurality of corresponding first average values as a second average value of the number of received messages in unit time in the non-abnormal network; calculating to obtain a first variance of the number of received messages in unit time in the non-abnormal network based on the first average value and the second average value; acquiring the number of second messages corresponding to the preset number of continuous unit time in the current network in real time; the processing module is used for receiving the second average value in the acquisition module, and calculating to obtain a second variance of the number of received messages in unit time of the current vehicle-mounted network according to the second number of messages and the second average value; the detection module is used for judging the magnitude relation between the received first variance and the second variance, and determining that the current vehicle-mounted network is attacked by message injection if the second variance is larger than the first variance; and the alarm module is used for receiving the detection result of the detection module, and if the current vehicle-mounted network is attacked by the message injection, the alarm module is used for carrying out alarm processing to prompt the user of network abnormality.
Optionally, the detection module further comprises: if the second variance is smaller than or equal to the first variance, determining that the current vehicle-mounted network is not abnormal; and updating the first variance and the second average value according to the second message quantity, and sending the updated first variance and the updated second average value to the acquisition module.
Optionally, the calculating, according to the first number of messages, a first average value of the number of received messages in each group of unit time in the non-abnormal network includes: the following calculation is performed on the number of the first messages in each group: Wherein, Representing the j-th group i consecutive unit time,/>Representing the number of first messages acquired in the nth unit time of the jth group,/>A first average value representing the number of received messages in the j-th group per unit time.
Optionally, the calculating, according to the second number of messages and the second average value, a second variance of the number of received messages in a unit time of the current vehicle-mounted network, where the expression includes: wherein/> Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in a unit time, S 2, represents the second variance.
Optionally, the updating the first variance and the second average according to the second message number includes: updating a second average value according to the second message quantity, wherein the expression is as follows: wherein/> Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in unit time,/>Representing the updated second average; and updating the first variance of the received message in the unit time in the non-abnormal network according to the first average value and the updated second average value.
Compared with the prior art, the method and the system for detecting the intrusion of the vehicle-mounted CAN network are provided, whether the vehicle is invaded or not is judged by comparing the variance of the number of messages received in unit time in the current vehicle CAN network with the variance of the number of messages received in unit time in the non-abnormal CAN network, the method CAN accurately identify the attack of the message injection, and is simple in operation and low in calculation complexity, the calculation power of the vehicle-mounted CAN network is enough to execute the method, and the situation that the system cannot normally run due to the implementation of the method is avoided.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present description, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a flowchart of a vehicle-mounted CAN network intrusion detection method provided in an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a vehicle-mounted CAN network intrusion detection system according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
For the purpose of facilitating an understanding of the embodiments of the present invention, reference will now be made to the following description of specific embodiments, taken in conjunction with the accompanying drawings, which are not intended to limit the scope of the invention.
Example 1
The embodiment provides a vehicle-mounted CAN network intrusion detection method, the flow of which is shown in figure 1, comprising the following steps:
S1: and acquiring a first variance and a second average value of the received messages in unit time of the abnormal-free network.
In this step, it includes:
S100: and acquiring a plurality of groups of corresponding first message numbers in a time period formed by a plurality of continuous unit time in the non-abnormal network.
Exemplary, assume there are m groups, the j-th group i consecutive unit time periodsThe corresponding first message number is/>
S101: and according to the first message quantity, calculating to obtain a first average value of the received message quantity in each group of unit time in the non-abnormal network.
Specifically, the following calculation is performed on the first message number corresponding to each group:
Wherein, Representing the j-th group i consecutive unit time,/>Representing the number of first messages acquired in the nth unit time of the jth group,/>A first average value representing the number of received messages in the j-th group per unit time.
Obtaining m groups of corresponding data according to the calculation method
S102: and acquiring the average value of a plurality of corresponding first average values as a second average value of the number of received messages in unit time in the non-abnormal network.
In this step, for m groupsPerform average operation/>Obtain a second average/>
S103: and calculating to obtain a first variance of the number of received messages in unit time in the non-abnormal network based on the first average value and the second average value.
Specifically, the first average value and the second average value are calculated as follows: Calculating to obtain a first variance/>
S2: and acquiring the second message quantity corresponding to the preset quantity of continuous unit time in the current network in real time.
The second message number N '1,…,N'd corresponding to the d continuous unit times T' 1,…,T'd is collected in real time.
S3: and according to the second message quantity and the second average value, calculating to obtain a second variance of the received message quantity in unit time of the current vehicle-mounted network.
Specifically, the following calculation is performed on the second message number and the second average value:
wherein d represents a preset number of consecutive unit times, Represents the/>The number of second messages acquired in a unit time, S 2, represents the second variance.
The second message quantity in each unit time is used for making a difference with a second average value of the non-abnormal network, so that the accuracy of the calculated second variance can be improved. The specific reasons for using the second average value are as follows: firstly, the comparison is convenient, the second average value is used for calculating the first variance and the second variance, and the influence of the second message quantity on the result can be highlighted. And secondly, selecting the second average value instead of the average value of the second message numbers can prevent that the second message numbers are all abnormal data under the attack condition, the difference between the average value and the second message numbers is smaller, and the calculated second variance is possibly smaller than the first variance, so that the misjudgment is in a state of no attack network at the moment.
S4: and judging whether the second variance is larger than the first variance, if so, determining that the current vehicle-mounted network is attacked by the message injection.
For the second variance S 2 and the first varianceA comparison is made. If the comparison result is/>And determining that the current vehicle-mounted network is attacked by the message injection.
If it isDetermining that the current vehicle-mounted network is not abnormal; and updating the first variance and the second average value according to the second message quantity.
The updating the first variance and the second average according to the second message number includes:
Updating a second average value according to the second message quantity, wherein the expression is as follows:
Wherein, Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in unit time,/>Representing the updated second average.
Updating the first variance of the received message in the unit time of the non-abnormal network according to the first average value and the updated second average value, including: bringing the first average value and the updated second average value to an expressionIn (3) obtaining updated first variance/>
Obtaining the number of the second messages of the new round, calculating the new second variance by using the updated second average value and the updated first variance, and judging the size relation between the updated first variance and the new second variance in real time to determine whether the network of the new round is attacked.
Compared with the prior art, the method for detecting the intrusion of the vehicle-mounted CAN network is capable of accurately identifying the intrusion of the message by comparing the variance of the number of messages received in unit time in the current vehicle CAN network with the variance of the number of messages received in unit time in the non-abnormal CAN network, and is simple in operation and low in calculation complexity, and the calculation power of the vehicle-mounted CAN network is enough to execute the method, so that the situation that the system cannot normally run due to implementation of the method is avoided.
Example 2
The embodiment provides a vehicle-mounted CAN network intrusion detection system, which is carried on a CAN bus to perform real-time network detection. As shown in fig. 2, the detection system includes an acquisition module, a processing module, a detection module, and an alarm module.
The acquisition module acquires a first variance and a second average value of received messages in unit time of the abnormal-free network; and acquiring the second message quantity corresponding to the preset quantity of continuous unit time in the current network in real time.
The second message number is obtained by receiving message information from the CAN bus in real time.
The obtaining the first variance and the second average value of the received message in the unit time of the pre-calculated non-abnormal network includes:
firstly, the first message number in a plurality of groups of preset time periods in an abnormal-free network is obtained, wherein the preset time periods comprise a plurality of continuous unit time.
Secondly, according to the first message quantity, calculating to obtain a first average value of the received message quantity in each group of unit time in the non-abnormal network, wherein the first average value comprises the following steps:
The following calculation is performed on the number of the first messages in each group:
Wherein, Representing the j-th group i consecutive unit time,/>Representing the number of first messages acquired in the nth unit time of the jth group,/>A first average value representing the number of received messages in the j-th group per unit time.
And then, acquiring the average value of a plurality of corresponding first average values as a second average value of the number of received messages in unit time in the non-abnormal network.
And finally, calculating to obtain a first variance of the number of received messages in unit time in the non-abnormal network based on the first average value and the second average value.
The processing module receives the second average value in the acquisition module, and calculates a second variance of the number of received messages in unit time of the current vehicle-mounted network according to the second number of messages and the second average value.
Specifically, calculating the expression of the second variance includes:
Wherein, Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in a unit time, S 2, represents the second variance.
The detection module judges the magnitude relation between the received first variance and the second variance, and determines that the current vehicle-mounted network is attacked by the message injection if the second variance is larger than the first variance.
The detection module further comprises: and if the second variance is smaller than or equal to the first variance, determining that the current vehicle-mounted network is not abnormal. And updating the first variance and the second average value according to the second message quantity, and sending the updated first variance and the updated second average value to the acquisition module.
In a new round, the processing module calculates a second variance according to the updated second average value; and the detection module judges according to the updated first variance.
The updating the first variance and the second average according to the second message number includes:
Updating a second average value according to the second message quantity, wherein the expression is as follows:
Wherein, Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in unit time,/>Representing the updated second average.
And updating the first variance of the received message in the unit time in the non-abnormal network according to the first average value and the updated second average value.
And the alarm module is used for receiving the detection result of the detection module, and if the current vehicle-mounted network is attacked by the message injection, the alarm module is used for carrying out alarm processing to prompt the user of network abnormality.
And if the current vehicle-mounted network is determined to be abnormal, the alarm module does not execute any operation.
Example 3
A computer readable storage medium having stored thereon a computer program, the computer readable storage medium having stored thereon a vehicle-mounted CAN network intrusion detection program which, when executed by a processor, implements the steps of a vehicle-mounted CAN network intrusion detection method described in embodiment 1.
The foregoing description of the embodiments has been provided for the purpose of illustrating the general principles of the invention, and is not meant to limit the scope of the invention, but to limit the invention to the particular embodiments, and any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (6)

1. The vehicle-mounted CAN network intrusion detection method is characterized by comprising the following steps of:
acquiring a first variance and a second average value of the number of received messages in a unit time of an anomaly-free network, wherein the first variance and the second average value comprise: acquiring the first message quantity in a plurality of groups of preset time periods in a non-abnormal network, wherein the preset time periods comprise a plurality of continuous unit time; according to the first message quantity, calculating to obtain a first average value of the received message quantity in each group of unit time in the non-abnormal network; acquiring the average value of a plurality of corresponding first average values as a second average value of the number of received messages in unit time in the non-abnormal network; calculating to obtain a first variance of the number of received messages in unit time in the non-abnormal network based on the first average value and the second average value;
acquiring the number of second messages corresponding to the preset number of continuous unit time in the current network in real time;
according to the second message number and the second average value, calculating to obtain a second variance of the received message number in unit time of the current vehicle-mounted network, wherein the expression comprises: wherein/> Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in each unit time, S 2 represents a second variance;
Judging whether the second variance is larger than the first variance, if so, determining that the current vehicle-mounted network is attacked by message injection; if the second variance is smaller than or equal to the first variance, determining that the current vehicle-mounted network is not abnormal; and updating the first variance and the second average according to the second message quantity, including: updating a second average value according to the second message quantity, wherein the expression is as follows: Wherein/> Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in unit time,/>Representing the updated second average; and updating the first variance of the received message in the unit time in the non-abnormal network according to the first average value and the updated second average value.
2. The method for detecting the intrusion of the vehicle-mounted CAN network according to claim 1, wherein the calculating a first average value of the number of received messages in each group of unit time in the non-abnormal network according to the first number of messages comprises:
The following calculation is performed on the number of the first messages in each group:
wherein/> Representing the j-th group i consecutive unit time,/>Representing the number of first messages acquired in the nth unit time of the jth group,/>A first average value representing the number of received messages in the j-th group per unit time.
3. The method for detecting the intrusion of the vehicle-mounted CAN network according to claim 1, wherein the first variance of the number of received messages in a unit time of the non-abnormal network is calculated based on the first average value and the second average value, and the expression comprises: Wherein/> A first average value representing the number of received messages in unit time of the j-th group,/>The first variance is represented and m represents the number of groups.
4. An in-vehicle CAN network intrusion detection system, comprising:
The acquisition module acquires a first variance and a second average value of received messages in unit time of an abnormal-free network, and comprises the following steps: acquiring the first message quantity in a plurality of groups of preset time periods in a non-abnormal network, wherein the preset time periods comprise a plurality of continuous unit time; according to the first message quantity, calculating to obtain a first average value of the received message quantity in each group of unit time in the non-abnormal network; acquiring the average value of a plurality of corresponding first average values as a second average value of the number of received messages in unit time in the non-abnormal network; calculating to obtain a first variance of the number of received messages in unit time in the non-abnormal network based on the first average value and the second average value; acquiring the number of second messages corresponding to the preset number of continuous unit time in the current network in real time;
the processing module is used for receiving the second average value in the acquisition module, and calculating to obtain a second variance of the number of received messages in unit time of the current vehicle-mounted network according to the second number of messages and the second average value;
The detection module is used for judging the magnitude relation between the received first variance and the second variance, and determining that the current vehicle-mounted network is attacked by message injection if the second variance is larger than the first variance; if the second variance is smaller than or equal to the first variance, determining that the current vehicle-mounted network is not abnormal; updating the first variance and the second average according to the second message quantity, including: updating a second average value according to the second message quantity, wherein the expression is as follows: Wherein/> Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in unit time,/>Representing the updated second average; updating a first variance of received messages in unit time in the non-abnormal network according to the first average value and the updated second average value; and sending the updated first variance and the updated second mean to the acquisition module;
And the alarm module is used for receiving the detection result of the detection module, and if the current vehicle-mounted network is attacked by the message injection, the alarm module is used for carrying out alarm processing to prompt the user of network abnormality.
5. The system of claim 4, wherein the calculating, according to the first number of messages, a first average value of the number of received messages in each group of unit time in the non-heterogeneous network includes: the following calculation is performed on the number of the first messages in each group: Wherein/> Representing the j-th group i consecutive unit time,/>Representing the number of first messages acquired in the nth unit time of the jth group,/>A first average value representing the number of received messages in the j-th group per unit time.
6. The vehicle-mounted CAN network intrusion detection system of claim 4, wherein the calculating a second variance of the number of received messages in a unit time of the current vehicle-mounted network according to the second number of messages and the second average value includes: wherein/> Represents a second average value of received messages within a unit time, d represents a preset number of consecutive unit times,/>Represents the/>The number of second messages acquired in a unit time, S 2, represents the second variance.
CN202410323680.4A 2024-03-21 2024-03-21 Vehicle-mounted CAN network intrusion detection method and system Active CN117955733B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410323680.4A CN117955733B (en) 2024-03-21 2024-03-21 Vehicle-mounted CAN network intrusion detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410323680.4A CN117955733B (en) 2024-03-21 2024-03-21 Vehicle-mounted CAN network intrusion detection method and system

Publications (2)

Publication Number Publication Date
CN117955733A CN117955733A (en) 2024-04-30
CN117955733B true CN117955733B (en) 2024-06-18

Family

ID=90796287

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410323680.4A Active CN117955733B (en) 2024-03-21 2024-03-21 Vehicle-mounted CAN network intrusion detection method and system

Country Status (1)

Country Link
CN (1) CN117955733B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217396A (en) * 2007-12-29 2008-07-09 华中科技大学 An Ad hoc network invasion detecting method and system based on trust model
CN105049291A (en) * 2015-08-20 2015-11-11 广东睿江科技有限公司 Method for detecting network traffic anomaly

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method
CN106899614B (en) * 2017-04-14 2019-09-24 北京梆梆安全科技有限公司 In-vehicle network intrusion detection method and device based on the message period
US11991196B2 (en) * 2021-03-04 2024-05-21 Qatar Foundation For Education, Science And Community Development Anomalous user account detection systems and methods

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217396A (en) * 2007-12-29 2008-07-09 华中科技大学 An Ad hoc network invasion detecting method and system based on trust model
CN105049291A (en) * 2015-08-20 2015-11-11 广东睿江科技有限公司 Method for detecting network traffic anomaly

Also Published As

Publication number Publication date
CN117955733A (en) 2024-04-30

Similar Documents

Publication Publication Date Title
CN106059987B (en) Vehicle-mounted network intrusion detection system and control method thereof
CN111506048B (en) Vehicle fault early warning method and related equipment
CN108944799B (en) Vehicle driving behavior abnormity processing method and device
CN112153070B (en) Abnormality detection method, device, storage medium and apparatus for vehicle-mounted CAN bus
US20190078527A1 (en) Method of diagnosing fault of timer for monitoring engine off time
CN110949404B (en) Warning method and device, central control equipment, storage medium and system
US11636002B2 (en) Information processing device and information processing method
CN108806019B (en) Driving record data processing method and device based on acceleration sensor
CN117955733B (en) Vehicle-mounted CAN network intrusion detection method and system
CN112590798B (en) Method, apparatus, electronic device, and medium for detecting driver state
CN113569699A (en) Attention analysis method, vehicle, and storage medium
CN114415646B (en) Remote vehicle diagnosis method, system and terminal equipment based on DoIP protocol
CN111824171A (en) Apparatus and method for providing user interface for queue driving in vehicle
CN115534867A (en) Vehicle anti-theft method, device, vehicle and storage medium
KR101857691B1 (en) Method and appratus for detecting anomaly of vehicle based on euclidean distance measure
CN114760147A (en) Security event processing method, security event processing device, equipment and medium
CN113179312A (en) Scratch accident processing method, automobile and computer readable storage medium
CN112002034A (en) Vehicle accident rescue method, device, equipment and storage medium
CN113867314B (en) Access control method and device for fault code library, electronic equipment and storage medium
WO2023168745A1 (en) Vehicle driver monitoring method and apparatus based on domain controller platform
JP5899882B2 (en) Fault diagnosis system and fault diagnosis method
CN114155705B (en) Method, device and equipment for evaluating traffic barrier behavior of vehicle and storage medium
CN118003919B (en) Charging method, system, storage medium and vehicle
CN114531312B (en) Vehicle data analysis device and vehicle data analysis method thereof
CN116424356A (en) Function improvement method of millimeter wave radar of cooperative adaptive cruise control system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant