KR101853676B1 - Appratus and method for detecting vehicle intrusion - Google Patents

Abstract

An intrusion detection method of a vehicle is disclosed. The intrusion detection method is performed in an intrusion detection device of a vehicle, the method comprising: monitoring CAN messages of a vehicle internal network; counting the number of message occurrences for each CAN ID used in the vehicle internal network using the CAN ID of the CAN message; Calculating an entropy (H ') using the number of message occurrences for each CAN ID used in the vehicle internal network, calculating entropy (H') using the number of messages generated for each CAN ID used in the vehicle internal network, . And providing the driver with a notification of the first attack if the entropy (H ') is less than the threshold value for the first attack.

Description

[0001] APPARATUS AND METHOD FOR DETECTING VEHICLE INTRUSION [0002]

An embodiment according to the concept of the present invention relates to an apparatus and method for intrusion detection of a vehicle, and more particularly, to an intrusion detection apparatus and method for detecting a message injection attack, a DoS attack, ≪ / RTI >

The present invention proposes an intrusion detection technology for protecting a vehicle from external intrusion by analyzing a CAN message ID for a message injection attack and a DoS attack on a CAN in a vehicle internal network.

Due to the development of IT technology, various kinds of mechanical control systems constituting automobiles are increasingly replaced by electronic systems. In particular, various modules constituting an ECU (Electric Computer Unit) and a power train existing in the vehicle are connected to the CAN in order to simplify implementation in the vehicle and minimize errors.

CAN is a standard protocol implemented to enable in-vehicle devices to communicate with each other and is implemented in many automobiles. For simple implementation, all the communication devices are connected to one line, and the message transmitted to the CAN bus is broadcasted to all the ECUs in the vehicle.

CSMA / CD + AMP technology is a technology to prevent collision of lines when multiple nodes have data to be transmitted at the same time in the internal network implemented by CAN, and to prioritize the CAN bus. Several nodes with a message to be sent attempt to send a message to the CAN bus at the same time according to the synchronized signal, and compare the value of the ID field in front of the CAN message bit by bit. In CAN, a message has a higher priority with a lower ID value, and according to this principle, the message with the highest priority (lower ID value) preempts the CAN bus. Then, once all the messages prevailing on the CAN bus are transmitted, the same operation is repeated according to the synchronized signal. As a result, even if there are a plurality of nodes to occupy the CAN bus, stable communication can be performed without collision of lines according to the priority of the CAN ID. However, the CSMA / CD + AMP technology can mask the priorities of messages only if the IDs of the competing messages are different.

A method of identifying a priority using a competition ID (CAN ID) of a CAN message will be described in detail below (see FIG. 2). A message transmitted from each node has an ID value including a priority, and when two or more nodes simultaneously attempt to transmit a message, the comparison is performed bit by bit in an arbitration phase. At this time, since the messages to be transmitted always start at the same timing, only one bit of the same place can be checked in the arbitration step. If a certain bit of the CAN ID has the same value, the next bit is checked. And the bit (s) have different values, the message (s) with a Low value continues to transmit on the CAN bus. Examining all the bit fields of the CAN ID will result in only the message with the lowest ID value being able to transmit the contents of the message. The messages pushed into the competition in the arbitration phase again compete at the next message transmission timing.

Due to the broadcast messaging nature, ECUs and modules connected to the in-vehicle CAN bus all receive the same message. The ECU and module check the CAN ID of the message to determine whether to process the data contained in the message or ignore the message.

As the telematics service evolves as the communication technology develops, the driver's device is directly connected to the CAN network through the OBD-II (On-Board Diagnosis version II) terminal. In addition, CAN is a broadcasting protocol that does not provide message encryption or authentication functions, and can not identify the frames injected from the outside, and transmits the frames to the modules of the internal network as they are. There is a problem that the vehicle may be directly affected by an external attack through the telematics terminal.

Therefore, there is a need for an intrusion detection method capable of quickly detecting a message injection attack on a CAN internal network with a small amount of computation. The present invention proposes an apparatus and method for performing intrusion detection of a packet injection attack or a DoS attack using an OBD-II terminal by analyzing a CAN message ID in a vehicle internal network environment.

KR 10-1605783 B1 KR 10-1328389 B1

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a system and method for detecting a DoS attack that cancels a function of a vehicle by occupying resources of a CAN bus by analyzing a CAN message ID in a vehicle internal network environment, A vehicle intrusion detection apparatus and method capable of detecting an intruder.

A method for intrusion detection of a vehicle according to an embodiment of the present invention is carried out in an intrusion detection device of a vehicle, comprising the steps of monitoring CAN messages of an intra-vehicle network, detecting all CAN IDs Calculating an entropy (H ') using the number of message occurrences for each CAN ID used in the vehicle internal network, calculating entropy (H' 1 attack, and if the entropy (H ') is less than the threshold value for the first attack, providing the driver with a notification of the first attack occurrence.

The intrusion detection apparatus for a vehicle according to an embodiment of the present invention includes a monitoring unit for monitoring an entire CAN message in a vehicle internal network, a CAN ID information management unit for obtaining a CAN ID from the CAN message monitored by the monitoring unit and managing related information, A threshold value management unit for managing at least one threshold value for vehicle intrusion detection, a vehicle intrusion detection unit for detecting the intrusion of a vehicle using the CAN ID related information and the threshold value, Wherein the CAN ID information management unit includes a CAN ID list used by all ECUs existing in the in-vehicle network, a number of message occurrences for each CAN ID, and a number of CAN IDs for each CAN ID, , And the threshold value is used for a first attack for detecting a DoS attack And a threshold for a second attack for detecting a message injection attack.

According to the vehicle intrusion detection apparatus and method according to the embodiment of the present invention, the ID of the CAN message is analyzed, and a message injection attack and a DoS attack can be detected quickly and informed.

In addition, the apparatus and method for detecting a vehicle intrusion according to an embodiment of the present invention performs analysis based on an ID included in a message, and does not depend on the meaning indicated by the message ID. Therefore, There is an effect that intrusion detection can be performed.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to more fully understand the drawings recited in the detailed description of the present invention, a detailed description of each drawing is provided.
1 is a functional block diagram of an intrusion detection apparatus according to an embodiment of the present invention.
2 shows a method of identifying a priority using a CAN message ID.
FIG. 3 is a flowchart illustrating an intrusion detection method of a vehicle using the intrusion detection apparatus shown in FIG. 1 according to an embodiment of the present invention.
4 shows an example of CAN ID and CAN ID related information for vehicle intrusion detection.
5 is a flowchart for explaining another embodiment of the intrusion detection method of a vehicle using the intrusion detection apparatus shown in FIG.

It is to be understood that the specific structural or functional description of embodiments of the present invention disclosed herein is for illustrative purposes only and is not intended to limit the scope of the inventive concept But may be embodied in many different forms and is not limited to the embodiments set forth herein.

The embodiments according to the concept of the present invention can make various changes and can take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. It should be understood, however, that it is not intended to limit the embodiments according to the concepts of the present invention to the particular forms disclosed, but includes all modifications, equivalents, or alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms may be named for the purpose of distinguishing one element from another, for example, without departing from the scope of the right according to the concept of the present invention, the first element may be referred to as a second element, The component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that no other element exists in between.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like are used to specify that there are features, numbers, steps, operations, elements, parts or combinations thereof described herein, But do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning of the context in the relevant art and, unless explicitly defined herein, are to be interpreted as ideal or overly formal Do not.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached hereto.

1 is a functional block diagram of an intrusion detection apparatus according to an embodiment of the present invention.

The intrusion detection device 100 according to the present invention analyzes the message ID of the in-vehicle network CAN and detects whether or not the vehicle is intruded. Further, the intrusion detection device 100 can transmit the intrusion detection result to the in-vehicle alarm device or the predetermined terminal.

Intrusion detection device 100 is preferably located inside the vehicle for rapid detection of vehicle intrusion. The intrusion detection apparatus 100 may be installed inside the gateway 110 in the CAN network or may be connected to the bus as an independent entity to communicate with the gateway 110. [ The intrusion detection device 100 may be an ECU. Alternatively, the intrusion detection device 100 may be a separate server located outside the vehicle.

Intrusion detection device 100 can monitor all messages on the corresponding CAN network from gateways and ECUs.

1, the intrusion detection apparatus 100 includes a monitoring unit 110, a CAN ID information management unit 120, a threshold value management unit 130, a vehicle intrusion detection unit 140, a warning unit 150, (180) and a control unit (190).

The monitoring unit 110 may monitor the entire message of the in-vehicle network and collect necessary information for vehicle intrusion detection.

The CAN ID information management unit 120 acquires and analyzes the CAN ID of the monitored CAN message, and manages information related to vehicle intrusion detection. For vehicle intrusion detection, the CAN ID management unit 120 acquires CAN IDs used by all the ECUs existing in the in-vehicle network, and counts the number of messages generated per CAN ID. Then, the entropy (H ') is obtained using the obtained CAN ID and the number of generated messages. When a DoS attack occurs in the vehicle network, the proportion of messages having a specific CAN ID in the vehicle internal network is overwhelmingly high, and as a result, the entropy becomes low, and the vehicle intrusion detection unit 130 can detect a DoS attack have.

In addition, when an error control message occurs, the CAN ID information management unit 120 can increase the error count corresponding to the corresponding CAN ID.

The vehicle intrusion detection unit 130 analyzes the CAN ID related information and compares it with a threshold value to detect whether or not the vehicle intrudes. According to an embodiment of the present invention, the types of attacks due to vehicle intrusion to be detected can be categorized into the first attack and the second attack. The first attack may be a DoS attack that generates a large amount of messages in a short period of time to generate an overload, and the second attack may be a message injection attack that generates a malfunction by injecting a specific CAN ID message into a CAN have.

In a vehicle internal network implemented with CAN The DoS attack occurs as a method of transmitting a large amount of data by setting a low ID value to a message so that it has a higher priority than the CAN ID processed by the ECU mounted in the existing vehicle. The message injection attack occurs with the existing CAN ID And sending the contents to be attacked in a message.

When the entropy calculated by the CAN ID information management unit 120 becomes lower than a predetermined threshold value for the first attack, the first attack detection unit 131 determines that a DoS attack has occurred, and the second attack detection unit 132 It is determined that a message injection attack has occurred if the error count for the corresponding CAN ID becomes higher than the preset threshold value for the second attack.

The threshold value management unit 140 manages at least one threshold value for vehicle intrusion detection. The threshold value management unit 140 may set a threshold value for the first attack and a threshold value for the second attack for each attack type. Also, in order to improve the detection performance, when the priority of the newly discovered CAN ID is higher than the priority of the CAN IDs processed in the vehicle, the DoS attack may be more easily succeeded. Therefore, You can set the value higher. In addition, the threshold value management unit 140 may set different thresholds for each CAN ID.

A method of determining whether a vehicle is attacked through CAN ID analysis will be described in more detail in the description of the intrusion detection method below.

When the intrusion is detected, the warning unit 150 provides notification of the intrusion to the alarm device of the vehicle, the terminal held by the driver of the vehicle, or a terminal predetermined by the driver or the administrator do. For example, an intrusion alert message containing vehicle intrusion related information may be transmitted, or a warning sound may be generated.

The storage unit 180 stores respective CAN ID related information and threshold values for intrusion detection. The CAN ID related information includes a list of CAN IDs used in all the ECUs existing in the in-vehicle network, a message occurrence number of the corresponding CAN ID, a ratio of a message having the corresponding CAN ID, an error count information And the like. Also, in this specification, the storage unit 180 may mean functional and structural combination of software and hardware for storing information corresponding to each storage unit. The storage unit 180 may include a program storage unit and a data storage unit. Programs for controlling the operation of the intrusion detection device 100 may be stored in the program storage unit. The data storage unit may store data generated during the execution of the programs.

The control unit 190 controls the overall operation of the intrusion detection device 100. That is, the operation of the monitoring 110, the CAN ID information management unit 120, the threshold value management unit 130, the intrusion detection unit 140, the warning unit 150, and the storage unit 180 can be controlled.

Each of the configurations of the intrusion detection apparatus shown in FIG. 1 indicates that it is functionally and logically separable, and does not necessarily mean that each configuration is divided into separate physical devices or written in separate codes. The average expert in the field of technology would be easily inferable.

In the present specification, the term "minus" may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, the '-section' may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and it does not necessarily mean a physically connected code or a kind of hardware .

Hereinafter, a method for intrusion detection of a vehicle using the intrusion detection device according to an embodiment of the present invention will be described in detail with reference to FIG. 3 to FIG.

FIG. 3 is a flowchart illustrating an intrusion detection method of a vehicle using the intrusion detection apparatus shown in FIG. 1 according to an embodiment of the present invention. 4 shows an example of CAN ID and CAN ID related information for vehicle intrusion detection.

Referring to FIG. 3, the monitoring unit 110 of the intrusion detection apparatus 100 receives the CAN messages of the in-vehicle network (S110), and detects all of the existing Obtain the CAN ID used by the ECU. Specifically, when the CAN ID of the received CAN message is a new CAN ID (S120), the CAN ID can be stored in the CAN ID list of the internal network of the vehicle (S130) to obtain the CAN ID list of the internal network of the vehicle. For example, in order to obtain the CAN ID processed in the vehicle, a message having a CAN ID of '7DF' may be transmitted to the OBD-II terminal, or a method of organizing the internal network of the vehicle for a long time and arranging it into a table may be used.

Next, the entire message is monitored to detect the DoS attack (S140), and the number of messages generated per CAN ID is counted by using the ID list of the message used in the vehicle internal network.

Next, the entropy (H ') is obtained by using the obtained CAN ID and the number of generated messages, and the CAN ID and CAN ID related information is stored in the storage unit. The CAN ID related information may include the number of times of using the corresponding CAN ID, the ratio of the message having the corresponding CAN ID, and the entropy (H '). One example of related information corresponding to the collecting CAN ID and CAN ID is shown in FIG. As shown in (c) of FIG. 4, when a large amount of CAN message having the CAN ID '0x702' is input, the diversity index is lowered and the entropy (H ') is lowered.

Next, it is determined whether the entropy H 'is smaller than a predetermined threshold at step S150. If the entropy H' is lower than the threshold value, the driver is informed of a DoS attack occurrence warning at step S170. The Shannon's diversity index for obtaining the entropy (H ') can be defined by Equation (1) below.

n: Number of CAN IDs used in the internal network

: 특정 CAN ID를 가지는 메시지의 비율 (

)

: Percentage of messages with a specific CAN ID (

)

The threshold value may be set differently for each vehicle.

A DoS attack is aimed at disabling the communication of ECUs in the vehicle, so it injects messages with a high enough priority to occupy all of the lines into the internal network. The proportion of messages having a specific CAN ID in the vehicle internal network is overwhelmingly high, resulting in lower entropy (H '). If the entropy (H') becomes smaller than a predetermined threshold value, And notifies the driver of the vehicle intrusion warning. For example, when a vehicle intrusion is detected, a notification message of an intrusion can be transmitted to an alarm unit of the vehicle, a terminal possessed by a driver of the vehicle, or a preset terminal for reception of a notification message, May include information about the type of attack (attack).

For more accurate detection of the DoS attack, it may further include determining whether the message for the corresponding CAN ID occupies the highest rate (S160). If the message for the corresponding CAN ID occupies the highest rate, the driver can be notified of the occurrence of a DoS attack (S170).

Also, in order to improve the detection performance, if the priority of the newly discovered (imported) CAN ID is higher than the priority of the existing CAN IDs processed in the vehicle, the DoS attack can be more easily succeeded. If found, detection can be performed by increasing the threshold. That is, when a new CAN ID is not found, a threshold value (hereinafter referred to as a " first threshold value ") for detecting a DoS attack is detected (Hereinafter, referred to as a 'second threshold value') is set high, it is possible to increase the sensitivity of detecting a DoS attack using a newly discovered CAN ID.

When the priority of the new CAN ID is lower than the priority of the conventional CAN ID, the threshold for detecting the DoS attack used when the priority of the new CAN ID is lower than the priority of the conventional CAN ID It is also possible to detect a DoS attack by setting it higher than the threshold for detecting a DoS attack to be used.

5 is a flowchart for explaining another embodiment of the intrusion detection method of a vehicle using the intrusion detection apparatus shown in FIG. FIG. 5 shows an embodiment of a method for detecting whether a vehicle is invaded by a message injection attack.

Referring to FIG. 5, the intrusion detection device 100 monitors the entire message of the vehicle network (S210).

A message injection attack occurs by injecting a message consisting of a CAN ID (CAN ID of the CAN message) actually used in the vehicle and an attack command into the vehicle internal network. Conventional in-vehicle ECUs and modules perform an attack command without any verification according to the CAN ID of the received message. Since the message injection attack uses the actual CAN ID in the vehicle, the normal message generated by the vehicle traveling and the message caused by the message injection attack may be competing on the CAN bus with the same CAN ID. Also, since the attacker continuously injects the message to perform an effective attack, this competition often occurs. CSMA / CD + AMP technology prioritizes messages according to CAN ID to avoid line collision. However, if a message with the same CAN ID is transmitted at the same time, the ID is transmitted to the CAN bus as it is because the collision is not detected in the arbitration phase, and the CAN bus error occurs in the data transmission phase. The CAN bus controller generates an error control message. The error control message informs all ECUs and modules in the internal network of the occurrence of the error, and after having a delay time, the communication is resumed.

The intrusion detection apparatus 100 checks whether an error control message has been generated (S220) while monitoring the entire message of the vehicle network (S210), and if an error control message has occurred, it is possible to collect the CAN ID associated with the error (S230).

If the CAN ID associated with the error can be collected, the error count for the corresponding CAN ID is increased (S240). According to the embodiment, when the error control message for the corresponding CAN ID does not occur for a predetermined period of time, it is determined that an attack (intrusion) has not occurred to the ECU having the specific CAN ID of the vehicle or the vehicle concerned, It is also possible to reset the error count.

Next, it is determined whether an error count for a specific CAN ID exceeds a predetermined threshold value for the second attack (S250). At this time, the threshold value for the second attack may be set to the same or different for each vehicle type or CAN ID.

If an error for a specific CAN ID occurs more than a preset threshold value for the second attack, the driver is informed of a message injection attack (second attack) warning for the ECU corresponding to the specific CAN ID (S270). CAN busses can be faulty due to electrical noise, but the probability of errors occurring only when sending messages related to a specific CAN ID is very low, so the proposed method effectively detects vehicle intrusion attacks without false positives and false negatives .

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

100: intrusion detection device 110:
120: CAN ID information management unit 130:
140: Vehicle Intrusion Detection Unit 150: Warning Unit
180: storage unit 190: control unit

Claims (8)

A vehicle intrusion detection method using CAN ID analysis of a CAN message carried out in an intrusion detection device of a vehicle,
Monitoring CAN messages in the vehicle internal network;
Counting the number of message occurrences for each CAN ID used in the in-vehicle network using the CAN ID of the CAN message;
Calculating an entropy (H ') using the number of message occurrences for each CAN ID used in the vehicle internal network;
Determining whether the entropy (H ') is less than a predetermined threshold for a first attack; And
If the entropy (H ') is less than the threshold value for the first attack, providing a notification to the driver of a first attack,
Wherein the entropy (H ') is calculated using the following equation.
[Mathematical Expression]

,

(Where n denotes the number of CAN IDs used in the internal network,

Quot; means the ratio of messages having a specific CAN ID) delete The method according to claim 1,
Wherein the threshold for the first attack includes a first threshold and a second threshold greater than the first threshold,
Detecting a first attack by comparing the first threshold value and the entropy (H ') when a CAN message including a new CAN ID is not received,
And detecting a first attack by comparing the second threshold and the entropy (H ') when a CAN message including a new CAN ID is received. A vehicle intrusion detection method using CAN ID analysis of a CAN message carried out in an intrusion detection device of a vehicle,
Monitoring CAN messages in the vehicle internal network;
Confirming whether or not an error control message is generated in the vehicle internal network;
Confirming whether collection of a CAN ID related to the error control message is possible;
If the collection of the CAN ID is possible, increasing an error count for the corresponding CAN ID;
Determining whether an error count for a specific CAN ID is greater than a predetermined threshold for a second attack; And
And providing a warning to the driver about a second attack if the error count is greater than a threshold value for the second attack. 5. The method of claim 4,
When the error control message for a specific CAN ID does not occur for a predetermined time, resetting an error count by judging that an attack to the ECU having the CAN ID does not occur Intrusion detection method. A monitoring unit for monitoring the entire CAN message of the vehicle internal network;
A CAN ID information management unit for obtaining a CAN ID from the CAN message monitored by the monitoring unit and managing the CAN ID and the CAN ID related information;
A threshold value management unit for managing at least one threshold value for vehicle intrusion detection;
A vehicle intrusion detection unit for determining whether a vehicle intrusion has occurred using the CAN ID, the CAN ID related information, and the threshold value; And
And an alarm unit for providing a notification of the intrusion if an intrusion to the vehicle internal network is detected,
The CAN ID information management unit manages a CAN ID list used by all the ECUs existing in the in-vehicle network, a message occurrence number for each CAN ID, and an error count for each CAN ID,
Wherein the threshold comprises a threshold for a first attack for DoS attack detection and a threshold for a second attack for message injection attack detection.
Intrusion detection device of a vehicle. The method according to claim 6,
The CAN ID information management unit calculates an entropy (H ') using the number of messages generated corresponding to each CAN ID used in the vehicle internal network,
The vehicle intrusion detection unit determines whether the entropy (H ') is less than a threshold value for the first attack,
If the entropy (H ') is smaller than the threshold value for the first attack, the alarm unit notifies the driver of the occurrence of the DoS attack,
Wherein the entropy (H ') is calculated using the following equation.
[Mathematical Expression]

,

(Where n denotes the number of CAN IDs used in the internal network,

Quot; means the ratio of messages having a specific CAN ID) The method according to claim 6,
The vehicle intrusion detecting unit determines whether an error count for a specific CAN ID is greater than a threshold value for the second attack,
Wherein the alarm unit notifies the driver of a message injection attack if the error count is greater than a threshold value for the second attack.

Images