KR102204655B1 - A mitigation method against message flooding attacks for secure controller area network by predicting attack message retransfer time - Google Patents

Abstract

In the method performed by a computer, based on the transmission schedule of general CAN messages, the attack message identification step of identifying the general CAN message and the CAN message used in the message flooding attack, the attacking node When transmitting an attack message including a CAN message, a dominant bit generation step in which a dominant bit is generated to induce the generation of a CAN error frame in the attacking node, and the attacking node fails to transmit an attack message due to the dominant bit. In this case, a method for mitigating a message flooding attack on a CAN network is disclosed, including a step of predicting an attack message retransmission time (T _retrans ), which predicts a time until the attack message is retransmitted.

Description

Message flooding attack mitigation method for CAN network that predicts attack message retransmission time {A MITIGATION METHOD AGAINST MESSAGE FLOODING ATTACKS FOR SECURE CONTROLLER AREA NETWORK BY PREDICTING ATTACK MESSAGE RETRANSFER TIME}

The present invention relates to a message flooding attack mitigation method for a CAN network that predicts an attack message retransmission time.

In recent years, beyond the electronic control of automobiles, basic autonomous driving support modules such as autopilots have been actively developed. For example, for full self-driving automation, sensor technologies such as LiDAR (distance measurement/object recognition sensor) and automobile IT convergence technologies that support external communication technology (V2X: Vehicle to Everything) are used. Is being developed.

To this end, the electronic control units (ECUs) inside the vehicle share information through the vehicle internal network (Controller Area Network (CAN), vehicle Ethernet) and control the vehicle.

As such, as the convergence technology of automobile and IT is developed, external contacts that can access the control network of automobiles are rapidly increasing. Many studies have been conducted on the possibility of car hacking using these external contacts. For example, Jeep recalled 1.4 million cars due to the hacking result of a telematics system.

For example, authentication, intrusion detection systems, and vehicle firewall technologies are being studied to protect the internal network of a vehicle. However, the development of remote vehicle diagnosis, remote ECU update, and autonomous vehicle technology using communication with the outside increases the contact points between the car control network and the external network, so that the attacker can use various external contacts of the car control network. The possibility exists to bypass existing automotive security technologies.

In particular, in the case of a message flooding attack that can cause CAN failure, it can be easily detected by changing the message frequency of the internal network or increasing network traffic, but the message flooding attack causes a failure (eg, transmission delay) of the vehicle's internal network. It is difficult to prevent. Therefore, when a message flooding attack occurs in CAN, it is necessary to study how to mitigate this.

Registered Patent Publication No. 10-1825711, 2018.01.30

The problem to be solved by the present invention is to provide a message flooding attack mitigation method for a CAN network that predicts the retransmission time of an attack message.

The problems to be solved by the present invention are not limited to the problems mentioned above, and other problems that are not mentioned will be clearly understood by those skilled in the art from the following description.

A method for mitigating a message flooding attack on a CAN network according to an aspect of the present invention for solving the above-described problems is based on a transmission schedule of general CAN messages, and uses a general CAN message and a CAN message used for the message flooding attack. Identification, attack message identification step, when the attacking node transmits an attack message including a plurality of CAN messages for a message flooding attack, a dominant bit is generated to induce the generation of a CAN error frame to the attacking node. And an attack message retransmission time (T _retrans ) prediction step of predicting a time until retransmission of the attack message when the attacking node fails to transmit the attack message due to the bit generating step and the dominant bit.

In addition, the attack message retransmission time prediction step includes: obtaining an error management procedure of CAN and predicting the retransmission time of the attack message based on the obtained error management procedure, but the attacking node receives an error frame due to the dominant bit. It may include the step of predicting the retransmission time of the attack message based on the transmission time and the TEC (Transmission Error Counter) of the attacking node.

In addition, it may further include a general CAN message transmission delay predicting step of predicting the transmission delay of the general CAN message when a transmission delay of the general CAN message occurs due to an attack message and an error frame.

In addition, the predicting a transmission delay of the general CAN message may include predicting a WT _delay of the transmission delay of the general CAN message.

In addition, the step of predicting the worst time includes predicting the worst time based on the following equation,

WT _delay = T _attack + T _retrans + T _error

The T _attack may mean a delay time due to the attack message, and the T _error may mean a delay time due to the error frame.

In addition, obtaining a pattern of an attack message generated from the attacking node, obtaining information on an attacking means corresponding to the pattern from a database, extracting one or more parameters from the obtained information, and the extracted It may further include adjusting the attack message retransmission time and the normal CAN message transmission delay prediction result based on the parameter.

In addition, when the attacking node is bus-off, it may further include connecting a spare node corresponding to the attacking node to the CAN network, and controlling the spare node to perform the role of the attacking node.

A method for mitigating a message flooding attack on a CAN network according to an aspect of the present invention for solving the above-described problems is based on a transmission schedule of general CAN messages, and uses a general CAN message and a CAN message used for the message flooding attack. Identification, attack message identification step, when the attacking node transmits an attack message including a plurality of CAN messages for a message flooding attack, a dominant bit is generated to induce the generation of a CAN error frame to the attacking node. It may include a bit generation step and a general CAN message transmission delay prediction step of predicting a transmission delay of the general CAN message when a transmission delay of the general CAN message occurs due to an attack message and an error frame.

An apparatus for mitigating a message flooding attack on a CAN network according to an aspect of the present invention for solving the above-described problem includes a memory storing one or more instructions and a processor executing the one or more instructions stored in the memory, , By executing the one or more instructions, the processor identifies the general CAN message and the CAN message used for the message flooding attack, based on the transmission schedule of the general CAN messages, the attack message identification step, the attacking node performs the message flooding attack. When transmitting an attack message including a plurality of CAN messages, the attacking node transmits the attack message due to the dominant bit generation step and the dominant bit to generate a dominant bit to induce the generation of a CAN error frame in the attacking node. In case of failure, a method including an attack message retransmission time (T _retrans ) prediction step of predicting a time until retransmission of the attack message may be performed.

A program for mitigating a message flooding attack on a CAN network according to an aspect of the present invention for solving the above-described problems is combined with a computer as hardware, and a computer-readable record so that the method according to the disclosed embodiment can be performed. It is stored on the medium.

Other specific details of the present invention are included in the detailed description and drawings.

According to the disclosed embodiment, while it is possible to mitigate a message flooding attack on a CAN network, there is an effect of allowing communication between ECUs other than the attacking node to be normally performed.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the following description.

1 is a diagram illustrating a CAN error management method of an ECU according to an embodiment.
2 is a diagram illustrating an example in which a message flooding attack occurs on a general CAN-bus.
3 is a diagram illustrating an example in which a message flooding attack occurs on a CAN-bus to which a framework according to the disclosed embodiment is applied.
4 is a flowchart illustrating a method of mitigating a message flooding attack on a CAN network according to an embodiment.
5 is a flowchart illustrating a method of mitigating a message flooding attack according to another embodiment.
6 is a block diagram of an apparatus according to an exemplary embodiment.

Advantages and features of the present invention, and a method of achieving them will become apparent with reference to the embodiments described below in detail together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in a variety of different forms, only the present embodiments are intended to complete the disclosure of the present invention, It is provided to fully inform the technician of the scope of the present invention, and the present invention is only defined by the scope of the claims.

The terms used in the present specification are for describing exemplary embodiments and are not intended to limit the present invention. In this specification, the singular form also includes the plural form unless specifically stated in the phrase. As used in the specification, “comprises” and/or “comprising” do not exclude the presence or addition of one or more other elements other than the mentioned elements. Throughout the specification, the same reference numerals refer to the same elements, and “and/or” includes each and all combinations of one or more of the mentioned elements. Although "first", "second", and the like are used to describe various elements, it goes without saying that these elements are not limited by these terms. These terms are only used to distinguish one component from another component. Therefore, it goes without saying that the first component mentioned below may be the second component within the technical idea of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used in the present specification may be used as meanings that can be commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in a commonly used dictionary are not interpreted ideally or excessively unless explicitly defined specifically.

The term "unit" or "module" used in the specification refers to a hardware component such as software, FPGA or ASIC, and the "unit" or "module" performs certain roles. However, "unit" or "module" is not meant to be limited to software or hardware. The "unit" or "module" may be configured to be in an addressable storage medium, or may be configured to reproduce one or more processors. Thus, as an example, "sub" or "module" refers to components such as software components, object-oriented software components, class components, and task components, processes, functions, properties, It includes procedures, subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays and variables. Components and functions provided within "sub" or "module" may be combined into a smaller number of components and "sub" or "modules" or into additional components and "sub" or "modules". Can be further separated.

In the present specification, a computer refers to all kinds of hardware devices including at least one processor, and may be understood as encompassing a software configuration operating in a corresponding hardware device according to embodiments. For example, the computer may be understood as including all of a smartphone, a tablet PC, a desktop, a laptop, and a user client and an application running on each device, but is not limited thereto.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Each of the steps described herein is described as being performed by a computer, but the subject of each step is not limited thereto, and at least some of the steps may be performed by different devices according to embodiments.

For example, the computer referred to in the present specification may mean an electronic system including at least one processor installed in a vehicle, but is not limited thereto.

1 is a diagram illustrating a CAN error management method of an ECU according to an embodiment.

Referring to FIG. 1, an error management technique of the CAN standard is shown.

In an embodiment, for error management of CAN, a Transmission Error Counter (TEC) and a Receive Error Counter (REC) may exist in the ECU.

In one embodiment, the ECU may have three error states, for example, Error Active, Error Passive, and Bus-Off.

In one embodiment, when a specific ECU is in a Bus-Off state, the ECU cannot participate in CAN communication for a certain period of time.

As an example, a condition for movement (state change) between each error state may be as shown in FIG. 1.

2 is a diagram illustrating an example in which a message flooding attack occurs on a general CAN-bus.

Referring to FIG. 2, an electric field system inside a vehicle and a network thereof are shown. The system includes multiple ECUs, and there is a CAN network connecting each ECU.

In one embodiment, when an attack is performed through one of a plurality of ECUs (e.g., when a DoS attack represented by a message flooding attack occurs in the vehicle internal network), as shown in FIG. Communication failure of other nodes (general ECUs) occurs due to the F (CAN message used in message flooding attack) message generated from the attacking node.

In an embodiment, when a message flooding attack is detected, the attack message may be simultaneously discarded through an error message. However, there may be a problem in that the packet schedule of the internal network is changed due to the effect of discarding the attack message.

According to the disclosed embodiment, when a message flooding attack occurs on an in-vehicle network, the attacking node may be excluded from the in-vehicle network for a specific time.

At the same time, it is necessary to ensure that there is no phenomenon that communication between normal nodes is disturbed (eg, normal ECUs are not excluded from the CAN network) due to abuse or misuse of the method according to the disclosed embodiment, which will be described in detail below with reference to the drawings. do.

3 is a diagram illustrating an example in which a message flooding attack occurs on a CAN-bus to which a framework according to the disclosed embodiment is applied.

Referring to FIG. 3, an attack node that has generated a message flooding attack by the framework according to the disclosed embodiment continuously generates an error frame E, and finally enters a bus-off state.

Since a certain time must pass before the attacking node in the bus-off state participates in CAN communication again, general ECUs can transmit CAN messages without the effect of message flooding during that time. In addition, by predicting the delay time of general messages generated due to the error frame, it is possible to prevent the general message from being erroneously discarded by the method according to the disclosed embodiment.

A specific method of performing the above-described method will be described later with reference to the drawings.

4 is a flowchart illustrating a method of mitigating a message flooding attack on a CAN network according to an embodiment.

In step S110, the computer performs an attack message identification step of identifying a general CAN message and a CAN message used in a message flooding attack based on the transmission schedule of the general CAN messages.

In step S120, when the attacking node transmits an attack message including a plurality of CAN messages for a message flooding attack, the computer generates a dominant bit to induce the generation of a CAN error frame to the attacking node by generating a dominant bit. Follow the steps.

Since the dominant bit transmission has a higher priority than the recessive bit transmission, if the dominant bit generation module continuously generates dominant bits when a message flooding attack occurs, the attacking node causes an error in the message transmission process. In other words, the attacking node increases the TEC while generating an error frame. If the TEC of the attacking node increases and becomes larger than 255, the attacking node becomes Bus-off and cannot participate in CAN communication for a certain period of time.

In step S130, when the attacking node fails to transmit the attack message due to the dominant bit, the computer performs an attack message retransmission time (T _retrans ) prediction step of predicting a time until retransmission of the attack message.

In the attack message retransmission time prediction step, the computer predicts the retransmission time of the attack message based on the step of acquiring an error management procedure of CAN and the acquired error management procedure, but the attacking node receives an error frame due to the dominant bit. A step of estimating the retransmission time of the attack message based on the transmission time point and the transmission error counter (TEC) of the attacking node is performed.

For example, in CAN, when a CAN message transmission failure occurs due to an error frame, the message is retransmitted. Therefore, the message in which the message transmission has failed is attempted to retransmit the message after the error frame is transmitted and after the interframe space (3 bit transmission time). However, if the TEC of the attacking node exceeds 127, it additionally waits for the Suspend Transmission Time (8-bit transmission time), and then attempts to retransmit the message.

Accordingly, the computer can predict the retransmission time of the attack message based on the time point when the attacking node transmits the error frame and the TEC of the attacking node.

In step S140, the computer performs a general CAN message transmission delay prediction step of predicting a transmission delay of the general CAN message when a transmission delay of the general CAN message occurs due to an attack message and an error frame.

Step S130 and step S140 may be performed together, but one of the two may be selectively performed, and the execution order and selection method are not limited.

In the general CAN message transmission delay prediction step, the computer may predict the worst time (WT _delay ) of the transmission delay of the general CAN message.

In the step of predicting the worst time, the computer may predict the worst time based on the following equation.

WT _delay = T _attack + T _retrans + T _error

In the above equation, T _attack means a delay time due to the attack message, and the T _error means a delay time due to the error frame.

In an embodiment, a possible transmission delay of a general CAN message may be predicted in consideration of the worst case of a transmission delay time of a CAN message. If the transmission delay time of a general CAN message is smaller than that of the worst case, it is possible to prevent a message identification error by classifying the information into a general message.

5 is a flowchart illustrating a method of mitigating a message flooding attack according to another embodiment.

In step S210, the computer may acquire a pattern of an attack message generated from the attack node.

In step S220, the computer may obtain information on the attack means corresponding to the pattern from the database.

In step S230, the computer may extract one or more parameters from the obtained information.

In step S240, the computer may adjust the attack message retransmission time and the general CAN message transmission delay prediction result based on the extracted parameter.

In addition, in another embodiment, when the attacking node is bus-off, the computer may connect a spare node corresponding to the attacking node to the CAN network. In addition, the computer may control the spare node to perform the role of the attack node.

In one embodiment, the system may include one or more ECUs and a CAN network connecting one or more ECUs.

In an embodiment, for a first ECU that is one of the one or more ECUs, the system may further include a second ECU that performs the same function as the first ECU.

In an embodiment, when the first ECU becomes an attack node and is bus-off, the second ECU may be connected to the CAN to perform the role of the first ECU.

In addition, with respect to a third ECU that is one of the one or more ECUs, the one or more ECUs excluding the third ECU may include at least one module corresponding to each function performed by the third ECU.

For example, modules that perform the same role as all modules included in the third ECU may be included in each of the remaining ECUs.

In an embodiment, when the third ECU becomes an attack node and is bus-off, modules included in each of the one or more ECUs excluding the third ECU may perform a function of the third ECU.

As described above, when an ECU that plays an important role is bus-off due to an attack, a problem may occur in driving the entire system, and thus a preliminary means for preparing for this may be provided.

These preliminary means are used when each ECU is bus off, and according to the embodiment, when each ECU becomes an attack node and generates an error frame and becomes bus off, the system can predict the attack message retransmission time of the attack node. I can. At this time, the system may release the bus off state of the attack node during the interval until the retransmission time. In this case, the preliminary means may be connected to the CAN again when the attack node is bused off again at a time within a predetermined range from the attack message retransmission time.

In an embodiment, when the time falls within a predetermined range from the predicted attack message retransmission time, the system detects an attack message generated from a corresponding attack node, but may lower a standard for detecting the attack message than usual. That is, by lowering the criterion for determining that the message is an attack message than usual, the element determined to be an attack message can be recognized as generating an attack message at least immediately, and the corresponding attacking node can be bused off.

In an embodiment, the system may analyze the pattern of messages generated from the attacking node.

For example, the system may analyze the interval, time, and pattern including the attack message generated in the attacking node, and acquire attack means matching the pattern based on a previously stored database.

For example, the system may acquire one or more parameters corresponding to the attack means by obtaining the attack means matching the pattern.

The system may adjust the attack message retransmission time and general CAN message transmission delay prediction result calculated by the above-described modules based on the acquired parameters.

6 is a block diagram of an apparatus according to an exemplary embodiment.

The processor 102 may include one or more cores (not shown) and a graphic processing unit (not shown) and/or a connection path (eg, a bus) for transmitting and receiving signals with other components. .

The processor 102 according to an exemplary embodiment executes one or more instructions stored in the memory 104 to perform the method described with respect to FIGS. 1 to 5.

For example, the processor 102 may perform a message flooding attack mitigation method according to the disclosed embodiment by executing one or more instructions stored in a memory.

Meanwhile, the processor 102 temporarily and/or permanently stores a signal (or data) processed inside the processor 102, a RAM (Random Access Memory, not shown) and a ROM (Read-Only Memory). , Not shown) may further include. In addition, the processor 102 may be implemented in the form of a system on chip (SoC) including at least one of a graphic processing unit, RAM, and ROM.

The memory 104 may store programs (one or more instructions) for processing and controlling the processor 102. Programs stored in the memory 104 may be divided into a plurality of modules according to functions.

The steps of a method or algorithm described in connection with an embodiment of the present invention may be implemented directly in hardware, implemented as a software module executed by hardware, or a combination thereof. Software modules include Random Access Memory (RAM), Read Only Memory (ROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), Flash Memory, hard disk, removable disk, CD-ROM, or It may reside on any type of computer-readable recording medium well known in the art to which the present invention pertains.

Components of the present invention may be implemented as a program (or application) and stored in a medium in order to be combined with a computer as hardware to be executed. Components of the present invention may be implemented as software programming or software elements, and similarly, embodiments include various algorithms implemented with a combination of data structures, processes, routines or other programming elements, including C, C++ , Java, assembler, or the like may be implemented in a programming or scripting language. Functional aspects can be implemented with an algorithm running on one or more processors.

In the above, embodiments of the present invention have been described with reference to the accompanying drawings, but those of ordinary skill in the art to which the present invention pertains can be implemented in other specific forms without changing the technical spirit or essential features. You can understand. Therefore, the embodiments described above are illustrative in all respects, and should be understood as non-limiting.

100: device
102: processor
104: memory

Claims (10)

In the method performed by a computer,
An attack message identification step of identifying a general CAN message and a CAN message used in a message flooding attack based on a transmission schedule of general CAN messages;
A dominant bit generation step of generating a dominant bit to induce the generation of a CAN error frame in the attacking node by generating a dominant bit when the attacking node transmits an attack message including a plurality of CAN messages for a message flooding attack;
An attack message retransmission time (T _retrans ) prediction step of predicting a time until retransmission of the attack message when the attacking node fails to transmit the attack message due to the dominant bit; And,
A general CAN message transmission delay prediction step of predicting a transmission delay of the general CAN message when a transmission delay of the general CAN message occurs due to an attack message and an error frame; Including,
The general CAN message transmission delay prediction step,
Predicting a WT _delay of the transmission delay of the general CAN message; Including,
The step of predicting the worst time,
Predicting the worst time based on the following equation; Including,
WT _delay = T _attack + T _retrans + T _error
The T _attack means a delay time due to the attack message, and the T _error means a delay time due to the error frame,
How to mitigate message flooding attacks on CAN networks. The method of claim 1,
The attack message retransmission time prediction step,
Obtaining a CAN error management procedure; And
Predict the retransmission time of the attack message based on the obtained error management procedure, but the attack message based on the time when the attacking node transmits the error frame due to the dominant bit and the transmission error counter (TEC) of the attacking node Estimating a retransmission time of; Containing,
How to mitigate message flooding attacks on CAN networks. delete delete delete The method of claim 1,
Acquiring a pattern of an attack message generated from the attacking node;
Acquiring information on the attack means corresponding to the pattern from a database;
Extracting one or more parameters from the obtained information; And
Adjusting the attack message retransmission time and the normal CAN message transmission delay prediction result based on the extracted parameter; Further comprising,
How to mitigate message flooding attacks on CAN networks. The method of claim 1,
Connecting a spare node corresponding to the attack node to the CAN network when the attack node is bus off; And
Controlling the spare node to perform the role of the attack node; Further comprising,
How to mitigate message flooding attacks on CAN networks. delete A memory for storing one or more instructions; And
And a processor that executes the one or more instructions stored in the memory,
The processor executes the one or more instructions,
An apparatus for performing the method of claim 1. A computer program that is combined with a computer as hardware and stored in a recording medium readable by a computer to perform the method of claim 1.

Images