KR20180015791A - Device for detecting anomaly of vehicle based on sequence mining - Google Patents

Abstract

The present invention discloses a device for detecting a defect symptom of a vehicle based on a sequence mining which generates a pattern from an ID sequence of a controller area network (CAN) message by using a sequence mining technique and can determine whether a vehicle is abnormal. The detecting device comprises a pattern generating part. The pattern generating part includes: a first message receiving part receiving a plurality of messages sequentially generated in a communication system; a first ID extracting part extracting a transmission ID from each of the plurality of messages, and outputting the ID sequence; and a normal pattern generating part generating the pattern of the ID from the ID sequence.

Description

TECHNICAL FIELD [0001] The present invention relates to a device for detecting a vehicle abnormality based on sequence mining,

An embodiment according to the concept of the present invention relates to a vehicle abnormality detection apparatus, and more particularly, to a system and method for generating a pattern from an ID sequence of a CAN message using a sequence mining technique, To a vehicle abnormality detection device.

With the development of information technology (IT), there is a trend of increasing the rate of conversion of the vehicle control system from mechanical to electronic, and the electronic control allows connection via OBD-II (On-Board Diagnostics) Access to the internal network has become easier.

In addition, the use of an ECU (Electronic Control Unit) is indispensable for fusing information and communication technology in a vehicle. A number of ECUs are installed inside the vehicle. Various communication techniques such as CAN (Controller Area Network), LIN (Local Interconnect Network), MOST (Media Oriented System Transport) and FlexRay are used for efficient communication between ECUs. .

CAN is a network protocol developed for use in vehicle networks, providing a cost-effective and reliable network for multiple ECUs to communicate with each other. Each ECU checks all messages broadcast on the CAN bus and performs control by filtering only the messages related to itself.

However, CAN is vulnerable to attacks such as message injection, because it does not provide most of the data encryption and authentication functions even though it is a broadcasting protocol that delivers messages to all ECUs. The present invention seeks to detect a vehicle anomaly by analyzing a message in a vehicle internal network, in particular a sequence of CAN messages.

Korean Registered Patent No. 1446525 (Registered on September 25, 2014) Japanese Laid-Open Patent Application No. 2013-048374 (published on Mar. 03, 2013) United States Patent Publication No. 2008-0133955 (published on June 5, 2008)

SUMMARY OF THE INVENTION The present invention provides a device for detecting a vehicle abnormality based on sequence mining capable of generating a pattern from an ID sequence of a CAN message using a sequence mining technique and determining whether the vehicle is abnormal .

The vehicle abnormality detection apparatus according to an embodiment of the present invention includes a pattern generation unit, wherein the pattern generation unit includes: a first message reception unit that receives a plurality of messages sequentially generated in the communication system; A first ID extracting unit for extracting a transmission ID and outputting an ID sequence, and a normal pattern generating unit for generating a pattern of IDs from the ID sequence.

According to another aspect of the present invention, there is provided a vehicle abnormality detection apparatus including an abnormality detection unit, wherein the abnormality detection unit comprises: a message reception unit for receiving a plurality of messages sequentially occurring in the communication system; And a similarity calculation unit for determining whether the vehicle is abnormal by comparing the ID sequence with a plurality of ID patterns previously stored in the ID sequence, And the editing distance of each of the plurality of ID patterns is calculated, and the editing distance having the smallest value among the calculated editing distances is determined as the similarity.

In the case of the vehicle abnormality detection apparatus based on the sequence mining according to the embodiment of the present invention, a message injection attack targeting a vehicle under running can be detected in real time.

In addition, since the CAN message sequence of the vehicle detects an external attack or an internal abnormality, it is possible to detect the abnormality of the vehicle in a short time without requiring a small amount of computing resources and to promptly inform the driver of the abnormality of the vehicle, There is an effect.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to more fully understand the drawings recited in the detailed description of the present invention, a detailed description of each drawing is provided.
1 shows a communication system according to an embodiment of the present invention.
FIG. 2 shows an example of a data frame of the CAN protocol according to an embodiment of the present invention.
3 is a functional block diagram of the detection device shown in Fig.
FIG. 4A is a diagram showing an example of a process of generating a normal pattern from a divided ID sequence. FIG. 4A illustrates an example (right) of a sequence of ID sequences and an example (right) FIG. 4B shows an example (right) of a pattern extracted from an example (left) sequence of SEQ IDs.

It is to be understood that the specific structural or functional description of embodiments of the present invention disclosed herein is for illustrative purposes only and is not intended to limit the scope of the inventive concept But may be embodied in many different forms and is not limited to the embodiments set forth herein.

The embodiments according to the concept of the present invention can make various changes and can take various forms, so that the embodiments are illustrated in the drawings and described in detail herein. It should be understood, however, that it is not intended to limit the embodiments according to the concepts of the present invention to the particular forms disclosed, but includes all modifications, equivalents, or alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various elements, but the elements should not be limited by the terms. The terms may be named for the purpose of distinguishing one element from another, for example, without departing from the scope of the right according to the concept of the present invention, the first element may be referred to as a second element, The component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that no other element exists in between. Other expressions that describe the relationship between components, such as "between" and "between" or "neighboring to" and "directly adjacent to" should be interpreted as well.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having" and the like are used to specify that there are features, numbers, steps, operations, elements, parts or combinations thereof described herein, But do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning of the context in the relevant art and, unless explicitly defined herein, are to be interpreted as ideal or overly formal Do not.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings attached hereto.

1 shows a communication system according to an embodiment of the present invention. The communication system 10 may refer to a vehicle communication system, specifically, a CAN (Controller Area Network) communication system. However, the present invention is not limited to the type of the communication system 10, and the communication system 10 may be a CAN (Flexible Data Rate), a FlexRay, a Local Interconnect Network (LIN) Oriented Systems Transport) communication system.

Referring to FIG. 1, a communication system 10 includes a plurality of ECUs (Electronic Control Units), a detection device 100, and a bus 12. Although only four ECUs (ECU A to ECUD) are shown in FIG. 1, the number of ECUs included in the communication system 10 may be n (n is a natural number of 2 or more).

The plurality of ECUs includes a first ECU (ECU A), a second ECU (ECUB), a third ECU (ECUC), and a fourth ECU (ECUD). The bus 12 may also include two communication lines, CAN-H (or CAN High) and CAN-L (or CAN Low). In this case, when a value of a digital '0' (dominant state) is transmitted, a voltage of about 3.5 V can be applied to the CAN-H and a voltage of about 1.5 V can be applied to the CAN- CAN-H and CAN-L can have a voltage of about 2.5V.

The detection device 100, which may be called an abnormality detection device of a vehicle, an abnormality detection device, or the like, may be implemented as a kind of ECU. Detector 100 may monitor a message, e.g., a CAN message, that is generated or transmitted within communication system 10 to detect anomalies in the vehicle.

1, the detection apparatus 100 is shown and described as being part of the configuration of the communication system 10. However, the detection apparatus 100 may be implemented separately from the communication system 10, depending on the embodiment. Specifically, when the communication system 10 is a CAN communication system, the detection device 100 may receive a message from the communication system 10 via a predetermined terminal, for example, an OBD-2 (On Board Diagnostics) terminal.

Each of the plurality of ECUs can control the operation of the corresponding electronic device and can communicate with other ECUs via the bus 12. [ At this time, each of the plurality of ECUs may include a transceiver for transmitting or receiving a message, and the transceiver may be implemented separately from the corresponding ECU according to an embodiment.

The ECUs are connected to the bus 12, for example a CAN communication bus, and can communicate in a broadcast manner. When an ECU that wants to transmit data (or a message) broadcasts to the bus 12 including the ID of the receiving ECU and the information to be transmitted in the CAN data standard, all the ECUs connected to the bus 12 receive it, Only the ECU corresponding to the ID of the receiving ECU included in the CAN data processing unit processes the CAN data.

FIG. 2 shows an example of a data frame of the CAN protocol according to an embodiment of the present invention.

2, a data frame (or a CAN message) includes a Start of Frame (SOF) field, an ID (arbitration) field, an RTR field, a Control field, a Data field, a CRC field, an ACK field, and an End of Frame (EOF) Field.

The SOF field is a field indicating the start of a data frame and is assigned 1 bit, and the ID field indicates ID information capable of identifying the sender of the data frame and 11 bits can be allocated. The RTR field is a field that distinguishes between a remote frame and a data frame. One bit is assigned to the RTR field. The signal type for a remote frame is 1, and the signal type for a data frame is 0. In the present invention, the ID of the ECU that has transmitted the CAN message can be extracted using the ID of the sender included in the ID field. In the present specification, the ID can refer to the ID of the ECU that transmitted the CAN message.

A total of 6 bits are assigned to the Control field. Of these bits, 2 bits output a fixed value '00' as a reserved bit, and the remaining 4 bits can indicate the data length of a subsequent Data field.

The Data field indicates data of a data frame, and a maximum of 64 bits can be allocated. 16 bits are assigned to the CRC field, 15 bits (CRC Sequence) means the CRC value of the data frame, 1 bit (CRC delimiter) means the end of the CRC value, and a fixed value '1' can be output.

2 bits are allocated to the ACK field, and information indicating whether data is received is displayed. In other words, if an arbitrary data sender loads a data frame containing specific data on the CAN bus 12, all the ECUs connected to the CAN bus 12 determine whether the data currently stored on the CAN bus 12 is data necessary for itself And if it is determined that the necessary data is received, the data stored in the CAN bus 12 is received. At this time, the ECU that has received the data transmits to the ACK field of the data frame output by the data sender information indicating that it has received the data, so that the data sender does not continue to output the same data. That is, the data output by an arbitrary data sender can be fed back to itself after being loaded on the CAN bus 12, and it is determined whether to retransmit the same data based on the information in the ACK field of the data frame to be fed back . 1 bit (ACK slot) is the ACK bit, and the remaining 1 bit (ACK delimiter) means the end of the ACK value and outputs the fixed value '1'.

Finally, 7 bits are allocated to the end of frame (EOF) field indicating the end of the frame, and the fixed value '1111111' is output.

It will be apparent to those skilled in the art that the above-described exemplary CAN data frame may vary depending on the embodiment.

3 is a functional block diagram of the detection device shown in Fig. FIG. 4A is a diagram showing an example of a process of generating a normal pattern from a divided ID sequence. FIG. 4A illustrates an example (right) of a sequence of ID sequences and an example (right) FIG. 4B shows an example (right) of a pattern extracted from an example (left) sequence of SEQ IDs.

1 to 4, the detection apparatus 100 may include at least one of the pattern generation unit 110 and the abnormality detection unit 130. According to an embodiment, the detection apparatus 100 includes a database , 150).

The pattern generating unit 110 receives messages sequentially generated during running, particularly during normal running, extracts the IDs of the transmitting ECUs from the respective messages, and extracts a predetermined pattern, for example, a normal pattern Normal running pattern) can be generated. Also, the generated pattern may be stored in the DB 150 by the pattern generation unit 110.

The abnormality detection unit 130 receives messages sequentially generated during the running (actual running) of the vehicle, extracts the IDs of the sending ECUs from the respective messages, and stores the extracted sequences of IDs and the IDs It is possible to detect the abnormality of the vehicle by comparing the pattern (or the traveling pattern).

The DB 150 may store at least one pattern related to a sequence of transmission IDs of generated messages. The pattern may be a pattern generated by the pattern generation unit 110 or a previously stored pattern.

Specifically, the pattern generating unit 110 includes a first message receiving unit 111, a first ID extracting unit 113, and a normal pattern generating unit 115.

The first message receiving unit 111 may receive CAN messages sequentially occurring in the communication system 10. [ The first message receiving unit 111 can receive CAN messages via the bus 12 of the communication system 10 or receive CAN messages via the OBD-2 terminal.

The first ID extracting unit 113 can extract the ID of the ECU that has transmitted each of the sequentially received CAN messages, that is, the transmission ID. The first ID extracting unit 113 can output an ID sequence.

The normal pattern generating unit 115 may generate a predetermined pattern, for example, a normal pattern (or normal traveling pattern) from the ID sequence output from the first ID extracting unit 113. [ The generated normal pattern can be stored in the DB 150.

The specific operation of the normal pattern generating unit 115 is as follows.

First, the normal pattern generation unit 115 can divide the ID sequence into ID sequences (for example, ID sequences including k IDs (k is a natural number of 2 or more)) in a predetermined unit. One example of the divided ID sequence is shown in Fig. 4A (left).

Next, the normal pattern generation unit 115 may rearrange each of the divided ID sequences using a sequence alignment technique, specifically, a multiple sequence alignment technique. One example of sequence sequences is shown in FIG. 4A (right).

Finally, the normal pattern generating unit 115 may generate a predetermined pattern from the sequence sequences. The normal pattern generating unit 115 can generate only a pattern belonging to a predetermined length section in a normal pattern. The predetermined length section may mean a length in which the pattern should be included. An example of the extracted pattern is shown in Fig. 4B (right).

As described above, the normal pattern generation unit 115 can generate a plurality of normal patterns by repeating the above-described process.

The anomaly detection unit 130 includes a second message reception unit 131, a second ID extraction unit 133, and a similarity calculation unit 135.

The second message receiving unit 131 may receive CAN messages sequentially occurring in the communication system 10. [ The first message receiver 131 can receive CAN messages via the bus 12 of the communication system 10 or receive CAN messages via the OBD-2 terminal.

The second ID extracting unit 133 can extract the ID of the ECU that has transmitted each of the sequentially received CAN messages, that is, the transmission ID. The second ID extracting unit 133 can output an ID sequence.

The similarity calculation unit 135 calculates the similarity between the ID sequence output from the second ID extraction unit 133 and at least one normal pattern stored in the DB 150, Can be determined. The similarity may mean an edit distance. The editing distance means the number of operations (correction, insertion, or deletion) required to make the input character string and the comparison character string equal, and is also referred to as a distance. It can be defined that the smaller the number of operations (i.e., the lower the distance) is, the higher the similarity is.

The specific operation of the similarity calculation unit 135 is as follows.

First, the similarity calculation unit 135 extracts ID sequences including a predetermined number of IDs. The similarity calculation unit 135 may receive an ID sequence including a predetermined number of IDs outputted from the second ID extraction unit 133. [

Next, the similarity calculation unit 135 may calculate an edit distance between the extracted ID sequence and each of the plurality of normal patterns stored in the DB 150. At this time, the edit distance having the smallest value can be regarded as the similarity between the extracted ID sequence and the normal pattern.

Table 1 below shows an example of calculating the edit distance between an arbitrary ID sequence ({27, 17}) and an arbitrary normal pattern ({31, 17, 52, 41}).

Number of times Operation Type Before change after change Input sequence Comparison sequence 0 Initial state {27, 17} {31, 17, 52, 41} One Modified 27 31 {31, 17} {31, 17, 52, 41} 2 insertion none 52 {31, 17, 52} {31, 17, 52, 41} 3 insertion none 41 {31, 17, 52, 41} {31, 17, 52, 41}

An operation of modifying the ID "27" included in the input sequence {27, 17} to "31" in order to make the input sequence {27, 17} equal to the comparison sequence {31, 17, 52, 41} need.

Next, by performing two insert operations for inserting the ID "52" and the ID "41" into the sequence {31, 17}, the input sequence {27, 17} }. ≪ / RTI > Therefore, the editing distance between the input sequence {27, 17} and the comparison target sequence {31, 17, 52, 41} is "3".

Table 2 below shows an example of calculating the edit distance between an arbitrary ID sequence {27, 17, 33, 41} and an arbitrary normal pattern {31}.

Number of times Operation Type Before change after change Input sequence Comparison sequence 0 Initial state {27, 17, 33, 41} {31} One delete 41 delete {27, 17, 33} {31} 2 delete 33 delete {27, 17} {31} 3 delete 17 delete {27} {31} 4 Modified 27 31 {31} {31}

41, 33, and 17 included in the input sequence {27, 17, 33, 41} to make the input sequence {27, 17, 33, 41} equal to the comparison sequence { An operation of correcting ID "27" to "31 " Therefore, the editing distance between the input sequence {27, 17, 33, 41} and the comparison target sequence {31} is "4".

Table 3 below shows an example of calculating the edit distance between an arbitrary ID sequence {27, 17, 33, 41} and an arbitrary normal pattern {31, 17, 52, 41}.

Number of times Operation Type Before change after change Input sequence Comparison sequence 0 Initial state {27, 17, 33, 41} {31, 17, 52, 41} One Modified 27 31 {31, 17, 33, 41} {31, 17, 52, 41} 2 Modified 33 52 {31, 17, 52, 41} {31, 17, 52, 41}

27 and 33 included in the input sequence {27, 17, 33, 41} in order to make the input sequence {27, 17, 33, 41} equal to the comparison sequence {31, "To" 31 "and" 52 ". Therefore, the editing distance between the input sequence {27, 17, 33, 41} and the comparison target sequence {31, 17, 52, 41} is "2".

Finally, if the similarity between the extracted ID sequence and the normal pattern stored in the DB 150 is smaller than a predetermined similarity, the similarity calculation unit 135 stores the extracted ID sequence in the DB 150 If the edit distance between the normal patterns is larger than the predetermined edit distance, the state of the vehicle can be determined as "abnormal state ". According to the embodiment, the similarity calculation unit 135 may display a notification message (not shown) to inform the driver of the state of the vehicle through a display device or a speaker included in the detection device 100 or separately from the detection device 100, Or output a notification sound.

Each of the configurations of the detection apparatus 100 shown in FIG. 3 indicates that it is functionally and logically separable, and does not necessarily mean that each configuration is divided into separate physical devices or written in separate codes The average expert in the field of the invention will readily be able to deduce.

Also, in this specification, "part" may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, the above-mentioned "part" may mean a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and it does not necessarily mean a physically connected code or a kind of hardware .

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

10: Communication system
100: Detector
110: pattern generator
111: first message receiver
113: First ID extracting unit
115: normal pattern generating unit
130: abnormality detection unit
131: second message receiver
133: Second ID extracting unit
135:
150: DB

Claims (9)

A detection device comprising a pattern generation section,
Wherein the pattern generator comprises:
A first message receiver for receiving a plurality of messages sequentially occurring in the communication system;
A first ID extractor for extracting a transmission ID from each of the plurality of messages and outputting an ID sequence; And
And a normal pattern generation unit for generating a pattern of IDs from the ID sequence,
Detector.
The method according to claim 1,
Wherein the communication system is a vehicle communication system,
Each of the plurality of messages is a CAN (Controller Area Network) message,
Detector.
The method according to claim 1,
Wherein the normal pattern generator generates a pattern of the ID using a sequence alignment technique,
Detector.
The method according to claim 1,
Wherein the normal pattern generating unit comprises:
Generating a plurality of divided ID sequences by dividing the ID sequence into predetermined units and generating a pattern of the ID by rearranging each of the plurality of divided ID sequences;
Detector.
The method according to claim 1,
The detection device further includes an abnormality detection unit,
Wherein the abnormality detecting unit comprises:
A second message receiver for receiving a plurality of second messages sequentially occurring in the communication system;
A second ID extractor for extracting a transmission ID from each of the plurality of second messages and outputting a second ID sequence; And
And a similarity calculating unit for comparing the second ID sequence with each of a plurality of ID patterns stored in advance,
Detector.
6. The method of claim 5,
The similarity calculation unit calculates an edit distance of each of the second ID sequence having a predetermined length and each of the plurality of ID patterns and determines an edit distance having the smallest value among the calculated edit distances as a degree of similarity ,
Detector.
The method according to claim 6,
Wherein the similarity calculation unit determines the state of the vehicle as an abnormal state when the value of the similarity is greater than a predetermined value,
Detector.
An abnormality detection device comprising:
Wherein the abnormality detecting unit comprises:
A message receiver for receiving a plurality of messages sequentially occurring in the communication system;
An ID extractor for extracting a transmission ID from each of the plurality of messages and outputting an ID sequence; And
And a similarity calculation unit for determining whether the vehicle is abnormal by comparing the ID sequence with a plurality of ID patterns stored in advance,
Wherein the similarity calculation unit calculates an editing distance of each of the ID sequence having a predetermined length and each of the plurality of ID patterns and determines an editing distance having the smallest value among the calculated editing distances as the similarity,
Detector.
9. The method of claim 8,
Wherein the similarity calculation unit determines the state of the vehicle as an abnormal state when the value of the similarity is greater than a predetermined value,
Detector.

Images