KR20180137306A - Method and System for detecting hacking attack based on the CAN protocol - Google Patents

Abstract

According to an embodiment of the present invention, provided is a method for detecting a hacking attack based on CAN communication for a method for detecting an abnormal message based on CAN communication. The method for detecting a hacking attack based on CAN communication comprises: a step of obtaining a receiving time of a receiving message; a receiving filter step of performing period calculation comparing a reference period of a corresponding message ID with a difference between receiving times of receiving messages having the same message ID; an abnormal message detecting step of determining the receiving message as an abnormal message when the difference between the receiving times is smaller the reference period according to a result of the period calculation, and determining the receiving message as a normal message when the difference is greater than the reference period; and a blocking step of blocking the abnormal message.

Description

[0001] The present invention relates to a method and a system for detecting a hacking attack based on CAN communication,

The present invention relates to a CAN communication-based hacking attack detection method and system for detecting an abnormal message by comparing reception periods of reception messages with reference periods using reception time information of a reception message transmitted via a CAN bus.

In general, according to the remarkable development of electronic control technology, various devices which are operated by a mechanical method in an automobile are driven by an electric method for convenience of driver and safety of operation, and automobile systems are gradually advanced It is becoming more advanced. Particularly, as the system of the vehicle becomes electronic, communication among the in-vehicle controllers is also frequently performed. CAN (Controller Area Network) communication is generally used for intra-vehicle communication.

That is, the electronic control system in the automobile is composed of dozens of electronic control units such as an engine controller, a transmission controller, a brake controller, and an air bag controller. In addition, each electronic controller has a CAN controller for CAN communication, and the communication between these electronic controllers uses CAN communication.

Basically, according to a CAN (Controller Area Network) protocol-based message communication, a network is composed of a plurality of nodes (or a CAN controller) and a common CAN bus, each node transmits a message in a broadcast manner, Selects and receives a necessary message. That is, all CAN controllers (or nodes) send and receive messages using a common CAN bus. In addition, each CAN controller (or node) broadcasts messages to be transmitted to all nodes on the network in a broadcast manner. And provides its own arbitration function based on the message identifier. Specifically, each node or the CAN controller recognizes the identifier of the message, and receives only necessary messages among the broadcasted messages. That is, in the CAN communication, there is no field for authenticating the transmission destination of the message in the data frame of the message.

However, as described above, there is a security risk inherent in the CAN protocol by transmitting and receiving CAN (Controller Area Network) communication using only the broadcasting method and message identifier.

For example, because a CAN communication sends messages in a broadcast fashion, adding a malicious node to a CAN communication network can allow a malicious node to collect all messages sent by other nodes. The malicious node can then use the collected information to generate a fake message and send it to the CAN communication network. In the data frame of the CAN communication message, there is no separate field for authenticating the transmission object, so that the spoofing attack as described above is easily possible.

In addition, if the arbitration function based on the CAN message identifier is abused, a denial of service attack is also easily possible. An arbitration function based on an identifier is a function of assigning a priority to each identifier and preferentially transmitting a message to which a priority is assigned. Once an attacker (or malicious node) collects messages on the CAN communication network, it finds out the identifier with the highest priority (ID). Then, the attacker uses the identifier to create a fake message, and continuously transmits the message on the network. Since the fake message by the attacker has a high priority, other normal messages are not transmitted by the arbitration function by the CAN message identifier. If this state continues, only the attacker's message remains in the CAN communication network, resulting in a denial of service situation where other normal messages can not be delivered.

In particular, conventional vehicle electronic control systems based on CAN communication are connected to the same CAN bus with high security vulnerability devices and security critical devices. Therefore, if security devices (such as engine controller, brake controller, airbag controller, etc.) are stolen when high-security devices (telematics, AVN system, etc.) are secured to hackers due to high external network connectivity, There is a problem that can become a security threat.

In order to solve the above problems, there is proposed a technique of transmitting and receiving a message by exchanging encryption keys and encrypting only within a mutually-shared time window [Patent Document 1]. Also, there is proposed a technique of generating a secret key stream and encrypting it with a symmetric key method to transmit and receive a message [Patent Literatures 2 and 3]. In addition, a technique of providing an OTP (one-time password) ROM for generating an encryption key is also proposed (Patent Document 4). A technique for determining whether a hacking message is used by using the periodicity of a message in CAN communication has been proposed Literature 5].

However, since the above-mentioned prior art encrypts and transmits a message, an operation for encrypting or decrypting the message must be performed, and an encryption key or a secret key must be generated or exchanged for encryption communication. Since a computation time is required for such an encryption operation, there is a problem that the transmission and reception time of a message may be delayed.

Korean Registered Patent No. 10-1651648 (Announced 2016.08.29) Korean Patent Laid-Open No. 10-2011-0057348 (published on June 1, 2011) Korean Registered Patent No. 10-1413427 (Announced 2014.07.01) Korean Patent Publication No. 10-2016-0093764 (published on Aug. 20, 2016) Korean Registered Patent No. 10-1472896 (issued October 16, 2014)

An object of the present invention is to solve the above-mentioned problems, and it is an object of the present invention to provide a method and apparatus for detecting whether or not a received message is an abnormal message by using a periodic operation for comparing a reception time difference of received messages having the same message ID with a reference period A CAN communication based hacking attack detection method and system.

It is another object of the present invention to provide a CAN communication based hacking attack detection method and system for filtering a message received from a CAN bus, but filtering only a message having a valid receiving ID.

It is another object of the present invention to provide a CAN communication-based hacking attack detection method and system for filtering a message to be transmitted on a CAN bus, but filtering only a message having a valid transmission ID (ID).

According to an embodiment of the present invention, there is provided a method of detecting an abnormal communication message based on CAN communication, comprising: obtaining a reception time of a received message; A reception filter step for performing a periodic operation for comparing a difference in reception time of received messages having the same message ID with a reference period of a corresponding message ID; An abnormal message detection step of determining that the received message is an abnormal message when the difference in the reception time is smaller than the reference period as a result of the periodic operation and determining that the received message is a normal message if the difference is larger than the reference period; A blocking step of blocking the abnormal message; A CAN communication based hacking attack detection method is provided.

In the present invention, the step of acquiring the reception time of the reception message may include acquiring the reception time of the reception message measured by generating the interrupt signal by the microcontroller, or acquiring the reception time of the reception message measured by the CAN controller using the internal module The reception time can be obtained.

In the present invention, the reception filter step compares the difference between the reception time of the latest received message having the same message ID and the cycle of the corresponding message ID, If the difference between the first reception time and the third reception time is smaller than the reference period of the corresponding message ID, at least one reception message among the at least three reception messages may be determined as an abnormal message.

In the present invention, a detection score learning unit for correcting a detection score value using a result of the periodic calculation; Wherein the detection score learning unit performs the periodic operation every time a message is received, and when the difference in the reception time is smaller than the reference period as a result of the periodic operation, the detection score learning unit increases the detection score by a predetermined value And if the detection score is larger than a predetermined value, the received message is determined to be an abnormal message.

In the present invention, at least one of the reference period of the message ID and the learned detection score is stored in the protection memory, and the protection memory may be a ROM (Read Only Memory) or a nonvolatile memory of a flash memory.

A program recorded on a computer-readable recording medium for realizing the above-described method of the present invention is also provided.

According to another embodiment of the present invention, there is provided a CAN communication-based abnormal message detection system including a CAN controller and a microprocessor, the system comprising: a reception time measuring unit for obtaining a reception time of a received message; A reception filter unit for performing a periodic operation for comparing a difference between reception times of reception messages having the same message ID and a reference period of a corresponding message ID; An abnormal message detection unit for determining that the received message is an abnormal message when the difference in the reception time is smaller than the reference period as a result of the periodic operation and determining that the received message is a normal message if the difference is larger than the reference period; A CAN communication-based abnormal message detection system is provided.

As described above, according to the CAN communication-based hacking attack detection method and system according to the present invention, an electronic control unit (ECU) connected to an automobile CAN bus detects abnormality among CAN messages received from a CAN bus A message (a hacking attack message, a malicious message) can be detected or blocked.

According to the method and system for detecting a hacking attack based on CAN communication according to the present invention, it is possible to prevent a hacking attack in which an electronic control unit (ECU), which has been hijacked by a hacker, has transmitted an attack (abnormal) It is possible to prevent the abuse by the tool. In particular, it is possible to detect or block unknown attack messages as well as known attack methods.

In addition, according to the method and system for detecting a hacking attack based on CAN communication according to the present invention, by providing a direct detection and blocking system in an electronic control unit (ECU) connected to a CAN bus, a secure CAN communication environment built in a semiconductor form is provided Therefore, it is possible to apply the present invention to the internal network of the existing automobile without any change in accordance with the international standard for automobile communication.

In addition, according to the method and system for detecting a hacking attack based on CAN communication according to the present invention, a processor capable of controlling an electronic control device connected or embedded in an electronic control unit (ECU) It is possible to filter.

1 is a block diagram of a configuration of an overall system for implementing the present invention.
2A and 2B are block diagrams of a configuration of a CAN controller according to an embodiment of the present invention.
3 is a configuration diagram of a transmission / reception message of a CAN message according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a method of setting a filter value according to an embodiment of the present invention in a time-series manner. FIG. 5 is a diagram illustrating a configuration for filtering transmission data according to an embodiment of the present invention. .
6A and 6B are views for explaining a configuration in which a reception filter unit filters a received message according to an embodiment of the present invention.
FIGS. 7, 8A and 8B are time-series views illustrating a method of filtering received data according to an embodiment of the present invention.
9 and 10 are views for explaining an embodiment in which the method of the present invention is performed by an auxiliary controller.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the drawings.

In the description of the present invention, the same parts are denoted by the same reference numerals, and repetitive description thereof will be omitted.

First, an example of the overall system configuration for implementing the present invention will be described with reference to FIG.

As shown in FIG. 1, the overall system for implementing the present invention comprises a CAN network 50 for transmitting and receiving data, and a plurality of controllers 10 connected to a CAN bus 50 . At this time, the CAN network of the present invention can be extended not only to a general CAN network but also to an extended CAN (Extended CAN) and a CAN-Flexible Data-Rate (CAN) FD.

The CAN bus 50 is a communication line for data transmission, and is preferably composed of a twisted pair wire. At this time, the two lines constituting the twisted pair are driven by different signals (CAN_H, CAN_L). The transmission speed on the CAN bus 50 may vary depending on the length of the bus.

Further, the CAN bus 50 is divided into a transmission line Tx and a reception line Rx, and each controller 10 transmits a message to the transmission line Tx and receives the message from the reception line Rx. In particular, all the controllers 10 are connected to the common transmission and reception lines Tx and Rx of the CAN bus 50 to transmit and receive messages.

A plurality of controllers (ECUs) 10 or first to Nth controllers 10 may be connected to the CAN bus 50 via a predetermined CAN connector and may theoretically be connected to one CAN network The maximum number of controllers is 2032.

The controller (ECU) 10 can be divided into controllers that are directly exposed to security risks connected with external communication networks such as a smart phone, the Internet, and a traffic information system, and relatively safe controllers because there is no direct connection with an external communication network have.

The former controllers 10 are multimedia can (CAN), controllers related to telematics, navigation and the like. These controllers are connected to an external communication network such as a smart phone, the Internet, and a traffic information system to perform data communication. Thus, these controllers 10 are controllers accessible from an external terminal or system.

On the other hand, the latter controllers are mainly conventional conventional controllers, and are controllers for controlling the in-vehicle system. For example, controllers related to powertrain such as engine, transmission, etc .; Controllers associated with the chassis such as braking devices, steering devices, airbags, etc.; Clusters, doors, windows, and so on. These are usually referred to as P-CAN, C-CAN, and B-CAN, respectively.

Each controller 10 includes a CAN transceiver 20, a CAN controller 30, and a microcontroller (CPU) 40. The CAN transceiver 20 is connected to the CAN bus 50 via a predetermined CAN connector and constitutes the physical layer of the controller. The CAN transceiver 20 can provide functions of detecting and managing the failure of the CAN bus 50 and transmitting and receiving a message.

The CAN controller 30 transmits and receives a CAN protocol message and performs a message filtering function on the received message. In addition, the CAN controller 30 provides a message buffer for retransmission control and an interface function with the microcontroller 40.

The microcontroller 40 can be equipped with a CPU, can provide an upper layer protocol and can provide various applications.

2A and 2B are block diagrams illustrating an internal configuration of the CAN controller 30 according to an embodiment of the present invention.

The embodiments of FIGS. 2A and 2B are diagrams for illustrating the internal configuration of the CAN controller 30, but there is a difference only in the configuration for measuring a received message. Therefore, repeated description in the description of Figs. 2A and 2B will be omitted.

2A, the CAN controller 30 according to the present invention includes a transmission buffer unit 31 for temporarily storing data to be transmitted, a transmission filter unit 32 for filtering transmission data, a filter value A setting unit 33, a reception filter unit 35 for filtering the reception message, and a reception buffer unit 36 for temporarily storing the reception message. It further comprises a protection memory 38 for additionally storing filter values.

According to an embodiment of the present invention, when detecting a reception message from the CAN bus, the microcontroller 40 can generate an Rx (reception) interrupt message, and the reception time measurement unit 41, which receives the Rx interrupt message, The reception time of the received message may be measured based on the timer or the clock information and the measured reception time may be transmitted to the reception filter unit 35. [ Although the reception time measuring unit 41 is shown as an external configuration of the microcontroller 40 in FIG. 2A for the sake of convenience, the reception time measuring unit 41 may be included in the microcontroller 40.

The transmission buffer unit 31 has a buffer and temporarily stores data to be transmitted in the buffer. In particular, the microcontroller 40 stores the data (or transmission data) to be transmitted in the buffer of the transmission buffer unit 31. [

FIG. 3 illustrates a structure of transmission data according to an embodiment of the present invention.

As shown in FIG. 3, the transmission data is composed of a CAN header 210 part and a CAN payload part 220 which is a data frame part. The CAN payload 220 records information to be transmitted. For example, in the case of the engine controller (ECU) 10, data on the current state of the engine and the like are recorded in the CAN payload 220 field. The standard of the message conforms to the standard defined by the CAN protocol.

In the CAN header 210 of the transmission data, there is a message ID (ID) field 211, and the ID of the message is recorded in the corresponding field. The message ID (ID) is an identifier of the message, and indicates the type of the message. For example, a message that transmits an RPM of an engine is periodically transmitted, wherein the RPM transmission message has the same message ID (ID). That is, the controller 10 receiving the message confirms what data the corresponding message has via the message ID (ID).

The transmission buffer unit 31 sequentially stores the transmission data composed of the header 210 and the payload 220 in the buffer and stores the transmission data in the order received by the microcontroller 40, Via the CAN transceiver 20.

 Next, the transmission filter unit 32 filters the message ID 211 in the transmission data, and transmits only the transmission data having the message ID included in the filter value. That is, the transmission filter unit 32 holds a white list of the message IDs permitted to be transmitted, and transmits only the transmission data having the message IDs in the white list.

That is, the transmission filter unit 32 performs filtering by comparing the message ID of the transmission data with the whitelist.

Next, the filter value setting unit 33 sets the filter value of the transfer filter unit 32, that is, the white list. The mode for setting a filter value is composed of two modes, one is a protection function mode and the other is an administrator mode (or a test mode).

In the manager mode, the filter value setting unit 33 sets a filter value or a white list according to a direct instruction from the microcontroller 40. [ That is, the filter value setting unit 33 receives the allowed message ID list (or white list) from the microcontroller 40, and sets the received message IDs as filter values of the transmission filter unit 32.

In the protection function mode, the filter value setting unit 33 fetches the message ID list or the whitelist stored in the protection memory 38, and sets the message ID list or the white list as the filter value of the transmission filter unit 32. Preferably, when the CAN controller 30 is first turned on (or booted), the filter value setting unit 33 fetches the whitelist stored in the protection memory 38 and sets the whitelist to the filter value do. The filter value setting unit 33 does not change the filter value in the middle of driving by the instruction of the microcontroller 40 or the like once the filter value is initially set.

 Therefore, since the filter value is set to be taken from the protection memory 38 only when the initial drive is performed, the filter value is not changed even if the controller 10 is hacked by a malicious attacker in the middle.

The filter value setting unit 33 can set a filter value of the reception filter unit 35, that is, a white list. The white list of the transmission filter unit 32 will be referred to as a first white list and the white list of the reception filter unit 35 will be referred to as a second white list. The second whitelist, like the first whitelist, has a list of message IDs that are allowed to be received.

The filter value setting unit 33 fetches the second white list from the protection memory 38 or the microcontroller 40 and sets the filtering value to the reception filter unit 35. [ In the protection function mode, the filter value of the reception filter unit 35 is initially set at once, and is not changed in the middle of driving.

The filter value setting unit 33 sets the reference period for each received message ID as the period of the reception time table of the reception filter unit 35. [ The set reference period is a period in which a message corresponding to each message ID is transmitted. When the message is transmitted by a sender having an appropriate authority, the received messages can be received at a reference period interval. Preferably, the reference period is set once at the beginning, and is not changed in the middle of the driving, and the filter value setting unit 33 can obtain the reference period corresponding to each message ID from the protection memory 38. [

Next, the protection memory 38 is a non-volatile memory such as a ROM (Read Only Memory) or a flash memory, and stores a filter value or a message ID list.

The protection memory 38 is a memory for which only the read function is allowed for the filter value setting unit 33. [ That is, the filter value setting unit 33 or the microcontroller 40 can not directly access the protection memory 38 to change or delete data.

Preferably, the protection memory 38 is constituted by a normal nonvolatile memory, and a part of the memory space can be designated as a protection area. In this case, only the data stored in the memory of the protection area is allowed to be read, and data in the area other than the protection area can be changed or deleted.

Protected memory or a protected memory area (protection area) is not accessible as a memory address value, like normal non-volatile memory (eg flash memory), and special access and passwords are required for read / need.

The following information is stored in the protected memory or protection area. That is, the valid transmission message IDs, i.e., the first whitelist. That is, the message IDs contained in the first white list are valid CAN IDs that can be transmitted to the CAN bus in the electronic controller to which the " secure CAN controller (or protection mode) "

The second white list is also a set of valid CAN IDs that can be received from the CAN bus 50 in the electronic controller 10 to which the " safe CAN controller (or protection mode) "

Further, preferably, the protection memory 38 also records information on the reference period for each of the receiving CAN IDs and the learned detection score to be described later.

Next, the reception time measurement unit 41 measures the reception time of the data received from the CAN transceiver 20 (hereinafter, the reception message in this specification). 2A, the reception time measuring unit 41 may receive the Rx interrupt signal generated by the microcontroller 40 and measure the reception time of the reception message. At this time, the reception time measuring unit 41 can measure the reception time based on a timer or a clock signal in the microprocessor, and transmits the measured reception time to the reception filter unit 35. [

Next, the reception filter unit 35 performs filtering on the message ID of the received message, and transmits only the received message having the allowed message ID to the reception buffer unit 36 to buffer the received message. Specifically, the reception filter unit 35 filters the message ID 211 in the received message, and receives only the received message having the message ID included in the filter value. That is, the reception filter unit 35 holds a second white list of the message IDs permitted to be received, and receives only the reception messages having the message IDs in the second white list. That is, the reception filter unit 35 performs filtering by comparing the message ID of the received message with the second white list.

In addition, the reception filter unit 35 determines whether an abnormal message is generated by performing a periodic operation to compare the difference between the reception times of reception messages having the same message ID and the reference period of the corresponding message ID, (36) and buffers them. More specifically, the reception filter unit 35 records the reception time inserted in the reception message into the reception time table for each message ID. Preferably, all the reception times of at least three consecutively received messages are recorded, and the difference between the reception times of the received messages and the reference period is compared to determine whether the message is a normal message. At this time, the three consecutive reception times are the reception times of the reception message having the same message ID.

The reception period of received messages received in this specification may not necessarily be the time interval between adjacent received messages. For example, the difference in the reception time of the reception messages of the present invention may be the difference between the first reception time and the third reception time among the three consecutive reception times. Specifically, when the difference between the first reception time and the third reception time is shorter than the reference period, the reception filter unit 35 determines that at least one of the received three reception messages is an abnormal message do.

A specific configuration in which the reception filter unit 35 detects an abnormal message through ID filtering or reception time period analysis will be described in more detail with reference to FIGS. 6A and 6B.

Next, the reception buffer unit 36 stores the reception message in the reception buffer. Only the reception message filtered by the reception filter unit 35 is stored in the reception buffer. The received message stored in the reception buffer unit 36 is transmitted to the microcontroller 40.

On the other hand, FIG. 2B shows the configuration of the controller 10 when the CAN controller 30 itself measures the reception time of the received message.

2B, since the reception time of the received message is directly measured by the CAN controller 30, unlike the embodiment of FIG. 2A, which measures the reception time of the received message by the Rx interrupt signal of the microcontroller 40, The configuration of the reception time measuring unit 41 of FIG. 2A can be omitted. Instead, in the embodiment of FIG. 2B, a configuration for measuring the reception time of a received message may be separately provided in the CAN controller 30. FIG. This will be described later in more detail with reference to FIG. 6B.

In the embodiment of FIG. 2B, other configurations are the same as those of FIG. 2A except that the reception time of the reception message is measured by the CAN controller 30 itself, so the description of the redundant configuration is omitted .

4 is a time-series diagram illustrating a method of setting a filter value according to an exemplary embodiment of the present invention.

As shown in FIG. 4, first, the CAN controller 30 or the filter value setting unit 33 determines whether the protection function mode is activated (S10). The determination whether or not the protection function mode is activated is performed in a step of initializing the CAN communication.

If the protection function mode is activated, the white list stored in the protection area in the protection memory 38 or the protection memory 38 is fetched and set as a transmission filter value or a reception filter value (S20). The whitelist is a list of message IDs (IDs) that are allowed to be transmitted or received. Preferably, the white list is divided into a transmission filter and a reception filter separately, and a transmission filter value and a reception filter value are set separately from each other.

If the protection function mode is not activated, the transmission filter value or the reception filter value may be set according to an instruction of the microcontroller 40, as an administrator mode or a test mode (S30). Specifically, the microprocessor 40 receives the filter value through SPI (Serial Peripheral Interface) communication according to an instruction from the microcontroller 40, and sets a transmission filter value or a reception filter value. Alternatively, a filter value (or white list) is temporarily stored in a register (not shown) using a register provided in the controller 10, and a transmission filter value or a reception filter value is set as a value stored in the register do.

5 is a view for explaining a configuration in which a transmission filter unit filters transmission data according to an embodiment of the present invention.

 As shown in FIG. 5, the transmission filter unit 32 according to the present invention includes a transmission register 321 for temporarily storing transmission data, a transmission filter 322 in which a plurality of filters are recorded, And a comparator 324 for comparing the transmission filter value with the transmission register 321. The multiplexer 323 multiplexes the transmission filter value with the transmission register 321,

That is, in the transfer register 321, transfer data fetched from the transfer buffer unit 31 is temporarily stored. In addition, the transmission filter 322 stores a plurality of filter values or a whitelist, and only one filter value is selected by the multiplexer 323. The comparator 324 performs filtering by comparing the message ID and the filter value in the transmission data of the transmission register 321. The result of the comparator 324 controls the transmission register 321 to be transmitted to the CAN transceiver 20 or blocked.

In particular, the transport filter 322 is set at the time of initialization, and the filter values are valid message IDs that can be transmitted. Thus, the comparator 324 causes the transfer data of the transfer register 321 to be transferred to the CAN transceiver 20 only if at least the same result is obtained. Therefore, if the result of the determination is the same as any filter value of the transmission filter 322, the transmission data is not transmitted to the CAN transceiver 20. That is, since it has an invalid message ID, the corresponding transmission data is blocked.

6A and 6B are views for explaining a configuration in which a reception filter unit filters a received message according to an embodiment of the present invention.

First, FIG. 6A shows the detailed configuration of the reception filter unit 35 when the microcontroller 40 generates the Rx interrupt signal to measure the reception time, following the embodiment of FIG. 2A.

As shown in FIG. 6A, the reception filter unit 35 includes a cyclic operation circuit unit 352 that compares the difference in reception time and a cycle, an abnormal message detection unit that detects an abnormal message using a reception filter and a cyclic operation result 353), a detection score learning section (354) for applying a learning algorithm to the result of periodic calculation, an ID filter table (358) for recording IDs allowed to be received, and a reception time table (359) do. Specifically, the ID filter table 358 is configured as a storage space for recording the reception ID filter allowed to be received, and the reception time table 359 comprises a storage space for recording the message ID, the reference period, and the reception time. Preferably, the ID filter table 358 and the reception time table 359 may be comprised of a two-dimensional register, memory, cache, or the like.

First, the ID filter table 358 receives the received message and compares the ID value of the received message with the received ID filter allowed to be received stored in the table, thereby filtering the received message. At this time, the reception ID filter which is allowed to receive the ID filter table 358 may be obtained from the protection memory 38.

The reception time table 359 may also include a reference period of the received message obtained from the protection memory 38. [ In this case, the reference period may be a value expected by a time difference between received messages when normal messages are received. In addition, the reception time of the reception message may be recorded in the reception time table 359 based on the reception message in which the reception time measured by the reception time measurement unit 41 is inserted. As described above, the microcontroller 40 according to an embodiment of the present invention can generate an Rx interrupt signal when the controller 10 receives a message from the CAN bus, The measuring unit 41 may measure the reception time of the reception message and provide the measured reception time to the reception filter unit 35. [

At this time, the reception time has at least three fields. Each field stores the reception time. Preferably, the field of the reception time consists of at least three shift registers, and the stored value is shifted forward as the received message of the corresponding message ID is received. That is, the first reception time received last is discarded, the second reception time is shifted to the first shift register, and the third data is shifted to the second shift register. And the last receive register stores the latest receive time.

Next, the periodic operation circuit unit 352 compares the difference between the reception period of the reference period and at least three reception messages recorded in the reception time table 359, and outputs the resultant value. Preferably, the periodic operation circuit 352 calculates the difference between the first reception time and the third reception time, and outputs the result in comparison with whether the calculated reception time difference is smaller than the period. On the other hand, the periodic operation circuit unit 352 includes a subtracter for calculating a comparison between the difference of the reception time and the reference period.

The CAN communication control system of the present invention is based on a real-time operating system, and the electronic control related CAN messages of the controller 10 can be periodically transmitted. At this time, a plurality of CAN IDs may be assigned to one controller 10, and messages having an electronic control related CAN ID may be periodically transmitted to the CAN bus by updating related information periodically. Therefore, an abnormal message such as a malicious message caused by a hacking attack is highly likely to collide with a normal message periodically. In consideration of this point, the periodic operation circuit 352 can compare the reception time difference of the received messages with a predetermined period. In the present invention, when the difference in the reception time of the received messages is smaller than the reference period, the cyclic operation result satisfies the blocking condition, and the received message is determined to be an abnormal message.

More specifically, the periodic operation circuit unit 352 calculates the reception times T1, T2, and T3 (the reception time of the most recently received message T3) according to the order in which three messages are sequentially received for a specific CAN ID, , And the value of [T3-T1] can be calculated. In addition, the periodic operation circuit 352 can determine whether or not [T3-T1 < a predetermined cycle with respect to the corresponding CAN ID]. If the equation is satisfied, the cycle operation result can be regarded as satisfying the cutoff condition .

Next, the abnormal message detection unit 353 extracts the message ID of the received data, and searches whether or not the extracted message ID exists in the reception time table 359. If the extracted message ID does not exist in the reception time table 359, the abnormal message detection unit 353 blocks the received message.

The abnormal message detection unit 353 transmits or blocks the received message to the reception buffer unit 36 in accordance with the operation result of the periodic operation circuit unit 352. That is, when the difference in the reception time of the reception messages of the periodic operation circuit 352 is smaller than the reference period, the reception message is blocked. When the result is not small, it transmits the received message to the reception buffer unit 36.

In one embodiment, when [T3-T1 <predetermined period for the corresponding CAN ID], that is, when the cyclic operation result satisfies the blocking condition, the abnormal message detection unit 353 can determine that the abnormal message has occurred have. Alternatively, even if the cyclic operation result of the periodic operation circuit unit 352 satisfies the cutoff condition, the abnormal message detection unit 353 does not determine that the received message is an abnormal message, It can be determined that an abnormal message has occurred according to the detection score result.

On the other hand, in another embodiment of the present invention, the abnormal message detection unit 353 performs filtering on the message at the reception time only when the extracted message ID exists as the reception ID filter in the reception time table 359 The periodic operation circuit unit 352 can be controlled. That is, the abnormal message detection unit 353 can control the reception time filtering by the periodic operation circuit unit 352 only when the received message passes the ID filtering.

Also, according to an embodiment of the present invention, the CAN controller 30 may additionally include a detection score learning unit 354. [ The detection score learning unit 354 can further apply a detection learning algorithm to the period calculation result of the period calculation circuit unit 352. [

In this regard, there is a difficulty in judging a corresponding message as an abnormal message whenever the cyclic operation result by the cyclic operation circuit unit 352 as described above satisfies the set cutoff condition. Because of the characteristics of the embedded environment, the reception period of messages may be incorrect due to noise or the like even in the normal case. Therefore, in the present invention, it is possible to use a detection point learning algorithm that can more accurately detect an abnormal message in the periodic calculation.

More specifically, the detection score learning unit 354 increases the detection score for the corresponding CAN ID by a preset value every time the cycle calculation result of the cycle calculation circuit unit 352 satisfies the cutoff condition. If not satisfied, the detection score for the corresponding CAN ID is reduced by a predetermined value. In this way, the detection score can be adjusted every time a message is received. If the detection score is greater than a predetermined value, it can be determined that an abnormal message has been received definitively.

If it is determined that the abnormal message has been received, the abnormal message detection unit 353 blocks reception of the corresponding CAN ID, and does not receive the message of the corresponding CAN ID for a predetermined period or permanently, (For example, a limp home mode).

On the other hand, the detection score calculated by the detection score learning unit 354 can be stored in the nonvolatile memory. This is so that even if the controller 10 is reset due to a problem of the controller 10 itself, the learned detection score is not lost but reflected. In particular, the non-volatile memory area in which the detection score is stored may be a protected memory 38 area.

6B is a diagram showing the internal configuration of the reception filter unit 35 when the CAN controller 30 directly measures the reception time, following the embodiment of FIG. 2B.

As shown in FIG. 6B, the CAN controller 30 includes a reception time measurement unit 351 and can directly measure the reception time of the reception message and record the reception time in the reception time table 359 from this. In one embodiment of the present invention, the reception time insertion unit 34 may measure the reception time using a time triggering method. In one specific embodiment, the receive filter unit 35 can measure the receive time using a Time Triggered Controller Area Network (TTCAN) module in the can controller 30. The reception time measurement unit 351 transfers the measured reception time to the reception time table 359. [

2A and FIG. 6A, when the microcontroller 40 uses the method of measuring the reception time, there is an advantage that it can be easily implemented in a general microcontroller 40, Depending on the performance, there may be a slight difference in the reception time measured by the Rx interrupt signal and the point of time when the actual message is received. On the other hand, when the direct reception time is measured by the CAN controller 30 as in the embodiment of FIGS. 2B and 6B, a reception time measurement unit 351, which is a module for measuring reception time separately, is provided inside the CAN controller 30 However, since it is not dependent on the microcontroller 40, there is an advantage that the measurement time is more accurate than the method using the Rx interrupt signal without being affected by the load or the like.

According to an embodiment of the present invention, when the module functioning as the reception time measuring unit 351 is not included in the CAN controller 30 based on the embodiment of FIGS. 2B and 6B, And the receiving time of the received message can be measured using the embodiment of FIG. 6A.

FIGS. 7, 8A and 8B are time-series views illustrating a method of filtering received data according to an embodiment of the present invention. Hereinafter, a method for filtering a received message according to an embodiment of the present invention will be described in more detail with reference to FIGS. 7, 8A and 8B.

First, FIG. 7 shows the steps in a time series for filtering received messages with receive time filtering. More specifically, the CAN controller 30 receives the reception message (S110). Next, after receiving the reception message, the CAN controller 30 records the reception time in the reception time table (S120). At this time, according to the embodiment of the present invention, the CAN controller 30 acquires the time measured by the microcontroller 40 together with the received message, or the CAN controller 30 directly measures the receiving time of the received message. Also, the reception time shift register of the reception time table is shifted, the oldest reception time is discarded, and the current reception time is recorded as the latest reception time.

Further, the CAN controller 30 calculates the difference in the reception time of the reception filter of the message ID and compares the calculated reference time of the time difference reception time table (S130). Preferably, the difference (? T) between the first reception time and the third reception time is obtained, and the obtained difference is compared with the reference period (T).

If the reception time difference? T is smaller than the reference period T, the reception message is blocked (S160). According to the CAN communication protocol, the controller is required to transmit data at least once within the cycle time when transmitting data. Therefore, the period between the third reception time and the first reception time must be longer than the cycle time. If the difference between the first reception time and the third reception time is less than the period, it can be considered that the abnormal message is interrupted in the middle. That is, at least one of the first, second, and third messages may be an abnormal message. Accordingly, the CAN controller 30 determines that an abnormal message has been received, blocks the received data, or warns that an abnormal message has been detected.

Finally, when the difference in the reception time is larger than the reference period, the reception message is transmitted to the reception buffer (S150).

As shown in FIG. 7, unlike the embodiments of FIGS. 8A and 8B described later, all the CAN messages existing in the CAN network can be monitored based on the reception period without receiving ID filtering. So that it can be applied to a security gateway connected to the CAN bus 50 rather than the level of the individual controller 10.

Next, Figs. 8A and 8B are views showing a time-series method when receiving ID filtering and reception time filtering are performed together.

As shown in FIG. 8A, first, the CAN controller 30 receives a reception message (S210).

Next, the CAN controller 30 extracts the message ID from the received message and searches the ID filter table 358 for a matching ID filter (S220). The message ID is data stored in the CAN header of the received message, and is information on the identifier of the message. That is, the message ID is extracted from the CAN header 210 of the received message 200. And retrieves a received ID filter that matches the extracted message ID.

Next, if the matched reception ID filter is not present in the ID filter table 358, the reception message is blocked (S260). That is, the ID filter table 358 is a whitelist of the message IDs that are allowed to be received. Therefore, if the message ID does not exist in the corresponding white list, the received message is not an allowed message. Therefore, the received message is blocked.

On the other hand, after receiving the reception message, the CAN controller 30 records the reception time in the reception time table (S230). Hereinafter, a description overlapping with FIG. 7 will be omitted in connection with the reception time filtering.

Next, the CAN controller 30 calculates the difference in the reception time of the reception filter of the message ID and compares the calculated reference time of the time difference reception time table (S240). Preferably, the difference (? T) between the first reception time and the third reception time is obtained, and the obtained difference is compared with the reference period (T). If the reception time difference? T is smaller than the reference period T, the reception message is blocked (S260).

 If the ID filter table 358 matches the ID of the received message or if the difference in the received time is greater than the reference period, the received message is transmitted to the receiving buffer in operation S250.

8B is a time-series diagram illustrating a method of filtering received data according to another embodiment of the present invention. As shown in FIG. 8, first, the CAN controller 30 receives a reception message (S110).

8B, the ID filtering step S320 and the reception time filtering steps S330 and S340 are the same as in FIG. 8A. However, in the case of FIG. 8B, the reception time filtering is performed only when there is a matching reception ID new filter There is a difference in point. That is, FIG. 8B is a modification of FIG. 8A, which illustrates a configuration in which reception time filtering is performed only on messages that have passed the ID filtering step S320.

The present invention has been described above with the CAN controller 30 as the center. Meanwhile, in another embodiment of the present invention, a method related to the operation of the CAN controller 30 described in the above description can be implemented as an embodiment. In other words, according to another embodiment of the present invention, the operations of the CAN controller 30 described herein can be implemented as a method having a time series step, wherein the execution subject of the method is not necessarily the CAN controller 30 It is possible. For example, a method of performing the steps described in FIGS. 4, 7 and 8A and 8B may be an embodiment of the present invention. Device. &Lt; / RTI &gt;

At this time, the subject performing the method according to another embodiment of the present invention may be a processor embedded in the controller 10, wherein the commands stored in the processor are transmitted to the controller 10 and the CAN controller 30 ), It is advantageous that it can be applied not only to automobiles but also to electronic controllers of various fields using CAN communication such as construction heavy equipment and agricultural tractor. Alternatively, the subject performing the method according to another embodiment of the present invention may be a sub-controller connected to the controller 10 in the form of a connector of the H / W type, in which case only by connecting the sub-controller to the controller 10 Therefore, there is an advantage that it is unnecessary to change the H / W or S / W aspect. Alternatively, the subject performing the method according to another embodiment of the present invention is a semiconductor device embedded in the CAN controller 30, and the S / W of the semiconductor device can be designed to perform the method of the present invention. Alternatively, the subject performing the method according to another embodiment of the present invention may be a security gateway connected to the CAN bus, in which case the security gateway receives all CAN messages of the connected CAN bus network It can be filtered by periodic filtering.

9 and 10 are views for explaining an embodiment in which the method of the present invention is performed by an auxiliary controller.

Referring to FIG. 9, the controller 10 is connected to an auxiliary controller 100. The auxiliary controller 100 may include a processor for storing the instructions for controlling the controller 10 in accordance with the method of the present invention. 10, the auxiliary controller 100 may include a processor 130. The processor 130 may include a filter value setting unit 133, a transmission filter unit 132, and a reception filter unit And may perform the same functions as the filter value setting unit 33, the transmission filter unit 32, and the reception filter unit 35 of the CAN controller 30 shown in FIG. 2B, respectively . As a more specific example, in the embodiment of FIGS. 9 and 10, the reception filter unit 135 of the sub-controller 10 receives the reception ID of the received message in step S120 (retrieving the ID filtering table matched with the message ID of the received message) Retrieving an ID filtering table matching the message ID of the message, or controlling the controller 10 to perform the step.

The use of the terms &quot; above &quot; and similar indication words in the specification of the present invention (particularly in the claims) may refer to both singular and plural. In addition, in the present invention, when a range is described, it includes the invention to which the individual values belonging to the above range are applied (unless there is contradiction thereto), and each individual value constituting the above range is described in the detailed description of the invention The same. Finally, the steps may be performed in any suitable order, unless explicitly stated or contrary to the description of the steps constituting the method according to the invention. The present invention is not necessarily limited to the order of description of the above steps. The use of all examples or exemplary language (e.g., etc.) in this invention is for the purpose of describing the present invention only in detail and is not to be limited by the scope of the claims, It is not. It will also be appreciated by those skilled in the art that various modifications, combinations, and alterations may be made depending on design criteria and factors within the scope of the appended claims or equivalents thereof.

The embodiments of the present invention described above can be implemented in the form of program instructions that can be executed through various computer components and recorded in a computer-readable recording medium. The computer-readable recording medium may include program commands, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer-readable recording medium may be those specifically designed and configured for the present invention or may be those known and used by those skilled in the computer software arts. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CD-ROM and DVD, magneto-optical media such as floptical disks, medium, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code, such as those generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be modified into one or more software modules for performing the processing according to the present invention, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, Those skilled in the art will appreciate that various modifications and changes may be made thereto without departing from the scope of the present invention.

Accordingly, the spirit of the present invention should not be construed as being limited to the above-described embodiments, and all ranges that are equivalent to or equivalent to the claims of the present invention as well as the claims .

10: controller 20: CAN transceiver
30: CAN controller 31: transmission buffer section
32: transmission filter unit 33: filter value setting unit
34: reception time insertion section 35: reception filter section
36: Receive buffer unit 38: Protected memory
40: Microcontroller

Claims (7)

In a CAN communication-based hacking attack detection method,
Obtaining a reception time of a received message;
A reception filter step for performing a periodic operation for comparing a difference in reception time of received messages having the same message ID with a reference period of a corresponding message ID;
An abnormal message detection step of determining that the received message is an abnormal message when the difference in the reception time is smaller than the reference period as a result of the periodic operation and determining that the received message is a normal message if the difference is larger than the reference period;
A blocking step of blocking the abnormal message;
A CAN communication based hacking attack detection method. The method according to claim 1,
Wherein the step of acquiring the reception time of the reception message comprises:
A CAN communication based hacking attack detection method, wherein a microcontroller obtains a reception time of a received message measured by generating an interrupt signal or acquires a reception time of a reception message measured by a CAN controller using an internal module. The method according to claim 1,
Wherein the reception filter step compares the difference between the reception times of the at least three received messages having the same message ID and the most recently received message with the cycle of the corresponding message ID,
If at least one of the at least three received messages is determined to be an abnormal message if the difference between the first received time and the third received time among the at least three received messages is smaller than the reference period of the corresponding message ID And detecting the CAN communication based hacking attack. The method according to claim 1,
A detection point learning unit for correcting a detection point value using a result of the periodic operation; Lt; / RTI &gt;
The detection score learning unit performs the periodic operation every time a message is received and increases the detection score by a preset value when the difference of the reception time is smaller than the reference period as a result of the periodic operation, Decreasing the detection score by a predetermined value,
Wherein the blocking step determines that the received message is an abnormal message when the detection score is equal to or greater than a predetermined value. 5. The method of claim 4,
Wherein at least one of the reference period of the message ID and the learned detection score is stored in a protection memory, and the protection memory is a ROM (Read Only Memory) or a nonvolatile memory of a flash memory. Attack detection method. A CAN communication-based abnormal message detection system including a CAN controller and a microprocessor,
A reception time measuring unit for obtaining a reception time of a received message;
A reception filter unit for performing a periodic operation for comparing a difference between reception times of reception messages having the same message ID and a reference period of a corresponding message ID;
An abnormal message detection unit for determining that the received message is an abnormal message if the difference in the reception time is smaller than the reference period as a result of the cyclic operation and determining that the received message is a normal message if the difference is larger than the reference period;
A CAN communication based hacking attack detection system. A program recorded on a computer-readable recording medium for realizing the method according to any one of claims 1 to 5.

Images