KR20190003112A - Method and System for detecting bypass hacking attacks based on the CAN protocol - Google Patents

Abstract

According to an embodiment of the present invention, a method for detecting a controller area network (CAN) communication-based bypass attack comprises: a CAN ID obtaining step of generating a CAN ID list by obtaining a CAN ID from one or more CAN messages received from a CAN bus; a diagnosis communication ID extracting step of extracting a diagnosis communication CAN ID corresponding to a diagnosis communication related request or response from the CAN ID; a matching step of matching a detection object electronic control unit (ECU) corresponding to the diagnosis communication CAN ID; an ECU state monitoring step of determining whether or not a state of the detection object ECU is a message transmission abled state or a message transmission disabled state; and an abnormal message determining step of determining a CAN message corresponding to the detection object ECU as an abnormal message in the case in which the CAN messages corresponding to the detection object ECU are periodically received when the state of the detection object ECU is the message transmission disabled state. The present invention can monitor an ECU having an idle state in real time.

Description

[0001] The present invention relates to a method and system for detecting a bypass of a CAN communication based on a CAN attack,

More particularly, the present invention relates to a CAN communication based bypass attack detection method and system, and more particularly, to a CAN communication based bypass attack detection method and system, Based bypass detec- tion detection method and system for discriminating a corresponding CAN message as an abnormal CAN message when the received CAN message is received.

In general, according to the remarkable development of electronic control technology, various devices which are operated by a mechanical method in an automobile are driven by an electric method for convenience of driver and safety of operation, and automobile systems are gradually advanced It is becoming more advanced. Particularly, as the system of the vehicle becomes electronic, communication between ECUs in the vehicle is also frequently performed. CAN (Controller Area Network) communication is generally used for intra-vehicle communication.

In other words, the electronic control system in the automobile is composed of dozens of electronic ECUs (electronic control units) such as an engine ECU, a transmission ECU, a brake ECU, and an airbag ECU. In addition, each electronic ECU has a CAN controller for CAN communication, and the communication between these electronic ECUs uses CAN communication.

Basically, according to a CAN (Controller Area Network) protocol-based message communication, a network is composed of a plurality of nodes (or a CAN controller) and a common CAN bus, each node transmits a message in a broadcast manner, Selects and receives a necessary message. That is, all CAN controllers (or nodes) send and receive messages using a common CAN bus. In addition, each CAN controller (or node) broadcasts messages to be transmitted to all nodes on the network in a broadcast manner. And provides its own arbitration function based on the message identifier. Specifically, each node or the CAN controller recognizes the identifier of the message, and receives only necessary messages among the broadcasted messages. That is, in the CAN communication, there is no field for authenticating the transmission destination of the message in the data frame of the message.

However, as described above, there is a security risk inherent in the CAN protocol by transmitting and receiving CAN (Controller Area Network) communication using only the broadcasting method and message identifier.

For example, because a CAN communication sends messages in a broadcast fashion, adding a malicious node to a CAN communication network can allow a malicious node to collect all messages sent by other nodes. The malicious node can then use the collected information to generate a fake message and send it to the CAN communication network. In the data frame of the CAN communication message, there is no separate field for authenticating the transmission object, so that the spoofing attack as described above is easily possible.

In addition, if the arbitration function based on the CAN message identifier is abused, a denial of service attack is also easily possible. An arbitration function based on an identifier is a function of assigning a priority to each identifier and preferentially transmitting a message to which a priority is assigned. Once an attacker (or malicious node) collects messages on the CAN communication network, it finds out the identifier with the highest priority (ID). Then, the attacker uses the identifier to create a fake message, and continuously transmits the message on the network. Since the fake message by the attacker has a high priority, other normal messages are not transmitted by the arbitration function by the CAN message identifier. If this state continues, only the attacker's message remains in the CAN communication network, resulting in a denial of service situation where other normal messages can not be delivered.

In particular, conventional vehicle electronic control systems based on CAN communication are connected to the same CAN bus with high security vulnerability devices and security critical devices. Therefore, if security devices (engine ECU, brake ECU, airbag ECU, etc.) are stolen when hackers gain control of highly vulnerable devices (telematics, AVN systems, etc.) due to high external network connectivity, There is a problem that can become a security threat.

In order to solve the above problems, there is proposed a technique of transmitting and receiving a message by exchanging encryption keys and encrypting only within a mutually-shared time window [Patent Document 1]. Also, there is proposed a technique of generating a secret key stream and encrypting it with a symmetric key method to transmit and receive a message [Patent Literatures 2 and 3]. In addition, a technique of providing an OTP (one-time password) ROM for generating an encryption key is also proposed (Patent Document 4). A technique for determining whether a hacking message is used by using the periodicity of a message in CAN communication has been proposed Literature 5].

However, since the above-mentioned prior art encrypts and transmits a message, an operation for encrypting or decrypting the message must be performed, and an encryption key or a secret key must be generated or exchanged for encryption communication. Since a computation time is required for such an encryption operation, there is a problem that the transmission and reception time of a message may be delayed.

Korean Registered Patent No. 10-1651648 (Announced 2016.08.29) Korean Patent Laid-Open No. 10-2011-0057348 (published on June 1, 2011) Korean Registered Patent No. 10-1413427 (Announced 2014.07.01) Korean Patent Publication No. 10-2016-0093764 (published on Aug. 20, 2016) Korean Registered Patent No. 10-1472896 (issued October 16, 2014)

An object of the present invention is to monitor an ECU in an idle state, that is, an ECU which can not transmit a message due to a hacking attack, in real time.

Another object of the present invention is to discriminate a corresponding CAN message as an abnormal CAN message when a CAN message corresponding to an ECU which has been unable to transmit a message due to a hacking attack is received.

The present invention seeks to monitor an ECU that has been subject to a bypass attack using international standards for diagnostic communication.

{Describe after determining patent claim scope}

According to the present invention, it is possible to monitor an ECU in an idle state by a hacking attack in real time.

The present invention can discriminate a corresponding CAN message as an abnormal CAN message when a CAN message corresponding to an ECU whose message transmission disabled state is caused by a hacking attack is received.

By using the international standard for diagnostic communication, the present invention can detect an ECU that has been unable to transmit a message due to an attack by a hacker without using a complicated security algorithm separately.

1 is a block diagram illustrating a configuration of a CAN communication according to an embodiment of the present invention.
2 is a block diagram illustrating an internal configuration of a CAN controller according to an embodiment of the present invention.
3 is a block diagram illustrating an internal configuration of a detour detection unit according to an embodiment of the present invention.
FIG. 4 illustrates a structure of transmission data according to an embodiment of the present invention. Referring to FIG.
5A and 5B are diagrams illustrating a process of receiving an abnormal message in a target ECU due to an attack by a hacker.
6 is a diagram for explaining a change in state of a detection target ECU according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating a method of detecting a detour attack based on CAN communication according to an embodiment of the present invention in a time-series manner.
FIG. 8 is a diagram illustrating a case where a detour detection unit exists outside a CAN controller according to an embodiment of the present invention.

The following detailed description of the invention refers to the accompanying drawings, which illustrate, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, the specific shapes, structures, and characteristics described herein may be implemented by changing from one embodiment to another without departing from the spirit and scope of the invention. It should also be understood that the location or arrangement of individual components within each embodiment may be varied without departing from the spirit and scope of the present invention. Therefore, the following detailed description is not to be taken in a limiting sense, and the scope of the present invention should be construed as encompassing the scope of the appended claims and all equivalents thereof. In the drawings, like reference numbers designate the same or similar components throughout the several views.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings in order to facilitate a person skilled in the art to which the present invention pertains.

1 is a block diagram illustrating a configuration of a CAN communication according to an embodiment of the present invention.

Referring to FIG. 1, the CAN communication of the present invention comprises a CAN bus 50 for data transmission and reception, and a plurality of ECUs 10 connected to a CAN bus 50.

The CAN bus 50 is a communication line for data transmission, and is preferably composed of a twisted pair wire. At this time, the two lines constituting the twisted pair are driven by different signals (CAN_H, CAN_L). The transmission speed on the CAN bus 50 may vary depending on the length of the bus.

Further, the CAN bus 50 is divided into a transmission line Tx and a reception line Rx, and each ECU 10 transmits a message to the transmission line Tx and receives the message from the reception line Rx. In particular, all the ECUs 10 are connected to the common transmission and reception lines Tx and Rx of the CAN bus 50 to transmit and receive messages.

A plurality of ECUs (Electronic Control Unit) 10 or first to Nth ECUs 10 may be connected to the CAN bus 50 through a predetermined CAN connector, and theoretically, a maximum ECU Is 2032.

The ECU 10 can be classified into ECUs that are directly exposed to security risks connected to external communication networks such as a smart phone, the Internet, and a traffic information system, and ECUs that are relatively safe because there is no direct connection with an external communication network.

The former ECUs 10 are multimedia can (CAN), ECUs related to telematics, navigation, and the like. These ECUs are connected to an external communication network such as a smart phone, the Internet, and a traffic information system to perform data communication. Accordingly, these ECUs 10 are ECUs accessible from an external terminal or system.

On the other hand, the latter ECUs are mainly conventional conventional ECUs, and are ECUs for controlling an in-vehicle system. ECUs associated with powertrain such as engine, transmission, etc., for example; ECUs related to the chassis such as a braking device, a steering device, and an airbag; Clusters, doors, windows, and so on. These are usually referred to as P-CAN, C-CAN, and B-CAN, respectively.

On the other hand, each ECU 10 is composed of a CAN transceiver 20, a CAN controller 30 and a microcontroller (CPU) The CAN transceiver 20 is connected to the CAN bus 50 via a predetermined CAN connector and constitutes the physical layer of the ECU. The CAN transceiver 20 can provide functions of detecting and managing the failure of the CAN bus 50 and transmitting and receiving a message.

The CAN controller 30 transmits and receives a CAN protocol message and performs a message filtering function on the received message. In addition, the CAN controller 30 provides a message buffer for retransmission control and an interface function with the microcontroller 40.

The microcontroller 40 can be equipped with a CPU, can provide an upper layer protocol and can provide various applications.

On the other hand, the CAN communication of the present invention can be extended not only to general CAN communication but also to extended CAN (Extended CAN) and CAN-Flexible Data-Rate (CAN). In addition, the CAN communication of the present invention can be mounted on vehicles, construction heavy equipment, tractors, and the like. CAN communication can be classified into Vehicle-CAN and Diagnostic-CAN. Vehicle communication is communication used during communication between ECUs and diagnostic communication is communication used for special purposes such as maintenance, faulty parts and cause, trouble code (DTC), firmware update, diagnosis and so on. Diagnostic communications can affect vehicle communications. In particular, reprogramming services and communication control related services for updating firmware can function to permanently stop vehicle communication temporarily or under certain conditions. Diagnostic communications use the Unified Diagnostic Services (UDS) standard as an international standard. UDS is defined in the standard ISO 14229 and ISO 15765-3. The present invention is characterized in that a detour attack of a hacker is detected using the diagnostic communication, which will be described later.

In the following description, for convenience of explanation, ECUs 10 to be attacked by a hacker (that is, an object to receive an abnormal message due to a hacking attack) among a plurality of ECUs 10 connected to the CAN bus 50 Target ECU, and the target ECU may be typically an autonomous-travel-related ECU of the vehicle. Further, an ECU to be monitored as to whether or not an idle state is caused by a hacking attack may be referred to as a detection target ECU (the detection target ECU is a normal ECU before the detection of an idle state by attack of a hacker). Also, an ECU that transmits an abnormal CAN message that simulates a normal CAN message by a hacker is referred to as an abnormal ECU.

According to an embodiment of the present invention, the target ECU determines whether the messages having CAN IDs sent by the other ECUs (ECUNs) are normal CAN messages transmitted by normal ECUs or abnormal CAN messages transmitted by the abnormal ECUs . Particularly, according to an embodiment of the present invention, it is possible to determine whether a normal ECU can not transmit a message due to a hacking attack and whether the received CAN message is an abnormal CAN message simulated by a hacker. To this end, according to the present invention, the target ECU receives the CAN messages having the CAN ID assigned to the diagnostic communication request or response, and determines whether the corresponding detection target ECU is the current message normal transmission state or the message transmission disabled state, Can be monitored and detected. That is, the target ECU monitors the status information of the ECU corresponding to the CAN ID when receiving the CAN messages having the CAN ID corresponding to the request or response for the diagnosis communication together, and determines whether the CAN message received subsequently is normal Can be distinguished.

As described above, the reason why the target ECU can monitor whether the state of the detection target ECU is the message normal transmission state or the message transmission disabled state is that since the diagnosis communication is based on the international standard, the sequence causing the message transmission disabled state There is a possible pattern.

Hereinafter, the internal configuration of the CAN controller 30 of the target ECU will be described and the present invention will be described in more detail.

2 is a block diagram illustrating an internal configuration of a CAN controller according to an embodiment of the present invention.

Referring to FIG. 2, the CAN controller 30 according to the present invention includes a transmission buffer unit 31 for temporarily storing data to be transmitted, a detour detection unit 31 for detecting whether a detour attack of a hacker exists, (100), and a reception buffer unit (36) for temporarily storing a reception message. It further comprises a protection memory 38 for additionally storing filter values.

The transmission buffer unit 31 has a buffer and temporarily stores data to be transmitted in the buffer. In particular, the microcontroller 40 stores the data (or transmission data) to be transmitted in the buffer of the transmission buffer unit 31. [

The transmission buffer unit 31 sequentially stores transmission data in a buffer, stores the data in the order received by the microcontroller 40, and transmits the data through the CAN transceiver 20 in the order received. That is, the transmission buffer unit 31 sequentially stores the transmission data composed of the header 210 and the payload 220, which will be described later with reference to FIG. 4, in the buffer and stores them in the order received by the microcontroller 40 Via the CAN transceiver 20 in the order received.

Next, the reception buffer unit 36 stores the reception CAN message in the reception buffer. According to an embodiment of the present invention, the reception buffer unit 36 may store only the message determined as the normal CAN message by the detour detection unit 100 in the reception buffer. The received CAN message stored in the reception buffer unit 36 is transmitted to the microcontroller 40. [

The detour attack detecting unit 100 determines whether the received CAN message is a normal CAN message or an abnormal CAN message due to a detour attack of a hacker before delivering the receiving CAN message to the receiving buffer unit 36. [ According to an embodiment of the present invention, the detour attack detecting unit 100 determines whether or not the detection target ECU corresponding to the abnormal CAN message is in a message transmission disabled state in order to discriminate whether or not it is an abnormal CAN message. This will be described later in more detail with reference to FIG.

Next, the protection memory 38 is a non-volatile memory such as a ROM (Read Only Memory) or a flash memory, and stores a filter value or a message ID list.

Preferably, the protection memory 38 is constituted by a normal nonvolatile memory, and a part of the memory space can be designated as a protection area. In this case, only the data stored in the memory of the protection area is allowed to be read, and data in the area other than the protection area can be changed or deleted. The protection memory 38 or the protected memory area (protection area) can not be accessed by a memory address value like a general non-volatile memory (e.g. flash memory), and a special approach And a password are required.

According to an embodiment of the present invention, the state of the detection target ECUs is stored in the protection memory 38, so that the state information of the detection target ECUs can be learned and stored even when the target ECU abnormally terminates. Further, preferably, the learned detection score of the detection target ECUs can be stored in the protection memory 38. [

According to an embodiment of the present invention, the ECU including the detour detection unit 100 as shown in FIG. 2 may be a target ECU. According to an embodiment of the present invention, the target ECU receives an CAN message from another ECU as an autonomic-travel-related ECU, grasps the state of the vehicle, and transmits a CAN message for controlling the vehicle system in relation to autonomous travel of the vehicle ECU. Accordingly, the hacker can send an abnormal message to misunderstand the state of the vehicle that the target ECU grasps, and the target ECU, receiving the abnormal message from the CAN bus 50, There is a risk of sending CAN messages. In order to prevent such a danger, the bypass detec- tion detection unit 100 of the target ECU according to an embodiment of the present invention can detect whether or not the received message is an abnormal message. 3, a detour detection method of a hacker according to the present invention will be described focusing on the configuration of the detour attack detecting unit 100. FIG.

3 is a block diagram illustrating an internal configuration of a detour detection unit according to an embodiment of the present invention.

The detour attack detection unit 100 according to an embodiment of the present invention includes a CAN ID acquisition unit 110, a diagnostic communication ID extraction unit 120, an ID-ECU matching unit 130, a reprogram detection unit 140, An abnormality message discrimination unit 160 and a detection score learning unit 170 including a temporary disablement sensing unit 150. [

First, the CAN ID acquisition unit 110 can acquire the preset CAN IDs and generate the CAN ID list (CAN ID LIST). CAN ID is an identifier for each transmission data in the structure of transmission data of CAN communication. The CAN IDs received by the target ECU from the other ECUs to be detected may be defined in advance, and the CAN IDs may be values pre-assigned to each of the ECUs to be detected.

FIG. 4 illustrates a structure of transmission data according to an embodiment of the present invention. Referring to FIG.

As shown in FIG. 4, the transmission data is composed of a CAN header 210 part and a CAN payload part 220 which is a data frame part. The CAN payload 220 records information to be transmitted. For example, in the case of an engine ECU, data on the current state of the engine and the like are recorded in the CAN payload 220 field. The standard of the message conforms to the standard defined by the CAN protocol.

In the CAN header 210 of the transmission data, there is a message ID field 211, and the ID of the message is recorded in the corresponding field. The message ID (ID) is an identifier of the message, and indicates the type of the message. For example, a message that transmits an RPM of an engine is periodically transmitted, wherein the RPM transmission message has the same message ID (ID). That is, the ECU 10 receiving the message confirms what data the corresponding message has via the message ID (ID).

5A and 5B are diagrams illustrating a process of receiving an abnormal message in a target ECU due to an attack by a hacker.

Referring to FIG. 5A, the target ECU 51 generates a CAN ID list (CAN_ID_LIST), and the CAN ID list includes 0x11, 0x22, 0x33, and 0x44 CAN IDs. There are ECUs 1 52, ECU 2 53 and ECU 3 54 serving as detection target ECUs and the ECU 1 52 sends a message having a CAN ID of 0x11 and 0x22 when it is in a normal ECU state, Can be broadcast to the CAN bus (50). For example, the normal CAN message 52m may have a CAN ID of 0x11. On the other hand, in the example of FIG. 5A, ECU k may exist as an abnormal ECU that is controlled by a hacker and broadcasts an abnormal CAN message 55m, and the abnormal CAN message 55m may be a message . At this time, when both the normal CAN message 52m and the abnormal CAN message 55m are broadcast on the CAN bus 50, the normal CAN message 52m and the abnormal CAN message 55m collide with each other, It can not be achieved. Thus, the hacker can prevent the normal CAN message 52m from being broadcasted by using the detour attack which makes the ECU1 52 disable the message transmission as shown in Fig. 5B. In addition, the hacker can broadcast an abnormal CAN message (55m) having a 0x11 CAN ID using the abnormal ECU (ECUk). In this case, the target ECU 51 receives only the abnormal CAN message 55m and there is a risk that the target ECU 51 will misjudge the vehicle as the intention of the hacker. In order to prevent this, according to an embodiment of the present invention, the target ECU monitors whether or not the detection target ECU can not transmit a message using the diagnosis communication service, and can determine whether the CAN message is normal according to the monitoring result.

The diagnostic communication ID extracting unit 120 may extract a diagnostic communication CAN ID corresponding to a request or a response related to the diagnosis communication among the CAN IDs present in the CAN ID list. That is, the diagnostic communication ID extracting unit 120 can determine whether the CAN ID of the received CAN message is a CAN message using at least one of the CAN IDs assigned to the request for diagnostic communication or the response.

More specifically, as described above, the CAN communication of the vehicle may include vehicle communication and diagnostic communication. At this time, the CAN IDs corresponding to the respective ECUs used in the vehicle communication may vary depending on the manufacturer of the finished car. Also, the CAN ID corresponding to the request and the response of each ECU used in the diagnosis communication may be different for the vehicle maker. That is, in the vehicle communication and diagnosis communication, the CAN ID corresponding to each ECU can be changed depending on the vehicle maker. However, the diagnostic communication for each ECU connected to the CAN communication may have two predefined and assigned CAN IDs corresponding to the request and the response. For example, the CAN ID corresponding to the request for diagnostic communication may be 0x7E and the CAN ID corresponding to the response may be 0x7E8, but the specific request and response CAN ID may vary depending on the manufacturer as described above. That is, the service IDs used in the diagnostic communication follow the same international standard regardless of the manufacturer, and the present invention can determine the state of the detection target ECU by using the service ID of the diagnostic communication having such characteristics.

Next, the ID-ECU matching unit 130 may match the detection target ECU corresponding to the diagnostic communication CAN ID. That is, it is possible to match the detection target ECU corresponding to the extracted diagnostic communication ID, and the matching detection target ECU can be assumed to have received the diagnostic communication related request or transmitted the response. Therefore, the target ECU can monitor whether the status of the ECU that has received or transmitted the diagnostic communication related message is in the message normal transmission possible state or in the message transmission disabled state. In this case, the target ECU selects the detection target ECU It can be based on the extraction of the diagnostic communication CAN ID and the ECU matching as described above.

Next, the ECU state monitoring unit 101 includes a reprogram sensing unit 140 and a temporary disablement sensing unit 150. The ECU state monitoring unit 101 determines whether the detection target ECU is in a normal message transmission state or a message transmission disabled state .

A CAN communication used in a vehicle or the like transmits a CAN message in a broadcast manner so that even if one node (ECU) connected to the CAN bus 50 normally receives a specific CAN message, the corresponding CAN message does not disappear. That is, due to the nature of the CAN communication, all ECUs connected to the CAN bus 50 can receive the CAN message broadcast on the CAN bus.

Due to the characteristics of the CAN communication, as described above, during the CAN communication-based hacking attack, both the abnormal CAN message from the abnormal ECU due to the hacking attack and the normal CAN message from the normal ECU are broadcast to the CAN bus, Can occur. In this case, the hacker can not achieve the desired purpose, so the hacker can use the bypass attack method to block the occurrence of the collision by preventing the normal ECU from transmitting the normal CAN message. At this time, the hacker can use the international standard service of diagnostic communication so as not to send the normal CAN message. Therefore, the ECU status monitoring unit 101 according to the embodiment of the present invention detects the CAN ID In response to the detection of the request / response CAN ID of the diagnostic communication service that makes the message transmission impossible state, monitors the status of the detection target ECU, and when it is determined that the detection target ECU is in the message transmission disabled state, The periodic CAN message can be judged to be an abnormal message simulated by a hacking attack.

According to an embodiment of the present invention, the ECU state monitoring unit 101 may acquire 2N filter IDs (IDs for request / response of diagnostic communication) for one or more N priority ECUs having a high priority, ), A CAN message having a CAN ID corresponding to the filter ID is detected, and when a pattern that can be determined that the corresponding ECU has become unable to transmit a message is detected, the corresponding detected ECU transmits an idle mode It can be judged that it is in a disabled state). The state information of the detection target ECU determined by the ECU state monitoring unit 101 is stored in the nonvolatile memory (for example, the protection memory 38), and even when the detour detection unit 100 abnormally terminates, The ECU status information may not be lost.

The triggering condition for determining that the ECU status monitoring unit 101 determines that the detection target ECU is in a message transmission disabled state is one of 1) requesting reprogramming 0x03 to the ecuReset service specified in the UDS specification for the detection target ECU, and 2) a disableNormalMessageTransmission service request specified in the UDS specification, and two triggering conditions may be detected by the reprogramming detection unit 140 and the temporal disablement unit 150, respectively.

On the other hand, when detecting the message transmission disabled state of the detection target ECU by the temporary disablement sensing unit 150 and the reprogramming sensing unit 140, the ECU state monitoring unit 101 refers to the subfunction value of the diagnosis service ID can do. For example, the reprogramming sensing unit 140 may detect a message transmission failure state by referring to whether or not a subfunction of EcuReset $ 11 is a reprogramming related function.

First, the reprogramming detection unit 140 detects a request to cause the detection target ECU to enter the reprogramming mode, and more particularly, when the diagnostic service that performs the EcuReset-related function for firmware reprogramming purposes is triggered. An EcuReset related function for firmware reprogramming is a service defined in UDS with service ID $ 11.

According to an embodiment of the present invention, the reprogramming detection unit 140 monitors whether or not the detection target ECU is in a message transmission disabled state by monitoring the detection target ECU state in real time.

6 is a diagram for explaining a change in state of a detection target ECU according to an embodiment of the present invention.

Referring to FIG. 6, when the detection target ECU is in a normal state, an EcuReset request (EcuReset $ 11) may be received. In this case, the detection target ECU first issues a negative response and then performs a positive response after the reset. EcuReset If the two sub-functions of $ 11 are reprogramming related functions (Reprogramming 0x03) and the ECU satisfies two conditions that the ECU responds positively after reset, the target ECU enters the reprogramming mode.

The ECU to be detected enters the reprogramming mode and the message transmission is disabled. That is, according to one embodiment of the present invention, the reprogramming sensing unit 140 determines that the sub-function of EcuReset $ 11 is a reprogramming related function, and 2) the two conditions of the affirmative response Is satisfied, the ECU to be detected can determine that the message can not be transmitted. Alternatively, according to another embodiment of the present invention, the reprogramming sensing unit 140 determines that the detection target ECU is in a message transmission disabled state when the subfunction of EcuReset $ 11 is a reprogramming related function as the minimum triggering condition, It is possible to determine the message transmission disabled state depending on whether an affirmative response or a negative response has occurred since the reset.

In addition, the detection target ECU can transition to the normal state when a Request Transfer Exit $ 37 request is received in the reprogramming mode, and again the message is transmitted normally. Accordingly, when the reprogramming sensing unit 140 detects the request transfer request 37, it can transfer the state of the detection target ECU from the message transmission failure state to the message normal transmission state. In this case, the CAN messages corresponding to the detection target ECU detected by the target ECU can be judged as normal CAN messages.

On the other hand, there may be a case where only the detection target ECU is detached from the power source during the reprogramming mode of the detection target ECU. In this case, since the detection object ECU can send out the normal CAN message after the reset of the detection object ECU (that is, since the message is normally transmitted), the ECU state monitoring unit 101 receives both the normal CAN message and the abnormal CAN message . That is, since the normal CAN message and the abnormal CAN message conflict, it is possible to detect a hacker's attack.

Next, the temporary disablement detecting unit 150 detects a diagnostic service request for temporarily disabling the message transmission of the detection target ECU, and when a service for performing a message related to disableNormalMessageTransmission for diagnostic service purposes is triggered Detection. That is, the temporary disablement detecting unit 150 can detect a diagnostic service request that performs the disableNormalMessageTransmission related function specified in the UDS specification.

The disableNormalMessageTransmission service is a subordinate function of Communication Control $ 28 in UDS. It can only operate in Extended Mode and has a limited duration. Typically, the disableNormalMessageTransmission service is persistent for about 3 seconds, so you must send disableNormalMessageTransmission $ 28 continuously to maintain the disableNormalMessageTransmission state. Therefore, the temporary disablement sensing unit 150 can determine that the detection target ECU is temporarily unable to transmit a message when the disableNormalMessageTransmission $ 28 request is continuously (for example, every 3 seconds) below the predetermined time interval.

Next, the abnormal message determination unit 160 determines whether or not the reprogramming detection unit 140 or the temporary disablement detection unit 150 determines that the detection target ECU is a message transmission disabled state, as described above, If the CAN message having the CAN ID is received periodically, the CAN message can be determined as an abnormal CAN message. That is, if the CAN message corresponding to the detection object ECU is received despite the fact that the detection object ECU is unable to normally transmit the CAN message due to the message transmission disabled state, the corresponding CAN message is transmitted by the abnormal ECU, It can be determined that there is one abnormal CAN message.

Next, the detection score learning unit 170 may provide a detection learning algorithm that can be used when the abnormal message determination unit 160 determines whether the received CAN message is normal or abnormal.

In this regard, whenever the abnormal message determiner 160 receives the CAN messages corresponding to the detection target ECU, it is difficult to determine the CAN message as an abnormal message. Because of the characteristics of the embedded environment, even in the normal case, the receiving period of the messages may be wrong due to noise or the like, and the message may be erroneously transmitted. Therefore, in the present invention, a detection point learning algorithm capable of detecting an abnormal message more accurately can be used.

More specifically, the detection score learning unit 170 increases the detection score by a predetermined value when the CAN message corresponding to the detection subject ECU is received when the detection subject ECU is in a message transmission disabled state, If the CAN message is not received within a predetermined time, the detection score may be reduced by a predetermined value. Using the calculated detection score, the abnormal message determination unit 160 can determine that the CAN message corresponding to the detection target ECU is an abnormal message when the detection score is equal to or greater than a preset reference value.

The present invention has been described above with reference to the bypass attack detection unit 100 in the CAN controller 30. Meanwhile, in another embodiment of the present invention, the detour attack detector 100 described above may exist outside the CAN controller 30, or a method related to the operation of the detour attack detector 100 may be implemented May be implemented as an example. That is, according to another embodiment of the present invention, the operations of the detour detection unit 100 described herein may be implemented as a method having a time series step, . For example, a method of performing the steps described in FIG. 7 may be an embodiment of the present invention, and the method of performing the steps may be performed by a device other than the CAN controller 30. [

At this time, the subject performing the method according to another embodiment of the present invention may be a processor embedded in the target ECU, and the commands stored in the processor may be transmitted to the CAN controller 30 of the target ECU and the target ECU according to the embodiment of the present invention. It can be applied not only to automobiles, but also to electronic ECUs in various fields using CAN communication such as construction heavy equipment and agricultural tractors. Alternatively, the subject performing the method according to another embodiment of the present invention may be an auxiliary controller connected to the target ECU in a connector type of H / W type. In this case, since only the auxiliary controller is connected to the target ECU, Or there is no need to change the S / W aspect. Alternatively, the subject performing the method according to another embodiment of the present invention is a semiconductor device embedded in the CAN controller 30 of the target ECU, and the S / W of the semiconductor device can be designed to perform the method of the present invention. Alternatively, the subject performing the method according to another embodiment of the present invention may be a security gateway connected to the CAN bus, in which case the security gateway is not connected to the individual controller, Or not.

FIG. 7 is a flowchart illustrating a method of detecting a detour attack based on CAN communication according to an embodiment of the present invention in a time-series manner. Each step of FIG. 7 according to an embodiment of the present invention may be performed by the detour detection unit 100. FIG.

Referring to FIG. 7, first, a predetermined CAN ID list is acquired (S1).

Next, a diagnosis communication CAN ID corresponding to a request or a response related to the diagnosis communication among the CAN IDs corresponding to one or more CAN messages received from the CAN bus is extracted (S2).

Next, the detection target ECU corresponding to the diagnostic communication CAN ID is matched (S3).

Next, it is determined whether or not the state of the detection target ECU is the message transmission disabled state. If the message transmission state is normal, the process returns to step S1. If the message transmission is impossible, step S5 is performed (step S4).

Next, when the detection target ECU is in a message transmission disabled state, it is determined whether or not the CAN messages corresponding to the detection target ECU are periodically received. If not, the process returns to step S1. If not, the process proceeds to step S6 (S5).

Finally, the CAN message corresponding to the ECU to be detected is determined to be an abnormal message (S6).

8 is a diagram illustrating a case in which a detour detection unit exists outside the CAN controller 30 according to an embodiment of the present invention.

8, the detour detection unit 100 exists outside the CAN controller 30 and the detour detection unit 100 acquires the receiving CAN message from the CAN transceiver 20 so that the CAN message is an abnormal message And then returns the determination result to the reception buffer unit 36. [0060] FIG. At this time, the bypass attack detection unit 100 may include a processor for storing a command for controlling the target ECU according to the method of the present invention.

The specific acts described in the present invention are, by way of example, not intended to limit the scope of the invention in any way. For brevity of description, descriptions of conventional electronic configurations, control systems, software, and other functional aspects of such systems may be omitted. Also, the connections or connecting members of the lines between the components shown in the figures are illustrative of functional connections and / or physical or circuit connections, which may be replaced or additionally provided by a variety of functional connections, physical Connection, or circuit connections. Also, unless explicitly mentioned, such as " essential ", " importantly ", etc., it may not be a necessary component for application of the present invention.

The use of the terms " above " and similar indication words in the specification of the present invention (particularly in the claims) may refer to both singular and plural. In addition, in the present invention, when a range is described, it includes the invention to which the individual values belonging to the above range are applied (unless there is contradiction thereto), and each individual value constituting the above range is described in the detailed description of the invention The same. Finally, the steps may be performed in any suitable order, unless explicitly stated or contrary to the description of the steps constituting the method according to the invention. The present invention is not necessarily limited to the order of description of the above steps. The use of all examples or exemplary language (e.g., etc.) in this invention is for the purpose of describing the present invention only in detail and is not to be limited by the scope of the claims, It is not. It will also be appreciated by those skilled in the art that various modifications, combinations, and alterations may be made depending on design criteria and factors within the scope of the appended claims or equivalents thereof.

The embodiments of the present invention described above can be implemented in the form of program instructions that can be executed through various computer components and recorded in a computer-readable recording medium. The computer-readable recording medium may include program commands, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer-readable recording medium may be those specifically designed and configured for the present invention or may be those known and used by those skilled in the computer software arts. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CD-ROM and DVD, magneto-optical media such as floptical disks, medium, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code, such as those generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be modified into one or more software modules for performing the processing according to the present invention, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, Those skilled in the art will appreciate that various modifications and changes may be made thereto without departing from the scope of the present invention.

Accordingly, the spirit of the present invention should not be construed as being limited to the above-described embodiments, and all ranges that are equivalent to or equivalent to the claims of the present invention as well as the claims .

Claims (8)

A CAN ID acquiring step of acquiring a CAN ID from at least one CAN message received from the CAN bus to generate a CAN ID list;
A diagnostic communication ID extracting step of extracting a diagnostic communication CAN ID corresponding to a request or response of a diagnostic communication related to the CAN ID;
A matching step of matching a detection target ECU corresponding to the diagnostic communication CAN ID;
An ECU state monitoring step of determining whether the state of the detection object ECU is a message normal transmission state or a message transmission disabled state;
An abnormal message discrimination step of discriminating the CAN message corresponding to the detection object ECU as an abnormal message when the CAN messages corresponding to the detection object ECU are periodically received when the detection object ECU is in a message transmission disabled state;
Based detour attack detection method. The method according to claim 1,
Wherein the ECU state monitoring step includes:
Detecting a reprogramming step of detecting that the detection target ECU enters a reprogramming mode and a message transmission disabled state is established; And
Detecting that the detection target ECU has become temporarily untransferred; Based CAN detection method. 3. The method of claim 2,
The method of claim 1,
Based on the detection of a reprogramming-related ECU reset request for the detection target ECU, determines that the detection target ECU has entered the reprogramming mode and has become unable to transmit a message. 3. The method of claim 2,
Wherein the temporarily disabled detection step comprises:
And if the message transmission inactivation request for the detection target ECU is less than or equal to a predetermined time interval, determines that the detection target ECU has become temporarily unable to transmit a message. The method according to claim 1,
When the CAN message corresponding to the detection object ECU is received when the detection object ECU is in a message transmission disabled state, the detection score is increased by a predetermined value, and the CAN message corresponding to the detection object ECU is received A detection score learning step of reducing the detection score by a preset value if the detection score is not satisfied; Further comprising:
Wherein the abnormal message distinguishing step determines that the CAN message corresponding to the detection target ECU is an abnormal message when the detection score is equal to or greater than a reference value. The method according to claim 1,
Wherein the state of the detection target ECU is stored in a nonvolatile memory. A CAN ID acquiring unit for acquiring a CAN ID from at least one CAN message received from the CAN bus and generating a CAN ID list;
A diagnostic communication ID extracting unit for extracting a diagnostic communication CAN ID corresponding to a request or a response related to a diagnosis communication among the CAN IDs;
A matching unit for matching a detection target ECU corresponding to the diagnostic communication CAN ID;
An ECU state monitoring unit for determining whether the state of the detection object ECU is a message normal transmission state or a message transmission disabled state;
An abnormal message discrimination unit for discriminating the CAN message corresponding to the detection target ECU as an abnormal message when the CAN messages corresponding to the detection subject ECU are periodically received when the detection subject ECU is in a message transmission disabled state;
CAN based detour attack detection system. A computer program stored in a computer-readable medium for carrying out the method according to any one of claims 1 to 6.

Images