KR20210015704A - Method for SDN-based Intrusion Response or Prevention for In-vehicle Network and System using the same - Google Patents

Abstract

The present disclosure relates to a method for detecting and responding to vehicle intrusion using an SDN support switch installed in an in-vehicle network (IVN) and an SDN controller communicating with the SDN support switch. More specifically, the present disclosure provides an intrusion response system (IRS) and a method thereof. The method comprises: transmitting, by the SDN support switch, a packet-in message to the SDN controller so as to enable an intrusion detection system (IDS) to determine whether a particular packet is an intrusion packet; and receiving, by the SDN controller, an action according to a result of the determination and transmitting a packet-out message to the SDN support switch so as to control a flow of the particular packet. According to the present invention, the SDN switch can monitor and block traffic introduced into the IVN.

Description

SDN-based Intrusion Response or Prevention for In-vehicle Network and System using the same}

The present invention relates to a technology for detecting and blocking an intrusion or attack on an in-vehicle network (IVN).

The content described in this section merely provides background information on the present embodiment and does not constitute the prior art.

Commercial vehicles to which V2X communication and network-based autonomous driving technologies are applied are being developed. For example, IEEE 802.11p WAVE (radio access in a vehicle environment), DSRC (Dedicated Short-Range Communication), and V2X technologies provide the connectivity required in CAV (Connected and Automated Vehicle).

In order to implement a network-based autonomous driving system using multiple sensors, cameras, etc. as nodes, it is necessary to develop an in-vehicle communication protocol capable of supporting a high bandwidth. The conventional Ethernet-based network has a problem that is not completely compatible with CAV. Accordingly, development of a separate'hybrid network' including Ethernet for vehicle or CAN (Controller Area Network), Ethernet and Ethernet for vehicles is also being made.

On the other hand, as a factor that hinders the development of commercial vehicles applying V2X communication and IVN, there is a security threat based on intrusion of a communication network or a network network. 1 is a classification diagram for classifying types of security threats of vehicles. Attacks that threaten the security of a vehicle include an empowerment and non-authority anonymity attacks, an external attack based on the attack source, and an internal attack on elements inside the vehicle. Internal attacks are usually performed by an attacker by physically approaching the target vehicle, causing noticeable damage, while external attacks mainly involve sensor-based systems such as short-range RF communication, keyless entry systems, or tire pressure monitoring systems. It consisted of a foundation and had limited influence. However, as the intra-vehicle connectivity in the IVN environment and the inter-vehicle connectivity in the V2X environment increase, the influence of external attacks on the vehicle is expected to increase.

Accordingly, an intrusion detection methodology in IVN based on CAN bus is being developed. As one of the intrusion detection methodologies, a method of applying machine learning or deep learning algorithms was introduced, but these algorithms require high computing power to test traffic data and predict or determine whether an attack or intrusion has occurred. do. Accordingly, an off-load detection architecture has been proposed as an alternative, but the off-load detection architecture has a problem in compatibility with an on-load environment.

Even when an attack or intrusion is properly detected, a method of mitigating an attack or intrusion in response to this has been a problem. The mitigation methods previously proposed have not been suitable alternatives to attacks on IVN vehicles.

In other words, there is a lack of development of a technology framework to detect and respond appropriately to the dangers of vehicles supporting V2X and IVN. Currently, the intrusion detection system (IDS) installed in the vehicle has a limitation in that it supports only lightweight algorithms due to the limitation of the calculation capability of the vehicle system. Therefore, it is necessary to devise an Intrusion Response System (IRS) to provide intrusion detection and countermeasures overcoming the limitation of this computational capability.

The present disclosure uses a software-defined network (SDN) technology to detect and respond to an attack on an Ethernet-based in-vehicle network (IVN), and a method using the same. Present the system.

According to an aspect of the present disclosure, as an intrusion response system for an In-Vehicle Network (IVN), a flow entry in a flow table corresponding to an inflow packet is installed in the vehicle internal network. SDN support switch for controlling the flow of the introduced packet by referring to (entry); And an SDN controller that communicates with the SDN support switch, receives the introduced packet from the SDN support switch, and transmits an action corresponding to the introduced packet to the SDN support switch, wherein the SDN controller , The intrusion detection system (IDS) transmits the intrusion packet to determine whether it is an intrusion packet, and receives an action according to the determination result from the intrusion detection system as an action corresponding to the introduced packet. It provides an intrusion response system, characterized in that the transmission to the SDN support switch.

According to another aspect of the present disclosure, in a method for detecting and responding to vehicle intrusion using an SDN support switch installed in an In-Vehicle Network (IVN) and an SDN controller disposed outside the vehicle, the SDN support switch Transmitting a packet-in message including a packet introduced from the in-vehicle network to the SDN controller; Receiving, by the SDN controller, the packet-in message and transmitting it to an intrusion detection system (IDS); The SDN controller causing the intrusion detection system to determine whether the introduced packet is an intrusion packet, and receiving an action according to a determination result from the intrusion detection system; Transmitting, by the SDN controller, a packet-out message including an action according to the determination result to the SDN supporting switch; And controlling, by the SDN support switch, a flow of packets of the introduced packets based on an action according to the determination result.

According to another aspect of the present disclosure, in the intrusion response method of the present embodiment, the process of transmitting the packet-in message to the SDN controller includes no extracted flow entry, expired, or an action of the extracted flow entry. Provides an intrusion response method, characterized in that transmission is performed when an action field includes a forward to controller command.

The SDN switch of the present disclosure may simultaneously monitor and block traffic flowing into the vehicle internal network. That is, the SDN switch may selectively block traffic identified as an attack while monitoring traffic introduced into the vehicle based on a flow table.

According to the present disclosure, the determination of whether or not a packet entering the vehicle is an intrusion packet and the determination of the flow control action are determined remotely rather than from the vehicle internal network, thereby requiring high computing performance regardless of the vehicle internal environment. Intrusion packets can be detected based on the detection technology of, for example, deep learning or AI (Artificial Intelligence) methodology, and appropriate response commands can be presented according to the detection results. In addition, the intrusion detection system outside the vehicle makes it possible to change or update the detection algorithm or model in real time regardless of the vehicle environment.

Moreover, according to the present disclosure, it is possible to simultaneously and comprehensively monitor internal traffic generated by a plurality of vehicles in one place. This enables more precise attack detection by collecting ambiguous anomalies that are difficult to detect in a single vehicle and comparing them with normal traffic of other vehicles.

The technology of the present disclosure can also be applied by adding an SDN device to a general switch provided in an existing Ethernet-based vehicle. Accordingly, the technology of the present disclosure can be applied while minimizing a change in topology of an Ethernet-based vehicle internal network.

1 is a classification diagram for classifying types of security threats of vehicles.
2 is a conceptual diagram showing the architecture of a typical SDN.
FIG. 3 shows a configuration field of a flow entry constituting an SDN controller and an SDN device constituting the SDN system, and a flow table mounted on the SDN device.
4 is a conceptual diagram schematically showing the structure of an Intrusion Response System (IRS) according to an embodiment of the present invention.
5 is a conceptual diagram schematically illustrating the operation of an intrusion response system according to an embodiment of the present invention.
6A and 6B are diagrams illustrating an exemplary topology of an in-vehicle network according to an embodiment of the present invention.
7A and 7B are views showing a control plane topology of a centralized and distributed structure of an intrusion response system according to an embodiment of the present invention.
8A and 8B are diagrams illustrating a topology of an intrusion detection system (IDS) applicable to an intrusion response system (IRS) according to an embodiment of the present invention.
9A and 9B are flowcharts illustrating an event-driven intrusion detection method and a corresponding method according to the present embodiment.
10 is an exemplary diagram showing a use case scenario showing the usefulness of the intrusion response system according to the present disclosure.

Hereinafter, some embodiments of the present invention will be described in detail through exemplary drawings. In adding reference numerals to elements of each drawing, it should be noted that the same elements are assigned the same numerals as possible even if they are indicated on different drawings. In addition, in describing the present invention, if it is determined that a detailed description of a related known configuration or function may obscure the subject matter of the present invention, a detailed description thereof will be omitted.

In addition, in describing the constituent elements of the present invention, terms such as first, second, (a), (b) may be used. These terms are only used to distinguish the component from other components, and the nature, order, or order of the component is not limited by the term. Throughout the specification, when a part'includes' or'includes' a certain element, it means that other elements may be further included rather than excluding other elements unless otherwise stated. . In addition, the'... Terms such as'sub' and'module' mean a unit that processes at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software.

The detailed description to be disclosed hereinafter together with the accompanying drawings is intended to describe exemplary embodiments of the present invention, and is not intended to represent the only embodiments in which the present invention may be practiced.

In general, the present disclosure detects an attack on an Ethernet-based in-vehicle network (IVN) and further responds to it, using a software-defined network (SDN) technology. It relates to an intrusion response method and an intrusion response system.

A software-defined network (SDN) separates the control part of network devices such as switches and routers from the data transmission part, and provides an open interface that can define the functions of the network device to the outside. It is a technology that enables route setting, control, and management.

2 is a conceptual diagram showing the architecture of a typical SDN. The SDN architecture is defined as three layers including an application layer, a control layer, and an infrastructure layer. The application layer, the control layer, and the infrastructure layer are also referred to as an application plane, a control plane, and an infrastructure plane, or data plane, respectively. Each layer communicates with each other through an open interface. The open interface between the application layer and the control layer, referred to as "northbound API", is an API that enables the development of applications with various functions and communication with other operating tools, and usually uses the Restful API. An open interface between the control layer and the infrastructure layer referred to as "southbound API" is an interface for forwarding control, information collection, etc., for example, OpenFlow, OF-config, Netconf, and the like.

FIG. 3 shows a configuration field of a flow entry constituting an SDN controller and an SDN device constituting the SDN system, and a flow table mounted on the SDN device. The SDN controller, which is a logical entity, is disposed on the control plane of the SDN system, and the SDN device, which is a hardware device, is disposed on the data plane. The flow table mounted on the SDN device includes the following three main fields to process packets received by the SDN device. This includes packet header information (rule) defining a flow, an action indicating how to process a packet, and statistics for each flow. The control device can create the flow table inside the switch by using the Southbound API, which includes the function of registering or deleting a new flow.

4 is a conceptual diagram schematically showing the structure of an Intrusion Response System (IRS) according to an embodiment of the present invention.

As described above, the intrusion response system (IRS) 400 of the present disclosure uses a software defined network (SDN) technology. Since SDN is a virtualized architecture, its components do not need to be physically co-located. According to the intrusion response system 400 of the present disclosure, an in-vehicle network (IVN) having an SDN support switch 410 is disposed in the data plane of the SDN system, and the SDN controller (SDN) is disposed in the control plane of the SDN system. A controller 420 is placed, and an intrusion detection system (IDS) 430 is placed on the application plane of the SDN system.

The intrusion response system 400 determines whether an intrusion has occurred by analyzing the vehicle and the traffic generating the traffic, and separates a logical or physical entity that determines a response according to the determination result from the vehicle internal network. The operating entity of the intrusion detection system 430 may be different from the operating entity of the SDN controller 420.

The SDN support switch 410 provided in the in-vehicle network controls traffic generated in the in-vehicle network or traffic flowing into the in-vehicle network based on a flow table. The SDN controller 420 outside the vehicle connected through V2I communication with the vehicle receives suspicious traffic from the SDN support switch, and the intrusion detection system 430 determines whether the received traffic is an attacker's intrusion-related traffic. Accordingly, an action of the SDN supporting switch 410 for the suspected traffic may be determined.

5 is a conceptual diagram schematically illustrating the operation of an intrusion response system according to an embodiment of the present invention.

(STEP 1) Attack on vehicle: An attack occurs on the vehicle. An attack is an internal attack (e.g., a bad packet from a compromised ECU) or an external attack (e.g. from the Internet or a nearby vehicle via V2V communication).

(STEP 2) Information collection: The SDN support switch 410 collects packets coming from inside or outside, and the collected packets are transmitted to an external intrusion detection system (IDS) through the SDN controller 420.

(STEP 3) Intrusion detection: The intrusion detection system 430 analyzes incoming packets using various detection methodologies. If necessary, the intrusion detection system 430 may selectively transmit the detected attack information to another intrusion detection system (not shown) or an analysis system to make a more accurate decision. Such another intrusion detection system (not shown) or analysis system can perform in-depth packet inspection, network forensic, identification of the root cause of an attack, construction and distribution of some measures in the intrusion detection system 430, etc. .

(STEP 4) Action development: The SDN controller 420 receives an intrusion determination from the intrusion detection system 430 or an action according to the determination result.

(STEP 5) Intrusion response: The SDN support switch 410 develops a packet control operation (eg, packet drop, forwarding to a destination node, temporary blocking of an input source, etc.).

Hereinafter, functions and operations of the SDN support switch 410, the SDN controller 420, and the intrusion detection system 430 in the proposed intrusion response system 400 will be described in detail.

The SDN support switch 410 controls the flow of all traffic or packets (hereinafter referred to as "packets") that are mounted on the vehicle and flow into the vehicle's IVN or V2X communication. The SDN support switch 410 may be an SDN switch or a general switch combining SDN devices to operate in an SDN environment, but is not limited thereto. For example, if the flow of packets generated in the IVN or V2X environment mounted on the vehicle can be controlled, and can communicate with the SDN controller 420 of the control plane, the SDN support switch 410 according to the present embodiment can be. .

The SDN support switch 410 controls packets introduced to the SDN support switch 410 using the mounted flow table. According to an aspect of this embodiment, the SDN support switch 410 matches packet-related data such as port information with a rule field of each flow entry in the flow table to match a specific packet. Refers to or extracts a flow entry. Such matching depends on the specification of the Southbound API corresponding to the communication protocol between the SDN supporting switch 410 and the SDN controller 420. For example, as shown in FIG. 4, the rule field of the flow entry includes a switch port, a Mac source, an Ethernet type, a VLAN ID, and an IP source. I can. At this time, matching with packet data may be established by matching all specifications of the rule field, matching within a preset range, or matching more than a preset number. In this case, there may be a plurality of flow entries matching a specific packet.

When there is a flow entry matching the introduced packet, the SDN support switch 410 extracts the flow entry and executes a command of an action field of the flow entry. According to an aspect of the present embodiment, when there are a plurality of matching flow entries, the flow entry having the highest priority may be extracted using a priority field included in the flow entry.

When all packets flowing into the SDN support switch 410 are transmitted to the SDN controller 420, there may be a problem of invading personal information and wasting resources. Accordingly, according to an aspect of the present embodiment, an event-driven detection method in which a packet is transmitted only when a specific event occurs in packet transmission may be employed. In this case, the'event' means a case in which packet control cannot be performed with only the conventional flow table, such as when there is no flow entry matching the incoming packet or when the valid period of the matched flow entry has expired. . When such an event occurs, the SDN support switch 410 assumes that the incoming packet is a new intrusion packet that has not been determined by the intrusion response system 40 and drops the packet or the SDN controller for the purpose of intrusion detection. It can be sent to 420. When an event occurs, such packet transmission is forward to controller included in the action field of the table-miss entry by extracting the table-miss entry with the lowest priority in the flow table. 'Can be done by performing the command. Packet transmission includes all or part of the packets introduced by the SDN support switch 410 and data related to the packets, and is adaptively generated by the interface adopted by the SDN support switch 410 and the SDN controller 420. This may be accomplished by transmitting a packet-in message to the SDN controller 420. This event-driven intrusion detection method will be described later in detail with reference to FIGS. 9A and 9B.

According to another aspect of the present embodiment, by including a forwarding command to the controller in an action field of a flow entry matching a specific packet, the packet may be transmitted to the SDN controller 420 for monitoring.

The flow entry may further include not only the above-described rule field and action field, but also a statistics field (STATS field of FIG. 4 ). The statistics field is a field that collects or calculates and stores statistical data about a packet, and may include a counter field. The counter field counts the number of times the rule field of the flow entry and the introduced packet are matched, and may be initialized with a preset period or incrementally increased in some cases. Such a counter field may include a match counter that records the number of matches within a predetermined reference value with the incoming packet, or may further include a bytes counter that calculates the number of bytes per second of the matched packet. have.

The SDN support switch 410 may update the flow table only when a message is received from the SDN controller 420. The SDN support switch 410 fails until the connection with the SDN controller 420 is resumed when communication with the SDN controller 420 (eg, communication based on Southbound API) is disconnected or during a cold boot (eg, engine start). -Works in fail-safe mode. In fail-safe mode, the SDN support switch can control packet flow based on the flow table set by the vehicle manufacturer. In this case, the SDN support switch 410 operates as a common switch.

The SDN controller 420 receives a packet from the SDN support switch 410 and transmits it to the intrusion detection system 430, and receives the intrusion packet determination result and the corresponding action from the intrusion detection system 430 to receive the SDN support switch 410. ). Specifically, according to an aspect of the present embodiment, the SDN controller 420 is adaptively generated according to the specification of an interface (eg, Southbound API) used for communication with the SDN supporting switch 410, and includes all or part of the packet. A packet-in message is received. The SDN controller 420 adaptively transforms the received packet-in message to the specification of an interface (eg, northbound API) used for communication with the intrusion detection system 430 and transmits it to the intrusion detection system 430. The SDN controller 420 receives an action related to a packet flow from the intrusion detection system 430 and generates a packet-out message. The SDN controller 420 transmits a packet-out message to the SDN support switch 410 to cause the SDN support switch 410 to update the flow table or control the flow of the incoming packet corresponding to the packet-out message. do.

The SDN controller 420 may be an SDN controller or a general controller in which an SDN device is combined to operate in an SDN environment, but is not limited thereto. For example, if it can manage packets occurring in an IVN or V2X environment and communicate with a vehicle equipped with the SDN support switch 410 or the SDN support switch 410, the SDN controller 420 according to the present embodiment may be.

The SDN controller 420 may generate a new rule capable of filtering a corresponding packet according to a result of determining whether an action or an intrusion packet is received from the intrusion detection system 430 and further include it in the packet-out message. Such a new rule may be generated by receiving from the intrusion detection system 430 or an external device.

According to another aspect of the present embodiment, the SDN controller 420 may perform maintenance of Southbound API-based connections such as OpenFlow and one or more SDN support switches 410 mounted on one or more vehicles, flow table management, or packet statistics collection. have. The SDN controller 420 may also maintain one or more intrusion detection systems (such as 430 in FIG. 4) and northbound API-based connections such as ad-hoc API, RESTful API, or other programming interfaces.

The operation of the SDN controller 420 will be described using OpenFlow as an example.

The SDN controller 420 receives an OFPT_HELLO message with an identifier and a data path ID (DPID) according to the OpenFlow specification upon initial connection with the SDN support switch 410 to form a session.

When a table miss occurs, such as no flow entry matching the packet introduced into the flow table, the SDN support switch 410 transmits an OFPT_PACKET_IN message to the SDN controller 420. The message contains the packet that caused the table miss. The SDN controller transmits an OFPT_PACKET_IN message and an OFPT_PACKET_OUT message including a response (eg, an action) to the message to the SDN support switch 410. Before transmission, the SDN controller 420 may request the intrusion detection system 430 to determine whether the corresponding packet is an intrusion packet.

The SDN controller 420 may request flow statistics from the intrusion detection system 430 or the SDN support switch 410. For example, the SDN controller 420 periodically monitors the IVN of each vehicle to determine whether there is a network abnormality, and provides statistics of individual flow entries, multiple flow entries, or flow tables through messages such as OFPMP_FLOW, OFPMP_AGGREGATE or OFPMP_TABLE. It may be requested from a vehicle equipped with the SDN support switch 410 or the SDN support switch 410. Accordingly, the SDN controller 420 may receive a time stamp recording the number of packets on the IVN, the number of bytes, and the matching time with the introduced packets per flow entry.

The intrusion detection system 430 communicates with the SDN controller 420, receives a packet or a packet-in message including a packet from the SDN controller 420, determines whether it is an intrusion packet, and determines an action corresponding to the determination result. Then, it is transmitted to the SDN controller 420. For example, according to an aspect of the present embodiment, when the determination target packet is determined to be an intrusion packet, the intrusion detection system 430 may determine a command to drop the corresponding packet as an action. According to another aspect of the present embodiment, in the same case, the intrusion detection system 430 determines a packet drop of a corresponding type and a forwarding command to the controller as an action, thereby dropping a packet of the corresponding type on the network and delivering it to the SDN controller 420 The controller 420 may allow the packet of the corresponding type to be monitored.

Hereinafter, exemplary topologies of a data plane, a control plane, and an application plane of the proposed intrusion response system will be described with reference to FIGS. 6A, 6B, 7A, 7B, 8A, and 8B.

6A and 6B are diagrams illustrating an exemplary topology of an in-vehicle network according to an embodiment of the present invention.

6A shows an exemplary topology of a hybrid type of in-vehicle network (IVN). The illustrated in-vehicle network (IVN) includes an Ethernet-based LAN consisting of various Ethernet devices, infotainment, and one or more Electronic Control Units (ECUs) and SDN switches to which these devices are connected. Typically, high-speed data applications such as Advanced Driver-Assistance System (ADAS) and multimedia can be connected to the SDN switch via an Ethernet-based LAN. In addition, the illustrated in-vehicle network (IVN) includes a legacy CAN bus for some applications where Ethernet is not suitable, such as a power train system that requires message priority. Legacy CAN buses can be connected to SDN-capable switches via an ETH-CAN gateway, which supports communication between Ethernet and CAN buses. The SDN switch may perform communication with other devices, servers, systems, etc. including the SDN controller 420 located remotely through a V2I modem.

6B shows an exemplary topology of an Ethernet-based in-vehicle network (IVN). The illustrated in-vehicle network (IVN) includes 3 switches (Switch 1, Switch 2, Basic Switch 3) and 9 ECUs. It should be noted that the number of switches or the number of ECU devices may vary depending on how the topology is configured. In order to ensure that all packets generated by the ECU are passed through the switch to the destination node, each ECU must be connected to the switch alone, and multiple ECUs do not occupy a single line.

Switch 1 and Switch 2 are SDN support switches with the SDN function enabled. The two switches are connected to the SDN controller through a wireless modem, which is responsible for communication (V2I communication) between the vehicle and external infrastructure. When a connection with the SDN controller is established, Switch 1 and Switch 2 process packets of ECU 1 to ECU 6 based on an action received from the SDN controller, and cannot determine the action of each packet by themselves. However, when the connection with the SDN controller is disconnected because the wireless modem cannot perform its function, Switch 1 and Switch 2 operate like Basic Switch 3 to be described later. Accordingly, the vehicle based on the vehicle intrusion response system 400 according to the present embodiment can maintain normal operation even in an emergency (for example, fail-safe operation operation), and each function of the vehicle intrusion response system 400 is selectively applied. do.

Switch 1 and Switch 2 can block packets considered as attacks without passing them to other ECUs according to commands or actions received from the SDN controller, and further transmit them to the SDN controller for post-analysis. The determination of whether the packet is intrusion by an attacker is performed by an external intrusion detection system.

Basic Switch 3 is not a switch supporting SDN according to the present embodiment, but a basic switch that performs MAC address learning that has been applied to existing vehicles. Basic Switch 3 forwards the packet to one specific port when the destination of packets sent by ECU 7 to ECU 9 is known, and broadcasts to all ports when the destination is unknown. Basic Switch 3 does not support the packet information collection function for intrusion detection/response, and does not receive an action to control packet flow from an external device such as an SDN controller.

7A and 7B are views showing a control plane topology of a centralized and distributed structure of an intrusion response system according to an embodiment of the present invention.

Typically, the SDN controller disposed in the control plane can transmit and receive data from multiple in-vehicle SDN switches. 7A shows a centralized structure in which a single SDN controller manages all packets of a vehicle. In the intrusion detection system of the present disclosure, the original purpose can be achieved with only one SDN controller, but several SDN controllers may be installed and operated in consideration of latency and load balancing. 7B shows a distributed structure in which a plurality of SDN controllers located at bases manage one or more vehicles that are physically or logically close, respectively. For example, SDN controllers may be implemented on an edge cloud server or a fog server for each base. SDN controllers for each base can perform primary communication with vehicles that are physically or logically close, and pass the result to a centralized SDN controller. In the centralized architecture, a single SDN controller communicates with the intrusion detection system 430 using the Northbound API in the distributed architecture.

8A and 8B are diagrams illustrating a topology of an intrusion detection system (IDS) applicable to an intrusion response system (IRS) according to an embodiment of the present invention.

The recently proposed deep learning-based intrusion detection system requires more resources such as GPU to obtain precise detection results, and the computing system mounted on the vehicle has the minimum performance required for driving, so it is necessary to drive such an intrusion detection system. Inappropriate. The intrusion detection system deployed outside the vehicle no longer needs to consider the in-vehicle performance problem for calculating the intrusion detection algorithm. Accordingly, the proposed intrusion response system may employ an intrusion detection system that operates a precise intrusion detection algorithm requiring high computational capability, such as the deep learning algorithm illustrated in FIG. 8A.

In the proposed intrusion response system, several intrusion detection systems can be operated simultaneously. Each intrusion detection system (IDS) is responsible for intrusion detection for a specific protocol (eg, IDS 1 for SSH, IDS 2 for AVTP, IDS 3 for UDP), or different detection algorithms as illustrated in FIG. 8B. An ensemble technique using detection results of several intrusion detection systems in operation may be used.

Placing the intrusion detection system outside the vehicle rather than the vehicle internal network provides several flexibility in the operation of the intrusion response system. The intrusion detection system can be updated in real time regardless of the location or status of the vehicle to be analyzed. For example, the intrusion detection system can dynamically add, reconfigure, or cancel an intrusion detection model or algorithm even when the vehicle to be analyzed is running. In addition, when an individual vehicle is equipped with a new function or an attack pattern of a new pattern is known to an individual vehicle, the operator (service provider) may update the detection model using related data.

9A and 9B are flowcharts illustrating an event-driven intrusion detection method and a corresponding method according to the present embodiment.

The event-oriented algorithm drops the packet once and blocks the traffic from the source when a triggered event (e.g., a table miss of an incoming packet from an IVN or an expiration of a flow entry matching the incoming packet) occurs. By deciding the packet flow as an enemy, it is possible to respond appropriately to an attack.

9A shows a process in which the SDN support switch 410 and the SDN controller 420 perform event-driven intrusion detection.

As can be seen from FIG. 9A, when a vehicle (eg, CAV) to which the intrusion response system 400 according to the present embodiment starts driving, a packet flows from the IVN or V2X environment to the SDN support switch 410. (S900).

The SDN support switch 410 determines whether there is a flow entry having a rule field matching the packet introduced from the loaded flow table (S902).

If there is a matching flow entry, it is determined whether a packet drop command is included in the action field command of the flow entry (S904), and if there is no packet drop command, the action field command is executed (S906).

If there is a packet drop command, the corresponding packet is dropped and traffic is blocked (S912).

When there is no flow entry matching the incoming packet, or when the matched flow entry expires and consequently there is no matching flow entry, event information such as port number and a packet-in message including the packet are displayed outside the vehicle. It transmits to the SDN controller 420 of (S910), drops the corresponding packet, and blocks traffic from the corresponding source (S912).

The SDN controller 420 receives a packet-in message from the SDN support switch 410 (S920) and transmits it to the intrusion detection system 430 (S922).

The SDN controller 420 determines whether event-driven intrusion detection is based on a blacklist (S924), and when the blacklist is based, sends a packet-out message including a packet included in the packet-in message and a forwarding action. It transmits to the SDN support switch 410 (S926, S952). In blacklist-based intrusion detection, when a table miss occurs, the packet in question is regarded as not included in the blacklist and forwarded first. In this case, the attack is identified and the packet is dropped only after it is determined that the packet in question is an intrusion packet.

The SDN controller 420 does not send a packet-out message to the SDN support switch 410 when event-driven intrusion detection is not based on a black list, that is, based on a white list (S928), and the intrusion detection system ( After waiting for the determination result of 430), a packet-out message including an action determined according to the determination result is transmitted (S952). The packet-out message may further include a packet included in the packet-in message as needed. In the whitelist-based intrusion detection, when a table miss occurs, the packet in question is regarded as not included in the whitelist, and the flow of the packet is controlled according to the determination result later.

The SDN support switch S400 receives the packet-out message (S960) and updates the flow table (S962). Such an update may be performed by adding a new flow entry, updating expiration information of an expired flow entry or each field of a flow entry, or by leaving the flow table as it is if there is no content to be updated.

When a packet is included in the received packet-out message (S964), the SDN support switch S400 controls the packet flow according to an action included in the packet-out message (S966).

9B shows a process in which the intrusion detection system 430 performs event-driven intrusion detection.

The intrusion detection system 430 receives a packet-in message from the SDN controller 420 (S930) and performs intrusion detection (S932).

When it is determined that the packet included in the packet-in message is not an intrusion packet (S934), when the intrusion detection is based on a blacklist (S936), the intrusion detection system 430 does not designate an action for the packet (S937). This is because the SDN controller 420 has already transmitted a packet-out message including a forwarding action in steps S926 and S952. In this case, the intrusion detection system 430 does not transmit the determination result to the SDN controller 420.

When intrusion detection is not based on a blacklist (S936), that is, based on a whitelist, a forwarding command is included in the action (S938).

When it is determined that the packet included in the packet-in message is an intrusion packet (S934), the intrusion detection system 430 includes a drop command in the action of the packet (S940).

The intrusion detection system 430 transmits a packet action to the SDN controller S420 as a result of the determination (S942). Such transmission data may include the packet itself, data related to the packet, and a determination result.

10 is an exemplary diagram showing a use case scenario showing the usefulness of the intrusion response system according to the present disclosure.

(1) Whenever an attack is detected, all vehicles transmit the detected attack information to the intrusion detection system through the SDN controller on the cloud server or fog server. In this case, the RSU can relay communication between adjacent vehicles and each server. The communication methods of RSU are NFC (Near Field Communication) method, Bluetooth Low Energy (BLE), Wireless LAN (WIFI), Ultra Wideband (UWB), Radio Frequency, Infrared Data Association (IrDA). ), Zigbee, LTE, and 5G.

(2) Any one of the vehicles to which the intrusion response system or method of the present disclosure is applied (a) When the vehicle is under attack, the IDS mounted on the vehicle transmits the attack traffic information or the packet concerned with the attack to a cloud server or a fog server. Send to the road.

(3) The SDN controller on the cloud server or fog server sends attack traffic information or packets to the intrusion detection system, and the intrusion detection system analyzes the data. When it is determined that there is an attack, the intrusion detection system (a) sends a warning command to drive by bypassing the vehicle to each vehicle through the SDN controller.

(4) When V2V (Vehicle-to-Vehicle) communication is activated, (a) the vehicle can share its state with other adjacent vehicles.

(5) When remote control by an external device is allowed, at the request of a cloud server or fog server, the external device can (a) control the vehicle to slow down and pull.

In FIGS. 5, 9A and 9B, it is described that each process is sequentially executed, but this is merely illustrative of the technical idea of an embodiment of the present invention. In other words, those of ordinary skill in the technical field to which an embodiment of the present invention belongs can change the order shown in FIGS. 5, 9A and 9B without departing from the essential characteristics of the embodiment of the present invention. Since one or more of the processes are executed in parallel and can be modified and modified in various ways, it is not limited to the time series order of FIGS. 5, 9A, and 9B.

Various implementations of the systems and techniques described herein include digital electronic circuits, integrated circuits, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), computer hardware, firmware, software, and/or their It can be realized in combination. These various implementations may include being implemented as one or more computer programs executable on a programmable system. The programmable system comprises at least one programmable processor (which may be a special purpose processor) coupled to receive data and instructions from and to transmit data and instructions to and from a storage system, at least one input device, and at least one output device. Or a general purpose processor). Computer programs (which are also known as programs, software, software applications or code) contain instructions for a programmable processor and are stored on a "computer-readable recording medium".

The computer-readable recording medium includes all kinds of recording devices that store data that can be read by a computer system. Such computer-readable recording media are non-volatile or non-transitory, such as ROM, CD-ROM, magnetic tape, floppy disk, memory card, hard disk, magneto-optical disk, storage device, etc. It may further include a transitory medium such as a medium or a data transmission medium. In addition, the computer-readable recording medium may be distributed over a computer system connected through a network, and computer-readable codes may be stored and executed in a distributed manner.

Various implementations of the systems and techniques described herein may be implemented by a programmable computer. Here, the computer includes a programmable processor, a data storage system (including volatile memory, nonvolatile memory, or other types of storage systems or combinations thereof), and at least one communication interface. For example, the programmable computer may be one of a server, a network device, a set-top box, an embedded device, a computer expansion module, a personal computer, a laptop, a personal data assistant (PDA), a cloud computing system, or a mobile device.

The above description is merely illustrative of the technical idea of the present embodiment, and those of ordinary skill in the technical field to which the present embodiment belongs will be able to make various modifications and variations without departing from the essential characteristics of the present embodiment. Accordingly, the present exemplary embodiments are not intended to limit the technical idea of the present exemplary embodiment, but are illustrative, and the scope of the technical idea of the present exemplary embodiment is not limited by these exemplary embodiments. The scope of protection of this embodiment should be interpreted by the following claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present embodiment.

400: Intrusion Response System (IRS)
410: SDN support switch
420: SDN controller
430: Intrusion Detection System (IDS)

Claims (12)

As an intrusion response system for the In-Vehicle Network (IVN),
An SDN support switch installed in an in-vehicle network and controlling a flow of the introduced packet by referring to a flow entry in a flow table corresponding to the introduced packet; And
SDN controller that communicates with the SDN support switch, receives the introduced packet from the SDN support switch, and transmits an action corresponding to the introduced packet to the SDN support switch
Including,
The SDN controller transmits the introduced packet to an intrusion detection system (IDS) to determine whether it is an intrusion packet, and receives an action according to the determination result from the intrusion detection system to respond to the introduced packet. As an action to be transmitted to the SDN supporting switch
Intrusion response system, characterized in that. The method of claim 1,
The flow entry includes a rule field, an action field, and a counter field,
The SDN support switch,
By matching the data of the introduced packet with the rule field of each flow entry in the flow table, a flow entry with a matching number or matching range equal to or greater than a predetermined reference value is extracted, the counter field of the extracted flow entry is updated, and the extracted flow Intrusion response system, characterized in that for controlling the flow of the introduced packet according to the action field of the entry. The method of claim 1,
When communication between the SDN support switch and the SDN controller is connected, the SDN support switch updates the flow table by receiving the action from the SDN controller,
When communication between the SDN support switch and the SDN controller is cut off or the vehicle is cold booted, the SDN support switch is a common switch and controls the incoming packets based on a preset flow table. Intrusion response system, characterized in that. In a method for detecting and responding to vehicle intrusion using an SDN support switch installed in an in-vehicle network (IVN) and an SDN controller arranged outside the vehicle,
Transmitting, by the SDN support switch, a packet-in message including a packet introduced from the in-vehicle network to the SDN controller;
Receiving, by the SDN controller, the packet-in message and transmitting it to an intrusion detection system (IDS);
The SDN controller causing the intrusion detection system to determine whether the introduced packet is an intrusion packet, and receiving an action according to a determination result from the intrusion detection system;
Transmitting, by the SDN controller, a packet-out message including an action according to the determination result to the SDN supporting switch; And
The process of controlling the packet flow of the introduced packet based on an action according to the determination result by the SDN supporting switch
Intrusion response method comprising a. The method of claim 4,
And extracting, by the SDN supporting switch, a flow entry matching the introduced packet from a flow table. The method of claim 5,
The flow entry includes a rule field,
The process of extracting a flow entry matching the introduced packet,
And extracting a flow entry having a matching number or matching range equal to or greater than a predetermined reference value by matching the data of the introduced packet with the rule field of each flow entry. The method of claim 6,
The flow entry further includes a priority field,
When a plurality of flow entries are extracted, the process of extracting a flow entry matching the introduced packet,
And extracting any one flow entry matching the introduced packet based on a priority field of each flow entry. The method of claim 6,
The process of transmitting the packet-in message to the SDN controller,
Transmission is performed when there is no extracted flow entry, an event indicating that the extracted flow entry has expired, or a forward to controller command is included in the action field of the extracted flow entry. Intrusion response method, characterized in that. The method of claim 8,
In the process of transmitting the packet-in message to the SDN controller, when the event occurs, the introduced packet is dropped,
When it is determined that the introduced packet is not an intrusion packet, the packet-out message further includes the introduced packet. The method of claim 9,
When the introduced packet is an intrusion packet, the packet-out message further includes a new rule capable of extracting the introduced packet. The method of claim 4,
Before the SDN controller receives the action according to the determination result from the intrusion detection system, the process of transmitting a packet-out message including the incoming packet and an action instructing forwarding to the SDN supporting switch
Intrusion response method comprising a further. The method of claim 4,
The process of updating the flow table based on the packet-out message by the SDN support switch
Intrusion response method comprising a further.

Images