KR20230081562A - Method and apparatus for detecting attacking ecu using can traffic monitoring - Google Patents

Abstract

According to an embodiment of the present disclosure, a method for detecting an attack ECU using CAN traffic monitoring performed by at least one processor includes a packet including an attack identifier transmitted to a CAN bus by an attack ECU among a plurality of ECUs associated with a processor. Converting the attack ECU into an error passive state by generating at least one collision with respect to the ECU, wherein the priority is the highest among at least one identifier assigned to any ECU among the plurality of ECUs while the attack ECU maintains the error passive state. Generating a plurality of collisions for a packet including a high priority identifier and a packet including an identifier having a lower priority than the highest priority identifier between each of a plurality of error frames transmitted to the CAN bus by the plurality of collisions. case, determining that any ECU is an attack ECU switched to an error passive state.

Description

Attack ECU detection method and apparatus using CAN traffic monitoring

The present disclosure relates to a CAN (Controller Area Network) traffic monitoring method, and more particularly, to a CAN traffic monitoring method, system, and device for detecting an attack ECU (Electronic Control Unit) by utilizing a CAN error handling mechanism. .

CAN (Controller Area Network) is a representative vehicle network and is a protocol composed of a bus-type network topology. CAN was established as an international standard (ISO 11898) by ISO in 1993 due to advantages such as low wiring cost and light weight.

CAN uses a broadcast communication method, but there is a disadvantage that it is vulnerable to packet injection attacks because security techniques are not applied. Recently, as the technology provided by the vehicle and the communication with the outside increase, many cases of attack on the internal network of the vehicle are occurring. Recently, as technology provided by vehicles and communication with the outside have increased, security threats to the internal network of vehicles have increased. Accordingly, many security solutions have been proposed to cope with vehicle attacks.

In order to solve the above problems, the present disclosure provides a CAN traffic monitoring method, system, and apparatus for detecting an attack ECU by utilizing a CAN error handling mechanism.

According to an embodiment of the present disclosure, a method for detecting an attack ECU using CAN traffic monitoring performed by at least one processor includes a packet including an attack identifier transmitted to a CAN bus by an attack ECU among a plurality of ECUs associated with a processor. Converting the attack ECU into an error passive state by generating at least one collision with respect to the ECU, wherein the priority is the highest among at least one identifier assigned to any ECU among the plurality of ECUs while the attack ECU maintains the error passive state. Generating a plurality of collisions for a packet including a high priority identifier and a packet including an identifier having a lower priority than the highest priority identifier between each of a plurality of error frames transmitted to the CAN bus by the plurality of collisions. case, determining that any ECU is an attack ECU switched to an error passive state.

According to an embodiment, a packet including an identifier having a low priority may include a packet transmitted to the CAN bus by an ECU other than any ECU among a plurality of ECUs.

According to an embodiment, a packet including an identifier having a low priority may include background traffic.

According to one embodiment, when a packet including an identifier having a lower priority than the highest priority identifier exists between each of a plurality of error frames transmitted to the CAN bus due to a plurality of collisions, it is determined that an arbitrary ECU is an attacking ECU. The step of detecting a packet including an identifier having a low priority existing between each of a plurality of error frames, and determining a probability that a packet including an identifier having a priority lower than the highest priority identifier exists based on the detected result. Calculating and based on the calculated probability, determining that any ECU is an attacking ECU.

According to one embodiment, the step of converting the attack ECU into an error passive state by generating at least one collision with respect to a packet including an attack identifier transmitted to the CAN bus by an attack ECU among a plurality of ECUs connected to the processor, Obtaining data associated with a plurality of identifiers assigned to a plurality of ECUs connected to, identifying an attack identifier based on the obtained data, and generating at least one collision for packets including the attack identifier to attack the ECU It may include converting to an error passive state.

According to one embodiment, a priority order among a plurality of assigned identifiers may be predetermined.

According to one embodiment, the step of converting the attacking ECU into an error passive state by generating at least one collision with respect to a packet including an attack identifier transmitted to the CAN bus by the attacking ECU among a plurality of ECUs connected to the processor, Generating at least one collision with respect to the packet including the identifier, converting the count value of the register included in the attack ECU whenever transmission of the packet including the attack identifier fails due to collision, and converted count value and converting the attack ECU into an error passive state based on a result of comparing the count value with the reference count value.

According to one embodiment, when the attack ECU that has been switched to the error passive state continuously transmits random first packets and second packets, the attack ECU that has transmitted the first packet stops transmitting packets for a certain period of time and then It may be configured to transmit the second packet.

According to an embodiment, a packet including an identifier having a low priority may be determined as a packet to be transmitted to the CAN bus within a predetermined time when the attacking ECU stops transmission of the packet.

According to another embodiment of the present disclosure, a computer program recorded on a computer-readable recording medium may be provided to execute an attack ECU detection method using CAN traffic monitoring.

According to another embodiment of the present disclosure, an attack ECU detection apparatus using CAN traffic monitoring includes at least one processor, and at least one processor is transmitted to a CAN bus by an attack ECU among a plurality of ECUs connected to the processor. At least one identifier allocated to any ECU among the plurality of ECUs while the attack ECU is converted to an error passive state by generating at least one collision with respect to a packet including the attack identifier, and the attack ECU is in an error passive state. A plurality of collisions are generated for a packet including the highest priority identifier among the plurality of collisions, and an identifier having a lower priority than the highest priority identifier is generated between each of a plurality of error frames transmitted to the CAN bus by the plurality of collisions. If the packet is present, it may be configured to execute instructions to determine that any ECU is an attacking ECU that has transitioned to an error passive state.

According to some embodiments of the present disclosure, it is possible to easily detect an attacking ECU by utilizing an error handling mechanism of CAN.

According to some embodiments of the present disclosure, by detecting an attacking ECU using an error processing mechanism of CAN, it is possible to compensate for the disadvantage of CAN that is vulnerable to packet injection attacks because no security technique is applied.

According to some embodiments of the present disclosure, it is possible to improve the security of CAN by detecting an attack on a vehicle's internal network that frequently occurs as communication with the outside and technology provided by a vehicle has recently increased.

1 shows an example of a Controller Area Network (CAN) system according to an embodiment of the present disclosure.
2 is an example for explaining a CAN bus occupation method according to an embodiment of the present disclosure.
3 is an example illustrating an error handling mechanism of CAN according to an embodiment of the present disclosure.
4 shows an example of a CAN system for detecting an attack ECU according to an embodiment of the present disclosure.
FIG. 5 shows an example in which 5 consecutive collisions occur in data transmitted by a plurality of nodes, respectively, according to an embodiment of the present disclosure.
FIG. 6 shows an example of measuring the probability of occurrence of a priority reduction phenomenon when an error occurs (n*30) times in an ECU in a passive state in a laboratory environment according to an embodiment of the present disclosure.
FIG. 7 illustrates an example of measuring the probability of occurrence of a priority reduction phenomenon when an error occurs in an ECU in a passive state (n*30) times in an actual vehicle environment experiment according to an embodiment of the present disclosure.
8 shows an example of an attack ECU detection method using CAN traffic monitoring according to an embodiment of the present disclosure.

Hereinafter, specific details for the implementation of the present disclosure will be described in detail with reference to the accompanying drawings. However, in the following description, if there is a risk of unnecessarily obscuring the gist of the present disclosure, detailed descriptions of well-known functions or configurations will be omitted.

In the accompanying drawings, identical or corresponding elements are given the same reference numerals. In addition, in the description of the following embodiments, overlapping descriptions of the same or corresponding components may be omitted. However, omission of a description of a component does not intend that such a component is not included in an embodiment.

Advantages and features of the disclosed embodiments, and methods of achieving them, will become apparent with reference to the following embodiments in conjunction with the accompanying drawings. However, the present disclosure is not limited to the embodiments disclosed below and may be implemented in various different forms, only the present embodiments make the present disclosure complete, and the present disclosure fully covers the scope of the invention to those skilled in the art. It is provided only to inform you.

Terms used in this specification will be briefly described, and the disclosed embodiments will be described in detail. The terms used in this specification have been selected from general terms that are currently widely used as much as possible while considering the functions in the present disclosure, but they may vary according to the intention of a person skilled in the related field, a precedent, or the emergence of new technology. In addition, in a specific case, there is also a term arbitrarily selected by the applicant, and in this case, the meaning will be described in detail in the description of the invention. Therefore, terms used in the present disclosure should be defined based on the meaning of the term and the general content of the present disclosure, not simply the name of the term.

Expressions in the singular number in this specification include plural expressions unless the context clearly dictates that they are singular. Also, plural expressions include singular expressions unless the context clearly specifies that they are plural. When it is said that a certain part 'includes' a certain element in the entire specification, it means that other elements may be further included without excluding other elements unless otherwise stated.

Also, the term 'module' or 'unit' used in the specification means a software or hardware component, and the 'module' or 'unit' performs certain roles. However, 'module' or 'unit' is not meant to be limited to software or hardware. A 'module' or 'unit' may be configured to reside in an addressable storage medium and may be configured to reproduce one or more processors. Thus, as an example, 'module' or 'unit' refers to components such as software components, object-oriented software components, class components, and task components, processes, functions, properties, It may include at least one of procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, or variables. Functions provided within components and 'modules' or 'units' may be combined into a smaller number of components and 'modules' or 'units', or further components and 'modules' or 'units'. can be further separated.

According to an embodiment of the present disclosure, a 'module' or 'unit' may be implemented as a processor and a memory. 'Processor' should be interpreted broadly to include general-purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, and the like. In some circumstances, 'processor' may refer to an application specific integrated circuit (ASIC), programmable logic device (PLD), field programmable gate array (FPGA), or the like. 'Processor' refers to a combination of processing devices, such as, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in conjunction with a DSP core, or a combination of any other such configurations. You may. Also, 'memory' should be interpreted broadly to include any electronic component capable of storing electronic information. 'Memory' includes random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erasable-programmable read-only memory (EPROM), It may also refer to various types of processor-readable media, such as electrically erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, and the like. A memory is said to be in electronic communication with the processor if the processor can read information from and/or write information to the memory. Memory integrated with the processor is in electronic communication with the processor.

1 shows an example of a controller area network (CAN) system 100 according to an embodiment of the present disclosure. Here, the CAN system 100 may refer to a network system designed to allow microcontrollers and/or devices (ie, Electronic Control Units (ECUs)) to communicate with each other in a vehicle without a host computing device. In addition, the CAN system 100 may refer to a protocol composed of a network topology in the form of a bus established as an international standard (ISO 11898) due to advantages such as low wiring cost and light weight. As shown, the CAN system 100 may include a CAN bus 110 and a plurality of ECUs 120 to 170. Meanwhile, the CAN system 100 may be implemented as a program and/or instruction(s) and performed by at least one processor.

According to one embodiment, the CAN bus 110 may be connected to each of the plurality of ECUs 120 to 170. Specifically, the CAN bus 110 may be connected to each of the plurality of ECUs 120 to 170 to provide a communication path between the plurality of ECUs 120 to 170 . For example, the CAN bus 110 may receive data (or packets) from the first ECU 120 . Accordingly, the received data may occupy the CAN bus 110. Then, the CAN bus 110 may transmit data occupying the CAN bus 110 to the destination.

According to one embodiment, at least one identifier may be assigned to each of the plurality of ECUs 120 to 170 . In this case, the assigned identifier may be displayed on a part of data (or packet) transmitted by each of the plurality of ECUs 120 to 170 . On the other hand, the attack CAN system 100 may obtain / infer data about identifiers (or identifier sets) assigned to each of the plurality of ECUs 120 to 170 . Accordingly, the attack CAN system 100 can identify an attack identifier that is not pre-assigned to the plurality of ECUs 120 to 170 (ie, an identifier used by the attack ECU) using data on the obtained/inferred identifiers. there is. To this end, the CAN system 100 may use a CAN-bus mapper, but is not limited thereto, and all conventional techniques for identifying an attack identifier may be used.

According to one embodiment, the CAN system 100 may detect data (or packets) transmitted by an attacking ECU among a plurality of ECUs 120 to 170 . To this end, the CAN system 100 may use IDS (Intrusion Detection System), which is a technology for detecting an attacking ECU based on characteristics such as the ECU's clock skew and/or CAN packet cycle, but is not limited thereto. Any conventional technique for detecting transmitted data may be used.

According to one embodiment, each of the plurality of ECUs 120 to 170 may periodically transmit data (or packets) to the CAN bus 110 . For example, the first ECU 120 may transmit the first data to the CAN bus 110 at every first time interval. For another example, the second ECU 130 may transmit the second data to the CAN bus 110 at every second time interval. Additionally, each of the plurality of ECUs 120 to 170 may continuously transmit data (or packets) to the CAN bus 110 . For example, the first ECU 120 may successively transmit 1-1 data, 1-2 data, and 1-3 data to the CAN bus 110 according to a predetermined order.

According to one embodiment, the plurality of ECUs 120 to 170 may transmit data to the CAN bus 110 in parallel. For example, the first ECU 120 and the second ECU 130 may transmit data to the CAN bus 110, respectively. That is, each of the plurality of ECUs 120 to 170 may attempt to transmit data to the CAN bus 110 at the same/similar time point. In this case, the CAN system 100 may determine data to occupy the CAN bus 110 first based on a predetermined priority of one or more identifiers (IDs) assigned to each of the plurality of ECUs 120 to 170. there is.

As described above, even if data is transmitted to the CAN bus 110 from several ECUs at the same time, the CAN bus 110 is occupied from the data having the identifier with the highest priority according to the algorithm inside the system 100 for determining the priority. do. However, by an algorithm for processing data transmission errors applied to the system 100, a priority reduction phenomenon in which data having a lower priority identifier occupies the CAN bus 110 before data having a higher priority identifier. this can happen The present disclosure proposes a method of tracking the attack ECU 120 through the monitoring ECU 170 using such an error handling algorithm, and a description of this method will be described later in detail in FIGS. 2 to 8 .

2 is an example for explaining a CAN bus occupation method according to an embodiment of the present disclosure. The CAN bus occupation method may be performed through an arbitration field 210 of data (or packets) 200 transmitted by an ECU (eg, ECUs 120 to 170). For example, by performing a bitwise arbitration operation on the bits of the arbitration area 210 of the data (or packet) 200 and the bits of the arbitration area of other data (not shown), data (or packets) ) 200 (that is, the priority of the identifier of the corresponding data) may be determined.

3 is an example illustrating an error handling mechanism 300 of CAN according to an embodiment of the present disclosure. According to one embodiment, each ECU (eg, the ECUs 120 to 170) may include a register. For example, the ECU includes a TEC (Transmission Error Counter) register for counting data (or packet) transmission failures of the corresponding ECU and/or a REC (Receive Error Counter) register for counting data reception failures of the corresponding ECU. can do.

According to one embodiment, when the ECU fails to transmit data, it may transmit an error frame indicating data transmission failure. For example, when a collision occurs in data transmitted by the ECU, the corresponding ECU may transmit an error frame indicating data transmission failure to the CAN bus (eg, the CAN bus 110). At the same time, the value of the TEC register of the corresponding ECU may increase by 8, and the value of the REC register of the ECU to receive data from the corresponding ECU may increase by 1. According to another embodiment, when the ECU successfully transmits data, values of the TEC register of the corresponding ECU and the REC register of the ECU receiving data from the corresponding ECU may be decreased by 1. In this way, based on the values of the TEC register and/or the REC register that change according to data transmission or failure of the ECU, the error state of the corresponding ECU is an error active state 310 and an error passive state. 320 or a bus off state 330 may be determined. In general, the error state of the ECU can remain in the error active state 310 . When the error state of the ECU is the error active state 310, the corresponding ECU can transmit data periodically/continuously without a separate suspend transmission. On the other hand, when the error state of the ECU is the error passive state (320), the ECU is configured to have a waiting time whenever it continuously transmits data, and when the ECU is in the bus off state (330), the data transmission is stopped and mandatory standby is performed. It may return to the error active state 310 with time or through a reset of the ECU hardware.

4 shows an example of a CAN system 400 for detecting an attack ECU according to an embodiment of the present disclosure. As shown, the CAN system 400 may include a CAN bus 410, a plurality of ECUs 420 to 460, and a monitoring ECU 470. Also, the monitoring ECU 470 may include an error module 472 and a monitoring module 474 . Such a CAN system 400 may be driven to identify the attack ECU 430 when attack data (ie, data transmitted by the attack ECU 430) is detected. Here, the attack data may refer to data having identifiers not assigned to the plurality of ECUs 420 to 460 as described above with reference to FIG. 1 . Meanwhile, the CAN system 400 may be implemented as a program and/or instruction(s) and performed by at least one processor.

According to an embodiment, when attack data (or attack packets) is detected, the CAN system 400 may intentionally fail transmission of the attack data by generating at least one collision with respect to the attack data. Accordingly, the attack ECU 430 may switch to an error passive state at a specific point in time according to an error handling mechanism (eg, the error handling mechanism 300).

According to one embodiment, the monitoring ECU 470 receives an identifier having the highest priority among identifier(s) assigned to each of the plurality of ECUs 420 to 460 while the attacking ECU 430 maintains an error passive state. You can choose. Then, the error module 472 may generate n (where n is a natural number of 2 or more) consecutive collisions to the data having the highest priority identifier of each of the plurality of ECUs 420 to 460 . For example, the error module 472 sends n times to the data having the highest identifier assigned to each of the first ECU 420, the second ECU 440, the third ECU 450, and the fourth ECU 460. It is possible to generate continuous collisions, and generate n consecutive collisions to data having the highest priority identifier of the attacking ECU 430 . Accordingly, in each of the plurality of ECUs 420 to 460, (maximum) n times of data transmission failures due to n consecutive collisions occur, and accordingly, each of the plurality of ECUs 420 to 460 has up to n consecutive errors. The frame may be transmitted to the CAN bus 410.

According to an embodiment, the monitoring module 474 may monitor consecutive error frames generated according to n consecutive collisions. In this process, the error state of the ECU described above in FIG. 2 may be considered. Specifically, when the error state of the ECU is in the error active state, the ECU transmits data periodically/continuously without a separate Suspend Transmission, and when the error state of the ECU is in the error passive state, the ECU continuously transmits data It can be considered that it is configured to have a waiting time whenever transmitting.

FIG. 5 shows an example in which each of the plurality of nodes 510 to 560 generates 5 consecutive collisions (ie, n=5) in data transmitted according to an embodiment of the present disclosure. In FIG. 5, data (ID _HP , ID _LP , or Error Frame) continuously observed over time is displayed on each node 510 to 560. Here, (a) of FIG. 5 is an example of five consecutive collisions generated by a monitoring ECU (not shown) in the first target node 510 in an error active state. Meanwhile, a 'node' used in the present disclosure may be interpreted as a 'module' constituting a network such as an I/O device, a CAN interface, an embedded computer, and the like. Therefore, 'node' in the present disclosure may be replaced with 'ECU' and interpreted the same.

According to an embodiment, the first target node 510 in an error active state may initiate the first transmission 512 of the first data ID _HP having the highest identifier. In this case, the first transmission 512 of the first data (ID _HP ) fails due to the first collision with the first data (ID _HP ) of the monitoring ECU (not shown). Then, the first target node 510 performs the first transmission 532 of the error frame according to the failure of the first transmission 512 of the first data ID _HP to the CAN bus 530. can

According to an embodiment, the first target node 510 in an error active state having failed in the first transmission 512 of the first data ID _HP will receive the first data ID HP after a predetermined time (ie, period) has elapsed. _HP ) may initiate a second transmission 514 . Even in this case, the second transmission 514 of the first data (ID _HP ) fails due to the second collision with respect to the first data (ID _HP ) of the monitoring ECU. Then, the first target node 510 may start the third transmission 516 of the first data (ID _HP ) again after a predetermined time has elapsed. At this time, the other node 520 may initiate fourth transmission 522 of the second data (ID _LP ) having a lower priority than the highest identifier of the first data (ID _HP ). That is, the third transmission 516 of the first data ID _HP and the fourth transmission 522 of the second data ID _LP may be started at the same/similar time point.

On the other hand, as described above in FIG. 1, the system (eg, CAN system 100, CAN system 400) transmits a plurality of data occurring in parallel at the same / similar time point, the identifier of each of the plurality of data It can be processed based on priority among them. Accordingly, the system selects data having a higher priority among the third transmission 516 of the first data (ID _HP ) and the fourth transmission 522 of the second data (ID _LP ) occurring at the same/similar time point. The third transport 516, which is a transport, may be processed with priority. However, the third transmission 516 of the first data (ID _HP ) also fails due to the third collision of the monitoring ECU, and the first target node 510 in the error active state sends the first data (ID HP ) to the CAN bus 530. When the third transmission 516 of _HP fails, the third transmission 534 of the error frame is performed.

After the transmission of the first data (ID _HP ) 5 times and the collision 5 times are completed through the above process, as shown, the CAN bus 530 generates 5 errors due to the 5 times of transmission failure of the 1st data (ID _HP ). frame can be received. Then, the system may complete reception 562 of the second data ID _LP by processing the fourth transmission 522 of the second data ID _LP that has not yet been transmitted. Meanwhile, the second data (ID _LP ) may refer to data transmitted by other nodes 520 different from the first target node 510 transmitting the first data (ID _HP ). Also, the second data ID _LP may refer to background traffic existing in a system (eg, the CAN system 100 or the CAN system 400).

5(b) is an example in which five consecutive collisions occurred by the monitoring ECU (not shown) in the second target node 540 in the error passive state.

According to an embodiment, the second target node 540 in an error passive state may initiate transmission of third data (ID _HP ) having a top priority identifier. However, transmission of the third data (ID _HP ) 5 times fails due to 5 collisions of the monitoring ECU. However, since the second target node 540 is in an error-passive state, after transmitting the third data (ID _HP ) and the error frame and having a waiting time (542 to 548), the third data (ID _HP ) and the error frame will perform retransmission of . Therefore, another node 550 transmits 552 the fourth data (ID _LP ) having a lower priority than the identifier of the third data (ID _HP ) by reducing the second waiting time 544 of the ECU in the error passive state. If it starts within, the system processes the transmission 552 of the fourth data ID _LP , and as a result, the reception 562 of the fourth data ID _LP of the CAN bus 560 may be performed. That is, in a situation in which transmission of the third data (ID _HP ) having a high priority is not completed, a priority reduction phenomenon in which transmission 552 of the fourth data (ID _LP ) having a low priority is completed may occur.

According to an embodiment, the system detects a priority reduction phenomenon through a monitoring module (eg, the monitoring module 474), so that a node in an error passive state, which is a collision target of the error module (eg, the error module 472), attacks. It can be determined that it is a node (eg, the attack ECU 130 or the attack ECU 430). Meanwhile, the fourth data (ID _LP ), like the second data (ID _LP ), is transmitted by other nodes (550) different from the second target node 540 transmitting the third data (ID _HP ). It can refer to data that In addition, the fourth data (ID _LP ) may refer to background traffic existing in a system (eg, the CAN system 100 or the CAN system 400).

FIG. 6 shows an example of measuring the probability of occurrence of a priority reduction phenomenon when an error occurs (n*30) times in an ECU in a passive state in a laboratory environment according to an embodiment of the present disclosure. As shown, it can be confirmed that the priority reduction phenomenon occurs with a probability of about 60%, 80%, and 100% at a bus load of 50%, 75%, and 100%. That is, through this experiment, it can be confirmed that the probability of occurrence of the priority reduction phenomenon increases in proportion to the number of consecutive collisions and the bus load.

FIG. 7 shows an example of measuring the probability of occurrence of a priority reduction phenomenon when an error occurs in an ECU in a passive state (n*30) times in an actual vehicle environment experiment according to an embodiment of the present disclosure. As shown, when the number of consecutive collisions was 4, 5, and 6 at a bus load of 45.4% of Vehicle A, a priority reduction phenomenon occurred with a probability of about 30%, 40%, and 50%. Through this experiment, it can be confirmed that the priority reduction phenomenon according to the method of the present disclosure also occurs in an actual vehicle. In addition, it can be expected that when the bus load is increased through the experimental equipment, the priority reduction phenomenon can be obtained with high probability, similar to the result in the laboratory environment of FIG. 7 .

8 shows an example of an attack ECU detection method 800 using CAN traffic monitoring according to an embodiment of the present disclosure. Method 800 may be performed by at least one processor executing a program and/or instruction(s) constituting an attack ECU detection system (eg, system 100, system 400). In the method 800, converting the attack ECU into an error passive state by generating at least one collision for a packet including an attack identifier transmitted to a CAN bus by an attack ECU among a plurality of ECUs associated with at least one processor. (S810) For example, the processor may acquire data associated with a plurality of identifiers assigned to a plurality of ECUs connected to the processor, and identify an attack identifier based on the obtained data. , the processor may generate at least one collision with respect to the packet including the attack identifier to convert the attack ECU into an error passive state.

According to an embodiment, while the error passive state of the attacking ECU is maintained, the processor generates a plurality of collisions for a packet including a highest priority identifier among at least one identifier assigned to any ECU among a plurality of ECUs. may be generated (S820). For example, the processor generates at least one collision with respect to the packet including the attack identifier, and converts the count value of the register included in the attack ECU whenever transmission of the packet including the attack identifier fails due to the collision. can Then, the processor may convert the attack ECU into an error passive state based on a result of comparing the converted count value with the reference count value. In this case, priorities among the plurality of assigned identifiers may be predetermined.

According to one embodiment, the processor is in an error passive state when a packet including an identifier having a lower priority than the highest priority identifier exists among a plurality of error frames transmitted to the CAN bus due to a plurality of collisions. It can be determined that it is an attack ECU converted to . In this case, a packet including an identifier having a low priority may include packets and/or background traffic transmitted to the CAN bus by an ECU other than any ECU among the plurality of ECUs.

According to an embodiment, the processor may detect a packet including an identifier having a low priority existing between each of a plurality of error frames. Then, based on the detected result, the processor may calculate a probability that a packet including an identifier having a lower priority than the highest priority identifier exists, and determine that an arbitrary ECU is an attack ECU based on the calculated probability.

According to one embodiment, the step of converting the attack ECU into an error passive state by generating at least one collision with respect to a packet including an attack identifier transmitted to the CAN bus by an attack ECU among a plurality of ECUs connected to the processor,

According to one embodiment, when the attack ECU that has been switched to the error passive state continuously transmits random first packets and second packets, the attack ECU that has transmitted the first packet stops transmitting packets for a certain period of time and then It may be configured to transmit the second packet. Additionally, a packet including an identifier having a low priority may be determined as a packet to be transmitted to the CAN bus within a certain time period when the attacking ECU stops transmission of packets.

The preceding description of the present disclosure is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications of this disclosure will be readily apparent to those skilled in the art, and the general principles defined herein may be applied in various modifications without departing from the spirit or scope of this disclosure. Thus, the present disclosure is not intended to be limited to the examples set forth herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Although example implementations may refer to utilizing aspects of the presently disclosed subject matter in the context of one or more standalone computer systems, the subject matter is not so limited, but rather in conjunction with any computing environment, such as a network or distributed computing environment. may be implemented. Further, aspects of the presently-disclosed subject matter may be implemented in or across a plurality of processing chips or devices, and storage may be similarly affected across a plurality of devices. Such devices may include PCs, network servers, and handheld devices.

Although the present disclosure has been described in relation to some embodiments in this specification, it should be noted that various modifications and changes can be made without departing from the scope of the present disclosure that can be understood by those skilled in the art. something to do. Moreover, such modifications and variations are intended to fall within the scope of the claims appended hereto.

100: attack ECU detection system
110: CAN bus
120 to 160: a plurality of ECUs
170: monitoring ECU

Claims (11)

An attack ECU detection method using CAN traffic monitoring performed by at least one processor,
converting the attack ECU into an error passive state by generating at least one collision with respect to a packet including an attack identifier transmitted to a CAN bus by an attack ECU among a plurality of ECUs associated with the processor;
Generating a plurality of collisions with respect to packets including a highest priority identifier among at least one identifier assigned to a random ECU among the plurality of ECUs while the attack ECU maintains an error passive state; and
When a packet including an identifier having a lower priority than the highest priority identifier exists between each of a plurality of error frames transmitted to the CAN bus due to the plurality of collisions, the arbitrary ECU is switched to the error passive state. Steps to determine what is an attacking ECU
Including, attack ECU detection method using CAN traffic monitoring.
According to claim 1,
The packet including the identifier with the lower priority includes a packet transmitted to the CAN bus by an ECU other than the arbitrary ECU among the plurality of ECUs, attack ECU detection method using CAN traffic monitoring.
According to claim 1,
The attack ECU detection method using CAN traffic monitoring, wherein the packet including the identifier with the lower priority includes background traffic.
According to claim 1,
Determining that the arbitrary ECU is the attack ECU when a packet including an identifier having a lower priority than the first identifier exists between each of a plurality of error frames transmitted to the CAN bus by the plurality of collisions step is,
detecting a packet including the identifier with the low priority present between each of the plurality of error frames;
calculating a probability that a packet including an identifier having a lower priority than the first priority identifier exists based on the detection result; and
Based on the calculated probability, determining that the random ECU is the attack ECU.
Including, attack ECU detection method using CAN traffic monitoring.
According to claim 1,
Converting the attack ECU to an error passive state by generating at least one collision with respect to a packet including an attack identifier transmitted to the CAN bus by an attack ECU among a plurality of ECUs connected to the processor,
obtaining data associated with a plurality of identifiers assigned to a plurality of ECUs connected to the processor;
identifying the attack identifier based on the obtained data; and
Converting the attack ECU to an error passive state by generating at least one collision with respect to a packet including the attack identifier.
Including, attack ECU detection method using CAN traffic monitoring.
According to claim 5,
The priority among the plurality of assigned identifiers is predetermined, an attack ECU detection method using CAN traffic monitoring.
According to claim 1,
Converting the attack ECU to an error passive state by generating at least one collision with respect to a packet including an attack identifier transmitted to the CAN bus by an attack ECU among a plurality of ECUs connected to the processor,
generating at least one collision with respect to a packet including the attack identifier;
converting a count value of a register included in the attack ECU whenever transmission of a packet including the attack identifier fails due to the collision; and
Converting the attack ECU to an error passive state based on a result of comparing the converted count value with a reference count value
Including, attack ECU detection method using CAN traffic monitoring.
According to claim 1,
When the attack ECU, which has been switched to the error passive state, continuously transmits arbitrary first and second packets, the attack ECU that has transmitted the first packet stops transmission of packets for a certain period of time, and then transmits the second packet. An attack ECU detection method using CAN traffic monitoring configured to transmit packets.
According to claim 8,
The attack ECU detection method using CAN traffic monitoring, wherein the packet including the identifier with the lower priority is determined as a packet to be transmitted to the CAN bus within the predetermined time when the attack ECU stops transmitting packets.
A computer program recorded on a computer-readable recording medium to execute the attack ECU detection method using CAN traffic monitoring according to any one of claims 1 to 9.
As an attack ECU detection device using CAN traffic monitoring,
includes at least one processor;
the at least one processor
Converting the attack ECU to an error passive state by generating at least one collision with respect to a packet including an attack identifier transmitted to a CAN bus by an attack ECU among a plurality of ECUs connected to the processor;
While the error passive state of the attacking ECU is maintained, a plurality of collisions are generated for a packet including a highest priority identifier among at least one identifier assigned to any ECU among the plurality of ECUs,
When a packet including an identifier having a lower priority than the highest priority identifier exists between each of a plurality of error frames transmitted to the CAN bus due to the plurality of collisions, the arbitrary ECU is switched to the error passive state. An attack ECU detection device using CAN traffic monitoring, configured to execute commands to determine that it is an attack ECU.

Images