WO2021107822A1 - Method for protecting vehicle control systems against intrusions - Google Patents

Method for protecting vehicle control systems against intrusions

Info

Publication number
WO2021107822A1
Authority
WO
WIPO (PCT)
Prior art keywords
traffic
data
network
information
vehicle control
Application number
PCT/RU2020/050348
Other languages
English (en)
Russian (ru)
Inventor
Дмитрий Михайлович МИХАЙЛОВ
Артем Дмитриевич ДОЛГИХ
Алексей Сергеевич ПРОНИЧКИН
Сергей Валерьевич БАГРОВ
Владимир Александрович ПЕДАНОВ
Original Assignee
Дмитрий Михайлович МИХАЙЛОВ
Priority date
2019-11-25
Filing date
2020-11-24
Publication date
2021-06-03
Application filed by
Дмитрий Михайлович МИХАЙЛОВ

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Definitions

  • The present invention relates to the field of information technology, in particular information security, and can be used to analyze and identify anomalies in the behavior of traffic within the data-transmission networks of vehicle control systems.
  • A vehicle should be understood as any type of vehicle (shipping, surface, underground, underwater, etc.) in which there is a control system.
  • The developed method can be used either in conjunction with IPS/IDS systems (i.e., as an integral part of them) or separately. It is based on Extreme Learning Machine (ELM) models.
  • The disadvantages of the known method are that, on the one hand, it characterizes in great detail the structure of the system intended to ensure information security (cybersecurity) and, on the other hand, it describes one specific use case, namely ICS for power generation and distribution. It includes calculations of probabilistic characteristics to determine the weight of the system's internal components when solving cybersecurity problems.
  • This system includes a device installed between the data bus and the electronic control unit (ECU). The device includes the following functional blocks: a message receiving unit (monitoring messages between the bus and the ECU), a message analysis unit (determining the fact of unauthorized commands on the basis of established rules), and a message transmission unit (sending legitimate commands to the ECU).
  • This system is a device designed to implement some of the functions of a hardware firewall. This technical solution has the following disadvantages:
  • one device of the system ensures the cybersecurity of only one ECU;
  • it does not allow detecting the substitution of standard electronic devices on the information bus, including the installation of new ones;
  • US patent 9881165 does not provide for the use of machine learning technologies to detect unauthorized interference;
  • the claimed method is based only on filtering, which is not an intelligent method for detecting unauthorized interference in the operation of the system.
  • A system for detecting unauthorized connected devices in a vehicle contains at least one electronic device of the vehicle connected via an electric bus to a module for detecting unauthorized devices, which consists of a measurement unit, an analog-to-digital converter, a digital signal processing unit, a buffer unit, a comparator unit, a control unit and a communication interface driver unit. The measurement unit and the analog-to-digital converter are configured to obtain the parameters of the electrical signal on the bus in a first and a second time interval; the digital signal processing unit processes the signal and constructs its spectrum; the buffer unit stores the received signal data; the control unit executes all transfer and arbitration algorithms through commands; the communication interface driver unit interprets the received data in the corresponding standard or data protocol and delivers them to the communication channel; and the comparator unit compares the signal spectra obtained in the first and second time intervals by analyzing the spectral components of
  • The described method aims to identify unauthorized connections to the vehicle's information bus (electric bus) by physical methods of measuring bus parameters, without analyzing the data actually transmitted on it.
  • The main element for an attack is the data.
  • The method described in RU 2704720 analyzes the physical transmission medium of such data rather than the data itself; the conclusion about an unauthorized connection/intrusion is therefore made on the basis of secondary signs.
  • The technical problem solved by the developed technical solution is the development of a method for detecting unauthorized intrusion into the data-transmission information bus of a vehicle; the developed method allows the most reliable determination of the presence of an intrusion.
  • The technical result achieved by the developed method consists in eliminating unauthorized access to the information bus of vehicle control systems, which in turn prevents possible losses (material, reputational), loss of life, etc., and makes it possible to build IPS/IDS-level systems (intrusion detection and prevention systems) and their components on the basis of the developed method.
  • When implementing the developed method of protecting the information buses of vehicle control systems from intrusions, all nodes/devices in the control network are identified; the traffic of the data-transmission networks inside the vehicle control system is collected and analyzed using a machine learning method; the normal state of the system traffic is determined; and a change of the traffic state from normal to abnormal is detected. The system used is configured so that, after detecting a change in traffic, it can either only inform the user about the traffic state or also block the abnormal traffic.
  • Network traffic analysis is carried out according to static characteristics and dynamic characteristics.
  • Traffic in the network is collected in passive mode, after which it is forwarded to a data preprocessing module, in which features are extracted and assembled into a general structure, a structured dataset, for processing by the neural network.
  • The collection and analysis of traffic is carried out using a system of modules built on industrial computers.
  • The developed method has a more detailed description of the technology itself, which makes it possible to record unauthorized connections/intrusions into various vehicle control networks.
  • In contrast to the known methods, the developed method uses machine learning technologies to identify these threats.
  • The developed method is more versatile in terms of application, since it can be used as an independent system or as separate components of an integrated system, in contrast to the method described in RU 2583703, which presents a description of the general architecture of the system required for its application.
  • The developed method of protecting vehicle control systems from intrusions allows collecting and analyzing the traffic of the data-transmission networks within the system in real time in order to determine its current state. After detecting a change of state from normal to abnormal, the system can only inform the user; the functionality of blocking abnormal traffic (for example, blocking abnormal data packets) can also be implemented.
  • One of the main tasks solved by the developed method is to ensure the security of data exchange between nodes in the information networks of vehicle control systems.
  • The rules by which data (packets) are exchanged within information networks depend on the protocols and standards used.
  • The most vulnerable parts of such systems can be identified as shown in Fig. 1, where sensors, data acquisition modules and actuators are represented as nodes 101.
  • The number of such units in a vehicle is not limited. Data from these nodes enter the data collection and processing devices (nodes 102); for cars, for example, ECUs can act as such nodes.
  • The processed data are transmitted from nodes 102 to information collection centers (nodes 103).
  • The main vulnerable elements in these control systems are the data transmission buses (nodes 201).
  • These nodes can represent various interfaces or standards (CAN, Ethernet, NMEA, Seatalk, RS485, etc.). The interface type is irrelevant to the implementation of the developed method.
  • The OS-ELM machine learning method is used, which can be applied effectively to detect abnormal behavior that could be caused by an external attack or a malfunction.
  • The purpose of the learning process is to obtain a representation of the normal state of the system.
  • The traffic that occurs during normal operation of the vehicle control system is recorded.
  • Network traffic is analyzed for static and dynamic characteristics to identify abnormal behavior, so that a malicious effect on the network is detected as a deviation from normal behavior. For example, in the standard case an exploit involves several attack options: attackers send packets containing overloaded data, which is a clear deviation from the normal behavior of the devices and can lead to a denial of service (DDoS) on the receiving device. Such attacks were evaluated experimentally on a test bench and proved to be effective.
  • Network detection of such anomalies is possible because the initial normal state of the network is known.
  • The test results show that, when anomalies are detected, the false positive rate and the false negative rate are 0.19% and 0.42%, respectively.
  • The result shows that the developed behavioral solution can effectively identify a change in the normal state in the given experiment.
  • The state detection process is shown in FIG. 2.
  • The figure graphically displays the difference between the predicted data for the ideal signal (solid line) and for tampering/attack (dashed line). These differences are due to the unpredictable deviations from the ideal signal introduced in the presence of an attack.
  • The traffic processing algorithm is shown in FIG. 3.
  • All traffic in the network is recorded in passive mode, after which the recorded information goes to the module for preprocessing data from the network. The preprocessing module extracts features for further processing, and these form a general structure, a structured dataset, to be processed by a neural network.
  • The next module, intrusion detection, receives as input the structure prepared at the preliminary stage.
  • The basis of this module is an improved trained neural network model which, on the basis of the data obtained, determines the state of the network at a given time. If the state of the network deviates from normal, the intrusion handling module is used for subsequent processing of the incident.
  • The data collection module performs the task of sniffing and filtering data across the entire network segment.
  • An Ethernet packet consists of a MAC header, data and a CRC checksum.
  • The MAC header in turn consists of three components: the MAC address of the data source, the MAC address of the data receiver, and the EtherType, which identifies the type of protocol carried in the payload.
  • The CRC checksum is used to check the integrity of the data on reception.
  • FIG. 4 shows the Ethernet frame format.
  • Libpcap provides a wide range of analysis of incoming traffic, in particular determination of data integrity, data type and the source and destination MAC addresses, as well as reception of the data itself.
  • Packets are filtered by data type, source and destination MAC addresses, and data format.
  • The data collection module is implemented using libpcap.
  • Libpcap is a powerful library for capturing network packets and can monitor and collect data packets across an entire network segment. After receiving the headers of the network packets, this step determines the correctness of the packet as well as its type. Depending on the packet type, the data of protocols that differ in semantic analysis are sent to the data processing module.
  • The data processing module performs the task of preparing input data for the OS-ELM.
  • Data are extracted from the packets, and the sequence of Ethernet packets is vectorized into a multidimensional time series of size (n, m), where n is the number of features and m is the number of points within the considered time interval (the window size).
  • Data normalization is applied so that, at the OS-ELM training and inference stages, each separate time series makes the same contribution to the processing by the OS-ELM model.
  • The resulting normalized multidimensional time series is used as the feature map of the intrusion detection module.
  • FIG. 5 shows the dependence of network traffic on time.
  • FIG. 6 shows a block diagram of the operation of the data processing module.
  • The data processing module is implemented primarily to convert raw packets into data that can be recognized by the intrusion detection module. This module implements fast data extraction from the packet. After the normalization algorithms have been applied and the dimensional features have been found, the data can be used as input to the intrusion detection module.
  • One of the prerequisites for the intrusion detection engine is a high processing speed, so that attacks can be detected in real time.
  • One of the main problems solved by this module, in addition to intrusion detection itself, is scalability, including in the absence of malicious traffic (for the training process).
  • An improved OS-ELM is used to solve these problems.
  • The advantage of this system is its high learning rate for one-class classification. Unlike existing neural networks, an ELM randomly generates the weights between the input layer and the hidden layer, and trains the output weights by solving a least squares optimization problem instead of backpropagating the error. Because of these advantages, an ELM can usually achieve a high learning rate and good generalizability.
  • A training set X ⊂ R^d is given, containing n data points with d dimensions, and L hidden nodes.
  • OS-ELM directly maps all hidden layer outputs to one target output value.
  • The output of the OS-ELM for the given training set is y = [y1, ..., yn].
  • The error di of mapping the training point xi to the target value yi is:
  • A threshold dT can be selected so as to exclude a small fraction p of the farthest training points (those with di > dT).
  • The intrusion handling module is designed to:
  • block the transmitted data according to preset conditions.
  • FIG. 7 shows a diagram of the operation of the intrusion handling module.
  • The diagram describes the basic principle of the algorithm: a set of parameters is fed to the input (Input Node), on the basis of which incidents are detected and classified.
  • The Output Node value indicates the presence or absence of an intrusion.
  • The end-user interaction module provides an interface for displaying current information as well as for managing the system. Among the control functions, it is worth highlighting the ability to enter tuning parameters, configure the operation of the system, etc.
  • The tasks of the system come down to studying all possible situations of the system's behavior, identifying hidden dependencies in the mutual influence of network parameters, and predicting the behavior of the system in normal mode.
  • The first stage is training the system: for this, data collection is performed by the data collection module by sniffing and filtering data across the entire network segment.
  • The received data should cover, as far as possible, all possible situations of network behavior in normal mode.
  • These data are processed by the data processing module, and a feature map is extracted which describes the state of the system in a specialized way and allows predicting how the system would behave during normal operation.
  • The system is integrated into the object and, on the basis of regularly received data on the current state of the system (from the data collection module), predicts the parameters of the system's behavior during normal operation.
  • The intrusion detection module analyzes the real data received from the data collection module and compares them with the expected traffic parameters for normal operation. If there is a discrepancy between the expected and actual network traffic parameters, alerts are generated for the user.
  • The received warning can be interpreted in different ways by the user, depending on the type of system to which it is sent.
  • IDS (Intrusion Detection System): generated alerts are sent to the user in the SIEM/SOC module. Messages of this kind are filtered, and the user takes appropriate action.
  • The measures should be of an organizational nature: stopping the vehicle, disconnecting individual modules from the vehicle's general information management, physically examining individual modules for defects or operability, etc.
  • The warnings transmitted to higher hierarchical levels can be markers for making a decision on blocking separate data packets.
  • IPS (Intrusion Prevention System): each individual scenario is configured depending on the purpose of the system, the equipment used, its structure, etc. In this case the system can automatically respond to unauthorized intrusions into vehicle management information systems and eliminate them.
  • The described methods ensure the information security of information control systems in vehicles.
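The data collection and data processing modules described above (Ethernet header and CRC check, filtering, vectorization into an (n, m) time series, normalization), as an added example that is not the patent's code: frames are constructed inline rather than captured with libpcap, and the EtherType, MAC addresses and the four features are assumptions made here.

```python
"""Added example (not the patent's code): the data collection and data
processing modules described above, in self-contained form.
Frames are constructed inline instead of captured with libpcap, the frame
check uses CRC-32 stored little-endian like the Ethernet FCS, and the four
features below are an illustrative choice (assumption, not the patent's)."""
import struct
import zlib

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
TELEMETRY = 0x88B5                       # local-experimental EtherType (assumed)
FEATURES = ("packets", "bytes", "unique_src", "max_payload")  # n = 4 rows
GW, ECU_A, ECU_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, ethertype, payload):
    """Header + payload followed by a CRC-32 frame check sequence."""
    body = ETH_HDR.pack(mac(dst), mac(src), ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(raw):
    """Return header fields, or None when the frame is too short or the
    CRC mismatches (the integrity check the collection module relies on)."""
    if len(raw) < ETH_HDR.size + 4:
        return None
    body, fcs = raw[:-4], struct.unpack("<I", raw[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        return None
    dst, src, etype = ETH_HDR.unpack_from(body)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype,
            "payload": body[ETH_HDR.size:], "length": len(raw)}


def vectorize(capture, window, m, ethertypes=(TELEMETRY,)):
    """Filter by EtherType and vectorize the packet sequence into an
    (n, m) matrix: n feature series over m consecutive windows of
    `window` seconds, starting at the first packet's timestamp."""
    t0 = capture[0][0]
    bins = [[] for _ in range(m)]
    for ts, raw in capture:
        frame = parse_frame(raw)
        if frame is None or frame["ethertype"] not in ethertypes:
            continue                      # dropped by integrity/type filter
        k = int((ts - t0) // window)
        if 0 <= k < m:
            bins[k].append(frame)
    per_window = [[len(b), sum(f["length"] for f in b),
                   len({f["src"] for f in b}),
                   max((len(f["payload"]) for f in b), default=0)]
                  for b in bins]
    return [[w[i] for w in per_window] for i in range(len(FEATURES))]


def normalize(matrix):
    """Min-max scale each feature series to [0, 1] so that every series
    contributes equally to the model; a constant series maps to 0."""
    out = []
    for row in matrix:
        lo, hi = min(row), max(row)
        out.append([(v - lo) / (hi - lo) if hi > lo else 0.0 for v in row])
    return out


def sample_capture():
    """Constructed capture: two seconds of ECU->gateway telemetry plus one
    frame whose payload was corrupted after the CRC was computed."""
    cap = [(0.10, build_frame(GW, ECU_A, TELEMETRY, b"speed=41")),
           (0.40, build_frame(GW, ECU_B, TELEMETRY, b"rpm=2100")),
           (0.90, build_frame(GW, ECU_A, TELEMETRY, b"speed=42")),
           (1.20, build_frame(GW, ECU_A, TELEMETRY, b"speed=43")),
           (1.70, build_frame(GW, ECU_B, TELEMETRY, b"rpm=2150;temp=80"))]
    bad = bytearray(build_frame(GW, ECU_B, TELEMETRY, b"rpm=9999"))
    bad[ETH_HDR.size] ^= 0x01             # flip one payload bit
    cap.append((1.90, bytes(bad)))
    return cap


if __name__ == "__main__":
    raw_matrix = vectorize(sample_capture(), window=1.0, m=2)
    for name, row in zip(FEATURES, normalize(raw_matrix)):
        print(f"{name:12s} {row}")
```

The corrupted frame is discarded by the CRC check before it can influence the feature windows, which is the integrity step the page attributes to the libpcap-based collection stage.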

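The one-class ELM detector and the dT threshold described above, as an added example that is not the patent's implementation: `OneClassELM`, `solve` and `sample_training_data` are names chosen here; training is done in one batch rather than with OS-ELM's sequential update, and the hidden nodes are random RBF units (both are assumptions of this example).

```python
"""Added example (not the patent's implementation): a one-class ELM
detector in the spirit of the OS-ELM stage described above. Training is
batch rather than OS-ELM's sequential update, and the hidden nodes are
random RBF units (both assumptions of this example).
Output weights come from a regularized least-squares fit to the constant
target y_i = 1, d_i = |1 - yhat(x_i)| is the mapping error of x_i, and d_T
is chosen so that a fraction p of the farthest training points lie above it."""
import math
import random


def solve(A, b):
    """Gaussian elimination with partial pivoting for the L x L system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for k in range(c, n + 1):
                M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x


class OneClassELM:
    def __init__(self, dim, hidden=20, gamma=2.0, ridge=1e-3, p=0.02, seed=7):
        rng = random.Random(seed)
        # Random hidden layer: RBF centres in the normalized feature cube [0,1]^dim
        self.centres = [[rng.random() for _ in range(dim)] for _ in range(hidden)]
        self.gamma, self.ridge, self.p = gamma, ridge, p
        self.beta, self.d_T = None, None

    def hidden(self, x):
        return [math.exp(-self.gamma * sum((a - c) ** 2 for a, c in zip(x, ctr)))
                for ctr in self.centres]

    def fit(self, X):
        """Least-squares output weights, then d_T from the sorted training
        errors; returns d_T."""
        H = [self.hidden(x) for x in X]
        L = len(self.centres)
        HtH = [[sum(h[a] * h[b] for h in H) + (self.ridge if a == b else 0.0)
                for b in range(L)] for a in range(L)]
        Hty = [sum(h[a] for h in H) for a in range(L)]   # target y_i = 1
        self.beta = solve(HtH, Hty)
        d = sorted(self.score(x) for x in X)
        # last point kept; everything above it is the excluded fraction p
        self.d_T = d[max(0, math.ceil((1.0 - self.p) * len(d)) - 1)]
        return self.d_T

    def score(self, x):
        """d = |1 - yhat(x)|: distance of the mapping from the one-class target."""
        return abs(1.0 - sum(b * h for b, h in zip(self.beta, self.hidden(x))))

    def is_anomaly(self, x):
        return self.score(x) > self.d_T


def sample_training_data(n=100, seed=1):
    """Constructed 'normal' feature windows: two normalized series that
    stay near (0.5, 0.5) during normal operation."""
    rng = random.Random(seed)
    return [[0.5 + rng.gauss(0, 0.08), 0.5 + rng.gauss(0, 0.08)] for _ in range(n)]


if __name__ == "__main__":
    model = OneClassELM(dim=2)
    print("d_T =", model.fit(sample_training_data()))
    for x in ([0.5, 0.5], [0.52, 0.47], [4.0, 4.0]):   # last: flood-like outlier
        print(x, "score=%.4f" % model.score(x),
              "anomaly" if model.is_anomaly(x) else "normal")
```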

Abstract

The present invention relates to the field of information technology, in particular computer security, and can be used to analyze and reveal anomalies in traffic behavior within the data-transmission computer networks of vehicle control systems. When implemented, the method consists in identifying all nodes/devices in the control computer systems, collecting and analyzing the traffic of the data-transmission computer networks within the vehicle control system, then, using a machine learning method, determining the normal state of the system traffic and revealing abnormal changes of the traffic state relative to normal traffic; the system used can only inform the user about the traffic state or can block abnormal traffic, and the system used can also be implemented as an independent system or as a subsystem.
PCT/RU2020/050348 2019-11-25 2020-11-24 Method for protecting vehicle control systems against intrusions WO2021107822A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
RU2019137876 2019-11-25
RU2019137876A RU2737229C1 (ru) 2019-11-25 2019-11-25 Method for protecting vehicle control systems from intrusions

Publications (1)

Publication Number Publication Date
WO2021107822A1 (fr) 2021-06-03

Family

ID=73543567

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/RU2020/050348 WO2021107822A1 (fr) 2019-11-25 2020-11-24 Method for protecting vehicle control systems against intrusions

Country Status (2)

Country Link
RU (1) RU2737229C1 (fr)
WO (1) WO2021107822A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030133443A1 (en) * 2001-11-02 2003-07-17 Netvmg, Inc. Passive route control of data networks
CN102092477B (zh) * 2010-11-30 2013-02-20 中国民航大学 Automatic test and fault diagnosis device and method for an aircraft integrated audio system
US20150195297A1 (en) * 2014-01-06 2015-07-09 Argus Cyber Security Ltd. Global automotive safety system
US20160261482A1 (en) * 2015-03-04 2016-09-08 Fisher-Rosemount Systems, Inc. Anomaly detection in industrial communications networks
US20180109975A1 (en) * 2016-10-18 2018-04-19 Nokia Solutions And Networks Oy Detection and Mitigation of Signalling Anomalies in Wireless Network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7904569B1 (en) * 1999-10-06 2011-03-08 Gelvin David C Method for remote access of vehicle components
US9173100B2 (en) * 2011-11-16 2015-10-27 Autoconnect Holdings Llc On board vehicle network security
RU2706887C2 (ru) * 2018-03-30 2019-11-21 Акционерное общество "Лаборатория Касперского" System and method for blocking a computer attack on a vehicle

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Jing Yuan, Ruixi Yuan, Xi Chen: "Network anomaly detection based on multi-scale dynamic characteristics of traffic", International Journal of Computers Communications & Control, vol. 9, no. 21, 2014, pp. 101-112, XP055831479, ISSN 1841-9844. Retrieved from the Internet: http://univagora.ro/jour/index.php/ijccc/article/view/870/212 [retrieved on 2021-02-28] *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220263709A1 (en) * 2020-05-26 2022-08-18 Panasonic Intellectual Property Corporation Of America Anomaly detecting device, anomaly detecting system, and anomaly detecting method
US11792219B2 (en) * 2020-05-26 2023-10-17 Panasonic Intellectual Property Corporation Of America Anomaly detecting device, anomaly detecting system, and anomaly detecting method

Also Published As

Publication number Publication date
RU2737229C1 (ru) 2020-11-26


Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 20892045; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 20892045; Country of ref document: EP; Kind code of ref document: A1)