
CN116318758A - Network intrusion prevention method and device for vehicle, vehicle and storage medium - Google Patents


Info

Publication number: CN116318758A
Authority: CN (China)
Prior art keywords: vehicle, message, defended, preset, rule
Legal status: Pending (as listed by Google; the status is an assumption, not a legal conclusion)
Application number: CN202211097990.6A
Other languages: Chinese (zh)
Inventors: 谭成宇, 彭海德, 汪向阳
Current assignee: Chongqing Changan Automobile Co Ltd (as listed by Google; the list may be inaccurate)
Original assignee: Chongqing Changan Automobile Co Ltd
Application filed by Chongqing Changan Automobile Co Ltd; priority to CN202211097990.6A; publication as CN116318758A; legal status pending.

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 12/00 Data switching networks
                    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                        • H04L 12/40 Bus networks
                            • H04L 2012/40208 Bus networks characterized by the use of a particular bus standard
                                • H04L 2012/40215 Controller Area Network CAN
                • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L 41/06 Management of faults, events, alarms or notifications
                        • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
                        • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/01 Protocols
                        • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The application relates to the technical field of automobile network security detection and defense, and in particular to a network intrusion defense method and device for a vehicle, the vehicle and a storage medium. The method comprises the following steps: acquiring the vehicle model of a vehicle to be defended; matching a preset DBC sample library, a preset scene report library and a preset rule library according to the vehicle model; training a first detection model on the communication protocol predefined in the preset DBC sample library and the bus communication rules pre-established in the preset rule library; training a second detection model on the log data in the preset scene report library, which records communication messages of different vehicle models in different driving states; and detecting a first network abnormality of the vehicle to be defended with the first detection model and a second network abnormality with the second detection model. This solves the problems of the related art, in which general-purpose whole-vehicle intrusion detection and defense cannot be realized and user experience is poor.

Description

Network intrusion prevention method and device for vehicle, vehicle and storage medium
Technical Field
The present invention relates to the field of automotive network security detection and defense technologies, and in particular to a network intrusion prevention method and device for a vehicle, and a storage medium.
Background
In recent years, with the rapid development of intelligent and connected vehicles, network security risks have been increasing. The network security of the Internet of Vehicles needs to be guaranteed by multiple layers of defense technology; on that basis, illegal attack behaviour needs to be detected and network security threats perceived in real time.
However, the related art studies a certain type of attack rule for a certain vehicle and detects abnormal network messages only from the flow of network message transmission, so general-purpose whole-vehicle intrusion detection and defense cannot be realized and the user's experience is greatly reduced.
Disclosure of Invention
The application provides a network intrusion prevention method and device for a vehicle, a vehicle and a storage medium, aiming to solve the problems of the related art that general-purpose whole-vehicle intrusion detection and prevention cannot be realized and that user experience is poor.
An embodiment of a first aspect of the present application provides a network intrusion prevention method for a vehicle, including the following steps: acquiring the vehicle model of a vehicle to be defended; matching a preset DBC sample library, a preset scene report library and a preset rule library according to the vehicle model, wherein the preset DBC sample library comprises the predefined communication protocol of the vehicle to be defended, the preset scene report library comprises log data of communication messages of vehicles of different models in different running states, and the preset rule library comprises bus communication rules preset on the basis of the preset DBC sample library; training a first detection model on the communication protocol predefined in the preset DBC sample library and the bus communication rules preset in the preset rule library, and training a second detection model on the log data of communication messages of different vehicle models in different driving states in the preset scene report library; and detecting a first network abnormality of the vehicle to be defended with the first detection model and a second network abnormality of the vehicle to be defended with the second detection model.
By these technical means, the DBC sample library, the scene report library and the rule library are defined, and their definitions are combined to train a detection model that can distinguish between intrusion risks and communication faults that merely do not conform to the rules. Whether a communication network fault exists is then detected rapidly and accurately on the basis of the detection model, rapid defense against network intrusion is achieved, and training can be targeted at different vehicle models so that the network intrusion defense requirements of all vehicle models are met. General-purpose whole-vehicle intrusion detection and defense can therefore be realized, and user experience is improved.
Optionally, the first detection model has a bus rule, a message rule and a signal rule, and the second detection model has a custom rule for a preset scene. Detecting the first network anomaly of the vehicle to be defended with the first detection model and the second network anomaly with the second detection model includes: collecting a communication message of the vehicle to be defended and extracting its message timestamp, message ID and message data domain information; inputting the message ID and the message data domain information into the first detection model, and judging that a first network abnormality has occurred in the whole-vehicle network when the message ID or the message data domain information is detected not to satisfy the bus rule, the message rule or the signal rule; and inputting the message timestamp into the second detection model, and judging that a second network abnormality has occurred in the whole-vehicle network when the message timestamp is detected not to satisfy the custom rule.
By these technical means, the violated rule can be identified specifically from the message timestamp, message ID and message data domain information of the communication message, so that the specific communication network fault is determined accurately, communication faults carrying an intrusion risk are effectively distinguished from those that merely do not conform to the rules, rapid defense against network intrusion is realized, and user experience is improved.
Optionally, after detecting the first network anomaly of the vehicle to be defended with the first detection model and the second network anomaly with the second detection model, the method further includes: when the first network abnormality occurs in the vehicle to be defended, controlling the vehicle to execute a first abnormality alarm action and, at the same time, a communication blocking action; and when the second network abnormality occurs in the vehicle to be defended, controlling the vehicle to execute a second abnormality alarm action.
By these technical means, the embodiment responds according to whether a first-level rule or a second-level rule has been violated: if a first-level rule is violated, a continuous alarm is raised and communication is blocked; if a second-level rule is violated, only an abnormality alarm is raised, and the relevant personnel then decide whether to block communication according to the alarm information and the running state of the vehicle. Different defense strategies can thus be executed for different degrees of intrusion, and the availability of the whole-vehicle network is preserved to the greatest extent while its security is guaranteed, improving user experience.
Optionally, the communication protocol includes the message IDs, message signal types and message communication matrix of the bus communication; the log data comprises vehicle state data and vehicle control information under all driving conditions; and the bus communication rules comprise the message period and message length of periodic messages.
An embodiment of a second aspect of the present application provides a network intrusion prevention device for a vehicle, including: an acquisition module configured to acquire the vehicle model of the vehicle to be defended;
a matching module configured to match a preset DBC sample library, a preset scene report library and a preset rule library according to the vehicle model, wherein the preset DBC sample library comprises the predefined communication protocol of the vehicle to be defended, the preset scene report library comprises log data of communication messages of vehicles of different models in different running states, and the preset rule library comprises bus communication rules preset on the basis of the preset DBC sample library; a training module configured to train a first detection model on the communication protocol predefined in the preset DBC sample library and the bus communication rules preset in the preset rule library, and to train a second detection model on the log data of communication messages of different vehicle models in different driving states in the preset scene report library; and a detection module configured to detect a first network abnormality of the vehicle to be defended with the first detection model and a second network abnormality of the vehicle to be defended with the second detection model.
Optionally, the first detection model has a bus rule, a message rule and a signal rule, the second detection model has a custom rule for a preset scene, and the detection module is configured to: collect a communication message of the vehicle to be defended and extract its message timestamp, message ID and message data domain information; input the message ID and the message data domain information into the first detection model, and judge that the vehicle to be defended has a first network abnormality when the message ID or the message data domain information is detected not to satisfy the bus rule, the message rule or the signal rule; and input the message timestamp into the second detection model, and judge that the vehicle to be defended has a second network abnormality when the message timestamp is detected not to satisfy the custom rule.
Optionally, the device further comprises: a defending module configured to, after the first network abnormality of the vehicle to be defended has been detected with the first detection model and the second network abnormality with the second detection model, control the vehicle to execute a first abnormality alarm action and a communication blocking action when the first network abnormality occurs in the vehicle to be defended, and to control the vehicle to execute a second abnormality alarm action when the second network abnormality occurs in the vehicle to be defended.
Optionally, the communication protocol includes the message IDs, message signal types and message communication matrix of the bus communication; the log data comprises vehicle state data and vehicle control information under all driving conditions; and the bus communication rules comprise the message period and message length of periodic messages.
An embodiment of a third aspect of the present application provides a vehicle, including a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor executes the program to implement the network intrusion prevention method for a vehicle according to the above embodiment.
An embodiment of a fourth aspect of the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network intrusion prevention method for a vehicle as described in the above embodiment.
Therefore, the application has at least the following beneficial effects:
(1) The embodiment defines a DBC sample library, a scene report library and a rule library, and combines these definitions to train a detection model capable of distinguishing between intrusion risks and communication faults that do not conform to the rules; on the basis of the detection model it rapidly and accurately detects whether a communication network fault exists and realizes rapid defense against network intrusion. Training can be targeted at different vehicle models to meet the network intrusion defense requirements of all vehicle models, so that general-purpose whole-vehicle intrusion detection and defense can be realized and user experience improved;
(2) The embodiment can specifically identify the violated rule from the message timestamp, message ID and message data domain information of the communication message, so that the specific communication network fault is determined accurately, communication faults carrying an intrusion risk are effectively distinguished from those that do not conform to the rules, rapid defense against network intrusion is realized, and user experience is improved;
(3) The embodiment responds according to whether a first-level or a second-level rule is violated: if a first-level rule is violated, a continuous alarm is raised and communication is blocked; if a second-level rule is violated, only an abnormality alarm is raised, and the relevant personnel then decide whether to block communication according to the alarm information and the running state of the vehicle. Different defense strategies can thus be executed for different degrees of intrusion, and the availability of the whole-vehicle network is preserved to the greatest extent while its security is guaranteed, improving user experience.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a flowchart of a network intrusion prevention method for a vehicle according to an embodiment of the present application;
FIG. 2 is a block diagram of a network intrusion prevention system for a vehicle according to an embodiment of the present application;
FIG. 3 is an example diagram of a network intrusion prevention device for a vehicle according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a vehicle according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein the same or similar reference numerals refer to the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the drawings are exemplary and intended for the purpose of explaining the present application and are not to be construed as limiting the present application.
The network intrusion prevention method and device for a vehicle, the vehicle and the storage medium of the embodiments of the application are described below with reference to the accompanying drawings. To address the problem mentioned in the background, namely that the related art cannot realize general-purpose whole-vehicle intrusion detection and defense and that user experience is poor, the application provides a network intrusion defense method for a vehicle.
Specifically, FIG. 1 is a flowchart of a network intrusion prevention method for a vehicle according to an embodiment of the present application.
As shown in FIG. 1, the network intrusion prevention method for a vehicle includes the following steps:
In step S101, the vehicle model of a vehicle to be defended is acquired.
In step S102, a preset DBC sample library, a preset scene report library and a preset rule library are matched according to the vehicle model, wherein the preset DBC sample library comprises the predefined communication protocol of the vehicle to be defended, the preset scene report library comprises log data of communication messages of vehicles of different models in different driving states, and the preset rule library comprises bus communication rules preset on the basis of the preset DBC sample library.
The communication protocol comprises the message IDs, message signal types and message communication matrix of the bus communication; the log data includes vehicle state data and vehicle control information under all driving conditions; and the bus communication rules include the message period and message length of periodic messages.
It will be appreciated that (1) the DBC library contains all DBC sample libraries of the vehicle models under study; these define the communication protocol of each vehicle model, and the protocol defines the bus communication conditions such as message IDs, message signal types and the message communication matrix. (2) The scene report library contains log data of communication messages of vehicles of different models under different running conditions; the log data records the vehicle state data and vehicle control information of the vehicles in certain scenes, or even under all running conditions. (3) The rule library holds basic rules, formulated in advance from the DBC library, that the vehicle's CAN communication must comply with, such as the message period of a periodic message and the CAN message length.
In step S103, a first detection model is trained on the communication protocol predefined in the preset DBC sample library and the bus communication rules preset in the preset rule library, a second detection model is trained on the log data of communication messages of different vehicle models in different driving states in the preset scene report library, a first network abnormality of the vehicle to be defended is detected with the first detection model, and a second network abnormality of the vehicle to be defended is detected with the second detection model.
The first detection model is provided with bus rules, message rules and signal rules, and the second detection model is provided with custom rules according to a preset scene.
It can be understood that the embodiment defines the DBC sample library, the scene report library and the rule library, and combines these definitions to train a detection model capable of distinguishing between intrusion risks and communication faults that do not conform to the rules; on the basis of the detection model it rapidly and accurately detects whether a communication network fault exists and realizes rapid defense against network intrusion. Training can be targeted at different vehicle models to meet the network intrusion defense requirements of all vehicle models, so that general-purpose whole-vehicle intrusion detection and defense can be realized and user experience improved.
It should be noted that all detection models trained in the embodiment are stored in a detection model library, which holds different types of detection models for different vehicle models; in subsequent use, the detection models are screened for a specific vehicle model and configuration. The detection models screened for a certain vehicle model can be imported into a specific vehicle, and the import can be performed over the air (OTA) or in other ways, without particular limitation.
Specifically, when a detection model is trained for a certain rule, the rule is first analysed and a model type selected, then parameter tuning and training are performed, until all the detection models expected for the studied rule are obtained. The training models include: sample entropy, relative entropy, decision tree, support vector machine, neural network, etc.
The detection model learning unit trains the CAN network anomaly detection model; before training, it first requires the DBC library, scene report library and rule library inputs selected according to the vehicle model. After training, each model can generate multiple types of detection rules: bus rules, message rules, signal rules and custom rules for specific scenes. Among these, the detection model trained from the rule library and the DBC library is defined as a first-level rule, and the detection model trained from the scene report library is defined as a second-level rule.
In an embodiment of the present application, detecting the first network anomaly of the vehicle to be defended with the first detection model and the second network anomaly with the second detection model includes: collecting a communication message of the vehicle to be defended and extracting its message timestamp, message ID and message data domain information; inputting the message ID and the message data domain information into the first detection model, and judging that a first network abnormality has occurred in the vehicle to be defended when the message ID or the message data domain information is detected not to satisfy the bus rule, the message rule or the signal rule; and inputting the message timestamp into the second detection model, and judging that the vehicle to be defended has a second network abnormality when the message timestamp does not satisfy the custom rule.
When the message ID or the message data domain information is detected not to satisfy the bus rule, the message rule or the signal rule, a first-level rule violation can be determined; when the message timestamp is detected not to satisfy the custom rule, a second-level rule violation can be determined.
It can be appreciated that the embodiment can specifically identify the violated rule from the message timestamp, message ID and message data domain information of the communication message, so that the specific communication network fault is determined accurately, communication faults carrying an intrusion risk are effectively distinguished from those that do not conform to the rules, rapid defense against network intrusion is realized, and user experience is improved.
Specifically, the real-time CAN message collection module collects and processes the CAN messages of the real vehicle and extracts the message timestamp, message ID, message data domain information and so on. The related message information can be stored periodically in an internal storage module; the number of messages collected and stored at a time is determined according to the capacity of the storage module and the communication speed.
The detection judgement module judges the CAN network communication condition from the detection model and the data to be detected stored by the real-time CAN message collection module; if, after detection by the model, the CAN network messages and their traffic are judged abnormal, the subsequent alarm and other processing is performed.
In this embodiment of the present application, after detecting the first network anomaly of the vehicle to be defended with the first detection model and the second network anomaly with the second detection model, the method further includes: when the first network abnormality occurs in the vehicle to be defended, controlling the vehicle to execute a first abnormality alarm action and, at the same time, a communication blocking action; and when the second network abnormality occurs in the vehicle to be defended, controlling the vehicle to execute a second abnormality alarm action.
It can be understood that the embodiment responds according to whether a first-level or a second-level rule is violated: if a first-level rule is violated, a continuous alarm is raised and communication is blocked; if a second-level rule is violated, only an abnormality alarm is raised, and the relevant personnel then decide whether to block communication according to the alarm information and the running state of the vehicle. Different defense strategies can thus be executed for different degrees of intrusion, and the availability of the whole-vehicle network is preserved to the greatest extent while its security is guaranteed, improving user experience.
When the method is specifically applied, the method of the embodiment of the application can be applied to the whole vehicle intrusion detection defense system shown in fig. 2, and comprises the following steps: the system comprises a DBC library, a scene report library, a rule library, a detection model learning unit, a detection model library, a storage module for a detection model of a certain vehicle, a real-time message acquisition module, a detection judgment module, an alarm and other processing modules, wherein the explanation of each module and unit is specifically as follows:
(1) The DBC library contains the DBC sample libraries of all investigated vehicle types. The library defines the communication protocol of each investigated vehicle type, and the protocol defines bus communication conditions such as message IDs, message signal types and the message communication matrix.
(2) The scene report library contains log data of the communication messages of different vehicle types under different driving conditions; the log data records the vehicle state data and vehicle control information of a vehicle under certain scenes, up to all driving conditions.
(3) The rule library contains the basic rules, formulated in advance from the DBC library, that the CAN communication of a vehicle must comply with, such as the message period of a periodic message and the CAN message length.
(5) The detection model learning unit is the module that trains the CAN network anomaly detection models. Before a detection model is trained, the unit takes as input the DBC library, the scene report library and the rule library selected according to the vehicle type. After training, each model generates several types of detection rules, including bus rules, message rules, signal rules and custom rules for specific scenes. Among these rules, those of a detection model trained on the rule library and the DBC library are defined as first-level rules: violating one triggers an alarm together with blocking of communication. Those of a detection model trained on the scene report library are defined as second-level rules: violating one triggers only an anomaly alarm, and the relevant personnel subsequently decide whether to block communication based on the alarm information and the running state of the vehicle.
(6) The training models adopted by the detection model learning unit include sample entropy, relative entropy, decision trees, support vector machines, neural networks and the like. When training a detection model for a given rule, the rule is first analysed to select a suitable model, and the model is then trained with parameter tuning to finally obtain all the detection models expected for the rules under study.
(7) All detection models trained by the detection model learning unit are stored in the detection model library, which holds the different types of detection models of different vehicle types; in subsequent use, the detection models are screened for the specific vehicle type and configuration. The detection models screened for a given vehicle type can be imported into a specific vehicle, and the import can be performed over OTA or in other ways.
(8) The real-time CAN message acquisition module acquires and processes the CAN messages of the real vehicle, extracting the message time stamp, message ID, message data domain information and the like. The extracted message information can be stored periodically in the internal storage module; the number of messages acquired and stored at a time is determined by the capacity and the communication speed of the storage module.
(9) The detection judgment module judges the CAN network communication condition according to the detection models and the data to be detected stored by the real-time CAN message acquisition module; if, after running the models, it judges the CAN network messages and their traffic condition to be abnormal, the subsequent alarm and other processing are carried out.
(10) The alarm and other processing module responds according to whether a first-level or a second-level rule is violated: if a first-level rule is violated, an alarm is raised and communication is blocked; if a second-level rule is violated, only an anomaly alarm is raised, and the relevant personnel subsequently decide whether to block communication based on the alarm information and the running state of the vehicle.
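As an added illustration, not code from the patent, the following Python sketch mirrors the two-level decision described above: first-level bus, message and signal rules are taken from a hand-written DBC-style table, the second-level timing rule is learned from a constructed scene log of inter-arrival times, and a first-level hit yields alarm plus communication blocking while a second-level hit yields an alarm only. The DBC table, the signal layouts, the scene log and the 4-sigma threshold are all assumptions made for the example.

```python
"""Two-level CAN message checker (constructed example, not the patent's code)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Frame:
    ts: float        # message time stamp, seconds
    can_id: int      # message ID
    data: bytes      # message data domain


# Hypothetical DBC-derived protocol: ID -> (DLC, {signal: (start_bit, bit_len, min, max)}).
# Signals are little-endian bit fields; Motorola byte order is not handled here.
DBC = {
    0x100: (8, {"speed_kph": (0, 16, 0, 250)}),
    0x200: (4, {"brake_pct": (0, 8, 0, 100)}),
}


def decode(data: bytes, start: int, length: int) -> int:
    """Extract a little-endian bit field from the data domain."""
    return (int.from_bytes(data, "little") >> start) & ((1 << length) - 1)


def first_level(frame: Frame) -> list:
    """Bus rule (known ID), message rule (DLC) and signal rule (range) from the DBC."""
    if frame.can_id not in DBC:
        return [f"bus: unknown ID 0x{frame.can_id:X}"]
    dlc, signals = DBC[frame.can_id]
    if len(frame.data) != dlc:
        return [f"message: DLC {len(frame.data)} != {dlc}"]
    hits = []
    for name, (start, length, lo, hi) in signals.items():
        val = decode(frame.data, start, length)
        if not lo <= val <= hi:
            hits.append(f"signal: {name}={val} outside [{lo}, {hi}]")
    return hits


class TimingModel:
    """Second-level (custom) rule: per-ID inter-arrival baseline learned from a scene log."""

    def __init__(self, log: list, k: float = 4.0):
        self.k = k
        self.stats = {}   # ID -> (mean gap, std dev of gap)
        self.last = {}    # ID -> time stamp of last frame seen online
        prev, gaps = {}, {}
        for f in sorted(log, key=lambda f: f.ts):
            if f.can_id in prev:
                gaps.setdefault(f.can_id, []).append(f.ts - prev[f.can_id])
            prev[f.can_id] = f.ts
        for cid, g in gaps.items():
            self.stats[cid] = (mean(g), max(pstdev(g), 1e-4))  # floor sd for jitter-free IDs

    def check(self, frame: Frame) -> list:
        prev = self.last.get(frame.can_id)
        self.last[frame.can_id] = frame.ts
        if frame.can_id not in self.stats or prev is None:
            return []
        mu, sd = self.stats[frame.can_id]
        gap = frame.ts - prev
        if abs(gap - mu) > self.k * sd:
            return [f"custom: gap {gap * 1000:.1f} ms vs baseline {mu * 1000:.1f} ms"]
        return []


def judge(frame: Frame, model: TimingModel):
    """First-level hit -> alarm and block; second-level hit -> alarm only; else pass."""
    hits = first_level(frame)
    if hits:
        return "alarm+block", hits
    hits = model.check(frame)
    if hits:
        return "alarm", hits
    return "pass", []


def constructed_log() -> list:
    """Constructed scene report: 0x100 every 10 ms with 0.2 ms jitter, 0x200 every 20 ms."""
    log = []
    for i in range(50):
        jitter = 0.0002 if i % 2 else -0.0002
        log.append(Frame(i * 0.010 + jitter, 0x100, (60).to_bytes(2, "little") + bytes(6)))
    for i in range(25):
        log.append(Frame(i * 0.020, 0x200, bytes([30, 0, 0, 0])))
    return log
```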
According to the network intrusion prevention method for a vehicle provided by the embodiment of the application, a DBC sample library, a scene report library and a rule library are defined and combined to train detection models that can distinguish an intrusion risk from a communication fault that merely violates the rules; whether a communication network fault exists is then detected quickly and accurately with these detection models, achieving rapid prevention of network intrusion. Training specific to each vehicle type meets the network intrusion prevention requirements of all vehicle types, general whole-vehicle intrusion detection and prevention is achieved, and the user experience is improved. The unsatisfied rules can be identified specifically from the message time stamp, message ID and message data domain information of the communication message, so that the specific communication network fault is determined accurately and a communication fault carrying an intrusion risk is effectively distinguished from one that merely violates the rules. Different defense strategies can be executed according to different degrees of intrusion, so that the availability of the whole-vehicle network is preserved as far as possible while its security is guaranteed, improving the user experience.
Next, a network intrusion prevention device for a vehicle according to an embodiment of the present application will be described with reference to the accompanying drawings.
Fig. 4 is a block schematic diagram of a network intrusion prevention device of a vehicle according to an embodiment of the present application.
As shown in fig. 4, the network intrusion prevention device 10 of the vehicle includes: an acquisition module 100, a matching module 200, a training module 300 and a detection module 400.
The acquiring module 100 is configured to acquire the vehicle model of a vehicle to be defended; the matching module 200 is configured to match a preset DBC sample library, a preset scene report library and a preset rule library according to the vehicle model, where the preset DBC sample library includes the predefined communication protocol of the vehicle to be defended, the preset scene report library includes log data of communication messages of vehicles of different models in different driving states, and the preset rule library includes bus communication rules preset based on the preset DBC sample library; the training module 300 is configured to train a first detection model based on the communication protocol predefined in the preset DBC sample library and the bus communication rules preset in the preset rule library, and to train a second detection model based on the log data of communication messages of vehicles of different models in different driving states in the preset scene report library; the detection module 400 is configured to detect a first network anomaly of the vehicle to be defended using the first detection model, and to detect a second network anomaly of the vehicle to be defended using the second detection model.
In this embodiment of the present application, the first detection model has a bus rule, a message rule and a signal rule, the second detection model has a custom rule according to a preset scene, and the detection module 400 is configured to: collect a communication message of the vehicle to be defended and extract the message time stamp, message ID and message data domain information of the communication message; input the message ID and the message data domain information into the first detection model, and judge that a first network anomaly has occurred in the vehicle to be defended when it detects that the message ID or the message data domain information does not satisfy the bus rule, the message rule or the signal rule; and input the message time stamp into the second detection model, and judge that a second network anomaly has occurred in the vehicle to be defended when the message time stamp does not satisfy the custom rule.
In the embodiment of the present application, the apparatus 10 further includes a defense module. After the first detection model has been used to detect a first network anomaly of the vehicle to be defended and the second detection model has been used to detect a second network anomaly, the defense module controls the vehicle to execute a first anomaly alarm action and simultaneously executes a communication blocking action when the first network anomaly occurs in the vehicle to be defended; and controls the vehicle to execute a second anomaly alarm action when the second network anomaly occurs in the vehicle to be defended.
In the embodiment of the present application, the communication protocol may include a message ID, a message signal type, and a message communication matrix of the bus communication; the log data may include vehicle state data and vehicle control information under all driving conditions; the bus communication rules may include message periods and message lengths of periodic messages.
It should be noted that the foregoing explanation of the embodiment of the network intrusion prevention method for a vehicle is also applicable to the network intrusion prevention device for a vehicle of this embodiment, and will not be repeated here.
According to the network intrusion prevention device for a vehicle provided by the embodiment of the application, a DBC sample library, a scene report library and a rule library are defined and combined to train detection models that can distinguish an intrusion risk from a communication fault that merely violates the rules; whether a communication network fault exists is then detected quickly and accurately with these detection models, achieving rapid prevention of network intrusion. Training specific to each vehicle type meets the network intrusion prevention requirements of all vehicle types, general whole-vehicle intrusion detection and prevention is achieved, and the user experience is improved. The unsatisfied rules can be identified specifically from the message time stamp, message ID and message data domain information of the communication message, so that the specific communication network fault is determined accurately and a communication fault carrying an intrusion risk is effectively distinguished from one that merely violates the rules. Different defense strategies can be executed according to different degrees of intrusion, so that the availability of the whole-vehicle network is preserved as far as possible while its security is guaranteed, improving the user experience.
Fig. 4 is a schematic structural diagram of a vehicle according to an embodiment of the present application. The vehicle may include:
a memory 401, a processor 402, and a computer program stored in the memory 401 and executable on the processor 402.
The processor 402 implements the network intrusion prevention method of the vehicle provided in the above-described embodiment when executing the program.
Further, the vehicle further includes:
a communication interface 403 for communication between the memory 401 and the processor 402.
A memory 401 for storing a computer program executable on the processor 402.
The memory 401 may include high-speed RAM (Random Access Memory), and may also include non-volatile memory, such as at least one disk memory.
If the memory 401, the processor 402 and the communication interface 403 are implemented independently, the communication interface 403, the memory 401 and the processor 402 may be connected to each other by a bus and communicate with each other. The bus may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 4, but this does not mean that there is only one bus or one type of bus.
Alternatively, in a specific implementation, if the memory 401, the processor 402, and the communication interface 403 are integrated on a chip, the memory 401, the processor 402, and the communication interface 403 may perform communication with each other through internal interfaces.
The processor 402 may be a CPU (Central Processing Unit), an ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present application.
The embodiment of the application also provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the network intrusion prevention method for a vehicle as above.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or N embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, the meaning of "N" is at least two, such as two, three, etc., unless explicitly defined otherwise.
Any process or method description in a flow chart or otherwise described herein may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes further implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present application.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the N steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. As with the other embodiments, if implemented in hardware, may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable gate arrays, field programmable gate arrays, and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
Although embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives, and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (10)

1. A network intrusion prevention method for a vehicle, comprising the steps of:
acquiring a vehicle model of a vehicle to be defended;
according to the vehicle model, a preset DBC sample library, a preset scene report library and a preset rule library are matched, wherein the preset DBC sample library comprises a predefined communication protocol of the vehicle to be defended, the preset scene report library comprises log data of communication messages of vehicles of different models in different running states, and the preset rule library comprises a bus communication rule preset based on the preset DBC sample library;
training to obtain a first detection model based on a communication protocol predefined in the preset DBC sample library and a bus communication rule preset in the preset rule library, training to obtain a second detection model based on log data of communication messages of different types of vehicles in the preset scene report library in different driving states, detecting first network abnormality of the vehicle to be defended by using the first detection model, and detecting second network abnormality of the vehicle to be defended by using the second detection model.
2. The method of claim 1, wherein the first detection model has bus rules, message rules, and signal rules, the second detection model has custom rules according to a preset scenario, the detecting a first network anomaly of the vehicle to be defended using the first detection model, and detecting a second network anomaly of the vehicle to be defended using the second detection model, comprising:
collecting the communication message of the vehicle to be defended, and extracting the message time stamp, the message ID and the message data domain information of the communication message;
inputting the message ID and the message data domain information into the first detection model, and judging that the vehicle to be defended has a first network abnormality when detecting that the message ID or the message data domain information does not meet the bus rule, the message rule or the signal rule;
and inputting the message time stamp into the second detection model, and judging that the vehicle to be defended has a second network abnormality when the message time stamp is detected to not meet the custom rule.
3. The method of claim 1, further comprising, after detecting a first network anomaly of the vehicle to be defended using the first detection model and detecting a second network anomaly of the vehicle to be defended using the second detection model:
when the first network abnormality occurs in the vehicle to be defended, controlling the vehicle to execute a first abnormality alarming action and simultaneously executing a communication blocking action;
and when the second network abnormality occurs to the vehicle to be defended, controlling the vehicle to execute a second abnormality alarming action.
4. A method according to any one of the claims 1-3, characterized in that,
the communication protocol comprises a message ID, a message signal type and a message communication matrix of bus communication;
the log data comprises vehicle state data and vehicle control information under all driving conditions;
the bus communication rule comprises a message period and a message length of a periodic message.
5. A network intrusion prevention device for a vehicle, comprising:
the acquisition module is used for acquiring the vehicle model of the vehicle to be defended;
the matching module is used for matching a preset DBC sample library, a preset scene report library and a preset rule library according to the vehicle model, wherein the preset DBC sample library comprises a predefined communication protocol of the vehicle to be defended, the preset scene report library comprises log data of communication messages of vehicles of different models in different running states, and the preset rule library comprises bus communication rules preset based on the preset DBC sample library;
the training module is used for training to obtain a first detection model based on a communication protocol predefined in the preset DBC sample library and a bus communication rule preset in the preset rule library, and training to obtain a second detection model based on log data of communication messages of different types of vehicles in the preset scene report library in different driving states;
the detection module is used for detecting the first network abnormality of the vehicle to be defended by using the first detection model, and detecting the second network abnormality of the vehicle to be defended by using the second detection model.
6. The apparatus of claim 5, wherein the first detection model has bus rules, message rules, and signal rules, the second detection model has custom rules according to a preset scenario, and the detection module is configured to:
collecting the communication message of the vehicle to be defended, and extracting the message time stamp, the message ID and the message data domain information of the communication message;
inputting the message ID and the message data domain information into the first detection model, and judging that the vehicle to be defended has a first network abnormality when detecting that the message ID or the message data domain information does not meet the bus rule, the message rule or the signal rule;
and inputting the message time stamp into the second detection model, and judging that the vehicle to be defended has a second network abnormality when the message time stamp is detected to not meet the custom rule.
7. The apparatus as recited in claim 5, further comprising:
the defending module is used for controlling the vehicle to execute a first abnormal alarming action and execute a communication blocking action when the first network abnormality occurs to the vehicle to be defended after the first network abnormality of the vehicle to be defended is detected by the first detection model and the second network abnormality of the vehicle to be defended is detected by the second detection model; and when the second network abnormality occurs to the vehicle to be defended, controlling the vehicle to execute a second abnormality alarming action.
8. The apparatus according to any one of claims 5 to 7, wherein,
the communication protocol comprises a message ID, a message signal type and a message communication matrix of bus communication;
the log data comprises vehicle state data and vehicle control information under all driving conditions;
the bus communication rule comprises a message period and a message length of a periodic message.
9. A vehicle, characterized by comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor executing the program to implement the network intrusion prevention method of a vehicle according to any one of claims 1-4.
10. A computer-readable storage medium, on which a computer program is stored, characterized in that the program is executed by a processor for implementing a network intrusion prevention method for a vehicle according to any one of claims 1-4.
CN202211097990.6A 2022-09-08 2022-09-08 Network intrusion prevention method and device for vehicle, vehicle and storage medium Pending CN116318758A (en)


Publications (1)

Publication Number Publication Date
CN116318758A true CN116318758A (en) 2023-06-23


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117714180A (en) * 2023-12-19 2024-03-15 北京信息科技大学 Vehicle CAN bus anomaly detection method and medium based on timing and semantic features
CN117714180B (en) * 2023-12-19 2025-01-07 北京信息科技大学 Vehicle CAN bus anomaly detection method and medium based on timing and semantic features


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination