CN113992344A - Communication data anomaly detection method and system based on SOME/IP protocol - Google Patents
- Publication number: CN113992344A (application CN202111067177.XA)
- Authority
- CN
- China
- Prior art keywords
- message
- module
- past
- communication
- service
- Prior art date
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0805—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
- H04L43/0811—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity
- H04L43/0817—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Environmental & Geological Engineering (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a communication data anomaly detection method and system based on the SOME/IP protocol. The method comprises the following steps: obtaining a SOME/IP communication message; detecting, according to the SOME/IP service state and the subscription information, whether the address, port and message header format of the SOME/IP communication message are compliant, and recording anomaly information; detecting, according to the past message flow, whether the message in the SOME/IP communication message is compliant, and recording anomaly information; and updating the SOME/IP service state, the subscription information and the past message flow according to the detection results. The method can detect whether the address, port, message header fields and message flow of a SOME/IP message are anomalous, reflects the running state of the SOME/IP protocol in real time, needs no configuration file, is convenient to deploy, is independent of the specific SOME/IP implementation, and can be applied to various nodes in SOME/IP communication.
Description
Technical Field
The invention relates to the technical field of in-vehicle network security, in particular to a communication data anomaly detection method based on the SOME/IP protocol.
Background
The rapid development of intelligent vehicles has brought new research interest and consumer demand. Technologies such as in-vehicle infotainment systems and advanced driver assistance systems greatly enrich the driving experience, and against this background the SOME/IP protocol and its Service Discovery protocol (SD), running over in-vehicle Ethernet, are gradually being implemented in automotive Electronic Control Units (ECUs) to provide service communication among ECUs. Because of the particular application environment, it is necessary to detect SOME/IP protocol communication packets and the communication state in order to improve the network security of the intelligent vehicle.
Anomaly detection is one of the intrusion detection technologies: it takes the behaviour of the normal system as its baseline and treats any situation that contradicts normal behaviour in the network as an anomaly. At present there is no anomaly detection mode specific to the SOME/IP protocol, and a general anomaly detection mode cannot independently detect the address, port, message header format and message flow of a communication message according to the SOME/IP communication state.
Disclosure of Invention
The present invention provides a communication data anomaly detection method and system based on the SOME/IP protocol to solve the above technical problem, so as to provide security protection for the SOME/IP protocol when there is an anomaly in the address, port, message header fields or message stream of a SOME/IP communication message.
In order to achieve the above object, the present invention discloses a communication data anomaly detection method based on the SOME/IP protocol, which comprises:
obtaining a SOME/IP communication message;
detecting, according to the SOME/IP service state and the subscription information, whether the address, port and message header format of the SOME/IP communication message are compliant, and recording anomaly information;
detecting, according to the past message flow, whether the message in the SOME/IP communication message is compliant, and recording anomaly information;
and updating the SOME/IP service state, the subscription information and the past message flow according to the detection result.
Preferably, the method for detecting the SOME/IP communication message according to the SOME/IP service state and the subscription information comprises:
S10: judge whether the address and port of the SOME/IP communication message are within the IP address and port range of the SOME/IP server; if so, proceed to S11; if not, record the anomaly and end the current detection of the SOME/IP communication message;
S11: judge whether the address and port of the SOME/IP communication message are within the IP address and port range of the client; if so, proceed to S12; if not, record the anomaly and proceed to S12;
S12: judge whether the TCP connection corresponding to the address and port of the SOME/IP communication message has been established; if so, proceed to S13; if not, record the anomaly and end the current detection of the SOME/IP communication message;
S13: judge whether any field in the header of the message in the SOME/IP communication message exceeds its legal value range; if so, record the anomaly and proceed to S14; if not, proceed to S14;
S14: judge whether the service ID, service version, event group ID or event group version fields of the message in the SOME/IP communication message are consistent with the service instance; if so, proceed to S15; if not, record the anomaly and end the current detection;
S15: judge whether the client ID or event group ID field of the message in the SOME/IP communication message is consistent with the client; if so, end the current detection; if not, record the anomaly and end the current detection.
Preferably, the messages in the communication message comprise SOME/IP-SD messages and non-SD SOME/IP messages;
the method for detecting the message in the SOME/IP communication message according to the past message flow comprises a method for detecting the SOME/IP-SD message and a method for detecting the non-SD SOME/IP message, respectively.
Preferably, the method for detecting the SOME/IP-SD message comprises:
S200: judge whether a past message identical to the current SOME/IP-SD information item exists; if so, define the current SOME/IP-SD message as a replay, record the anomaly and end the current detection; if not, proceed to S201;
S201: divide the SOME/IP-SD message into offer service messages and subscription-event-group-related messages;
S202: judge whether the offer service message is a unicast message and a corresponding past find service message exists; if so, end the current detection; if not, record the anomaly and end the current detection;
S203: judge whether a corresponding past subscribe event group message exists for the subscription-event-group-related message; if so, end the current detection; if not, record the anomaly and end the current detection.
Preferably, the method for detecting the non-SD SOME/IP message comprises:
S210: judge whether a past message identical to the current SOME/IP information item exists; if so, define the current SOME/IP message as a replay, record the anomaly and end the current detection; if not, proceed to S211;
S211: divide the SOME/IP message into response messages and error messages, and judge whether the response message or error message belongs to SOME/IP-TP; if so, proceed to S215;
S212: judge whether a past request message corresponding to the response message exists; if so, end the current detection; if not, record the anomaly and end the current detection;
S213: judge whether a past request message corresponding to the error message exists; if so, proceed to S214; if not, record the anomaly and end the current detection;
S214: judge whether the return code of the error message is consistent with the anomaly information recorded for the past request message; if so, end the current detection; if not, record the anomaly and end the current detection;
S215: judge whether a past TP message corresponding to the SOME/IP-TP message and having the same offset exists; if so, record the anomaly and end the current detection; if not, end the current detection.
Preferably, the method for updating the SOME/IP service state, the subscription information and the past message flow comprises:
S30: judge, according to the detection result, whether the SOME/IP-SD message in the current SOME/IP communication message is normal; if so, update the SOME/IP service state and subscription information according to the division of the SOME/IP-SD message; if not, proceed to S31;
S31: judge, according to the detection result, whether the address and port of the current SOME/IP communication message are within the IP address and port range of the SOME/IP client; if not, add the corresponding SOME/IP service state and subscription information;
S32: judge whether a reboot has occurred according to the reboot flag and session ID field of the current SOME/IP-SD message and the corresponding fields of past messages; if so, delete the corresponding SOME/IP service state, subscription information and past message flow;
S33: detect whether the service instance lifetime of any SOME/IP server is due; if so, delete the corresponding SOME/IP service state, subscription information and past message flow;
S34: detect whether the event group lifetime of any SOME/IP client is due; if so, delete the corresponding SOME/IP subscription information;
S35: detect whether SOME/IP service state information corresponding to the current message exists; if so, add the message to the corresponding past message flow.
The invention also discloses a communication data anomaly detection system based on the SOME/IP protocol, which comprises a data acquisition unit, a first detection unit, a second detection unit and an updating unit;
the data acquisition unit is used for acquiring a SOME/IP communication message;
the first detection unit is used for detecting, according to the SOME/IP service state and the subscription information, whether the address, port and message header format of the SOME/IP communication message are compliant, and recording anomaly information;
the second detection unit is used for detecting, according to the past message flow, whether the message in the SOME/IP communication message is compliant, and recording anomaly information;
and the updating unit is used for updating the SOME/IP service state, the subscription information and the past message flow according to the feedback of the first detection unit and the second detection unit.
Preferably, the first detection unit comprises a server judgment module, a client judgment module, a TCP connection judgment module, a field value range judgment module, a service instance judgment module and an ID field judgment module, which are connected in communication in sequence;
the server judgment module is used for judging whether the address and port of the SOME/IP communication message are within the IP address and port range of the SOME/IP server, and recording the anomaly;
the client judgment module is used for judging whether the address and port of the SOME/IP communication message are within the IP address and port range of the client, and recording the anomaly;
the TCP connection judgment module is used for judging whether the TCP connection corresponding to the address and port of the SOME/IP communication message has been established, and recording the anomaly;
the field value range judgment module is used for judging whether a field in the header of the message in the SOME/IP communication message exceeds its legal value range, and recording the anomaly;
the service instance judgment module is used for judging whether the service ID, service version, event group ID or event group version fields of the message in the SOME/IP communication message are consistent with the service instance, and recording the anomaly;
and the ID field judgment module is used for judging whether the client ID or event group ID field of the message in the SOME/IP communication message is consistent with the client, and recording the anomaly.
Preferably, the messages in the communication message comprise SOME/IP-SD messages and non-SD SOME/IP messages;
the second detection unit comprises a SOME/IP-SD message detection unit and a SOME/IP message check unit, which are used for detecting the SOME/IP-SD message and the non-SD SOME/IP message respectively.
Preferably, the SOME/IP-SD message detection unit comprises a first judgment module, a first message division module, a second judgment module and a third judgment module;
the first judgment module is used for judging whether a past message identical to the current SOME/IP-SD information item exists, and recording the anomaly;
the first message division module is configured to divide the SOME/IP-SD message into offer service messages and subscription-event-group-related messages according to the feedback of the first judgment module;
the second judgment module is configured to judge whether the offer service message is a unicast message and a corresponding past find service message exists, and record the anomaly;
and the third judgment module is used for judging whether a corresponding past subscribe event group message exists for the subscription-event-group-related message, and recording the anomaly.
Preferably, the SOME/IP message check unit comprises a fourth judgment module, a second message division module, a fifth judgment module, a sixth judgment module, a seventh judgment module and an eighth judgment module;
the fourth judgment module is used for judging whether a past message identical to the current SOME/IP information item exists, and recording the anomaly;
the second message division module is configured to divide the SOME/IP message into response messages and error messages according to the feedback of the fourth judgment module, and to determine whether the response message or error message belongs to SOME/IP-TP;
the fifth judgment module is used for judging whether a past request message corresponding to the response message exists, and recording the anomaly;
the sixth judgment module is configured to judge whether a past request message corresponding to the error message exists, and record the anomaly;
the seventh judgment module is configured to judge, according to the feedback of the sixth judgment module, whether the return code of the error message is consistent with the anomaly information of the past request message, and record the anomaly;
and the eighth judgment module is used for judging whether a past TP message corresponding to the SOME/IP-TP message and having the same offset exists, and recording the anomaly.
Preferably, the updating unit comprises a first updating module, a second updating module, a third updating module, a fourth updating module, a fifth updating module and a sixth updating module;
the first updating module is used for judging, according to the detection result, whether the SOME/IP-SD message in the current SOME/IP communication message is normal, and updating the SOME/IP service state and subscription information according to the division of the SOME/IP-SD message;
the second updating module is used for judging, according to the detection result, whether the address and port of the current SOME/IP communication message are within the IP address and port range of the SOME/IP client, so as to add the corresponding SOME/IP service state and subscription information;
the third updating module is used for judging whether a reboot has occurred according to the reboot flag and session ID field of the current SOME/IP-SD message and the corresponding fields of past messages, so as to delete the corresponding SOME/IP service state, subscription information and past message flow;
the fourth updating module is used for detecting whether the service instance lifetime of any SOME/IP server has expired, so as to delete the corresponding SOME/IP service state, subscription information and past message flow;
the fifth updating module is used for detecting whether the event group lifetime of any SOME/IP client is due, so as to delete the corresponding SOME/IP subscription information;
and the sixth updating module is used for detecting whether SOME/IP service state information corresponding to the current message exists, so as to add the message to the corresponding past message flow.
The invention also discloses a communication data anomaly detection system based on the SOME/IP protocol, which comprises one or more processors, a memory and one or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by the one or more processors, and the programs comprise instructions for executing the communication data anomaly detection method based on the SOME/IP protocol.
The present invention also discloses a computer readable storage medium comprising a computer program executable by a processor to perform the SOME/IP protocol based communication data anomaly detection method as described above.
Compared with the prior art, the communication data anomaly detection method and system based on the SOME/IP protocol have the following beneficial technical effects:
1. the method can detect SOME/IP messages, detect whether the SOME/IP message address, port, message header fields and SOME/IP message flow are anomalous, reflect the running state of the SOME/IP protocol in real time, need no configuration file, are convenient to deploy, are independent of the specific implementation of SOME/IP, and can be applied to various nodes in SOME/IP communication;
2. the state and subscription information of the SOME/IP service instance are obtained by analysing SOME/IP-SD messages, the session relationship between the SOME/IP client and the service instance is obtained by analysing the SOME/IP message flow, and the address, port, message header fields and message flow of subsequent SOME/IP messages are detected according to that session relationship.
Drawings
Fig. 1 is a schematic flow chart of a communication data anomaly detection method according to an embodiment of the present invention.
Fig. 2 is a diagram illustrating the mapping relationship between SOME/IP service state, subscription information and past message flows according to an embodiment of the present invention.
Fig. 3 is a diagram illustrating the SOME/IP-SD message structure according to an embodiment of the present invention.
Fig. 4 is a diagram illustrating the structure of the SOME/IP message header according to an embodiment of the present invention.
Fig. 5 is a diagram illustrating the legal value ranges of some fields of the SOME/IP-SD message according to an embodiment of the present invention.
Fig. 6 is a diagram illustrating the legal value ranges of some fields of the SOME/IP message header according to an embodiment of the present invention.
Fig. 7 is a schematic flow chart illustrating the detection of the SOME/IP communication message according to the SOME/IP service state and the subscription information in the embodiment of the present invention.
Fig. 8 is a flow chart illustrating the detection of SOME/IP communication messages according to the past message flow in the embodiment of the present invention.
Fig. 9 is a diagram illustrating the types of return code of the SOME/IP message in the embodiment of the present invention.
Fig. 10 is a schematic flow chart illustrating the updating of the SOME/IP service state, the subscription information and the past message flow according to the embodiment of the present invention.
Detailed Description
In order to explain the technical content, structural features, objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings and in conjunction with the embodiments.
The embodiment discloses a communication data anomaly detection method based on the SOME/IP protocol, which is used for detecting SOME/IP protocol communication messages and the communication state of an in-vehicle Ethernet network and improving the network security of an intelligent vehicle. Specifically, as shown in Fig. 1, the method comprises the following steps:
S0: obtain the SOME/IP communication message. In this embodiment, the SOME/IP communication packet may be acquired from an in-vehicle Ethernet network or from an offline data file.
S1: detect, according to the SOME/IP service state and the subscription information, whether the address, port and message header format of the SOME/IP communication message are compliant, and record anomaly information.
S2: detect, according to the past message flow, whether the message in the SOME/IP communication message is compliant, and record anomaly information.
S3: update the SOME/IP service state, the subscription information and the past message flow according to the detection result.
As shown in Fig. 2, the SOME/IP service state comprises the IP address and port of the SOME/IP server and the service ID, service version, service lifetime, event group ID and event group version of the service instance of the SOME/IP server. The subscription information comprises the IP address, port, client ID, subscribed event group ID, event group lifetime and TCP connection status of the client communicating with the service instance.
In the SOME/IP protocol, different service instances of the same SOME/IP server run on different ports, so one service instance can be identified by the IP address and port of the SOME/IP server; each service instance runs one or more services or event groups; a SOME/IP client may invoke a service or subscribe to an event group, and each service or event group of each service instance may correspond to multiple SOME/IP clients.
Specifically, as shown in Fig. 7, the method for detecting the SOME/IP communication message according to the SOME/IP service state and the subscription information comprises:
S10: judge whether the address and port of the SOME/IP communication message are within the IP address and port range of the SOME/IP server; if so, proceed to S11; if not, record the anomaly and end the current detection of the SOME/IP communication message. It should be noted that, for such an anomalous message, since it is not received by any server there is no subscription information or message flow for it, and no further detection (including the remaining steps of S1 and step S2) is required.
S11: judge whether the address and port of the SOME/IP communication message are within the IP address and port range of the client; if so, proceed to S12; if not, record the anomaly, record the result as a basis for the SOME/IP service state update, and proceed to S12.
S12: judge whether the TCP connection corresponding to the address and port of the SOME/IP communication message has been established; if so, proceed to S13; if not, record the anomaly and end the current detection of the SOME/IP communication message.
S13: judge whether any field in the header of the message in the SOME/IP communication message exceeds its legal value range; if so, record the anomaly and proceed to S14; if not, proceed to S14.
S14: judge whether the service ID, service version, event group ID or event group version fields of the message in the SOME/IP communication message are consistent with the service instance; if so, proceed to S15; if not, record the anomaly and end the current detection.
S15: judge whether the client ID or event group ID field of the message in the SOME/IP communication message is consistent with the client; if so, end the current detection; if not, record the anomaly and end the current detection.
More specifically, in the above-described embodiment, the message header formats include a SOME/IP-SD message header format and a non-SD SOME/IP message header format. As shown in Fig. 3, the SOME/IP-SD message header format includes a SOME/IP message header and a SOME/IP-SD message header. As shown in Fig. 4, the non-SD SOME/IP message header format includes a SOME/IP message header and a SOME/IP-TP message header.
The legal value ranges of the message header fields comprise the legal value ranges of the SOME/IP-SD message header fields and the legal value ranges of the non-SD SOME/IP message header fields. As shown in Fig. 5, in the header fields of the SOME/IP-SD message there are corresponding legal value ranges for the service ID, method ID, length, session ID, protocol version, interface version, message type, return code and reserved bits. As shown in Fig. 6, in the header fields of the non-SD SOME/IP message there are corresponding legal value ranges for the service ID, method ID, length, session ID, protocol version, interface version, message type, return code and reserved bits.
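The header-format check of step S13 is easiest to see as code. The following Python is an added example written for this page, not code from the patent. It parses the 16-byte SOME/IP header (and, for SD messages, the flags and reserved bytes that follow it) and lists every field outside its legal range. The patent's own Fig. 5 and Fig. 6 tables are not reproduced on the page, so the constant values used here (SD service ID 0xFFFF, SD method ID 0x8100, protocol version 1, the defined message types, the 0x00..0x5E return-code range, the three defined SD flag bits) are assumptions taken from the AUTOSAR SOME/IP and SOME/IP-SD specifications; the sample packets are constructed, not captured.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Legal values for the header fields. Assumption: taken from the AUTOSAR SOME/IP
# and SOME/IP-SD specifications as recalled by the author of this example; the
# patent's own tables (Fig. 5 and Fig. 6) are not reproduced on the page.
HEADER_LEN = 16                  # message ID (4), length (4), request ID (4), four 1-byte fields
SD_SERVICE_ID = 0xFFFF
SD_METHOD_ID = 0x8100
SD_CLIENT_ID = 0x0000
SD_INTERFACE_VERSION = 0x01
SD_MESSAGE_TYPE = 0x02           # SD messages are NOTIFICATIONs
PROTOCOL_VERSION = 0x01
TP_FLAG = 0x20                   # set on SOME/IP-TP segments
BASE_MESSAGE_TYPES = (0x00, 0x01, 0x02, 0x80, 0x81)   # REQUEST, REQUEST_NO_RETURN, NOTIFICATION, RESPONSE, ERROR
LEGAL_MESSAGE_TYPES = set(BASE_MESSAGE_TYPES) | {t | TP_FLAG for t in BASE_MESSAGE_TYPES}
MAX_RETURN_CODE = 0x5E           # 0x5F..0xFF are reserved
SD_FLAGS_RESERVED_MASK = 0x1F    # only reboot (0x80), unicast (0x40), explicit initial data (0x20) are defined


@dataclass
class SomeIpHeader:
    service_id: int
    method_id: int
    length: int
    client_id: int
    session_id: int
    protocol_version: int
    interface_version: int
    message_type: int
    return_code: int
    sd_flags: Optional[int] = None       # SOME/IP-SD header fields, present only on SD messages
    sd_reserved: Optional[bytes] = None

    @property
    def is_sd(self) -> bool:
        return self.service_id == SD_SERVICE_ID and self.method_id == SD_METHOD_ID


def parse_header(packet: bytes) -> SomeIpHeader:
    """Decode the SOME/IP header and, for SD messages, the flags/reserved bytes after it."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than a SOME/IP header")
    hdr = SomeIpHeader(*struct.unpack(">HHIHHBBBB", packet[:HEADER_LEN]))
    if hdr.is_sd and len(packet) >= HEADER_LEN + 4:
        hdr.sd_flags = packet[HEADER_LEN]
        hdr.sd_reserved = packet[HEADER_LEN + 1:HEADER_LEN + 4]
    return hdr


def check_header_ranges(hdr: SomeIpHeader, packet_len: int) -> List[str]:
    """Step S13: list every header field that lies outside its legal value range."""
    anomalies: List[str] = []
    if hdr.length != packet_len - 8:      # length counts the bytes after the length field
        anomalies.append(f"length {hdr.length} does not match {packet_len - 8} bytes after the length field")
    if hdr.protocol_version != PROTOCOL_VERSION:
        anomalies.append(f"protocol version 0x{hdr.protocol_version:02x}")
    if hdr.message_type not in LEGAL_MESSAGE_TYPES:
        anomalies.append(f"message type 0x{hdr.message_type:02x}")
    if hdr.return_code > MAX_RETURN_CODE:
        anomalies.append(f"return code 0x{hdr.return_code:02x}")
    elif (hdr.message_type & ~TP_FLAG) in (0x00, 0x01, 0x02) and hdr.return_code != 0:
        anomalies.append("non-zero return code on a request or notification")
    if hdr.is_sd:                          # SD fixes client ID, interface version and message type
        if hdr.client_id != SD_CLIENT_ID:
            anomalies.append(f"SD client ID 0x{hdr.client_id:04x}")
        if hdr.interface_version != SD_INTERFACE_VERSION:
            anomalies.append(f"SD interface version 0x{hdr.interface_version:02x}")
        if hdr.message_type != SD_MESSAGE_TYPE:
            anomalies.append(f"SD message type 0x{hdr.message_type:02x}")
        if hdr.sd_flags is None:
            anomalies.append("SD header truncated")
        else:
            if hdr.sd_flags & SD_FLAGS_RESERVED_MASK:
                anomalies.append(f"reserved SD flag bits set in 0x{hdr.sd_flags:02x}")
            if hdr.sd_reserved != b"\x00\x00\x00":
                anomalies.append(f"SD reserved bytes {hdr.sd_reserved.hex()} not zero")
    return anomalies


def inspect(packet: bytes) -> List[str]:
    return check_header_ranges(parse_header(packet), len(packet))


# Constructed sample packets (not captured traffic): SD header, flags, reserved bytes,
# then empty entries and options arrays.
def _sd_packet(session_id: int, protocol_version: int, message_type: int, flags: int, reserved: bytes) -> bytes:
    body = bytes([flags]) + reserved + struct.pack(">II", 0, 0)
    header = struct.pack(">HHIHHBBBB", SD_SERVICE_ID, SD_METHOD_ID, 8 + len(body), SD_CLIENT_ID,
                         session_id, protocol_version, SD_INTERFACE_VERSION, message_type, 0)
    return header + body


GOOD_SD_OFFER = _sd_packet(0x0001, 0x01, 0x02, 0xC0, b"\x00\x00\x00")      # reboot + unicast flags
BAD_SD_OFFER = _sd_packet(0x0002, 0x02, 0x05, 0xC1, b"\x00\x00\x01")       # five fields out of range
BAD_LENGTH_REQUEST = struct.pack(">HHIHHBBBB", 0x1234, 0x0001, 99, 0x0001, 0x0001, 1, 1, 0x00, 0)
```

`inspect(GOOD_SD_OFFER)` returns an empty list, `inspect(BAD_SD_OFFER)` returns five anomalies (protocol version, message type twice, reserved flag bits, reserved bytes), and `inspect(BAD_LENGTH_REQUEST)` flags only the length field. The length check matters in practice because a length that disagrees with the packet size is what a parser downstream would otherwise trust when it reads the payload.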
Further, since the messages in the communication message comprise SOME/IP-SD messages and non-SD SOME/IP messages, the specific content of the past message flow used in step S3 comprises:
the request ID, flags and entry types of past SOME/IP-SD messages;
the message ID, request ID, message type, TP header and anomaly information of past non-SD SOME/IP messages.
The method for detecting messages in the SOME/IP communication message according to the past message flow therefore comprises a method for detecting the SOME/IP-SD message and a method for detecting the non-SD SOME/IP message, respectively.
Specifically, as shown in Fig. 8, the method for detecting the SOME/IP-SD message comprises:
S200: judge whether a past message identical to the current SOME/IP-SD information item exists; if so, define the current SOME/IP-SD message as a replay, record the anomaly and end the current detection; if not, proceed to S201.
S201: divide the SOME/IP-SD message into offer service messages and subscription-event-group-related messages; in this embodiment, the subscription-event-group-related messages comprise subscribe event group acknowledge/negative-acknowledge messages and stop subscribe event group messages.
S202: judge whether the offer service message is a unicast message and a corresponding past find service message exists; if so, end the current detection; if not, record the anomaly and end the current detection.
S203: judge whether a corresponding past subscribe event group message exists for the subscription-event-group-related message; if so, end the current detection; if not, record the anomaly and end the current detection.
Referring again to Fig. 8, the method for detecting non-SD SOME/IP messages comprises:
S210: judge whether a past message identical to the current SOME/IP information item exists; if so, define the current SOME/IP message as a replay, record the anomaly and end the current detection; if not, proceed to S211.
S211: divide the SOME/IP message into response messages and error messages, and judge whether the response message or error message belongs to SOME/IP-TP; if so, proceed to S215; if not, proceed to S212 for response messages and to S213 for error messages.
S212: judge whether a past request message corresponding to the response message exists; if so, end the current detection; if not, record the anomaly and end the current detection.
S213: judge whether a past request message corresponding to the error message exists; if so, proceed to S214; if not, record the anomaly and end the current detection.
S214: judge whether the return code of the error message is consistent with the anomaly information recorded for the past request message; if so, end the current detection; if not, record the anomaly and end the current detection.
S215: judge whether a past TP message corresponding to the SOME/IP-TP message and having the same offset exists; if so, record the anomaly and end the current detection; if not, end the current detection.
In the above embodiment the correspondences are as follows: a unicast SOME/IP-SD message carrying an offer service entry corresponds to the SOME/IP-SD message carrying a find service entry with the same request ID; an SOME/IP-SD message carrying a subscribe event group acknowledgement entry corresponds to the SOME/IP-SD message carrying a subscribe event group entry with the same request ID; SOME/IP-TP messages with the same message ID, request ID and message type correspond to each other; an SOME/IP response message corresponds to the SOME/IP request message with the same message ID and request ID; and an SOME/IP error message corresponds to the SOME/IP request message with the same message ID and request ID. In addition, in the specific flow of step S2, an SOME/IP-SD subscribe event group negative acknowledgement (Nack) message is equivalent to an SOME/IP-SD message carrying a subscribe event group acknowledgement entry whose event group TTL is 0, and an SOME/IP-SD stop subscribe event group message is equivalent to an SOME/IP-SD message carrying a subscribe event group entry whose event group TTL is 0.
In the detailed execution flow of step S2, as shown in fig. 9, the SOME/IP header-field errors to which a return code can correspond are: service ID anomaly, method ID anomaly, protocol version anomaly, interface version anomaly and message type anomaly. The anomaly information of the past request message is recorded in step S1, and each of these error types maps to a return code, so there is a checkable correspondence between the return code carried by the error message and the anomaly recorded for the request it answers.
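The following is an added example, not code from the patent, showing how steps S210 to S215 can be run over constructed SOME/IP frames: a 16-byte header parser that also records the step-S1 field anomalies, a replay key, a past-request table for the response and error checks, and a per-offset key for SOME/IP-TP segments. The service table handed to the checker, the replay key (message ID, request ID, message type, plus the offset for TP segments) and the mapping from the five header-field error types of fig. 9 to SOME/IP return codes (E_UNKNOWN_SERVICE 0x02, E_UNKNOWN_METHOD 0x03, E_WRONG_PROTOCOL_VERSION 0x07, E_WRONG_INTERFACE_VERSION 0x08, E_WRONG_MESSAGE_TYPE 0x0A) are assumptions of this example; the patent names the field types but not the codes.

```python
"""Past-message checks of step S2 (S210-S215) over constructed SOME/IP frames.
Added example, not the patent's code. EXPECTED_RC, the replay key and the
service table are assumptions made here."""
import struct
from dataclasses import dataclass
from typing import Optional

# SOME/IP header: message ID, length, request ID, protocol version,
# interface version, message type, return code (16 bytes, big-endian)
HDR = struct.Struct(">IIIBBBB")
TP_FLAG = 0x20                                  # message-type bit marking a SOME/IP-TP segment
BASE_TYPES = {0x00, 0x01, 0x02, 0x80, 0x81}     # REQUEST, REQUEST_NO_RETURN, NOTIFICATION, RESPONSE, ERROR
REQUEST, RESPONSE, ERROR = 0x00, 0x80, 0x81
# assumed: return code a server answers with for each header-field error of fig. 9
EXPECTED_RC = {"service_id": 0x02, "method_id": 0x03, "protocol_version": 0x07,
               "interface_version": 0x08, "message_type": 0x0A}
HEADER_RCS = set(EXPECTED_RC.values())


@dataclass(frozen=True)
class Msg:
    message_id: int
    request_id: int
    msg_type: int
    return_code: int
    tp_offset: Optional[int]   # offset field of a TP segment, None for a plain message
    anomalies: tuple           # header-field anomalies recorded in step S1


class SomeIpChecker:
    def __init__(self, services):
        # services: {service_id: (interface_version, {method_id, ...})}, the service state of step S1
        self.services = services
        self.seen = set()       # replay keys of all past messages
        self.requests = {}      # (message_id, request_id) -> past request message

    def parse(self, frame: bytes) -> Msg:
        mid, _length, rid, pv, iv, mt, rc = HDR.unpack_from(frame)
        sid, method = mid >> 16, mid & 0xFFFF
        anomalies = []                                   # field checks of step S1
        if sid not in self.services:
            anomalies.append("service_id")
        else:
            if iv != self.services[sid][0]:
                anomalies.append("interface_version")
            if method not in self.services[sid][1]:
                anomalies.append("method_id")
        if pv != 0x01:
            anomalies.append("protocol_version")
        if (mt & ~TP_FLAG) not in BASE_TYPES:
            anomalies.append("message_type")
        tp_offset = None
        if mt & TP_FLAG:                                 # 4-byte TP header follows the SOME/IP header
            (tp_hdr,) = struct.unpack_from(">I", frame, HDR.size)
            tp_offset = tp_hdr & 0xFFFFFFF0              # 28-bit offset field; low bits are reserved + more-segments flag
        return Msg(mid, rid, mt, rc, tp_offset, tuple(anomalies))

    def check(self, frame: bytes) -> list:
        """Run S210-S215 on one frame and return the anomalies recorded for it."""
        m = self.parse(frame)
        found = list(m.anomalies)
        if m.tp_offset is not None:                      # S211 -> S215: same segment offset already seen?
            key = (m.message_id, m.request_id, m.msg_type, m.tp_offset)
            if key in self.seen:
                found.append("tp_duplicate_segment")
            self.seen.add(key)
            return found
        key = (m.message_id, m.request_id, m.msg_type)   # S210: identical message ID, request ID and type = replay
        if key in self.seen:
            found.append("replay")
            return found
        self.seen.add(key)
        if m.msg_type == REQUEST:                        # a request becomes a past request for S212-S214
            self.requests[(m.message_id, m.request_id)] = m
            return found
        past = self.requests.get((m.message_id, m.request_id))
        if m.msg_type == RESPONSE and past is None:      # S212
            found.append("response_without_request")
        elif m.msg_type == ERROR:                        # S213 / S214
            if past is None:
                found.append("error_without_request")
            elif m.return_code in HEADER_RCS and m.return_code not in {EXPECTED_RC[a] for a in past.anomalies}:
                found.append("return_code_mismatch")
        return found


def frame(service, method, client, session, msg_type, rc=0, proto=1, iface=1, tp_hdr=None, payload=b""):
    """Build a constructed SOME/IP frame; the length field counts everything after itself."""
    body = (struct.pack(">I", tp_hdr) if tp_hdr is not None else b"") + payload
    return HDR.pack((service << 16) | method, 8 + len(body), (client << 16) | session,
                    proto, iface, msg_type, rc) + body


SERVICES = {0x1234: (1, {0x0001, 0x0002})}   # constructed service state: one service, two methods


def demo():
    c = SomeIpChecker(SERVICES)
    return [
        c.check(frame(0x1234, 1, 0x10, 1, REQUEST)),                           # []
        c.check(frame(0x1234, 1, 0x10, 1, RESPONSE)),                          # []  answers the past request
        c.check(frame(0x1234, 1, 0x10, 1, RESPONSE)),                          # ['replay']
        c.check(frame(0x1234, 2, 0x10, 9, RESPONSE)),                          # ['response_without_request']
        c.check(frame(0x1234, 1, 0x10, 2, REQUEST, proto=2)),                  # ['protocol_version'] recorded in S1
        c.check(frame(0x1234, 1, 0x10, 2, ERROR, rc=0x07)),                    # []  E_WRONG_PROTOCOL_VERSION fits
        c.check(frame(0x1234, 1, 0x10, 3, REQUEST)),                           # []
        c.check(frame(0x1234, 1, 0x10, 3, ERROR, rc=0x03)),                    # ['return_code_mismatch']
        c.check(frame(0x1234, 1, 0x10, 4, REQUEST | TP_FLAG, tp_hdr=0x1)),     # []  segment at offset 0, more follow
        c.check(frame(0x1234, 1, 0x10, 4, REQUEST | TP_FLAG, tp_hdr=0x1)),     # ['tp_duplicate_segment']
        c.check(frame(0x1234, 1, 0x10, 4, REQUEST | TP_FLAG, tp_hdr=0x10)),    # []  next segment, offset 16 bytes
    ]
```

In the flow above a message that fails S210 or S215 is never added to the past-request table, so a replayed request cannot "re-arm" the correlation for a later forged response; and an error whose return code names a header-field problem that was not recorded for the request (the 0x03 case) is flagged, because a server that answers E_UNKNOWN_METHOD to a well-formed request is either misconfigured or not the real server.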
As shown in fig. 10, in step S3 the method for updating the SOME/IP service state, the subscription information and the past message flow comprises:
S30: Judge, according to the detection result, whether the SOME/IP-SD message in the current SOME/IP communication message is normal; if so, update the SOME/IP service state and subscription information according to the classification of the SOME/IP-SD message; if not, go to S31. In the present embodiment the SOME/IP-SD message is classified as an offer service message, a stop offer message, a subscribe event group acknowledgement message or a stop subscribe event group message. If the current offer service message is not abnormal, the corresponding SOME/IP service state information is added or updated; if the current stop offer message is not abnormal, the corresponding SOME/IP service state and subscription information are deleted; if the current subscribe event group acknowledgement message is not abnormal, the corresponding subscription information is added or updated; and if the current stop subscribe event group message is not abnormal, the corresponding subscription information is deleted.
S31: Judge, according to the detection result of step S11, whether the address and port of the current SOME/IP communication message are within the IP address and port range of the SOME/IP clients; if not, add the corresponding SOME/IP service state and subscription information. The added SOME/IP service state and subscription information comprise the IP address, port, client ID and TCP connection status of the client communicating with the service instance. Note in particular that if, according to the detection result, the address and port of the SOME/IP communication message are not within the IP address and port range of the SOME/IP servers, the past message flow need not be updated.
S32: Judge whether a reboot has occurred according to the reboot flag and session ID field of the current SOME/IP-SD message and the corresponding fields of the past message; if so, delete the corresponding SOME/IP service state, subscription information and past message flow.
S33: Detect whether the service instance TTL of any SOME/IP server has expired; if so, delete the corresponding SOME/IP service state, subscription information and past message flow.
S34: Detect whether the event group TTL of any SOME/IP client has expired; if so, delete the corresponding SOME/IP subscription information.
S35: Detect whether SOME/IP service state information corresponding to the current message exists; if so, add the message to the corresponding past message flow.
In the specific execution flow of step S3, the past message flow contains, for SOME/IP-SD past messages exchanged between the client and the service instance, the request ID, the flags and the entry type, and for non-SD SOME/IP past messages the message ID, request ID, message type, TP header and anomaly information. Each SOME/IP client corresponding to each service, or to each event group of each service instance, has two past message flows: an SOME/IP-SD past message flow and a non-SD SOME/IP past message flow.
In the specific execution flow of step S3, the SOME/IP-SD offer message refers to an SOME/IP-SD message carrying an offer service entry, and the SOME/IP-SD stop offer message refers to an SOME/IP-SD message carrying an offer service entry whose service TTL is 0. The SOME/IP service state information that is added, updated or deleted comprises the IP address and port of the SOME/IP server and the service ID, service version and service TTL of the service instance on that server. Deleting the SOME/IP service state information also deletes the corresponding subscription information and past message flow.
In the specific execution flow of step S3, the SOME/IP-SD subscribe event group acknowledgement message refers to an SOME/IP-SD message carrying a subscribe event group acknowledgement entry, and the SOME/IP-SD stop subscribe event group message refers to an SOME/IP-SD message carrying a subscribe event group entry whose event group TTL is 0 (the same correspondence as given for step S2). The subscription information that is added, updated or deleted comprises the event group ID and event group version of the service instance on the SOME/IP server and the IP address, port, client ID, subscribed event group ID, event group TTL and TCP connection state of the client. Deleting the subscription information deletes only the event group related information; the remaining information is not affected.
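The following is an added example, not code from the patent, that drives the state update of step S3 (S30 and S32 to S35) from already decoded SOME/IP-SD messages: offers with a TTL create or refresh a service instance, a TTL of 0 turns an offer into a stop offer and a subscribe into a stop subscribe, subscribe acknowledgements create subscriptions, TTL expiry prunes both tables, and the reboot flag plus session ID of consecutive messages from one sender drives the reboot check. The `SdMessage` and `Entry` layouts are assumed decoded forms; S31 (client-range bookkeeping) is left out; and, as a deliberate choice of this example rather than the patent's ordering, the reboot check runs before the entries of the same message are applied so that the rebooted server's fresh offer survives the deletion.

```python
"""Step S3 state update (S30, S32-S35) over decoded SOME/IP-SD messages.
Added example, not the patent's code; SdMessage/Entry are assumed layouts."""
from dataclasses import dataclass

OFFER_SERVICE, SUBSCRIBE_EVENTGROUP, SUBSCRIBE_EVENTGROUP_ACK = 0x01, 0x06, 0x07   # SOME/IP-SD entry types


@dataclass(frozen=True)
class Entry:
    etype: int
    service_id: int
    instance_id: int
    major_version: int
    ttl: int                 # TTL 0 turns Offer into StopOffer, Subscribe into StopSubscribe, Ack into Nack
    eventgroup_id: int = 0   # only meaningful for the subscribe entries


@dataclass(frozen=True)
class SdMessage:
    src: tuple               # (ip, port) of the sender
    dst: tuple               # (ip, port) of the receiver
    session_id: int          # low 16 bits of the request ID
    reboot: bool             # reboot flag of the SD header
    entries: tuple


class SdState:
    def __init__(self):
        self.services = {}       # (server, service_id, instance_id) -> {"major": ..., "expires": ...}
        self.subscriptions = {}  # (server, service_id, instance_id, eventgroup_id, client) -> expires
        self.past_flows = {}     # service key -> [(session_id, reboot, entry types), ...]
        self.last_session = {}   # sender -> (reboot, session_id), for S32

    @staticmethod
    def service_key(msg, e):
        # Offer and Ack entries are sent by the server, Subscribe entries by the client
        server = msg.dst if e.etype == SUBSCRIBE_EVENTGROUP else msg.src
        return (server, e.service_id, e.instance_id)

    def reboot_detected(self, msg):
        """S32: reboot flag newly set, or set on both messages with a non-increasing session ID."""
        old = self.last_session.get(msg.src)
        self.last_session[msg.src] = (msg.reboot, msg.session_id)
        if old is None:
            return False
        old_reboot, old_session = old
        return (not old_reboot and msg.reboot) or (old_reboot and msg.reboot and old_session >= msg.session_id)

    def drop_service(self, svc):
        # deleting a service instance also deletes its subscriptions and its past message flow
        self.services.pop(svc, None)
        for k in [k for k in self.subscriptions if k[:3] == svc]:
            del self.subscriptions[k]
        self.past_flows.pop(svc, None)

    def expire(self, now):
        events = []
        for svc in [k for k, v in self.services.items() if v["expires"] <= now]:   # S33
            self.drop_service(svc)
            events.append("service_expired")
        for k in [k for k, exp in self.subscriptions.items() if exp <= now]:       # S34
            del self.subscriptions[k]
            events.append("subscription_expired")
        return events

    def update(self, msg, now, sd_ok=True):
        """Apply S3 for one SD message seen at time `now`; sd_ok is the S1/S2 verdict on it."""
        events = []
        if self.reboot_detected(msg):                                               # S32
            for svc in [k for k in self.services if k[0] == msg.src]:
                self.drop_service(svc)
            for k in [k for k in self.subscriptions if k[4] == msg.src]:            # a rebooted client too
                del self.subscriptions[k]
            events.append("reboot")
        if sd_ok:                                                                   # S30
            for e in msg.entries:
                svc = self.service_key(msg, e)
                if e.etype == OFFER_SERVICE and e.ttl > 0:
                    self.services[svc] = {"major": e.major_version, "expires": now + e.ttl}
                    events.append("offer")
                elif e.etype == OFFER_SERVICE and svc in self.services:            # StopOffer
                    self.drop_service(svc)
                    events.append("stop_offer")
                elif e.etype == SUBSCRIBE_EVENTGROUP_ACK and e.ttl > 0:
                    self.subscriptions[svc + (e.eventgroup_id, msg.dst)] = now + e.ttl
                    events.append("subscribe_ack")
                elif e.ttl == 0 and e.etype in (SUBSCRIBE_EVENTGROUP, SUBSCRIBE_EVENTGROUP_ACK):  # StopSubscribe / Nack
                    client = msg.src if e.etype == SUBSCRIBE_EVENTGROUP else msg.dst
                    if self.subscriptions.pop(svc + (e.eventgroup_id, client), None) is not None:
                        events.append("stop_subscribe")
        events += self.expire(now)                                                  # S33 / S34
        for svc in {self.service_key(msg, e) for e in msg.entries}:                 # S35
            if svc in self.services:
                self.past_flows.setdefault(svc, []).append(
                    (msg.session_id, msg.reboot, tuple(e.etype for e in msg.entries)))
        return events


def demo():
    """Constructed SD exchange: boot offer, subscribe/ack, re-offer, stop subscribe, reboot, expiry."""
    st = SdState()
    server, client, mcast = ("192.168.1.10", 30490), ("192.168.1.20", 30490), ("239.0.0.1", 30490)
    offer = Entry(OFFER_SERVICE, 0x1234, 0x0001, 1, ttl=3)
    sub = Entry(SUBSCRIBE_EVENTGROUP, 0x1234, 0x0001, 1, ttl=5, eventgroup_id=0x0001)
    ack = Entry(SUBSCRIBE_EVENTGROUP_ACK, 0x1234, 0x0001, 1, ttl=5, eventgroup_id=0x0001)
    stop_sub = Entry(SUBSCRIBE_EVENTGROUP, 0x1234, 0x0001, 1, ttl=0, eventgroup_id=0x0001)
    log = [
        st.update(SdMessage(server, mcast, 1, True, (offer,)), now=0),     # first offer after boot
        st.update(SdMessage(client, server, 1, True, (sub,)), now=1),      # subscribe: recorded in the past flow only
        st.update(SdMessage(server, client, 2, True, (ack,)), now=1),      # ack creates the subscription
        st.update(SdMessage(server, mcast, 3, True, (offer,)), now=2),     # cyclic offer refreshes the TTL
        st.update(SdMessage(client, server, 2, True, (stop_sub,)), now=2), # StopSubscribe removes it
        st.update(SdMessage(server, mcast, 1, True, (offer,)), now=3),     # session ID back to 1: reboot
    ]
    flow_after_reboot = len(st.past_flows[(server, 0x1234, 0x0001)])       # only the post-reboot offer remains
    expired = st.expire(now=7)                                              # the 3 s offer TTL has run out
    return log, flow_after_reboot, expired, st
```

The reboot rule is the one SOME/IP-SD itself uses (reboot flag set, session ID restarted), and it is applied per sender address so that a client that reboots loses its subscriptions without disturbing the server's offers; the past message flow is keyed by service instance, so a reboot or TTL expiry of that instance wipes the history that steps S200 to S215 would otherwise correlate against.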
By the communication data anomaly detection method disclosed in this embodiment, SOME/IP communication messages in in-vehicle communication can be inspected in detail, the running state of the SOME/IP protocol is reflected in real time, and the detected anomaly information is recorded to facilitate subsequent security analysis.
The invention also discloses a communication data anomaly detection system based on the SOME/IP protocol, comprising a data acquisition unit, a first detection unit, a second detection unit and an updating unit.
The data acquisition unit is used for acquiring the SOME/IP communication message.
The first detection unit is used for detecting, according to the SOME/IP service state and the subscription information, whether the address, port and message header format of the SOME/IP communication message are compliant, and for recording anomaly information.
The second detection unit is used for detecting, according to the past message flow, whether the message in the SOME/IP communication message is compliant, and for recording anomaly information.
The updating unit is used for updating the SOME/IP service state, the subscription information and the past message flow according to the feedback of the first detection unit and the second detection unit.
Preferably, the first detection unit comprises a server judging module, a client judging module, a TCP connection judging module, a field value range judging module, a service instance judging module and an ID field judging module, connected in communication in that order.
The server judging module is used for judging whether the address and port of the SOME/IP communication message are within the IP address and port range of the SOME/IP servers, and for recording the anomaly.
The client judging module is used for judging whether the address and port of the SOME/IP communication message are within the IP address and port range of the clients, and for recording the anomaly.
The TCP connection judging module is used for judging whether the TCP connection corresponding to the address and port of the SOME/IP communication message is established, and for recording the anomaly.
The field value range judging module is used for judging whether a field in the header of the message in the SOME/IP communication message exceeds its legal value range, and for recording the anomaly.
The service instance judging module is used for judging whether the service ID, service version, event group ID or event group version field of the message in the SOME/IP communication message is consistent with the service instance, and for recording the anomaly.
The ID field judging module is used for judging whether the client ID or event group ID field of the message in the SOME/IP communication message is consistent with the client, and for recording the anomaly.
Preferably, the messages in the communication message include SOME/IP-SD messages and non-SD SOME/IP messages.
The second detection unit comprises an SOME/IP-SD message detection unit and an SOME/IP message checking unit, used respectively for detecting the SOME/IP-SD messages and the SOME/IP messages.
Preferably, the SOME/IP-SD message detection unit comprises a first judging module, a first message dividing module, a second judging module and a third judging module.
The first judging module is used for judging whether a past message identical to the current SOME/IP-SD message item exists, and for recording the anomaly.
The first message dividing module is used for dividing the SOME/IP-SD message into an offer service message or a subscribe event group related message according to the feedback of the first judging module.
The second judging module is used for judging whether the offer service message is a unicast message and a corresponding past find service message exists, and for recording the anomaly.
The third judging module is used for judging whether a corresponding past subscribe event group message exists for the subscribe event group related message, and for recording the anomaly.
Preferably, the SOME/IP message checking unit comprises a fourth judging module, a second message dividing module, a fifth judging module, a sixth judging module, a seventh judging module and an eighth judging module.
The fourth judging module is used for judging whether a past message identical to the current SOME/IP message item exists, and for recording the anomaly.
The second message dividing module is used for dividing the SOME/IP message into a response message or an error message according to the feedback of the fourth judging module, and for judging whether the response message or error message belongs to an SOME/IP-TP message.
The fifth judging module is used for judging whether a past request message corresponding to the response message exists, and for recording the anomaly.
The sixth judging module is used for judging whether a past request message corresponding to the error message exists, and for recording the anomaly.
The seventh judging module is used for judging, according to the feedback of the sixth judging module, whether the return code of the error message is consistent with the anomaly information of the past request message, and for recording the anomaly.
The eighth judging module is used for judging whether a past TP message corresponding to the SOME/IP-TP message exists with the same offset, and for recording the anomaly.
Preferably, the updating unit comprises a first updating module, a second updating module, a third updating module, a fourth updating module, a fifth updating module and a sixth updating module.
The first updating module is used for judging, according to the detection result, whether the SOME/IP-SD message in the current SOME/IP communication message is normal, and for updating the SOME/IP service state and subscription information according to the classification of the SOME/IP-SD message.
The second updating module is used for judging, according to the detection result, whether the address and port of the current SOME/IP communication message are within the IP address and port range of the SOME/IP clients, so as to add the corresponding SOME/IP service state and subscription information.
The third updating module is used for judging whether a reboot has occurred according to the reboot flag and session ID field of the current SOME/IP-SD message and the corresponding fields of the past message, so as to delete the corresponding SOME/IP service state, subscription information and past message flow.
The fourth updating module is used for detecting whether the service instance TTL of any SOME/IP server has expired, so as to delete the corresponding SOME/IP service state, subscription information and past message flow.
The fifth updating module is used for detecting whether the event group TTL of any SOME/IP client has expired, so as to delete the corresponding SOME/IP subscription information.
The sixth updating module is used for detecting whether SOME/IP service state information corresponding to the current message exists, so as to add the message to the corresponding past message flow.
The working principle of the communication data anomaly detection system of the above embodiment is detailed in the communication data anomaly detection method above and is not repeated here.
The invention also discloses a communication data anomaly detection system based on the SOME/IP protocol, comprising one or more processors, a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for executing the communication data anomaly detection method based on the SOME/IP protocol.
The invention also discloses a computer readable storage medium comprising a computer program executable by a processor to perform the communication data anomaly detection method based on the SOME/IP protocol described above.
The above disclosure only illustrates preferred embodiments of the present invention and is not to be construed as limiting its scope; the scope of the invention is defined by the appended claims.
Claims (14)
1. A communication data anomaly detection method based on the SOME/IP protocol, characterized by comprising the following steps:
obtaining an SOME/IP communication message;
detecting, according to the SOME/IP service state and subscription information, whether the address, port and message header format of the SOME/IP communication message are compliant, and recording anomaly information;
detecting, according to the past message flow, whether the message in the SOME/IP communication message is compliant, and recording anomaly information;
and updating the SOME/IP service state, the subscription information and the past message flow according to the detection result.
2. The communication data anomaly detection method based on the SOME/IP protocol according to claim 1, wherein the method for detecting the SOME/IP communication message according to the SOME/IP service state and subscription information comprises:
S10: judging whether the address and port of the SOME/IP communication message are within the IP address and port range of the SOME/IP servers; if so, go to S11; if not, record the anomaly and end the current detection of the SOME/IP communication message;
S11: judging whether the address and port of the SOME/IP communication message are within the IP address and port range of the clients; if so, go to S12; if not, record the anomaly and go to S12;
S12: judging whether the TCP connection corresponding to the address and port of the SOME/IP communication message is established; if so, go to S13; if not, record the anomaly and end the current detection of the SOME/IP communication message;
S13: judging whether a field in the header of the message in the SOME/IP communication message exceeds its legal value range; if so, record the anomaly and go to S14; if not, go to S14;
S14: judging whether the service ID, service version, event group ID or event group version field of the message in the SOME/IP communication message is consistent with the service instance; if so, go to S15; if not, record the anomaly and end the current detection;
S15: judging whether the client ID or event group ID field of the message in the SOME/IP communication message is consistent with the client; if so, end the current detection; if not, record the anomaly and end the current detection.
3. The communication data anomaly detection method based on the SOME/IP protocol according to claim 2, wherein the messages in the communication message include SOME/IP-SD messages and non-SD SOME/IP messages;
and the method for detecting the message in the SOME/IP communication message according to the past message flow comprises a method for detecting the SOME/IP-SD message and a method for detecting the SOME/IP message, applied respectively.
4. The communication data anomaly detection method based on the SOME/IP protocol according to claim 2, wherein the method for detecting the SOME/IP-SD message comprises:
S200: judging whether a past message identical to the current SOME/IP-SD message item exists; if so, define the current SOME/IP-SD message as a replay message, record the anomaly and end the current detection; if not, go to S201;
S201: dividing the SOME/IP-SD message into an offer service message or a subscribe event group related message;
S202: judging whether the offer service message is a unicast message and a corresponding past find service message exists; if so, end the current detection; if not, record the anomaly and end the current detection;
S203: judging whether a corresponding past subscribe event group message exists for the subscribe event group related message; if so, end the current detection; if not, record the anomaly and end the current detection.
5. The communication data anomaly detection method based on the SOME/IP protocol according to claim 3, wherein the method for detecting the SOME/IP message comprises:
S210: judging whether a past message identical to the current SOME/IP message item exists; if so, define the current SOME/IP message as a replay message, record the anomaly and end the current detection; if not, go to S211;
S211: dividing the SOME/IP message into a response message or an error message, and judging whether the response message or error message belongs to an SOME/IP-TP message; if so, go to S215;
S212: judging whether a past request message corresponding to the response message exists; if so, end the current detection; if not, record the anomaly and end the current detection;
S213: judging whether a past request message corresponding to the error message exists; if so, go to S214; if not, record the anomaly and end the current detection;
S214: judging whether the return code of the error message is consistent with the anomaly information of the past request message; if so, end the current detection; if not, record the anomaly and end the current detection;
S215: judging whether a past TP message corresponding to the SOME/IP-TP message exists with the same offset; if so, record the anomaly and end the current detection; if not, end the current detection.
6. The communication data anomaly detection method based on the SOME/IP protocol according to claim 1, wherein the method for updating the SOME/IP service state, the subscription information and the past message flow comprises:
S30: judging, according to the detection result, whether the SOME/IP-SD message in the current SOME/IP communication message is normal; if so, update the SOME/IP service state and subscription information according to the classification of the SOME/IP-SD message; if not, go to S31;
S31: judging, according to the detection result, whether the address and port of the current SOME/IP communication message are within the IP address and port range of the SOME/IP clients; if not, add the corresponding SOME/IP service state and subscription information;
S32: judging whether a reboot has occurred according to the reboot flag and session ID field of the current SOME/IP-SD message and the corresponding fields of the past message; if so, delete the corresponding SOME/IP service state, subscription information and past message flow;
S33: detecting whether the service instance TTL of any SOME/IP server has expired; if so, delete the corresponding SOME/IP service state, subscription information and past message flow;
S34: detecting whether the event group TTL of any SOME/IP client has expired; if so, delete the corresponding SOME/IP subscription information;
S35: detecting whether SOME/IP service state information corresponding to the current message exists; if so, add the message to the corresponding past message flow.
7. A communication data anomaly detection system based on the SOME/IP protocol, characterized by comprising a data acquisition unit, a first detection unit, a second detection unit and an updating unit;
the data acquisition unit is used for acquiring an SOME/IP communication message;
the first detection unit is used for detecting, according to the SOME/IP service state and subscription information, whether the address, port and message header format of the SOME/IP communication message are compliant, and for recording anomaly information;
the second detection unit is used for detecting, according to the past message flow, whether the message in the SOME/IP communication message is compliant, and for recording anomaly information;
and the updating unit is used for updating the SOME/IP service state, the subscription information and the past message flow according to the feedback of the first detection unit and the second detection unit.
8. The system according to claim 7, wherein the first detection unit comprises a server judging module, a client judging module, a TCP connection judging module, a field value range judging module, a service instance judging module and an ID field judging module, connected in communication in that order;
the server judging module is used for judging whether the address and port of the SOME/IP communication message are within the IP address and port range of the SOME/IP servers, and for recording the anomaly;
the client judging module is used for judging whether the address and port of the SOME/IP communication message are within the IP address and port range of the clients, and for recording the anomaly;
the TCP connection judging module is used for judging whether the TCP connection corresponding to the address and port of the SOME/IP communication message is established, and for recording the anomaly;
the field value range judging module is used for judging whether a field in the header of the message in the SOME/IP communication message exceeds its legal value range, and for recording the anomaly;
the service instance judging module is used for judging whether the service ID, service version, event group ID or event group version field of the message in the SOME/IP communication message is consistent with the service instance, and for recording the anomaly;
and the ID field judging module is used for judging whether the client ID or event group ID field of the message in the SOME/IP communication message is consistent with the client, and for recording the anomaly.
9. The communication data anomaly detection system based on the SOME/IP protocol according to claim 7, wherein the messages in said communication message include SOME/IP-SD messages and non-SD SOME/IP messages;
and the second detection unit comprises an SOME/IP-SD message detection unit and an SOME/IP message checking unit, used respectively for detecting the SOME/IP-SD messages and the SOME/IP messages.
10. The system according to claim 9, wherein the SOME/IP-SD message detection unit comprises a first judging module, a first message dividing module, a second judging module and a third judging module;
the first judging module is used for judging whether a past message identical to the current SOME/IP-SD message item exists, and for recording the anomaly;
the first message dividing module is configured to divide the SOME/IP-SD message into an offer service message or a subscribe event group related message according to the feedback of the first judging module;
the second judging module is configured to judge whether the offer service message is a unicast message and a corresponding past find service message exists, and to record the anomaly;
and the third judging module is used for judging whether a corresponding past subscribe event group message exists for the subscribe event group related message, and for recording the anomaly.
11. The system according to claim 9, wherein the SOME/IP message checking unit comprises a fourth judging module, a second message dividing module, a fifth judging module, a sixth judging module, a seventh judging module and an eighth judging module;
the fourth judging module is used for judging whether a past message identical to the current SOME/IP message item exists, and for recording the anomaly;
the second message dividing module is configured to divide the SOME/IP message into a response message or an error message according to the feedback of the fourth judging module, and to determine whether the response message or error message belongs to an SOME/IP-TP message;
the fifth judging module is used for judging whether a past request message corresponding to the response message exists, and for recording the anomaly;
the sixth judging module is configured to judge whether a past request message corresponding to the error message exists, and to record the anomaly;
the seventh judging module is configured to judge, according to the feedback of the sixth judging module, whether the return code of the error message is consistent with the anomaly information of the past request message, and to record the anomaly;
and the eighth judging module is used for judging whether a past TP message corresponding to the SOME/IP-TP message exists with the same offset, and for recording the anomaly.
12. The communication data anomaly detection system based on the SOME/IP protocol according to claim 7, wherein said updating unit comprises a first updating module, a second updating module, a third updating module, a fourth updating module, a fifth updating module and a sixth updating module;
the first updating module is used for judging, according to the detection result, whether the SOME/IP-SD message in the current SOME/IP communication message is normal, and for updating the SOME/IP service state and subscription information according to the classification of the SOME/IP-SD message;
the second updating module is used for judging, according to the detection result, whether the address and port of the current SOME/IP communication message are within the IP address and port range of the SOME/IP clients, so as to add the corresponding SOME/IP service state and subscription information;
the third updating module is used for judging whether a reboot has occurred according to the reboot flag and session ID field of the current SOME/IP-SD message and the corresponding fields of the past message, so as to delete the corresponding SOME/IP service state, subscription information and past message flow;
the fourth updating module is used for detecting whether the service instance TTL of any SOME/IP server has expired, so as to delete the corresponding SOME/IP service state, subscription information and past message flow;
the fifth updating module is used for detecting whether the event group TTL of any SOME/IP client has expired, so as to delete the corresponding SOME/IP subscription information;
and the sixth updating module is used for detecting whether SOME/IP service state information corresponding to the current message exists, so as to add the message to the corresponding past message flow.
13. A communication data anomaly detection system based on the SOME/IP protocol, comprising:
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the communication data anomaly detection method based on the SOME/IP protocol according to any one of claims 1 to 6.
14. A computer-readable storage medium comprising a computer program executable by a processor to perform the communication data anomaly detection method based on the SOME/IP protocol according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111067177.XA CN113992344B (en) | 2021-09-10 | 2021-09-10 | Communication data anomaly detection method and system based on SOME/IP protocol and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113992344A true CN113992344A (en) | 2022-01-28 |
CN113992344B CN113992344B (en) | 2022-11-22 |
Family
ID=79735690
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111067177.XA Active CN113992344B (en) | 2021-09-10 | 2021-09-10 | Communication data anomaly detection method and system based on SOME/IP protocol and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113992344B (en) |
Legal events: 2021-09-10, CN, CN202111067177.XA, patent/CN113992344B/en, active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112840620A (en) * | 2019-07-04 | 2021-05-25 | 松下电器(美国)知识产权公司 | Abnormality detection device and abnormality detection method |
CN112889259A (en) * | 2019-07-04 | 2021-06-01 | 松下电器(美国)知识产权公司 | Abnormal frame detection device and abnormal frame detection method |
US20210281595A1 (en) * | 2019-07-04 | 2021-09-09 | Panasonic Intellectual Property Corporation Of America | Anomaly detection device and anomaly detection method |
CN114430896A (en) * | 2020-05-26 | 2022-05-03 | 松下电器(美国)知识产权公司 | Abnormality detection device, abnormality detection system, and abnormality detection method |
CN113259351A (en) * | 2021-05-12 | 2021-08-13 | 北京天融信网络安全技术有限公司 | Intrusion detection method, device, storage medium and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN113992344B (en) | 2022-11-22 |
Similar Documents
Publication | Title |
---|---|
CN113691432B (en) | Method and device for monitoring automobile CAN network message, computer equipment and storage medium |
US20040221207A1 (en) | Proxy response apparatus |
CN112118249B (en) | Security protection method and device based on log and firewall |
US20230327956A1 (en) | Network configuration estimation apparatus, network configuration estimation method and program |
US11700271B2 (en) | Device and method for anomaly detection in a communications network |
CN113992344B (en) | Communication data anomaly detection method and system based on SOME/IP protocol and readable storage medium |
CN111327588A (en) | Network access security detection method, system, terminal and readable storage medium |
CN111309696A (en) | Log processing method and device, electronic equipment and readable medium |
CN111988280A (en) | Server and request processing method |
CN106855888B (en) | Log monitoring system based on Logstash distributed system |
CN115102707A (en) | Vehicle CAN network IDS safety detection system and method |
CN114374669A (en) | VPN client proxy DNS analysis method and system |
US11522892B2 (en) | Method and device for intrusion detection in a computer network |
CN115174245B (en) | Test method and system based on DoIP protocol detection |
CN116743619B (en) | Network service testing method, device, equipment and storage medium |
CN114979239B (en) | Remote diagnosis method and device and related equipment |
CN117061384A (en) | Fuzzy test method, device, equipment and medium |
EP4300332A1 (en) | Information processing system, information processing method, and program |
CN108933681B (en) | Configuration updating method of cloud computing system, control center and cloud computing node |
CN112217784B (en) | Apparatus and method for attack identification in a computer network |
US20040199579A1 (en) | Collaboration bus apparatus and method |
CN115883574A (en) | Access equipment identification method and device in industrial control network |
CN115174244B (en) | Safety detection method and system |
CN111683095B (en) | Attack detection method and device and computer readable storage medium |
EP3640830B1 (en) | Method and system for determining risk in automotive ECU components |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |