CN112787984A - Vehicle-mounted network anomaly detection method and system based on correlation analysis - Google Patents
Vehicle-mounted network anomaly detection method and system based on correlation analysis
- Publication number: CN112787984A (application CN201911094247.3A)
- Authority: CN (China)
- Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/14, network security for detecting or protecting against malicious traffic, and H04L63/1441, countermeasures against malicious traffic)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
- G06N3/044: Recurrent networks, e.g. Hopfield networks (under G06N3/04, neural network architecture)
- G06N3/045: Combinations of networks (under G06N3/04, neural network architecture)
- G06N3/08: Learning methods (under G06N3/02, neural networks)
Abstract
Disclosed are a vehicle-mounted network anomaly detection method and system based on correlation analysis. The method comprises: collecting communication data while the vehicle is running, the communication data comprising a message ID, message content and message occurrence time; using an established prediction model to predict and output the message value at the corresponding byte position, judging whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and if so, judging the message abnormal. The prediction model is established per group, based on the correlation between communication data during vehicle operation; its input is the message values of one or more message ID byte positions in a correlation group, and its output is the message values of the other message ID byte positions in that group. The invention analyses the correlation among raw message data, establishes a message byte content prediction model with a neural network, and can detect in real time malicious data-injection attacks that do not match the normal driving state of the vehicle.
Description
Technical Field
The invention relates to the field of vehicle data security, in particular to a vehicle-mounted network anomaly detection method and system based on correlation analysis.
Background
Because the CAN protocol is broadcast-based and lacks security features, an attacker can easily inject malicious messages onto the bus. The security of the vehicle network has attracted wide attention, and various technologies and corresponding solutions have been proposed. For the anomaly detection of malicious messages there are currently two main approaches. The first detects abnormal network messages through anomaly detection on physical variables; it requires knowing where and how the physical variables are stored, i.e. the bus communication protocol must be known or the bus reverse-engineered, and if the protocol or the reverse-engineered data leaks, the risk of attacks on the vehicle bus increases. The second detects through classification; it does not require the bus communication protocol, but the resulting detection model is strongly influenced by the simulated abnormal data used for training, can only detect tampering with or insertion of abnormal data content, and cannot detect illegal data that is inserted on the bus, lies within the normal data range, yet violates the logic of the driving state.
Disclosure of Invention
The main object of the invention is to provide a vehicle-mounted network anomaly detection method and system based on correlation analysis.
The invention adopts the following technical scheme:
In one aspect, the invention discloses a vehicle-mounted network anomaly detection method based on correlation analysis, comprising the following steps:
collecting communication data while the vehicle is running; the communication data comprises a message ID, message content and message occurrence time;
predicting and outputting, with the established prediction model, the message value at the corresponding byte position, judging whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and if so, judging the message abnormal; the prediction model is established per group based on the correlation between communication data during vehicle operation; the input of the prediction model is the message values of one or more message ID byte positions in a correlation group, and its output is the message values of the other message ID byte positions in that group.
Preferably, the method for establishing the prediction model comprises:
collecting communication data from vehicles of the same type while running;
calculating Hamming distances, analysing the Hamming-distance data, and removing message IDs whose content never changes as well as the unchanging bytes within the remaining message IDs; recording the message IDs whose content changes together with the corresponding byte positions;
normalising the occurrence times of the message events for the recorded message IDs, pairing the event times of different message IDs by closeness in time, calculating the correlation coefficient of each byte pair, extracting the byte pairs whose correlation coefficient has an absolute value greater than a preset value, and marking them as a correlation group; closeness in time means the same time or a time within a preset range;
and training the message data of each correlation group in time order with an LSTM neural network, establishing a prediction model for each correlation group.
Preferably, calculating Hamming distances, analysing the Hamming-distance data, removing message IDs whose content never changes and the unchanging bytes within the remaining message IDs, and recording the message IDs whose content changes together with the corresponding byte positions specifically comprises:
summing the Hamming distances over all bytes for each message ID and computing the index values maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or all equal, the content of every byte of that message ID is unchanged and the message ID is rejected;
for each message ID not rejected, computing the Hamming distance of each byte by byte position and the same index values (maximum, minimum, median, lower quartile and upper quartile); if all index values are 0 or all equal, the content of that byte is unchanged and the byte is removed;
and recording the message IDs whose content changes together with the corresponding byte positions.
Preferably, the preset value of the correlation coefficient is 0.5.
Preferably, the method for obtaining and setting the detection threshold comprises:
selecting communication data collected from several segments of normal driving records, predicting the message value of a byte in the corresponding message ID with the prediction model, and setting the detection threshold based on the standard deviation between the predicted message value and the actual message value.
In another aspect, the invention relates to a vehicle-mounted network anomaly detection system based on correlation analysis, comprising:
a data acquisition module for collecting communication data while the vehicle is running; the communication data comprises a message ID, message content and message occurrence time;
a message anomaly detection module that predicts and outputs, with the prediction model established by a prediction model establishment module, the message value at the corresponding byte position, judges whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and judges the message abnormal if it does; the prediction model is established per group based on the correlation between communication data during vehicle operation; the input of the prediction model is the message values of one or more message ID byte positions in a correlation group, and its output is the message values of the other message ID byte positions in that group.
Preferably, the method for establishing the prediction model comprises:
collecting communication data from vehicles of the same type while running;
calculating Hamming distances, analysing the Hamming-distance data, and removing message IDs whose content never changes as well as the unchanging bytes within the remaining message IDs; recording the message IDs whose content changes together with the corresponding byte positions;
normalising the occurrence times of the message events for the recorded message IDs, pairing the event times of different message IDs by closeness in time, calculating the correlation coefficient of each byte pair, extracting the byte pairs whose correlation coefficient has an absolute value greater than a preset value, and marking them as a correlation group; closeness in time means the same time or a time within a preset range;
and training the message data of each correlation group in time order with an LSTM neural network, establishing a prediction model for each correlation group.
Preferably, calculating Hamming distances, analysing the Hamming-distance data, removing message IDs whose content never changes and the unchanging bytes within the remaining message IDs, and recording the message IDs whose content changes together with the corresponding byte positions specifically comprises:
summing the Hamming distances over all bytes for each message ID and computing the index values maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or all equal, the content of every byte of that message ID is unchanged and the message ID is rejected;
for each message ID not rejected, computing the Hamming distance of each byte by byte position and the same index values (maximum, minimum, median, lower quartile and upper quartile); if all index values are 0 or all equal, the content of that byte is unchanged and the byte is removed;
and recording the message IDs whose content changes together with the corresponding byte positions.
Preferably, the preset value of the correlation coefficient is 0.5.
Preferably, the method for obtaining and setting the detection threshold comprises:
selecting communication data collected from several segments of normal driving records, predicting the message value of a byte in the corresponding message ID with the prediction model, and setting the detection threshold based on the standard deviation between the predicted message value and the actual message value.
Compared with the prior art, the invention has the following beneficial effects:
The method and system do not need the specific vehicle bus communication protocol, nor knowledge of where and how the physical variables are stored. Without converting the bus communication data into physically meaningful variables, the correlation among raw message data is determined by statistical analysis, a message byte content prediction model is established with a neural network, and malicious data-injection attacks that do not match the normal driving state of the vehicle can be detected in real time.
Drawings
FIG. 1 is a schematic flow chart of a method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a prediction model building method according to an embodiment of the present invention;
FIG. 3 is a first scatter diagram of message-change time series for a certain sampling period according to an embodiment of the present invention;
FIG. 4 is a second scatter diagram of message-change time series for a certain sampling period according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Referring to FIG. 1, in one aspect the present invention provides a method for detecting anomalies of a vehicle-mounted network based on correlation analysis, comprising:
S10, collecting communication data while the vehicle is running; the communication data comprises a message ID, message content and message occurrence time;
S20, predicting and outputting, with the established prediction model, the message value at the corresponding byte position, judging whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and if so, judging the message abnormal; the prediction model is established per group based on the correlation between communication data during vehicle operation; the input of the prediction model is the message values of one or more message ID byte positions in a correlation group, and its output is the message values of the other message ID byte positions in that group.
Referring to FIG. 2, the method for establishing the prediction model comprises:
S201, collecting communication data from vehicles of the same vehicle type while running.
S202, calculating Hamming distances, analysing the Hamming-distance data, removing message IDs whose content never changes and the unchanging bytes within the remaining message IDs, and recording the message IDs whose content changes together with the corresponding byte positions.
Specifically, this comprises the following steps:
S2021, summing the Hamming distances over all bytes for each message ID and computing the index values maximum, minimum, median, lower quartile and upper quartile; if all index values are 0 or all equal, the content of every byte of that message ID is unchanged and the message ID is rejected;
For example, if the message ID is 0xYFD0500 and sampling over a period of time gives the following result: each message of this ID has a fixed length of 8 bytes and there are several hundred messages in total; the Hamming distance of each of the 8 bytes between every two adjacent messages is calculated by byte position, and the distances are summed. If two adjacent messages are both 0x0102030405060708, their total Hamming distance is 0; if all 289 messages are identical and never change, the maximum, minimum, median, lower quartile and upper quartile are all 0, and the message ID can be eliminated directly.
S2022, for each message ID not rejected, computing the Hamming distance of each byte by byte position and the same index values (maximum, minimum, median, lower quartile and upper quartile); if all index values are 0 or all equal, the content of that byte is unchanged and the byte is removed;
For example, the message ID YYF00F51 has several hundred sampled records over a period of time, and the statistics are as shown in Table 1 below (only 8 bytes are listed in the table), where only the 4th byte meets the recording requirement.
TABLE 1
S2023, recording the message IDs whose content changes together with the corresponding byte positions.
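As an added illustration of steps S2021 to S2023 (example code written for this page, not the patent's own implementation), the screening below runs over a small constructed CAN capture with placeholder message IDs 0x1A1, 0x1B2 and 0x1C3; the five index values are computed with nearest-rank quartiles, which is an assumption since the patent does not fix the quartile method.

```python
"""Hamming-distance screening of recorded CAN traffic (steps S2021-S2023).

Added example, not the patent's code. Message IDs and payloads are constructed
placeholders; nearest-rank quartiles are an assumption (the patent does not
specify how the quartiles are computed).
"""
from collections import defaultdict
from statistics import median

# Constructed capture: (time_s, can_id, 8-byte payload), 40 frames per ID.
CAPTURE = []
for i in range(40):
    t = i * 0.01
    # 0x1A1: payload never changes -> the whole ID is rejected in S2021
    CAPTURE.append((t, 0x1A1, bytes.fromhex("0102030405060708")))
    # 0x1B2: only the 4th byte changes -> ID kept, byte 4 recorded in S2022
    CAPTURE.append((t, 0x1B2, bytes([0x10, 0x20, 0x30, i % 7, 0x50, 0x60, 0x70, 0x80])))
    # 0x1C3: the 6th and 8th bytes change -> ID kept, bytes 6 and 8 recorded
    CAPTURE.append((t, 0x1C3, bytes([0, 0, 0, 0, 0, (3 * i) % 256, 0, (5 * i) % 256])))


def hamming(a, b):
    """Bit-level Hamming distance between two byte values."""
    return bin(a ^ b).count("1")


def five_number_summary(values):
    """The patent's index values: maximum, minimum, median, lower and upper
    quartile (quartiles by nearest rank, an assumption)."""
    s = sorted(values)
    n = len(s)

    def rank(p):
        return s[min(n - 1, max(0, int(p * n) - 1))]

    return {"max": s[-1], "min": s[0], "median": median(s),
            "q1": rank(0.25), "q3": rank(0.75)}


def is_unchanged(summary):
    """Patent rule: all index values 0, or all equal, means the content does not change."""
    return len(set(summary.values())) == 1


def per_byte_distances(frames):
    """For each byte position, the Hamming distances between adjacent frames."""
    width = len(frames[0])
    columns = [[] for _ in range(width)]
    for prev, cur in zip(frames, frames[1:]):
        for k in range(width):
            columns[k].append(hamming(prev[k], cur[k]))
    return columns


def screen_capture(capture):
    """Return {can_id: [1-based byte positions whose content changes]} for the
    message IDs that survive the screening."""
    by_id = defaultdict(list)
    for _, can_id, payload in sorted(capture, key=lambda rec: rec[0]):
        by_id[can_id].append(payload)
    recorded = {}
    for can_id, frames in by_id.items():
        if len(frames) < 2:
            continue  # a single frame gives no adjacent pair to compare
        columns = per_byte_distances(frames)
        # S2021: total Hamming distance over all bytes of each adjacent pair
        totals = [sum(col[i] for col in columns) for i in range(len(frames) - 1)]
        if is_unchanged(five_number_summary(totals)):
            continue  # every byte of this ID is static: reject the ID
        # S2022: per-byte check on the surviving ID, dropping static bytes
        changing = [k + 1 for k, col in enumerate(columns)
                    if not is_unchanged(five_number_summary(col))]
        if changing:
            recorded[can_id] = changing  # S2023: record ID and byte positions
    return recorded


if __name__ == "__main__":
    for can_id, positions in screen_capture(CAPTURE).items():
        print(f"ID 0x{can_id:03X}: changing bytes {positions}")
```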
S203, for the recorded message IDs, normalising the occurrence times of the message events, pairing the event times of different message IDs by closeness in time, calculating the correlation coefficient of each byte pair, extracting the byte pairs whose correlation coefficient has an absolute value greater than a preset value, and marking them as a correlation group; closeness in time means the same time or a time within a preset range.
Specifically, for a selected message, a line graph and a time-series scatter diagram of the actual byte values of the message in the same time period can be drawn with a visualisation system, and the result verified and rechecked against the graph: if the message value trends of the pair are consistent or exactly opposite, and the correlation stays very stable as time passes, the pair has a strong correlation and is determined and marked. If pairwise correlation exists among multiple correlation groups, for example correlations AB, BC and AC all exist, then ABC is merged into one correlation group. Alternatively, if only a partial intersection exists between groups, for example AB and AC, they can also be combined into one group, but a special mark is needed, and during later training only B and C can be selected as input items, with A as the output item.
Referring to FIG. 3, the calculated correlation coefficients between the 6th and 8th bytes of message ID XXFEYYEE and the 3rd byte of message ID XXF003YY are 0.95 and 0.96 respectively. A scatter diagram of the message-change time series for a certain sampling period is drawn with a visualisation system, where FIG. 3(a) shows the message value changes of XXFEYYEE and FIG. 3(b) those of XXF003YY. The figure shows that the three trends are highly consistent, which verifies the earlier calculation; pairwise correlation is thus established between these bytes of the two messages, they can form a correlation group, and any two bytes can be selected as input items with the remaining one as the output item.
Referring to FIG. 4, the calculated correlation coefficients between the 2nd and 3rd bytes of message ID XXYYF030 and the 6th byte of XXFEYY02 are 0.7 and 0.6 respectively. A scatter diagram of the message-change time series for a certain sampling period is drawn with a visualisation system, where FIG. 4(a) shows the message value changes of XXYYF030 and FIG. 4(b) those of XXFEYY02. The three trends are basically consistent, and since the 2nd and 3rd bytes of XXYYF030 combined by some calculation rule match the change of the 6th byte of XXFEYY02 more closely, only the 2nd and 3rd bytes of XXYYF030 can be selected as input items, with the 6th byte of XXFEYY02 as the output item.
Further, the preset value of the correlation coefficient is 0.5.
The correlation coefficient is calculated from the covariance and the standard deviations; the formula for the correlation coefficient of two variables x and y is as follows:
where r_xy represents the sample correlation coefficient, S_xy the sample covariance, S_x the sample standard deviation of x and S_y the sample standard deviation of y. Below are the formulas for the covariance S_xy and the standard deviations S_x and S_y.
Here x represents the k-th (k generally 1 to 8) byte value of the message with ID A in the method, and y the m-th byte value of the message with ID B. For example, x represents the value of the 6th byte of message ID XXFEYYEE, and y the value of the 3rd byte of message ID XXF003YY.
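As an added example for step S203 and the correlation coefficient just described (example code written for this page, not the patent's own), the script below puts constructed series for four placeholder bytes A_6, B_3, C_8 and D_2 on a common time base, pairs samples that fall within a 5 ms window (the "preset range" is an assumption), computes r_xy = S_xy / (S_x S_y) for every byte pair across different message IDs, and merges pairs with |r_xy| > 0.5 into correlation groups, flagging any group that is not fully pairwise correlated (the patent's "special mark").

```python
"""Correlation grouping of recorded message bytes (step S203).

Added example, not the patent's code. Message IDs, byte positions and signal
values are constructed; the 5 ms pairing window stands in for the patent's
'preset range', which is an assumption.
"""
from bisect import bisect_left
from itertools import combinations
from math import sqrt

# Constructed (time_s, value) series keyed by (message ID, 1-based byte).
# A_6 ramps up, B_3 follows it, C_8 runs opposite to it, D_2 is an unrelated
# sawtooth sampled at half the rate. Timestamps are deliberately not aligned.
N = 40
SERIES = {
    ("A", 6): [(i * 0.010, i) for i in range(N)],
    ("B", 3): [(i * 0.010 + 0.002, 2 * i + i % 3) for i in range(N)],
    ("C", 8): [(i * 0.010 + 0.001, 200 - i) for i in range(N)],
    ("D", 2): [(i * 0.020, i % 5) for i in range(N // 2)],
}


def normalise_times(series):
    """Put every series on one time base starting at the earliest sample."""
    t0 = min(t for samples in series.values() for t, _ in samples)
    return {k: [(t - t0, v) for t, v in s] for k, s in series.items()}


def pair_by_time(xs, ys, window):
    """Pair each x sample with the nearest y sample at the same time or within
    `window` seconds; x samples without a close partner are dropped."""
    y_times = [t for t, _ in ys]
    pairs = []
    for t, x in xs:
        j = bisect_left(y_times, t)
        candidates = [k for k in (j - 1, j) if 0 <= k < len(ys)]
        if not candidates:
            continue
        k = min(candidates, key=lambda idx: abs(y_times[idx] - t))
        if abs(y_times[k] - t) <= window:
            pairs.append((x, ys[k][1]))
    return pairs


def pearson(xs, ys):
    """Sample correlation r_xy = S_xy / (S_x * S_y): S_xy is the sample
    covariance, S_x and S_y the sample standard deviations of x and y."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    s_xy = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (n - 1)
    s_x = sqrt(sum((x - mx) ** 2 for x in xs) / (n - 1))
    s_y = sqrt(sum((y - my) ** 2 for y in ys) / (n - 1))
    if s_x == 0 or s_y == 0:
        return 0.0  # a static byte (screened out in S202 anyway) has no correlation
    return s_xy / (s_x * s_y)


def correlated_pairs(series, threshold=0.5, window=0.005):
    """Byte pairs of different message IDs whose |r_xy| exceeds the threshold."""
    series = normalise_times(series)
    found = {}
    for a, b in combinations(sorted(series), 2):
        if a[0] == b[0]:
            continue  # only compare bytes belonging to different message IDs
        pairs = pair_by_time(series[a], series[b], window)
        if len(pairs) < 3:
            continue
        r = pearson([x for x, _ in pairs], [y for _, y in pairs])
        if abs(r) > threshold:
            found[(a, b)] = r
    return found


def build_groups(series, threshold=0.5):
    """Merge correlated pairs into groups (AB, BC, AC -> ABC). Each group comes
    with a flag that is True when every member pair is correlated; False marks a
    partial intersection such as AB and AC without BC (the patent's special mark)."""
    edges = correlated_pairs(series, threshold)
    parent = {}

    def find(k):
        parent.setdefault(k, k)
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for a, b in edges:
        parent[find(a)] = find(b)
    members = {}
    for k in parent:
        members.setdefault(find(k), []).append(k)
    groups = []
    for group in members.values():
        group = tuple(sorted(group))
        full = all(pair in edges for pair in combinations(group, 2))
        groups.append((group, full))
    return sorted(groups)
```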
S204, training the message data of each correlation group in time order with an LSTM neural network, establishing a prediction model for each correlation group.
Specifically, one member of a correlated pair is arbitrarily selected as the input item and the other as the output item. If the group contains more than two objects, one is selected as the output item and the others as input items. The choice of input and output items may be adjusted according to the training result. If pairwise correlation exists between A_1 (the 1st byte of message ID A), B_2 (the 2nd byte of B) and C_5 (the 5th byte of C), any two of them, e.g. A_1 and B_2, can be selected as input items and C_5 as the output item.
Further, after the prediction model is built, several segments of CAN bus messages collected from normal driving records are selected to test it; the standard deviation between the predicted value of a byte of the corresponding message ID and the original message value is calculated, and a suitable detection threshold is set according to this standard deviation and the normal data range of the message. Specifically, the detection threshold may be set to 2 times the standard deviation; in practice it can be adjusted according to the training data and the fluctuation range of the normal message value itself, so as to avoid false alarms.
Further, based on the correlation grouping, the byte value of the model's output item is predicted in real time with the prediction model; if the deviation between the predicted output value and the value in the actually received message exceeds the detection threshold obtained in training, that group of messages is considered abnormal and the system may be under a malicious illegal injection attack. Continuing the example of S204, during real-time detection the message sequences of A_1 and B_2 within a short time window are input, the predicted value of C_5 for that period is output, the error between the predicted and actually received value is calculated, and if the error exceeds the detection threshold, detection of abnormal behaviour is reported.
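As an added example of the threshold setting and the real-time check (example code written for this page, not the patent's own), the script below fits a predictor from A_1 and B_2 to C_5 on constructed normal-driving frames, sets the threshold to 2 times the standard deviation of the residuals on a separate normal segment, and then flags a frame whose injected C_5 is inside the byte's normal value range but inconsistent with A_1 and B_2. The patent trains an LSTM per group; a least-squares linear predictor is used here instead so the example runs offline, which is an assumption.

```python
"""Detection threshold and real-time check (the last two steps of the method).

Added example, not the patent's code. The patent trains an LSTM per correlation
group; to run offline this uses a least-squares linear predictor as a stand-in
(an assumption). Inputs A_1 and B_2 predict C_5, as in the S204 example, and
all frame values are constructed.
"""
from math import sqrt


def normal_frames(n):
    """Constructed normal-driving frames (a1, b2, c5): C_5 tracks A_1/2 + B_2/4
    plus a small deterministic jitter, so the three bytes stay consistent."""
    frames = []
    for i in range(n):
        a1 = 2 * (i % 100)
        b2 = 4 * ((3 * i) % 64)
        c5 = a1 // 2 + b2 // 4 + 10 + (i % 3 - 1)
        frames.append((a1, b2, c5))
    return frames


def solve(a, b):
    """Solve the small linear system a.x = b by Gauss-Jordan elimination."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [v - f * w for v, w in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_linear(inputs, outputs):
    """Least-squares weights [w0, w1, w2] for output ~ w0 + w1*a1 + w2*b2.
    Stand-in for the patent's LSTM trained on one correlation group."""
    rows = [[1.0, *x] for x in inputs]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, outputs)) for i in range(k)]
    return solve(xtx, xty)


def predict(weights, x):
    """Predicted output-byte value for one set of input-byte values."""
    return weights[0] + sum(w * v for w, v in zip(weights[1:], x))


def detection_threshold(weights, frames, multiplier=2.0):
    """Threshold = multiplier x sample standard deviation of the prediction
    residuals on normal driving records (the patent suggests 2x the deviation)."""
    res = [c5 - predict(weights, (a1, b2)) for a1, b2, c5 in frames]
    mean = sum(res) / len(res)
    sd = sqrt(sum((r - mean) ** 2 for r in res) / (len(res) - 1))
    return multiplier * sd


def detect(weights, threshold, frames):
    """Real-time check: indexes of frames whose received C_5 deviates from the
    value predicted from A_1 and B_2 by more than the threshold."""
    return [i for i, (a1, b2, c5) in enumerate(frames)
            if abs(c5 - predict(weights, (a1, b2))) > threshold]


TRAIN = normal_frames(200)
MODEL = fit_linear([(a1, b2) for a1, b2, _ in TRAIN], [c5 for _, _, c5 in TRAIN])
THRESHOLD = detection_threshold(MODEL, normal_frames(120))

# Constructed live stream: normal frames plus one injected C_5 of 120, which lies
# inside the byte's normal range (0..173 here) yet contradicts A_1 and B_2.
STREAM = normal_frames(30)
STREAM[12] = (STREAM[12][0], STREAM[12][1], 120)

if __name__ == "__main__":
    print("weights", [round(w, 3) for w in MODEL], "threshold", round(THRESHOLD, 3))
    print("abnormal frames:", detect(MODEL, THRESHOLD, STREAM))
```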
The vehicle network anomaly detection method based on correlation analysis of the invention is used to detect abnormal messages on the vehicle CAN bus or other buses. By directly extracting raw message byte data and performing correlation analysis, message combinations with strong correlation are obtained; regression analysis is performed on the grouped message data and various normal message correlation models are established. The variables of a grouped model have a consistent (positively correlated) or inverse (negatively correlated) relationship, are the digital expression of the corresponding vehicle sensor states during driving, and can be used to detect in real time the data inconsistencies caused by malicious data-injection attacks.
In another aspect, the invention relates to a vehicle-mounted network anomaly detection system based on correlation analysis, comprising:
a data acquisition module for collecting communication data while the vehicle is running; the communication data comprises a message ID, message content and message occurrence time;
a message anomaly detection module that predicts and outputs, with the prediction model established by a prediction model establishment module, the message value at the corresponding byte position, judges whether the deviation between the predicted message value and the actual message value exceeds a detection threshold, and judges the message abnormal if it does; the prediction model is established per group based on the correlation between communication data during vehicle operation; the input of the prediction model is the message values of one or more message ID byte positions in a correlation group, and its output is the message values of the other message ID byte positions in that group.
The specific implementation of each module of the vehicle-mounted network anomaly detection system based on correlation analysis is consistent with the vehicle-mounted network anomaly detection method based on correlation analysis described above, and is not repeated in this embodiment.
The above is only an embodiment of the present invention, but the design concept of the present invention is not limited thereto, and any insubstantial modification made using this design concept falls within the scope of protection of the present invention.
Claims (10)
1. A vehicle-mounted network anomaly detection method based on correlation analysis is characterized by comprising the following steps:
collecting communication data in the running process of a vehicle; the communication data comprises a message ID, message content and message occurrence time;
predicting and outputting a message value corresponding to the byte order by using the established prediction model, judging whether the deviation between the predicted message value and the actual message value exceeds a detection threshold value, and if so, judging that the message is abnormal; the prediction model is established in groups based on the correlation relation between communication data in the vehicle running process; the input of the prediction model is the message values corresponding to one or more message ID byte orders in the related relation group, and the output of the prediction model is the message values corresponding to other message ID byte orders in the related relation group.
2. The correlation analysis-based vehicle-mounted network abnormality detection method according to claim 1, wherein the prediction model establishment method comprises:
collecting communication data of vehicles of the same type in the running process;
calculating a Hamming distance, analyzing Hamming distance data, and removing message IDs with unchanged message contents and bytes with unchanged message contents in the message IDs; recording the message ID with the changed message content and the corresponding byte sequence;
normalizing the occurrence time of the message event according to the recorded message ID, pairing the event time of different message IDs according to the close time, respectively calculating the correlation coefficient of each byte pair, extracting the byte pair of which the absolute value of the correlation coefficient is greater than a preset value, and marking the byte pair as a correlation relation group; the approach time comprises the same time or the time within a preset range;
and training the message data in each correlation relation group by using an LSTM neural network according to the time sequence, and establishing a prediction model of each correlation relation group.
3. The vehicle-mounted network anomaly detection method based on correlation analysis according to claim 2, wherein calculating the Hamming distance, analyzing the Hamming distance data, removing message IDs with unchanged message content and bytes with unchanged message content within a message ID, and recording the message IDs with changed message content and the corresponding byte orders specifically comprises the following steps:
summing the Hamming distances over all bytes for each message ID, and calculating index values including the maximum value, the minimum value, the median, the lower quartile and the upper quartile; if all index values are 0 or equal, the message content of all bytes of the message ID is unchanged and the message ID is removed;
for each message ID that is not removed, counting the Hamming distance of each byte by byte order, and calculating the index values including the maximum value, the minimum value, the median, the lower quartile and the upper quartile; if all index values are 0 or equal, the content of that byte is unchanged and the byte is removed;
and recording the message ID with the changed message content and the corresponding byte sequence.
4. The correlation analysis-based abnormality detection method for the in-vehicle network according to claim 2, wherein the preset value of the correlation coefficient is 0.5.
5. The correlation analysis-based vehicle-mounted network abnormality detection method according to claim 1, wherein the method of obtaining and setting the detection threshold comprises:
selecting communication data collected from multiple segments of normal driving records, predicting the message value of a byte in the corresponding message ID by using the prediction model, and setting the detection threshold based on the standard deviation of the difference between the predicted message value and the actual message value.
6. A vehicle network anomaly detection system based on correlation analysis is characterized by comprising:
a data acquisition module for acquiring communication data in the running process of the vehicle; the communication data comprises a message ID, message content and message occurrence time;
a message abnormality detection module that predicts and outputs a message value corresponding to the byte order by using the prediction model established by the prediction model establishment module, judges whether the deviation between the predicted message value and the actual message value exceeds a detection threshold value, and judges that the message is abnormal if the deviation exceeds the detection threshold value; the prediction model is established in groups based on the correlation relation between communication data in the vehicle running process; the input of the prediction model is the message values corresponding to one or more message ID byte orders in the correlation relation group, and the output of the prediction model is the message values corresponding to the other message ID byte orders in the correlation relation group.
7. The correlation analysis-based vehicle-mounted network abnormality detection system according to claim 6, wherein the establishment method of the prediction model includes:
collecting communication data of vehicles of the same type in the running process;
calculating a Hamming distance, analyzing Hamming distance data, and removing message IDs with unchanged message contents and bytes with unchanged message contents in the message IDs; recording the message ID with the changed message content and the corresponding byte sequence;
normalizing the occurrence time of the message events according to the recorded message IDs, pairing events of different message IDs whose times are close, calculating the correlation coefficient of each byte pair, extracting the byte pairs whose correlation coefficient has an absolute value greater than a preset value, and marking each such byte pair as a correlation relation group; close time means the same time or times within a preset range;
and training an LSTM neural network on the message data of each correlation relation group in time order, thereby establishing a prediction model for each correlation relation group.
8. The correlation analysis-based vehicle-mounted network anomaly detection system according to claim 7, wherein calculating the Hamming distance, analyzing the Hamming distance data, removing message IDs with unchanged message content and bytes with unchanged message content within a message ID, and recording the message IDs with changed message content and the corresponding byte orders specifically comprises the following steps:
summing the Hamming distances over all bytes for each message ID, and calculating index values including the maximum value, the minimum value, the median, the lower quartile and the upper quartile; if all index values are 0 or equal, the message content of all bytes of the message ID is unchanged and the message ID is removed;
for each message ID that is not removed, counting the Hamming distance of each byte by byte order, and calculating the index values including the maximum value, the minimum value, the median, the lower quartile and the upper quartile; if all index values are 0 or equal, the content of that byte is unchanged and the byte is removed;
and recording the message ID with the changed message content and the corresponding byte sequence.
9. The correlation analysis-based vehicle-mounted network abnormality detection system according to claim 7, wherein the preset value of the correlation coefficient is 0.5.
10. The correlation analysis-based vehicle-mounted network abnormality detection method according to claim 6, wherein the method of obtaining and setting the detection threshold comprises:
selecting communication data collected from multiple segments of normal driving records, predicting the message value of a byte in the corresponding message ID by using the prediction model, and setting the detection threshold based on the standard deviation of the difference between the predicted message value and the actual message value.
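As an added worked example (not code from the patent), the steps of claims 2 and 3 (Hamming-distance filtering, close-time pairing, correlation grouping with the 0.5 preset of claim 4), the threshold rule of claim 5 and the deviation check of claim 1, mirrored by the system claims 6 to 10, run in Python on a constructed CAN-style log. A least-squares line stands in for the LSTM predictor; the pairing window, the factor k = 3 and all message IDs and payload values are assumptions.

```python
from statistics import mean, pstdev, quantiles
CORR_MIN, WINDOW = 0.5, 0.005  # claim 4 preset; "close time" tolerance in s is assumed

def is_constant(dists):  # claim 3 test: max, min, median and both quartiles all 0 or equal
    return len({max(dists), min(dists), *quantiles(dists, n=4)}) == 1

def varying_bytes(frames):
    """Claim 3: drop IDs with constant summed Hamming distance, then constant bytes."""
    by_id, keep = {}, []
    for _, mid, data in frames:               # frames: (time, id, payload bytes)
        by_id.setdefault(mid, []).append(data)
    for mid, seq in by_id.items():
        per_byte = [[bin(p[i] ^ c[i]).count("1") for p, c in zip(seq, seq[1:])]
                    for i in range(len(seq[0]))]
        if not is_constant([sum(t) for t in zip(*per_byte)]):
            keep += [(mid, i) for i, d in enumerate(per_byte) if not is_constant(d)]
    return keep

def paired(frames, a, b):
    """Claim 2: pair byte a[1] of ID a[0] with byte b[1] of ID b[0] by close time."""
    sa = [(t, d[a[1]]) for t, m, d in frames if m == a[0]]
    sb = [(t, d[b[1]]) for t, m, d in frames if m == b[0]]
    return [(v, w) for t, v in sa for u, w in sb if abs(u - t) <= WINDOW]

def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * pstdev(xs) * pstdev(ys))

def correlation_groups(frames):
    """Claim 2: byte pairs of different IDs whose |r| exceeds the preset value."""
    keys = varying_bytes(frames)
    return [(a, b) for a in keys for b in keys
            if a[0] < b[0] and abs(pearson(*zip(*paired(frames, a, b)))) > CORR_MIN]

def fit(pts, k=3.0):
    """Least-squares line in place of the patent's LSTM; threshold = k * residual stddev (claim 5, k assumed)."""
    xs, ys = zip(*pts)
    slope = pearson(xs, ys) * pstdev(ys) / pstdev(xs)
    icpt = mean(ys) - slope * mean(xs)
    return slope, icpt, k * pstdev([y - (slope * x + icpt) for x, y in pts])

def is_anomalous(model, x, y):  # claim 1: |predicted - actual| above the threshold
    return abs(y - (model[0] * x + model[1])) > model[2]

# Constructed log: 0x100 byte1 = speed, byte2 = counter; 0x200 byte2 = 2*speed+3 + jitter; 0x300 constant
SPEED = [20, 23, 27, 30, 34, 37, 41, 44, 48, 51]
FRAMES = sorted([(0.01 * i, 0x100, (0x10, s, i % 4, 0x00)) for i, s in enumerate(SPEED)]
    + [(0.01 * i + 0.002, 0x200, (0xAA, 0, 2 * s + 3 + i % 3 - 1, 0xFF)) for i, s in enumerate(SPEED)]
    + [(0.01 * i + 0.004, 0x300, (1, 2, 3, 4)) for i in range(len(SPEED))])
```

On this log only the speed byte of 0x100 and byte 2 of 0x200 form a correlation relation group; the counter byte varies but is uncorrelated, and the constant ID 0x300 is dropped at the ID level.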
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911094247.3A CN112787984B (en) | 2019-11-11 | 2019-11-11 | Vehicle-mounted network anomaly detection method and system based on correlation analysis |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911094247.3A CN112787984B (en) | 2019-11-11 | 2019-11-11 | Vehicle-mounted network anomaly detection method and system based on correlation analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112787984A true CN112787984A (en) | 2021-05-11 |
CN112787984B CN112787984B (en) | 2023-11-14 |
Family
ID=75749725
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911094247.3A Active CN112787984B (en) | 2019-11-11 | 2019-11-11 | Vehicle-mounted network anomaly detection method and system based on correlation analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112787984B (en) |
- 2019-11-11: CN201911094247.3A filed (CN, granted as CN112787984B), status Active
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101068170A (en) * | 2007-06-05 | 2007-11-07 | 华为技术有限公司 | Message abnormal receiving detecting method, system and device thereof |
WO2008148334A1 (en) * | 2007-06-05 | 2008-12-11 | Huawei Technologies Co., Ltd. | Method, system and apparatus thereof for detecting abnormal receipt of message |
CN103106329A (en) * | 2012-11-19 | 2013-05-15 | 华北电力大学 | Training sample grouping construction method used for support vector regression (SVR) short-term load forecasting |
CN104133992A (en) * | 2014-07-21 | 2014-11-05 | 快威科技集团有限公司 | Assessment reference building method and assessment reference building device based on information security assessment correlation |
US20160359893A1 (en) * | 2014-12-01 | 2016-12-08 | Panasonic Intellectual Property Corporation Of America | Anomaly detection electronic control unit, onboard network system, and anomaly detection method |
US20190303567A1 (en) * | 2018-03-28 | 2019-10-03 | Nvidia Corporation | Detecting data anomalies on a data interface using machine learning |
CN108965001A (en) * | 2018-07-12 | 2018-12-07 | 北京航空航天大学 | A kind of appraisal procedure and device of vehicle message data model |
CN110040107A (en) * | 2019-03-18 | 2019-07-23 | 百度在线网络技术(北京)有限公司 | Vehicle intrusion detection and prediction model training method, device and storage medium |
CN110135630A (en) * | 2019-04-25 | 2019-08-16 | 武汉数澎科技有限公司 | The short term needing forecasting method with multi-step optimization is returned based on random forest |
CN110149345A (en) * | 2019-06-11 | 2019-08-20 | 北京航空航天大学 | A kind of In-vehicle networking intrusion detection method based on sequence of message prediction |
Non-Patent Citations (3)
Title |
---|
DARIO STABILI; MIRCO MARCHETTI; MICHELE COLAJANNI: "Detecting attacks to internal vehicle networks through Hamming distance", IEEE * |
曲建云: "车载网络安全数据可视化技术的设计与实现", 厦门理工学院学报 * |
赵振堂: "车载网络异常检测技术研究", CNKI, no. 2018 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114172686A (en) * | 2021-10-27 | 2022-03-11 | 北京邮电大学 | Vehicle-mounted CAN bus message intrusion detection method and related equipment |
CN114172686B (en) * | 2021-10-27 | 2022-08-05 | 北京邮电大学 | Vehicle-mounted CAN bus message intrusion detection method, related equipment and computer storage medium |
CN114244596A (en) * | 2021-12-10 | 2022-03-25 | 上海交通大学 | Vehicle-mounted CAN (controller area network) anomaly detection method and system based on HTM (hyper text transport protocol) |
EP4277202A1 (en) * | 2022-05-13 | 2023-11-15 | Elektrobit Automotive GmbH | Threat detection for a processing system of a motor vehicle |
Also Published As
Publication number | Publication date |
---|---|
CN112787984B (en) | 2023-11-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Marchetti et al. | READ: Reverse engineering of automotive data frames | |
CN107302547B (en) | Web service anomaly detection method and device | |
CN112787984B (en) | Vehicle-mounted network anomaly detection method and system based on correlation analysis | |
CN112987675B (en) | Method, device, computer equipment and medium for anomaly detection | |
CN111126622A (en) | Data anomaly detection method and device | |
CN112114995B (en) | Terminal abnormality analysis method, device, equipment and storage medium based on process | |
CN102014031A (en) | Method and system for network flow anomaly detection | |
CN109145030B (en) | Abnormal data access detection method and device | |
CN110011990B (en) | Intelligent analysis method for intranet security threats | |
CN109308411B (en) | Method and system for hierarchically detecting software behavior defects based on artificial intelligence decision tree | |
CN112492059A (en) | DGA domain name detection model training method, DGA domain name detection device and storage medium | |
CN111970229B (en) | CAN bus data anomaly detection method aiming at multiple attack modes | |
CN113098887A (en) | Phishing website detection method based on website joint characteristics | |
CN109391624A (en) | A kind of terminal access data exception detection method and device based on machine learning | |
CN115150182B (en) | Information system network attack detection method based on flow analysis | |
CN108833139A (en) | A kind of OSSEC alert data polymerization divided based on category attribute | |
CN115643035A (en) | Network security situation assessment method based on multi-source log | |
CN115222303B (en) | Industry risk data analysis method and system based on big data and storage medium | |
CN108055227B (en) | WAF unknown attack defense method based on site self-learning | |
CN110826888B (en) | Data integrity attack detection method in power system dynamic state estimation | |
CN115883163A (en) | Network safety alarm monitoring method | |
CN117150576B (en) | Intelligent verification system and method for block chain electronic seal | |
CN109413047A (en) | Determination method, system, server and the storage medium of Behavior modeling | |
CN117240522A (en) | Vulnerability intelligent mining method based on attack event model | |
CN116074092B (en) | Attack scene reconstruction system based on heterogram attention network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |