CN114615086A - Vehicle-mounted CAN network intrusion detection method - Google Patents
- Publication number
- CN114615086A
- Authority
- CN
- China
- Prior art keywords
- sliding window
- vehicle
- message
- sample
- intrusion detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
- H04L2012/40208—Bus networks characterized by the use of a particular bus standard
- H04L2012/40215—Controller Area Network CAN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
- H04L2012/40267—Bus for use in transportation systems
- H04L2012/40273—Bus for use in transportation systems the transportation system being a vehicle
Landscapes
- Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Security & Cryptography (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Pure & Applied Mathematics (AREA)
- Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- General Physics & Mathematics (AREA)
- Algebra (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Alarm Systems (AREA)
Abstract
The invention discloses a vehicle-mounted CAN network intrusion detection method comprising the following steps: 1, learning CAN message data under normal vehicle conditions using a training model, and calculating the threshold ranges of 3 features; 2, adjusting the sliding window of the training model, and determining the size of the sliding window according to the skewness-kurtosis test result; 3, the detection model collects and processes CAN message data from vehicle operation according to the size of the sliding window; and 4, analyzing the data frames against the threshold ranges, identifying abnormal data frames, counting them, and raising an alarm after the count reaches a certain threshold. The invention places the complex training and learning process in the off-line stage, so that on-line intrusion detection needs only threshold judgment and accumulation at low computing power; it is therefore easy to deploy in the vehicle environment and can quickly and accurately realize CAN network intrusion detection.
Description
Technical Field
The invention relates to the field of network security, in particular to a vehicle intrusion detection method and a vehicle intrusion detection device.
Background
The vehicle-mounted CAN network connects the various Electronic Control Units (ECUs) installed in the automobile. Each ECU is connected to sensors or actuators, so that it can collect sensor signals or control an actuator to complete a specific action. Where the ECUs need to exchange information, the data are sent and received over the vehicle-mounted CAN network as a shared bus. In the Internet of Vehicles environment, the vehicle-mounted CAN network is not a closed and isolated network; it is connected to networks outside the vehicle in various ways.
The vehicle-mounted CAN network lacks encryption and identity authentication mechanisms, and the transmission of CAN messages follows an arbitration mechanism, so the vehicle-mounted CAN network has been shown to have defects and can be intruded remotely. Once the CAN network of a vehicle has been intruded, the life and property of the passengers can be seriously threatened.
At the present stage, intrusion detection for the vehicle-mounted CAN network analyzes CAN message data to find the features of that data under normal vehicle conditions; when the features of the CAN message data at some moment are detected to differ from the features under normal conditions, the vehicle is judged to have been intruded. A more complex data-mining method cannot meet the requirement of real-time detection, and the electronic control units of the vehicle-mounted CAN network have limited computing capacity, which is not enough to support more complex data analysis. Research has placed data acquisition at the vehicle end and data analysis and processing on a cloud server. This requires highly real-time network communication; because vehicles are numerous, it occupies a great deal of network channel resources; and uploading large amounts of normal vehicle data to the cloud is pointless and, on the contrary, breaks the data privacy of the vehicle itself.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a vehicle-mounted CAN network intrusion detection method that reduces the computing power required for vehicle-mounted CAN network intrusion detection, so that the detection can be deployed on an automobile and carried out in real time without changing the existing software and hardware architecture of the vehicle-mounted CAN network.
To achieve this purpose, the invention adopts the following technical scheme:
The vehicle-mounted CAN network intrusion detection method of the invention is characterized by comprising the following steps:
Step 1, off-line learning:
Step 1.1: take offline CAN message data collected during normal driving of the vehicle as the data set, and denote the standard sending period of the CAN message with ID = $P_1$ in the data set as $t_0$;
Step 1.2: denote the size of the sliding window in the k-th optimization round as $n_k$. Continuously record the current $n_k$-th timestamp and, over a period of history, the $n_k - 1$ actual sending periods of the CAN message with ID = $P_1$, indexed by $i$ within the k-th optimization round; the timestamps of actual transmission are recorded as $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$, where $T_i^k$ denotes the timestamp of the i-th actual transmission in the k-th optimization round;
Step 1.3: within the sliding window $n_k$ of the k-th optimization round, calculate the deviation feature between the current $n_k$-th actual transmission period and the standard transmission period; calculate the first accumulated deviation feature between each actual transmission period and the standard transmission period in the k-th optimization round; and calculate the second accumulated deviation feature between the i-th actually transmitted timestamp $T_i^k$ in the k-th optimization round and the standard predicted timestamp, where $T_i^{pre}$ denotes the theoretical sending timestamp, predicted from the standard transmission period $t_0$, of the CAN message with ID = $P_1$ corresponding to timestamp $T_i^k$;
Step 2, optimizing the sliding window:
Step 2.1: calculate the statistic of the j-th sliding window in the k-th optimization round, thereby obtaining the statistics of all sliding windows in the k-th optimization round and collecting them into a sample I; the quantities entering the statistic are the actual transmission period of the CAN message with ID = $P_1$ in the j-th sliding window and the average value of the actual sending period of the CAN message with ID = $P_1$ in the j-th sliding window;
Step 2.2: carry out the skewness-kurtosis test on the sample I:
Step 2.2.1: calculate the v-th order central moment $B_v$ of the sample I using formula (1):
In formula (1), $n$ represents the total number of sliding windows in the k-th optimization round; the formula also uses the mean of sample I;
In formula (2), $B_2$ denotes the 2nd-order central moment of the sample I, $B_3$ denotes the 3rd-order central moment of the sample I, and $B_4$ denotes the 4th-order central moment of the sample I;
Step 2.2.3: denote the skewness variance, the kurtosis variance and the kurtosis mean, and from them obtain the skewness test statistic and the kurtosis test statistic;
Step 2.2.4: with the confidence level set to $1-\alpha$, if the sample I satisfies $|U_1| < u_{\alpha/4}$ and $|U_2| < u_{\alpha/4}$, then the sample I follows the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding-window size for the CAN message with ID = $P_1$ is obtained; otherwise, assign $k+1$ to $k$, set $n_k = n_{k-1} + \Delta n$, and return to step 1.2 to continue in sequence; here $1-\alpha$ denotes the confidence level of the test, $u_{\alpha/4}$ denotes the upper $\alpha/4$ quantile of the standard normal distribution, and $\Delta n$ denotes the fixed step size;
Step 3, setting the thresholds:
Step 3.1: following the process of step 1.3, slide a window of the optimal size over the CAN messages with ID = $P_1$ and extract, for each optimal sliding window, the one deviation feature and the two accumulated deviation features; the three features extracted at each slide are regularized and then activated by the Tanh function, giving the processed deviation feature and accumulated deviation features; the threshold interval of the deviation feature is set from the maximum and minimum values of the processed deviation feature; the threshold interval of the first accumulated deviation feature is set from the maximum and minimum values of the processed first accumulated deviation feature; and the threshold interval of the second accumulated deviation feature is set from the maximum and minimum values of the processed second accumulated deviation feature;
Step 3.2: calculate the threshold intervals of the three features for the CAN messages with the other IDs in the data set, following the process of steps 1.1 to 3.1;
Step 4, online monitoring:
Collect real-time CAN message data under real driving conditions of the vehicle, and calculate the three actual feature values of the CAN message with each ID under its optimal sliding window according to the process of step 3;
if an actual feature value falls outside the corresponding threshold interval, start counting; when the accumulated count exceeds the set limit, the vehicle-mounted CAN network has been intruded and an alarm is raised.
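The window-size search of step 2, as an added example that is not the patent's own code. The page does not reproduce formulas (1) and (2) or the window statistic, so the standard textbook skewness-kurtosis expressions, the window-mean statistic, the non-overlapping windows and the constructed period data are all assumptions.

```python
"""Added example: skewness-kurtosis normality test used to size the window."""
import math
import random
from statistics import NormalDist, fmean


def central_moment(sample, v):
    """B_v: the v-th order central moment of the sample."""
    mean = fmean(sample)
    return sum((x - mean) ** v for x in sample) / len(sample)


def skew_kurt_test(sample, alpha=0.1):
    """Return (U1, U2, accepted) for the skewness-kurtosis normality test.

    Assumption: the standard textbook form of the test is used, because the
    page's own formulas are not reproduced.
    """
    n = len(sample)
    b2, b3, b4 = (central_moment(sample, v) for v in (2, 3, 4))
    g1 = b3 / b2 ** 1.5                       # sample skewness
    g2 = b4 / b2 ** 2                         # sample kurtosis
    var1 = 6 * (n - 2) / ((n + 1) * (n + 3))  # skewness variance
    var2 = 24 * n * (n - 2) * (n - 3) / ((n + 1) ** 2 * (n + 3) * (n + 5))
    mu2 = 3 - 6 / (n + 1)                     # kurtosis mean
    u1 = g1 / math.sqrt(var1)
    u2 = (g2 - mu2) / math.sqrt(var2)
    u_crit = NormalDist().inv_cdf(1 - alpha / 4)  # upper alpha/4 quantile
    return u1, u2, abs(u1) < u_crit and abs(u2) < u_crit


def window_statistics(periods, n):
    """One statistic per window of n periods.

    Assumptions: the statistic is the window mean, and windows do not
    overlap so that the entries of sample I are independent.
    """
    return [fmean(periods[i:i + n]) for i in range(0, len(periods) - n + 1, n)]


def optimal_window(periods, n0, step, alpha=0.1, min_windows=30):
    """Grow the window by a fixed step until sample I passes the test.

    Returns the first accepted size, or None if too few windows remain.
    """
    n = n0
    while len(periods) // n >= min_windows:
        if skew_kurt_test(window_statistics(periods, n), alpha)[2]:
            return n
        n += step                             # n_k = n_(k-1) + delta_n
    return None


# Constructed data: 6000 periods of a 10 ms message with skewed (one-sided)
# jitter, so small windows give a visibly non-normal sample I.
_rng = random.Random(7)
PERIODS = [0.010 + _rng.expovariate(1 / 2e-4) for _ in range(6000)]

if __name__ == "__main__":
    n_opt = optimal_window(PERIODS, n0=5, step=5)
    print("optimal window size:", n_opt)
    print("U1, U2, accepted:", skew_kurt_test(window_statistics(PERIODS, n_opt)))
```
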
The invention relates to a vehicle-mounted CAN network intrusion detection device which is characterized by comprising: a memory, a processor; the memory has stored thereon an on-board CAN network intrusion detection program configured to implement the steps of the on-board CAN network intrusion detection method as claimed in claim 1 and run on the processor.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention applies an off-line learning method to CAN message data, so that the extraction and analysis of data features can be carried out on a computing and storage unit with higher computing power.
2. The online detection algorithm of the invention uses threshold discrimination and cumulative counting, has a low computing-power requirement, and can meet the requirement of real-time detection.
3. The invention detects on the basis of the message data features of the vehicle-mounted CAN network, and can be deployed on the vehicle-mounted CAN network without changing its software and hardware environment.
Drawings
Fig. 1 is a schematic structural diagram of an in-vehicle CAN network intrusion detection device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an embodiment of the vehicle CAN network intrusion detection of the present invention;
FIG. 3 is a block diagram of the training model and detection model structure of the embodiment of the invention for detecting vehicle CAN network intrusion.
Detailed Description
In this embodiment, as shown in fig. 1, the vehicle-mounted CAN network intrusion detection device may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a Random Access Memory (RAM), or may be a Non-Volatile Memory (NVM), such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of an on-board CAN network intrusion detection device and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a storage medium, may include therein an operating system, a data storage module, a network communication module, a user interface module, and an in-vehicle CAN network intrusion detection program.
In the in-vehicle CAN network intrusion detection device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 can be arranged in the vehicle-mounted CAN network intrusion detection device, which calls the vehicle-mounted CAN network intrusion detection program stored in the memory 1005 through the processor 1001 and executes the vehicle-mounted CAN network intrusion detection method provided by the embodiment of the invention.
Based on the above vehicle-mounted CAN network intrusion detection device, this embodiment provides a vehicle-mounted CAN network intrusion detection method that places the complex training and learning processes in an off-line stage, so that on-line intrusion detection needs only threshold judgment and accumulation at low computing power; it is therefore easy to deploy in the vehicle environment and can quickly and accurately realize CAN network intrusion detection. Specifically, referring to fig. 2, the method is performed according to the following steps:
Step 1, off-line learning:
Step 1.1: take offline CAN message data collected during normal driving of the vehicle as the data set, denote the standard sending period of the CAN message with ID = $P_1$ in the data set as $t_0$, and construct a training model. As shown in fig. 3, the training model includes modules for data acquisition, sliding window, feature extraction, regularization, activation and the like, and is used to compute and analyze normal CAN message data in an offline environment.
Step 1.2: extract and analyze the data of the data set using a sliding window, where the initial value of the sliding-window size is $n_0$ and the sliding-window size in the k-th optimization round is denoted $n_k$. Continuously record the current $n_k$-th timestamp and, over a period of history, the $n_k - 1$ actual sending periods of the CAN message with ID = $P_1$, indexed by $i$ within the k-th optimization round; the timestamps of actual transmission are recorded as $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$, where $T_i^k$ denotes the timestamp of the i-th actual transmission in the k-th optimization round;
Step 1.3: within the sliding window $n_k$ of the k-th optimization round, calculate the deviation feature between the current $n_k$-th actual transmission period and the standard transmission period; calculate the first accumulated deviation feature between each actual transmission period and the standard transmission period in the k-th optimization round; and calculate the second accumulated deviation feature between the i-th actually transmitted timestamp $T_i^k$ in the k-th optimization round and the standard predicted timestamp, where $T_i^{pre}$ denotes the theoretical sending timestamp, predicted from the standard transmission period $t_0$, of the CAN message with ID = $P_1$ corresponding to timestamp $T_i^k$;
The choice of these 3 features should be noted. When a forged message is sent, its transmission timestamp is random, so the deviation feature changes greatly. The first accumulated deviation feature reflects the case where, over a period of time, the message with this ID is sent late because of the arbitration mechanism; introducing it helps to reduce the false detection rate for normal messages. The meaning of the second accumulated deviation feature is as follows: the timestamps of normal message transmission should regress linearly onto a straight line L: $y = wx + b$, where $x$ denotes the x-th transmission of the message and $y$ denotes the timestamp of the x-th transmission. $w$ is the slope of the line, namely the standard period of message sending, and $b$ is the intercept of the line on the y axis, namely the timestamp of the last transmission considered normal; at the same time $x$ is reset to zero and the line L is reconstructed. The accumulated deviation from the standard prediction is thus the accumulated deviation, within a sliding window, between the timestamps at which the message was actually transmitted and the line L.
Step 2, optimizing the sliding window:
Step 2.1: calculate the statistic of the j-th sliding window in the k-th optimization round, thereby obtaining the statistics of all sliding windows in the k-th optimization round and collecting them into a sample I; the quantities entering the statistic are the standard deviation of the actual sending period of the CAN message with ID = $P_1$ in the j-th sliding window and the average value of the actual sending period of the CAN message with ID = $P_1$ in the j-th sliding window;
Step 2.2: carry out the skewness-kurtosis test on the sample I:
Step 2.2.1: calculate the v-th order central moment $B_v$ of the sample I using formula (1):
In formula (1), $n$ represents the total number of sliding windows in the k-th optimization round; the formula also uses the mean of sample I;
In formula (2), $B_2$ denotes the 2nd-order central moment of the sample I, $B_3$ denotes the 3rd-order central moment of the sample I, and $B_4$ denotes the 4th-order central moment of the sample I;
Step 2.2.3: denote the skewness variance, the kurtosis variance and the kurtosis mean, and from them obtain the skewness test statistic and the kurtosis test statistic;
Step 2.2.4: with the confidence level set to $1-\alpha$, if the sample I satisfies $|U_1| < u_{\alpha/4}$ and $|U_2| < u_{\alpha/4}$, then the sample I follows the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding-window size for the CAN message with ID = $P_1$ is obtained; otherwise, assign $k+1$ to $k$, set $n_k = n_{k-1} + \Delta n$, and return to step 1.2 to continue in sequence; here $1-\alpha$ denotes the confidence level of the test, $u_{\alpha/4}$ denotes the upper $\alpha/4$ quantile of the standard normal distribution, and $\Delta n$ denotes the fixed step size;
Step 3, setting the thresholds:
Step 3.1: following the process of step 1.3, slide a window of the optimal size over the CAN messages with ID = $P_1$ and extract, for each optimal sliding window, the one deviation feature and the two accumulated deviation features; the three features extracted at each slide are regularized and then activated by the Tanh function, giving the processed deviation feature and accumulated deviation features; the threshold interval of the deviation feature is set from the maximum and minimum values of the processed deviation feature; the threshold interval of the first accumulated deviation feature is set from the maximum and minimum values of the processed first accumulated deviation feature; and the threshold interval of the second accumulated deviation feature is set from the maximum and minimum values of the processed second accumulated deviation feature;
Step 3.2: calculate the threshold intervals of the three features for the CAN messages with the other IDs in the data set, following the process of steps 1.1 to 3.1;
Step 4, online monitoring:
Collect real-time CAN message data under real driving conditions of the vehicle, and calculate the three actual feature values of the CAN message with each ID under its optimal sliding window according to the process of step 3;
if an actual feature value falls outside the corresponding threshold interval, start counting; when the accumulated count exceeds the set limit, the vehicle-mounted CAN network has been intruded and an alarm is raised.
Specifically, a discriminator and a perceptron module are used in the online detection model, when the extracted features of the real-time detected CAN message exceed the threshold range, the discriminator outputs a discrimination result according to the number of the features exceeding the threshold range, different weight values are redistributed, and the perceptron module analyzes the result to judge whether the currently acquired real-time CAN message data is normal or abnormal.
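Steps 1.3, 3 and 4 carried through for one CAN ID, as an added example that is not the patent's own code. The feature formulas and the regularization are not reproduced on the page, so the forms in `features` are assumptions and the traces are constructed; plain cumulative counting stands in for the weighted discriminator and perceptron, and one `Detector` would be instantiated per ID.

```python
"""Added example: timing-feature CAN IDS (offline thresholds, online counting)."""
import math
from collections import deque


def features(ts, t0):
    """Return the three processed features for one window of timestamps.

    Assumed forms (the page does not reproduce the patent's formulas):
      dev  : last actual period minus the standard period t0
      cum1 : sum over the window of (actual period - t0)
      cum2 : sum of (T_i - T_i_pre), with T_i_pre = b + i*t0 on the line
             y = w*x + b, w = t0, b = first timestamp of the window
    Assumed regularization: divide by t0 (cum2 also by the window length),
    then apply tanh as the page describes.
    """
    periods = [b - a for a, b in zip(ts, ts[1:])]
    dev = periods[-1] - t0
    cum1 = sum(p - t0 for p in periods)
    cum2 = sum(t - (ts[0] + i * t0) for i, t in enumerate(ts))
    return (math.tanh(dev / t0),
            math.tanh(cum1 / t0),
            math.tanh(cum2 / (len(ts) * t0)))


def learn_thresholds(ts, t0, n):
    """Offline step 3.1: slide a window of n timestamps over normal traffic
    and keep the [min, max] interval of each processed feature."""
    feats = [features(ts[i:i + n], t0) for i in range(len(ts) - n + 1)]
    return [(min(col), max(col)) for col in zip(*feats)]


class Detector:
    """Online step 4 for one CAN ID: threshold check plus cumulative count."""

    def __init__(self, t0, n, thresholds, limit):
        self.t0, self.thresholds, self.limit = t0, thresholds, limit
        self.window = deque(maxlen=n)
        self.count = 0

    def observe(self, timestamp):
        """Feed one frame timestamp; return True once the count exceeds the limit."""
        self.window.append(timestamp)
        if len(self.window) == self.window.maxlen:
            f = features(list(self.window), self.t0)
            if any(not lo <= v <= hi for v, (lo, hi) in zip(f, self.thresholds)):
                self.count += 1
        return self.count > self.limit


# Constructed parameters: 10 ms standard period, window of 10, count limit 5.
T0, N, LIMIT = 0.010, 10, 5


def normal_trace(count, jitter, wave=math.sin):
    """Constructed normal traffic: nominal schedule plus bounded jitter."""
    return [i * T0 + jitter * wave(i) for i in range(count)]


def with_injection(trace, start, stop):
    """Constructed abnormal traffic: an extra frame with the same ID midway
    between the legitimate frames start..stop-1."""
    return sorted(trace + [trace[i] + T0 / 2 for i in range(start, stop)])


def first_alarm(trace, thresholds):
    """Index of the frame at which the alarm is first raised, or None."""
    det = Detector(T0, N, thresholds, LIMIT)
    for idx, t in enumerate(trace):
        if det.observe(t):
            return idx
    return None


THRESHOLDS = learn_thresholds(normal_trace(500, 2e-4), T0, N)
CLEAN = normal_trace(200, 1e-4, math.cos)
ATTACKED = with_injection(CLEAN, 100, 120)

if __name__ == "__main__":
    print("thresholds:", THRESHOLDS)
    print("clean trace alarm index:", first_alarm(CLEAN, THRESHOLDS))
    print("attacked trace alarm index:", first_alarm(ATTACKED, THRESHOLDS))
```

Because the intervals are the exact minimum and maximum seen in training, normal traffic with more jitter than the training capture would also be counted, so the training data set has to cover the bus-load conditions the vehicle will see.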
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., a rom/ram, a magnetic disk, an optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (2)
1. A vehicle-mounted CAN network intrusion detection method is characterized by comprising the following steps:
Step 1, off-line learning:
Step 1.1: take offline CAN message data collected during normal driving of the vehicle as the data set, and denote the standard sending period of the CAN message with ID = $P_1$ in the data set as $t_0$;
Step 1.2: denote the size of the sliding window in the k-th optimization round as $n_k$. Continuously record the current $n_k$-th timestamp and, over a period of history, the $n_k - 1$ actual sending periods of the CAN message with ID = $P_1$, indexed by $i$ within the k-th optimization round; the timestamps of actual transmission are recorded as $\{T_i^k \mid i = 1, 2, 3, \ldots, n_k\}$, where $T_i^k$ denotes the timestamp of the i-th actual transmission in the k-th optimization round;
Step 1.3: within the sliding window $n_k$ of the k-th optimization round, calculate the deviation feature between the current $n_k$-th actual transmission period and the standard transmission period; calculate the first accumulated deviation feature between each actual transmission period and the standard transmission period in the k-th optimization round; and calculate the second accumulated deviation feature between the i-th actually transmitted timestamp $T_i^k$ in the k-th optimization round and the standard predicted timestamp, where $T_i^{pre}$ denotes the theoretical sending timestamp, predicted from the standard transmission period $t_0$, of the CAN message with ID = $P_1$ corresponding to timestamp $T_i^k$;
Step 2, optimizing the sliding window:
Step 2.1: calculate the statistic of the j-th sliding window in the k-th optimization round, thereby obtaining the statistics of all sliding windows in the k-th optimization round and collecting them into a sample I; the quantities entering the statistic are the actual transmission period of the CAN message with ID = $P_1$ in the j-th sliding window and the average value of the actual sending period of the CAN message with ID = $P_1$ in the j-th sliding window;
Step 2.2: carry out the skewness-kurtosis test on the sample I:
Step 2.2.1: calculate the v-th order central moment $B_v$ of the sample I using formula (1):
In formula (1), $n$ represents the total number of sliding windows in the k-th optimization round; the formula also uses the mean of sample I;
In formula (2), $B_2$ denotes the 2nd-order central moment of the sample I, $B_3$ denotes the 3rd-order central moment of the sample I, and $B_4$ denotes the 4th-order central moment of the sample I;
Step 2.2.3: denote the skewness variance, the kurtosis variance and the kurtosis mean, and from them obtain the skewness test statistic and the kurtosis test statistic;
Step 2.2.4: with the confidence level set to $1-\alpha$, if the sample I satisfies $|U_1| < u_{\alpha/4}$ and $|U_2| < u_{\alpha/4}$, then the sample I follows the standard normal distribution, the optimization of the sliding window ends, and the optimal sliding-window size for the CAN message with ID = $P_1$ is obtained; otherwise, assign $k+1$ to $k$, set $n_k = n_{k-1} + \Delta n$, and return to step 1.2 to continue in sequence; here $1-\alpha$ denotes the confidence level of the test, $u_{\alpha/4}$ denotes the upper $\alpha/4$ quantile of the standard normal distribution, and $\Delta n$ denotes the fixed step size;
Step 3, setting the thresholds:
Step 3.1: following the process of step 1.3, slide a window of the optimal size over the CAN messages with ID = $P_1$ and extract, for each optimal sliding window, the one deviation feature and the two accumulated deviation features; the three features extracted at each slide are regularized and then activated by the Tanh function, giving the processed deviation feature and accumulated deviation features; the threshold interval of the deviation feature is set from the maximum and minimum values of the processed deviation feature; the threshold interval of the first accumulated deviation feature is set from the maximum and minimum values of the processed first accumulated deviation feature; and the threshold interval of the second accumulated deviation feature is set from the maximum and minimum values of the processed second accumulated deviation feature;
Step 3.2: calculate the threshold intervals of the three features for the CAN messages with the other IDs in the data set, following the process of steps 1.1 to 3.1;
Step 4, online monitoring:
Collect real-time CAN message data under real driving conditions of the vehicle, and calculate the three actual feature values of the CAN message with each ID under its optimal sliding window according to the process of step 3;
if an actual feature value falls outside the corresponding threshold interval, start counting; when the accumulated count exceeds the set limit, the vehicle-mounted CAN network has been intruded and an alarm is raised.
2. An in-vehicle CAN network intrusion detection device, the device comprising: a memory, a processor; the memory has stored thereon an on-board CAN network intrusion detection program configured to implement the steps of the on-board CAN network intrusion detection method as claimed in claim 1 and run on the processor.
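The following sketch is an added example, not code from the patent: it walks steps 2.2.2 to 4 of claim 1 for a single feature of one CAN ID (the claim keeps one threshold interval per feature, three per ID). The variance and mean formulas are the textbook skewness-kurtosis test and z-score standardisation stands in for the "regularization operation"; both are assumptions because the claim's own formulas are not legible on this page, and the function names and quantile-based sample data are constructed for illustration.

```python
import math
from statistics import NormalDist, mean, pstdev

def passes_normality(sample, alpha=0.1):
    """Steps 2.2.2-2.2.4: True when |U1| < u_{alpha/4} and |U2| < u_{alpha/4}."""
    n = len(sample)
    if n < 4 or len(set(sample)) == 1:         # too short, or constant (B2 = 0)
        return False
    m = mean(sample)
    b2, b3, b4 = (sum((x - m) ** k for x in sample) / n for k in (2, 3, 4))
    g1, g2 = b3 / b2 ** 1.5, b4 / b2 ** 2      # sample skewness and kurtosis
    var1 = 6 * (n - 2) / ((n + 1) * (n + 3))   # skewness variance (assumed textbook form)
    var2 = 24 * n * (n - 2) * (n - 3) / ((n + 1) ** 2 * (n + 3) * (n + 5))  # kurtosis variance
    mu2 = 3 - 6 / (n + 1)                      # kurtosis mean
    u = NormalDist().inv_cdf(1 - alpha / 4)    # upper alpha/4 quantile
    return abs(g1 / math.sqrt(var1)) < u and abs((g2 - mu2) / math.sqrt(var2)) < u

def optimal_window(sample_for, n0, dn, n_max, alpha=0.1):
    """Grow the window by the fixed step dn until the sample passes; None past n_max."""
    for n in range(n0, n_max + 1, dn):
        if passes_normality(sample_for(n), alpha):
            return n
    return None

def fit_interval(train):
    """Step 3.1: standardise (assumed 'regularization'), apply tanh, keep min and max."""
    mu, sd = mean(train), pstdev(train) or 1.0
    processed = [math.tanh((v - mu) / sd) for v in train]
    return mu, sd, min(processed), max(processed)

def first_alarm(live, model, limit):
    """Step 4: index at which the cumulative out-of-interval count exceeds limit."""
    mu, sd, lo, hi = model
    count = 0
    for i, v in enumerate(live):
        if not lo <= math.tanh((v - mu) / sd) <= hi:
            count += 1
            if count > limit:
                return i
    return None

def constructed_sample(n, skewed=False):
    """Constructed data: n evenly spaced quantiles, exponential if skewed else normal."""
    ps = [(i + 0.5) / n for i in range(n)]
    return [-math.log(1 - p) if skewed else NormalDist().inv_cdf(p) for p in ps]

if __name__ == "__main__":
    n_opt = optimal_window(lambda n: constructed_sample(n, skewed=n < 120), 40, 20, 400)
    print(n_opt, first_alarm([0.0] * 5 + [10.0] * 4, fit_interval(constructed_sample(n_opt)), 2))
```

The `n_max` cap is an addition of this sketch: the claim as written loops until the test passes, which never terminates for a feature that stays non-normal at every window size.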
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210394125.1A CN114615086B (en) | 2022-04-14 | 2022-04-14 | Vehicle-mounted CAN network intrusion detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114615086A (en) | 2022-06-10 |
CN114615086B (en) | 2023-11-03 |
Family
ID=81868635
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210394125.1A Active CN114615086B (en) | 2022-04-14 | 2022-04-14 | Vehicle-mounted CAN network intrusion detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114615086B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN114615086B (en) | 2023-11-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||