Patent abstract:
The present invention discloses an in-vehicle network intrusion detection method and system. The system comprises a timer module (1), a detection module (4) and an examination module (3). The timer module is configured to send a system runtime to the communication module (2); the communication module records, according to the system runtime, a time stamp of the reception time of a received packet and the identity of the node that sent it, and sends the identity and the reception time stamp to the examination module and to the detection module; the examination module is configured to determine a theoretical clock shift value of the transmission node from the reception time stamps under normal network conditions and to bind the theoretical clock shift value to the identity of the transmission node; and the detection module is configured to determine, during intrusion detection, the deviation of the transmission node's clock shift from the theoretical clock shift value according to the reception time stamps and to infer whether the network is abnormal or normal. The method and system disclosed in the present invention can be installed directly in the communication module of a T-Box, are universally applicable, and can ensure the network security of most vehicles.
Publication number: CH714535B1
Application number: CH00436/18
Filing date: 2018-04-04
Publication date: 2020-01-15
Inventors: Qin Hongmao; Zhou Yunshui; Wu Xinkai; Yu Guizhen; Wang Pengcheng; Ji Haojie; Zuo Zheng; Huang Lei; Dawel Gauhar; Wei Lei; Wang Yinghui; Wang Yunpeng
Applicant: Univ Beihang;
IPC main class:
Patent description:

Description The present application claims priority from Chinese Application No. 2017 11 385 344.9, filed on December 20, 2017 under the title VEHICLE INTERNAL NETWORK INTRUSION DETECTION METHOD AND SYSTEM. The above patent application is hereby incorporated by reference in its entirety.
Technical Field The present invention relates to the field of automotive network security, and more particularly, to an in-vehicle network intrusion detection method and system.
PRIOR ART Modern automobiles are gradually developing toward networking and intelligence; the number of electronic control units (ECUs) in each automobile is growing rapidly and has currently reached almost 100. In order to offer users ever more attractive functions and services, the electronic and electrical systems of vehicles have to become more and more complex, and they also have to be provided with interfaces for communication with the outside world, such as WLAN, Bluetooth, 3G/4G and USB interfaces. In an intelligent networked vehicle, the telematics unit (T-Box, Telematics Box) is the gateway device that connects the vehicle's internal network to the external network and provides the vehicle's external communication functions, including communication systems such as V2I and V2V. Vehicle networking brings many benefits to the user, but it also exposes the vehicle system to a greater likelihood of hacker attacks via the Internet.
In order to reduce the risk of hacker attacks, a defense-in-depth system must be developed for vehicles so that vehicle safety is improved. In such a defense-in-depth system, secure communication in the in-vehicle network is a critical part of the overall security architecture, and only when secure communication is implemented in the in-vehicle network can a secure electronic and electrical system for vehicles be created. Currently, however, most vehicle communication networks are mainly based on the controller area network bus (CAN, Controller Area Network).
The CAN protocol was designed for use in a closed vehicle environment in which network security problems did not arise, and it therefore has many vulnerabilities that pose an information security risk. When hackers exploit these vulnerabilities, malicious operations such as the theft of private user data can be performed, causing problems such as property loss, privacy leaks and issues related to the personal safety of the vehicle user. For example, a packet based on the CAN 2.0 standard contains neither identity information about the sender nor information about the transmission time, and the information in the data field is not encrypted. In this case, hackers can simply monitor the data being sent.
In order to meet vehicle information security requirements, one of the most critical technologies is in-vehicle network intrusion detection and defense. It can identify external attacks in a timely manner, and suitable defense measures can then reduce or eliminate the negative effects of harmful attacks, thereby ensuring the normal and safe operation of the vehicle's electronic and electrical system.
Currently, most in-vehicle networks are of the bus type, such as the CAN, LIN, MOST or FlexRay bus. The bandwidth of these buses is relatively small, and it is difficult to implement security measures such as encryption and authentication on them. An intrusion detection method is the easiest to deploy and one of the most effective in-vehicle network security protection measures. However, most existing intrusion detection methods target IT networks and cannot be used for in-vehicle network intrusion detection.
SUMMARY The object of the present invention is to provide an in-vehicle network intrusion detection method and system which can implement network intrusion detection for a bus-type automotive network and can ensure driver and passenger safety.
[0009] To achieve this goal, the invention provides the following solution:
[0010] In-vehicle network intrusion detection method for monitoring an in-vehicle CAN network, comprising:
Each time after N packets have been received in a T-Box, detecting an identity (ID) of the transmission node, a reception time (t_i) of each received packet and the reception time interval (x_i) between the i-th and the first packet (t_i − t_1), where N is a positive integer and i = 1 to N;
Detecting a theoretical clock shift value (I) of the transmission node, which is bound to the identity (ID) of the transmission node under normal network conditions, the theoretical clock shift value (I) being obtained by examining the clock deviation (O_i) per unit time of the packets sent by the transmission node under normal network conditions;
Calculating an actual clock shift value (S[k]) and an identification error (e[k]) using a recursive least squares method from the reception time (t_i) and the reception time interval (x_i), the identification error (e[k]) being determined using a linear regression model (O_acc[k]), where k is the number of times the N packets have been received;
[0014] Comparing the actual clock shift value (s [k]) with the theoretical clock shift value (I) for abrupt shifts to determine the identity (ID) of the sending node sending a packet:
- Calculating, using a cumulative sum method that accumulates the differences between the monitored values and the theoretical clock shift value (I), a mean and a variance of the identification errors (e[k]) determined over several receptions;
- Calculating a cumulative identification error using the mean value (μ_0) of the identification errors e[k], the variance (σ_0²) of the identification errors e[k] and the theoretical clock shift value (I); and if the cumulative identification error exceeds a given threshold, determining that the in-vehicle network is abnormal; and if the cumulative identification error does not exceed the given threshold, determining that the in-vehicle network is normal.
[0015] Optionally, the specific procedure for obtaining the theoretical clock shift value by examining the time information of the packets sent by each sending node under normal network conditions is as follows:
Acquiring a time stamp of the reception time of the N packets;
Calculating a transmission period of a packet according to the time stamp of the reception time of the N packets;
Calculating a cumulative deviation according to the transmission period and the time stamp of the reception time; and calculating the clock shift according to the cumulative deviation to obtain the theoretical clock shift value.
Optionally, calculating an identification error and an actual clock shift value according to the reception time and the reception time interval comprises in particular:
[0021] establishing a linear regression model $O_{acc}[k] = S[k] \cdot t[k] + e[k]$, where k is the number of times the N packets have been received; O_acc[k] is the cumulative clock deviation obtained by analyzing the N packets for the k-th time; S[k] denotes the actual clock shift value; t[k] is the system runtime; and e[k] is the identification error; and calculating the identification error using a recursive least squares method according to the linear regression model, the reception time and the reception time interval.
The present invention further discloses an in-vehicle network intrusion detection system comprising a timer module, a detection module and an examination module, wherein an output end of the timer module is connected to a communication module of a T-Box, an output end of the communication module is connected to the examination module, the communication module is further bidirectionally connected to the detection module, and an output end of the examination module is connected to the detection module; the timer module is configured to send a system runtime to the communication module; the communication module records, according to the system runtime, a time stamp of the reception time of a received packet and the identity of the node that sent it, and sends the identity and the reception time stamp to the examination module and to the detection module; the examination module is configured to determine a theoretical clock shift value of the transmission node from the reception time stamps under normal network conditions and to bind the theoretical clock shift value to the identity of the transmission node; and the detection module is configured to determine, during intrusion detection, the deviation of the transmission node's clock shift from the theoretical clock shift value according to the reception time stamps.
The system optionally further comprises a cloud control platform, the communication module communicating bidirectionally with the cloud control platform; and the communication module is configured to send alarm information to the cloud control platform when the detection module detects a network anomaly and to receive an online update instruction and an update packet sent from the cloud control platform.
[0026] According to specific embodiments of the present invention, the invention has the following technical effects: the method and system of the present invention dynamically monitor the in-vehicle network based on the T-Box and the CAN bus, are suitable for monitoring anomalies in most automotive networks and have universal applicability; according to the method of the present invention, the clock skew of a transmitting node is detected under normal network conditions and used as that node's clock signature, so that the identity of a node can be recognized, packets sent from an unassigned node can be identified and malicious attacks can be prevented, which improves the security of the automotive network.
BRIEF DESCRIPTION OF THE DRAWINGS In order to better describe the technical solutions in the embodiments of the present invention or in the prior art, the attached drawings which are required to describe the embodiments are briefly described below. The drawings attached to the following description show some embodiments of the present invention, and one of ordinary skill in the art can derive other drawings from these attached drawings without creative effort.
FIG. 1 shows a flowchart of an in-vehicle network intrusion detection method according to an embodiment of the present invention; and
FIG. 2 shows a structural diagram of an in-vehicle network intrusion detection system according to the present invention.
DESCRIPTION OF EMBODIMENTS In the following, technical solutions in the embodiments of the invention are described clearly and in detail with reference to the accompanying drawings in the embodiments of the present invention. Apparently, the described embodiments are only part of all embodiments of the invention. All other embodiments that can be encompassed by one of ordinary skill in the art without creative efforts based on the embodiments of the present invention fall within the scope of the present invention.
In order to better explain the objectives, features and advantages of the invention, the invention is described in more detail below with reference to the accompanying drawings and specific implementations.
FIG. 1 shows a flowchart of an in-vehicle network intrusion detection method according to an embodiment of the present invention.
[0031] Referring to FIG. 1, the in-vehicle network intrusion detection method includes:
Step 101. Each time after a T-Box has received N packets, detecting a transmit node identity and the reception time of the N received packets and the reception time interval of two adjacent packets, N being a positive integer.
Step 102. Detecting a clock shift of a transmission node according to the transmission node identity to obtain a theoretical clock shift value, the theoretical clock shift value being obtained by examining the time information of the transmission packets by each transmission node in normal network conditions, and wherein each transmission node corresponds to a clock shift.
Step 103. Calculate an identification error and an actual clock shift value according to the reception time and the reception time interval. The step is particularly as follows:
Establishing a linear regression model $O_{acc}[k] = S[k] \cdot t[k] + e[k]$, where k is the number of times the N packets have been received; O_acc[k] is the cumulative clock deviation obtained by analyzing the N packets for the k-th time; S[k] denotes the actual clock shift value; t[k] is the system runtime; and e[k] is the identification error; and calculating the identification error using a recursive least squares method according to the linear regression model, the reception time and the reception time interval.
Step 104. Compare the actual clock skew value to the theoretical clock skew value to determine an identity of a sending node sending a packet.
Step 105. Calculating, using a cumulative sum method, a mean and a variance of the identification errors obtained over multiple receptions.
Step 106. Calculate a cumulative identification error according to the mean, the variance and the theoretical clock shift value.
Step 107. If the cumulative identification error exceeds a given threshold, determine that the in-vehicle network is abnormal; and if the cumulative identification error does not exceed the given threshold, determine that the in-vehicle network is normal.
[0041] A specific process for obtaining the theoretical clock shift value by examining time information for sending packets by each sending node in a normal network state is as follows:
[0042] acquiring a time stamp of the reception time of the N packets;
Calculating a transmission period of a packet according to the time stamps of the reception times of the N packets;
Calculating a cumulative deviation according to the transmission period and the reception time stamps; and
Calculating the clock shift according to the cumulative deviation to obtain the theoretical clock shift value.
Fig. 2 shows a structural diagram of an in-vehicle network intrusion detection system of the present invention.
Referring to FIG. 2, the in-vehicle network intrusion detection system includes a timer module 1, a detection module 4, an examination module 3 and a cloud control platform 5, wherein an output end of the timer module 1 is connected to a communication module 2 of a T-Box, an output end of the communication module 2 is connected to the examination module 3, the communication module 2 is furthermore bidirectionally connected to the cloud control platform 5 and the detection module 4, and an output end of the examination module 3 is connected to the detection module 4.
The in-vehicle network intrusion detection system, built on the T-Box and the CAN bus, is suitable for protecting the internal information security of intelligent networked vehicles: it detects hacker intrusions and attacks on the in-vehicle network in real time and takes appropriate countermeasures and emergency measures at an early stage to minimize the risk and damage caused to the vehicle by the attack. In the present invention, the in-vehicle network intrusion detection system in the T-Box is used to monitor the in-vehicle CAN network, with classification according to data security threat levels. The timer module 1 of the in-vehicle network intrusion detection system performs accurate timing, and the time stamp of each packet received by the system is recorded. The time stamp, the identity (ID) of the node that sent the packet and the data field are packed into a capture packet. The capture packet is stored in a first-in, first-out (FIFO) queue, and the data in the capture packet is read from the FIFO queue to calculate the clock skew of the transmitting node. The clock skew is used as a fingerprint of the transmitting node, and a detection algorithm then determines whether an intrusion has occurred. The type of intrusion or attack is determined from the way the fingerprint changes, and real-time alarm information is sent to the cloud control platform 5 so that it can take timely countermeasures based on the alarm. The detection results are recorded as logs, stored in the read-only memory (ROM) of the T-Box and uploaded to the cloud at a suitable time so that the cloud can further reconstruct the intrusion attack chain and identify weak points in the system, providing more detailed information for subsequent defense.
The cloud control platform 5 can also, on its own initiative, request the T-Box to send the acquisition result if there is a need.
1. Timer module 1 The timer module 1 is configured to send a system runtime to the communication module 2. The in-vehicle network intrusion detection system of the present invention is based on the clock shift feature of a transmitting node (usually an ECU), and therefore an accurate timer module 1 is necessary to provide accurate timing for the entire in-vehicle network intrusion detection system. The in-vehicle network intrusion detection system of the present invention has a time accuracy of 100 microseconds. The present invention uses a 32-bit timer, selects an appropriate prescaler according to the system clock frequency and generates a count every 10 microseconds. An overflow interrupt is generated when the counter overflows, and the number of interrupts is recorded to obtain a time, which is the system runtime.
2. Communication module 2 The communication module 2 records a time stamp of the reception time of a received packet and the identity of the node that sent the packet, in accordance with the system runtime; the communication module 2 sends the identity and the reception time stamp to the examination module 3 and to the detection module 4. For an in-vehicle CAN network, the in-vehicle network intrusion detection system must communicate with the CAN bus and with the cloud control platform 5. The T-Box communicates with the CAN bus through an interrupt. In a separate thread, whenever a CAN controller FIFO mailbox receives a packet, a CAN packet reception interrupt is triggered. When the interrupt is triggered, the T-Box reads the current time, records the packet data and the identity of the sending node as a capture packet, inserts the capture packet into a singly linked list for storage and sends it to the examination module 3 and the detection module 4. The examination module 3 and the detection module 4 process the information carried by the capture packet, recognize the packet and determine whether there is an attack. The communication module 2 also communicates with the cloud control platform 5: it sends attack alarms to the cloud control platform 5, receives instructions from it and takes countermeasures, such as online updates. The communication module 2 mainly consists of a 4G module, establishes a TCP connection with the cloud control platform 5 via a dial-up connection and defines a specific application protocol for the communication.
3. Examination module 3 The examination module 3 is configured to determine a theoretical clock shift value of the transmitting node from the reception time stamps in a normal network state and to bind the theoretical clock shift value to the identity of the transmitting node. The function of the examination module 3 is to process the received packets, to extract the clock shift feature of the transmitting node using the recursive least squares method, to use the clock shift feature as a fingerprint of the transmitting node and to identify the transmitting node according to this fingerprint. In order to explain how the clock shift of a transmitting node is calculated, the concepts of clock deviation and clock shift rate should first be clarified. The clock deviation is the difference between a true clock and the local clock of the transmitting node. The clock shift rate is the clock deviation per unit of time.
If the T-Box receives N packets sent by the transmitting node, where t_0 = 0 is the time stamp at which the node sends the first frame, T is the sending period of the packets, d_i is the network delay, t_i is the reception time stamp of the i-th packet, O_i is the clock deviation of the i-th packet and x_i is the reception time interval between the i-th packet and the first packet, then:
$x_i = t_i - t_1$
$O_i = ((i \cdot T + d_i) - d_1) - (t_i - t_1)$
The network delay is essentially constant, i.e. $d_i = d_1$, therefore:
$O_i = i \cdot T - (t_i - t_1)$
In order to calculate the value of T, the N received packets are grouped together, the average transmission period of the N packets is taken as the transmission period T, and the average clock shift of each packet relative to the first packet is calculated. The absolute values of the average clock shifts are summed to obtain the cumulative clock deviation. By definition, the slope of the straight line of the cumulative clock deviation is the clock shift rate, and the clock shift rate obtained for each transmitting node is a constant. This clock shift rate is the theoretical clock shift value. The clock shift rate of each transmitting node can therefore be calculated from the received packets, and the clock shift feature of the transmitting node is provided for anomaly detection and used as the node's fingerprint.
4. Detection module 4 The detection module 4 is configured to determine the deviation of the transmitting node's clock shift from the theoretical clock shift value according to the reception time stamps during intrusion detection. The function of the detection module 4 is based on the fingerprint extracted by the examination module 3, and it identifies whether there is an attack by combining this fingerprint with the state of the packets on the CAN bus. A model of the normal state of the CAN bus is defined first. For the identity of a sending node, the cumulative clock deviation of that node is obtained from the reception times of its packets. The clock shift rate obtained for each sending node is a constant and the cumulative clock deviation grows linearly with time, so a linear regression model can be established. The formula is as follows:
$O_{acc}[k] = S[k] \cdot t[k] + e[k]$
Here k is the number of times the N packets have been received, the N packets being analyzed each time; O_acc[k] is the cumulative clock deviation obtained by analyzing the N packets for the k-th time; t[k] is the system runtime; e[k] is the identification error, i.e. the error generated during the iteration; and S[k] is the clock shift rate, which is the slope of the linear regression model. The clock shift rate S[k] is calculated using the recursive least squares (RLS) method. The identification error is used as the objective function and the square of the identification error is minimized; therefore, in the recursive least squares method the identification error tends to zero. The reception time of the N packets and the reception time interval of every two packets are obtained by detection. If the packets sent by a sending node are not received for a long period of time, this indicates a denial of service (DoS) attack and the CAN bus is in an abnormal state. After the N packets have been received and their time stamps acquired, the cumulative clock deviation, the corresponding identification error, and the gain coefficient and covariance P of the recursive least squares method are calculated to obtain the clock shift rate S[k]. An iteration is performed each time the N packets are received, and the clock shift rate S[k] and an identification error are output each time. If there is no attack, the identification error tends to zero and the clock shift rate is constant.
A possible abnormal change in the clock shift rate is determined using the cumulative sum method. The method accumulates the differences between the monitored values and the theoretical values in order to detect abrupt shifts. Because a cumulative sum is calculated, even small deviations from the theoretical value are recorded, which means that the cumulative value increases or decreases steadily. The variance σ_0² and the mean value μ_0 of the identification error are updated after each step of estimating the clock shift rate. The variance σ_0² and the mean value μ_0 of the identification error represent the state of the CAN network and are also the theoretical values in the cumulative sum algorithm; therefore these values must be monitored.
In order to prevent an attack from affecting the theoretical values, the mean value and the variance are only updated if μ_0
In the cumulative sum algorithm, two cumulative identification error parameters are maintained, a maximum value of the cumulative identification error and a minimum value of the cumulative identification error, and they are updated as follows:
$L_k^- = \max\{0,\ L_{k-1}^- \ldots\}$
$L_k^+ = \max\{0,\ L_{k-1}^+ + \ldots - K\}$
L_{k-1}^- is the minimum value of the cumulative identification error calculated after the previous reception of the N packets, L_k^- is the minimum value of the cumulative identification error calculated after the currently received N packets, L_{k-1}^+ is the maximum value of the cumulative identification error calculated after the previous reception of the N packets, and L_k^+ is the maximum value of the cumulative identification error calculated after the N packets received at the current time. K represents the standard deviation of the intended detection. K can be obtained by offline learning or by monitoring the bus under normal conditions. The value of K should allow the value of L_k to return to zero when the network is normal. If the absolute value of L_k^- or L_k^+ exceeds a given threshold, the network is declared abnormal. The default threshold is 5.
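The procedure of steps 101 to 107 and the RLS and cumulative sum formulas above, as an added Python example that is not part of the patent. It assumes that the nominal period T of the monitored message is known from the CAN matrix rather than re-estimated per batch (so a node's crystal skew appears as a constant slope S), a forgetting factor for the recursive least squares, the standardized increment (e[k] − μ_0)/σ_0 for the cumulative sums, and that μ_0 and σ_0 are updated only while no alarm is raised; all time stamps are constructed.

```python
"""Clock-skew fingerprinting of one CAN message ID, following the page's steps: per-batch
clock deviation O_i -> cumulative deviation O_acc[k] -> RLS slope S[k] and error e[k] -> CUSUM."""
from __future__ import annotations
import math
import random
from dataclasses import dataclass

T_NOMINAL = 0.010   # assumed: nominal period of the monitored message from the CAN matrix (10 ms)
N = 20              # packets per batch (page: N)
THRESHOLD = 5.0     # CUSUM alarm threshold (page default: 5)
K_ALLOWANCE = 1.0   # CUSUM reference value K (assumed; lets L return to 0 when normal)
LAMBDA = 0.9        # RLS forgetting factor (assumed; the page does not state one)
JITTER = 1e-6       # reception jitter of the constructed traffic, seconds


def batch_deviation(ts: list[float]) -> float:
    """Average |O_i| over one batch of N reception time stamps, using the page's
    O_i = i*T - (t_i - t_0) (the network delay is taken as constant, so it cancels)."""
    t0 = ts[0]
    return sum(abs(i * T_NOMINAL - (t - t0)) for i, t in enumerate(ts)) / len(ts)


@dataclass
class SkewDetector:
    o_acc: float = 0.0      # cumulative clock deviation O_acc[k]
    s: float = 0.0          # actual clock shift value S[k] (slope of the regression model)
    p: float = 1e6          # RLS covariance P (large start = no prior knowledge)
    theory: float = 0.0     # theoretical clock shift value I, bound to this sender after examination
    n_err: int = 0          # running mean/variance of e[k] (mu_0, sigma_0^2) in Welford form
    mean: float = 0.0
    m2: float = 0.0
    l_plus: float = 0.0     # CUSUM sums L_k^+ and L_k^-
    l_minus: float = 0.0

    def rls_update(self, t_k: float) -> float:
        """One RLS step of O_acc[k] = S[k]*t[k] + e[k]; returns the identification error e[k]."""
        err = self.o_acc - self.s * t_k
        gain = self.p * t_k / (LAMBDA + t_k * t_k * self.p)   # gain coefficient
        self.s += gain * err
        self.p = (1.0 - gain * t_k) * self.p / LAMBDA
        return err

    def learn(self, err: float) -> None:
        self.n_err += 1
        delta = err - self.mean
        self.mean += delta / self.n_err
        self.m2 += delta * (err - self.mean)

    def sigma0(self) -> float:
        return max(math.sqrt(self.m2 / (self.n_err - 1)), 1e-9) if self.n_err > 1 else 1e-9

    def examine(self, batch: list[float], warm: bool) -> None:
        """Examination on normal traffic: fit S, collect e[k] statistics after the RLS transient."""
        self.o_acc += batch_deviation(batch)
        err = self.rls_update(batch[-1])
        if warm:
            self.learn(err)
        self.theory = self.s

    def detect(self, batch: list[float]) -> bool:
        """CUSUM on the standardized e[k]; True means abnormal. The form (e - mu_0)/sigma_0 is
        an assumption: the page only says differences to the theoretical values are accumulated."""
        self.o_acc += batch_deviation(batch)
        err = self.rls_update(batch[-1])
        z = (err - self.mean) / self.sigma0()
        self.l_plus = max(0.0, self.l_plus + z - K_ALLOWANCE)
        self.l_minus = max(0.0, self.l_minus - z - K_ALLOWANCE)
        abnormal = max(self.l_plus, self.l_minus) > THRESHOLD
        if not abnormal:        # assumed reading of the page: update mu_0/sigma_0 only while normal
            self.learn(err)
        return abnormal

    def identity_matches(self, tol: float = 0.25) -> bool:
        """Step 104: the packets come from the fingerprinted node if S[k] stays close to I."""
        return abs(self.s - self.theory) <= tol * abs(self.theory)


def make_batches(rng: random.Random, skew_ppm: float, count: int, start: float) -> tuple:
    """Constructed time stamps from a sender whose crystal runs skew_ppm fast vs the T-Box timer."""
    period = T_NOMINAL * (1.0 + skew_ppm * 1e-6)
    batches, t = [], start
    for _ in range(count):
        batches.append([t + i * period + rng.gauss(0.0, JITTER) for i in range(N)])
        t += N * period
    return batches, t


def run_demo(seed: int = 7) -> dict:
    """20 examination + 3 detection batches from the legitimate ECU (+300 ppm), then 5 spoofed."""
    rng = random.Random(seed)
    det = SkewDetector()
    legit, t = make_batches(rng, 300.0, 23, 0.0)
    for k, batch in enumerate(legit[:20]):
        det.examine(batch, warm=k >= 3)
    normal_alarms = sum(det.detect(b) for b in legit[20:])
    identity_ok = det.identity_matches()
    spoof, _ = make_batches(rng, 1000.0, 5, t)       # masquerading node with a different crystal
    spoof_alarms = [det.detect(b) for b in spoof]
    first = next((i for i, a in enumerate(spoof_alarms) if a), None)
    return {"theory": det.theory, "normal_alarms": normal_alarms,
            "identity_ok_before_spoof": identity_ok, "first_spoof_alarm": first}
```

run_demo() returns the learned slope I, the alarm count over the three normal detection batches and the index of the first spoofed batch at which the masquerading node is flagged.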
5. Cloud control platform 5 The cloud control platform 5 is configured to receive alarm information sent by the communication module 2 when the detection module 4 detects a network anomaly and is further configured to provide an online update instruction and to send an update packet to the communication module 2.
The method and system of the present invention dynamically monitor the in-vehicle network based on the T-Box and the CAN bus, are suitable for monitoring anomalies in most automotive networks and have universal applicability. According to the method of the present invention, the clock shift of a transmitting node is detected in a normal network state and used as that node's clock signature, so that the identity of a node can be recognized, packets from an unassigned transmitting node can be identified and malicious attacks can be prevented, which improves the security of the automotive network. In addition, the present invention also has the following technical effects:
(1) The present invention can effectively detect attacks on the CAN bus in the vehicle in real time, including injection attacks, denial of service attacks, masquerade attacks, replay attacks and other attacks.
(2) The in-vehicle network intrusion detection system of the present invention can be easily implemented in vehicles of any model without changing the vehicle's original electronic and electrical architecture or adding hardware resources, is low in cost, and is suitable for both retrofitting and preloading.
(3) The detection method of the present invention can identify a sending node of a packet according to the clock characteristic of the sending node and identify the identity of the sending node.
(4) The in-vehicle network intrusion detection system of the present invention uses an easy detection method that runs on the T-Box, consumes little hardware resources, and has real-time detection and a short detection response time.
(5) The in-vehicle network intrusion detection method of the present invention does not require changing the vehicle CAN bus protocol matrix.
(6) The in-vehicle network intrusion detection method of the present invention has a high detection rate and a low false alarm rate.
(7) The in-vehicle network intrusion detection system of the present invention communicates in real time with the cloud control platform, records captured attacks, and uploads them to the cloud control platform. The cloud control platform develops new countermeasures in accordance with the records of the attack behavior and carries out a remote update of the intrusion detection system inside the vehicle.
[0066] Several examples have been used to illustrate the principles and implementation methods of the present invention. The description of the embodiments is used to simplify the illustration of the method and its core principles according to the present invention. In addition, those skilled in the art can make various modifications to specific embodiments and areas of application in accordance with the teachings of the present invention. In summary, the content of this description should not be understood as a limitation of the invention.
Claims:
Claims (5)
[1]
1. In-vehicle network intrusion detection method for monitoring an in-vehicle CAN network, comprising:
each time after N packets have been received in a T-Box, detecting an identity of a transmission node, a reception time of each received packet and a reception time interval between the i-th and the first packet, where N is a positive integer and i = 1 to N;
Detecting a theoretical clock shift value of the sending node that is tied to the identity of the sending node in normal network conditions, the theoretical clock shift value being obtained by examining a clock deviation per unit time of the packets sent by the sending node in normal network conditions;
Computing an actual clock skew value using a least squares recursive method and an identification error using the receive time and the receive time interval, the identification error being determined using a linear regression model;
Compare the actual clock shift value to the theoretical clock shift value for abrupt shifts to determine the identity of the sending node sending a packet:
- calculating, using a cumulative sum method that accumulates the differences between the monitored values and the theoretical clock shift value, an average of the determined identification errors and a variance of the determined identification errors that have been received multiple times;
Calculating a cumulative identification error using the mean value of the identification errors, the variance of the identification errors and the theoretical clock offset value; and if the cumulative identification error exceeds a certain threshold, determining that an in-vehicle network is abnormal; and if the cumulative identification error does not exceed the given threshold, determine that the in-vehicle network is normal.
[2]
2. The in-vehicle network intrusion detection method according to claim 1, wherein the specific operation for obtaining the theoretical clock shift value by examining the time information of the packets transmitted by each transmitting node in normal network conditions is as follows:
acquiring a time stamp of the reception time of the i-th received packet;
calculating an average transmission period of the N packets using the time stamp of the reception time of the i-th received packet;
calculating a cumulative clock deviation using the reception time interval between the i-th and the first received packet and the time stamp of the reception time; and
calculating the actual clock shift value from the cumulative clock deviation to obtain the theoretical clock shift value.
CH 714 535 B1
[3]
3. The in-vehicle network intrusion detection method according to claim 1, wherein calculating the identification error and the actual clock shift value by means of the reception time and the reception time interval comprises:
defining a linear regression model $O_{acc}[k] = S[k] \cdot t[k] + e[k]$, where k is the number of times the N packets have been received; wherein the cumulative clock deviation $O_{acc}[k]$ is obtained by analyzing the N packets received for the k-th time, $S[k]$ is the actual clock shift value, $t[k]$ is the system runtime and $e[k]$ is the identification error; and
calculating the identification error using a recursive least squares method according to the linear regression model, the reception time and the reception time interval.
[4]
4. In-vehicle network intrusion detection system for performing the method according to claim 1, comprising: a timer module (1), a detection module (4) and an examination module (3), wherein an output end of the timer module (1) is connected to a communication module (2) of a T-box, an output end of the communication module (2) is connected to the examination module (3), the communication module (2) is also connected bidirectionally to the detection module (3), and an output end of the examination module (3) is connected to the detection module (4); and the timer module (1) is configured to send a system runtime to the communication module (2); wherein the communication module (2) records a time stamp of a reception time of a received packet and the identity of a packet-sending node in accordance with the system runtime; the communication module (2) sends the identity and the time stamp of the reception time to the examination module (3) and to the acquisition module (4); the examination module (3) is configured to determine a theoretical clock shift value of the transmitting node in accordance with the time stamp of the reception time under normal network conditions and to bind the theoretical clock shift value to the identity of the transmitting node; and the detection module (4) is configured to determine a deviation of an actual clock shift value of the transmission node relative to the theoretical clock shift value according to the time stamp of the reception time during an intrusion detection and to infer whether the network is abnormal or normal.
[5]
5. The in-vehicle network intrusion detection system according to claim 4, further comprising a cloud control platform (5), wherein the communication module (2) communicates bidirectionally with the cloud control platform (5); and the communication module (2) is configured to send alarm information to the cloud control platform (5) when the detection module (4) detects a network anomaly, and to receive an online update instruction and an update package sent from the cloud control platform (5).
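The training and detection procedure of claims 1 to 3, as an added Python example that is not part of the patent: the cumulative clock deviation is fitted with recursive least squares to obtain the theoretical clock shift, and a two-sided CUSUM over the identification error flags an impersonating node whose clock skew differs. The transmission period (10 ms, assumed known rather than estimated as in claim 2), N = 20, the clock skews, the timestamp jitter and the CUSUM parameters are constructed assumptions.

```python
"""Clock-skew fingerprinting of a CAN sender (claims 1 to 3): O_acc -> RLS -> CUSUM."""
import random

def batch_offset(stamps, period):
    """Average offset of packet i from its expected arrival time stamps[0] + i*period."""
    n = len(stamps)
    return sum(stamps[i] - stamps[0] - i * period for i in range(1, n)) / (n - 1)

class ClockSkewDetector:
    def __init__(self, period, lam=0.9995, kappa=5.0, gamma=5.0):
        self.period, self.lam, self.kappa, self.gamma = period, lam, kappa, gamma
        self.o_acc, self.s, self.p = 0.0, 0.0, 1.0       # O_acc[k], S[k], RLS covariance
        self.errors, self.mu, self.sigma = [], 0.0, 1.0  # e[k] statistics (normal conditions)
        self.s_theory, self.lp, self.lm = 0.0, 0.0, 0.0  # theoretical shift, CUSUM upper/lower

    def train(self, stamps):
        """Normal conditions: fit O_acc[k] = S[k] * t[k] + e[k] by recursive least squares."""
        self.o_acc += abs(batch_offset(stamps, self.period))
        t = stamps[-1]                          # system runtime t[k] of this batch
        e = self.o_acc - self.s * t             # identification error e[k]
        g = self.p * t / (self.lam + t * t * self.p)
        self.s += g * e
        self.p = (self.p - g * t * self.p) / self.lam
        self.errors.append(e)
        n, self.s_theory = len(self.errors), self.s  # latest S[k] is bound to this sender
        self.mu = sum(self.errors) / n
        self.sigma = max((sum((x - self.mu) ** 2 for x in self.errors) / n) ** 0.5, 1e-9)

    def detect(self, stamps):
        """Two-sided CUSUM of e[k] against the theoretical clock shift; True means abnormal."""
        self.o_acc += abs(batch_offset(stamps, self.period))
        z = (self.o_acc - self.s_theory * stamps[-1] - self.mu) / self.sigma
        self.lp = max(0.0, self.lp + z - self.kappa)
        self.lm = max(0.0, self.lm - z - self.kappa)
        return self.lp > self.gamma or self.lm > self.gamma

def simulate(attack_at=None, n_train=100, n_detect=200, n=20, period=0.01, seed=7):
    """Constructed timestamps: a legitimate ECU with +200 ppm clock skew; from detection batch
    attack_at on, an impersonating node with -300 ppm skew sends its messages instead.
    Returns (theoretical clock shift, index of the first alarming detection batch or None)."""
    rng, det, t0, first_alarm = random.Random(seed), ClockSkewDetector(period), 0.0, None
    for k in range(n_train + n_detect):
        skew = -3e-4 if attack_at is not None and k - n_train >= attack_at else 2e-4
        stamps = [t0 + i * period * (1 + skew) + rng.uniform(-1e-6, 1e-6) for i in range(n)]
        t0 = stamps[-1] + period * (1 + skew)
        if k < n_train:
            det.train(stamps)
        elif det.detect(stamps) and first_alarm is None:
            first_alarm = k - n_train
    return det.s_theory, first_alarm
```

With normal traffic only `simulate()` raises no alarm, while `simulate(attack_at=50)` alarms a few batches after the impersonating node takes over, since its different skew makes the cumulative deviation depart from the theoretical shift.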
Figure text (flowchart of the method):
- Every time a T-Box has received N packets, it detects a sending node identity and the reception time of the N received packets, and a reception time interval of two adjacent packets, where N is a positive integer
- Detecting a clock shift of a transmit node according to the transmit node identity to obtain a theoretical clock shift value.
- Calculate an identification error and an actual clock shift value according to the reception time and the reception time interval
- Compare the actual clock shift value to the theoretical clock shift value to determine the identity of a sending node that is sending a packet
- Calculate, using a cumulative sum method, an average and a variance of the identification errors that have been received multiple times
- Calculate a cumulative identification error according to the mean, the variance and the theoretical clock shift value
- If the cumulative identification value exceeds a given threshold, determining that an in-vehicle network is abnormal; and if the cumulative identification value does not exceed the given threshold, determining that the in-vehicle network is normal.
Patent family:
Publication number | Publication date
CH714535A2|2019-06-28|
CN108111510A|2018-06-01|
Legal status:
2020-04-15| PK| Correction|Free format text: CORRECTION OF INVENTOR |
Priority:
Application number | Filing date | Patent title
CN201711385344.9A|CN108111510A|2017-12-20|2017-12-20|A kind of in-vehicle network intrusion detection method and system|