CN104301177B - Anomaly detection method and system for CAN messages - Google Patents
- Publication number: CN104301177B
- Authority: CN (China)
- Prior art keywords: frames, frame, identifier, index tables, legal
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The present invention proposes an anomaly detection method for CAN messages, comprising the following steps: establishing connections with the gateway and a CAN subnet of a vehicle's CAN bus, and receiving CAN frames from the gateway and the CAN subnet; judging whether the frame format of a CAN frame is correct and, if the frame format is wrong, discarding the CAN frame and raising an alarm; if the frame format is correct, further calling a detection function to check the legality of the CAN frame; if the CAN frame is illegal, judging the CAN frame to be abnormal, discarding it and raising an alarm; if the CAN frame is legal, sending it to the gateway or the CAN subnet. The anomaly detection method of the present invention is simple, efficient, secure and highly practical. The present invention also proposes an anomaly detection system for CAN messages.
Description
Technical Field
The present invention relates to the technical field of CAN bus communication security, and more particularly to an anomaly detection method and system for CAN messages.
Background
The electronic system of an automobile contains multiple electronic control units (ECUs), which communicate with one another over the controller area network (CAN) bus according to the CAN communication protocol. The CAN communication protocol defines a cyclic redundancy check (CRC) field in the data frame to improve the reliability of communication, but it provides no encryption or authentication of data frames and therefore cannot improve the security of communication. If an attacker controls the automobile gateway or an ECU in some CAN subnet, the attacker can send attack messages to any other CAN subnet and affect the normal communication and operation of the ECUs in the entire CAN network.
Existing CAN bus anomaly detection schemes typically design a gateway for the CAN bus. The gateway divides the CAN bus into different subnets, inspects the data frames passing between the subnets, intercepts illegal data frames and raises an alarm. Implementing these schemes currently requires redesigning the hardware and software of the automobile gateway, which is costly.
Summary of the Invention
The present invention aims to solve at least some of the technical problems in the related art.
To this end, a first object of the present invention is to propose an anomaly detection method for CAN messages that is easy to implement and offers high security.
A second object of the present invention is to propose an anomaly detection system for CAN messages.
To achieve the above objects, an embodiment of the present invention proposes an anomaly detection method for CAN messages, comprising the following steps: establishing connections with the gateway and a CAN subnet of a vehicle's CAN bus, and receiving CAN frames from the gateway and the CAN subnet, wherein each CAN frame comprises an identifier and a data field; judging whether the frame format of the CAN frame is correct and, if the frame format is wrong, discarding the CAN frame and raising an alarm; if the frame format is correct, further calling a detection function to check the legality of the CAN frame; if the CAN frame is illegal, judging the CAN frame to be abnormal, discarding it and raising an alarm, wherein the detection function comprises detection of the identifier, statistical characteristics, semantic range and semantic correlation of the CAN frame; if the CAN frame is legal, sending the CAN frame to the gateway or the CAN subnet.
The anomaly detection method for CAN messages according to the embodiment of the present invention establishes connections with the gateway and the CAN subnet of the vehicle's CAN bus and receives CAN frames from them; it judges whether the frame format of each CAN frame is correct and, if the frame format is wrong, discards the CAN frame and raises an alarm; if the frame format is correct, it further calls the detection function to check the legality of the CAN frame; if the CAN frame is illegal, it judges the CAN frame to be abnormal, discards it and raises an alarm. If the CAN frame is legal, it sends the CAN frame to the gateway or the CAN subnet. The anomaly detection method of the present invention is simple, efficient, secure and highly practical.
In some examples, the detection function checks the CAN frame against a preset first CAN frame index table and a preset second CAN frame index table. The first CAN frame index table comprises: the identifier of the CAN frames from the gateway, the maximum and minimum of the data-field semantic value corresponding to the identifier, the frame time interval threshold, the threshold count value, the receive time of the previous frame, the semantic value of the previous frame, and the correlation threshold. The second CAN frame index table comprises: the identifier of the CAN frames from the CAN subnet, the maximum and minimum of the data-field semantic value corresponding to the identifier, the frame time interval threshold, the threshold count value, the receive time of the previous frame, the semantic value of the previous frame, and the correlation threshold.
Further, in some examples, the identifier detection comprises: comparing the identifier of a CAN frame whose frame format is correct with the first CAN frame index table or the second CAN frame index table; if the identifier is not present in the first CAN frame index table or the second CAN frame index table, discarding the CAN frame and raising an alarm; otherwise judging the identifier of the CAN frame to be legal.
In some examples, the statistical characteristic detection comprises: detecting the transmission rate of CAN frames with the same identifier; if the transmission rate is greater than or equal to a preset threshold and the number of consecutive times the transmission rate is greater than or equal to the preset threshold reaches a preset value, judging the CAN frame to be illegal and raising an alarm; otherwise judging the CAN frame to be legal.
In some examples, the semantic range detection comprises: detecting whether the data-field semantic value of the CAN frame lies within a preset range; if so, judging the CAN frame to be legal; otherwise judging the CAN frame to be illegal and raising an alarm.
In some examples, the semantic correlation detection comprises: detecting whether the rate of change of the data-field semantic value of the CAN frame is greater than a preset correlation threshold; if so, judging the CAN frame to be illegal and raising an alarm; otherwise judging the CAN frame to be legal.
An embodiment of the second aspect of the present invention proposes an anomaly detection system for CAN messages, comprising: a first CAN transceiver, connected to the gateway and receiving CAN frames from the gateway, the CAN frames comprising an identifier and a data field; a first CAN controller, for judging whether the frame format of the CAN frames from the gateway is correct; a second CAN transceiver, connected to the CAN subnet and receiving CAN frames from the CAN subnet, the CAN frames comprising an identifier and a data field; a second CAN controller, for judging whether the frame format of the CAN frames from the CAN subnet is correct; a filter, comprising the detection function; an alarm, for raising alarms; and a microcontroller, connected to the first CAN controller, the second CAN controller, the filter and the alarm respectively, for discarding the CAN frame and controlling the alarm to raise an alarm when the first CAN controller or the second CAN controller judges the frame format of the CAN frame to be wrong, and, when the frame format of the CAN frame is correct, calling the detection function of the filter to check the legality of the CAN frame and, if the CAN frame is illegal, judging the CAN frame to be abnormal, discarding it and raising an alarm, wherein the detection function comprises detection of the identifier, statistical characteristics, semantic range and semantic correlation of the CAN frame.
In the anomaly detection system for CAN messages according to the embodiment of the present invention, the first CAN transceiver and the second CAN transceiver establish the connection with the vehicle's CAN bus network and receive CAN frames from the gateway and the CAN subnet of the CAN bus network. The first CAN controller and the second CAN controller judge whether the frame format of each CAN frame is correct; if the frame format is wrong, the microcontroller controls the CAN controller to discard the CAN frame and triggers the alarm. If the frame format is correct, the microcontroller further controls the filter to call the detection function to check the legality of the CAN frame. If the CAN frame is illegal, it is judged abnormal, and the microcontroller controls the filter to discard the CAN frame and triggers the alarm. If the CAN frame is legal, the microcontroller controls the first CAN transceiver or the second CAN transceiver to send the legal CAN frame to the gateway or the CAN subnet. The anomaly detection system of the present invention is simple, efficient, secure and highly practical.
In some examples, the identifier detection comprises: comparing the identifier of a CAN frame whose frame format is correct with the first CAN frame index table or the second CAN frame index table; if the identifier is not present in the first CAN frame index table or the second CAN frame index table, discarding the CAN frame and raising an alarm; otherwise judging the identifier of the CAN frame to be legal.
In some examples, the statistical characteristic detection comprises: detecting the transmission rate of CAN frames with the same identifier; if the transmission rate is greater than or equal to a preset threshold and the number of consecutive times the transmission rate is greater than or equal to the preset threshold reaches a preset value, judging the CAN frame to be illegal and raising an alarm; otherwise judging the CAN frame to be legal.
In some examples, the semantic range detection comprises: detecting whether the data-field semantic value of the CAN frame lies within a preset range; if so, judging the CAN frame to be legal; otherwise judging the CAN frame to be illegal and raising an alarm.
In some examples, the semantic correlation detection comprises: detecting whether the rate of change of the data-field semantic value of the CAN frame is greater than a preset correlation threshold; if so, judging the CAN frame to be illegal and raising an alarm; otherwise judging the CAN frame to be legal.
In some examples, the first CAN transceiver is further used to send the legal CAN frames from the CAN subnet to the gateway.
In some examples, the second CAN transceiver is further used to send the legal CAN frames from the gateway to the CAN subnet.
Additional aspects and advantages of the present invention will be set forth in part in the description that follows, and in part will become apparent from that description or be learned through practice of the invention.
Brief Description of the Drawings
Fig. 1 is a flow chart of the anomaly detection method for CAN messages according to an embodiment of the present invention; and
Fig. 2 is a structural block diagram of the anomaly detection system for CAN messages according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended to explain the present invention, and are not to be construed as limiting it.
The anomaly detection method and system for CAN messages of the present invention are described in detail below with reference to the drawings.
Referring to Fig. 1, the anomaly detection method for CAN messages of the embodiment of the present invention comprises the following steps: establishing connections with the gateway and the CAN subnet of the vehicle's CAN bus, and receiving CAN frames from the gateway and the CAN subnet, each CAN frame comprising an identifier and a data field; judging whether the frame format of the CAN frame is correct and, if the frame format is wrong, discarding the CAN frame and raising an alarm; if the frame format is correct, further calling the detection function to check the legality of the CAN frame; if the CAN frame is illegal, judging the CAN frame to be abnormal, discarding it and raising an alarm, wherein the detection function comprises detection of the identifier, statistical characteristics, semantic range and semantic correlation of the CAN frame; if the CAN frame is legal, sending the CAN frame to the gateway or the CAN subnet. The specific implementation process is as follows:
Step S101: establish connections with the gateway and the CAN subnet of the vehicle's CAN bus, and receive CAN frames from the gateway and the CAN subnet; each CAN frame comprises an identifier and a data field.
Step S102: judge whether the frame format of the CAN frame is correct; if the frame format is wrong, discard the CAN frame and raise an alarm.
Specifically, the purpose of the frame format detection is to judge whether the CAN frame conforms to the CAN communication protocol, that is, the communication protocol of the CAN bus. This includes whether the bit lengths of the individual parts of the frame, such as the identifier (ID) field, control field, data field and check field, and the stuffing are correct; a CRC check is also performed. If the frame format of the CAN frame is wrong, the CAN frame is discarded and an alarm is raised.
In particular, step S102 also detects the frame type of the CAN frames from the gateway and the CAN subnet, that is, it judges whether the received CAN frame is a data frame, a remote frame, an error frame or an overload frame. Note that a remote frame differs from a data frame in that it contains no data field. For error frames and overload frames, only frame format detection is performed. If the frame format of an error frame or overload frame shows no anomaly, the frame passes detection; otherwise it is discarded and an alarm is raised.
Step S103: if the frame format of the CAN frame is correct, further call the detection function to check the legality of the CAN frame.
Specifically, if the frame format of the CAN frame is correct, the receive time, identifier and data-field semantic value of the CAN frame are recorded and stored.
Further, in one embodiment of the present invention, the detection function checks the CAN frames from the gateway or the CAN subnet against a preset first CAN frame index table and a preset second CAN frame index table. The first CAN frame index table comprises: the ID of the CAN frames from the gateway, the maximum and minimum of the data-field semantic value corresponding to the identifier, the frame time interval threshold, the threshold count value, the receive time of the previous frame, the data-field semantic value of the previous frame, and the correlation threshold. The second CAN frame index table comprises: the identifier of the CAN frames from the CAN subnet, the maximum and minimum of the data-field semantic value corresponding to the identifier, the frame time interval threshold, the threshold count value, the receive time of the previous frame, the data-field semantic value of the previous frame, and the correlation threshold. As shown in Table 1, the first CAN frame index table or the second CAN frame index table comprises parameters such as the legal IDs of CAN frames, the maximum and minimum of the data-field semantic value corresponding to each legal ID, the frame time interval threshold, the threshold count value, the receive time of the previous frame, the data-field semantic value of the previous frame, and the correlation threshold. Before the anomaly detection method of the present invention is run, the index tables must be initialized, with the threshold count value initialized to 0. During operation, the detection function calls the index table and updates it after each detection cycle. In particular, for the first CAN frame received for each legal ID, the data-field semantic value and receive time of that frame are used to update the two parameters "data-field semantic value of the previous frame" and "receive time of the previous frame" in the index table, but the anomaly detection related to these two parameters is not performed.
Table 1: CAN frame index table
The detection function comprises detection of the ID, statistical characteristics, semantic range and semantic correlation of the CAN frame. Specifically:
1. The legality check for CAN frames from the gateway comprises:
(1) ID detection: the ID of a CAN frame whose frame format is correct is compared with the first CAN frame index table; if the ID is not present in the first CAN frame index table, the CAN frame is discarded and an alarm is raised; otherwise the ID of the CAN frame is judged legal.
Specifically, the input parameter of the ID detection function is the ID of the CAN frame, and the first CAN frame index table is searched by binary search. If the ID is not found in the first CAN frame index table, the CAN frame is judged to be an attack frame, discarded, and an alarm is raised. If the ID is found, the storage address of the ID in the first CAN frame index table is returned and used as a base address, so that the other parameters of the first CAN frame index table can be accessed directly from this storage address and the offset of each parameter.
(2) Statistical characteristic detection: the transmission rate of CAN frames with the same ID is detected; if the transmission rate is greater than or equal to a preset threshold and the number of consecutive times the transmission rate is greater than or equal to the preset threshold reaches a preset value, that is, the threshold count value reaches a certain limit, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
For example, whether the transmission rate of CAN frames with the same ID is too high can be judged by comparing the receive-time interval of CAN frames with the same ID against the frame time interval threshold. If the receive-time interval is greater than the frame time interval threshold, the threshold count value is set to 0. If the receive-time interval is less than the frame time interval threshold, the threshold count value is incremented by 1 and updated in the CAN index table. When the threshold count value equals some value n, the transmission rate of n consecutive CAN frames has been too high; an attack is judged and an alarm is raised, and the threshold count value is reset to 0. If the threshold count value is not 0 and is less than n, the CAN frame is judged legal.
Further, different security levels can be set by adjusting the value of n in the statistical characteristic detection function: the smaller n is, the higher the security level.
(3) Semantic range detection: whether the data-field semantic value of the CAN frame lies within a preset range is detected; if so, the CAN frame is judged legal; otherwise the CAN frame is judged illegal and an alarm is raised.
If the data-field semantic value of the CAN frame is greater than the maximum, or less than the minimum, of the data-field semantic value for its ID in the CAN index table, the CAN frame is judged to be an attack and an alarm is raised; otherwise the CAN frame is judged legal.
(4) Semantic correlation detection: whether the rate of change of the data-field semantic value of the CAN frame is greater than the correlation threshold is detected; if so, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
Specifically, the rate of change of the data-field semantic value corresponding to the ID of the CAN frame is the ratio of the difference between the data-field semantic values of the CAN frame and the previous CAN frame with the same ID to the receive-time interval. If it is greater than the correlation threshold, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
In particular, in actual operation, after detection the two parameters "receive time of the previous CAN frame" and "data-field semantic value of the previous CAN frame" in the first CAN frame index table must be updated.
It should be pointed out that, since a remote frame contains no data field, only frame format detection, identifier (ID) detection and statistical detection are performed on remote frames.
2. The legality check for CAN frames from the CAN subnet comprises:
(1) ID detection: the ID of a CAN frame whose frame format is correct is compared with the second CAN frame index table; if the ID is not present in the second CAN frame index table, the CAN frame is discarded and an alarm is raised; otherwise the ID of the CAN frame is judged legal.
Specifically, the input parameter of the ID detection function is the ID of the CAN frame, and the second CAN frame index table is searched by binary search. If the ID is not found in the second CAN frame index table, the CAN frame is judged to be an attack frame, discarded, and an alarm is raised. If the ID is found, the storage address of the ID in the second CAN frame index table is returned and used as a base address, so that the other parameters of the second CAN frame index table can be accessed directly from this storage address and the offset of each parameter.
(2) Statistical characteristic detection: the transmission rate of CAN frames with the same ID is detected; if the transmission rate is greater than or equal to a preset threshold and the number of consecutive times the transmission rate is greater than or equal to the preset threshold reaches a preset value, that is, the threshold count value reaches a certain limit, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
For example, whether the transmission rate of CAN frames with the same ID is too high can be judged by comparing the receive-time interval of CAN frames with the same ID against the frame time interval threshold. If the receive-time interval is greater than the frame time interval threshold, the threshold count value is set to 0. If the receive-time interval is less than the frame time interval threshold, the threshold count value is incremented by 1 and updated in the CAN index table. When the threshold count value equals some value n, the transmission rate of n consecutive CAN frames has been too high; an attack is judged and an alarm is raised, and the threshold count value is reset to 0. If the threshold count value is not 0 and is less than n, the CAN frame is judged legal.
Further, different security levels can be set by adjusting the value of n in the statistical characteristic detection function: the smaller n is, the higher the security level.
(3) Semantic range detection: whether the data-field semantic value of the CAN frame lies within a preset range is detected; if so, the CAN frame is judged legal; otherwise the CAN frame is judged illegal and an alarm is raised.
If the data-field semantic value of the CAN frame is greater than the maximum, or less than the minimum, of the data-field semantic value for its ID in the CAN index table, the CAN frame is judged to be an attack and an alarm is raised; otherwise the CAN frame is judged legal.
(4) Semantic correlation detection: whether the rate of change of the data-field semantic value of the CAN frame is greater than the correlation threshold is detected; if so, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
Specifically, the rate of change of the data-field semantic value corresponding to the ID of the CAN frame is the ratio of the difference between the data-field semantic values of the CAN frame and the previous CAN frame with the same ID to the receive-time difference. If it is greater than the correlation threshold, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
In particular, in actual operation, after detection the two parameters "receive time of the previous CAN frame" and "data-field semantic value of the previous CAN frame" in the second CAN frame index table must be updated.
It should be pointed out that, since a remote frame contains no data field, only frame format detection, identifier (ID) detection and statistical characteristic detection are performed on remote frames.
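The four legality checks described above for gateway-side and subnet-side frames, run against one index-table row per legal ID, as an added C example that is not code from the patent. The row layout, the `seen` flag, the millisecond time unit, treating an interval exactly equal to the threshold as not too fast, the use of the absolute difference, and the IDs and thresholds in the demo table are assumptions; the example covers data frames only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef enum { FRAME_OK, BAD_ID, BAD_RATE, BAD_RANGE, BAD_CORRELATION } verdict_t;

/* One index-table row; fields follow the parameter list in the description. */
typedef struct {
    uint32_t id;              /* legal identifier; rows are sorted by id */
    int32_t  min_val;         /* minimum legal data-field semantic value */
    int32_t  max_val;         /* maximum legal data-field semantic value */
    uint32_t min_interval_ms; /* frame time interval threshold */
    uint32_t fast_count;      /* threshold count value, initialised to 0 */
    uint32_t prev_time_ms;    /* receive time of the previous frame */
    int32_t  prev_val;        /* semantic value of the previous frame */
    int32_t  max_rate;        /* correlation threshold, value units per ms */
    bool     seen;            /* added for this example: first frame received? */
} index_entry_t;

/* ID detection: binary search; NULL means the identifier is not in the table. */
static index_entry_t *lookup(index_entry_t *tab, size_t rows, uint32_t id)
{
    size_t lo = 0, hi = rows;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tab[mid].id == id) return &tab[mid];
        if (tab[mid].id < id) lo = mid + 1; else hi = mid;
    }
    return NULL;
}

/* Runs the four checks on one format-valid data frame and updates its row.
 * n is the number of consecutive too-fast frames that triggers an alarm. */
verdict_t check_frame(index_entry_t *tab, size_t rows, uint32_t n,
                      uint32_t id, int32_t val, uint32_t now_ms)
{
    index_entry_t *e = lookup(tab, rows, id);
    if (e == NULL) return BAD_ID;

    verdict_t v = FRAME_OK;
    uint32_t dt = now_ms - e->prev_time_ms;  /* unsigned: survives timer wrap */

    /* Statistical check, skipped for the first frame of an ID.
     * Assumption: an interval equal to the threshold resets the counter. */
    if (e->seen) {
        if (dt < e->min_interval_ms) {
            if (++e->fast_count >= n) { e->fast_count = 0; v = BAD_RATE; }
        } else {
            e->fast_count = 0;
        }
    }
    /* Semantic range check applies to every data frame, the first included. */
    if (v == FRAME_OK && (val < e->min_val || val > e->max_val))
        v = BAD_RANGE;
    /* Semantic correlation: |dv| / dt > max_rate, written as a product so
     * that dt == 0 needs no division. Skipped for the first frame. */
    if (v == FRAME_OK && e->seen) {
        int64_t dv = llabs((int64_t)val - (int64_t)e->prev_val);
        if (dv > (int64_t)e->max_rate * (int64_t)dt) v = BAD_CORRELATION;
    }
    /* Both "previous frame" fields are updated after detection. */
    e->prev_time_ms = now_ms;
    e->prev_val = val;
    e->seen = true;
    return v;
}

/* Constructed two-row table (IDs and thresholds are illustrative only). */
void make_demo_table(index_entry_t out[2])
{
    const index_entry_t rows[2] = {
        { 0x0C8, 0, 250, 10, 0, 0, 0, 2,  false },
        { 0x1A0, 0, 100, 10, 0, 0, 0, 50, false },
    };
    out[0] = rows[0];
    out[1] = rows[1];
}

int main(void)
{
    static const char *name[] = { "ok", "bad id", "bad rate", "bad range", "bad correlation" };
    /* Constructed trace: identifier, semantic value, receive time in ms. */
    const struct { uint32_t id; int32_t val; uint32_t t; } trace[] = {
        { 0x123, 10, 0 }, { 0x0C8, 50, 1000 }, { 0x0C8, 60, 1020 },
        { 0x0C8, 200, 1040 }, { 0x0C8, 300, 1200 },
    };
    index_entry_t tab[2];
    make_demo_table(tab);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("id=0x%03X val=%d t=%u -> %s\n", (unsigned)trace[i].id, (int)trace[i].val,
               (unsigned)trace[i].t, name[check_frame(tab, 2, 3, trace[i].id, trace[i].val, trace[i].t)]);
    return 0;
}
```

Because the row is updated after every frame, a rejected frame still becomes the "previous frame" for the next comparison, which is how the description states the update.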
Step S104: if the CAN frame is legal, send the CAN frame to the gateway or the CAN subnet.
The anomaly detection method for CAN messages according to the embodiment of the present invention establishes connections with the gateway and the CAN subnet of the vehicle's CAN bus and receives CAN frames from them; it judges whether the frame format of each CAN frame is correct and, if the frame format is wrong, discards the CAN frame and raises an alarm; if the frame format is correct, it further calls the detection function to check the legality of the CAN frame; if the CAN frame is illegal, it judges the CAN frame to be abnormal, discards it and raises an alarm. If the CAN frame is legal, it sends the CAN frame to the gateway or the CAN subnet. The anomaly detection method of the present invention is simple, efficient, secure and highly practical.
An embodiment of the second aspect of the present invention proposes an anomaly detection system 100 for CAN messages, comprising: a first CAN transceiver 120, a first CAN controller 122, a second CAN transceiver 140, a second CAN controller 142, a filter 30, an alarm 50, a microcontroller 20, a first CAN frame index table 42 and a second CAN frame index table 44.
The first CAN transceiver 120 is connected to the gateway 200 and receives CAN frames from the gateway 200; the CAN frames comprise an identifier and a data field. The first CAN controller 122 judges whether the frame format of the CAN frames from the gateway 200 is correct. The second CAN transceiver 140 is connected to the CAN subnet 300 and receives CAN frames from the CAN subnet 300; the CAN frames comprise an identifier and a data field. The second CAN controller 142 judges whether the frame format of the CAN frames from the CAN subnet 300 is correct.
The filter 30 comprises the detection function. The alarm 50 raises alarms.
The microcontroller 20 is connected to the first CAN controller 122, the second CAN controller 142, the filter 30 and the alarm 50 respectively. When the first CAN controller 122 or the second CAN controller 142 judges the frame format of a CAN frame to be wrong, the microcontroller discards the CAN frame and controls the alarm 50 to raise an alarm; when the frame format of the CAN frame is correct, it calls the detection function of the filter 30 to check the legality of the CAN frame and, if the CAN frame is illegal, judges the CAN frame to be abnormal, discards it and raises an alarm, wherein the detection function comprises detection of the identifier, statistical characteristics, semantic range and semantic correlation of the CAN frame.
In particular, the frame type of the CAN frames from the gateway and the CAN subnet is also detected, that is, it is judged whether the received CAN frame is a data frame, a remote frame, an error frame or an overload frame. Note that a remote frame differs from a data frame in that it contains no data field. For error frames and overload frames, only frame format detection is performed. If the frame format of an error frame or overload frame shows no anomaly, the frame passes detection; otherwise it is discarded and an alarm is raised.
The system further includes a first CAN frame index table 42 and a second CAN frame index table 44 connected to microcontroller 20. The detection function checks CAN frames against the preset first CAN frame index table 42 and second CAN frame index table 44. The first CAN frame index table 42 includes: the identifiers of CAN frames from gateway 200, the maximum and minimum of the data-field semantic value corresponding to each identifier, the frame time-interval threshold, the threshold count value, the reception time of the previous frame, the semantic value of the previous frame, and the correlation threshold. The second CAN frame index table 44 includes: the identifiers of CAN frames from CAN subnet 300, the maximum and minimum of the data-field semantic value corresponding to each identifier, the frame time-interval threshold, the threshold count value, the reception time of the previous frame, the semantic value of the previous frame, and the correlation threshold.
As shown in Table 2, the first or second CAN frame index table includes parameters such as: the legal ID of the CAN frame, the maximum and minimum of the data-field semantic value corresponding to that legal ID, the frame time-interval threshold, the threshold count value, the reception time of the previous frame, the data-field semantic value of the previous frame, and the correlation threshold. Before the CAN message anomaly detection method of the present invention is run, the index table must be initialized, with the threshold count value initialized to 0. During operation, the detection function calls the index table and updates it after each detection cycle. In particular, for the first CAN frame received for each legal ID, the data-field semantic value and reception time of that first frame are used to update the two index-table parameters "reception time of the previous frame" and "data-field semantic value of the previous frame", but the anomaly checks that depend on these two parameters are not performed.
When system 100 of the present invention is connected to the CAN bus network, the first CAN frame index table 42 and the second CAN frame index table 44 are initialized after power-up, with the threshold count value initialized to 0. During operation, the detection function of filter 30 calls the first CAN frame index table 42 or the second CAN frame index table 44 and updates that table after each detection cycle. In particular, for the first CAN frame received for each legal ID, the data-field semantic value and reception time of that first frame are used to update the two index-table parameters "reception time of the previous frame" and "data-field semantic value of the previous frame", but the anomaly checks that depend on these two parameters are not performed.
Table 2: CAN frame index table
In one embodiment of the invention, the detection function of filter 30 comprises checks of the CAN frame's ID, statistical characteristics, semantic range and semantic correlation. Specifically:
1. The legitimacy check for CAN frames from gateway 200 includes:
(1) ID check: the ID of a CAN frame whose frame format is correct is compared with the first CAN frame index table 42. If the ID is not present in the first CAN frame index table 42, the CAN frame is discarded and an alarm is raised; otherwise the ID of the CAN frame is judged legal.
Specifically, the input parameter of the ID check function is the ID of the CAN frame, and the first CAN frame index table 42 is searched by binary search. If the ID is not found in the first CAN frame index table 42, the CAN frame is judged to be an attack frame, discarded, and an alarm is raised. If the ID is found, its storage address in the first CAN frame index table 42 is returned and used as a base address, so that when the other parameters of the first CAN frame index table 42 are called they can be reached directly from this storage address and the offset address of each parameter.
(2) Statistical characteristic check: the transmission rate of CAN frames with the same ID is checked. If the transmission rate is greater than or equal to a preset threshold, and the number of consecutive times the transmission rate is greater than or equal to the preset threshold reaches a preset value (that is, the threshold count value reaches a certain limit), the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
For example, whether the transmission rate of CAN frames with the same ID is too high can be judged by comparing the reception time interval between CAN frames with the same ID against the time-interval threshold. If the reception time interval is greater than the frame time-interval threshold, the threshold count value is reset to 0. If the reception time interval is less than the frame time-interval threshold, the threshold count value is incremented by 1 and updated in the CAN index table. When the threshold count value equals some value n, the transmission rate of n consecutive CAN frames has been too high; the CAN frame is judged to be an attack, an alarm is raised, and the threshold count value is reset to 0. If the threshold count value is not 0 and is less than n, the CAN frame is judged legal.
Further, different security levels can be set by adjusting the value of n in the statistical check function: the smaller n is, the higher the security level.
(3) Semantic range check: it is checked whether the data-field semantic value of the CAN frame lies within a preset range. If so, the CAN frame is judged legal; otherwise the CAN frame is judged illegal and an alarm is raised.
If the data-field semantic value of the CAN frame is greater than the maximum data-field semantic value, or less than the minimum data-field semantic value, stored for its ID in the CAN index table, the CAN frame is judged to be an attack and an alarm is raised; otherwise the CAN frame is judged legal.
(4) Semantic correlation check: it is checked whether the rate of change of the data-field semantic value of the CAN frame exceeds the correlation threshold. If so, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
Specifically, the rate of change of the data-field semantic value corresponding to the ID of the CAN frame is the ratio of the difference between the data-field semantic values of this CAN frame and the previous CAN frame with the same ID to the difference between their reception times. If this ratio is greater than the correlation threshold, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
In particular, in actual operation, after the check the two parameters "reception time of the previous CAN frame" and "data-field semantic value of the previous CAN frame" in the first CAN frame index table 42 must be updated.
It should be pointed out that, because a remote frame contains no data field, only the frame format check, the identifier (ID) check and the statistical characteristic check are performed on remote frames.
2. The legitimacy check for CAN frames from CAN subnet 300 includes:
(1) ID check: the ID of a CAN frame whose frame format is correct is compared with the second CAN frame index table 44. If the ID is not present in the second CAN frame index table 44, the CAN frame is discarded and an alarm is raised; otherwise the ID of the CAN frame is judged legal.
Specifically, the input parameter of the ID check function is the ID of the CAN frame, and the second CAN frame index table 44 is searched by binary search. If the ID is not found in the second CAN frame index table 44, the CAN frame is judged to be an attack frame, discarded, and an alarm is raised. If the ID is found, its storage address in the second CAN frame index table 44 is returned and used as a base address, so that when the other parameters of the second CAN frame index table 44 are called they can be reached directly from this storage address and the offset address of each parameter.
(2) Statistical characteristic check: the transmission rate of CAN frames with the same ID is checked. If the transmission rate is greater than or equal to a preset threshold, and the number of consecutive times the transmission rate is greater than or equal to the preset threshold reaches a preset value (that is, the threshold count value reaches a certain limit), the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
For example, whether the transmission rate of CAN frames with the same ID is too high can be judged by comparing the reception time interval between CAN frames with the same ID against the time-interval threshold. If the reception time interval is greater than the frame time-interval threshold, the threshold count value is reset to 0. If the reception time interval is less than the frame time-interval threshold, the threshold count value is incremented by 1 and updated in the CAN index table. When the threshold count value equals some value n, the transmission rate of n consecutive CAN frames has been too high; an attack is judged to have occurred, an alarm is raised, and the threshold count value is reset to 0. If the threshold count value is not 0 and is less than n, the CAN frame is judged legal.
Further, different security levels can be set by adjusting the value of n in the statistical check function: the smaller n is, the higher the security level.
(3) Semantic range check: it is checked whether the data-field semantic value of the CAN frame lies within a preset range. If so, the CAN frame is judged legal; otherwise the CAN frame is judged illegal and an alarm is raised.
If the data-field semantic value of the CAN frame is greater than the maximum data-field semantic value, or less than the minimum data-field semantic value, stored for its ID in the CAN index table, the CAN frame is judged to be an attack and an alarm is raised; otherwise the CAN frame is judged legal.
(4) Semantic correlation check: it is checked whether the rate of change of the data-field semantic value of the CAN frame exceeds the correlation threshold. If so, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
Specifically, the rate of change of the data-field semantic value corresponding to the ID of the CAN frame is the ratio of the difference between the data-field semantic values of this CAN frame and the previous CAN frame with the same ID to the reception time interval between them. If this ratio is greater than the correlation threshold, the CAN frame is judged illegal and an alarm is raised; otherwise the CAN frame is judged legal.
In particular, in actual operation, after the check the two parameters "reception time of the previous CAN frame" and "data-field semantic value of the previous CAN frame" in the second CAN frame index table 44 must be updated.
It should be pointed out that, because a remote frame contains no data field, only the frame format check, the identifier (ID) check and the statistical characteristic check are performed on remote frames.
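The four checks described above for frames from gateway 200 and from CAN subnet 300 differ only in the index table they consult, so one routine can serve both. The following C example is added here for illustration and is not code from the patent: the type and function names, the `has_time`/`has_val` first-frame flags, the already-decoded `value` field, the handling of an interval exactly equal to the threshold, and the sample table and trace are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { V_LEGAL, V_BAD_ID, V_BAD_RATE, V_BAD_RANGE, V_BAD_CORR } verdict_t;

/* One row of a CAN frame index table, with the fields the description lists. */
typedef struct {
    uint32_t id;           /* legal identifier; rows are sorted by id */
    double   min_val;      /* minimum data-field semantic value */
    double   max_val;      /* maximum data-field semantic value */
    double   interval_thr; /* frame time-interval threshold (seconds) */
    double   corr_thr;     /* correlation threshold: max change per second */
    unsigned count;        /* threshold count value, initialised to 0 */
    double   last_time;    /* reception time of the previous frame */
    double   last_val;     /* semantic value of the previous frame */
    bool     has_time;     /* assumption: a previous frame has been seen */
    bool     has_val;      /* assumption: a previous value has been stored */
} index_entry_t;

/* Assumption: the data field is already decoded into one semantic value. */
typedef struct { uint32_t id; bool remote; double value; double t; } frame_t;

/* (1) Identifier check: binary search of the sorted index table. */
static index_entry_t *find_entry(index_entry_t *tab, size_t n, uint32_t id)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (tab[mid].id == id) return &tab[mid];
        if (tab[mid].id < id) lo = mid + 1; else hi = mid;
    }
    return NULL;
}

/* Runs checks (1)-(4) on one frame; limit_n is the "n" of the rate check. */
verdict_t check_frame(index_entry_t *tab, size_t n, const frame_t *f, unsigned limit_n)
{
    index_entry_t *e = find_entry(tab, n, f->id);
    if (e == NULL) return V_BAD_ID;

    verdict_t v = V_LEGAL;
    double dt = f->t - e->last_time;

    /* (2) Statistical check, skipped for the first frame of an ID.
     * Assumption: an interval equal to the threshold resets the counter. */
    if (e->has_time) {
        if (dt < e->interval_thr) {
            if (++e->count >= limit_n) { e->count = 0; v = V_BAD_RATE; }
        } else {
            e->count = 0;
        }
    }
    if (!f->remote) {      /* remote frames carry no data field */
        /* (3) Semantic range check. */
        if (v == V_LEGAL && (f->value < e->min_val || f->value > e->max_val))
            v = V_BAD_RANGE;
        /* (4) Semantic correlation check; |dv|/dt > thr written without division. */
        if (v == V_LEGAL && e->has_val) {
            double dv = f->value - e->last_val;
            if (dv < 0) dv = -dv;
            if (dv > e->corr_thr * dt) v = V_BAD_CORR;
        }
        /* Updated after every check, as the description states. */
        e->last_val = f->value;
        e->has_val = true;
    }
    e->last_time = f->t;
    e->has_time = true;
    return v;
}

/* Constructed sample table (values are illustrative, not from the patent). */
static index_entry_t demo_tab[] = {
    { .id = 0x0C0, .min_val = 0,   .max_val = 250, .interval_thr = 0.010, .corr_thr = 50 },
    { .id = 0x1A0, .min_val = -40, .max_val = 150, .interval_thr = 0.050, .corr_thr = 10 },
};

verdict_t demo_feed(uint32_t id, bool remote, double value, double t)
{
    frame_t f = { id, remote, value, t };
    return check_frame(demo_tab, 2, &f, 3);   /* n = 3 */
}

int main(void)
{
    static const char *name[] = { "legal", "bad id", "bad rate", "bad range", "bad correlation" };
    const frame_t trace[] = {                  /* constructed trace */
        {0x123, false, 1.0, 0.000}, {0x0C0, false, 60.0, 0.000}, {0x0C0, false, 60.5, 0.020},
        {0x1A0, false, 200.0, 0.020}, {0x0C0, false, 90.0, 0.040}, {0x0C0, false, 90.0, 0.042},
        {0x0C0, false, 90.0, 0.044}, {0x0C0, false, 90.0, 0.046}, {0x0C0, true, 0.0, 0.100},
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("id=%03X t=%.3f -> %s\n", (unsigned)trace[i].id, trace[i].t,
               name[demo_feed(trace[i].id, trace[i].remote, trace[i].value, trace[i].t)]);
    return 0;
}
```

Because the stored previous value is updated after every check, a rejected frame also becomes the baseline for the next correlation check; whether rejected frames should update the table is a design decision the description leaves open.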
Further, after filter 30 finds a CAN frame from gateway 200 or CAN subnet 300 legal, the legal CAN frame is sent, under the control of microcontroller 20, to gateway 200 or CAN subnet 300 through the first CAN transceiver 120 or the second CAN transceiver 140.
Specifically, taking Fig. 2 as an example, the working process of the anomaly detection system 100 for an automobile CAN bus of the present invention is described as follows:
(1) When the first CAN transceiver 120 receives a CAN frame from gateway 200, microcontroller 20 controls the first CAN controller 122 to perform the frame format check on the CAN frame.
If the frame format of the CAN frame is correct, the first CAN controller 122 sends the data frame to microcontroller 20. Otherwise, the data frame is discarded and microcontroller 20 triggers alarm 50 to raise an alarm. Microcontroller 20 sends the CAN frame with the correct frame format to filter 30.
Filter 30 receives the CAN frame with the correct frame format and performs the ID check, statistical characteristic check, semantic range check and semantic correlation check. When any one of these check functions finds the CAN frame illegal, the CAN frame is discarded and microcontroller 20 triggers the alarm.
(2) When the second CAN transceiver 140 receives a CAN frame from CAN subnet 300, a signal is sent to microcontroller 20 through the second CAN controller 142, and microcontroller 20 controls the second CAN controller 142 to perform the frame format check on the CAN frame.
If the frame format of the CAN frame is correct, the second CAN controller 142 sends the data frame to microcontroller 20. Otherwise, the data frame is discarded and microcontroller 20 triggers alarm 50 to raise an alarm. Microcontroller 20 sends the CAN frame with the correct frame format to filter 30. Filter 30 receives the CAN frame with the correct frame format and performs the ID check, statistical characteristic check, semantic range check and semantic correlation check. When any one of these check functions finds the CAN frame illegal, the CAN frame is discarded and microcontroller 20 triggers the alarm.
After the above legitimacy check is passed, the microcontroller controls the first CAN transceiver 120 or the second CAN transceiver 140 to send the legal CAN frame to gateway 200 or CAN subnet 300.
In the CAN message anomaly detection system according to the embodiment of the present invention, the first CAN transceiver and the second CAN transceiver establish the connection with the vehicle's CAN bus network and receive CAN frames from the gateway and the CAN subnet of the CAN bus network. The first CAN controller and the second CAN controller judge whether the frame format of a CAN frame is correct. If the frame format of the CAN frame is wrong, the microcontroller controls the CAN controller to discard the CAN frame and triggers the alarm. If the frame format of the CAN frame is correct, the microcontroller further controls the filter to call the detection function to check the legitimacy of the CAN frame. If the CAN frame is illegal, the CAN frame is judged abnormal, and the microcontroller controls the filter to discard the CAN frame and triggers the alarm. If the CAN frame is legal, the microcontroller controls the first CAN transceiver or the second CAN transceiver to send the legal CAN frame to the gateway or the CAN subnet. The CAN message anomaly detection system of the present invention is simple, efficient, secure and highly practical.
In the description of the present invention, it is to be understood that the orientations or positional relationships indicated by terms such as "center", "longitudinal", "transverse", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial" and "circumferential" are based on the orientations or positional relationships shown in the drawings. They are used only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be understood as limiting the invention.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of technical features referred to. A feature defined as "first" or "second" may thus explicitly or implicitly include at least one such feature. In the description of the present invention, "plurality" means at least two, for example two or three, unless otherwise specifically defined.
In the present invention, unless otherwise expressly specified and limited, terms such as "installation", "connected", "connection" and "fixation" are to be understood broadly. For example, a connection may be a fixed connection, a detachable connection, or an integral one; it may be a mechanical connection or an electrical connection; it may be a direct connection or an indirect connection through an intermediary; and it may be the internal connection of two elements or the interaction relationship between two elements, unless otherwise expressly limited. For those of ordinary skill in the art, the specific meanings of the above terms in the present invention can be understood according to the specific circumstances.
In the present invention, unless otherwise expressly specified and limited, a first feature being "above" or "below" a second feature may mean that the first and second features are in direct contact, or that the first and second features are in indirect contact through an intermediary. Moreover, a first feature being "on", "over" or "above" a second feature may mean that the first feature is directly above or diagonally above the second feature, or merely that the first feature is at a higher level than the second feature. A first feature being "under", "beneath" or "below" a second feature may mean that the first feature is directly below or diagonally below the second feature, or merely that the first feature is at a lower level than the second feature.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that the specific features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of the present invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided they do not contradict each other, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those different embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be understood as limiting the invention; those skilled in the art may change, modify, replace and vary the above embodiments within the scope of the invention.
Claims (12)
1. A CAN message anomaly detection method, characterized by comprising the following steps:
establishing connections with the gateway and the CAN subnet of a vehicle's CAN bus, and receiving CAN frames from the gateway and the CAN subnet, the CAN frames comprising an identifier and a data field;
judging whether the frame format of the CAN frame is correct, and if the frame format of the CAN frame is wrong, discarding the CAN frame and raising an alarm;
if the frame format of the CAN frame is correct, further calling a detection function to check the legitimacy of the CAN frame;
if the CAN frame is illegal, judging the CAN frame abnormal, discarding the CAN frame and raising an alarm, the detection function comprising checks of the identifier, statistical characteristics, semantic range and semantic correlation of the CAN frame;
if the CAN frame is legal, sending the CAN frame to the gateway or the CAN subnet;
wherein the detection function checks the CAN frames from the gateway or the CAN subnet against a preset first CAN frame index table and a preset second CAN frame index table, and the first CAN frame index table includes: the identifier of the CAN frame from the gateway, the maximum and minimum of the data-field semantic value corresponding to the identifier of the CAN frame, the frame time-interval threshold, the threshold count value, the reception time of the previous frame, the semantic value of the previous frame, and the correlation threshold;
and the second CAN frame index table includes: the identifier of the CAN frame from the CAN subnet, the maximum and minimum of the data-field semantic value corresponding to the identifier of the CAN frame, the frame time-interval threshold, the threshold count value, the reception time of the previous frame, the semantic value of the previous frame, and the correlation threshold.
2. The method according to claim 1, characterized in that the identifier check includes:
comparing the identifier of the CAN frame whose frame format is correct with the first CAN frame index table or the second CAN frame index table; if the identifier is not present in the first CAN frame index table or the second CAN frame index table, discarding the CAN frame and raising an alarm; otherwise judging the identifier of the CAN frame legal.
3. The method according to claim 1, characterized in that the statistical check includes:
checking the transmission rate of CAN frames with the same identifier; if the transmission rate is greater than or equal to a preset threshold and the number of consecutive times the transmission rate is greater than or equal to the preset threshold reaches a predetermined value, judging the CAN frame illegal and raising an alarm; otherwise judging the CAN frame legal.
4. The method according to claim 1, characterized in that the semantic range check includes:
checking whether the data-field semantic value of the CAN frame lies within a preset range; if so, judging the CAN frame legal; otherwise judging the CAN frame illegal and raising an alarm.
5. The method according to claim 1, characterized in that the semantic correlation check includes:
checking whether the rate of change of the data-field semantic value of the CAN frame exceeds a preset correlation threshold; if so, judging the CAN frame illegal and raising an alarm; otherwise judging the CAN frame legal.
6. A CAN message anomaly detection system, characterized by comprising:
a first CAN transceiver, the CAN transceiver being connected to a gateway and receiving CAN frames from the gateway, the CAN frames comprising an identifier and a data field;
a first CAN controller, the first CAN controller being used to judge whether the frame format of the CAN frame from the gateway is correct;
a second CAN transceiver, the CAN transceiver being connected to a CAN subnet and receiving CAN frames from the CAN subnet, wherein the CAN frames comprise an identifier and a data field;
a second CAN controller, the second CAN controller being used to judge whether the frame format of the CAN frame from the CAN subnet is correct;
a filter, the filter comprising a detection function;
an alarm, the alarm being used to raise alarms; and
a microcontroller, the microcontroller being connected to the first CAN controller, the second CAN controller, the filter and the alarm respectively, and being used, when the first CAN controller or the second CAN controller judges the frame format of the CAN frame to be wrong, to discard the CAN frame and control the alarm to raise an alarm, and, when the frame format of the CAN frame is correct, to call the detection function of the filter to check the legitimacy of the CAN frame; if the CAN frame is illegal, the CAN frame is judged abnormal, discarded, and an alarm is raised, wherein the detection function comprises checks of the identifier, statistical characteristics, semantic range and semantic correlation of the CAN frame;
further comprising: a first CAN frame index table and a second CAN frame index table connected to the microcontroller, the detection function checking the CAN frames against the preset first CAN frame index table and the preset second CAN frame index table, wherein the first CAN frame index table includes: the identifier of the CAN frame from the gateway, the maximum and minimum of the data-field semantic value corresponding to the identifier of the CAN frame, the frame time-interval threshold, the threshold count value, the reception time of the previous frame, the semantic value of the previous frame, and the correlation threshold;
and the second CAN frame index table includes: the identifier of the CAN frame from the CAN subnet, the maximum and minimum of the data-field semantic value corresponding to the identifier of the CAN frame, the frame time-interval threshold, the threshold count value, the reception time of the previous frame, the semantic value of the previous frame, and the correlation threshold.
7. The system according to claim 6, characterized in that the identifier check includes: comparing the identifier of the CAN frame whose frame format is correct with the first CAN frame index table or the second CAN frame index table; if the identifier is not present in the first CAN frame index table or the second CAN frame index table, discarding the CAN frame and raising an alarm; otherwise judging the identifier of the CAN frame legal.
8. The system according to claim 6, characterized in that the statistical check includes:
checking the transmission rate of CAN frames with the same identifier; if the transmission rate is greater than or equal to a preset threshold and the number of consecutive times the transmission rate is greater than or equal to the preset threshold reaches a preset value, judging the CAN frame illegal and raising an alarm; otherwise judging the CAN frame legal.
9. The system according to claim 6, characterized in that the semantic range check includes:
checking whether the data-field semantic value of the CAN frame lies within a preset range; if so, judging the CAN frame legal; otherwise judging the CAN frame illegal and raising an alarm.
10. The system according to claim 6, characterized in that the semantic correlation check includes:
checking whether the rate of change of the data-field semantic value of the CAN frame exceeds a preset correlation threshold; if so, judging the CAN frame illegal and raising an alarm; otherwise judging the CAN frame legal.
11. The system according to claim 6, characterized in that the first CAN transceiver is further used to send legal CAN frames from the CAN subnet to the gateway.
12. The system according to claim 6, characterized in that the second CAN transceiver is further used to send legal CAN frames from the gateway to the CAN subnet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410524934.5A CN104301177B (en) | 2014-10-08 | 2014-10-08 | CAN message method for detecting abnormality and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104301177A CN104301177A (en) | 2015-01-21 |
CN104301177B true CN104301177B (en) | 2018-08-03 |
Family
ID=52320755
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410524934.5A Active CN104301177B (en) | 2014-10-08 | 2014-10-08 | CAN message method for detecting abnormality and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104301177B (en) |
CN114630329A (en) | Method and device for identifying relay attack in PEPS scene | |
CN105721334B (en) | Method and equipment for determining transmission path and updating ACL | |
CN100544288C (en) | Client and connection method for detecting thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |