
CN116939611A - Method, device and system for detecting network attack of vehicle-mounted device, electronic equipment and medium - Google Patents

Method, device and system for detecting network attack of vehicle-mounted device, electronic equipment and medium

Info

Publication number: CN116939611A
Authority: CN (China)
Prior art keywords: vehicle, target, network attack, client, server
Legal status: Pending
Application number: CN202311008531.0A
Other languages: Chinese (zh)
Inventors: 胡涛, 范渊, 王欣
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd; priority to CN202311008531.0A; published as CN116939611A (current legal status: pending)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/12 Detection or prevention of fraud > H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication > H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/60 Context-dependent security > H04W12/69 Identity-dependent > H04W12/72 Subscriber identity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a method, device, system, electronic equipment and readable storage medium for detecting network attacks against a vehicle-mounted device (the in-vehicle "car machine" network), applied in the technical field of the Internet of Things. In the method, once the vehicle-mounted client has monitored that the current WiFi environment meets the security requirement, it sends a Probe data frame to the target AP. If the AP server returns a frame-payload-encryption response, the client sends its initial connection data with the target AP to the AP server for verification; the target AP authenticates the vehicle-mounted client, and the vehicle-mounted client in turn verifies the target AP. If the AP server's verification fails and/or the verification of the target AP fails, network attack behaviour is judged to exist and the vehicle-mounted client does not send a connection request to the target AP. The application addresses the poor efficiency and precision of network attack detection in the related art, can efficiently and accurately detect whether an attack exists in the vehicle-mounted network, and effectively improves the security and correctness of the vehicle-mounted network environment.

Description

Technical Field
The application relates to the technical field of the Internet of Things, and in particular to a method, device and system for detecting network attacks against a vehicle-mounted device, together with electronic equipment and a readable storage medium.
Background
With the development of vehicle intelligence and Internet technology, the in-vehicle network module with an intelligent interconnection system (the vehicle-mounted device, or "car machine") provides users with many convenience and entertainment functions, and vehicles depend increasingly on electronic control systems and Internet connectivity. As a result, malicious activity against the vehicle's electronic systems and network is increasingly common: behaviour that interferes with, damages, or gains unauthorised access to the vehicle's information or control, that is, vehicle network security attacks such as remote intrusion and exploitation of software vulnerabilities. These cause privacy leakage and damage to the user's vehicle, such as loss of vehicle control, theft of owner information, remote tracking and monitoring, vehicle immobilisation and faults in the vehicle-mounted system.
The Evil Twins attack is a security attack on wireless networks that seriously threatens the security of the vehicle-mounted network. In an evil twin attack, an attacker creates a false wireless AP (access point) and sets its SSID (Service Set Identifier, the name that identifies a specific wireless local area network) to be the same as, or similar to, that of the legitimate AP, so as to fool the wireless device on the vehicle into connecting to the false AP, the evil twin AP; the attacker can then acquire sensitive information from the vehicle, control the vehicle system, or perform other malicious activity. In an evil twin attack the attacker typically makes use of the wireless communication functions inside the vehicle, such as Bluetooth, WiFi or mobile data networks, and selects the same frequency bands and channels as the wireless networks known to or commonly used by the vehicle, to increase the success rate of the spoofing. Once the devices on the vehicle are connected to the evil twin AP, the attacker can perform further attacks such as man-in-the-middle attacks, password theft and malware implantation. In daily use, if the vehicle's Internet equipment is in an unsafe network carrying the same SSID, it readily connects, because it lacks the capability to authenticate an AP access point with a known SSID, so hidden dangers or damage to the vehicle easily follow. Evil Twins attacks damage the vehicle through approaches such as the following. Through a counterfeit wireless network, an attacker can steal the vehicle user's sensitive information, such as login credentials and bank account information, which may lead to identity theft, financial loss and similar problems. An attacker can also use an Evil Twins attack to obtain the vehicle user's location information, tracking the user's movements and violating privacy.
An attacker can also inject malware or viruses into the vehicle user's equipment through a fake wireless network in order to control or damage the vehicle system, which may lead to a breakdown of the vehicle system, malfunctions or data loss. An attacker can also present a login page through a fake wireless network and deceive the vehicle user into entering sensitive information such as a user name and password, which may lead to account intrusion and personal information disclosure; this is commonly known as phishing.
To avoid disclosure of user privacy and damage to the vehicle, the related art determines that a phishing-attack risk exists in a public WiFi network by comparing the target service set identifier (SSID) and target medium access control (MAC) information of an access point (AP), obtained when the user equipment detects the AP in the public WiFi network, against a pre-stored MAC information reference library. This mapping-and-matching comparison of MAC (Media Access Control address) and SSID can detect some WiFi network attacks, but some upper-layer applications can read AP access point information, including MAC and SSID, and so simulate an identical AP access point, which this scheme cannot detect.
In view of this, how to efficiently and accurately detect whether an attack exists in the vehicle-mounted network, and thereby effectively improve the security and correctness of the vehicle-mounted network environment, is a technical problem that the skilled person needs to solve.
Disclosure of Invention
The application provides a method, device and system for detecting network attacks against a vehicle-mounted device, together with electronic equipment and a readable storage medium, which can efficiently and accurately detect whether an attack exists in the vehicle-mounted network and effectively improve the security and correctness of the vehicle-mounted network environment.
In order to solve the above technical problems, the application provides the following technical scheme:
The application provides a method for detecting network attacks against a vehicle-mounted device, applied to a vehicle-mounted client, comprising the following steps:
when the current WiFi environment is monitored to meet the security requirement, sending a Probe data frame to a target AP;
when a frame-payload-encryption response returned by an AP server is received, sending the initial connection data with the target AP to the AP server for verification, and verifying the target AP according to the received authentication response data sent by the target AP to the vehicle-mounted client;
if the AP server's verification fails and/or the verification of the target AP fails, judging that network attack behaviour exists, and not sending a connection request to the target AP.
Optionally, before the current WiFi environment is monitored to meet the security requirement, the method further includes:
judging whether the current WiFi environment meets the security requirement through network feature analysis of any abnormal AP having the same SSID as the target AP.
Optionally, judging whether the current WiFi environment meets the security requirement through network feature analysis of the abnormal AP having the same SSID as the target AP includes:
judging whether an abnormal AP with the same SSID as the target AP exists in the current WiFi environment;
if no such AP exists, judging that the current WiFi environment meets the security requirement; if one exists, updating a preset network attack risk value and judging whether the abnormal AP is open;
if the abnormal AP is not open, judging that the current WiFi environment meets the security requirement; if the abnormal AP is open, updating the network attack risk value again and judging whether the signal strength of the abnormal AP is greater than a preset strength threshold;
if the signal strength of the abnormal AP is not greater than the preset strength threshold, judging that the current WiFi environment meets the security requirement; if it is greater than the preset strength threshold, updating the network attack risk value again; then, if the updated network attack risk value is greater than the preset risk threshold, judging that network attack behaviour exists in the current WiFi environment, and if the updated network attack risk value is less than or equal to the preset risk threshold, judging that the current WiFi environment meets the security requirement.
Optionally, before the Probe data frame is sent to the target AP, the method further includes:
if the target AP is being connected for the first time, generating a client authentication certificate from the connection time according to the authentication mode, while locally storing the matching authentication information and sending the client authentication certificate to the AP server;
receiving the corresponding AP service certificate fed back by the AP server once its verification of the client authentication certificate is complete, and verifying the AP service certificate based on the authentication information or through an authentication server;
if the verification is unsuccessful, judging that network attack behaviour exists.
Optionally, the corresponding AP service certificate fed back by the AP server once its verification of the client authentication certificate is complete is obtained as follows:
when the verification of the client authentication certificate is complete, if no AP service certificate corresponding to the client MAC exists locally on the AP server, the AP service certificate is generated according to the current time.
Optionally, verifying the target AP according to the received authentication response data sent by the target AP to the vehicle-mounted client includes:
sending an AP identity authentication request to the target AP, and receiving the data packet fed back by the target AP containing the authentication completion response and a client identity authentication request, the data packet carrying the initial connection timestamp of the target AP and the vehicle-mounted client, or the AP identity credential information;
based on the authentication mode, comparing the initial connection timestamp or the AP identity credential information with the corresponding data stored locally to complete the uniqueness check of the target AP.
Another aspect of the present application provides a device for detecting network attacks against a vehicle-mounted device, applied to a vehicle-mounted client, comprising:
an environment monitoring module, for sending a Probe data frame to the target AP when the current WiFi environment is monitored to meet the security requirement;
a verification module, for sending the initial connection data with the target AP to the AP server for verification when a frame-payload-encryption response returned by the AP server is received, and verifying the target AP according to the received authentication response data sent by the target AP to the vehicle-mounted client;
and an attack judging module, for judging that network attack behaviour exists if the AP server's verification fails and/or the verification of the target AP fails, and not sending a connection request to the target AP.
The application also provides an electronic device comprising a processor, which implements the steps of the method for detecting network attacks against a vehicle-mounted device according to any one of the preceding claims when executing a computer program stored in a memory.
The application also provides a readable storage medium on which a computer program is stored which, when executed by a processor, implements the steps of the method for detecting network attacks against a vehicle-mounted device as described in any one of the preceding claims.
Finally, the application provides a system for detecting network attacks against a vehicle-mounted device, comprising an AP access point, a vehicle-mounted client and an AP server. The AP access point provides the wireless network access function for the vehicle-mounted client and supports an access control list; the vehicle-mounted client implements the steps of the method for detecting network attacks against a vehicle-mounted device according to any one of the preceding claims when executing the computer program stored in its memory.
The technical scheme provided by the application has the following advantages. Whether the AP to be connected is a network-attack AP access point can be checked by first detecting whether that AP access point exhibits network attack behaviour characteristics; then, after the target AP verifies the certificate of the vehicle-mounted client during connection, the vehicle-mounted client in turn performs the corresponding certificate verification on the AP to be connected, so that blocking can be performed according to the corresponding policy. Compared with the related art when faced with network attacks on the vehicle-mounted device's WiFi environment carried out by means of upper-layer application software, the precision and efficiency of network attack detection are higher; the vehicle-mounted client does not need to record AP information such as SSID and MAC, part of the work is moved to the AP server, and the load on the vehicle-mounted client is reduced. The scheme suits the construction of the vehicle-mounted device's network environment, can effectively improve the security and accuracy of that environment at lower cost, can be used for vehicle-mounted device interconnection, can essentially be nested into other AP environments, and has better universality.
In addition, the application provides a corresponding device, system, electronic device and readable storage medium implementing the method for detecting network attacks against a vehicle-mounted device, which makes the method more practical; the device, system, electronic device and readable storage medium have the corresponding advantages.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
For a clearer description of the present application or of the technical solutions related thereto, the following brief description will be given of the drawings used in the description of the embodiments or of the related art, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained from these drawings without the inventive effort of a person skilled in the art.
FIG. 1 is a schematic flow chart of the method for detecting network attacks against a vehicle-mounted device provided by the application;
FIG. 2 is a schematic diagram of the interaction flow of the WiFi timing authentication method between the vehicle-mounted client and the AP server according to the application;
FIG. 3 is a schematic diagram of the WiFi environment monitoring flow of the vehicle-mounted client provided by the application;
FIG. 4 is a schematic diagram of the authentication flow when the vehicle-mounted client and the target AP are first connected;
FIG. 5 is a schematic flow chart of the vehicle-mounted client verifying the target AP, provided by the application;
FIG. 6 is a schematic diagram of the structural framework of an exemplary application scenario provided by the application;
FIG. 7 is a block diagram of an embodiment of the device for detecting network attacks against a vehicle-mounted device according to the application;
FIG. 8 is a block diagram of an embodiment of the electronic device according to the application;
FIG. 9 is a block diagram of an embodiment of the system for detecting network attacks against a vehicle-mounted device provided by the application.
Detailed Description
In order to better understand the aspects of the present application, the present application will be described in further detail with reference to the accompanying drawings and the detailed description. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments that those skilled in the art can derive from the embodiments of the application without inventive effort are intended to be within the scope of the application. The terms "comprising" and "having" and any variations thereof in the description and claims of the application and in the foregoing drawings are intended to cover non-exclusive inclusion. The term "exemplary" means "serving as an example, embodiment, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. Various non-limiting embodiments of the present application are described in detail below. Numerous specific details are set forth in the following description in order to provide a better understanding of the application. It will be understood by those skilled in the art that the present application may be practiced without these specific details. In other instances, well known methods, procedures, components and circuits have not been described in detail so as not to obscure the present application.
Referring to FIG. 1, which is a schematic flow chart of the method for detecting network attacks against a vehicle-mounted device provided by the application: to address the attack pattern in which a vehicle-mounted device in a public place connects to an external network, a false Wi-Fi access point (AP) is created to obtain the user's sensitive information, and problems such as disclosure of user privacy and damage to the vehicle system follow, a method for detecting and avoiding vehicle network attacks such as evil twins is provided. The in-vehicle client may be, for example, an IVI (In-Vehicle Infotainment system), an integrated entertainment and information system installed in an automobile that combines vehicle information, entertainment functions and communication technology to provide passengers with various services and functions, enhancing the driving experience and ride comfort. Of course, the in-vehicle client may be any other device capable of performing the above functions, which this application does not limit. This embodiment may include the following:
S101: when the current WiFi environment is monitored to meet the security requirement, sending a Probe data frame to the target AP.
For convenience of description, this embodiment defines the AP access point to which the vehicle-mounted client wants to connect as the target AP. After receiving the Beacon broadcast management frame sent by the AP server, and before sending a Probe data frame to the AP access point carrying the specified SSID (that is, the target AP), the vehicle-mounted client detects whether the current environment meets the security requirement, that is, whether an AP access point of a suspected attacker exists in the current environment. The AP in this embodiment is a wireless AP, that is, a wireless access point, which bridges the wireless network and the wired network, provides the wireless network access function and supports an access control list, so that a mobile computer user can enter the wired network.
S102: and when the frame payload encryption returned by the AP server is received, the primary connection data with the target AP is sent to the AP server for verification, and the target AP is verified according to the received authentication response data of the target AP to the vehicle-mounted client.
In this embodiment, the authentication timing of the AP server and the vehicle-mounted client is shown in fig. 2, where the AP server sends a Beacon broadcast management frame, the vehicle-mounted client sends a Probe Request frame to an AP access point carrying a specified SSID, the AP access point responds to the SSID connection Request of the vehicle-mounted client, the vehicle-mounted client performs identity authentication on the target AP Request, the AP access point responds to the SSID connection Request of the client and carries corresponding identity certificate information of the AP, the vehicle-mounted client performs identity authentication on the AP certificate, and if the connection Request is sent if the connection Request passes, there may be network attack behaviors including, but not limited to, deauthentication attack, disassociation attack, and eval twins attack. The AP server responds to the connection request, and when the vehicle-mounted client does not need to be connected with the AP, the AP server sends a disconnection request. The service module of the AP access point, namely the AP server plays an important role in the network, provides wireless network connection and service, manages and controls the vehicle-mounted client equipment, performs security authentication and encryption on the vehicle-mounted client, interacts with the authentication server when in primary connection to generate an authentication certificate of the AP itself, and transmits the authentication certificate to the client protocol for verification, thereby ensuring the security and performance of the network. 
When the on-vehicle client sends a Probe data frame to request connection from the AP server, if the AP is connected for the first time, authorization authentication is not performed yet or an attacker appears, such as a new evil twins AP access point appears, the AP server returns a frame-payload-encryption (frame-payload-encryption) indicating that any form of frame payload encryption is not accepted. At this time, whether the connection is in the initial connection state or not needs to be judged first, a time stamp is recorded when the initial connection of the AP is successful in the client side, and the time stamp and the generated authentication certificate are transmitted to the AP service. The first connection state, that is, the judgment of the initial connection state, can inquire the initial connection time stored under the same SSID of the client, if not found, the connection is the first connection, if the connection is found, and the time difference is larger, the network attack is judged, if the network attack is the evil twins AP access point. When the vehicle-mounted client receives the response of frame payload encryption, the target AP authenticates the vehicle-mounted client, and then the vehicle-mounted client authenticates the target AP.
S103: if the AP server fails to check and/or fails to check the target AP, judging that network attack behavior exists, and not sending a connection request to the target AP.
After the verification cognition is carried out for many times in the previous step, if authentication or verification is successful each time, the vehicle-mounted client sends a connection request, if one verification is unsuccessful, the vehicle-mounted client directly ends interaction with the target AP, the connection request is not sent to the target AP, and the possibility of network attacks such as evil twins attack is avoided.
The above embodiment does not limit how the step of monitoring whether the current WiFi environment meets the security requirement is performed; this embodiment further provides an implementation of judging whether the current WiFi environment meets the security requirement, which may include the following:
Judge whether the current WiFi environment meets the security requirement through network feature analysis of any abnormal AP having the same SSID as the target AP. That is, detect whether an AP access point exists in the environment that carries the SSID, MAC, BSSID and SSID service information of the target AP, and define such an access point as an abnormal AP: if one exists, the current WiFi environment is shown not to meet the security requirement; if none exists, it is shown to meet it.
As an exemplary embodiment, the WiFi environment detection flow at the initial connection stage of the vehicle-mounted client may be: judge whether an abnormal AP with the same SSID as the target AP exists in the current WiFi environment; if none exists, judge that the current WiFi environment meets the security requirement; if one exists, update the preset network attack risk value and judge whether the abnormal AP is open; if the abnormal AP is not open, judge that the current WiFi environment meets the security requirement; if the abnormal AP is open, update the network attack risk value again and judge whether the signal strength of the abnormal AP is greater than the preset strength threshold; if the signal strength of the abnormal AP is not greater than the preset strength threshold, judge that the current WiFi environment meets the security requirement; if it is greater than the preset strength threshold, update the network attack risk value again; then, if the updated network attack risk value is greater than the preset risk threshold, judge that network attack behaviour exists in the current WiFi environment, and if the updated network attack risk value is less than or equal to the preset risk threshold, judge that the current WiFi environment meets the security requirement.
The network attack risk value is a preset parameter whose numerical value varies; the preset strength threshold and the preset risk threshold are empirical values set according to the actual application scenario and the required detection precision, indicating that when the AP signal strength reaches the strength threshold, or the network attack risk value reaches the risk threshold, the behaviour is most likely a network attack. To make the implementation clearer to those skilled in the art, this embodiment takes the evil twins attack as the example network attack and describes the implementation in an actual application scenario with reference to FIG. 3. In this embodiment the network attack risk value is evil_val: first, detect whether WiFi with the same SSID as the target AP exists; then detect whether the same-named WiFi has evil twins feature values; and finally compare the evil twins feature value with the configured threshold to determine whether an evil twins attack is really present.
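The environment-monitoring flow above (same-SSID abnormal AP, open or not, signal strength, accumulated risk value evil_val against a risk threshold) as runnable code. This is an added example, not code from the patent or from DBAPPSecurity; the scan records, the increment of 1 per finding, the RSSI and risk thresholds, and the use of the BSSID to tell the target AP from an impostor are all constructed assumptions.

```python
"""WiFi environment check run by the in-vehicle client before it sends a
Probe frame (added example, not the patent's code).

Follows the decision flow in the text: find an 'abnormal AP' advertising the
same SSID as the target, raise evil_val when one exists, raise it again when
that AP is open, raise it again when its signal exceeds a preset threshold,
and report an attack when evil_val exceeds the preset risk threshold.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    is_open: bool      # no WPA2/802.1X protection advertised
    rssi_dbm: int      # received signal strength


@dataclass
class Verdict:
    safe: bool
    evil_val: int
    findings: List[str] = field(default_factory=list)


RISK_STEP = 1              # assumed increment per suspicious finding
RSSI_THRESHOLD_DBM = -50   # assumed preset strength threshold
RISK_THRESHOLD = 2         # assumed preset risk threshold


def check_wifi_environment(target_ssid: str, target_bssid: str,
                           scan: List[ScanEntry]) -> Verdict:
    """Return the verdict of the fig. 3 style flow for one scan result."""
    v = Verdict(safe=True, evil_val=0)
    # Abnormal AP: same SSID as the target but not the target itself
    # (assumption: the target is identified by its known BSSID).
    abnormal = [e for e in scan
                if e.ssid == target_ssid and e.bssid.lower() != target_bssid.lower()]
    if not abnormal:
        return v                                   # no same-name AP: safe
    v.evil_val += RISK_STEP
    v.findings.append(f"{len(abnormal)} other AP(s) advertise SSID {target_ssid!r}")

    open_aps = [e for e in abnormal if e.is_open]
    if not open_aps:
        return v                                   # protected twin: safe per the flow
    v.evil_val += RISK_STEP
    v.findings.append("abnormal AP is open (no encryption)")

    strong = [e for e in open_aps if e.rssi_dbm > RSSI_THRESHOLD_DBM]
    if not strong:
        return v                                   # weak signal: safe per the flow
    v.evil_val += RISK_STEP
    loudest = max(e.rssi_dbm for e in strong)
    v.findings.append(f"abnormal AP signal {loudest} dBm exceeds {RSSI_THRESHOLD_DBM} dBm")

    # Final gate: accumulated risk value against the preset risk threshold.
    v.safe = v.evil_val <= RISK_THRESHOLD
    return v


def demo_scans():
    """Constructed scan results covering the four branches of the flow."""
    target = ScanEntry("CarNet", "aa:bb:cc:00:00:01", False, -62)
    other = ScanEntry("CoffeeShop", "11:22:33:00:00:09", True, -40)
    protected_twin = ScanEntry("CarNet", "de:ad:be:ef:00:02", False, -45)
    weak_open_twin = ScanEntry("CarNet", "de:ad:be:ef:00:03", True, -70)
    strong_open_twin = ScanEntry("CarNet", "de:ad:be:ef:00:04", True, -38)
    return {
        "clean": [target, other],
        "protected_twin": [target, protected_twin],
        "weak_open_twin": [target, weak_open_twin],
        "strong_open_twin": [target, strong_open_twin],
    }


def run_demo():
    return {name: check_wifi_environment("CarNet", "aa:bb:cc:00:00:01", scan)
            for name, scan in demo_scans().items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} safe={verdict.safe} evil_val={verdict.evil_val} {verdict.findings}")
```

Because an impostor can also clone the BSSID (the background section notes that upper-layer software can copy MAC and SSID), this scan-level gate only raises the risk value; the certificate and timestamp checks that follow it are what catch a full clone.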
From the above, the embodiment can discover the network attack behavior as soon as possible by monitoring the WiFi environment, which is further beneficial to improving the accuracy and efficiency of network attack detection.
In order to further improve the accuracy and efficiency of network attack detection, the first connection between the vehicle-mounted client and the target AP needs to be verified, which may include the following contents:
If the target AP is being connected to for the first time, generate a client authentication certificate from the connection time according to the authentication mode, store the matching authentication information locally, and send the client authentication certificate to the AP server; receive the corresponding AP service certificate that the AP server feeds back once it has verified the client authentication certificate, and verify that AP service certificate against the locally stored authentication information or through the authentication server; if the verification fails, judge that network attack behaviour exists.
The authentication mode may be any mode pre-configured or supported by both the vehicle-mounted client and the target AP, such as 802.1X or PSK (pre-shared key) authentication. As shown in fig. 4, the matching authentication information the vehicle-mounted client stores locally differs by mode: for PSK, the initial connection time is used as the pre-shared key and the value stored locally is that initial connection time; for 802.1X, the initial connection time is used to generate a certificate at the central authentication server and the value stored locally is part of the certificate information. After receiving the client's certificate (called the client authentication certificate here for ease of distinction), the AP server verifies it. Certificate verification establishes the validity and legitimacy of the peer's certificate in a wireless connection, ensures that the secure session being set up over the WiFi network is with a legitimate server, and prevents man-in-the-middle attacks and data tampering. Once the client certificate passes, the AP server feeds back its own certificate (called the AP service certificate here): it checks whether a certificate bound to the client's MAC address already exists locally, generates one from the current time if not, and sends it to the vehicle-mounted client, which checks it; a failed check indicates the risk of a network attack such as an evil twin.
Because the vehicle-mounted client stored, during the first connection, the information that matches the authentication certificate it generated from the connection time, its verification step can proceed as follows: when the AP server feeds back the stored certificate information, the client either forwards it to the authentication server or matches it directly against its local information; if the match succeeds, the WiFi connection proceeds normally, and if it fails, the connection may be to a network attack such as an evil twin.
Viewed from the direction of certificate verification: the application first accesses the WiFi access point (AP), uses the connection time as the authentication certificate, stores the matching information locally and sends it to the AP server, so that the AP server has a record to hand back for verification whenever this client MAC connects; after the AP service has authenticated the client it feeds back the AP's own certificate, and the client matches that against its stored information to decide whether it is talking to the real AP service, and hence whether a network attack is under way. This makes it straightforward to recognise an AP in the vehicle's network environment that shows the characteristics of an evil twin attack. In most cases an evil twin attack can thus be identified effectively, information leakage is stopped at its root, and the security and correctness of the vehicle-mounted environment are ensured.
The embodiment above does not restrict how the vehicle-mounted client verifies the target AP; the present application further provides an exemplary embodiment, which may include the following:
the vehicle-mounted client sends an AP identity authentication request to the target AP and receives, from the target AP, a data packet carrying the authentication-completion response and the client identity authentication request; the data packet carries the initial connection time stamp or the AP identity credential information of the target AP and the vehicle-mounted client; referring to fig. 5, depending on the authentication mode, the uniqueness check of the target AP is completed by comparing the initial connection time stamp or the AP identity credential information with the corresponding data stored locally.
The AP's authentication response carries the client's identity credential information once the AP has authenticated the vehicle-mounted client; the vehicle-mounted client then verifies the AP and so detects whether a network attack such as an evil twin is at hand.
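The first-connection exchange and the later AP identity check described in the preceding paragraphs, modelled as an added example with both sides in one process (this is not the patent's or DBAPPSecurity's code). The patent only says the credentials are generated from the first-connection time; binding that time to a per-side key with HMAC-SHA256, the class and field names, the MAC addresses and the timestamps are assumptions made here. The rogue AP stands in for an evil twin that clones the SSID and BSSID but never took part in the first connection.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def derive_credential(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over the joined parts. Keying the timestamp this way is an
    assumption of this example; the patent only says the credential is
    generated from the connection time."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


@dataclass
class ApServer:
    """Legitimate AP service: keeps one record per client MAC."""
    bssid: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    records: Dict[str, dict] = field(default_factory=dict)

    def register_first_connection(self, client_mac: str, t0: int, client_cred: str) -> str:
        # Record the client's credential on first sight; if no AP service
        # certificate exists for this MAC yet, generate one from the
        # first-connection time and hand it back.
        rec = self.records.get(client_mac)
        if rec is None:
            rec = {"t0": t0, "client_cred": client_cred,
                   "ap_cert": derive_credential(self.key, self.bssid, client_mac, str(t0))}
            self.records[client_mac] = rec
        return rec["ap_cert"]

    def verify_primary_connection(self, client_mac: str, t0: int, client_cred: str) -> bool:
        rec = self.records.get(client_mac)
        return (rec is not None and rec["t0"] == t0
                and hmac.compare_digest(rec["client_cred"], client_cred))

    def identity_response(self, client_mac: str) -> Optional[dict]:
        # Authentication-completion response carrying what the AP stored.
        rec = self.records.get(client_mac)
        if rec is None:
            return None
        return {"status": "auth_complete", "t0": rec["t0"], "ap_cert": rec["ap_cert"]}


@dataclass
class EvilTwinAp:
    """Rogue AP cloning the BSSID. It accepts any client but holds no record of
    the first connection, so it cannot reproduce the stored time stamp or cert."""
    bssid: str

    def verify_primary_connection(self, client_mac: str, t0: int, client_cred: str) -> bool:
        return True  # an attacker waves every client through

    def identity_response(self, client_mac: str) -> Optional[dict]:
        return {"status": "auth_complete", "t0": 0, "ap_cert": "deadbeef"}


@dataclass
class VehicleClient:
    mac: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    store: Dict[str, dict] = field(default_factory=dict)  # bssid -> first-connection record

    def first_connect(self, ap: ApServer, now: int) -> None:
        cred = derive_credential(self.key, self.mac, str(now))
        ap_cert = ap.register_first_connection(self.mac, now, cred)
        self.store[ap.bssid] = {"t0": now, "client_cred": cred, "ap_cert": ap_cert}

    def verify_ap(self, ap) -> Tuple[bool, str]:
        rec = self.store.get(ap.bssid)
        if rec is None:
            return False, "no first-connection record for this BSSID"
        # Step 1: AP server checks the primary connection data.
        if not ap.verify_primary_connection(self.mac, rec["t0"], rec["client_cred"]):
            return False, "AP server rejected primary connection data"
        # Step 2: client checks the AP's identity data against its local record.
        resp = ap.identity_response(self.mac)
        if resp is None or resp.get("status") != "auth_complete":
            return False, "no authentication-complete response"
        if resp["t0"] != rec["t0"] or not hmac.compare_digest(resp["ap_cert"], rec["ap_cert"]):
            return False, "AP credential does not match local record: possible evil twin"
        return True, "AP verified"


def run_scenario() -> Tuple[bool, bool]:
    """First connection to the real AP, then verification of the real AP and of
    a rogue AP that clones its BSSID. Returns (legit_ok, rogue_ok)."""
    legit = ApServer(bssid="aa:bb:cc:dd:ee:01")
    car = VehicleClient(mac="de:ad:be:ef:00:01")
    car.first_connect(legit, now=1_691_625_600)  # constructed first-connection time
    legit_ok, _ = car.verify_ap(legit)
    rogue_ok, _ = car.verify_ap(EvilTwinAp(bssid=legit.bssid))
    return legit_ok, rogue_ok


if __name__ == "__main__":
    print(run_scenario())
```

The check is trust-on-first-use: it cannot tell a rogue AP from the real one during the very first connection, which is why the patent runs the WiFi environment check before that connection is attempted. Sending the raw first-connection time over the air would let an eavesdropper replay it, so a deployment should transmit only a keyed value derived from it, as this example does.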
To make the technical solution clearer to those skilled in the art, the application further provides an application scenario embodiment, shown in fig. 6. The vehicle-mounted network attack detection method of any of the embodiments above can be used for the security inspection of networked devices such as the vehicle IVI, to prevent the damage caused by evil twin attacks; the security mechanism is integrated into the vehicle system and includes, but is not limited to, the following. On the first connection to an AP access point, the client sends its connection time stamp and the certificate it will use to check the AP service to the AP access server, so that the AP access point can be checked whenever needed. When the client needs to connect to a given AP access point, it first checks whether the current vehicle's WiFi environment shows evil twin characteristics, namely an AP carrying the same SSID, BSSID or MAC information as the AP access point it is about to connect to, which is typically open and whose signal is very strong. After the AP access end has verified the connecting client's certificate, the client in turn verifies the certificate of the AP access point it first connected to: the credentials (initial time stamps) held by the client and by the AP end are compared, and an inconsistency indicates a potential evil twin attack. The risk from a malicious wireless network can thereby be reduced effectively. The method also has wider application scenarios and audiences, and can be combined with secure communication protocols, encryption of sensitive data, access control and authentication, and so on.
For example, vehicle manufacturers may provide security updates and firmware upgrades according to this scheme to fix known vulnerabilities and weaknesses, maintain the security of vehicle systems, and stop such attacks, and similar ones, at the root. Vehicle application developers can generate a network connection alarm based on this scheme to notify the vehicle owner, the vehicle manufacturer or the relevant service provider, which helps raise alertness to evil twin attacks and avoids becoming an attacker's target.
It should be noted that, in the present application, the steps are not strictly executed sequentially, so long as they conform to the logic sequence, and the steps may be executed simultaneously or according to a certain preset sequence, and fig. 1-5 are only schematic, and do not represent only such an execution sequence.
The application also provides a device corresponding to the vehicle-mounted network attack detection method, applied to the vehicle-mounted client, which makes the method more practical. The device may be described separately from the perspective of its functional modules and from that of its hardware. In the following description the application provides a vehicle-mounted network attack detection device configured to implement the vehicle-mounted network attack detection method provided by the application; in this embodiment the device may include, or be divided into, one or more program modules that are stored in a storage medium and executed by one or more processors to carry out the method disclosed in the first embodiment. A program module here means a series of computer program instruction segments capable of performing a specific function, which describes the execution of the detection device in the storage medium better than the program itself would. The functions of each program module of this embodiment are described below; the vehicle-mounted network attack detection device described here and the method described above may be read in correspondence with each other.
Based on the angle of the functional module, referring to fig. 7, fig. 7 is a block diagram of the vehicle-to-machine network attack detection device provided by the application under a specific implementation mode, where the device may include:
the environment monitoring module 701 is configured to send a Probe data frame to the target AP when it is monitored that the current WiFi environment meets the security requirement;
the verification module 702 is configured to send, when receiving the encryption of the payload of the frame returned by the AP server, primary connection data with the target AP to the AP server for verification, and verify the target AP according to receiving authentication response data of the target AP to the vehicle-mounted client;
an attack determination module 703, configured to determine that a network attack behavior exists if the AP server fails to check and/or fails to check the target AP, and not send a connection request to the target AP
Optionally, in some implementations of this embodiment, the environmental monitoring module 701 may further be configured to: and judging whether the current WiFi environment meets the security requirement or not through network feature analysis of the abnormal AP with the same SSID as the target AP.
As an alternative implementation of the above embodiment, the environment monitoring module 701 may be further configured to: determine whether the current WiFi environment contains an abnormal AP advertising the same SSID as the target AP; if not, judge that the current WiFi environment meets the security requirement; if so, update the preset network attack risk value and determine whether the abnormal AP is open; if it is not open, judge that the environment meets the security requirement; if it is open, update the risk value again and determine whether the abnormal AP's signal strength exceeds the preset strength threshold; if it does not, judge that the environment meets the security requirement; if it does, update the risk value once more, and judge that the current WiFi environment contains network attack behaviour if the updated risk value exceeds the preset risk threshold, or that it meets the security requirement if the updated risk value is less than or equal to the preset risk threshold.
Optionally, in other implementations of this embodiment, the apparatus may further include a first connection verification module, configured to generate, according to an authentication manner, a client authentication certificate according to a connection time if the target AP is first connected, and store the matching authentication information locally, and send the client authentication certificate to the AP server; receiving a corresponding AP service certificate fed back by the AP server after the verification of the client authentication certificate is completed, and verifying the AP service certificate based on authentication information or through the authentication server; if the verification is unsuccessful, judging that network attack behavior exists.
As an alternative implementation manner of the foregoing embodiment, the foregoing first connection verification module may further be used to: and when the verification of the client authentication certificate is completed, if the AP service certificate corresponding to the client MAC does not exist locally, generating the AP service certificate according to the current time.
Optionally, in other implementations of this embodiment, the verification module 702 may be further configured to: sending an AP identity authentication request to a target AP, and receiving an authentication completion response fed back by the target AP and a data packet of a client identity authentication request; the data packet carries a primary connection time stamp or AP identity credential information of the target AP and the vehicle-mounted client; based on the authentication mode, the uniqueness verification of the target AP is completed by comparing the initial connection time stamp or the AP identity credential information with corresponding data stored locally.
The functions of each functional module of the vehicle-to-machine network attack detection device can be specifically realized according to the method in the method embodiment, and the specific implementation process can refer to the related description of the method embodiment, and the detailed description is omitted herein.
Therefore, the method and the device can efficiently and accurately detect whether the attack exists in the vehicle-to-machine network, and effectively improve the safety and the correctness of the vehicle-to-machine network environment.
The above-mentioned network attack detection device of the automobile machine is described from the perspective of a functional module, and further, the application also provides an electronic device which is described from the perspective of hardware. Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 8, the electronic device comprises a memory 80 for storing a computer program; a processor 81 for implementing the steps of the vehicle-to-machine network attack detection method according to any of the above embodiments when executing a computer program.
Processor 81 may include one or more processing cores, such as a 4-core or 8-core processor, and may also be a controller, microcontroller, microprocessor or other data processing chip. The processor 81 may be implemented in at least one hardware form among DSP (Digital Signal Processor), FPGA (Field-Programmable Gate Array) and PLA (Programmable Logic Array). The processor 81 may also include a main processor, the processor that handles data in the awake state, also called a CPU (Central Processing Unit), and a coprocessor, a low-power processor that handles data in the standby state. In some embodiments the processor 81 may be integrated with a GPU (Graphics Processing Unit) responsible for rendering and drawing the content the display screen is to show. In some embodiments the processor 81 may also include an AI (Artificial Intelligence) processor for computing operations related to machine learning.
Memory 80 may include one or more computer-readable storage media, which may be non-transitory. Memory 80 may also include high-speed random access memory and non-volatile memory, such as one or more magnetic disk storage devices or flash memory devices. In some embodiments the memory 80 is an internal storage unit of the electronic device, such as a hard disk of a server; in other embodiments it is an external storage device of the electronic device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card provided on a server. The memory 80 may also include both internal storage units and external storage devices of the electronic device. It may be used to store not only the application software installed in the electronic device but also data of various kinds, such as the code of the program that carries out the vehicle-mounted network attack detection method, and may also be used to temporarily store data that has been or is to be output. In this embodiment the memory 80 is used at least to store a computer program 801 which, once loaded and executed by the processor 81, implements the relevant steps of the vehicle-mounted network attack detection method disclosed in any of the foregoing embodiments. The resources stored in the memory 80 may further include an operating system 802 and data 803, stored either transiently or permanently. The operating system 802 may include Windows, Unix, Linux and the like. The data 803 may include, but is not limited to, data corresponding to the vehicle-mounted network attack detection result.
In some embodiments, the electronic device may further include a display 82, an input/output interface 83, a communication interface 84 (also called a network interface), a power supply 85 and a communication bus 86. The display 82 and the input/output interface 83, such as a keyboard, belong to the user interface, which may optionally also include standard wired and wireless interfaces. Optionally, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch display or the like; it may also be called a display screen or display unit and serves to show information processed in the electronic device and a visual user interface. The communication interface 84 may optionally include a wired interface and/or a wireless interface, such as a WI-FI or Bluetooth interface, and is typically used to establish a communication connection between the electronic device and other electronic devices. The communication bus 86 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others, and may be classified as an address bus, a data bus or a control bus. For ease of illustration only one thick line is shown in fig. 8, but this does not mean there is only one bus or one type of bus.
Those skilled in the art will appreciate that the configuration shown in fig. 8 is not limiting of the electronic device and may include more or fewer components than shown, for example, may also include sensors 87 to perform various functions.
The functions of each functional module of the electronic device of the present application may be specifically implemented according to the method in the above method embodiment, and the specific implementation process may refer to the relevant description of the above method embodiment, which is not repeated herein.
Therefore, the method and the device can efficiently and accurately detect whether the attack exists in the vehicle-to-machine network, and effectively improve the safety and the correctness of the vehicle-to-machine network environment.
It will be appreciated that if the vehicle-mounted network attack detection method of the above embodiments is implemented in the form of a software functional unit and sold or used as a separate product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes over the related art, or in whole or in part, may be embodied as a software product stored in a storage medium, which performs all or part of the steps of the methods of the various embodiments of the present application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrically erasable programmable ROM, registers, a hard disk, a multimedia card, a card-type memory (e.g. SD or DX memory), a magnetic memory, a removable disk, a CD-ROM, a magnetic disk or an optical disk.
Based on this, the application also provides a readable storage medium storing a computer program, which when executed by a processor, performs the steps of the network attack detection method of any embodiment of the vehicle machine.
Finally, the present application also provides a system for detecting network attack of a vehicle machine, referring to fig. 9, which may include:
the in-vehicle network attack detection system may include an AP access point 901, an in-vehicle client 902, and an AP server 903. The AP access point 901 is configured to provide a wireless network access function for the vehicle client and support an access control list, where the AP access point 901 may include a plurality of APs, one of which is the target AP in the above embodiment. The in-vehicle client 902 executes a computer program stored in a memory to implement the steps of the in-vehicle network attack detection method described in any of the foregoing embodiments. The AP server 903 may refer to the functions and actions of the AP server as described in any of the foregoing embodiments, and the method steps for implementing the functions and actions, which will not be described herein.
The functions of each functional module of the vehicle-to-machine network attack detection system according to the embodiment of the present application may be specifically implemented according to the method in the embodiment of the method, and the specific implementation process may refer to the related description of the embodiment of the method, which is not repeated herein.
Therefore, the method and the device can efficiently and accurately detect whether the attack exists in the vehicle-to-machine network, and effectively improve the safety and the correctness of the vehicle-to-machine network environment.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the hardware including the device and the electronic equipment disclosed in the embodiments, the description is relatively simple because the hardware includes the device and the electronic equipment corresponding to the method disclosed in the embodiments, and relevant places refer to the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The method, the device, the system, the electronic equipment and the readable storage medium for detecting the network attack of the vehicle-mounted device provided by the application are described in detail. The principles and embodiments of the present application have been described herein with reference to specific examples, the description of which is intended only to facilitate an understanding of the method of the present application and its core ideas. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the application can be made without departing from the principles of the application and these modifications and adaptations are intended to be within the scope of the application as defined in the following claims.

Claims (10)

1. The vehicle-mounted network attack detection method is characterized by being applied to a vehicle-mounted client and comprising the following steps of:
when the current WiFi environment is monitored to meet the safety requirement, sending a Probe data frame to a target AP;
when the encrypted frame payload returned by an AP server is received, sending the primary connection data of the target AP to the AP server for verification, and verifying the target AP according to the received authentication response data of the target AP to the vehicle-mounted client;
if the AP server fails to check and/or fails to check the target AP, judging that network attack behavior exists, and not sending a connection request to the target AP.
2. The method for detecting a network attack on a vehicle according to claim 1, wherein before the current WiFi environment is detected to meet the security requirement, further comprising:
and judging whether the current WiFi environment meets the security requirement or not through network feature analysis of the abnormal AP with the same SSID as the target AP.
3. The method for detecting a network attack of a vehicle-mounted device according to claim 2, wherein the determining whether the current WiFi environment meets the security requirement by analyzing the network characteristics of the abnormal AP having the same SSID as the target AP includes:
judging whether an abnormal AP with the same SSID as the target AP exists in the current WiFi environment or not;
if the WiFi environment does not exist, judging that the current WiFi environment meets the safety requirement; if yes, updating a preset network attack risk value, and judging whether the abnormal AP is open;
if the abnormal AP is not open, judging that the current WiFi environment meets the safety requirement; if the abnormal AP is open, updating the network attack risk value again, and judging whether the signal intensity of the abnormal AP is larger than a preset intensity threshold value;
if the signal intensity of the abnormal AP is not greater than a preset intensity threshold, judging that the current WiFi environment meets the safety requirement; if the abnormal AP is larger than a preset intensity threshold, updating the network attack risk value again, if the updated current network attack risk value is larger than the preset risk threshold, judging that the current WiFi environment has network attack behaviors, and if the updated current network attack risk value is smaller than or equal to the preset risk threshold, judging that the current WiFi environment meets the safety requirement.
4. The method for detecting a network attack on a vehicle according to claim 1, wherein before the Probe data frame is sent to the target AP, further comprising:
if the target AP is connected for the first time, generating a client authentication certificate according to an authentication mode through connection time, and simultaneously, locally storing matched authentication information and sending the client authentication certificate to the AP server;
receiving a corresponding AP service certificate fed back by the AP server after the verification of the client authentication certificate is completed, and verifying the AP service certificate based on the authentication information or through an authentication server;
if the verification is unsuccessful, judging that network attack behavior exists.
5. The method for detecting a network attack of a vehicle-mounted device according to claim 4, wherein the AP server feeding back the corresponding AP service certificate after completing verification of the client authentication certificate comprises:
when the verification of the client authentication certificate is completed, if the AP service certificate corresponding to the client MAC does not exist locally, the AP service certificate is generated according to the current time.
6. The method for detecting a network attack on a vehicle according to any one of claims 1 to 5, wherein the verifying the target AP according to the received authentication response data of the target AP to the vehicle-mounted client includes:
Sending an AP identity authentication request to the target AP, and receiving a data packet of an authentication completion response and a client identity authentication request fed back by the target AP; the data packet carries an initial connection time stamp or AP identity credential information of the target AP and the vehicle-mounted client;
based on an authentication mode, the initial connection time stamp or the AP identity credential information is compared with corresponding data stored locally to finish the uniqueness check of the target AP.
7. A vehicle-mounted network attack detection device, characterized in that it is applied to a vehicle-mounted client and comprises:
the environment monitoring module is used for sending a Probe data frame to the target AP when the current WiFi environment is monitored to meet the safety requirement;
the verification module is used for sending the primary connection data with the target AP to the AP server for verification when the encrypted frame payload returned by the AP server is received, and for verifying the target AP according to the received authentication response data of the target AP to the vehicle-mounted client;
and the attack judging module is used for judging that network attack behaviors exist if the AP server fails to check and/or fails to check the target AP, and not sending a connection request to the target AP.
8. An electronic device comprising a processor and a memory, the processor being configured to implement the steps of the car machine network attack detection method according to any of claims 1 to 6 when executing a computer program stored in the memory.
9. A readable storage medium, wherein a computer program is stored on the readable storage medium, the computer program implementing the steps of the car machine network attack detection method according to any one of claims 1 to 6 when executed by a processor.
10. A vehicle-mounted network attack detection system, characterized by comprising an AP access point, a vehicle-mounted client and an AP server;
the AP access point is configured to provide a wireless network access function for the vehicle-mounted client and to support an access control list;
the vehicle-mounted client implements the steps of the vehicle-mounted device network attack detection method according to any one of claims 1 to 6 when executing the computer program stored in the memory.
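The following is an added illustration of the client-side logic in claims 6 and 7 (the uniqueness check of the target AP against locally stored first-connection data, and the attack judgment that withholds the connection request when either the AP server check or the AP check fails). It is not code from the patent or its applicant; the packet layout, the BSSID and key values, the HMAC-SHA256 construction of the AP identity credential and the function names are all assumptions made for this example, and the claims do not specify them.

```python
"""Constructed example of the vehicle-mounted client checks described in claims 6 and 7.

Assumptions (not from the patent): the AP identity credential is an HMAC-SHA256
over the AP identity and the first-connection timestamp, and the client keeps a
local record per BSSID from its first successful connection.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class AuthMode(Enum):
    """Authentication mode: which field of the packet is compared (claim 6)."""
    TIMESTAMP = "timestamp"
    CREDENTIAL = "credential"


@dataclass(frozen=True)
class LocalApRecord:
    """Data the client stored locally at its first connection to this AP (constructed)."""
    bssid: str
    initial_connection_ts: int
    credential_key: bytes  # assumed shared secret used to derive the AP identity credential


@dataclass(frozen=True)
class AuthCompletionPacket:
    """The AP's authentication completion response plus client identity request (claim 6)."""
    bssid: str
    initial_connection_ts: Optional[int]
    ap_credential: Optional[bytes]
    client_auth_challenge: bytes  # the AP's client identity authentication request


def derive_ap_credential(key: bytes, bssid: str, ts: int) -> bytes:
    """Assumed credential construction: HMAC-SHA256 over AP identity and first-connection time."""
    return hmac.new(key, f"{bssid}|{ts}".encode(), hashlib.sha256).digest()


def verify_target_ap(packet: AuthCompletionPacket,
                     local_store: Dict[str, LocalApRecord],
                     mode: AuthMode) -> bool:
    """Uniqueness check of the target AP: compare the packet field selected by the
    authentication mode with the locally stored data for that BSSID."""
    record = local_store.get(packet.bssid)
    if record is None:
        return False  # no first-connection record: the AP cannot be confirmed
    if mode is AuthMode.TIMESTAMP:
        return (packet.initial_connection_ts is not None
                and packet.initial_connection_ts == record.initial_connection_ts)
    if packet.ap_credential is None:
        return False
    expected = derive_ap_credential(record.credential_key, packet.bssid,
                                    record.initial_connection_ts)
    return hmac.compare_digest(packet.ap_credential, expected)  # constant-time compare


def judge_attack(server_check_ok: bool, ap_check_ok: bool) -> Tuple[bool, bool]:
    """Attack judging module (claim 7): returns (attack_detected, send_connection_request).
    A failure of either check is treated as a network attack and no request is sent."""
    attack_detected = not (server_check_ok and ap_check_ok)
    return attack_detected, not attack_detected


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over a genuine packet and a mismatching one (constructed inputs)."""
    key = b"constructed-first-connection-secret"
    bssid = "aa:bb:cc:dd:ee:01"
    store = {bssid: LocalApRecord(bssid, 1691625600, key)}
    genuine = AuthCompletionPacket(bssid, 1691625600,
                                   derive_ap_credential(key, bssid, 1691625600),
                                   b"challenge-1")
    # Same BSSID, but the timestamp and credential do not match the local record.
    mismatched = AuthCompletionPacket(bssid, 1691700000, b"\x00" * 32, b"challenge-2")
    results = {}
    for name, pkt in (("genuine", genuine), ("mismatched", mismatched)):
        ts_ok = verify_target_ap(pkt, store, AuthMode.TIMESTAMP)
        cred_ok = verify_target_ap(pkt, store, AuthMode.CREDENTIAL)
        results[name] = judge_attack(server_check_ok=True, ap_check_ok=ts_ok and cred_ok)
    return results


if __name__ == "__main__":
    for name, (attack, connect) in demo().items():
        print(f"{name}: attack_detected={attack}, send_connection_request={connect}")
```

The AP-server side of claim 7 (checking the primary connection data) is represented only by the `server_check_ok` flag, since the claims do not state what that server compares; the decision rule that either failure blocks the connection request is what the example exercises.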
CN202311008531.0A 2023-08-10 2023-08-10 Method, device and system for detecting network attack of vehicle-mounted device, electronic equipment and medium Pending CN116939611A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311008531.0A CN116939611A (en) 2023-08-10 2023-08-10 Method, device and system for detecting network attack of vehicle-mounted device, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311008531.0A CN116939611A (en) 2023-08-10 2023-08-10 Method, device and system for detecting network attack of vehicle-mounted device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN116939611A true CN116939611A (en) 2023-10-24

Family

ID=88384377

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311008531.0A Pending CN116939611A (en) 2023-08-10 2023-08-10 Method, device and system for detecting network attack of vehicle-mounted device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN116939611A (en)

Similar Documents

Publication Publication Date Title
CN106779716B (en) Authentication method, device and system based on block chain account address
CN101227468B (en) Method, device and system for authenticating user to network
CN104184713B (en) Terminal identification method, machine identifier register method and corresponding system, equipment
CN103581184B (en) The method and system of mobile terminal accessing corporate intranet server
CN111422163B (en) Vehicle ignition method and system based on face recognition and vehicle
CN109257391A (en) A kind of access authority opening method, device, server and storage medium
US20200274892A1 (en) Method and System for Providing Security on In-Vehicle Network
CN115550069B (en) Intelligent charging system of electric automobile and safety protection method thereof
CN106330828A (en) Method for network secure access, terminal device and authentication server
CN114065162A (en) Risk control method and device of business system and computer readable storage medium
CN112153638A (en) Safety authentication method and equipment for vehicle-mounted mobile terminal
CN105429943A (en) Information processing method and terminal thereof
CN112565251B (en) Access authentication method, device and system for vehicle-mounted application
CN101854357B (en) Method and system for monitoring network authentication
KR101879843B1 (en) Authentication mehtod and system using ip address and short message service
CN113442870A (en) Method and device for deactivating vehicle-mounted unit, storage medium and terminal
CN116939611A (en) Method, device and system for detecting network attack of vehicle-mounted device, electronic equipment and medium
CN108574657B (en) Server access method, device and system, computing equipment and server
CN106412904B (en) Method and system for preventing counterfeit user authentication authority
Zhang et al. Securing connected vehicles end to end
CN115314229B (en) Data access method, device, equipment and storage medium
CN117834312B (en) Network access method, network access device, and computer-readable storage medium
CN116962088B (en) Login authentication method, zero trust controller and electronic equipment
CN115696329B (en) Zero trust authentication method and device, zero trust client device and storage medium
CN114844674B (en) Dynamic authorization method, system, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination