
CN118802351A - Vehicle charging interface attack detection method, device, equipment and storage medium - Google Patents


Publication number
CN118802351A
Authority
CN
China
Prior art keywords
message
information
data
abnormal
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410964314.7A
Other languages
Chinese (zh)
Inventor
张海春
万振华
刘政林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Open Source Network Security Internet Of Things Technology Wuhan Co ltd
Huazhong University of Science and Technology
Original Assignee
Open Source Network Security Internet Of Things Technology Wuhan Co ltd
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Open Source Network Security Internet Of Things Technology Wuhan Co ltd, Huazhong University of Science and Technology
Priority to CN202410964314.7A
Publication of CN118802351A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/0442 Recurrent networks, e.g. Hopfield networks characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/0464 Convolutional networks [CNN, ConvNet]
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems the transportation system being a vehicle
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/84 Vehicles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141 Denial of service attacks against endpoints in a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Molecular Biology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Biophysics (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a vehicle charging interface attack detection method, device, equipment and storage medium. The detection method comprises the following steps: judging whether the ID information in a received CAN message belongs to a set list; judging, according to the ID information, whether the CAN message conforms to a set data frame period; calculating at least one of the data load rate, the information entropy and the abnormal-interval message count, and comparing it with a set threshold; looking up a message processing rule according to the ID information and judging whether the data segment is abnormal; identifying the charging states of the BMS and the charger according to the PGN information and judging whether the charging states are abnormal by comparison with the state transition diagram; building a data set from the current CAN message and historical CAN messages; and inputting the data set into a stacked LSTM residual network and training a message anomaly detection model to obtain a CAN message classification result. By fusing multiple detection mechanisms, the method can detect potential attack behaviors comprehensively and in real time, and effectively protects the charging safety of the vehicle.

Description

Vehicle charging interface attack detection method, device, equipment and storage medium

Technical Field

The present invention relates to the technical field of vehicle charging interface attack detection, and in particular to a vehicle charging interface attack detection method, device, equipment and storage medium.

Background Art

In charging scenarios, an electric vehicle communicates with the charging pile over the CAN bus to negotiate charging parameters such as charging current and voltage. No secure communication protocol is used for data transmission between the two, so there are serious information security problems and the link is exposed to potential network attacks at all times.

Communication over the CAN bus faces serious risks of eavesdropping, data tampering and node impersonation. Some manufacturers implement two-way identity authentication to improve information security. This solves the problem of node impersonation during communication and lets the vehicle and the charging pile negotiate the session key needed for subsequent encryption, but it does not solve the problem of encryption and integrity verification of the communication data.

The vehicle's charging interface is still at risk of attack. For example, a CAN bus that uses priority arbitration is vulnerable to denial of service (DoS) attacks. An attacker only needs to control any ECU and have it send messages with a high-priority ID at a high rate on its network; sending a large number of high-priority messages at high frequency occupies the bus resources, so that the nodes on the network cannot send messages and the bus is paralyzed. Furthermore, an attacker can also carry out operations such as injection attacks on the CAN bus by modifying the ID and data fields of CAN data frames.

Summary of the Invention

The purpose of the present invention is to provide a vehicle charging interface attack detection method, device, equipment and storage medium which, through the fused detection of multiple detection mechanisms, can detect potential attack behaviors comprehensively and in real time and effectively protect the charging safety of the vehicle.

To achieve the above purpose, the present invention discloses a vehicle charging interface attack detection method. The CAN message includes ID information, PGN information and a data segment, and the detection method includes:

Judging whether the ID information in the received CAN message belongs to a set list;

Judging, according to the ID information, whether the CAN message conforms to a set data frame period;

Calculating at least one of the data load rate, the information entropy and the abnormal-interval message count on the CAN bus, and comparing it with the corresponding set value to judge whether a denial of service attack exists;

Looking up the corresponding message processing rule in a rule base according to the ID information, and judging whether the data segment is abnormal according to the message processing rule found;

Identifying the current charging state of the vehicle battery's BMS and of the charger according to the PGN information, and judging whether the charging state is abnormal by comparison with the state transition diagram;

Building a data set from the current CAN message and historical CAN messages;

Inputting the assembled data set into a stacked LSTM residual network and training a message anomaly detection model to obtain a CAN message classification result;

When any abnormal situation is found, performing at least one of the following operations:

Issuing an alarm signal;

Discarding the current CAN message and terminating the remaining checks;

Terminating the communication and terminating the remaining checks.

Further, the step of "calculating at least one of the data load rate, the information entropy and the abnormal-interval message count on the CAN bus, and comparing it with the corresponding set value to judge whether a denial of service attack exists" includes:

Counting the number of CAN messages transmitted on the CAN bus per unit time, calculating the current transmission rate of the CAN bus, and comparing the current transmission rate with a transmission rate threshold; when the current transmission rate is greater than the transmission rate threshold, judging that a denial of service attack exists; and/or,

Detecting the current information entropy of the CAN bus with a multi-entropy algorithm and comparing it with the corresponding information entropy threshold in a threshold sample library; when the information entropy is greater than the information entropy threshold, judging that a denial of service attack exists; and/or,

Calculating the interval between the transmission of two adjacent CAN messages and counting the number of times the interval is shorter than a preset interval; when the count is greater than a preset number, judging that a denial of service attack exists.

Further, the step of "building a data set from the current CAN message and historical CAN messages" includes:

Extracting the ID information and data segments of the current CAN message and the historical CAN messages as input data;

Normalizing the extracted input data;

Performing a stationarity test on the normalized input data;

Making stationary the input data detected as non-stationary;

Classifying all processed input data and attaching the corresponding labels.

Further, after the step of "inputting the assembled data set into a stacked LSTM residual network and training a message anomaly detection model to obtain a CAN message classification result", the method includes:

Optimizing the parameters of the message anomaly detection model with a genetic algorithm, so as to optimize the CAN message classification result.

To achieve the above purpose, the present invention discloses a vehicle charging interface attack detection device, which includes:

A first judgment module, used to judge whether the ID information in the received CAN message belongs to a set list;

A second judgment module, used to judge, according to the ID information, whether the CAN message conforms to a set data frame period;

A calculation and comparison module, used to calculate at least one of the data load rate, the information entropy and the abnormal-interval message count on the CAN bus, and to compare it with the corresponding set value to judge whether a denial of service attack exists;

A lookup and judgment module, used to look up the corresponding message processing rule in a rule base according to the ID information, and to judge whether the data segment is abnormal according to the message processing rule found;

An identification and judgment module, used to identify the current charging state of the vehicle battery's BMS and of the charger according to the PGN information, and to judge whether the charging state is abnormal by comparison with the state transition diagram;

A building module, used to build a data set from the current CAN message and historical CAN messages;

A training module, used to input the assembled data set into a stacked LSTM residual network and to train a message anomaly detection model to obtain a CAN message classification result.

To achieve the above purpose, the present invention discloses an electronic device, which includes:

One or more processors;

One or more memories, used to store one or more programs which, when executed by the processor, cause the processor to implement the vehicle charging interface attack detection method described above.

To achieve the above purpose, the present invention discloses a computer-readable storage medium on which a program is stored; when the program is executed by a processor, the vehicle charging interface attack detection method described above is implemented.

In the present application, multiple detection operations are performed to judge whether the vehicle charging interface is under attack. First, it is judged whether the received CAN message belongs to the set list and whether it conforms to the set data frame period. At least one of the data load rate, the information entropy and the abnormal-interval message count on the CAN bus is calculated to judge whether the CAN bus is under a denial of service attack. Whether the data segment of the CAN message is abnormal is judged according to the message processing rules in the rule base. Whether the current charging state of the vehicle battery's BMS and of the charger is abnormal is judged according to the state transition diagram. A stacked LSTM residual network is used to train a message anomaly detection model on the current CAN message and historical CAN messages to obtain a CAN message classification result. Through the fused detection of these multiple mechanisms, potential attack behaviors are detected comprehensively and in real time, and the charging safety of the vehicle is effectively protected.

Brief Description of the Drawings

FIG. 1 is a flow chart of the vehicle charging interface attack detection method according to an embodiment of the present invention.

FIG. 2 is the state transition diagram used in the vehicle charging interface attack detection method according to an embodiment of the present invention.

FIG. 3 is a schematic diagram of charging state identification in the vehicle charging interface attack detection method according to an embodiment of the present invention.

FIG. 4 is a schematic diagram of the message anomaly detection model in the vehicle charging interface attack detection method according to an embodiment of the present invention.

FIG. 5 is a module diagram of the vehicle charging interface attack detection device according to an embodiment of the present invention.

FIG. 6 is a system diagram of the electronic device according to an embodiment of the present invention.

Detailed Description

To explain in detail the technical content, structural features, purposes and effects of the present invention, a detailed description is given below in conjunction with the embodiments and the accompanying drawings.

Embodiment 1

Referring to FIG. 1 to FIG. 4, the present invention discloses a vehicle charging interface attack detection method. The CAN message includes ID information, PGN information and a data segment.

It should be noted that the CAN message is a CAN bus data frame whose main fields include the arbitration segment (CAN ID), the data segment and the CRC segment used for data verification, but it is not limited to this.

The detection method includes:

101. Judge whether the ID information in the received CAN message belongs to the set list;

It can be understood that the ID information is obtained from the arbitration segment of the CAN message, and that the set list includes a whitelist and a blacklist. The whitelist records fully trusted messages and the blacklist records explicitly prohibited ones. If the ID information is found in the whitelist, the CAN message is passed on to the next check. If the ID information is found in the blacklist, operation 112 is executed: the current CAN message is discarded and the remaining checks are terminated. Checking against the blacklist and whitelist helps to filter CAN messages quickly, efficiently and in real time, but it is not limited to this.

102. Judge, according to the ID information, whether the CAN message conforms to the set data frame period;

It can be understood that the data frame period check targets the periodic CAN messages exchanged on the CAN bus between the vehicle and the charging pile in the charging scenario. It is therefore only necessary to compare the data frame period of the CAN message with a given ID against the data frame period of that ID's CAN message under normal communication. For example, the CAN message with one ID is sent once every 3 data frames, while the CAN message with another ID is sent once every 5 data frames, and so on, so the ID information of a CAN message can be used to determine whether the message has a period anomaly. This helps to detect low-volume injection attacks and high-volume DoS attacks, but it is not limited to this.

103. Calculate at least one of the data load rate, the information entropy and the abnormal-interval message count on the CAN bus, and compare it with the corresponding set value to judge whether a denial of service attack exists;

The bus load rate, the information entropy and the repeated-frame interval are used to detect denial of service (DoS) attacks that the CAN bus may be subjected to. Each can detect a specific kind of DoS attack, and together they provide complementary detection that covers multiple kinds of DoS attack comprehensively.

Further, "calculating at least one of the data load rate, the information entropy and the abnormal-interval message count on the CAN bus, and comparing it with the corresponding set value to judge whether a denial of service attack exists" includes:

1031. Count the number of CAN messages transmitted on the CAN bus per unit time, calculate the current transmission rate of the CAN bus, and compare the current transmission rate with the transmission rate threshold; when the current transmission rate is greater than the transmission rate threshold, judge that a denial of service attack exists; and/or,

CAN bus load rate detection can detect attacks that inject a large number of CAN messages, efficiently and in real time.

It can be understood that the CAN bus load rate is the current message transmission rate as a percentage of the maximum transmission rate of the CAN bus. Under normal communication the message transmission rate stays below the transmission rate threshold. When the message transmission rate exceeds the transmission rate threshold, it can be judged that the CAN bus network is abnormal, possibly because an attacker is sending a large number of junk messages. Operation 111 can then be executed to issue an alarm signal, or operation 113 can be executed to terminate the communication and terminate the remaining checks, but it is not limited to this.

1032. Detect the current information entropy of the CAN bus with a multi-entropy algorithm and compare it with the corresponding information entropy threshold in the threshold sample library; when the information entropy is greater than the information entropy threshold, judge that a denial of service attack exists; and/or,

It can be understood that the more chaotic a system is, the higher its information entropy. The data flowing on the CAN bus is periodic and regular, so under normal conditions the information entropy of the CAN bus at a given point in time tends towards a constant value. When the information entropy fluctuates, CAN messages that deviate from what the system expects have appeared on the CAN bus, and there may be a malicious node or an external attack. The information entropy check therefore targets the periodic CAN messages on the CAN bus.

It should be noted that, to use the multi-entropy algorithm to detect whether the CAN bus is under a flooding attack, the multi-entropy algorithm is first trained offline on message data from a normal in-vehicle CAN bus network to obtain the threshold sample library. The multi-entropy algorithm is then used to analyse statistically the CAN message data of the in-vehicle CAN bus network under test, so as to calculate the information entropy of the current CAN bus network. Based on that statistical analysis, a suitable information entropy threshold is selected from the threshold sample library for comparison, which makes it possible to judge effectively whether the information entropy of the CAN bus is abnormal.

1033. Calculate the interval between the transmission of two adjacent CAN messages and count the number of times the interval is shorter than the preset interval; when the count is greater than the preset number, judge that a denial of service attack exists.

It can be understood that the abnormal-interval message count check covers all CAN messages on the CAN bus. The preset interval is a specific value in milliseconds. The abnormal-interval message count is obtained from the reception intervals between consecutive messages, and when it exceeds the set anomaly threshold, a DoS attack is judged to have occurred, but it is not limited to this.
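The three checks of step 103 can be run over one window of captured frames as follows. This is an added example, not code from the patent: plain Shannon entropy over the CAN ID distribution stands in for the unspecified "multi-entropy algorithm", and every threshold, ID and timestamp is a constructed assumption.

```python
import math
from collections import Counter

# All thresholds are assumed values for this example; the page only says they
# are preset (or, for entropy, learned offline from normal traffic).
MAX_BUS_FPS = 4000        # assumed maximum frame rate the bus can carry
LOAD_THRESHOLD = 0.50     # 1031: allowed fraction of the maximum rate
ENTROPY_THRESHOLD = 2.0   # 1032: entropy threshold in bits
MIN_GAP_S = 0.0005        # 1033: preset interval between adjacent frames
MAX_SHORT_GAPS = 20       # 1033: preset count of too-short intervals


def load_rate(frames, window_s):
    """1031: observed frames per second as a fraction of the bus maximum."""
    return (len(frames) / window_s) / MAX_BUS_FPS


def id_entropy(frames):
    """1032: Shannon entropy (bits) of the CAN ID distribution in the window."""
    counts = Counter(can_id for _, can_id in frames)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def short_gap_count(frames):
    """1033: number of adjacent-frame gaps shorter than the preset interval."""
    times = sorted(t for t, _ in frames)
    return sum(1 for a, b in zip(times, times[1:]) if b - a < MIN_GAP_S)


def detect_dos(frames, window_s=1.0):
    """Run all three checks; any tripped check marks the window as DoS."""
    result = {
        "load_rate": load_rate(frames, window_s),
        "entropy": id_entropy(frames),
        "short_gaps": short_gap_count(frames),
    }
    limits = {"load_rate": LOAD_THRESHOLD,
              "entropy": ENTROPY_THRESHOLD,
              "short_gaps": MAX_SHORT_GAPS}
    result["tripped"] = [name for name, limit in limits.items()
                         if result[name] > limit]
    result["dos"] = bool(result["tripped"])
    return result


def build_trace(extra_ids):
    """Constructed 1 s trace of (timestamp_s, can_id) tuples.

    Baseline: three periodic IDs, one frame each every 10 ms.
    extra_ids: IDs of 2500 additional frames spaced 0.4 ms apart ([] = none).
    """
    frames = []
    for k in range(100):
        for offset, can_id in ((0.000, 0x100), (0.003, 0x200), (0.006, 0x300)):
            frames.append((k * 0.010 + offset, can_id))
    for j in range(2500 if extra_ids else 0):
        frames.append((j * 0.0004, extra_ids[j % len(extra_ids)]))
    return sorted(frames)


if __name__ == "__main__":
    cases = (("baseline", []),
             ("extra frames, 16 IDs", list(range(16))),
             ("extra frames, 1 ID", [0x000]))
    for label, ids in cases:
        r = detect_dos(build_trace(ids))
        print(f"{label}: load={r['load_rate']:.3f} entropy={r['entropy']:.2f} "
              f"short_gaps={r['short_gaps']} tripped={r['tripped']}")
```

In the single-ID case the entropy falls below the baseline, so the "greater than threshold" comparison of 1032 does not fire; the load-rate and interval checks still do, which is the complementary detection the text describes.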

104. Look up the corresponding message processing rule in the rule base according to the ID information, and determine whether the data segment is abnormal according to the rule found;

It should be noted that the data segment of a CAN message carries multiple signal values, each of which lies within a certain range or takes a specific value. If a signal value in a received CAN frame falls outside its range or is not the specific value, the data segment of the CAN message can be judged abnormal, and operation 111 is executed to issue an alarm signal indicating the current risk at the charging interface, after which the next detection operation is entered, but the method is not limited to this.

It can be understood that the rule base stores message processing rules, recorded and classified by ID information, that are used to judge and handle abnormal data. A message processing rule includes a detection rule and a processing action option. According to the detection rule, the CAN message is matched on the CAN frame data length and the rule option fields. If it matches, the next detection operation is entered; otherwise operation 111 is executed to issue an alarm signal, and a blocking operation is performed according to the processing action option.

For example, in a charging scenario, when the ID information of the current CAN message is detected to be 0x123, this indicates that the CAN message is a charging data frame whose data field carries data segments such as the charging current. The message processing rule for ID 0x123 is then looked up directly in the rule base, and the CAN message is judged and handled according to that rule (for example, a current exceeding 300 A is judged to be an excessively high charging current).
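An added example, not from the patent, of the rule lookup for ID 0x123 with the 300 A limit and a blocking action option. The byte layout, scaling, the voltage and mode signals, and all names are hypothetical.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional


@dataclass(frozen=True)
class Signal:
    name: str
    start: int                           # first byte within the data segment
    size: int                            # width in bytes, little-endian
    scale: float = 1.0                   # physical value = raw * scale (reporting only)
    lo_raw: int = 0                      # inclusive lower bound on the raw value
    hi_raw: Optional[int] = None         # inclusive upper bound on the raw value
    allowed: Optional[frozenset] = None  # enumerated signal: the only raw values permitted


@dataclass(frozen=True)
class Rule:
    dlc: int          # expected CAN frame data length
    signals: tuple    # rule option fields to match
    action: str       # processing action option: "alert" or "block"


class Verdict(NamedTuple):
    ok: bool
    findings: list
    action: Optional[str]


# Hypothetical rule base keyed by CAN ID. Limits are kept in raw counts so the
# comparison is exact: 3000 counts * 0.1 A = 300 A.
RULE_BASE = {
    0x123: Rule(dlc=8, action="block", signals=(
        Signal("charging_current_A", start=0, size=2, scale=0.1, hi_raw=3000),
        Signal("charging_voltage_V", start=2, size=2, scale=0.1, hi_raw=7500),
        Signal("charge_mode", start=4, size=1, allowed=frozenset({1, 2})),
    )),
}


def check_data_segment(can_id, data):
    """Apply the rule for can_id to the data segment and return a Verdict."""
    rule = RULE_BASE.get(can_id)
    if rule is None:
        # No rule recorded for this ID; unknown IDs are the list check's job.
        return Verdict(True, [], None)
    if len(data) != rule.dlc:
        return Verdict(False, [f"data length {len(data)} != expected {rule.dlc}"], rule.action)
    findings = []
    for sig in rule.signals:
        raw = int.from_bytes(data[sig.start:sig.start + sig.size], "little")
        if sig.allowed is not None:
            if raw not in sig.allowed:
                findings.append(f"{sig.name}: value {raw} is not a permitted value")
        elif raw < sig.lo_raw or (sig.hi_raw is not None and raw > sig.hi_raw):
            findings.append(f"{sig.name}: {raw * sig.scale:.1f} is outside the permitted range")
    return Verdict(not findings, findings, rule.action if findings else None)


# Constructed frames: 120.0 A / 400.0 V / mode 1, then the same frame at 350.0 A.
NORMAL_FRAME = bytes([0xB0, 0x04, 0xA0, 0x0F, 0x01, 0xFF, 0xFF, 0xFF])
OVERCURRENT_FRAME = bytes([0xAC, 0x0D, 0xA0, 0x0F, 0x01, 0xFF, 0xFF, 0xFF])

if __name__ == "__main__":
    print(check_data_segment(0x123, NORMAL_FRAME))
    print(check_data_segment(0x123, OVERCURRENT_FRAME))
```
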

105. Identify the current charging state of the vehicle battery's BMS and of the charger according to the PGN information, and determine whether the charging state is abnormal by comparison with the state transition diagram;

State transition anomaly detection can detect events that violate normal operating behavior, which helps make the detection of charging interface attacks more comprehensive.

It should be noted that the charging pile uses the GB/T 27930 standard to regulate the communication flow and content. According to the charging standard, both the charger of the charging pile and the BMS of the vehicle undergo behavior-state transitions during charging. A behavior state represents the state of the vehicle's BMS or the charging pile's charger while processing the vehicle-to-pile communication protocol, for example a waiting state or a ready state. Therefore, by collecting multiple CAN frames in their different orders and recording multiple CAN frame sequences with a behavior state machine, the operating states of the charger and the BMS during normal charging are constructed, giving the state transition diagram shown in Figure 2 (not all actual state transitions are marked; refer to the charging standard for the actual ones).

It can be understood that the PGN information is parsed from the arbitration field (ID) of the CAN message and used to identify the CAN message as shown in Figure 3. After one CAN message, or several CAN messages in a specific order, are received (a stimulus is received), the charger and the BMS can be judged to have changed state. The current charging state is matched against the behavior state machine to monitor in real time whether it deviates from the normal state machine model, which realizes state-machine-based intrusion detection. When an illegal CAN frame sequence is detected and the state transition is found not to follow the preset state transition diagram, the current charging state can be judged to have entered an abnormal state of the state machine, which is treated as a detected threat and a potential security risk; operation 112 is then executed to discard the current CAN message and terminate the remaining detections.
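An added example, not from the patent, of parsing the PGN from the 29-bit arbitration ID and checking each frame against a state transition table. The table is a simplified constructed model rather than Figure 2 and covers single-frame messages only; the PGN values and identifiers are assumed from the J1939-style addressing that GB/T 27930 uses and should be checked against the standard.

```python
def extract_pgn(can_id):
    """Parse the PGN from a 29-bit J1939-style arbitration ID."""
    can_id &= 0x1FFFFFFF            # drop any flag bits above the 29-bit ID
    dp = (can_id >> 24) & 0x03      # reserved/extended data page + data page bits
    pf = (can_id >> 16) & 0xFF      # PDU format
    ps = (can_id >> 8) & 0xFF       # PDU specific
    if pf < 240:                    # PDU1: PS is a destination address, not part of the PGN
        return (dp << 16) | (pf << 8)
    return (dp << 16) | (pf << 8) | ps   # PDU2: PS is a group extension


# PGNs of the single-frame messages used here (assumed from GB/T 27930).
CHM, BHM, CRM = 0x2600, 0x2700, 0x0100
BRO, CRO = 0x0900, 0x0A00
BCL, CCS = 0x1000, 0x1200
BST, CST = 0x1900, 0x1A00

# Simplified, constructed transition table: (current state, PGN) -> next state.
# Multi-frame messages carried by the transport protocol are left out.
TRANSITIONS = {
    ("HANDSHAKE", CHM): "HANDSHAKE", ("HANDSHAKE", BHM): "HANDSHAKE",
    ("HANDSHAKE", CRM): "IDENTIFY",
    ("IDENTIFY", CRM): "IDENTIFY", ("IDENTIFY", BRO): "CONFIGURE",
    ("CONFIGURE", BRO): "CONFIGURE", ("CONFIGURE", CRO): "CONFIGURE",
    ("CONFIGURE", BCL): "CHARGING",
    ("CHARGING", BCL): "CHARGING", ("CHARGING", CCS): "CHARGING",
    ("CHARGING", BST): "ENDING", ("CHARGING", CST): "ENDING",
    ("ENDING", BST): "ENDING", ("ENDING", CST): "ENDING",
}


class ChargeStateMonitor:
    """Tracks the charging state and rejects frames the table does not allow."""

    def __init__(self):
        self.state = "HANDSHAKE"

    def feed(self, can_id):
        """Return True if the frame is a legal stimulus in the current state."""
        nxt = TRANSITIONS.get((self.state, extract_pgn(can_id)))
        if nxt is None:
            return False            # caller discards the frame (operation 112)
        self.state = nxt
        return True


def check_sequence(can_ids):
    """Return (index of first illegal frame or None, state when checking stopped)."""
    monitor = ChargeStateMonitor()
    for index, can_id in enumerate(can_ids):
        if not monitor.feed(can_id):
            return index, monitor.state   # remaining detections are not run
    return None, monitor.state


# Constructed traces. The second one carries a charging-demand frame (BCL)
# while the session is still in the handshake state.
NORMAL_TRACE = [0x1826F456, 0x182756F4, 0x1801F456, 0x1801F456, 0x100956F4,
                0x100AF456, 0x181056F4, 0x1812F456, 0x181056F4, 0x1812F456,
                0x101956F4, 0x101AF456]
INJECTED_TRACE = [0x1826F456, 0x182756F4, 0x181056F4, 0x1801F456]

if __name__ == "__main__":
    print(check_sequence(NORMAL_TRACE))
    print(check_sequence(INJECTED_TRACE))
```
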

106. Build a data set from the current CAN message and historical CAN messages;

Further, "building a data set from the current CAN message and historical CAN messages" includes:

1061. Extract the ID information and data segments from the current CAN message and the historical CAN messages as input data;

It can be understood that attacks on the CAN bus mostly take the form of manipulating the arbitration field (ID) and the data segment in the data frame of a CAN message. The ID information and the data segment of the CAN message are therefore used as the input data features of the model, but the method is not limited to this.

1062. Normalize the extracted input data;

Normalization limits the input data to a certain range so as to eliminate the influence of special data features, which helps speed up the convergence of the gradient-descent model.

1063. Perform a stationarity test on the normalized input data;

1064. Apply stationarization processing to input data detected as non-stationary;

It can be understood that stationarization processing includes methods such as differencing, transformation and decomposition.

1065. Classify all processed input data and attach the corresponding labels.

For example, tags such as normal message, DoS attack message and abnormal signal value message are added to the input data to form a data set that can be used for training and testing.

107. Input the constructed data set into a stacked LSTM residual network and train a message anomaly detection model to obtain CAN message classification results.

Deep detection technology based on deep learning can effectively detect injection attacks, which helps protect the electric vehicle charging interface from attack.

It can be understood that, as shown in Figure 4, training the message anomaly detection model on current and historical CAN message information with a stacked LSTM residual network allows end-to-end model training that directly outputs the anomaly classification result for a CAN message. According to the anomaly classification result, operation 111 is executed to issue an alarm signal or operation 113 is executed to terminate communication, thereby realizing context-based CAN bus anomaly detection, but the method is not limited to this.

It can be understood that an LSTM network can solve the vanishing-gradient problem that traditional RNN networks have when processing CAN message sequences, so that information from earlier historical CAN messages is captured. On this basis, a stacked LSTM network is used to increase the complexity of the model so that the features of complex message sequences are learned and extracted comprehensively, and residual connections are introduced to address the training difficulty that comes with the increased model complexity. The stacked LSTM residual network has hidden layers and recurrent layers to extract the features of high-dimensional input data. Usually, the hidden layers act as an ordinary multi-layer perceptron that extracts general features of the data, while the recurrent layers extract temporal features or time-ordered correlation features of the data, but the method is not limited to this.

Further, after "inputting the constructed data set into the stacked LSTM residual network and training the message anomaly detection model to obtain the CAN message classification results", the method includes:

108. Optimize the parameters of the message anomaly detection model with a genetic algorithm so as to optimize the CAN message classification results.

It can be understood that the parameters of the message anomaly detection model include neural network model parameters such as weights and biases, and optimizing them with a genetic algorithm helps the trained message anomaly detection model reach the best detection performance.

When any abnormal situation is found, at least one of the following operations is executed:

111. Issue an alarm signal;

112. Discard the current CAN message and terminate the remaining detections;

113. Terminate communication and terminate the remaining detections.

Issuing the necessary alarms and/or blocking the attack according to the attack behavior detected in real time helps establish a security protection mechanism for the charging interface.

It can be understood that operation 101 is blacklist/whitelist detection, operation 102 is data frame period detection, operation 103 is data field detection, operation 104 is denial-of-service attack detection, operation 105 is state transition detection, and operations 106 and 107 are deep detection based on deep learning. In this embodiment, the above detection operations are executed in sequence, and after each detection it is evaluated whether an abnormal situation exists. If the detection passes, the next detection is executed in order; if an abnormal situation is detected, at least one of operations 111 to 113 is executed according to the actual situation, but the method is not limited to this.

In the present application, multiple detection operations are performed to determine whether the vehicle charging interface is under attack. First, it is determined whether the received CAN message belongs to the set list and whether it conforms to the set data frame period. At least one of the data load rate, the information entropy and the number of abnormal-interval messages on the CAN bus is calculated to determine whether the CAN bus is under a denial-of-service attack. Whether the data segment of the CAN message is abnormal is determined according to the message processing rules in the rule base. Whether the current charging state of the vehicle battery's BMS and of the charger is abnormal is determined against the state transition diagram. A stacked LSTM residual network is used to train a message anomaly detection model on the current and historical CAN messages to obtain CAN message classification results. Through the fused detection of these multiple mechanisms, potential attack behavior is detected comprehensively and in real time, effectively protecting the charging safety of the vehicle.

Embodiment 2

Referring to FIG. 1 and FIG. 5, the present invention discloses a vehicle charging interface attack detection device, which includes:

a first judgment module 201, configured to judge whether the ID information in a received CAN message belongs to a set list;

a second judgment module 202, configured to judge, according to the ID information, whether the CAN message conforms to a set data frame period;

a calculation and comparison module 203, configured to calculate at least one of the data load rate, the information entropy and the number of abnormal-interval messages on the CAN bus, and compare it with the corresponding set value to determine whether a denial-of-service attack exists;

a search and judgment module 204, configured to look up the corresponding message processing rule in a rule base according to the ID information, and judge whether the data segment is abnormal according to the rule found;

an identification and judgment module 205, configured to identify the current charging state of the vehicle battery's BMS and of the charger according to the PGN information, and judge whether the charging state is abnormal by comparison with the state transition diagram;

a building module 206, configured to build a data set from the current CAN message and historical CAN messages;

a training module 207, configured to input the constructed data set into a stacked LSTM residual network and train a message anomaly detection model to obtain CAN message classification results.

Embodiment 3

Referring to FIG. 1 and FIG. 6, the present invention discloses an electronic device, which includes:

one or more processors 301;

one or more memories 302, configured to store one or more programs which, when executed by the processor, cause the processor to implement the vehicle charging interface attack detection method described above.

Embodiment 4

An embodiment of the present application discloses a computer-readable storage medium on which a program is stored. When the program is executed by a processor, the vehicle charging interface attack detection method described above is implemented.

Embodiment 5

An embodiment of the present application discloses a computer program product or computer program that includes computer instructions stored in a computer-readable storage medium. A processor of an electronic device reads the computer instructions from the computer-readable storage medium and executes them, so that the electronic device performs the vehicle charging interface attack detection method described above.

It should be understood that in the embodiments of the present application, the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.

Those of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments can be completed by hardware instructed by a computer program. The program can be stored in a computer-readable storage medium and, when executed, can include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.

What is disclosed above is only the preferred embodiments of the present invention, which of course cannot be used to limit the scope of rights of the present invention. Equivalent changes made according to the scope of the patent application of the present invention therefore still fall within the scope covered by the present invention.

Claims (7)

1. A vehicle charging interface attack detection method, characterized in that a CAN message comprises ID information, PGN information and a data segment, the method comprising the following steps:
judging whether the ID information in the received CAN message belongs to a set list;
judging whether the CAN message conforms to a set data frame period according to the ID information;
calculating at least one of the data load rate, the information entropy and the number of abnormal-interval messages on the CAN bus, and comparing it with the corresponding set threshold to judge whether a denial-of-service attack exists;
looking up a corresponding message processing rule in a rule base according to the ID information, and judging whether the data segment is abnormal according to the rule found;
identifying the current charging states of the BMS of the vehicle battery and of the charger according to the PGN information, and judging whether the charging states are abnormal according to a state transition diagram;
constructing a data set from the current CAN message and historical CAN messages;
inputting the constructed data set into a stacked LSTM residual network, and training a message anomaly detection model to obtain a CAN message classification result;
when any abnormal situation is found, executing at least one of the following operations:
sending out an alarm signal;
discarding the current CAN message, and terminating execution of the remaining detection;
terminating communication, and terminating execution of the remaining detection.
2. The method of claim 1, wherein calculating at least one of the data load rate, the information entropy and the number of abnormal-interval messages on the CAN bus and comparing it with the corresponding set value to determine whether a denial-of-service attack exists comprises:
counting the number of CAN messages transmitted on the CAN bus in unit time, calculating the current transmission rate of the CAN bus, comparing the current transmission rate with a transmission rate threshold, and judging that a denial-of-service attack exists when the current transmission rate is greater than the transmission rate threshold; and/or
detecting the current information entropy of the CAN bus by using a multi-entropy algorithm, comparing the current information entropy with the corresponding information entropy threshold in a threshold sample library, and judging that a denial-of-service attack exists when the information entropy is larger than the information entropy threshold; and/or
calculating the interval time between the transmission of two adjacent CAN messages, counting the number of times the interval time is smaller than a preset interval time, and judging that a denial-of-service attack exists when the counted number of times is larger than a preset number of times.
3. The method for detecting an attack on a vehicle charging interface according to claim 1, wherein the step of constructing a data set from the current CAN message and historical CAN messages includes:
extracting the ID information and data segments in the current CAN message and the historical CAN messages as input data;
normalizing the extracted input data;
carrying out stationarity detection on the normalized input data;
performing stationarization processing on input data detected as non-stationary;
classifying all the processed input data and marking them with corresponding labels.
4. The method for detecting the attack of the vehicle charging interface according to claim 1, wherein, after the step of inputting the constructed data set into the stacked LSTM residual network and training the message anomaly detection model to obtain the CAN message classification result, the method comprises the following step:
optimizing parameters of the message anomaly detection model by using a genetic algorithm so as to optimize the CAN message classification result.
5. A vehicle charging interface attack detection device, comprising:
the first judging module, used for judging whether the ID information in the received CAN message belongs to a set list;
the second judging module, used for judging whether the CAN message conforms to a set data frame period according to the ID information;
the calculation and comparison module, used for calculating at least one of the data load rate, the information entropy and the number of abnormal-interval messages on the CAN bus and comparing it with the corresponding set value so as to judge whether a denial-of-service attack exists;
the searching and judging module, used for looking up the corresponding message processing rule in the rule base according to the ID information and judging whether the data segment is abnormal according to the rule found;
the identification and judging module, used for identifying the current charging states of the BMS of the vehicle battery and of the charger according to the PGN information, and judging whether the charging states are abnormal according to a state transition diagram;
the construction module, used for constructing a data set from the current CAN message and historical CAN messages;
the training module, used for inputting the constructed data set into a stacked LSTM residual network and training a message anomaly detection model to obtain a CAN message classification result.
6. An electronic device, comprising:
one or more processors;
one or more memories for storing one or more programs which, when executed by the processor, cause the processor to implement the vehicle charging interface attack detection method according to any of claims 1 to 4.
7. A computer-readable storage medium having a program stored thereon, wherein the program when executed by a processor implements the vehicle charging interface attack detection method according to any one of claims 1 to 4.
CN202410964314.7A 2024-07-18 2024-07-18 Vehicle charging interface attack detection method, device, equipment and storage medium Pending CN118802351A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410964314.7A CN118802351A (en) 2024-07-18 2024-07-18 Vehicle charging interface attack detection method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN118802351A true CN118802351A (en) 2024-10-18

Family

ID=93029368

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410964314.7A Pending CN118802351A (en) 2024-07-18 2024-07-18 Vehicle charging interface attack detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN118802351A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination