计算机应用 ›› 2020, Vol. 40 ›› Issue (11): 3224-3228.DOI: 10.11772/j.issn.1001-9081.2020040534

• 网络空间安全 • 上一篇    下一篇

车载CAN总线脱离攻击及其入侵检测算法

李中伟1, 谭凯2, 关亚东3, 姜文淇1, 叶麟2   

  1. 1. 哈尔滨工业大学 电气工程及自动化学院, 哈尔滨 150001;
    2. 哈尔滨工业大学 网络空间安全学院, 哈尔滨 150001;
    3. 哈尔滨工业大学 计算机科学与技术学院, 哈尔滨 150001
  • 收稿日期:2020-04-26 修回日期:2020-06-27 出版日期:2020-11-10 发布日期:2020-07-20
  • 通讯作者: 李中伟(1976-),男,河南漯河人,副教授,博士,主要研究方向:工业互联网安全;lzw@hit.edu.cn
  • 作者简介:谭凯(1994-),男,黑龙江牡丹江人,博士研究生,主要研究方向:网络安全;关亚东(1996-),男,山西长治人,博士研究生,主要研究方向:工业互联网安全、语音信号处理;姜文淇(1997-),男,黑龙江肇东人,硕士研究生,主要研究方向:工业互联网安全;叶麟(1982-),男,山西阳泉人,副教授,博士,CCF会员,主要研究方向:网络安全、网络测量、云计算
  • 基金资助:
    国家自然科学基金资助项目(61872111)。

In-vehicle CAN bus-off attack and its intrusion detection algorithm

LI Zhongwei1, TAN Kai2, GUAN Yadong3, JIANG Wenqi1, YE Lin2   

  1. 1. School of Electrical Engineering and Automation, Harbin Institute of Technology, Harbin Heilongjiang 150001, China;
    2. School of Cyber Science, Harbin Institute of Technology, Harbin Heilongjiang 150001, China;
    2. School of Computer Science and Technology, Harbin Institute of Technology, Harbin Heilongjiang 150001, China
  • Received:2020-04-26 Revised:2020-06-27 Online:2020-11-10 Published:2020-07-20
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61872111).

摘要: CAN总线脱离攻击作为一种新型的攻击方式,通过CAN总线通信的错误处理机制,可以使节点不断产生通信错误并从CAN总线上脱离。针对上述攻击所引发的车载CAN总线通信安全问题,提出了一种车载CAN总线脱离攻击入侵检测算法。首先,总结了车载CAN总线脱离攻击发生的条件与特点,指出正常报文与恶意报文的同步发送是实现总线脱离攻击的难点,并利用前置报文满足同步发送的条件来实现总线脱离攻击。其次,提取了CAN总线脱离攻击的特征,通过累计错误帧的发送数量,并根据报文发送频率的变化实现了对CAN总线脱离攻击的检测。最后,利用基于STM32F407ZGT6的CAN通信节点模拟车内电子控制单元(ECU),实现了恶意报文和被攻击报文的同步发送。进行了CAN总线脱离攻击实验和入侵检测算法的验证。实验结果表明,检测算法对高优先级恶意报文的检测率在95%以上,因此可以有效保护车载CAN总线通信网络的安全。

关键词: 车载CAN总线, 总线脱离攻击, 入侵检测, 同步发送, 前置报文

Abstract: As a new type of attack, the CAN (Controller Area Network) bus-off attack can force the node to generate communication errors continuously and disconnect from the CAN bus through the error handling mechanism of the CAN bus communication. Aiming at the security problem of in-vehicle CAN bus communication caused by the bus-off attack, an intrusion detection algorithm for the in-vehicle CAN bus-off attack was proposed. Firstly, the conditions and characteristics of the CAN bus-off attack were summarized. It was pointed out that the synchronous transmission of normal message and malicious message is the difficulty of realizing the bus-off attack. And the front-end message satisfying the condition of synchronous transmission was used to realize the bus-off attack. Secondly, the characteristics of the CAN bus-off attack were extracted. By accumulating the transmission number of error frames and according to the change of message transmission frequency, the detection of the CAN bus-off attack was realized. Finally, the CAN communication node based on STM32F407ZGT6 was used to simulate the Electronic Control Unit (ECU) in the vehicle, and the synchronous transmission of the malicious message and the attacked message was realized. The experiment of CAN bus-off attack and the verification of intrusion detection algorithm were carried out. Experimental results show that the detection rate of the algorithm for high priority malicious messages is more than 95%, so the algorithm can effectively protect the security of the in-vehicle CAN bus communication network.

Key words: in-vehicle CAN(Controller Area Network) bus, bus-off attack, intrusion detection, synchronous transmission, front-end message

中图分类号: