基于通信特征的CAN总线泛洪攻击检测方法

doi:10.11959/j.issn.2096-109x.2020005

网络与信息安全学报 ›› 2020, Vol. 6 ›› Issue (1): 27-37.doi: 10.11959/j.issn.2096-109x.2020005

基于通信特征的CAN总线泛洪攻击检测方法

季一木^1,^2,^3,⁴,焦志鹏^1,³(),刘尚东^1,^2,^3,⁴,吴飞^3,⁵,孙静^1,³,王娜^1,³,陈治宇^1,³,毕强^1,³,田鹏浩^1,³

¹ 南京邮电大学计算机学院，江苏南京 210023
² 南京邮电大学江苏省无线传感网高技术研究重点实验室，江苏南京 210023
³ 南京邮电大学高性能计算与大数据处理研究所，江苏南京 210023
⁴ 南京邮电大学高性能计算与智能处理工程研究中心，江苏南京 210023；5.南京邮电大学自动化学院，江苏南京 210023
⁵ 南京邮电大学自动化学院，江苏南京 210023

修回日期:2019-07-29 出版日期:2020-02-15 发布日期:2020-03-23
作者简介:季一木（1978– ），男，江苏南京人，南京邮电大学教授、博士生导师，主要研究方向为 P2P 网络、云计算和大数据安全等|焦志鹏（1994– ），男，江苏淮安人，南京邮电大学硕士生，主要研究方向为总线安全|刘尚东（1979– ），男，甘肃永靖人，南京邮电大学讲师，主要研究方向为网络行为分析，大数据处理等|吴飞（1989– ），男，江苏常州人，博士，南京邮电大学讲师，主要研究方向为人工智能、模式识别|孙静（1993– ），女，江苏南京人，南京邮电大学博士生，主要研究方向为机器学习|王娜（1995– ），女，安徽芜湖人，南京邮电大学硕士生，主要研究方向为计算机视觉|陈治宇（1994– ），男，江苏徐州人，南京邮电大学硕士生，主要研究方向为视觉与激光雷达的传感器融合|毕强（1995– ），男，江苏宿迁人，南京邮电大学硕士生，主要研究方向为计算机视觉|田鹏浩（1996– ），男，江苏连云港人，南京邮电大学硕士生，主要研究方向为路径规划
基金资助:
国家重点研发计划基金资助项目(2017YFB1401302);国家重点研发计划基金资助项目(2017YFB0202200);国家自然科学基金资助项目(61572260);国家自然科学基金资助项目(61872196);江苏省自然科学基金优秀青年基金资助项目(BK20170100);江苏省重点研发计划基金资助项目(BE2017166)

CAN bus flood attack detection based on communication characteristics

Yimu JI^1,^2,^3,⁴,Zhipeng JIAO^1,³(),Shangdong LIU^1,^2,^3,⁴,Fei WU^3,⁵,Jing SUN^1,³,Na WANG^1,³,Zhiyu CHEN^1,³,Qiang BI^1,³,Penghao TIAN^1,³

¹ School of Computer Science,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
² Jiangsu Key Laboratory of High-Tech Research on Wireless Sensor Networks,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
³ Institute of High Performance Computing and Big Data Processing,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
⁴ Research Center for High Performance Computing and Intelligent Processing Engineering,Nanjing University of Posts and Telecommunications,Nanjing 210023,China;5.School of Automation,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
⁵ School of Automation,Nanjing University of Posts and Telecommunications,Nanjing 210023,China

Revised:2019-07-29 Online:2020-02-15 Published:2020-03-23
Supported by:
The National Key R＆D Program of China(2017YFB1401302);The National Key R＆D Program of China(2017YFB0202200);The National Natural Science Foundation of China(61572260);The National Natural Science Foundation of China(61872196);The Jiangsu Natural Science Foundation Excellent Youth Fund Project(BK20170100);The Jiangsu Provincial Key R＆D Program(BE2017166)

摘要/Abstract

摘要：

CAN由于其突出的可靠性和灵活性，已成为当代汽车应用最广泛的现场总线。但是标准CAN协议没有提供足够的安全措施，易遭受窃听、重放、泛洪、拒绝服务攻击。为了有效检测 CAN 总线是否遭受到攻击，并在遭受泛洪攻击时将恶意报文滤除。对车载 CAN 总线报文通信特征进行了分析，提出一种入侵检测方法，该方法可以有效进行入侵检测、恶意报文滤除。通过实验验证，该方法可以100%检测出CAN总线是否遭受攻击，恶意报文过滤的准确率可达99%以上。

关键词: CAN总线, 通信特征, 入侵检测, 恶意报文过滤

Abstract:

CAN has become the most extensive fieldbus for contemporary automotive applications due to its outstanding reliability and flexibility.However,the standard CAN protocol does not provide sufficient security measures and is vulnerable to eavesdropping,replay,flooding,and denial of service attacks.In order to effectively detect whether the CAN bus is attacked,and to filter malicious messages when subjected to flooding attacks.The characteristics of vehicle CAN bus message communication were analyzed,and an intrusion detection method was proposed,which could effectively perform intrusion detection and malicious message filtering.Through experimental verification,the method can detect whether the CAN bus is attacked by 100%,and the accuracy of malicious packet filtering can reach over 99%.

Key words: CAN bus, communication characteristics, intrusion detection, malicious message filtering

中图分类号:

TP336

季一木,焦志鹏,刘尚东,吴飞,孙静,王娜,陈治宇,毕强,田鹏浩. 基于通信特征的CAN总线泛洪攻击检测方法[J]. 网络与信息安全学报, 2020, 6(1): 27-37.

Yimu JI,Zhipeng JIAO,Shangdong LIU,Fei WU,Jing SUN,Na WANG,Zhiyu CHEN,Qiang BI,Penghao TIAN. CAN bus flood attack detection based on communication characteristics[J]. Chinese Journal of Network and Information Security, 2020, 6(1): 27-37.

图/表 10

图1

图2

图3

表1

图4

图5

表2

图6

图7

表3

参考文献 15

[1]	WOLF M , WEIMERSKIRCH A , WOLLINGER T ,et al. State of the art:embedding security in vehicles[J]. EURASIP Journal on Embedded Systems, 2007(5): 1-16.
[2]	NOLTE T , HANSSON H , BELLO L L ,et al. Automotive communications-past,current and future[C]// IEEE International Conference on Emerging Technologies and Factory Automation. 2005: 19-22.
[3]	CHECKOWAY S , MCCOY D , KANTOR B ,et al. Comprehensive experimental analyses of automotive attack surfaces[C]// USENIX Security Symposium. 2011.
[4]	AVATEFIPOUR O.MALIK H . State-of-the-art survey on in-vehicle network communication can-bus security and vulnerabilities[J]. Comput Sci Netw, 2017,6: 720-727.
[5]	ANDREEA R , FLAVIO D . LeiA:A lightweight authentication protocol for CAN[C]// Computer Science-ESORIC, 2016: 283-300
[6]	YING X , BERNIERI G , CONTI M ,et al. TACAN:transmitter authentication through covert channels in controller area networks[J].arXiv preprint arXiv.1903.05231,2019. arXiv preprint arXiv.1903.05231, 2019.
[7]	HOPPE T , KILTZ S , DITTMANN J ,et al. Security threats to automotive can networks practical examples and selected short term countermeasures[J]. Reliability Engineering and System Safety, 2011(96): 11-25.
[8]	TAYLOR A , JAPKOWICZ N , LEBLANC S ,et al. Frequency-based anomaly detection for the automotive CAN bus[C]// World Congress on Industrial Control Systems Security. 2015: 45-49.
[9]	SONG H M , KIM H R , KIM H K ,et al. Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network[C]// 2016 International Conference on Information Networking (ICOIN). 2016: 63-68.
[10]	MUTER M , ASAJ N . Entropy-based anomaly detection for in-vehicle networks[J]..2011:1110-1115. IEEE Intelligent Vehicles Symposium, 2011: 1110-1115.
[11]	MUTER M , GROLL A , FRELING F ,et al. A structured approach to anomaly detection for in-vehicle networks[C]// International Conference on Information Assurance and Security. 2010: 92-98.
[12]	MOORE M R , BRIDGES R A , COMBS F L ,et al. Modeling inter-signal arrival times for accurate detection of can bus signal injection attacks:a data-driven approach to in-vehicle intrusion detection[C]// Annual Conference on Cyber and Information Security Research. 2017:11.
[13]	MILLER C , VALASEK C . Adventures in automotive networks and control units[C]// Def Con. 2013: 260-264.
[14]	MILLER C , VALASEK C . A survey of remote automotive attack surfaces[C]// BlackHat USA, 2014:94.
[15]	SAGONG S U , YING X , BUSHNELL L ,et al. Exploring attack surfaces of voltage-based intrusion detection systems in controller area networks[C]// ESCAR Europe 2018. 2018: 1-13.

索引	接收时间	发送/接收	ID	帧类型	帧格式	长度	字节0	字节1	字节2	字节3	字节4	字节5	字节6	字节 7
1	000.001.335	接收	OCFF01DC	数据帧	扩展帧	8	0	0	0	0	8	0	0	128
2	000.016.289	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
3	000.019.992	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
4	000.002.463	接收	08FF01DD	数据帧	扩展帧	8	8	152	0	0	0	0	0	0
5	000.010.220	接收	OCFF00DC	数据帧	扩展帧	8	132	12	69	0	0	0	0	16
6	000.007.359	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
7	000.019.993	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
8	000.000.560	接收	17COEEF4	数据帧	扩展帧	8	209	14	14	166	14	15	58	1
9	000.000.568	接收	17COEEF4	数据帧	扩展帧	8	150	0	186	13	4	78	0	0
10	000.000.584	接收	17FF00F4	数据帧	扩展帧	8	0	0	0	0	0	0	0	0
11	000.000.607	接收	18C00501	数据帧	扩展帧	8	0	0	3	0	0	0	0	0
12	000.009.985	接收	08FF00DD	数据帧	扩展帧	8	0	0	171	1	0	0	0	0
13	000.007.689	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1
14	000.003.654	接收	0CFF01DC	数据帧	扩展帧	8	0	0	0	0	8	0	0	144
15	000.000.578	接收	401	数据帧	扩展帧	8	0	2	0	0	0	0	0	0
16	000.015.782	接收	18C00301	数据帧	扩展帧	8	186	13	150	78	0	66	72	1

接收时间	ID	字节0	字节1	字节2	字节3	字节4	字节5	字节6	字节7
32.016	CFF01DC	0	0	1	0	8	0	0	32
132.845	CFF01DC	0	0	1	0	8	0	0	48
232.033	CFF01DC	0	0	1	0	8	0	0	64
332.203	CFF01DC	0	0	1	0	8	0	0	80
432.096	CFF01DC	0	0	1	0	8	0	0	96
532.469	CFF01DC	0	0	1	0	8	0	0	112
632.033	CFF01DC	0	0	1	0	8	0	0	128
732.047	CFF01DC	0	0	1	0	8	0	0	144
832.423	CFF01DC	0	0	1	0	8	0	0	160
932.861	CFF01DC	0	0	1	0	8	0	0	176
1032.065	CFF01DC	0	0	1	0	8	0	0	192
1132.058	CFF01DC	0	0	1	0	8	0	0	208
1232.251	CFF01DC	0	0	1	0	8	0	0	224
1332.487	CFF01DC	0	0	1	0	8	0	0	240
1432.079	CFF01DC	0	0	1	0	8	0	0	0
1532.063	CFF01DC	0	0	1	0	8	0	0	16
1632.116	CFF01DC	0	0	1	0	8	0	0	32
1732.500	CFF01DC	0	0	1	0	8	0	0	48
1832.062	CFF01DC	0	0	1	0	8	0	0	64

检测系统	攻击检测准确率	恶意报文过滤准确率
CLAD	100.00%	大于99.00%
IDS based on the analysis of time intervals^[9]	100.00%	—
IDS based on anomaly frequency^[12]	99.98%	—

基于通信特征的CAN总线泛洪攻击检测方法

CAN bus flood attack detection based on communication characteristics

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 15

相关文章 5

Metrics

推荐阅读 0

[1]	赵淦森,谢智健,王欣明,何嘉浩,张成志,林成创,ZihengZhou,陈冰川,ChunmingRong. ContractGuard：面向以太坊区块链智能合约的入侵检测系统[J]. 网络与信息安全学报, 2020, 6(2): 35-55.
[2]	张斌,李立勋,董书琴. 基于改进SOINN算法的恶意软件增量检测方法[J]. 网络与信息安全学报, 2019, 5(6): 21-30.
[3]	燕昺昊,韩国栋. 基于深度循环神经网络和改进SMOTE算法的组合式入侵检测模型[J]. 网络与信息安全学报, 2018, 4(7): 48-59.
[4]	王佳林, 刘吉强, 赵迪, 王盈地, 相迎宵, 陈彤, 童恩栋, 牛温佳. 基于非对称卷积自编码器和支持向量机的入侵检测模型[J]. 网络与信息安全学报, 2018, 4(11): 57-68.
[5]	樊迪,刘静,庄俊玺,赖英旭. 基于因果知识发现的攻击场景重构研究[J]. 网络与信息安全学报, 2017, 3(4): 58-68.