
CN-116707965-B - Threat detection method and device, storage medium and electronic equipment


Abstract

The present disclosure relates to a threat detection method, apparatus, computer-readable storage medium, and electronic device. The threat detection method comprises the steps of carrying out threat detection on message data based on a threat detection rule set to obtain a first detection result, carrying out threat detection on the message data based on an intelligent detection model to obtain a second detection result, determining that the detection result is abnormal when the first detection result or the second detection result indicates that the message data is abnormal, determining a dispute data set when the first detection result and the second detection result are inconsistent, and updating the threat detection rule set based on the dispute data set. The method and the device can detect the known threat and the unknown threat, improve the overall detection rate, and simultaneously reduce the false alarm rate and the missing report rate.

Inventors

  • ZHANG YINGYING
  • SHI GUIZHEN
  • LI CHUNJIANG

Assignees

  • 中汽创智科技有限公司

Dates

Publication Date
20260508
Application Date
20230630

Claims (8)

  1. A method of threat detection, the method comprising: obtaining message data in a controller area network bus; carrying out threat detection on the message data based on a threat detection rule set to obtain a first detection result, wherein the threat detection rule set comprises at least one threat detection rule; carrying out threat detection on the message data based on an intelligent detection model to obtain a second detection result; determining that the detection result is data abnormal in the case that the first detection result or the second detection result indicates that the message data is abnormal, wherein the data abnormal comprises at least one of a replay attack, a fuzzing attack and a denial of service attack; and, under the condition that the first detection result and the second detection result are inconsistent, determining a dispute data set and updating the threat detection rule set based on the dispute data set, wherein the dispute data set comprises message data whose detection result is abnormal together with the first detection information and the second detection information corresponding to that message data; wherein updating the threat detection rule set based on the dispute data set comprises, under the condition that the first detection result is data normal and the second detection result is data abnormal, extracting data characteristics of the dispute data set, determining a first target classification mapping relation based on the data characteristics and the second detection result, determining a first target threat detection rule set based on the first target classification mapping relation, and adding the first target threat detection rule set to the threat detection rule set; and wherein updating the threat detection rule set based on the dispute data set further comprises determining a new target classification rule set based on the first target classification rule set and the second target classification rule set when the first detection result is data abnormal and the second detection result is data normal.
  2. The method of claim 1, wherein the threat detection rule includes a period parameter and a threshold parameter, and wherein carrying out threat detection on the message data based on the threat detection rule to obtain the first detection result includes at least one of: determining that the first detection result of the message data is a denial of service attack (a data abnormality) under the condition that the interval time between occurrences of the message data is smaller than the interval time determined based on the period parameter; determining that the first detection result of the message data is a fuzzing attack (a data abnormality) under the condition that the number of consecutive occurrences of the message data is larger than a preset number and the payload of the message data is random; and determining that the first detection result of the message data is a replay attack (a data abnormality) under the condition that the interval time between occurrences of the message data is larger than the interval time determined based on the period parameter and the frequency of occurrence of the message data is larger than the threshold value determined based on the threshold parameter.
  3. The method according to claim 1 or 2, wherein carrying out threat detection on the message data based on the intelligent detection model to obtain the second detection result includes: inputting the message data into the intelligent detection model; carrying out classification mapping on the message data based on the message data classification mapping relation in the intelligent detection model to obtain a classification result, wherein the classification result comprises data normal or data abnormal, and the data abnormal comprises at least one of a replay attack, a fuzzing attack and a denial of service attack; and determining the second detection result based on the classification result.
  4. The method of claim 3, wherein before threat detection is carried out on the message data based on the intelligent detection model to obtain the second detection result, the method further comprises: acquiring historical message data and preprocessing the historical message data, wherein the preprocessing comprises at least one of data cleaning, data sampling and data feature extraction; labeling the preprocessed historical message data, wherein normal message data is labeled as normal and message data that may carry a threat is labeled as abnormal; training the intelligent detection model based on the labeled historical message data, wherein the intelligent algorithm contained in the intelligent detection model comprises at least one of naive Bayesian classification, a support vector machine, a decision tree, a random forest and a neural network; and evaluating the trained intelligent detection model, wherein the evaluation index comprises at least one of the precision, the accuracy and the recall rate of the intelligent detection model.
  5. The method according to claim 1, wherein the method further comprises: determining that the detection result is normal under the condition that the first detection result and the second detection result both indicate that the message data is normal.
  6. A threat detection apparatus, the apparatus comprising: a data acquisition module, used for acquiring message data in a controller area network bus; a first detection module, used for carrying out threat detection on the message data based on a threat detection rule set to obtain a first detection result, wherein the threat detection rule set comprises at least one threat detection rule; a second detection module, used for carrying out threat detection on the message data based on an intelligent detection model to obtain a second detection result; a data anomaly determination module, used for determining that the detection result is a data anomaly under the condition that the first detection result or the second detection result indicates that the message data is abnormal, wherein the data anomaly comprises at least one of a replay attack, a fuzzing attack and a denial of service attack; and a rule updating module, used for determining a dispute data set under the condition that the first detection result and the second detection result are inconsistent and for updating the threat detection rule set based on the dispute data set, wherein the dispute data set comprises message data whose detection result is abnormal together with the first detection information and the second detection information corresponding to that message data; wherein the rule updating module is further used for extracting data characteristics of the dispute data set under the condition that the first detection result is normal data and the second detection result is abnormal data, determining a first target classification mapping relation based on the data characteristics and the second detection result, determining a first target threat detection rule based on the first target classification mapping relation, adding the first target threat detection rule to the threat detection rule set, and determining a second target detection rule based on the first target classification relation and the second target classification relation when the first detection result is abnormal data and the second detection result is normal data.
  7. A computer readable storage medium having stored therein at least one instruction or at least one program loaded and executed by a processor to implement the threat detection method of any of claims 1 to 5.
  8. An electronic device comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor, the at least one processor implementing the threat detection method of any of claims 1 to 5 by executing the instructions stored in the memory.

Description

Threat detection method and device, storage medium and electronic equipment

Technical Field

The disclosure relates to the field of information security, and in particular to a threat detection method, a threat detection device, a storage medium and electronic equipment.

Background

Common controller area network bus threat detection methods are generally divided into two types: detection methods based on intelligent analysis and detection methods based on rules, the latter carrying out threat detection by matching keywords or statistical thresholds. Both detection systems have advantages and disadvantages. The rule-based detection method matches message characteristics against rules defined by manual summarization and outputs the corresponding threat event once the condition defined by a rule is met. Its detection effect depends on the completeness of the rule formulation and the accuracy of the threshold settings, so it detects known threats well but misses unknown threats.

Disclosure of Invention

In order to solve at least one technical problem set forth above, the present disclosure proposes a threat detection method, apparatus, storage medium, and electronic device.
According to one aspect of the disclosure, a threat detection method is provided, which includes obtaining message data in a controller area network bus; carrying out threat detection on the message data based on a threat detection rule set to obtain a first detection result, wherein the threat detection rule set includes at least one threat detection rule; carrying out threat detection on the message data based on an intelligent detection model to obtain a second detection result; determining that the detection result is a data abnormality when the first detection result or the second detection result indicates that the message data is abnormal, wherein the data abnormality includes at least one of a replay attack, a fuzzing attack and a denial of service attack; and determining a dispute data set when the first detection result and the second detection result are inconsistent and updating the threat detection rule set based on the dispute data set, wherein the dispute data set includes message data whose detection result is a data abnormality together with the first detection information and the second detection information corresponding to that message data.
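The combination of the two detection results and the dispute-set-driven rule update described in the paragraph above (and in claim 1), as an added example that is not part of the patent: the rule set is modelled as a classification mapping from an assumed feature tuple (CAN ID, inter-arrival time, payload randomness) to a label, the intelligent detection model's output is supplied as input rather than computed, and the sample frames are constructed.

```python
from collections import Counter, defaultdict

def fuse(first, second):
    """Combine the rule-set result and the model result for one frame: the verdict is
    abnormal when either detector says so, and the frame is disputed when they disagree."""
    if first == "normal" and second == "normal":
        return "normal", False
    return (first if first != "normal" else second), first != second

def features(frame):
    """Data characteristics of a frame (assumed feature set, not the patent's):
    CAN ID, inter-arrival time rounded to 10 ms, and whether the payload looks random."""
    payload = frame["payload"]
    return (frame["id"], round(frame["interval"], 2), len(set(payload)) == len(payload))

def update_rules(rules, disputes):
    """Learn from the dispute set: for frames the rules called normal but the model called
    abnormal, map their feature tuple to the model's label (the 'target classification
    mapping relation') and add that mapping as a rule. Returns the number of rules added.
    The opposite case (rules abnormal, model normal) is left to the caller here."""
    mapping = defaultdict(Counter)
    for d in disputes:
        if d["first"] == "normal" and d["second"] != "normal":
            mapping[features(d["frame"])][d["second"]] += 1
    added = 0
    for feat, labels in mapping.items():
        label = labels.most_common(1)[0][0]      # majority label given by the model
        if rules.get(feat) != label:
            rules[feat] = label
            added += 1
    return added

def run(frames, rules, model_results):
    """One detection pass: a rule lookup gives the first result, the supplied model output
    is the second result; returns the fused verdicts and the dispute data set."""
    verdicts, disputes = [], []
    for frame, second in zip(frames, model_results):
        first = rules.get(features(frame), "normal")
        final, disputed = fuse(first, second)
        verdicts.append(final)
        if disputed:   # keep the frame together with both detection results
            disputes.append({"frame": frame, "first": first, "second": second})
    return verdicts, disputes

# Constructed sample: CAN ID 0x123 once at its 100 ms cadence, then two off-cadence copies
# that the (simulated) model labels as replay; an empty rule set calls all three normal.
FRAMES = [{"id": 0x123, "interval": t, "payload": b"\x00\x01\x00\x01"} for t in (0.10, 0.05, 0.05)]
MODEL = ["normal", "replay", "replay"]
```

After one pass the disputed frames become a rule, and a second pass over the same traffic produces no disputes.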
In some possible embodiments, the threat detection rule includes a period parameter and a threshold parameter, and carrying out threat detection on the message data based on the threat detection rule to obtain the first detection result includes at least one of: determining that the first detection result of the message data is a denial of service attack (a data anomaly) if the interval time between occurrences of the message data is less than the interval time determined based on the period parameter; determining that the first detection result of the message data is a fuzzing attack (a data anomaly) if the number of consecutive occurrences of the message data is greater than a preset number and the payload of the message data is random; and determining that the first detection result of the message data is a replay attack (a data anomaly) if the interval time between occurrences of the message data is greater than the interval time determined based on the period parameter and the frequency of occurrence of the message data is greater than the threshold value determined based on the threshold parameter.

In some possible embodiments, carrying out threat detection on the message data based on the intelligent detection model to obtain the second detection result includes inputting the message data into the intelligent detection model, carrying out classification mapping on the message data based on the message data classification mapping relation in the intelligent detection model to obtain a classification result, wherein the classification result includes data normal or data abnormal and the data abnormal includes at least one of a replay attack, a fuzzing attack and a denial of service attack, and determining the second detection result based on the classification result.
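The three rule conditions of the first detection stage as runnable code, added here and not taken from the patent. The rule parameters, the 20 % tolerance used to derive an interval from the period parameter, the one-second window over which frequency is counted, the burst length and the payload-randomness test are all assumptions of this example; the CAN traffic is constructed.

```python
from collections import deque

# One rule per CAN ID; claim 2 names period and threshold, the rest are assumptions of this example.
RULES = {0x123: {"period": 0.10, "threshold": 12, "max_burst": 3}}
TOLERANCE = 0.2  # interval "determined based on the period parameter" = 20 % of the period
WINDOW = 1.0     # seconds over which the frequency (frames per window) is counted

def payload_is_random(payloads):
    # Assumption: a run of pairwise-distinct payloads is treated as a random payload.
    return len(set(payloads)) == len(payloads)

def rule_detect(frames, rules=RULES):
    """frames: (timestamp_s, can_id, payload_bytes) tuples in arrival order.
    Returns one first-detection result per frame: 'normal', 'dos', 'fuzzing' or 'replay'."""
    last_ts, windows, bursts, results = {}, {}, {}, []
    for ts, cid, data in frames:
        rule = rules.get(cid)
        if rule is None:                      # no rule for this ID: the rule stage says normal
            results.append("normal")
            continue
        min_interval = rule["period"] * TOLERANCE
        win = windows.setdefault(cid, deque())   # timestamps of this ID inside the window
        win.append(ts)
        while ts - win[0] > WINDOW:
            win.popleft()
        burst = bursts.setdefault(cid, deque(maxlen=rule["max_burst"] + 1))  # last payloads
        burst.append(data)
        interval = ts - last_ts.get(cid, float("-inf"))  # first frame: infinite interval
        last_ts[cid] = ts
        if interval < min_interval:           # flooding the bus faster than the period allows
            verdict = "dos"
        elif len(burst) > rule["max_burst"] and payload_is_random(burst):
            verdict = "fuzzing"               # too many consecutive frames with random payloads
        elif interval > min_interval and len(win) > rule["threshold"]:
            verdict = "replay"                # not a flood, but more frames per window than allowed
        else:
            verdict = "normal"
        results.append(verdict)
    return results

# Constructed traffic for CAN ID 0x123 (nominal period 100 ms), one scenario per threat type.
def scenarios():
    same = b"\x10\x00\x00\x00"
    return {
        "normal": [(i / 10, 0x123, same) for i in range(20)],          # on cadence
        "dos": [(i / 1000, 0x123, same) for i in range(50)],           # 1 ms flood
        "replay": [(i / 20, 0x123, same) for i in range(40)],          # every 50 ms: twice the rate
        "fuzzing": [(i / 10, 0x123, i.to_bytes(2, "big")) for i in range(8)],  # changing payloads
    }
```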
In some possible embodiments, before threat detection is performed on the message data based on the intelligent detection model to obtain the second detection result, the method further includes obtaining historical message data, preprocessing the historical message data, wherein the preprocessing includes at least one of data cleaning, data sampling and data feature extraction, labeling the preprocessed historical message data, including labeling normal message data as normal, labeling the message data with possible threat as abnormal, training the intelligent detection model based on the labeled historical message data, wherein the intelligent a