Search

CN-122027216-A - Method, device and storage medium for detecting abnormal bus message

CN122027216ACN 122027216 ACN122027216 ACN 122027216ACN-122027216-A

Abstract

The application discloses a method and a device for detecting abnormal bus messages and a storage medium, and belongs to the technical field of vehicle control. The method comprises the steps of responding to the starting of a vehicle, receiving a data frame from a CAN bus and recording the receiving time, responding to the detection result that the data frame meets the communication protocol specification, determining an identifier of the data frame and a data domain semantic value, responding to the fact that the identifier of the data frame is contained in a preset identifier of a detection table, calculating a time interval from the time of receiving the data frame which is received the same as the last time, responding to the fact that the time interval is larger than or equal to a time interval threshold value, and responding to the fact that the data domain semantic value of the data frame is in a data domain value range, calculating the change speed from the data frame which is received the last time and is the same as the data frame which is received the last time to the data domain semantic value of the data frame, and responding to the fact that the change speed of the data domain semantic value is larger than the data threshold value, confirming that the data frame is an illegal data frame and discarding. And the CAN bus is subjected to abnormality detection.

Inventors

  • ZHU YIDONG
  • JIN XINKAI

Assignees

  • 奇瑞新能源汽车股份有限公司

Dates

Publication Date
20260512
Application Date
20260106

Claims (10)

  1. 1. The method for detecting the abnormal bus message is characterized by comprising the following steps: Acquiring a start-stop state of a vehicle, wherein the start-stop state of the vehicle comprises a vehicle start and a vehicle sleep; receiving a data frame from a Controller Area Network (CAN) bus and recording a receiving time in response to the start-stop state of the vehicle as the start of the vehicle; Analyzing the data frame, and obtaining a detection result of a communication protocol specification of the data frame, wherein the detection result of the communication protocol specification is used for indicating whether the data frame meets the communication protocol specification or not; determining an identifier and a data domain semantic value of the data frame in response to obtaining a detection result that the data frame meets the communication protocol specification; Responding to the identifier of the data frame contained in a preset identifier of a detection table, calculating the time interval between the last time of receiving the data frame and the last time of receiving the data frame of the same identifier, wherein the detection table is used for detecting CAN bus abnormality, the detection table comprises the preset identifier, a data domain value range, a last frame time value, a time interval threshold and a data threshold, the data domain value range comprises the maximum value and the minimum value of a data domain semantic value, the last frame time value is the time of last receiving the data frame of a certain preset identifier, the last frame data value is the data domain semantic value of last time of receiving the data frame of a certain preset identifier, the time interval threshold is the minimum time interval between the data frames of two continuous identical identifiers, and the data threshold is the maximum change speed of the data city semantic value of the data frames of two continuous identical identifiers; Calculating a change speed from a last received data frame of the same identifier to a data field semantic value of a current received data frame in the data field semantic value range in response to the time interval being greater than or equal to the time interval threshold; and in response to the change speed of the data domain semantic value being greater than the data threshold, confirming that the data frame is an illegal data frame and discarding the illegal data frame.
  2. 2. The method according to claim 1, wherein the method further comprises: And in response to the detection result that the data frame does not meet the communication protocol specification, the identifier of the data frame is not contained in the preset identifier of the detection table, the time interval is smaller than the time interval threshold, or the data domain semantic value of the data frame is not in the data domain value range, the data frame is confirmed to be the illegal data frame and discarded.
  3. 3. The method according to claim 1, wherein the method further comprises: In response to the data field semantic value of the data frame exceeding the data field value range, updating a last frame time value of an identifier corresponding to the data frame in the detection table to the time when the data frame is received this time, and updating a last frame data value of an identifier corresponding to the data frame to a maximum or minimum value of the data field semantic value, and/or And in response to the change speed of the data domain semantic value being greater than the data threshold, updating a last frame time value of an identifier corresponding to the data frame in the detection table to be the time of receiving the data frame, and updating a last frame data value of the identifier corresponding to the data frame to be the data domain semantic value of the data frame.
  4. 4. The method of claim 1, wherein the data frame comprises an arbitration segment, a control segment, a data field, a check field, a start of frame, a reply field, and an end of frame, and wherein the obtaining the detection result of the communication protocol specification of the data frame comprises: Acquiring a detection result of Cyclic Redundancy Check (CRC), wherein the detection result of the CRC is used for indicating whether the data frame passes the CRC; And responding to the situation that the digits of the arbitration section, the control section, the data field, the check field, the frame start, the response field and the frame end all meet preset digit standards, and obtaining a detection result that the data frame meets the communication protocol specification by the CRC from the arbitration section, the control section, the data field, the check field, the frame start, the response field to the frame end without more than five continuous identical digits.
  5. 5. The method of claim 4, wherein said determining the identifier and data field semantic value of the data frame comprises: Extracting the identifier from the arbitration segment; extracting original bytes corresponding to the semantic value of the data field from the data field according to the data length code DLC in the control section; and converting the original bytes corresponding to the data domain semantic values into the data domain semantic values according to a preset decoding rule, wherein the preset decoding rule corresponds to the identifier.
  6. 6. The method according to claim 1, wherein calculating a rate of change of the semantic value of the data field from the last received data frame of the same identifier to the current received data frame comprises: Calculating the difference value between the data domain semantic value of the data frame with the same identifier received last time and the data domain semantic value of the data frame received this time; And calculating the quotient of the difference value and the time interval, and taking the calculation result as the change speed of the semantic value of the data domain from the data frame with the same identifier received last time to the data frame received this time.
  7. 7. The method according to claim 1, wherein the method further comprises: and responding to the start-stop state of the vehicle to sleep the vehicle, and stopping the detection operation of the bus abnormal message.
  8. 8. A device for detecting bus anomaly messages, the device comprising: The first acquisition module is used for acquiring the start-stop state of the vehicle, wherein the start-stop state of the vehicle comprises vehicle start and vehicle dormancy; The receiving module is used for responding to the start-stop state of the vehicle to start the vehicle, receiving a data frame from a Controller Area Network (CAN) bus and recording the receiving time; the second acquisition module is used for analyzing the data frame and acquiring a detection result of a communication protocol specification of the data frame, wherein the detection result of the communication protocol specification is used for indicating whether the data frame meets the communication protocol specification or not; a determining module, configured to determine an identifier and a data field semantic value of the data frame in response to obtaining a detection result that the data frame meets the communication protocol specification; The first calculation module is used for responding to the fact that the identifier of the data frame is contained in a preset identifier of a detection table, calculating the time interval of the data frame which is received at this time and is the same as the data frame which is received at last, wherein the detection table is used for detecting CAN bus abnormality, the detection table comprises the preset identifier, a data domain value range, a last frame time value, a last frame data value, a time interval threshold and a data threshold, the data domain value range comprises the maximum value and the minimum value of the data domain semantic value, the last frame time value is the time of the data frame which is received at last time of a certain preset identifier, the last frame data value is the data domain semantic value of the data frame which is received at last time of a certain preset identifier, the time interval threshold is the minimum time interval between the data frames which are received at last time of two continuous identical identifiers, and the data threshold is the maximum change speed of the data domain semantic value of the data frame of the two continuous identical identifiers; A second calculating module, configured to calculate, in response to the time interval being greater than or equal to the time interval threshold, a rate of change of the data domain semantic value of the data frame from the data frame with the same identifier received last time to the data domain semantic value of the data frame received this time, in the data domain value range; and the first confirming module is used for responding to the change speed of the semantic value of the data domain is larger than the data threshold value, confirming that the data frame is an illegal data frame and discarding the illegal data frame.
  9. 9. A computer program product comprising computer instructions which, when executed by a processor, implement the steps of the method of detecting bus anomaly messages according to any one of claims 1 to 7.
  10. 10. A non-transitory computer readable storage medium, wherein a computer program is stored in the computer readable storage medium, and the computer program is loaded and executed by a processor to implement the method for detecting a bus anomaly message according to any one of claims 1 to 7.

Description

Method, device and storage medium for detecting abnormal bus message Technical Field The embodiment of the application relates to the technical field of vehicle control, in particular to a method and a device for detecting a bus abnormal message and a storage medium. Background With the rapid development of technologies such as internet of things and mobile communication, the informatization and internet connection degree of vehicles are continuously improved, so that vehicle information security events frequently occur in recent years, and vehicles face serious information security problems. In the history event, an attacker sends malicious instructions to control the vehicle through the in-vehicle network after invading the vehicle through various ways, and serious threat is caused to the information security of the vehicle. Typically, a CAN (Controller Area Network ) bus is the most widely used in-vehicle network bus protocol for transmitting control commands and status information within a vehicle. Therefore, how to detect the abnormality of the CAN bus is the core of ensuring the safety of the in-vehicle network. Disclosure of Invention The embodiment of the application provides a method and a device for detecting a bus abnormal message and a storage medium, which CAN be used for detecting the abnormality of a CAN bus. The technical scheme is as follows: in one aspect, an embodiment of the present application provides a method for detecting a bus abnormal packet, where the method includes: Acquiring a start-stop state of a vehicle, wherein the start-stop state of the vehicle comprises a vehicle start and a vehicle sleep; receiving a data frame from a Controller Area Network (CAN) bus and recording a receiving time in response to the start-stop state of the vehicle as the start of the vehicle; Analyzing the data frame, and obtaining a detection result of a communication protocol specification of the data frame, wherein the detection result of the communication protocol specification is used for indicating whether the data frame meets the communication protocol specification or not; determining an identifier and a data domain semantic value of the data frame in response to obtaining a detection result that the data frame meets the communication protocol specification; Responding to the identifier of the data frame contained in a preset identifier of a detection table, calculating the time interval between the last time of receiving the data frame and the last time of receiving the data frame of the same identifier, wherein the detection table is used for detecting CAN bus abnormality, the detection table comprises the preset identifier, a data domain value range, a last frame time value, a time interval threshold and a data threshold, the data domain value range comprises the maximum value and the minimum value of a data domain semantic value, the last frame time value is the time of last receiving the data frame of a certain preset identifier, the last frame data value is the data domain semantic value of last time of receiving the data frame of a certain preset identifier, the time interval threshold is the minimum time interval between the data frames of two continuous identical identifiers, and the data threshold is the maximum change speed of the data city semantic value of the data frames of two continuous identical identifiers; Calculating a change speed from a last received data frame of the same identifier to a data field semantic value of a current received data frame in the data field semantic value range in response to the time interval being greater than or equal to the time interval threshold; and in response to the change speed of the data domain semantic value being greater than the data threshold, confirming that the data frame is an illegal data frame and discarding the illegal data frame. On the other hand, a detection device for bus abnormal messages is provided, and the device comprises: The first acquisition module is used for acquiring the start-stop state of the vehicle, wherein the start-stop state of the vehicle comprises vehicle start and vehicle dormancy; The receiving module is used for responding to the start-stop state of the vehicle to start the vehicle, receiving a data frame from a Controller Area Network (CAN) bus and recording the receiving time; the second acquisition module is used for analyzing the data frame and acquiring a detection result of a communication protocol specification of the data frame, wherein the detection result of the communication protocol specification is used for indicating whether the data frame meets the communication protocol specification or not; a determining module, configured to determine an identifier and a data field semantic value of the data frame in response to obtaining a detection result that the data frame meets the communication protocol specification; The first calculation module is used for responding to the fact that the iden