KR-20260067796-A - NETWORK SYNCHRONIZATION ENVIRONMENT BASED TIME MANIPULATION DETECTION DEVICE AND METHOD
Abstract
A device and method for detecting time manipulation in a vehicle infotainment system connected to a smartphone are disclosed. A time manipulation detection device according to one embodiment of the present invention includes: a data collection unit that collects log data including at least one of a system log and a near-field wireless communication log, respectively, from a vehicle terminal and a smartphone connected to the vehicle terminal; and a log analysis unit that analyzes at least one of the near-field wireless communication log and the system log according to a preset first analysis criterion to detect traces of suspected time manipulation, and analyzes the system log according to a preset second analysis criterion to perform time manipulation detection.
Inventors
- 조성제
- 정지헌
- 조민혁
Assignees
- 단국대학교 산학협력단
Dates
- Publication Date: 20260513
- Application Date: 20241106
Claims (20)
- A time manipulation detection device comprising: a data collection unit that collects log data including at least one of a system log and a short-range wireless communication log from an analysis target in a network synchronization environment; and a log analysis unit that analyzes at least one of the short-range wireless communication log and the system log according to a preset first analysis criterion to detect traces of suspected time manipulation, and analyzes the system log according to a preset second analysis criterion to perform time manipulation detection.
- The time manipulation detection device of claim 1, wherein the analysis target includes at least one of a vehicle terminal and a user terminal, and the user terminal includes at least one of a mobile communication terminal and a wired terminal.
- The time manipulation detection device of claim 2, wherein the log analysis unit determines that there is a trace of suspected time manipulation when it finds a preset suspected time manipulation log message in the system log.
- The time manipulation detection device of claim 3, wherein the log analysis unit determines that there is a trace of suspected time manipulation when it detects, in the system log, a suspected time manipulation log message that includes a network synchronization off state.
- The time manipulation detection device of claim 4, wherein the log analysis unit, after detecting the trace of suspected time manipulation, identifies the manipulated time through a preset time manipulation log message in the system log.
- The time manipulation detection device of claim 1, wherein the short-range wireless communication log includes a 1-1 log and a 1-2 log, and the log analysis unit recognizes a suspicion of time manipulation when it finds, in the 1-1 log or the 1-2 log of a forward reference event occurrence scenario, a time stamp changed to a reverse reference date or time.
- The time manipulation detection device of claim 6, wherein the log analysis unit detects a preset time manipulation log message from a specific log message among the 2-2 logs and performs time manipulation detection.
- The time manipulation detection device of claim 7, wherein the log analysis unit detects, from the 2-1 log, a preset time manipulation file generated during time manipulation, and detects time manipulation by analyzing the time manipulation file.
- The time manipulation detection device of claim 1, wherein the log analysis unit recognizes suspected time manipulation when a preset suspected time manipulation message is found between forward reference log messages of time.
- The time manipulation detection device of claim 1, wherein the log analysis unit identifies the actual time prior to time manipulation through system log analysis according to a preset third analysis criterion.
- The time manipulation detection device of claim 10, wherein the log analysis unit identifies a log message containing a preset Greenwich Mean Time (GMT) from a specific log file among the 2-1 logs, and determines the actual time by applying regional time differences to the identified Greenwich Mean Time.
- A time manipulation detection method performed by a time manipulation detection device, the method comprising: collecting, from an analysis target, log data including at least one of a system log and a short-range wireless communication log; detecting traces of suspected time manipulation by analyzing at least one of the short-range wireless communication log and the system log according to a preset first analysis criterion; and performing time manipulation detection by analyzing the system log according to a preset second analysis criterion.
- The time manipulation detection method of claim 12, wherein the analysis target includes at least one of a vehicle terminal and a user terminal, and the user terminal includes at least one of a mobile communication terminal and a wired terminal.
- The time manipulation detection method of claim 13, wherein, in the step of detecting traces of suspected time manipulation, a trace of suspected time manipulation is determined when a preset suspected time manipulation log message is found in the system log.
- The time manipulation detection method of claim 14, wherein, in the step of detecting traces of suspected time manipulation, a trace of suspected time manipulation is determined when a suspected time manipulation log message that includes a network synchronization off state is detected in the system log.
- The time manipulation detection method of claim 15, wherein, in the step of performing time manipulation detection, after the trace of suspected time manipulation is found, the manipulated time is identified through a preset time manipulation log message in the system log.
- The time manipulation detection method of claim 12, wherein the short-range wireless communication log includes a 1-1 log and a 1-2 log, and, in the step of detecting traces of suspected time manipulation, a suspicion of time manipulation is recognized when a time stamp changed to a reverse reference date or time is found in the 1-1 log or the 1-2 log of a forward reference event occurrence scenario.
- The time manipulation detection method of claim 17, wherein, in the step of performing time manipulation detection, a preset time manipulation log message is detected from a specific log message among the 2-2 logs and time manipulation detection is performed.
- The time manipulation detection method of claim 18, wherein, in the step of performing time manipulation detection, a preset time manipulation file generated during time manipulation is detected from the 2-1 log, and time manipulation is detected by analyzing the time manipulation file.
- The time manipulation detection method of claim 12, wherein, in the step of detecting traces of suspected time manipulation, suspected time manipulation is recognized when a preset suspected time manipulation message is found between forward reference log messages of time.
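The three analysis criteria in the claims, sketched as an added example that is not part of the patent text. The log line format, the message markers, the UTC+9 offset and all function names are assumptions constructed for illustration, and the "reverse reference" time stamp is read here as a time stamp earlier than the line recorded just before it.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Hypothetical message markers; the patent text does not publish the real strings.
SYNC_OFF, TIME_SET, GMT_KEY = "network_time_sync=off", "TIME set_by_user new=", "gmt="

# Constructed sample, listed in the order the lines were written to the log.
SAMPLE_LOG = """\
2024-11-06 09:00:01 BT connect device=phone
2024-11-06 09:00:05 SETTINGS network_time_sync=off
2024-11-06 09:00:09 TIME set_by_user new=2024-11-01 08:00:00
2024-11-01 08:00:03 BT file_transfer start
2024-11-01 08:00:10 NET gmt=2024-11-06 00:00:20
2024-11-01 08:00:15 BT disconnect device=phone
"""

def parse(text):
    """Return (timestamp, message) pairs, preserving recorded order."""
    return [(datetime.strptime(l[:19], FMT), l[20:])
            for l in text.splitlines() if len(l) > 20]

def suspected_traces(entries):
    """First criterion: sync-off message, or a timestamp earlier than the line before it."""
    hits = []
    for i, (ts, msg) in enumerate(entries):
        if SYNC_OFF in msg:
            hits.append((i, "sync_off"))
        if i > 0 and ts < entries[i - 1][0]:
            hits.append((i, "backward_jump"))
    return hits

def manipulated_time(entries):
    """Second criterion: the value carried by the time-change message, if present."""
    for _, msg in entries:
        if msg.startswith(TIME_SET):
            return datetime.strptime(msg[len(TIME_SET):][:19], FMT)
    return None

def actual_time(entries, utc_offset_hours):
    """Third criterion: GMT value found in the log plus the regional offset."""
    for _, msg in entries:
        if GMT_KEY in msg:
            gmt = datetime.strptime(msg.split(GMT_KEY, 1)[1][:19], FMT)
            return gmt + timedelta(hours=utc_offset_hours)
    return None

if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    print(suspected_traces(log), manipulated_time(log), actual_time(log, 9))
```

The backward-jump check depends on the entries being in recorded order, so it must run before any sorting by time stamp.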
Description
Network Synchronization Environment-Based Time Manipulation Detection Device and Method
The disclosed embodiments relate to a time manipulation detection device and method based on a network synchronization environment.
A vehicle infotainment system can refer to an integrated system that combines information, meaning driving and navigation, with entertainment, meaning various forms of entertainment and human-friendly functions. Such a vehicle infotainment system can provide various services by connecting to devices present in the vehicle (e.g., smartphones) through communication methods such as Bluetooth, Wi-Fi, and USB.
Devices connected through such communication may be subject to anti-forensics, in which various information, including time, is manipulated by operators with malicious intent. Anti-forensics may refer to acts that degrade the existence, quantity, and quality of digital evidence through data forgery, alteration, concealment, the use of passwords, destruction, or manipulation of timestamps, thereby making forensic investigations difficult or impossible. Accordingly, those working in related technologies are researching techniques to detect various anti-forensic activities, including the manipulation of timestamps occurring in network synchronization environments.
- FIG. 1 is a block diagram illustrating a time manipulation detection device according to one embodiment.
- FIGS. 2 to 6 are embodiments for explaining a method for detecting time manipulation according to one embodiment.
- FIG. 7 is a flowchart illustrating a time manipulation detection method according to one embodiment.
- FIG. 8 is a block diagram illustrating a computing environment including a computing device according to one embodiment.
Hereinafter, specific embodiments of the present invention will be described with reference to the drawings. The following detailed description is provided to facilitate a comprehensive understanding of the methods, apparatuses, and/or systems described herein. However, this is merely illustrative and the present invention is not limited thereto.
In describing the embodiments of the present invention, detailed descriptions of known technologies related to the present invention are omitted if it is determined that such detailed descriptions may unnecessarily obscure the essence of the present invention. Furthermore, the terms described below are defined in consideration of their functions within the present invention, and these may vary depending on the intentions or practices of the user or operator. Therefore, such definitions should be based on the content throughout this specification. Terms used in the detailed description are intended merely to describe the embodiments of the present invention and should not be limiting in any way. Unless explicitly stated otherwise, expressions in the singular form include the meaning of the plural form. In this description, expressions such as "include" or "comprise" are intended to refer to certain characteristics, numbers, steps, actions, elements, parts thereof, or combinations thereof, and should not be interpreted to exclude the existence or possibility of one or more other characteristics, numbers, steps, actions, elements, parts thereof, or combinations thereof other than those described.
FIG. 1 is a block diagram illustrating a time manipulation detection device according to one embodiment. Hereinafter, a method for detecting time manipulation according to one embodiment will be described with reference to FIGS. 2 to 6, which are embodiments for explaining the method.
Referring to FIG. 1, the time manipulation detection device (100) includes a data collection unit (110), a log analysis unit (120), and an evaluation unit (130). The components illustrated in FIG. 1 are not essential for implementing the time manipulation detection device (100) according to the present disclosure, so the time manipulation detection device (100) described herein may have more or fewer components than those listed above. The components illustrated in FIG. 1 may be connected to each other so as to be communicable through a communication network (not shown). In some embodiments, the communication network may include the Internet, one or more local area networks, wide area networks, cellular networks, mobile networks, other types of networks, or a combination of these networks.
The data collection unit (110) can collect log data including at least one of system logs and short-range wireless communication logs from an analysis target in a network synchronization environment. The analysis target may include at least one of a vehicle terminal and a user terminal. The user terminal may include at least one of a mobile communication terminal and a wired terminal. The vehicle terminal refers to a terminal that implements a vehicle infotainment system equipped in a vehicle, and can provide various services based on navigation, audio, and v