HOST-IDS safety detection system and method for vehicle ECU
[ technical field ]
The invention relates to the technical field of vehicle-mounted ECUs, and in particular to a HOST-IDS safety detection system and method for a vehicle ECU.
[ background art ]
Operating systems currently used on vehicle ECUs include Android, Linux, QNX and various RTOSs. Because these systems lack monitoring mechanisms, they are easy targets for attackers, who can steal or tamper with the data held in the vehicle's ECU and thereby compromise the safety of the vehicle and the privacy of the driver. It is therefore desirable to incorporate a HOST IDS security component that monitors the operating state of the ECU system. Monitoring is carried out along the following dimensions: system file integrity, resource usage, processes and the network.
Because the ECU operating system has no security mechanism that monitors its operating environment and modules, an attacker can compromise the ECU remotely, typically by first obtaining root privileges through the program update path. During such an attack the ECU's system files, processes and resource usage change markedly: system files are modified, memory and CPU utilization change, the number of system processes rises or falls, and the network port is breached.
The HOST IDS security component therefore needs to monitor the system environment. While the system is running, the component periodically checks the number and entries of the system files; if they change, the system is being intruded upon. For example: a large change in the ECU's CPU and memory utilization while the system is running indicates that privileges have been escalated and the ECU system is under attack; every process of the ECU system has a fixed process number (PID), and when the system is intruded upon and privileges are escalated, the intruder typically spawns several new processes with new PIDs, which again indicates that the ECU system is under attack; and when an attacker probes the ECU's network port, the ECU's on-board firewall records the behaviour, which is the first layer of protection in the network dimension.
[ summary of the invention ]
The invention aims to remedy these defects by providing a HOST-IDS safety detection system for a vehicle ECU which monitors the integrity of the ECU's system files, the legality of its running threads and the utilization of its CPU and memory, thereby reducing the immeasurable losses caused by information security incidents.
To achieve this aim, the HOST-IDS safety detection system for a vehicle ECU comprises a HOST-IDS security component, which is integrated into the ECU's system in the form of an SDK or a library file; while the ECU's system runs, data on its running state are fed back to the HOST-IDS security component in real time. The HOST-IDS security component comprises a system file monitoring module, a process monitoring module, a resource monitoring module and a network security module, where the output of the system file monitoring module is connected to the process monitoring module, the output of the process monitoring module is connected to the resource monitoring module, and the output of the resource monitoring module is connected to the network security module. The system file monitoring module monitors the integrity of the ECU's system files, the process monitoring module monitors the security of the ECU's system processes, the resource monitoring module monitors the CPU occupancy, and the network security module monitors the security of the ECU's network.
Further, the system file monitoring module monitors operations on the files in the monitored directories and writes a security log record if a file is found to be damaged; it also monitors abnormal file operations and writes a security log record if tampering is detected.
Further, the process monitoring module monitors abnormal system processes and writes a security log record if a process is found to be damaged; it also monitors abnormal output events of system processes and writes a security log record if a process is found to be tampered with.
Further, the resource monitoring module monitors whether the CPU occupancy of the HOST-IDS security component is below 10%; if it is not, the component is considered to be under attack and a security log record is written.
Further, the network security module monitors the ECU system's IP whitelist settings, attack defense settings, session connection count settings and network port scan prevention settings.
The system further comprises a security log file management module, connected to the network security module, which records security events in log form and classifies, stores and uploads the security logs.
The invention also provides a HOST-IDS safety detection method for a vehicle ECU, comprising the following steps:
1) the HOST-IDS security component is integrated into the ECU's system in the form of an SDK or a library file, and while the ECU's system runs, data on its running state are fed back to the HOST-IDS security component in real time;
2) after the ECU system has started, the HOST-IDS security component checks the integrity of the system files at regular intervals: the system periodically feeds back the complete list of system files (count and entries), which is compared with the file list stored by the HOST IDS, and if the two lists are inconsistent a HOST IDS security log is recorded;
3) if the file lists are consistent, the system threads are checked continuously: the thread number list of the monitored system is compared with the thread number list stored by the HOST IDS, and if the two lists are inconsistent a HOST IDS security log is recorded;
4) if the thread number lists are consistent, the utilization of the system memory and CPU is checked continuously: a CPU occupancy below 10% means no attack, while a CPU occupancy above 10% means an attack, and a HOST IDS security log is recorded;
5) finally, the system's network port is checked continuously, i.e. the ECU's network port is monitored at all times by network detection, to prevent intrusion into the ECU system by port scanning or from illegal IP addresses.
Compared with the prior art, the invention has the following advantages:
(1) the invention monitors the security of the vehicle ECU system, which makes it convenient for the vehicle manufacturer to monitor and track the security of the vehicle ECU system;
(2) the detection success rate of the HOST IDS security component is above 97 percent, and its false alarm rate is below 1 percent;
(3) the HOST IDS security component occupies 4MB of RAM and 400KB of ROM, so its hardware footprint is very small;
(4) the invention lets a vehicle manufacturer build up the technical groundwork in advance for certification under WP.29 R155;
(5) the invention protects the vehicle-mounted ECU along two dimensions, the system and the network port, while occupying few hardware resources;
(6) compared with CAN IDS security products, the HOST IDS protects along different dimensions, so it adds protection of those dimensions to a vehicle ECU and to some extent increases the security of vehicle information.
In conclusion, the invention monitors the integrity of the vehicle ECU's system and configuration files, the legality of its running threads and the utilization of its CPU and memory, and helps vehicle manufacturers monitor the security state of the vehicle system, thereby reducing the inestimable losses caused to them by information security incidents.
[ description of the drawings ]
FIG. 1 is a functional logic diagram of the present invention;
FIG. 2 is a flow chart of the detection of the present invention.
[ detailed description of the invention ]
The invention provides a HOST-IDS safety detection system for a vehicle ECU (electronic control unit), comprising a HOST-IDS security component which is integrated into the ECU's system in the form of an SDK (software development kit) or a library file. The HOST-IDS security component comprises a system file monitoring module, a process monitoring module, a resource monitoring module and a network security module, where the output of the system file monitoring module is connected to the process monitoring module, the output of the process monitoring module is connected to the resource monitoring module, and the output of the resource monitoring module is connected to the network security module. The system file monitoring module monitors the integrity of the ECU's system files, the process monitoring module monitors the security of the ECU's system processes, the resource monitoring module monitors the CPU occupancy, and the network security module monitors the security of the ECU's network.
The system file monitoring module monitors operations on the files in the monitored directories and writes a security log record if a monitored file is found to be damaged; it also monitors abnormal file operations and writes a security log record if tampering is detected. The process monitoring module monitors abnormal system processes and writes a security log record if a process is found to be damaged; it also monitors abnormal output events of system processes and writes a security log record if a process is found to be tampered with. The resource monitoring module monitors whether the CPU occupancy of the HOST-IDS security component is below 10%; if it is not, the HOST-IDS security component is considered to be under attack and writes a security log record. The network security module monitors the ECU system's IP whitelist settings, attack defense settings, session connection count settings and network port scan prevention settings. The system also comprises a security log file management module, connected to the network security module, which records security events in log form and classifies, stores and uploads the security logs.
The invention also provides a HOST-IDS safety detection method for a vehicle ECU, comprising the following steps:
1) the HOST-IDS security component is integrated into the ECU's system in the form of an SDK or a library file, and while the ECU's system runs, data on its running state are fed back to the HOST-IDS security component in real time;
2) after the ECU system has started, the HOST-IDS security component checks the integrity of the system files at regular intervals: the system periodically feeds back the complete list of system files (count and entries), which is compared with the file list stored by the HOST IDS, and if the two lists are inconsistent a HOST IDS security log is recorded;
3) if the file lists are consistent, the system threads are checked continuously: the thread number list of the monitored system is compared in real time with the thread number list stored by the HOST IDS, and if the two lists are inconsistent a HOST IDS security log is recorded;
4) if the thread number lists are consistent, the utilization of the system memory and CPU is checked continuously: a CPU occupancy below 10% means no attack, while a CPU occupancy above 10% means an attack, and a HOST IDS security log is recorded;
5) finally, the system's network port is checked continuously, i.e. the ECU's network port is monitored at all times by network detection, to prevent intrusion into the ECU system by port scanning or from illegal IP addresses.
The invention is further described below with reference to the accompanying drawings:
FIG. 1 shows the functional logic diagram of the HOST IDS security component. The HOST IDS is integrated into the ECU's system in the form of an SDK or a library file. While the ECU's system runs, data on its running state are fed back to the HOST IDS component in real time, from which it is determined whether the ECU system has been intruded upon. If an intrusion is detected, the HOST IDS security component logs the security event.
Specifically, importing the system security profile defines the HOST IDS rule set, and the security component carrying that rule set is embedded in the ECU system in the form of an SDK. The HOST IDS security component monitors the security running state of the ECU and stores, classifies and uploads the detected security events as logs, which makes it convenient for the vehicle OEM to monitor the security of the vehicles it produces and to prevent them from being attacked.
The main detection functions of the HOST IDS security component are:
(1) integrity of system files: monitoring operations on the directory files and recording a security log if a file is damaged; and monitoring abnormal file operations and recording a security log if a file is tampered with.
(2) security monitoring of processes: monitoring abnormal system processes (processes not on the whitelist) and recording a security log if a process is damaged; and monitoring abnormal output events of system processes (non-whitelist processes) and recording a security log if a process is tampered with.
(3) security monitoring of resources: the CPU occupancy of the HOST IDS component when not under attack is below 10 percent; if the component is attacked, a security log is recorded.
(4) security monitoring of the network: IP whitelist settings, attack defense settings, session connection count settings and network port scan prevention settings.
(5) management of the security log file: security log classification, security log storage and security log uploading.
FIG. 2 shows the HOST IDS detection flow chart. After the ECU system has started, the HOST IDS begins to monitor the system periodically. The specific steps are:
(1) the integrity of the system files is checked at regular intervals; the general design logic is that the system periodically feeds back the complete list of system files, which is compared with the file list stored by the HOST IDS, and if the two are inconsistent a HOST IDS security log is recorded.
(2) the system threads are checked in real time; the general design logic is that the thread number list of the monitored system is compared with the thread number list stored by the HOST IDS, and if the two are inconsistent a HOST IDS security log is recorded.
(3) the utilization of the system memory and CPU is checked at all times; the general design logic is that the HOST IDS continuously watches the utilization of the system memory and CPU, and if it exceeds the defined range a HOST IDS security log is recorded.
(4) the system's network port is checked at all times; the general design logic is that the ECU's network port is monitored at all times by network detection, to prevent intrusion into the ECU system by port scanning or from illegal IP (Internet protocol) addresses.
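One detection cycle of the method (steps 2 to 4 of the summary and of the FIG. 2 flow above), as an added example written for this page and not the patent's own code: a stored file list and process whitelist are compared against a current snapshot, the 10% CPU threshold is applied, and the findings are emitted as security-log records classified by module, ready for the log management module. The memory threshold, the per-file SHA-256 hash (an addition to the page's count-and-entries comparison; it also catches in-place edits) and all sample paths and process names are assumptions.

```python
import hashlib

CPU_LIMIT_PERCENT = 10.0   # threshold stated in step 4 of the method
MEM_LIMIT_PERCENT = 80.0   # assumed value for the "defined range" of memory use

def file_baseline(contents):
    """Stored file list: path -> SHA-256 of content. Hashing is an addition to
    the page's count-and-entries comparison; it also detects in-place edits."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in contents.items()}

def check_files(stored, current):
    """Step 2: compare the file list fed back by the system with the stored one."""
    events = []
    if len(current) != len(stored):
        events.append(("file", "count_changed", f"{len(stored)}->{len(current)}"))
    for path in sorted(stored.keys() - current.keys()):
        events.append(("file", "removed", path))
    for path in sorted(current.keys() - stored.keys()):
        events.append(("file", "added", path))
    for path in sorted(stored.keys() & current.keys()):
        if stored[path] != current[path]:
            events.append(("file", "tampered", path))
    return events

def check_processes(whitelist, running):
    """Step 3: any running process whose name is not in the stored list is logged."""
    return [("process", "non_whitelist", f"pid={pid} name={name}")
            for pid, name in sorted(running.items()) if name not in whitelist]

def check_resources(cpu_percent, mem_percent):
    """Step 4: CPU above 10% (or memory outside the assumed range) is logged."""
    events = []
    if cpu_percent > CPU_LIMIT_PERCENT:
        events.append(("resource", "cpu_high", f"{cpu_percent:.1f}%"))
    if mem_percent > MEM_LIMIT_PERCENT:
        events.append(("resource", "mem_high", f"{mem_percent:.1f}%"))
    return events

def run_cycle(stored_files, whitelist, current_files, running, cpu, mem):
    """One periodic cycle: returns security-log records classified by module."""
    events = check_files(stored_files, current_files)
    events += check_processes(whitelist, running)
    events += check_resources(cpu, mem)
    return [{"module": m, "event": e, "detail": d} for m, e, d in events]

# Constructed sample data: a baseline captured at first boot and a later snapshot.
BASELINE = file_baseline({"/etc/ecu.conf": b"mode=prod\n", "/bin/ctrl": b"\x7fELF-ctrl"})
WHITELIST = {"init", "ctrl", "hostids"}
CURRENT = file_baseline({"/etc/ecu.conf": b"mode=debug\n", "/bin/ctrl": b"\x7fELF-ctrl",
                         "/tmp/extra.bin": b"\x7fELF-extra"})
RUNNING = {1: "init", 42: "ctrl", 43: "hostids", 777: "extra"}
CYCLE = run_cycle(BASELINE, WHITELIST, CURRENT, RUNNING, cpu=23.5, mem=40.0)
```

For the constructed snapshot, CYCLE holds five records: a file count change, the added file, the tampered configuration file, the non-whitelist process and the CPU threshold breach.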
Whereas other vehicle-mounted IDS information security products protect along a single dimension, the invention protects the vehicle-mounted ECU along two dimensions, the system and the network port. At the same time, compared with other vehicle-mounted IDS information security products, the invention occupies fewer hardware resources, a major advantage given the limited hardware resources of a vehicle-mounted ECU. The HOST IDS is the first of its kind on the market and holds a leading position; compared with CAN IDS security products, it protects along different dimensions, so it adds protection of those dimensions to a vehicle ECU and to some extent increases the security of vehicle information.
In addition, the HOST IDS information security component can to some extent help a vehicle manufacturer meet the WP.29 R155 information security standard, so that the manufacturer can build up the technical groundwork for exporting vehicles after 2022, when approval to sell vehicles abroad requires it; if a manufacturer has not deployed IDS-related components in its vehicles before July 2022, the production and sale of new vehicle models may be affected. At the same time, the HOST IDS information security product helps vehicle manufacturers monitor the security state of the vehicle system, thereby reducing the inestimable losses caused to them by information security incidents.
The present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents and are included in the scope of the present invention.