
CN111447167A - Safety protection method and device for vehicle-mounted system - Google Patents


Info

Publication number
CN111447167A
Authority
CN
China
Prior art keywords
vehicle
vulnerability
defense
rules
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811639374.2A
Other languages
Chinese (zh)
Other versions
CN111447167B (en)
Inventor
汤晓轩
宋戈
刘健皓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anxinxing Beijing Technology Co ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Events
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201811639374.2A
Publication of CN111447167A
Application granted
Publication of CN111447167B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a security protection method and device for a vehicle-mounted system. The method includes: S1, generating corresponding vehicle terminal defense rules according to acquired vulnerability information and a defense strategy corresponding to that vulnerability information; S2, delivering the vehicle terminal defense rules to the vehicle terminal so that the vehicle terminal performs vulnerability defense according to the rules; S3, acquiring vulnerability information fed back by the vehicle terminal through its own attack detection, generating a defense strategy corresponding to the fed-back vulnerability information, and then performing step S1 again. This solution realizes vulnerability prediction, defense against the predicted vulnerabilities, attack detection by the terminal itself and rapid response to that detection; the terminal's own detection and response results in turn provide vulnerability prediction for other terminals, and the cycle repeats, forming a complete protection ecosystem cycle for the vehicle-mounted system. Security protection of the vehicle-mounted system is thereby achieved in a multi-faceted, integrated manner with excellent protective effect.

Description

Security protection method and device for a vehicle-mounted system

Technical field

The invention relates to the technical field of vehicle security, and in particular to a security protection method and device for a vehicle-mounted system.

Background

With the continuous development of technology and society, the emergence of all kinds of intelligent and automated vehicles has greatly facilitated people's work and lives, but has also given rise to many security threats against vehicles. For example, programmable or remotely controllable in-vehicle systems provide intruders with new channels of attack, posing a serious threat to people's property and personal safety.

To ensure the normal operation of the vehicle-mounted system, the prior art usually protects it by means such as hot patches. However, current security protection for vehicle-mounted systems is often a single-point approach, that is, one defense method is applied uniformly to every vulnerability in the system; for example, every vulnerability in the vehicle-mounted system is repaired with a hot patch, which has a considerable impact on vehicle stability. Such single-point protection therefore not only protects poorly but further reduces the stability of the vehicle.

Summary of the invention

In view of the above problems, the present invention is proposed to provide a security protection method and device for a vehicle-mounted system that overcomes, or at least partially solves, the above problems.

According to one aspect of the present invention, a security protection method for a vehicle-mounted system is provided, comprising:

S1, generating corresponding vehicle terminal defense rules according to acquired vulnerability information and a defense strategy corresponding to the acquired vulnerability information;

S2, delivering the vehicle terminal defense rules to a vehicle terminal so that the vehicle terminal performs vulnerability defense according to the vehicle terminal defense rules;

S3, acquiring vulnerability information fed back by the vehicle terminal through its own attack detection, generating a defense strategy corresponding to the fed-back vulnerability information, and then performing step S1 again.

According to another aspect of the present invention, a security protection device for a vehicle-mounted system is provided, comprising:

a defense rule generation module, adapted to generate corresponding vehicle terminal defense rules according to acquired vulnerability information and a defense strategy corresponding to the acquired vulnerability information;

a delivery module, adapted to deliver the vehicle terminal defense rules to a vehicle terminal so that the vehicle terminal performs vulnerability defense according to the vehicle terminal defense rules;

a response module, adapted to acquire vulnerability information fed back by the vehicle terminal through its own attack detection, generate a defense strategy corresponding to the fed-back vulnerability information, and then execute the defense rule generation module again.

According to yet another aspect of the present invention, a computing device is provided, comprising a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;

the memory stores at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above security protection method for a vehicle-mounted system.

According to a further aspect of the present invention, a computer storage medium is provided, in which at least one executable instruction is stored, the executable instruction causing a processor to perform the operations corresponding to the above security protection method for a vehicle-mounted system.

According to the security protection method and device for a vehicle-mounted system provided by the present invention, corresponding vehicle terminal defense rules are generated from the acquired vulnerability information and the defense strategy corresponding to it; the rules are delivered to the vehicle terminal so that it performs vulnerability defense according to them; and vulnerability information fed back by the vehicle terminal through its own attack detection is acquired and a defense strategy corresponding to it is generated. This solution realizes vulnerability prediction, defense against the predicted vulnerabilities, attack detection by the terminal itself and rapid response to that detection; the terminal's own detection and response results in turn provide vulnerability prediction for other terminals, and the cycle repeats, forming a complete protection ecosystem cycle for the vehicle-mounted system. Security protection of the vehicle-mounted system is thereby achieved in a multi-faceted, integrated manner with excellent protective effect.

The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention become more evident and easier to understand, specific embodiments of the present invention are given below.

Description of the drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:

Figure 1 shows a schematic flowchart of a security protection method for a vehicle-mounted system according to an embodiment of the present invention;

Figure 2 shows a schematic flowchart of a security protection method for a vehicle-mounted system according to another embodiment of the present invention;

Figure 3 shows a schematic structural diagram of a security protection device for a vehicle-mounted system according to an embodiment of the present invention;

Figure 4 shows a schematic structural diagram of a computing device according to an embodiment of the present invention.

Detailed description of the embodiments

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure is understood more thoroughly and its scope is fully conveyed to those skilled in the art.


Figure 1 shows a schematic flowchart of a security protection method for a vehicle-mounted system according to an embodiment of the present invention.

The vehicle-mounted system in this embodiment may be a vehicle-mounted T-Box (Telematics Box) system, an in-vehicle infotainment (IVI) system and/or a head-up display (HUD) system, among others; this embodiment does not limit the specific type of vehicle-mounted system. This embodiment may be executed on the server side. As shown in Figure 1, the method includes:

Step S110: generating corresponding vehicle terminal defense rules according to acquired vulnerability information and the defense strategy corresponding to it.

In a specific implementation, vulnerability information fed back by at least one vehicle terminal in the Internet of Vehicles and/or vulnerability information obtained from security forums or websites is analyzed, and the security vulnerabilities that vehicle terminals in the Internet of Vehicles may have are determined from the analysis results. This is then combined with the defense strategy corresponding to the acquired vulnerability information to generate the corresponding vehicle terminal defense rules, thereby predicting vulnerabilities in the Internet of Vehicles.

In an optional implementation, corresponding vehicle terminal defense rules may be formulated for different categories of vehicle terminal according to the vehicle category targeted by each vulnerability, so that vulnerability defense is customized for the vehicle-mounted system of each vehicle terminal. For example, if a vulnerability bug1 is an attack against type A vehicles, the vehicle terminal defense rules formulated for each vehicle terminal of a type A vehicle include the defense rule for bug1.

Step S120: delivering the vehicle terminal defense rules to the vehicle terminal so that it performs vulnerability defense according to them.

After the corresponding vehicle terminal defense rules have been generated, they are delivered to the vehicle terminal. Optionally, if step S110 formulated different rules for different categories of vehicle terminal, this step may deliver each set of rules only to the vehicle terminals it corresponds to, which provides customized security defense for the vehicle-mounted system of each terminal while saving system resources.

After receiving the delivered vehicle terminal defense rules, the vehicle terminal performs vulnerability defense according to them, thereby defending against the predicted vulnerabilities.

Step S130: acquiring vulnerability information fed back by the vehicle terminal through its own attack detection, and generating a defense strategy corresponding to the fed-back vulnerability information.

Besides defending against the predicted vulnerabilities according to the vehicle terminal defense rules, the vehicle terminal also performs attack detection on itself using corresponding attack detection means. When the vehicle terminal determines through its own attack detection that its vehicle-mounted system is under attack, it can feed back the vulnerability information corresponding to that attack.

The vulnerability information fed back by the vehicle terminal through its own attack detection is then acquired and responded to promptly: a defense strategy corresponding to the fed-back vulnerability information is generated and sent to that vehicle terminal, so that the terminal can block the attack or repair the vulnerability according to that defense strategy.

The vulnerability information fed back by the vehicle terminal, together with the defense strategy generated for it, can further serve as the basis for generating vehicle terminal defense rules in step S110. Therefore, after this step is performed, step S110 is performed again, forming a complete protection ecosystem cycle for the vehicle-mounted system.

The implementation process of this embodiment is described in detail below with a specific example:

After analyzing the vulnerability information fed back by vehicle terminal 1 and vehicle terminal 2 and the vulnerability information obtained from a preset security forum, it is determined that vehicle terminals in the Internet of Vehicles may have vulnerability bug1, and corresponding vehicle terminal defense rules are generated according to bug1 and its defense strategy (step S110). The generated rules are delivered to the other vehicle terminals in the vehicle network, and vehicle terminal 3 defends against bug1 according to the delivered rules; vehicle terminal 3 can also use a corresponding attack detection method to detect whether its current vehicle-mounted system is under attack and, if so, feed back the vulnerability information bug2 corresponding to the detected attack (step S120). A rapid response is made to the vulnerability information fed back by the vehicle terminal: a defense strategy for bug2 is generated and quickly returned to vehicle terminal 3 so that it can block or repair bug2 (step S130). Vulnerability bug2 and its defense strategy can further serve as the basis for generating new vehicle terminal defense rules (step S110).

It can be seen that this embodiment generates corresponding vehicle terminal defense rules according to the acquired vulnerability information and the defense strategy corresponding to it, thereby predicting vulnerabilities that vehicle terminals in the Internet of Vehicles may have; the rules are then delivered to the vehicle terminals so that they can defend against the predicted vulnerabilities. The vehicle terminal can also perform attack detection on itself and feed back the vulnerability information corresponding to the attack it suffers, so that a defense strategy corresponding to the fed-back information can be generated quickly for the terminal to block the current attack and repair the vulnerability, and the terminal's own detection and response results can provide vulnerability prediction for other terminals, extending protection from a single point to the whole fleet. This solution therefore realizes vulnerability prediction, defense against predicted vulnerabilities, attack detection by the terminal itself and rapid response to it, forming a complete protection ecosystem cycle for the vehicle-mounted system and achieving multi-faceted, integrated security protection; it also provides multi-point protection of the vehicle-mounted system, which further improves its security and stability.
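The feedback loop of steps S110 to S130, modeled as an added Python example; this is not code from the patent or its assignee. The classes `Vulnerability`, `Terminal` and `DefenseServer`, the vehicle categories A and B, the strategy labels and the sample entries bug1 and bug2 are constructed assumptions. What it shows is that defense rules are keyed by vehicle category and delivered only to matching terminals, and that a vulnerability reported by one terminal's self-detection becomes a rule for every terminal of that category in the next round, after which the loop settles because nothing new is reported.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vulnerability:
    """One item of vulnerability information (constructed sample)."""
    vuln_id: str        # e.g. "bug1"
    vehicle_type: str   # vehicle category the vulnerability targets
    strategy: str       # defense strategy paired with this vulnerability


@dataclass
class Terminal:
    """A vehicle terminal: holds delivered rules and can self-detect attacks."""
    name: str
    vehicle_type: str
    rules: dict = field(default_factory=dict)              # vuln_id -> strategy
    observed_attacks: list = field(default_factory=list)   # constructed detections

    def receive_rules(self, rules):
        self.rules.update(rules)

    def self_detect(self):
        # Stands in for the terminal's own attack detection (S130 input).
        return list(self.observed_attacks)


class DefenseServer:
    """Server-side loop: S110 generate, S120 deliver, S130 respond, repeat."""

    def __init__(self, terminals):
        self.terminals = terminals
        self.known = {}          # vuln_id -> Vulnerability (rule basis)
        self.delivery_log = []   # (terminal name, sorted vuln ids delivered)

    def generate_rules(self, vulns):
        # S110: merge new vulnerability info, build rules per vehicle category.
        for v in vulns:
            self.known[v.vuln_id] = v
        rules = {}
        for v in self.known.values():
            rules.setdefault(v.vehicle_type, {})[v.vuln_id] = v.strategy
        return rules

    def deliver(self, rules):
        # S120: each terminal gets only the rule set for its own category.
        for t in self.terminals:
            if t.vehicle_type in rules:
                t.receive_rules(rules[t.vehicle_type])
                self.delivery_log.append((t.name, sorted(rules[t.vehicle_type])))

    def respond(self):
        # S130: collect fed-back vulnerabilities that are not yet covered.
        new = []
        for t in self.terminals:
            for v in t.self_detect():
                if v.vuln_id not in self.known:
                    new.append(v)
        return new

    def run_cycle(self, seed, max_rounds=5):
        """Run the loop until no terminal reports anything new; return rounds."""
        pending = list(seed)
        rounds = 0
        while pending and rounds < max_rounds:
            rules = self.generate_rules(pending)
            self.deliver(rules)
            pending = self.respond()
            rounds += 1
        return rounds


def run_scenario():
    """Constructed scenario mirroring the patent's example with bug1 and bug2."""
    bug1 = Vulnerability("bug1", "A", "block_file")   # from the preset forum
    bug2 = Vulnerability("bug2", "A", "block_path")   # detected by terminal 3
    terminals = [
        Terminal("terminal1", "A"),
        Terminal("terminal2", "A"),
        Terminal("terminal3", "A", observed_attacks=[bug2]),
        Terminal("terminal4", "B"),   # different category: receives nothing
    ]
    server = DefenseServer(terminals)
    rounds = server.run_cycle([bug1])
    return server, terminals, rounds


if __name__ == "__main__":
    server, terminals, rounds = run_scenario()
    print(rounds, [(t.name, sorted(t.rules)) for t in terminals])
```

Round one delivers the bug1 rule to the three type A terminals; terminal 3's self-detection feeds back bug2, which round two turns into a rule for all type A terminals, while the type B terminal never receives either rule.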

Figure 2 shows a schematic flowchart of a security protection method for a vehicle-mounted system according to another embodiment of the present invention. As shown in Figure 2, the method includes:

Step S210: generating corresponding vehicle terminal defense rules according to acquired first-type and/or second-type vulnerability information and the defense strategy corresponding to it.

In this embodiment, when predicting vulnerabilities and generating vehicle terminal defense rules, at least one type of vulnerability information is acquired. The vulnerability information includes first-type vulnerability information and second-type vulnerability information. First-type vulnerability information is fed back by vehicle terminals; second-type vulnerability information is obtained from a preset vulnerability library. The preset vulnerability library may be a preset website, forum or exchange platform that contains vulnerability information, or vulnerability information may be collected from such sources and stored centrally in a preset information repository, which then serves as the preset vulnerability library.

Further, corresponding vehicle terminal defense rules are generated according to the acquired first-type and/or second-type vulnerability information and the defense strategy corresponding to it.

The vehicle terminal defense rules include at least hardening and isolation rules, vulnerability check rules and/or vulnerability blocking and repair rules. The hardening and isolation rules harden and isolate the vehicle-mounted system of the vehicle terminal to improve its overall resistance to attack; the vulnerability check rules are used to check the vehicle-mounted system for the predicted vulnerabilities; and the vulnerability blocking and repair rules are used to block and repair the vulnerabilities found.

In an optional implementation, the vulnerabilities to be defended against are determined by analyzing the acquired first-type and/or second-type vulnerability information. A vulnerability to be defended against is one that a vehicle-mounted system in the Internet of Vehicles may have, that is, a predicted vulnerability. To help the vehicle terminal check for vulnerabilities quickly and precisely, the vehicle terminal defense rules generated in this step also contain priority information and/or location information for each vulnerability to be defended against: each vulnerability is assigned a risk level (such as high-risk, general or low-risk), and/or the layer where it is likely to occur (such as the application layer, framework layer and/or kernel layer) and the specific module are identified.

Step S220: delivering the vehicle terminal defense rules to the vehicle terminal so that it checks for vulnerabilities according to the vulnerability check rules in the defense rules, and blocks and repairs the vulnerabilities found using the vulnerability blocking and repair rules in the defense rules.

Specifically, the generated vehicle terminal defense rules are delivered to the vehicle terminal so that it can perform security defense according to them. Those skilled in the art will understand that the hardening and isolation rules, vulnerability check rules and/or vulnerability blocking and repair rules contained in the defense rules of this embodiment may be delivered to the vehicle terminal all at once or in several stages. For example, the vulnerability check rules may be delivered first and the vulnerability blocking and repair rules delivered afterwards according to the vehicle terminal's feedback, which saves bandwidth, reduces cost and makes timely protection of the vehicle-mounted system easier.

In an optional implementation, the vehicle terminal may harden and isolate its vehicle-mounted system according to the hardening and isolation rules in the defense rules. For example, the system may be hardened by corresponding program hardening methods or by modifying security configuration, and the vehicle network may be isolated from the mobile phone network. This embodiment does not limit the specific hardening and isolation method; those skilled in the art can set it according to the actual situation.

In a further optional implementation, the vehicle terminal may first check itself for vulnerabilities using the vulnerability check rules in the defense rules and determine from the result whether it has any of the vulnerabilities to be defended against that the check rules cover. Specifically, the location information of each such vulnerability allows the terminal to determine quickly whether it is present. Optionally, the vulnerability check rules contain file monitoring rules and/or intrusion monitoring rules, and the vehicle terminal is checked according to those rules. A preset penetration testing method may also be used to check the vehicle terminal for vulnerabilities.

在确定车机终端中存在待防御漏洞时,则进一步下发与车机终端中存在的待防御漏洞相对应的漏洞阻断修复规则,从而使车机终端利用车机防御规则中的漏洞阻断修复规则对车机终端存在的待防御漏洞进行阻断修复。具体地,可根据车机终端存在的待防御漏洞的类别和/或优先级,采用相对应的漏洞阻断修复规则对待防御漏洞进行阻断修复。并且,可采用漏洞阻断修复规则中包含的文件阻断规则、入侵阻断规则和/或热补丁修复规则对待防御漏洞进行阻断修复。When it is determined that there is a to-be-defended vulnerability in the vehicle-mounted terminal, a vulnerability blocking and repair rule corresponding to the to-be-defended vulnerability in the vehicle-mounted terminal is further issued, so that the vehicle-mounted terminal can utilize the vulnerability blocking in the vehicle-mounted defense rule. The repair rules block and repair the vulnerabilities to be defended in the car terminal. Specifically, according to the category and/or priority of the to-be-defended vulnerability existing in the vehicle terminal, corresponding vulnerability blocking and repairing rules can be used to block and repair the to-be-defended vulnerability. In addition, the file blocking rules, intrusion blocking rules and/or hot patch repair rules included in the vulnerability blocking and repairing rules can be used to block and repair the to-be-defended vulnerabilities.

可选的,在对待防御漏洞进行排查及阻断修复的过程中,本实施例为保障车载系统的安全性及稳定性,采用了分级防御的方式。具体地,首先采用精准度较低,但对系统影响较小的文件监控的方式进行待防御漏洞排查,在确定存在待防御漏洞时,采用文件冻结或删除等方式进行漏洞阻断。其中,该文件监控具体可以为payload文件监控,本实施例对具体的文件监控方式不做限定,例如可通过恶意攻击文件监测、文件特征串匹配和/或文件调用序列匹配等方式进行待防御漏洞排查;进一步地,采用检测精度较高,对车载系统影响较小的入侵检测的方式进行待防御漏洞排查,例如,可通过接口参数恶意数据监测、Root提权方式监测等方式进行待防御漏洞排查,并采用相应的路径阻断等方式进行阻断。同样,本实施例对具体的入侵检测的方式也不做限定;最后,可针对于某些特定的待防御漏洞进行热补丁修复,从而达到使车载系统免疫该漏洞的效果。Optionally, in the process of checking and blocking and repairing the vulnerability to be defensed, this embodiment adopts a hierarchical defense method to ensure the security and stability of the vehicle-mounted system. Specifically, firstly, the method of monitoring files with low accuracy but less impact on the system is used to check the vulnerabilities to be defended. When it is determined that there are vulnerabilities to be defended, methods such as file freezing or deletion are used to block the vulnerabilities. The file monitoring may specifically be payload file monitoring, and this embodiment does not limit the specific file monitoring method. For example, the vulnerability to be defended may be monitored by malicious attack file monitoring, file feature string matching, and/or file calling sequence matching, etc. Investigation; further, the intrusion detection method with high detection accuracy and less impact on the vehicle system is used to investigate the to-be-defended vulnerabilities. For example, the to-be-defended vulnerabilities can be inspected by means of interface parameter malicious data monitoring, root privilege escalation method monitoring, etc. , and use corresponding path blocking and other methods to block. Likewise, this embodiment does not limit the specific intrusion detection method; finally, hot patch repair can be performed for some specific vulnerabilities to be defended, so as to achieve the effect of making the vehicle system immune to the vulnerabilities.
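The following is an added example of how a vehicle terminal could evaluate issued defense rules with the three tiers described above (file monitoring with freeze-style file blocking, intrusion monitoring with path blocking, then hot patching for the specific vulnerabilities that ship one). It is illustrative code written for this page, not code from the patent or its applicant. The rule fields, the in-memory file system, the recorded call sequences, the interface events and all identifiers such as `VULN-A` and `com.example.ivi/SetVolume` are constructed assumptions; a real terminal would receive the rules from the server and read its state from the in-vehicle system.

```python
"""Terminal-side evaluation of issued vehicle defense rules with a tiered response.
Added example for this page, not the patent's code; every rule, path, interface
name and event below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DefenseRule:
    vuln_id: str          # vulnerability to be defended against
    category: str         # "file" (file monitoring rule) or "intrusion" (intrusion monitoring rule)
    priority: int         # higher is handled first within a tier
    location: str         # where to look: a file path or an interface name
    feature_strings: List[bytes] = field(default_factory=list)  # file feature string matching
    call_sequence: List[str] = field(default_factory=list)      # file call sequence matching
    param_patterns: List[str] = field(default_factory=list)     # malicious interface parameter data
    hotpatch: Optional[str] = None                              # hot patch id, if one exists


@dataclass
class TerminalState:
    files: Dict[str, bytes]                 # path -> content
    calls: Dict[str, List[str]]             # path -> observed call sequence
    events: List[Tuple[str, str, str]]      # (layer, interface, parameter)
    quarantine: Dict[str, bytes] = field(default_factory=dict)
    blocked_paths: Set[str] = field(default_factory=set)
    patched: Set[str] = field(default_factory=set)


def is_subsequence(pattern: List[str], seq: List[str]) -> bool:
    """True if every element of pattern occurs in seq in order (gaps allowed)."""
    pos = 0
    for item in seq:
        if pos < len(pattern) and item == pattern[pos]:
            pos += 1
    return pos == len(pattern)


def file_check(rule: DefenseRule, state: TerminalState) -> bool:
    """Tier 1 check: cheap file monitoring at the rule's location."""
    data = state.files.get(rule.location)
    if data is None:
        return False
    if any(sig in data for sig in rule.feature_strings):
        return True
    return bool(rule.call_sequence) and is_subsequence(
        rule.call_sequence, state.calls.get(rule.location, []))


def intrusion_check(rule: DefenseRule, state: TerminalState) -> bool:
    """Tier 2 check: intrusion monitoring of parameters passed to the rule's interface."""
    return any(iface == rule.location and any(p in param for p in rule.param_patterns)
               for _layer, iface, param in state.events)


def apply_rules(rules: List[DefenseRule], state: TerminalState) -> List[Tuple[str, str]]:
    """Run the tiers in order and return the (vuln_id, action) pairs taken."""
    actions: List[Tuple[str, str]] = []
    detected: List[DefenseRule] = []
    ordered = sorted(rules, key=lambda r: -r.priority)
    # Tier 1: file monitoring -> file blocking. Freeze into quarantine rather than
    # delete, so a low-precision false positive can still be restored.
    for rule in (r for r in ordered if r.category == "file"):
        if file_check(rule, state):
            state.quarantine[rule.location] = state.files.pop(rule.location)
            actions.append((rule.vuln_id, "file_frozen"))
            detected.append(rule)
    # Tier 2: intrusion monitoring -> intrusion blocking of the attack path.
    for rule in (r for r in ordered if r.category == "intrusion"):
        if intrusion_check(rule, state):
            state.blocked_paths.add(rule.location)
            actions.append((rule.vuln_id, "path_blocked"))
            detected.append(rule)
    # Tier 3: hot patch only the specific vulnerabilities that ship one.
    for rule in detected:
        if rule.hotpatch and rule.hotpatch not in state.patched:
            state.patched.add(rule.hotpatch)
            actions.append((rule.vuln_id, "hotpatched"))
    return actions


# Constructed rule set and terminal state (illustrative values only).
RULES = [
    DefenseRule("VULN-A", "file", 2, "/data/app/payload.bin",
                feature_strings=[b"/system/bin/sh -c", b"EXPLOIT_MARK"], hotpatch="hp-a"),
    DefenseRule("VULN-B", "intrusion", 3, "com.example.ivi/SetVolume",
                param_patterns=["';", "../"]),
    DefenseRule("VULN-C", "file", 1, "/data/app/clean.bin",
                call_sequence=["open", "mmap", "mprotect"]),
]


def sample_state() -> TerminalState:
    return TerminalState(
        files={"/data/app/payload.bin": b"\x7fELF...EXPLOIT_MARK...",
               "/data/app/clean.bin": b"\x7fELF normal"},
        calls={"/data/app/clean.bin": ["open", "read", "close"]},
        events=[("framework", "com.example.ivi/SetVolume", "30"),
                ("framework", "com.example.ivi/SetVolume", "30'; ../../etc/passwd")],
    )


if __name__ == "__main__":
    for vuln, action in apply_rules(RULES, sample_state()):
        print(vuln, action)
```

On the constructed state this freezes `payload.bin` (feature string hit), leaves `clean.bin` alone (its observed call sequence does not match), blocks the `SetVolume` path after the malicious parameter is seen, and hot patches only `VULN-A`, which is the only detected rule that carries a patch. Freezing instead of deleting in tier 1 is the practitioner's hedge for the lower precision the text attributes to file monitoring.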

Step S230: obtain the vulnerability information fed back by the vehicle terminal from its self attack detection, and generate a defense strategy corresponding to the fed-back vulnerability information.

Besides defending against the predicted vulnerabilities according to the vehicle defense rules, the vehicle terminal further performs attack detection on itself using corresponding attack detection means, so as to determine which attacks the in-vehicle system in the vehicle terminal is currently subjected to.

Specifically, the vehicle terminal's self attack detection can be performed by file monitoring and/or behavior monitoring. This embodiment does not limit the specific file monitoring and/or behavior monitoring method. For example, static file monitoring based on signature matching may be used, together with dynamic monitoring of malicious behavior that watches in real time for malicious attack data or exploitation techniques.

Optionally, to further improve the security of the in-vehicle system and lower the false alarm rate of attack detection, this embodiment may perform attack detection at one or more levels of the in-vehicle system. For example, attack detection may be performed at the application layer, the framework layer and the kernel layer, which greatly widens the coverage of attack detection and lowers its miss rate. Further optionally, to improve the detection effect, a detection method suited to each level may be used. For example, at the kernel layer, attacks on the kernel can be detected through instrumentation points, while at the framework layer, attack behavior can be determined through instrumentation points combined with cloud-side intelligent judgment.

After performing self attack detection, the vehicle terminal can feed back vulnerability information corresponding to the attack behavior it detected. This step then responds quickly once the fed-back vulnerability information is received, formulating a defense strategy corresponding to it, so that the vehicle terminal can repair and block the vulnerability revealed by its own attack detection.

Furthermore, the vulnerability information fed back by the vehicle terminal, together with the response information, can serve as first-type vulnerability information for step S210 to issue new vehicle defense rules.
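The following is an added example, written for this page rather than taken from the patent, of the loop that step S230 and step S210 together describe: layered behavior monitoring on the terminal (a kernel-layer instrumentation point and a framework-layer point backed by a cloud verdict table), the vulnerability information the terminal feeds back, the quick-response strategy generated for it, and the merge of that first-type information with a preset vulnerability database (second-type information) into new vehicle defense rules that can be issued to other terminals. The event record shapes, the `CLOUD_VERDICTS` table, the `DEFAULT_STRATEGY` map, the `VULN_DB` contents and all identifiers such as `IviService.setNavUrl` and `DB-0001` are constructed assumptions.

```python
"""Closed loop between terminal self attack detection and server-side rule generation.
Added example for this page, not the patent's code. The event records, the preset
vulnerability database, the cloud verdict table and the default strategies are
constructed stand-ins."""
from typing import Dict, List

# ---- terminal side: layered self attack detection (behavior monitoring) ----

def detect_kernel(events: List[dict]) -> List[dict]:
    """Kernel-layer instrumentation point: a process whose credentials change to
    uid 0 without passing through a setuid binary is reported as root escalation."""
    out = []
    for e in events:
        if (e["layer"] == "kernel" and e["event"] == "cred_change"
                and e["from_uid"] != 0 and e["to_uid"] == 0 and not e["via_setuid"]):
            out.append({"layer": "kernel", "indicator": "root_escalation",
                        "evidence": e["comm"]})
    return out

# Constructed stand-in for cloud-side judgment of framework-layer instrumentation:
# interface name -> parameter fragments the cloud has judged malicious.
CLOUD_VERDICTS = {"IviService.setNavUrl": ["javascript:", "file://"]}

def detect_framework(events: List[dict], verdicts: Dict[str, List[str]] = CLOUD_VERDICTS) -> List[dict]:
    """Framework-layer instrumentation point combined with the cloud verdict table."""
    out = []
    for e in events:
        if e["layer"] != "framework":
            continue
        hits = [m for m in verdicts.get(e["iface"], []) if m in e["param"]]
        if hits:
            out.append({"layer": "framework", "indicator": "malicious_param",
                        "evidence": e["iface"] + ":" + hits[0]})
    return out

def terminal_feedback(terminal_id: str, events: List[dict]) -> List[dict]:
    """What the terminal reports back: the first-type vulnerability information."""
    return [dict(f, terminal=terminal_id)
            for f in detect_kernel(events) + detect_framework(events)]

# ---- server side: quick response (S230) feeding rule generation (S210) ----

DEFAULT_STRATEGY = {"root_escalation": ("intrusion_block", 3),
                    "malicious_param": ("intrusion_block", 2)}

def make_strategy(feedback: List[dict]) -> Dict[str, dict]:
    """Step S230: map each reported indicator to a defense strategy with a priority."""
    strategies = {}
    for f in feedback:
        action, prio = DEFAULT_STRATEGY[f["indicator"]]
        strategies[f["indicator"] + "@" + f["evidence"]] = {
            "action": action, "priority": prio, "layer": f["layer"],
            "reported_by": f["terminal"]}
    return strategies

# Constructed preset vulnerability database (second-type information), each entry
# already paired with its strategy.
VULN_DB = {"DB-0001": {"action": "hotpatch", "priority": 1, "layer": "kernel",
                       "location": "/system/lib/libmedia.so"}}

def generate_rules(first_type: Dict[str, dict], second_type: Dict[str, dict]) -> Dict[str, dict]:
    """Step S210: vehicle defense rules from both sources; rules that came from one
    terminal's feedback are tagged so they can be issued to the others as predictions."""
    rules = {vid: {"source": "vuln_db", **entry} for vid, entry in second_type.items()}
    for key, strat in first_type.items():
        rules[key] = {"source": "terminal", **strat}
    return rules

def run_cycle(terminal_id: str, events: List[dict]) -> Dict[str, dict]:
    """One full loop: detection on the terminal -> feedback -> strategy -> new rules."""
    return generate_rules(make_strategy(terminal_feedback(terminal_id, events)), VULN_DB)

# Constructed instrumentation events from one terminal.
SAMPLE_EVENTS = [
    {"layer": "kernel", "event": "cred_change", "comm": "media.codec",
     "from_uid": 1013, "to_uid": 0, "via_setuid": False},
    {"layer": "kernel", "event": "cred_change", "comm": "su",
     "from_uid": 2000, "to_uid": 0, "via_setuid": True},
    {"layer": "framework", "iface": "IviService.setNavUrl", "param": "javascript:alert(1)"},
    {"layer": "framework", "iface": "IviService.setNavUrl", "param": "https://maps.example/"},
]

if __name__ == "__main__":
    for rule_id, rule in run_cycle("ivi-01", SAMPLE_EVENTS).items():
        print(rule_id, rule)
```

With the constructed events, the legitimate `su` transition is ignored because it went through a setuid binary, the `media.codec` credential change and the `javascript:` navigation URL are reported, and the resulting rule set contains the database entry plus two terminal-derived rules carrying the reporting terminal's identity. That tag is what lets the server treat one terminal's detection as a prediction for the others.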

It can thus be seen that this embodiment generates vehicle defense rules from the obtained vulnerability information and the defense strategy corresponding to it, thereby predicting vulnerabilities that vehicle terminals in the Internet of Vehicles may have; it further issues the vehicle defense rules to the vehicle terminals so that they can defend against the predicted vulnerabilities according to those rules; in addition, a vehicle terminal can perform attack detection on itself and feed back the vulnerability information corresponding to the attacks it suffers, so that a defense strategy corresponding to that information can be generated quickly for the vehicle terminal to block the current attack and repair the vulnerability, and the terminal's own detection and response results can provide vulnerability prediction for other terminals, extending protection from a single point to the whole. The solution therefore achieves vulnerability prediction, defense against predicted vulnerabilities, terminal self attack detection and quick response to it, forming a complete protection cycle for the in-vehicle system and realizing integrated, multi-faceted protection; it also provides multi-point protection of the in-vehicle system, which further improves its security and stability; and because the defense of the vehicle terminal is tiered, the stability of the in-vehicle system is improved along with its security.

FIG. 3 shows a schematic structural diagram of a vehicle-mounted system security protection apparatus according to an embodiment of the invention. As shown in FIG. 3, the apparatus includes a defense rule generation module 31, an issuing module 32 and a response module 33.

The defense rule generation module 31 is adapted to generate the corresponding vehicle defense rules according to the obtained vulnerability information and the defense strategy corresponding to it.

The issuing module 32 is adapted to issue the vehicle defense rules to the vehicle terminal, so that the vehicle terminal can perform vulnerability defense according to them.

The response module 33 is adapted to obtain the vulnerability information fed back by the vehicle terminal from its self attack detection and to generate a defense strategy corresponding to it, after which the defense rule generation module is executed again.

Optionally, the defense rule generation module 31 is further adapted to generate the corresponding vehicle defense rules according to obtained first-type vulnerability information and/or second-type vulnerability information and the defense strategy corresponding to that information,

where the first-type vulnerability information is vulnerability information fed back by the vehicle terminal and the second-type vulnerability information is vulnerability information obtained from a preset vulnerability database.

Optionally, the vehicle defense rules include hardening and isolation rules, vulnerability checking rules and/or vulnerability blocking and repair rules.

Optionally, the vehicle defense rules further contain priority information and/or location information of the vulnerabilities to be defended against.

Optionally, the vulnerability checking rules include file monitoring rules and/or intrusion monitoring rules,

and the vulnerability blocking and repair rules include file blocking rules, intrusion blocking rules and/or hot patch repair rules.

Optionally, the issuing module 32 is further adapted to issue the vehicle defense rules to the vehicle terminal, so that the vehicle terminal checks itself for vulnerabilities according to the vulnerability checking rules in the vehicle defense rules and determines from the results whether it contains any vulnerability to be defended against that those rules cover; if so, the vehicle terminal uses the vulnerability blocking and repair rules in the vehicle defense rules to block and repair that vulnerability.

Optionally, the issuing module 32 is further adapted to issue the vehicle defense rules to the vehicle terminal, so that the vehicle terminal, according to the category and/or priority of the vulnerability to be defended against that it contains, applies the corresponding vulnerability blocking and repair rules to block and repair it.

Optionally, the response module 33 is further adapted to obtain vulnerability information fed back by the vehicle terminal from file monitoring and/or behavior monitoring.

For the specific implementation of each module of the vehicle-mounted system security protection apparatus provided in this embodiment, reference may be made to the description of the corresponding steps in the embodiments shown in FIG. 1 and/or FIG. 2, which is not repeated here.

As with the method embodiments, this apparatus generates vehicle defense rules from the obtained vulnerability information and the corresponding defense strategy in order to predict vulnerabilities of vehicle terminals in the Internet of Vehicles, issues those rules to the vehicle terminals so that they can defend against the predicted vulnerabilities, obtains the vulnerability information each terminal feeds back from its own attack detection and quickly generates a corresponding defense strategy so that the terminal can block the current attack and repair the vulnerability, and uses one terminal's detection and response results to provide vulnerability prediction for other terminals, extending protection from a single point to the whole. It thus achieves vulnerability prediction, defense against predicted vulnerabilities, terminal self attack detection and quick response to it, forming a complete protection cycle and integrated, multi-point protection of the in-vehicle system that further improves its security and stability.

According to an embodiment of the invention, a non-volatile computer storage medium is provided. The storage medium stores at least one executable instruction, which can execute the vehicle-mounted system security protection method of any of the method embodiments above.

FIG. 4 shows a schematic structural diagram of a computing device according to an embodiment of the invention. The specific embodiments of the invention do not limit how the computing device is implemented.

As shown in FIG. 4, the computing device may include a processor 402, a communications interface 404, a memory 406 and a communication bus 408,

where:

the processor 402, the communications interface 404 and the memory 406 communicate with one another over the communication bus 408;

the communications interface 404 is used to communicate with network elements of other devices, such as clients or other servers;

the processor 402 is used to execute a program 410, and in particular may carry out the relevant steps of the above embodiments of the vehicle-mounted system security protection method.

Specifically, the program 410 may include program code, and the program code includes computer operation instructions.

The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the invention. The one or more processors included in the computing device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.

The memory 406 is used to store the program 410. The memory 406 may include high-speed RAM and may also include non-volatile memory, such as at least one disk memory.

The program 410 may in particular be used to cause the processor 402 to perform the following operations:

S1: generate the corresponding vehicle defense rules according to the obtained vulnerability information and the defense strategy corresponding to it;

S2: issue the vehicle defense rules to the vehicle terminal, so that the vehicle terminal can perform vulnerability defense according to them;

S3: obtain the vulnerability information fed back by the vehicle terminal from its self attack detection, generate a defense strategy corresponding to it, and then execute step S1 again.

In an optional implementation, the program 410 may in particular be used to cause the processor 402 to perform the following operation:

generate the corresponding vehicle defense rules according to obtained first-type vulnerability information and/or second-type vulnerability information and the defense strategy corresponding to that information,

where the first-type vulnerability information is vulnerability information fed back by the vehicle terminal and the second-type vulnerability information is vulnerability information obtained from a preset vulnerability database.

In an optional implementation, the vehicle defense rules include hardening and isolation rules, vulnerability checking rules and/or vulnerability blocking and repair rules.

In an optional implementation, the vehicle defense rules further contain priority information and/or location information of the vulnerabilities to be defended against.

In an optional implementation, the vulnerability checking rules include file monitoring rules and/or intrusion monitoring rules,

and the vulnerability blocking and repair rules include file blocking rules, intrusion blocking rules and/or hot patch repair rules.

In an optional implementation, the program 410 may in particular be used to cause the processor 402 to perform the following operations:

the vehicle terminal checks itself for vulnerabilities according to the vulnerability checking rules in the vehicle defense rules and determines from the results whether it contains any vulnerability to be defended against that those rules cover;

if so, the vehicle terminal uses the vulnerability blocking and repair rules in the vehicle defense rules to block and repair that vulnerability.

In an optional implementation, the program 410 may in particular be used to cause the processor 402 to perform the following operation:

according to the category and/or priority of the vulnerability to be defended against that the vehicle terminal contains, apply the corresponding vulnerability blocking and repair rules to block and repair it.

In an optional implementation, the program 410 may in particular be used to cause the processor 402 to perform the following operation:

obtain vulnerability information fed back by the vehicle terminal from file monitoring and/or behavior monitoring.

The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such a system is apparent from the description above. Moreover, the invention is not directed to any particular programming language. It should be understood that the invention described herein may be implemented in a variety of programming languages, and that the description above of a specific language is given in order to disclose the best mode of carrying out the invention.

The description provided herein sets out numerous specific details. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to streamline this disclosure and aid in understanding one or more of the various inventive aspects, various features of the invention are sometimes grouped together in the description of exemplary embodiments above into a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will understand that the modules of the apparatus in an embodiment may be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the vehicle-mounted system security protection apparatus according to embodiments of the invention. The invention may also be implemented as an apparatus or device program (for example, a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not denote any order; these words may be interpreted as names.

The invention discloses: A1. A vehicle-mounted system security protection method, comprising:

S1: generating the corresponding vehicle defense rules according to obtained vulnerability information and the defense strategy corresponding to the obtained vulnerability information;

S2: issuing the vehicle defense rules to a vehicle terminal, so that the vehicle terminal performs vulnerability defense according to the vehicle defense rules;

S3: obtaining vulnerability information fed back by the vehicle terminal from its self attack detection, generating a defense strategy corresponding to the fed-back vulnerability information, and then executing step S1 again.

A2. The method according to A1, wherein generating the corresponding vehicle defense rules according to the obtained vulnerability information and the defense strategy corresponding to it further comprises:

generating the corresponding vehicle defense rules according to obtained first-type vulnerability information and/or second-type vulnerability information and the defense strategy corresponding to the first-type and/or second-type vulnerability information,

wherein the first-type vulnerability information is vulnerability information fed back by the vehicle terminal and the second-type vulnerability information is vulnerability information obtained from a preset vulnerability database.

A3. The method according to A1 or A2, wherein the vehicle defense rules comprise hardening and isolation rules, vulnerability checking rules and/or vulnerability blocking and repair rules.

A4. The method according to A3, wherein the vehicle defense rules further contain priority information and/or location information of the vulnerabilities to be defended against.

A5. The method according to A4, wherein the vulnerability checking rules comprise file monitoring rules and/or intrusion monitoring rules,

and the vulnerability blocking and repair rules comprise file blocking rules, intrusion blocking rules and/or hot patch repair rules.

A6. The method according to A5, wherein the vehicle terminal performing vulnerability defense according to the vehicle defense rules further comprises:

the vehicle terminal checking itself for vulnerabilities according to the vulnerability checking rules in the vehicle defense rules and determining from the results whether it contains any vulnerability to be defended against that the vulnerability checking rules cover;

if so, the vehicle terminal using the vulnerability blocking and repair rules in the vehicle defense rules to block and repair that vulnerability.

A7. The method according to A6, wherein using the vulnerability repair rules in the vehicle defense rules to repair the vulnerability to be defended against that the vehicle terminal contains further comprises:

according to the category and/or priority of that vulnerability, applying the corresponding vulnerability blocking and repair rules to block and repair it.

A8. The method according to any one of A1 to A7, wherein obtaining the vulnerability information fed back by the vehicle terminal from its self attack detection further comprises:

obtaining vulnerability information fed back by the vehicle terminal from file monitoring and/or behavior monitoring.

The invention also discloses: B9. A vehicle-mounted system security protection apparatus, comprising:

a defense rule generation module, adapted to generate the corresponding vehicle defense rules according to obtained vulnerability information and the defense strategy corresponding to the obtained vulnerability information;

an issuing module, adapted to issue the vehicle defense rules to a vehicle terminal, so that the vehicle terminal performs vulnerability defense according to the vehicle defense rules;

a response module, adapted to obtain vulnerability information fed back by the vehicle terminal from its self attack detection and to generate a defense strategy corresponding to the fed-back vulnerability information, after which the defense rule generation module is executed again.

B10. The apparatus according to B9, wherein the defense rule generation module is further adapted to generate the corresponding vehicle defense rules according to obtained first-type vulnerability information and/or second-type vulnerability information and the defense strategy corresponding to the first-type and/or second-type vulnerability information;

其中,所述第一类漏洞信息为车机终端反馈的漏洞信息;所述第二类漏洞信息为从预设漏洞库中获取的漏洞信息。Wherein, the first type of vulnerability information is the vulnerability information fed back by the vehicle terminal; the second type of vulnerability information is the vulnerability information obtained from a preset vulnerability database.

B11.根据B9或B10所述的装置,其中,所述车机防御规则包括:加固隔离规则、漏洞排查规则和/或漏洞阻断修复规则。B11. The device according to B9 or B10, wherein the vehicle and machine defense rules include: reinforcement isolation rules, vulnerability checking rules and/or vulnerability blocking and repairing rules.

B12.根据B11所述的装置,其中,所述车机防御规则中还包含有待防御漏洞的优先级信息和/或待防御漏洞的位置信息。B12. The device according to B11, wherein the vehicle-machine defense rule further includes priority information of the vulnerability to be defended and/or location information of the vulnerability to be defended.

B13.根据B11所述的装置,其中,所述漏洞排查规则包括:文件监控规则和/或入侵监测规则;B13. The device according to B11, wherein the vulnerability checking rules include: file monitoring rules and/or intrusion monitoring rules;

所述漏洞阻断修复规则包括:文件阻断规则、入侵阻断规则和/或热补丁修复规则。The vulnerability blocking and repairing rules include: file blocking rules, intrusion blocking rules and/or hot patch repairing rules.

B14.根据B13所述的装置,其中,所述下发模块进一步适于:B14. The apparatus according to B13, wherein the issuing module is further adapted to:

将所述车机防御规则下发至车机终端,以供车机终端根据车机防御规则中的漏洞排查规则对车机终端进行漏洞排查,并根据排查结果判断车机终端中是否存在漏洞排查规则所包含的待防御漏洞;若是,则车机终端利用车机防御规则中的漏洞阻断修复规则对车机终端存在的待防御漏洞进行阻断修复。Sending the vehicle-machine defense rule to the vehicle-machine terminal, so that the vehicle-machine terminal can perform vulnerability investigation on the vehicle-machine terminal according to the vulnerability investigation rule in the vehicle-machine defense rule, and judge whether there is a vulnerability investigation in the vehicle-machine terminal according to the inspection result. The loopholes to be defended contained in the rules; if so, the on-board terminal uses the loophole blocking and repair rules in the on-board defense rules to block and repair the to-be-defended loopholes existing in the onboard terminal.

B15.根据B14所述的装置,其中,所述下发模块进一步适于:B15. The apparatus according to B14, wherein the issuing module is further adapted to:

将所述车机防御规则下发至车机终端,以供车机终端根据车机终端存在的待防御漏洞的类别和/或优先级,采用相对应的漏洞阻断修复规则对所述待防御漏洞进行阻断修复。Sending the vehicle-machine defense rules to the vehicle-machine terminal, so that the vehicle-machine terminal can adopt the corresponding vulnerability blocking and repairing rules according to the category and/or priority of the to-be-defended vulnerability existing in the vehicle-machine terminal. Vulnerabilities are blocked and repaired.

B16.根据B9-B15中任一项所述的装置,其中,所述响应模块进一步适于:获取车机终端通过文件监测和/或行为监测而反馈的漏洞信息。B16. The apparatus according to any one of B9-B15, wherein the response module is further adapted to: acquire vulnerability information fed back by the vehicle terminal through file monitoring and/or behavior monitoring.

本发明还公开了:C17.一种计算设备,包括:处理器、存储器、通信接口和通信总线,所述处理器、所述存储器和所述通信接口通过所述通信总线完成相互间的通信;The present invention also discloses: C17. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;

所述存储器用于存放至少一可执行指令,所述可执行指令使所述处理器执行如A1-A8中任一项所述的车载系统安全防护方法对应的操作。The memory is used to store at least one executable instruction, and the executable instruction enables the processor to perform an operation corresponding to the vehicle-mounted system security protection method described in any one of A1-A8.

本发明还公开了:D18.一种计算机存储介质,所述存储介质中存储有至少一可执行指令,所述可执行指令使处理器执行如A1-A8中任一项所述的车载系统安全防护方法对应的操作。The present invention also discloses: D18. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction enables a processor to execute the in-vehicle system security according to any one of A1-A8 Action corresponding to the protection method.

Claims (10)

1. A safety protection method for an on-board system, comprising the following steps:
S1, generating corresponding vehicle defense rules according to acquired vulnerability information and a defense strategy corresponding to the acquired vulnerability information;
S2, issuing the vehicle defense rules to a vehicle terminal, so that the vehicle terminal defends against vulnerabilities according to the vehicle defense rules;
S3, acquiring vulnerability information fed back by the vehicle terminal through its own attack detection, generating a defense strategy corresponding to the fed-back vulnerability information, and further performing step S1.
2. The method of claim 1, wherein generating the corresponding vehicle defense rules according to the acquired vulnerability information and the defense strategy corresponding to the acquired vulnerability information further comprises:
generating corresponding vehicle defense rules according to acquired first-type vulnerability information and/or second-type vulnerability information and a defense strategy corresponding to the first-type vulnerability information and/or the second-type vulnerability information;
wherein the first type of vulnerability information is vulnerability information fed back by the vehicle terminal, and the second type of vulnerability information is vulnerability information obtained from a preset vulnerability database.
3. The method of claim 1 or 2, wherein the vehicle defense rules include: reinforcement isolation rules, vulnerability inspection rules, and/or vulnerability blocking and repair rules.
4. The method of claim 3, wherein the vehicle defense rules further include priority information of the vulnerabilities to be defended against and/or location information of the vulnerabilities to be defended against.
5. The method of claim 4, wherein the vulnerability inspection rules include: file monitoring rules and/or intrusion monitoring rules;
and the vulnerability blocking and repair rules include: file blocking rules, intrusion blocking rules, and/or hot patch repair rules.
6. The method of claim 5, wherein the vehicle terminal defending against vulnerabilities according to the vehicle defense rules further comprises:
the vehicle terminal inspecting itself for vulnerabilities according to the vulnerability inspection rules in the vehicle defense rules, and determining from the inspection results whether any vulnerability to be defended against that is covered by the vulnerability inspection rules exists in the vehicle terminal;
if so, the vehicle terminal blocking and repairing the vulnerability to be defended against that exists in the vehicle terminal by using the vulnerability blocking and repair rules in the vehicle defense rules.
7. The method of claim 6, wherein repairing the vulnerability to be defended against that exists in the vehicle terminal by using the vulnerability repair rules in the vehicle defense rules further comprises:
adopting the corresponding vulnerability blocking and repair rule to block and repair the vulnerability to be defended against, according to the category and/or priority of the vulnerability to be defended against that exists in the vehicle terminal.
8. An on-board system safety protection device, comprising:
a defense rule generation module, adapted to generate corresponding vehicle defense rules according to acquired vulnerability information and a defense strategy corresponding to the acquired vulnerability information;
an issuing module, adapted to issue the vehicle defense rules to a vehicle terminal so that the vehicle terminal can defend against vulnerabilities according to the vehicle defense rules;
a response module, adapted to acquire vulnerability information fed back by the vehicle terminal through its own attack detection, to generate a defense strategy corresponding to the fed-back vulnerability information, and further to execute the defense rule generation module.
9. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory being used for storing at least one executable instruction, and the executable instruction causing the processor to execute the operations corresponding to the on-board system safety protection method according to any one of claims 1-7.
10. A computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform the operations corresponding to the on-board system safety protection method according to any one of claims 1-7.
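The closed loop of claims 1-7 (server generates rules from vulnerability information and a defense strategy, the vehicle terminal inspects and blocks or repairs, then feeds back what its own monitoring found, and the server regenerates rules) is easier to reason about as running code. The Python below is an added illustration, not code from the patent or its assignee; the strategy table, the "process no rule covers" heuristic in self_detect, and all paths, identifiers and file contents are constructed assumptions.

```python
import hashlib
from collections import namedtuple
# vid: constructed id, not a real CVE; indicator: sha256 of the vulnerable file or the offending process
# name; source: "database" (second-type information) or "terminal" (first-type, fed back by the vehicle).
Vulnerability = namedtuple("Vulnerability", "vid category location priority indicator source")
# kind: "inspect" or "block_repair"; action: file_monitor, intrusion_monitor, file_block, hot_patch or intrusion_block.
DefenseRule = namedtuple("DefenseRule", "vid kind action location priority indicator")

STRATEGY = {"file": ("file_monitor", "file_block", "hot_patch"),   # constructed: (inspection, fix, priority-1 fix)
            "intrusion": ("intrusion_monitor", "intrusion_block", "intrusion_block")}

def generate_rules(vulns, strategy=STRATEGY):
    """Step S1: an inspection rule plus a block/repair rule per vulnerability, highest priority first."""
    rules = []
    for v in vulns:
        monitor, fix, urgent_fix = strategy[v.category]
        action = urgent_fix if v.priority == 1 else fix   # claim 7: chosen by category and priority
        for kind, act in (("inspect", monitor), ("block_repair", action)):
            rules.append(DefenseRule(v.vid, kind, act, v.location, v.priority, v.indicator))
    return sorted(rules, key=lambda r: r.priority)

class VehicleTerminal:
    """Simulated head unit: a fake filesystem plus (path, process) starts seen by behaviour monitoring."""
    def __init__(self, files, events):
        self.files, self.events, self.blocked = dict(files), list(events), set()
    def inspect(self, rules):
        """Claim 6: run the inspection rules; return the ids of vulnerabilities actually present."""
        found = set()
        for r in (r for r in rules if r.kind == "inspect"):
            if r.action == "file_monitor" and hashlib.sha256(self.files.get(r.location, b"")).hexdigest() == r.indicator:
                found.add(r.vid)
            elif r.action == "intrusion_monitor" and (r.location, r.indicator) in self.events:
                found.add(r.vid)
        return found
    def block_repair(self, rules, found):
        """Claims 6-7: apply the matching block/repair rule to each vulnerability that was found."""
        for r in (r for r in rules if r.kind == "block_repair" and r.vid in found):
            if r.action == "file_block":
                self.files.pop(r.location, None)                       # quarantine the vulnerable file
            elif r.action == "hot_patch":
                self.files[r.location] = b"patched:" + r.vid.encode()  # constructed stand-in for a hot patch
            else:
                self.blocked.add(r.indicator)                          # intrusion_block: deny that process
    def self_detect(self, rules):
        """Step S3: behaviour monitoring reports process starts that no rule covers (first-type info)."""
        known = {r.indicator for r in rules}
        return [Vulnerability(f"T-{i}", "intrusion", loc, 1, proc, "terminal")
                for i, (loc, proc) in enumerate(self.events) if proc not in known]

def run_cycle(terminal, vulns):
    """S1 generate -> S2 dispatch, inspect, block/repair -> S3 feedback -> S1 again with the fed-back info."""
    rules = generate_rules(vulns)
    found = terminal.inspect(rules)
    terminal.block_repair(rules, found)
    feedback = terminal.self_detect(rules)
    return found, feedback, generate_rules(vulns + feedback)

def demo():
    bad = b"vulnerable-config-v1"   # constructed sample: three database entries, one process unknown to them
    terminal = VehicleTerminal({"/etc/ivi/net.conf": bad, "/etc/ivi/ok.conf": b"fine"},
                               [("/usr/bin/ivi", "debugd"), ("/usr/bin/ivi", "unknown_svc")])
    vulns = [Vulnerability("DB-1", "file", "/etc/ivi/net.conf", 1, hashlib.sha256(bad).hexdigest(), "database"),
             Vulnerability("DB-2", "intrusion", "/usr/bin/ivi", 2, "debugd", "database"),
             Vulnerability("DB-3", "file", "/etc/ivi/ok.conf", 2, "0" * 64, "database")]
    return terminal, run_cycle(terminal, vulns)
```

Running demo() shows the priority-1 file vulnerability hot-patched, the known rogue process blocked, the clean file left alone, and the unrecognised process turned into first-type vulnerability information that the next rule generation already covers.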
CN201811639374.2A 2018-12-29 2018-12-29 Safety protection method and device for vehicle-mounted system Active CN111447167B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811639374.2A CN111447167B (en) 2018-12-29 2018-12-29 Safety protection method and device for vehicle-mounted system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811639374.2A CN111447167B (en) 2018-12-29 2018-12-29 Safety protection method and device for vehicle-mounted system

Publications (2)

Publication Number Publication Date
CN111447167A true CN111447167A (en) 2020-07-24
CN111447167B CN111447167B (en) 2024-04-02

Family

ID=71652280

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811639374.2A Active CN111447167B (en) 2018-12-29 2018-12-29 Safety protection method and device for vehicle-mounted system

Country Status (1)

Country Link
CN (1) CN111447167B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157471A (en) * 2021-11-29 2022-03-08 阿波罗智联(北京)科技有限公司 Vehicle abnormity processing method and device, electronic equipment and medium
CN114282225A (en) * 2021-12-27 2022-04-05 北京安天网络安全技术有限公司 Vulnerability defense method and device and computer equipment
CN115001815A (en) * 2022-05-31 2022-09-02 重庆长安汽车股份有限公司 Vehicle-mounted system attack event monitoring method, system, medium and electronic equipment
CN115296860A (en) * 2022-07-15 2022-11-04 智己汽车科技有限公司 Vehicle safety operation and maintenance operation system based on central computing platform and vehicle
CN115664787A (en) * 2022-10-24 2023-01-31 惠州市德赛西威智能交通技术研究院有限公司 Automobile network vulnerability protection method, system, terminal equipment and medium
CN118503991A (en) * 2024-07-17 2024-08-16 中汽研汽车检验中心(常州)有限公司 Method, device and storage medium for balancing risk rate and repair cost of automobile component

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016055730A1 (en) * 2014-10-08 2016-04-14 Renault S.A.S. On-board vehicle network system and method for detecting intrusions on the on-board network
US20160134653A1 (en) * 2014-11-11 2016-05-12 Goldman, Sachs & Co. Synthetic Cyber-Risk Model For Vulnerability Determination
CN106685968A (en) * 2016-12-29 2017-05-17 北京安天网络安全技术有限公司 Automatic vulnerability defense system and method for industrial control equipment
CN106982194A (en) * 2016-01-19 2017-07-25 中国移动通信集团河北有限公司 Vulnerability scanning method and device
CN108965254A (en) * 2018-06-11 2018-12-07 武汉般若互动科技有限公司 One kind being used for government website security protection scheme

Also Published As

Publication number Publication date
CN111447167B (en) 2024-04-02

Similar Documents

Publication Publication Date Title
US11799900B2 (en) Detecting and mitigating golden ticket attacks within a domain
CN111447167A (en) Safety protection method and device for vehicle-mounted system
US12003534B2 (en) Detecting and mitigating forged authentication attacks within a domain
US12301628B2 (en) Correlating network event anomalies using active and passive external reconnaissance to identify attack information
US11792229B2 (en) AI-driven defensive cybersecurity strategy analysis and recommendation system
US12058177B2 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
US11647039B2 (en) User and entity behavioral analysis with network topology enhancement
US11218510B2 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
US20240364749A1 (en) Automated internet-scale web application vulnerability scanning and enhanced security profiling
US20240314146A1 (en) Detecting authentication object-focused attacks
US20220210202A1 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
US11562068B2 (en) Performing threat detection by synergistically combining results of static file analysis and behavior analysis
US9967265B1 (en) Detecting malicious online activities using event stream processing over a graph database
CN107634959B (en) Vehicle-based protection method, device and system
US11005824B2 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
EP3789896B1 (en) Method and system for managing security vulnerability in host system using artificial neural network
US20180189697A1 (en) Methods and apparatus for processing threat metrics to determine a risk of loss due to the compromise of an organization asset
US20230308459A1 (en) Authentication attack detection and mitigation with embedded authentication and delegation
JP6349244B2 (en) In-vehicle network testing equipment
CN105049228A (en) Method and apparatus for auditing operation and maintenance operation
US12536285B2 (en) Threat analysis method and threat analysis system
CN106341426A (en) Method for defending APT attack and safety controller
JP7761773B2 (en) SYSTEM AND METHOD FOR PLATFORM CYBER VULNERABILITY ASSESSMENT - Patent application
CN105306467A (en) Method and device for analyzing webpage data tampering
CN111447166B (en) Vehicle attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20231113
Address after: 1739, 17th Floor, 15th Floor, Building 3, No.10 Jiuxianqiao Road, Chaoyang District, Beijing, 100000
Applicant after: Anxinxing (Beijing) Technology Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
GR01 Patent grant