A method, device, equipment and medium for identifying an in-vehicle application

By analyzing the behavioral sequences of in-vehicle applications and combining discrete and temporal outliers with temporal rule chains, the problem of malicious program identification in intelligent connected vehicles is solved, thereby improving the security and reliability of the system.

CN122174231APending Publication Date: 2026-06-09ZHEJIANG LINGAI FUTURE TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ZHEJIANG LINGAI FUTURE TECHNOLOGY CO LTD
Filing Date
2026-03-04
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies struggle to effectively identify new types of malware in intelligent connected vehicles. Feature detection updates are slow and computational resources are high, while behavior monitoring suffers from false alarms and missed alarms.

Method used

By reading the behavior sequence of in-vehicle applications, analyzing discrete and temporal outliers, and matching them with preset temporal rule chains, it is possible to determine whether the application is malicious.

Benefits of technology

It improves the ability to identify new types of malicious programs, reduces false positives and false negatives, and enhances the security and stability of intelligent connected vehicle systems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122174231A_ABST
    Figure CN122174231A_ABST
Patent Text Reader

Abstract

This application relates to the field of network detection technology, and discloses a method, apparatus, device, and medium for identifying in-vehicle applications. The method includes: reading the behavior sequence of the in-vehicle application within a detection time window; determining discrete anomaly information of the behavior sequence based on discrete outliers of each behavior feature in the behavior sequence; dividing the behavior sequence into multiple sequence segments when the discrete anomaly information meets preset conditions; performing temporal analysis on the behavior features in the sequence segments to generate temporal anomaly information of the behavior sequence; reading and parsing a preset temporal rule chain, and performing temporal and feature matching between the behavior features in the behavior sequence and the rule features in the temporal rule chain to obtain rule matching information of the behavior sequence; and determining whether the in-vehicle application is a malicious application based on the temporal anomaly information and the rule matching information. The technical solution provided by this application can effectively ensure the security of intelligent connected vehicle systems.
Need to check novelty before this filing date? Find Prior Art

Claims

1. A method for identifying in-vehicle applications, characterized in that, The method includes: For the in-vehicle application to be identified, the behavior sequence of the in-vehicle application within the detection time window is read, and the behavior sequence includes multiple discrete behavior features; Based on the discrete outlier values ​​of each behavioral feature in the behavioral sequence, the discrete outlier information of the behavioral sequence is determined; When the discrete anomaly information meets the preset conditions, the behavior sequence is divided into multiple sequence segments, wherein each sequence segment includes at least two temporally related behavior features; Each sequence segment is traversed to perform temporal analysis on the behavioral features in the sequence segments, obtain the temporal anomaly values ​​of each sequence segment, and generate the temporal anomaly information of the behavioral sequence based on each temporal anomaly value. Read and parse a preset temporal rule chain to obtain the rule features that characterize malicious behavior in the temporal rule chain and the temporal relationship between the rule features, and perform temporal and feature matching between the behavior features in the behavior sequence and the rule features in the temporal rule chain to obtain the rule matching information of the behavior sequence; Based on the timing anomaly information and the rule matching information, it is determined whether the in-vehicle application is a malicious application.

2. The method according to claim 1, characterized in that, The step of traversing each sequence segment to perform temporal analysis on the behavioral features in the sequence segments, obtaining temporal anomaly values ​​for each sequence segment, and generating temporal anomaly information for the behavioral sequence based on each temporal anomaly value includes: For each sequence segment, extract the behavioral features of each pair of adjacent segments to construct the corresponding temporal behavioral transition pairs; Based on the pre-generated normal behavior temporal probability values, determine the temporal probability of adapting to each of the temporal behavior transition pairs; Based on the temporal probability corresponding to each temporal behavior transition pair, determine the temporal outlier value of each sequence segment; The temporal anomalies of all the sequence segments are fused to generate the temporal anomaly information corresponding to the behavioral sequence.

3. The method according to claim 1, characterized in that, The step of performing temporal and feature matching between the behavioral features in the behavioral sequence and the rule features in the temporal rule chain to obtain the rule matching information of the behavioral sequence includes: Based on the behavioral features in the behavioral sequence and the temporal relationship between the behavioral features, construct the behavioral rule chain to be parsed; For any one of the preset temporal rule chains, the behavior rule chain to be parsed is matched with the rule features in terms of temporal sequence and features to determine the matching degree corresponding to any one temporal rule chain; Determine the maximum value of the matching degree corresponding to all the time-series rule chains, and use the maximum value as the rule matching information of the behavior sequence.

4. The method according to claim 3, characterized in that, The step of performing temporal and feature matching between the behavior rule chain to be parsed and the rule features to determine the matching degree corresponding to any temporal rule chain includes: Determine the semantic similarity between the behavioral features and the rule features in the chain of behavioral rules to be parsed; For the temporal relationship between any two rule features in the temporal rule chain, determine the behavioral features in the behavior rule chain to be parsed that match the temporal relationship between any two rule features. In the case where there are associated links between matching behavioral features, the path length of the associated link is determined; Based on the semantic similarity and the path length, each temporal rule chain is scored to determine the matching degree corresponding to each temporal rule chain.

5. The method according to claim 1, characterized in that, The step of performing temporal and feature matching between the behavioral features in the behavioral sequence and the rule features in the temporal rule chain to obtain the rule matching information of the behavioral sequence includes: Based on the rule features and the temporal relationship between the rule features, the preset temporal rule chain is transformed into a probability distribution model; The behavioral features are mapped to observational evidence in the probability distribution model, and the observational evidence is used to characterize the observation results of whether each behavioral feature in the behavioral sequence has been observed. Probabilistic reasoning is performed on the observed evidence to obtain rule matching information for the behavioral sequence.

6. The method according to claim 1, characterized in that, The step of determining whether the in-vehicle application is a malicious application based on the timing anomaly information and the rule matching information includes: The time-series anomaly information and the rule matching information are weighted and summed to obtain the decision value of the in-vehicle application; Based on the judgment value, determine whether the in-vehicle application is a malicious application; The step of determining whether the in-vehicle application is a malicious application based on the judgment value includes: If the judgment value is greater than or equal to the preset judgment threshold, the in-vehicle application is determined to be a malicious application. If the judgment value is less than the preset judgment threshold, the in-vehicle application is determined to be a normal application.

7. The method according to claim 1, characterized in that, After determining that the in-vehicle application is a malicious application, the method further includes: Receive OTA data packets sent from the cloud, and identify data segments in the OTA data packets used to correct the malicious application; Based on the behavior rule data and repair instruction sequence within the data segment, a checksum matching the data segment is generated, and the checksum and the data segment are sent to the trusted execution environment, as well as the basic data in the OTA data packet other than the data segment are sent to the basic execution environment; The basic data is executed in the basic execution environment to complete the OTA upgrade deployment, and the data segment is verified in the trusted execution environment using the checksum. The data segment is executed after the verification is successful.

8. The method according to claim 1, characterized in that, Determining the discrete anomaly information of the behavior sequence based on the discrete anomaly values ​​of each behavioral feature in the behavior sequence includes: Based on a preset target determination logic, determine whether the behavioral characteristics are abnormal behaviors; When the behavioral characteristic is determined to be abnormal behavior, a weight value for the behavioral characteristic is determined. The discrete outlier values ​​of the behavioral features are determined based on the weight values; The discrete outlier values ​​are accumulated to determine the discrete outlier information of the behavior sequence.

9. A recognition device for an in-vehicle application, characterized in that, The device includes: The behavior sequence reading unit is used to read the behavior sequence of the vehicle application to be identified within a detection time window, wherein the behavior sequence includes multiple discrete behavior features. An anomaly information determination unit is used to determine discrete anomaly information of the behavior sequence based on discrete anomaly values ​​of each behavior feature in the behavior sequence. A sequence segmentation unit is used to divide the behavior sequence into multiple sequence segments when the discrete anomaly information meets preset conditions, wherein each sequence segment includes at least two temporally related behavior features; The temporal anomaly analysis unit is used to traverse each of the sequence segments to perform temporal analysis on the behavioral features in the sequence segments, obtain the temporal anomaly values ​​of each of the sequence segments, and generate the temporal anomaly information of the behavioral sequence based on each of the temporal anomaly values. The matching information determination unit is used to read and parse a preset temporal rule chain to obtain the rule features that characterize malicious behavior in the temporal rule chain and the temporal relationship between the rule features, and to perform temporal and feature matching between the behavior features in the behavior sequence and the rule features in the temporal rule chain to obtain the rule matching information of the behavior sequence. The malicious program determination unit is used to determine whether the in-vehicle application is a malicious application based on the time-series anomaly information and the rule matching information.

10. A computer device, characterized in that, include: A memory and a processor are communicatively connected, the memory storing computer instructions, and the processor executing the computer instructions to perform the vehicle application identification method according to any one of claims 1 to 8.

11. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions for causing the computer to execute the identification method of the vehicle application according to any one of claims 1 to 8.