Vehicle-mounted network security protection method, storage medium and electronic device
By receiving multi-dimensional temporal feature sequences from the vehicle network, using a pre-trained model to simulate attack behavior and generate protection strategies, the traffic safety problem when the vehicle network is attacked is solved, achieving efficient protection and continuous upgrades.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- VOYAH AUTOMOBILE TECH CO LTD
- Filing Date
- 2026-02-06
- Publication Date
- 2026-06-16
AI Technical Summary
When an in-vehicle network is attacked from the outside, it can easily interfere with the driver's operation and lead to traffic accidents.
By receiving multi-dimensional temporal feature sequences of vehicles, a pre-trained attack behavior determination model and a network security protection strategy determination model are used to simulate attack behavior and generate protection strategies, and the vehicle is controlled to execute the protection strategies.
It improves the accuracy of attack behavior identification, reduces side effects on vehicles, ensures traffic safety, and continuously upgrades protection capabilities.
Smart Images

Figure CN122226323A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of vehicle network technology, and in particular to a vehicle network security protection method, storage medium and electronic device. Background Technology
[0002] In-vehicle networks are the "nervous system" of a car. Through a series of communication protocols and wiring harnesses, they connect the electronic control units scattered throughout the vehicle, enabling them to communicate and work together. This allows controllers of various car components (such as the engine, brakes, airbags, audio system, and windows) to exchange data efficiently and reliably, thereby simplifying wiring, reducing costs, and enabling complex functions.
[0003] When the vehicle's network is successfully attacked from the outside, the attacker can remotely control the vehicle's critical functions (such as remotely causing the vehicle to suddenly accelerate, decelerate, or shut down, interfering with power steering or steering wheel control, or maliciously triggering or disabling airbags), which can interfere with the driver's driving and easily cause traffic accidents. Summary of the Invention
[0004] This application provides a vehicle network security protection method, storage medium, and electronic device to solve the problem in the prior art that when the vehicle network is successfully attacked by external forces, it will interfere with the driver's driving and easily cause traffic safety accidents.
[0005] Firstly, this application provides a method for protecting in-vehicle network security, applied to a cloud server. The method provided in this application includes: In the event that the vehicle's in-vehicle network malfunctions due to an attack, the multi-dimensional actual time-series characteristic sequence of the network communication data sent by the vehicle's in-vehicle network is obtained. Multi-dimensional real-time feature sequences are input into a pre-trained attack behavior determination model to determine the attack behaviors of the vehicle's in-vehicle network. The attack behavior determination model is obtained by inputting multiple first training samples into a first network to be trained. Each first training sample includes a historical multi-dimensional real-time feature sequence and its labeled attack behavior. The system simulates attacks on a vehicle based on a pre-defined digital twin model of the vehicle, and detects the impact of the attacks on the vehicle. The impact results of the vehicle are input into the pre-trained network security protection strategy determination model, and the network security protection strategy corresponding to the impact results of the vehicle is output. The network security protection strategy determination model is obtained by inputting multiple second training samples into the second network to be trained. Each second training sample includes the impact results of historical vehicles and their labeled network security protection strategy. Control the vehicle to implement cybersecurity protection policies.
[0006] In some implementations, the output network security protection policy includes multiple policies, and controlling the vehicle to execute the network security protection policy includes: Choose the network security protection strategy that provides the best protection from multiple network security protection strategies; Control the vehicle to implement cybersecurity protection policies.
[0007] In some implementations, the optimal network security protection strategy is selected from multiple network security protection strategies, including: For any network security protection strategy, the network security protection strategy is executed based on the vehicle simulated under attack behavior in the vehicle digital twin model; Based on the vehicle digital twin model, a multi-dimensional simulation time-series feature sequence of the vehicle's in-vehicle network after the simulation execution of network security protection strategies is obtained; The multi-dimensional simulation time-series feature sequence is input into the pre-trained anomaly scoring model to determine the anomaly score of the vehicle that is attacked after the simulation implements the network security protection strategy. The network security protection strategy with the lowest anomaly score is selected as the optimal network security protection strategy.
[0008] In some embodiments, before receiving the multi-dimensional actual time-series characteristic sequence of network communication data from the vehicle's in-vehicle network, the method provided in this application further includes: Obtain a first training sample set, wherein the first training sample set includes multiple first training samples; The first training sample set is input into the first network to be trained to train the attack behavior determination model. The first training sample set is updated every preset time interval, and the updated sample set is input into the first network to be trained to train the updated attack behavior determination model.
[0009] In some embodiments, before receiving the multi-dimensional actual time-series characteristic sequence of network communication data from the vehicle's in-vehicle network, the method provided in this application further includes: Obtain a second training sample set, wherein the second training sample set includes multiple second training samples; The second training sample set is input into the second network to be trained to obtain a network security protection strategy determination model. The second training sample set is updated every preset time interval, and the updated sample set is input into the second network to be trained to obtain the updated network security protection strategy determination model.
[0010] Secondly, this application also provides a vehicle network security protection method, applied to a vehicle controller. The vehicle controller is communicatively connected to vehicle sensors and vehicle actuators via a vehicle network. The method provided in this application further includes: Collect multi-dimensional real-time feature sequences of network communication data from vehicle-mounted networks; The multi-dimensional real-time feature sequence is input into a pre-trained anomaly scoring model to determine the anomaly score of the vehicle network due to an attack. If the abnormal score exceeds the set score threshold, the multi-dimensional actual time series feature sequence will be uploaded to the cloud server. Receive network security protection strategies from cloud servers based on multi-dimensional real-time feature sequences; Implement network security protection strategies.
[0011] In some implementations, after executing the network security protection strategy, the method provided in this application further includes: Re-collect the multi-dimensional actual time-series feature sequence of network communication data from the vehicle network; The newly acquired multi-dimensional real-time feature sequences are input into a pre-trained anomaly scoring model to determine the updated anomaly score indicating that the in-vehicle network has become abnormal due to an attack. The updated anomaly score will be uploaded to the cloud server.
[0012] Thirdly, this application also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, the electronic device performs the method provided in the first aspect of this application.
[0013] Fourthly, this application also provides a storage medium storing a computer program, which, when executed by a processor, causes the computer to perform the method provided in the first aspect of this application.
[0014] Fifthly, this application also provides a computer program product, including a computer program that, when run, causes an electronic device to perform the method provided in the first aspect of this application.
[0015] This application provides a vehicle-mounted network security protection method, storage medium, and electronic device. It inputs multi-dimensional real-time feature sequences into a pre-trained attack behavior determination model to determine the attack behaviors affecting the vehicle's in-vehicle network. Because the attack behavior determination model determines attack behaviors using multi-dimensional data and a time-series sequence including context, the accuracy of the determined attack behaviors is high. It simulates attack behaviors on the vehicle based on a preset vehicle digital twin model and detects the impact of these attacks on the vehicle. By executing simulated attack behaviors on the vehicle in the aforementioned virtual environment, the impact on the vehicle's capabilities is reduced. The impact results on the vehicle are input into a pre-trained network security protection strategy determination model, which outputs the network security protection strategy corresponding to the impact results. Because the impact results of attack behaviors on the vehicle are simulated in the virtual environment beforehand and verified before being run on the vehicle, side effects on the vehicle can be reduced. The system controls the vehicle to execute the network security protection strategy. Understandably, executing the network security protection strategy can prevent attacks on the in-vehicle network, ensuring traffic safety. Furthermore, running the trained model on the vehicle allows for continuous upgrading of the vehicle's protection capabilities, enabling it to cope with more attack behaviors. Attached Figure Description
[0016] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0017] Figure 1 The diagram illustrates the interaction between the vehicle controller provided in this application and the vehicle sensors, vehicle actuators, and cloud server. Figure 2 One of the flowcharts for the vehicle network security protection method provided in the embodiments of this application; Figure 3 The second flowchart of the vehicle network security protection method provided in the embodiments of this application; Figure 4 This is a functional block diagram of the vehicle network security protection device provided in the embodiments of this application. Detailed Implementation
[0018] Embodiments of the present disclosure will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of the disclosure. Furthermore, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of the present disclosure.
[0019] Explanation of technical terms used in this application: Message ID Frequency Matrix: The message ID frequency matrix is a structured model used to analyze the message distribution characteristics in communication networks (such as automotive CAN bus, industrial Ethernet, etc.). Its core is to construct a two-dimensional matrix from network communication data captured within a specific time window, with message identifiers (IDs) as rows and unit time slices (e.g., every second, every 100 milliseconds) as columns. Each element in the two-dimensional matrix represents the frequency or probability of that message ID appearing within the corresponding time slice. This two-dimensional matrix can intuitively reveal the distribution patterns of messages of different priorities or functions over time.
[0020] Signal value change entropy is an information theory metric used to quantify the complexity and disorder of a signal's dynamic changes over time. Specifically, the process of a signal (such as sensor readings or communication signal values) changing over time can be considered an information source, and the "entropy value" of the signal is measured by calculating the uncertainty of its value sequence or change pattern. Specifically, the continuous signal is usually discretized first, then the distribution of the direction (e.g., rising, falling, or remaining constant) or amplitude of change between adjacent sampling points is analyzed, and the information entropy of this distribution is calculated based on the Shannon entropy formula. A higher entropy value indicates a more random and unpredictable signal change, potentially corresponding to a high-noise environment, complex control logic, or abnormal interference state; a lower entropy value indicates a more regular and stable signal change pattern, typically corresponding to periodic or highly deterministic system behavior.
[0021] Cross-bus sequence pattern: A cross-bus sequence pattern is used to analyze the regular sequence of events or messages that occur sequentially across different communication buses or data streams in a specific time order in complex heterogeneous network systems. It goes beyond the analysis of a single bus and aims to uncover the "workflow" or "causal chain" of collaborative work between distributed components. For example, in a smart car, a radar signal (from the sensor bus) may always precede a braking command (from the chassis control bus), which in turn precedes a status feedback (from the body information bus). This series of ordered events spanning different physical or logical channels constitutes a cross-bus sequence pattern.
[0022] The technical solutions of this application and how they solve the aforementioned technical problems will be described in detail below with specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments. The embodiments of this application will now be described with reference to the accompanying drawings.
[0023] This application provides a method for protecting vehicle-mounted network security, applied to cloud servers. For example... Figure 1As shown, the cloud server communicates with the vehicle controller via a backend cloud network. The vehicle controller communicates with vehicle sensors (such as LiDAR, cameras, throttle sensors, and brake pedal sensors) and vehicle actuators (such as air conditioning, airbags, windows, and doors) via a CAN bus. Figure 2 As shown, the method provided in this application embodiment includes: S201: In the event that the vehicle's in-vehicle network malfunctions due to an attack, the multi-dimensional actual time-series characteristic sequence of the network communication data sent by the vehicle's in-vehicle network is received.
[0024] It should be noted that the aforementioned vehicle network can be an in-vehicle network, such as the vehicle's CAN bus (used for body control, battery management, and overall vehicle control), LIN network (used to control low-cost actuators such as windows and lights), or FlexRay network (used to perform vehicle chassis control). The aforementioned vehicle network can also be the vehicle's wireless access network (such as WIFI, Bluetooth, and cellular networks). The aforementioned vehicle network can also be, but is not limited to, vehicle-to-vehicle communication networks (such as V2X networks) and backend cloud networks (such as the Internet), which are not limited here.
[0025] For example, the multi-dimensional actual timing feature sequence includes, but is not limited to, message ID frequency matrix, signal value change entropy, and cross-bus sequence pattern.
[0026] Specifically, the vehicle controller can collect multi-dimensional real-time feature sequences of network communication data of the vehicle network; input the multi-dimensional real-time feature sequences into a pre-trained anomaly scoring model to determine the anomaly score of the vehicle network being attacked; if the anomaly score is greater than the set scoring threshold, it is determined that the vehicle's vehicle network is being attacked and thus the multi-dimensional real-time feature sequences are uploaded to the cloud server.
[0027] S202: Input the multi-dimensional real-time feature sequence into the pre-trained attack behavior determination model to determine the attack behavior of the vehicle's in-vehicle network.
[0028] The attack behavior determination model is obtained by inputting multiple first training samples into the first network to be trained. Each first training sample includes a historical multi-dimensional actual time-series feature sequence and its labeled attack behavior.
[0029] For example, the training method of the above-mentioned attack behavior determination model is as follows: A first training sample set is obtained, wherein the first training sample set includes multiple first training samples; the first training sample set is input into a first network to be trained to train the attack behavior determination model; the first training sample set is updated every preset time interval (e.g., one month), and the updated set is input into the first network to be trained to train the updated attack behavior determination model. In this way, the attack behavior determination model can be dynamically updated in real time, resulting in higher reliability in determining attack behavior.
[0030] S203: Simulate an attack on a vehicle based on a preset digital twin model of the vehicle, and detect the impact of the attack on the vehicle.
[0031] For example, when the attack is a message flooding / injection attack, the result is: interference / paralysis of network communication, causing denial of service or command spoofing; as another example, when the attack is an ECU failure / link destruction attack, the result is: loss of ECU function, leading to partial or complete loss of vehicle control.
[0032] S204: Input the impact results of the vehicle into the pre-trained network security protection strategy determination model, and output the network security protection strategy corresponding to the impact results of the vehicle.
[0033] The network security protection strategy determination model is obtained by inputting multiple second training samples into the second network to be trained. Each second training sample includes the impact results of historical vehicles and their labeled network security protection strategies.
[0034] For example, when the impact results in interference / paralysis of network communication, causing denial of service or command spoofing, the corresponding network security protection strategy is to limit the 0x101 message rate of ECU_A (this can identify and suppress abnormal traffic, ensuring network availability). As another example, when the impact results in the loss of ECU functionality, leading to partial or complete loss of vehicle control, the corresponding network security protection strategy is to enable the backup communication path of ECU_B (this can maintain critical ECU functions through the backup path when the primary channel fails). In this way, there is no need to disconnect the vehicle from the network or shut it down, thus not affecting the user's use of the vehicle, improving the user experience, and achieving a high-precision balance between security protection and functional assurance.
[0035] It should be noted that the training method for the aforementioned security protection strategy determination model is as follows: a second training sample set is obtained, which includes multiple second training samples; this second training sample set is input into a second network to be trained to obtain the network security protection strategy determination model; the second training sample set is updated every preset time interval (e.g., one month), and the updated set is input into the second network to be trained to obtain the updated network security protection strategy determination model. This allows for real-time dynamic updates to the network security protection strategy determination model, resulting in higher reliability in determining network security protection strategies.
[0036] S205: Control the vehicle to implement cybersecurity protection policies.
[0037] Specifically, further, the output network security protection strategy includes multiple components; thus, S205 can be specifically implemented as follows: Step 1: Select the best network security protection strategy from multiple network security protection strategies.
[0038] Furthermore, step 1 can be specifically implemented as follows: Step A: For any network security protection strategy, execute the network security protection strategy based on the vehicle simulated by the attack behavior in the vehicle digital twin model.
[0039] Step B: Based on the vehicle digital twin model, obtain the multi-dimensional simulation time-series feature sequence of the vehicle's in-vehicle network after the simulation execution of network security protection strategies.
[0040] Step C: Input the multi-dimensional simulation time-series feature sequence into the pre-trained anomaly scoring model to determine the anomaly score of the vehicle that is attacked after the simulation implements the network security protection strategy.
[0041] Step D: Select the network security protection strategy with the lowest anomaly score as the optimal network security protection strategy.
[0042] Based on steps A-D above, the most reliable network security protection strategy can be selected for network security protection.
[0043] Step 2: Control the vehicle to implement network security protection policies.
[0044] For example, step 2 can be specifically implemented as follows: the 0x101 message rate of ECU_A can be limited; or, for another example, the backup communication path of ECU_B can be enabled.
[0045] In summary, the vehicle network security protection method provided in this application involves inputting multi-dimensional real-time feature sequences into a pre-trained attack behavior determination model to determine the attack behaviors affecting the vehicle's in-vehicle network. Because the attack behavior determination model identifies attack behaviors using multi-dimensional data that includes contextual time sequences, the accuracy of the identified attack behaviors is high. The method simulates attack behaviors on the vehicle based on a pre-set vehicle digital twin model and detects the impact of these attacks on the vehicle. By executing simulated attack behaviors on the vehicle in the aforementioned virtual environment, the impact on the vehicle's capabilities is reduced. The impact results on the vehicle are input into a pre-trained network security protection strategy determination model, which outputs the network security protection strategy corresponding to the impact results. Since the impact results of attack behaviors on the vehicle are simulated in advance in a virtual environment and verified before being run on the vehicle, side effects on the vehicle can be reduced. Finally, the method controls the vehicle to execute the network security protection strategy. Understandably, executing the network security protection strategy can prevent attacks on the in-vehicle network, ensuring traffic safety. Furthermore, running the trained model on the vehicle allows for continuous upgrades to the vehicle's protection capabilities, enabling it to cope with more attack behaviors.
[0046] In addition, this application embodiment also provides another vehicle network security protection method, applied to a vehicle controller. Still as Figure 1 As shown, the vehicle controller communicates with the cloud server via a backend cloud network. The vehicle controller also communicates with the vehicle sensors and vehicle actuators via a CAN bus. It should be noted that the vehicle network security protection method provided in this application embodiment has the same basic principle and technical effects as the above embodiments. For the sake of brevity, any parts not mentioned in this application embodiment can be referred to the corresponding content in the above embodiments. Figure 3 As shown, the method provided in this application embodiment further includes: S301: Collect multi-dimensional actual time-series feature sequences of network communication data from the vehicle network.
[0047] S302: Input the multi-dimensional actual time-series feature sequence into the pre-trained anomaly scoring model to determine the anomaly score of the vehicle network due to an attack.
[0048] S303: If the anomaly score exceeds the set score threshold, upload the multi-dimensional actual time series feature sequence to the cloud server.
[0049] S304: Receive network security protection strategies from cloud servers based on multi-dimensional actual time-series feature sequences.
[0050] S305: Implement network security protection policies.
[0051] Furthermore, following S305, the method provided in this application embodiment further includes: re-collecting multi-dimensional actual time-series feature sequences of network communication data from the vehicular network. The re-collected multi-dimensional actual time-series feature sequences are input into a pre-trained anomaly scoring model to determine an updated anomaly score indicating that the vehicular network has become abnormal due to an attack, and the updated anomaly score is uploaded to a cloud server. In this way, the cloud server can determine the effectiveness of network security protection strategies based on the updated anomaly score.
[0052] Please see Figure 4 This application provides an in-vehicle network security protection device applied to a cloud server. It should be noted that the in-vehicle network security protection device provided in this application has the same basic principle and technical effects as the above embodiments. For the sake of brevity, any parts not mentioned in this application's embodiments can be referred to the corresponding content in the above embodiments. The device provided in this application includes a data receiving unit, an attack behavior determination unit, an attack impact determination unit, a protection strategy determination unit, and a protection control unit, wherein... The data receiving unit is used to receive the multi-dimensional actual time-series characteristic sequence of network communication data sent by the vehicle's in-vehicle network when the in-vehicle network malfunctions due to an attack.
[0053] The attack behavior determination unit is used to input multi-dimensional real-time feature sequences into a pre-trained attack behavior determination model to determine the attack behaviors suffered by the vehicle's in-vehicle network.
[0054] The attack behavior determination model is obtained by inputting multiple first training samples into the first network to be trained. Each first training sample includes a historical multi-dimensional actual time-series feature sequence and its labeled attack behavior.
[0055] The attack impact determination unit is used to simulate the attack behavior on the vehicle based on the preset vehicle digital twin model and to detect the impact of the attack behavior on the vehicle. The protection strategy determination unit is used to input the impact results of the vehicle into the pre-trained network security protection strategy determination model and output the network security protection strategy corresponding to the impact results of the vehicle.
[0056] Among them, the network security protection strategy determination model is obtained by inputting multiple second training samples into the second network to be trained. Each second training sample includes the impact results of historical vehicles and their labeled network security protection strategies. The protection control unit is used to control the vehicle to implement cybersecurity protection policies.
[0057] In some implementations, the output network security protection strategy includes multiple protection control units, which are specifically used to select the optimal network security protection strategy from multiple network security protection strategies and control the vehicle to execute the network security protection strategy.
[0058] Specifically, the protection control unit is used to execute a network security protection strategy for any given network security protection strategy, based on a simulated attack behavior of a vehicle in a vehicle digital twin model; based on the vehicle digital twin model, it obtains a multi-dimensional simulation time-series feature sequence of the vehicle's in-vehicle network after the simulated execution of the network security protection strategy; it inputs the multi-dimensional simulation time-series feature sequence into a pre-trained anomaly scoring model to determine the anomaly score of the vehicle after the simulated execution of the network security protection strategy due to the attack; and it selects the network security protection strategy with the lowest anomaly score as the optimal network security protection strategy.
[0059] In some embodiments, the apparatus provided in this application further includes: The first model training unit is used to acquire a first training sample set, wherein the first training sample set includes multiple first training samples; input the first training sample set into a first network to be trained to train an attack behavior determination model; update the first training sample set at preset intervals and input the updated set into the first network to be trained to train an updated attack behavior determination model.
[0060] In some embodiments, the apparatus provided in this application further includes: The second model training unit is used to acquire a second training sample set, which includes multiple second training samples; input the second training sample set into the second network to be trained to train a network security protection strategy determination model; update the second training sample set at preset intervals and input the updated set into the second network to be trained to train an updated network security protection strategy determination model.
[0061] In addition, this application also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, the electronic device performs the method provided in the above embodiments of this application.
[0062] In addition, this application embodiment also provides a storage medium storing a computer program, which, when executed by a processor, causes the computer to perform the method provided in the above embodiments of this application.
[0063] In addition, this application also provides a computer program product, including a computer program that, when run, causes an electronic device to perform the method provided in the above embodiments of this application.
[0064] The above description does not provide detailed technical specifications regarding the structure of each layer. However, those skilled in the art should understand that layers and regions of desired shapes can be formed using various technical means. Furthermore, to form the same structure, those skilled in the art can also design methods that are not entirely identical to those described above. Additionally, although various embodiments have been described above, this does not mean that the measures in the various embodiments cannot be advantageously combined.
[0065] Although preferred embodiments of this application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of this application.
[0066] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.
Claims
1. A method for protecting vehicle network security, characterized in that, Applied to cloud servers, the method includes: In the event that the vehicle's in-vehicle network malfunctions due to an attack, the multi-dimensional actual time-series characteristic sequence of the network communication data sent by the vehicle's in-vehicle network is received. The multi-dimensional actual time-series feature sequence is input into a pre-trained attack behavior determination model to determine the attack behavior of the vehicle's in-vehicle network. The attack behavior determination model is obtained by inputting multiple first training samples into a first network to be trained. Each first training sample includes a historical multi-dimensional actual time-series feature sequence and its labeled attack behavior. The vehicle is simulated to be subjected to the attack behavior in a preset vehicle digital twin model, and the impact of the attack behavior on the vehicle is detected. The impact results of the vehicle are input into a pre-trained network security protection strategy determination model, and the network security protection strategy corresponding to the impact results of the vehicle is output. The network security protection strategy determination model is obtained by inputting multiple second training samples into a second network to be trained. Each second training sample includes the impact results of historical vehicles and their labeled network security protection strategy tags. Control the vehicle to execute the network security protection strategy.
2. The method according to claim 1, characterized in that, The output network security protection policy includes multiple components, and controlling the vehicle to execute the network security protection policy includes: From the various network security protection strategies described, select the network security protection strategy with the best protection. Control the vehicle to execute the network security protection strategy.
3. The method according to claim 2, characterized in that, The step of selecting the optimal network security protection strategy from among the multiple network security protection strategies includes: For any of the aforementioned network security protection strategies, the network security protection strategy is executed based on the vehicle simulated as being subjected to the attack behavior in the vehicle digital twin model; Based on the vehicle digital twin model, a multi-dimensional simulation time-series feature sequence of the vehicle's in-vehicle network after the network security protection strategy is simulated is obtained. The multi-dimensional simulation time-series feature sequence is input into a pre-trained anomaly scoring model to determine the anomaly score of a vehicle that has become abnormal due to an attack after the simulation implements the network security protection strategy. The network security protection strategy with the lowest anomaly score is selected as the optimal network security protection strategy.
4. The method according to claim 1, characterized in that, Before receiving the multi-dimensional actual time-series feature sequence of network communication data of the vehicular network sent by the vehicle, the method further includes: Obtain a first training sample set, wherein the first training sample set includes the plurality of first training samples; The first training sample set is input into the first network to be trained to train the attack behavior determination model. The first training sample set is updated at preset intervals, and the updated sample set is input into the first network to be trained to train the updated attack behavior determination model.
5. The method according to claim 1, characterized in that, Before receiving the multi-dimensional actual time-series feature sequence of network communication data of the vehicular network sent by the vehicle, the method further includes: Obtain a second training sample set, wherein the second training sample set includes the plurality of second training samples; The second training sample set is input into the first network to be trained to train the network security protection strategy determination model. The second training sample set is updated at preset intervals, and the updated sample set is input into the second network to be trained to obtain the updated network security protection strategy determination model.
6. A method for protecting vehicle network security, characterized in that, The method is applied to an on-board controller, which is communicatively connected to on-board sensors and on-board actuators via an on-board network. The method further includes: Collect multi-dimensional real-time feature sequences of network communication data from the vehicle network; The multi-dimensional actual time-series feature sequence is input into a pre-trained anomaly scoring model to determine the anomaly score of the vehicle network due to an attack. If the abnormal score is greater than the set score threshold, the multi-dimensional actual time-series feature sequence is uploaded to the cloud server. Receive the network security protection strategy obtained by the cloud server based on the multi-dimensional actual time-series feature sequence; Implement the aforementioned network security protection strategy.
7. The method according to claim 6, characterized in that, After executing the network security protection policy, the method further includes: Re-collect the multi-dimensional actual time-series feature sequence of the network communication data of the vehicle network; The re-collected multi-dimensional real-time feature sequences are input into a pre-trained anomaly scoring model to determine the updated anomaly score indicating that the vehicular network is abnormal due to an attack. The updated anomaly score is uploaded to the cloud server.
8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the computer program, it causes the electronic device to perform the method as described in any one of claims 1 to 7.
9. A storage medium storing a computer program, characterized in that, When the computer program is executed by a processor, it causes the computer to perform the method as described in any one of claims 1 to 7.
10. A computer program product, comprising a computer program, characterized in that, When a computer program is run, it causes an electronic device to perform the method as claimed in any one of claims 1 to 7.