A safety protection method and related product

By identifying abnormal behavior through a pre-set security rule base and pre-trained models, and combining local and cloud-based collaborative protection strategies, the problem of AUTOSAR AP security mechanisms being unable to cope with dynamic threats is solved, improving the security and reliability of information data and achieving rapid response and collaborative protection.

CN122293391APending Publication Date: 2026-06-26NEUSOFT REACH AUTOMOBILE TECH (SHENYANG) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NEUSOFT REACH AUTOMOBILE TECH (SHENYANG) CO LTD
Filing Date
2026-03-30
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

AUTOSAR AP's security mechanisms are ill-equipped to handle dynamically changing attack threats and lack system-level protection capabilities, resulting in low security and reliability of information and data. It is also unable to update and upgrade protection strategies in a timely manner and cannot cope with advanced persistent threats and zero-day vulnerability attacks.

Method used

By using a pre-set security rule base and a pre-trained anomaly detection model to identify abnormal behavior in the data to be processed, security identification results are obtained, and local or collaborative protection strategies are adopted based on the identification results, including local protection and cloud collaborative protection, utilizing cloud platform collaborative protection strategies and collaborative security protection with other vehicles.

Benefits of technology

It improves the accuracy and comprehensiveness of abnormal behavior identification, reduces the probability of missed detections and false detections, realizes hierarchical response and rapid protection, enhances the security and reliability of the vehicle-to-everything (V2X) environment, and can effectively resist large-scale and complex security threats.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122293391A_ABST
    Figure CN122293391A_ABST
Patent Text Reader

Abstract

This application discloses a security protection method and related products. The method includes: identifying abnormal behavior in the data to be processed corresponding to a target vehicle based on a preset security rule base and a pre-trained anomaly recognition model to obtain a security recognition result; if the security recognition result indicates a first anomaly level, then performing local security protection on the target vehicle according to a local protection strategy; if the security recognition result indicates a second anomaly level, then obtaining the collaborative protection strategy sent by the cloud platform corresponding to the target vehicle, and performing collaborative security protection with other vehicles according to the collaborative protection strategy. This improves the security of the entire vehicle-to-everything (V2X) environment.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of information security technology, and in particular to a security protection method and related products. Background Technology

[0002] With the rapid development of computer technology, various devices may store a large amount of information data, which is used to meet different user needs. Taking the automotive scenario as an example, the AUTOSAR adaptive platform (AUTOSARAP) is a new generation of automotive software architecture standard that enables information data exchange between the vehicle and the cloud.

[0003] To improve the security and reliability of information data, the security mechanism of AUTOSAR AP is generally based on static configuration or preset policies to protect single points. However, this security mechanism is difficult to deal with dynamically changing attack threats and lacks system-level protection capabilities, resulting in low security and reliability issues in the information data process. Summary of the Invention

[0004] In view of the above problems, this application provides a security protection method and related products, which aim to improve the security and reliability of information data.

[0005] The embodiments of this application disclose the following technical solutions: In a first aspect, embodiments of this application provide a security protection method, which may include: Obtain the data to be processed corresponding to the target vehicle; Based on a pre-set security rule base and a pre-trained anomaly detection model, abnormal behavior is identified in the data to be processed to obtain security identification results; the security identification results include at least one of risk score, anomaly type, anomaly component, attack path or confidence level; If the security identification result is characterized as the first level of anomaly, then local security protection will be applied to the target vehicle according to the local protection strategy. If the security identification result is characterized as the second abnormal level, the collaborative protection strategy sent by the cloud platform corresponding to the target vehicle is obtained, and collaborative security protection is carried out with other vehicles according to the collaborative protection strategy; wherein, the collaborative protection strategy is obtained based on the key data sent to the cloud platform, and the key data is obtained based on the data to be processed.

[0006] In conjunction with the first aspect, in one possible implementation, based on a pre-set security rule base and a pre-trained anomaly detection model, abnormal behavior identification is performed on the data to be processed to obtain security identification results, including: Based on a preset security rule base, anomaly matching is performed on the data to be processed to obtain the first anomaly result; A pre-trained anomaly detection model is used to identify anomalies in the data to be processed, resulting in a second anomaly. The first and second abnormal results are analyzed and processed together to obtain the security identification results.

[0007] In conjunction with the first aspect, one possible implementation also includes obtaining the risk score through the following methods: Obtain historical security identification results; The risk index of the target vehicle at the current moment is determined based on historical safety identification results; The risk score is determined based on the risk index, the first abnormal result, and the second result.

[0008] In conjunction with the first aspect, in one possible implementation, local security protection is provided to the target vehicle based on a local protection strategy, including: Perform at least one of the following safety protection actions: Access permissions for abnormal applications identified in the security identification results are restricted through the identity and access management interface. Alternatively, the encryption algorithm configured for the target communication channel represented in the security identification result can be updated to a specific encryption algorithm; Alternatively, the anomalous applications or behaviors identified in the security identification results can be isolated and run in the target environment.

[0009] In conjunction with the first aspect, one possible implementation involves collaborative safety protection with other vehicles based on a collaborative protection strategy, including: By having the target vehicle and other vehicles jointly respond to the coordinated protection command, the abnormal process represented in the security identification results is isolated.

[0010] In conjunction with the first aspect, in one possible implementation, the data to be processed includes at least one of the following: application execution state, inter-process communication, network traffic, system calls, or file access.

[0011] Secondly, embodiments of this application provide a safety protection device, which may include: The acquisition unit is used to acquire the data to be processed corresponding to the target vehicle. Anomaly identification unit is used to identify abnormal behaviors in the data to be processed based on a preset security rule base and a pre-trained anomaly identification model, and obtain security identification results; the security identification results include at least one of risk score, anomaly type, anomaly component, attack path or confidence level; The security protection unit is used to provide local security protection for the target vehicle according to the local protection strategy if the security identification result is characterized as the first abnormal level. The security protection unit is also used to obtain the collaborative protection strategy sent by the cloud platform corresponding to the target vehicle if the security identification result is characterized as the second abnormal level, and to carry out collaborative security protection with other vehicles according to the collaborative protection strategy; wherein, the collaborative protection strategy is obtained based on the key data sent to the cloud platform, and the key data is obtained based on the data to be processed.

[0012] Thirdly, embodiments of this application provide a control device, including a processor and a memory, wherein the memory is used to store programs, instructions or code, and the processor is used to execute the programs, instructions or code in the memory to perform the security protection method as described in the first aspect.

[0013] Fourthly, embodiments of this application provide a computer-readable storage medium storing a computer program, which is loaded by a processor to execute the security protection method described in the first aspect.

[0014] Fifthly, embodiments of this application provide a vehicle including a controller, the controller storing programs, instructions or code, the controller being used to execute the programs, instructions or code in the controller to perform the safety protection method as described in the first aspect.

[0015] Beneficial effects: The security protection method provided in this application identifies abnormal behavior in the data to be processed corresponding to a target vehicle based on a preset security rule base and a pre-trained anomaly recognition model, thereby obtaining a security identification result. If the security identification result indicates a first anomaly level, local security protection is provided to the target vehicle according to a local protection strategy. If the security identification result indicates a second anomaly level, a collaborative protection strategy sent by the cloud platform corresponding to the target vehicle is obtained, and collaborative security protection is provided with other vehicles according to the collaborative protection strategy. The security identification result includes at least one of risk score, anomaly type, anomaly component, attack path, or confidence level. The collaborative protection strategy is obtained based on key data sent to the cloud platform, and the key data is obtained based on the data to be processed.

[0016] Thus, by comprehensively utilizing a pre-set security rule base and a pre-trained anomaly detection model to identify abnormal behavior in the data to be processed, the accuracy and comprehensiveness of anomaly detection are improved, effectively reducing the probability of missed detections and false detections. At the same time, when the security identification results are characterized by different anomaly levels, different protection strategies can be adopted. Through hierarchical processing, a rapid response can be made according to the severity of the anomaly, improving the efficiency of security protection. Furthermore, when the security identification results are characterized by the second anomaly level, through collaborative protection with other vehicles, information sharing and resource complementarity can be achieved to jointly resist large-scale and complex security threats, thereby improving the security of the entire vehicle network environment. Attached Figure Description

[0017] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0018] Figure 1 A schematic flowchart illustrating a security protection method provided in an embodiment of this application; Figure 2 This application provides a schematic diagram of the architecture of a security protection system. Figure 3 A schematic diagram of a security protection process provided in an embodiment of this application; Figure 4a A schematic diagram of a security situation awareness layer provided in an embodiment of this application; Figure 4b This is a schematic diagram of a dynamic protection execution layer provided in an embodiment of this application; Figure 5 This is a schematic diagram of the structure of a safety protection device provided in an embodiment of this application; Figure 6 This is a schematic diagram of the structure of a control device provided in an embodiment of this application. Detailed Implementation

[0019] As described earlier, with the increasing intelligence (such as autonomous driving and smart cockpit functions) and connectivity (the connection between the car and the outside world via the Internet), the automotive software architecture is becoming increasingly complex, and automotive information security faces severe challenges.

[0020] In related technologies, the security mechanism of AUTOSAR APs is mainly based on static configuration or preset policies. However, network attack methods are constantly changing and evolving, making this static protection method inadequate to cope with dynamically changing attack threats. As an example, suppose a car is configured with fixed access permissions, allowing only specific IP addresses to access the vehicle's systems. Hackers might bypass this fixed setting by constantly trying different IP addresses or using other technical means, and existing static protection mechanisms cannot detect and prevent such dynamic attacks in a timely manner.

[0021] Furthermore, because AUTOSAR AP lacks the capability for real-time monitoring and comprehensive assessment of the entire vehicle's information security status, it cannot promptly grasp the overall security situation. For example, while a car is in motion, multiple systems within the vehicle (such as the engine control system and entertainment system) are operating and may be subject to various cyberattacks. However, due to the lack of situational awareness, it is impossible to know in real time whether these systems are under attack, the extent of the attack, or the overall information security status.

[0022] Meanwhile, the security mechanisms provided by these technologies offer single-point protection, lacking system-level collaborative protection capabilities. When faced with complex attacks, single-point protection is difficult to respond effectively. For example, if a sensor in a car is attacked, the security mechanisms provided by these technologies may only protect that sensor, without considering the potential impact of the attack on other related systems (such as autonomous driving systems), and are unable to coordinate with other systems for joint protection.

[0023] Furthermore, security strategies and protective components are difficult to update and upgrade dynamically. However, with the continuous emergence of new attack methods, if security strategies and protective components are not updated in a timely manner, automotive information security will face significant risks. For example, when a new cyberattack method is discovered, the vehicle's existing security mechanisms may not be able to quickly update the corresponding protective strategies to the in-vehicle system, leaving the vehicle still vulnerable to this new type of attack.

[0024] In summary, the AUTOSAR AP security mechanism in related technologies mainly relies on basic protection measures such as encrypted communication, secure boot, and access control. However, it cannot provide effective security protection against new security threats such as advanced persistent threats (APTs, where hackers lurk in the system for a long time to launch attacks) and zero-day vulnerability attacks (attacks that exploit software vulnerabilities that have not yet been discovered and patched), resulting in a decrease in the security and reliability of information and data.

[0025] Based on this, this application provides a security protection method and related products. The method includes: the security protection method provided in this application identifies abnormal behavior in the data to be processed corresponding to a target vehicle based on a preset security rule base and a pre-trained anomaly recognition model, obtaining a security identification result; if the security identification result indicates a first anomaly level, local security protection is performed on the target vehicle according to a local protection strategy; if the security identification result indicates a second anomaly level, a collaborative protection strategy sent by the cloud platform corresponding to the target vehicle is obtained, and collaborative security protection is performed with other vehicles according to the collaborative protection strategy. The security identification result includes at least one of risk score, anomaly type, anomaly component, attack path, or confidence level; the collaborative protection strategy is obtained based on key data sent to the cloud platform, and the key data is obtained based on the data to be processed.

[0026] Thus, by comprehensively utilizing a pre-set security rule base and a pre-trained anomaly detection model to identify abnormal behavior in the data to be processed, the accuracy and comprehensiveness of anomaly detection are improved, effectively reducing the probability of missed detections and false detections. At the same time, when the security identification results are characterized by different anomaly levels, different protection strategies can be adopted. Through hierarchical processing, a rapid response can be made according to the severity of the anomaly, improving the efficiency of security protection. Furthermore, when the security identification results are characterized by the second anomaly level, through collaborative protection with other vehicles, information sharing and resource complementarity can be achieved to jointly resist large-scale and complex security threats, thereby improving the security of the entire vehicle network environment.

[0027] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present application.

[0028] The collection and processing of relevant data (including but not limited to experimental data, test data, simulation data, user data, etc.) involved in this application shall strictly comply with the requirements of national laws and regulations when applied in the following embodiments, obtain the informed consent or separate consent of the subject obtaining the data information, and carry out data use and processing within the scope of laws and regulations and the authorization of the subject.

[0029] See Figure 1 The figure is a flowchart illustrating a security protection method provided in an embodiment of this application.

[0030] Combination Figure 1 As shown, the security protection method provided in this application embodiment may include: S11: Obtain the data to be processed corresponding to the target vehicle.

[0031] The target vehicle refers to a specific vehicle that requires security monitoring.

[0032] Data to be processed refers to various data sets related to the target vehicle's operating status, communication status, system operation, etc.

[0033] In one possible implementation, the data to be processed includes at least one of the following: application execution state, inter-process communication, network traffic, system calls, or file access.

[0034] Application execution status refers to the running status of an application in a vehicle system, including whether the application is running, what stage it is in (such as startup, running, paused, stopped, etc.), runtime resource usage (such as CPU usage, memory usage, etc.), and application error status information (such as whether a crash or abnormal exit has occurred).

[0035] Inter-process communication (IPC) refers to the exchange of data and information between different processes in a vehicle system in order to collaboratively complete a specific task. Common IPC methods include pipes, message queues, shared memory, and semaphores. Through these methods, processes can share data and synchronize operations. For example, an in-vehicle navigation process might need to obtain current vehicle speed information from a vehicle status monitoring process to plan a more accurate route.

[0036] Network traffic refers to the amount of data transmitted between a vehicle and external networks (such as vehicle-to-everything (V2X) networks and the Internet) as well as within the vehicle itself (such as the network between various electronic control units within the vehicle). It includes upload traffic (data sent by the vehicle to the outside world) and download traffic (data received by the vehicle from the outside world), and can be further subdivided into different network protocols (such as TCP and UDP), different communication ports, and different communication objects (such as other vehicles, traffic infrastructure, cloud servers, etc.).

[0037] System calls refer to requests made by an application during runtime to the operating system for services such as file operations (creating, reading, writing, and deleting files), process management (creating and terminating processes), and memory management (allocating and releasing memory). Applications use these operating system-provided functions by issuing system calls; system calls serve as the interface between the application and the operating system.

[0038] File access refers to the actions performed by processes within a vehicle's system, such as reading, writing, modifying, and deleting files. Files can be stored on the vehicle's local storage devices (such as hard drives and flash memory) or in the cloud or other network storage devices. File access data records which processes performed what operations on which files, when, and how.

[0039] It should be understood that by acquiring various types of data to be processed, the safety status of a vehicle can be assessed from multiple dimensions, leaving no potential safety threats unchecked. Furthermore, real-time data acquisition allows for the timely detection of vehicle safety issues, preventing them from escalating.

[0040] S12: Based on a preset security rule base and a pre-trained anomaly recognition model, perform anomaly behavior recognition on the data to be processed to obtain security recognition results.

[0041] A pre-defined safety rule base refers to a set of predefined safety rules and guidelines. These rules are based on known security threat patterns, industry safety standards, and normal vehicle operation specifications. For example, they may specify the normal steering angle range for a vehicle at a specific speed, or restrict access to certain sensitive data.

[0042] A pre-trained anomaly detection model refers to a machine learning or deep learning model trained on a large number of normal and abnormal data samples. It can automatically learn feature patterns in the data and identify abnormal behaviors that deviate from normal patterns. For example, a neural network model can be used to identify abnormal traffic patterns in vehicle communication data.

[0043] It should be understood that combining a pre-set security rule base with a pre-trained anomaly detection model to identify abnormal behavior can improve the accuracy and efficiency of anomaly detection. The pre-set security rule base can quickly identify known and explicit security threats, while the pre-trained anomaly detection model can capture complex and covert abnormal behaviors, thereby improving the accuracy of anomaly detection. For example, the rule base can quickly match and identify some common network attack patterns; while for some new and mutated attack methods, the model can identify them by learning data features.

[0044] Security identification results may include at least one of the following: risk score, anomaly type, anomalous component, attack path, or confidence level. The risk score quantifies the severity of the anomalous behavior; the anomaly type indicates the type of security threat, such as a cyberattack or malware infection; the anomalous component identifies the affected parts of the vehicle, such as a sensor or in-vehicle communication module; the attack path describes how the attacker compromised the vehicle; and the confidence level indicates the reliability of the identification results.

[0045] It should be understood that because security identification results can contain information from multiple dimensions, they can provide a more comprehensive reference for subsequent security protection. For example, risk scoring allows security personnel to intuitively understand the severity of anomalies, thus prioritizing high-risk issues; the explicit identification of anomaly types and components helps to quickly locate the source of the problem and take targeted protective measures.

[0046] In one possible implementation, step S22 may include: A1: Based on the preset security rule base, perform anomaly matching on the data to be processed to obtain the first anomaly result.

[0047] The first abnormal result refers to the result obtained after performing anomaly matching on the data to be processed based on the preset security rule base, indicating whether the data violates the preset rules and the specific rules violated.

[0048] It should be understood that the data to be processed is compared one by one with the rules in the preset security rule base to check whether the data meets the rule requirements. If the data violates a rule, it is judged as an anomaly, and the violated rule information is recorded, forming the first anomaly result.

[0049] Because rule matching is relatively simple and computationally inefficient, it can process large amounts of data quickly and offers strong real-time performance. Furthermore, the rules are clearly defined, so when data is flagged as anomaly, it's easy to identify which rule was violated, facilitating subsequent analysis and processing.

[0050] A2: An anomaly detection model based on pre-training is used to identify anomalies in the data to be processed, and a second anomaly result is obtained.

[0051] The second anomaly result refers to the output of the pre-trained anomaly recognition model after it identifies anomalies in the data to be processed. It reflects the model's judgment on whether the data is abnormal and the type of anomaly based on the learned features.

[0052] It should be understood that by inputting the data to be processed into a pre-trained anomaly detection model, the model classifies or judges the data based on the data features and patterns it has learned internally, and outputs information such as whether the data is abnormal and the type of anomaly, i.e., the second anomaly result. Because the model can automatically learn the potential features in the data, it has a good ability to identify some unknown or new security threats and can discover some complex anomaly patterns that are difficult to describe by rules.

[0053] In this way, by using machine learning or deep learning algorithms to automatically learn data features, there is no need to manually define a large number of complex rules, which can adapt to the ever-changing security threat environment; at the same time, the model trained on a large amount of data has a certain generalization ability and can reasonably identify anomalies in unseen data.

[0054] A3: The first and second abnormal results are comprehensively analyzed and processed to obtain the security identification result.

[0055] It should be understood that by integrating and analyzing the first and second abnormal results, considering the correlation and complementarity between the results of the two methods, and comprehensively judging whether the vehicle currently faces a security threat and the specific circumstances of the threat, a final security identification result can be formed. This can reduce the possibility of misjudgment and omission, and improve the accuracy of security identification. At the same time, it can cover more types of security threats, including both known common threats and unknown new threats.

[0056] One possible implementation also includes obtaining the risk score through the following methods: B1: Obtain historical security identification results.

[0057] Historical safety identification results refer to the records of safety identification results of vehicles over a period of time in the past, which include the safety status information of vehicles at different times.

[0058] It should be understood that by retrieving records of vehicle safety identification over a period of time from databases or other storage media, a more comprehensive reflection of the vehicle's safety characteristics can be obtained, which helps to discover trends in vehicle safety status and provides a reference for predicting future safety risks.

[0059] B2: Determine the risk index of the target vehicle at the current moment based on historical safety identification results.

[0060] The risk index is a quantitative indicator determined based on historical safety identification results, used to measure the likelihood that a target vehicle faces a safety threat at the current moment.

[0061] It should be understood that by transforming abstract safety risks into concrete numerical values, comparisons and analyses become easier. Furthermore, as historical data is continuously updated, the risk index can be adjusted in real time to reflect the dynamic changes in vehicle safety conditions.

[0062] B3: Determine the risk score based on the risk index, the first abnormal result, and the second result.

[0063] Risk score refers to a comprehensive score obtained by taking into account the risk index, the first abnormal result, and the second abnormal result. It is used to more intuitively represent the current safety risk level of a vehicle and provide a basis for subsequent safety decisions.

[0064] It should be understood that a comprehensive risk score is obtained by comprehensively considering the risk index, the first abnormal result, and the second abnormal result, and by using methods such as weighted summation and fuzzy comprehensive evaluation to integrate these factors. A higher risk score indicates a higher level of current safety risk for the vehicle.

[0065] In this way, by comprehensively considering the vehicle's historical safety status, current rule matching results, and model recognition results, the assessment results are more accurate and reliable. At the same time, it provides clear quantitative basis for safety decisions, facilitating decision-makers to take appropriate measures based on different risk scores.

[0066] S13: If the security identification result is characterized as the first level of anomaly, then local security protection will be provided to the target vehicle according to the local protection strategy.

[0067] The first level of abnormality refers to a level of lower severity of abnormal behavior, meaning that the impact on the normal operation and safety of the vehicle is relatively small, and it can be handled and resolved locally within the vehicle.

[0068] Local protection strategies refer to security measures implemented locally on the vehicle for the first level of anomaly. These measures do not rely on a cloud platform and can quickly respond to and handle local security issues. Examples include restricting data collection from a specific anomalous sensor or isolating infected files.

[0069] It should be understood that when the security identification result is judged to be at the first level of anomaly, it indicates that the target vehicle faces a relatively minor security threat. At this time, the target vehicle can utilize its own resources and capabilities to handle the abnormal situation according to the pre-defined local protection strategy, thereby ensuring the normal operation and basic safety of the vehicle. Since there is no need to communicate or interact with the cloud platform, the local protection strategy can be implemented quickly, handling abnormal situations promptly and reducing the impact on normal vehicle operation. For example, when a slight anomaly is detected in the data from a certain sensor, the vehicle can immediately restrict the data acquisition of that sensor to prevent abnormal data from interfering with the vehicle control system.

[0070] Meanwhile, in a connected vehicle environment, network connections may be unstable or interrupted. Local protection strategies do not rely on the network and can still provide a certain level of security protection for the vehicle when the network is unavailable, thus improving system reliability.

[0071] In one possible implementation, step S13 may involve performing at least one of the following security protection actions: restricting access permissions to the abnormal application represented in the security identification result through the identity and access management interface; or updating the encryption algorithm configured for the target communication channel represented in the security identification result to a specific encryption algorithm; or isolating the abnormal application or abnormal behavior represented in the security identification result to run in the target environment.

[0072] The Identity and Access Management interface is used to manage system user authentication, authorization, and access control. It defines how users prove their identity (such as username and password, digital certificates, etc.) and how permissions are granted to users to access specific resources (such as applications, data, system functions, etc.) based on their identity.

[0073] Abnormal applications are those that behave abnormally within a vehicle system, posing potential security risks or malicious intent. Examples include applications that gain unauthorized access to critical vehicle systems or those that frequently send unusual network requests.

[0074] The target communication channel is a specific path used for data transmission in a vehicle system, which may involve communication between different components inside the vehicle or between the vehicle and external devices (such as other vehicles, cloud servers, etc.).

[0075] Encryption algorithms are mathematical methods used to encrypt and decrypt data, ensuring the confidentiality and integrity of data during transmission or storage. Different encryption algorithms have different security strengths and performance characteristics.

[0076] A specific encryption algorithm is a pre-selected encryption algorithm with high security and applicability based on security requirements and scenarios, used to replace the encryption algorithm currently used in the communication channel that may have security risks.

[0077] The target environment refers to an isolated and controlled operating environment, which is usually isolated from the main system environment. It is used to run abnormal applications that may pose security risks or to handle abnormal behavior in order to prevent them from affecting the main system.

[0078] It should be understood that when a security identification system detects abnormal behavior in an application, it uses the identity and access management interface to adjust the application's access permissions. For example, an application that originally had access to critical vehicle control systems may be restricted to accessing only non-critical data or functions after an anomaly is detected. This quickly limits the access scope of the abnormal application, preventing it from further acquiring sensitive information or causing more serious damage to the vehicle system. Simultaneously, it ensures that critical vehicle systems, data, and functions are not arbitrarily accessed and manipulated by abnormal applications, guaranteeing the safe operation of the vehicle. This improves flexibility and enables precise protection.

[0079] It should be understood that when a security risk is discovered in a vehicle's communication channel, such as the current encryption algorithm potentially being cracked or having vulnerabilities, the encryption algorithm configured for that communication channel will be replaced with a pre-selected, more secure, and reliable specific encryption algorithm. This improves the confidentiality and integrity of data during communication, preventing data from being stolen, tampered with, or forged during transmission. Furthermore, as security technologies develop and attack methods are constantly updated, timely replacement of encryption algorithms can effectively address new security challenges. This achieves proactive defense against security threats and offers good compatibility.

[0080] It should be understood that by transferring detected anomalous applications or processes exhibiting abnormal behavior that pose security risks to an isolated, independent target environment, the system is prevented from impacting the main system. This avoids the spread of anomalous applications or behavior within the main system, thus preventing disruption to the stable operation of other normal applications and systems. In short, security risks are effectively isolated, protecting the security and stability of the main system. Even if an anomalous application encounters problems in the isolated environment, it will not cause substantial damage to the main system. Simultaneously, isolating the anomaly does not affect the normal functioning and use of the vehicle's main system, ensuring vehicle driving safety and the normal operation of basic functions.

[0081] S14: If the security identification result is characterized as the second abnormal level, then obtain the collaborative protection strategy sent by the cloud platform corresponding to the target vehicle, and carry out collaborative security protection with other vehicles according to the collaborative protection strategy.

[0082] The collaborative protection strategy is based on key data sent to the cloud platform, and the key data is based on data to be processed.

[0083] The second level of abnormality indicates a higher degree of severity of abnormal behavior, posing a significant threat to the normal operation and safety of the vehicle. Local protection may not be effective in dealing with this, and collaborative protection with cloud platforms and other vehicles is required.

[0084] The cloud platform possesses powerful computing, data storage, and security analysis capabilities, enabling it to integrate data from multiple vehicles and formulate comprehensive collaborative protection strategies.

[0085] A collaborative protection strategy refers to a strategy developed by a cloud platform based on critical data and other relevant information sent by a target vehicle, aimed at coordinating multiple vehicles to jointly address security threats. Examples include notifying surrounding vehicles to enhance security monitoring and adjusting communication frequencies to avoid interference.

[0086] Key data refers to data extracted from the data to be processed that reflects core information about the vehicle's safety status. This data is crucial for cloud platforms to formulate collaborative protection strategies. Examples include the characteristics of abnormal behavior, the source and target of attacks, etc.

[0087] In one possible implementation, step S14 may include: isolating the abnormal process represented in the security identification result by having the target vehicle and other vehicles jointly respond to the cooperative protection command.

[0088] Collaborative protection commands refer to commands issued uniformly by a cloud platform to coordinate multiple vehicles to take joint security protection measures in response to specific security threats.

[0089] An abnormal process refers to a process that behaves abnormally during the operation of a vehicle system, and may contain security vulnerabilities or malicious behavior. For example, a process that consumes excessive system resources or frequently accesses sensitive data.

[0090] It should be understood that when a vehicle's safety management system or traffic management center issues a coordinated protection command, the target vehicle and other relevant vehicles, upon receiving the command, will jointly take action to isolate the detected abnormal process. This coordinated protection can involve information sharing and collaborative operations among multiple vehicles to more effectively address large-scale or distributed security threats.

[0091] In this way, for security threats that may affect multiple vehicles, such as cyberattacks and malware propagation, the collaborative protection of multiple vehicles can more comprehensively and promptly isolate abnormal processes and prevent the spread of security threats. At the same time, the joint participation of multiple vehicles in security protection forms a more robust security network, improving the overall security and resistance to attacks of the entire vehicle group.

[0092] It should be understood that when the security identification result is at the second level of anomaly, the vehicle sends critical data to the cloud platform. The cloud platform, leveraging its powerful analysis and processing capabilities, and combining global security information and experience, formulates a collaborative protection strategy and sends this strategy back to the target vehicle. The target vehicle then shares information and coordinates actions with other vehicles according to the collaborative protection strategy to jointly address security threats.

[0093] Thus, because cloud platforms can integrate data and security information from multiple vehicles, they can formulate collaborative protection strategies from a global perspective, enabling a more comprehensive response to large-scale and complex security threats. For example, when a distributed attack targeting the Internet of Vehicles is detected, the cloud platform can coordinate multiple attacked vehicles to take protective measures simultaneously, improving the effectiveness of the protection.

[0094] Simultaneously, through collaborative security protection with other vehicles, information sharing and resource complementarity can be achieved. Different vehicles can leverage their respective strengths to jointly defend against security threats. For example, some vehicles may possess more advanced detection technologies, enabling them to promptly detect signs of attacks and share this information with other vehicles, thus forming a more robust security defense line for the entire vehicle-to-everything (V2X) system.

[0095] Based on the security protection method provided in the above embodiments, combined with Figure 2 As shown in the embodiments of this application, a security protection system is also provided. This security protection system is an integrated core architecture of "vehicle-cloud collaboration" and "perception-decision-execution". The security protection system can be divided into two main parts: a cloud-based collaborative protection center (cloud platform) and an in-vehicle platform (the target's in-vehicle platform). Among them, the in-vehicle platform strictly follows the AUTOSAR AP standard and is divided into three logical layers, including a security situation awareness layer, a dynamic protection execution layer, and a policy management and response layer.

[0096] The security situation awareness layer, acting as the system's "sensory nerves," is responsible for all-weather, all-round data collection and threat perception. The security situation awareness layer may include: The multi-source safety data acquisition module is used to acquire data in real time from vehicle networks (such as CAN FD, vehicle Ethernet), controllers (ECUs) and V2X communication units, including application behavior, network traffic, system call logs, etc.

[0097] The security incident correlation analysis module is used to aggregate, normalize, and perform correlation analysis on the collected raw data, and identify potential security incidents based on rule bases or models.

[0098] The real-time safety situation assessment module is used to integrate various types of information, dynamically calculate the safety level and risk index of the whole vehicle or a specific functional domain, and form a global safety situation view.

[0099] The secure data storage module is designed to securely store forensic data such as event logs and system snapshots, using an anti-tamper design, for post-event auditing and tracing.

[0100] The dynamic protection execution layer, acting as the system's "immune system," is responsible for accurately and rapidly executing security policies to block threats. The dynamic protection execution layer may include: The access control enforcement module is used to implement fine-grained access control based on identity and attributes through the ARA::IAM interface of AUTOSAR AP, ensuring that only authorized entities can access the corresponding resources.

[0101] The communication security protection module integrates protocols such as SecOC, TLS, and IPsec to provide authentication, integrity, and confidentiality protection for in-vehicle and vehicle-to-cloud communication.

[0102] The application sandbox module is used to create an isolated runtime environment for critical applications, preventing malicious applications from damaging the system or other applications.

[0103] The intrusion detection and prevention module is used to detect malicious traffic and attack behaviors (such as DoS attacks) in real time and perform proactive defense actions such as blocking and rate limiting.

[0104] The strategy management and response layer, acting as the system's "decision-making brain," is responsible for overall management and adaptive response. The strategy management and response layer may include: The security policy management module is used to uniformly manage local policies and cloud-deployed policies, and is responsible for the parsing, distribution and lifecycle management of policies.

[0105] The adaptive response engine is used to automatically make decisions and trigger corresponding protective actions (such as adjusting access control rules and isolating abnormal ECUs) based on the risk index output by the security situation awareness layer.

[0106] The security update management module supports OTA updates for security components (such as rule bases and virus signature bases) to ensure the continuous evolution of protection capabilities.

[0107] The evidence collection and auditing module is used to record all security operations, generate audit reports, meet compliance requirements, and provide a basis for incident tracing.

[0108] The cloud-based collaborative protection center, acting as the system's "intelligent hub," provides comprehensive intelligent analysis and collaborative capabilities. The cloud-based collaborative protection center may include: The Threat Intelligence Analysis Center aggregates massive amounts of threat data from vehicles, conducts big data analysis, and uncovers new attack patterns.

[0109] The security model training center is used to train and optimize threat detection models based on global data using cloud computing power, and then distribute them to the vehicle.

[0110] The strategy optimization and distribution center is used to optimize protection strategies based on global analysis results and distribute them to fleets in batches.

[0111] An emergency response coordination center is used to coordinate multiple vehicles for collaborative protection during major security incidents (such as regional risk warnings).

[0112] As an example, the data interaction process at each level can be as follows: 1. "Perception-Decision-Execution" Closed Loop (Vehicle-Endogenous Safety): Data uplink (awareness): The security situation awareness layer acquires raw data from hardware and network through the multi-source security data acquisition module. After analysis and evaluation, it reports security events and situation information to the adaptive response engine of the policy management and response layer.

[0113] Decision-making and dissemination: The policy management and response layer adaptive response engine generates decisions and distributes specific protection instructions to various modules of the dynamic protection execution layer through the security policy management module.

[0114] Execution and Feedback: The dynamic protection execution layer module completes actions (such as blocking communication and isolating applications) and feeds back the execution results to the security situation awareness layer, thereby initiating a new round of cyclical optimization.

[0115] 2. "Vehicle-Cloud Collaboration" Closed Loop (Cloud-based Intelligent Empowerment): Data Upload: The vehicle-side policy management and response layer's evidence collection and auditing module uploads critical security events and logs to the threat intelligence analysis center of the cloud-based collaborative protection center.

[0116] Cloud-based intelligent analysis and strategy optimization: The cloud-based collaborative protection center utilizes its powerful computing capabilities to perform in-depth analysis and model training, generating optimized detection models and protection strategies.

[0117] Policy distribution and response coordination: The cloud-based collaborative protection center optimizes and distributes new policies and models to the vehicle's security policy management module; in emergency situations, the emergency response coordination center can directly send coordination instructions to the vehicle.

[0118] Based on the security protection system provided in the above embodiments, combined with Figure 3 As shown in the embodiments of this application, a security protection process is also provided, which may include: Step 1: Multi-source security data acquisition and preprocessing (acquiring data to be processed).

[0119] As an example, multi-dimensional data can be collected in real time through the ARA (AUTOSAR Runtime for Adaptive Applications) standard interface provided by the AUTOSAR Adaptive Platform (AP). The collected data can include: application execution status, used to monitor the lifecycle and resource consumption (CPU / memory) of adaptive applications; inter-process communication, used to collect data and patterns of inter-service communication (such as SOME / IP) via the ARA::COM interface; network traffic, used to monitor TCP / UDP communication on the vehicle's Ethernet network and analyze protocol compliance and traffic characteristics; and system calls and file access, used to record sensitive operating system operation sequences and access events to critical files.

[0120] It should be understood that the collected raw data undergoes standardized preprocessing, including data cleaning (noise removal), format standardization, timestamp alignment, and data fusion. For example, an abnormal network access request can be associated with the corresponding application system call to form a complete audit trail. To ensure data security, AUTOSAR AP's encryption services (such as Crypto Stack) are used to protect sensitive data during collection and transmission.

[0121] Step 2: Real-time security posture assessment and threat identification.

[0122] As an example, the preprocessed data is fed into a security analysis engine that employs two analysis strategies in parallel: Detection based on a pre-defined security rule base: High-speed matching is performed using a pre-defined, known attack signature base (such as specific sequences of system calls and abnormal communication patterns) to quickly discover known threats.

[0123] Anomaly detection based on pre-trained models: By using unsupervised or supervised learning models, a "normal behavior baseline" for systems and applications is established. By comparing the deviation of real-time behavior from the baseline, new and unknown threats (such as zero-day attacks) can be detected.

[0124] The security analysis engine can integrate the analysis results from both strategies to dynamically assess the current security risk level (e.g., quantify it as a score from 0 to 100 or a "low, medium, high, critical" level), and generate a structured security posture report (i.e., security identification results). The security posture report may include at least one of the following: security risk level (risk score), threat type (anomaly type), affected components (anomaly components), attack path, or confidence level.

[0125] Step 3: Dynamic protection strategy decision-making and execution.

[0126] As an example, security protection systems can make decisions based on security situation reports to determine whether security threats exceed the local handling capabilities of a single vehicle (such as whether they are new and complex attacks or whether they may cause systemic risks).

[0127] If the security threat risk level is classified as Level 1 Anomalous, such as Path A (regular or localized threat), the adaptive response engine can automatically make decisions and execute local protection actions based on the security policy library. For example, it can dynamically restrict the permissions of suspicious applications through the AUTOSAR AP's IAM (Identity and Access Management) interface; or dynamically switch to a higher level of encryption algorithm for specific communication channels (such as upgrading from AES-128 to AES-256-GCM); or place malicious or anomalous applications in a sandbox to limit their destructive scope.

[0128] Step 4: Collaborative protection and emergency response.

[0129] If the risk level of the security threat is the second abnormal level, such as path B (advanced or collaborative threat), that is, when an advanced persistent threat (APT) or a risk that may affect the vehicle group is detected, the collaborative mechanism is immediately activated.

[0130] The vehicle reports key threat data (i.e., fingerprint information IoC and context data) to the cloud-based collaborative protection center.

[0131] The cloud center conducts global threat intelligence analysis, confirms the attack scope, and then issues collaborative protection instructions (such as "all relevant vehicles, immediately isolate specific processes") to the affected vehicle cluster. After the collaborative protection instructions are issued, step 3 is executed, where the vehicle-side dynamic protection execution layer receives, verifies, and executes these cloud instructions to achieve collaborative defense of "one-point detection, network-wide immunity".

[0132] Step 5: Continuous optimization and feedback loop for safety status.

[0133] As an example, a security protection system can collect feedback on the effectiveness of protection (such as whether the policy was successfully executed and the false alarm rate) as well as global threat intelligence (such as new attack patterns) obtained from the cloud.

[0134] Based on this feedback data, the local security detection model and protection strategy are continuously optimized through machine learning algorithms (such as reinforcement learning). For example, if a certain false alarm occurs frequently, the parameters of the detection model are adjusted; if a new attack method is identified in the cloud, the cloud will train a new model and silently deploy it to the vehicle via OTA through a security update management module (such as UCM).

[0135] The optimized model and strategy influence the next round of steps 1 (data acquisition and preprocessing) and steps (situation assessment) through feedback information, so as to form a self-reinforcing positive feedback loop, enabling the system's defense capabilities to continuously adapt to the ever-changing threat environment and achieve true "dynamic evolution".

[0136] Based on the security protection system provided in the above embodiments, combined with Figure 4a As shown in the embodiments of this application, the workflow of the security situation awareness layer is also provided: C1: Multi-source data acquisition and preprocessing.

[0137] The multi-source security data acquisition module collects data in real time from three main dimensions through the ARA interface defined by AUTOSAR AP: Vehicle Network: Monitor communication traffic, protocol compliance, and abnormal messages on buses such as CAN FD and in-vehicle Ethernet.

[0138] ECU controller: Collects the operating status, resource usage (CPU / memory), and fault codes (DTCs) of key electronic control units.

[0139] V2X communication unit: Receives safety messages (such as BSM, CAM, DENM) from the external environment (other vehicles, roadside facilities) to achieve beyond-line-of-sight perception.

[0140] As an example, the collected raw data immediately enters the data cleaning and standardization process, which may include: Data cleaning: Filtering noisy data caused by network jitter and repairing erroneous packets generated during transmission.

[0141] Unified format: Convert heterogeneous data from different sources (such as binary CAN messages, SOAP / SomeIP service messages) into an internally unified standardized format (such as Protocol Buffers).

[0142] Timestamp alignment: Based on a high-precision clock source (such as GPS), all data is time-stamped uniformly, laying the foundation for subsequent correlation analysis. This step ensures that the subsequent analysis engine processes complete, consistent, and high-confidence data.

[0143] C2: Security event correlation analysis.

[0144] As an example, the preprocessed data is fed into the security event correlation analysis module. This module employs two analysis strategies in parallel: Rule-based matching detection: This method utilizes a pre-defined, known attack signature database (such as specific sequences of system calls or SQL injection patterns) for high-speed matching to quickly identify known threats. For example, matching multiple consecutive failed login attempts triggers a "brute-force" alert.

[0145] Model-based anomaly detection: This involves establishing a "normal behavior baseline" for systems and applications using unsupervised learning models. By comparing the deviation of real-time behavior from this baseline, novel and unknown threats (zero-day attacks) and slow-penetrating attacks (APT attacks) can be detected. For example, detecting an ECU issuing abnormally high numbers of network scanning requests during abnormal periods.

[0146] The module correlates and aggregates the analysis results, linking scattered anomalies into a complete attack chain. For example, it correlates three isolated events—"abnormal privilege escalation behavior," "suspicious file creation," and "malicious external connections"—into a complete "malware implantation" event and assesses its confidence level.

[0147] C3: Real-time security situation assessment.

[0148] As an example, the real-time security situation assessment module receives the output from the correlation analysis module and performs a comprehensive evaluation from a higher dimension. It follows a three-tiered situation awareness model: sensing elements, understanding the situation, and predicting the future.

[0149] Level 1 Perception Elements: Fully perceive all security events and abnormal indicators input in the previous stage.

[0150] Level 2 Situational Understanding: By comprehensively considering multiple dimensions such as asset value (e.g., ECU importance), vulnerability (e.g., existing vulnerabilities), and threat probability, a weighted calculation model is used to dynamically calculate the real-time safety level and risk index of the entire vehicle or a specific functional domain (e.g., outputting a score of 0-100 or a "low, medium, high, critical" level).

[0151] Level 3 Trend Prediction: Based on the current situation and historical data, predict the short-term development trend of security risks and provide forward-looking suggestions for proactive defense.

[0152] The real-time security situation assessment module can generate a global security situation view and output three types of structured intelligence: Security Level / Risk Index: A quantified overall security score, serving as a "barometer" of the system's security status.

[0153] Threat alert information: A detailed description of the threat event, including type, target, and severity, used to trigger an immediate response.

[0154] Diagnostic and localization results: Provides in-depth diagnostic information such as affected components and attack paths, providing a basis for troubleshooting and recovery.

[0155] C4: Secure data storage.

[0156] As an example, the secure data storage module employs tamper-proof designs (such as write protection and blockchain notarization) to ensure the integrity and authenticity of stored event logs, system snapshots, and forensic data. This not only meets compliance audit requirements but, more importantly, provides data assets for post-event traceability and continuous training of machine learning models.

[0157] Based on the security protection system provided in the above embodiments, combined with Figure 4b As shown in the embodiments of this application, a complete workflow for the dynamic protection execution layer to process a single security instruction is also provided, enabling fine-grained management from instruction reception, verification, routing to execution, which may include: D1: Command reception and security verification.

[0158] It should be understood that the embodiments of this application need to ensure that only legal and valid instructions can enter the execution phase. As an example, the following steps can be performed: E1: Receive protection instructions.

[0159] The dynamic protection execution layer receives protection commands from the upper layer (policy management and response layer) through a secure communication channel (such as the ARA::COM interface of AUTOSAR AP), ensuring reliable and low-latency command reception and guaranteeing timely delivery of critical commands. These commands typically include: action type (e.g., "isolate application," "restrict communication"), target identifier (e.g., application ID, communication session ID), execution parameters (e.g., new permission level, encryption algorithm), and digital signature and timestamp.

[0160] E2: Instruction security verification.

[0161] As an example, multiple checks can be performed on instructions to prevent spoofing or replay attacks: Authenticity verification: The digital signature of the instruction is verified using an asymmetric encryption algorithm to confirm the trustworthiness of the instruction's origin.

[0162] Timeliness verification: Check the timestamp of the instruction to ensure that the instruction is within the valid time window; expired instructions will be rejected.

[0163] Context compliance verification: Considering the current security status of the system (e.g., whether the vehicle is in a critical condition such as high speed), arbitrate whether the instruction is allowed to be executed at the current moment.

[0164] If any verification fails, the process switches to "log exception and discard," and the instruction is marked as an exception event and logged, which may trigger an alarm, terminating the process. Conversely, if the instruction passes all security checks, the process continues, entering the instruction parsing and task routing phase.

[0165] D2: Instruction parsing and task routing.

[0166] It should be understood that embodiments of this application also require understanding the instruction content and accurately distributing it to the corresponding specialized execution modules. As an example, the following steps can be performed: E3: Parse instructions and parameters.

[0167] The verified instructions are decoded to extract the operable action type, target object, and execution parameters. For example, the instruction might be parsed as "Perform network isolation on application A, with the isolation level being complete blocking".

[0168] E4: Command type routing.

[0169] As a "task distribution hub," the system processes different types of protection commands in parallel based on the parsed action type, routing the commands to the corresponding specialized execution modules. For example, access control commands are sent to the access control execution module; communication security commands are sent to the communication security protection module; application isolation commands are sent to the application sandbox module; and intrusion prevention commands are sent to the intrusion detection and prevention module.

[0170] D3: Parallel execution of protection actions.

[0171] Each specialized module executes specific, differentiated security operations based on instructions. As an example, the following actions can be performed: E5: Each module performs specific actions.

[0172] Access control enforcement module: Calls the AUTOSAR AP's ARA::IAM (Identity and Access Management) interface to dynamically adjust the access permissions of users or applications to system resources (such as specific services, files, and devices).

[0173] Communication security protection module: Dynamically manages communication security policies, such as switching encryption algorithms for specific communication sessions (e.g., upgrading from AES-128 to AES-256), updating session keys, or directly blocking malicious network connections.

[0174] Application Sandbox Module: Utilizes technologies such as containerization to create or adjust isolated runtime environments for applications identified as suspicious or malicious, restricting their ability to access networks, file systems, or other applications to prevent the spread of threats.

[0175] Intrusion Detection and Prevention Module: Implements real-time blocking strategies, such as dropping malicious data packets through kernel-level drivers or sending signals to the operating system to terminate malicious processes.

[0176] D4: Execution Feedback and Dynamic Optimization.

[0177] This step ensures the actions are performed correctly and optimizes itself based on the results, forming a closed loop. As an example, the following steps can be performed: E6: Collect execution feedback.

[0178] Each execution module collects execution feedback immediately after completing its action. The feedback information includes: execution result (success / failure / partial success), actual parameters that took effect (such as the actual rate limit), resource consumption, and timestamp.

[0179] E7: Evaluate the effectiveness of implementation.

[0180] The system analyzes and evaluates the feedback information to determine whether the protective actions have achieved the expected results.

[0181] If execution is successful, the process proceeds to "Update Security Status," indicating that the protection action is essentially complete. If execution fails or partially succeeds, the process proceeds to "Adjust Policy and Retry." The system will automatically adjust execution parameters or select an alternative policy based on the reason for failure (such as the target resource not existing or insufficient permissions), and will perform a limited number of retries to enhance robustness.

[0182] E8: Generate execution report.

[0183] Regardless of success or failure, the system generates a structured execution report, stored locally, for the system to learn from and optimize the execution efficiency or success rate of similar instructions in the future. This report summarizes the complete lifecycle information of this instruction processing, including the instruction content, execution process, final result, and performance evaluation.

[0184] At the same time, the generated execution report will be submitted to the strategy management and response layer as an important basis for strategy optimization and audit tracing.

[0185] In one possible implementation, in order to further explain the entire process of implementing this application, this application embodiment takes "malicious application detection and collaborative protection" in an intelligent connected vehicle infotainment system based on AUTOSAR AP as a typical scenario, and elaborates on the working process of the system and method of the present invention.

[0186] Suppose a new type of malware, "X-Worm," infects the infotainment system (IVI) of a certain model of intelligent connected vehicle by disguising itself as a map update package. This malware attempts to: 1) escalate privileges to obtain root access to the system; 2) scan and attempt to access the vehicle control domain network (such as the chassis CAN); and 3) spread to nearby vehicles of the same model via vehicle-to-vehicle (V2X) communication.

[0187] Phase 1: Real-time vehicle-side perception, local analysis, and event reporting.

[0188] This stage is completed inside the bicycle, demonstrating the system's "sensory nerves" and "conditioned reflexes" capabilities.

[0189] Step 1: Multi-source secure data acquisition and preprocessing.

[0190] Among them, the security situation awareness layer deployed on the AUTOSAR AP operating system begins to work, and its multi-source security data acquisition module collects the following data in real time through the ARA (AUTOSAR Runtime for Adaptive Applications) interface defined by the AP standard: Application behavior data: Through the ARA::EXEC interface, an adaptive application (AA) named "map_update_assist" in the IVI was detected to start abnormally, and its process resource utilization (CPU consistently >80%) far exceeded the baseline.

[0191] System call data: Through operating system hooks, it was captured that the process made more than 50 intensive calls to system calls such as ptrace() and setuid() within a short period of time (within 10 seconds), and attempted to access the / dev / can0 device node.

[0192] Communication data: Through the ARA::COM interface, the process was monitored sending a large number of unconventional SOME / IP service requests to the gateway ECU, with the target service identifier pointing to the chassis domain control service (0x7DF). At the same time, the V2X communication module detected that it was broadcasting an abnormally high frequency Basic Safety Message (BSM) to 224.0.0.1:37020 (V2X port).

[0193] File access data: Recorded as it attempted to read diagnostic logs from the / etc / shadow (system password file) and / var / log / directories.

[0194] Step 2: Security incident correlation analysis and real-time situation assessment.

[0195] The collected heterogeneous data, after preprocessing (timestamp alignment, format standardization), is sent to the security event correlation analysis module. This module performs correlation analysis based on a preset rule base (rule example: "Frequent privilege escalation calls by non-system processes && access control domain devices" => highly suspicious local attack) and a machine learning behavior baseline model (the process's behavior deviates from the normal baseline of "map application" by 92%).

[0196] Conclusion: The three isolated events of "abnormal privilege escalation", "scanning control network", and "abnormal broadcast" are linked together to form a complete attack chain with the characteristics of "privilege escalation - lateral movement - external propagation".

[0197] Situation assessment: The real-time security situation assessment module comprehensively considers asset value (chassis CAN is a security-critical asset), threat probability (complete attack chain), and vulnerability exploitation signs (privilege escalation exists), dynamically calculating the vehicle's real-time information security risk index, which rises sharply from the normal "20" (low risk) to "85" (high risk, threshold >70), and the security level drops to "critical".

[0198] Event Generation: The module generates a structured security event: [Event ID: SEC-2023-001, Type: Malware (Privilege Escalation + Lateral Movement), Target: map_update_assist, Confidence: 88%, Risk Level: Critical]. This event and a snapshot of the original data are stored in the secure data storage module.

[0199] Step 3: Local execution and event reporting.

[0200] Simultaneously with the completion of the evaluation, the system triggers a parallel response: Local Protection: The adaptive response engine (located in the policy management and response layer) immediately generates local protection commands based on the preset "critical" level response policy. The corresponding modules in the dynamic protection execution layer receive and execute these commands. Access control enforcement module: By calling the ARA::IAM (Identity and Access Management) interface, dynamically revoke all unnecessary permissions of the process map_update_assist.

[0201] Application Sandbox Module: Immediately forces the process and its child processes to migrate to a strongly isolated container, restricting their network and file system access.

[0202] Communication security protection module: Dynamically configures the vehicle firewall to block all network connections initiated by this process.

[0203] Security incident reporting: The vehicle-side communication agent will immediately report security incidents containing complete IoC (Intrusion Indicators: process hash, behavior sequence, network characteristics) to the cloud collaborative protection center via an encrypted V2I link (e.g., PC5 interface).

[0204] Phase Two: Dynamic Protection Strategy Decision-Making and Implementation.

[0205] This phase is responsible for overall management and adaptive response.

[0206] Step 4: Strategy Management and Dynamic Adjustment.

[0207] Policy Reception and Arbitration: The security policy management module of the policy management and response layer continuously receives two types of policies: 1) pre-set local security policy library (such as "isolate upon detection of privilege escalation"); 2) dynamically updated policies issued by the cloud policy optimization and distribution center (such as a specific containment policy for "X-Worm"). When a cloud-based collaborative command is issued, this module is responsible for policy arbitration to ensure that emergency collaborative commands issued by the cloud have higher priority than local regular policies.

[0208] Adaptive Response Engine: The adaptive response engine is activated when a local event is triggered (such as when an anomaly is detected on the vehicle) or when an external command is received. It does not simply execute fixed actions, but rather selects and combines the optimal response actions from a policy library based on the risk level and confidence level output by the real-time safety situation assessment module, as well as the current vehicle operating status (such as whether it is in autonomous driving mode). For example, for high-risk events, it may combine "process isolation + network blocking + security scanning"; for medium-risk events, it may only execute "network rate limiting + increased monitoring level".

[0209] Step 5: Security Update and Evidence Audit.

[0210] Security Update Management: When the cloud-based collaborative protection center's policy optimization and distribution center generates new detection models or protection rules, they are distributed via a secure OTA channel. The vehicle-side security update management module is responsible for receiving, verifying signatures, and securely activating these updates, ensuring the continuous evolution of vehicle-side protection capabilities. For example, in this scenario, if the cloud distributes an update rule package targeting "X-Worm" behavioral characteristics, this module is responsible for making it effective.

[0211] Evidence Collection and Auditing: Throughout the entire process, the evidence collection and auditing module records end-to-end logs in a tamper-proof manner, from detection, assessment, decision-making to execution. These logs are not only used for post-incident tracing but also provide training data for the security incident correlation analysis module and can be optionally uploaded to the cloud for macro-level analysis.

[0212] Phase Three: Core Work and System Evolution of the Cloud-Based Collaborative Protection Center

[0213] This phase is completed in the cloud, enabling "intelligent optimization" of the system, which is key to the system's "foresight" and "holistic" capabilities.

[0214] Step Six: Global Threat Intelligence Analysis and Source Tracing.

[0215] The vehicle-mounted device uploads the complete (anonymized) data packet of this incident to the cloud-based collaborative protection center. The threat intelligence analysis center then begins its work. Big Data Correlation Analysis: This feature aggregates similar event data from vehicles across the entire network and different regions, conducting cross-regional and cross-vehicle model correlation analysis. It may discover that the "X-Worm" attack not only occurred in location A, but also sporadically in location B, and that the attack targeted a specific version of the in-vehicle infotainment system software.

[0216] In-depth investigation and attribution: Based on sandbox dynamic behavior analysis, it was confirmed that "X-Worm" exploited a zero-day vulnerability (CVE-2023-XXXXX) in a third-party media library within the IVI system to escalate privileges. The Incident Response Coordination Center can then initiate a broader incident response based on this information, such as notifying component vendors.

[0217] Generate global threat intelligence: Extract complete attack chains (vulnerability exploitation -> privilege escalation -> lateral movement -> propagation) and precise IoCs (vulnerability signatures, file hashes, network behavior characteristics) to form machine-readable threat intelligence.

[0218] Step 7: Security model training and policy optimization.

[0219] Model Training: The Security Model Training Center utilized the entire chain of data from this incident and employed privacy-preserving computation techniques such as federated learning to retrain the detection models for both vehicle-side and edge computing without aggregating the original data. The new model significantly improved the recall rate and reduced the false positive rate for composite attack patterns such as "immediate network scanning after privilege escalation."

[0220] Strategy Optimization: The Strategy Optimization and Distribution Center receives the analysis results and the trained new model. It performs strategy simulation and deduction, generating two new strategies: 1) Emergency Containment Strategy: Commands all affected vehicle models to immediately and temporarily disable the vulnerable media library component through a security update. 2) Cooperative Detection Enhancement Strategy: Adds a rule to the edge cooperative decision rule base that "if a vehicle is detected making abnormal broadcasts using a specific port, a cooperative isolation check must be initiated immediately," and optimizes the algorithm parameters for cooperative decision-making.

[0221] Step 8: Strategy, Model Distribution, and Collaborative Response.

[0222] Global distribution: The updated threat intelligence (IoC), detection models, and collaborative strategies are packaged into a security update package and distributed to the security update management modules of all relevant vehicles worldwide through a secure OTA channel by the policy optimization and distribution center.

[0223] Capability Decentralization: Vehicles and edge nodes silently complete updates. Subsequently, the local model on the vehicle can identify such threats earlier; when making regional collaborative decisions, edge nodes can invoke more accurate models and better strategies, reducing the collaborative response time for similar future events from "minutes" to "seconds".

[0224] Coordinated Response: Throughout the process, the emergency response coordination center can assess the threat level and coordinate large-scale, differentiated protective actions with vehicles of different types and in different regions to achieve coordinated defense of "one point detection, network-wide immunity".

[0225] It should be understood that the security protection process provided in the embodiments of this application may include at least one of the following beneficial effects: 1. Dynamic Adaptability: Based on real-time security situation, the protection strategy is dynamically adjusted to effectively deal with new and variant attacks; 2. Deep integration: Deeply integrated with the AUTOSAR AP architecture, utilizing standard interfaces and communication mechanisms to achieve transparent security protection; 3. Intelligent Response: Employs machine learning technology to achieve intelligent threat detection and adaptive response, reducing false alarm and false negative rates; 4. Collaborative Protection: Enables collaboration between vehicle-side protection and cloud-based threat intelligence to enhance overall protection capabilities; 5. Compliance and Certification: Provides complete security audit and evidence collection capabilities to meet functional safety and information security standards.

[0226] Based on the security protection method provided in the above embodiments, see [link / reference]. Figure 5 This application also provides a schematic diagram of the structure of a safety protection device.

[0227] Combination Figure 5 As shown, the safety protection device 50 provided in this embodiment includes: Acquisition unit 51 is used to acquire the data to be processed corresponding to the target vehicle; Anomaly identification unit 52 is used to identify abnormal behavior in the data to be processed based on a preset security rule base and a pre-trained anomaly identification model, and obtain security identification results; the security identification results include at least one of risk score, anomaly type, anomaly component, attack path or confidence level; The safety protection unit 53 is used to perform local safety protection on the target vehicle according to the local protection strategy if the safety identification result is characterized as the first abnormal level. The security protection unit 53 is also used to obtain the collaborative protection strategy sent by the cloud platform corresponding to the target vehicle if the security identification result is characterized as the second abnormal level, and to carry out collaborative security protection with other vehicles according to the collaborative protection strategy; wherein, the collaborative protection strategy is obtained based on the key data sent to the cloud platform, and the key data is obtained based on the data to be processed.

[0228] In one possible implementation, the anomaly detection unit 52 is used for: Based on a preset security rule base, anomaly matching is performed on the data to be processed to obtain the first anomaly result; A pre-trained anomaly detection model is used to identify anomalies in the data to be processed, resulting in a second anomaly. The first and second abnormal results are analyzed and processed together to obtain the security identification results.

[0229] In one possible implementation, a scoring acquisition unit is also included for acquiring a risk score: Obtain historical security identification results; The risk index of the target vehicle at the current moment is determined based on historical safety identification results; The risk score is determined based on the risk index, the first abnormal result, and the second result.

[0230] In one possible implementation, the security protection unit 53 is used for: Perform at least one of the following safety protection actions: Access permissions for abnormal applications identified in the security identification results are restricted through the identity and access management interface. Alternatively, the encryption algorithm configured for the target communication channel represented in the security identification result can be updated to a specific encryption algorithm; Alternatively, the anomalous applications or behaviors identified in the security identification results can be isolated and run in the target environment.

[0231] In one possible implementation, the security protection unit 53 is used for: By having the target vehicle and other vehicles jointly respond to the coordinated protection command, the abnormal process represented in the security identification results is isolated.

[0232] In one possible implementation, the data to be processed includes at least one of the following: application execution state, inter-process communication, network traffic, system calls, or file access.

[0233] It should be noted that the security protection device provided in this application embodiment has the same beneficial effects as the security protection method provided in the above embodiments, and therefore will not be described again.

[0234] In one possible implementation, see Figure 6 The figure is a schematic diagram of a control device provided in an embodiment of this application.

[0235] The control device may include a memory 611 and a processor 612. For example... Figure 6 As shown, the memory can be random access memory (RAM), flash memory, read-only memory (ROM), EPROM, non-volatile read-only memory (Electronic Programmable ROM), registers, hard disks, removable disks, etc.

[0236] The memory 611 can store computer instructions. When the computer instructions stored in the memory 611 are executed by the processor 612, the processor 612 can be used to perform security protection methods. The memory 611 can also store data.

[0237] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. A computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the flow or function according to the embodiments of this application is generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape) or a semiconductor medium (e.g., solid-state disk (SSD)).

[0238] This application also provides a readable storage medium for storing the methods provided in the above embodiments. Examples include random access memory (RAM), flash memory, read-only memory (ROM), EPROM, non-volatile read-only memory (EPROM), registers, hard disks, removable disks, or any other form of storage medium in the art.

[0239] In the embodiments of this application, the terms "first" and "second" (if they exist) are used only as name identifiers and do not represent the order of first and second.

[0240] It should be noted that the various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. Regarding the methods disclosed in the embodiments, since they correspond to the product embodiments disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the description of the product embodiments.

[0241] The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. A security protection method, characterized in that, The method includes: Obtain the data to be processed corresponding to the target vehicle; Based on a preset security rule base and a pre-trained anomaly detection model, the data to be processed is subjected to anomaly behavior identification to obtain a security identification result; the security identification result includes at least one of risk score, anomaly type, anomaly component, attack path or confidence level; If the security identification result is characterized as the first anomaly level, then local security protection is performed on the target vehicle according to the local protection strategy; If the security identification result is characterized as the second abnormal level, then the collaborative protection strategy sent by the cloud platform corresponding to the target vehicle is obtained, and collaborative security protection is performed with other vehicles according to the collaborative protection strategy; wherein, the collaborative protection strategy is obtained based on key data sent to the cloud platform, and the key data is obtained based on the data to be processed.

2. The security protection method according to claim 1, characterized in that, The method, based on a preset security rule base and a pre-trained anomaly detection model, identifies abnormal behavior in the data to be processed to obtain security identification results, including: Based on the preset security rule base, anomaly matching is performed on the data to be processed to obtain a first anomaly result; Based on the pre-trained anomaly detection model, anomalies are detected in the data to be processed to obtain a second anomaly result; The security identification result is obtained by comprehensively analyzing and processing the first and second abnormal results.

3. The security protection method according to claim 2, characterized in that, This also includes obtaining the risk score through the following methods: Obtain historical security identification results; The risk index of the target vehicle at the current moment is determined based on the historical safety identification results; The risk score is determined based on the risk index, the first abnormal result, and the second result.

4. The security protection method according to claim 1, characterized in that, The step of providing local security protection for the target vehicle according to a local protection strategy includes: Perform at least one of the following safety protection actions: Access permissions for abnormal applications identified in the security identification results are restricted through the identity and access management interface. Alternatively, the encryption algorithm configured for the target communication channel represented in the security identification result may be updated to a specific encryption algorithm; Alternatively, the anomalous applications or behaviors characterized in the security identification results can be isolated and run in the target environment.

5. The security protection method according to claim 1, characterized in that, The provision of collaborative safety protection with other vehicles based on the collaborative protection strategy includes: By having the target vehicle and the other vehicles jointly respond to the coordinated protection command, the abnormal process represented in the security identification result is isolated.

6. The security protection method according to any one of claims 1-5, characterized in that, The data to be processed includes at least one of the following: application execution status, inter-process communication, network traffic, system calls, or file access.

7. A safety protection device, characterized in that, The device includes: The acquisition unit is used to acquire the data to be processed corresponding to the target vehicle. An anomaly identification unit is used to identify abnormal behavior in the data to be processed based on a preset security rule base and a pre-trained anomaly identification model, and obtain a security identification result; the security identification result includes at least one of risk score, anomaly type, anomaly component, attack path or confidence level; A security protection unit is used to perform local security protection on the target vehicle according to a local protection strategy if the security identification result is characterized as a first abnormal level. The security protection unit is further configured to, if the security identification result is characterized as a second abnormal level, obtain the collaborative protection strategy sent by the cloud platform corresponding to the target vehicle, and perform collaborative security protection with other vehicles according to the collaborative protection strategy; wherein, the collaborative protection strategy is obtained based on key data sent to the cloud platform, and the key data is obtained based on the data to be processed.

8. A control device, characterized in that, It includes a processor and a memory, the memory being used to store programs, instructions, or code, and the processor being used to execute the programs, instructions, or code in the memory to perform the security protection method as described in any one of claims 1-6.

9. A computer-readable storage medium, characterized in that, The device contains a computer program that is loaded by a processor to execute the security protection method as described in any one of claims 1-6.

10. A vehicle, characterized in that, The vehicle includes a controller that stores programs, instructions, or code, and the controller is used to execute the programs, instructions, or code in the controller to perform the safety protection method as described in any one of claims 1-6.