In general, since an in-vehicle network is operated independent of an external network, there is no equipment for protecting in-vehicle network information.
Recently, since the in-vehicle network may be connected to external networks, such as a wireless communication network (3G/4G), Bluetooth, and the like and connected to a vehicle diagnosis device, it is likely that an in-vehicle network is negatively affected. That is, when a malicious attacker of external networks disturbs an internal network, a serious problem occurs in a vehicle operation, which may threaten safety of passengers.
Meanwhile, characteristics (packet size, delay time, occurrence frequency, and the like) of Internet packets having the same IP address are changed over time and the packets also have irregular and random characteristics. Therefore, a technology of detecting a network attack generally determines whether an attack occurs based on the number of received packets per unit time.
On the other hand, traffics generated in the in-vehicle network have different packet generation frequencies for each ID, but the traffics for each ID are relatively regularly generated. In this case, when two packets are generated simultaneously, a transmission sequence is determined based on priority.
Therefore, when packets having an ID are generated at high speed, an attack of injecting packets having a higher priority than that of the ID into a network with a frequency similar to the generation frequency of packets having the ID may not be detected only by an analysis based on the number of received packets per unit time.
That is, since IDs for attack having a higher priority are injected into a network instead of a normal ID having a lower priority, an attack may not be detected merely by a method of counting the number of packets.
Therefore, a need exists for a traffic analysis method suitable for vehicle traffics, that is different from a method used for Internet intrusion detection.