JP2019125867A - Monitoring device, monitoring system and monitoring method - Google Patents

Abstract

To provide an in-vehicle network monitoring device capable of reducing the amount of communication and/or the capacity of a storage device.SOLUTION: A monitoring device 100 mounted on a vehicle 20 includes a first communication unit 110 that acquires communication data on an in-vehicle network, a second communication unit 120 that communicates with a server via a network different from the in-vehicle network, a storage unit 130 that stores a log of communication data, and a control unit 150 that controls the first communication unit 110, the second communication unit 120, and the storage unit 130, and the control unit 150 includes an abnormality determination unit 151 that determines an abnormality level of communication data from among a plurality of abnormality levels including abnormality, normality, and undeterminability on the basis of a predetermined determination rule, and the control unit 150 changes at least one of a method of transmitting the communication data log to the server 30 and a method of storing the communication data log according to the determined abnormal level of the communication data.SELECTED DRAWING: Figure 1

Description

  The present disclosure relates to a technique for monitoring a vehicle tampering operation by transmitting an unauthorized control command to an in-vehicle network.

  Patent Document 1 discloses a vehicle safety system including a cyberwatch man installed in each of a plurality of vehicles and a cyber hub installed outside the vehicle. The cyberwatch man is connected to the in-vehicle communication network and acquires communication traffic data on the in-vehicle communication network. Also, the cyber hub receives communication traffic data acquired by the cyberwatch man from the cyberwatch man via a communication network (for example, the Internet). Thus, the cyber hub can aggregate communication traffic data from a plurality of vehicles, and can obtain high-order information on vehicle cyber attacks.

JP, 2015-136107, A

  However, in the above-mentioned prior art, since the cyber hub needs to receive data from the cyber watch man of a plurality of vehicles, the amount of communication data may become huge. In addition, since the cyberwatch man of each vehicle needs to constantly acquire communication traffic data in order to monitor the in-vehicle communication network, the capacity of the storage device for storing data may be enormous.

  Thus, the present disclosure provides a monitoring device, a monitoring system, and a monitoring method that can reduce the amount of communication and / or the capacity of a storage device in monitoring of a vehicle-mounted network.

  A monitoring device according to an aspect of the present invention is a monitoring device mounted on a vehicle and monitoring an in-vehicle network, the first communication unit acquiring communication data on the in-vehicle network, and a network different from the in-vehicle network A second communication unit that communicates with the server via the communication unit, a first storage unit for storing a log of the communication data, and a first communication unit that controls the first communication unit, the second communication unit, and the first storage unit A first control unit, wherein the first control unit determines an abnormality level of the communication data from among a plurality of abnormality levels including abnormality, normality, and undeterminability based on a predetermined determination rule; A determination unit, the first control unit transmitting a log of the communication data to the server according to the determined abnormal level of the communication data, and a storage method of the communication data log To change at least one of the out.

  Note that these general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a recording medium such as a computer readable CD-ROM, a system, a method, an integrated circuit, a computer program And any combination of recording media.

  A monitoring device and the like according to an aspect of the present invention can reduce the amount of communication and / or the capacity of a storage device in monitoring an in-vehicle network.

Block diagram showing the functional configuration of the monitoring system according to the first embodiment A diagram showing an example of a full log in the first embodiment Sequence diagram of monitoring system according to the first embodiment Flow chart showing the first operation of the monitoring apparatus according to the first embodiment The figure which shows the position of the accelerator quantity in the CAN message in the form 1 of execution A diagram showing an example of the first feature amount in the first embodiment A diagram showing an example of a second feature amount according to the first embodiment A diagram showing an example of the third feature amount in the first embodiment A diagram showing an example of a combination of a plurality of feature quantities according to the first embodiment A conceptual diagram showing an example of abnormal level determination using one feature amount according to the first embodiment A conceptual diagram showing another example of abnormal level determination using one feature amount in Embodiment 1. A conceptual diagram showing an example of abnormal level determination using two feature amounts according to the first embodiment A conceptual diagram showing another example of abnormal level determination using two feature amounts in Embodiment 1. Flow chart showing the second operation of the monitoring device according to the first embodiment Flow chart showing the operation of the server according to the first embodiment A conceptual diagram showing an example of abnormal level determination using a learning model according to Embodiment 1. Block diagram showing a functional configuration of a monitoring system according to Embodiment 2 The figure which shows an example of the monitoring data in Embodiment 2 The figure which shows an example of the weight data in Embodiment 2. The figure which shows an example of the weight data in Embodiment 2. Flow chart showing the first operation of the monitoring apparatus according to the second embodiment Flow chart showing the second operation of the monitoring apparatus according to the second embodiment The figure which shows an example of the weight data in the modification of Embodiment 2. The figure which shows an example of the threshold value data in the modification of Embodiment 2.

(Summary of this disclosure)
A monitoring device according to an aspect of the present disclosure is a monitoring device that is mounted on a vehicle and monitors an in-vehicle network, and a network different from the first communication unit that acquires communication data on the in-vehicle network and the in-vehicle network. A second communication unit that communicates with the server via the communication unit, a first storage unit for storing a log of the communication data, and a first communication unit that controls the first communication unit, the second communication unit, and the first storage unit A first control unit, wherein the first control unit determines an abnormality level of the communication data from among a plurality of abnormality levels including abnormality, normality, and undeterminability based on a predetermined determination rule; A determination unit, the first control unit transmitting a log of the communication data to the server according to the determined abnormal level of the communication data, and a storage method of the communication data log To change at least one of the out.

  According to this, with the monitoring device mounted on the vehicle, it is possible to determine the abnormal level of the communication data from among a plurality of abnormal levels including abnormal, normal, and undeterminable. Therefore, in the case where the monitoring device can not accurately determine whether the abnormality is normal or not, it is not necessary to determine either the abnormality or the normal. Therefore, it is possible to reduce the determination of the wrong abnormality level in the monitoring device. It is possible to improve the determination accuracy of the abnormal level. Further, according to the determined abnormal level of the communication data, at least one of the method of transmitting the communication data log to the server and the method of storing the communication data log can be changed. It is also possible to reduce the capacity of the storage device.

  Also, for example, in the monitoring device according to an aspect of the present disclosure, the first determination unit extracts a feature amount from the communication data, and determines an abnormal level of the communication data using the extracted feature amount. It is also good.

  According to this, the abnormal level of the communication data can be determined using the feature amount. Therefore, the determination accuracy of the abnormal level can be improved by using an appropriate feature amount.

  For example, in the monitoring device according to one aspect of the present disclosure, the first communication unit acquires a plurality of communication data including the communication data, and the first determination unit determines in advance among the plurality of communication data. A value included in one or more pieces of communication data having the identified identifier may be extracted as a first feature amount included in the feature amount. For example, in the monitoring device according to one aspect of the present disclosure, the first communication unit acquires a plurality of communication data including the communication data, and the first determination unit determines in advance among the plurality of communication data. The variation amount of the value included in the two or more communication data having the identified identifier may be extracted as a second feature amount included in the feature amount. For example, in the monitoring device according to one aspect of the present disclosure, the first communication unit acquires a plurality of communication data including the communication data, and the first determination unit determines in advance among the plurality of communication data. A difference time between transmission times of two or more pieces of communication data having the identified identifier may be extracted as a third feature amount included in the feature amount.

  According to this, various feature quantities can be used for the determination of the abnormal level, and the determination accuracy of the abnormal level can be improved.

  For example, in the monitoring device according to an aspect of the present disclosure, the first control unit further includes a first communication control unit that controls the second communication unit, and the first communication control unit is configured to transmit the communication data. Sending a log of the communication data to the server if the abnormal level is determined to be abnormal, and sending the log of the communication data to the server if the abnormal level of the communication data is determined to be normal Instead, when it is determined that the abnormal level of the communication data can not be determined, (i) the feature amount of the communication data is transmitted to the server, and (ii) the abnormal level of the communication data is black from the server A log of the communication data may be transmitted to the server when a determination result indicating that the communication data is received is received.

  According to this, when it is determined that the abnormal level of the communication data can not be determined, the feature amount of the communication data can be transmitted to the server. Thereafter, when a determination result indicating that the abnormal level of the communication data is abnormal is received from the server, the log of the communication data can be transmitted to the server. Therefore, a log of communication data that can not be determined by the monitoring device can be transmitted as needed based on the determination result of the server, and the amount of communication can be reduced.

  For example, in the monitoring device according to an aspect of the present disclosure, the monitoring device further includes a second storage unit for temporarily storing a log of the communication data, and the first control unit further includes: A storage control unit configured to control the first storage unit and the second storage unit; the storage control unit is configured to determine the log of the communication data when the abnormality level of the communication data is determined to be abnormal; When it is determined that the abnormal level of the communication data can not be determined, (i) a log of the communication data is stored in the second storage unit, and (ii-1) the communication from the server When the determination result indicating that the abnormal level of the data is abnormal is received, the log of the communication data stored in the second storage unit is moved to the first storage unit, and (ii-2) the server The abnormal level of the communication data is normal Upon receiving the determination result indicating Rukoto may delete the log of the communication data.

  According to this, when it is determined that the abnormal level of the communication data can not be determined, the communication data log is temporarily stored in the second storage unit, and the server indicates that the abnormal level of the communication data is abnormal. When the determination result is received, the log of the communication data stored in the second storage unit can be moved to the first storage unit. Therefore, a log of communication data that can not be determined by the monitoring device can be stored in the first storage unit as needed based on the determination result of the server, and the capacity of the storage device can be reduced.

  Also, for example, in the monitoring device according to one aspect of the present disclosure, the first communication unit acquires a plurality of communication data including the communication data, and the first storage unit determines the plurality of communication data. Classified according to the abnormal level and stored as monitoring data, and the first control unit further includes a first communication control unit for controlling the second communication unit, the first communication control unit further including the first storage The data amount of the monitoring data stored in the unit may be acquired for each abnormal level, and the monitoring data may be transmitted to the server according to the data amount for each abnormal level.

  According to this, it is possible to transmit monitoring data to the server according to the amount of data for each abnormal level. Therefore, the transmission frequency of monitoring data can be controlled, and the amount of communication can be reduced.

  Also, for example, in the monitoring device according to one aspect of the present disclosure, the first communication control unit weights the amount of data for each of the abnormality levels using a first weight value corresponding to the abnormality level, and The monitoring data may be sent to the server if, for each level, the weighted amount of data is greater than a predetermined threshold.

  According to this, it is possible to weight the data amount using the first weight value corresponding to the abnormal level. Therefore, the transmission frequency of the monitoring data can be controlled according to the abnormal level, and the monitoring data can be transmitted according to the degree of importance of the monitoring.

  Also, for example, in the monitoring device according to an aspect of the present disclosure, the first control unit further includes a driving state estimation unit that estimates a driving state of the vehicle, and the first communication control unit In the weighting, in addition to the first weight value, a second weight value corresponding to the estimated driving condition may be used.

  According to this, in addition to the first weight value, the second weight value corresponding to the estimated driving condition can be used to weight the data amount. Therefore, the transmission frequency of the monitoring data can be controlled according to the driving state of the vehicle, and the monitoring data can be transmitted according to the degree of importance of the monitoring.

  A monitoring system according to an aspect of the present disclosure is a monitoring system that monitors an in-vehicle network, and includes the monitoring device and a server that can communicate with the monitoring device.

  According to this, the same effect as that of the monitoring device can be obtained.

  Also, for example, in the monitoring system according to an aspect of the present disclosure, the first control unit further includes a first communication control unit that controls the second communication unit, and the first communication control unit further includes the communication data. Sending a log of the communication data to the server if the abnormal level is determined to be abnormal, and sending the log of the communication data to the server if the abnormal level of the communication data is determined to be normal Instead, when it is determined that the abnormal level of the communication data can not be determined, (i) the feature amount of the communication data is transmitted to the server, and (ii) the abnormal level of the communication data is black from the server A log of the communication data is transmitted to the server when the determination result indicating that is received, and the server communicates with the monitoring device via the network from the third communication unit; and the monitoring device A third storage unit for storing a log of the received communication data, and a second control unit for controlling the third communication unit, wherein the second control unit determines that the abnormality level is not determined. When the third communication unit receives the feature amount of data from the monitoring device, it is determined whether the abnormal level of the communication data is abnormal or normal using the received feature amount of the communication data Transmitting a determination result by the second determination unit and the second determination unit to the monitoring device, and receiving the log of the communication data from the monitoring device when the abnormality level of the communication data is determined to be abnormal A second communication control unit, the third storage unit further stores a learning model for determining an abnormal level of communication data, and the second determination unit uses the learning model; Abnormality of the communication data Le may determine which one of the abnormal and normal.

  According to this, since the server only needs to determine whether the abnormal level of the communication data for which the abnormal level is determined to be undeterminable by the monitoring device is abnormal or normal, the load of the determination of the abnormal level on the server Can be reduced. Further, the server can determine the abnormal level of the communication data using the learning model, and can determine the abnormal level with higher accuracy.

  Also, for example, in the monitoring system according to an aspect of the present disclosure, the first communication control unit of the monitoring device is configured to set the feature amount of the communication data to the server when the abnormal level of the communication data is determined to be normal. When the third communication unit receives the feature of the communication data whose abnormality level is determined to be normal from the monitoring apparatus, the second control unit of the server transmits A model updating unit may be provided that updates the learning model using as labeled training data.

  According to this, the server can update the learning model using the feature amount of the communication data determined to be normal. Therefore, it is possible to construct a learning model having higher determination accuracy, and to flexibly cope with environmental changes.

  Note that these general or specific aspects may be realized by a method, an integrated circuit, a computer program, or a recording medium such as a computer readable CD-ROM, and the method, the integrated circuit, the computer program, and the recording medium It may be realized in any combination.

  Embodiments will be specifically described below with reference to the drawings.

  The embodiments described below are all inclusive or specific examples. Numerical values, shapes, materials, components, arrangement positions and connection forms of components, steps, order of steps, and the like shown in the following embodiments are merely examples, and are not intended to limit the scope of the claims. Further, among the components in the following embodiments, components not described in the independent claim indicating the highest concept are described as arbitrary components. Moreover, each figure is not necessarily illustrated exactly. In the drawings, substantially the same components are denoted by the same reference numerals, and redundant description will be omitted or simplified.

Embodiment 1
[Configuration of monitoring system]
First, the configuration of the monitoring system according to the first embodiment will be specifically described with reference to FIG. FIG. 1 is a block diagram showing a functional configuration of a monitoring system 10 according to the first embodiment.

  The monitoring system 10 monitors the in-vehicle network. The monitoring system 10 includes a monitoring device 100 mounted on a vehicle 20, and a server 30 capable of communicating with the monitoring device 100. The vehicle 20 is, for example, a car, and its motor and fuel are not particularly limited.

[Configuration of monitoring device]
The monitoring device 100 is mounted on the vehicle 20 and monitors an in-vehicle network. In the present embodiment, the in-vehicle network is a communication network built in the vehicle 20 based on CAN (Controller Area Network). In the in-vehicle network, a plurality of ECUs (Electronic Control Units) 21 are connected via a plurality of CAN buses 22, and the monitoring device 100 is connected to the plurality of CAN buses 22. The in-vehicle network does not have to be limited to CAN, and may be, for example, a communication network based on Ethernet (registered trademark).

  As shown in FIG. 1, the monitoring device 100 includes a first communication unit 110, a second communication unit 120, a storage unit 130, a temporary storage unit 140, and a control unit 150. Hereinafter, each component of the monitoring apparatus 100 will be described.

[First communication unit]
The first communication unit 110 temporally acquires CAN messages flowing on the plurality of CAN buses 22. The CAN message is an example of communication data, and is a control command based on CAN. That is, the first communication unit 110 acquires a plurality of communication data on the in-vehicle network. The CAN message acquired by the first communication unit 110 is stored in a buffer memory (not shown).

[Second communication unit]
The second communication unit 120 communicates with the server 30 via a network (for example, a mobile communication network, the Internet, etc.) different from the in-vehicle network. The second communication unit 120 is implemented, for example, as a telematics communication unit (TCU) or in-vehicle infotainment (IVI).

[Storage unit]
The storage unit 130 is an example of a first storage unit, and stores the full log 131 and the determination rule 132. The storage unit 130 is mounted using, for example, one or more semiconductor memories and / or one or more hard disk drives.

  The full log means a log of communication data, and here is a list data of CAN messages with a time stamp. The full log 131 stored in the storage unit 130 includes a CAN message determined to be abnormal. The full log 131 may be compressed or encrypted.

  FIG. 2 shows an example of the full log 131 according to the first embodiment. In the full log 131 of FIG. 2, a time stamp is added in seconds to a CAN message including the CAN ID and the payload. CAN ID is an identifier that identifies a message in CAN. The payload is a data body of a CAN message, and includes a value indicating a control amount (for example, an accelerator amount) for operation control.

  The determination rule 132 is a rule defined in advance for determining the abnormal level of the CAN message. The determination rule 132 is defined by, for example, a threshold of the feature amount. Also, the determination rule 132 may be defined by, for example, a function of the feature amount. The determination rule 132 will be described later with reference to the drawings.

[Temporary storage unit]
The temporary storage unit 140 is an example of a second storage unit, and temporarily stores the full log 141. The full log 141 stored in the temporary storage unit 140 includes a CAN message determined to be either normal or abnormal. The temporary storage unit 140 is mounted using, for example, one or more semiconductor memories and / or one or more hard disk drives. Further, the storage unit 130 and the temporary storage unit 140 are not necessarily implemented as physically separate storage media. For example, it may be realized as two areas logically separated on the same storage medium physically.

[Control unit]
The control unit 150 is an example of a first control unit, and controls the first communication unit 110, the second communication unit 120, the storage unit 130, and the temporary storage unit 140. The control unit 150 changes at least one of the method of transmitting the full log to the server 30 and the method of storing the full log according to the abnormal level of the CAN message.

  The full log transmission method includes, for example, designation of whether or not to transmit the full log. Further, for example, the full log transmission method may include designation of timing for transmitting the full log. Also, for example, the full log transmission method may include designation of a procedure for transmitting the full log.

  The full log storage method includes, for example, designation of whether or not the full log is stored. Also, for example, the full log storage method may include a procedure for storing the full log in the storage unit 130.

  As shown in FIG. 1, the control unit 150 includes an abnormality determination unit 151, a communication control unit 152, and a storage control unit 153. The control unit 150 may be implemented in software using one or more general-purpose processors and memories, or may be implemented in hardware using one or more dedicated integrated circuits.

  The abnormality determination unit 151 is an example of a first determination unit, and based on the determination rule 132, the abnormality determination unit 151 can output a CAN message from among a plurality of abnormality levels including black indicating abnormality, white indicating normality, and gray indicating non-determinability. Determine the abnormal level. Specifically, the abnormality determination unit 151 extracts the feature amount from the CAN message, and determines the abnormality level of the CAN message using the extracted feature amount. Details of the feature amount will be described later with reference to the drawings.

  The communication control unit 152 is an example of a first communication control unit, and controls the second communication unit 120. The communication control unit 152 transmits the full log to the server 30 according to the transmission method that is changed according to the determined abnormality level.

  Specifically, the communication control unit 152 transmits a full log to the server 30 when it is determined that the abnormal level of the CAN message is black. On the other hand, when the abnormal level of the CAN message is determined to be white, the communication control unit 152 does not transmit the full log to the server 30, but transmits the feature amount of the CAN message to the server 30.

  In addition, when it is determined that the abnormal level of the CAN message is gray, the communication control unit 152 first transmits the feature amount of the CAN message to the server 30. Then, when the determination result indicating that the abnormal level of the CAN message is black is received from the server 30, the communication control unit 152 transmits a full log to the server 30. On the other hand, when a determination result indicating that the abnormal level of the CAN message is white is received from the server 30, the communication control unit 152 does not transmit the full log to the server 30.

  The storage control unit 153 controls the storage unit 130 and the temporary storage unit 140. The storage control unit 153 stores the full log in the storage unit 130 or the temporary storage unit 140 according to the storage method that is changed according to the determined abnormal level.

  Specifically, the storage control unit 153 stores the full log 131 in the storage unit 130 when it is determined that the abnormal level of the CAN message is black. In addition, when the abnormal level of the CAN message is determined to be gray, the storage control unit 153 first stores the full log 141 in the temporary storage unit 140. Then, when the determination result indicating that the abnormal level of the CAN message is black is received from the server 30, the storage control unit 153 moves the full log 141 stored in the temporary storage unit 140 to the storage unit 130. On the other hand, when the determination result indicating that the abnormal level of the CAN message is white is received from the server 30, the storage control unit 153 deletes the full log 141 stored in the temporary storage unit 140. In the deletion of the full log 141, the management information of the full log 141 may only be deleted from the management area, or in addition to the deletion of the management information, the full log 141 itself may be deleted from the actual data area.

[Server configuration]
Next, the configuration of the server 30 will be described. The server 30 is installed outside the vehicle 20 and communicates with the monitoring device 100 via a network different from the in-vehicle network. As shown in FIG. 1, the server 30 includes a communication unit 31, a storage unit 32, and a control unit 33.

  The communication unit 31 is an example of a third communication unit, and communicates with the monitoring device 100 mounted on the vehicle 20.

  The storage unit 32 is an example of a third storage unit, and stores a learning model 322 for determining an abnormal level of the CAN message. Furthermore, the storage unit 32 stores the full log 321 received from the monitoring device 100. The storage unit 32 is mounted using, for example, one or more semiconductor memories and / or one or more hard disk drives.

  The learning model 322 is a mathematical model for determining whether the CAN message is abnormal (black) or normal (white) from the feature quantities of the CAN message. The learning model 322 is not particularly limited. For example, a learning model used in an abnormality detection method such as a local outlier factor (LOF) or a support vector machine (SVM) is used.

  The control unit 33 is an example of a second control unit, and controls the communication unit 31 and the storage unit 32. The control unit 33 may be implemented in software using one or more general-purpose processors and memories, or may be implemented in hardware using one or more dedicated integrated circuits. As shown in FIG. 1, the control unit 33 includes an abnormality determination unit 331, a communication control unit 332, and a model update unit 333.

  The abnormality determination unit 331 is an example of a second determination unit, and when the communication unit 31 receives, from the monitoring apparatus 100, the feature amount of the CAN message of which the abnormality level is determined to be gray in the monitoring apparatus 100, the received CAN. Using the feature amount of the message and the learning model 322 stored in the storage unit 32, it is determined whether the abnormal level of the CAN message is black or white. The method of determining the abnormality level is not particularly limited, but, for example, an abnormality determination method used in an abnormality detection method such as the aforementioned LOF or SVM is used.

  The communication control unit 332 is an example of a second communication control unit, and transmits the determination result of the abnormal level in the server 30 to the monitoring device 100. Furthermore, the communication control unit 332 receives a full log from the monitoring device 100 when it is determined that the abnormal level of the CAN message is black.

[Operation of monitoring system]
Next, the operation of the monitoring system 10 configured as described above will be specifically described with reference to FIG. FIG. 3 is a sequence diagram of the monitoring system 10 according to the first embodiment. In the following description and figures, the colors (white, black and gray) in parentheses after the data indicate the determination results of the abnormal level. For example, (black) indicates that the monitoring apparatus 100 or the server 30 has determined that the color is black. Also, (gray-> black) indicates that the server 30 has been determined to be black after being determined to be gray by the monitoring device 100.

  First, in the monitoring apparatus 100, the abnormality determination unit 151 determines the abnormal level of the CAN message (S102). Then, the communication control unit 152 of the monitoring apparatus 100 changes the full log transmission method according to the abnormal level (S104). Thereby, feature amount data (white / gray) or full log (black) is transmitted to the server 30. Furthermore, the storage control unit 153 changes the full log storage method according to the abnormal level (S106).

  In the server 30, the abnormality determination unit 331 uses the feature amount (gray) and the learning model 322 when the feature amount (gray) of the CAN message of which the abnormality level is determined to be gray is received. It is determined whether the color is black or white (S112). Then, the determination result is transmitted to the monitoring device 100. On the other hand, when the full log (black) of the CAN message in which the abnormal level is determined to be black is received, the control unit 33 stores the full log in the storage unit 32 (S114). In addition, when the feature quantity (white) of the CAN message in which the abnormal level is determined to be white is received, the learning model 322 is updated using the feature quantity (white) as training data (S116).

  In step S102, when the monitoring apparatus 100 determines that the abnormal level is gray, the monitoring apparatus 100 waits and receives the determination result transmitted from the server 30. When the monitoring apparatus 100 receives from the server 30 a determination result indicating that the abnormal level of the CAN message is black, the communication control unit 152 transmits the full log (gray-> black) of the CAN message to the server 30. (S108). In the server 30 that receives the transmitted full log (gray-> black), the control unit 33 stores it in the storage unit 32 (S118). Furthermore, in the monitoring apparatus 100, the storage control unit 153 moves the full log (gray-> black) of the CAN message from the temporary storage unit 140 to the storage unit 130 (S110).

  On the other hand, when the determination result indicating that the abnormal level of the CAN message is white is received from the server 30, the control unit 33 of the monitoring apparatus 100 determines that the full log of the CAN message stored in the temporary storage unit 140 (grey -> White) is deleted (S111).

[Operation of monitoring device]
The operation of the monitoring apparatus 100 in such a monitoring system 10 will be specifically described with reference to FIGS. 4 to 12. FIG. 4 is a flowchart showing a first operation of the monitoring apparatus 100 according to the first embodiment. Specifically, FIG. 4 shows the details of steps S102 to S106 of FIG.

  First, the first communication unit 110 temporally acquires the CAN message on the in-vehicle network and stores the CAN message in the buffer memory (S202). The abnormality determination unit 151 extracts the feature amount from the plurality of CAN messages stored in the buffer memory (S204).

  As the feature value, a value included in the CAN message payload can be used. In this case, the abnormality determination unit 151 may extract a value included in one or more CAN messages having a predetermined CAN ID among a plurality of CAN messages as the first feature value.

  For example, the case where the accelerator amount in the CAN message is extracted as the first feature amount will be described with reference to FIGS. 5 and 6. FIG. 5 shows the position of the accelerator amount in the CAN message in the first embodiment. FIG. 6 shows an example of the first feature amount in the first embodiment, and specifically shows the first feature amount extracted from the CAN message of FIG. Based on the accelerator amount represented by a hexadecimal number included in the CAN message having a CAN ID of “0x123” illustrated in FIG. 5, the accelerator amount represented by a decimal number illustrated in FIG. 6 is extracted as a first feature value .

  Also, as the feature amount, the change amount of the first feature amount can be used. In this case, the abnormality determination unit 151 may extract, as the second feature value, the change amount of the value included in two or more CAN messages having a predetermined CAN ID among the plurality of CAN messages. FIG. 7 shows an example of the second feature amount according to the first embodiment, and more specifically shows the change amount of the first feature amount of FIG. Here, the amount of change is an absolute value of a difference value between the value included in the CAN message and the value included in the CAN message immediately before the CAN message.

  Moreover, the transmission interval of a CAN message can also be used as a feature-value. In this case, the abnormality determination unit 151 may extract, as a third feature, a difference between transmission times of two or more CAN messages having a predetermined CAN ID among a plurality of CAN messages. FIG. 8 shows an example of the third feature quantity in the first embodiment, and specifically shows the third feature quantity extracted from the CAN message of FIG.

  Note that any combination of the first feature amount, the second feature amount, and the third feature amount may be used as the feature amounts. FIG. 9 shows an example of a combination of a plurality of feature quantities according to the first embodiment, and specifically shows a combination of the second feature quantity of FIG. 7 and the third feature quantity of FIG.

  The abnormality determination unit 151 determines an abnormality level of a plurality of CAN messages based on a predetermined determination rule, using the feature quantity extracted in this manner (S206). For example, when the abnormal level of each CAN message is determined, and at least one black CAN message is included in the plurality of CAN messages, the abnormality determination unit 151 determines the plurality of CAN messages as black. Also, for example, when the gray CAN message is included in the plurality of CAN messages and the black CAN message is not included, the abnormality determination unit 151 determines the plurality of CAN messages as gray. Further, for example, when all the plurality of CAN messages are determined to be white, the abnormality determination unit 151 determines the plurality of CAN messages to be white.

  At this time, in the determination of the abnormal level of each CAN message, one feature amount extracted from each CAN message may be compared with a threshold. 10A and 10B are conceptual diagrams showing an example of abnormal level determination using one feature amount according to the first embodiment.

In FIG. 10A, the feature quantity 1 If the threshold N ₁ is smaller than the abnormal level is determined to be white. When the feature amount 1 is larger than the threshold N ₂ , the abnormal level is determined to be black. When the feature amount 1 is between the threshold N ₁ and the threshold N ₂ , the abnormal level is determined to be gray.

In FIG. 10B, when the feature amount 1 is smaller than the threshold N _1a or larger than the threshold N _2b , the abnormal level is determined to be black. When the feature amount 1 is between the threshold N 1 _b and the threshold N _{2 a} , the abnormal level is determined to be white. Otherwise, the abnormal level is determined to be gray.

  Further, for example, in the determination of the abnormal level of each CAN message, the abnormal level of each CAN message may be determined by comparing one of the two feature quantities extracted from each CAN message with the other function. . 11A and 11B are conceptual diagrams showing an example of abnormality level determination using two feature quantities according to the first embodiment.

In FIG. 11A, when the feature amount 2 (Y) is smaller than the function Y = a ₁ X + b _{1 of} the feature amount 1 (X), the abnormal level is determined to be white. When the feature amount 2 (Y) is larger than the function Y = a ₂ X + b _{2 of} the feature amount 1 (X), the abnormal level is determined to be black. Otherwise, the abnormal level is determined to be gray.

In FIG. 11B, when the feature amount 2 (Y) is smaller than the function Y = a ₁ X + b ₁ of the feature amount 1 (X), or the feature amount 2 (Y) is a function Y of the feature amount 1 (X) When it is smaller than = a ₄ X + b ₄ , the abnormal level is determined to be black. When the feature quantity 2 (Y) is between the function Ya ₂ X + b _{2 of} the feature quantity 1 (X) and the function Ya ₃ X + b ₃ , the abnormal level is determined to be white. Otherwise, the abnormal level is determined to be gray.

10A to 11B are examples of determination rules of each CAN message, and it is not necessary to be limited to this. For example, in FIG. 10A, the determination of white and black may be reversed. That is, when the feature quantity 1 is the threshold N ₁ is smaller than, abnormal level is determined to black, when the feature quantity 1 is greater than the threshold N _2, abnormal level may be determined as white.

  It returns to description of the flowchart of FIG. If the abnormal level of the plurality of CAN messages is determined to be white (white in S206), the communication control unit 152 transmits the feature amount (white) of the plurality of CAN messages to the server 30 (S208). Then, the full log of the plurality of CAN messages is discarded (S210). That is, the full log is not stored in the storage unit 130 or the temporary storage unit 140.

  If the abnormal levels of the plurality of CAN messages are determined to be gray (grey in S206), the communication control unit 152 transmits the feature amounts (gray) of the plurality of CAN messages to the server 30 (S212). Furthermore, the storage control unit 153 stores the full log (gray) of the plurality of CAN messages in the temporary storage unit 140 (S214).

  When it is determined that the abnormal level of the plurality of CAN messages is black (black in S206), the communication control unit 152 transmits the full log (black) of the plurality of CAN messages to the server 30 (S216). Furthermore, the storage control unit 153 stores full logs (black) of a plurality of CAN messages in the storage unit 130 (S218).

  FIG. 12 is a flowchart showing a second operation of the monitoring apparatus 100 according to the first embodiment. Specifically, FIG. 12 shows the details of steps S108 to S111 of FIG.

  The monitoring apparatus 100 receives the determination result from the server 30 (S220). The determination result is a result of determining whether the plurality of CAN messages determined to be gray by the monitoring apparatus 100 is black or white by the server 30.

  Here, if the received determination result is white (white in S222), the storage control unit 153 deletes the full log stored in the temporary storage unit (S224). On the other hand, when the received determination result is black (black in S222), the communication control unit 152 transmits the full log stored in the temporary storage unit 140 to the server 30 (S226). Further, the communication control unit 152 moves the full log stored in the temporary storage unit 140 to the storage unit 130 (S228).

[Server operation]
Next, the operation of the server 30 will be specifically described with reference to FIGS. 13 and 14. FIG. 13 is a flowchart showing an operation of the server 30 according to the first embodiment. Specifically, FIG. 13 shows the details of step S112 to step S118 of FIG.

  First, the communication unit 31 of the server 30 receives data from the monitoring device 100 (S302). When the received data is the feature of the CAN message determined to be white in the monitoring apparatus 100 (white in S304), the model updating unit 333 updates the learning model 322 using the received feature (white) ( S306). That is, the model updating unit 333 performs supervised learning using the received feature amount (white).

  If the received data is a full log of the CAN message determined to be black in the monitoring device 100 (black in S304), the control unit 33 stores the full log (black) in the storage unit 32 (S308).

  If the received data is the feature of the CAN message determined to be gray in the monitoring apparatus 100 (grey in S304), the anomaly determining unit 331 uses the learning model 322 to determine the anomaly level of the CAN message from the received feature. Is determined (S310). That is, the abnormality determination unit 331 determines whether the abnormality level of the CAN message is black or white.

  FIG. 14 is a conceptual diagram showing an example of abnormal level determination using the learning model in the first embodiment. In FIG. 14, white and black areas are defined for two feature quantities, and no gray area exists.

  Here, when it is determined that the abnormal level is white (white in S310), the communication control unit 332 transmits the determination result (white) indicating white to the monitoring device 100 (S312). Furthermore, the model updating unit 333 updates the learning model 322 using the feature amount (gray-> white) (S314).

  On the other hand, when it is determined that the abnormal level is black (black in S310), the communication control unit 332 transmits the determination result (black) indicating black to the monitoring device 100 (S316). Thereafter, the communication unit 31 receives a full log (gray → black) from the monitoring device 100 (S318), and the control unit 33 stores the received full log (gray → black) in the storage unit 32 (S320).

[Effects, etc.]
As described above, according to the monitoring apparatus 100 according to the present embodiment, the monitoring apparatus 100 mounted on the vehicle 20 has a plurality of abnormality levels including black indicating abnormality, white indicating normality, and gray indicating non-determinability. The abnormal level of the CAN message can be determined from among the above. Therefore, in the case where it is not possible to determine black or white with high accuracy by the monitoring device 100, it is not necessary to determine either black or white. It is possible to improve the determination accuracy of the abnormal level. In addition, according to the determined abnormal level of the CAN message, at least one of the method of transmitting the full log of the CAN message to the server 30 and the method of storing the full log of the CAN message can be changed. It is also possible to reduce the capacity of the storage device and / or.

  Further, according to the monitoring apparatus 100 according to the present embodiment, various feature quantities can be used for the determination of the abnormal level, and the determination accuracy of the abnormal level can be improved.

  Moreover, according to the monitoring apparatus 100 which concerns on this Embodiment, when the abnormal level of a CAN message is determined to be gray, the feature-value of a CAN message can be transmitted to the server 30. FIG. Thereafter, when a determination result indicating that the abnormal level of the CAN message is black is received from the server 30, a full log of the CAN message can be transmitted to the server 30. Therefore, a full log of CAN messages that can not be determined by the monitoring device can be transmitted as needed based on the determination result of the server 30, and the amount of communication can be reduced.

  Moreover, according to the monitoring apparatus 100 which concerns on this Embodiment, when the abnormal level of a CAN message is determined to be gray, the feature-value of a CAN message can be transmitted to the server 30. FIG. Thereafter, when a determination result indicating that the abnormal level of the CAN message is black is received from the server 30, a full log of the CAN message can be transmitted to the server 30. Therefore, a full log of CAN messages that can not be determined by the monitoring device 100 can be transmitted as needed based on the determination result of the server 30, and the amount of communication can be reduced.

  Further, according to the monitoring apparatus 100 according to the present embodiment, when the abnormal level of the CAN message is determined to be gray, the full log of the CAN message is temporarily stored in the temporary storage unit 140 and the CAN message from the server 30 The full log of the CAN message stored in the temporary storage unit 140 can be moved to the storage unit 130 when it receives the determination result indicating that the abnormal level is black. Therefore, the full log of CAN messages that can not be determined by the monitoring device 100 can be stored in the storage unit 130 as needed based on the determination result of the server 30, and the capacity of the storage device can be reduced.

  Further, according to the monitoring system 10 according to the present embodiment, the server 30 may determine whether the abnormality level of the CAN message whose abnormality level is determined to be gray by the monitoring device 100 is black or white. Therefore, the load of abnormality level determination in the server 30 can be reduced.

  Further, according to the monitoring system 10 according to the present embodiment, the server 30 can determine the abnormal level of the CAN message using the learning model 322, and can determine the abnormal level with higher accuracy.

  Further, according to the monitoring system 10 according to the present embodiment, the server 30 can update the learning model 322 using the feature amount of the CAN message determined to be white. Therefore, it is possible to construct a learning model 322 having higher determination accuracy, and to flexibly cope with environmental changes.

[Modification]
Below, the modification of the said Embodiment 1 is demonstrated.

  In the first embodiment described above, the feature amount used in the abnormal level determination of the monitoring device 100 and the feature amount used in the abnormal level determination of the server 30 match, but the different feature amounts of the monitoring device 100 and the server 30 are different. It may be used. In this case, when the CAN message is determined to be gray, the communication control unit 332 of the monitoring device 100 adds various features (for example, a GPS (Global Positioning System) sensor, an in-vehicle camera, etc.) to the feature amount of the CAN message. The output value may be sent to the server 30. Furthermore, the server 30 may extract feature amounts from output values of various sensors.

  In the first embodiment, when the CAN message is determined to be gray, the feature amount is transmitted without transmitting the full log, but both the feature amount and the full log or only the full log may be transmitted. . In the case of transmitting only the full log, the server 30 may extract the feature amount used in the abnormal level determination from the full log. If the accuracy of the abnormal level determination of the monitoring apparatus 100 is high, the gray determination result does not occur frequently. Therefore, in such a case, even if only the feature amount and the full log or only the full log is transmitted, the adverse effect on the communication amount is small.

  In the first embodiment, the full log is transmitted when the CAN message is determined to be black, but only the determination result of black may be notified to the server 30. In this case, the full log may be transmitted from the monitoring device 100 to the server 30 in response to a request from the server 30.

  In the first embodiment, the full log stored in the temporary storage unit 140 is deleted from the temporary storage unit 140 when the determination result is received from the server 30, but the present invention is not limited to this. For example, when other predetermined conditions are satisfied, the full log may be deleted from the temporary storage unit 140. For example, the full log may be deleted from the temporary storage unit 140 based on the elapsed time since the full log is stored in the temporary storage unit 140, the explicit deletion instruction by the user, the free space of the temporary storage unit 140, or the like. .

  In the first embodiment, the deletion of the full log stored in the storage unit 130 has not been particularly described, but the full log may be deleted from the storage unit 130 when a predetermined condition is satisfied. For example, when the deletion instruction is received from the server 30, the full log may be deleted from the storage unit 130. In this case, the server 30 may transmit the deletion instruction to the monitoring apparatus 100 after storing the full log in the storage unit 32. As a result, it is possible to reduce waste of resources for storing full logs in both the server 30 and the monitoring device 100. Alternatively, the full log may be deleted from the one storage unit 130 based on the elapsed time since the full log is stored in the storage unit 130, the explicit deletion instruction by the user, the free space of the storage unit 130, or the like.

  In the first embodiment, the abnormal level is determined after a plurality of CAN messages are accumulated, but the abnormal level of the CAN message may be determined each time one CAN message is acquired. Further, the amount of CAN messages to be subjected to the abnormality level determination need not be particularly limited, and the abnormality level of the CAN messages accumulated in a predetermined time cycle may be determined.

  Further, in the first embodiment, in the abnormal level determination, an example in which one or two types of feature amounts are used has been described, but three or more types of feature amounts may be used. In this case, the abnormal level is determined in three or more dimensions.

  In the first embodiment, the feature amount is extracted from the CAN message having one specific CAN ID, but the present invention is not limited to this. Similar to the first embodiment, feature quantities may be extracted for each CAN ID for a plurality of CAN IDs.

  Although the first to third feature amounts have been described as feature amounts in the first embodiment, the feature amounts are not limited to this. For example, statistics (for example, average value, variance value, etc.) of each of the first to third feature quantities in the first embodiment may be used as feature quantities.

Second Embodiment
Next, the second embodiment will be described. The present embodiment is different from the above-described first embodiment in that the monitoring apparatus transmits the log to the server according to the data amount of the stored communication data log for each result of the abnormality determination. Hereinafter, the monitoring system according to the present embodiment will be described focusing on differences from the first embodiment.

[Configuration of monitoring system]
The configuration of the monitoring system according to the second embodiment will be specifically described with reference to FIG. FIG. 15 is a block diagram showing a functional configuration of a monitoring system 10A according to the second embodiment.

  A monitoring system 10A according to the present embodiment includes a monitoring device 100A mounted on a vehicle 20A, and a server 30A that can communicate with the monitoring device 100A.

[Configuration of monitoring device]
As in the first embodiment, the monitoring apparatus 100A is mounted on the vehicle 20A and monitors an in-vehicle network. The monitoring device 100A includes a first communication unit 110, a second communication unit 120, a storage unit 130A, and a control unit 150A. Hereinafter, each component of the monitoring apparatus 100A will be described focusing on differences from the first embodiment.

[Storage unit]
The storage unit 130A is an example of a first storage unit, and stores monitoring data 131A, a determination rule 132, and weight data 133A. The storage unit 130A is mounted using, for example, one or more semiconductor memories and / or one or more hard disk drives.

  The monitoring data 131A is a log of CAN messages on the in-vehicle network classified at the abnormal level. FIG. 16 shows an example of monitoring data 131A in the second embodiment. Specifically, (a), (b) and (c) in FIG. 16 show monitoring data of CAN messages determined to have abnormal levels of white, black and gray, respectively.

  In FIG. 16, in addition to time stamp (Timestamp), CAN ID, and data (Data) corresponding to the payload in the first embodiment, data length code (DLC), bus (Bus), level ( Level), error code (ErrorCode), and vehicle information (CarInfo).

  Here, the data length code indicates the number of bytes of data. The bus is information for individually identifying the plurality of CAN buses 22. The level indicates an abnormal level. At the level, "W" indicates white, "B" indicates black, and "G" indicates gray. The error code is information for identifying the content of the error. Vehicle information is information for identifying the type of vehicle.

  The weight data 133A is data indicating the weight used in the determination of the abnormal level. 17A and 17B show an example of weight data 133A in the second embodiment. Specifically, FIG. 17A is a first weight table in which a plurality of abnormal levels are associated with a plurality of first weight values (w1). The first weight value indicates the importance of monitoring, and the higher the value, the higher the importance. FIG. 17B is a second weight table in which a plurality of driving states are associated with a plurality of second weight values (w2). The second weight value indicates the importance of communication, and the higher the value, the higher the importance.

[Control unit]
The control unit 150A is an example of a first control unit, and controls the first communication unit 110, the second communication unit 120, and the storage unit 130A. The control unit 150A changes the transmission method of the monitoring data to the server 30A according to the abnormal level of the CAN message. In the present embodiment, the transmission method of monitoring data is changed by changing the transmission timing for each abnormal level.

  As shown in FIG. 15, the control unit 150A includes an abnormality determination unit 151, a communication control unit 152A, and a driving state estimation unit 154A. The control unit 150A may be implemented in software using one or more general-purpose processors and memories, or may be implemented in hardware using one or more dedicated integrated circuits.

  The communication control unit 152A is an example of a first communication control unit, and controls the second communication unit 120. Specifically, the communication control unit 152A acquires the data amount of the monitoring data 131A stored in the storage unit 130A for each abnormal level. The amount of data is defined, for example, by the number of records in the table of FIG. Then, the communication control unit 152A transmits monitoring data to the server 30A according to the acquired data amount for each abnormal level.

  More specifically, the communication control unit 152A first weights the data amount for each abnormal level using the first weight value corresponding to the abnormal level and the second weight value corresponding to the operating state. The weighted data amount Dw is expressed by the following equation (1).

  Dw = w1 × w2 × D (1)

  Here, w1 represents a first weight value, and w2 represents a second weight value. D represents the amount of monitoring data at each abnormal level, and represents the amount of data not yet weighted.

  Then, the communication control unit 152A transmits monitoring data to the server 30A when the weighted data amount is larger than a predetermined threshold value for each abnormality level. In the present embodiment, as the predetermined threshold, the same threshold is used at a plurality of abnormal levels. That is, the predetermined threshold is common to a plurality of abnormal levels.

  For example, it is assumed that the amount of monitoring data of white, black and gray is 1000, 20 and 6, respectively, and the vehicle 20A is driving at the automatic driving level 3. In this case, if the first weight value and the second weight value in FIGS. 17A and 17B are used, the weighted data amount is 40 (= 0.01 × 4 × 1000) and 80 (= 1 × 4), respectively. X 20) and 120 (= 5 x 4 x 6). Here, if 100 is used as the threshold, only gray monitoring data with a weighted data amount of 120 is transmitted to the server 30A.

  Driving state estimation unit 154A estimates the driving state of vehicle 20A. For example, the driving state estimation unit 154A estimates the driving state based on the CAN message on the in-vehicle network. Specifically, the driving state estimation unit 154A, for example, estimates the driving state based on data of a CAN message having a specific CAN ID.

  The driving state means the state of the vehicle being driven. In the present embodiment, the driving state is mainly defined at the automatic driving level. For example, in FIG. 17B, the operation state is: manual operation (that is, operation at automatic operation level 0), operation at automatic operation L2 or less (that is, operation at automatic operation level 1 or 2), automatic operation L3 or more In operation (that is, in operation at automatic operation level 3, 4 or 5) and classified as emergency / failure.

[Server configuration]
Next, the configuration of the server 30A will be described. The server 30A is installed outside the vehicle 20A, and communicates with the monitoring device 100A via a network different from the in-vehicle network. As shown in FIG. 15, the server 30A includes a communication unit 31, a storage unit 32A, and a control unit 33A.

  The storage unit 32A stores the monitoring data 321A received from the monitoring device 100A. The storage unit 32A is mounted using, for example, one or more semiconductor memories and / or one or more hard disk drives.

  The control unit 33A controls the communication unit 31 and the storage unit 32A. The control unit 33A may be implemented in software using one or more general-purpose processors and memories, or may be implemented in hardware using one or more dedicated integrated circuits. The control unit 33A stores the monitoring data 321A received from the monitoring device 100A in the storage unit 32A.

[Operation of monitoring device]
Next, the operation of the monitoring apparatus 100A configured as described above will be specifically described with reference to FIGS. 18 and 19. FIG. 18 is a flowchart showing a first operation of the monitoring device 100A according to the second embodiment. FIG. 19 is a flowchart showing a second operation of the monitoring device 100A according to the second embodiment.

  As shown in FIG. 18, first, the first communication unit 110 acquires a CAN message on the in-vehicle network (S402). The abnormality determination unit 151 determines an abnormal level of the CAN message from among a plurality of abnormal levels including black, white, and gray (S404).

  The control unit 150A classifies the CAN message based on the determination result by the abnormality determination unit 151, and stores the CAN message as the monitoring data 131A in the storage unit 130A (S406). This first operation is performed each time communication traffic of a CAN message is generated on the in-vehicle network. Thereby, for example, monitoring data 131A shown in FIG.

  With the monitoring data 131A thus stored in the storage unit 130A, as shown in FIG. 19, the driving condition estimating unit 154A estimates the driving condition of the vehicle 20A (S408). Here, the communication control unit 152A selects an unselected abnormality level to perform processing for each abnormality level (S410). The communication control unit 152A acquires the data amount of the monitoring data 131A of the selected abnormal level (S412).

  The communication control unit 152A weights the acquired data amount based on the estimated driving state and the selected abnormality level (S414). Specifically, the communication control unit 152A refers to the weight data 133A, and acquires a first weight value corresponding to the selected abnormal level and a second weight value corresponding to the estimated driving condition. Then, the communication control unit 152A calculates the weighted data amount by applying the acquired first weight value and second weight value to the acquired data amount.

  The communication control unit 152A compares the weighted data amount with a predetermined threshold (S416). Here, when the weighted data amount is larger than the predetermined threshold (Yes in S416), the communication control unit 152A transmits the monitoring data 131A of the selected abnormal level to the server 30A (S418). On the other hand, when the weighted data amount is equal to or less than the predetermined threshold (No in S416), the communication control unit 152A skips transmission of the monitoring data 131A of the selected abnormal level.

  The communication control unit 152A determines whether there is an unselected abnormal level among the plurality of abnormal levels (S420). Here, when there is an unselected abnormal level (Yes in S420), the process returns to the abnormal level selection process (S410). On the other hand, if all the abnormal levels have already been selected (No in S420), the processing is ended.

  The second operation of the monitoring device 100A is repeatedly performed. That is, when the process of the second operation is completed, the operation of resetting all the abnormal levels to the non-selected state and starting the process of the next second operation is repeated. At this time, the process of the second operation may be started immediately after the process of the second operation is ended, or may be started after a predetermined time has elapsed after the end of the process. Alternatively, it may be started each time a fixed amount of monitoring data is newly stored in the storage unit 130A. At this time, focusing on monitoring data of a specific monitoring level, the monitoring data of the monitoring level of interest may be started each time a predetermined amount is newly stored in the storage unit 130A. Also, it may be started each time the driving state of the vehicle changes. Furthermore, a plurality of the above-described start conditions may be selected and set, and may be started when any one of the set start conditions is satisfied.

[Effects, etc.]
As described above, according to the monitoring device 100A according to the present embodiment, it is possible to transmit monitoring data to the server according to the data amount for each abnormal level. Therefore, the transmission frequency of monitoring data can be controlled, and the amount of communication can be reduced.

  Further, according to the monitoring device 100A in the present embodiment, it is possible to weight the data amount using the first weight value corresponding to the abnormal level. Therefore, the transmission frequency of the monitoring data can be controlled according to the abnormal level, and the monitoring data can be transmitted according to the degree of importance of the monitoring.

  Further, according to monitoring apparatus 100A in accordance with the present embodiment, in addition to the first weight value, the second weight value corresponding to the estimated driving condition can be used to weight the data amount. Therefore, the transmission frequency of the monitoring data can be controlled according to the driving state of the vehicle, and the monitoring data can be transmitted according to the degree of importance of the monitoring.

[Modification]
Below, the modification of the said Embodiment 2 is demonstrated.

  In the second embodiment, both the first weight value and the second weight value are used to weight the data amount, but the present invention is not limited to this. For example, the data amount may be weighted using only one of the first weight value and the second weight value.

  Further, in the weight data 133A of the second embodiment, although the first weight value corresponding to the abnormal level and the second weight value corresponding to the driving state are separately managed, the first weight value and the second weight value are managed. May be integrated and managed. In this case, for example, instead of the weight data 133A of FIGS. 17A and 17B, the weight data 133B of FIG. 20 may be stored in the storage unit 130A.

  Furthermore, in the second embodiment, the weighted data amount is compared with the common threshold, but the threshold may be weighted. In this case, the threshold data 133C of FIG. 21 may be stored in the storage unit 130A instead of the weight data 133A of FIGS. 17A and 17B.

  In the second embodiment, the storage method of the monitoring data 131A stored in the storage unit 130A of the monitoring device 100A has not been particularly described, but the storage method may be changed according to the abnormal level. For example, the monitoring data 131A may be first stored in the volatile area of the storage unit 130A and moved to the nonvolatile area of the storage unit 130A according to the storage time or data amount in the volatile area. The monitoring data 131A stored in the nonvolatile area of the storage unit 130A is transmitted by the communication control unit 332 for each abnormal level, but may be stored as it is in the nonvolatile area without being deleted if a predetermined condition is satisfied. At this time, the monitoring data 131A may be compressed or encrypted. For example, gray or black monitoring data in operation at the automatic operation level 3 may be held in the non-volatile area for a certain period of time after being transmitted to the server 30. This makes it possible to respond to a request for retransmission of monitoring data from the server 30, and also enables forensics.

  Further, in the second embodiment, the weight data 133A is not particularly updated, but may be updated. For example, the monitoring apparatus 100A may receive new weight data from the server 30A, and update the weight data 133A in the storage unit 130A with the received new weight data.

(Other embodiments)
Although the monitoring system and the monitoring apparatus according to one or more aspects of the present disclosure have been described above based on the embodiments, the present disclosure is not limited to the embodiments. Without departing from the spirit of the present disclosure, various modifications that can occur to those skilled in the art may be applied to the present embodiment, or a configuration constructed by combining components in different embodiments may be one or more of the present disclosure. It may be included within the scope of the embodiments.

  For example, in each of the above embodiments, the transmission method according to the data amount of the second embodiment may be applied to the transmission of the log in the first embodiment.

  In addition, the format and content of the data shown in each said embodiment are an illustration, It is not limited to this.

  In addition, a part or all of the control unit included in the monitoring device in each of the above embodiments may be configured as one system LSI (Large Scale Integration: large scale integrated circuit).

  The system LSI is a super multifunctional LSI manufactured by integrating a plurality of component parts on one chip, and specifically, a microprocessor, a read only memory (ROM), a random access memory (RAM), etc. A computer system configured to include A computer program is stored in the ROM. The system LSI achieves its functions as the microprocessor operates in accordance with the computer program.

  Although a system LSI is used here, it may be called an IC, an LSI, a super LSI, or an ultra LSI depending on the degree of integration. Further, the method of circuit integration is not limited to LSI's, and implementation using dedicated circuitry or general purpose processors is also possible. After the LSI is manufactured, a programmable field programmable gate array (FPGA) may be used, or a reconfigurable processor that can reconfigure connection and setting of circuit cells in the LSI may be used.

  Furthermore, if integrated circuit technology comes out to replace LSI's as a result of the advancement of semiconductor technology or a derivative other technology, it is naturally also possible to carry out function block integration using this technology. The application of biotechnology etc. may be possible.

  Further, one aspect of the present disclosure may be a monitoring method using not only such a monitoring device for a vehicle network but also a characteristic configuration unit included in the monitoring device as a step. In addition, one aspect of the present disclosure may be a computer program that causes a computer to execute the characteristic steps included in the monitoring method. In addition, one aspect of the present disclosure may be a computer readable non-transitory recording medium in which such a computer program is recorded.

  In the above embodiments, each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a CPU or processor reading out and executing a software program recorded in a recording medium such as a hard disk drive or a semiconductor memory. Here, software for realizing the monitoring device and the like according to each of the above-described embodiments is the following program.

  That is, this program is a monitoring method of monitoring a vehicle-mounted network by a computer, which acquires communication data on the vehicle-mounted network, and includes a plurality of abnormal, normal and undeterminable based on a predetermined determination rule. The abnormal level of the communication data is determined from among the abnormal levels, and the method of transmitting the log of the communication data to the server according to the determined abnormal level of the communication data, and the log of the communication data The monitoring method is executed to change at least one of the storage methods.

  It can be used as a monitoring device that monitors an in-vehicle network.

10, 10A monitoring system 20, 20A vehicle 30, 30A server 31 communication unit 32, 32A storage unit 33, 33A, 150, 150A control unit 100, 100A monitoring device 110 first communication unit 120 second communication unit 130, 130A storage unit 131, 141, 321 full log 131A monitoring data 132 determination rules 133A, 133B weight data 133C threshold data 140 temporary storage unit 151, 331 abnormality determination unit 152, 152A, 332 communication control unit 153 storage control unit 154A operating state estimation unit 321A monitoring data 322 Learning Model 333 Model Updater

Claims (15)

A monitoring device mounted on a vehicle and monitoring an on-vehicle network,
A first communication unit that acquires communication data on the in-vehicle network;
A second communication unit that communicates with the server via a network different from the in-vehicle network;
A first storage unit for storing a log of the communication data;
And a first control unit that controls the first communication unit, the second communication unit, and the first storage unit.
The first control unit includes a first determination unit that determines an abnormality level of the communication data from among a plurality of abnormality levels including abnormality, normality, and undeterminability based on a predetermined determination rule;
The first control unit changes at least one of a transmission method of the communication data log to the server and a storage method of the communication data log according to the determined abnormal level of the communication data. Do,
Monitoring device. The first determination unit extracts a feature amount from the communication data, and determines an abnormal level of the communication data using the extracted feature amount.
The monitoring device according to claim 1. The first communication unit acquires a plurality of communication data including the communication data,
The first determination unit extracts a value included in one or more communication data having a predetermined identifier among the plurality of communication data as a first feature amount included in the feature amount.
The monitoring device according to claim 2. The first communication unit acquires a plurality of communication data including the communication data,
The first determination unit extracts, as a second feature amount included in the feature amount, a change amount of a value included in two or more pieces of communication data having a predetermined identifier among the plurality of communication data.
The monitoring apparatus of Claim 2 or 3. The first communication unit acquires a plurality of communication data including the communication data,
The first determination unit extracts a difference time between transmission times of two or more communication data having a predetermined identifier among the plurality of communication data as a third feature quantity included in the feature quantity.
The monitoring apparatus of any one of Claims 2-4. The first control unit further includes a first communication control unit that controls the second communication unit.
The first communication control unit
When it is determined that the abnormal level of the communication data is abnormal, a log of the communication data is transmitted to the server;
When it is determined that the abnormal level of the communication data is normal, the communication data log is not transmitted to the server.
When it is determined that the abnormal level of the communication data can not be determined, (i) the feature of the communication data is transmitted to the server, and (ii) the abnormal level of the communication data from the server is black Sending a log of the communication data to the server when receiving the determination result shown;
The monitoring apparatus of any one of Claims 1-5. The monitoring apparatus further includes a second storage unit for temporarily storing a log of the communication data.
The first control unit further includes a storage control unit that controls the first storage unit and the second storage unit.
The storage control unit
Storing a log of the communication data in the first storage unit when it is determined that the abnormal level of the communication data is abnormal;
When it is determined that the abnormal level of the communication data can not be determined, (i) a log of the communication data is stored in the second storage unit, and (ii-1) the abnormal level of the communication data from the server is abnormal The communication data log stored in the second storage unit is moved to the first storage unit, and (ii-2) abnormality of the communication data from the server Deleting the log of the communication data when the determination result indicating that the level is normal is received;
The monitoring apparatus of any one of Claims 1-6. The first communication unit acquires a plurality of communication data including the communication data,
The first storage unit classifies the plurality of communication data according to the determined abnormal level and stores it as monitoring data.
The first control unit further includes a first communication control unit that controls the second communication unit.
The first communication control unit
The data amount of the monitoring data stored in the first storage unit is acquired for each abnormal level,
Transmitting the monitoring data to the server according to the amount of data for each abnormal level;
The monitoring apparatus of any one of Claims 1-5. The first communication control unit
Weighting the data amount using a first weight value corresponding to the abnormal level for each abnormal level;
The monitoring data is transmitted to the server when the weighted amount of data is larger than a predetermined threshold value for each abnormal level.
The monitoring device according to claim 8. The first control unit further includes a driving state estimation unit configured to estimate a driving state of the vehicle,
The first communication control unit uses a second weight value corresponding to the estimated driving condition in addition to the first weight value in weighting the data amount.
The monitoring device according to claim 9. A monitoring system for monitoring an in-vehicle network,
The monitoring device according to any one of claims 1 to 10.
And a server capable of communicating with the monitoring device.
Monitoring system. The first control unit further includes a first communication control unit that controls the second communication unit.
The first communication control unit
When it is determined that the abnormal level of the communication data is abnormal, a log of the communication data is transmitted to the server;
When it is determined that the abnormal level of the communication data is normal, the communication data log is not transmitted to the server.
When it is determined that the abnormal level of the communication data can not be determined, (i) the feature of the communication data is transmitted to the server, and (ii) the abnormal level of the communication data from the server is black Sending a log of the communication data to the server when receiving the determination result indicated;
The server is
A third communication unit that communicates with the monitoring device via the network;
A third storage unit storing a log of the communication data received from the monitoring device;
A second control unit that controls the third communication unit;
The second control unit is
When the third communication unit receives from the monitoring apparatus the feature quantity of the communication data whose abnormality level is determined to be undecidable, the abnormality level of the communication data is calculated using the feature quantity of the received communication data. A second determination unit that determines which is abnormal or normal;
A second communication control unit that transmits the determination result by the second determination unit to the monitoring device, and receives the log of the communication data from the monitoring device when the abnormality level of the communication data is determined to be abnormal Equipped
The third storage unit further stores a learning model for determining an abnormal level of communication data,
The second determination unit determines whether the abnormal level of the communication data is abnormal or normal using the learning model.
The monitoring system according to claim 11. The first communication control unit of the monitoring device transmits the feature amount of the communication data to the server when it is determined that the abnormal level of the communication data is normal.
When the third communication unit receives the feature of the communication data for which the abnormal level is determined to be normal from the monitoring apparatus, the second control unit of the server is labeled with the feature at normal. Providing a model updating unit that updates the learning model using the received training data;
A monitoring system according to claim 12. A monitoring method for monitoring an in-vehicle network, comprising
Acquiring communication data on the in-vehicle network;
The abnormality level of the communication data is determined from among a plurality of abnormality levels including abnormality, normality, and undeterminability based on a predetermined determination rule,
According to the determined abnormal level of the communication data, at least one of a transmission method of the communication data to the server and a storage method of the communication data log is changed.
How to monitor.   A program for causing a computer to execute the monitoring method according to claim 14.

Images