JP2023107137A - Log management device, log management method, and log management program - Google Patents

Abstract

To provide a log management device for preserving, without discarding, logs for which the necessity for analysis by a server device is high until these are transmitted to the server device.SOLUTION: The log management device comprises: a log acquisition unit for acquiring logs generated by a security sensor; a transmission allowability assessment unit for assessing whether or not the logs can be transmitted; a memory which has a first region which is disabled from overwriting the logs and is allocated a first storage capacity and a second region which is enabled for overwriting the logs and is allocated a second storage capacity; a log storage area determination unit which, when assessed by the transmission allowability assessment unit as unable to transmit the logs, determines, as a log storage area, the first region when the importance of the logs is higher than prescribed importance or the second region when said importance is lower than the prescribed importance; and a memory control unit for causing the allocation rate of the log storage area to the storage capacity to increase when the free space of the log storage area is smaller than a data volume and stores the logs in the log storage area.SELECTED DRAWING: Figure 3

Description

The present invention relates to a device for managing logs generated by a security sensor, and more particularly to a log management device mounted on a mobile object, a log management method and a log management program executed by the log management device.

In recent years, V2X such as vehicle-to-vehicle communication and road-to-vehicle communication, as well as technologies for driving support and automatic driving control have been attracting attention. Along with this, vehicles are equipped with communication functions, and the so-called connectivity of vehicles is progressing. As a result, vehicles are becoming more susceptible to cyberattacks.

In the event of a cyber-attack on a vehicle, there is a risk that the attack will interfere with vehicle control, so it is important to analyze the incident in order to prevent it in advance or to respond to the attack and recover quickly. Therefore, for example, as disclosed in Patent Literature 1, it is known that a resource-rich server device collects and analyzes logs generated by in-vehicle devices.

JP 2019-175017 A

However, if the communication environment between the vehicle and the server device is bad and the logs generated by the in-vehicle device cannot be sent to the server device, the in-vehicle device will not be able to send the logs to the server device. must be managed and stored.

If the log generated by the in-vehicle device cannot be sent to the server device for a long time, a large number of logs to be sent to the server device accumulate in the memory installed in the in-vehicle device, and there is a risk that the capacity of the memory will be reached. As a result, newly acquired logs cannot be stored in memory and are discarded, or important logs stored in memory are overwritten to collect the logs necessary for analyzing incidents such as external attacks. may not be possible.

Therefore, the present invention is designed to analyze incidents such as an external attack or an abnormality occurring in an in-vehicle device in a situation where logs generated by the in-vehicle device cannot be sent to the server device, until the logs are sent to the server device. An object of the present invention is to realize a log management device or the like that can appropriately manage and store necessary logs.

A log management device (100, 200) of the present disclosure is a log management device mounted on a mobile body, comprising: a log acquisition unit (101) for acquiring a log generated by a security sensor mounted on the mobile body; Outside the mobile object, there is a transmission availability determination unit (105) for determining whether or not the log can be transmitted, and a storage area consisting of a first area and a second area, wherein the first area is , an area in which overwriting of a first log, which is a log stored in the first area, is prohibited, and a first storage capacity of the storage capacity of the storage area is allocated; The area of is a memory ( 102), when the transmittability determination unit determines that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is a log storage area determination unit (106) for determining the second area as a log storage area for storing the log when the importance is lower than the predetermined importance; and a memory control unit (107) for increasing an allocation ratio of the storage capacity of the log storage area to the storage capacity and storing the log in the log storage area when the amount of log data is less than the data amount of the log; Prepare.

It should be noted that the numbers in parentheses attached to the constituent elements of the invention described in the claims and this section indicate the corresponding relationship between the present invention and the embodiments described later, and are not intended to limit the present invention. do not have.

With the configuration as described above, in a situation where the log generated by the in-vehicle device cannot be transmitted to the server device, the log that is highly necessary for analysis by the server device can be stored without loss until it is transmitted to the server device. becomes possible.

A diagram showing a configuration example of a log collection system according to each embodiment A diagram showing a configuration example of an electronic control system having a log management device of each embodiment 1 is a block diagram showing a configuration example of a log management device according to the first embodiment; FIG. FIG. 4 is a diagram for explaining the memory of the log management device of the first and second embodiments; FIG. 4 is a diagram for explaining the operation of the log management device according to the first and second embodiments; FIG. 4 is a diagram for explaining the operation of the log management device according to the first and second embodiments; FIG. 4 is a diagram for explaining the operation of the log management device according to the first and second embodiments; FIG. 4 is a diagram for explaining the operation of the log management device according to the first and second embodiments; Block diagram showing a configuration example of the log management device of the second embodiment FIG. 4 is a diagram for explaining a memory according to a modification of each embodiment;

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described with reference to the drawings.

It should be noted that the present invention means the invention described in the scope of claims or the section of Means for Solving the Problems, and is not limited to the following embodiments. In addition, at least the words and phrases in angle brackets mean the words and phrases described in the claims or the means for solving the problems section, and are not limited to the following embodiments.

The configurations and methods described in the dependent claims are arbitrary configurations and methods in the invention described in the independent claims. The configurations and methods of the embodiments corresponding to the configurations and methods described in the dependent claims, and the configurations and methods described only in the embodiments without being described in the claims, are optional configurations and methods in the present invention. The configuration and method described in the embodiment when the description of the claims is broader than the description of the embodiment are also arbitrary configurations and methods in the present invention in the sense that they are examples of the configuration and method of the present invention. . In either case, the essential features and methods of the invention are described in the independent claims.

The effects described in the embodiments are the effects when having the configuration of the embodiment as an example of the present invention, and are not necessarily the effects of the present invention.

When there are multiple embodiments, the configuration disclosed in each embodiment is not limited to each embodiment, but can be combined across the embodiments. For example, a configuration disclosed in one embodiment may be combined with another embodiment. Further, the configurations disclosed in each of the plurality of embodiments may be collected and combined.

The problems described in the Problems to be Solved by the Invention are not known problems, but were independently discovered by the inventors, and are facts that affirm the inventive step of the invention together with the structure and method of the present invention.

1. Configuration Common to Each Embodiment (1) Overall Configuration of Log Collection System The overall configuration of a log collection system 1 common to each embodiment will be described with reference to FIG. The log collection system S is composed of an electronic control system 1 "mounted" in a vehicle, which is a "moving body", and a server device 2 located outside the vehicle. The electronic control system 1 and the server device 2 communicate via a communication network 3 .

Here, the "moving object" refers to an object that can move, and the moving speed is arbitrary. Naturally, it also includes the case where the moving body is stopped. Examples include, but are not limited to, automobiles, motorcycles, bicycles, pedestrians, ships, aircraft, and objects mounted thereon.
The term "mounted" includes not only being directly fixed to a moving object, but also moving together with the moving object although not being fixed to the moving object. For example, it may be carried by a person riding on a moving body, or may be mounted on a load placed on the moving body.

The configuration of the electronic control system 1 will be detailed below. In each of the following embodiments, the electronic control system 1 will be described as an in-vehicle system mounted in a vehicle. However, the electronic control system 1 is not limited to an in-vehicle system.

The server device 2 collects logs from the electronic control system 1 and analyzes cyberattacks and abnormalities occurring in the electronic control system 1 . Examples of the server device 2 include a workstation and a personal computer (PC), but may be an electronic control unit (ECU), a semiconductor circuit element, a smart phone, a mobile phone, or the like.

The communication network 3 may be a wired communication network as well as a wireless communication network. In the case of wireless communication systems, for example, IEEE802.11 (Wi-Fi (registered trademark)), IEEE802.16 (WiMAX (registered trademark)), W-CDMA (Wideband Code Division Multiple Access), HSPA (High Speed Packet Access) , LTE (Long Term Evolution), LTE-A (Long Term Evolution Advanced), 4G, 5G, etc. can be used. Alternatively, DSRC (Dedicated Short Range Communication) can be used. In the case of wired communication, for example, a LAN (Local Area Network), the Internet, or a fixed telephone line can be used. A wireless communication network may combine a wireless communication method and a wired communication method. For example, a wireless communication system is used between the electronic control system 1 and a base station device in a cellular system, and a wired communication system such as a carrier's trunk line or the Internet is used between the base station device and the server device 2. may be connected.

(2) Configuration of electronic control system 1

The configuration of the electronic control system 1 will be described with reference to FIG. The electronic control system 1 has a central gateway device (hereinafter referred to as CGW) 10, an external communication electronic control device (hereinafter referred to as external communication ECU) 11, an electronic control device (hereinafter referred to as ECU) 12, and a network 13 connecting these. .

The CGW 10 is an electronic control device that relays communication between the external communication ECUs 11 and 12 or between the ECUs 12 via the network 13 . In each embodiment described below, it is assumed that the CGW 10 functions as a log management device (100, 200). However, any electronic control device that configures the electronic control system 1 may have a function as a log management device.

The external communication ECU 11 is an electronic control unit that communicates with the server device 2 using the communication network 3 .

The ECU 12 is an electronic control unit that implements the functions of the vehicle. Any ECU can be assigned to the ECU 12 . For example, drive system electronic control units that control the engine, steering wheel, brakes, etc., vehicle system electronic control units that control meters, power windows, etc., information system electronic control units such as navigation devices, or obstacles and pedestrians safety control system electronic control device that performs control to prevent collision with.

The ECU 12 is provided with a security sensor that monitors communication between each ECU and each ECU. The security sensor monitors the ECU itself and communication of the ECU, detects external attacks and abnormalities, and generates a security log (hereinafter referred to as log). Logs generated by security sensors contain information indicating the occurrence of external attacks and abnormalities. Further, the security sensor may generate a log indicating that no attack or abnormality has occurred and that the ECU itself and the communication status are normal. The log may further include information indicating the time when the log was generated by the security sensor, and information identifying the security sensor that generated the log or the ECU in which the security sensor is provided. Logs generated by security sensors are sent to the CGW 10 .

Although not shown in FIG. 2, each ECU 12 may be provided with a log filter for filtering logs generated by the security sensors. The log filter, for example, selects logs indicating the occurrence of attacks or abnormalities from the logs generated by the security sensors, and transmits only the selected logs to the CGW 10 .

The network 13 is a network that connects the CGW 10, the external communication ECU 11, and the ECU 12. In each embodiment described below, the network 13 is an in-vehicle network. , Bluetooth (registered trademark), etc., can be used.

2. First Embodiment (1) Configuration of Log Management Apparatus 100 The configuration of the log management apparatus 100 of this embodiment will be described with reference to FIG. The log management device 100 includes a log acquisition unit 101 , memory 102 , control unit 103 and transmission unit 104 . Also, the control unit 103 implements a transmittability determination unit 105 , a log storage area determination unit 106 , and a memory control unit 107 .

The log management device 100 of the present embodiment, which is the CGW 10, includes a general-purpose CPU (Central Processing Unit), volatile memory such as RAM, non-volatile memory such as ROM, flash memory, or hard disk, various interfaces, and connecting these It can be configured with an internal bus. By executing software on these hardware, the function of each functional block shown in FIG. 3 can be realized. Of course, the log management device 100 may be realized by dedicated hardware such as LSI.

In the present embodiment, the log management device 100 is assumed to be in the form of an electronic control unit (ECU (Electric Control Unit), hereinafter abbreviated as ECU) as a semi-finished product, but the present invention is not limited to this. For example, the forms of parts include semiconductor circuits and semiconductor modules, and the forms of finished products include personal computers (PCs), smart phones, mobile phones, and navigation systems.

A log acquisition unit 101 acquires a log generated by a security sensor provided in each ECU 12 . Although not shown in FIG. 3, the log acquired by the log acquisition unit 101 may be stored in a buffer (not shown) and then stored in the memory 102 described later, or may be transmitted from the transmission unit 104. .

The memory 102 stores the log acquired by the log acquisition unit 101 . Although the memory 102 shown in the following embodiments is assumed to be non-volatile memory, it may be configured by volatile memory.

FIG. 4 is a diagram schematically illustrating the memory 102. As shown in FIG. The memory 102 has a storage area A having a predetermined storage capacity. This storage area A is an area consisting of a first area A1 and a second area A2, and stores logs acquired by the log acquisition unit 101 .

The first storage capacity of the storage capacity of the storage area A is allocated to the first area A1. The first storage capacity is specified by the allocation ratio of the storage capacity of the storage area A to the first area A1. Overwriting of the log (corresponding to the "first log") stored in the first area A1 is prohibited.

The second storage capacity of the storage capacity of the storage area A is allocated to the second area A2. The second storage capacity is specified by the allocation ratio of the storage capacity of the storage area A to the second area A2. It is possible to overwrite the log (corresponding to the "second log") stored in the second area A2.

Here, the allocation rate of the storage capacity of the storage area A to the first area A1 and the allocation rate of the storage capacity of the storage area A to the second area A2 can be changed to arbitrary values. be. Allocation ratios to the first area A1 and the second area A2 are controlled by the memory control unit 107, which will be described later. Note that the memory control unit 107 changes the storage capacity [Byte] allocated to the first area A1 and the second area A2 out of the predetermined storage capacity, so that the storage capacity of the storage area A is reduced to the first area A1 and the allocation rate to the second area A2 may be changed.

When the allocation rate to the first area A1 is increased, the allocation rate to the second area A2 is decreased accordingly. For example, FIG. 4a shows a case where the allocation rate of the storage capacity of the storage area A to the first area A1 is 50% and the allocation rate to the second area A2 is 50%. On the other hand, FIG. 4b shows a case where the allocation rate of the storage capacity of the storage area A to the first area A1 is 70% and the allocation rate to the second area A2 is 30%.

Note that FIG. 4 exemplifies a case where the memory 102 has only the storage area A as an area for storing logs. However, as a matter of course, the memory 102 may have an area capable of storing data other than the storage area A, and the log acquired by the log acquisition unit 101 or data other than the log may be stored in this area. That is, the storage capacity of storage area A is not necessarily equal to the storage capacity of memory 102 .

Control unit 103 controls operations of log acquisition unit 101 , memory 102 , and transmission unit 104 . Further, the control unit 103 implements the transmission possibility determination unit 105, the log storage area determination unit 106, and the memory control unit 107 by itself.

The transmittability determination unit 105 determines whether or not the log acquired by the log acquisition unit 101 can be transmitted to the server device 2 located outside the vehicle. For example, the transmission enable/disable determining unit 105 determines whether the communication network 3 between the external communication ECU 11 and the server device 2 is established, or whether the communication speed between the external communication ECU 11 and the server device 2 is a predetermined speed. If the communication network 3 is not established or if the communication speed is lower than a predetermined speed, it is determined that transmission is impossible. Alternatively, even when the communication network 3 is established, if the log acquisition unit 101 acquires a large amount of logs, the transmission unit 104 described later cannot immediately transmit all the logs to the server device 2 . Therefore, even when the log acquisition unit 101 acquires logs that exceed a predetermined number or data amount, the transmittability determination unit 105 may determine that the log cannot be transmitted.

When the transmittability determination unit 105 determines that the log cannot be transmitted, the log storage area determination unit 106 determines the “importance” of the log.

Here, "importance" is an index that indicates the importance of a log determined based on predetermined evaluation criteria. may be

Further, when the determined importance of the log is “higher than” the “predetermined” importance of the log, the log storage area determination unit 106 designates the first area A1 of the storage area A of the memory 102 as a log storage area for storing the log. Determine as a region. Further, when the determined importance of the log is lower than the “predetermined” importance, the log storage area determination unit 106 determines the second area A2 of the storage area A as the log storage area for storing the log. do.

Here, "predetermined" includes a case where it is always constant and a case where it is uniquely determined according to conditions.
"Than" includes both including and not including the same value as the comparison.

In the example below, the log storage area determining unit 106 determines whether the log is of high or low importance. A case where it is determined that the importance of a log is lower than a predetermined importance when it is determined that the importance of a log is low is described as an example. However, the log storage area determining unit 106 numerically determines the importance of logs based on various parameters, and determines whether the determined numerical value is higher or lower than the numerical value set as the predetermined importance. may

For example, the log storage area determination unit 106 determines that the importance of the log is high when the log indicates an attack from the outside or an abnormality in the ECU or communication.

As another example, the log storage area determining unit 106 determines the importance of the log based on the security sensor that generated the log. It is not desirable from the viewpoint of safe driving of the vehicle that the ECU, which implements functions related to vehicle driving (for example, functions related to braking and steering of the vehicle), is attacked from the outside or an abnormality occurs. There is a strong need to analyze logs generated by security sensors provided in such ECUs. Therefore, the log storage area determination unit 106 determines that logs generated by a security sensor provided in a specific ECU, for example, an ECU that implements a function related to running of the vehicle, have a high degree of importance. Note that the log storage area determining unit 106 can determine the security sensor that generated the log and the ECU on which the security sensor is mounted based on the identification information of the security sensor included in the log.

As yet another example, the log storage area determination unit 106 determines the importance of the log based on the time when the log was generated. For example, when a security sensor detects an attack from the outside, it may be possible to analyze the path of attack, details of the attack, and the impact of the attack by analyzing logs generated before and after the attack was detected. Therefore, the log storage area determining unit 106 determines that logs generated within a predetermined period of time from the time when the security sensor detected an attack or anomaly are of high importance. Note that the log storage area determining unit 106 can determine the time when the log was generated based on the time information included in the log.

In each of the above examples, the log storage area determining unit 106 determines the importance based on the information included in the log. However, the security sensor provided in each ECU 12 may determine the importance of the log and assign the determined importance to the log. In this case, the log storage area determining unit 106 can determine the importance of the log using the importance assigned to the log.

The memory control unit 107 stores the log in the log storage area determined by the log storage area determination unit 106 . Here, the memory control unit 107 compares the free space of the log storage area with the amount of log data acquired by the log acquisition unit 101 . If the free space in the log storage area is smaller than the amount of log data, the ratio of storage capacity allocated to the log storage area with respect to the storage capacity of storage area A is increased. ensure

A specific example of memory control by the memory control unit 107 will be described below. First, a case will be described where the importance of a log is higher than the predetermined importance and the log storage area determination unit 106 has determined the first area A1 as the log storage area.

When the free space of the first area A1 is larger than the log data amount, the memory control unit 107 stores the log in the first area A1, which is the log storage area.

On the other hand, if the free space in the first area A1 is less than the log data amount, the log cannot be stored in the first area A1. In addition, since overwriting of the log is prohibited in the first area A1, it is also impossible to overwrite the log stored in the first area A1 and store the log. Therefore, the memory control unit 107 compares the free space of the second area A2, which is not the log storage area, with the amount of log data. Here, when the free space of the second area A2 is larger than the amount of log data, the memory control unit 107 increases the ratio of allocation of the storage capacity of the first area A1 to the storage capacity of the storage area A. , a free space for saving the log is secured in the first area A1. Then, the log is stored in the first area A1 to which the increased storage capacity is allocated. Note that the ratio of allocation to the storage capacity of the second area A2 is reduced.

Also, if the free space of the second area A2 is less than the log data amount, the memory control unit 107 cannot increase the allocation rate to the storage capacity of the first area A1. Therefore, the memory control unit 107 first deletes one or more logs saved in the second area A2. As a result, a free space is generated in the second area A2. Next, the memory control unit 107 secures free space for saving the log in the first area A1 by increasing the allocation rate of the storage capacity of the first area A1 to the storage capacity of the storage area A. . Then, the log is stored in the first area A1 to which the increased storage capacity is allocated. In this case, by deleting the logs stored in the second area A2 and increasing the allocation rate to the first storage capacity, logs with a higher degree of importance than the deleted logs are stored.

Here, it is preferable that the memory control unit 107 deletes the logs stored in the second area A2 starting with the time generated by the security sensor, that is, the log with the oldest time information included in the log.

The log time information acquired by the log acquisition unit 101 may be older than the log time information stored in the second area A2. As shown in FIG. 2 , the log management device 100, which is the CGW 10, collects, via the network 13, logs generated by security sensors provided in multiple ECUs. Therefore, depending on network congestion, the log acquisition unit 101 may acquire the logs in an order different from the order generated by the security sensors. That is, there is a possibility that the log generated after the log acquired by the log acquisition unit 101 has already been saved in the memory 102 . In such a case, it is not desirable to delete logs with newer time information. Therefore, the log to be deleted from the second area A2 is a log including time information older than the log acquired by the log acquisition unit 101 . Further, when all of the time information of the logs stored in the second area A2 are newer than the time information included in the log acquired by the log acquisition unit 101, the memory control unit 107 causes the log acquisition unit 101 to may discard the acquired log without saving it.

Next, a case will be described in which the importance of the log is lower than the predetermined importance and the log storage area determining unit 106 has determined the second area A2 as the log storage area.

When the free space of the second area A2 is larger than the log data amount, the memory control unit 107 stores the log in the second area A2, which is the log storage area.

On the other hand, if the free space of the second area A2 is less than the log data amount, the log cannot be stored in the second area A2. Therefore, the memory control unit 107 compares the free space of the first area A1, which is not the log storage area, with the amount of log data. Here, when the free space of the first area A1 is larger than the amount of log data, the memory control unit 107 increases the ratio of allocation of the storage capacity of the second area A2 to the storage capacity of the storage area A. , to secure the free space for saving the log in the second area A2. Then, the log is stored in the second area A2 to which the increased storage capacity is allocated. Note that the allocation ratio to the storage capacity of the first area A1 is decreased.

Also, if the free space in the first area A1 is less than the amount of log data, the memory control unit 107 cannot increase the ratio of allocation to the storage capacity in the second area A2. Therefore, the memory control unit 107 overwrites the log saved in the second area A2 and saves the log. Here, the log to be overwritten is preferably the log with the oldest time information, that is, the time generated by the security sensor among the logs stored in the second area A2. Further, as in the above example, if the time information of the logs stored in the second area A2 is newer than the time information included in the log acquired by the log acquisition unit 101, the memory control unit 107 discards the log acquired by the log acquisition unit 101 without saving it.

The transmission unit 104 transmits the log to the server device 2 located outside the vehicle via the external communication ECU 11 . Here, the log to be transmitted by the transmitting unit 104 differs depending on the timing at which the transmittability determining unit 105 determines that the log can be transmitted. If the transmittability determination unit 105 determines that the log can be transmitted when the log acquisition unit 101 acquires the log, the transmission unit 104 transmits the log acquired by the log acquisition unit 101 as it is.

On the other hand, when the log acquisition unit 101 acquires the log, the transmittability determination unit 105 determines that the log cannot be transmitted. If it is determined that the log can be transmitted, the transmission unit 104 transmits the log saved in the first area A1 or the second area A2 of the memory 102. FIG. In this case, memory control section 107 deletes the log transmitted from transmitting section 104 from memory 102 .

Note that the transmission unit 104 may transmit logs stored in the memory 102 in order of importance, for example, logs stored in the first area A1. Logs with the oldest information may be transmitted in order.

(2) Operation of Log Management Apparatus 100 Operation of the log management apparatus 100 will be described with reference to FIGS. 5 to 8. FIG.
The following operations not only show the log management method executed by the log management device 100 but also show the processing procedure of the log management program executable by the log management device 100 .
These processes are not limited to the order shown in FIGS. In other words, the order may be changed as long as there is no restriction such that a step uses the result of the preceding step.
explain.

The log acquisition unit 101 acquires a log generated by a security sensor provided in each ECU 12 (S101).
The transmittability determination unit 105 determines whether or not the log acquired by the log acquisition unit 101 can be transmitted (S102).
Here, when the transmittability determination unit 105 determines that the log can be transmitted (S102: Y), the transmission unit 104 transmits the log acquired in S101 to the server device 2 located outside the vehicle ( S103).
On the other hand, when the transmittability determination unit 105 determines that the log cannot be transmitted (S102: N), the log storage area determination unit 106 determines the importance of the log acquired in S101, and determines the importance of the determined log. degree is higher than a predetermined degree of importance (S104).
Here, if the importance of the log is higher than the predetermined importance (S104: Y), the first area A1 is determined as the log storage area (S105), and the process shown in FIG. 6 is performed. On the other hand, when the importance of the log is lower than the predetermined importance (S104: N), the second area A2 is determined as the log storage area (S106), and the process proceeds to the process shown in FIG.

Next, the processing after the first area A1 is determined as the log storage area (S105) in FIG. 5 will be described with reference to FIG.
The memory control unit 107 compares the free space of the first area A1, which is a log storage area, with the amount of log data (S201).
Here, if the free space in the first area A1 is larger than the log data amount (S201: Y), the memory control unit 107 saves the log in the first area A1 (S202).
When the free space of the first area A1 is smaller than the amount of log data (S201: N), the memory control unit 107 compares the free space of the second area A2, which is not a log storage area, with the amount of log data. (S203).
In S203, as a result of comparing the free space of the second area A2 and the amount of log data, if the free space of the second area A2 is larger than the amount of log data (S203: Y), the memory control unit 107 , the allocation ratio of the storage capacity of the first area A1 to the storage capacity of the storage area A is increased (S204).
Then, the log is stored in the first area A1 (S202).

Further, in S203, as a result of comparing the free space of the second area A2 and the amount of log data, if the free space of the second area A2 is smaller than the amount of log data (S203: N), the memory control unit 107 further determines whether or not a log including time information older than the time information included in the log acquired in S101 is stored in the second area A2 (S205).
Here, when a log including time information older than the time information included in the log acquired in S101 is stored in the second area A2 (S205: Y), the memory control unit 107 deletes the log ( S206).
Then, the memory control unit 107 increases the allocation ratio of the storage capacity of the first area A1 to the storage capacity of the storage area A (S204), and stores the log in the first area A1 (S202).
Further, when the log including time information older than the time information included in the log acquired in S101 is not stored in the second area A2 (S205: N), the memory control unit 107 discards the log acquired in S101. (S207).

Next, the processing after the second area A2 is determined as the log storage area (S106) in FIG. 5 will be described with reference to FIG.
The memory control 107 compares the free space of the second area A2, which is a log storage area, with the amount of log data (S301).
Here, if the free space of the second area A2 is larger than the data amount of the log (S301: Y), the memory control unit 107 saves the log in the second area A2 (S302).
If the free space of the second area A2 is smaller than the amount of log data (S301: N), the memory control unit 107 compares the free space of the first area A1, which is not a log storage area, with the amount of log data. (S303).
In S303, as a result of comparing the free space of the first area A1 and the log data amount, if the free space of the first area A1 is larger than the log data amount (S303: Y), the memory control unit 107 , the allocation ratio of the storage capacity of the second area A2 to the storage capacity of the storage area A is increased (S304).
Then, the log is stored in the second area A2 (S302).

Further, in S303, as a result of comparing the free space of the first area A1 and the log data amount, if the free space of the first area A1 is smaller than the log data amount (S303: N), the memory control unit 107 further determines whether a log including time information older than the time information included in the log acquired in S101 is stored in the second area A2 (S305).
Here, when a log including time information older than the time information included in the log acquired in S101 is stored in the second area A2 (S305: Y), the memory control unit 107 overwrites the log. , save the log acquired in S101 (S306).
Further, when the log including the time information older than the time information included in the log acquired in S101 is not stored in the second area A2 (S305: N), the memory control unit 107 discards the log acquired in S101. (S307).

In the above-described embodiment, in S207 and S307, a configuration has been described in which logs that cannot be saved in the save area A of the memory 102 are immediately discarded. However, if the log acquired by the log acquisition unit 101 cannot be stored in the storage area A, the log storage process may simply be interrupted without discarding the log immediately. In this case, the memory control unit 107 may perform the process shown in FIG. 6 or 7 again after a predetermined period of time has passed since the log saving process was interrupted. Then, if the log cannot be saved in the memory as a result of performing the saving process to the memory a predetermined number of times, the log may be discarded.

Next, the operation of the log management device 100 after saving the log in the saving area A of the memory 102 will be described with reference to FIG.
The communication propriety determination unit 105 determines whether or not the log can be transmitted to the server device outside the vehicle (S401).
Then, when it is determined that communication is possible, the transmission unit 104 transmits the log stored in the memory 102 to the server device (S402).
Then, the memory control unit 107 deletes the transmitted log from the memory 102 (S403).

(3) Summary According to this embodiment, logs with high importance are saved in an area where overwriting is prohibited. It is possible to prevent the log from being overwritten. In addition, since logs with low importance are saved by overwriting older logs, it is possible to save the latest logs.

Furthermore, according to the present embodiment, it is possible to efficiently use the storage area of the memory by appropriately changing the allocation ratio of the storage capacity to the area where overwriting is prohibited or the area where overwriting is possible. becomes.

2. Second Embodiment In this embodiment, an example in which an electronic control device having a virtual machine functions as a log management device will be described.

FIG. 9 shows an electronic control device 200 that functions as a log management device of this embodiment. The electronic control unit 200 comprises a hypervisor (HV) 210 , multiple virtual machines ( 220 , 230 ) managed by the hypervisor 210 , and memory 102 . As in the first embodiment, the electronic control unit 200 is assumed to be the CGW 10 in FIG. 2, but is not limited to this.

Hypervisor 210 is software that virtualizes electronic control unit 200 . In the example of FIG. 9 , the first virtual machine 220 and the second virtual machine 230 are built on the hypervisor 210 . In this example, the electronic control unit 200 has only one hypervisor 210, but the electronic control unit 200 has multiple hypervisors and virtual machines managed by multiple hypervisors. may

Each virtual machine of the electronic control unit 200 has a platform (hereinafter referred to as PF). In FIG. 9, the first virtual machine 220 has a first PF 222 and the second virtual machine 230 has a second PF 232, respectively. FIG. 9 further shows applications (221, 231) running on the PF of each virtual machine.

There are various types of PFs, and arbitrary PFs can be applied as the first and second PFs (222, 232). For example, the first PF 222 is a static function optimized platform called Classic Platform (CP) in AUTOSAR (AUTomotive Open System ARchitecture). CP is primarily a suitable platform for electronic controllers for vehicle control. In addition, the second PF 232 applies, for example, a platform capable of dynamically expanding functions, which is called Adaptive Platform (AP) in AUTOSAR. AP is primarily a suitable platform for electronic controllers for autonomous driving. By mixing multiple virtual machines with different PFs in one electronic control device in this way, it becomes possible to integrate multiple functions into one electronic control device, which in turn reduces the total number of electronic control devices. becomes possible.

In such a configuration, the OS of the virtual machine may be provided, for example, between the hypervisor and the PF, or may be integrated with the hypervisor or included in the PF.

A first application 221 running on a first virtual machine 220 includes a security sensor. This security sensor has the same function as the security sensor mounted on the ECU 12 shown in FIG. That is, each security sensor monitors the operation of each virtual machine and generates a log.

A second application 231 running on the second virtual machine 230 includes a log acquisition unit 101 , a transmission unit 104 , a transmission availability determination unit 105 , a log storage area determination unit 106 , and a memory control unit 107 . The functions and operations of the log acquisition unit 101, the transmission unit 104, the transmission availability determination unit 105, the log storage area determination unit 106, and the memory control unit 107 are the same as in the first embodiment.

In the first embodiment, the log acquisition unit 101 acquires logs generated by a security sensor installed in an electronic control unit (ECU 12) different from the electronic control unit 100, which is a log management device. On the other hand, the log acquisition unit 101 of the second embodiment acquires a log generated by a security sensor installed in the electronic control device 200 that functions as a log management device. As a matter of course, the log acquisition unit 101 may acquire a log generated by a security sensor installed in the ECU 12 connected to the electronic control unit 200 via the network 13, as in the first embodiment.

3. Modified example of each embodiment (1) Modified example 1
In this modified example, the electronic control device (100, 200) functioning as a log management device will be described as an electronic control device loaded with an application for realizing other functions in addition to an application for realizing a log management function. .

FIG. 10 is a diagram for explaining the memory of Modification 1. As shown in FIG. Unlike FIG. 4, memory 102 has a shared area and a dedicated area. A shared area is an area shared by a plurality of applications installed in the electronic control units 100 and 200 . The dedicated area is an area that can be used by only one specific application among multiple applications installed in the electronic control units 100 and 200, and access from applications other than the specific application is restricted.

When the memory 102 has a shared area and a dedicated area as in this modified example, the storage area A of this embodiment, that is, the first area A1 and the second area A2 are provided in the dedicated area.

Naturally, the CGW 10 may have other functions in addition to functioning as a log management device. Therefore, when this modification is applied to the first embodiment, in the electronic control device 100, the area accessible by both the application executing the log management function and the application executing other functions is the shared area. A private area is an area that can only be used by an application that performs a function.

Further, when this modification is applied to the second embodiment, both the first application 221 and the second application 231 can access the shared area, and the area shared by these applications is shared. A dedicated area is an area that can be used by either the first application 221 or the second application 231 only.

The log generated by the security sensor is a log necessary for the server apparatus 2 to analyze an attack on the ECU or an abnormality, and is highly necessary. Therefore, by providing a log storage area in a dedicated area, a sufficient memory capacity for storing logs can be secured even when other applications are using the memory.

In the example of this modification, if the log acquired by the log acquisition unit 101 in the above-described embodiment cannot be stored in the storage area A, the log whose storage process is interrupted may be temporarily stored in the shared area.

(2) Modification 2
In the above-described embodiment, a configuration has been described in which the ratio of storage capacity allocation to the first area A1 and the second area A2 of the storage areas of the memory 102 can always be changed. However, the allocation ratios of the first area A1 and the second area A2 may not always be changeable, and may be switched between changeable and unchangeable.

The memory control unit 107 of this modification switches between a first mode in which the storage capacity allocation ratio can be changed and a second mode in which the allocation ratio cannot be changed. For example, the memory control unit 107 switches between the first mode and the second mode based on the free space of the first area A1 and the free space of the second area A2. Specifically, in the second mode in which the allocation rate of the storage capacity cannot be changed, if the difference between the free space of the first area A1 and the free space of the second area A2 is large, there is no free space in one of the areas. It is possible that the log cannot be saved even though there is. Therefore, when the difference between the free space of the first area A1 and the free space of the second area A2 becomes larger than a predetermined value, the memory control unit 107 switches from the first mode to the second mode. Then, when the difference between the free space of the first area A1 and the free space of the second area A2 becomes smaller than a predetermined value, the memory control unit 107 switches from the second mode to the first mode.

As another example, the memory control unit 107 may switch between the first mode and the second mode in situations where a large amount of logs are generated. For example, if the electronic control system 1 is under attack from the outside, the security sensor may detect the attack or abnormality and generate a large amount of logs. In particular, the logs generated under such circumstances are the logs necessary for attack analysis, and are likely to be of high importance, and the number of logs to be stored in the first area A1 may increase. expensive. Therefore, the memory control unit 107 switches from the second mode to the first mode when the log acquired by the log acquisition unit 101 indicates that the security sensor has detected an abnormality.

Note that in the second mode, the allocation ratios of the first area A1 and the second area A2 cannot be changed. If the free space of the first area A1, which is an area, is smaller than the data amount of the log, the log cannot be saved in the first area A1. Therefore, when the log cannot be saved in the log saving area in the second mode, the saving process of the log obtained by the log obtaining unit 101 is interrupted.

4. Generalization The features of the log management device and the like in each embodiment of the present invention have been described above.
Since the terms used in each embodiment are examples, they may be replaced with synonymous terms or terms including synonymous functions.

The block diagrams used in the description of the embodiments are obtained by classifying and arranging the configuration of the device for each function. Blocks representing respective functions are realized by any combination of hardware or software. Moreover, since the block diagram shows the function, it can also be understood as disclosure of the invention of the method and the invention of the program for realizing the method.

The blocks that can be grasped as the processing, flow, and method described in each embodiment can be rearranged in order unless there is a constraint such that one step uses the result of another step that precedes it. good.

Each embodiment assumes a log management device for a vehicle mounted on a vehicle, but the present invention can also be applied to a dedicated or general-purpose log management device other than for vehicles, unless otherwise specified in the scope of claims. includes.

Although each embodiment has been described on the premise that the log management device disclosed in each embodiment is installed in a vehicle, it may be assumed that the log management device is carried by a pedestrian.

Examples of forms of the log management device of the present disclosure include semiconductor elements, electronic circuits, modules, and microcomputers.
Semi-finished products include an electronic control unit (ECU (Electric Control Unit)) and a system board.
Finished product forms include mobile phones, smart phones, tablets, personal computers (PCs), workstations, and servers.
In addition, it includes a device having a communication function, such as a car navigation system.

In addition, necessary functions such as an antenna and a communication interface may be added to the log management device of the present disclosure.

In addition, the present invention can be realized not only by dedicated hardware having the configuration and functions described in each embodiment, but also by a program for realizing the present invention recorded on a recording medium such as a memory or a hard disk, and this It can also be implemented in combination with general-purpose hardware having a dedicated or general-purpose CPU and memory, etc., capable of execution.

A program for the log management device of the present invention, which is a non-transitional physical recording medium of dedicated or general-purpose hardware (for example, an external storage device (hard disk, USB memory, CD/BD, etc.), or an internal storage device) (RAM, ROM, etc.)) can also be provided to dedicated or general-purpose hardware via a recording medium, or via a communication line from a server without a recording medium. This allows us to always provide the latest features through program upgrades.

Although the log management device of the present invention has been described as an electronic control device for vehicles mainly mounted on automobiles, it can be used not only for motorcycles, motorized bicycles, railroads, but also pedestrians, ships, aircraft, and other moving bodies in general. It is possible to apply

100 log management device, 200 electronic control device, 101 log acquisition unit, 102 memory, 104 transmission unit, 105 transmission propriety determination unit, 106 log storage area determination unit, 107 memory control unit

Claims (16)

A log management device mounted on a mobile object,
a log acquisition unit (101) for acquiring a log generated by a security sensor mounted on the mobile object;
a transmittability determination unit (105) that determines whether the log can be transmitted to the outside of the mobile object;
A storage area consisting of a first area and a second area, wherein overwriting of the first log, which is a log stored in the first area, is prohibited in the first area, and The storage area is an area to which a first storage capacity is allocated in the storage capacity of the storage area, and the second area can be overwritten with a second log that is a log stored in the second area. and a memory (102), which is an area to which a second storage capacity of the storage capacity is allocated;
When the transmittability determination unit determines that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is selected. a log storage area determination unit (106) that determines the second area as a log storage area for storing the log if the degree of importance is lower than the predetermined level;
When the free space of the log storage area is less than the amount of data of the log, increasing the ratio of allocation to the storage capacity of the log storage area to the storage capacity, and storing the log in the log storage area. a control unit (107);
A log management device (100, 200). The log management device further
A transmission unit (104) that transmits the log acquired by the log acquisition unit to the outside of the vehicle when the transmission possibility determination unit determines that the log can be transmitted,
The log management device according to claim 1. After the memory control unit saves the log in the log saving area, if the transmittability determination unit determines that the log can be transmitted,
The transmission unit transmits the log stored in the log storage area to the outside of the vehicle,
The memory control unit deletes the log transmitted from the transmission unit from the log storage area.
3. The log management device according to claim 2. When the degree of importance is higher than the predetermined degree of importance, the free space of the first area, which is the log storage area, is less than the amount of data, and the free space of the second area is If it is larger than the data amount,
The memory control unit increases the allocation rate to the first storage capacity and stores the log in the first area to which the increased first storage capacity is allocated.
The log management device according to claim 1. When the degree of importance is higher than the predetermined degree of importance, the free space of the first area, which is the log storage area, is less than the amount of data, and the free space of the second area is If it is less than the data amount,
The memory control unit deletes the second log stored in the second area, increases an allocation rate to the first storage capacity, and allocates the increased first storage capacity. storing the log in the first area in the
The log management device according to claim 1. the log includes time information indicating the time when the security log generated the log;
The memory control unit retrieves, from among the second logs saved in the second area, a second log including time information older than time information included in the log acquired by the log acquisition unit. delete,
6. The log management device according to claim 5. When the time information included in the second log stored in the second area is newer than the time information included in the log acquired by the log acquisition unit, the memory control unit performs the first suspending the saving of said log to the area of
7. The log management device according to claim 6. when the degree of importance is lower than the predetermined degree of importance, the free space of the second area, which is the log storage area, is less than the amount of data, and the free space of the first area is If it is larger than the data amount,
The memory control unit increases the allocation rate to the second storage capacity and saves the log in the second area to which the increased second storage capacity is allocated.
The log management device according to claim 1. when the degree of importance is lower than the predetermined degree of importance, the free space of the second area, which is the log storage area, is less than the amount of data, and the free space of the first area is If it is less than the data amount,
The memory control unit stores the log by overwriting the second log stored in the second area.
The log management device according to claim 1. The log management device is an electronic control device,
The memory has a shared area shared by a plurality of applications installed in the electronic control unit and a dedicated area used by only one of the plurality of applications,
The log storage area is provided in the dedicated area,
The log management device according to claim 1. The memory control unit includes a first mode in which allocation ratios to the first storage capacity and the second storage capacity can be changed, and an allocation ratio to the first storage capacity and the second storage capacity. is switchable to and from a second mode that cannot be changed by
The log management device according to claim 1. The memory control unit switches between the first mode and the second mode based on the free space of the first area and the free space of the second area.
The log management device according to claim 11. wherein the memory control unit switches from the second mode to the first mode when the log indicates that the security sensor has detected an abnormality;
The log management device according to claim 11. An electronic control device mounted on a mobile object and having a memory (102), a first virtual machine (220) and a second virtual machine (230),
The memory is
A storage area consisting of a first area and a second area, wherein overwriting of the first log, which is a log stored in the first area, is prohibited in the first area, and The storage area is an area to which a first storage capacity is allocated in the storage capacity of the storage area, and the second area can be overwritten with a second log that is a log stored in the second area. and, of the storage capacity, an area to which a second storage capacity is allocated,
The first virtual machine is
having security sensors that generate logs,
The second virtual machine is
a log acquisition unit (101) for acquiring the log generated by the security sensor;
a transmittability determination unit (105) that determines whether the log can be transmitted to the outside of the mobile object;
When the transmittability determination unit determines that the log cannot be transmitted, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is selected. a storage area determination unit (106) that determines the second area as a log storage area for storing the log if the degree of importance is lower than the predetermined level;
Memory control for increasing an allocation ratio of the storage capacity of the log storage area to the storage capacity and storing the log in the log storage area when the free space of the log storage area is smaller than the data amount of the log. a portion (107);
an electronic controller (200); A log management method executed by a log management device mounted on a mobile object,
The log management device has a storage area consisting of a first area and a second area, and the first area is a log stored in the first area. A second log that is prohibited and is an area to which a first storage capacity is allocated in the storage capacity of the storage area, and the second area is a log saved in the second area. and a memory (102), which is an area to which a second storage capacity is allocated out of the storage capacity,
Acquiring a log generated by a security sensor mounted on the mobile object (S101),
determining whether or not the log can be transmitted to the outside of the mobile object (S102);
If it is determined that the log cannot be sent, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is set to the priority if the importance is higher than the predetermined importance. is also lower, the second area is determined as the log storage area for storing the log (S104, S105, S106),
When the free space of the log storage area is less than the data amount of the log, increasing the allocation ratio of the storage capacity of the log storage area to the storage capacity and storing the log in the log storage area ( S202, S302, S306),
Log management method. A log management program executable by a log management device mounted on a mobile object,
The log management device has a storage area consisting of a first area and a second area, and the first area is a log stored in the first area. A second log that is prohibited and is an area to which a first storage capacity is allocated in the storage capacity of the storage area, and the second area is a log saved in the second area. and a memory (102), which is an area to which a second storage capacity is allocated out of the storage capacity,
Acquiring a log generated by a security sensor mounted on the mobile object (S101),
determining whether or not the log can be transmitted to the outside of the mobile object (S102);
If it is determined that the log cannot be sent, the importance of the log is determined, and if the importance is higher than a predetermined importance, the first area is set to the priority if the importance is higher than the predetermined importance. is also lower, the second area is determined as the log storage area for storing the log (S104, S105, S106),
When the free space of the log storage area is less than the data amount of the log, increasing the allocation ratio of the storage capacity of the log storage area to the storage capacity and storing the log in the log storage area ( S202, S302, S306),
Log management program.

Images