JP2024051327A - Update device, update method, and update program - Google Patents

Abstract

[Problem] To provide an update device, method, and program for updating attack/anomaly relationship information used in analyzing cyber attacks. [Solution] An update device 10 includes a storage unit 105 that stores attack/anomaly relationship information including attack information indicating an attack, a set indicating a correspondence relationship between predicted anomaly information predicted to occur in the event of an attack, and predicted anomaly location information where the predicted anomaly will occur, an update information acquisition unit 106 that acquires update information including anomaly information occurring in an electronic control system, location information where the anomaly will occur, and cause information indicating whether the anomaly has occurred due to a malfunction or an attack, and an update control unit 107 that deletes the set indicating the predicted anomaly information and predicted anomaly location information corresponding to the anomaly information and location information from the attack/anomaly relationship information when the cause information indicates a malfunction, and adds to the attack/anomaly relationship information a set indicating a correspondence relationship between the anomaly information, location information, and attack information indicating the attack indicated by the cause information when the cause information indicates an attack. [Selected Figure] Figure 3

Description

The present invention relates to a device for updating information used to analyze attacks against electronic control systems mounted on mobile objects such as automobiles, and to an update device, an update method, and an update program.

In recent years, technologies for driving assistance and autonomous driving control, including V2X (vehicle-to-vehicle communication and vehicle-to-infrastructure communication), have been attracting attention. As a result, vehicles are being equipped with communication functions, and so-called connected vehicles are becoming more common. As a result, the possibility of vehicles being subject to cyber attacks, such as unauthorized access, is increasing. For this reason, it is necessary to analyze cyber attacks against vehicles and develop countermeasures.

There are various methods for detecting abnormalities that occur in a vehicle and analyzing cyber attacks based on the detected abnormalities. For example, Patent Document 1 describes a method of acquiring detected abnormality data and comparing the combination of items in which the abnormality was detected with an abnormality detection pattern that has been specified in advance for each attack to identify the type of attack that corresponds to the abnormality.

JP 2020-123307 A

Here, the present inventors have found the following problem as a result of detailed investigation.
Malicious attackers use new technologies and methods to launch cyberattacks every day. Therefore, it is necessary to update the information used to analyze cyberattacks on a regular basis. Furthermore, anomalies that were previously thought to be caused by cyberattacks may turn out to be unrelated to cyberattacks, for example, anomalies caused by vehicle failure or malfunction. If the information used to analyze cyberattacks contains information about such anomalies that occurred unrelated to cyberattacks, not only will the efficiency of cyberattack analysis and matching decrease, but the accuracy of the analysis may also decrease. Therefore, it is desirable to remove information that is unrelated to cyberattacks from the information used to analyze cyberattacks.

The present invention therefore aims to realize an update device etc. that can appropriately update information used in analyzing cyber attacks.

The update device according to one aspect of the present disclosure includes a storage unit (105) that stores attack-anomaly relationship information including one or more sets indicating the correspondence between attack information indicating an attack on an electronic control system, predicted anomaly information indicating an anomaly predicted to occur when the electronic control system is attacked, and predicted anomaly position information indicating the position in the electronic control system where the predicted anomaly will occur; an update information acquisition unit (106) that acquires update information including anomaly information indicating an anomaly occurring in the electronic control system, position information indicating the position where the anomaly will occur, and cause information indicating whether the anomaly has occurred due to a failure or an attack; and an update control unit (107) that deletes the set indicating the predicted anomaly information and the predicted anomaly position information corresponding to the anomaly information and the position information from the attack-anomaly relationship information when the cause information indicates a failure, and adds a set indicating the correspondence between the anomaly information, the position information, and attack information indicating the attack indicated by the cause information to the attack-anomaly relationship information when the cause information indicates an attack, thereby updating the attack-anomaly relationship information.

The numbers in parentheses attached to the constituent elements of the invention described in the claims and this section indicate the correspondence between the present invention and the embodiments described below, and are not intended to limit the present invention.

With the above-described configuration, the update device disclosed herein can appropriately update the information used in analyzing cyber attacks, thereby improving the efficiency of analyzing and matching cyber attacks and increasing the accuracy of the analysis.

FIG. 1 is an explanatory diagram illustrating the arrangement of an update device according to each embodiment. FIG. 1 is an explanatory diagram illustrating a configuration of an electronic control system according to each embodiment. FIG. 1 is a block diagram showing an example of the configuration of an update device according to a first embodiment; FIG. 1 is a diagram for explaining an attack/anomaly relationship table according to the first embodiment. FIG. 1 is a diagram for explaining predicted vehicle information according to the first embodiment; FIG. 1 is a diagram for explaining updates to the attack/anomaly relationship table in the first embodiment. FIG. 1 is a block diagram illustrating an example of the configuration of an attack analysis device 20 according to a first embodiment. FIG. 1 is a diagram for explaining the operation of a fault attack determination function of the update device according to the first embodiment. FIG. 1 is a diagram for explaining the operation of the update execution function of the update device according to the first embodiment. FIG. 1 is a block diagram illustrating an example of the configuration of an update device according to a modification of the first embodiment. FIG. 11 is a block diagram illustrating an example of the configuration of an update device according to a second embodiment. FIG. 13 is a block diagram illustrating an example of the configuration of an update device according to a modified example of the second embodiment.

The following describes an embodiment of the present invention with reference to the drawings.

The present invention refers to the invention described in the claims or in the Means for Solving the Problem section, and is not limited to the following embodiments. Furthermore, at least the words in quotation marks refer to the words described in the claims or in the Means for Solving the Problem section, and are not limited to the following embodiments.

The configurations and methods described in the dependent claims of the claims are optional configurations and methods in the invention described in the independent claims of the claims. The configurations and methods of the embodiments corresponding to the configurations and methods described in the dependent claims, and the configurations and methods described only in the embodiments without being described in the claims, are optional configurations and methods in the present invention. The configurations and methods described in the embodiments when the description of the claims is broader than the description of the embodiments are also optional configurations and methods in the present invention in the sense that they are examples of the configurations and methods of the present invention. In either case, by being described in the independent claims of the claims, they become essential configurations and methods of the present invention.

The effects described in the embodiments are the effects of having the configuration of the embodiment as an example of the present invention, and are not necessarily the effects of the present invention.

When there are multiple embodiments, the configurations disclosed in each embodiment are not limited to each embodiment, but can be combined across the embodiments. For example, a configuration disclosed in one embodiment may be combined with another embodiment. Also, the configurations disclosed in each of the multiple embodiments may be collected and combined.

The problem described in the problem that the invention is intended to solve is not a publicly known problem, but was discovered independently by the inventor, and this fact, together with the configuration and method of the present invention, affirms the inventive step of the invention.

1. Configurations Premised in Each Embodiment (1) Arrangement of the Update Device 10, the Attack Analysis Device 20, and the Electronic Control System S FIG. 1 is a diagram for explaining the arrangement of the update device 10 in each embodiment. For example, as shown in FIG. 1(a), the update device 10 is "mounted" on a vehicle, which is a "mobile body", together with the attack analysis device 20 and the electronic control system S, and as shown in FIG. 1(b) and FIG. 1(c), the update device 10 is realized by a server device or the like provided outside the vehicle. In FIG. 1(b), the electronic control system S is "mounted" on a vehicle, which is a "mobile body", and the attack analysis device 20 is disposed outside the vehicle together with the update device 10, whereas in FIG. 1(c), the attack analysis device 20 is "mounted" on a vehicle, which is a "mobile body", together with the electronic control system S.

Here, the term "mobile body" refers to an object that can move and can move at any speed. It also includes cases where the moving body is stationary. For example, it includes, but is not limited to, automobiles, motorcycles, bicycles, pedestrians, ships, aircraft, and objects mounted on these vehicles.
In addition, "mounted" includes not only the case where the device is directly fixed to the moving body, but also the case where the device is not fixed to the moving body but moves with the moving body, such as the case where the device is carried by a person riding on the moving body, or the case where the device is mounted on cargo placed on the moving body.

The update device 10 is a device that updates information used by the attack analysis device 20 to analyze cyber attacks. The attack analysis device 20 is a device that acquires security logs from multiple "electronic control devices" (hereinafter referred to as ECUs (Electronic Control Units)) that constitute the electronic control system S, and analyzes cyber attacks against the electronic control system S. In FIG. 1, the update device 10 and the attack analysis device 20 are illustrated as separate, independent devices, but as will be described in the modified examples of each embodiment, in the arrangement of FIG. 1(a) and FIG. 1(b), the update device 10 and the attack analysis device 20 may be physically provided as a single device.

Here, the "electronic control device" may be a physically independent electronic control device, or a virtualized electronic control device realized using virtualization technology.

In the case of FIG. 1(a), the update device 10 and the attack analysis device 20, and the attack analysis device 20 and the electronic control system S are each connected via an in-vehicle communication network such as a Controller Area Network (CAN) or a Local Interconnect Network (LIN). Alternatively, they may be connected using any communication method, whether wired or wireless, such as Ethernet (registered trademark), Wi-Fi (registered trademark), or Bluetooth (registered trademark).

In FIG. 1(a), the update device 10 and the attack analysis device 20 are provided outside the electronic control system S, but the update device 10 and the attack analysis device 20 may be provided independently inside the electronic control system S, or at least one of the ECUs 30 constituting the electronic control system S, for example, the MC or the external communication ECU, may incorporate the functions of the update device 10 and the attack analysis device 20.

1(b) also has an update device 10 and an attack analysis device 20 installed outside the electronic control system S, but since they are installed outside the vehicle, the connection form is different from that in FIG. 1(a). The attack analysis device 20 and the electronic control system S are connected via a communication network such as IEEE802.11 (Wi-Fi (registered trademark)), IEEE802.16 (WiMAX (registered trademark)), W-CDMA (Wideband Code Division Multiple Access), HSPA (High Speed Packet Access), LTE (Long Term Evolution), LTE-A (Long Term Evolution Advanced), 4G, 5G, or other wireless communication methods. Alternatively, DSRC (Dedicated Short Range Communication) can be used. When the vehicle is parked in a parking lot or in a repair shop, a wired communication method can be used instead of a wireless communication method. For example, a LAN (Local Area Network), the Internet, or a fixed telephone line can be used.

1(c), the attack analysis device 20 is provided inside the vehicle, just like the electronic control system S, so the connection between the attack analysis device 20 and the electronic control system S is the same as in FIG. 1(a). However, the update device 10 is provided outside the vehicle, so the update device 10 and the attack analysis device 20 are connected using a wireless communication method or a wired communication method, similar to the connection between the attack analysis device 20 and the electronic control system S in FIG. 1(b). Naturally, in the example shown in FIG. 1(c), the update device 10 can be connected to each of the attack analysis devices 20 installed in multiple vehicles.

Note that in FIG. 1 and the above explanation of (1) related thereto, the update device 10 of embodiment 1 is used as an example, but it can also be applied to the update devices (11, 12, 13) in embodiment 2 and the modified examples of each embodiment.

(2) Configuration of Electronic Control System S Fig. 2 is a diagram showing an example of the configuration of the electronic control system S. The electronic control system S is made up of a plurality of ECUs 30. Fig. 2 shows an example of five ECUs (ECU 30a to ECU 30e), but it goes without saying that the electronic control system S is made up of any number of ECUs. In the following explanation, when describing one or a plurality of electronic control devices as a whole in a comprehensive manner, they will be referred to as ECU 30 or each ECU 30, and when describing each individual electronic control device in a specific manner, they will be referred to as ECU 30a, ECU 30b, ECU 30c, ....

In the electronic control system S of FIG. 2, security sensors are installed in ECU 30a, ECU 30c, ECU 30d, and ECU 30e. In contrast, ECU 30b is not equipped with a security sensor. In this way, it is sufficient that multiple ECUs 30 constituting the electronic control system S are equipped with security sensors, and it is not necessary that all ECUs 30 are equipped with security sensors.

The security sensor generates a security log when it detects an abnormality occurring in the ECU 30 or the network connected to the ECU 30.

The electronic control system S can be composed of any ECU. For example, a drive system electronic control device that controls the engine, steering wheel, brakes, etc., a vehicle body electronic control device that controls meters, power windows, etc., an information system electronic control device such as a navigation device, or a safety control system electronic control device that performs control to prevent collisions with obstacles or pedestrians can be mentioned. In addition, the ECUs may not be parallel to each other, but may be classified as master and slave. In addition, the electronic control system S may be provided with a mobility computer (MC) having a gateway function that connects the electronic control devices to each other, and an external communication ECU that communicates with the outside. For example, the ECU 30a may be an external communication ECU, and the ECU 30c may be an MC.
Furthermore, the ECU 30 may be a physically independent ECU, or may be a virtually realized virtual ECU (also called a virtual machine).

In each embodiment, the electronic control system S is described as an in-vehicle system mounted on a vehicle, but the electronic control system S is not limited to an in-vehicle system and can be applied to any electronic control system consisting of multiple ECUs. For example, the electronic control system S may be mounted on a stationary body rather than a moving body.

2. Embodiment 1
(1) Configuration of the update device 10 Fig. 3 is a block diagram showing the configuration of the update device 10 in this embodiment. The update device 10 includes a determination information acquisition unit 101, a determination information database 102 (hereinafter, determination information DB), a failure/attack determination unit 103, an update information generation unit 104, an attack/anomaly relationship table storage unit 105, an update information acquisition unit 106, an update control unit 107, and a transmission unit 108.

The update device 10 has two main functions. One is a fault/attack determination function that determines whether a combination of an abnormality and a position occurring in the electronic control system S is caused by a fault or an attack. The other is an update execution function that executes an update of the attack/anomaly relationship table based on the determination result by the fault/attack determination function. Of the blocks shown in FIG. 3, the fault/attack determination information acquisition unit 101, the determination information DB 102, the fault/attack determination unit 103, and the update information generation unit 104 are blocks used to realize the fault/attack determination function. The attack/anomaly relationship table storage unit 105, the update information acquisition unit 106, the update control unit 107, and the transmission unit 108 are blocks used to realize the update execution function. As will be described later, the transmission unit 108 transmits the updated attack/anomaly relationship table to the attack analysis device 20, and the transmission unit 108 does not necessarily have to be included in the update execution function of the update device 10. In FIG. 3, the blocks related to each function are surrounded by a dashed line.

The information for judgment acquisition unit 101 (corresponding to the "log acquisition unit") acquires a security log generated by the electronic control system S. The information for judgment acquisition unit 101 acquires a security log that includes, for example, failure information indicating that a failure has actually occurred in the electronic control system S, actual anomaly information indicating an anomaly that has actually occurred in the electronic control system S due to the failure, and actual anomaly position information indicating the "position" in the electronic control system S where the anomaly has occurred. Hereinafter, such a security log is referred to as a failure security log (corresponding to the "first log"). The information for judgment acquisition unit 101 may further acquire a security log that includes actual anomaly information and actual anomaly position information, but does not include failure information. Hereinafter, such a security log is referred to as an attack security log (corresponding to the "second log").

The information for judgment acquisition unit 101 may acquire various information used for judgment in the failure/attack judgment unit 103 described below in addition to the failure security log and the attack security log, or instead of these security logs. For example, the information for judgment acquisition unit 101 acquires diagnostic information related to vehicle repairs and failures provided by the vehicle manufacturer or dealer, information related to vulnerabilities of the ECU 30, etc.

The determination information DB 102 is a storage unit that stores the information acquired by the determination information acquisition unit 101.

The fault/attack determination unit 103 uses the information stored in the determination information DB 102 to determine whether the cause of the occurrence of the abnormality indicated by the actual anomaly information at the position indicated by the actual anomaly position information is a fault or an attack. The method by which the fault/attack determination unit 103 makes the determination will be described in detail later.

When the failure/attack determination unit 103 determines that the cause of the abnormality occurring in the electronic control system S is a failure, the update information generation unit 104 generates failure update information (corresponding to "update information"). The failure update information includes abnormality information indicating an abnormality occurring in the electronic control system S, position information indicating the position where the abnormality occurs, and cause information indicating that the cause of the abnormality is a failure. Here, the abnormality information included in the failure update information corresponds to the actual abnormality information, and the position information corresponds to the actual abnormality position information.

In contrast, if the failure/attack determination unit 103 determines that the cause of the abnormality occurring in the electronic control system S is an attack, the update information generation unit 104 generates attack update information (corresponding to "update information"). The attack update information includes abnormality information indicating an abnormality occurring in the electronic control system S, position information indicating the position where the abnormality occurs, and cause information indicating that the cause of the abnormality is an attack. Here, the abnormality information included in the attack update information corresponds to the actual abnormality information, and the position information corresponds to the actual abnormality position information.

In addition to anomaly information, location information, and cause information, the update information may also include vehicle information indicating the state of the vehicle when the anomaly occurs.

The attack/anomaly relationship table storage unit 105 (corresponding to the "storage unit") is a memory unit that stores the attack/anomaly relationship table (corresponding to the "attack/anomaly relationship information"). The attack/anomaly relationship table is a table that includes one or more sets indicating the correspondence between "attack information" indicating the type of attack that the electronic control system S will receive, predicted anomaly information indicating an anomaly that is predicted to occur if the electronic control system S is attacked, and predicted anomaly position information indicating the "position" within the electronic control system S where the predicted anomaly will occur. Note that the storage unit need only store information including sets indicating the correspondence between attack information, predicted anomaly information, and predicted anomaly position information, and the information is not limited to a table.

Here, "attack information" includes any information related to an attack, such as the type of attack, the route of the attack, and the damage caused by the attack.
A "location" may be, for example, an individual electronic control device or a network.

Figure 4 is a diagram showing an example of an attack/abnormality relationship table. The attack/abnormality relationship table shown in Figure 4 shows, for each type of cyber attack (attacks A to X), an abnormality that occurs when the electronic control system S is subjected to a cyber attack and the type of ECU in which the abnormality occurs. When subjected to a cyber attack, it is assumed that multiple abnormalities will occur in multiple ECUs. Therefore, it is preferable that the attack/abnormality relationship table shows a combination of multiple abnormalities that will occur when subjected to an attack and the ECU in which the abnormality occurs. A set showing the correspondence between attack information, predicted abnormality information, and predicted abnormality position information is, for example, a row of the table shown in Figure 4. Note that in the example shown in Figure 4, in addition to the type of cyber attack (attacks A to X), the attack information includes the assumed starting point position of the attack and the target position of the attack when subjected to the cyber attack.

For example, in the case of a cyber attack of attack type A, it is predicted that abnormalities A, C, and D will occur in the communication ECU of the electronic control system S. The attack starting point of attack A is outside the electronic control system S, and the target of attack is the external communication ECU. The attack starting point may be a position inside the electronic control system S, or it may be outside the electronic control system S. The attack starting point being outside the electronic control system S means that the cyber attack is coming from outside the vehicle.

The attack/anomaly relationship table illustrated in FIG. 4 includes multiple sets indicating the correspondence between attack information, predicted anomaly information, and predicted anomaly location information, but the attack/anomaly relationship table may further include predicted vehicle information associated with each set. The predicted vehicle information is information indicating the "vehicle state" in which the predicted anomaly indicated by the predicted anomaly information will occur.

Here, "vehicle state" includes not only the state of the vehicle itself, but also the state of the electronic control system installed in the vehicle. In addition, "state" includes both variable things (e.g., vehicle position, version, vehicle behavior, etc.) and unchanging things (e.g., vehicle make, year, model, etc.).

If the vehicle type is different, the anomalies that occur when attacked and the locations where the anomalies occur may differ. For example, if an electronic control system S whose vehicle type is (XX) is attacked by a cyber attack, anomalies A, C, and D will occur in MC30c. However, if an electronic control system S whose vehicle type is (YY) is attacked by the same attack, it may happen that anomalies A and C will occur in MC30c, but anomaly D will not occur. Therefore, in order for the attack analysis device 20 described below to accurately analyze attacks, it is desirable to associate and store the anomalies with the vehicle state when the anomalies occur.

The predicted vehicle information may be included in the attack/anomaly relationship table, or the attack/anomaly relationship table storage unit 105 may have a table showing the correspondence between the information included in the attack/anomaly relationship table and the predicted vehicle information, separate from the attack/anomaly relationship table. FIG. 5 is an example of a table showing the correspondence between attack information and predicted vehicle information. In this example, the predicted vehicle information is associated with each set included in the attack/anomaly relationship table via the attack information.

In FIG. 5, examples of predicted vehicle information include, but are not limited to, the vehicle type, ECU type, software version, and power supply status. For example, predicted vehicle information may include the vehicle type, model, year, destination, vehicle behavior (e.g., power supply status, driving status), driving time and driving location, the type and version of the ECU that constitutes the electronic control system S, the type and version of the software installed in the ECU, the interface of the connected network, the connection destination of the communication ECU, etc.

The update information acquisition unit 106 "acquires" the fault update information and attack update information generated by the update information generation unit 104.

Here, "acquire" includes any of the following cases: acquiring from an external device that is physically different from the update device, acquiring from another device connected to the update device, acquiring by the update device generating it itself, and reading and acquiring from the storage unit of the update device.

As described above, when the attack/anomaly relationship table storage unit 105 stores predicted vehicle information associated with each set of the attack/anomaly relationship table, the update information included in the update information acquisition unit 106 includes vehicle information indicating the state of the vehicle in which an abnormality occurs.

The update control unit 107 updates the attack/anomaly relationship table stored in the attack/anomaly relationship table storage unit 105 based on the update information acquired by the update information acquisition unit 106. Specifically, the update control unit 107 first determines whether the cause information included in the update information indicates a failure or an attack, that is, whether the update information is failure update information or attack update information.

If the cause information indicates a fault, i.e., if the update information is fault update information, the update control unit 107 deletes the set (i.e., the row of the table) indicating the predicted anomaly information and predicted anomaly position information corresponding to the anomaly information and position information included in the fault update information from the attack/anomaly relationship table, and updates the attack/anomaly relationship table.

In contrast, when the cause information indicates an attack, i.e., when the update information is attack update information, the update control unit 107 adds a set (i.e., a row in the table) indicating the correspondence between the anomaly information included in the attack update information, the location information, and the attack information indicating the attack indicated by the cause information to the attack/anomaly relationship table, thereby updating the attack/anomaly relationship table.

The update control unit 107 may update a machine learning model for updating the attack/anomaly relationship table based on the update information, and may update the attack/anomaly relationship table using machine learning.

Here, when the cause information indicates an attack, a set indicating the correspondence between the anomaly information included in the attack update information, the location information, and the attack information indicating the attack indicated by the cause information may already be included in the attack/anomaly relationship table. In such a case, the update control unit 107 may end the process without updating the attack/anomaly relationship table, but may weight the set including the predicted anomaly information and predicted anomaly position information corresponding to the anomaly information and location information included in the attack update information. This weighting indicates that the cause of the occurrence of the anomaly indicated by the predicted anomaly information at the position indicated by the predicted anomaly position information included in the set is likely to be an attack.

Figure 6 is a diagram explaining the update process of the attack/anomaly relationship table by the update control unit 107. For example, assume that the location information included in the failure update information indicates MC, and the anomaly information indicates anomalies A, C, and D. In this case, in the attack/anomaly relationship table shown in Figure 4, the row of predicted anomaly information and predicted anomaly location information for attack B corresponds to the anomaly information (anomalies A, C, and D) and location information (MC). Therefore, the update control unit 107 deletes the row related to attack B from the attack/anomaly relationship table. Figure 6 shows the state after deleting the row related to attack B from Figure 4.

Also, assume that the location information included in the attack update information indicates ECU 30d, and the abnormality information indicates abnormality A, abnormality B, and abnormality C. In this case, the attack/anomaly relationship table shown in FIG. 4 does not include rows of predicted anomaly information and predicted abnormality location information corresponding to the abnormality information (abnormality A, abnormality B, and abnormality C) and location information (ECU 30a). Therefore, the update control unit 107 adds rows to the attack/anomaly relationship table indicating the correspondence between the abnormality information (abnormality A, abnormality B, and abnormality C), the location information (ECU 30a), and the attack indicated by the cause information (for example, attack Z). FIG. 6 shows the state in which a row related to attack Z has been added to FIG. 4.

When the attack/anomaly relationship table storage unit 105 stores predicted vehicle information associated with each set in the attack/anomaly relationship table, the update control unit 107 deletes a row from the attack/anomaly relationship table when the predicted vehicle information matches the vehicle information included in the update information. For example, as shown in FIG. 5, the predicted vehicle information associated with attack B is vehicle model [XX], ECU type [0001], software version [2.0], and power state [on]. Therefore, when the vehicle information included in the failure update information matches this information, the update control unit 107 deletes a row from the attack/anomaly relationship table.

In addition, if the update information is attack update information, the update control unit 107 adds attack Z to the attack/anomaly relationship table, and also adds the vehicle information included in the attack update information to the table shown in FIG. 5.

The transmission unit 108 transmits the updated attack/anomaly relationship table to the attack analysis device 20.

Immediately after a vehicle is released, it is not clear what kind of abnormality will occur as a result of an attack, so there is a possibility that an attack/anomaly relationship table that broadly estimates the expected abnormalities and attacks will be used. However, as the analysis results of the logs generated by the vehicle are accumulated over time after the release, it may become clear that the attack/anomaly relationship table contains information on abnormalities that are not actually related to attacks and occur due to breakdowns or malfunctions, or does not contain information on abnormalities that are closely related to attacks. Therefore, in the update device 10 of this embodiment, unnecessary sets of information are deleted from the attack/anomaly relationship table, and necessary sets of information are added, thereby improving the analysis efficiency or analysis accuracy in the attack analysis device 20 described below.

(2) Configuration of the Attack Analysis Device 20 The configuration of the attack analysis device 20 of this embodiment will be described with reference to Fig. 7. The attack analysis device 20 includes an attack inference log acquisition unit 201, an attack/anomaly relationship table storage unit 202, an attack inference unit 203, an attack/anomaly relationship table receiving unit 204, and an update unit 205.

The attack analysis device 20 has two main functions. One is an attack estimation function that analyzes attacks received by the electronic control system S. The other is an update execution function that executes updates to the attack/anomaly relationship table used in the attack estimation function. Of the blocks shown in FIG. 7, the attack estimation log acquisition unit 201, the attack/anomaly relationship table storage unit 202, and the attack estimation unit 203 are blocks used to realize the attack estimation function, and the attack/anomaly relationship table storage unit 202, the attack/anomaly relationship table reception unit 204, and the update unit 205 are blocks used to realize the update execution function. In FIG. 7, the blocks related to each function are shown collectively surrounded by dashed lines.

The attack estimation log acquisition unit 201 acquires a security log generated by a security sensor from the electronic control system S. The security log includes information indicating an abnormality detected by the security sensor (referred to as actual abnormality information) and information indicating the position of the ECU or network where the abnormality was detected (referred to as actual abnormality position information). The security log may further include the time when the abnormality occurred, the number of times the abnormality occurred, malfunction information of the ECU 30, etc.

The attack/anomaly relationship table storage unit 202 is a storage unit that stores the attack/anomaly relationship table. The attack/anomaly relationship table stored in the attack/anomaly relationship table storage unit 202 is basically the same as that stored in the attack/anomaly relationship table storage unit 105 of the update device 10. That is, as shown in FIG. 4, the attack/anomaly relationship table storage unit 202 stores an attack/anomaly relationship table including one or more sets indicating the correspondence between "attack information" indicating the type of attack the electronic control system S receives, predicted anomaly information indicating an anomaly predicted to occur when the electronic control system S receives an attack, and predicted anomaly position information indicating the "position" in the electronic control system S where the predicted anomaly occurs. Note that the storage unit may store information including sets indicating the correspondence between attack information, predicted anomaly information, and predicted anomaly position information, and the information is not limited to a table.

The attack estimation unit 203 uses the attack/anomaly relationship table to estimate the cyber attack that the electronic control system S has received. Specifically, the attack estimation unit 203 extracts a combination of actual anomaly information and actual anomaly location information contained in the security log, and checks whether a set of predicted anomaly information and predicted anomaly location information corresponding to this combination is included in the attack/anomaly relationship table. If a set of predicted anomaly information and predicted anomaly location information that matches the extracted actual anomaly information and actual anomaly location information is present in the attack/anomaly relationship table, it estimates that the electronic control system S has received an attack with the corresponding attack type. This estimation method is also called pattern matching, as it involves checking against the attack/anomaly relationship table.

The attack estimation unit 203 may estimate that a set that is weighted to indicate that the cause of the anomaly is likely to be an attack is more likely to have been attacked than a set that is not weighted. Alternatively, if the attack estimated by the attack estimation unit 203 is an attack on a weighted set, the estimation result by the attack estimation unit 203 may be preferentially output.

The attack/anomaly relationship table receiving unit 204 obtains the updated attack/anomaly relationship table sent from the sending unit 108.

The update unit 205 performs the update by rewriting the attack/anomaly relationship table stored in the attack/anomaly relationship table storage unit 202 to the updated attack/anomaly relationship table acquired by the attack/anomaly relationship table receiving unit 204.

The attack/anomaly relationship table is updated in the attack analysis device 20 in a manner that does not affect the attack inference function. For example, the updated attack/anomaly relationship table may be stored in an area of the attack/anomaly relationship table storage unit 202 separate from the area in which the attack/anomaly relationship table being used by the attack inference function is stored, and the area used by the attack/anomaly relationship table storage unit 202 may be switched while the attack inference function is not being executed. Alternatively, the attack inference function may be set not to operate while the update execution function of the attack analysis device 20 is operating.

(3) Determination method by the failure/attack determination unit 103 There are various methods by which the failure/attack determination unit 103 can determine whether the cause of an abnormality that has occurred in the electronic control system S is a failure or an attack. Below, examples of the determination method by the failure/attack determination unit 103 are shown.

As an example, the failure/attack determination unit 103 determines whether the cause of an abnormality occurring in the electronic control system S is a failure or an attack based on the statistical determination result. For example, if the number of failure security logs acquired by the determination information acquisition unit 101 is "more" than a predetermined threshold, the failure/attack determination unit 103 determines that the occurrence of an abnormality indicated by the actual anomaly information at the position indicated by the actual anomaly position information included in the failure security log is due to a failure of the electronic control system S. The existence of a large number of failure security logs means that the same abnormality has occurred in multiple electronic control systems. Therefore, if a similar failure occurs in another electronic control system, there is a high possibility that a similar abnormality will occur. Therefore, if more failure security logs are acquired than the threshold, the failure/attack determination unit 103 determines that the cause of the abnormality is a failure.

Similarly, if the number of attack security logs acquired by the information acquisition unit 101 for determination is "more" than a predetermined threshold, the failure/attack determination unit 103 determines that the occurrence of the abnormality indicated by the actual anomaly information at the position indicated by the actual anomaly position information is due to an attack on the electronic control system S.

Here, "more than" includes both cases where the value is the same as the comparison target and cases where it is not.

As another example, the failure/attack determination unit 103 may use remote attestation to determine whether the cause of an abnormality occurring in the electronic control system S is a failure or an attack.
For example, the failure/attack determination unit 103 uses remote attestation to verify the integrity of the programs and data installed in the ECU 30a acquired by the determination information acquisition unit 101. If the remote attestation results in a determination that the programs and data are incomplete, the failure/attack determination unit 103 inquires whether the determination information acquisition unit 101 has acquired diagnostic information regarding the failure of the ECU 30a that is equipped with the programs and data that are determined to be incomplete. If the determination information acquired by the determination information acquisition unit 101 contains diagnostic information regarding the failure of the ECU 30a, the failure/attack determination unit 103 determines that the abnormality occurring in the ECU 30a is due to a failure. On the other hand, if the determination information does not contain diagnostic information regarding the failure of the ECU 30a, the failure/attack determination unit 103 determines that the abnormality occurring in the ECU 30a is due to an attack.

As yet another example, the cause of the abnormality may be determined to be either a failure or an attack using the results of analysis by an analyst at a Security Operation Center (SOC) or a Product Security Incident Response Team (PSIRT). In this case, the failure/attack determination unit 103 acquires the results of analysis by the analyst or PSIRT.

For example, the analyst or PSIRT can use the following method to determine that the cause of an anomaly is a failure.
For example, by comparing the contents of the dealer's repair information and diagnostic information from a fault diagnosis device acquired by the information for judgment acquisition unit 101 with abnormalities detected by a security sensor installed in the vehicle, and information other than abnormalities contained in the security log (for example, the function of the ECU where the abnormality occurred, the communication destinations and communication contents of the ECU, etc.), it is determined that the cause of the abnormality that has occurred is a malfunction.
As another example, when a malfunction of a specific ECU or software is identified based on information provided by a manufacturer, OEM, etc., the cause of the abnormality occurring in the relevant ECU or software is determined to be a malfunction.

Furthermore, analysts and PSIRT use the following techniques to determine that the cause of an anomaly is an attack.
For example, a situation in which a security sensor detects an abnormality is reproduced by performing a pseudo attack in a simulated environment of the electronic control system S or a vehicle equipped with the electronic control system S. Then, the cause of the abnormality occurring in such an environment is determined to be an attack.
As another example, when a vulnerability of the electronic control system S or the ECU 30 is known and it is widely known that an attack against the vulnerability exists, if an abnormality occurs in the ECU that is known to be vulnerable, it is determined that the cause of the abnormality is an attack.
As yet another example, if it is determined that the connection destination of the external communication ECU is a malicious site such as a C&C (Command and Control) server, and an abnormality occurs in the vehicle's external communication ECU, it may be determined that the cause of the abnormality is an attack.

The above are examples of determination methods by the failure/attack determination unit 103, but the method for determining whether the cause of the abnormality is a failure or an attack is not limited to these, and any method can be used. In addition, the failure/attack determination unit 103 may use machine learning to determine whether the cause of the abnormality is a failure or an attack.

In this embodiment, the failure/attack determination unit 103 determines whether the cause of an abnormality occurring in the electronic control system S is a failure or an attack. However, the failure/attack determination unit 103 may determine that the cause of the abnormality occurring is something other than a failure or an attack, for example, a malfunction of the electronic control system S.

When the failure/attack determination unit 103 determines that the cause of the abnormality is a malfunction, the update process is basically the same as when the cause is determined to be a failure. When the failure/attack determination unit 103 determines that the cause of the abnormality is a malfunction, the update information generation unit 104 generates update information including cause information indicating that the cause is a malfunction, anomaly information, and location information. Then, the update control unit 107 deletes rows including predicted anomaly information and predicted anomaly location information corresponding to the anomaly information and location information included in this update information from the attack/anomaly relationship table, and updates the attack/anomaly relationship table. This is because, as with a failure, if a combination of anomaly and location caused by a malfunction is included in the attack/anomaly relationship table, the efficiency of attack analysis may decrease, or the accuracy of analysis may decrease.

For example, the failure/attack determination unit 103 may detect an abnormality in a specified security sensor due to unstable communication at power-on. Such an abnormality is not caused by a failure or attack. Therefore, the failure/attack determination unit 103 determines that the cause of such an abnormality that occurred at power-on is a malfunction of the electronic control system S.

In another example, communication may be impossible due to a malfunction of the server or network with which the vehicle communicates, or the security sensor may detect an abnormality due to a human setting error or special operation performed by a dealer or the like. Such abnormalities are also not caused by a malfunction or attack. Therefore, the malfunction/attack determination unit 103 determines that the cause of an abnormality that occurred in the communication ECU at the time the server or network malfunction occurred, or an abnormality that occurred in an ECU operated by a dealer, is due to a malfunction of the electronic control system S.

Some failures, attacks, and malfunctions may occur only when the vehicle is in a specific state. For example, in the above example, an abnormality may occur in the external communication ECU due to the external communication ECU being connected to a malicious site. Also, an abnormality may occur at power start-up when the vehicle's power is turned on. In addition to determining whether the cause of the abnormality is a failure, attack, or malfunction, the failure/attack determination unit 103 may also determine what state the vehicle is in when the abnormality caused by these occurs. When the failure/attack determination unit 103 determines the state of the vehicle, the update information generation unit 104 generates update information including vehicle information indicating the state of the vehicle determined by the failure/attack determination unit 103.

(4) Operation of the update device 10 The operation of the update device 10 will be described with reference to Fig. 8 and Fig. 9. Fig. 8 and Fig. 9 not only show the update method executed by the update device 10, but also show the processing procedure of an update program that can be executed by the update device 10. The order of these processes is not limited to the order shown in Fig. 8 and Fig. 9. In other words, the order may be changed as long as there is no constraint such as a relationship in which a certain step utilizes the result of the previous step.

FIG. 8 shows the operation of the failure/attack determination function in the update device 10.
The determination information acquisition unit 101 acquires information (e.g., a failure security log and an attack security log) used for determination by the failure/attack determination unit 103 (S101). The information acquired by the determination information acquisition unit 101 is stored in the determination information DB 102.
The failure/attack determination unit 103 uses the information acquired in S101 to determine whether the cause of the abnormality indicated by the actual abnormality information at the position indicated by the actual abnormality position information of the electronic control system S is a failure or an attack (S102).
Here, if it is determined in S102 that the cause of the abnormality is a malfunction (S103: Y), the update information generation unit 104 generates malfunction update information including abnormality information indicating an abnormality occurring in the electronic control system S, location information indicating the location where the abnormality occurred, and cause information indicating that the cause of the abnormality is a malfunction (S104).
If it is determined in S102 that the cause of the abnormality is an attack (S103: N), the update information generation unit 104 generates fault update information including abnormality information indicating the abnormality occurring in the electronic control system S, location information indicating the location where the abnormality occurred, and cause information indicating that the cause of the abnormality is an attack (S105).
Then, the update information generating unit 104 outputs the update information generated in S104 and S105 (S106).

FIG. 9 shows the operation related to the update execution function in the update device 10.
The update information acquisition unit 106 acquires the update information output from the update information generation unit 104 (S201).
The update control unit 107 determines whether the update information is fault update information or attack update information, that is, whether the cause information indicates either a fault or an attack (S202).
If the cause information indicates a failure (S202: Y), the update control unit 107 deletes a set indicating the predicted anomaly information and predicted anomaly position information corresponding to the anomaly information and position information included in the update information from the attack/anomaly relationship table (S203).
If the cause information indicates an attack (S202: N), the update control unit 107 adds a set indicating the correspondence between the anomaly information included in the update information, the location information, and the attack information indicating the attack indicated by the cause information to the attack/anomaly relationship table (S203).
Then, the transmission unit 108 transmits the updated attack/anomaly relationship table to the attack analysis device 20 (S205).

(5) Modifications In the above-described first embodiment, the updating device 10 and the attack analysis device 20 are physically different devices. However, the updating device 10 and the attack analysis device 20 may be provided as a single device.

Figure 10 is a block diagram showing the configuration of an update device 11 of this modified example. Blocks common to embodiment 1 are given the same reference numerals as in Figure 3, and detailed explanations are omitted. Unlike the update device 10 shown in Figure 3, the update device 11 of this modified example does not have a transmission unit 108. Instead, it has an attack estimation log acquisition unit 201 and an attack estimation unit 203.

The update device 11 of this embodiment has three main functions. In addition to the same failure/attack determination function and update execution function as in the first embodiment, it also has an attack estimation function. This attack estimation function is a function that was possessed by the attack analysis device 20 of the first embodiment.

Note that this modification can only be applied to the arrangements shown in Figures 1(a) and 1(b).

(6) Summary As described above, according to this embodiment, the attack/anomaly relationship table used for analyzing cyber-attacks on vehicles is appropriately updated by deleting information about anomalies caused by causes other than attacks and adding information about anomalies caused by attacks, thereby improving the efficiency and accuracy of attack analysis.

3. Embodiment 2
In the above-described first embodiment, the update device has two functions, a failure/attack determination function and an update execution function, as shown in Fig. 3. However, the failure/attack determination function may be a function realized in a device independent of the update device.

(1) Configuration of the update device 12 Fig. 11 is a block diagram showing the configuration of the update device 12 of this embodiment. Blocks common to the first embodiment are given the same reference numerals as in Fig. 3, and detailed description will be omitted. Unlike the update device 10 shown in Fig. 3, the update device 12 of this embodiment does not have a judgment information acquisition unit, a judgment information DB, or a failure/attack judgment unit. Instead, a failure/attack judgment device 40 is provided independent of the update device 12, and the update device 12 and the failure/attack judgment device 40 are connected.

The fault/attack determination device 40 is a device that realizes functions equivalent to the determination information acquisition unit, determination information DB, and fault/attack determination unit of embodiment 1. The update information acquisition unit 106 of the update device 12 acquires the update information generated by the fault/attack determination device 40, and updates the attack/anomaly relationship table based on the update information.

The operation of the update device 12 in this embodiment is the same as the operation related to the update execution function of the update device 10 in embodiment 1 (the operation shown in FIG. 9). On the other hand, the operation of the failure/attack determination device 40 is the same as the operation related to the failure/attack determination function of the update device 10 in embodiment 1 (the operation shown in FIG. 8).

When this embodiment is applied to the arrangement shown in FIG. 1(a), the fault/attack determination device 40 may be placed either outside or inside the vehicle.

(2) Modification In the second embodiment, similarly to the modification of the first embodiment, the update device and the attack analysis device may be provided as a single device.

Figure 12 is a block diagram showing the configuration of the update device 13 of this modified example. Unlike the update device 12 shown in Figure 11, the update device 13 of this modified example does not have a transmission unit 108. Instead, it has an attack estimation log acquisition unit 201 and an attack estimation unit 203.

The update device 13 of this modified example has two main functions: an update execution function and an attack estimation function. This attack estimation function is a function that the attack analysis device 20 has.

4. Summary The features of the update device and the like in each embodiment of the present invention have been described above.

The terms used in each embodiment are merely examples and may be replaced with synonymous terms or terms with similar functions.

The block diagrams used to explain the embodiments classify and organize the device configuration by function. The blocks showing each function are realized by any combination of hardware or software. In addition, since they show functions, such block diagrams can also be understood as disclosures of method inventions and program inventions that realize the methods.

The order of the functional blocks that can be understood as processes, flows, and methods described in each embodiment may be changed as long as there are no constraints such as a relationship in which one step uses the results of another step that precedes it.

The terms 1st, 2nd, through Nth (N is an integer) used in each embodiment and in the claims are used to distinguish between two or more configurations or methods of the same type, and do not limit the order or superiority or inferiority.

Each embodiment is based on an information update device used to analyze cyber attacks against electronic control systems installed in vehicles, but the present invention also includes dedicated or general-purpose devices other than those for vehicles, unless otherwise limited by the claims.

Moreover, examples of the form of the update device of the present invention include the following.
Examples of the component include a semiconductor element, an electronic circuit, a module, and a microcomputer.
Examples of semi-finished products include an electronic control unit (ECU) and a system board.
Finished product forms include mobile phones, smartphones, tablets, personal computers (PCs), workstations, and servers.
Other examples include devices with communication functions, such as video cameras, still cameras, and car navigation systems.

Necessary functions, such as an antenna or a communication interface, may also be added to the update device.

The update device of the present invention is expected to be used, particularly on the server side, for the purpose of providing various services. In providing such services, the attack analysis device of the present invention will be used, the method of the present invention will be used, and/or the program of the present invention will be executed.

In addition, the present invention can be realized not only by dedicated hardware having the configuration and functions described in each embodiment, but also as a combination of a program for implementing the present invention recorded on a recording medium such as a memory or hard disk, and general-purpose hardware having a dedicated or general-purpose CPU and memory capable of executing the program.

Programs stored in non-transient, physical recording media (e.g., external storage devices (hard disks, USB memory, CDs/BDs, etc.) or internal storage devices (RAM, ROM, etc.)) of dedicated or general-purpose hardware can also be provided to the dedicated or general-purpose hardware via the recording media, or via a communication line from a server without using a recording media. This makes it possible to always provide the latest functions through program upgrades.

The update device of the present invention is intended primarily for use as a device for updating information used to analyze cyber attacks on electronic control systems mounted on automobiles, but may also be intended as an update device for information used to analyze attacks on normal systems not mounted on automobiles.

10 (11, 12, 13) Update device, 101: Determination information acquisition unit, 104: Update information generation unit, 105: Attack/anomaly relationship table storage unit, 106: Update information acquisition unit, 107: Update control unit, 108: Transmission unit

Claims (11)

a storage unit (105) storing attack/anomaly relationship information including one or more sets indicating a correspondence relationship between attack information indicating an attack on an electronic control system, predicted anomaly information indicating an anomaly predicted to occur when the electronic control system is attacked, and predicted anomaly position information indicating a position within the electronic control system where the predicted anomaly will occur;
an update information acquisition unit (106) that acquires update information including abnormality information indicating an abnormality occurring in the electronic control system, location information indicating a location where the abnormality occurs, and cause information indicating whether the cause of the abnormality is a failure or an attack;
an update control unit (107) that updates the attack/anomaly relationship information by deleting, when the cause information indicates a failure, the set indicating the predicted anomaly information and the predicted anomaly location information corresponding to the anomaly information and the location information from the attack/anomaly relationship information, and, when the cause information indicates an attack, adding, to the attack/anomaly relationship information, a set indicating a correspondence relationship between the anomaly information, the location information, and attack information indicating the attack indicated by the cause information;
An update device (10, 11, 12, 13). When the cause information indicates the attack, and the set indicating the predicted anomaly information and the predicted anomaly location information corresponding to the anomaly information and the location information is included in the attack/anomaly relationship information,
The update control unit weights the set.
The update device according to claim 1. the cause information indicates that the cause of the occurrence of the abnormality is the failure, the attack, or a malfunction of the electronic control system;
the update control unit deletes, when the cause information indicates a malfunction, the set indicating the predicted anomaly information and the predicted anomaly position information corresponding to the anomaly information and the position information from the attack/anomaly relationship information.
The update device according to claim 1. the electronic control system is an in-vehicle system installed in a vehicle,
The storage unit further stores predicted vehicle information indicating a state of the vehicle in which the predicted abnormality will occur in association with the one or more sets,
The update information further includes vehicle information indicating a state of the vehicle in which the abnormality occurs,
the update control unit deletes the set from the attack/anomaly relationship information when the predicted vehicle information and the vehicle information match.
The update device according to claim 1. The update device further comprises:
a log acquisition unit (101) that acquires a log including failure information indicating that a failure has actually occurred in the electronic control system, actual abnormality information indicating an abnormality that has actually occurred in the electronic control system, and actual abnormality position information indicating a position at which the abnormality indicated by the actual abnormality information has occurred;
an update information generating unit (104) that generates the update information including the anomaly information corresponding to the actual anomaly information, the position information corresponding to the actual anomaly position information, and the cause information indicating that the cause of the anomaly is a failure when the number of the logs acquired by the log acquiring unit is greater than a threshold value;
The updating device (10, 11) according to claim 1, comprising: the log acquisition unit acquires, in addition to the first log, a second log that does not include the failure information;
when the number of the second logs acquired by the log acquisition unit is greater than the threshold value, the update information generation unit generates the update information including the anomaly information corresponding to the actual anomaly information included in the second log, the position information corresponding to the actual anomaly position information included in the second log, and the cause information indicating that the cause of the anomaly is an attack.
An updating device (10, 11) according to claim 5. The electronic control system and the update device are mounted on a moving body.
7. An update device according to claim 1. The electronic control system is mounted on a moving object,
The update device is disposed outside the moving body.
An updating device according to any one of claims 1 to 6. The update device further includes a transmission unit (108) that transmits the updated attack/anomaly related information to the mobile unit.
An updating device (10, 12) according to claim 8. An updating method performed in an updating device, comprising:
the update device includes a storage unit that stores attack-anomaly relationship information including one or more sets indicating a correspondence relationship between attack information indicating an attack received by the electronic control system, predicted anomaly information indicating an anomaly predicted to occur when the electronic control system is attacked, and predicted anomaly position information indicating a position within the electronic control system where the predicted anomaly will occur;
Acquire update information including abnormality information indicating an abnormality occurring in the electronic control system, location information indicating a location where the abnormality occurs, and cause information indicating whether the cause of the abnormality is a failure or an attack (S201);
If the cause information indicates a fault, the set including the predicted anomaly information and the predicted anomaly position information corresponding to the anomaly information and the position information is deleted from the attack/anomaly relationship information, and the attack/anomaly relationship information is updated (S203);
When the cause information indicates an attack, a set indicating a correspondence relationship between the anomaly information, the location information, and the attack information indicating the attack indicated by the cause information is added to the attack/anomaly relationship information, thereby updating the attack/anomaly relationship information (S204).
How to update. An update program executable on an update device,
the update device includes a storage unit that stores attack-anomaly relationship information including one or more sets indicating a correspondence relationship between attack information indicating an attack received by the electronic control system, predicted anomaly information indicating an anomaly predicted to occur when the electronic control system is attacked, and predicted anomaly position information indicating a position within the electronic control system where the predicted anomaly will occur;
The update program is provided in the update device.
Acquire update information including abnormality information indicating an abnormality occurring in the electronic control system, location information indicating a location where the abnormality occurs, and cause information indicating whether the cause of the abnormality is a failure or an attack (S201);
If the cause information indicates a fault, the set including the predicted anomaly information and the predicted anomaly position information corresponding to the anomaly information and the position information is deleted from the attack/anomaly relationship information, and the attack/anomaly relationship information is updated (S203);
When the cause information indicates an attack, a set indicating a correspondence relationship between the anomaly information, the location information, and the attack information indicating the attack indicated by the cause information is added to the attack/anomaly relationship information, thereby updating the attack/anomaly relationship information (S204).
Updates.