JP6531011B2 - In-vehicle network device - Google Patents

Description

  BACKGROUND OF THE INVENTION Field of the Invention The present invention relates to an on-vehicle control device and a network device mounted on a vehicle or the like.

  In recent years, vehicle control of a car has been computerized, and a plurality of electronic control units (ECUs) communicate with one another via an on-vehicle network such as a controller area network (CAN) to realize function cooperation. Furthermore, the computerization of automobiles has progressed, and transmission and reception of data via communication devices such as car navigation and smart phones are being performed. In this way, computerization and computerization progress, and in order to realize the cooperation of functions using the network 6 inside and outside the vehicle, consideration of on-vehicle security is required. For example, in order to prevent a car from being controlled by illegal data, a method of monitoring the network 6 to detect or prevent the intrusion of illegal data is considered.

  As an example of this technical field, there exists Unexamined-Japanese-Patent No. 2013-131907 (patent document 1). In this publication, it is an object of the present invention to provide a vehicle network monitoring device capable of maintaining high security by monitoring data taken into the vehicle network 6 without requiring a particularly complicated configuration. As a solution for that purpose, the vehicle network 6 is provided with a monitoring on-vehicle control device for detecting illegal data through monitoring of a communication format of data defined in operating a communication protocol, and a monitoring on-vehicle control device In addition to performing processing to transmit warning information to each on-vehicle control device when detecting illegal data different from the prescribed communication format, processing to prohibit routing of illegal data by the gateway, etc. are described. ing.

JP, 2013-131907, A

  In order to detect illegal data on the network 6 without omission according to the method described in Patent Document 1 or the like, it is necessary to individually monitor all data passing through the network 6. However, when the number and types of communication data passing on the network 6 are large, if all data are monitored individually, the processing load of the on-vehicle apparatus such as the ECU and the gateway will increase. For example, routing processing of data in the gateway may be delayed, but a solution method therefor is not particularly described.

  Also, the following method is described to determine that the data is invalid. The intrusion of invalid data is detected when an error frame exceeding the set number of transmissions is transmitted. It is monitored whether the number of times of transmission of an error frame to be transmitted exceeds the number of times of abnormality (for example, 150 times) serving as a standard of occurrence of abnormality. However, it is difficult to set some threshold value to an optimum value as a method for detecting fraudulent data as described above. For example, if the threshold value for determination is fixed at a specific value, it can not be guaranteed that the set value is always optimal when performing complex control depending on the situation as in automatic operation.

  The present invention has been made in view of such a situation, and it is possible to make incorrect data without increasing the load of data processing in the on-vehicle apparatus even when performing complicated control such as automatic operation. It provides a means to detect.

  In order to solve the above problems, an in-vehicle network device that communicates data among a plurality of in-vehicle devices includes a state acquisition unit that acquires a state of the host vehicle, and a communication monitoring unit that monitors the data. It is characterized in that the monitoring method of the data is changed based on the state of the own vehicle.

  According to the present invention, it is possible to reduce the processing load for detecting fraudulent data on the in-vehicle network. In addition, it is possible to implement security measures corresponding to complex vehicle control and diversified in-vehicle networks with a simple configuration without requiring dedicated hardware and the like.

It is the figure which showed an example of a structure of the vehicle-mounted network apparatus in 1st Embodiment. It is the figure which showed an example of the processing flow of the vehicle-mounted network apparatus in 1st Embodiment. It is the figure which showed an example of the processing flow of the communication monitoring part in 1st Embodiment. It is a figure showing an example of a setup of a priority and a monitoring method corresponding to a control state in a 1st embodiment. It is the figure which showed an example of the setting of the priority and the monitoring method corresponding to the automatic driving | running state in 1st Embodiment. It is the figure which showed an example of a structure of the vehicle-mounted network apparatus in 2nd Embodiment. It is the figure which showed an example of the processing flow of the determination method setting part in 2nd Embodiment. It is the figure which showed an example of the filter setting information in 2nd Embodiment. It is a figure showing an example of the filter list in a 2nd embodiment. It is the figure which showed an example of the communication determination method in 2nd Embodiment. It is the figure which showed an example of a structure of the vehicle-mounted network apparatus in 3rd Embodiment. It is the figure which showed an example of the processing flow of the vehicle-mounted network apparatus in 3rd Embodiment. It is a figure showing an example of a surveillance data list and a surveillance group list in a 3rd embodiment. It is the figure which showed an example of a structure of the vehicle-mounted network apparatus in 4th Embodiment. It is the figure which showed an example of the processing flow of the vehicle-mounted network apparatus in 4th Embodiment. It is the figure which showed an example of the abnormality countermeasure list in 4th Embodiment.

  A mode for carrying out the present invention (hereinafter, referred to as “embodiment”) will be described in detail with reference to the drawings as appropriate. Although this embodiment mainly describes the control device and the network device in the on-vehicle system of a car, it does not prevent the application to other than the on-vehicle system.

First Embodiment
As shown in FIG. 1, the in-vehicle network device 1 according to the first embodiment includes a communication monitoring unit 2, a state acquisition unit 3, and a determination method setting unit 4. Note that, like the other ECUs 5, the in-vehicle network device 1 has an arithmetic device such as a CPU (central processing unit), a storage device such as a non-volatile memory or volatile memory, and a communication interface for connecting to the network 6. , And the function of communicating with other ECUs 5 via the network 6.

  In FIG. 1, although it connects with three ECU5 each via two networks 6, it does not specifically limit about the kind and number of the networks 6 and ECU5 to connect. The type of network 6 is, for example, a wired network such as CAN, Ethernet (registered trademark), FLExRAY (registered trademark), LIN (Local Interconnect Network), MOST (registered trademark), wireless LAN, Bluetooth (registered trademark), mobile phone There is a wireless network such as

  The communication monitoring unit 2 has a function of monitoring data passing through the network 6 and changing the communication monitoring method according to the state of the vehicle acquired by the state acquiring unit described later. Details of the communication monitoring method will be described later. Further, the communication monitoring unit 2 has the communication determination unit 7 and determines whether or not the data passing through the in-vehicle network device 1 via the network 6 is abnormal according to the determination method set in the determination method setting unit 4 Have a function to Moreover, when abnormality is detected in data, it may have a function which does not pass the said data.

  The state acquisition unit 3 has a function of acquiring one of the control state of the own vehicle, the automatic driving state, the driver's state, the surrounding environmental state, and the communication state with the outside of the vehicle as the own vehicle state. The control state is information indicating what kind of control is being performed by the in-vehicle apparatus of the own vehicle, and may be information regarding the traveling state such as traveling or stop of the own vehicle, or what control data the in-vehicle apparatus indicates It may be information indicating whether it is being processed. For example, among the levels (A to D) of the ASIL, which is an indicator of functional safety, which control process is being performed may be performed. Further, not only the control related to traveling but also information related to internal processing of the on-vehicle apparatus such as whether rewriting of the program of the ECU is being executed by OTA (Over The Air) or the like may be used.

  The automatic operation state is the operation mode in which the current operation is manual operation or automatic operation, or in the case of automatic operation. As an example of the driving mode, there are ACC (Adaptive Cruise Control), change of car line, leading car following, lane keeping support, automatic parking and the like. The driver's state includes the driver's personal identification information, the awake state, the health state, the driver's operation state, and the like. The operation state is, for example, whether or not the driver puts his hand on the steering wheel, and where the driver's gaze is facing. The surrounding environmental condition is, for example, information on the temperature and humidity inside and outside the vehicle, the amount of rainfall, and the like. The communication state with the outside of the vehicle is information indicating whether or not communication is performed with inter-vehicle communication or an external communication infrastructure by C2X (Car-to-X) communication or the like.

  The state acquisition unit 3 may acquire the various states described above from, for example, an external device such as the ECU 5 via the above-mentioned network 6, a maintenance connector such as OBD (On Board Diagnosis), or a local communication such as serial communication. It may be acquired via the communication interface, or may be acquired from various operation switches installed in the driver's seat, various sensors installed in the vehicle, or the like.

  The determination method setting unit 4 has a function of setting a communication monitoring method executed by the communication monitoring unit 2 or a processing method of the communication determination unit 7 in accordance with the state acquired by the state acquisition unit 3 described above. The communication determination unit 7 has a function of determining whether or not there is an abnormality in the data monitored by the communication monitoring unit according to the data determination method set by the above-described determination method setting unit 4.

  The detailed processing flow of the in-vehicle network device 1 will be described with reference to FIG. First, the communication monitoring unit 2 of the in-vehicle network device 1 determines the presence or absence of data reception from the network 6 (processing S201). When the data is received, the vehicle state is acquired by the state acquisition unit 3, and it is determined whether or not there is a change from the past acquisition time (processing S202). Next, when there is a change in the acquired vehicle state, a monitoring method corresponding to the changed vehicle state is newly set (processing S203). Here, the execution timing of state acquisition (processing S202) and monitoring method setting (processing S203) is not every time data reception occurs, as shown in FIG. 2, but when data reception occurs a predetermined number of times, or It may be a fixed cycle regardless of the presence or absence of data reception.

  Next, the communication monitoring unit 2 monitors the received data according to the data monitoring method set in the processing S203, and determines whether there is an abnormality in the received data (processing S204). If it is determined that there is an abnormality in the received data, error processing is executed (processing S205). The error processing is, for example, abnormality countermeasure processing such as notifying the upper system. Details of the countermeasure against abnormality will be described later. If it is determined by communication monitoring that there is no abnormality, it is determined whether it is necessary to transfer the received data to another network 6 (processing S206). If it is necessary to transfer data, the data is transferred via the predetermined network 6 with reference to, for example, address information set in the received data (processing S207). If it is not necessary to transfer data, the process ends.

  An example of the process flow of the communication monitoring unit 2 will be described with reference to FIG. First, the communication monitoring unit 2 determines whether it is necessary to change the monitoring method of received data (processing S301). For example, when there is a change in the vehicle state in the above-described processing S202, it is determined that a change in the monitoring method is necessary. If it is necessary to change the monitoring method, the monitoring method corresponding to the vehicle state is set (processing S302). For example, a priority corresponding to the vehicle state is set in data to be monitored, and a monitoring method according to the priority is set. The communication monitoring unit 2 determines the priority of the received data from the vehicle state (processing S303), and executes a data monitoring method according to the priority (processing S304 to processing S306).

  A setting example of the priority and the monitoring method corresponding to the own vehicle state will be described using FIG. 4 and FIG. FIG. 4 shows an example in which the priority and monitoring method corresponding to the control state 404 of the vehicle are set for each data type 401. The control state 404 of the own vehicle includes, for example, a running state 405, a stop state 406, a repro state 407, and the like. In the traveling state 405, the state may be divided finely according to the speed such as high speed and low speed. Similarly, the stop state 406 may be divided into states such as engine stop, idling, accessory power ON, and the like. The repro state 407 is a state in which reprogramming of firmware or the like of the ECU is being executed, and depending on the progress of reprogramming, during update software download, during software rewrite, during restart after completion of software rewrite, etc. It may be divided into more detailed states.

  The data type 401 is an index for identifying data having a specific common item, and for example, the type is defined for each data using the same network area 402 and data using the same network type 403. The type, number, and format of the data type 401 shown in FIG. 4 are an example, and the present invention is not limited to this example.

  In various vehicle states defined as described above, the monitoring priority is set for each data type 401 to be monitored. For example, in the high-speed driving state 405, priority 1 is set for the body control information and infotainment and data type 401 of C2X communication, and chassis control information, power train control information, functional safety information, automatic driving information, and the outside world. Priority 3 is set to the recognition information. Similarly, priority 0 to priority 3 are set for each vehicle state and data type 401, respectively.

  The communication monitoring unit 2 sets a data monitoring method for each data type according to the set priority. For example, in the case of the traveling state 405 in which the host vehicle state is high speed, the network area 402 to which the data type 401 having high priority belongs is preferentially monitored. The network area 402 is, for example, a communication path, a data bus, a channel, a network interface or the like in which each data type 401 mainly performs data transmission / reception. For example, in the case of chassis control information, since the network area 402B is allocated, the monitoring frequency of the network area 402B is set high. Similarly, in the case of the high-speed traveling state 405, the network areas 402B, C, D, and F with priority 3 are preferentially monitored. On the other hand, the monitoring priorities for the network areas 402A, 402E and 402G with priority 1 are set low.

  Further, the priority of the monitoring target may be set based on not only the network area 402 but also the network type used by each data type 401. For example, in the case of the high-speed running state 405, since the network type with high priority (set to priority 3) is CAN, Ethernet (registered trademark), or LVDS, priority is given to these network types. Monitor. On the other hand, for a wireless LAN with a low priority (set to priority 1), the monitoring priority is lowered.

  As a data monitoring method of high priority (for example, priority 3), there is a method of setting the monitoring frequency high (monitoring every time data reception occurs) and monitoring all the header, payload and footer of data There is (process S304). For example, it monitors whether the header, payload, and footer values are specified values.

  As a data monitoring method of medium priority (for example, priority 2), the monitoring frequency is set to medium (one time in multiple times, every predetermined time, etc.), and only the header or footer of the data is monitored. There is a method (processing S305). As a data monitoring method of low priority (for example, priority 1), there is a method of setting the monitoring frequency lower than the medium priority and monitoring only a part (for example, ID) of the header of data (processing S306). Here, the lowest priority (for example, priority 0) may be set to be excluded from the monitoring target.

  For example, when it is in the stop state 406 of the engine stop, the network area 402A related to the body control information of the data type 401 or the data of network type CAN can transmit and receive data header, payload and footer each time data transmission occurs. Monitor everything. On the other hand, network areas 402B, C, D, E and F related to chassis control information, powertrain control information, functional safety information, automatic driving information, infotainment, and external world recognition information and networks of the network type Ethernet (registered trademark) 6 Is excluded from data monitoring targets. With regard to the network area 402G for C2X communication or a wireless LAN network, the monitoring frequency is lowered and only the data ID is monitored.

  In the case of the repro state 407, for data using the network area 402G or wireless LAN involved in C2X communication with high priority, all of the header, payload and footer of received data are monitored each time. Similarly, regarding data whose data type 401 is infotainment, monitoring of medium priority is performed, monitoring of low priority is performed regarding body control information, and other data types 401 are excluded from monitoring targets.

  In the present embodiment, the control state 404, the data type 401, the setting value of the priority, and the like are not limited to the example shown in FIG. That is, even if the data type 401, the network area 402, the network 6 type, the type and number of control states 404, and the value setting of the priority, etc. are different from those in FIG.

  FIG. 5 shows an example in which the priority and the monitoring method according to the automatic driving state of the vehicle are set for each individual data. For example, a manual driving 508, an ACC 509, a leading vehicle tracking 510, and an automatic parking 511 are defined as the automatic driving state 507. It is assumed that any one of data ID 501, data name 502, data transmission source 503, transmission destination 504, transmission method 505, and communication method 506 is set as data to be monitored.

  The data ID 501 and the data name 502 are information indicating the type of data, and may be any format as long as other data can be specialized. The data transmission source 503 and the transmission destination 504 are, for example, address information indicating ECUs of the data transmission source and the transmission destination. The transmission method 505 is a type of physical network of data, and is, for example, Ethernet (registered trademark) or CAN. The communication method 506 is a type of network protocol, and in the case of Ethernet (registered trademark), for example, TCP, UDP, IP, Ethernet (registered trademark) AVB (Audio / Video Bridging, hereinafter abbreviated as AVB) or the like.

  In the example of FIG. 5, lane identification information with data ID 501 of “1” is that the transmission source 503 is ECU_A, the transmission destination 504 is ECU_B, Ethernet (registered trademark) as transmission method 505, and TCP / IP as communication method 506. It indicates that you are using it. In addition, regarding data of lane recognition information, priority 0 when automatic operation state 507 is manual operation 508, priority 3 when ACC 509, priority 3 when leading vehicle tracking 510, automatic parking 511 In the case of, priority 1 is set.

  Similarly, for each data such as landmark recognition information and steke (stereo camera) recognition information, priorities are set for each of the automatic driving states 507. The communication monitoring unit 2 sets priorities according to the automatic operation state 507, and executes data monitoring by a monitoring method according to the priorities set when data is received.

  For example, when the automatic driving state 507 is the manual driving 508, the monitoring of landmark recognition information is set to high priority (priority 3), and the data of the lane change possibility flag, the ACC possibility flag, and the leading vehicle follow possibility flag Set monitoring to medium priority (priority 2) and exclude other data from monitoring. Similarly, when the automatic driving state 507 is ACC 509, monitoring of data of lane recognition information, forward object information, and vehicle speed setting information is set to a high priority (priority 3), an ACC enable / disable flag, an automatic driving interruption flag Set data monitoring to medium priority (priority 2), and set data monitoring for landmark recognition information, step marker recognition information, and preceding vehicle information to low priority (priority 1), and other data Will not be monitored.

  As the data monitoring method of high priority (for example, priority 3), the monitoring frequency is set high (every time monitoring etc.), and data ID 501, transmission source 503, transmission destination 504, transmission method 505, information on communication method 506 There is a method such as monitoring all of (step S304). For example, it is monitored whether or not the data ID 501 of the data, the transmission source 503, the transmission destination 504, the transmission method 505, and the communication method 506 are prescribed values. In addition, as the data monitoring method of medium priority (for example, priority 2), the monitoring frequency is set to medium (one time in plural times, every predetermined time, etc.), and data ID 501 of the target data, transmission source 503, There is a method of monitoring any of the transmission destination 504, the transmission method 505, and the communication method 506 (processing S305).

  As the data monitoring method of low priority (for example, priority 1), the monitoring frequency is set to be lower than the middle priority, and data ID 501 of the target data, transmission source 503, transmission destination 504, transmission method 505, communication method 506 There is a method of monitoring only one of them (processing S306). Further, the lowest priority (for example, priority 0) may be set to be excluded from the monitoring target.

  In the present embodiment, the definition related to the type of data, the definition of the automatic operation state 507, and the setting value of the priority are not limited to the example shown in FIG. That is, data ID 501, data name 502, transmission source 503, transmission destination 504, transmission method 505, definition regarding type and number of communication method 506, definition regarding type and number of automatic operation state 507, monitoring priority in each automatic operation state 507 Even if the set value of the degree is different from that of FIG. 5, the present embodiment is established.

  As described above, according to the present embodiment, by setting the priority of data to be monitored on the in-vehicle network according to the state of the vehicle, it is possible to carefully select and monitor only important data without monitoring all data. You can do it. Therefore, it is possible to reduce the processing load for detecting data abnormality in the in-vehicle network.

Second Embodiment
As shown in FIG. 6, the in-vehicle network device 21 in the second embodiment includes the communication monitoring unit 22, the state acquisition unit 23, and the determination method setting unit 24, and functions similar to those of the in-vehicle network device 1 in the first embodiment. Have. The communication monitoring unit 22 and the state acquisition unit 23 have the same functions as in the first embodiment.

  The determination method setting unit 24 has the same function as the determination method setting unit 4 in the first embodiment. The determination method setting unit 24 further includes a filter selection unit 25, a filter list 26, a filter stage number setting unit 28, and a filter updating unit 29. Communication monitoring is performed according to the vehicle state acquired by the state acquisition unit 23. It has a function of setting a communication monitoring method performed by the unit 22 and a communication determination method in the communication determination unit 27.

  The filter selection unit 25 has a function of selecting a filter to be used for communication determination from the filter list 26 in accordance with the vehicle state acquired by the state acquisition unit 23. The filter stage number setting unit 28 has a function of setting the number of stages of the filter to be used according to the vehicle state acquired by the state acquisition unit 23. The filter updating unit 29 has a function of updating the filter list 26. Details of the filter list 26 will be described later. The filter list 26 and the filter updating unit 29 may be provided outside the in-vehicle network device 21. The filter updating unit 29 may be omitted when the change of the filter list 26 is unnecessary.

  An example of the process flow of the determination method setting unit 24 will be described using FIGS. 7 and 8. First, the determination method setting unit 24 acquires the vehicle state by the state acquisition unit 23, and determines whether or not there is a change from the previous acquisition time (processing S701). If there is a change in the own vehicle state, it is determined whether the corresponding filter has been registered in the filter setting information 800 (processing S702). The details of the filter setting information 800 will be described later.

  If registered as the filter setting information 800, the filter setting is changed to the registered filter setting (processing S703). On the other hand, when the filter setting is not set, it is determined whether or not there is a filter corresponding to the changed own vehicle state in the filter list 26 (processing S704). If there is a filter corresponding to the changed own vehicle state in the filter list 26, the filter stage number setting unit 28 sets the number of stages of the filter (processing S705).

  Next, the filter selection unit 25 selects the type of filter to be used (processing S706). When a plurality of stages are set in processing S 705, filters corresponding to the number of stages are respectively selected. If there is no corresponding filter in processing S704, it is determined whether the filter list 26 can be updated (processing S707). If the filter list 26 can be updated, the filter updating unit 29 adds a new filter or changes an existing filter (processing S 708).

  Thereafter, the processing of step S705 and step S206 is executed using the added or changed filter. If the filter can not be updated, error processing is performed (processing S209). As an example of error processing, there is an abnormal measure such as notification to the upper system. Details of the countermeasure against abnormality will be described later.

  An example of the filter setting information 800 is shown in FIG. 8 and an example of the filter list 26 is shown in FIG. In the filter setting information 800, a filter 802 corresponding to the vehicle state 801 is set. In the filter 802, a filter target data list 803 (hereinafter referred to as a target data list 803) and a filter type 804 are set. In the target data list 803, information for identifying data to be filtered, such as data ID, is set.

  The number of filters 802 is not limited to three as shown in FIG. 8, and the number to be set may be changed according to the vehicle state 801. For example, when the vehicle state 801 is manual driving, the first filter 802 performs communication determination regarding the network type for data with data IDs of 0x01 and 0x02. The second filter 802 performs communication determination regarding the transmission source / transmission destination for data whose data data ID is 0x01 and 0x02. The third filter 802 performs communication determination regarding the data size for data with data IDs of 0x01 and 0x02.

  Similarly, when the vehicle state 801 is ACC, the first filter 802 performs communication determination regarding data ID for data of 0x01. The second filter 802 makes a communication determination regarding the data transmission cycle for data of 0x02.

  Details of the filter setting shown in FIG. 8 will be described with reference to FIG. As shown in FIG. 10, in the filter setting 1002 for manual operation, since a plurality of filters 802 are selected for the same monitoring target data, the determination processing (processing 1003 to processing 1005) is executed in series. On the other hand, as for the filter setting 1006 of the ACC, since different filters 802 are set for different monitoring target data, the determination processing (processing 1007, processing 1008) is executed in parallel. Also, as in the case of the filter setting 1009 for leading vehicle follow-up, the determination processing (target data 0x03 processing 1010, target) performed in parallel with the determination processing (processing 1010 when target data is 0x04, processing 1011) to be executed in series Data may be mixed with 0x05 processing 1011).

  The combination of the target data list 803 and the filter type 804 is selected from the filter list 26 shown in FIG. For example, for data with a data ID 901 of 0x01, when using the filter 802 for the cycle 902, it is determined as normal if it is a cycle within ± 5% of a prescribed cycle of 10 ms as a threshold of determination. The filter 802 for the data size 903 is determined to be normal if the size is within ± 1 byte of error with respect to the specified 4 bytes. When using the filter 802 related to the network type 403, it is determined that the communication using the CAN is normal. When using the filter 802 related to the transmission source 503 and the transmission destination 504, if the transmission source 503 is an address indicating ECU_A and the transmission destination 504 is an address indicating ECU_B or ECU_C, it is determined as normal.

  As described above, the type of filter and the determination threshold are set for each target data to be determined by each filter 802. The target data list 803 in FIG. 8, the target data ID 901 in FIG. 9, and the monitoring target data 1001 in FIG. 10 all use data IDs, but different identification information may be used as long as they can be correlated with each other. good. For example, the target data list 803 may be identification information indicating that the data passes through a specific communication path, bus, or channel.

  Further, the filter setting information 800 in FIG. 8 and the filter list 26 in FIG. 9 are an example, and setting methods other than those shown in this example may be used. Therefore, the filter setting information 800 may have any format as long as the number, type, and combination method of the filters 802 can be set for each vehicle state 801. Similarly, the filter list 26 may have any format as long as the filter method and the threshold information for determination can be set for each monitoring target data 1001.

  As described above, according to the present embodiment, the normal or abnormal determination method of data to be monitored on the in-vehicle network can be changed according to the vehicle state. Accordingly, it is possible to flexibly adjust the processing speed, the processing load, the determination accuracy and the like.

Third Embodiment
As shown in FIG. 11, the in-vehicle network device 31 according to the third embodiment includes a communication monitoring unit 32, a state acquisition unit 33, and a determination method setting unit 34, and functions similar to those of the in-vehicle network device 1 in the first embodiment. Have. The communication monitoring unit 32 and the state acquisition unit 33 have the same functions as in the first embodiment.

  The determination method setting unit 34 has the same function as the determination method setting unit 4 in the first embodiment or the determination method setting unit 24 in the second embodiment. Further, the determination method setting unit 34 has a monitoring group list 35, a group determination method setting unit 36, a monitoring group setting unit 38 and a monitoring data list 39, and monitoring is performed according to the vehicle state acquired by the state acquisition unit 33. It has a function of grouping data and setting a communication data determination method for each group.

  The monitoring data list 39 is a list of data monitored by the communication monitoring unit 32, and includes data identification information, address information on data transmission source / transmission destination, information on data transmission method and communication method, information on data size, data And one of the information on the transmission cycle of The monitoring data list 39 may be stored outside the determination method setting unit 34.

  The monitoring group setting unit 38 has a function of grouping data registered in the monitoring data list 39 based on the vehicle state acquired by the state acquisition unit 33 and registering the data in the monitoring group list 35. The monitoring group list 35 is a list in which data groups to be monitored are defined for each vehicle state, and the determination method for each group, identification information of the group, information associating the group with the individual data, and specific information for determination , Threshold information for determination, and any one of monitoring priority. The monitoring group list 35 may be stored outside the determination method setting unit 34.

  The group determination method setting unit 34 has a function of selecting a group of monitoring data registered in the monitoring group list 35 based on the vehicle state acquired by the state acquisition unit 33 and setting a data determination method for each group. .

  The detailed processing flow of the in-vehicle network device 31 will be described with reference to FIG. First, the state acquisition unit 33 acquires the state of the vehicle and determines whether or not there is a change from the previous acquisition (processing S1201). When there is a change in the vehicle state, it is checked whether there is a monitoring group list 35 according to the vehicle state, and it is newly determined whether it is necessary to create or update the monitoring group list 35 (processing S1202).

  If it is necessary to create or update the monitoring group list 35, the monitoring group list 35 is created or updated (processing S1203). An example of the monitoring group list 35 and an example of a method of creating the list will be described later. Next, a group determination method to be used for communication determination described later is selected from the monitoring group list 35, and is set for each vehicle state (processing S1204).

  Next, the communication monitoring unit 32 monitors data reception (processing S1205). Here, communication data is monitored for each specific group according to the monitoring group list 35, and it is determined whether communication data in the group is abnormal according to the group determination method set in processing S1204 (processing S1206). A detailed example regarding the determination method of communication data will be described later. If it is determined that the data is abnormal, error processing is executed (processing S1207). The error processing is, for example, abnormality countermeasure processing such as notifying the upper system. Details of the countermeasure against abnormality will be described later.

  An example of the monitoring group list 35 and an example of a method for creating the list will be described with reference to FIG. The monitoring group list 35 is created based on the monitoring data list 39 shown in FIG. The monitoring data list 39 is information on data to be monitored by the communication monitoring unit 32. For example, as shown in FIG. 13A, data ID 1301 as identification information of data, address information indicating transmission / reception source of data (transmission source 503 and transmission destination 504), transmission method of data 505, data size 1302, transmission of data It has a cycle 1303 and the like. For example, data ID 1301 “100” data is “ECU_A” as address information of transmission source 503, “ECU_B” as address information of transmission destination 504, “Ethernet (registered trademark)” as transmission method 505, and “data size 1302”. “100 ms” is set as “100 Byte”, and the data transmission cycle 1303.

  The monitoring group setting unit 38 selects and groups a specific data group from the monitoring data list 39 for each vehicle state. As grouping criteria, for example, groups with similar data ID 1301, groups with identical source 503 or destination 504, groups with identical transmission method 505, groups with identical data size 1302 and transmission cycle 1303. There is a way to give up what you are doing. Alternatively, the importance may be set in advance for each data, and grouping may be performed according to the importance. In the present embodiment, the rules for putting data together are not particularly limited.

  Although FIG. 13 illustrates an example in which the transmission source 503 and the transmission destination 504 combine the same data as the same group, the present embodiment is established even if grouping is performed using other methods. In the monitoring group list 35, identification information of the group is set. For example, a group ID 1304 "B" is assigned to a group of data whose data ID 1301 is "101" "102". Here, one data may be included in the group, and for data whose data ID 1301 is “100”, the group ID 1304 configured of one data may be a group of “A”.

  Further, when creating the monitoring group list 35, unique information (abbreviated as determination unique information) for communication data determination described later may be set using the registration information of the monitoring data list 39 as a key. Hereinafter, an example in which the determination unique information is generated using the transmission source 503, the transmission destination 504, and the transmission method 505 as keys will be described. The determination specific information I 1305 is generated by the following equation.

Judgment-specific information I = (transmission source << 8) + (transmission destination << 4) + transmission method Here, (transmission source << 8) shifts the bit information indicating the transmission source 503 to the upper 8 bits Indicates For example, in the group of the group ID 1304 "A" composed of data ID 1301 "100", the address information (temporarily "0xA") of the ECU_A of the transmission source 503 and the address information of ECU_B of the transmission destination 504 ( Since the transmission method 505 is Ethernet (registered trademark) (provisionally “0xE”) temporarily, “0xA << 8” + (0xB << 4) + 0xE = “0xA << 8” + since the transmission method 505 is Ethernet (registered trademark) (provisionally “0xE”). Assume 0xABE.

  Similarly, for a group with a group ID 1304 "B", address information (temporarily "0xB") of ECU_B of transmission source 503, address information (temporarily "0xA") of ECU_A of transmission destination 504, transmission method Since 505 is CAN (it is temporarily set as "0xC"), determination specific information I1305 is set as "0xBAC."

  In the following, an example in which the determination unique information is generated with the data ID 1301, the data size 1302, and the transmission cycle 1303 as keys is shown. The determination specific information II 1306 is generated by the following equation.

Judgment specific information II = data ID + data size + transmission cycle ÷ 100
For example, since the data size 1302 of the data ID 1301 is “100” and the transmission cycle 1303 is “1000”, the determination unique information II 1306 is “100 + 100 + 1000 ÷ 10 = 300”. Here, a plurality of pieces of determination specific information II 1306 individually calculated for each data may be allocated to one group.

  In the example, although a simple conversion formula is used to simplify the description, the determination unique information may be generated by using a hash function or the like with the specific information in the monitoring data list 39 as a key. That is, the present embodiment is established regardless of any method as long as specific determination specific information can be generated using some information included in data in a group as a key.

  An example of a method of determining communication data in process S1206 will be described. When the communication monitoring unit 32 receives communication data, the communication monitoring unit 32 calculates the determination specific information. It is searched whether or not the calculated determination specific information is registered in the monitoring group list 35, and when it is not registered, it is determined as abnormal. Here, even if the data is abnormal, the determination specific information may be coincident by chance, so the determination specific information may be used in combination of plural types. For example, the determination specific information I 1305 is searched first, and if the values match, the determination specific information II 1306 is searched next, and if both values match, it is determined that the data is normal data.

  Another example regarding the method of determining communication data in the monitoring group list 35 and the process S1206 will be described using FIG. 13 (b). As shown in FIG. 13B, the monitoring group list 35 may have information on priority 1308 and the determination method 1309 in addition to the determination specific information. For example, the monitoring priority 1308 is set for each group ID 1304.

  The priority 1308 uses the method described in the first embodiment. For example, data of a high priority group 1308 is monitored individually, and data of a low priority group 1308 is not monitored.

  As an example of the determination method 1309, there is a method in which the upper limit size and the lower limit size of data are set for each group, and data in which the data size 1302 does not fit within a predetermined threshold is determined as abnormal data. Alternatively, the average data transfer amount of data in the group may be set, and if it does not fall within the predetermined threshold, it may be determined as abnormal.

  Note that the monitoring group list 35 is not limited to the example shown in FIG. 13, and the determination method for each group, identification information of the group, information associating the group and individual data, unique information for determination, threshold information for determination, It is sufficient to have any of the priority information for determination.

  As described above, according to the present embodiment, by grouping a plurality of monitoring data according to a specific rule and grouping the data and monitoring the data for each group, processing load is smaller than when individual data monitoring is performed. It is possible to monitor data.

Fourth Embodiment
As shown in FIG. 14, the in-vehicle network device 41 according to the fourth embodiment includes the communication monitoring unit 42, the state acquisition unit 43, and the determination method setting unit 44, and is the first embodiment or the second embodiment or the third embodiment. It has the same function as the in-vehicle network device 1/21/31 in the embodiment.

  Further, the in-vehicle network device 41 has an abnormality countermeasure list 45 and a countermeasure execution unit 46, and when the communication judgment unit 47 of the communication monitoring unit 42 detects an abnormality in the communication data, the countermeasure method is selected from the abnormality countermeasure list 45 It has a function to execute. The communication monitoring unit 42, the state acquisition unit 43, and the determination method setting unit 44 have the same functions as those in the first embodiment or the second embodiment or the third embodiment.

  The abnormality countermeasure list 45 has a list of countermeasure methods corresponding to the vehicle state acquired by the state acquisition unit 43 or the contents of the communication data whose abnormality is detected by the communication determination unit 47. The countermeasure execution unit 46 selects and executes the countermeasure method corresponding to the content of the communication data in which the abnormality is detected in the own vehicle state or the communication determination unit 47 from the abnormality countermeasure methods registered in the abnormality countermeasure list 45. It has a function.

  The detailed processing flow of the in-vehicle network device 41 will be described with reference to FIG. The communication monitoring unit 42 determines whether there is an abnormality in the communication data according to the process flow of any of the first embodiment, the second embodiment, and the third embodiment (process S1501). If an abnormality is detected in the communication data, it is determined whether or not there is a countermeasure method in the abnormality countermeasure list 45 corresponding to the vehicle state at the time of the abnormality detection and the contents of the communication data in which the abnormality is detected (processing S1502) . If there is a countermeasure in the abnormality countermeasure list 45, the countermeasure is selected and executed (processing S1503). If there is no appropriate countermeasure method in the abnormality countermeasure list 45, error processing is executed (processing S1504). As error processing, for example, there is a method of notifying the upper system of abnormality, or registering a new countermeasure method in the abnormality countermeasure list 45 or the like. In addition, a countermeasure method in the case where there is no corresponding condition may be registered in advance in the abnormality countermeasure list 45, and the countermeasure method may be executed as an error process.

  An example of the abnormality countermeasure list 45 and the abnormality countermeasure method will be described with reference to FIG. First, FIG. 16A is an example of the abnormality countermeasure list 45 related to the first embodiment. For example, a countermeasure method corresponding to the network type 403, the transmission source 503, and the transmission destination 504 of data in which the vehicle state and the abnormality are detected is registered. As an example of the countermeasure method 1602, abnormality notification, deceleration, stop, automatic operation cancellation, network disconnection, log storage, and the like can be mentioned, but measures other than those described in this example may be newly registered. Further, for example, a countermeasure ID 1603 may be added to the countermeasure method 1602 as identification information, and a countermeasure method 1602 in which a plurality of countermeasure methods 1602 are combined may be registered.

  FIG. 16B is an example of the abnormality countermeasure list 45 related to the second embodiment. For example, a countermeasure method 1602 corresponding to the vehicle state 1601 and the filter type 1605 that has detected an abnormality is registered. FIG. 16C is an example of the abnormality countermeasure list 45 related to the third embodiment. For example, a countermeasure method 1602 corresponding to the vehicle state 1601 and the group ID 1304 or data ID 1301 of the data in which an abnormality is detected or the determination specific information 1607 is registered. The items and format of the abnormality countermeasure list 45 shown in FIG. 16 are not limited to this example. Also, a plurality of abnormality countermeasure lists 45 may be used simultaneously or switched.

  As described above, according to the present embodiment, when an abnormality in communication data is detected, it is possible to execute an appropriate countermeasure against the state of the host vehicle.

1, 21, 31, 41 in-vehicle network device 2, 22, 22, 42 communication monitoring unit 3, 23, 33, 43 state acquisition unit 4, 24, 34, 44 judgment method setting unit 5 ECU
6 Network 7, 27, 37, 47 Communication Determination Unit 25 Filter Selection Unit 26 Filter List 28 Filter Stage Number Setting Unit 29 Filter Update Unit 35 Monitoring Group List 36 Group Determination Method Setting Unit 38 Monitoring Group Setting Unit 39 Monitoring Data List 45 Troubleshooting Measures List 46 Countermeasure execution unit 401 Data type 402 Network type 403 Network type 404 Control state 405 Running state 406 Stop state 407 Repro state 501, 901, 1301 Data ID
502 Data name 503 Source 504 Destination 505 Transmission method 506 Communication method 507 Automatic operation state 508 Manual operation 509 ACC
510 Leading car follow 511 automatic parking 800 filter setting information 801 vehicle state 802 filter 803 target data list 804 filter type 902, 1303 period 903, 1302 data size 1304 group ID
1305, 1306, 1607 Judgment specific information 1308 Priority 1309 Judgment method 1601 Vehicle state 1602 Countermeasure method 1603 Countermeasure ID

Claims (10)

In an in-vehicle network device that communicates data among a plurality of in-vehicle devices,
A state acquisition unit for acquiring the state of the host vehicle;
A communication monitoring unit that monitors the data without increasing the load of data processing in the in-vehicle device ;
The monitoring includes detection of abnormal data using a list defining a group of data to be monitored;
An in-vehicle network device, wherein a monitoring method of the data is changed based on a state of the host vehicle. In the in-vehicle network device according to claim 1,
The state of the host vehicle includes the control state of the host vehicle, the traveling state of the host vehicle, the automatic driving state of the host vehicle, the state of the driver riding on the host vehicle, the state of the surrounding environment of the host vehicle, and the communication state of the host vehicle. An in-vehicle network device characterized by including any of the above. In the in-vehicle network device according to claim 1 or 2,
A communication determination unit that determines the communication state of the data;
A determination method setting unit 4 configured to set the determination method of the communication state;
Changing the data monitoring method includes changing either the data monitoring frequency, changing the data monitoring priority, or changing the communication state determination method. In-vehicle network device. In the in-vehicle network device according to claim 3,
Changing the determination method of the communication state includes changing any of the types of determination conditions, changing the number of determination conditions, and changing the threshold value for determination. . In the in-vehicle network device according to claim 4,
A determination method update unit for retaining a plurality of the determination methods and deleting, changing, or adding a new determination method to any of the retained determination methods,
An in-vehicle network device characterized by updating the determination method when there is no determination method corresponding to the state of the host vehicle. In the in-vehicle network device according to any one of claims 1 to 5,
An in-vehicle network apparatus characterized by grouping together one or more pieces of data monitored by the communication monitoring unit and monitoring the data by a common monitoring method for each group. In the in-vehicle network device according to claim 6,
A monitoring group setting unit for holding information of a plurality of the groups and deleting, changing, or adding information of a new group any of the information of the held groups;
An in-vehicle network device updates the information of the group when there is no information of the group corresponding to the state of the host vehicle. In the in-vehicle network device according to claim 6 or 7,
Managing the determination specific information calculated from the information on the data for each group;
The in-vehicle network device, wherein the communication monitoring unit uses the determination specific information in monitoring the data. The in-vehicle network device according to any one of claims 1 to 8.
The in-vehicle network device characterized in that, when the communication monitoring unit detects the abnormal data, the communication monitoring unit executes an abnormality countermeasure corresponding to the state of the host vehicle and the content of the detected data. In the in-vehicle network device according to claim 9,
A plurality of anomaly countermeasure methods corresponding to the contents of the data in which the state of the vehicle or the anomaly has been detected is possessed, and the anomaly countermeasure is selected and executed from among the plurality of anomaly countermeasure methods possessed. In-vehicle network device.

Images