JP6677132B2 - In-vehicle communication device, management device, management method, and monitoring program - Google Patents

Description

  The present invention relates to an in-vehicle communication device, a management device, a management method, and a monitoring program.

  Conventionally, in-vehicle network systems for improving security in in-vehicle networks have been developed.

  For example, Patent Document 1 (Japanese Patent Application Laid-Open No. 2013-168865) discloses the following in-vehicle network system. That is, the in-vehicle network system includes an in-vehicle control device including a memory that stores definition data that defines a part of the communication protocol used on the in-vehicle network that depends on implementation on the in-vehicle network, Communication protocol issuing device for issuing the definition data. The communication protocol issuance device, upon receiving a registration request from the registration device that causes the in-vehicle control device to participate in the in-vehicle network, requests the registration of the in-vehicle control device to participate in the in-vehicle network, performs authentication for the registration device Above, the definition data based on the above implementation is created in the in-vehicle network and returned to the registration device. The registration device receives the definition data transmitted by the communication protocol issuing device, and requests the in-vehicle control device to store the received definition data in the memory. The in-vehicle control device receives the definition data from the registration device, stores the data in the memory, and communicates with the in-vehicle network according to the communication protocol according to the portion defined by the definition data. .

JP 2013-168865 A

  Patent Document 1 discloses a configuration in which a gateway ECU in an in-vehicle network system has a function of a communication protocol issuing device and monitors an in-vehicle control device.

  Such a gateway ECU may be replaced with a fraudulent ECU that can be spoofed. If the gateway ECU can communicate with the outside of the vehicle, the gateway ECU may be hacked and the firmware of the gateway ECU may be rewritten.

  In such a case, the monitoring function for the in-vehicle control device is deteriorated, and unauthorized access to the in-vehicle control device from outside the vehicle becomes possible.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to provide a vehicle-mounted communication device, a management device, a management method, and a monitoring program capable of providing good security in a vehicle. is there.

  (1) In order to solve the above problem, an on-vehicle communication device according to an aspect of the present invention is an on-vehicle communication device mounted on a vehicle, and includes a plurality of control units capable of controlling functional units in the vehicle. A relay unit that relays information, a communication unit that can communicate with a management device outside the vehicle, and a monitoring unit that performs a monitoring process that monitors the operation of the relay unit.

  (7) In order to solve the above problem, a management device according to an aspect of the present invention is a management device provided outside a vehicle, the management device being mounted on the vehicle and capable of controlling a functional unit in the vehicle. A communication unit that can communicate with a vehicle-mounted communication device that relays information transmitted from outside the vehicle to a relay unit that relays information between the control units, and a monitor that performs a monitoring process that monitors the operation of the vehicle-mounted communication device Unit.

  (11) In order to solve the above-described problem, a management method according to an aspect of the present invention is a management method in a management device provided outside a vehicle, the method being mounted on the vehicle and controlling a functional unit in the vehicle. A step of communicating with an in-vehicle communication device that relays information transmitted from outside the vehicle to a relay unit that relays information between a plurality of possible control units, and performing a monitoring process of monitoring operation of the in-vehicle communication device; Steps.

  (12) In order to solve the above problem, a monitoring program according to an aspect of the present invention is a monitoring program used in a vehicle-mounted communication device mounted on a vehicle, wherein the computer can control a functional unit in the vehicle. A relay unit that relays information between the plurality of control units, a communication unit that can communicate with a management device outside the vehicle, and a monitoring unit that performs a monitoring process that monitors the operation of the relay unit. Program.

  (13) In order to solve the above problem, a monitoring program according to another aspect of the present invention is a monitoring program used in a management device provided outside a vehicle, wherein a computer is mounted on the vehicle, A communication unit that can communicate with a vehicle-mounted communication device that relays information transmitted from outside the vehicle to a relay unit that relays information between a plurality of control units that can control functional units in the vehicle, This is a program for functioning as a monitoring unit that performs a monitoring process for monitoring operations.

  The present invention can be realized not only as an in-vehicle communication device having such a characteristic processing unit, but also as a monitoring system having an in-vehicle communication device, or as a method having such characteristic processing as steps. Or you can. Further, the present invention can be realized as a semiconductor integrated circuit that realizes a part or all of a vehicle-mounted communication device.

  The present invention can be realized not only as a management device including such a characteristic processing unit, but also as a monitoring system including the management device. Further, the present invention can be realized as a semiconductor integrated circuit that realizes part or all of the management device.

  According to the present invention, good security can be provided in a vehicle.

FIG. 1 is a diagram showing a configuration of a communication system according to an embodiment of the present invention. FIG. 2 is a diagram showing a configuration of each device mounted on the vehicle according to the embodiment of the present invention. FIG. 3 is a diagram showing a configuration of a system-specific control device according to the embodiment of the present invention. FIG. 4 is a diagram showing a configuration of the on-vehicle communication device in the monitoring system according to the embodiment of the present invention. FIG. 5 is a diagram showing a configuration of a management device in the monitoring system according to the embodiment of the present invention. FIG. 6 is a flowchart that defines an operation procedure when the relay unit performs the relay process in the monitoring system according to the embodiment of the present invention. FIG. 7 is a flowchart that defines an operation procedure when the in-vehicle communication device performs the monitoring process of the relay unit in the monitoring system according to the embodiment of the present invention. FIG. 8 is a flowchart that defines an operation procedure when the management device in the monitoring system according to the embodiment of the present invention performs the monitoring processing of the vehicle-mounted communication device.

  First, the contents of the embodiment of the present invention will be listed and described.

  (1) A vehicle-mounted communication device according to an embodiment of the present invention is a vehicle-mounted communication device mounted on a vehicle, and a relay unit that relays information between a plurality of control units that can control functional units in the vehicle. A communication unit that can communicate with a management device outside the vehicle; and a monitoring unit that performs a monitoring process for monitoring the operation of the relay unit.

  With such a configuration, for example, the in-vehicle communication device can acquire the operation content of the relay unit and transmit the operation content of the in-vehicle communication device to a management device capable of monitoring at a high security level. be able to. Thus, the onboard communication device can monitor the relay unit from outside, and the management device can monitor the onboard communication device from outside. By performing such step-by-step monitoring, replacement and hacking of the relay unit can be found well, so that a reduction in the monitoring function of the control unit can be suppressed, and unauthorized access to the control unit from outside the vehicle can be suppressed. Can be prevented. Therefore, good security can be provided in the vehicle.

  (2) Preferably, the in-vehicle communication device further includes an acquisition unit that acquires an operation log of the relay unit, and the monitoring unit performs the monitoring process based on the operation log acquired by the acquisition unit. Do.

  With such a configuration, for example, an operation or the like in the relay unit that does not comply with the predetermined agreement can be found from the operation log, so that it is possible to correctly recognize whether the relay unit is performing a normal operation.

  (3) Preferably, the in-vehicle communication device further includes an acquisition unit that acquires a monitoring log based on a monitoring result of the control unit by the relay unit, wherein the monitoring unit is configured to monitor the monitoring log acquired by the acquisition unit. The monitoring process is performed based on the log.

  With such a configuration, for example, the authentication status and the transmission / reception status of the data exchanged with the control unit by the relay unit can be recognized from the monitoring log. Therefore, it is determined whether the relay unit is appropriately monitoring the control unit. Can be correctly recognized.

  (4) Preferably, the in-vehicle communication device further includes a notifying unit for notifying that there is an abnormality when it is determined in the monitoring processing that the relay unit has an abnormality.

  With such a configuration, for example, it is possible to notify the user of the abnormality of the relay unit or to transmit information indicating the abnormality of the relay unit to another device. Therefore, the replaced relay unit is used as a valid relay unit. The user can be prompted to replace and update the firmware of the hacked relay.

  (5) Preferably, the communication unit transmits information based on a result of the monitoring process to the management device.

  With such a configuration, it is possible to confirm in the management device whether or not the monitoring processing of the relay unit by the in-vehicle communication device is valid, so that the security of the in-vehicle communication device can be enhanced.

  (6) Preferably, the in-vehicle communication device further includes a log creating unit that creates an operation log of the in-vehicle communication device, and the communication unit transmits the operation log created by the log creating unit to the log. Send to the management device.

  With such a configuration, an abnormal monitoring operation of the relay unit by the in-vehicle communication device can be found from the operation log in the management device, so that it is possible to confirm whether the in-vehicle communication device is correctly monitoring the relay unit. it can. Thereby, the security of the in-vehicle communication device can be enhanced.

  (7) A management device according to an embodiment of the present invention is a management device provided outside a vehicle, and is configured to mount information on a plurality of control units mounted on the vehicle and capable of controlling functional units in the vehicle. A relay unit for relaying includes a communication unit capable of communicating with a vehicle-mounted communication device that relays information transmitted from outside the vehicle, and a monitoring unit that performs a monitoring process for monitoring the operation of the vehicle-mounted communication device.

  With such a configuration, for example, the management device capable of acquiring the content of the information relayed by the in-vehicle communication device to the relay unit and capable of monitoring at a high security level is provided by the operation content of the in-vehicle communication device. Can be obtained. Thus, the onboard communication device can monitor the relay unit from outside, and the management device can monitor the onboard communication device from outside. By performing such step-by-step monitoring, replacement and hacking of the relay unit can be found well, so that a reduction in the monitoring function of the control unit can be suppressed, and unauthorized access to the control unit from outside the vehicle can be suppressed. Can be prevented. Therefore, good security can be provided in the vehicle.

  (8) Preferably, the management device further includes an acquisition unit that acquires an operation log of the in-vehicle communication device, and the monitoring unit performs the monitoring process based on the operation log acquired by the acquisition unit. Do.

  With such a configuration, an abnormal monitoring operation of the relay unit by the vehicle-mounted communication device can be found from the operation log, so that it is possible to confirm whether the vehicle-mounted communication device is correctly monitoring the relay unit. Thereby, the security of the in-vehicle communication device can be enhanced.

  (9) Preferably, the management device further includes an acquisition unit that acquires a monitoring log based on a monitoring result of the relay unit by the in-vehicle communication device, wherein the monitoring unit acquires the monitoring log acquired by the acquisition unit. The monitoring process is performed based on.

  With such a configuration, it is possible to confirm whether or not the monitoring processing of the relay unit by the in-vehicle communication device is valid, so that the security of the in-vehicle communication device can be enhanced.

  (10) Preferably, when it is determined in the monitoring process that the in-vehicle communication device is abnormal, the management device further performs a process of restricting the in-vehicle communication device from communicating with the outside of the vehicle. It has a restriction part.

  With such a configuration, for example, information for illegally controlling the control unit in the vehicle from the outside can be prevented from being relayed to the relay unit, so that when the relay unit is replaced and hacked, Can also reduce damage.

  (11) A management method according to an embodiment of the present invention is a management method in a management device provided outside a vehicle, and includes a plurality of control units mounted on the vehicle and capable of controlling functional units in the vehicle. Communicating with an in-vehicle communication device that relays information transmitted from outside of the vehicle to a relay unit that relays the information of the vehicle, and performing a monitoring process of monitoring the operation of the in-vehicle communication device.

  With such a configuration, for example, the management device capable of acquiring the content of the information relayed by the in-vehicle communication device to the relay unit and capable of monitoring at a high security level is provided by the operation content of the in-vehicle communication device. Can be obtained. Thus, the onboard communication device can monitor the relay unit from outside, and the management device can monitor the onboard communication device from outside. By performing such step-by-step monitoring, replacement and hacking of the relay unit can be found well, so that a reduction in the monitoring function of the control unit can be suppressed, and unauthorized access to the control unit from outside the vehicle can be suppressed. Can be prevented. Therefore, good security can be provided in the vehicle.

  (12) A monitoring program according to an embodiment of the present invention is a monitoring program used in an in-vehicle communication device mounted on a vehicle, and controls a computer between a plurality of control units capable of controlling functional units in the vehicle. A program for functioning as a relay unit that relays information, a communication unit that can communicate with a management device outside the vehicle, and a monitoring unit that performs a monitoring process that monitors the operation of the relay unit.

  With such a configuration, for example, the in-vehicle communication device can acquire the operation content of the relay unit and transmit the operation content of the in-vehicle communication device to a management device capable of monitoring at a high security level. be able to. Thus, the onboard communication device can monitor the relay unit from outside, and the management device can monitor the onboard communication device from outside. By performing such step-by-step monitoring, replacement and hacking of the relay unit can be found well, so that a reduction in the monitoring function of the control unit can be suppressed, and unauthorized access to the control unit from outside the vehicle can be suppressed. Can be prevented. Therefore, good security can be provided in the vehicle.

  (13) A monitoring program according to an embodiment of the present invention is a monitoring program used in a management device provided outside a vehicle, wherein a computer is mounted on the vehicle and can control a functional unit in the vehicle. To a relay unit that relays information between a plurality of control units, a communication unit that can communicate with an in-vehicle communication device that relays information transmitted from outside the vehicle, and a monitoring process that monitors operation of the in-vehicle communication device It is a program for functioning as a monitoring unit.

  With such a configuration, for example, the management device capable of acquiring the content of the information relayed by the in-vehicle communication device to the relay unit and capable of monitoring at a high security level is provided by the operation content of the in-vehicle communication device. Can be obtained. Thus, the onboard communication device can monitor the relay unit from outside, and the management device can monitor the onboard communication device from outside. By performing such step-by-step monitoring, replacement and hacking of the relay unit can be found well, so that a reduction in the monitoring function of the control unit can be suppressed, and unauthorized access to the control unit from outside the vehicle can be suppressed. Can be prevented. Therefore, good security can be provided in the vehicle.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the drawings, the same or corresponding portions have the same reference characters allotted, and description thereof will not be repeated. Further, at least some of the embodiments described below may be arbitrarily combined.

[Configuration and basic operation]
FIG. 1 is a diagram showing a configuration of a communication system according to an embodiment of the present invention. FIG. 2 is a diagram showing a configuration of each device mounted on the vehicle according to the embodiment of the present invention.

  Referring to FIGS. 1 and 2, monitoring system 301 includes in-vehicle communication device 101, relay unit 111, and management device 151. The monitoring system 301 may have a configuration including two or more in-vehicle communication devices 101. Further, the monitoring system 301 may be configured to include two or more relay units 111.

  The in-vehicle communication device 101 is mounted on the vehicle 1 traveling on a road. As shown in FIG. 2, the relay unit 111 and the plurality of system-specific control devices 121 are provided corresponding to the vehicle-mounted communication device 101 and mounted on the vehicle 1. The management device 151 is, for example, a server, and is provided outside the vehicle 1.

  The in-vehicle communication device 101 is, for example, a Telecommunications Communication Unit (TCU), and can perform wireless communication with the wireless base station device 161 in accordance with a communication standard such as LTE (Long Term Evolution) or 3G.

  The gateway device 171 and the wireless base station device 161 are operated by, for example, a communication company. The wireless base station device 161 transmits information received from the in-vehicle communication device 101 by wireless communication to the gateway device 171 and transmits information received from the gateway device 171 to the in-vehicle communication device 101 by wireless communication.

  The gateway device 171 connects the network 10 with a wireless communication line between the on-board communication device 101 and the wireless base station device 161.

  More specifically, the gateway device 171 transmits information received from the wireless base station device 161 to the management device 151 via the network 10, and transmits information received from the management device 151 via the network 10 to the wireless base station device 161. Send to

  The relay unit 111 is, for example, a central gateway (CGW) and can communicate with the on-board communication device 101.

  FIG. 3 is a diagram showing a configuration of a system-specific control device according to the embodiment of the present invention.

  Referring to FIG. 3, system-specific control device 121 includes a plurality of control units 122 and a plurality of function units 123.

  The system-specific control device 121 is not limited to the configuration including the plurality of control units 122, and may be a configuration including one control unit 122. The system-specific control device 121 is not limited to the configuration including the plurality of functional units 123, and may be configured to include one functional unit 123.

  2 and 3, control network 12 in vehicle 1 is, for example, a drive network, a chassis / safety network, a body / electrical network, and an AV / information network.

  An engine control unit, an AT (Automatic Transmission) control unit, and an HEV (Hybrid Electric Vehicle) control unit, which are examples of the control unit 122, are connected to the drive system network. The engine control unit, the AT control unit, and the HEV control unit respectively control the engine, the AT, and the switching between the engine and the motor, which are examples of the function unit 123.

  A brake control unit, a chassis control unit, and a steering control unit, which are examples of the control unit 122, are connected to the chassis / safety network. The brake control unit, the chassis control unit, and the steering control unit control the brake, the chassis, and the steering, which are examples of the function unit 123, respectively.

  An instrument display control unit, an air conditioner control unit, and an anti-theft control unit, which are examples of the control unit 122, are connected to the body / electrical system network. The instrument display control unit, the air conditioner control unit, and the anti-theft control unit respectively control an instrument, an air conditioner, and an anti-theft mechanism that are examples of the function unit 123.

  A navigation control unit, an audio control unit, an ETC (Electronic Toll Collection System) (registered trademark) control unit, and a telephone control unit, which are examples of the control unit 122, are connected to the AV / information network. The navigation control unit, the audio control unit, the ETC control unit, and the telephone control unit control the navigation device, the audio device, the ETC device, and the mobile phone device, which are examples of the function unit 123, respectively.

  The relay unit 111 relays information between a plurality of control units 122 that can control the function units 123 in the vehicle 1.

  More specifically, in the vehicle 1, for example, control information is periodically transmitted from one control unit 122 to another control unit 122 according to a predetermined agreement.

  Upon receiving the control information from a certain control unit 122 via the corresponding control network 12, the relay unit 111 performs a relay process of transmitting the received control information to another control unit 122 via the corresponding control network 12.

  The relay unit 111 holds, for example, an operation log LM1 and a monitoring log LS1. For example, every time relay processing is performed, the relay unit 111 writes a flag and a time stamp corresponding to the relay processing in the operation log LM1.

  The control information includes, for example, a message authentication code (MAC) for protecting integrity.

  The relay unit 111 authenticates the control information received from the control unit 122 based on the MAC, and writes, for example, an authentication process and an authentication result in the monitoring log LS1.

  Further, the relay unit 111 writes the reception status of the control information in the control unit 122 in the monitoring log LS1. More specifically, after transmitting the control information to control unit 122, relay unit 111 waits for an ACK transmitted when control unit 122 receives the control information normally. The relay unit 111 writes the reception confirmation result indicating whether or not the ACK has been received from the control unit 122 and the process of the reception confirmation to the monitoring log LS1.

  The relay unit 111 performs an abnormality process when at least one of the authentication result and the reception confirmation result indicates an abnormality. Specifically, for example, the relay unit 111 disconnects the connection with the control network 12 in which the abnormality has occurred, or causes the instrument display control unit to display the content of the abnormality.

  The relay unit 111 creates log information LA including, for example, the monitoring log LS1 and the operation log LM1, and periodically transmits the created log information LA to the in-vehicle communication device 101.

  FIG. 4 is a diagram showing a configuration of the on-vehicle communication device in the monitoring system according to the embodiment of the present invention.

  Referring to FIG. 4, in-vehicle communication device 101 includes communication processing unit (communication unit and acquisition unit) 51, monitoring unit 52, notification unit 53, and operation log creation unit 54.

  The communication processing unit 51 can communicate with the relay unit 111 and the management device 151. Further, the communication processing unit 51 relays information transmitted from outside the vehicle 1 to the relay unit 111.

  Specifically, the communication processing unit 51 receives a request for information from the relay unit 111, for example. The communication processing unit 51 transmits request information indicating the request received from the relay unit 111 to the wireless base station device 161 by performing communication with the wireless base station device 161 according to a communication standard such as LTE or 3G, for example. .

  When receiving, for example, audio information and map information from the wireless base station device 161 as a response to the request information, the communication processing unit 51 transmits the received information to the relay unit 111.

  Further, upon receiving the update information for updating the firmware of relay section 111 transmitted from wireless base station apparatus 161, for example, communication processing section 51 transmits the received update information to relay section 111.

  The communication processing unit 51 acquires, for example, the operation log LM1 of the relay unit 111 and the monitoring log LS1 based on the monitoring result of the control unit 122 by the relay unit 111. Specifically, the communication processing unit 51 receives the log information LA periodically transmitted from the relay unit 111, and outputs the received log information LA to the monitoring unit 52.

  The monitoring unit 52 performs a monitoring process SC for monitoring the operation of the relay unit 111. Specifically, the monitoring unit 52 performs the monitoring process SC based on, for example, the operation log LM1 and the monitoring log LS1 acquired by the communication processing unit 51.

  More specifically, when the monitoring unit 52 receives the log information LA from the communication processing unit 51, the monitoring unit 52 refers to the operation log LM1 included in the received log information LA, for example, sorts a time stamp for each flag, and It is checked whether the time interval indicated by the item conforms to a predetermined agreement.

  If the interval complies with a predetermined rule, the monitoring unit 52 determines that the relay unit 111 is monitoring each control unit 122 normally.

  On the other hand, if the interval does not conform to the predetermined agreement, the monitoring unit 52 determines that the relay unit 111 is not monitoring each control unit 122 normally.

  In addition, the monitoring unit 52 refers to the monitoring log LS1 included in the log information LA, and confirms, for example, whether the authentication process, the authentication result, the reception confirmation process, and the reception confirmation result are valid.

  When the authentication process, the authentication result, the reception confirmation process, and the reception confirmation result are valid, the monitoring unit 52 determines that the relay unit 111 is monitoring each control unit 122 normally.

  On the other hand, when at least one of the authentication process, the authentication result, the reception confirmation process, and the reception confirmation result is not valid, the monitoring unit 52 causes the relay unit 111 to monitor each control unit 122 normally. Judge that there is no.

  The monitoring unit 52 creates a monitoring log LS2, which is an example of information based on the result of the monitoring process SC. Specifically, the monitoring unit 52 holds, for example, a monitoring log LS2. The monitoring unit 52 writes the processing steps and results of the determination based on the operation log LM1 and the processing steps and results of the determination based on the monitoring log LS1 in the monitoring log LS2, and writes the written monitoring log LS2 to the communication processing unit 51, for example. Output periodically.

  When the monitoring unit 52 determines that the relay unit 111 is not monitoring each control unit 122 normally, the monitoring unit 52 notifies the notification unit 53 of the determination result.

  For example, when it is determined in the monitoring process SC that the relay unit 111 has an abnormality, the notification unit 53 notifies that there is an abnormality.

  Specifically, when receiving the notification of the determination result from the monitoring unit 52, the notification unit 53 notifies the user of the determination result, for example.

  More specifically, the notification unit 53 creates notification information including, for example, that the relay unit 111 is not normally monitoring each control unit 122, and transmits the created notification information via the communication processing unit 51 to the relay unit 111. Send to When receiving the notification information from the in-vehicle communication device 101, the relay unit 111 transmits the received notification information to the instrument display control unit. The instrument display control unit performs control to display the content of the notification information received from the relay unit 111 on the instrument.

  In addition, the notification unit 53 transmits the notification information to the wireless base station device 161 via the communication processing unit 51, for example, with the destination being a wireless terminal device such as a smartphone held by the user. Upon receiving the notification information from the in-vehicle communication device 101, the wireless base station device 161 transmits the received notification information directly to the wireless terminal device or transmits the received notification information via another wireless base station device 161.

  The operation log creation unit 54 creates, for example, an operation log LM2 of its own vehicle-mounted communication device 101. Specifically, the operation log creation unit 54 holds, for example, an operation log LM2. The operation log creation unit 54 monitors, for example, the communication operation of the communication processing unit 51, and writes a time stamp indicating the time at which the communication processing unit 51 receives the log information LA in the operation log LM2.

  Further, the operation log creating unit 54 writes an operation error in its own in-vehicle communication device 101 in the operation log LM2. Specifically, for example, when a communication error occurs in the communication processing unit 51, the operation log creating unit 54 writes the content of the communication error into the operation log LM2.

  The communication processing unit 51 transmits, for example, the operation log LM2 created by the operation log creation unit 54 and the monitoring log LS2 created by the monitoring unit 52 to the management device 151.

  Specifically, when receiving the monitoring log LS2 from the monitoring unit 52, the communication processing unit 51 acquires the operation log LM2 from the operation log creating unit 54, and creates log information LB including the operation log LM2 and the monitoring log LS2. . Then, the communication processing unit 51 periodically transmits the created log information LB to the management device 151.

  FIG. 5 is a diagram showing a configuration of a management device in the monitoring system according to the embodiment of the present invention.

  Referring to FIG. 5, the management device 151 includes a communication processing unit (communication unit and acquisition unit) 71, a monitoring unit 72, a restriction unit 73, and an operation log creation unit 74. The communication processing unit 71 is capable of communicating with the in-vehicle communication device 101.

  The communication processing unit 71 acquires, for example, an operation log LM2 of the in-vehicle communication device 101 and a monitoring log LS2 based on the monitoring result of the relay unit 111 by the in-vehicle communication device 101.

  Specifically, when the communication processing unit 71 receives the log information LB periodically transmitted from the in-vehicle communication device 101 via the wireless base station device 161, the gateway device 171, and the network 10, the communication processing unit 71 monitors the received log information LB. Output to the unit 72.

  The monitoring unit 72 performs a monitoring process SS for monitoring the operation of the in-vehicle communication device 101. Specifically, the monitoring unit 72 performs the monitoring process SS based on, for example, the operation log LM2 and the monitoring log LS2 acquired by the communication processing unit 71.

  More specifically, when receiving the log information LB from the communication processing unit 71, the monitoring unit 72 refers to the operation log LM2 included in the received log information LB, and for example, the time interval indicated by the time stamp is regular. Check if there is.

  If the interval is regular, the monitoring unit 72 determines that the in-vehicle communication device 101 is monitoring the relay unit 111 normally. On the other hand, if the interval is irregular, the monitoring unit 72 determines that the in-vehicle communication device 101 is not monitoring the relay unit 111 normally.

  Further, the monitoring unit 72 refers to the monitoring log LS2 included in the log information LB, and confirms the processing steps and results of the determination based on the operation log LM1, and the processing steps and results of the determination based on the monitoring log LS1.

  The monitoring unit 72 determines that the in-vehicle communication device 101 is normally monitoring the relay unit 111 when the above-described processing steps and the results are valid. On the other hand, when at least one of each of the above-described processing steps and each of the above-described results is not valid, the monitoring unit 72 determines that the in-vehicle communication device 101 is not monitoring the relay unit 111 normally.

  The monitoring unit 72 holds, for example, the monitoring log LS3, and writes, in the monitoring log LS3, the processing steps and results of the determination based on the operation log LM2, and the processing steps and results of the determination based on the monitoring log LS2.

  When determining that the in-vehicle communication device 101 is not monitoring the relay unit 111 normally, the monitoring unit 72 outputs notification information indicating the determination result to the communication processing unit 71.

  Upon receiving the notification information from the monitoring unit 72, the communication processing unit 71 transmits the notification information to the wireless terminal device held by the user via the network 10, the gateway device 171, and the wireless base station device 161, for example. Send to

  Note that the communication processing unit 71 may transmit the notification information to the relay unit 111 via the in-vehicle communication device 101. The relay unit 111 performs control to display the notification information received from the management device 151 on the instrument. Further, the communication processing unit 71 may transmit the notification information to the server managed by the company that manufactures or sells the vehicle 1 via the network 10 as a destination.

  When the monitoring unit 72 determines that the in-vehicle communication device 101 is not normally monitoring the relay unit 111, or when the determination result in the in-vehicle communication device 101 indicates that the relay unit 111 has normally monitored each control unit 122, If it indicates that the connection is not established, a connection restriction command is output to the restriction unit 73.

  For example, when it is determined in the monitoring process SS that there is an abnormality in the in-vehicle communication device 101 or the determination result in the in-vehicle communication device 101 is that the relay unit 111 does not normally monitor each control unit 122 If this indicates that the communication with the outside of the vehicle 1 by the in-vehicle communication device 101 is restricted, processing is performed.

  Specifically, upon receiving the connection restriction command from the monitoring unit 72, the restriction unit 73 restricts the information provided to the in-vehicle communication device 101 to update information, audio information, and map information according to the received connection restriction command. A communication restriction request is created and output to the communication processing unit 71.

  Upon receiving the communication restriction request from the restriction unit 73, the communication processing unit 71 transmits the received communication restriction request to the gateway device 171 via the network 10.

  Upon receiving the communication restriction request from the management device 151, the gateway device 171 restricts transmission of information other than the update information, audio information, and map information to the in-vehicle communication device 101 according to the received communication restriction request.

  The limiting unit 73 is configured to limit the type of information that the in-vehicle communication device 101 can communicate with the outside of the vehicle 1, but the configuration is not limited to this. The restriction unit 73 may be configured to block communication with the outside of the vehicle 1 by the in-vehicle communication device 101 by the gateway device 171 or the like.

  The operation log creation unit 74 creates, for example, the operation log LM3 of its own management device 151. Specifically, the operation log creation unit 74 monitors the communication operation of the communication processing unit 71, and writes a time stamp indicating the time at which the communication processing unit 71 received the log information LB in the operation log LM3.

[motion]
Each device in the monitoring system 301 includes a computer, and an arithmetic processing unit such as a CPU in the computer reads a program including a part or all of each step of the following sequence diagram or flowchart from a memory (not shown) and executes the program. . Each of the programs of the plurality of devices can be externally installed. The programs of the plurality of devices are distributed while being stored in a recording medium.

  FIG. 6 is a flowchart that defines an operation procedure when the relay unit performs the relay process in the monitoring system according to the embodiment of the present invention.

  Referring to FIG. 6, first, relay section 111 waits until the transmission timing of log information LA arrives or until control information is received from control section 122 (NO in step S102 and NO in step S104).

  Then, when receiving the control information from control unit 122 (YES in step S104), relay unit 111 authenticates the received control information (step S106).

  Next, the relay unit 111 transmits the authenticated control information to the destination control unit 122 (step S108).

  Next, the relay unit 111 writes the authentication process, the authentication result, the reception confirmation process, and the reception confirmation result into the monitoring log LS1, and writes the flag and the time stamp into the operation log LM1 (step S110).

  Next, when at least one of the authentication result and the reception confirmation result indicates an abnormality (YES in step S112), relay unit 111 performs an abnormality process (step S114).

  Next, the relay unit 111 determines whether the authentication result and the reception confirmation result indicate normal (NO in step S112), or performs an abnormal process (step S114). The process waits until appropriate control information is received from the control unit 122 (NO in step S102 and NO in step S104).

  On the other hand, when the transmission timing of the log information LA arrives (YES in step S102), the relay unit 111 transmits the log information LA including the monitoring log LS1 and the operation log LM1 to the in-vehicle communication device 101 (step S116).

  Next, the relay unit 111 waits until a new transmission timing of the log information LA arrives or the control information is received from the control unit 122 (NO in step S102 and NO in step S104).

  FIG. 7 is a flowchart that defines an operation procedure when the in-vehicle communication device performs the monitoring process of the relay unit in the monitoring system according to the embodiment of the present invention.

  Referring to FIG. 7, first, in-vehicle communication device 101 waits until the transmission timing of log information LB arrives or until log information LA is received from relay unit 111 (NO in step S202 and NO in step S204). ).

  When receiving the log information LA from the relay unit 111 (YES in step S204), the in-vehicle communication device 101 monitors the status of each control unit 122 in the relay unit 111 based on the operation log LM1 included in the received log information LA. Is determined (step S206).

  Next, the in-vehicle communication device 101 determines the monitoring state of each control unit 122 in the relay unit 111 based on the monitoring log LS1 included in the log information LA (Step S208).

  Next, the in-vehicle communication device 101 writes the process and result of the determination based on the operation log LM1 and the process and result of the determination based on the monitoring log LS1 in the monitoring log LS2, and writes the time stamp in the operation log LM2 ( Step S210).

  Next, when the in-vehicle communication device 101 determines that the relay unit 111 is not monitoring each control unit 122 normally (YES in step S212), the notification information is transmitted to the relay unit 111 and the wireless terminal device (step S212). S214).

  Next, when the in-vehicle communication device 101 determines that the relay unit 111 is not normally monitoring each control unit 122 (NO in step S212) or transmits notification information (step S214), the log information LB The process waits until the transmission timing arrives or new log information LA is received from the relay unit 111 (NO in step S202 and NO in step S204).

  On the other hand, when the transmission timing of the log information LB comes (YES in step S202), the in-vehicle communication device 101 transmits the log information LB including the monitoring log LS2 and the operation log LM2 to the management device 151 (step S216).

  Next, the in-vehicle communication device 101 waits until a new transmission timing of the log information LB arrives or the log information LA is received from the relay unit 111 (NO in step S202 and NO in step S204).

  The order of steps S206 and S208 is not limited to the above, and the order may be changed.

  FIG. 8 is a flowchart that defines an operation procedure when the management device in the monitoring system according to the embodiment of the present invention performs the monitoring processing of the vehicle-mounted communication device.

  Referring to FIG. 8, first, management device 151 waits until log information LB is received from in-vehicle communication device 101 (NO in step S302).

  Then, when receiving the log information LB from the in-vehicle communication device 101 (YES in step S302), the management device 151 monitors the monitoring state of the relay unit 111 in the in-vehicle communication device 101 based on the operation log LM2 included in the received log information LB. Is determined (step S304).

  Next, the management device 151 determines the monitoring state of the relay unit 111 in the in-vehicle communication device 101 based on the monitoring log LS2 included in the log information LB (Step S306).

  Next, the management device 151 writes the process and result of the determination based on the operation log LM2 and the process and result of the determination based on the monitor log LS2 in the monitor log LS3, and writes the time stamp in the operation log LM3 (step S308).

  Next, when determining that the in-vehicle communication device 101 is not monitoring the relay unit 111 normally (YES in step S310), the management device 151 transmits notification information to the wireless terminal device (step S312). Then, the management device 151 transmits a communication restriction request to the gateway device 171 via the network 10 (Step S314).

  On the other hand, when the management device 151 determines that the in-vehicle communication device 101 is normally monitoring the relay unit 111 (NO in step S310), the determination result in the in-vehicle communication device 101 indicates that the relay unit 111 has It is determined whether or not it indicates that the monitoring is not normally performed (step S316).

  When the determination result in the in-vehicle communication device 101 indicates that the relay unit 111 is not monitoring each control unit 122 normally (YES in step S316), the management device 151 sends a communication restriction request to the gateway device via the network 10. 171 (step S314).

  In addition, when the management apparatus 151 determines that the determination result in the in-vehicle communication device 101 indicates that the relay unit 111 is normally monitoring each control unit 122 (NO in step S316) or transmits a communication restriction request ( Step S314), and waits until the log information LB is received from the in-vehicle communication device 101 (NO in step S302).

  The order of steps S304 and S306 is not limited to the above, and the order may be changed.

  In the monitoring system according to the embodiment of the present invention, the relay unit 111 is provided outside the in-vehicle communication device 101, but the present invention is not limited to this. The relay unit 111 may be provided inside the vehicle-mounted communication device 101.

  Further, in the in-vehicle communication device according to the embodiment of the present invention, the monitoring unit 52 is configured to perform the monitoring process SC based on the monitoring log LS1 and the operation log LM1, but is not limited thereto. The monitoring unit 52 may be configured to directly monitor the operation of the relay unit 111 without using these logs, or to perform the monitoring process SC based on one of the monitoring log LS1 and the operation log LM1. It may be.

  Further, in the in-vehicle communication device according to the embodiment of the present invention, the monitoring unit 52 is configured to create the monitoring log LS2, but the configuration is not limited to this. The monitoring unit 52 may be configured not to create the monitoring log LS2.

  Further, in the in-vehicle communication device according to the embodiment of the present invention, the operation log creating unit 54 is configured to create the operation log LM2, but the configuration is not limited to this. The operation log creation unit 54 may be configured not to create the operation log LM2.

  In the management device according to the embodiment of the present invention, the monitoring unit 72 is configured to perform the monitoring process SS based on the monitoring log LS2 and the operation log LM2. However, the configuration is not limited to this. The monitoring unit 72 may be configured to directly monitor the operation of the in-vehicle communication device 101 without using these logs, or perform the monitoring process SS based on one of the monitoring log LS2 and the operation log LM2. It may be a configuration.

  Further, some or all of the functions of the management device according to the embodiment of the present invention may be provided by cloud computing. That is, the management device according to the embodiment of the present invention may be configured by a plurality of cloud servers and the like.

  Meanwhile, Patent Literature 1 discloses a configuration in which a gateway ECU in a vehicle-mounted network system has a function of a communication protocol issuing device and monitors a vehicle-mounted control device.

  Such a gateway ECU may be replaced with a fraudulent ECU that can be spoofed. If the gateway ECU can communicate with the outside of the vehicle, the gateway ECU may be hacked and the firmware of the gateway ECU may be rewritten.

  In such a case, the monitoring function for the in-vehicle control device is deteriorated, and unauthorized access to the in-vehicle control device from outside the vehicle becomes possible.

  On the other hand, the on-vehicle communication device according to the embodiment of the present invention is mounted on vehicle 1. The communication processing unit 51 can communicate with the relay unit 111 that relays information between the plurality of control units 122 that can control the function unit 123 in the vehicle 1 and the management device 151 outside the vehicle 1. Then, the monitoring unit 52 performs a monitoring process SC for monitoring the operation of the relay unit 111.

  With such a configuration, for example, the operation of the in-vehicle communication device 101 can be acquired by the management device 151 that can acquire the operation content of the relay unit 111 and can perform monitoring at a high security level. Content can be sent. Thus, the in-vehicle communication device 101 can monitor the relay unit 111 from outside, and the management device 151 can monitor the in-vehicle communication device 101 from outside. By performing such step-by-step monitoring, replacement and hacking of the relay unit 111 can be found satisfactorily, so that a reduction in the monitoring function for the control unit 122 is suppressed and a control unit from outside the vehicle 1 is controlled. Unauthorized access to the device 122 can be prevented. Therefore, good security can be provided in the vehicle.

  In the vehicle-mounted communication device according to the embodiment of the present invention, communication processing unit 51 acquires operation log LM1 of relay unit 111. Then, the monitoring unit 52 performs the monitoring process SC based on the operation log LM1 acquired by the communication processing unit 51.

  With such a configuration, for example, an operation or the like in the relay unit 111 that does not comply with a predetermined agreement can be found from the operation log LM1, so that it is possible to correctly recognize whether or not the relay unit 111 is performing a normal operation. Can be.

  Further, in the in-vehicle communication device according to the embodiment of the present invention, the communication processing unit 51 acquires the monitoring log LS1 based on the monitoring result of the control unit 122 by the relay unit 111. Then, the monitoring unit 52 performs the monitoring process SC based on the monitoring log LS1 acquired by the communication processing unit 51.

  With such a configuration, for example, the relay unit 111 can recognize the authentication status and the transmission / reception status of data exchanged with the control unit 122 from the monitoring log LS1, so that the relay unit 111 appropriately monitors the control unit 122. It can be correctly recognized whether or not.

  Further, in the in-vehicle communication device according to the embodiment of the present invention, when it is determined in the monitoring process SC that the relay unit 111 has an abnormality, the notification unit 53 notifies that there is an abnormality.

  With such a configuration, for example, it is possible to notify the user of the abnormality of the relay unit 111 or to transmit information indicating the abnormality of the relay unit 111 to another device. It is possible to prompt the user to replace the relay unit with the relay unit and to update the firmware of the hacked relay unit 111.

  In the in-vehicle communication device according to the embodiment of the present invention, communication processing unit 51 transmits information based on the result of monitoring process SC to management device 151.

  With such a configuration, it is possible to confirm in the management device 151 whether the monitoring process SC of the relay unit 111 by the in-vehicle communication device 101 is valid, and thus the security of the in-vehicle communication device 101 can be enhanced.

  Further, in the in-vehicle communication device according to the embodiment of the present invention, the operation log creating unit 54 creates the operation log LM2 of the in-vehicle communication device 101. Then, the communication processing unit 51 transmits the operation log LM2 created by the operation log creation unit 54 to the management device 151.

  With such a configuration, an abnormal monitoring operation of the relay unit 111 by the in-vehicle communication device 101 can be found in the operation log LM2 in the management device 151. Therefore, it is determined whether the in-vehicle communication device 101 is monitoring the relay unit 111 correctly. Can be confirmed. Thereby, the security of the in-vehicle communication device 101 can be enhanced.

  Further, the management device according to the embodiment of the present invention is provided outside vehicle 1. The communication processing unit 71 relays information transmitted from outside the vehicle 1 to a relay unit 111 that is mounted on the vehicle 1 and relays information between a plurality of control units 122 that can control the functional units 123 in the vehicle 1. It can communicate with the in-vehicle communication device 101. Then, the monitoring unit 72 performs a monitoring process SS for monitoring the operation of the in-vehicle communication device 101.

  With such a configuration, for example, the management device 151 capable of acquiring the content of the information relayed by the in-vehicle communication device 101 to the relay unit 111 and capable of monitoring at a high security level is provided by the in-vehicle communication device. 101 can be acquired. Thus, the in-vehicle communication device 101 can monitor the relay unit 111 from outside, and the management device 151 can monitor the in-vehicle communication device 101 from outside. By performing such step-by-step monitoring, replacement and hacking of the relay unit 111 can be found satisfactorily, so that a reduction in the monitoring function for the control unit 122 is suppressed and a control unit from outside the vehicle 1 is controlled. Unauthorized access to the device 122 can be prevented. Therefore, good security can be provided in the vehicle.

  In the management device according to the embodiment of the present invention, communication processing unit 71 acquires operation log LM2 of in-vehicle communication device 101. Then, the monitoring unit 72 performs the monitoring process SS based on the operation log LM2 acquired by the communication processing unit 71.

  With such a configuration, an abnormal monitoring operation of the relay unit 111 by the in-vehicle communication device 101 can be found from the operation log LM2. Therefore, it is confirmed whether the in-vehicle communication device 101 is correctly monitoring the relay unit 111. be able to. Thereby, the security of the in-vehicle communication device 101 can be enhanced.

  In the management device according to the embodiment of the present invention, communication processing unit 71 acquires monitoring log LS2 based on the result of monitoring of relay unit 111 by in-vehicle communication device 101. Then, the monitoring unit 72 performs the monitoring process SS based on the monitoring log LS2 acquired by the communication processing unit 71.

  With such a configuration, it is possible to confirm whether or not the monitoring processing SC of the relay unit 111 by the in-vehicle communication device 101 is legitimate, so that the security of the in-vehicle communication device 101 can be enhanced.

  Further, in the management device according to the embodiment of the present invention, when the monitoring unit SS determines that the in-vehicle communication device 101 has an abnormality, the restriction unit 73 performs communication with the outside of the vehicle 1 using the in-vehicle communication device 101. Is performed.

  With such a configuration, for example, information for illegally controlling the control unit 122 in the vehicle 1 from the outside can be prevented from being relayed to the relay unit 111, so that the relay unit 111 can be replaced and hacked. Even in the case of damage, the damage can be reduced.

  The above embodiment is to be considered in all respects as illustrative and not restrictive. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

  The above description includes the features described below.

[Appendix 1]
An in-vehicle communication device mounted on a vehicle,
A relay unit that relays information between a plurality of control units that can control the functional units in the vehicle, and a communication unit that can communicate with a management device outside the vehicle,
A monitoring unit that performs a monitoring process for monitoring the operation of the relay unit,
The in-vehicle communication device is a TCU (Telematics Communication Unit),
The management device is a server,
The relay unit is a CGW (Central Gateway), and is connected to a first control network and a second control network.
The relay unit receives control information from a first control unit via the first control network, and transmits the received control information to a second control unit via the second control network. Do the processing,
The monitoring unit is to monitor the relay process in the relay unit,
The in-vehicle communication device, wherein the communication unit is capable of communicating with the management device according to a long term evolution (LTE) or 3G communication standard.

[Appendix 2]
A management device provided outside the vehicle,
A communication unit mounted on the vehicle and capable of communicating with a vehicle-mounted communication device that relays information transmitted from outside the vehicle to a relay unit that relays information between a plurality of control units that can control functional units in the vehicle. When,
A monitoring unit that performs a monitoring process for monitoring the operation of the vehicle-mounted communication device,
The management device is a server,
The relay unit is a CGW, and a first control network and a second control network are connected;
The relay unit receives control information from the first control unit via the first control network, and transmits the received control information to the second control unit via the second control network;
The in-vehicle communication device is a TCU,
The management device, wherein the communication unit is capable of communicating with the in-vehicle communication device according to an LTE or 3G communication standard.

1 vehicle 10 network 12 control network 51 communication processing unit (communication unit and acquisition unit)
52 monitoring unit 53 notification unit 54 operation log creation unit 71 communication processing unit (communication unit and acquisition unit)
72 monitoring unit 73 limiting unit 74 operation log creating unit 101 in-vehicle communication device 111 relay unit 121 system-specific control device 122 control unit 123 function unit 151 management device 161 wireless base station device 171 gateway device 301 monitoring system

Claims (13)

An in-vehicle communication device mounted on a vehicle,
A relay unit that relays information between a plurality of control units that can control the functional units in the vehicle, and a communication unit that can communicate with a management device outside the vehicle,
A vehicle-mounted communication device comprising: a monitoring unit that performs a monitoring process that monitors an operation of the relay unit. The in-vehicle communication device further includes:
An acquisition unit that acquires an operation log of the relay unit,
The vehicle-mounted communication device according to claim 1, wherein the monitoring unit performs the monitoring process based on the operation log acquired by the acquisition unit. The in-vehicle communication device further includes:
An acquisition unit that acquires a monitoring log based on a monitoring result of the control unit by the relay unit,
The in-vehicle communication device according to claim 1, wherein the monitoring unit performs the monitoring process based on the monitoring log acquired by the acquisition unit. The in-vehicle communication device further includes:
4. The in-vehicle communication device according to claim 1, further comprising: a notification unit that notifies the relay unit that there is an abnormality when the relay unit is determined to be abnormal in the monitoring process. 5.   The in-vehicle communication device according to any one of claims 1 to 4, wherein the communication unit transmits information based on a result of the monitoring process to the management device. The in-vehicle communication device further includes:
A log creating unit that creates an operation log of the in-vehicle communication device of the self,
The in-vehicle communication device according to any one of claims 1 to 5, wherein the communication unit transmits the operation log created by the log creation unit to the management device. A management device provided outside the vehicle,
A communication unit mounted on the vehicle and capable of communicating with a vehicle-mounted communication device that relays information transmitted from outside the vehicle to a relay unit that relays information between a plurality of control units that can control functional units in the vehicle. When,
A monitoring unit that performs a monitoring process for monitoring the operation of the on-vehicle communication device. The management device further includes:
An acquisition unit for acquiring an operation log of the in-vehicle communication device,
The management device according to claim 7, wherein the monitoring unit performs the monitoring process based on the operation log acquired by the acquisition unit. The management device further includes:
An acquisition unit that acquires a monitoring log based on a monitoring result of the relay unit by the in-vehicle communication device,
The management device according to claim 7, wherein the monitoring unit performs the monitoring process based on the monitoring log acquired by an acquiring unit. The management device further includes:
10. The monitoring device according to claim 7, further comprising a restriction unit configured to perform a process of restricting communication with the outside of the vehicle by the in-vehicle communication device when it is determined in the monitoring process that the in-vehicle communication device is abnormal. The management device according to claim 1. A management method in a management device provided outside the vehicle,
A step of communicating with an in-vehicle communication device that relays information transmitted from outside the vehicle to a relay unit that is mounted on the vehicle and relays information between a plurality of control units that can control a functional unit in the vehicle;
Performing a monitoring process for monitoring the operation of the in-vehicle communication device. A monitoring program used in a vehicle-mounted communication device mounted on a vehicle,
Computer
A relay unit that relays information between a plurality of control units that can control the functional units in the vehicle, and a communication unit that can communicate with a management device outside the vehicle,
A monitoring unit that performs a monitoring process for monitoring the operation of the relay unit;
A monitoring program to function as A monitoring program used in a management device provided outside the vehicle,
Computer
A communication unit mounted on the vehicle and capable of communicating with a vehicle-mounted communication device that relays information transmitted from outside the vehicle to a relay unit that relays information between a plurality of control units that can control functional units in the vehicle. When,
A monitoring unit that performs a monitoring process for monitoring the operation of the vehicle-mounted communication device,
A monitoring program to function as

Images