JP6751049B2 - Profile creation system, profile creation method, profile creation program, and detection device - Google Patents

Description

The present invention relates to a system, a method and a program for creating a profile that characterizes driving behavior of each vehicle, and an apparatus for detecting a difference between drivers.

In recent years, research on self-driving vehicles has advanced, and it is expected that many vehicles will autonomously drive in the future. However, since these vehicles are connected to a network, there is a risk of a security vulnerability that vehicles are remotely operated via the network.
Therefore, an intrusion detection system based on DNN (Deep Neural Networks) (for example, refer to Non-Patent Document 1), a method for strengthening a communication protocol to make it difficult for an attacker to intrude (for example, refer to Non-Patent Document 2), etc. Proposed.

Min-Joo Kang et al. , "Intrusion Detection System Using Deep Neural Network for In-Vehicle Network Security", PLOS ONE Journal, Published June 7, 20,. Miller et al. , "Remote Exploitation of an Unaltered Passenger Vehicle", DEFCON 23, Las Vegas, Nevada, August 1-6, 2015. Meiring, Gys Albertus Martinus, and Hermanus Carel Myburgh. "A review of intelligent driving style analysis systems and related artificial intelligence algorithms." Sensors 15.12 (2015): 30653-30682.

However, even with the above-mentioned proposed technique, it is difficult to completely prevent unauthorized intrusion by an attacker, and a means for detecting that the vehicle has actually been hijacked is desired.
When a person is driving a vehicle, it is known that the driver can be identified by analyzing the driving operation of the driver because there are variations in the operating methods such as steering, accelerator, and brake depending on the driver. See Patent Document 3). Therefore, it is possible to detect that the driver is different depending on the difference from the normal profile for each vehicle.
However, when the vehicle is automatically driven by computer control, the optimized driving operation is shared for each vehicle, and therefore may be imitated by an attacker. As a result, it becomes difficult to detect that the self-driving vehicle has been hijacked.

It is an object of the present invention to provide a profile creating system, a profile creating method and a profile creating program that can create a profile of a different driving operation for each automatically driven vehicle, and a detection device that can detect an attack.

A profile creation system according to the present invention observes a state transition of a vehicle based on a first conversion unit that converts an input signal to an actuator that controls a driving operation of a vehicle by an operation including a random value, and sensor information. And a generation unit that generates a first profile that indicates the characteristics of the driving operation of each of the vehicles.

The first conversion unit may correct the signal value obtained by the calculation within a predetermined range.

The first conversion unit may periodically update the random value.

The profile creation system includes a second conversion unit that performs an inverse conversion of the calculation on the sensor information, and the generation unit changes the state of the vehicle based on the information converted by the second conversion unit. May be observed and the second profile may be generated.

The detection device according to the present invention includes a detection unit that detects a change in driving operation of the vehicle based on a change over time in the first profile created by the profile creation system.

The detection device according to the present invention detects a change in driving operation of the vehicle based on the change over time of the first profile and the change over time of the second profile created by the profile creation system.

A profile creating method according to the present invention includes a first conversion step of converting an input signal to an actuator for controlling a driving operation of a vehicle by a calculation including a random value, and observing a state transition of the vehicle based on sensor information. And a generating step of generating a first profile indicating a characteristic of the driving operation of each of the vehicles.

A profile creation program according to the present invention observes a state transition of the vehicle based on a first conversion step of converting an input signal to an actuator for controlling a driving operation of the vehicle by an operation including a random value, and sensor information. And a generation step of generating a first profile that indicates the characteristics of the driving operation of each of the vehicles.

According to the present invention, in order to detect an attack on a vehicle that is automatically driven, it is possible to create a profile of a driving operation that differs for each vehicle.

It is a figure which shows the structure of the detection system which concerns on embodiment. It is a figure which shows an example of a different profile for every vehicle which concerns on embodiment. It is a figure which shows the flow of the detection method of the attack which concerns on embodiment. It is a figure explaining the comparison process of the profile which concerns on embodiment.

Hereinafter, an example of the embodiment of the present invention will be described.
FIG. 1 is a diagram showing a configuration of a detection system 1 according to this embodiment.
The detection system 1 includes a vehicle 2 connected to a communication network and a monitoring device 3. The vehicle 2 and the monitoring device 3 function as a profile creation system, and the monitoring device 3 functions as an attack detection device.
The arrangement of each functional unit in the detection system 1 is not limited, and the monitoring device 3 may be built in the vehicle 2.

The vehicle 2 includes a controller 20 that controls various actuators related to driving operation.
The controller 20 generates an input signal to the actuator based on the outputs from various sensors provided in the vehicle. The controller 20 has a standard control model 21 based on a computer program, and further includes a conversion unit 22 (first conversion unit) that converts the output of the standard control model 21. The output of the conversion unit 22 becomes the actual input signal to the actuator.

The conversion unit 22 converts an input signal to the actuator that controls the driving operation of the vehicle 2 by calculation including a random value.
Specifically, the calculation of the conversion unit 22 is represented by a function T() having a random value RFεR ⁿ (R ⁿ is a real number field) as an argument.
As a result, the output of the standard control model 21 is converted into an output having a certain range of variation even in the same driving operation.

Further, the conversion unit 22 corrects the signal value obtained by the calculation within a predetermined range. As a result, the controller 20 changes the input to the actuator for each vehicle and keeps the driving operation within a safe range.

Here, the random value RF differs for each vehicle or each actuator (module). As a result, the characteristics of the driving operation are different for each vehicle, and it is possible to identify each.
Further, it is desirable that the random value RF is generated by, for example, a pseudo-random function or the like, and that it is periodically updated for security.

The monitoring device 3 is a server that can communicate with the vehicle 2 or an information processing device mounted on the vehicle 2, and includes a sensor information database (DB) 31, a profile database 32, and an inverse conversion unit 33 (second conversion unit). And a generation unit 34 and a detection unit 35.

The sensor information database 31 stores various sensor information acquired from the vehicle 2.
The profile database 32 stores the profile for each vehicle generated by the generation unit 34 based on the sensor information.

The inverse conversion unit 33 performs an inverse conversion of the operation performed by the conversion unit 22, that is, an inverse function T′() of the function T() on the sensor information. As a result, the state transition due to the output of the standard control model 21 before conversion is reproduced.

The generation unit 34 observes the state transition of the vehicle 2 based on the sensor information, generates the first profile indicating the characteristics of the driving operation of each vehicle 2, and stores the first profile in the profile database 32.
Further, the generation unit 34 observes the state transition of the vehicle 2 based on the information converted by the inverse conversion unit 33, generates the second profile, and stores it in the profile database 32.

The detection unit 35 detects a change in driving operation of the vehicle 2 based on the change over time in the first profile. That is, the detection unit 35 compares the first profile generated in the steady state that is not attacked with the newly generated first profile, and when a change more than a predetermined value is recognized, Detect that different people.

Further, the detection unit 35 detects a change in the driving operation of the vehicle 2 based on the change over time in the second profile. That is, the detection unit 35 compares the second profile generated in the steady state that is not attacked with the newly generated second profile, and when a change more than a predetermined value is recognized, Detect that different people.

Next, the processing contents of profile creation and attack detection by the detection system 1 will be described in detail.
[Control model]
First, the control model of the vehicle 2 by the controller 20 is defined as follows.

When the set of sensor outputs is S, the sensor output for determining the input to the i-th actuator (module) is a subset S ⁱ ⊆ S. Here, the sensor output at time _t is represented as S ⁱ _t .

When the set of values that can be taken as an input signal to the actuator is A, the value of the signal that can be input to the i-th actuator is expressed as a subset A ⁱ ⊆ A. Here, the input to the actuator at time _t is represented by A ⁱ _t .

The driver of the vehicle 2 is D. The driver D is assumed to be a person or a machine, but in the present embodiment, the standard control model 21 for automatic driving corresponds.

Each action is represented by an element action ⁱ εAction ⁱ , where Action ⁱ is a set of possible actions of the i-th actuator. Here, the operation of the i-th actuator at time t, denoted as action ⁱ _t ∈Action ^i.

If the set of possible states of the i-th actuator is State ⁱ , the observed state is represented by the element state ⁱ εState ⁱ . Here, the state of the i-th actuator at time t, denoted as state ⁱ _t ∈State ^i.

In the standard control model 21, the process of calculating the input to the actuator is represented by the function C ₁ (). Function _C 1 () is the sensor output ^S _{i t} at time t, the state of the actuator state ⁱ _t, and the operation action ⁱ _t as an argument, as an input to the i-th actuator at time _t, C 1 ^(S _{i t} , state ⁱ _t, and outputs the ^{_{action i t) = a i t}} .

In the vehicle 2, the conversion from the input to the actuator to the motion is represented by the function C ₂ (). Function _C 2 () is the input ^A _{i t} to the actuator as an argument at time t, the operation _C 2 changing the state state ⁱ _t at time t in state state ⁱ _t2 at time _{t 2 ^(A i} t) = to output the action ⁱ _t.

For each operation ∀action ⁱ εAction ⁱ of the actuator, the range of the input aεA ⁱ for which the safety of the vehicle 2 is ensured is defined as aεSafe _action(i) . That is, aε Safe _action(i) is allowed as an input of the function C ₂ () for safety.

Converted from A ⁱ _t by the conversion unit 22, the signal input actually the actuator is defined as R ⁱ _t.
Here, the conversion process is represented by a function T(A ⁱ _t , RF)=R ⁱ _t having A ⁱ _t and a random value RFεR ⁿ as arguments.
The inverse function of T() is T′(R ⁱ _t , RF)=A ⁱ _t . The random value RF as an argument is common to T() and T'().

The state transition associated with the motion action ⁱ of the i-th actuator at time T={t ₀ , t ₁ ,..., T _n } is _expressed as L ^action(i) _T ={state ⁱ _t0 ,..., State ⁱ _tn }.
Further, a set of state transitions L ^action(i) _T by the same driver _D is represented as L ^action(i) _D.

The process of generating a profile based on the state transition of the same driver D is represented by a function P(). That is, the profile of the driver D who performs the driving action action ⁱ on the i-th actuator is P(L ^action(i) _D )=profile ^action(i) _D.

[Create Profile]
By the control model defined in this way, the profile of each vehicle 2 is generated as follows.

A series of inputs Seq ^action(i) _state(i) ={A ⁱ _t1 , A ⁱ _t2 ,..., A ⁱ _tn } to the actuator generated by the function C ₁ () of the standard control model 21 is a function. It is represented by C ₂ () as an action action ⁱ and a state state ⁱ of the actuator at time t _n .
When a series of inputs to the actuator is converted by the function T() using the random value RF by the conversion unit 22, TSeq ^action(i) _state(i) ={R ⁱ _t1 , R ⁱ _t2 ,... ., R ⁱ _tn }.

The standard actuator input Seq ^action(i) _state(i) before conversion causes the state transition L ^action(i) _T , but the converted actuator input TSeq ^action(i) _state(i) changes state. TL ^action(i) produces _T. Here, L ^action(i) _T ≠TL ^action(i) _T.

According to the driver D based on the conversion before the standard control model 21, the state transition of the actuator performing the action i are L action (i) D, state transition of the actuator according to the converted driver D R is L action (I) Represented as D(R) .
In this case, the profile of the driver D R (first profile) P (L action (i) D (R)) is a profile P of a standard driver D (L action (i) D ), are different ..

FIG. 2 is a diagram showing an example of a different profile for each vehicle 2 according to this embodiment.
This example shows a difference in line drawing when the vehicle 2 turns right at an intersection.
For example, it is assumed that the vehicle 2 is traveling in the direction from B to E. The vehicle 2 approaching the intersection turns right and changes its course from H to C.

At this time, an operation area Safe _{action (i)} for safely making a right turn is set. There are a plurality of turning paths that the vehicle 2 can take within this region, such as V ₁ , V ₂ , and V ₃ . These differences in behavior are caused by a change in the input to the actuator based on the random value RF by the conversion unit 22.

The difference in behavior of the vehicle 2 is that, in addition to this example, in various scenes of driving operation, inputs to various actuators such as the rotation angle and speed of the steering wheel, the pressing force of the brake and the accelerator are determined for each vehicle 2. It is caused by variation due to the random value RF.

[Attack detection]
FIG. 3 is a diagram showing a flow of an attack detection method by the monitoring device 3 according to the present embodiment.
It is assumed that the sensor information database 31 stores sensor data transmitted from the vehicle 2. Further, the profile database 32 stores the profile of each vehicle 2 generated by the generation unit 34 based on the sensor information.
At this time, the second profile showing the characteristics of the standard control model 21 restored by the inverse conversion unit 33 may be stored together with the first profile showing the driving characteristics converted by the different random value RF for each vehicle 2.

In step S<b>1, the detection unit 35 extracts the latest sensor information from the sensor information database 31.
This step is executed periodically or at a predetermined timing according to specific conditions.

In step S2, the detection unit 35 analyzes the driving operation.
The detection unit compares the profile stored in the profile database 32 with the profile generated based on the latest sensor information to determine whether the drivers match or mismatch.
Here, when the profiles match, the detecting unit 35 determines the predetermined cycle or condition in step S3 to detect the next analysis timing, and proceeds to step S1.

FIG. 4 is a diagram illustrating profile comparison processing by the monitoring device 3 according to the present embodiment.
When the first profile is generated by the generation unit 34 based on the sensor information stored in the sensor information database 31, the detection unit 35 compares the first profile with the first profile stored in the profile database 32 to determine whether they match or do not match. To judge.

When the inverse function T′() can be defined for the sensor information stored in the sensor information database 31, the inverse conversion unit 33 restores the sensor information to a value based on the original standard control model 21. .. When the second profile is generated by the generation unit 34 based on the sensor information after the inverse conversion, the detection unit 35 compares the second profile with the second profile stored in the profile database 32 to determine whether they match or do not match. ..

In step S4, the detection unit 35 determines whether or not the profile inconsistency in step S2 is caused by switching from automatic operation to manual operation.
Specifically, when a profile showing characteristics of a person driving is created in advance, the detection unit 35 determines whether or not it is a remote hijack attack by comparison with this profile. ..

In step S5, the detection unit 35 determines whether or not the driver's transition has been performed safely. When shifting from automatic driving to manual driving by a legitimate driver, the state of the vehicle 2 is considered to transition within a safe predetermined range. On the other hand, when shifting to manual or automatic driving by an unauthorized attacker, the state of the vehicle 2 is highly likely to transit outside this range. Thereby, the detection unit 35 can detect the possibility of an attack.
Note that this determination is not limited to the case where the profiles do not match, and may be performed.

In step S6, the detection unit 35 integrates the results of steps S2, S4, and S5 and outputs an alarm indicating that an attack has occurred.

According to the present embodiment, the detection system 1 converts the output from the standard control model 21 by a calculation including the random value RF, and thereby the input signal to the actuator that controls the driving operation of the vehicle 2 is converted into the vehicle 2 Different for each. As a result, the detection system 1 can create different driving operation profiles for each vehicle 2 in order to detect attacks on a plurality of automatically driven vehicles 2 that share the standard control model 21.

The detection system 1 corrects the signal value obtained by the conversion unit within a predetermined range, thereby ensuring a safe behavior of the vehicle 2 and creating a different profile for each vehicle 2.

The detection system 1 can create the second profile of the driving operation corresponding to the control by the standard control model 21 before conversion by inversely converting the sensor information, and can be used as a comparison target for attack detection together with the first profile. it can.

By regularly updating the random value, the detection system 1 can make it difficult for an attacker to imitate, and can further improve the security against attacks.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments. In addition, the effects described in the present embodiment are merely the most preferable effects produced by the present invention, and the effects according to the present invention are not limited to those described in the present embodiment.

In the present embodiment, the inverse transformation unit 33 calculates the function T′(), which is an inverse transformation, on the sensor information obtained from the vehicle 2. However, when the input signal itself to the actuator can be obtained, The output of the standard control model 21 may be more accurately restored by performing an operation on this input signal.

The profile creation and attack detection method by the detection system 1 is realized by software. When implemented by software, a program forming the software is installed in an information processing device (computer). Also, these programs may be recorded on a removable medium such as a CD-ROM and distributed to users, or may be distributed by being downloaded to users' computers via a network. Further, these programs may be provided to the user's computer as a Web service via the network without being downloaded.

1 Detection system (profile creation system)
2 Vehicle 3 Monitoring device (detection device)
20 controller 21 standard control model 22 converter (first converter)
31 sensor information database 32 profile database 33 inverse conversion unit (second conversion unit)
34 generation unit 35 detection unit

Claims (8)

A first conversion unit that converts an input signal to an actuator that controls a driving operation of a vehicle by an operation including a random value determined for each vehicle ;
A profile creation system including: a generation unit that observes a state transition of the vehicle based on sensor information and generates a first profile that indicates characteristics of driving operation of each of the vehicles. The profile creation system according to claim 1, wherein the first conversion unit corrects the signal value obtained by the calculation within a predetermined range. The profile creation system according to claim 1 or 2, wherein the first conversion unit periodically updates the random value. A second conversion unit that performs an inverse conversion of the calculation on the sensor information,
The profile generation system according to claim 1, wherein the generation unit observes a state transition of the vehicle based on the information after conversion by the second conversion unit and generates a second profile. A detection device comprising a detection unit that detects a change in driving operation of the vehicle based on a change over time in the first profile created by the profile creation system according to claim 1. A detection device comprising a detection unit that detects a change in driving operation of the vehicle based on a change over time of the first profile and a change over time of the second profile created by the profile creation system according to claim 4. A first conversion step of converting an input signal to an actuator for controlling a driving operation of a vehicle by an operation including a random value determined for each vehicle ,
A generation step of observing a state transition of the vehicle based on sensor information and generating a first profile showing a characteristic of a driving operation of each of the vehicles, the computer creating a profile generation method. A first conversion step of converting an input signal to an actuator for controlling a driving operation of a vehicle by an operation including a random value determined for each vehicle ,
A profile creation program for causing a computer to execute a generation step of observing a state transition of the vehicle based on sensor information and generating a first profile showing a characteristic of a driving operation of each of the vehicles.

Images