WO2017038351A1 - Onboard network device - Google Patents

Publication number
WO2017038351A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
vehicle
state
monitoring
communication
Application number
PCT/JP2016/072719
Other languages
French (fr)
Japanese (ja)
Inventor
松本 典剛
本多 豊太
中西 一弘
敏史 大塚
Original Assignee
日立オートモティブシステムズ株式会社
Application filed by 日立オートモティブシステムズ株式会社

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/023 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
    • B60W CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00 Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02 Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/04 Monitoring the functioning of the control system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Definitions

  • The present invention relates to an in-vehicle control device and a network device mounted on an automobile or the like.
  • JP 2013-131907 A (Patent Document 1) is an example of this technical field.
  • It describes that the vehicle network 6 is provided with a monitoring in-vehicle control device that detects illegal data by monitoring the data communication format defined for operating the communication protocol, and that, when the monitoring in-vehicle control device detects illegal data that differs from the specified communication format, it performs processing for sending warning information to each in-vehicle control device and processing for prohibiting the gateway from routing the illegal data.
  • Intrusion of illegal data is detected when error frames exceeding the set number of transmissions are transmitted. It is monitored whether the number of transmitted error frames exceeds the number of abnormalities (for example, 150 times) that is the criterion for the occurrence of an abnormality.
  • When the threshold value for determination is fixed at a specific value, it cannot be guaranteed that the set value is always optimal when performing complex control according to the situation, such as in automatic driving.
  • The present invention has been made in view of such a situation, and provides a means for detecting illegal data without increasing the data processing load in the in-vehicle device, even when complex control is performed as in automatic driving.
  • An in-vehicle network device that performs data communication between a plurality of in-vehicle devices includes a state acquisition unit that acquires the state of the host vehicle and a communication monitoring unit that monitors the data, and the data monitoring method is changed based on the state of the host vehicle.
  • According to the present invention, it is possible to reduce the processing load for detecting unauthorized data on the in-vehicle network.
  • Security measures corresponding to complicated vehicle control and diversified in-vehicle networks are possible with a simple configuration, without requiring dedicated hardware.
  • Embodiments for carrying out the present invention (hereinafter referred to as “embodiments”) will be described in detail with reference to the drawings as appropriate.
  • Although the present embodiment mainly describes a control device and a network device in an in-vehicle system of an automobile, application to systems other than in-vehicle systems is not precluded.
  • The in-vehicle network device 1 includes a communication monitoring unit 2, a state acquisition unit 3, and a determination method setting unit 4.
  • Like the other ECUs 5, the in-vehicle network device 1 has an arithmetic device such as a CPU (central processing unit), storage devices such as nonvolatile memory and volatile memory, and a communication interface for connecting to the network 6, and has a function of communicating with other ECUs 5 via the network 6.
  • The three ECUs 5 are connected to each other via the two networks 6, but the types and number of the networks 6 and ECUs 5 to be connected are not particularly limited.
  • Types of the network 6 include, for example, wired networks such as CAN, Ethernet (registered trademark), FLEXRAY (registered trademark), LIN (Local Interconnect Network), and MOST (registered trademark), and wireless networks such as wireless LAN, Bluetooth (registered trademark), and mobile phone networks.
  • The communication monitoring unit 2 has a function of monitoring data passing through the network 6 and changing the communication monitoring method according to the vehicle state acquired by the state acquisition unit 3, described later. Details of the communication monitoring method will be described later. Further, the communication monitoring unit 2 includes a communication determination unit 7 and has a function of determining whether there is an abnormality in data passing through the in-vehicle network device 1 via the network 6, according to the determination method set by the determination method setting unit 4. In addition, when an abnormality is detected in the data, it may have a function of preventing the data from passing through.
  • The state acquisition unit 3 has a function of acquiring one of the control state of the own vehicle, the automatic driving state, the driver's state, the surrounding environmental state, and the communication state with the outside of the vehicle as the own vehicle state.
  • The control state is information indicating what kind of control is being performed by the in-vehicle devices of the own vehicle. It may be information regarding the traveling state of the vehicle, such as traveling or stopped, or information indicating what kind of control data processing the in-vehicle device is performing. For example, it may indicate at which of the ASIL levels (A to D), an index of functional safety, control processing is being executed.
  • Information related to internal processing of the in-vehicle device, such as whether the program of the ECU is being rewritten by OTA (Over The Air) or the like, may also be used.
  • The automatic driving state indicates whether the vehicle is currently in manual driving or automatic driving and, in the case of automatic driving, the driving mode.
  • Driving modes include ACC (Adaptive Cruise Control), lane change, leading vehicle tracking, lane maintenance support, automatic parking, and the like.
  • The driver's state includes the driver's personal identification information, arousal state, health state, operation state, and the like.
  • The operation state is, for example, whether the driver has a hand on the steering wheel, where the driver's line of sight is pointing, and the like.
  • The surrounding environmental state is, for example, information on the temperature and humidity inside and outside the vehicle, the amount of rainfall, and the like.
  • The state of communication with the outside of the vehicle is information indicating whether communication between vehicles or communication with an external communication infrastructure is being performed by C2X (Car-to-X) communication or the like.
  • The state acquisition unit 3 may acquire the various states described above from, for example, an external ECU 5 or the like via the network 6 described above, or via a communication interface such as a maintenance connector such as OBD (On-Board Diagnosis) or local communication such as serial communication, or from various operation switches installed at the driver's seat or various sensors installed in the vehicle.
  • The determination method setting unit 4 has a function of setting the communication monitoring method executed by the communication monitoring unit 2 or the processing method of the communication determination unit 7 according to the state acquired by the state acquisition unit 3 described above.
  • The communication determination unit 7 has a function of determining whether the data monitored by the communication monitoring unit is abnormal, in accordance with the data determination method set by the determination method setting unit 4 described above.
  • The communication monitoring unit 2 of the in-vehicle network device 1 determines whether data has been received from the network 6 (processing S201).
  • The vehicle state is acquired by the state acquisition unit 3, and it is determined whether there has been a change since the previous acquisition (processing S202).
  • A monitoring method corresponding to the changed vehicle state is newly set (processing S203).
  • The state acquisition (processing S202) and the monitoring method setting (processing S203) need not be executed every time data is received, as shown in FIG. 2; they may be executed when a predetermined number of data receptions have occurred, or at a fixed period regardless of whether data is received.
  • The communication monitoring unit 2 monitors the received data by the data monitoring method set in processing S203, and determines whether the received data is abnormal (processing S204). If it is determined that there is an abnormality in the received data, error processing is executed (processing S205).
  • The error processing is an abnormality countermeasure such as notifying a higher-level system. Details of the countermeasure against abnormality will be described later. If communication monitoring determines that there is no abnormality, it is determined whether the received data needs to be transferred to another network 6 (processing S206). If data transfer is necessary, the data is transferred via the predetermined network 6 with reference to, for example, address information set in the received data (processing S207). If data transfer is unnecessary, the process is terminated.
  • The communication monitoring unit 2 determines whether the monitoring method for received data needs to be changed (processing S301). For example, when there is a change in the vehicle state in processing S202 described above, it is determined that the monitoring method needs to be changed. If the monitoring method needs to be changed, a monitoring method corresponding to the vehicle state is set (processing S302). For example, a priority corresponding to the vehicle state is set for the monitoring target data, and a monitoring method corresponding to the priority is set. The communication monitoring unit 2 determines the priority of the received data from the vehicle state (processing S303), and executes a data monitoring method according to the priority (processing S304 to processing S306).
  • FIG. 4 shows an example in which a priority and a monitoring method corresponding to the control state 404 of the own vehicle are set for each data type 401.
  • Examples of the control state 404 of the host vehicle include a traveling state 405, a stopped state 406, and a repro state 407.
  • The traveling state 405 may be further divided according to speed, such as high speed and low speed.
  • The stopped state 406 may also be divided into states such as engine stop, idling, and accessory power ON.
  • The repro state 407 is a state in which reprogramming, such as of the firmware of the ECU, is being executed. It may be further divided into finer states according to the progress of reprogramming, such as the update software being downloaded, the software being rewritten, and the software being reactivated.
  • The data type 401 is an index for identifying data having a specific common item.
  • The type is defined for data using the same network area 402 and for data using the same network type 403.
  • The types, numbers, and formats of the data types 401 shown in FIG. 4 are examples, and are not limited to this example.
  • A monitoring priority is set for each data type 401 to be monitored.
  • The data types 401 of body control information, infotainment, and C2X communication are set to priority 1, and chassis control information, powertrain control information, functional safety information, automatic driving information, and external world recognition information are set to priority 3.
  • Priority levels 0 to 3 are set for each vehicle state and data type 401.
  • The communication monitoring unit 2 sets a data monitoring method for each data type according to the set priority. For example, when the vehicle state is a high-speed driving state 405, the network area 402 to which the data type 401 having a high priority belongs is preferentially monitored.
  • The network area 402 is, for example, a communication path, a data bus, a channel, a network interface, or the like on which each data type 401 mainly executes data transmission and reception.
  • For chassis control information, to which the network area 402B is allocated, the monitoring frequency of the network area 402B is set high.
  • The priority 3 network areas 402B, C, D, and F are preferentially monitored.
  • The monitoring priority for the network areas 402A, E, and G with priority 1 is set low.
  • The priority of the monitoring target may be set based not only on the network area 402 but also on the network type used by each data type 401.
  • The network types with high priority, namely CAN, Ethernet (registered trademark), and LVDS, are monitored.
  • The monitoring priority is lowered.
  • As a high-priority (for example, priority 3) data monitoring method, the monitoring frequency is set high (monitoring every time data reception occurs), and all of the data header, payload, and footer are monitored (processing S304). For example, it is monitored whether the values of the header, payload, and footer are the specified values.
  • As a medium-priority data monitoring method, the monitoring frequency is set to medium (once every several times, every fixed time, etc.), and only the data header and footer are monitored (processing S305).
  • As a low-priority (for example, priority 1) data monitoring method, the monitoring frequency is set lower than for the medium priority and only a part of the data header (for example, the ID) is monitored (processing S306).
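The priority-driven monitoring of processing S301 to S306 can be sketched in C as follows. This is an added example, not code from the patent: the frame layout, the specified header ID and footer values, the sampling intervals, and the assignment of the two non-traveling priority rows to the stopped and repro states are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Control states 404 and data types 401 as named in the text. */
enum vstate  { ST_TRAVELING, ST_STOPPED, ST_REPRO, ST_COUNT };
enum dtype   { DT_BODY, DT_CHASSIS, DT_POWERTRAIN, DT_FUNC_SAFETY,
               DT_AUTO_DRIVE, DT_INFOTAINMENT, DT_EXT_RECOG, DT_C2X, DT_COUNT };
enum verdict { V_SKIPPED, V_OK, V_ABNORMAL };

/* Monitoring priority per state and data type (0 = excluded, 3 = highest).
 * The ST_TRAVELING row follows the text; which of the other two rows belongs
 * to which state is an assumption of this example. */
static const uint8_t PRIORITY[ST_COUNT][DT_COUNT] = {
    /*                body chas pwr  fs  ad  info ext c2x */
    [ST_TRAVELING] = { 1,   3,   3,  3,  3,  1,   3,  1 },
    [ST_STOPPED]   = { 1,   0,   0,  0,  0,  0,   0,  1 },
    [ST_REPRO]     = { 1,   0,   0,  0,  0,  2,   0,  3 },
};

/* Inspect one frame in every N received, indexed by priority (assumed values). */
static const uint32_t SAMPLE_EVERY[4] = { 0, 4, 2, 1 };

/* Assumed "specified values" for the header ID, footer and payload range. */
#define SPEC_ID(type)   ((uint16_t)(0x100u + (unsigned)(type)))
#define SPEC_FOOTER     0xA5u
#define SPEC_SIGNAL_MAX 200u

struct frame {
    enum dtype type;
    uint16_t   header_id;
    uint8_t    signal;   /* payload, reduced to one byte in this sketch */
    uint8_t    footer;
};

struct monitor {
    enum vstate state;
    uint32_t    rx_count[DT_COUNT];
};

void monitor_init(struct monitor *m, enum vstate s)
{
    m->state = s;
    for (int i = 0; i < DT_COUNT; i++) m->rx_count[i] = 0;
}

/* S202/S203: a change of vehicle state selects a new monitoring method. */
void monitor_set_state(struct monitor *m, enum vstate s)
{
    if (s != m->state) monitor_init(m, s);
}

/* S303 to S306: look up the priority, then apply the matching depth and rate. */
enum verdict monitor_frame(struct monitor *m, const struct frame *f)
{
    if ((unsigned)f->type >= (unsigned)DT_COUNT) return V_ABNORMAL;
    uint8_t prio = PRIORITY[m->state][f->type];
    if (prio == 0) return V_SKIPPED;                 /* excluded from monitoring */
    uint32_t n = m->rx_count[f->type]++;
    if (n % SAMPLE_EVERY[prio] != 0) return V_SKIPPED;

    int ok = (f->header_id == SPEC_ID(f->type));     /* priority 1: header ID only */
    if (prio >= 2) ok = ok && (f->footer == SPEC_FOOTER);      /* + footer  */
    if (prio == 3) ok = ok && (f->signal <= SPEC_SIGNAL_MAX);  /* + payload */
    return ok ? V_OK : V_ABNORMAL;
}

struct frame make_frame(enum dtype t, uint16_t id, uint8_t signal, uint8_t footer)
{
    struct frame f = { t, id, signal, footer };
    return f;
}

int main(void)
{
    /* Constructed sample frame: chassis data with an out-of-range payload. */
    struct frame bad = make_frame(DT_CHASSIS, SPEC_ID(DT_CHASSIS), 250, 0xA5);
    struct monitor m;
    monitor_init(&m, ST_TRAVELING);
    printf("traveling: %d\n", monitor_frame(&m, &bad));   /* inspected */
    monitor_set_state(&m, ST_REPRO);
    printf("repro:     %d\n", monitor_frame(&m, &bad));   /* excluded */
    return 0;
}
```

Because a priority of 0 removes a data type from inspection entirely, the vehicle-state input decides what the monitor can see; in this sketch the malformed chassis frame is not inspected while the state is `ST_REPRO`.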
  • the lowest priority for example, priority 0
  • The network areas 402B, C, D, E, and F related to chassis control information, powertrain control information, functional safety information, automatic driving information, infotainment, and external world recognition information, and the network 6 whose network type is Ethernet (registered trademark), are excluded from data monitoring.
  • The monitoring frequency is lowered and only the data ID is monitored.
  • The header, payload, and footer of the received data are monitored every time for data that uses the network area 402G or the wireless LAN related to the high-priority C2X communication.
  • Data whose data type 401 is infotainment is monitored with medium priority, body control information is monitored with low priority, and the other data types 401 are excluded from the monitoring targets.
  • control state 404, the data type 401, the priority setting value, and the like are not limited to the example shown in FIG. That is, even if the data type 401, the network area 402, the network 6 type, the type and number of control states 404, the priority value setting, and the like are different from those in FIG.
  • FIG. 5 shows an example in which the priority and the monitoring method according to the automatic driving state of the vehicle are set for each individual data item.
  • Manual driving 508, ACC 509, leading vehicle tracking 510, and automatic parking 511 are defined as the automatic driving state 507.
  • Data to be monitored includes a data ID 501, data name 502, data transmission source 503, transmission destination 504, transmission method 505, and communication method 506.
  • The data ID 501 and the data name 502 are information indicating the type of data and may be in any format as long as the data can be uniquely distinguished from other data.
  • The data transmission source 503 and the transmission destination 504 are, for example, address information indicating the ECU that is the data transmission source and the ECU that is the transmission destination.
  • The transmission method 505 is the type of physical network that carries the data, such as Ethernet (registered trademark) or CAN.
  • The communication method 506 is the type of network protocol, for example, in the case of Ethernet (registered trademark), TCP, UDP, IP, Ethernet (registered trademark) AVB (Audio/Video Bridging, hereinafter abbreviated as AVB), and the like.
  • An entry in which the transmission source 503 is ECU_A, the transmission destination 504 is ECU_B, the transmission method 505 is Ethernet (registered trademark), and the communication method 506 is TCP/IP indicates that these are in use.
  • The priority is 0; in the case of ACC 509 the priority is 3; in the case of leading vehicle tracking 510 the priority is 3; and in the case of automatic parking 511 priority 1 is set.
  • Priorities are set for each automatic driving state 507 for each piece of data, such as landmark recognition information and steering camera (stereo camera) recognition information.
  • The communication monitoring unit 2 sets the priority according to the automatic driving state 507, and when data is received executes data monitoring by the monitoring method corresponding to the set priority.
  • Monitoring of the landmark recognition information is set to high priority (priority 3), monitoring of the data of the lane change enable/disable flag, the ACC enable/disable flag, and the leading vehicle follow-up enable/disable flag is set to medium priority (priority 2), and other data is excluded from monitoring.
  • When the automatic driving state 507 is ACC 509, monitoring of the data of the lane recognition information, the forward object information, and the vehicle speed setting information is set to high priority (priority 3), monitoring of the data of the ACC availability flag and the automatic driving interruption flag is set to medium priority (priority 2), monitoring of the landmark recognition information, the steering wheel sign recognition information, and the preceding vehicle information is set to low priority (priority 1), and other data is not monitored.
  • As a high-priority data monitoring method, the monitoring frequency is set high (such as monitoring every time), and all of the data ID 501, transmission source 503, transmission destination 504, transmission method 505, and communication method 506 information is monitored (processing S304). For example, it is monitored whether the data ID 501, the transmission source 503, the transmission destination 504, the transmission method 505, and the communication method 506 are the specified values.
  • As a medium-priority data monitoring method, the monitoring frequency is set to medium (once every several times, every fixed time, etc.), and any one of the data ID 501 of the target data, the transmission source 503, the transmission destination 504, the transmission method 505, and the communication method 506 is monitored (processing S305).
  • As a low-priority data monitoring method, the monitoring frequency is set lower than for the medium priority, and only one of the data ID 501 of the target data, the transmission source 503, the transmission destination 504, the transmission method 505, and the communication method 506 is monitored (processing S306).
  • The lowest priority (for example, priority 0) may be set to be excluded from the monitoring target.
  • the definition related to the type of data, the definition of the automatic operation state 507, and the setting value of the priority are not limited to the example shown in FIG. That is, the data ID 501, the data name 502, the transmission source 503, the transmission destination 504, the transmission method 505, the definition relating to the type and number of the communication method 506, the definition relating to the type and number of the automatic operation state 507, and the monitoring priority in each automatic operation state 507 Even if the setting value of the degree is different from that in FIG.
  • According to the present embodiment, by setting the priority of data to be monitored on the in-vehicle network according to the own vehicle state, only important data can be carefully selected and monitored, without monitoring all data. Therefore, it is possible to reduce the processing load for detecting data abnormality in the in-vehicle network.
  • The in-vehicle network device 21 in the second embodiment includes a communication monitoring unit 22, a state acquisition unit 23, and a determination method setting unit 24, and has the same functions as the in-vehicle network device 1 in the first embodiment.
  • The communication monitoring unit 22 and the state acquisition unit 23 have the same functions as in the first embodiment.
  • The determination method setting unit 24 has the same function as the determination method setting unit 4 in the first embodiment.
  • The determination method setting unit 24 further includes a filter selection unit 25, a filter list 26, a filter stage number setting unit 28, and a filter update unit 29, and sets the communication monitoring method executed by the communication monitoring unit 22 and the communication determination method of the communication determination unit 27 according to the own vehicle state acquired by the state acquisition unit 23.
  • The filter selection unit 25 has a function of selecting a filter to be used for communication determination from the filter list 26 according to the own vehicle state acquired by the state acquisition unit 23.
  • The filter stage number setting unit 28 has a function of setting the number of filter stages to be used according to the vehicle state acquired by the state acquisition unit 23.
  • The filter update unit 29 has a function of updating the filter list 26. Details of the filter list 26 will be described later.
  • The filter list 26 and the filter update unit 29 may be outside the in-vehicle network device 21, and when the filter list 26 does not need to be changed, the filter update unit 29 may be omitted.
  • The determination method setting unit 24 acquires the vehicle state through the state acquisition unit 23, and determines whether there has been a change since the previous acquisition (processing S701). When there is a change in the vehicle state, it is determined whether the corresponding filter has been registered in the filter setting information 800 (processing S702). Details of the filter setting information 800 will be described later.
  • If the filter has been registered, the filter setting is changed to the registered filter setting (step S703).
  • If the filter setting has not been registered, it is determined whether there is a filter corresponding to the changed vehicle state in the filter list 26 (processing S704). If there is a filter corresponding to the changed vehicle state in the filter list 26, the filter stage number setting unit 28 sets the number of filter stages (step S705).
  • The filter selection unit 25 selects the type of filter to be used (processing S706). If a plurality of stages are set in step S705, filters corresponding to the number of stages are selected. If there is no corresponding filter in processing S704, it is determined whether the filter list 26 can be updated (processing S707). If the filter list 26 can be updated, the filter update unit 29 adds a new filter or changes an existing filter (processing S708).
  • Step S705 and Step S206 are executed using the added or changed filter. If the filter cannot be updated, error processing is executed (processing S209).
  • The error processing is an abnormality countermeasure such as notification to a higher-level system. Details of the countermeasure against abnormality will be described later.
  • An example of the filter setting information 800 is shown in FIG. 8, and an example of the filter list 26 is shown in FIG.
  • A filter 802 corresponding to the vehicle state 801 is set.
  • A filter target data list 803 (hereinafter referred to as a target data list 803) and a filter type 804 are set.
  • In the target data list 803, information for identifying the data to be filtered, for example a data ID, is set.
  • The number of filters 802 is not limited to three as shown in FIG. 8, and the number set according to the vehicle state 801 may be changed.
  • The first filter 802 performs communication determination related to the network type for data with data IDs of 0x01 and 0x02.
  • The second filter 802 performs communication determination regarding the transmission source and destination for data with data IDs of 0x01 and 0x02.
  • The third filter 802 performs communication determination regarding the data size for data with data IDs of 0x01 and 0x02.
  • The first filter 802 performs communication determination regarding the data ID for 0x01 data.
  • The second filter 802 performs communication determination regarding the data transmission cycle for 0x02 data.
  • The combination of the target data list 803 and the filter type 804 is selected from the filter list 26 shown in FIG.
  • When the filter 802 related to the period 902 is used, the data is determined as normal if the period is within an error of ±5% with respect to the specified period of 10 ms.
  • The filter 802 related to the data size 903 determines the data as normal if the size is within an error of ±1 byte with respect to the specified 4 bytes.
  • When the filter 802 relating to the transmission source 503 and the transmission destination 504 is used, the data is determined as normal if the transmission source 503 is an address indicating ECU_A and the transmission destination 504 is an address indicating ECU_B or ECU_C.
  • The filter type and the determination threshold are set for each target data item to be determined by each filter 802.
  • The target data list 803 in FIG. 8, the target data ID 901 in FIG. 9, and the monitoring target data 1001 in FIG. 10 all use data IDs.
  • The target data list 803 may be identification information indicating that the data passes through a specific communication path, bus, or channel.
  • The filter setting information 800 in FIG. 8 and the filter list 26 in FIG. 9 are examples, and setting methods other than those shown in this example may be used. Therefore, the filter setting information 800 may be in any format as long as the number, type, and combination method of the filters 802 can be set for each vehicle state 801. Similarly, the filter list 26 may have any format as long as the filtering method and threshold information for determination can be set for each monitoring target data 1001.
  • The method for determining normality or abnormality of data monitored on the in-vehicle network can be changed according to the state of the vehicle. Accordingly, the processing speed, processing load, determination accuracy, and the like can be adjusted flexibly.
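The staged filters of FIG. 8 and the thresholds quoted above (a 10 ms period within 5%, a 4-byte size within 1 byte, ECU_A sending to ECU_B or ECU_C) can be sketched in C as follows. This is an added example, not code from the patent: the state names STATE_1 and STATE_2, the bit-flag ECU addresses, the CAN network type, and the use of the same thresholds for both data IDs are assumptions, and the data ID filter is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum net    { NET_CAN, NET_ETHERNET };
enum ecu    { ECU_A = 1, ECU_B = 2, ECU_C = 4, ECU_D = 8 };  /* assumed bit-flag addresses */
enum ftype  { F_NET_TYPE, F_SRC_DST, F_SIZE, F_PERIOD };
enum vstate { STATE_1, STATE_2, STATE_COUNT };               /* hypothetical state names */

struct msg {
    uint8_t  id;
    enum net net;
    uint8_t  src, dst;
    uint8_t  size;   /* bytes */
    uint32_t t_us;   /* arrival time in microseconds */
};

/* Filter list 26: determination thresholds per data ID. */
struct rule {
    uint8_t  id;
    enum net net;
    uint8_t  src, dst_mask;
    uint8_t  size, size_tol;
    uint32_t period_us;
    uint8_t  period_tol_pct;
};
static const struct rule FILTER_LIST[] = {
    { 0x01, NET_CAN, ECU_A, ECU_B | ECU_C, 4, 1, 10000, 5 },
    { 0x02, NET_CAN, ECU_A, ECU_B | ECU_C, 4, 1, 10000, 5 },
};

/* Filter setting information 800: ordered filter stages per vehicle state. */
struct stage   { enum ftype type; uint8_t n_targets; uint8_t targets[2]; };
struct setting { uint8_t n_stages; struct stage stages[3]; };
static const struct setting FILTER_SETTING[STATE_COUNT] = {
    [STATE_1] = { 3, { { F_NET_TYPE, 2, { 0x01, 0x02 } },
                       { F_SRC_DST,  2, { 0x01, 0x02 } },
                       { F_SIZE,     2, { 0x01, 0x02 } } } },
    [STATE_2] = { 1, { { F_PERIOD,   1, { 0x02 } } } },
};

struct checker {
    enum vstate state;
    uint8_t     seen[256];     /* has this ID arrived before? */
    uint32_t    last_t[256];   /* previous arrival time per ID */
};

void checker_init(struct checker *c, enum vstate s) { memset(c, 0, sizeof *c); c->state = s; }
void checker_set_state(struct checker *c, enum vstate s) { c->state = s; }

static const struct rule *find_rule(uint8_t id)
{
    for (size_t i = 0; i < sizeof FILTER_LIST / sizeof FILTER_LIST[0]; i++)
        if (FILTER_LIST[i].id == id) return &FILTER_LIST[i];
    return NULL;
}

static int targeted(const struct stage *st, uint8_t id)
{
    for (uint8_t i = 0; i < st->n_targets; i++)
        if (st->targets[i] == id) return 1;
    return 0;
}

static int stage_pass(const struct checker *c, enum ftype t,
                      const struct rule *r, const struct msg *m)
{
    switch (t) {
    case F_NET_TYPE: return m->net == r->net;
    case F_SRC_DST:  return m->src == r->src && m->dst != 0 &&
                            (m->dst & ~r->dst_mask) == 0;
    case F_SIZE: {
        int d = (int)m->size - (int)r->size;
        return d >= -(int)r->size_tol && d <= (int)r->size_tol;
    }
    case F_PERIOD: {
        if (!c->seen[m->id]) return 1;   /* no earlier arrival to compare with */
        uint32_t dt  = m->t_us - c->last_t[m->id];
        uint32_t tol = r->period_us * r->period_tol_pct / 100;
        return dt >= r->period_us - tol && dt <= r->period_us + tol;
    }
    }
    return 0;
}

/* Returns 0 if normal, otherwise the 1-based number of the rejecting stage. */
int check_msg(struct checker *c, const struct msg *m)
{
    const struct setting *s = &FILTER_SETTING[c->state];
    const struct rule *r = find_rule(m->id);
    int rejected_by = 0;
    for (uint8_t i = 0; i < s->n_stages && !rejected_by; i++)
        if (targeted(&s->stages[i], m->id) &&
            (r == NULL || !stage_pass(c, s->stages[i].type, r, m)))
            rejected_by = i + 1;
    c->last_t[m->id] = m->t_us;   /* record every arrival for the period filter */
    c->seen[m->id] = 1;
    return rejected_by;
}

int main(void)
{
    /* Constructed sample message: ID 0x01 arriving from an unexpected source. */
    struct msg spoofed = { 0x01, NET_CAN, ECU_D, ECU_B, 4, 0 };
    struct checker c;
    checker_init(&c, STATE_1);
    printf("STATE_1 rejected by stage %d\n", check_msg(&c, &spoofed));
    checker_set_state(&c, STATE_2);
    printf("STATE_2 rejected by stage %d\n", check_msg(&c, &spoofed));
    return 0;
}
```

The same message is rejected by the source/destination stage in `STATE_1` and accepted in `STATE_2`, where only the period of ID 0x02 is checked.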
  • The in-vehicle network device 31 in the third embodiment includes a communication monitoring unit 32, a state acquisition unit 33, and a determination method setting unit 34, and has the same functions as the in-vehicle network device 1 in the first embodiment.
  • The communication monitoring unit 32 and the state acquisition unit 33 have the same functions as in the first embodiment.
  • The determination method setting unit 34 has the same function as the determination method setting unit 4 in the first embodiment or the determination method setting unit 24 in the second embodiment. In addition, the determination method setting unit 34 includes a monitoring group list 35, a group determination method setting unit 36, a monitoring group setting unit 38, and a monitoring data list 39. It has a function of grouping the monitored data according to the own vehicle state acquired by the state acquisition unit 33 and setting a communication data determination method for each group.
  • The monitoring data list 39 is a list of the data monitored by the communication monitoring unit 32, and includes any of the following: data identification information, address information on the data transmission source and destination, information on the data transmission method and communication method, information on the data size, and information on the data transmission cycle.
  • The monitoring data list 39 may be stored outside the determination method setting unit 34.
  • The monitoring group setting unit 38 has a function of grouping the data registered in the monitoring data list 39 based on the own vehicle state acquired by the state acquisition unit 33 and registering the groups in the monitoring group list 35.
  • The monitoring group list 35 is a list that defines the groups of data to be monitored for each vehicle state. It includes a determination method for each group, group identification information, information for associating groups with individual data, unique information for determination, threshold information for determination, and monitoring priority information.
  • The monitoring group list 35 may be stored outside the determination method setting unit 34.
  • The group determination method setting unit 34 has a function of selecting a group of monitoring data registered in the monitoring group list 35 based on the own vehicle state acquired by the state acquisition unit 33 and setting a data determination method for each group.
  • The state acquisition unit 33 acquires the own vehicle state and determines whether or not it has changed since the previous acquisition (processing S1201). When the vehicle state has changed, it is checked whether a monitoring group list 35 corresponding to that vehicle state exists, and it is determined whether a new monitoring group list 35 needs to be created or the existing one updated (processing S1202).
  • When the monitoring group list 35 needs to be created or updated, it is created or updated (processing S1203). An example of the monitoring group list 35 and an example of how the list is created will be described later. Next, the group determination method to be used for the communication determination described later is selected from the monitoring group list 35 and set for each vehicle state (processing S1204).
  • The communication monitoring unit 32 monitors data reception (process S1205).
  • The communication data is monitored for each specific group according to the monitoring group list 35, and whether or not the communication data in the group is abnormal is determined according to the group determination method set in step S1204 (step S1206).
  • A detailed example of the communication data determination method will be described later.
  • If the data is determined to be abnormal, error processing is executed (step S1207).
  • The error processing is abnormality countermeasure processing such as notifying a higher-level system. Details of the abnormality countermeasures will be described later.
  • The monitoring group list 35 is created based on the monitoring data list 39 shown in FIG.
  • The monitoring data list 39 is information on the data to be monitored by the communication monitoring unit 32. It includes a data ID 1301 as data identification information, a transmission source 503 and a transmission destination 504 as address information indicating the sender and receiver of the data, a data transmission method 505, a data size 1302, a data transmission period 1303, and the like.
  • For the data with a data ID 1301 of “100”, “ECU_A” is set as the address information of the transmission source 503, “ECU_B” as the address information of the transmission destination 504, “Ethernet (registered trademark)” as the transmission method 505, “100 bytes” as the data size 1302, and “1000 ms” as the data transmission cycle 1303.
  • The monitoring group setting unit 38 selects specific sets of data from the monitoring data list 39 and groups them for each vehicle state.
  • Grouping methods include collecting data with the same data ID 1301, data with the same transmission source 503 or transmission destination 504, data with the same transmission method 505, or data whose data size 1302 and transmission period 1303 are the same or similar.
  • A method may also be used in which an importance is set in advance for each data item and the data is grouped according to importance.
  • The rules for collecting data into groups are not particularly limited.
  • FIG. 13 shows an example in which data with the same transmission source 503 and transmission destination 504 are placed in the same group, but the present embodiment can be realized even if the data is grouped by other methods.
  • Group identification information is set in the monitoring group list 35. For example, the group consisting of the data with data ID 1301 “101” and “102” is assigned the group ID 1304 “B”. A group may contain only one data item; the data with data ID 1301 “100” may form a single-item group with the group ID 1304 “A”.
  • Unique information for the communication data determination described later (abbreviated as determination specific information) may be set using the registration information of the monitoring data list 39 as a key.
  • For example, determination specific information is generated using the transmission source 503, the transmission destination 504, and the transmission method 505 as keys.
  • The determination specific information I 1305 is generated by the following equation.
  • Determination specific information I = (transmission source << 8) + (transmission destination << 4) + transmission method
  • Here, (transmission source << 8) shifts the bit information indicating the transmission source 503 toward the upper bits by 8 bits.
  • The determination specific information I 1305 is “0xBAC”.
  • The determination specific information II 1306 is generated by the following equation.
  • Determination specific information II = Data ID + Data size + Transmission cycle ⁇ 100
  • A plurality of determination specific information II 1306 values, calculated individually for each data item, may be assigned to one group.
  • The determination specific information may also be generated with a hash function or the like, using specific information in the monitoring data list 39 as a key. That is, the present embodiment can be realized by any method as long as information unique to the determination can be generated using some information contained in the data of the group as a key.
  • For each received data item, the communication monitoring unit 32 calculates the determination specific information and searches the monitoring group list 35 for the calculated value. If the value is not registered, the data is determined to be abnormal. Because the determination specific information of abnormal data may happen to coincide with a registered value, several types of determination specific information may be used in combination. For example, the determination specific information I 1305 is searched first; if the values match, the determination specific information II 1306 is searched next, and the data is determined to be normal only when both values match.
  • The monitoring group list 35 may include information on the priority 1308 and the determination method 1309 in addition to the determination specific information.
  • A monitoring priority 1308 is set for each group ID 1304.
  • The method shown in the first embodiment is used. For example, there is a method in which data of a group with a high priority 1308 is monitored individually, and data of a group with a low priority 1308 is excluded from monitoring.
  • As the determination method 1309, there is a method in which an upper limit size and a lower limit size of data are set for each group, and data whose data size 1302 does not fall within the predetermined thresholds is determined to be abnormal. An average data transfer amount for the data in the group may also be set, and the data may be determined to be abnormal if the transfer amount does not fall within a predetermined threshold.
  • The monitoring group list 35 is not limited to the example shown in FIG. 13. It is sufficient if it includes any of: a determination method for each group, group identification information, information for associating groups with individual data, unique information for determination, threshold information for determination, and priority information for determination.
  • By grouping a plurality of monitoring data according to a specific rule and monitoring the data group by group, data can be monitored with a lower processing load than when each data item is monitored individually.
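The group-based check of the third embodiment, as an added example that is not code from the patent or its applicant: determination specific information I is looked up in the monitoring group list selected by the vehicle state, and the matching group's size limits are then applied as the second check. The 4-bit field codes, the group contents, the size limits and the field-range check are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-bit codes (assumption), chosen so that ECU_A -> ECU_B over
 * Ethernet gives the value 0xBAC quoted in the description. */
enum { ECU_A = 0xB, ECU_B = 0xA, ECU_C = 0xD, M_ETHERNET = 0xC, M_CAN = 0x1 };

enum vehicle_state { STATE_RUNNING, STATE_STOPPED, STATE_COUNT };

enum verdict {
    VERDICT_NORMAL,
    VERDICT_BAD_FIELD,    /* a code does not fit its 4-bit field (added check) */
    VERDICT_UNREGISTERED, /* information I is not in the active group list */
    VERDICT_BAD_SIZE      /* information I matches, size outside group limits */
};

struct frame {
    uint8_t  src;    /* transmission source 503 */
    uint8_t  dst;    /* transmission destination 504 */
    uint8_t  method; /* transmission method 505 */
    uint16_t size;   /* data size 1302 in bytes */
};

struct group {
    char     id;       /* group ID 1304 */
    uint16_t info1;    /* determination specific information I 1305 */
    uint16_t min_size; /* lower size limit (determination method 1309) */
    uint16_t max_size; /* upper size limit (determination method 1309) */
};

struct group_list { const struct group *groups; size_t count; };

/* Monitoring group list 35 per vehicle state; all values are constructed. */
static const struct group running_groups[] = {
    { 'A', 0xBAC, 64, 128 }, /* ECU_A -> ECU_B, Ethernet */
    { 'B', 0xAD1, 1, 8 },    /* ECU_B -> ECU_C, CAN */
};
static const struct group stopped_groups[] = {
    { 'A', 0xBAC, 64, 128 }, /* group B is not expected while stopped */
};
static const struct group_list group_lists[STATE_COUNT] = {
    [STATE_RUNNING] = { running_groups,
                        sizeof running_groups / sizeof running_groups[0] },
    [STATE_STOPPED] = { stopped_groups,
                        sizeof stopped_groups / sizeof stopped_groups[0] },
};

/* Information I exactly as the equation gives it: shifted fields, added. */
uint16_t det_info1(const struct frame *f)
{
    return (uint16_t)((f->src << 8) + (f->dst << 4) + f->method);
}

/* Stage 1: look up information I in the list for the current vehicle state.
 * Stage 2: apply the matching group's size limits. */
enum verdict check_frame(enum vehicle_state st, const struct frame *f)
{
    if ((unsigned)st >= STATE_COUNT)
        return VERDICT_UNREGISTERED;
    /* Because the fields are added, an over-wide code carries into its
     * neighbour and can alias a registered value, so reject it first. */
    if (f->src > 0xF || f->dst > 0xF || f->method > 0xF)
        return VERDICT_BAD_FIELD;

    uint16_t key = det_info1(f);
    const struct group_list *gl = &group_lists[st];
    for (size_t i = 0; i < gl->count; i++) {
        const struct group *g = &gl->groups[i];
        if (g->info1 != key)
            continue;
        if (f->size < g->min_size || f->size > g->max_size)
            return VERDICT_BAD_SIZE;
        return VERDICT_NORMAL;
    }
    return VERDICT_UNREGISTERED;
}

/* Constructed sample frames. */
static const struct frame SAMPLE_OK       = { ECU_A, ECU_B, M_ETHERNET, 100 };
static const struct frame SAMPLE_GROUP_B  = { ECU_B, ECU_C, M_CAN, 8 };
static const struct frame SAMPLE_OVERSIZE = { ECU_A, ECU_B, M_ETHERNET, 1400 };
static const struct frame SAMPLE_ALIAS    = { ECU_A, 0x9, 0x1C, 100 };

int main(void)
{
    static const char *const names[] = {
        "normal", "bad field", "unregistered", "bad size"
    };
    printf("I(ok)=0x%X I(alias)=0x%X\n",
           (unsigned)det_info1(&SAMPLE_OK), (unsigned)det_info1(&SAMPLE_ALIAS));
    printf("running, group A:  %s\n", names[check_frame(STATE_RUNNING, &SAMPLE_OK)]);
    printf("running, group B:  %s\n", names[check_frame(STATE_RUNNING, &SAMPLE_GROUP_B)]);
    printf("stopped, group B:  %s\n", names[check_frame(STATE_STOPPED, &SAMPLE_GROUP_B)]);
    printf("running, oversize: %s\n", names[check_frame(STATE_RUNNING, &SAMPLE_OVERSIZE)]);
    printf("running, alias:    %s\n", names[check_frame(STATE_RUNNING, &SAMPLE_ALIAS)]);
    return 0;
}
```

The oversize and alias samples both produce information I equal to 0xBAC, which is the coincidence case the description gives as the reason for combining several determination values.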
  • The in-vehicle network device 41 includes a communication monitoring unit 42, a state acquisition unit 43, and a determination method setting unit 44, and has the same functions as the in-vehicle network device 1/21/31 in the first, second, or third embodiment.
  • The in-vehicle network device 41 also has an abnormality countermeasure list 45 and a countermeasure execution unit 46. When the communication determination unit 47 of the communication monitoring unit 42 detects an abnormality in communication data, the device has a function of selecting a countermeasure method from the abnormality countermeasure list 45 and executing it.
  • The communication monitoring unit 42, the state acquisition unit 43, and the determination method setting unit 44 have the same functions as those in the first, second, or third embodiment.
  • The abnormality countermeasure list 45 is a list of countermeasure methods corresponding to the state of the vehicle acquired by the state acquisition unit 43 or to the content of the communication data in which the communication determination unit 47 detected an abnormality.
  • The countermeasure execution unit 46 has a function of selecting, from the abnormality countermeasure methods registered in the abnormality countermeasure list 45, the countermeasure method corresponding to the vehicle state or to the content of the communication data in which the communication determination unit 47 detected the abnormality, and executing it.
  • The communication monitoring unit 42 determines whether there is an abnormality in the communication data according to the processing flow of any one of the first, second, and third embodiments (processing S1501). If an abnormality is detected in the communication data, it is determined whether the abnormality countermeasure list 45 contains a countermeasure method corresponding to the state of the vehicle at the time of detection and to the content of the communication data in which the abnormality was detected (processing S1502). If the abnormality countermeasure list 45 contains such a countermeasure method, it is selected and executed (step S1503).
  • Otherwise, error processing is executed (process S1504).
  • Examples of the error processing include notifying the host system of the abnormality and registering a new countermeasure method in the abnormality countermeasure list 45. A countermeasure method for the case where no condition applies may also be registered in the abnormality countermeasure list 45 in advance and executed as the error processing.
  • FIG. 16A is an example of the abnormality countermeasure list 45 related to the first embodiment.
  • A countermeasure method is registered for each combination of the vehicle state and the network type 403, transmission source 503, and transmission destination 504 of the data in which the abnormality was detected.
  • Examples of the countermeasure method 1602 include notification of the abnormality, deceleration, stopping, cancellation of automatic driving, network disconnection, and log storage, but countermeasures other than those described in this example may be newly registered.
  • A countermeasure ID 1603 may be assigned to the countermeasure method 1602 as identification information, and a countermeasure method 1602 that combines a plurality of countermeasure methods 1602 may be registered.
  • FIG. 16B is an example of the abnormality countermeasure list 45 related to the second embodiment.
  • A countermeasure method 1602 is registered for each combination of the own vehicle state 1601 and the filter type 1605 that detected the abnormality.
  • FIG. 16C is an example of the abnormality countermeasure list 45 related to the third embodiment.
  • A countermeasure method 1602 is registered for each combination of the own vehicle state 1601 and the group ID 1304, the data ID 1301, or the determination specific information 1607 of the data in which the abnormality was detected.
  • The items and format of the abnormality countermeasure list 45 are not limited to the examples shown in FIG. 16.
  • A plurality of abnormality countermeasure lists 45 may be used simultaneously or by switching between them.

Abstract

Illicit data transferred over an onboard network can be detected by means of a simple configuration without increasing the data processing load in an onboard device, even during complicated control such as automatic driving. An onboard network device 1 has a communication monitoring unit 2, a status acquisition unit 3, and a determination method setting unit 4. The communication monitoring unit 2 monitors data passing through a network 6, and changes the communication monitoring method in accordance with the status of the automobile acquired by the status acquisition unit. The communication monitoring unit 2 has a communication determination unit 7, and determines, according to the determination method set in the determination method setting unit 4, whether or not there are any abnormalities in the data passing through the onboard network device 1 via the network 6.

Description

In-vehicle network device
The present invention relates to an in-vehicle control device and a network device mounted on an automobile or the like.
In recent years, vehicle control in automobiles has become electronic, and a plurality of ECUs (Electronic Control Units) realize functional cooperation by communicating with each other via an in-vehicle network such as CAN (Controller Area Network). In addition, automobiles are increasingly connected to information services, and data is transmitted and received via communication devices such as car navigation systems and smartphones. As this shift to electronic control and connectivity progresses, in-vehicle security must be considered when realizing functional cooperation that uses the network 6 inside and outside the vehicle. For example, to prevent an automobile from being controlled by unauthorized data, methods of monitoring the network 6 to detect or prevent the intrusion of unauthorized data are being studied.
One example in this technical field is JP 2013-131907 A (Patent Document 1). That publication aims to provide a vehicle network monitoring device that can maintain a high level of security by monitoring the data taken into the vehicle network 6, without requiring a particularly complicated configuration. As the means of solving this problem, it describes that the vehicle network 6 is provided with a monitoring in-vehicle control device that detects unauthorized data by monitoring the data communication format defined for operating the communication protocol, and that, when the monitoring in-vehicle control device detects unauthorized data that differs from the defined communication format, it transmits warning information to each in-vehicle control device and prohibits the gateway from routing the unauthorized data.
JP 2013-131907 A
To detect unauthorized data on the network 6 without omission using a method such as the one described in Patent Document 1, all data passing through the network 6 must be monitored individually. However, when the number and variety of communication data passing over the network 6 are large, monitoring all data individually increases the processing load on in-vehicle devices such as ECUs and gateways. For example, data routing in the gateway may be delayed, but no solution to this is described.
In addition, the following method is described for determining that data is unauthorized. The intrusion of unauthorized data is detected when more error frames than a set number of transmissions have been transmitted: it is monitored whether the number of transmitted error frames exceeds the abnormality count (for example, 150) that serves as the criterion for an abnormality. However, it is difficult to set a threshold of this kind to an optimum value for detecting unauthorized data. For example, if the threshold for determination is fixed at a specific value, there is no guarantee that the set value is always optimal when complex control that depends on the situation, such as automatic driving, is being executed.
The present invention has been made in view of this situation, and provides a means of detecting unauthorized data without increasing the data processing load on in-vehicle devices, even when complex control such as automatic driving is being performed.
To solve the above problem, an in-vehicle network device that performs data communication between a plurality of in-vehicle devices has a state acquisition unit that acquires the state of the host vehicle and a communication monitoring unit that monitors the data, and changes the data monitoring method based on the state of the host vehicle.
According to the present invention, the processing load for detecting unauthorized data on the in-vehicle network can be reduced. In addition, security measures that keep up with increasingly complex vehicle control and increasingly diverse in-vehicle networks are possible with a simple configuration that requires no dedicated hardware.
A diagram showing an example of the configuration of the in-vehicle network device in the first embodiment.
A diagram showing an example of the processing flow of the in-vehicle network device in the first embodiment.
A diagram showing an example of the processing flow of the communication monitoring unit in the first embodiment.
A diagram showing an example of the priority and monitoring method settings corresponding to the control state in the first embodiment.
A diagram showing an example of the priority and monitoring method settings corresponding to the automatic driving state in the first embodiment.
A diagram showing an example of the configuration of the in-vehicle network device in the second embodiment.
A diagram showing an example of the processing flow of the determination method setting unit in the second embodiment.
A diagram showing an example of the filter setting information in the second embodiment.
A diagram showing an example of the filter list in the second embodiment.
A diagram showing an example of the communication determination method in the second embodiment.
A diagram showing an example of the configuration of the in-vehicle network device in the third embodiment.
A diagram showing an example of the processing flow of the in-vehicle network device in the third embodiment.
A diagram showing an example of the monitoring data list and the monitoring group list in the third embodiment.
A diagram showing an example of the configuration of the in-vehicle network device in the fourth embodiment.
A diagram showing an example of the processing flow of the in-vehicle network device in the fourth embodiment.
A diagram showing an example of the abnormality countermeasure list in the fourth embodiment.
Modes for carrying out the present invention (hereinafter referred to as “embodiments”) will be described in detail with reference to the drawings as appropriate. The present embodiments mainly describe a control device and a network device in the in-vehicle system of an automobile, but this does not preclude application to systems other than in-vehicle systems.
(First embodiment)
As shown in FIG. 1, the in-vehicle network device 1 according to the first embodiment includes a communication monitoring unit 2, a state acquisition unit 3, and a determination method setting unit 4. Like the other ECUs 5, the in-vehicle network device 1 has an arithmetic device such as a CPU (central processing unit), storage devices such as nonvolatile memory and volatile memory, and a communication interface for connecting to the network 6, and has a function of communicating with the other ECUs 5 via the network 6.
 図1では2つのネットワーク6を介してそれぞれ3つのECU5と接続しているが,接続するネットワーク6およびECU5の種類や数につて特に限定はない。ネットワーク6の種類として例えば、 CAN、Ethernet(登録商標)、FLExRAY(登録商標)、LIN(Local Interconnect Network)、MOST(登録商標)などの有線ネットワークや、無線LAN、Bluetooth(登録商標)、携帯電話などの無線ネットワークがある。 In FIG. 1, the three ECUs 5 are connected to each other via the two networks 6, but the types and number of the networks 6 and ECUs 5 to be connected are not particularly limited. As types of the network 6, for example, a wired network such as CAN, Ethernet (registered trademark), FLEXRAY (registered trademark), LIN (Local Interconnect Network), MOST (registered trademark), wireless LAN, Bluetooth (registered trademark), mobile phone There is a wireless network.
 通信監視部2はネットワーク6を通過するデータを監視し、後述の状態取得部が取得した自車状態に応じて通信の監視方法を変更する機能を有する。通信の監視方法についての詳細は後述する。また、通信監視部2は、通信判定部7を有し、判定方法設定部4において設定した判定方法に従って、ネットワーク6を介して車載ネットワーク装置1を通過するデータに異常があるか否かを判定する機能を有する。また,データに異常を検知した場合には,当該データを通過させない機能を有していても良い。 The communication monitoring unit 2 has a function of monitoring data passing through the network 6 and changing the communication monitoring method according to the vehicle state acquired by the state acquisition unit described later. Details of the communication monitoring method will be described later. Further, the communication monitoring unit 2 includes a communication determination unit 7 and determines whether or not there is an abnormality in data passing through the in-vehicle network device 1 via the network 6 according to the determination method set in the determination method setting unit 4. It has the function to do. In addition, when an abnormality is detected in the data, it may have a function of preventing the data from passing therethrough.
 状態取得部3は、自車状態として,自車の制御状態、自動運転状態、運転者の状態、周辺の環境状態、車外との通信状態のうちいずれかを取得する機能を有する。制御状態とは,自車の車載装置がどのような制御を実行中かを示す情報であり、自車の走行,停止などの走行状態に関する情報でも良いし、車載装置がどのような制御データを処理しているかを示す情報でも良い。例えば、機能安全の指標であるASILのレベル(A~D)のうちどのレベルに関わる制御処理を実行しているかなどでも良い。また、走行に関する制御だけでなく、 OTA(Over The Air)などにより、ECUのプログラムの書き換えを実行中か否かなど車載装置の内部処理に関わる情報でも良い。 The state acquisition unit 3 has a function of acquiring one of the control state of the own vehicle, the automatic driving state, the driver's state, the surrounding environmental state, and the communication state with the outside of the vehicle as the own vehicle state. The control state is information indicating what kind of control is being performed by the in-vehicle device of the own vehicle, and may be information regarding the traveling state of the vehicle, such as traveling or stopping, or what control data the in-vehicle device has. Information indicating whether processing is performed may be used. For example, it may be related to which level of ASIL levels (A to D), which is an index of functional safety, control processing is being executed. In addition to the control related to traveling, information related to internal processing of the in-vehicle device, such as whether or not the program of the ECU is being rewritten by OTA (OverOThe Air) or the like may be used.
 自動運転状態とは、現在の運転がマニュアル運転か自動運転か、自動運転である場合には、どのような運転モードになっているかである。運転モードの例として、ACC(Adaptive Cruise Control)、自動車線変更、先導車追従、車線維持支援、自動駐車などがある。運転者の状態とは運転者の個人識別情報、覚醒状態、健康状態、運転者の操作状態などである。操作状態とは例えば、運転者がハンドルに手を添えているか否か、運転者の視線がどこを向いているかなどである。周辺の環境状態とは、例えば車内外の気温や湿度、降雨量などに関する情報である。車外との通信状態とは,C2X(Car-to-X)通信などにより,車々間通信や外部通信インフラと通信を行っているか否かなどを示す情報である。 The automatic operation state is the operation mode when the current operation is manual operation or automatic operation, or automatic operation. Examples of driving modes include ACC (Adaptive Cruise Control), lane change, leading vehicle tracking, lane maintenance support, automatic parking, and the like. The driver's state includes the driver's personal identification information, arousal state, health state, driver's operation state, and the like. The operation state is, for example, whether or not the driver puts his hand on the steering wheel, where the driver's line of sight is pointing, and the like. The surrounding environmental state is, for example, information on the temperature and humidity inside and outside the vehicle, the amount of rainfall, and the like. The state of communication with the outside of the vehicle is information indicating whether or not communication between vehicles or communication with an external communication infrastructure is performed by C2X (Car-to-X) communication or the like.
 状態取得部3は上記の各種状態を例えば前述のネットワーク6を介して外部のECU5などの機器から取得しても良いし、OBD(On Board Diagnosis)などの保守用コネクタや、シリアル通信などのローカル通信インタフェースを介して取得しても良いし、運転席に設置された各種操作スイッチや車内に装備された各種センサなどから取得しても良い。 The state acquisition unit 3 may acquire the various states described above from, for example, an external ECU 5 or the like via the network 6 described above, a maintenance connector such as OBD (OnOBoard Diagnosis), or local communication such as serial communication. It may be acquired via a communication interface, or may be acquired from various operation switches installed in the driver's seat or various sensors installed in the vehicle.
 判定方法設定部4は、前述の状態取得部3が取得した状態に応じて、通信監視部2が実行する通信の監視方法または通信判定部7の処理方法を設定する機能を有する。通信判定部7は,前述の判定方法設定部4が設定したデータの判定方法に従って,通信監視部が監視するデータに異常があるか否かを判定する機能を有する。 The determination method setting unit 4 has a function of setting a communication monitoring method executed by the communication monitoring unit 2 or a processing method of the communication determination unit 7 according to the state acquired by the state acquisition unit 3 described above. The communication determination unit 7 has a function of determining whether or not the data monitored by the communication monitoring unit is abnormal in accordance with the data determination method set by the determination method setting unit 4 described above.
 図2を用いて車載ネットワーク装置1の詳細な処理フローについて説明する。はじめに、車載ネットワーク装置1の通信監視部2はネットワーク6からのデータ受信の有無を判定する(処理S201)。データを受信した場合には状態取得部3により自車状態を取得し、過去の取得時から変更があるか否かを判定する(処理S202)。次に,取得した自車状態に変更があった場合には,変更された自車状態に対応した監視方法を新たに設定する(処理S203)。ここで、状態取得(処理S202)および監視方法設定(処理S203)の実行タイミングは、図2に示すように,データ受信は発生する毎ではなく、所定回数のデータ受信が発生した際、または、データ受信の有無に関わらず一定周期としても良い。 A detailed processing flow of the in-vehicle network device 1 will be described with reference to FIG. First, the communication monitoring unit 2 of the in-vehicle network device 1 determines whether data is received from the network 6 (processing S201). When the data is received, the vehicle state is acquired by the state acquisition unit 3, and it is determined whether or not there is a change since the previous acquisition (processing S202). Next, when there is a change in the acquired vehicle state, a monitoring method corresponding to the changed vehicle state is newly set (processing S203). Here, the execution timing of the status acquisition (processing S202) and the monitoring method setting (processing S203) is not every time data reception occurs, as shown in FIG. 2, or when a predetermined number of data receptions occur, or A fixed period may be used regardless of whether or not data is received.
 次に、通信監視部2は処理S203において設定したデータの監視方法により受信データを監視し、受信データに異常があるか否かを判定する(処理S204)。受信データに異常があると判定した場合にはエラー処理を実行する(処理S205)。エラー処理とは例えば上位システムに通知するなどの異常対策処理である。異常対策の詳細については後述する。通信監視により異常がないと判定された場合には、受信データを別のネットワーク6に転送する必要があるか否かを判定する(処理S206)。データの転送が必要な場合には、例えば受信データ内に設定されたアドレス情報などを参照して所定のネットワーク6を介してデータを転送する(処理S207)。データの転送が不要な場合にはそのまま処理を終了する。 Next, the communication monitoring unit 2 monitors the received data by the data monitoring method set in the process S203, and determines whether or not the received data is abnormal (process S204). If it is determined that there is an abnormality in the received data, error processing is executed (processing S205). The error process is an abnormality countermeasure process such as notifying a higher system. Details of the countermeasure against abnormality will be described later. If it is determined by communication monitoring that there is no abnormality, it is determined whether or not the received data needs to be transferred to another network 6 (process S206). If data transfer is necessary, the data is transferred via the predetermined network 6 with reference to, for example, address information set in the received data (process S207). If data transfer is unnecessary, the process is terminated.
 図3を用いて通信監視部2の処理フローの一例について説明する。はじめに,通信監視部2は受信データの監視方法を変更する必要があるか否かを判定する(処理S301)。例えば、前述の処理S202において自車状態に変更があった場合には,監視方法の変更が必要と判定する。監視方法の変更が必要な場合には、自車状態に対応した監視方法を設定する(処理S302)。例えば,監視対象のデータに自車状態に対応した優先度を設定しておき,優先度に応じた監視方法を設定する。通信監視部2は自車状態から受信したデータの優先度を判定し(処理S303),優先度に応じたデータ監視方法を実行する(処理S304~処理S306)。 An example of the processing flow of the communication monitoring unit 2 will be described with reference to FIG. First, the communication monitoring unit 2 determines whether or not the received data monitoring method needs to be changed (processing S301). For example, when there is a change in the vehicle state in the above-described process S202, it is determined that the monitoring method needs to be changed. If it is necessary to change the monitoring method, a monitoring method corresponding to the vehicle condition is set (processing S302). For example, a priority corresponding to the vehicle state is set for the monitoring target data, and a monitoring method corresponding to the priority is set. The communication monitoring unit 2 determines the priority of data received from the vehicle state (processing S303), and executes a data monitoring method according to the priority (processing S304 to processing S306).
Examples of setting the priority and monitoring method corresponding to the own-vehicle state are described with reference to FIGS. 4 and 5. FIG. 4 shows an example in which a priority and a monitoring method corresponding to the control state 404 of the own vehicle are set for each data type 401. Examples of the control state 404 include a driving state 405, a stopped state 406, and a reprogramming (repro) state 407. The driving state 405 may be subdivided by speed, such as high speed and low speed. Similarly, the stopped state 406 may be subdivided into states such as engine stopped, idling, and accessory power ON. The repro state 407 is a state in which reprogramming of, for example, ECU firmware is being executed. It may be subdivided according to the progress of reprogramming, such as downloading the update software, rewriting the software, and restarting after the rewrite is complete.
The data type 401 is an index for identifying data that shares a specific common attribute. For example, a type is defined for each set of data that uses the same network area 402 or the same network type 403. The kinds, number, and format of the data types 401 shown in FIG. 4 are examples, and the invention is not limited to them.
For the various own-vehicle states defined above, a monitoring priority is set for each data type 401 to be monitored. For example, in the high-speed driving state 405, priority 1 is set for the data types 401 of body control information, infotainment, and C2X communication, and priority 3 is set for chassis control information, powertrain control information, functional safety information, automated driving information, and external environment recognition information. In the same way, a priority from 0 to 3 is set for each combination of own-vehicle state and data type 401.
The communication monitoring unit 2 sets the data monitoring method for each data type according to the priority that has been set. For example, when the own-vehicle state is the high-speed driving state 405, it preferentially monitors the network area 402 to which a high-priority data type 401 belongs. A network area 402 is, for example, the communication path, data bus, channel, or network interface over which each data type 401 mainly sends and receives data. For example, because chassis control information is assigned to network area 402B, the monitoring frequency of network area 402B is set high. Likewise, in the high-speed driving state 405, the priority 3 network areas 402B, C, D, and F are monitored preferentially, while the monitoring priority for the priority 1 network areas 402A, E, and G is set low.
The priority of the monitoring target may also be set based on the network type used by each data type 401, not only on the network area 402. For example, in the high-speed driving state 405, the high-priority network types (set to priority 3) are CAN, Ethernet (registered trademark), and LVDS, so these network types are monitored preferentially. The monitoring priority of the low-priority wireless LAN (set to priority 1) is lowered.
One high-priority (for example, priority 3) data monitoring method is to set a high monitoring frequency (monitoring every time data is received) and to monitor all of the header, payload, and footer of the data (process S304). For example, the unit monitors whether the header, payload, and footer values are the specified values.
One medium-priority (for example, priority 2) data monitoring method is to set a medium monitoring frequency (once every several receptions, at fixed time intervals, and so on) and to monitor only the header and footer of the data (process S305). One low-priority (for example, priority 1) data monitoring method is to set the monitoring frequency lower than for medium priority and to monitor only part of the header (for example, the ID) (process S306). The lowest priority (for example, priority 0) may be configured to be excluded from monitoring.
For example, in the stopped state 406 with the engine stopped, for data in network area 402A, which carries the body control information data type 401, or data whose network type is CAN, all of the header, payload, and footer are monitored every time data is sent or received. Network areas 402B, C, D, E, and F, which carry chassis control information, powertrain control information, functional safety information, automated driving information, infotainment, and external environment recognition information, and networks 6 whose network type is Ethernet (registered trademark), are excluded from data monitoring. For network area 402G, which carries C2X communication, or the wireless LAN network, the monitoring frequency is lowered and only the data ID is monitored.
In the repro state 407, for data that uses network area 402G, which carries the high-priority C2X communication, or the wireless LAN, all of the header, payload, and footer of the received data are monitored every time. Similarly, data whose data type 401 is infotainment is monitored at medium priority, body control information is monitored at low priority, and the other data types 401 are excluded from monitoring.
In this embodiment, the control state 404, the data type 401, the priority values, and so on are not limited to the example shown in FIG. 4. That is, this embodiment holds even if the kinds and number of data types 401, network areas 402, types of network 6, and control states 404, or the priority values, differ from those in FIG. 4.
FIG. 5 shows an example in which a priority and a monitoring method corresponding to the automated driving state of the own vehicle are set for each individual data item. The automated driving state 507 is defined as, for example, manual driving 508, ACC 509, lead-vehicle following 510, and automatic parking 511. Each data item to be monitored is assumed to have any of the following information set: data ID 501, data name 502, data source 503, destination 504, transmission method 505, and communication method 506.
The data ID 501 and data name 502 are information indicating the kind of data and may take any form as long as they distinguish the data from other data. The data source 503 and destination 504 are, for example, address information indicating the source and destination ECUs. The transmission method 505 is the kind of physical network carrying the data, for example Ethernet (registered trademark) or CAN. The communication method 506 is the kind of network protocol; for Ethernet (registered trademark), for example, it is TCP, UDP, IP, or Ethernet (registered trademark) AVB (Audio/Video Bridging, hereinafter AVB).
In the example of FIG. 5, the lane recognition information with data ID 501 of "1" has ECU_A as the source 503 and ECU_B as the destination 504, and uses Ethernet (registered trademark) as the transmission method 505 and TCP/IP as the communication method 506. For the lane recognition information data, priority 0 is set when the automated driving state 507 is manual driving 508, priority 3 for ACC 509, priority 3 for lead-vehicle following 510, and priority 1 for automatic parking 511.
Similarly, a priority is set per automated driving state 507 for each data item, such as landmark recognition information and stereo camera recognition information. The communication monitoring unit 2 sets the priority according to the automated driving state 507 and, when data is received, monitors it using the monitoring method for the priority that was set.
For example, when the automated driving state 507 is manual driving 508, monitoring of the landmark recognition information is set to high priority (priority 3), monitoring of the lane-change permission flag, ACC permission flag, and lead-vehicle-following permission flag is set to medium priority (priority 2), and all other data is excluded from monitoring. Similarly, when the automated driving state 507 is ACC 509, monitoring of the lane recognition information, forward object information, and vehicle speed setting information is set to high priority (priority 3); monitoring of the ACC permission flag and the automated-driving interruption flag is set to medium priority (priority 2); monitoring of the landmark recognition information, stereo camera sign recognition information, and preceding vehicle information is set to low priority (priority 1); and all other data is excluded from monitoring.
One high-priority (for example, priority 3) data monitoring method is to set a high monitoring frequency (for example, monitoring every time) and to monitor all of the information on the data ID 501, source 503, destination 504, transmission method 505, and communication method 506 (process S304). For example, the unit monitors whether the data ID 501, source 503, destination 504, transmission method 505, and communication method 506 are the specified values. One medium-priority (for example, priority 2) data monitoring method is to set a medium monitoring frequency (once every several receptions, at fixed time intervals, and so on) and to monitor some of the data ID 501, source 503, destination 504, transmission method 505, and communication method 506 of the target data (process S305).
One low-priority (for example, priority 1) data monitoring method is to set the monitoring frequency lower than for medium priority and to monitor only one of the data ID 501, source 503, destination 504, transmission method 505, and communication method 506 of the target data (process S306). The lowest priority (for example, priority 0) may be configured to be excluded from monitoring.
In this embodiment, the definitions related to the kind of data, the definition of the automated driving state 507, and the priority values are not limited to the example shown in FIG. 5. That is, this embodiment holds even if the definitions of the kinds and number of data IDs 501, data names 502, sources 503, destinations 504, transmission methods 505, and communication methods 506, the definitions of the kinds and number of automated driving states 507, or the monitoring priority values in each automated driving state 507 differ from those in FIG. 5.
As described above, according to this embodiment, setting the priority of the data monitored on the in-vehicle network according to the own-vehicle state makes it possible to monitor only carefully selected important data instead of all data. The processing load of detecting data abnormalities on the in-vehicle network can therefore be reduced.
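The priority scheme of processes S301 to S306 can be sketched as follows. This is an added example, not code from the patent: the priorities are the ones the text quotes for FIG. 4, while the state labels, the frame layout (ID and length in the header, a fixed trailer byte), the expected values, and the sampling intervals are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Priority(IntEnum):
    EXCLUDED = 0  # removed from monitoring
    LOW = 1       # lowest frequency, ID only (S306)
    MEDIUM = 2    # sampled, header and footer (S305)
    HIGH = 3      # every frame, header + payload + footer (S304)


ALL_TYPES = ("body_control", "chassis_control", "powertrain_control",
             "functional_safety", "automated_driving", "infotainment",
             "external_recognition", "c2x")


def _row(default, **overrides):
    return {t: Priority(overrides.get(t, default)) for t in ALL_TYPES}


# Priorities quoted in the text for FIG. 4; the state names are labels chosen here.
PRIORITY_TABLE = {
    "driving_high_speed": _row(3, body_control=1, infotainment=1, c2x=1),
    "engine_stopped": _row(0, body_control=3, c2x=1),
    "reprogramming": _row(0, c2x=3, infotainment=2, body_control=1),
}

# Assumption: the text only says "high", "medium" and "lower" frequency.
SAMPLE_EVERY = {Priority.HIGH: 1, Priority.MEDIUM: 4, Priority.LOW: 16}

# Constructed "specified values": header = [id, declared payload length], fixed trailer.
MAX_PAYLOAD = 8
FOOTER = b"\x55"
EXPECTED_ID = {t: 0x10 * (i + 1) for i, t in enumerate(ALL_TYPES)}


@dataclass(frozen=True)
class Frame:
    data_type: str
    header: bytes
    payload: bytes
    footer: bytes


def make_frame(data_type, payload, declared_len=None, footer=FOOTER):
    """Build a constructed sample frame; declared_len lets a test mis-declare the length."""
    n = len(payload) if declared_len is None else declared_len
    return Frame(data_type, bytes([EXPECTED_ID[data_type], n]), payload, footer)


def _check_id(f):
    return len(f.header) >= 1 and f.header[0] == EXPECTED_ID.get(f.data_type)


def _check_header(f):
    return _check_id(f) and len(f.header) == 2 and f.header[1] <= MAX_PAYLOAD


def _check_payload(f):
    return len(f.header) == 2 and len(f.payload) == f.header[1]


def _check_footer(f):
    return f.footer == FOOTER


CHECKS = {
    Priority.HIGH: (("header", _check_header), ("payload", _check_payload),
                    ("footer", _check_footer)),
    Priority.MEDIUM: (("header", _check_header), ("footer", _check_footer)),
    Priority.LOW: (("id", _check_id),),
}


class CommunicationMonitor:
    def __init__(self, state):
        self._seen = {}
        self.set_state(state)

    def set_state(self, state):
        """S301/S302: switch the monitoring method when the vehicle state changes."""
        if state not in PRIORITY_TABLE:
            raise ValueError(f"no priority table for state {state!r}")
        self.state = state
        self._seen.clear()  # restart the sampling counters for the new state

    def inspect(self, frame):
        """Return (verdict, failed_fields); verdict is 'skipped', 'ok' or 'anomaly'."""
        # S303. Assumption: a data type missing from the table is monitored at HIGH.
        prio = PRIORITY_TABLE[self.state].get(frame.data_type, Priority.HIGH)
        if prio is Priority.EXCLUDED:
            return "skipped", ()
        n = self._seen.get(frame.data_type, 0)
        self._seen[frame.data_type] = n + 1
        if n % SAMPLE_EVERY[prio]:
            return "skipped", ()
        failed = tuple(name for name, check in CHECKS[prio] if not check(frame))
        return ("anomaly" if failed else "ok"), failed
```

The same malformed frame is flagged, passed, or never inspected depending on the state, which is the coverage given up in exchange for the reduced processing load.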
(Second Embodiment)
As shown in FIG. 6, the in-vehicle network device 21 in the second embodiment comprises a communication monitoring unit 22, a state acquisition unit 23, and a determination method setting unit 24, and has the same functions as the in-vehicle network device 1 in the first embodiment. The communication monitoring unit 22 and the state acquisition unit 23 have the same functions as in the first embodiment.
The determination method setting unit 24 has the same functions as the determination method setting unit 4 in the first embodiment. It additionally has a filter selection unit 25, a filter list 26, a filter stage count setting unit 28, and a filter update unit 29, and has the function of setting, according to the own-vehicle state acquired by the state acquisition unit 23, the communication monitoring method executed by the communication monitoring unit 22 and the communication determination method used in the communication determination unit 27.
The filter selection unit 25 has the function of selecting, from the filter list 26, the filters to use for communication determination according to the own-vehicle state acquired by the state acquisition unit 23. The filter stage count setting unit 28 has the function of setting the number of filter stages to use according to the own-vehicle state acquired by the state acquisition unit 23. The filter update unit 29 has the function of updating the filter list 26. Details of the filter list 26 are described later. The filter list 26 and the filter update unit 29 may be located outside the in-vehicle network device 21, and the filter update unit 29 may be omitted if the filter list 26 does not need to be changed.
An example of the processing flow of the determination method setting unit 24 is described with reference to FIGS. 7 and 8. First, the determination method setting unit 24 acquires the own-vehicle state through the state acquisition unit 23 and determines whether it has changed since the previous acquisition (process S701). If the own-vehicle state has changed, it determines whether the corresponding filters are already registered in the filter setting information 800 (process S702). The filter setting information 800 is described in detail later.
If they are already registered as filter setting information 800, the unit switches to the registered filter setting (process S703). If no filter setting has been made, it determines whether the filter list 26 contains filters corresponding to the changed own-vehicle state (process S704). If the filter list 26 contains such filters, the filter stage count setting unit 28 sets the number of filter stages (process S705).
Next, the filter selection unit 25 selects the kinds of filters to use (process S706). If multiple stages were set in process S705, it selects a filter for each stage. If no corresponding filter was found in process S704, the unit determines whether the filter list 26 can be updated (process S707). If the filter list 26 can be updated, the filter update unit 29 adds a new filter or modifies an existing one (process S708).
After that, process S705 and process S206 are executed using the added or modified filter. If the filters cannot be updated, error processing is executed (process S209). Examples of error processing include abnormality countermeasures such as notifying a higher-level system. Details of the abnormality countermeasures are described later.
FIG. 8 shows an example of the filter setting information 800, and FIG. 9 shows an example of the filter list 26. In the filter setting information 800, filters 802 are set according to the own-vehicle state 801. For each filter 802, a list of data to be filtered 803 (hereinafter, target data list 803) and a filter type 804 are set. The target data list 803 holds information identifying the data to be filtered, such as data IDs.
The number of filters 802 is not limited to three as in FIG. 8, and the number set may vary with the own-vehicle state 801. For example, when the own-vehicle state 801 is manual driving, the first filter 802 performs a communication determination on the network type for data with data IDs 0x01 and 0x02. The second filter 802 performs a communication determination on the source and destination for data with data IDs 0x01 and 0x02. The third filter 802 performs a communication determination on the data size for data with data IDs 0x01 and 0x02.
Similarly, when the own-vehicle state 801 is ACC, the first filter 802 performs a communication determination on the data ID for the 0x01 data. The second filter 802 performs a communication determination on the data transmission period for the 0x02 data.
The filter settings shown in FIG. 8 are described in detail with reference to FIG. 10. As shown in FIG. 10, the filter setting 1002 for manual driving selects multiple filters 802 for the same monitored data, so the determination processes (processes 1003 to 1005) are executed in series. In the filter setting 1006 for ACC, different filters 802 are set for different monitored data, so the determination processes (processes 1007 and 1008) are executed in parallel. In addition, as in the filter setting 1009 for lead-vehicle following, determination processes executed in series (processes 1010 and 1011 when the target data is 0x04) may be mixed with determination processes executed in parallel (process 1010 for target data 0x03 and process 1011 for target data 0x05).
The combination of target data list 803 and filter type 804 is selected from the filter list 26 shown in FIG. 9. For example, for data whose data ID 901 is 0x01, when the filter 802 on the period 902 is used, the determination threshold is that a period within ±5% of the specified period of 10 ms is judged normal. With the filter 802 on the data size 903, a size within ±1 byte of the specified 4 bytes is judged normal. When the filter 802 on the network type 403 is used, communication over CAN is judged normal. When the filter 802 on the source 503 and destination 504 is used, the data is judged normal if the source 503 is the address of ECU_A and the destination 504 is the address of ECU_B or ECU_C.
In this way, the filter type and the determination threshold are set for each data item that each filter 802 judges. The target data list 803 in FIG. 8, the target data ID 901 in FIG. 9, and the monitored data 1001 in FIG. 10 all use data IDs, but different identification information may be used as long as the items can be associated with one another. For example, the target data list 803 may hold identification information indicating that the data passes through a specific communication path, bus, or channel.
The filter setting information 800 in FIG. 8 and the filter list 26 in FIG. 9 are examples, and setting methods other than those shown may be used. The filter setting information 800 may therefore take any form as long as the number, kinds, and combination of filters 802 can be set for each own-vehicle state 801. Likewise, the filter list 26 may take any form as long as the filtering method and the threshold information for determination can be set for each monitored data item 1001.
As described above, according to this embodiment, the method of judging whether data monitored on the in-vehicle network is normal or abnormal can be changed according to the own-vehicle state. Compared with judging with fixed filters, the processing speed, processing load, and determination accuracy can be adjusted flexibly to suit the situation.
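The filter list of FIG. 9 and the per-state filter settings of FIG. 8 can be combined as in the following added example, which is not code from the patent. The 0x01 thresholds and the manual-driving and ACC filter assignments come from the text; the 0x02 row, the state labels, the `Observation` record, and the reading of the data ID filter as "the ID is registered in the filter list" are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One received data item as seen by the monitor (constructed record type)."""
    data_id: int
    network: str
    src: str
    dst: str
    size: int          # bytes
    period_ms: float   # time since the previous item with the same data ID


# Filter list 26 (FIG. 9). Row 0x01 uses the thresholds quoted in the text;
# row 0x02 is constructed for this example.
FILTER_LIST = {
    0x01: {"period_ms": 10.0, "period_tol": 0.05, "size": 4, "size_tol": 1,
           "network": {"CAN"}, "src": {"ECU_A"}, "dst": {"ECU_B", "ECU_C"}},
    0x02: {"period_ms": 20.0, "period_tol": 0.05, "size": 8, "size_tol": 1,
           "network": {"CAN"}, "src": {"ECU_B"}, "dst": {"ECU_A"}},
}


def _period(o, r):
    return abs(o.period_ms - r["period_ms"]) <= r["period_ms"] * r["period_tol"]


def _data_size(o, r):
    return abs(o.size - r["size"]) <= r["size_tol"]


def _network_type(o, r):
    return o.network in r["network"]


def _src_dst(o, r):
    return o.src in r["src"] and o.dst in r["dst"]


def _data_id(o, r):
    # Assumption: the data ID filter accepts IDs that are registered in the list.
    return o.data_id in FILTER_LIST


FILTERS = {"period": _period, "data_size": _data_size,
           "network_type": _network_type, "src_dst": _src_dst,
           "data_id": _data_id}

# Filter setting information 800 (FIG. 8): ordered (target data list, filter type) stages.
FILTER_SETTINGS = {
    "manual": [({0x01, 0x02}, "network_type"),
               ({0x01, 0x02}, "src_dst"),
               ({0x01, 0x02}, "data_size")],
    "acc": [({0x01}, "data_id"),
            ({0x02}, "period")],
}


def judge(state, obs):
    """Run the stages registered for `state` that target obs.data_id, in order.

    Returns the names of the failed filters ([] means normal), or None when no
    stage targets this data ID in the current state (the item is not judged).
    """
    if state not in FILTER_SETTINGS:
        # Corresponds to the error path taken when no filter can be set up.
        raise LookupError(f"no filter setting registered for state {state!r}")
    stages = [kind for targets, kind in FILTER_SETTINGS[state]
              if obs.data_id in targets]
    if not stages:
        return None
    rule = FILTER_LIST.get(obs.data_id, {})
    return [kind for kind in stages if not FILTERS[kind](obs, rule)]
```

An item with a wrong source and size is rejected under the manual-driving setting but passes under ACC, where only the data ID filter applies to 0x01, so each state's filter set defines exactly which deviations are detectable in that state.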
(Third Embodiment)
As shown in FIG. 11, the in-vehicle network device 31 in the third embodiment comprises a communication monitoring unit 32, a state acquisition unit 33, and a determination method setting unit 34, and has the same functions as the in-vehicle network device 1 in the first embodiment. The communication monitoring unit 32 and the state acquisition unit 33 have the same functions as in the first embodiment.
The determination method setting unit 34 has the same functions as the determination method setting unit 4 in the first embodiment or the determination method setting unit 24 in the second embodiment. It additionally has a monitoring group list 35, a group determination method setting unit 36, a monitoring group setting unit 38, and a monitoring data list 39, and has the function of grouping the monitored data according to the own-vehicle state acquired by the state acquisition unit 33 and setting the communication data determination method for each group.
The monitoring data list 39 is a list of the data monitored by the communication monitoring unit 32 and holds any of the following: data identification information, address information on the data source and destination, information on the data transmission method and communication method, information on the data size, and information on the data transmission period. The monitoring data list 39 may be stored outside the determination method setting unit 34.
The monitoring group setting unit 38 has the function of grouping the data registered in the monitoring data list 39 based on the own-vehicle state acquired by the state acquisition unit 33 and registering the groups in the monitoring group list 35. The monitoring group list 35 is a list that defines, for each own-vehicle state, the groups of data to be monitored, and holds any of the following: the determination method for each group, group identification information, information associating groups with individual data, determination-specific information, threshold information for determination, and monitoring priority. The monitoring group list 35 may be stored outside the determination method setting unit 34.
The group determination method setting unit 34 has the function of selecting, based on the own-vehicle state acquired by the state acquisition unit 33, a group of monitored data registered in the monitoring group list 35 and setting the data determination method for each group.
The detailed processing flow of the in-vehicle network device 31 is described with reference to FIG. 12. First, the state acquisition unit 33 acquires the own-vehicle state and determines whether it has changed since the previous acquisition (process S1201). If the own-vehicle state has changed, it checks whether a monitoring group list 35 exists for that state and determines whether a monitoring group list 35 needs to be newly created or updated (process S1202).
If the monitoring group list 35 needs to be created or updated, it is created or updated (process S1203). An example of the monitoring group list 35 and an example of how the list is created are described later. Next, the group determination method to be used for the communication determination described later is selected from the monitoring group list 35 and set for each own-vehicle state (process S1204).
Next, the communication monitoring unit 32 monitors data reception (process S1205). Here, communication data is monitored per specific group according to the monitoring group list 35, and whether the communication data in the group is abnormal is determined according to the group determination method set in process S1204 (process S1206). A detailed example of the communication data determination method is described later. If the data is determined to be abnormal, error processing is executed (process S1207). Error processing is an abnormality countermeasure such as notifying a higher-level system. Details of the abnormality countermeasures are described later.
 監視グループリスト35の例およびリストの作成方法の例について,図13を用いて説明する。監視グループリスト35は、図13に示す監視データリスト39に基づいて作成する。監視データリスト39は、通信監視部32が監視対象とするデータに関する情報である。例えば、図13(a)に示す通り、データの識別情報としてデータID1301、データの送受信元を示すアドレス情報(送信元503および送信先504)、データの伝送方式505、データサイズ1302、データの送信周期1303などを有する。例えば、データID1301が「100」のデータは送信元503のアドレス情報として「ECU_A」、送信先504のアドレス情報として「ECU_B」、伝送方式505として「Ethernet(登録商標)」、データサイズ1302として「100Byte」、データ送信周期1303として「1000ms」が設定されている。 An example of the monitoring group list 35 and an example of a list creation method will be described with reference to FIG. The monitoring group list 35 is created based on the monitoring data list 39 shown in FIG. The monitoring data list 39 is information relating to data to be monitored by the communication monitoring unit 32. For example, as shown in FIG. 13A, a data ID 1301 as data identification information, address information (transmission source 503 and transmission destination 504) indicating the transmission / reception source of data, a data transmission method 505, a data size 1302, and data transmission A period 1303 and the like are included. For example, data with a data ID 1301 of “100” is “ECU_A” as the address information of the transmission source 503, “ECU_B” as the address information of the transmission destination 504, “Ethernet (registered trademark)” as the transmission method 505, and “ “100 bytes” and “1000 ms” are set as the data transmission cycle 1303.
 監視グループ設定部38は、自車状態毎に監視データリスト39の中から特定のデータ群選択しグループ化する。グループ化の基準として例えば、データID1301が近いものを纏める、送信元503または送信先504が同一のものを纏める、伝送方式505が同一のものを纏める、データサイズ1302や送信周期1303が同一または近似しているものを纏めるなどの方法がある。その他、データ毎に予め重要度を設定しておき、重要度に応じてグループ化するなどの方法でも良い。本実施形態において、データを纏めるためのルールについては特に限定しない。 The monitoring group setting unit 38 selects and groups specific data groups from the monitoring data list 39 for each vehicle state. As a grouping standard, for example, data having the same data ID 1301 are collected, data having the same transmission source 503 or transmission destination 504, data having the same transmission method 505, data size 1302 and transmission period 1303 are the same or approximate. There are methods such as putting together what is done. In addition, a method may be used in which importance is set in advance for each data and grouped according to importance. In the present embodiment, the rules for collecting data are not particularly limited.
 図13では、送信元503および送信先504が同一のデータを同じグループとして纏めている例を示すが、その他の方法でグループ化しても本実施形態は成立する。監視グループリスト35にはグループの識別情報を設定する。例えば、データID1301が「101」「102」のデータのグループにはグループID1304「B」を付与する。ここで、グループにはデータが一つでも良く、データID1301が「100」のデータについては、1つのデータから構成されるグループID1304が「A」のグループとしても良い。 FIG. 13 shows an example in which the transmission source 503 and the transmission destination 504 group the same data as the same group, but the present embodiment can be realized even if they are grouped by other methods. Group identification information is set in the monitoring group list 35. For example, a group with data ID 1301 “101” “102” is assigned a group ID 1304 “B”. Here, the group may have only one data, and for data with the data ID 1301 of “100”, the group ID 1304 made up of one data may be a group with “A”.
 また,監視グループリスト35を作成する際には、監視データリスト39の登録情報をキーとして、後述する通信データ判定のための固有情報(判定固有情報と略す)を設定しても良い。以下に,送信元503、送信先504、伝送方式505をキーとして判定固有情報を生成する例を示す。判定固有情報I1305は次式により生成する。 Further, when the monitoring group list 35 is created, unique information for communication data determination described later (abbreviated as determination specific information) may be set using the registration information of the monitoring data list 39 as a key. In the following, an example in which determination specific information is generated using the transmission source 503, the transmission destination 504, and the transmission method 505 as keys is shown. The determination specific information I1305 is generated by the following equation.
Determination specific information I = (transmission source << 8) + (transmission destination << 4) + transmission method
Here, (transmission source << 8) means shifting the bit information indicating the transmission source 503 left by 8 bits. For example, for the group with group ID 1304 "A", which consists of the data with data ID 1301 "100", the address information of ECU_A, the transmission source 503, is tentatively "0xA", the address information of ECU_B, the transmission destination 504, is tentatively "0xB", and the transmission method 505 is Ethernet (registered trademark) (tentatively "0xE"), so the determination specific information I 1305 is (0xA << 8) + (0xB << 4) + 0xE = 0xABE.
Similarly, for the group with group ID 1304 "B", the address information of ECU_B, the transmission source 503, is tentatively "0xB", the address information of ECU_A, the transmission destination 504, is tentatively "0xA", and the transmission method 505 is CAN (tentatively "0xC"), so the determination specific information I 1305 is "0xBAC".
The following is an example of generating determination specific information using the data ID 1301, data size 1302 and transmission cycle 1303 as keys. Determination specific information II 1306 is generated by the following formula.
Determination specific information II = data ID + data size + transmission cycle ÷ 100
For example, the data whose data ID 1301 is "100" has a data size 1302 of "100" and a transmission cycle 1303 of "1000", so the determination specific information II 1306 is "100+100+1000÷10=300". Several values of determination specific information II 1306, each calculated individually per piece of data, may be assigned within one group.
The examples use simple conversion formulas to keep the explanation simple, but determination specific information may instead be generated with, for example, a hash function keyed on specific information in the monitoring data list 39. That is, this embodiment holds regardless of the method used, as long as particular determination specific information can be generated using some information held by the data in the group as a key.
An example of the communication data determination method in process S1206 is described next. When the communication monitoring unit 32 receives communication data, it calculates the determination specific information. It searches for whether the calculated determination specific information is registered in the monitoring group list 35, and determines the data to be abnormal if it is not registered. Because the determination specific information of abnormal data may match by coincidence, several types of determination specific information may be used in combination. For example, determination specific information I 1305 is searched first; if the value matches, determination specific information II 1306 is searched next; and the data is determined to be normal only when both values match.
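The lookup in process S1206, as an added example in Python (not code from the patent): it builds the monitoring group list 35 from the monitoring data list 39, checks frames against determination specific information I and then II, and compares that with the hash-based alternative the text mentions. The 4-byte field encoding, the choice of SHA-256, the size and cycle of data IDs 101 and 102, and all sample frames are assumptions constructed here; II divides by 10 as in the worked example rather than by 100 as in the formula.

```python
import hashlib
from dataclasses import dataclass

# Constructed codes; the page tentatively assigns 0xA, 0xB, 0xE and 0xC.
ECU_A, ECU_B, ETHERNET, CAN = 0xA, 0xB, 0xE, 0xC

@dataclass(frozen=True)
class Frame:
    data_id: int
    src: int        # address code of the transmission source
    dst: int        # address code of the transmission destination
    transport: int  # code of the transmission method
    size: int       # observed data size in bytes
    cycle_ms: int   # observed transmission cycle

def info_i(f):
    """Determination specific information I, per the page's formula."""
    return (f.src << 8) + (f.dst << 4) + f.transport

def info_ii(f, divisor=10):
    """Determination specific information II (divisor 10 follows the worked example)."""
    return f.data_id + f.size + f.cycle_ms // divisor

def info_hash(f):
    """Hash-based variant (assumption): fixed-width fields cannot overlap."""
    fields = (f.data_id, f.src, f.dst, f.transport, f.size, f.cycle_ms)
    raw = b"".join(v.to_bytes(4, "big") for v in fields)
    return hashlib.sha256(raw).hexdigest()[:16]

# Monitoring data list 39. ID 100 is the page's row; the size and cycle of
# IDs 101 and 102 are constructed because the page does not give them.
MONITORING_DATA_LIST = [
    Frame(100, ECU_A, ECU_B, ETHERNET, 100, 1000),
    Frame(101, ECU_B, ECU_A, CAN, 8, 100),
    Frame(102, ECU_B, ECU_A, CAN, 8, 20),
]

def build_group_list(entries):
    """Monitoring group list 35: one group per (source, destination, method)."""
    groups = {}
    for e in entries:
        key = (e.src, e.dst, e.transport)
        if key not in groups:
            groups[key] = {"group_id": chr(ord("A") + len(groups)),
                           "info_i": info_i(e), "info_ii": set(), "hashes": set()}
        groups[key]["info_ii"].add(info_ii(e))
        groups[key]["hashes"].add(info_hash(e))
    return list(groups.values())

def judge(frame, group_list, use_hash=False):
    """Process S1206: return (verdict, reason) for one received frame."""
    if use_hash:
        registered = any(info_hash(frame) in g["hashes"] for g in group_list)
        return ("normal", "hash registered") if registered else ("abnormal", "hash not registered")
    candidates = [g for g in group_list if g["info_i"] == info_i(frame)]
    if not candidates:
        return ("abnormal", "I not registered")
    if not any(info_ii(frame) in g["info_ii"] for g in candidates):
        return ("abnormal", "II not registered")
    return ("normal", "I and II registered")

# Constructed frames. The last two have fields that differ from every
# registered entry but still sum to group A's I (and, for the last, its II).
SAMPLE_FRAMES = {
    "registered": Frame(100, ECU_A, ECU_B, ETHERNET, 100, 1000),
    "unknown_source": Frame(100, 0xC, ECU_B, ETHERNET, 100, 1000),
    "same_i": Frame(300, 0x9, 0x1B, ETHERNET, 64, 500),
    "same_i_and_ii": Frame(150, 0x9, 0x1B, ETHERNET, 50, 1000),
}

def demo():
    """Verdict of the I-then-II check and of the hash check for each sample frame."""
    groups = build_group_list(MONITORING_DATA_LIST)
    return {name: (judge(f, groups)[0], judge(f, groups, use_hash=True)[0])
            for name, f in SAMPLE_FRAMES.items()}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The additive formulas let different field values sum to the same result once a field is wider than its shift, which is the coincidental match the text warns about; the fixed-width hash input removes that overlap.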
Another example of the monitoring group list 35 and of the communication data determination method in process S1206 is described with reference to FIG. 13(b). As shown in FIG. 13(b), the monitoring group list 35 may hold information on a priority 1308 and a determination method 1309 in addition to the determination specific information. For example, a monitoring priority 1308 is set for each group ID 1304.
For the priority 1308, the method shown in the first embodiment or a similar method is used. For example, data in a group with a high priority 1308 may be monitored individually, while data in a group with a low priority 1308 may be excluded from monitoring.
As an example of the determination method 1309, an upper and a lower size limit may be set for each group, and data whose data size 1302 does not fall within the predetermined thresholds is determined to be abnormal. Alternatively, an average data transfer amount for the data in the group may be set, and the data determined to be abnormal if it does not fall within a predetermined threshold.
The monitoring group list 35 is not limited to the example shown in FIG. 13; it suffices that it holds any of the following: a determination method for each group, group identification information, information associating groups with individual data, unique information for determination, threshold information for determination, and priority information for determination.
As described above, according to this embodiment, multiple pieces of monitored data are grouped according to specific rules and the data is monitored per group, so data can be monitored with a lower processing load than when each piece of data is monitored individually.
(Fourth embodiment)
As shown in FIG. 14, the in-vehicle network device 41 of the fourth embodiment comprises a communication monitoring unit 42, a state acquisition unit 43 and a determination method setting unit 44, and has the same functions as the in-vehicle network device 1/21/31 of the first, second or third embodiment.
The in-vehicle network device 41 also has an abnormality countermeasure list 45 and a countermeasure execution unit 46, and has the function of selecting a countermeasure method from the abnormality countermeasure list 45 and executing it when the communication determination unit 47 of the communication monitoring unit 42 detects an abnormality in communication data. The communication monitoring unit 42, the state acquisition unit 43 and the determination method setting unit 44 have the same functions as in the first, second or third embodiment.
The abnormality countermeasure list 45 holds a list of countermeasure methods corresponding to the own vehicle state acquired by the state acquisition unit 43 or to the content of the communication data in which the communication determination unit 47 detected an abnormality. The countermeasure execution unit 46 has the function of selecting, from the abnormality countermeasure methods registered in the abnormality countermeasure list 45, the one corresponding to the own vehicle state or to the content of the communication data in which the communication determination unit 47 detected an abnormality, and executing it.
The detailed processing flow of the in-vehicle network device 41 is described with reference to FIG. 15. The communication monitoring unit 42 determines whether the communication data is abnormal according to the processing flow of the first, second or third embodiment (process S1501). If an abnormality is detected in the communication data, it is determined whether the abnormality countermeasure list 45 contains a countermeasure method corresponding to the own vehicle state at the time of detection and to the content of the communication data in which the abnormality was detected (process S1502). If the abnormality countermeasure list 45 contains such a countermeasure method, it is selected and executed (process S1503). If the abnormality countermeasure list 45 contains no appropriate countermeasure method, error processing is executed (process S1504). Error processing may, for example, notify a higher-level system of the abnormality or register a new countermeasure method in the abnormality countermeasure list 45. Alternatively, a countermeasure method for the case where no condition applies may be registered in the abnormality countermeasure list 45 in advance and executed as the error processing.
An example of the abnormality countermeasure list 45 and of abnormality countermeasure methods is described with reference to FIG. 16. First, FIG. 16(a) is an example of the abnormality countermeasure list 45 relating to the first embodiment. For example, countermeasure methods are registered that correspond to the own vehicle state and to the network type 403, transmission source 503 and transmission destination 504 of the data in which the abnormality was detected. Examples of the countermeasure method 1602 include abnormality notification, deceleration, stopping, cancellation of automatic driving, network disconnection and log saving, but countermeasures other than those described here may also be registered. In addition, identification information such as a countermeasure ID 1603 may be assigned to each countermeasure method 1602, and a countermeasure method 1602 that combines several countermeasure methods 1602 may be registered.
FIG. 16(b) is an example of the abnormality countermeasure list 45 relating to the second embodiment. For example, a countermeasure method 1602 is registered that corresponds to the own vehicle state 1601 and to the filter type 1605 that detected the abnormality. FIG. 16(c) is an example of the abnormality countermeasure list 45 relating to the third embodiment. For example, a countermeasure method 1602 is registered that corresponds to the own vehicle state 1601 and to the group ID 1304, data ID 1301, determination specific information 1607 or the like of the data in which the abnormality was detected. The items and format of the abnormality countermeasure list 45 shown in FIG. 16 are not limited to this example. Multiple abnormality countermeasure lists 45 may also be used at the same time or by switching between them.
As described above, according to this embodiment, when an abnormality is detected in communication data, an appropriate abnormality countermeasure corresponding to the own vehicle state can be executed.
1, 21, 31, 41 In-vehicle network device
2, 22, 32, 42 Communication monitoring unit
3, 23, 33, 43 State acquisition unit
4, 24, 34, 44 Determination method setting unit
5 ECU
6 Network
7, 27, 37, 47 Communication determination unit
25 Filter selection unit
26 Filter list
28 Filter stage number setting unit
29 Filter update unit
35 Monitoring group list
36 Group determination method setting unit
38 Monitoring group setting unit
39 Monitoring data list
45 Abnormality countermeasure list
46 Countermeasure execution unit
401 Data type
402 Network area
403 Network type
404 Control state
405 Running state
406 Stopped state
407 Reprogramming state
501, 901, 1301 Data ID
502 Data name
503 Transmission source
504 Transmission destination
505 Transmission method
506 Communication method
507 Automatic driving state
508 Manual driving
509 ACC
510 Lead vehicle following
511 Automatic parking
800 Filter setting information
801 Own vehicle state
802 Filter
803 Target data list
804 Filter type
902, 1303 Cycle
903, 1302 Data size
1304 Group ID
1305, 1306, 1607 Determination specific information
1308 Priority
1309 Determination method
1601 Own vehicle state
1602 Countermeasure method
1603 Countermeasure ID

Claims (10)

  1.  An in-vehicle network device that communicates data between a plurality of in-vehicle devices, comprising:
     a state acquisition unit that acquires the state of the host vehicle, and a communication monitoring unit that monitors the data,
     wherein the method of monitoring the data is changed based on the state of the host vehicle.
  2.  The in-vehicle network device according to claim 1,
     wherein the state of the host vehicle includes any of the control state of the host vehicle, the running state of the host vehicle, the automatic driving state of the host vehicle, the state of the driver riding in the host vehicle, the state of the environment surrounding the host vehicle, and the communication state of the host vehicle.
  3.  The in-vehicle network device according to claim 1 or claim 2, comprising:
     a communication determination unit that determines the communication state of the data, and
     a determination method setting unit 4 that sets the method of determining the communication state,
     wherein changing the method of monitoring the data includes any of changing the monitoring frequency of the data, changing the monitoring priority of the data, and changing the method of determining the communication state.
  4.  The in-vehicle network device according to claim 3,
     wherein changing the method of determining the communication state includes any of changing the type of determination condition, changing the number of determination conditions, and changing the threshold used for determination.
  5.  The in-vehicle network device according to claim 4,
     which holds a plurality of the determination methods and comprises a determination method update unit for deleting or changing any of the held determination methods or adding a new determination method,
     wherein the determination method is updated when there is no determination method corresponding to the state of the host vehicle.
  6.  The in-vehicle network device according to any one of claims 1 to 5,
     wherein one or more pieces of the data monitored by the communication monitoring unit are grouped together, and the data is monitored by a monitoring method common to each group.
  7.  The in-vehicle network device according to claim 6,
     which holds information on a plurality of the groups and comprises a monitoring group setting unit for deleting or changing any of the held group information or adding information on a new group,
     wherein the group information is updated when there is no group information corresponding to the state of the host vehicle.
  8.  The in-vehicle network device according to claim 6 or claim 7,
     wherein determination specific information calculated from information about the data is managed for each group, and
     the communication monitoring unit uses the determination specific information in monitoring the data.
  9.  The in-vehicle network device according to any one of claims 1 to 8,
     wherein, when the communication monitoring unit detects an abnormality in the data, it executes an abnormality countermeasure corresponding to the state of the host vehicle and the content of the detected data.
  10.  The in-vehicle network device according to claim 9,
     which holds a plurality of abnormality countermeasure methods corresponding to the state of the host vehicle or to the content of the data in which the abnormality was detected, and selects and executes the abnormality countermeasure from among the plurality of held abnormality countermeasure methods.
PCT/JP2016/072719 2015-09-04 2016-08-03 Onboard network device WO2017038351A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015174303A JP6531011B2 (en) 2015-09-04 2015-09-04 In-vehicle network device
JP2015-174303 2015-09-04

Publications (1)

Publication Number Publication Date
WO2017038351A1 true WO2017038351A1 (en) 2017-03-09

Family

ID=58187146

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/072719 WO2017038351A1 (en) 2015-09-04 2016-08-03 Onboard network device

Country Status (2)

Country Link
JP (1) JP6531011B2 (en)
WO (1) WO2017038351A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018203119A (en) * 2017-06-06 2018-12-27 トヨタ自動車株式会社 Steering assist device
US10382466B2 (en) 2017-03-03 2019-08-13 Hitachi, Ltd. Cooperative cloud-edge vehicle anomaly detection
CN111492625A (en) * 2018-07-27 2020-08-04 松下电器(美国)知识产权公司 Illegal detection method and illegal detection device
WO2020162075A1 (en) * 2019-02-08 2020-08-13 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Abnormality determination method, abnormality determination device, and program
US11012172B2 (en) 2018-05-15 2021-05-18 Denso Corporation Relay device

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018160870A (en) * 2017-03-24 2018-10-11 オムロンオートモーティブエレクトロニクス株式会社 On-vehicle communication system and input/output device
WO2018207243A1 (en) * 2017-05-09 2018-11-15 三菱電機株式会社 Onboard authentication system, onboard authentication method, and onboard authentication program
JP2019026149A (en) * 2017-08-01 2019-02-21 トヨタ自動車株式会社 Vehicle automatic driving control device
JP6913869B2 (en) 2017-08-30 2021-08-04 パナソニックIpマネジメント株式会社 Surveillance equipment, surveillance systems and computer programs
JP6808595B2 (en) * 2017-09-01 2021-01-06 クラリオン株式会社 In-vehicle device, incident monitoring method
JP6973122B2 (en) * 2018-01-26 2021-11-24 トヨタ自動車株式会社 In-vehicle network system
JP6908549B2 (en) * 2018-03-20 2021-07-28 日立Astemo株式会社 Vehicle control device and vehicle control system
JP7231559B2 (en) * 2018-05-08 2023-03-01 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Anomaly detection electronic control unit, in-vehicle network system and anomaly detection method
CN109532847B (en) * 2018-11-19 2020-01-24 百度在线网络技术(北京)有限公司 Method and apparatus for controlling unmanned vehicle, server, medium
KR102111359B1 (en) * 2018-12-20 2020-05-15 주식회사 만도 Apparatus for OTA add-on
JP7207824B2 (en) * 2019-01-22 2023-01-18 日本電気通信システム株式会社 Network control device, method and program
JP2020154530A (en) * 2019-03-19 2020-09-24 Necソリューションイノベータ株式会社 Resource management device, user device side resource management device, resource management method, user device side resource management method, program, and storage medium
JP2021158454A (en) 2020-03-25 2021-10-07 トヨタ自動車株式会社 Vehicle control system, data transmission method, and program
WO2021240662A1 (en) * 2020-05-26 2021-12-02 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Abnormality detection device, abnormality detection system, and abnormality detection method
CN117241981A (en) 2021-05-20 2023-12-15 三菱电机株式会社 Control device
JP7403728B2 (en) 2021-10-25 2023-12-22 三菱電機株式会社 Intrusion detection system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH03128542A (en) * 1989-10-13 1991-05-31 Toyota Motor Corp Communication control equipment in vehicle
JPH11334494A (en) * 1998-05-29 1999-12-07 Hino Motors Ltd Vehicular computer communication device
JP2002176430A (en) * 2000-12-06 2002-06-21 Auto Network Gijutsu Kenkyusho:Kk Communication controller for vehicle
JP2004090787A (en) * 2002-08-30 2004-03-25 Mitsubishi Motors Corp Communication error detecting method in bus system communication network
JP2009194497A (en) * 2008-02-13 2009-08-27 Hitachi Ltd Transmission filtering method, and onboard gateway device, and program
JP2010268066A (en) * 2009-05-12 2010-11-25 Hitachi Automotive Systems Ltd Lin communication device and lin communication control method
JP2013038711A (en) * 2011-08-10 2013-02-21 Toyota Motor Corp Vehicle network communication management device

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10382466B2 (en) 2017-03-03 2019-08-13 Hitachi, Ltd. Cooperative cloud-edge vehicle anomaly detection
JP2018203119A (en) * 2017-06-06 2018-12-27 トヨタ自動車株式会社 Steering assist device
US10676086B2 (en) 2017-06-06 2020-06-09 Toyota Jidosha Kabushiki Kaisha Steering assist apparatus
US11518385B2 (en) 2017-06-06 2022-12-06 Toyota Jidosha Kabushiki Kaisha Steering assist apparatus
US11012172B2 (en) 2018-05-15 2021-05-18 Denso Corporation Relay device
CN111492625A (en) * 2018-07-27 2020-08-04 松下电器(美国)知识产权公司 Illegal detection method and illegal detection device
CN111492625B (en) * 2018-07-27 2022-07-01 松下电器(美国)知识产权公司 Illegal detection method and illegal detection device
WO2020162075A1 (en) * 2019-02-08 2020-08-13 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Abnormality determination method, abnormality determination device, and program
CN112889246A (en) * 2019-02-08 2021-06-01 松下电器(美国)知识产权公司 Abnormality determination method, abnormality determination device, and program
US11516045B2 (en) 2019-02-08 2022-11-29 Panasonic Intellectual Property Corporation Of America Anomaly determination method, anomaly determination device, and recording medium
CN112889246B (en) * 2019-02-08 2023-09-22 松下电器(美国)知识产权公司 Abnormality determination method, abnormality determination device, and program
US11843477B2 (en) 2019-02-08 2023-12-12 Panasonic Intellectual Property Corporation Of America Anomaly determination method, anomaly determination device, and recording medium

Also Published As

Publication number Publication date
JP6531011B2 (en) 2019-06-12
JP2017047835A (en) 2017-03-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16841383

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16841383

Country of ref document: EP

Kind code of ref document: A1