WO2017047469A1 - Communication control device and communication system - Google Patents

Communication control device and communication system

Publication number
WO2017047469A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication
data
unit
ecu
communication line
Application number
PCT/JP2016/076308
Inventor
好邦 下村
Original Assignee
株式会社オートネットワーク技術研究所
住友電装株式会社
住友電気工業株式会社
Application filed by 株式会社オートネットワーク技術研究所, 住友電装株式会社, 住友電気工業株式会社

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/023: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40: Bus networks

Definitions

  • The present invention relates to a communication control device and a communication system for controlling communication by a plurality of communication devices connected to a communication line.
  • As a communication system mounted on a vehicle, a system has been proposed in which each of a plurality of ECUs (Electronic Control Units) that control electric devices mounted on the vehicle is connected to one of a plurality of communication lines and the ECUs communicate with each other.
  • ECUs: Electronic Control Units
  • In this communication system, each of the plurality of communication lines is connected to a gateway, and the gateway functions as a communication control device that relays communication between an ECU connected to one communication line and an ECU connected to another communication line.
  • In a communication system in which the gateway relays communication in this way, a large number of ECUs can be mounted, so various control processes that link a plurality of electric devices are realized.
  • A technique for preventing connection of an unauthorized ECU is disclosed in Patent Document 1.
  • The vehicle network monitoring device described in Patent Document 1 is provided with a monitoring in-vehicle control device that detects unauthorized data by monitoring the data communication format defined for operating the communication protocol used in the vehicle network.
  • When the monitoring in-vehicle control device detects unauthorized data that differs from the prescribed communication format, it transmits warning information to each ECU and prohibits the gateway from routing the unauthorized data.
  • The present invention has been made in view of such circumstances, and its object is to provide a communication control device and a communication system that can suppress the influence that a communication device transmitting unauthorized data has on other communication devices.
  • A communication control device according to the present invention controls communication by a plurality of communication devices connected to a communication line and comprises: a receiving unit that receives data from each of the plurality of communication devices via the communication line; a determination unit that determines, based on the data received by the receiving unit, whether or not communication of the communication device that is the transmission source of the data should be prohibited; a specifying unit that, when the determination unit determines that communication of the transmission source communication device should be prohibited, specifies the transmission source communication device from among the plurality of communication devices; and an output unit that outputs a control signal so as to disconnect the connection of the communication line to the communication device specified by the specifying unit.
  • In the present invention, data is received from a communication device via a communication line, and it is determined, based on the received data, whether communication of the communication device that is the transmission source of the data should be prohibited. When it is determined that communication should be prohibited, the transmission source communication device is specified from among the plurality of communication devices, and a control signal for disconnecting the connection of the communication line to the specified communication device is output. Therefore, by performing control so as to exclude from the communication system a communication device whose communication should be prohibited, the influence that a communication device transmitting unauthorized data has on other communication devices can be suppressed.
  • A communication system according to the present invention comprises the communication control device, the plurality of communication devices, and a disconnecting unit that disconnects the connection of the communication line to the communication device specified by the specifying unit when the control signal is output by the output unit.
  • In the present invention, in a system including a plurality of communication devices and a communication control device that controls communication by these communication devices, when a control signal is output by the communication control device, the connection of the communication line to the communication device specified by the communication control device is disconnected. This suppresses the influence that a communication device transmitting unauthorized data has on other communication devices.
  • In the communication system according to the present invention, each of the plurality of communication devices repeatedly transmits data to the receiving unit via the communication line, and the determination unit determines that communication of a communication device should be prohibited when the time interval of the data that the receiving unit receives from that same communication device is less than a predetermined time.
  • In the present invention, whether or not communication of a communication device should be prohibited is determined based on the time interval of the data received from that communication device. Therefore, when one communication device transmits data at short intervals and occupies the communication line, communication of this communication device can be prohibited.
  • In the communication system according to the present invention, identification information is assigned to each of the plurality of communication devices, each of the plurality of communication devices transmits data including its own identification information, and the specifying unit specifies the transmission source communication device based on the identification information included in the data received by the receiving unit.
  • In the present invention, the communication device that transmitted the data is specified based on the identification information assigned in advance to each communication device. Therefore, the communication device that transmitted the data can be identified easily.
  • According to the present invention, it is possible to provide a communication system and a communication control device that, by disconnecting the connection of the communication line to a communication device that transmits unauthorized data, can suppress the influence of that communication device on other communication devices.
  • FIG. 1 is a block diagram showing a configuration of a communication system according to an embodiment.
  • The communication system is mounted on a vehicle.
  • The communication system includes a gateway 2, communication lines 3 and 4, ECUs 31, 32, 33, 41, 42 and 43, and joint connectors 5 and 6.
  • Two communication lines 3 and 4 are connected to the gateway 2.
  • Each of the communication lines 3 and 4 is, for example, a CAN (Controller Area Network) bus used in a vehicle.
  • Each of the ECUs 31 to 33 is connected to the communication line 3 via communication lines 30, 30, ....
  • Each of the ECUs 41 to 43 is connected to the communication line 4 via communication lines 40, 40, ....
  • Each of the ECUs 31 to 33 and 41 to 43 controls an electric device (not shown) mounted on the vehicle, and the ECUs communicate with each other to realize various control processes that interlock a plurality of electric devices.
  • Each of the ECUs 31 to 33 and 41 to 43 functions as a communication device.
  • Each of the ECUs 31 to 33 and the ECUs 41 to 43 is assigned identification information (hereinafter referred to as "ID") in advance. Further, each of the ECUs 31 to 33 and the ECUs 41 to 43 repeatedly transmits data to be communicated, for example every predetermined time, according to a predetermined communication format. The data is given the IDs of the transmission source and the transmission destination. The transmission destination is at least one of the ECUs 31 to 33 and the ECUs 41 to 43.
  • ID: identification information
  • The joint connector 5 connects the communication line 3 and the communication lines 30, 30, ..., and includes switches 51, 52, 53 and a control circuit 54.
  • The switch 51 is provided in the middle of the communication line 30 that connects the ECU 31 and the communication line 3. When the switch 51 is turned on, the ECU 31 is connected to the communication line 3. When the switch 51 is turned off, the connection of the communication line 30 to the ECU 31 is disconnected.
  • The switch 52 is provided in the middle of the communication line 30 that connects the ECU 32 and the communication line 3. When the switch 52 is turned on, the ECU 32 is connected to the communication line 3. When the switch 52 is turned off, the connection of the communication line 30 to the ECU 32 is disconnected.
  • The switch 53 is provided in the middle of the communication line 30 that connects the ECU 33 and the communication line 3. When the switch 53 is turned on, the ECU 33 is connected to the communication line 3. When the switch 53 is turned off, the connection of the communication line 30 to the ECU 33 is disconnected.
  • The control circuit 54 is a circuit that controls the on/off state of each of the switches 51, 52, and 53. In the embodiment, the control circuit 54 always keeps the switches 51 to 53 on. However, as will be described later, when a control signal is given from the gateway 2, it turns off one of the switches 51 to 53 according to the control signal.
  • The joint connector 6 connects the communication line 4 and the communication lines 40, 40, ..., and includes switches 61, 62, 63 and a control circuit 64.
  • The switch 61 is provided in the middle of the communication line 40 that connects the ECU 41 and the communication line 4.
  • The switch 62 is provided in the middle of the communication line 40 that connects the ECU 42 and the communication line 4.
  • The switch 63 is provided in the middle of the communication line 40 that connects the ECU 43 and the communication line 4.
  • The switches 61, 62, and 63 are turned on to connect the ECUs 41, 42, and 43 to the communication line 4, respectively, and are turned off to disconnect the connection of the communication line 40 to the ECUs 41, 42, and 43, respectively.
  • The control circuit 64 is a circuit that controls the on/off state of each of the switches 61, 62, and 63. In the embodiment, the control circuit 64 always keeps the switches 61 to 63 on. However, as will be described later, when a control signal is given from the gateway 2, it turns off one of the switches 61 to 63 according to the control signal.
  • The gateway 2 relays communication between the ECUs 31 to 33 connected to the communication line 3 and the ECUs 41 to 43 connected to the communication line 4.
  • Two communication lines 3 and 4 are connected to the gateway 2, but the number of communication lines is not limited to two and may be set arbitrarily as necessary. Further, the number of ECUs connected to each communication line is not particularly limited and may be set arbitrarily as necessary. Furthermore, one switch may be installed corresponding to one ECU.
  • The gateway 2 includes a control unit 21, communication units 22 and 23, an output unit 24, and a storage unit 25.
  • The control unit 21, the communication units 22 and 23, the output unit 24, and the storage unit 25 are connected to a bus 26.
  • The communication unit 22 is connected to the communication line 3, and the communication unit 23 is connected to the communication line 4.
  • The communication unit 22 receives data from each of the ECUs 31 to 33 via the communication line 3.
  • The communication unit 22 transmits data to the ECUs 31 to 33 via the communication line 3 in accordance with instructions from the control unit 21.
  • The communication unit 23 receives data from each of the ECUs 41 to 43.
  • The communication unit 23 transmits data to the ECUs 41 to 43 via the communication line 4 in accordance with instructions from the control unit 21.
  • The output unit 24 is connected to the control circuit 54 of the joint connector 5 and the control circuit 64 of the joint connector 6. As will be described later, the output unit 24 outputs a control signal for turning off the specified switch to the specified control circuit in accordance with an instruction from the control unit 21.
  • The storage unit 25 is a nonvolatile memory and stores a control program. The storage unit 25 also stores various correspondence tables used in the processing of the control unit 21.
  • FIGS. 2A and 2B are tables showing examples of the first correspondence table and the second correspondence table stored in the storage unit 25.
  • In the first correspondence table, the IDs of the ECUs 31, 32, 33, 41, 42, and 43 are registered. Specifically, IDs 31, 32, and 33 are assigned to ECUs 31, 32, and 33, and IDs 41, 42, and 43 are assigned to ECUs 41, 42, and 43, respectively.
  • In the second correspondence table, the switches connected to the ECUs and the control circuits that control the switches are registered in association with the IDs of the ECUs.
  • IDs 31, 32, and 33 correspond to the switches 51, 52, and 53, respectively, and correspond to the control circuit 54.
  • IDs 41, 42, and 43 correspond to the switches 61, 62, and 63, respectively, and correspond to the control circuit 64.
  • The form and contents of the correspondence tables used for processing are not limited to these, and tables may be stored in advance as necessary.
  • The first correspondence table and the second correspondence table may be stored together as one table.
  • The control unit 21 has a CPU (Central Processing Unit) (not shown), and executes a communication relay process and a communication prohibition process by executing the control program stored in the storage unit 25.
  • CPU: Central Processing Unit
  • The control unit 21 determines the transmission destination from among the ECUs 31 to 33 and the ECUs 41 to 43 based on the transmission destination ID given to the received data and the first correspondence table.
  • Based on the determined transmission destination, the control unit 21 determines, from the communication units 22 and 23, the transmission target that is to transmit the data.
  • The control unit 21 causes the determined transmission target to transmit the received data to the transmission destination.
  • The control unit 21 determines the ECU 41 as the transmission destination based on the transmission destination ID given to the data received by the communication unit 22 and the first correspondence table, and determines the communication unit 23 as the transmission target that is to transmit the data.
  • The control unit 21 causes the communication unit 23 to transmit the data received by the communication unit 22 to the ECU 41.
  • The transmission destination ID need not be assigned to the data frame.
  • Alternatively, the correspondence relationship between the transmission source, the transmission destination, and the transmission target may be stored in the storage unit 25, and the control unit 21 may determine the transmission destination and the transmission target based on the transmission source ID and that correspondence relationship.
  • The control unit 21 determines, based on the received data, whether communication of the ECU that transmitted the data should be prohibited.
  • An example of the determination method will be described.
  • An unauthorized ECU in the communication system repeatedly transmits data at intervals shorter than a predetermined time in order to hinder communication. As a result, the communication line is occupied by such unauthorized data and an excessive load is applied to it.
  • The control unit 21 determines that communication of the unauthorized ECU should be prohibited.
  • The control unit 21 acquires the transmission source ID given to the data from the unauthorized ECU. The data transmission source is thereby specified. Based on the acquired ID and the second correspondence table, the control unit 21 specifies the switch connected to the unauthorized ECU and the control circuit that controls the switch. The control unit 21 causes the output unit 24 to output a control signal to the specified control circuit so that the specified switch is turned off. The specified control circuit then turns off the specified switch in accordance with the control signal. As a result, the connection of the communication line to the unauthorized ECU is disconnected.
  • The control unit 21 determines that the communication of the ECU 33 should be prohibited based on the time interval of the data received by the communication unit 22 from the ECU 33.
  • The control unit 21 outputs, via the output unit 24, a control signal to the control circuit 54 of the joint connector 5 so as to turn off the switch 53 between the ECU 33 and the communication line 3.
  • FIG. 3 is an explanatory diagram of the state of the joint connector 5 when the communication of the ECU 33 is prohibited.
  • The control circuit 54 turns off the switch 53 in response to the control signal from the output unit 24.
  • The switches 51 and 52 are on and the ECUs 31 and 32 are connected to the communication line 3, but the switch 53 is off and the connection of the communication line 30 to the ECU 33 is disconnected.
  • FIG. 4 is a flowchart showing a processing procedure of the control unit 21.
  • The control unit 21 executes the process when the communication unit 22 or 23 receives data.
  • The control unit 21 determines whether or not the time interval of the received data is less than a predetermined time (step S1).
  • When the time interval of the received data is not less than the predetermined time (step S1: NO), the control unit 21 performs a relay process for relaying the data (step S2) and ends the process.
  • When the time interval of the received data is less than the predetermined time (step S1: YES), the control unit 21 acquires the transmission source ID from the received data (step S3) and, based on the acquired ID and the second correspondence table, specifies the switch corresponding to the ID and the control circuit that controls the switch (step S4).
  • The control unit 21 outputs a control signal for turning off the specified switch to the specified control circuit via the output unit 24 (step S5), and ends the process.
  • When it is determined that the communication of the unauthorized ECU should be prohibited, the unauthorized ECU can be excluded from the communication system by disconnecting the connection of the communication line to the unauthorized ECU. Therefore, the influence of the unauthorized ECU on the communication system can be suppressed. For example, even in the case of a DoS attack, the processing load on the gateway 2 does not become high, and the gateway 2 can operate normally and relay data from other ECUs. Further, since only the unauthorized ECU is excluded from the communication system, it is not necessary to cut off communication for the whole of communication line 3 or 4, and data transmitted by the other ECUs connected to the communication lines 3 and 4 is relayed. Because the normally operating ECUs continue to operate in this way, the in-vehicle functions that have to be stopped can be kept to a minimum.
  • The determination method is not limited to this.
  • The determination may be made by an authentication technique using a common key encryption algorithm.
  • An ECU that transmits data generates an authentication code from the data to be transmitted using a common key encryption algorithm, and transmits the data with the authentication code attached.
  • The control unit 21 calculates an authentication code from the received data using the common key encryption algorithm and compares it with the authentication code attached to the data. When the two do not match, the control unit 21 determines that communication of the ECU that transmitted the data should be prohibited.
  • The unauthorized ECU can be excluded from the communication system by identifying the unauthorized ECU and disconnecting the communication line from it. Therefore, the influence that the unauthorized ECU exerts on other ECUs can be suppressed.
  • The ECU that transmitted the data is specified based on the ID assigned in advance to each ECU. Therefore, the unauthorized ECU can be identified easily.
  • The unauthorized ECU can be easily excluded from the communication system by identifying the unauthorized ECU and disconnecting the connection of the communication line to it. Therefore, the influence of the unauthorized ECU on the communication system can be suppressed.
  • 2 Gateway (communication control device); 21 Control unit (determination unit, specifying unit); 22, 23 Communication unit; 24 Output unit; 25 Storage unit; 26 Bus; 3, 30, 4, 40 Communication line; 31, 32, 33, 41, 42, 43 ECU (communication device); 5, 6 Joint connector; 51, 52, 53, 61, 62, 63 Switch (disconnecting unit); 54, 64 Control circuit
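
The processing procedure of steps S1 to S5, together with the second correspondence table (IDs 31 to 33 mapped to switches 51 to 53 and control circuit 54, IDs 41 to 43 to switches 61 to 63 and control circuit 64), can be written out as follows. This C program is an added example, not code from the patent. The 10 ms threshold, the function names, the handling of unknown or already isolated IDs, and the recorded signal that stands in for the output unit 24 are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value: the page only says "a predetermined time". */
#define MIN_INTERVAL_MS 10u

typedef enum {
    GW_RELAY,          /* step S2: forward the frame */
    GW_DISCONNECT,     /* steps S3-S5: switch-off signal was output */
    GW_DROP_UNKNOWN,   /* added handling: source ID not in the table */
    GW_DROP_ISOLATED   /* added handling: ECU was already cut off */
} gw_action_t;

/* One row of the second correspondence table (ID -> switch, control
 * circuit), extended with the per-ECU timing state the check needs. */
typedef struct {
    uint8_t  ecu_id, sw, control_circuit;
    bool     seen, isolated;
    uint32_t last_rx_ms;
} ecu_entry_t;

static ecu_entry_t ecu_table[] = {
    {31, 51, 54, false, false, 0}, {32, 52, 54, false, false, 0},
    {33, 53, 54, false, false, 0}, {41, 61, 64, false, false, 0},
    {42, 62, 64, false, false, 0}, {43, 63, 64, false, false, 0},
};
#define ECU_COUNT (sizeof ecu_table / sizeof ecu_table[0])

/* Stand-in for output unit 24: records the last control signal. */
typedef struct { uint8_t control_circuit, sw; unsigned count; } ctrl_out_t;
static ctrl_out_t ctrl_out;

static void output_switch_off(uint8_t control_circuit, uint8_t sw)
{
    ctrl_out.control_circuit = control_circuit;
    ctrl_out.sw = sw;
    ctrl_out.count++;
}

void gw_reset(void)
{
    for (size_t i = 0; i < ECU_COUNT; i++) {
        ecu_table[i].seen = ecu_table[i].isolated = false;
        ecu_table[i].last_rx_ms = 0;
    }
    ctrl_out = (ctrl_out_t){0, 0, 0};
}

static ecu_entry_t *lookup(uint8_t id)
{
    for (size_t i = 0; i < ECU_COUNT; i++)
        if (ecu_table[i].ecu_id == id)
            return &ecu_table[i];
    return NULL;
}

/* Called for every received frame; now_ms is a free-running ms tick. */
gw_action_t gw_on_frame(uint8_t src_id, uint32_t now_ms)
{
    /* The interval is measured per source, so the ID is read first. */
    ecu_entry_t *e = lookup(src_id);
    if (e == NULL)
        return GW_DROP_UNKNOWN;
    if (e->isolated)
        return GW_DROP_ISOLATED;

    /* Step S1. Unsigned subtraction stays correct across tick wrap-around;
     * the first frame from an ECU has no interval and is never flagged. */
    bool too_fast = e->seen &&
                    (uint32_t)(now_ms - e->last_rx_ms) < MIN_INTERVAL_MS;
    e->seen = true;
    e->last_rx_ms = now_ms;
    if (!too_fast)
        return GW_RELAY;                           /* S1: NO -> S2 */

    output_switch_off(e->control_circuit, e->sw);  /* S3, S4, S5 */
    e->isolated = true;
    return GW_DISCONNECT;
}

uint8_t  gw_last_switch(void)  { return ctrl_out.sw; }
uint8_t  gw_last_circuit(void) { return ctrl_out.control_circuit; }
unsigned gw_signal_count(void) { return ctrl_out.count; }

int main(void)
{
    /* Constructed trace: {source ID, receive time in ms}. */
    static const struct { uint8_t id; uint32_t t; } trace[] = {
        {31, 0}, {33, 50}, {33, 52}, {33, 53}, {31, 100}, {99, 120},
        {41, 0xFFFFFFFAu}, {41, 100}, {41, 102},
    };
    static const char *name[] = {"relay", "disconnect", "drop-unknown",
                                 "drop-isolated"};
    gw_reset();
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        gw_action_t a = gw_on_frame(trace[i].id, trace[i].t);
        printf("id=%u t=%lu -> %s\n", (unsigned)trace[i].id,
               (unsigned long)trace[i].t, name[a]);
    }
    return 0;
}
```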

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Mechanical Engineering
  • Small-Scale Networks

Abstract

Provided are a communication control device and a communication system that can suppress the impact that communication devices transmitting invalid data have on other communication devices. The communication control device controls communication by a plurality of ECUs (31, 32, 33, 41, 42, 43) connected to communication lines (3, 4). The communication control device comprises: a communication unit (22, 23) that receives data from each of the plurality of ECUs (31, 32, 33, 41, 42, 43) via the communication lines (3, 4); a control unit (21) that determines, on the basis of received data, whether or not the communication with the ECU that sent said data should be prohibited, and if it is determined that the communication should be prohibited, identifies the ECU that transmitted said data from among the plurality of ECUs (31, 32, 33, 41, 42, 43); and an output unit (24) that outputs a control signal so as to disconnect the communication line to the identified ECU.

Description

通信制御装置及び通信システムCommunication control device and communication system
 本発明は、通信線に接続されている複数の通信装置による通信を制御する通信制御装置及び通信システムに関する。 The present invention relates to a communication control device and a communication system for controlling communication by a plurality of communication devices connected to a communication line.
 車両に搭載される通信システムとして、車両に搭載された電気機器を制御する複数のECU(Electronic Control Unit)夫々が、複数の通信線中の1つに接続され、互いに通信する通信システムが提案されている。この通信システムでは、複数の通信線夫々はゲートウェイに接続されており、ゲートウェイは、一の通信線に接続されているECUと、他の通信線に接続されているECUとの間の通信を中継する通信制御装置として機能する。このようにゲートウェイが通信を中継する通信システムでは、搭載することが可能なECUの数が多いため、複数の電気機器を連動させる多様な制御処理が実現される。 As a communication system mounted on a vehicle, there has been proposed a communication system in which a plurality of ECUs (Electronic Control Units) for controlling electric devices mounted on a vehicle are connected to one of a plurality of communication lines and communicate with each other. ing. In this communication system, each of a plurality of communication lines is connected to a gateway, and the gateway relays communication between an ECU connected to one communication line and an ECU connected to another communication line. Functions as a communication control device. Thus, in the communication system in which the gateway relays communication, since there are a large number of ECUs that can be mounted, various control processes for linking a plurality of electric devices are realized.
 また、ゲートウェイを備える通信システムの中には、セキュリティーを確保するために、不正ECUからの不正なアクセスを検知して、不正ECUと他のECUとの通信を防止する必要がある。不正ECUの接続を防止する技術が特許文献1に開示されている。特許文献1に記載の車両ネットワーク監視装置には、同車両ネットワークで用いられる通信プロトコルを運用する上で規定されたデータの通信形式の監視を通じて不正データを検知する監視用の車載制御装置が設けられている。監視用の車載制御装置は、規定された通信形式と異なる不正データを検知したとき、各ECUに警告情報を送信する処理を行うとともに、ゲートウェイによる不正データのルーティングを禁止させる処理を行う。 Also, in a communication system including a gateway, in order to ensure security, it is necessary to detect unauthorized access from an unauthorized ECU and prevent communication between the unauthorized ECU and another ECU. A technique for preventing connection of an unauthorized ECU is disclosed in Patent Document 1. The vehicle network monitoring device described in Patent Document 1 is provided with a vehicle-mounted control device for monitoring that detects illegal data through monitoring of a data communication format defined in operating a communication protocol used in the vehicle network. ing. The monitoring in-vehicle control device performs processing for transmitting warning information to each ECU and processing for prohibiting routing of unauthorized data by the gateway when detecting unauthorized data different from the prescribed communication format.
特開2013-131907号公報JP 2013-131907 A
 しかし、特許文献1に記載の車両ネットワーク監視装置では、不正ECUを検知した場合、ゲートウェイによる不正データの中継を禁止させることに過ぎず、不正ECUから通信線への送信が停止しないため、通信システムへの影響が解消されない。例えば、DoS(Denial of Service)攻撃のような場合、不正ECUにより通信線を継続的にドミナント状態にしたり、優先度の高い不正データを連続送信したりすることで、通信線に過剰な負荷がかかる。このため、その通信線に接続された他のECUが送信できず、ゲートウェイの処理負荷が高まり、正しく動作できない虞がある。 However, in the vehicle network monitoring device described in Patent Document 1, when the unauthorized ECU is detected, the relay of unauthorized data by the gateway is merely prohibited, and transmission from the unauthorized ECU to the communication line does not stop. The influence on the is not resolved. For example, in the case of a DoS (Denial of Service) attack, an excessive load is imposed on the communication line by continuously setting the communication line to a dominant state by the unauthorized ECU or continuously transmitting high-priority unauthorized data. Take it. For this reason, other ECUs connected to the communication line cannot transmit, and there is a possibility that the processing load of the gateway increases and the gateway cannot operate correctly.
 本発明は斯かる事情に鑑みてなされたものであり、その目的とするところは、不正データを送信する通信装置が他の通信装置に及ぼす影響を抑えることができる通信制御装置及び通信システムを提供することにある。 The present invention has been made in view of such circumstances, and an object of the present invention is to provide a communication control device and a communication system that can suppress the influence of a communication device that transmits illegal data on other communication devices. There is to do.
 本発明に係る通信制御装置は、通信線に接続される複数の通信装置による通信を制御する通信制御装置において、前記複数の通信装置夫々から前記通信線を介してデータを受信する受信部と、該受信部により受信されたデータに基づいて、該データの送信元の通信装置の通信が禁止されるべきか否かを判定する判定部と、該判定部により前記送信元の通信装置の通信が禁止されるべきと判定された場合、前記複数の通信装置の中から、前記送信元の通信装置を特定する特定部と、該特定部により特定された通信装置に対する通信線の接続を切断するように制御信号を出力する出力部とを備えることを特徴とする。 A communication control device according to the present invention, in a communication control device that controls communication by a plurality of communication devices connected to a communication line, a receiving unit that receives data from each of the plurality of communication devices via the communication line; Based on the data received by the receiving unit, a determination unit that determines whether or not communication of the communication device that is the transmission source of the data should be prohibited, and communication of the transmission source communication device by the determination unit When it is determined to be prohibited, a specifying unit for specifying the transmission source communication device from among the plurality of communication devices and a communication line connection to the communication device specified by the specifying unit are disconnected. And an output unit for outputting a control signal.
 In the present invention, data is received from a communication device via the communication line, and it is determined, based on the received data, whether communication by the communication device that transmitted the data should be prohibited. When it is determined that communication should be prohibited, the source communication device is identified from among the plurality of communication devices, and a control signal for disconnecting the communication line from the identified communication device is output. By controlling the system in this way so that a communication device whose communication should be prohibited is excluded from the communication system, the influence that a communication device transmitting unauthorized data has on the other communication devices can be suppressed.
 A communication system according to the present invention includes the communication control device, the plurality of communication devices, and a disconnecting unit that disconnects the communication line from the communication device identified by the identifying unit when the output unit outputs a control signal.
 In the present invention, in a system including a plurality of communication devices and a communication control device that controls communication by those devices, when the communication control device outputs a control signal, the communication line to the communication device identified by the communication control device is disconnected. This suppresses the influence that a communication device transmitting unauthorized data has on the other communication devices.
 In the communication system according to the present invention, each of the plurality of communication devices repeatedly transmits data to the receiving unit via the communication line, and the determination unit determines that communication by a communication device should be prohibited when the time interval between data items that the receiving unit has received from that same communication device is less than a predetermined time.
 In the present invention, whether communication by a communication device should be prohibited is determined based on the time interval between data items received from that communication device. Therefore, when one communication device transmits data at short intervals and occupies the communication line, communication by that communication device can be prohibited.
 In the communication system according to the present invention, identification information is assigned to each of the plurality of communication devices, each of the plurality of communication devices transmits data that includes its own identification information, and the identifying unit identifies the source communication device based on the identification information included in the data received by the receiving unit.
 In the present invention, the communication device that transmitted the data is identified based on the identification information assigned in advance to each communication device. Therefore, the transmitting communication device can be identified easily.
 According to the present invention, it is possible to provide a communication system and a communication control device that, by disconnecting the communication line from a communication device that transmits unauthorized data, can suppress the influence of that communication device on the other communication devices.
A block diagram showing the configuration of the communication system according to the embodiment.
A table showing an example of the first correspondence table stored in the storage unit.
A table showing an example of the second correspondence table stored in the storage unit.
An explanatory diagram of the state of the joint connector when communication by an ECU is prohibited.
A flowchart showing the processing procedure of the control unit.
 Hereinafter, the present invention will be described specifically with reference to the drawings showing an embodiment thereof.
 FIG. 1 is a block diagram showing the configuration of a communication system according to the embodiment. The communication system is mounted on a vehicle. The communication system includes a gateway 2, communication lines 3 and 4, ECUs 31, 32, 33, 41, 42 and 43, and joint connectors 5 and 6.
 Two communication lines 3 and 4 are connected to the gateway 2. Each of the communication lines 3 and 4 is, for example, a CAN (Controller Area Network) bus as used in vehicles. The ECUs 31 to 33 are each connected to the communication line 3 via communication lines 30, 30, .... The ECUs 41 to 43 are each connected to the communication line 4 via communication lines 40, 40, ....
 Each of the ECUs 31 to 33 and 41 to 43 controls an electric device (not shown) mounted on the vehicle, and the ECUs communicate with one another to realize various control processes in which a plurality of electric devices operate in conjunction. Each of the ECUs 31 to 33 and 41 to 43 functions as a communication device.
 Identification information (hereinafter referred to as an ID) is assigned in advance to each of the ECUs 31 to 33 and the ECUs 41 to 43. Each of the ECUs 31 to 33 and the ECUs 41 to 43 repeatedly transmits the data to be communicated at predetermined time intervals, for example in accordance with a predetermined communication format. The IDs of the transmission source and the transmission destination are attached to the data. The transmission destination is at least one of the ECUs 31 to 33 and the ECUs 41 to 43.
 The joint connector 5 connects the communication line 3 and the communication lines 30, 30, ..., and has switches 51, 52 and 53 and a control circuit 54.
 The switch 51 is provided partway along the communication line 30 that connects the ECU 31 and the communication line 3. When the switch 51 is turned on, the ECU 31 is connected to the communication line 3. When the switch 51 is turned off, the connection of the communication line 30 to the ECU 31 is disconnected.
 The switch 52 is provided partway along the communication line 30 that connects the ECU 32 and the communication line 3. When the switch 52 is turned on, the ECU 32 is connected to the communication line 3. When the switch 52 is turned off, the connection of the communication line 30 to the ECU 32 is disconnected.
 The switch 53 is provided partway along the communication line 30 that connects the ECU 33 and the communication line 3. When the switch 53 is turned on, the ECU 33 is connected to the communication line 3. When the switch 53 is turned off, the connection of the communication line 30 to the ECU 33 is disconnected.
 The control circuit 54 is a circuit that controls the on/off state of each of the switches 51, 52 and 53. In the embodiment, the control circuit 54 normally keeps the switches 51 to 53 on, but, as described later, when a control signal is given from the gateway 2, it turns off one of the switches 51 to 53 in accordance with the control signal.
 The joint connector 6 connects the communication line 4 and the communication lines 40, 40, ..., and has switches 61, 62 and 63 and a control circuit 64.
 The switch 61 is provided partway along the communication line 40 that connects the ECU 41 and the communication line 4. The switch 62 is provided partway along the communication line 40 that connects the ECU 42 and the communication line 4. The switch 63 is provided partway along the communication line 40 that connects the ECU 43 and the communication line 4.
 Like the switches 51, 52 and 53, the switches 61, 62 and 63 connect the ECUs 41, 42 and 43, respectively, to the communication line 4 when turned on, and disconnect the connection of the communication line 40 to the ECUs 41, 42 and 43, respectively, when turned off.
 The control circuit 64 is a circuit that controls the on/off state of each of the switches 61, 62 and 63. In the embodiment, the control circuit 64 normally keeps the switches 61 to 63 on, but, as described later, when a control signal is given from the gateway 2, it turns off one of the switches 61 to 63 in accordance with the control signal.
 The gateway 2 relays communication between the ECUs 31 to 33 connected to the communication line 3 and the ECUs 41 to 43 connected to the communication line 4. In the embodiment, two communication lines 3 and 4 are connected to the gateway 2, but the number of communication lines is not limited to two and may be set as needed. The number of ECUs connected to each communication line is also not particularly limited and may be set as needed. One switch is installed for each ECU.
 The gateway 2 has a control unit 21, communication units 22 and 23, an output unit 24, and a storage unit 25. The control unit 21, the communication units 22 and 23, the output unit 24, and the storage unit 25 are connected to a bus 26.
 The communication unit 22 is connected to the communication line 3, and the communication unit 23 is connected to the communication line 4. The communication unit 22 receives data from each of the ECUs 31 to 33 via the communication line 3. In accordance with instructions from the control unit 21, the communication unit 22 transmits data to the ECUs 31 to 33 via the communication line 3.
 The communication unit 23 receives data from each of the ECUs 41 to 43. In accordance with instructions from the control unit 21, the communication unit 23 transmits data to the ECUs 41 to 43 via the communication line 4.
 The output unit 24 is connected to the control circuit 54 of the joint connector 5 and to the control circuit 64 of the joint connector 6. As described later, in accordance with instructions from the control unit 21, the output unit 24 outputs to the identified control circuit a control signal for turning off the identified switch.
 The storage unit 25 is a nonvolatile memory in which a control program is stored. The storage unit 25 also stores the various correspondence tables used in the processing of the control unit 21.
 FIGS. 2A and 2B are tables showing examples of the first correspondence table and the second correspondence table stored in the storage unit 25. As shown in FIG. 2A, the IDs of the ECUs 31, 32, 33, 41, 42 and 43 are registered in the first correspondence table. Specifically, IDs 31, 32 and 33 are assigned to the ECUs 31, 32 and 33, respectively, and IDs 41, 42 and 43 are assigned to the ECUs 41, 42 and 43, respectively.
 As shown in FIG. 2B, the second correspondence table registers, in association with the ID of each ECU, the switch connected to that ECU and the control circuit that controls the switch. Specifically, IDs 31, 32 and 33 correspond to the switches 51, 52 and 53, respectively, and to the control circuit 54. IDs 41, 42 and 43 correspond to the switches 61, 62 and 63, respectively, and to the control circuit 64.
 The form and contents of the correspondence tables used for processing are not limited to these, and the tables may be stored in advance as needed. For example, the first correspondence table and the second correspondence table may be combined and stored as a single table.
 The control unit 21 has a CPU (Central Processing Unit), not shown, and performs communication relay processing and communication prohibition processing by executing the control program stored in the storage unit 25.
 In the relay processing, when data is received, the control unit 21 determines the transmission destination from among the ECUs 31 to 33 and the ECUs 41 to 43 based on the destination ID attached to the received data and on the first correspondence table. Based on the determined transmission destination, the control unit 21 determines which of the communication units 22 and 23 is to transmit the data. The control unit 21 causes the communication unit so determined to transmit the received data to the transmission destination.
 For example, when the communication unit 22 receives data to be transmitted from the ECU 31 to the ECU 41, the control unit 21 determines the ECU 41 as the transmission destination based on the destination ID attached to the data received by the communication unit 22 and on the first correspondence table, and determines the communication unit 23 as the unit that is to transmit the data. The control unit 21 causes the communication unit 23 to transmit the data received by the communication unit 22 to the ECU 41. Note that the destination ID need not be attached to the data frame. In that case, the correspondence among the transmission source, the transmission destination and the transmitting communication unit may be stored in the storage unit 25, and the control unit 21 may determine the transmission destination and the transmitting communication unit based on the source ID and that correspondence.
 In the prohibition processing, when the communication unit 22 or 23 receives data, the control unit 21 determines, based on the received data, whether communication by the ECU that transmitted the data should be prohibited. An example of the determination method is described below.
 As described above, an ECU that operates normally repeatedly transmits data at predetermined time intervals. An unauthorized ECU in the communication system, however, repeatedly transmits data at intervals shorter than the predetermined time in order to disrupt communication. As a result, the communication line is occupied by this unauthorized data and is placed under excessive load.
 When data from an unauthorized ECU is relayed by the gateway 2, the time interval between the data items that the communication units 22 and 23 receive from the unauthorized ECU is less than the predetermined time. The control unit 21 therefore determines that communication by the unauthorized ECU should be prohibited.
 The control unit 21 acquires the source ID attached to the data from the unauthorized ECU. The source of the data is thereby identified. Based on the acquired ID and the second correspondence table, the control unit 21 identifies the switch connected to the unauthorized ECU and the control circuit that controls that switch. The control unit 21 causes the output unit 24 to output a control signal to the identified control circuit so that the identified switch is turned off. The identified control circuit then turns off the identified switch in accordance with the control signal. As a result, the connection of the communication line to the unauthorized ECU is disconnected.
 For example, when the ECU 33 is an unauthorized ECU, the control unit 21 determines that communication by the ECU 33 should be prohibited based on the time interval between the data items that the communication unit 22 receives from the ECU 33. The control unit 21 outputs, via the output unit 24, a control signal to the control circuit 54 of the joint connector 5 so that the switch 53 between the ECU 33 and the communication line 3 is turned off.
 FIG. 3 is an explanatory diagram of the state of the joint connector 5 when communication by the ECU 33 is prohibited. The control circuit 54 turns off the switch 53 in accordance with the control signal from the output unit 24. At this time, as shown in FIG. 3, the switches 51 and 52 are on and the ECUs 31 and 32 are connected to the communication line 3, whereas the switch 53 is off and the connection of the communication line 30 to the ECU 33 is disconnected.
 FIG. 4 is a flowchart showing the processing procedure of the control unit 21. The control unit 21 executes the processing when the communication unit 22 or 23 receives data.
 The control unit 21 determines whether the time interval of the received data is less than the predetermined time (step S1).
 When the time interval of the received data is not less than the predetermined time (step S1: NO), the control unit 21 performs the relay processing that relays the data (step S2) and ends the processing.
 When the time interval of the received data is less than the predetermined time (step S1: YES), the control unit 21 acquires the source ID from the received data (step S3) and, based on the acquired ID and the second correspondence table, identifies the switch corresponding to that ID and the control circuit that controls the switch (step S4).
 The control unit 21 outputs, via the output unit 24, a control signal for turning off the identified switch to the identified control circuit (step S5) and ends the processing.
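The flow of steps S1 to S5 as an added example in C, which is not part of the patent text: the ID, communication line, switch and control circuit values follow the description of FIGS. 1, 2A and 2B, while the 10 ms threshold, all type and function names, and the handling of unregistered or already disconnected IDs are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed threshold; the page only says "a predetermined time". */
#define MIN_INTERVAL_MS 10u

enum action { ACT_RELAY, ACT_DISCONNECT, ACT_DROP };

/* First and second correspondence tables merged into one row per ECU. */
struct ecu_entry {
    uint8_t id;        /* ID assigned to the ECU (FIG. 2A) */
    uint8_t line;      /* communication line the ECU sits on: 3 or 4 */
    uint8_t sw;        /* switch in front of the ECU (FIG. 2B) */
    uint8_t circuit;   /* control circuit driving that switch (FIG. 2B) */
    int seen;          /* at least one frame received from this ID */
    int cut;           /* control signal already issued for this ID */
    uint32_t last_ms;  /* arrival time of the previous frame */
};

static struct ecu_entry ecus[] = {
    {31, 3, 51, 54, 0, 0, 0}, {32, 3, 52, 54, 0, 0, 0}, {33, 3, 53, 54, 0, 0, 0},
    {41, 4, 61, 64, 0, 0, 0}, {42, 4, 62, 64, 0, 0, 0}, {43, 4, 63, 64, 0, 0, 0},
};
#define N_ECUS (sizeof ecus / sizeof ecus[0])

struct decision {
    enum action act;
    uint8_t out_line;  /* ACT_RELAY: line to forward the frame on */
    uint8_t sw;        /* ACT_DISCONNECT: switch to turn off */
    uint8_t circuit;   /* ACT_DISCONNECT: control circuit to signal */
};

static struct ecu_entry *lookup(uint8_t id)
{
    for (size_t i = 0; i < N_ECUS; i++)
        if (ecus[i].id == id)
            return &ecus[i];
    return NULL;
}

/* Clears the per-ECU timing state (all switches considered on again). */
void gateway_reset(void)
{
    for (size_t i = 0; i < N_ECUS; i++) {
        ecus[i].seen = 0;
        ecus[i].cut = 0;
        ecus[i].last_ms = 0;
    }
}

/* Called once per received frame with the source and destination IDs it carries. */
struct decision gateway_on_frame(uint32_t now_ms, uint8_t src_id, uint8_t dst_id)
{
    struct decision d = { ACT_DROP, 0, 0, 0 };
    struct ecu_entry *src = lookup(src_id);
    struct ecu_entry *dst = lookup(dst_id);

    /* Assumption: frames with an unregistered source ID, or from an ID whose
       switch is already off, are dropped. The page does not cover these cases. */
    if (src == NULL || src->cut)
        return d;

    /* S1: interval since the previous frame from the same ID. Unsigned
       subtraction stays correct when the millisecond counter wraps. */
    int too_fast = src->seen && (uint32_t)(now_ms - src->last_ms) < MIN_INTERVAL_MS;
    src->seen = 1;
    src->last_ms = now_ms;

    if (too_fast) {
        /* S3 to S5: source ID -> switch and control circuit -> control signal. */
        src->cut = 1;
        d.act = ACT_DISCONNECT;
        d.sw = src->sw;
        d.circuit = src->circuit;
        return d;
    }

    /* S2: relay toward the line of the destination ECU. */
    if (dst != NULL) {
        d.act = ACT_RELAY;
        d.out_line = dst->line;
    }
    return d;
}

int main(void)
{
    /* Constructed trace: {arrival ms, source ID, destination ID}. */
    static const uint32_t trace[][3] = {
        {0, 31, 41}, {100, 33, 42}, {100, 31, 41}, {103, 33, 42}, {200, 31, 41},
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        struct decision d = gateway_on_frame(trace[i][0], (uint8_t)trace[i][1],
                                             (uint8_t)trace[i][2]);
        if (d.act == ACT_DISCONNECT)
            printf("t=%u id=%u: turn off switch %u via control circuit %u\n",
                   (unsigned)trace[i][0], (unsigned)trace[i][1],
                   (unsigned)d.sw, (unsigned)d.circuit);
        else
            printf("t=%u id=%u: %s\n", (unsigned)trace[i][0],
                   (unsigned)trace[i][1], d.act == ACT_RELAY ? "relay" : "drop");
    }
    return 0;
}
```

The source ID is read from the frame itself, as in step S3, so the decision is only as reliable as that field; the authentication-code variant mentioned in the description addresses the same determination by a different check.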
 In the embodiment, when it is determined that communication by an unauthorized ECU should be prohibited, the unauthorized ECU can be excluded from the communication system by disconnecting the communication line from the unauthorized ECU. The influence of the unauthorized ECU on the communication system can therefore be suppressed. For example, even in a case such as a DoS attack, the processing load on the gateway 2 does not become high, and the gateway 2 can operate normally and relay data from the other ECUs. In addition, because only the unauthorized ECU is excluded from the communication system, communication does not have to be cut off for an entire communication line 3 or 4, and data transmitted by the other ECUs connected to the communication lines 3 and 4 is still relayed. Because the ECUs that are operating normally thus continue to operate, the in-vehicle functions that stop can be kept to a minimum.
 In the embodiment, an example has been described in which whether communication by an ECU should be prohibited is determined based on the time interval of the received data, but the determination method is not limited to this. For example, the determination may be made by an authentication technique that uses a common key encryption algorithm. For example, an ECU that transmits data uses the common key encryption algorithm to generate an authentication code from the data to be transmitted, attaches the authentication code to the data, and transmits it. When the communication unit 22 or 23 receives the data, the control unit 21 uses the common key encryption algorithm to calculate an authentication code from the received data and compares it with the authentication code attached to the data. When the two do not match, the control unit 21 determines that communication by the ECU that transmitted the data should be prohibited.
 In the embodiment described above, an unauthorized ECU can be excluded from the communication system by identifying the unauthorized ECU and disconnecting the communication line from it. The influence of the unauthorized ECU on the other ECUs can therefore be suppressed.
 Whether communication by an ECU should be prohibited is determined based on the time interval of the received data. Whether the transmitting ECU is an unauthorized ECU can therefore be judged easily, and communication by the unauthorized ECU can be prohibited.
 The transmitting ECU is identified based on the ID assigned in advance to each ECU. The unauthorized ECU can therefore be identified easily.
 Furthermore, by identifying the unauthorized ECU and disconnecting the communication line from it, the unauthorized ECU can be excluded from the communication system easily. The influence of the unauthorized ECU on the communication system can therefore be suppressed.
 The embodiment disclosed here is to be considered illustrative in all respects and not restrictive. The scope of the present invention is indicated not by the meaning described above but by the claims, and is intended to include all modifications within the meaning and scope equivalent to the claims.
2 Gateway (communication control device)
21 Control unit (determination unit, identifying unit)
22, 23 Communication unit
24 Output unit
25 Storage unit
26 Bus
3, 30, 4, 40 Communication line
31, 32, 33, 41, 42, 43 ECU (communication device)
5, 6 Joint connector
51, 52, 53, 61, 62, 63 Switch (disconnecting unit)
54, 64 Control circuit

Claims (4)

  1.  A communication control device that controls communication by a plurality of communication devices connected to a communication line, the communication control device comprising:
     a receiving unit that receives data from each of the plurality of communication devices via the communication line;
     a determination unit that determines, based on the data received by the receiving unit, whether communication by the communication device that transmitted the data should be prohibited;
     an identifying unit that, when the determination unit determines that communication by the source communication device should be prohibited, identifies the source communication device from among the plurality of communication devices; and
     an output unit that outputs a control signal for disconnecting the communication line from the communication device identified by the identifying unit.
  2.  A communication system comprising:
     the communication control device according to claim 1;
     the plurality of communication devices; and
     a disconnecting unit that disconnects the communication line from the communication device identified by the identifying unit when the control signal is output by the output unit.
  3.  The communication system according to claim 2, wherein
     each of the plurality of communication devices repeatedly transmits data to the receiving unit via the communication line, and
     the determination unit determines that communication by a communication device should be prohibited when the time interval between the data items that the receiving unit has received from that same communication device is less than a predetermined time.
  4.  The communication system according to claim 2 or claim 3, wherein
     identification information is assigned to each of the plurality of communication devices,
     each of the plurality of communication devices transmits data including its own identification information, and
     the identifying unit identifies the source communication device based on the identification information included in the data received by the receiving unit.
PCT/JP2016/076308 2015-09-17 2016-09-07 Communication control device and communication system WO2017047469A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015-184498 2015-09-17
JP2015184498A JP2017060057A (en) 2015-09-17 2015-09-17 Communication control device and communication system

Publications (1)

Publication Number Publication Date
WO2017047469A1 true WO2017047469A1 (en) 2017-03-23

Family

ID=58289175

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/076308 WO2017047469A1 (en) 2015-09-17 2016-09-07 Communication control device and communication system

Country Status (2)

Country Link
JP (1) JP2017060057A (en)
WO (1) WO2017047469A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109017196B (en) * 2018-08-13 2021-04-02 盐城工学院 Automatic leveling device for vehicle body
JP7409247B2 (en) 2020-07-14 2024-01-09 株式会社デンソー Unauthorized intrusion prevention device, unauthorized intrusion prevention method, and unauthorized intrusion prevention program

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS6424651A (en) * 1987-07-21 1989-01-26 Nec Corp Faulty location detecting system for network system
JPH01208932A (en) * 1988-02-17 1989-08-22 Hitachi Ltd Safety protection system for local area network
JPH0522301A (en) * 1991-07-10 1993-01-29 Nec Eng Ltd Communication control system
JP2008059448A (en) * 2006-09-01 2008-03-13 Hitachi Ltd Bus system and bus system control method
JP2009171310A (en) * 2008-01-17 2009-07-30 Fujitsu Ten Ltd Communication apparatus, and fault determination method in communication apparatus
JP2016129314A (en) * 2015-01-09 2016-07-14 トヨタ自動車株式会社 On-vehicle network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021152900A1 (en) * 2020-01-28 2021-08-05 住友電気工業株式会社 Detection device, management device, detection method, and detection program
JP7480790B2 (en) 2020-01-28 2024-05-10 住友電気工業株式会社 DETECTION APPARATUS, MANAGEMENT APPARATUS, DETECTION METHOD, AND DETECTION PROGRAM

Also Published As

Publication number Publication date
JP2017060057A (en) 2017-03-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16846340

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16846340

Country of ref document: EP

Kind code of ref document: A1