WO2019142474A1 - Data analysis device and program - Google Patents

Publication number
WO2019142474A1
Authority
WO
WIPO (PCT)
Prior art keywords
vehicle
data
level
abnormality
data analysis
Application number
PCT/JP2018/042234
Inventor
崇光 佐々木
松島 秀樹
Original Assignee
パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ
Priority claimed from JP2018161576A (JP2019129528A)
Application filed by パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ
Publication of WO2019142474A1

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R25/00 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/10 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles actuating a signalling device
    • B60R25/102 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles actuating a signalling device a signal being sent to a remote location, e.g. a radio signal being transmitted to a police station, a security company or the owner
    • B60R25/30 Detection related to theft or to other events relevant to anti-theft systems
    • B60R25/32 Detection related to theft or to other events relevant to anti-theft systems of vehicle dynamic parameters, e.g. speed or acceleration
    • G PHYSICS
    • G08 SIGNALLING
    • G08G TRAFFIC CONTROL SYSTEMS
    • G08G1/00 Traffic control systems for road vehicles
    • G08G1/09 Arrangements for giving variable traffic instructions

Definitions

  • the present invention relates to security technology against cyber attacks on vehicles equipped with in-vehicle networks.
  • the present invention provides a data analysis device that can detect advanced attacks with higher accuracy.
  • a data analysis apparatus includes: a data acquisition unit that acquires, from each of a plurality of vehicles equipped with an in-vehicle network, data indicating an abnormality level based on the probability of occurrence of a cyber attack on the vehicle;
  • a data analysis unit that takes statistics of the abnormality level indicated by the data for each group into which the vehicles are classified based on a predetermined condition; a determination unit that, when the abnormality level of a first vehicle, which is one of the plurality of vehicles, is less than a predetermined height and, in the statistics of the group into which the first vehicle is classified, the number of cases indicating an abnormality level equal to or higher than the predetermined height is equal to or higher than a predetermined reference, determines that the abnormality level of the first vehicle is to be changed to a correction level higher than the predetermined height; and an information transmitting unit that, when the determination unit determines that the abnormality level of the first vehicle is to be changed to the correction level, transmits to the first vehicle an instruction to recognize the correction level as the abnormality level in the in-vehicle network of the first vehicle.
  • the data analysis apparatus can detect even advanced attacks with higher accuracy.
  • FIG. 1 is a diagram for explaining an outline of a network security system including a data analysis apparatus according to the first embodiment.
  • FIG. 2 is a view showing a configuration example of an in-vehicle network in the network security system shown in FIG.
  • FIG. 3 is a block diagram showing an example of a functional configuration of the above-mentioned in-vehicle network.
  • FIG. 4 is a block diagram showing an example of the functional configuration of the data analysis server shown in FIG.
  • FIG. 5 is a view showing an example of a data structure of vehicle data provided from the vehicle shown in FIG. 1 to the data analysis server.
  • FIG. 6 is a diagram showing another example of the data structure of vehicle data indicating the traveling state of the vehicle described above.
  • FIG. 7 is a view showing an example of the data structure of the external data provided from the traffic infrastructure system shown in FIG. 1 to the data analysis server.
  • FIG. 8 is a flow chart showing an example of the procedure of processing by the data analysis server in the first embodiment.
  • FIG. 9 is a sequence diagram when it is determined in the first embodiment that an abnormality has occurred in a vehicle.
  • FIG. 10 is a sequence diagram in the case where it is determined in the first embodiment that an abnormality has occurred in the traffic infrastructure system.
  • FIG. 11 is a flowchart showing an example of a procedure of processing by the vehicle data analysis device in the first embodiment.
  • FIG. 12 is a flow chart showing an example of the procedure of processing by the traffic infrastructure system in the first embodiment.
  • FIG. 13A is a flowchart showing one specific example of the procedure of the process by the data analysis server in the first embodiment.
  • FIG. 13B is a flowchart showing one specific example of the procedure of the process by the data analysis server in the first embodiment.
  • FIG. 13C is a flowchart showing one specific example of the procedure of the process by the data analysis server in the first embodiment.
  • FIG. 13D is a flowchart showing one specific example of the procedure of the process by the data analysis server in the first embodiment.
  • FIG. 13E is a flowchart showing one specific example of the procedure of the process by the data analysis server in the first embodiment.
  • FIG. 13F is a flowchart showing one specific example of the procedure of the process by the data analysis server in the first embodiment.
  • FIG. 14 is a flowchart showing an example of a procedure of processing by a vehicle data analysis device provided in each vehicle in the second embodiment.
  • FIG. 15 is a diagram showing an example of a data structure as a result of analysis of vehicle data executed to determine an abnormal level in the second embodiment.
  • FIG. 16A is a flowchart showing an example of a procedure of processing by the data analysis server in the second embodiment.
  • FIG. 16B is a flowchart showing another example of the procedure of the process by the data analysis server in the second embodiment.
  • FIG. 17 is a sequence diagram of the network security system in the second embodiment.
  • FIG. 18 is a flow chart showing an example of a procedure of processing by a vehicle data analysis device provided in each vehicle in the third embodiment.
  • FIG. 19 is a flow chart showing an example of a procedure of processing by the data analysis server in the third embodiment.
  • FIG. 20 is a diagram showing an example of data indicating an association between a vehicle-mounted information processing apparatus (ECU) and a transmission CAN message, which is used in the third embodiment.
  • FIG. 21 is a diagram showing an example of data indicating the association between a bus making up a vehicle-mounted network and an ECU connected to each bus, which is used in the third embodiment.
  • FIG. 22 is a sequence diagram of the network security system in the third embodiment.
  • FIG. 23 is a flow chart showing an example of the procedure of presenting information to the user of the network security system in the third embodiment.
  • ECUs Electronic Control Units
  • IVI In-Vehicle Infotainment
  • TCU Telematics Communication Unit
  • as a cyber attack on a vehicle, there has conventionally been a method of disrupting the function of the vehicle by sending attack data from an unauthorized device connected to the in-vehicle network or from an ECU whose program has been illegally rewritten.
  • the technology described in Patent Document 1 or 2 is proposed as a countermeasure against such an attack method.
  • the conventional technology detects attack data by comparing normal data of a target vehicle with attack data, and has the problem that attack data which closely imitates normal data is difficult to detect.
  • although the prior art can detect the transmitted fraudulent data and prevent the adverse effect of the attack, it does not aim to identify the device transmitting the fraudulent data, so a more fundamental solution, such as stopping the device that transmits the fraudulent data, is sometimes difficult.
  • a data analysis device includes: a data acquisition unit that acquires, from each of a plurality of vehicles equipped with an in-vehicle network, data indicating an abnormality level based on the probability of occurrence of a cyber attack on the vehicle;
  • a data analysis unit that takes statistics of the abnormality level indicated by the data for each group into which the plurality of vehicles are classified based on a predetermined condition; a determination unit that, when the abnormality level of a first vehicle among the plurality of vehicles is less than a predetermined height and, in the statistics of the group into which the first vehicle is classified, the number of cases indicating an abnormality level equal to or higher than the predetermined height is equal to or higher than a predetermined reference, determines that the abnormality level of the first vehicle is to be changed to a correction level higher than the predetermined height; and an information transmitting unit that, when the determination unit determines that the abnormality level of the first vehicle is to be changed to the correction level, transmits to the first vehicle an instruction to recognize the correction level as the abnormality level in the in-vehicle network of the first vehicle.
  • when the determination results of other vehicles having commonality with the vehicle indicate a high probability of a high-level abnormality, the determination result for the vehicle is changed to a higher level, so that attacks can be detected with higher accuracy.
  • the abnormal level of the predetermined height may be a level at which a countermeasure against a cyber attack is executed in the first vehicle when recognized by the in-vehicle network of the first vehicle.
  • the abnormal level of the predetermined height may be a level at which a countermeasure against a cyber attack is not executed in the plurality of vehicles when recognized by the in-vehicle network of the first vehicle, and the correction level may be a level at which a countermeasure against a cyber attack is executed in the first vehicle when it is recognized in the in-vehicle network of the first vehicle.
  • the predetermined condition may be any one of the following, or any combination thereof: (1) traveling in a predetermined area within a predetermined period, (2) being the same type of vehicle, (3) being from the same manufacturer, (4) having a common in-vehicle network configuration, and (5) having a common time zone of generation of the data.
  • FIG. 1 is a diagram for explaining an outline of a network security system including a data analysis apparatus according to the first embodiment.
  • the network security system 1 is a security system for a countermeasure against a cyber attack that targets a vehicle that performs V2X communication and the other party of the communication.
  • a vehicle 10A and a vehicle 10B (hereinafter also referred to as “vehicle 10” when referring to either one without distinction or to both together), the data analysis server 200, and the traffic infrastructure system 300 exchange data via a communication network 900 established using a communication line such as the Internet.
  • the vehicle 10A and the vehicle 10B exchange data directly with each other and with the traffic infrastructure system 300.
  • the traffic infrastructure system 300 refers to various traffic-infrastructure-related devices installed along the road on which the vehicle 10 travels, such as traffic lights, ETC (Electronic Toll Collection) gates, and traffic volume measuring devices (these are also referred to as roadside units; not shown), and to the systems that communicate with, control and manage these roadside units.
  • ETC Electronic Toll Collection
  • a cyber attack targeting the vehicle 10 or the traffic infrastructure system 300 is accurately detected, and measures are taken to suppress the spread of damage.
  • the data analysis server 200 provides the function of the data analysis device responsible for detecting such a cyber attack.
  • FIG. 2 is a diagram showing a configuration example of the in-vehicle network 100 provided in the vehicle 10A.
  • the vehicle 10A includes an in-vehicle network 100.
  • the data transmitted from the vehicle 10A to the vehicle 10B, the data analysis server 200, and the traffic infrastructure system 300 by V2X communication is data flowing through the in-vehicle network 100.
  • the in-vehicle network 100 includes an external communication device 110, a gateway 120, a vehicle data analysis device 130, and a plurality of ECUs 150.
  • the ECU 150 in this example is connected to a common bus for each functional system such as an information system and a control system to constitute one functional system network. These functional systems are examples, and the in-vehicle network 100 may include further functional systems such as a body system.
  • a device such as an on-vehicle sensor, switch or actuator (not shown) is connected to each ECU 150; the ECU 150 sends sensing data indicating the result measured by the sensor to the bus, or sends to the switch or actuator a control signal output by a program that processes the measurement result of the sensor as an input.
  • the in-vehicle network 100 is a CAN network
  • the present embodiment and the modifications thereof described later are also applicable to an in-vehicle network conforming to a communication protocol other than CAN. Further, in the in-vehicle network 100, networks conforming to different protocols may be mixed.
  • the external communication device 110 and the gateway 120 are also realized by using the ECUs, and as described above, are indicated using names appropriate to the application.
  • the external communication device 110 is an information processing device including a communication module for communicating with an external communication network 900 or another vehicle 10B, and is called, for example, a TCU.
  • the gateway 120 is an information processing apparatus that transfers data between the above-described functional systems and between each functional system and the external communication device 110 and, at the time of this transfer, converts the data as necessary to accommodate differences in the communication protocol.
  • the vehicle data analysis device 130 analyzes the vehicle data flowing through the in-vehicle network 100, and provides the analysis result to the data analysis server 200.
  • in the in-vehicle network 100 of this example, the vehicle data analysis device 130 is a functional component that is realized by execution of a program by a processor included in the gateway 120.
  • FIG. 3 is a block diagram for explaining the functional configuration of the vehicle data analysis device 130 in more detail.
  • the vehicle data analysis device 130 includes a vehicle data acquisition unit 131, an external data acquisition unit 132, a traveling state analysis unit 133, a storage unit 135, an analysis result transmission unit 136, and a vehicle control data transmission unit 137.
  • the vehicle data acquisition unit 131 acquires vehicle data that flows through the in-vehicle network 100 and indicates the traveling state of the vehicle 10A.
  • the example of the vehicle data indicating the traveling state includes sensing data sent from the ECU 150 described above.
  • the external data acquisition unit 132 acquires data received by the external communication device 110 by V2X communication.
  • This data includes data acquired by a surrounding vehicle (in this example, the vehicle 10B) or by the traffic infrastructure system 300. More specifically, the vehicle 10A receives, from the vehicle 10B, vehicle data flowing through the in-vehicle network of the vehicle 10B, and receives, from the traffic infrastructure system 300, data obtained by the measurement function or the communication function of the roadside device.
  • the traveling state analysis unit 133 analyzes the vehicle data acquired by the vehicle data acquisition unit 131, and as a result, acquires information on the traveling state of the vehicle 10A.
  • This information may include, for example, vehicle speed, turning curvature, acceleration, yaw rate, accelerator opening, steering amount, shift position, position information of the vehicle, and the like.
  • the storage unit 135 holds in-vehicle data acquired by the vehicle data acquisition unit 131, external data acquired by the external data acquisition unit 132, or data of an analysis result by the traveling state analysis unit 133 as necessary.
  • the storage unit 135 is realized using a storage device provided in the gateway 120.
  • the analysis result transmission unit 136 transmits the data of the analysis result by the traveling state analysis unit 133 to the data analysis server 200 via the external communication device 110.
  • the vehicle control data transmission unit 137 transmits an instruction for a predetermined operation to be executed according to the presence or absence or level of abnormality based on the analysis result by the traveling state analysis unit 133 or the external data acquisition unit 132. This instruction is sent to the bus connected to the gateway 120 and received by the associated ECU 150.
  • the vehicle data analysis device 130 which exists on the gateway 120 as mentioned above is an example of the mounting form of the vehicle data analysis device 130 on the vehicle-mounted network 100, and may be mounted in another form.
  • it may be realized using one or more information processing devices that are connected to the in-vehicle network 100 and are separate from the gateway 120.
  • the information system with the above configuration is not essential for the vehicle 10 connected to the network security system 1.
  • the information system on the in-vehicle network 100 included in the vehicle 10B may be configured without the traveling state analysis unit 133 and with, instead of the analysis result transmission unit 136, a transmission unit that transmits unanalyzed vehicle data such as sensing data to the outside.
  • the analysis of the traveling state based on the vehicle data of the vehicle 10B may be performed by, for example, the data analysis server 200 that receives the vehicle data of the vehicle 10B. It may also be executed by the vehicle 10A or the traffic infrastructure system 300.
  • when the analysis of the traveling state of the vehicle 10B is performed by the vehicle 10A or the traffic infrastructure system 300, the result is provided to the data analysis server 200 via the communication network 900.
  • FIG. 4 is a block diagram showing an example of the functional configuration of the data analysis server 200.
  • the data analysis server 200 is realized using one or more computer resources including a processor and a memory.
  • the data analysis server 200 analyzes data received from the vehicle 10 and the traffic infrastructure system 300 via the communication network 900 to detect an abnormality due to a cyber attack or to determine an abnormality level, and provides information to the vehicle 10 or the traffic infrastructure system 300 as necessary.
  • the data analysis server 200 provides such a function by executing a predetermined program. Also, in this program, for example, an anomaly detection model created by machine learning or a classification model is used.
  • the data analysis server 200 includes a data acquisition unit 210, a data analysis unit 220, a determination unit 230, a storage unit 240, a related ECU identification unit 250, an access right management unit 260, an information transmission unit 270, and an information presentation unit 280. These are functional components, and are realized by the processor of the data analysis server 200 executing the predetermined program described above.
  • the data acquisition unit 210 acquires vehicle data indicating the traveling state of the vehicle 10.
  • the vehicle data indicating the traveling state of the vehicle 10 here is, for example, data of a result of analysis by the traveling state analysis unit 133 transmitted from the above-described vehicle 10A.
  • when the data transmitted to the data analysis server 200 is unanalyzed data, as with the above-described vehicle 10B, the vehicle data indicating the traveling state is the result of analysis of that data by the data analysis unit 220. That is, the data analysis unit 220 executes the same analysis as the traveling state analysis unit 133.
  • FIG. 5 and FIG. 6 are diagrams showing examples of the data structure of the vehicle data, acquired by the data acquisition unit 210, that indicates the traveling state of the vehicle 10.
  • values indicating the traveling state of the vehicle 10 measured at different times at constant intervals (5 seconds in the illustrated example) are stored in time series.
  • an average value or the like calculated from measured values over a fixed period (10 minutes in the illustrated example) is stored in time series.
  • the contents of the vehicle data are not limited to these examples.
  • the items such as the speed and the turning curvature in the figure are shown for the purpose of illustration and are not essential, and further other items may be included.
  • each item may be, for example, the maximum value and the minimum value for each fixed period, whether the value rose above or fell below a predetermined threshold within a predetermined period, the length of time for which the value stayed above or below the predetermined threshold within a predetermined period, or the like.
  • the analysis result may be acquired in response to an event that occurs in the vehicle 10, for example, a predetermined driving operation (for example, start, stop, gear change) by the user or the automatic driving system. In this case, there may be further items indicating an event that has occurred. Further, in FIG. 5 and FIG. 6, although the position information is indicated by latitude and longitude, it is not limited to this.
  • the name of the place where the vehicle is traveling, a road name, a section, an intersection name, the name of the nearest landmark, or a zip code, or identification information indicating these (for example, an ID indicating a section of a road or its up/down direction) may be used.
  • identification information uniquely identifying the vehicle that is the transmission source is added to the data transmitted from each vehicle 10, and the data analysis server 200 manages each item of the vehicle data in association with the identification information.
  • the data acquisition unit 210 further acquires, from the traffic infrastructure system 300, out-of-vehicle data indicating a situation (hereinafter referred to as an out-of-vehicle situation) recognized outside the vehicle 10 in an area where the vehicle 10 travels.
  • the out-of-vehicle condition indicated by the out-of-vehicle data is, for example, road information or traffic information.
  • FIG. 7 is a diagram showing an example of the data structure of the external data provided from the traffic infrastructure system 300 to the data analysis server 200.
  • an average value or the like calculated from measurement values over a fixed period (five minutes in the illustrated example) by the roadside device is stored in time series.
  • Such data is a result of analysis of sensing data in the roadside machine, and this analysis may be performed in the roadside machine or the traffic infrastructure system 300 or may be analyzed by the data analysis unit 220.
  • the contents of the data outside the vehicle are not limited to this example.
  • the items such as the speed limit and the restrictions in the figure are shown for the purpose of illustration and are not essential, and further other items may be included.
  • each item may be, for example, the maximum value and the minimum value for each fixed period, whether the value rose above or fell below a predetermined threshold within a predetermined period, the length of time for which the value stayed above or below the predetermined threshold within a predetermined period, or the like.
  • the analysis result may be acquired in response to an event that has occurred in the traffic infrastructure system 300, for example, a change in speed limit.
  • a road ID, which is identification information indicating a section of a road on which the roadside machine is installed, is used as position information of each roadside machine that is a transmission source of data indicating the vehicle external condition.
  • identification data that uniquely identifies a roadside device that has generated out-of-vehicle data may be added to the out-of-vehicle data transmitted from the transportation infrastructure system 300.
  • the determination unit 230 determines whether there is a mismatch between the traveling state of the vehicle 10 indicated by the vehicle data acquired by the data acquisition unit 210 and the external condition indicated by the external data, and outputs the result of this determination.
  • the storage unit 240 holds, as necessary, data generated or used by each functional component of the data analysis server 200, such as vehicle data and external data acquired by the data acquisition unit 210 and data of the determination result by the determination unit 230.
  • the storage unit 240 is realized using a storage device provided in the data analysis server 200.
  • the related ECU identification unit 250 identifies an ECU associated with the abnormality.
  • the access right management unit 260 manages the access right of the user of the data analysis server 200 to data acquired by the data acquisition unit 210, data of analysis results by the data analysis unit 220, or data such as determination results by the determination unit 230.
  • the user of the data analysis server 200 here is a maker of the vehicle 10 or its components, for example.
  • the information transmission unit 270 transmits data indicating information according to the result of the determination made by the determination unit 230 to the vehicle 10, the traffic infrastructure system 300, or both.
  • the information presentation unit 280 displays, to the user, information according to the result of the determination made by the determination unit 230. Information according to the result of the determination will be described later.
  • FIG. 8 is a flowchart showing an example of the procedure of processing by the data analysis server 200. The sequence diagrams of FIG. 9 and FIG. 10, which show the flow of data (information) in the network security system 1, are also referred to in this description as appropriate, as are the flowcharts of FIG. 11 and FIG. 12, which show the procedure of processing executed in the vehicle 10 and the traffic infrastructure system 300.
  • the data acquisition unit 210 acquires vehicle data from the vehicle 10 and external data from the traffic infrastructure system 300 (Steps S10 and S11).
  • the vehicle data is analyzed by the vehicle 10 and then provided to the data analysis server 200.
  • FIG. 11 is a flowchart showing a procedure (steps S20 to S22) from acquisition of vehicle data in the vehicle 10 to transmission to the data analysis server 200.
  • the data outside the vehicle is analyzed by the traffic infrastructure system 300 and then provided to the data analysis server 200.
  • FIG. 12 is a flow chart showing a procedure (steps S30 to S32) from acquisition of out-of-vehicle data in the traffic infrastructure system 300 to transmission to the data analysis server 200.
  • in step S12 executed by the data analysis server 200, the vehicle data and the out-of-vehicle data are compared to determine whether there is a mismatch between the traveling state of the vehicle 10 and the situation outside the vehicle 10.
  • the vehicle data and the out-of-vehicle data need only have been analyzed by the time of this comparison procedure, so that information such as that exemplified in FIGS. 5 to 7 is available; the analysis may be performed either by the source that provides each set of data or by the data analysis server 200 that is provided with the data.
  • the data before and after this analysis is referred to as vehicle data or external data without particular distinction.
  • the mismatch between the traveling state of the vehicle 10 and the external situation of the vehicle 10 will be described later using an example.
  • Step S12 is performed by the determination unit 230.
  • Determination unit 230 selects out-of-vehicle data to be compared with the vehicle data to be determined using the time and position information indicated by the vehicle data, and the time and position information indicated by the out-of-vehicle data.
  • a correspondence table (not shown) held in the storage unit 240 may be referred to, or a calculation for conversion may be performed. Further, the determination unit 230 does not necessarily compare only data whose time information and position information match completely; it may select data having a partial overlap, or an overlap in at least one of these, as comparison targets.
  • even if there is no overlap, out-of-vehicle data indicating a time within a predetermined period going back from the time indicated by the time information included in a piece of vehicle data, or a predetermined number of preceding pieces of out-of-vehicle data, may be selected for comparison.
  • the external data indicating the external condition of the vehicle may be treated as external data indicating the external condition of the vehicle 10 and may be selected as a target of comparison with the vehicle data.
  • the data analysis server 200 determines that there is no abnormality due to the cyber attack that is known from the received data in any of the vehicle 10 and the traffic infrastructure system 300. Processing ends.
  • the determination unit 230 determines that an abnormality has occurred in either the vehicle 10 or the external data.
  • the determination unit 230 determines that there is a mismatch (YES in step S13)
  • the determination unit 230 further determines the vehicle data provided from another vehicle 10 whose position is indicated by the position information in the above area.
  • the determination result by comparison with the data outside the vehicle performed in the past is acquired from the storage unit 240.
  • the determination result obtained by comparing the vehicle data of the other vehicle 10 with the data outside the vehicle is managed in association with each item of the vehicle data, and is selected with reference to the identification information of the vehicle that is the transmission source. Further, the other vehicle data for which determination results are acquired at this time may be, for example, those whose indicated time is close, or a certain number of items.
  • the determination unit 230 determines whether or not the number of vehicle data, which is a result indicating that there is a mismatch, is equal to or more than a predetermined reference (step S14).
  • the criterion for this determination may be set as a rate (for example, 50% or more), as a specific number, or as a combination of these (for example, 30% or more and 5 or more).
  • the determination unit 230 determines that the abnormality due to the cyber attack has occurred in the vehicle 10 that is the transmission source of the vehicle data determined to be inconsistent in step S43 (step S15).
  • the determination unit 230 outputs the determination result to the information transmission unit 270.
  • the information transmitting unit 270 that has received the input of the determination result transmits information indicating the vehicle 10 at least to the traffic base system 300 (step S16). Further, the information transmission unit 270 transmits, to the vehicle 10, information for causing the vehicle 10 to execute an operation at the time of occurrence of an abnormality (step S17). This information may simply be information indicating the result of the determination, or may be indicated by a control signal for the vehicle 10. In FIG. 8, an example in which the control signal is transmitted to the vehicle 10 is shown.
  • FIG. 9 shows the flow of the data (information) in the network security system 1 in the case of being NO by step S14 in a series of procedures shown by FIG.
  • the V2I communication vehicle and traffic infrastructure system
  • the V2I communication from the vehicle 10 is performed. Stop the use of the data received in the
  • the information provided by the vehicle 10 that has received a cyber attack may include false content. That is, if the determination using such information is performed by the traffic infrastructure system 300, there is a possibility that an adverse effect such as an operation that does not match the actual traffic situation may occur. Therefore, the spread of the adverse effect of such a cyber attack can be suppressed by providing the traffic infrastructure system 300 with information indicating the vehicle 10 that is experiencing an abnormality under the cyber attack.
  • Such information may be provided not only to the traffic infrastructure system 300 but also to other vehicles 10 traveling around the vehicle 10 in which an abnormality has occurred.
  • the operation determination may be performed based on data from other vehicles 10, and this determination may be performed based on false information.
  • the information transmission unit 270 transmits the above information or control signal to the vehicle 10, and causes the vehicle 10 to perform an operation or the like for notifying the occurrence of an abnormality to the surrounding vehicle or its driver.
  • the operation for notifying the occurrence of an abnormality is, for example, a warning by a hazard lamp or the like. Or when the said vehicle 10 respond
  • the determination unit 230 determines that the abnormality due to the cyber attack has occurred in the traffic infrastructure system 300 that is the transmission source of the data outside the vehicle determined in step S13 to be inconsistent with the vehicle data, or in the roadside machine that is a part thereof (step S18). The determination unit 230 outputs the determination result to the information transmission unit 270. The information transmitting unit 270 that has received the input of the determination result transmits, to at least the traffic infrastructure system 300, information related to, for example, the roadside device that transmitted the data outside the vehicle for which the abnormality was determined to have occurred (step S19).
  • the information related to the roadside device may be, for example, identification information uniquely indicating an abnormal roadside device that has generated the out-of-vehicle data, or may be position information indicated by the out-of-vehicle data.
  • In FIG. 8, an example is shown in which what is transmitted to the traffic infrastructure system 300 is information indicating an abnormal roadside machine.
  • FIG. 10 shows the flow of the data (information) in the network security system 1 in the case of YES in step S14 in a series of procedures shown in FIG.
  • abnormal roadside machine information in the figure
  • use of the data outside the vehicle generated by measurement or the like by the roadside machine is stopped. This suppresses the expansion of the negative effects of cyber attacks.
  • Such information may be provided not only to the traffic infrastructure system 300 but also to the vehicle 10 that transmitted the vehicle data targeted for the determination in step S13, or to other vehicles 10 traveling around the abnormal roadside machine.
  • the operation determination may be performed based on the data from the roadside device, and this is to prevent the determination from being performed based on false information.
  • the data analysis server 200 compares the external data with the vehicle data received from the vehicle 10 from the traffic infrastructure system 300
  • the data to be compared with the vehicle data is not limited to the data from the traffic infrastructure system 300.
  • data received from a vehicle 10B traveling around the vehicle 10A may be used as external data to be compared with vehicle data received from the vehicle 10A.
  • image data generated by an image sensor mounted on the vehicle 10B for photographing its surroundings is analyzed, and the data analysis server 200 may determine whether the condition of the vehicle 10A shown in the image indicated by the image data is inconsistent with the traveling state of the vehicle 10A indicated by the vehicle data acquired from the on-vehicle network of the vehicle 10A.
  • it may be determined whether the traveling state, such as acceleration / deceleration and steering, of the vehicle 10A indicated by the vehicle data of the vehicle 10A and the traveling state, such as acceleration / deceleration and steering, of the vehicle 10B indicated by the vehicle data of the vehicle 10B are inconsistent. That is, in relation to the vehicle 10A, the vehicle data of the vehicle 10B is external data indicating the situation recognized outside the vehicle 10A, and the data analysis server 200 can use it in step S13 as the comparison target for the vehicle data of the vehicle 10A. The same applies if the vehicle 10A and the vehicle 10B are switched.
  • FIG. 8 is the determination step regarding the inconsistency in step S13, and thus the description of the other steps is omitted.
  • In step S13A of FIG. 13A, a mismatch is determined between the traveling speed of the vehicle 10 indicated by the in-vehicle data and the speed limit of the area in which the vehicle 10 travels indicated by the out-of-vehicle data.
  • the information on the speed limit is, for example, one included in the "speed limit" column of the outside data from the traffic infrastructure system 300 as shown in FIG.
  • the image data transmitted to the data analysis server 200 from another vehicle may be used.
  • the display content of the road sign or road sign indicating the speed limit which is included in the analysis result of the image data, is compared with the traveling speed of the vehicle 10 indicated by the in-vehicle data. For example, if the difference between the traveling speed and the speed limit is equal to or greater than a predetermined value or outside the predetermined speed range predetermined for the speed limit indicated by the display content, YES is determined in step S13A.
  • In step S13B in FIG. 13B, a mismatch is determined between the traveling speed of the vehicle 10 indicated by the in-vehicle data and the traveling speeds, indicated by the data outside the vehicle, of other vehicles traveling around the vehicle 10.
  • the information on the traveling speed of the other vehicle is, for example, one included in the "average traveling speed" column of the traffic base system 300 outside-vehicle data as shown in FIG.
  • the speed indicated by the in-vehicle data transmitted from the other vehicle to the data analysis server 200 may be an average thereof.
  • in-vehicle data for one vehicle may be used as out-of-vehicle data for another vehicle. For example, if the difference between these traveling speeds is equal to or greater than a predetermined value, YES is determined in step S13B.
  • the data analysis server 200 is not limited to the speed limit or the traveling speed of surrounding vehicles. It can be determined whether the situation is normal or abnormal as well.
  • In step S13C in FIG. 13C, a mismatch is determined between the steering angle of the vehicle 10 indicated by the in-vehicle data and the road curvature of the area (road) on which the vehicle 10 travels indicated by the out-of-vehicle data.
  • the information on the road curvature is, for example, one included in the data outside the vehicle from the traffic infrastructure system 300 (not shown).
  • the road curvature included in the external data is compared with the steering angle of the vehicle 10 indicated by the in-vehicle data. For example, if the difference between the road curvature and the steering angle is equal to or greater than a predetermined value, it is determined as YES in step S13C.
  • even if the steering angle of one vehicle 10 is within the normal range in light of its steering performance, the data analysis server 200 can determine whether it is possibly normal or abnormal in light of the surrounding condition, namely the shape of the road.
  • a mismatch is determined between the traveling speed of the vehicle 10 indicated by the in-vehicle data and the traveling speed of the vehicle 10, indicated by the external data, as measured by another vehicle traveling around the vehicle 10.
  • the external data is the velocity of the vehicle obtained as an analysis result of sensing data of an apparatus capable of measuring the relative velocity of a surrounding object such as a radar provided in another vehicle.
  • it may be obtained by analysis of image data generated by an image sensor in another vehicle as described above. For example, when the difference between these traveling speeds is equal to or greater than a predetermined value, YES is determined in step S13D.
  • even if the traveling speed of one vehicle 10 is within the normal range in light of its traveling performance, the data analysis server 200 can determine whether it is possibly normal or abnormal in light of the surrounding situation, namely the traveling speed of the vehicle as recognized by the surrounding vehicles.
  • a mismatch is determined between the operation state of the brake light of the vehicle 10 indicated by the in-vehicle data and the operation state of the brake light indicated by the outside-of-vehicle data.
  • the external data in this case may be, for example, image data transmitted from the following vehicle of the vehicle 10 to the data analysis server 200.
  • the temporal operation state of the brake light of the vehicle 10 included in the analysis result of the image data is compared with the temporal operation state of the brake light of the vehicle 10 indicated by the in-vehicle data transmitted from the vehicle 10. For example, in the case where there is a certain difference or more in this operation state, YES is determined in step S13E.
  • even when the operation of the brake light of one vehicle 10 is within the normal range in terms of specifications, the data analysis server 200 can determine whether it is possibly normal or abnormal in light of the surrounding situation, namely the operation of the brake light of the vehicle as recognized by surrounding vehicles.
  • In step S13F of FIG. 13F, a mismatch is determined between the traveling state of the vehicle 10 indicated by the in-vehicle data and the traveling state of another vehicle indicated by the out-of-vehicle data.
  • the external data in this case may be, for example, time-series data of the traveling state (speed, steering angle, etc.) of the leading vehicle indicated by the in-vehicle data transmitted to the data analysis server 200 from the leading vehicle of the vehicle 10 . That is, also in this example, in-vehicle data for one vehicle is used as out-of-vehicle data for other vehicles.
  • the time-series data of the traveling state included in the analysis result of the in-vehicle data of the preceding vehicle is compared with the time-series data of the traveling state included in the analysis result of the in-vehicle data of the vehicle 10. For example, when there is a difference of a certain level or more in this traveling state, YES is determined in step S13F.
  • even if the overall traveling condition of one vehicle 10 is within the normal range in light of performance or specifications, the data analysis server 200 can determine whether it is possibly normal or abnormal in light of the surrounding situation, namely the traveling conditions of other vehicles traveling on the same road.
  • in determining the occurrence of a cyber attack on a certain vehicle, data derived from the vehicle (vehicle data) is compared with data derived from outside the vehicle to be determined, such as a traffic infrastructure system or another vehicle, that indicates the environment in which the vehicle travels or the condition of the vehicle (data outside the vehicle); by checking their consistency, detection with higher accuracy becomes possible than with a determination using only the data of the vehicle alone.
  • the method of abnormality determination executed by the network security system 1 in the present embodiment is also useful as a means of detecting a cyber attack on the traffic base system. And, by such a series of judgments, it is possible to realize a car society that is high in detection sensitivity of cyber attacks, including vehicles and traffic infrastructure systems, and the spread of the damage can be suppressed.
  • the present embodiment is not limited to this.
  • a function equivalent to the data analysis server 200 described above may be provided by the vehicle data analysis device 130 mounted on the vehicle 10.
  • the vehicle data analysis device 130 determines whether there is a mismatch between the situation indicated by the data outside the vehicle acquired from other surrounding vehicles or roadside machines by V2X communication via the external communication device 110 and the traveling condition of the vehicle 10 indicated by the vehicle data. If there is a mismatch, information on the occurrence of mismatches in the area where the vehicle 10 is traveling may further be acquired from the data stored in the storage unit 135, or by inquiring of surrounding vehicles or roadside machines through the external communication device 110.
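The attribution logic of steps S12 to S18 described above, as an added Python example that is not part of the patent text. It uses the speed comparison of step S13B as the mismatch test and recomputes the other vehicles' results instead of reading stored ones from the storage unit 240; the record layouts, identifiers, the 30 km/h threshold and the 60-second look-back are assumptions, and the 30%-and-5 criterion is the page's own example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values. The page only says "a predetermined value" for step S13B and
# gives "30% or more and 5 or more" as one example of the step S14 criterion.
SPEED_DIFF_KMH = 30.0   # assumed mismatch threshold
LOOKBACK_S = 60         # assumed "predetermined time period" used in step S12
MIN_RATIO = 0.30
MIN_COUNT = 5


@dataclass(frozen=True)
class VehicleData:
    vehicle_id: str
    time: int            # seconds on a constructed clock
    area: str            # area identifier derived from the position information
    speed_kmh: float


@dataclass(frozen=True)
class ExternalData:
    roadside_id: str
    time: int
    area: str
    avg_speed_kmh: float  # the "average traveling speed" column


def select_external(v: VehicleData, externals) -> Optional[ExternalData]:
    """Step S12: newest out-of-vehicle record for the same area inside the look-back."""
    candidates = [e for e in externals
                  if e.area == v.area and 0 <= v.time - e.time <= LOOKBACK_S]
    return max(candidates, key=lambda e: e.time, default=None)


def is_mismatch(v: VehicleData, e: ExternalData) -> bool:
    """Step S13B: speed difference at or above the predetermined value."""
    return abs(v.speed_kmh - e.avg_speed_kmh) >= SPEED_DIFF_KMH


def attribute_abnormality(target: VehicleData, fleet, externals) -> str:
    """Steps S13 to S18: decide where a detected mismatch originates."""
    ext = select_external(target, externals)
    if ext is None:
        return "no comparable data"
    if not is_mismatch(target, ext):
        return "no abnormality"
    # Step S14: how many other vehicles in the same area also disagree with the
    # out-of-vehicle data?
    results = []
    for other in fleet:
        if other.vehicle_id == target.vehicle_id or other.area != target.area:
            continue
        other_ext = select_external(other, externals)
        if other_ext is not None:
            results.append(is_mismatch(other, other_ext))
    mismatches = sum(results)
    criterion_met = (mismatches >= MIN_COUNT
                     and mismatches / len(results) >= MIN_RATIO)
    if criterion_met:
        return f"roadside:{ext.roadside_id}"   # step S18: the external source is suspect
    return f"vehicle:{target.vehicle_id}"      # step S15: the reporting vehicle is suspect


# Constructed sample data: RSU-A reports a falsified average speed for area-1,
# RSU-B is honest and vehicle B9 reports an implausible speed in area-2.
EXTERNALS = [
    ExternalData("RSU-A", 1000, "area-1", 20.0),
    ExternalData("RSU-B", 1000, "area-2", 60.0),
]
FLEET = (
    [VehicleData(f"A{i}", 1010, "area-1", 58.0 + i) for i in range(6)]
    + [VehicleData(f"B{i}", 1010, "area-2", 58.0 + i) for i in range(5)]
    + [VehicleData("B9", 1010, "area-2", 150.0)]
)
BY_ID = {v.vehicle_id: v for v in FLEET}

if __name__ == "__main__":
    for vid in ("A0", "B9", "B0"):
        print(vid, "->", attribute_abnormality(BY_ID[vid], FLEET, EXTERNALS))
```

A single vehicle that disagrees with a roadside unit is attributed to the vehicle, while the same disagreement shared by enough vehicles in the area shifts the attribution to the roadside unit.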
  • Second Embodiment An embodiment according to another method for improving the accuracy of detection of a cyber attack in a situation where V2X communication is performed will be described.
  • the abnormal level is another expression in the analysis on the abnormality of the vehicle data executed by the data analysis server or the vehicle data analysis device mounted on the vehicle
  • the probability of attack occurrence may be moderate.
  • vehicle data can not be used to determine the occurrence of a cyber attack, or it takes time until it can be used with practical certainty.
  • a new method of verifying the analysis result of such vehicle data and using it to determine the occurrence of a cyber attack a more accurate and quick determination can be realized as compared with the prior art.
  • in the network security system, depending on the results of the determination of the abnormal level in a plurality of vehicles, a medium-level abnormality that would not require an immediate response is treated as an abnormality that must be dealt with immediately.
  • the data analysis server 200 provides the function of the data analysis device responsible for detecting a cyber attack
  • the configuration is the same as that of the first embodiment, so the description is omitted, and each component is indicated by the reference symbol shown in FIG. 1 to FIG.
  • data indicating the level of abnormality due to a cyber attack, determined based on the analysis of the vehicle data executed by the vehicle data analysis device 130 of each vehicle 10, is sent from the plurality of vehicles 10 to the data analysis server 200.
  • FIG. 14 is a flow chart showing an example of the procedure of processing by the vehicle data analysis device 130 provided in each vehicle 10 in the present embodiment.
  • the vehicle data analysis device 130 analyzes the vehicle data to determine an abnormal level (step S41).
  • the abnormal level is determined, for example, according to the degree of deviation from a reference indicating the normal state. For example, when the reference maximum speed indicating the normal state is 100 km/h, the abnormal level is determined to be high if the traveling speed indicated by the vehicle data is 180 km/h, and medium if it is 140 km/h.
  • when the reference maximum steering rotation angle indicating the normal state is 720 degrees, the abnormal level is determined to be high if the steering rotation angle indicated by the vehicle data is 900 degrees, and medium if it is 750 degrees.
  • the criteria for determining the abnormal level based on the probability of occurrence of such a cyber attack may be determined at the time of design of the information system of the vehicle 10 or may be dynamically set from the usage history.
  • When the result of the determination in step S41 is high (YES in step S42), the attack countermeasure is executed in the vehicle 10 (step S43).
  • An example of the attack response measures here is a notification to surrounding vehicles by the operation of a hazard lamp or a forced evacuation operation for stopping the vehicle 10 in a place such as a roadside zone which does not hinder traffic.
  • the analysis result executed in step S41 is transmitted to the data analysis server 200 (step S44).
  • FIG. 15 is a diagram showing an example of the data structure of the analysis result of vehicle data for determination of an abnormal level, which is transmitted to the data analysis server 200 in step S44. This example is data of an analysis result when a high level abnormality occurs in an in-vehicle network conforming to CAN.
  • in addition to information on the data determined to be abnormal, such as the location of the abnormality in the vehicle 10, the level of the abnormality, and the ID of the CAN message indicating the type of CAN message in which the abnormality occurred, a vehicle ID for uniquely identifying the vehicle 10 and information indicating the position of the vehicle 10 when the abnormality was detected are included.
  • the information included in the data transmitted to the data analysis server 200 when an abnormality occurs is not limited to these. For example, information related to a group described later may be included.
  • If the result of the determination in step S41 is medium (NO in step S42, YES in step S45), the analysis result executed in step S41 is transmitted to data analysis server 200 (step S46).
  • the data structure in this case is also similar to that shown in FIG. When the abnormal level is medium, the attack countermeasure is not performed on the vehicle 10.
  • step S45 is NO, that is, if the abnormal level is low (or normal), the process of determining the abnormal level for the vehicle data acquired in step S41 ends as it is.
  • FIG. 16A is a flow chart showing an example of the procedure of processing by the data analysis server 200 in the present embodiment.
  • the data acquisition unit 210 acquires data of an analysis result indicating an abnormal level based on the probability of occurrence of a cyber attack on the vehicle 10 from each of the plurality of vehicles 10 (step S50).
  • the abnormal level has three levels of high, medium and low.
  • the data analysis unit 220 updates the statistics of the analysis result held in the storage unit 240 based on the analysis result acquired by the data acquisition unit 210 (step S51). This statistic is taken for each group into which analysis results are classified based on predetermined conditions.
  • the predetermined conditions referred to here are one of, or a combination of, the following: (1) traveling in a predetermined area within a predetermined period, (2) the vehicle types being the same, (3) the manufacturers being the same, (4) the configurations of the mounted in-vehicle networks being common, and (5) the time zones in which the analyzed in-vehicle data was generated being common.
  • In-vehicle networks having commonality included in such conditions may receive, for example, the same fraudulent message from the same roadside device or vehicle in V2X communication, or may have a common vulnerability.
  • the configuration of the in-vehicle network of the condition (4) relates to a compliant communication standard, a model of the connected ECU, and its firmware.
  • this group determination may be performed based on the information added to the analysis result transmitted from each vehicle 10 as described above, or may be performed by referring to data, held in the storage unit 240, indicating the group associated with each vehicle ID.
  • the determination unit 230 acquires, from the storage unit 240, statistics of the same group as the vehicle 10 that is the transmission source of the data of the analysis result that is the target of verification of the abnormal level (step S52).
  • the determination unit 230 checks whether or not the abnormal level indicated by the analysis result to be verified is high (step S53). If it is high (YES in step S53), the process ends.
  • the determination unit 230 further confirms whether the abnormal level is medium (step S54).
  • the determination unit 230 determines whether the number of high abnormal levels is equal to or higher than a predetermined reference in the group acquired in step S52 (step S55A). That is, it is determined whether or not a high level abnormality has occurred to a certain extent or more within the group of vehicles 10 having commonality with regard to the possibility of being subjected to the cyber attack.
  • the criterion for this determination may be set as a rate (for example, 50% or more), as a specific number, or as a combination of these (for example, 30% or more and 5 or more).
  • If YES in step S55A, an instruction to change the abnormal level from medium to high is transmitted from the information transmission unit 270 to the vehicle 10 that is the transmission source of the analysis result data to be verified (step S56). If NO in step S54 or step S55A, the process ends.
  • FIG. 16B is a flowchart showing another example of the procedure of the process by the data analysis server 200 in the present embodiment.
  • the processing in this other example is different from the processing shown in FIG. 16A in the contents of the subsequent steps when the received abnormal level is medium (YES in step S54).
  • in the process shown in FIG. 16A, in verifying the data of an analysis result in which the abnormal level is medium, if the number of analysis results indicating a high abnormal level among the vehicles 10 of the same group as the data-source vehicle 10 is equal to or more than the predetermined reference, the abnormal level of the analysis result to be verified is raised to high. That is, when there are many cases within a group having commonality in which the probability of being under a cyber attack is high or it is certain that a cyber attack is under way, this process makes the vehicle in which a medium-level abnormality has occurred respond more cautiously.
  • if the number of analysis results in which the abnormal level is medium among the vehicles 10 of the same group as the data-source vehicle is equal to or more than a predetermined standard (for example, 50%) (YES in S55B), the abnormal level of the analysis result to be verified is raised to high. In other words, even if there are not many cases within a group having commonality in which the probability of being under a cyber attack is high or it is certain that a cyber attack is under way, this process makes the vehicle in which a medium-level abnormality has occurred respond more cautiously if the cases in which medium-level abnormalities occur are at or above the predetermined standard (for example, 70%).
  • the instruction in step S56 may be sent only to the vehicle 10 that is the source of the data of the analysis result to be verified, or, in order to quickly improve the safety of traffic against cyber attacks, it may also be transmitted to all the vehicles 10 in the same group as this vehicle 10 that have transmitted an analysis result indicating that a medium-level abnormality has occurred.
  • FIG. 17 is a sequence diagram of the network security system 1 in the present embodiment.
  • the vehicle 10 which has transmitted the data to be verified of the analysis result is shown independently of the other vehicles 10.
  • each vehicle 10 transmits data indicating the result that the abnormal level is determined to be medium or high by analysis to the data analysis server 200.
  • the data analysis server 200 updates the statistics using the received data.
  • the statistics of the corresponding group are obtained from the latest statistics. If the analysis result of the verification target indicates that the abnormal level is medium, and the number of cases in which the abnormal level indicated by the acquired statistics is high or medium is equal to or more than the reference, the level indicated by the analysis result of the verification target is corrected to high.
  • This high level is an example of the correction level in the present embodiment.
  • an instruction to change the abnormal level to the correction level is transmitted from the data analysis server 200 to the vehicle 10.
  • the attack countermeasure in step S43 is executed as in the case where the determination in step S42 shown in FIG. 14 is YES.
  • the reference of analysis of vehicle data by the traveling state analysis unit 133 may be changed.
  • the criteria may be changed so that it is determined to be high level when acquired by the vehicle data analysis device 130 next time or later.
  • the attack response measures of the vehicle 10 to the subsequent same type of attacks are executed more quickly.
  • the number of levels to be raised may be changed according to the determination status (the number or the ratio thereof) of higher abnormal levels in the same group of statistics. That is, according to the determination situation of the abnormal level in the same group, the data analysis server 200 may issue an instruction to raise the abnormal level by two or more steps. For example, it is assumed that abnormal levels are set in ascending order to levels 1 to 5, and levels 2 to 4 are determined to be "middle" in step S54.
  • the process proceeds to level 3 If level 3 is one step to level 4, if the majority is 4 level, then if the received abnormal level is level 2 then level 4; if level 3 or 4, then level 5 , One or two steps may be raised.
  • the received abnormal level may be raised by 1 to 3 steps to level 5 regardless of whether it is level 2 to 4.
  • the determination of the abnormal level may be left unexecuted and the vehicle data transmitted to the data analysis server 200; in the data analysis server 200 that has received the vehicle data, the data analysis unit 220 analyzes the vehicle data and determines the abnormal level, after which the processes from step S51 onward may be performed.
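The vehicle-side procedure of FIG. 14 and the server-side verification of FIG. 16A and FIG. 16B described above, as an added Python example that is not part of the patent text. The reference values 100 km/h and 720 degrees and the 30%-and-5 criterion come from the page; the medium/high cut-offs, the report layout, the group key and the choice of "vehicles of the group that have reported" as the denominator of the rate are assumptions.

```python
from collections import defaultdict

HIGH, MEDIUM, LOW = "high", "medium", "low"

# signal -> (reference maximum for the normal state, value from which the level is high).
# The references 100 km/h and 720 degrees are the page's. The high cut-offs 160 and 800
# are constructed so that the page's examples (140 and 180 km/h, 750 and 900 degrees)
# classify as the page states.
REFERENCES = {"speed_kmh": (100.0, 160.0), "steering_deg": (720.0, 800.0)}


def abnormal_level(signal, value):
    """Step S41: level from the degree of deviation from the normal-state reference."""
    normal_max, high_from = REFERENCES[signal]
    if value >= high_from:
        return HIGH
    return MEDIUM if value > normal_max else LOW


def vehicle_report(vehicle_id, group, signal, value):
    """FIG. 14: return (report, countermeasure_executed); low levels are not reported."""
    level = abnormal_level(signal, value)
    if level == LOW:
        return None, False
    report = {"vehicle_id": vehicle_id, "group": group, "level": level}
    return report, level == HIGH   # the countermeasure (S43) runs only on a high level


class AnalysisServer:
    """Per-group statistics and verification of medium-level reports."""

    def __init__(self, watched_level=HIGH, min_ratio=0.30, min_count=5):
        self.watched_level = watched_level   # HIGH: FIG. 16A (S55A), MEDIUM: FIG. 16B (S55B)
        self.min_ratio = min_ratio
        self.min_count = min_count
        self.levels = defaultdict(dict)      # group -> {vehicle_id: latest reported level}

    def receive(self, report):
        """Steps S50 to S56: return a correction instruction or None."""
        group = self.levels[report["group"]]
        group[report["vehicle_id"]] = report["level"]    # S50, S51: update statistics
        if report["level"] != MEDIUM:                    # S53, S54: only medium is verified
            return None
        # S52, S55A/S55B: count the watched level in the sender's group. For FIG. 16B
        # the count includes the report being verified.
        hits = sum(1 for lv in group.values() if lv == self.watched_level)
        if hits >= self.min_count and hits / len(group) >= self.min_ratio:
            return {"vehicle_id": report["vehicle_id"], "correction_level": HIGH}  # S56
        return None


def run_constructed_scenario(server):
    """Constructed input: five vehicles of one group report a 900-degree steering
    angle, then a sixth vehicle of the same group reports 140 km/h."""
    group = "maker-X/model-Y"   # constructed group key
    for i in range(5):
        report, _ = vehicle_report(f"V{i}", group, "steering_deg", 900)
        server.receive(report)
    report, countermeasure = vehicle_report("V5", group, "speed_kmh", 140)
    return countermeasure, server.receive(report)


if __name__ == "__main__":
    print(run_constructed_scenario(AnalysisServer()))                      # FIG. 16A
    print(run_constructed_scenario(AnalysisServer(watched_level=MEDIUM)))  # FIG. 16B
```

On its own, the sixth vehicle's 140 km/h reading triggers no countermeasure; under FIG. 16A the five high-level reports in its group cause the server to return the correction level, while under FIG. 16B the same input returns nothing because only one medium-level report exists in the group.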
  • the conventional method of detecting an anomaly due to a cyber attack using vehicle data of a single vehicle can detect fraudulent data, but due to sophisticated techniques such as impersonation or limitations of the adopted communication protocol, It may not be possible to identify the device sending the fraudulent data.
  • data to be transmitted does not include information for specifying a transmission source.
  • the message includes an ID indicating the type of message, and it is possible to identify a design source from this ID.
  • the device sending out the fraudulent data is the source of the transmission. In the present embodiment, it is possible to narrow down the devices which are the sources of generation of fraudulent data even in such a situation.
  • the device (ECU) related to any abnormality is identified from the device (ECU) related to the abnormality generated in each individual vehicle.
  • the data analysis server 200 provides the function of the data analysis device responsible for detecting a cyber attack
  • the configuration is the same as that of the first embodiment, so the description is omitted, and each component is indicated by the reference symbol shown in FIG. 1 to FIG.
  • data indicating the presence or absence of an abnormality due to a cyber attack, determined based on the analysis of the vehicle data executed by the vehicle data analysis device 130 of each vehicle 10, is sent from the plurality of vehicles 10 to the data analysis server 200.
  • FIG. 18 is a flow chart showing an example of a procedure of processing by the vehicle data analysis device 130 provided in each vehicle 10 in the present embodiment.
  • When the vehicle data analysis device 130 acquires vehicle data flowing through the in-vehicle network (step S60), the vehicle data analysis device 130 analyzes the vehicle data to determine an abnormal level (step S61). At this time, illegal vehicle data, in this example a CAN message including illegal content for attack (hereinafter referred to as an attack CAN message), is specified (step S62). If an attack CAN message is specified in step S62, that is, an attack occurs (YES in step S63), data specifying and indicating this attack CAN message is transmitted to the data analysis server 200 (step S64). The data transmitted here may be, for example, the same data as FIG. 15 referred to in the description of the second embodiment. In this data, an attack CAN message is identified using a message ID (see the attack CAN message ID column).
  • FIG. 19 is a flow chart showing an example of the procedure of processing by the data analysis server 200 in the present embodiment.
  • the data acquisition unit 210 acquires, from the vehicle 10, data of an abnormality analysis result that specifies and indicates an attack CAN message that has caused an abnormality in the vehicle 10 (step S70).
  • the attack CAN message indicated by the abnormality analysis result is an example of the abnormality data in the present embodiment.
  • the related ECU identification unit 250 identifies the ECU that is, by design, the original transmission source of the CAN message having the message ID of the attack CAN message (hereinafter also referred to as the primary ECU) (steps S71 and S72). For this identification, reference is made to data held in the storage unit 240 in which the ID of each CAN message transmitted in the vehicle 10 is associated with the ECU that is its transmission source by design.
  • FIG. 20 is a diagram showing an example of data indicating the association between the ECUs constituting the on-vehicle network 100 of the vehicle 10 and the CAN messages transmitted by the respective ECUs in the present embodiment.
  • when the data of the analysis result received in step S70 is as shown in FIG. 15, this data is referenced to acquire the ID of the attack CAN message, CAN-001 (step S71).
  • the related ECU identifying unit 250 refers to the data shown in FIG. 20 and identifies, as the primary ECU, the ECU whose associated transmission message IDs include the attack CAN message ID CAN-001, that is, in this example the ECU whose ECU ID is ECU-001 (step S72).
  • since the primary ECU is the ECU that, by design, transmits CAN messages with the same message ID as the attack CAN message, it can be said to be highly likely to have transmitted the attack CAN message, for example when the primary ECU has been hijacked and is not operating as designed. However, it cannot be said with certainty that it sent the attack CAN message. This is because, for example, an ECU other than the primary ECU may have been hijacked and may be transmitting an attack CAN message with a message ID that it does not transmit by design.
  • ECUs other than the primary ECU are specified, and ECUs which may have transmitted the attack CAN message as described above are specified as the secondary ECU group.
  • the related ECU identification unit 250 identifies an ECU on the same bus as the primary ECU identified in step S72 as the secondary ECU group in the on-vehicle network 100 of the vehicle 10 (step S73).
  • data held in the storage unit 240 in which the buses in the in-vehicle network 100 of the vehicle 10 are associated with the ECUs connected to the respective buses.
  • FIG. 21 is a diagram showing an example of data indicating the association between the buses forming the in-vehicle network 100 of the vehicle 10 and the ECUs connected to the respective buses in the present embodiment.
  • the secondary ECU group identified in step S73 includes ECU-001, ECU-002, ECU-003, ECU-004, and ECU-005. If there is a secondary ECU group identified in step S74 (YES in step S74), the identified secondary ECU group is temporarily held in storage unit 240.
  • since the secondary ECU group is the group of ECUs connected to the bus on which the attack CAN message was sent, it can be said that there is a high possibility that one of the ECUs in this secondary ECU group sent the attack CAN message. However, analyzing the operation or the transmitted and received data of each ECU to investigate whether each of the ECUs in the secondary ECU group transmitted the attack CAN message consumes a lot of computational resources and time.
  • Step S70 to S73 are executed to compare with the specified secondary ECU group to determine whether a common ECU is included (step S75).
  • the different groups mentioned here means that a condition consisting of any one or a combination of the following is satisfied: (1) different travel areas within a predetermined period, (2) different car types, (3) different manufacturers, (4) different in-vehicle network configurations, and (5) different time zones in which the in-vehicle data is generated.
  • the configuration of the in-vehicle network of (4) relates to the compliant communication standard, the model of the connected ECU, and the firmware thereof.
  • the secondary ECU groups of the vehicles 10 that have been attacked or have detected an abnormality are compared with each other, and if there is a common ECU, it can be said that the common ECU is likely to have transmitted the attack CAN message, or is likely to have a vulnerability that allows an attacker to enter the in-vehicle network 100.
  • the number of common ECUs is likely to be smaller than that between the secondary ECU groups of the vehicles 10 belonging to the same group. Therefore, by comparing the secondary ECU groups of the vehicles 10 belonging to different groups, the attacked ECUs can be narrowed down to fewer candidates and efficiently specified.
  • the determination of whether ECUs are common (one or more of the manufacturer, model name, model number, installed processor, processor firmware version, and processor manufacturer are the same) is performed, for example, with reference to a database (not shown) for each ECU ID held in the storage unit 240.
  • the related ECU specifying unit 250 specifies this common ECU as an attack related ECU (step S77). Further, the information presenting unit 280 presents the identified attack related ECU to the user of the data analysis server 200 (step S78).
  • the attack related ECU refers to, for example, an ECU that is a transmission source of an attack CAN message, or an ECU that is likely to have a vulnerability that allows intrusion into the in-vehicle network 100.
  • the attack related ECU is an example of the abnormality related ECU in the present embodiment.
  • If there is no secondary ECU group in step S74 (NO in step S74), or if there is no common ECU among multiple secondary ECU groups or no secondary ECU group to be compared (step S76), the process ends without identifying the attack related ECU.
  • FIG. 22 is a sequence diagram of the network security system 1 corresponding to the processing by the data analysis server 200 shown in FIG. As shown in FIG. 22, presentation of information to the user may be made in response to the user's request. Further, the information presented may include not only the attack related ECU identified in step S77 but also other data that contributes to resolving the vulnerability, for example, the data received from the vehicle 10 in S70, the primary ECU, and the secondary ECU group. However, the users of the network security system 1 may include different manufacturers of vehicles, ECUs, and other supplied components. In such a case, the information that can be presented from the data analysis server 200 may include information that should be kept confidential depending on the user.
  • FIG. 23 is a flow chart showing an example of the procedure of presenting information to the user of the network security system 1 in the present embodiment.
  • the data analysis server 200 receives the information presentation request from the user via the user interface (not shown) (step S80). This user logs in to the data analysis server 200 using, for example, a unique ID and password.
  • the access right management unit 260 checks the content of the access right of the user specified by the ID with reference to the access right management information (not shown) held in the storage unit 240 (step S81). Then, the access right management unit 260 presents the information accessible by the user, or a list of it, to the user through the information presentation unit 280 according to the contents of the confirmed access right (step S82). For example, it is assumed that a user belonging to a certain vehicle manufacturer has access rights controlled so that only information on that manufacturer's vehicles can be accessed.
  • what is presented to the user in step S82 is only information on the attack CAN messages that occurred on vehicles that are products of the company to which the user belongs, the primary ECU associated with each attack CAN message, its secondary ECU group, and the finally identified attack related ECU.
  • By using such access right management together, use of the data analysis server 200 by various users, including manufacturers who handle data to be concealed from other companies, is promoted. If use by various users is realized, vehicle data is collected in the data analysis server 200 from more numerous and more diverse vehicles, and the possibility that there is a secondary ECU group to compare against in step S75 in the present embodiment increases. As a result, the possibility of identifying attack related ECUs also increases.
  • an ECU that sends an attack CAN message as a result of a cyber attack or an ECU that is likely to be vulnerable to intrusion into the in-vehicle network 100 is a specific target.
  • the technique of the embodiment is not limited to cyber attacks, and can also be applied to the identification of an ECU that is likely to have any of various abnormalities such as mechanical defects, bugs, or failures in use caused by manufacturing defects.
  • the process shown in FIG. 19 is executed using an abnormal message instead of the attack CAN message. That is, an abnormality analysis result identifying and indicating an abnormal message transmitted from the ECU due to these abnormalities is acquired.
  • This abnormal message is another example of abnormal data in the present embodiment.
  • the related ECU specifying unit 250 specifies the found common ECU as an abnormality related ECU in step S77.
  • what the data acquisition unit 210 acquires is not limited to the result of an anomaly such as an attack analyzed in each vehicle 10.
  • it may be a result obtained by the data analysis unit 220 analyzing CAN messages transmitted from a vehicle 10 that does not have a function for analyzing the presence or absence of an abnormality.
  • each component may be configured by dedicated hardware or implemented by executing a software program suitable for each component.
  • Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded in a recording medium such as a hard disk or a semiconductor memory.
  • this program causes a computer including a processor and a memory to: acquire, from each of a plurality of vehicles equipped with an in-vehicle network, data indicating an abnormality level based on the probability of occurrence of a cyber attack on that vehicle; take statistics of the abnormality level indicated by the data for each group into which the plurality of vehicles are classified based on a predetermined condition; determine, when the abnormality level of a first vehicle, which is one of the plurality of vehicles, is less than a predetermined height and, in the statistics of the group in which the first vehicle is classified, the number of cases indicating an abnormality level equal to or higher than the predetermined height is equal to or higher than a predetermined standard, that the abnormality level of the first vehicle is to be changed to a corrected level equal to or higher than the predetermined height; and, when it is determined to change the abnormality level of the first vehicle to the corrected level, transmit to the first vehicle an instruction to have the corrected level recognized as the abnormality level in the in-vehicle network of the first vehicle.
  • the present invention is applicable to in-vehicle security systems including in-vehicle networks.
  • 1 Network Security System; 10, 10A, 10B Vehicle; 100 Vehicle-mounted Network; 110 External Communication Device; 120 Gateway; 130 Vehicle Data Analysis Device; 131 Vehicle Data Acquisition Unit; 132 Vehicle Data Acquisition Unit; 133 Running State Analysis Unit; 135 Accumulation Unit; 136 Analysis Result Transmission Unit; 137 Vehicle Control Data Transmission Unit; 150 ECU; 200 Data Analysis Server; 210 Data Acquisition Unit; 220 Data Analysis Unit; 230 Determination Unit; 240 Storage Unit; 250 Related ECU Identification Unit; 260 Access Right Management Unit; 270 Information Transmission Unit; 280 Information Presentation Unit; 300 Transportation Infrastructure System; 900 Communication Network
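The narrowing procedure of steps S70 to S77 described above, sketched in Python as an added example that is not part of the patent text. CAN-001 and ECU-001 to ECU-005 follow the values quoted above; the table contents, the (manufacturer, model number) commonality key, the group tuple, and vehicles B and C are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Vehicle:
    vehicle_id: str
    group: tuple      # classification, assumed here to be (manufacturer, car type)
    tx_table: dict    # ECU ID -> message IDs it sends by design (FIG. 20 style)
    bus_table: dict   # bus ID -> ECU IDs connected to that bus (FIG. 21 style)
    ecu_db: dict      # ECU ID -> (ECU manufacturer, model number), assumed key


def primary_ecu(vehicle, attack_msg_id):
    """Steps S71-S72: the ECU that sends this message ID by design, if any."""
    for ecu_id, msg_ids in vehicle.tx_table.items():
        if attack_msg_id in msg_ids:
            return ecu_id
    return None


def secondary_group(vehicle, attack_msg_id):
    """Step S73: every ECU that shares a bus with the primary ECU."""
    primary = primary_ecu(vehicle, attack_msg_id)
    if primary is None:
        return set()          # message ID unknown to the design table
    group = set()
    for ecus in vehicle.bus_table.values():
        if primary in ecus:   # a gateway-like ECU may sit on several buses
            group.update(ecus)
    return group


def attack_related_ecus(target, target_msg_id, other_reports):
    """Steps S74-S77 for one vehicle.

    other_reports is a list of (Vehicle, attack message ID) pairs. Only
    vehicles from a different group are compared. Returns the target's ECU
    IDs whose part also appears in every compared secondary ECU group, or an
    empty set when there is nothing to compare or nothing in common.
    """
    own = secondary_group(target, target_msg_id)
    if not own:
        return set()
    common_parts = {target.ecu_db[e] for e in own}
    compared = 0
    for other, msg_id in other_reports:
        if other.group == target.group:
            continue          # same group: too many shared ECUs to narrow down
        theirs = secondary_group(other, msg_id)
        if not theirs:
            continue
        common_parts &= {other.ecu_db[e] for e in theirs}
        compared += 1
    if compared == 0:
        return set()
    return {e for e in own if target.ecu_db[e] in common_parts}


# Constructed sample data (not taken from FIG. 20 or FIG. 21).
VEHICLE_A = Vehicle(
    "A", ("MakerX", "sedan"),
    tx_table={"ECU-001": {"CAN-001"}, "ECU-002": {"CAN-002"},
              "ECU-003": {"CAN-003"}, "ECU-004": {"CAN-004"},
              "ECU-005": {"CAN-005"}, "ECU-006": {"CAN-006"}},
    bus_table={"bus-1": ["ECU-001", "ECU-002", "ECU-003", "ECU-004", "ECU-005"],
               "bus-2": ["ECU-006"]},
    ecu_db={"ECU-001": ("SupA", "EN-10"), "ECU-002": ("SupB", "TCU-7"),
            "ECU-003": ("SupC", "BR-3"), "ECU-004": ("SupD", "ST-2"),
            "ECU-005": ("SupE", "IVI-9"), "ECU-006": ("SupH", "DR-1")},
)
VEHICLE_B = Vehicle(
    "B", ("MakerY", "suv"),
    tx_table={"ECU-011": {"CAN-117"}, "ECU-012": {"CAN-200"},
              "ECU-013": {"CAN-300"}, "ECU-020": {"CAN-400"}},
    bus_table={"bus-1": ["ECU-011", "ECU-012", "ECU-013"],
               "bus-2": ["ECU-020"]},
    # ECU-020 is the same part as A's ECU-005 but sits on an unaffected bus.
    ecu_db={"ECU-011": ("SupF", "EN-55"), "ECU-012": ("SupB", "TCU-7"),
            "ECU-013": ("SupG", "BR-8"), "ECU-020": ("SupE", "IVI-9")},
)
VEHICLE_C = Vehicle("C", VEHICLE_A.group, VEHICLE_A.tx_table,
                    VEHICLE_A.bus_table, VEHICLE_A.ecu_db)

if __name__ == "__main__":
    print(attack_related_ecus(VEHICLE_A, "CAN-001",
                              [(VEHICLE_B, "CAN-117"), (VEHICLE_C, "CAN-001")]))
```

Comparing against vehicle C alone yields nothing, because C is in the same group as A and is skipped, which corresponds to the branch that ends without identifying an attack related ECU.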

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided is a data analysis device, comprising: a data acquisition unit (210) for acquiring data indicating an abnormality level based on occurrence probability of a cyberattack from a plurality of vehicles equipped with on-vehicle networks; a data analysis unit (220) for taking statistics of the abnormality level indicated by the data for each group of a plurality of vehicles classified on the basis of predetermined conditions; a determination unit (230) for determining, in the case where the abnormality level of a first vehicle as one of the plurality of vehicles is less than a predetermined level, when the number of cases indicating an abnormality level of the predetermined level or higher is equal to or larger than a predetermined criterion in the statistics of the group in which the first vehicle is classified, that the abnormality level of the first vehicle is to be changed to a corrected level that is equal to or larger than the predetermined level; and an information transmission unit (270) for transmitting, when it has been determined to change the abnormality level of the first vehicle to the corrected level, an instruction to recognize the corrected level as an abnormality level in the on-vehicle network in the first vehicle.

Description

Data analysis device and program
The present invention relates to security technology against cyber attacks on vehicles equipped with in-vehicle networks.
Security technologies against cyber attacks on vehicles equipped with in-vehicle networks have been proposed. For example, technologies have been proposed that detect the fraudulent data of an attack hidden in CAN data by analyzing the CAN data flowing through an in-vehicle network conforming to the CAN (Controller Area Network) communication standard (see Patent Document 1 and Patent Document 2).
JP 2014-146868 A
JP 2008-114806 A
However, attacks made more sophisticated by techniques such as spoofing may go undetected.
Therefore, the present invention provides a data analysis device that can detect even sophisticated attacks with higher accuracy.
A data analysis device according to an aspect of the present invention includes: a data acquisition unit that acquires, from each of a plurality of vehicles equipped with an in-vehicle network, data indicating an abnormality level based on the likelihood that a cyber attack on that vehicle has occurred; a data analysis unit that takes statistics of the abnormality level indicated by the data for each group into which the plurality of vehicles are classified based on a predetermined condition; a determination unit that, when the abnormality level of a first vehicle, which is one of the plurality of vehicles, is lower than a predetermined height, determines to change the abnormality level of the first vehicle to a corrected level equal to or higher than the predetermined height if, in the statistics of the group into which the first vehicle is classified, the number of cases indicating an abnormality level equal to or higher than the predetermined height is equal to or greater than a predetermined criterion; and an information transmission unit that, when the determination unit determines to change the abnormality level of the first vehicle to the corrected level, transmits to the first vehicle an instruction to have the corrected level recognized as the abnormality level in the in-vehicle network of the first vehicle.
Note that these general or specific aspects may be implemented as a system, a method, an integrated circuit, a computer program, or a recording medium such as a computer-readable CD-ROM, or as any combination of systems, methods, integrated circuits, computer programs, and recording media.
The data analysis device according to an aspect of the present invention can detect even sophisticated attacks with higher accuracy.
FIG. 1 is a diagram for explaining an outline of a network security system including a data analysis device according to the first embodiment.
FIG. 2 is a diagram showing a configuration example of an in-vehicle network in the network security system shown in FIG. 1.
FIG. 3 is a block diagram showing an example of the functional configuration of the above in-vehicle network.
FIG. 4 is a block diagram showing an example of the functional configuration of the data analysis server shown in FIG. 1.
FIG. 5 is a diagram showing an example of the data structure of vehicle data provided from the vehicle shown in FIG. 1 to the data analysis server.
FIG. 6 is a diagram showing another example of the data structure of vehicle data indicating the traveling state of the above vehicle.
FIG. 7 is a diagram showing an example of the data structure of the external data provided from the traffic infrastructure system shown in FIG. 1 to the data analysis server.
FIG. 8 is a flowchart showing an example of the procedure of processing by the data analysis server in the first embodiment.
FIG. 9 is a sequence diagram for the case where it is determined in the first embodiment that an abnormality has occurred in a vehicle.
FIG. 10 is a sequence diagram for the case where it is determined in the first embodiment that an abnormality has occurred in the traffic infrastructure system.
FIG. 11 is a flowchart showing an example of the procedure of processing by the vehicle data analysis device in the first embodiment.
FIG. 12 is a flowchart showing an example of the procedure of processing by the traffic infrastructure system in the first embodiment.
FIG. 13A is a flowchart showing one specific example of the procedure of processing by the data analysis server in the first embodiment.
FIG. 13B is a flowchart showing one specific example of the procedure of processing by the data analysis server in the first embodiment.
FIG. 13C is a flowchart showing one specific example of the procedure of processing by the data analysis server in the first embodiment.
FIG. 13D is a flowchart showing one specific example of the procedure of processing by the data analysis server in the first embodiment.
FIG. 13E is a flowchart showing one specific example of the procedure of processing by the data analysis server in the first embodiment.
FIG. 13F is a flowchart showing one specific example of the procedure of processing by the data analysis server in the first embodiment.
FIG. 14 is a flowchart showing an example of the procedure of processing by the vehicle data analysis device provided in each vehicle in the second embodiment.
FIG. 15 is a diagram showing an example of the data structure of the result of the vehicle data analysis executed to determine the abnormality level in the second embodiment.
FIG. 16A is a flowchart showing an example of the procedure of processing by the data analysis server in the second embodiment.
FIG. 16B is a flowchart showing another example of the procedure of processing by the data analysis server in the second embodiment.
FIG. 17 is a sequence diagram of the network security system in the second embodiment.
FIG. 18 is a flowchart showing an example of the procedure of processing by the vehicle data analysis device provided in each vehicle in the third embodiment.
FIG. 19 is a flowchart showing an example of the procedure of processing by the data analysis server in the third embodiment.
FIG. 20 is a diagram showing an example of data, used in the third embodiment, indicating the association between in-vehicle information processing devices (ECUs) and the CAN messages they transmit.
FIG. 21 is a diagram showing an example of data, used in the third embodiment, indicating the association between the buses that make up the in-vehicle network and the ECUs connected to each bus.
FIG. 22 is a sequence diagram of the network security system in the third embodiment.
FIG. 23 is a flowchart showing an example of the procedure of presenting information to a user of the network security system in the third embodiment.
(Findings that formed the basis of the present invention)
The inventor has found that the following problems arise with the security technologies described in the "Background" section.
Today's automobiles are equipped with a plurality of information processing devices called ECUs (Electronic Control Units). These ECUs provide various functions for improving safety, convenience, or comfort, and can also cooperate by exchanging data via an in-vehicle network such as a CAN network to realize more advanced functions, including automated driving. In the present disclosure, the term ECU is also used to refer to the various devices that are connected to an in-vehicle network and transmit or receive data and that are called by other names according to their use, such as IVI (In-Vehicle Infotainment), TCU (Telematics Communication Unit), and gateway.
Cyber attacks on vehicles have conventionally included, for example, techniques that disrupt the functions of a vehicle by injecting attack data from an unauthorized device connected to the in-vehicle network or from an ECU whose program has been illegally rewritten. The technology described in Patent Document 1 or 2 is proposed as a countermeasure against such attack techniques.
However, the conventional technologies detect attack data by comparing it with the normal data of the target vehicle, and have the problem that attack data that closely imitates normal data is difficult to detect. In addition, although the conventional technologies can detect transmitted fraudulent data and prevent the adverse effects of an attack, they do not aim to identify the device transmitting the fraudulent data, so a more fundamental solution, such as stopping the device that transmits the fraudulent data, can be difficult.
Furthermore, to realize still more advanced functions, vehicles have also appeared that are equipped with in-vehicle networks that exchange data with the outside, such as other vehicles or traffic infrastructure systems, either directly or via a communication network such as the Internet. Data distribution paths expanded in this way can also become propagation paths for fraudulent data and may spread the damage. However, the conventional technologies cannot prevent the propagation of fraudulent data that leads to the spread of damage.
To solve such problems, a data analysis device according to an aspect of the present invention includes: a data acquisition unit that acquires, from each of a plurality of vehicles equipped with an in-vehicle network, data indicating an abnormality level based on the likelihood that a cyber attack on that vehicle has occurred; a data analysis unit that takes statistics of the abnormality level indicated by the data for each group into which the plurality of vehicles are classified based on a predetermined condition; a determination unit that, when the abnormality level of a first vehicle, which is one of the plurality of vehicles, is lower than a predetermined height, determines to change the abnormality level of the first vehicle to a corrected level equal to or higher than the predetermined height if, in the statistics of the group into which the first vehicle is classified, the number of cases indicating an abnormality level equal to or higher than the predetermined height is equal to or greater than a predetermined criterion; and an information transmission unit that, when the determination unit determines to change the abnormality level of the first vehicle to the corrected level, transmits to the first vehicle an instruction to have the corrected level recognized as the abnormality level in the in-vehicle network of the first vehicle.
As a result, for example, even when analysis of a single vehicle's data yields a medium-level determination, if it is highly probable, based on the determination results for other vehicles that have something in common with that vehicle, that the abnormality is high level, the determination result is changed to high level, so that attacks can be detected with higher accuracy.
For example, the abnormality level of the predetermined height may be a level at which, when it is recognized in the in-vehicle network of the first vehicle, a countermeasure against the cyber attack is executed in the first vehicle. Also, for example, the abnormality level of the predetermined height may be a level at which, when it is recognized in the in-vehicle network of the first vehicle, no countermeasure against the cyber attack is executed in the plurality of vehicles, and the corrected level may be a level at which, when it is recognized in the in-vehicle network of the first vehicle, a countermeasure against the cyber attack is executed in the first vehicle.
As a result, a countermeasure is executed even when analysis of the single vehicle's data alone would not have led to one, which strengthens the vehicle's security against cyber attacks and suppresses the spread of fraudulent data.
For example, the predetermined condition may be any one or a combination of: (1) traveling within a predetermined area within a predetermined period, (2) being the same vehicle model, (3) being from the same manufacturer, (4) having a common in-vehicle network configuration, and (5) having a common time period in which the data was generated.
As a result, abnormality-level data from analysis results can be collected from vehicles whose attack-related conditions are close, such as vehicles whose in-vehicle networks are similar or identical, and statistics can be taken, which enables a clearer determination for intermediate abnormality levels.
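The group-statistics correction described above, sketched in Python as an added example that is not part of the patent text. The numeric levels, the field names, the reports, and the reading of the "predetermined criterion" as a minimum count of cases are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Assumed encoding of abnormality levels; the text only names low/medium/high.
LOW, MEDIUM, HIGH = 1, 2, 3

# Constructed reports, one per vehicle, as the data acquisition unit might hold them.
REPORTS = [
    {"vehicle_id": "V1", "maker": "MakerX", "car_type": "sedan", "area": "A", "level": HIGH},
    {"vehicle_id": "V2", "maker": "MakerX", "car_type": "sedan", "area": "B", "level": HIGH},
    {"vehicle_id": "V3", "maker": "MakerX", "car_type": "sedan", "area": "A", "level": MEDIUM},
    {"vehicle_id": "V4", "maker": "MakerY", "car_type": "suv", "area": "A", "level": MEDIUM},
    {"vehicle_id": "V5", "maker": "MakerY", "car_type": "suv", "area": "B", "level": HIGH},
    {"vehicle_id": "V6", "maker": "MakerY", "car_type": "suv", "area": "B", "level": LOW},
]


def group_key(report, conditions):
    """Classify a vehicle by one condition or a combination of conditions."""
    return tuple(report[c] for c in conditions)


def group_statistics(reports, conditions):
    """Data analysis unit: count reported abnormality levels per group."""
    stats = defaultdict(Counter)
    for report in reports:
        stats[group_key(report, conditions)][report["level"]] += 1
    return stats


def corrections(reports, conditions, threshold=HIGH, min_cases=2, corrected=HIGH):
    """Determination unit: decide which vehicles get a corrected level.

    A vehicle whose own level is below `threshold` is raised to `corrected`
    when its group contains at least `min_cases` reports at or above
    `threshold`. Returns {vehicle_id: corrected level}, i.e. the instructions
    the information transmission unit would send.
    """
    if corrected < threshold:
        raise ValueError("corrected level must be at or above the threshold")
    stats = group_statistics(reports, conditions)
    instructions = {}
    for report in reports:
        if report["level"] >= threshold:
            continue  # already at or above the threshold, nothing to correct
        counts = stats[group_key(report, conditions)]
        high_cases = sum(n for level, n in counts.items() if level >= threshold)
        if high_cases >= min_cases:
            instructions[report["vehicle_id"]] = corrected
    return instructions


if __name__ == "__main__":
    # Grouping by manufacturer and car type raises V3; grouping by area raises V6.
    print(corrections(REPORTS, ("maker", "car_type")))
    print(corrections(REPORTS, ("area",)))
```

The same reports give different corrections depending on which grouping conditions are chosen, and combining all three conditions in this sample leaves every group too small to meet the criterion.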
 なお、これらの包括的又は具体的な態様は、システム、方法、集積回路、コンピュータプログラム又はコンピュータで読み取り可能なCD-ROM等の記録媒体で実現されても良く、システム、方法、集積回路、コンピュータプログラム又は記録媒体の任意な組み合わせで実現されても良い。 Note that these general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a recording medium such as a computer readable CD-ROM, and the system, the method, the integrated circuit, the computer It may be realized by any combination of programs or recording media.
 以下、実施の形態に係るデータ解析装置について、図面を参照しながら説明する。 Hereinafter, a data analysis apparatus according to an embodiment will be described with reference to the drawings.
 なお、以下の各実施の形態は、いずれも本発明の包括的又は具体的な例を示すものである。したがって、以下の実施の形態で示される数値、構成要素、構成要素の配置及び接続形態、並びに、ステップ(工程)及びステップの順序等は、一例であって本発明を限定するものではない。以下の実施の形態における構成要素のうち、独立請求項に記載されていない構成要素については、任意に付加可能な構成要素である。また、各図は、模式図であり、必ずしも厳密に図示されたものではない。 Each of the following embodiments is a generic or specific example of the present invention. Therefore, the numerical values, the components, the arrangements and the connection forms of the components, the order of steps (steps) and steps, and the like described in the following embodiments are merely examples and do not limit the present invention. Among the components in the following embodiments, components not described in the independent claims are components that can be added arbitrarily. Further, each drawing is a schematic view, and is not necessarily illustrated exactly.
(Embodiment 1)
[1. Overview]
FIG. 1 is a diagram for explaining an outline of a network security system including a data analysis device according to Embodiment 1. The network security system 1 is a security system for countering cyber attacks that target vehicles performing V2X communication and their communication partners. As shown in FIG. 1, in the network security system 1, a vehicle 10A and a vehicle 10B (hereinafter also referred to as the vehicle 10, collectively or when referring to either one without distinction), a data analysis server 200, and a traffic infrastructure system 300 exchange data via a communication network 900 built using a communication line such as the Internet. The vehicle 10A and the vehicle 10B also exchange data directly with each other and with the traffic infrastructure system 300. The traffic infrastructure system 300 refers to the various traffic-infrastructure-related devices installed along the roads on which the vehicle 10 travels, such as traffic lights, ETC (Electronic Toll Collection) gates, and traffic volume measuring devices (in the present disclosure these devices are also referred to as roadside units; not shown), and to a system that communicates with, controls, and manages these roadside units.
In the network security system 1, cyber attacks targeting the vehicle 10 or the traffic infrastructure system 300 are detected accurately, and measures are taken to limit the spread of damage. The present embodiment is described below using an example in which the function of the data analysis device responsible for detecting such cyber attacks is provided by the data analysis server 200.
[2. Configuration]
[2-1. Vehicle Information System Configuration]
The information system configuration of the vehicle 10 will be described using the vehicle 10A as an example. FIG. 2 is a diagram showing a configuration example of the in-vehicle network 100 provided in the vehicle 10A.
The vehicle 10A includes an in-vehicle network 100. The data transmitted from the vehicle 10A by V2X communication to the vehicle 10B, the data analysis server 200, and the traffic infrastructure system 300 is data flowing through the in-vehicle network 100.
The in-vehicle network 100 includes an external communication device 110, a gateway 120, a vehicle data analysis device 130, and a plurality of ECUs 150. In this example, the ECUs 150 are connected to a common bus for each functional system, such as an information system and a control system, and each group forms one functional-system network. These functional systems are examples, and the in-vehicle network 100 may include further functional systems such as a body system. Devices such as on-board sensors, switches, or actuators (not shown) are connected to each ECU 150; the ECU 150 sends sensing data indicating the results measured by a sensor onto the bus, or sends to a switch or actuator a control signal output by a program that processed the sensor's measurement results as input. In the following description, an example in which the in-vehicle network 100 is a CAN network is sometimes used, but the present embodiment and its modifications described later are also applicable to in-vehicle networks conforming to communication protocols other than CAN. Networks conforming to different protocols may also coexist in the in-vehicle network 100.
The external communication device 110 and the gateway 120 are also each implemented using an ECU, and are referred to here by names that reflect their use, as above. The external communication device 110 is an information processing device including a communication module for communicating with the external communication network 900 or with another vehicle 10B, and is called, for example, a TCU. The gateway 120 is an information processing device that has a function of transferring data between the functional systems described above and between each functional system and the external communication device 110, and that, at the time of transfer, converts data as necessary according to differences in communication protocol.
The vehicle data analysis device 130 analyzes the vehicle data flowing through the in-vehicle network 100 and provides the analysis result to the data analysis server 200. In the configuration example used to describe the present embodiment, the in-vehicle network 100 is a functional component realized by a processor included in the gateway 120 executing a program. FIG. 3 is a block diagram for explaining the functional configuration of the vehicle data analysis device 130 in more detail.
The vehicle data analysis device 130 includes a vehicle data acquisition unit 131, an external data acquisition unit 132, a traveling state analysis unit 133, a storage unit 135, an analysis result transmission unit 136, and a vehicle control data transmission unit 137.
The vehicle data acquisition unit 131 acquires vehicle data that flows through the in-vehicle network 100 and indicates the traveling state of the vehicle 10A. Examples of vehicle data indicating the traveling state include the sensing data sent from the ECUs 150 described above.
The external data acquisition unit 132 acquires the data that the external communication device 110 has received by V2X communication. This data includes data acquired by a surrounding vehicle (the vehicle 10B in this example) or by the traffic infrastructure system 300. More specifically, the vehicle 10A acquires as out-of-vehicle data, from the vehicle 10B, the vehicle data flowing through the in-vehicle network of the vehicle 10B and, from the traffic infrastructure system 300, the data obtained by the measurement function or communication function of the roadside units.
The traveling state analysis unit 133 analyzes the vehicle data acquired by the vehicle data acquisition unit 131 and, as a result, obtains information on the traveling state of the vehicle 10A. This information may include, for example, vehicle speed, turning curvature, acceleration, yaw rate, accelerator opening, steering amount, shift position, and vehicle position information.
The storage unit 135 holds, as necessary, the in-vehicle data acquired by the vehicle data acquisition unit 131, the out-of-vehicle data acquired by the external data acquisition unit 132, or the analysis result data from the traveling state analysis unit 133. In this example, the storage unit 135 is realized using a storage device included in the gateway 120.
The analysis result transmission unit 136 transmits the analysis result data from the traveling state analysis unit 133 to the data analysis server 200 via the external communication device 110.
The vehicle control data transmission unit 137 issues an instruction for a predetermined operation to be executed according to the presence or absence, or the level, of an abnormality, based on the analysis result of the traveling state analysis unit 133 or on the external data acquisition unit 132. This instruction is sent onto the bus connected to the gateway 120 and is received by the relevant ECU 150.
Note that placing the vehicle data analysis device 130 on the gateway 120 as described above is one example of how the vehicle data analysis device 130 may be implemented on the in-vehicle network 100, and it may be implemented in other forms. For example, it may be realized using one or more information processing devices that are connected to the in-vehicle network 100 and are separate from the gateway 120.
Furthermore, an information system with the above configuration is not essential for a vehicle 10 connected to the network security system 1. For example, the information system on the in-vehicle network 100 of the vehicle 10B may be configured without the traveling state analysis unit 133 and, in place of the analysis result transmission unit 136, with a transmission unit that transmits unanalyzed vehicle data such as sensing data to the outside. In this case, the analysis of the traveling state based on the vehicle data of the vehicle 10B may be performed outside the vehicle 10B, for example by the data analysis server 200 that receives the vehicle data of the vehicle 10B. Alternatively, it may be performed by the vehicle 10A or the traffic infrastructure system 300. When the analysis of the traveling state of the vehicle 10B is performed by the vehicle 10A or the traffic infrastructure system 300, the result is provided to the data analysis server 200 via the communication network 900.
[2-2. Data Analysis Server Configuration]
Next, the configuration of the data analysis server 200 will be described. FIG. 4 is a block diagram showing an example of the functional configuration of the data analysis server 200. The data analysis server 200 is realized using one or more computer resources each including a processor and a memory. The data analysis server 200 analyzes the data received from the vehicle 10 and the traffic infrastructure system 300 via the communication network 900, detects an abnormality caused by a cyber attack, or additionally determines the abnormality level, and provides information to the vehicle 10 or the traffic infrastructure system 300 as necessary. The data analysis server 200 provides these functions by executing a predetermined program. This program uses, for example, an anomaly detection model created by machine learning, or additionally a classification model.
The data analysis server 200 includes a data acquisition unit 210, a data analysis unit 220, a determination unit 230, a storage unit 240, a related ECU identification unit 250, an access right management unit 260, an information transmission unit 270, and an information presentation unit 280. These are functional components, realized in the data analysis server 200 by the processor executing the predetermined program described above.
The data acquisition unit 210 acquires vehicle data indicating the traveling state of the vehicle 10. The vehicle data indicating the traveling state of the vehicle 10 here is, for example, the data resulting from the analysis by the traveling state analysis unit 133 that is transmitted from the vehicle 10A described above. When the data transmitted to the data analysis server 200 is unanalyzed data, as with the vehicle 10B described above, it is the data resulting from the analysis of that data by the data analysis unit 220. In other words, the data analysis unit 220 performs the same analysis as the traveling state analysis unit 133.
FIG. 5 and FIG. 6 are diagrams showing examples of the data structure of the vehicle data, indicating the traveling state of the vehicle 10, that the data acquisition unit 210 acquires.
In the example shown in FIG. 5, values indicating the traveling state of the vehicle 10 measured at different times at a fixed interval (5 seconds in the illustrated example) are stored in time series. In the example shown in FIG. 6, averages and similar values calculated from measurements over a fixed period (10 minutes in the illustrated example) are stored in time series as the values indicating the traveling state of the vehicle 10. The contents of the vehicle data are not limited to these examples. The items in the figures, such as speed and turning curvature, are shown for illustration and are not essential, and other items may also be included. The value of each item may also be, for example, the maximum and minimum values for each fixed period, whether a predetermined threshold was exceeded or undershot within a fixed period, or the length of time for which a predetermined threshold was exceeded or undershot within a fixed period. The analysis result may also be acquired when triggered by an event that occurs in the vehicle 10, for example a predetermined driving operation (such as starting, stopping, or a gear change) by the user or the automated driving system. In this case, there may be an additional item indicating the event that occurred. In FIG. 5 and FIG. 6 the position information is expressed as latitude and longitude, but it is not limited to this. For example, the name of the place, road, section, or intersection where the vehicle is traveling, the name of the nearest landmark, a postal code, or identification information indicating any of these (for example, an ID indicating a road section, or further its up/down direction) may be used. In addition, identification information that uniquely identifies the transmitting vehicle is added to the data transmitted from each vehicle 10, and the data analysis server 200 manages each vehicle data record in association with this identification information.
The data acquisition unit 210 further acquires, from the traffic infrastructure system 300, out-of-vehicle data indicating the situation recognized outside the vehicle 10 in the area where the vehicle 10 travels (hereinafter referred to as the out-of-vehicle situation).
More specifically, the out-of-vehicle situation indicated by the out-of-vehicle data is, for example, road information or traffic information.
FIG. 7 is a diagram showing an example of the data structure of the out-of-vehicle data provided from the traffic infrastructure system 300 to the data analysis server 200.
In the example shown in FIG. 7, averages and similar values calculated from measurements by a roadside unit over a fixed period (5 minutes in the illustrated example) are stored in time series as the data indicating the out-of-vehicle situation. Such data is the result of analyzing the sensing data of the roadside unit; this analysis may be performed in the roadside unit or the traffic infrastructure system 300, or may be performed by the data analysis unit 220. The contents of the out-of-vehicle data are not limited to this example. The items in the figure, such as speed limit and restrictions, are shown for illustration and are not essential, and other items may also be included. The value of each item may also be, for example, the maximum and minimum values for each fixed period, whether a predetermined threshold was exceeded or undershot within a fixed period, or the length of time for which a predetermined threshold was exceeded or undershot within a fixed period. The analysis result may also be acquired when triggered by an event that occurs in the traffic infrastructure system 300, for example a change of speed limit. In this case, there may be an additional item indicating the event that occurred. In the example of FIG. 7, a road ID, which is identification information indicating the section of road where the roadside unit is installed, is used as the position information of each roadside unit that is a transmission source of data indicating the out-of-vehicle situation. Identification information that uniquely identifies the roadside unit that generated the out-of-vehicle data may also be added to the out-of-vehicle data transmitted from the traffic infrastructure system 300.
The determination unit 230 determines whether there is a mismatch between the traveling state of the vehicle 10 indicated by the vehicle data and the out-of-vehicle situation indicated by the out-of-vehicle data, both acquired by the data acquisition unit 210, and outputs the result of this determination.
The storage unit 240 holds, as necessary, data generated or used by the functional components of the data analysis server 200, such as the vehicle data and out-of-vehicle data acquired by the data acquisition unit 210 and the determination result data from the determination unit 230. In this example, the storage unit 240 is realized using a storage device included in the data analysis server 200.
When the determination unit 230 determines that an abnormality has occurred in the vehicle 10, the related ECU identification unit 250 identifies the ECU related to this abnormality.
The access right management unit 260 manages the access rights of users of the data analysis server 200 to data such as the data acquired by the data acquisition unit 210, the analysis result data from the data analysis unit 220, or the determination results from the determination unit 230. A user of the data analysis server 200 here is, for example, a manufacturer of the vehicle 10 or of its parts.
The information transmission unit 270 transmits data indicating information corresponding to the result of the determination made by the determination unit 230 to the vehicle 10, the traffic infrastructure system 300, or both. The information presentation unit 280 displays to the user information corresponding to the result of the determination made by the determination unit 230. The information corresponding to the result of the determination is described later.
[3. Operation]
Next, the operation of the data analysis server 200, which provides the function of the data analysis device in the present embodiment, will be described. FIG. 8 is a flowchart showing an example of the processing procedure of the data analysis server 200. The sequence diagrams of FIG. 9 and FIG. 10, which show the flow of data (information) in the network security system 1, are also referred to as appropriate in this description, as are the flowcharts of FIG. 11 and FIG. 12, which show the procedures of the processing executed in the vehicle 10 and the traffic infrastructure system 300.
In the data analysis server 200, the data acquisition unit 210 receives and acquires vehicle data from the vehicle 10 and out-of-vehicle data from the traffic infrastructure system 300 (steps S10 and S11). In this example, the vehicle data is analyzed in the vehicle 10 before being provided to the data analysis server 200. FIG. 11 is a flowchart showing the procedure in the vehicle 10 from acquisition of the vehicle data to its transmission to the data analysis server 200 (steps S20 to S22). Likewise, the out-of-vehicle data is analyzed in the traffic infrastructure system 300 before being provided to the data analysis server 200. FIG. 12 is a flowchart showing the procedure in the traffic infrastructure system 300 from acquisition of the out-of-vehicle data to its transmission to the data analysis server 200 (steps S30 to S32).
In step S12, executed next in the data analysis server 200, the vehicle data and the out-of-vehicle data are compared to determine whether there is a mismatch between the traveling state of the vehicle 10 and the out-of-vehicle situation of that vehicle 10. It is sufficient that, by the time of this comparison, the vehicle data and the out-of-vehicle data have been analyzed and their information arranged as illustrated in FIG. 5 to FIG. 7; the place (entity) that performs the analysis may be the provider of each piece of data or the data analysis server 200 that receives the data. In the present disclosure, the data is called vehicle data or out-of-vehicle data without distinguishing between before and after this analysis. The mismatch between the traveling state of the vehicle 10 and the out-of-vehicle situation of that vehicle 10 is described later using examples.
Step S12 is executed by the determination unit 230. The determination unit 230 uses the time and position information indicated by the vehicle data and the time and position information indicated by the out-of-vehicle data to select the out-of-vehicle data to be compared with the vehicle data under determination. When the time or position information is expressed in different formats in the vehicle data and the out-of-vehicle data, the determination unit 230 may refer to a correspondence table (not shown) held in the storage unit 240 or may perform a calculation for conversion. The determination unit 230 does not necessarily compare only data whose time information and position information match completely; it may select for comparison data in which each of them overlaps partially, or in which at least one of them overlaps. Even without overlap, out-of-vehicle data indicating a time within a predetermined time going back from the time indicated by the time information in a given vehicle data record, or a predetermined number of out-of-vehicle data records going back from that time, may be selected for comparison. Using out-of-vehicle data that, being close in time, is more likely to reflect the current out-of-vehicle situation, such as current traffic volume and current traffic restrictions, yields an abnormality determination result better suited to the current situation. In addition, out-of-vehicle data indicating the out-of-vehicle situation of an area geographically close to the position indicated by the position information in the vehicle data (for example, within a certain distance or route range, or, among regions defined by a predetermined grid, the same region or also its surrounding regions) may be treated as out-of-vehicle data indicating the out-of-vehicle situation of the vehicle 10 and selected for comparison with that vehicle data.
 不整合はないと判定部230が判定した場合(ステップS13でNO)、車両10及び交通基盤システム300のいずれでも、受信した各データから判るサイバー攻撃による異常はないものとして、データ解析サーバ200での処理は終了する。 If the determination unit 230 determines that there is no inconsistency (NO in step S13), the data analysis server 200 determines that there is no abnormality due to the cyber attack that is known from the received data in any of the vehicle 10 and the traffic infrastructure system 300. Processing ends.
 不整合があると判定部230が判定した場合(ステップS13でYES)、判定部230は車両10及び車外データのいずれかに異常が発生しているものと判定する。このように車両データだけでなく、車外データも用いて異常判定することで、車両データ単体で異常判定する場合より高精度に異常を判定することができる。つまり、ある車両10がサイバー攻撃により不正制御されたケースにおいて、不正制御による走行状態が、当該車両10単体の走行状態としてあり得る範疇のものである場合、車両単体データにより異常を検知することは困難である。例えば、ある車両10が時速30km/hで走行中に、サイバー攻撃の結果、時速100km/hで走行してしまったとする。このとき、当該車両10は時速100km/hで走行すること自体はあり得ることであるから、このことだけで異常と判定することはできない。しかしながら、車両データと車外データとを比較することで、このように不正制御の範疇が当該車両単体の走行状態としてあり得る走行状態であった場合でも、異常を検知できるようになる。例えば、先の例において、サイバー攻撃を受けた車両10の周辺車両がいずれも時速30km/hで走行しているという車外データがあったとする。すると、車両10の走行状態は、周辺車両と調和的に走行可能な走行状態から明らかに逸脱していることが分かり、車両10に異常が発生していると判定することができる。 If the determination unit 230 determines that there is a mismatch (YES in step S13), the determination unit 230 determines that an abnormality has occurred in either the vehicle 10 or the external data. As described above, by making abnormality determination using not only vehicle data but also out-of-vehicle data, it is possible to determine abnormality with higher accuracy than in the case of making abnormality determination with vehicle data alone. That is, in a case where a vehicle 10 is illegally controlled by a cyber attack, if the traveling state by the illegal control is in a possible category of the traveling state of the vehicle 10 alone, detecting abnormality by vehicle single data Have difficulty. For example, it is assumed that a certain vehicle 10 travels at 100 km / h as a result of a cyber attack while traveling at 30 km / h. At this time, since it is possible that the vehicle 10 travels at 100 km / h per hour, it can not be determined as abnormal only by this. However, by comparing the vehicle data with the data outside the vehicle, it is possible to detect an abnormality even in the case where the category of the unauthorized control is likely to be the traveling state of the vehicle itself. 
For example, in the above example, it is assumed that there is out-of-vehicle data that all vehicles surrounding the cyber attacked vehicle 10 are traveling at a speed of 30 km / h. Then, it can be understood that the traveling state of the vehicle 10 clearly deviates from the traveling state in which the vehicle 10 can travel in harmony with the surrounding vehicles, and it can be determined that the vehicle 10 has an abnormality.
 また、不整合があると判定部230が判定した場合(ステップS13でYES)、判定部230はさらに、位置情報が示す位置が上記のエリア内にある他の車両10から提供された車両データについて過去に行われた車外データとの比較による判定結果を、蓄積部240から取得する。他の車両10の車両データと車外データとの比較による判定結果は、上述のように、車両データの各件と関連付けて管理され、送信元である車両の識別情報を参照して選択される。また、このとき判定結果が取得される他の車両データは、例えば示す時刻が時間的に近いものから一定件数取得されてもよいし、示す時刻が一定期間遡る範囲にある全件であってもよい。 In addition, when the determination unit 230 determines that there is a mismatch (YES in step S13), the determination unit 230 further determines the vehicle data provided from another vehicle 10 whose position is indicated by the position information in the above area. The determination result by comparison with the data outside the vehicle performed in the past is acquired from the storage unit 240. As described above, the determination result obtained by comparing the vehicle data of the other vehicle 10 with the data outside the vehicle is managed in association with each item of the vehicle data, and is selected with reference to the identification information of the vehicle that is the transmission source. Further, at this time, other vehicle data for which the determination result is acquired may be acquired, for example, from the one whose time shown is near in time, or a certain number of cases. Good.
The determination unit 230 then determines whether the number of vehicle data items whose result indicated a mismatch is equal to or greater than a predetermined criterion (step S14). This criterion may be set as a ratio, for example 50% or more, as a specific count, or as a combination of the two (for example, 30% or more and 5 items or more).
If the number of vehicle data items whose result indicated a mismatch is less than the predetermined criterion (NO in step S14), the determination unit 230 determines that an abnormality due to a cyber attack has occurred in the vehicle 10 that transmitted the vehicle data determined to be inconsistent in step S43 (step S15). The determination unit 230 outputs this result to the information transmission unit 270. On receiving it, the information transmission unit 270 transmits information indicating the vehicle 10 at least to the traffic infrastructure system 300 (step S16). The information transmission unit 270 also transmits to the vehicle 10 information that causes it to perform an operation for when an abnormality occurs (step S17). This information may simply indicate the determination result, or may take the form of a control signal for the vehicle 10. FIG. 8 shows an example in which a control signal is transmitted to the vehicle 10.
FIG. 9 shows the flow of data (information) in the network security system 1 when the result of step S14 is NO in the procedure shown in FIG. 8.
On receiving the information indicating the abnormal vehicle 10 ("abnormal vehicle information" in the figure) transmitted from the information transmission unit 270 in step S16, the traffic infrastructure system 300 stops using data received from that vehicle 10 by V2I communication (communication between a vehicle and the traffic infrastructure system). Information provided by a vehicle 10 that has been subjected to a cyber attack may contain false content. If the traffic infrastructure system 300 made determinations using such information, adverse effects could follow, such as operation that does not match the actual traffic situation. Providing the traffic infrastructure system 300 with information indicating the vehicle 10 in which an abnormality has occurred due to a cyber attack therefore limits the spread of the attack's adverse effects. Such information may be provided not only to the traffic infrastructure system 300 but also to other vehicles 10 traveling around the abnormal vehicle 10. A vehicle 10 that performs V2V communication (direct communication between vehicles) may determine its operation based on data from other vehicles 10, and providing the information prevents such determinations from being made on false information.
A vehicle 10 under a cyber attack may also behave abnormally. The information transmission unit 270 therefore transmits the above information or control signal to the vehicle 10 and has it perform an operation that notifies surrounding vehicles or their drivers of the abnormality, which reduces the likelihood of an accident. An operation for notifying of the abnormality is, for example, a warning using the hazard lamps. Alternatively, if the vehicle 10 supports remote operation, it may be made to perform an evacuation operation.
If, on the other hand, the number of vehicle data items whose result indicated a mismatch is equal to or greater than the predetermined criterion (YES in step S14), the determination unit 230 determines that an abnormality due to a cyber attack has occurred in the traffic infrastructure system 300, or in a roadside unit that is part of it, which is the source of the external data determined in step S13 to be inconsistent with the vehicle data (step S18). The determination unit 230 outputs this result to the information transmission unit 270. On receiving it, the information transmission unit 270 transmits, at least to the traffic infrastructure system 300, information about, for example, the roadside unit that transmitted the external data in which the abnormality was determined to have occurred (step S19). The information about the roadside unit may be, for example, identification information that uniquely identifies the abnormal roadside unit that generated the external data, or the position information indicated by the external data. FIG. 8 shows an example in which information indicating the abnormal roadside unit is transmitted to the traffic infrastructure system 300.
FIG. 10 shows the flow of data (information) in the network security system 1 when the result of step S14 is YES in the procedure shown in FIG. 8.
On receiving the information indicating the abnormal vehicle 10 ("abnormal roadside unit information" in the figure) transmitted from the information transmission unit 270 in step S19, the traffic infrastructure system 300 stops using external data generated by that roadside unit through measurement or other means. This limits the spread of the cyber attack's adverse effects. Such information may be provided not only to the traffic infrastructure system 300 but also to the vehicle 10 that transmitted the vehicle data examined in step S13, or to other vehicles 10 traveling around the abnormal roadside unit. A vehicle 10 that performs V2I communication may determine its operation based on data from a roadside unit, and providing the information prevents such determinations from being made on false information.
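The branch described in steps S13 to S19, as an added Python sketch that is not code from the patent. It uses the speed comparison against the area's average traveling speed as the step S13 check and the page's combined criterion (30% or more and 5 items or more) for step S14; the 30 km/h mismatch threshold, all names and the sample verdicts are assumptions.

```python
from dataclasses import dataclass

# Assumed values: the page only says "a predetermined value" for the mismatch
# threshold. The S14 criterion is the page's combined example.
SPEED_DIFF_KMH = 30.0
MIN_RATIO = 0.30
MIN_COUNT = 5


@dataclass(frozen=True)
class Verdict:
    """Stored result of an earlier S13 comparison for one vehicle data item."""
    vehicle_id: str
    mismatch: bool


def speed_mismatch(vehicle_kmh, area_avg_kmh, limit=SPEED_DIFF_KMH):
    """Step S13: vehicle data versus the average speed reported as external data."""
    return abs(vehicle_kmh - area_avg_kmh) >= limit


def criterion_met(history):
    """Step S14: are mismatches among other vehicles in the area widespread?"""
    if not history:
        return False  # nothing to corroborate, so the count is below the criterion
    hits = sum(1 for v in history if v.mismatch)
    return hits >= MIN_COUNT and hits / len(history) >= MIN_RATIO


def attribute_anomaly(vehicle_id, vehicle_kmh, area_avg_kmh, area_history):
    """Return (suspected source, notifications) for one vehicle report."""
    if not speed_mismatch(vehicle_kmh, area_avg_kmh):
        return ("none", [])
    # Only verdicts for *other* vehicles in the same area are consulted.
    others = [v for v in area_history if v.vehicle_id != vehicle_id]
    if criterion_met(others):
        # S14 YES -> S18/S19: many vehicles disagree with the same external
        # data, so the external data source is the suspect.
        return ("roadside_unit", ["report_roadside_unit_to_infrastructure"])
    # S14 NO -> S15 to S17: this vehicle alone disagrees with its surroundings.
    return ("vehicle", ["report_vehicle_to_infrastructure",
                        "send_control_signal_to_vehicle"])


# Constructed sample histories (not from the patent).
QUIET_AREA = [Verdict(f"car-{i}", False) for i in range(9)] + [Verdict("car-9", True)]
NOISY_AREA = [Verdict(f"car-{i}", i < 6) for i in range(10)]  # 6 of 10 mismatched


def demo():
    return {
        # The page's scenario: 100 km/h among vehicles averaging 30 km/h.
        "page_scenario": attribute_anomaly("car-A", 100.0, 30.0, QUIET_AREA),
        # Roadside unit reports an average that most vehicles contradict.
        "roadside": attribute_anomaly("car-A", 30.0, 100.0, NOISY_AREA),
        "consistent": attribute_anomaly("car-A", 32.0, 30.0, NOISY_AREA),
        "no_history": attribute_anomaly("car-A", 100.0, 30.0, []),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With an empty history the sketch falls through to the vehicle branch, which is what the "less than the predetermined criterion" wording implies; a deployment may prefer to defer the decision until enough verdicts exist.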
The description so far has used an example in which the external data that the data analysis server 200 compares with the vehicle data received from the vehicle 10 is provided by the traffic infrastructure system 300, but the data compared with the vehicle data is not limited to data from the traffic infrastructure system 300. For example, data received from a vehicle 10B traveling near a vehicle 10A may be used as the external data compared with the vehicle data received from the vehicle 10A. For example, image data generated by an image sensor mounted on the vehicle 10B to capture its surroundings may be analyzed, and the data analysis server 200 may determine whether the situation of the vehicle 10A shown in the image is inconsistent with the traveling state of the vehicle 10A indicated by the vehicle data acquired from the in-vehicle network of the vehicle 10A. It may also be determined whether the traveling state of the vehicle 10A (acceleration, deceleration, steering and so on) indicated by the vehicle data of the vehicle 10A is inconsistent with the traveling state of the vehicle 10B (acceleration, deceleration, steering and so on) indicated by the vehicle data of the vehicle 10B. In other words, in relation to the vehicle 10A, the vehicle data of the vehicle 10B is external data indicating a situation recognized outside the vehicle 10A, and the data analysis server 200 can use it as the object of comparison with the vehicle data of the vehicle 10A in step S13. The same holds if the vehicle 10A and the vehicle 10B are swapped.
Specific examples of mismatches, including cases where such determinations are performed, are given below.
FIGS. 13A to 13F are flowcharts each showing a specific example of the processing procedure of the data analysis server 200 in this embodiment. Each differs from the flowchart of FIG. 8 only in the mismatch determination of step S13, so description of the other steps is omitted.
In step S13A of FIG. 13A, a mismatch is determined between the traveling speed of the vehicle 10 indicated by the in-vehicle data and the speed limit of the area in which the vehicle 10 is traveling, indicated by the external data. The speed limit information used is, for example, the value in the "speed limit" column of the external data from the traffic infrastructure system 300, as shown in FIG. 7. As another example, it may come from image data transmitted to the data analysis server 200 from another vehicle. In that case, the content of a road sign or road marking showing the speed limit, included in the analysis result of the image data, is compared with the traveling speed of the vehicle 10 indicated by the in-vehicle data. For example, YES is determined in step S13A if the difference between the traveling speed and the speed limit is equal to or greater than a predetermined value, or if the traveling speed is outside a predetermined speed range defined in advance for the speed limit shown.
In step S13B of FIG. 13B, a mismatch is determined between the traveling speed of the vehicle 10 indicated by the in-vehicle data and the traveling speed of other vehicles traveling around the vehicle 10, indicated by the external data. The traveling speed of the other vehicles is taken, for example, from the "average traveling speed" column of the external data from the traffic infrastructure system 300, as shown in FIG. 7. As another example, it may be the speed, or the average of the speeds, indicated by in-vehicle data transmitted to the data analysis server 200 from other vehicles. In the network security system 1, the in-vehicle data of one vehicle may thus be used as external data for another vehicle. For example, YES is determined in step S13B if the difference between these traveling speeds is equal to or greater than a predetermined value.
As these examples show, even when the speed of a single vehicle 10 is within the normal range in light of its driving performance, the data analysis server 200 can determine whether it is also normal, or possibly abnormal, in light of the surrounding conditions, namely the speed limit or the traveling speed of the surrounding vehicles.
In step S13C of FIG. 13C, a mismatch is determined between the steering angle of the vehicle 10 indicated by the in-vehicle data and the road curvature of the area (road) on which the vehicle 10 is traveling, indicated by the external data. The road curvature information used is, for example, that included in the external data from the traffic infrastructure system 300 (not shown). In this case, the road curvature included in the external data is compared with the steering angle of the vehicle 10 indicated by the in-vehicle data. For example, YES is determined in step S13C if the difference between the road curvature and the steering angle is equal to or greater than a predetermined value.
As this example shows, even when the steering angle of a single vehicle 10 is within the normal range in light of its steering performance, the data analysis server 200 can determine whether it is normal, or possibly abnormal, in light of the surrounding conditions, namely the shape of the road.
In step S13D of FIG. 13D, a mismatch is determined between the traveling speed of the vehicle 10 indicated by the in-vehicle data and the traveling speed of the vehicle 10 as measured by another vehicle traveling nearby, indicated by the external data. This external data is the speed of the vehicle 10 obtained by analyzing sensing data from a device on the other vehicle, such as radar, that can measure the relative speed of surrounding objects. Alternatively, it may be obtained by analyzing image data generated by an image sensor on another vehicle, as described above. For example, YES is determined in step S13D if the difference between these traveling speeds is equal to or greater than a predetermined value.
As this example shows, even when the traveling speed of a single vehicle 10 is within the normal range in light of its driving performance, the data analysis server 200 can determine whether it is normal, or possibly abnormal, in light of the surrounding conditions, namely the speed of that vehicle as recognized by the surrounding vehicles.
In step S13E of FIG. 13E, a mismatch is determined between the operating state of the brake lights of the vehicle 10 indicated by the in-vehicle data and the operating state of the brake lights of the vehicle 10 indicated by the external data. The external data in this case may be, for example, image data transmitted to the data analysis server 200 from a vehicle following the vehicle 10. The operating state of the brake lights of the vehicle 10 over time, included in the analysis result of the image data, is compared with the operating state of the brake lights over time indicated by the in-vehicle data transmitted from the vehicle 10. For example, YES is determined in step S13E if these operating states differ by a certain amount or more.
As this example shows, even when the operation of the brake lights of a single vehicle 10 is within the normal range according to its specifications, the data analysis server 200 can determine whether it is normal, or possibly abnormal, in light of the surrounding conditions, namely the brake light operation of that vehicle as recognized by the surrounding vehicles.
In step S13F of FIG. 13F, a mismatch is determined between the traveling state of the vehicle 10 indicated by the in-vehicle data and the traveling state of another vehicle indicated by the external data. The external data in this case may be, for example, time-series data of the traveling state (speed, steering angle and so on) of the vehicle preceding the vehicle 10, as indicated by in-vehicle data transmitted from that preceding vehicle to the data analysis server 200. In this example too, the in-vehicle data of one vehicle is used as external data for another vehicle. The time-series data of the traveling state included in the analysis result of the preceding vehicle's in-vehicle data is compared with the time-series data of the traveling state included in the analysis result of the in-vehicle data of the vehicle 10. For example, YES is determined in step S13F if these traveling states differ by a certain amount or more.
As this example shows, even when the overall traveling state of a single vehicle 10 is within the normal range in light of its performance or specifications, the data analysis server 200 can determine whether it is normal, or possibly abnormal, in light of the surrounding conditions, namely the traveling state of other vehicles on the same road.
In this way, whether a cyber attack has occurred on a vehicle is determined by comparing data originating from that vehicle (vehicle data) with data that originates outside the vehicle under examination, such as from the traffic infrastructure system or another vehicle, and that indicates the environment in which the vehicle is traveling or the situation of the vehicle (external data), and checking their consistency. This enables detection with higher accuracy than determination based only on the data of the vehicle itself.
Accurate detection of cyber attacks also limits the spread of damage caused by the propagation of fraudulent data, even as V2X communication, which involves frequent data exchange, becomes widespread.
Traffic infrastructure systems may also become targets of cyber attacks as they become more computerized. The abnormality determination technique performed by the network security system 1 in this embodiment is also useful as a means of detecting cyber attacks on the traffic infrastructure system. Through this series of determinations, it is possible to realize an automotive society, covering both vehicles and traffic infrastructure systems, in which cyber attacks are detected with higher sensitivity and the spread of their damage can be limited.
The above description used as an example the case in which the function of the data analysis device responsible for detecting cyber attacks on vehicles is provided by the data analysis server 200, but this embodiment is not limited to that. For example, a function equivalent to the data analysis server 200 described above may be provided by the vehicle data analysis device 130 mounted on the vehicle 10. For example, the vehicle data analysis device 130 determines whether there is a mismatch between the situation indicated by external data acquired from other nearby vehicles or roadside units by V2X communication via the external communication device 110 and the traveling state of the vehicle 10 indicated by the vehicle data. If there is a mismatch, information about the occurrence of mismatches in the area where the vehicle 10 is traveling may further be obtained from the data accumulated in the storage unit 135, or by querying nearby vehicles or roadside units via the external communication device 110.
(Embodiment 2)
[1. Overview]
This section describes an embodiment of a different technique for improving the accuracy of cyber attack detection where V2X communication takes place.
In a network security system used where V2X communication takes place, an analysis of vehicle data for abnormalities, performed by the data analysis server or by an on-board vehicle data analysis device, may yield a medium abnormality level, in other words a medium likelihood that a cyber attack has occurred on the vehicle. With conventional mechanisms working from the data of a single vehicle, such vehicle data either cannot be used to determine whether a cyber attack has occurred or takes time before it can be used with practical certainty. This embodiment uses a new technique that verifies such analysis results and uses them in determining whether a cyber attack has occurred, achieving more accurate and faster determination than before.
More specifically, in the network security system of this embodiment, depending on the results of abnormality level determination in multiple vehicles, a situation that had been treated as a medium abnormality not requiring immediate action is treated as an abnormality requiring immediate action.
This embodiment is also described using the case in which the function of the data analysis device responsible for detecting cyber attacks is provided by the data analysis server 200. The configuration is the same as in Embodiment 1, so its description is omitted, and each component is referred to by the reference signs shown in FIGS. 1 to 4.
The operation of the data analysis server 200 in this embodiment is described below.
[2. Operation]
In the network security system 1 of this embodiment, each of a plurality of vehicles 10 transmits to the data analysis server 200 data indicating the level of abnormality due to a cyber attack, determined from the results of the vehicle data analysis performed by that vehicle's vehicle data analysis device 130.
FIG. 14 is a flowchart showing an example of the processing procedure of the vehicle data analysis device 130 provided in each vehicle 10 in this embodiment.
When the vehicle data analysis device 130 acquires vehicle data flowing through the in-vehicle network (step S40), it analyzes the vehicle data and determines the abnormality level (step S41). The abnormality level is determined, for example, according to the degree of deviation from a reference indicating the normal state. For example, if the reference maximum speed indicating the normal state is 100 km/h, the abnormality level is determined to be high when the traveling speed indicated by the vehicle data is 180 km/h, and medium when it is 140 km/h. As another example, if the reference maximum steering rotation angle indicating the normal state is 720 degrees, the abnormality level is determined to be high when the steering rotation angle indicated by the vehicle data is 900 degrees, and medium when it is 750 degrees. The criteria for determining the abnormality level, which is based on the likelihood that a cyber attack has occurred, may be defined when the information system of the vehicle 10 is designed, or may be set dynamically from the usage history.
If the result of the determination in step S41 is high (YES in step S42), the vehicle 10 executes an attack countermeasure (step S43). Examples of attack countermeasures here are notifying surrounding vehicles by operating the hazard lamps, or a forced evacuation operation that stops the vehicle 10 in a place where it does not obstruct traffic, such as the roadside strip. The analysis result produced in step S41 is also transmitted to the data analysis server 200 (step S44). FIG. 15 shows an example of the data structure of the vehicle data analysis result for abnormality level determination that is transmitted to the data analysis server 200 in step S44. This example is analysis result data for a case in which a high-level abnormality has occurred in a CAN-compliant in-vehicle network. In addition to information about the data determined to be abnormal, such as where in the vehicle 10 the abnormality occurred, the abnormality level, and the ID of the CAN message indicating the type of CAN message in which the abnormality was found, it includes a vehicle ID that uniquely identifies the vehicle 10 and information indicating the position of the vehicle 10 when the abnormality was detected. The information included in the data transmitted to the data analysis server 200 when an abnormality occurs is not limited to these items. For example, it may include the group-related information described later.
If the result of the determination in step S41 is medium (NO in step S42, YES in step S45), the analysis result produced in step S41 is transmitted to the data analysis server 200 (step S46). The data structure in this case is the same as that shown in FIG. 15. When the abnormality level is medium, the vehicle 10 does not execute an attack countermeasure.
If the result of step S45 is NO, that is, if the abnormality level is low (or normal), the abnormality level determination processing for the vehicle data acquired in step S41 simply ends.
Next, the processing procedure of the data analysis server 200, which receives the analysis result data transmitted from the plurality of vehicles 10 in step S44 or step S46, is described. FIG. 16A is a flowchart showing an example of the processing procedure of the data analysis server 200 in this embodiment.
In the data analysis server 200, the data acquisition unit 210 acquires, from each of the plurality of vehicles 10, analysis result data indicating an abnormality level based on the likelihood that a cyber attack has occurred on that vehicle 10 (step S50). For convenience, the description of this processing assumes that there are three abnormality levels: high, medium and low.
Next, the data analysis unit 220 updates the statistics of the analysis results held in the storage unit 240, based on the analysis result acquired by the data acquisition unit 210 (step S51). These statistics are taken for each group into which the analysis results are classified based on predetermined conditions. The predetermined conditions here are any one, or a combination of two or more, of the following regarding the vehicles 10 that sent the analysis results: (1) they are traveling in a predetermined area within a predetermined period, (2) they are the same vehicle model, (3) they are from the same manufacturer, (4) they have a common in-vehicle network configuration, and (5) the analyzed in-vehicle data was generated in a common time slot. In-vehicle networks that share the commonality covered by these conditions may, for example, have received the same malicious message via V2X communication from the same roadside unit or vehicle, or may have a common vulnerability. That is, a group of vehicles 10 narrowed down by such conditions is likely to be subjected to the same cyber attack. Therefore, looking at vehicles 10 group by group under such conditions increases the likelihood that the abnormality level can be determined with higher accuracy. The in-vehicle network configuration in condition (4) relates to the communication standard it conforms to, the models of the connected ECUs, and their firmware.
Note that this group determination may be performed based on information added to the analysis result transmitted from each vehicle 10 as described above, or by referring to data held in the storage unit 240 that indicates the group associated with each vehicle ID.
Next, the determination unit 230 acquires, from the storage unit 240, the statistics of the group to which the vehicle 10 that sent the analysis result data subject to abnormality-level verification belongs (step S52).
Next, the determination unit 230 checks whether the abnormality level indicated by the analysis result under verification is high (step S53). If it is high (YES in step S53), the process ends.
If NO in step S53, the determination unit 230 further checks whether the abnormality level is medium (step S54).
If the abnormality level is medium (YES in step S54), the determination unit 230 next determines whether, within the group acquired in step S52, the number of cases with a high abnormality level is at or above a predetermined criterion (step S55A). That is, it determines whether high-level abnormalities are occurring more than a certain amount within a group of vehicles 10 that share commonality regarding the possibility of being subjected to a cyber attack. The criterion may be set as a proportion, for example 50% or more, as a specific count, or as a combination of both (for example, 30% or more and 5 cases or more).
If YES in step S55A, the information transmission unit 270 transmits, to the vehicle 10 that sent the analysis result data under verification, an instruction to change the abnormality level from medium to high (step S56). If NO in step S54 or step S55A, the process ends.
FIG. 16B is a flowchart showing another example of the processing procedure of the data analysis server 200 in the present embodiment.
The processing in this other example differs from the processing shown in FIG. 16A in the steps that follow when the received abnormality level is medium (YES in step S54). In the processing shown in FIG. 16A, when verifying analysis result data whose abnormality level is medium, the abnormality level of the analysis result under verification is raised to high if, among the vehicles 10 in the same group as the vehicle 10 that sent the data, the number of analysis results with a high abnormality level is at or above a predetermined criterion. In other words, because there are many cases within the group sharing commonality in which the likelihood of being under cyber attack is high, or in which it is certain that a cyber attack is under way, this processing makes a vehicle in which a medium-level abnormality has occurred respond more cautiously as well.
In contrast, in the processing shown in FIG. 16B, when verifying analysis result data whose abnormality level is medium, the abnormality level of the analysis result under verification is raised to high if, among the vehicles 10 in the same group as the vehicle 10 that sent the data, the number of analysis results with a medium abnormality level is at or above a predetermined criterion (for example, 50%) (YES in S55B). In other words, even if there are not many cases within the group sharing commonality in which the likelihood of being under cyber attack is high, or in which it is certain that a cyber attack is under way, when the cases in which a medium-level abnormality has occurred are at or above a predetermined criterion (for example, 70%), this processing makes the vehicle in which the medium-level abnormality occurred respond more cautiously. In this case, the instruction of step S56 may be sent only to the vehicle 10 that sent the analysis result data under verification, or, to quickly improve the safety of traffic against cyber attacks, it may also be sent to all vehicles 10 in the same group as this vehicle 10 that sent analysis results indicating a medium-level abnormality.
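The server-side check of FIG. 16A (S55A, count of high results) and FIG. 16B (S55B, count of medium results) can be sketched as follows. This is an added example, not code from the patent: the class and field names, the group registry, and the choice of the group's registered vehicle count as the denominator of the percentage are assumptions, and the sample reports are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    """Predetermined criterion of S55A/S55B: a share of the group, a count, or both."""
    min_ratio: float = 0.0
    min_count: int = 1

    def met(self, count: int, group_size: int) -> bool:
        if group_size == 0:
            return False
        return count >= self.min_count and count / group_size >= self.min_ratio


class AnalysisServer:
    """Verifies a vehicle's medium result against its group's statistics."""

    def __init__(self, group_members, criterion, variant="16A", notify_group=False):
        if variant not in ("16A", "16B"):
            raise ValueError("variant must be '16A' or '16B'")
        # Assumed registry: group key -> vehicle IDs (a group is kept per vehicle ID).
        self.group_members = {g: set(v) for g, v in group_members.items()}
        self.group_of = {v: g for g, vs in self.group_members.items() for v in vs}
        self.criterion = criterion
        self.variant = variant
        self.notify_group = notify_group
        self.latest = defaultdict(dict)  # group -> {vehicle ID: last reported level}

    def receive(self, vehicle_id, level):
        """Run S50 to S56 for one report; return the vehicles told 'medium -> high'."""
        if level not in ("medium", "high"):
            raise ValueError("vehicles only report medium or high results")
        if vehicle_id not in self.group_of:
            # A report that cannot be tied to a group must not alter any statistics.
            raise ValueError("report from a vehicle that is not in any known group")
        group = self.group_of[vehicle_id]
        self.latest[group][vehicle_id] = level            # S51: update statistics
        stats = self.latest[group]                        # S52: same-group statistics
        if level == "high":                               # S53: nothing to raise
            return []
        # S54 is YES here. S55A counts high results, S55B counts medium results.
        watched = "high" if self.variant == "16A" else "medium"
        count = sum(1 for lv in stats.values() if lv == watched)
        if not self.criterion.met(count, len(self.group_members[group])):
            return []
        if self.variant == "16B" and self.notify_group:
            # Optional behaviour of FIG. 16B: instruct every medium reporter in the group.
            return sorted(v for v, lv in stats.items() if lv == "medium")
        return [vehicle_id]                               # S56: instruct the sender only


def demo_16a():
    """Constructed run: 10 vehicles, criterion '30% or more and 5 cases or more'."""
    members = {"model-A/area-1": [f"v{i:02d}" for i in range(1, 11)]}
    server = AnalysisServer(members, Criterion(min_ratio=0.30, min_count=5))
    for vid in ("v01", "v02", "v03", "v04"):
        server.receive(vid, "high")
    early = server.receive("v05", "medium")   # 4 high: 40% but fewer than 5 cases
    server.receive("v06", "high")
    late = server.receive("v07", "medium")    # 5 high: both conditions hold
    return early, late


def demo_16b():
    """Constructed run: 4 vehicles, criterion '50% or more', whole group notified."""
    members = {"model-B/area-2": ["b1", "b2", "b3", "b4"]}
    server = AnalysisServer(members, Criterion(min_ratio=0.5), "16B", notify_group=True)
    first = server.receive("b1", "medium")    # 1 of 4 medium: below the criterion
    second = server.receive("b2", "medium")   # 2 of 4 medium: criterion met
    return first, second


if __name__ == "__main__":
    print(demo_16a())
    print(demo_16b())
```

The combined criterion matters for small samples: with only the percentage, a single high report in a two-vehicle group would be enough to raise every medium result in that group.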
FIG. 17 is a sequence diagram of the network security system 1 in the present embodiment. In FIG. 17, for convenience, the vehicle 10 that sent the data whose analysis result is to be verified is shown separately from the other vehicles 10.
As shown in FIG. 17, each vehicle 10 transmits to the data analysis server 200 data indicating a result in which analysis determined the abnormality level to be medium or high. The data analysis server 200 updates the statistics using the received data. When an analysis result is verified, the statistics for the relevant group are obtained from the latest statistics. If the abnormality level indicated by the analysis result under verification is medium, and the acquired statistics show that the number of cases with a high or medium abnormality level is at or above the predetermined criterion, the level indicated by the analysis result under verification is corrected to high. This high level is an example of the corrected level in the present embodiment. An instruction to change the abnormality level to the corrected level is then transmitted from the data analysis server 200 to the vehicle 10. The vehicle 10 that receives this change instruction executes the attack countermeasure of step S43, in the same way as when YES is determined in step S42 shown in FIG. 14.
Note that the vehicle 10 that received the change instruction of step S56 may, in addition to executing the attack countermeasure, change the criteria used by the traveling state analysis unit 133 to analyze vehicle data. That is, the criteria may be changed so that vehicle data that the analysis previously determined to be a medium-level abnormality is determined to be high level when the vehicle data analysis device 130 acquires it from the next time onward. As a result, in the in-vehicle network 100, the vehicle 10 executes attack countermeasures against subsequent attacks of the same kind more promptly.
Also, for convenience the above description covered verification and correction among three abnormality levels (high, medium, and low), but the idea of the present embodiment can also be applied to verification and correction among two levels, or among four or more levels. That is, regardless of the number of abnormality levels defined, the abnormality level determined by analysis in a vehicle may be verified and corrected using the abnormality levels determined in other vehicles that are likely to be affected by the same cyber attack.
In addition, when four or more abnormality levels are defined, the number of levels by which the level is raised may be varied according to how higher abnormality levels have been determined (their count or proportion) in the statistics of the same group. That is, depending on the abnormality level determinations within the same group, the data analysis server 200 may issue an instruction to raise the abnormality level by two or more steps at once. For example, assume that abnormality levels 1 to 5 are defined in ascending order and that levels 2 to 4 are determined to be "medium" in step S54. In the subsequent steps in this case, for example, when the number of "medium" cases is at or above the predetermined amount and level 2 or 3 accounts for the majority of them, the level may be raised by one step: to level 3 if the received abnormality level is level 2, and to level 4 if it is level 3. When level 4 accounts for the majority, the level may be raised by one or two steps: to level 4 if the received abnormality level is level 2, and to level 5 if it is level 3 or 4. As another example, when the number of "medium" cases is at or above the predetermined amount and level 2 or 3 accounts for the majority, the level may be raised by one or two steps to level 4 whether the received abnormality level is level 2 or level 3; and when level 4 accounts for the majority, the level may be raised by one to three steps to level 5 whichever of levels 2 to 4 the received abnormality level is.
Alternatively, the vehicle 10 may not perform the abnormality level determination and may instead transmit the vehicle data to the data analysis server 200; in the data analysis server 200 that received the vehicle data, the data analysis unit 220 may analyze the vehicle data and determine the abnormality level, after which the processing from step S51 onward is performed.
(Third Embodiment)
[1. Overview]
An embodiment of yet another method for improving the accuracy of cyber attack detection in a situation where V2X communication is performed will be described.
With the conventional approach of detecting abnormalities caused by cyber attacks using the vehicle data of a single vehicle, even when malicious data can be detected, it may be impossible to go as far as identifying the device sending that data, because of sophisticated techniques such as spoofing or constraints of the communication protocol in use. In CAN, for example, transmitted data (messages) contain no information identifying the sender. A message contains an ID indicating the type of message, and the sender by design can be identified from this ID. However, it is also technically possible for a device sending malicious data to impersonate that sender. In the present embodiment, the devices that are the source of malicious data can be narrowed down even in such a situation.
More specifically, in the network security system of the present embodiment, from the devices (ECUs) related to the abnormalities that occurred in each of the individual vehicles, the devices related to all of those abnormalities are determined.
The present embodiment is also described using as an example the case where the function of the data analysis device responsible for detecting cyber attacks is provided by the data analysis server 200. The configuration is the same as in the first embodiment, so its description is omitted, and each component is referred to by the reference signs shown in FIGS. 1 to 4.
The operation of the data analysis server 200 in the present embodiment is described below.
[2. Operation]
In the network security system 1 of the present embodiment, data indicating the presence or absence of an abnormality due to a cyber attack, determined based on the result of the vehicle data analysis executed by the vehicle data analysis device 130 of each vehicle 10, is transmitted from the plurality of vehicles 10 to the data analysis server 200.
FIG. 18 is a flowchart showing an example of the processing procedure of the vehicle data analysis device 130 provided in each vehicle 10 in the present embodiment.
When the vehicle data analysis device 130 acquires vehicle data flowing through the in-vehicle network (step S60), it analyzes the vehicle data and determines the abnormality level (step S61). At this time, malicious vehicle data, in this example a CAN message containing malicious content for an attack (hereinafter referred to as an attack CAN message), is identified (step S62). When an attack CAN message is identified in step S62, that is, when an attack has occurred (YES in step S63), data identifying this attack CAN message is transmitted to the data analysis server 200 (step S64). The data transmitted here may be, for example, the same kind of data as in FIG. 15, referred to in the description of the second embodiment. In this data, the attack CAN message is identified by its message ID (see the attack CAN message ID column).
Next, the processing procedure of the data analysis server 200, which receives the data transmitted in step S64 from each of the plurality of vehicles 10, will be described. FIG. 19 is a flowchart showing an example of the processing procedure of the data analysis server 200 in the present embodiment.
In the data analysis server 200, the data acquisition unit 210 acquires from a vehicle 10 abnormality analysis result data that identifies the attack CAN message that caused the abnormality in that vehicle 10 (step S70). The attack CAN message indicated by the abnormality analysis result is an example of abnormal data in the present embodiment.
Next, the related ECU identification unit 250 uses the abnormality analysis result data acquired by the data acquisition unit 210 to identify the ECU that is, by design, the original sender of CAN messages having the message ID of the attack CAN message (hereinafter also referred to as the primary ECU) (steps S71 and S72). This identification refers to data held in the storage unit 240 that associates the IDs of the CAN messages transmitted in the vehicle 10 with the ECUs that are their senders by design. FIG. 20 is a diagram showing an example of data indicating the association between the ECUs constituting the in-vehicle network 100 of the vehicle 10 and the CAN messages each ECU transmits in the present embodiment. For example, when the analysis result data received in step S70 is that shown in FIG. 15, the related ECU identification unit 250 refers to this data to obtain the attack CAN message ID, CAN-001 (step S71). It then refers to the data of FIG. 20 and identifies as the primary ECU the ECU whose associated transmission message IDs include the attack CAN message ID CAN-001, that is, in this example, the ECU whose ECU ID is ECU-001 (step S72).
Because the primary ECU is the ECU that by design transmits CAN messages with the same message ID as the attack CAN message, it is an ECU that is likely to have sent the attack CAN message. This is the case, for example, when the primary ECU has been taken over and is behaving in a way not intended by design. However, it cannot be said with certainty that it sent the attack CAN message, because, for example, an ECU other than the primary ECU may have been taken over and may be sending attack CAN messages with a message ID that it never transmits by design.
Therefore, next, the ECUs that may have sent such an attack CAN message, including ECUs other than the primary ECU, are identified as the secondary ECU group.
The related ECU identification unit 250 identifies, as the secondary ECU group, the ECUs in the in-vehicle network 100 of the vehicle 10 that are on the same bus as the primary ECU identified in step S72 (step S73). This identification refers to data held in the storage unit 240 that associates the buses in the in-vehicle network 100 of the vehicle 10 with the ECUs connected to each bus. FIG. 21 is a diagram showing an example of data indicating the association between the buses constituting the in-vehicle network 100 of the vehicle 10 and the ECUs connected to each bus in the present embodiment. Using the example of the primary ECU identified in step S72, the secondary ECU group identified in step S73 includes ECU-001, ECU-002, ECU-003, ECU-004, and ECU-005. If there is a secondary ECU group identified in step S74 (YES in step S74), this identified secondary ECU group is held temporarily in the storage unit 240.
Because the secondary ECU group consists of the ECUs connected to the same bus as the one on which the attack CAN message was sent, it is very likely that one of the ECUs in this group sent the attack CAN message. However, analyzing the operation or the sent and received data of every ECU in the secondary ECU group to investigate whether it sent the attack CAN message consumes a great deal of computing resources and time.
Therefore, to further narrow down, from within this secondary ECU group, the ECUs likely to have sent the attack CAN message, the related ECU identification unit 250 next compares this secondary ECU group with a secondary ECU group identified by executing steps S70 to S73 for a vehicle 10 belonging to a different group, and determines whether they include a common ECU (step S75). A different group here means one that satisfies a condition consisting of any one, or a combination of two or more, of the following: (1) the travel area within a predetermined period is different, (2) the vehicle model is different, (3) the manufacturer is different, (4) the configuration of the in-vehicle network is different, and (5) the time slot in which the in-vehicle data was generated is different. The in-vehicle network configuration in (4) relates to the communication standard it conforms to, the models of the connected ECUs, and their firmware.
The secondary ECU groups of vehicles 10 that were attacked, or in which an abnormality was detected, are compared with one another; if there is an ECU common to them, that common ECU can be said to be an ECU likely to have sent the attack CAN message, or an ECU likely to have a vulnerability that allows an attacker to intrude into the in-vehicle network 100. Between the secondary ECU groups of vehicles 10 belonging to different groups as divided by the above conditions, the number of common ECUs is likely to be smaller than between the secondary ECU groups of vehicles 10 belonging to the same group. Therefore, comparing the secondary ECU groups of vehicles 10 in different groups narrows the attacked ECU down to fewer candidates and allows it to be identified efficiently.
Whether ECUs are common (one or more of the manufacturer, model name, model number, installed processor, processor firmware version, and processor manufacturer being the same) is determined, for example, by holding a database (not shown) for each ECU ID in the storage unit 240 and referring to this database.
If the comparison in step S75 finds one or more common ECUs (YES in step S76), the related ECU identification unit 250 identifies the common ECU as an attack-related ECU (step S77). The information presentation unit 280 then presents the identified attack-related ECU to the user of the data analysis server 200 (step S78). An attack-related ECU here is, for example, an ECU that is likely to be the sender of the attack CAN message, or an ECU that, regardless of whether it is the sender of the attack CAN message, is likely to have a vulnerability that allows an attacker to intrude into the in-vehicle network 100. The attack-related ECU is an example of an abnormality-related ECU in the present embodiment.
If there was no secondary ECU group in step S74 (NO in step S74), or if there was no ECU common to the multiple secondary ECU groups or no secondary ECU group to compare against (NO in step S76), the process ends without an attack-related ECU being identified.
In this way, the processing of the data analysis server 200 in the present embodiment can efficiently identify the attacked ECU by combining the analysis results for a plurality of vehicles 10.
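The narrowing of steps S71 to S77 can be sketched as follows. This is an added example, not code from the patent: the function names, the `match_on` attribute choice, and every table entry other than CAN-001 and ECU-001 to ECU-005 (bus IDs, the second vehicle, ECU attributes) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VehicleConfig:
    group: str     # grouping key, here the vehicle model (constructed)
    tx_ids: dict   # ECU ID -> CAN message IDs it sends by design (cf. FIG. 20)
    buses: dict    # bus ID -> ECU IDs connected to that bus (cf. FIG. 21)
    ecu_db: dict   # ECU ID -> attributes used to decide whether two ECUs are common


def primary_ecu(cfg, attack_msg_id):
    """S71-S72: the ECU that sends this message ID by design, or None."""
    for ecu_id, msg_ids in cfg.tx_ids.items():
        if attack_msg_id in msg_ids:
            return ecu_id
    return None


def secondary_ecus(cfg, attack_msg_id):
    """S73: every ECU on a bus shared with the primary ECU (primary included)."""
    primary = primary_ecu(cfg, attack_msg_id)
    if primary is None:
        return set()
    found = set()
    for ecu_ids in cfg.buses.values():
        if primary in ecu_ids:
            found.update(ecu_ids)
    return found


def attack_related_ecus(cfg_a, msg_a, cfg_b, msg_b, match_on=("model_number", "firmware")):
    """S75-S77: ECUs of vehicle A whose counterpart is also in vehicle B's group.

    Returns {ECU ID in A: matching ECU ID in B}; empty when nothing is common or
    when both vehicles are in the same group (S75 compares across groups).
    """
    if cfg_a.group == cfg_b.group:
        return {}

    def key(cfg, ecu_id):
        return tuple(cfg.ecu_db[ecu_id][attr] for attr in match_on)

    by_key_b = {key(cfg_b, e): e for e in secondary_ecus(cfg_b, msg_b)}
    return {e: by_key_b[key(cfg_a, e)]
            for e in sorted(secondary_ecus(cfg_a, msg_a))
            if key(cfg_a, e) in by_key_b}


def _attrs(model_number, firmware):
    return {"model_number": model_number, "firmware": firmware}


# Constructed sample data. Vehicle A follows the page's example IDs.
VEHICLE_A = VehicleConfig(
    group="model-A",
    tx_ids={"ECU-001": {"CAN-001"}, "ECU-002": {"CAN-002"}, "ECU-003": {"CAN-003"},
            "ECU-004": {"CAN-004"}, "ECU-005": {"CAN-005"}, "ECU-006": {"CAN-006"}},
    buses={"BUS-1": ["ECU-001", "ECU-002", "ECU-003", "ECU-004", "ECU-005"],
           "BUS-2": ["ECU-006"]},
    ecu_db={"ECU-001": _attrs("ENG-10", "1.0"), "ECU-002": _attrs("BRK-20", "2.1"),
            "ECU-003": _attrs("STR-30", "1.4"), "ECU-004": _attrs("TCU-77", "3.2"),
            "ECU-005": _attrs("HVAC-5", "1.0"), "ECU-006": _attrs("BODY-9", "1.1")},
)
VEHICLE_B = VehicleConfig(
    group="model-B",
    tx_ids={"ECU-101": {"CAN-101"}, "ECU-102": {"CAN-102"}, "ECU-103": {"CAN-103"}},
    buses={"BUS-1": ["ECU-101", "ECU-102", "ECU-103"]},
    ecu_db={"ECU-101": _attrs("ENG-55", "4.0"), "ECU-102": _attrs("TCU-77", "3.2"),
            "ECU-103": _attrs("BRK-88", "1.0")},
)

if __name__ == "__main__":
    print(primary_ecu(VEHICLE_A, "CAN-001"))
    print(sorted(secondary_ecus(VEHICLE_A, "CAN-001")))
    print(attack_related_ecus(VEHICLE_A, "CAN-001", VEHICLE_B, "CAN-101"))
```

In the sample, the primary ECUs of the two vehicles differ, yet the comparison points at the one unit both buses share, which is the case the primary-ECU lookup alone cannot resolve when the message ID is spoofed.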
FIG. 22 is a sequence diagram of the network security system 1 corresponding to the processing by the data analysis server 200 shown in FIG. 19. As shown in FIG. 22, information may be presented to the user in response to the user's request. The presented information may include not only the attack-related ECU identified in step S77 but also other data that helps resolve the vulnerability, for example the data received from the vehicle 10 in S70, the primary ECU, and the secondary ECU group. However, the multiple users of the network security system 1 may include different manufacturers of vehicles, ECUs, or other supplied components. In that case, the information that the data analysis server 200 can present may include information that should be kept confidential depending on the user. In such a case, in the data analysis server 200, the access right management unit 260, which manages users' access rights, manages each user's access rights to each item of data (information), and information is presented in accordance with those access rights. FIG. 23 is a flowchart showing an example of the procedure for presenting information to a user of the network security system 1 in the present embodiment.
The data analysis server 200 receives an information presentation request from a user via a user interface (not shown) (step S80). This user has logged in to the data analysis server 200 using, for example, a unique ID and password. The access right management unit 260 checks the access rights of this user, identified by the ID, by referring to access right management information (not shown) held in the storage unit 240 (step S81). Then, in accordance with the access rights it confirmed, the access right management unit 260 presents the information the user can access, or a list of it, to the user through the information presentation unit 280 (step S82). For example, suppose access rights are managed so that a user belonging to a certain vehicle manufacturer can access only information on that company's vehicles. In this case, what is presented to the user in step S82 is only the information on attack CAN messages that occurred in vehicles that are products of the user's company, the primary ECUs associated with those attack CAN messages, their secondary ECU groups, and the ECUs finally identified as attack-related ECUs.
Using such access right management in combination encourages use of the data analysis server 200 by a variety of users, including manufacturers that handle data to be kept confidential from other companies. If use by a variety of users is realized, vehicle data is collected at the data analysis server 200 from more, and more varied, vehicles, and it becomes more likely that more secondary ECU groups exist for comparison in step S75 of the present embodiment. As a result, the likelihood that an attack-related ECU can be identified also increases.
In the above description, the ECU to be identified was an ECU that had come to transmit attack CAN messages as a result of a cyber attack, or an ECU likely to have a vulnerability to intrusion into the in-vehicle network 100. However, the technique of the present embodiment is not limited to cyber attacks; it can also be applied to identifying ECUs likely to have other kinds of abnormality, such as mechanical defects caused by manufacturing faults, bugs, or failures arising in use. In this case, the data analysis server 200 executes the process shown in FIG. 19 using abnormal messages in place of attack CAN messages. That is, an abnormality analysis result is acquired that identifies and indicates the abnormal messages transmitted from an ECU because of these abnormalities. Such an abnormal message is another example of abnormal data in the present embodiment. The related ECU identification unit 250 then identifies the common ECU it has found as an abnormality-related ECU in step S77.
Also in the present embodiment, what the data acquisition unit 210 acquires is not limited to the results of analysis of abnormalities, such as attacks, performed in each vehicle 10. For example, it may be the result of the data analysis unit 220 analyzing CAN messages transmitted from a vehicle 10 that has no function for analyzing whether an abnormality is present.
(Other embodiments)
The embodiments above have been described as examples of the technology according to the present invention. However, the technology according to the present invention is not limited to these, and is also applicable to embodiments in which changes, replacements, additions, omissions, and the like have been made as appropriate.
For example, in each of the above embodiments, each component may be configured as dedicated hardware or may be realized by executing a software program suited to that component. Each component may be realized by a program execution unit, such as a CPU or processor, reading and executing a software program recorded on a recording medium such as a hard disk or semiconductor memory.
This program is, for example, a program that causes a computer including a processor and a memory to: acquire, from each of a plurality of vehicles equipped with an in-vehicle network, data indicating an abnormality level based on the likelihood that a cyber attack on that vehicle has occurred; compile statistics of the abnormality levels indicated by the data for each group into which the plurality of vehicles are classified based on a predetermined condition; when the abnormality level of a first vehicle, which is one of the plurality of vehicles, is below a predetermined height, and the number of cases in the statistics of the group to which the first vehicle belongs that indicate an abnormality level at or above the predetermined height is at or above a predetermined reference, determine that the abnormality level of the first vehicle is to be changed to a corrected level at or above the predetermined height; and, when it is determined that the abnormality level of the first vehicle is to be changed to the corrected level, transmit to the first vehicle an instruction that causes the in-vehicle network of the first vehicle to recognize the corrected level as its abnormality level.
Forms realized by arbitrarily combining the components and functions shown in the above embodiments and variations are also included in the scope of the present invention.
The present invention is applicable to in-vehicle security systems that include an in-vehicle network.
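The server-side determination described for the program above, as an added Python sketch that is not code from the patent. The integer level scale, the values of `ACTION_LEVEL` and `MIN_HIGH_COUNT`, the `Report` fields, grouping by manufacturer and model, and counting each vehicle once by its latest report are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

ACTION_LEVEL = 3    # assumed "predetermined height" on an assumed integer scale
MIN_HIGH_COUNT = 2  # assumed "predetermined reference", taken here as a count

@dataclass(frozen=True)
class Report:           # hypothetical record of one vehicle's upload
    vehicle_id: str
    maker: str
    model: str
    level: int          # abnormality level the vehicle determined for itself

def group_key(report):
    # One of the listed grouping conditions: same manufacturer and same model.
    return (report.maker, report.model)

def latest_per_vehicle(reports):
    # Assumption: a vehicle counts once, by its most recent report, so one
    # vehicle that reports repeatedly cannot escalate its whole group.
    return list({r.vehicle_id: r for r in reports}.values())

def group_statistics(reports):
    """Histogram of abnormality levels for each group of vehicles."""
    stats = defaultdict(Counter)
    for r in latest_per_vehicle(reports):
        stats[group_key(r)][r.level] += 1
    return stats

def decide_corrections(reports, threshold=ACTION_LEVEL,
                       min_count=MIN_HIGH_COUNT, corrected_level=None):
    """Return {vehicle_id: corrected level} for the instructions to send."""
    corrected_level = threshold if corrected_level is None else corrected_level
    if corrected_level < threshold:
        raise ValueError("corrected level must be at or above the threshold")
    stats = group_statistics(reports)
    instructions = {}
    for r in latest_per_vehicle(reports):
        if r.level >= threshold:
            continue  # the vehicle already acts on its own level
        high = sum(n for lvl, n in stats[group_key(r)].items() if lvl >= threshold)
        if high >= min_count:
            instructions[r.vehicle_id] = corrected_level
    return instructions

# Constructed sample reports; veh-005 uploads the same high level twice.
SAMPLE_REPORTS = [
    Report("veh-001", "MakerA", "ModelX", 3),
    Report("veh-002", "MakerA", "ModelX", 4),
    Report("veh-003", "MakerA", "ModelX", 1),
    Report("veh-005", "MakerA", "ModelY", 3),
    Report("veh-005", "MakerA", "ModelY", 3),
    Report("veh-006", "MakerA", "ModelY", 1),
]
```

With the sample data only veh-003 is raised: its group has two distinct vehicles at or above the threshold, while the MakerA/ModelY group has one vehicle that reported twice.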
1 Network security system
10, 10A, 10B Vehicle
100 In-vehicle network
110 External communication device
120 Gateway
130 Vehicle data analysis device
131 Vehicle data acquisition unit
132 External data acquisition unit
133 Driving state analysis unit
135 Storage unit
136 Analysis result transmission unit
137 Vehicle control data transmission unit
150 ECU
200 Data analysis server
210 Data acquisition unit
220 Data analysis unit
230 Determination unit
240 Storage unit
250 Related ECU identification unit
260 Access right management unit
270 Information transmission unit
280 Information presentation unit
300 Traffic infrastructure system
900 Communication network

Claims (5)

  1.  A data analysis device comprising:
     a data acquisition unit that acquires, from each of a plurality of vehicles equipped with an in-vehicle network, data indicating an abnormality level based on the likelihood that a cyber attack on that vehicle has occurred;
     a data analysis unit that compiles statistics of the abnormality levels indicated by the data for each group into which the plurality of vehicles are classified based on a predetermined condition;
     a determination unit that, when the abnormality level of a first vehicle, which is one of the plurality of vehicles, is below a predetermined height, and the number of cases in the statistics of the group to which the first vehicle belongs that indicate an abnormality level at or above the predetermined height is at or above a predetermined reference, determines that the abnormality level of the first vehicle is to be changed to a corrected level at or above the predetermined height; and
     an information transmission unit that, when the determination unit determines that the abnormality level of the first vehicle is to be changed to the corrected level, transmits to the first vehicle an instruction that causes the in-vehicle network of the first vehicle to recognize the corrected level as its abnormality level.
  2.  The data analysis device according to claim 1,
     wherein the abnormality level of the predetermined height is a level at which, when it is recognized in the in-vehicle network of the first vehicle, a countermeasure against a cyber attack is executed in the first vehicle.
  3.  The data analysis device according to claim 1,
     wherein the abnormality level of the predetermined height is a level at which, when it is recognized in the in-vehicle network of the first vehicle, no countermeasure against a cyber attack is executed in the plurality of vehicles, and
     the corrected level is a level at which, when it is recognized in the in-vehicle network of the first vehicle, a countermeasure against a cyber attack is executed in the first vehicle.
  4.  The data analysis device according to any one of claims 1 to 3,
     wherein the predetermined condition is any one of, or a combination of two or more of:
     (1) traveling within a predetermined area within a predetermined period;
     (2) being of the same vehicle model;
     (3) being from the same manufacturer;
     (4) having a common in-vehicle network configuration; and
     (5) having a common time slot in which the data was generated.
  5.  A program that causes a computer including a processor and a memory to:
     acquire, from each of a plurality of vehicles equipped with an in-vehicle network, data indicating an abnormality level based on the likelihood that a cyber attack on that vehicle has occurred;
     compile statistics of the abnormality levels indicated by the data for each group into which the plurality of vehicles are classified based on a predetermined condition;
     when the abnormality level of a first vehicle, which is one of the plurality of vehicles, is below a predetermined height, and the number of cases in the statistics of the group to which the first vehicle belongs that indicate an abnormality level at or above the predetermined height is at or above a predetermined reference, determine that the abnormality level of the first vehicle is to be changed to a corrected level at or above the predetermined height; and
     when it is determined that the abnormality level of the first vehicle is to be changed to the corrected level, transmit to the first vehicle an instruction that causes the in-vehicle network of the first vehicle to recognize the corrected level as its abnormality level.
PCT/JP2018/042234 2018-01-22 2018-11-15 Data analysis device and program WO2019142474A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201862620180P 2018-01-22 2018-01-22
US62/620,180 2018-01-22
JP2018-161576 2018-08-30
JP2018161576A JP2019129528A (en) 2018-01-22 2018-08-30 Data analysis device and program

Publications (1)

Publication Number Publication Date
WO2019142474A1 true WO2019142474A1 (en) 2019-07-25

Family

ID=67301724

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/042234 WO2019142474A1 (en) 2018-01-22 2018-11-15 Data analysis device and program

Country Status (1)

Country Link
WO (1) WO2019142474A1 (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170230385A1 (en) * 2014-09-25 2017-08-10 Tower-Sec Ltd. Vehicle correlation system for cyber attacks detection and method thereof
JP2017112594A (en) * 2015-12-14 2017-06-22 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Security device, network system and attack detection method
JP2017111796A (en) * 2015-12-16 2017-06-22 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Security processing method and server

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431855A (en) * 2020-02-26 2020-07-17 宁波吉利罗佑发动机零部件有限公司 Vehicle CAN signal analysis method, device, equipment and medium
CN114677779A (en) * 2022-03-30 2022-06-28 广州文远知行科技有限公司 Vehicle configuration state monitoring method and device, storage medium and computer equipment
CN114677779B (en) * 2022-03-30 2024-05-28 广州文远知行科技有限公司 Vehicle configuration state monitoring method and device, storage medium and computer equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18900715

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18900715

Country of ref document: EP

Kind code of ref document: A1