WO2021019635A1 - Security device, attack response processing method, computer program, and storage medium - Google Patents


Info

Publication number: WO2021019635A1
Authority: WO (WIPO, PCT)
Application number: PCT/JP2019/029626
Other languages: French (fr), Japanese (ja)
Prior art keywords: attack, risk, network, response, information
Inventors: 徹 小河原, 泰生 山本, 直樹 廣部
Original assignee: オムロン株式会社 (Omron Corporation)
Related Japanese application: JP2021536477A (patent JP7160206B2)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Definitions

  • The present invention relates to a security device, an attack response processing method, a computer program, and a storage medium.
  • Patent Document 1 discloses an in-vehicle communication system comprising a plurality of vehicle control devices connected to a vehicle network and a gateway that manages communication between these vehicle control devices.
  • In that system the gateway is duplicated and a countermeasure table is provided.
  • The countermeasure table defines the malfunction phenomena that can occur in communication, the method for confirming whether each phenomenon is caused by a gateway failure or by a security attack on the gateway, and the corresponding countermeasure.
  • The in-vehicle communication system determines the cause of a detected malfunction phenomenon using the confirmation method specified in the countermeasure table, so that it can properly distinguish a gateway failure from a security attack on the gateway and take the appropriate measure in each case.
  • However, an attacker may first carry out a preparatory attack that buys time before anything is judged to be a security attack.
  • For example, the attacker first disconnects ECU 3 from the network as a preliminary attack.
  • As a result, the traffic on the communication path temporarily decreases.
  • The attacker then connects a malicious ECU to the network and starts transmitting illegal messages from it.
  • The traffic on the communication path gradually increases again.
  • Because the traffic was first pushed below its normal level, the moment at which the increase in traffic exceeds the abnormality detection threshold Th1 is delayed.
  • Detection of the attack is therefore delayed. Although the gateway ECU monitors the traffic, it takes time to detect the attack and cut off communication, and because the network is exposed to the attack for a long time, the damage is likely to be large.
  • By the time the determination is made, the risk level has already increased.
  • In another example, the attacker applies an electrical attack to a sensor ECU (for example, injecting noise into the vehicle speed pulse) and alters the sensor's output value.
  • A malicious ECU is then connected to the network and begins transmitting illegal control messages.
  • The gateway ECU checks the consistency between the sensor value and the control message, but because the sensor value has been altered and an illegal control message is being transmitted, it can no longer judge that consistency correctly.
  • Even if the attack is eventually detected, the risk level has already increased by the time of detection, and the damage may be larger as a result.
  • The present invention was made in view of the above problems. Its purpose is to provide a security device, an attack response processing method, a computer program, and a storage medium that also take potential attacks on the device network into account, grasp the status of the risk posed by those attacks, and can quickly implement an appropriate attack response (security countermeasure) according to that risk status.
  • The security device (1) according to the present disclosure is a security device included in a device network in which one or more devices are connected via a communication path. It comprises:
  • an attack detection unit that detects an attack based on an abnormality that has occurred in the device network;
  • a network information acquisition unit that acquires information on the state of the devices or sensors included in the device network (hereinafter, network information);
  • a risk calculation unit that calculates the current risk level in the device network based on the network information; and
  • an attack response determination unit that determines the attack response to be implemented against the attack based on the risk level calculated by the risk calculation unit.
  • According to the security device (1), the attack response to be implemented is determined from the risk level calculated by the risk calculation unit. When the risk is high the security level can be raised quickly, and when the risk is low the degree of function restriction is kept lower, so that an attack response suited to the conditions can be implemented quickly.
  • The communication path may be a wired path, a wireless path, or a path that combines wired and wireless segments.
  • The security device (2) is the security device (1) above, in which the risk calculation unit calculates the risk level based on points allocated in advance to each risk factor in the network information. Risk factors include, for example, interruption of communication with an ECU, detection of a temporary communication error, a sensor value abnormality, and a hardware failure; the degree of risk of each factor is considered in advance and expressed as a point value such as 2.0 or 0.1.
  • According to the security device (2), an appropriate risk level can be calculated quickly, and therefore an appropriate attack response according to the risk level can be implemented quickly.
  • The security device (3) is the security device (1) or (2) above, further comprising an execution condition storage unit that stores table information indicating the relationship between the calculated risk level and the attack response, and in which the attack response determination unit determines the attack response based on that table information.
  • According to the security device (3), because the attack response determination unit determines the attack response using the table information, the attack response optimized for the calculated risk level can be determined quickly, realizing both optimization and speed-up of the attack response.
  • The security device (4) is any of the security devices (1) to (3) above, further comprising an execution condition storage unit that stores table information indicating the relationship between the attack type, the risk level, and the attack response, and in which the attack response determination unit determines, based on that table information, the attack response for each combination of the attack type and the calculated risk level.
  • According to the security device (4), because the attack response determination unit determines the attack response using the table information, the attack response optimized for each combination of attack type and calculated risk level can be determined quickly, again realizing optimization and speed-up of the attack response.
  • Expansion of the damage caused by the attack can be stopped promptly by executing a high-level attack response from the table information without delay.
  • Executing the attack response from the table information without excessively restricting the functions of the device allows the attack response to be carried out without impairing the device's convenience.
  • The security device (5) is any of the security devices (1) to (4) above, in which the threshold value for abnormality detection is changed according to the status of the attack risk to the devices and sensors included in the device network. For example, if the anomaly detection threshold is lowered when the risk is high, anomalies are detected earlier, attacks are detected earlier, the attack response starts at an earlier stage, and the damage caused by the attack can be reduced.
  • The security device (6) is any of the security devices (1) to (5) above, in which the device is a control device mounted on a vehicle and the device network is an in-vehicle network.
  • According to the security device (6), when one or more of the control devices on the in-vehicle network connected via the communication path are attacked, the vehicle alone can respond to the attack, and the attack response can be executed efficiently and quickly under conditions that take the risk of the attack into account. The user of the vehicle can therefore ride with greater peace of mind, without worrying about the security threat.
  • The security device (7) is the security device (6) above, in which the control devices include at least one of a traveling system control device, a driving support system control device, a body system control device, an information system control device, and a diagnostic connector device of the vehicle.
  • According to the security device (7), even when an attack on any of the control devices listed above is included, the attack response can be executed quickly and accurately under conditions that take the risk of those attacks into account.
  • The security device (8) is any of the security devices (1) to (5) above, in which the device is an industrial device constituting an FA (factory automation) system and the device network is an industrial device network.
  • According to the security device (8), when one or more control devices on the device network connected via the communication path are attacked, the industrial device alone can respond to the attack, and the attack response can be executed efficiently and quickly under conditions that take the risk of those attacks into account. The user of the industrial device can therefore use it with greater peace of mind, without worrying about the security threat.
  • The attack response processing method (1) according to the present disclosure is executed by at least one computer included in a device network in which one or more devices are connected via a communication path, and comprises:
  • a risk calculation step that acquires information about the state of the device network and calculates the current risk level of the device network;
  • an attack detection step that detects an attack based on an abnormal situation that has occurred in the device network;
  • a response determination step that determines, based on the calculated risk level, the attack response to be implemented against the attack; and
  • a response implementation step that implements the determined attack response.
  • According to the attack response processing method (1), the attack response to be implemented is based on the risk level calculated in the risk calculation step. If the risk is high the security level can be raised promptly, while if the risk is low the degree of function restriction is kept lower under appropriate conditions, and the attack response can be implemented quickly.
  • The attack response processing method (2) is the method (1) above, in which the risk calculation step comprises a step of acquiring communication error information, a step of acquiring hardware error information, and a step of determining abnormalities in sensor values and creating sensor value abnormality information. According to the method (2), the dangers that may arise in the device network can be grasped accurately, so the risk level can be calculated appropriately and with high accuracy.
  • The attack response processing method (3) is the method (2) above, further comprising a step of acquiring the score for each item of abnormality information from a pre-created abnormality information score table and a step of calculating the risk level from the total of the acquired points. According to the method (3), an appropriate risk level can be calculated quickly, and therefore an appropriate attack response according to the risk situation can be implemented quickly.
  • The attack response processing method (4) is any of the methods (1) to (3) above, in which the response determination step comprises a step of obtaining the calculated risk level, a step of calling a pre-created table that defines the response for each risk level, and a step of determining the response from the calculated risk level using that response table. According to the method (4), an appropriate risk level can be calculated quickly and the optimum attack response for each risk level can be implemented quickly.
  • The computer program (1) according to the present disclosure causes at least one computer included in the device network to execute each step of any of the attack response processing methods (1) to (4). According to the computer program (1), the computer can be made to calculate an appropriate risk level quickly and to implement the optimum attack response according to the risk situation promptly.
  • The computer program may be stored in a storage medium or may be transferable via a communication network or the like.
  • The computer-readable storage medium (1) according to the present disclosure stores a computer program for causing at least one computer in the device network to execute the steps of any of the attack response processing methods (1) to (4). According to the storage medium (1), the computer can be made to calculate an appropriate risk level quickly and to implement the optimum attack response according to the risk situation quickly.
  • FIG. 1 is a schematic block diagram showing an example in which the security device according to the embodiment is applied to an in-vehicle network system.
  • The in-vehicle network 2 is a communication network system mounted on the vehicle 1 and includes an OBDII (On-board diagnostics II) connector 4, a traveling system ECU (Electronic Control Unit) group 5, a driving support system ECU group 6, a body system ECU group 7, an information system ECU group 8, and a gateway ECU 10.
  • The in-vehicle network 2 in the present embodiment communicates according to the CAN (Controller Area Network) protocol, but a communication standard other than CAN may of course be applied to the in-vehicle network 2.
  • The traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, and the information system ECU group 8 are given as examples of control devices mounted on the vehicle 1; there may be additional ECU groups.
  • Likewise, the number of channels of the gateway ECU 10 is not limited to these five.
  • In FIG. 1 the ECU groups are connected to the gateway ECU 10 by functional system, but the connection method is not limited to this: the gateway ECU 10 may be connected between ECU groups, or another method may be used.
  • OBDII 4 is shown as an example of a diagnostic connector device that provides a port to which a diagnostic device or scan tool for failure diagnosis, maintenance, or the like is connected.
  • The traveling system ECU group 5 includes drive system ECUs and chassis system ECUs.
  • The drive system ECUs include control units for "running" functions such as engine control, motor control, fuel cell control, EV (Electric Vehicle) control, or transmission control.
  • The chassis system ECUs include control units for "stopping / turning" functions such as brake control or steering control.
  • The driving support system ECU group 6 includes at least one control unit for functions that automatically improve safety in cooperation with the traveling system ECU group 5, or that realize comfortable driving (driving support functions or automated driving functions): for example automatic brake assist, lane keeping assist (LKA, Lane Keep Assist), constant speed driving / inter-vehicle distance control (ACC, Adaptive Cruise Control), forward collision warning, lane departure warning, blind spot monitoring, traffic sign recognition, and driver monitoring.
  • The driving support system ECU group 6 may, for example, provide the functions of level 1 (driver assistance), level 2 (partial automated driving), and level 3 (conditional automated driving) of the automated driving levels defined by SAE (the Society of Automotive Engineers, United States), and may further provide the functions of level 4 (high automated driving) and level 5 (full automated driving).
  • The body system ECU group 7 includes at least one control unit for vehicle body functions such as door locks, smart key, power windows, air conditioner, lights, or turn signals (winkers).
  • The information system ECU group 8 includes an infotainment device, a telematics device, or an ITS (Intelligent Transport Systems) related device.
  • The infotainment device includes, for example, a car navigation device and an audio device.
  • The telematics device includes a communication unit for connecting to a mobile phone network and the like.
  • The ITS-related device includes an ETC (Electronic Toll Collection System) unit, or a communication unit for road-to-vehicle communication with a roadside unit such as an ITS spot, or for vehicle-to-vehicle communication.
  • External interfaces of these devices include, for example, Bluetooth®, Wi-Fi®, USB (Universal Serial Bus) ports, and memory card slots.
  • The gateway ECU 10 exchanges frames (messages) with each ECU group in the in-vehicle network 2 according to the CAN protocol, and functions as the security device according to the present embodiment.
  • Each ECU of the traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, the information system ECU group 8, and the gateway ECU 10 is a computer device comprising one or more processors, memory, a communication module, and the like. The processor of each ECU reads, interprets, and executes the program stored in its memory, whereby each ECU performs its predetermined control.
  • FIG. 2 is a block diagram showing a functional configuration example of the gateway ECU 10 according to the embodiment.
  • The gateway ECU 10 includes a gateway function unit 11 and a security control unit 12.
  • The function of the security device according to this embodiment is implemented in the security control unit 12.
  • The gateway ECU 10 comprises memory, including a ROM (Read Only Memory) that stores the program and a RAM (Random Access Memory), a processor such as a CPU (Central Processing Unit) that reads the program from that memory and executes it, and a communication module for connecting to the in-vehicle network 2.
  • The gateway function unit 11 controls the transfer of frames (messages) between the ECU groups via the bus 3. It includes, for example, a frame transmission / reception unit, a frame interpretation unit, and a frame conversion unit (not shown), that is, the configuration needed for mutual communication with each ECU group of the in-vehicle network 2 according to the CAN protocol.
  • Frames in the CAN protocol include, for example, data frames, remote frames, overload frames, and error frames.
  • A data frame consists of the SOF (Start Of Frame), ID, RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit, DLC (Data Length Code), data field, CRC (Cyclic Redundancy Check) sequence, CRC delimiter (DEL), ACK (Acknowledgement) slot, ACK delimiter (DEL), and EOF (End Of Frame) fields.
  • The security control unit 12 includes a network information acquisition unit 21, a risk calculation unit 22, an attack detection unit 23, an attack response determination unit 24, a response implementation unit 25, and an execution condition storage unit 31.
  • The security control unit 12 is configured as hardware comprising memory (ROM, RAM, and the like) that stores the programs executed by each of the above units and a processor that reads those programs from the memory and executes them; the functions of the units are realized by the cooperation of this hardware and the programs.
  • The network information acquisition unit 21 acquires network information on the state of each ECU group connected to the gateway ECU 10 via the bus 3. This network information covers the communication status, the status of the various sensor values, the hardware failure status, and so on: in other words, all information regarding the status of the vehicle 1.
  • The network information acquired by the network information acquisition unit 21 is sent to the risk calculation unit 22.
  • The risk calculation unit 22 calculates the risk level of the current security attack based on the network information sent from the network information acquisition unit 21.
  • The risk calculation unit 22 stores a risk factor table for risk calculation as shown in FIG. 5, and calculates the risk level from the incoming network information on the basis of that table.
  • The attack detection unit 23 detects an abnormality (frame abnormality, bus abnormality, etc.) that has occurred in the in-vehicle network 2 based on the frames acquired from the gateway function unit 11, and identifies the type of attack corresponding to the detected abnormality. When the type of attack cannot be identified (for example, an unknown attack), the attack detection unit 23 also estimates the type of attack corresponding to the detected abnormality. Information on the attack identified or estimated by the attack detection unit 23 is sent to the attack response determination unit 24.
  • A frame abnormality is detected by checking, for example, parameters such as the RTR, DLC, payload, and reception cycle set for each frame ID.
  • A frame abnormality represents an abnormality of a CAN signal on its own.
  • A bus abnormality is detected by checking parameters such as the bus load factor of each bus 3 of CH1 to CH5, the bus state (for example, the presence or absence of a bus error), and the IDs appearing on those buses 3.
  • A bus abnormality represents a situational abnormality in the CAN signals.
  • To identify the type of attack, the abnormality data collected within a predetermined time after the first abnormality is detected is collated with the anomaly detection patterns (each comprising multiple anomaly detection parameters) held in advance for each type of attack.
  • To estimate the type of attack, the same data is collated with the attack estimation patterns (each comprising multiple estimation parameters) held in advance for each attack type, and the attack type closest to the detected anomaly is estimated.
  • The attack information sent to the attack response determination unit 24 can be, for example, the attack information acquired during the period corresponding to the predetermined time in which the network information acquisition unit 21 collects network information and the risk level is calculated.
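The frame and bus checks above, combined with the risk-dependent detection threshold of security device (5), as an added example in Python (not the patent's own code). The CAN IDs, per-ID parameters, sample frames, bus-load series and the rule that lowers Th1 by risk level are all constructed; the load series reproduces the scenario in which an ECU is first disconnected and a malicious ECU then ramps up traffic, so a fixed Th1 fires late while the risk-adjusted Th1 fires earlier.

```python
"""Added example (not code from the patent): per-ID frame checks and a bus-load
check whose threshold Th1 is lowered as the risk level rises (security device (5)).
IDs, frame specs, sample frames, load series and constants are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    t_ms: float   # reception time in ms
    can_id: int
    dlc: int      # Data Length Code carried in the frame
    rtr: bool     # Remote Transmission Request bit
    data: bytes


@dataclass(frozen=True)
class IdSpec:
    dlc: int          # expected DLC for this ID
    cycle_ms: float   # nominal reception cycle
    tolerance: float  # allowed relative deviation of the cycle


# Hypothetical per-ID parameters ("RTR, DLC, payload and reception cycle set for each frame ID").
FRAME_SPECS: Dict[int, IdSpec] = {
    0x0C1: IdSpec(dlc=8, cycle_ms=10.0, tolerance=0.5),
    0x1A0: IdSpec(dlc=2, cycle_ms=100.0, tolerance=0.5),
}


def frame_anomalies(frames: List[Frame], specs: Dict[int, IdSpec]) -> List[Tuple[float, int, str]]:
    """Frame abnormality check; returns one (t_ms, can_id, reason) per finding.
    An ID absent from the spec table is a bus-level finding (unexpected ID on the bus)."""
    last_seen: Dict[int, float] = {}
    findings: List[Tuple[float, int, str]] = []
    for f in sorted(frames, key=lambda x: x.t_ms):
        spec = specs.get(f.can_id)
        if spec is None:
            findings.append((f.t_ms, f.can_id, "unknown-id"))
            continue
        if f.rtr:
            findings.append((f.t_ms, f.can_id, "rtr"))
        if f.dlc != spec.dlc or len(f.data) != f.dlc:
            findings.append((f.t_ms, f.can_id, "dlc"))
        prev = last_seen.get(f.can_id)
        if prev is not None and abs((f.t_ms - prev) - spec.cycle_ms) > spec.tolerance * spec.cycle_ms:
            findings.append((f.t_ms, f.can_id, "cycle"))
        last_seen[f.can_id] = f.t_ms
    return findings


def adjusted_threshold(th1: float, risk_level: int, step: float = 5.0, floor: float = 30.0) -> float:
    """Lower the bus-load threshold Th1 (in %) as the risk level rises.
    The linear rule (5 points per level, never below 30 %) is an assumption."""
    return max(floor, th1 - step * risk_level)


def first_detection(load_pct: List[float], risk_levels: List[int], th1: float) -> Optional[int]:
    """Index of the first window whose bus load exceeds the risk-adjusted threshold."""
    for i, (load, risk) in enumerate(zip(load_pct, risk_levels)):
        if load > adjusted_threshold(th1, risk):
            return i
    return None


# Constructed bus-load series (% per window) for the scenario on the page: an ECU is
# disconnected in window 2 (load falls), then a malicious ECU gradually raises the load.
LOAD_PCT = [40.0, 40.0, 25.0, 30.0, 35.0, 40.0, 45.0, 50.0, 55.0, 60.0, 65.0, 70.0]
# Risk level reported by the risk calculation unit: the interruption raises it to 3.
RISK_LEVEL = [0, 0] + [3] * 10
TH1 = 60.0

# Constructed frames: a correctly cycled stream, one injected frame, one wrong DLC,
# and one ID that is not in the spec table.
FRAMES = [
    Frame(0.0, 0x0C1, 8, False, bytes(8)),
    Frame(10.0, 0x0C1, 8, False, bytes(8)),
    Frame(20.0, 0x0C1, 8, False, bytes(8)),
    Frame(22.0, 0x0C1, 8, False, bytes(8)),          # 2 ms after the previous one
    Frame(30.0, 0x0C1, 8, False, bytes(8)),
    Frame(50.0, 0x1A0, 3, False, b"\x01\x02\x03"),   # DLC 3 where 2 is expected
    Frame(60.0, 0x7FF, 0, True, b""),                # unexpected ID
]

if __name__ == "__main__":
    for finding in frame_anomalies(FRAMES, FRAME_SPECS):
        print("frame abnormality:", finding)
    fixed = first_detection(LOAD_PCT, [0] * len(LOAD_PCT), TH1)
    adaptive = first_detection(LOAD_PCT, RISK_LEVEL, TH1)
    print(f"fixed Th1 detects in window {fixed}; risk-adjusted Th1 in window {adaptive}")
```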
  • The attack response determination unit 24 determines the attack response to be implemented based on the risk level calculated by the risk calculation unit 22 and the response information stored in the execution condition storage unit 31.
  • The attack response information determined by the attack response determination unit 24 is sent to the response implementation unit 25.
  • The execution condition storage unit 31 stores the attack response information to be executed for each risk level calculated by the risk calculation unit 22.
  • FIG. 7 is a diagram showing an example of the attack response information table stored in the execution condition storage unit 31.
  • In this example, when the calculated risk level is 0 or 1, communication interruption and recording in the log are specified as the attack response; when the calculated risk level is 2 or 3, function degradation such as stopping automated driving is additionally specified; and when the calculated risk level is 9, in addition to all the measures up to risk level 8, the warning "There is a risk that the vehicle has been seriously attacked by security. Please have the nearest dealer check it immediately." is displayed.
  • The response implementation unit 25 implements the attack response determined by the attack response determination unit 24.
  • The configuration in which the gateway ECU 10 detects an attack is not limited to the above.
  • For example, a function similar to that of the attack detection unit 23 may be provided on a cloud computer, and the attack information identified or estimated on the cloud side may be acquired by communication via an external communication network.
  • FIG. 3 is a schematic flowchart showing the processing performed by the security control unit 12 of the gateway ECU 10 according to the embodiment.
  • In step S1, the security control unit 12 performs the risk calculation process.
  • The details of this risk calculation process are shown in the flowchart of FIG.
  • In step S2, the security attack detection process is performed.
  • The security attack detection process is not particularly limited here, but, for example, as described above, it detects an abnormality (frame abnormality, bus abnormality, etc.) that has occurred in the in-vehicle network 2 based on the frames acquired from the gateway function unit 11 and identifies the type of attack corresponding to the detected abnormality. When the type of attack cannot be identified (for example, an unknown attack), it also estimates the type of attack corresponding to the detected abnormality.
  • When the security attack detection process is completed, the process proceeds to step S3, in which the attack response determination process is performed. The details of this attack response determination process are shown in the flowchart of FIG.
  • The process then proceeds to step S4, in which the determined attack response is output to the response implementation unit 25.
  • In step S11, communication abnormality information is acquired.
  • If, in the communication with each ECU group, there is an ECU whose communication has been interrupted, there is a high probability that this is the result of an attack or of preparation for the true attack, and the risk is high. Such a situation is detected in step S11.
  • When the communication abnormality information has been acquired in step S11, the process proceeds to step S12, in which hardware abnormality information (as distinct from hardware failure information) is acquired. If an abnormality has occurred in the hardware, it is highly probable that it too was caused by an attack, and the risk is considered higher than for a communication abnormality.
  • When the hardware abnormality information has been acquired in step S12, the process proceeds to step S13, in which each sensor value is checked for abnormality and sensor value abnormality information is created.
  • Some sensor value abnormalities can be judged immediately by the attack detection unit 23 to be due to an attack; but even an ambiguous abnormal value that cannot be judged immediately to be an attack has, in fact, a high probability of being caused by a preparatory attack preceding the true attack.
  • In step S13, such sensor value abnormalities are also acquired and judged, the abnormality information for each sensor value is collected, and the sensor value abnormality information is created.
  • In step S14, the score for each item of abnormality information is acquired.
  • The scores are taken, for example, from the risk score table per risk factor shown in FIG. 5, which is stored in the risk calculation unit 22; this table is consulted and, based on the scores stored in it, the risk level is calculated from all the network information sent from the network information acquisition unit 21.
  • In step S15, the risk level of the security attack is calculated by summing the risk points detected for each risk factor.
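Steps S11 to S15, and the point-per-risk-factor scheme of security device (2), as an added example in Python (not the patent's own code or its FIG. 5 table). Only the 2.0 and 0.1 point values come from the page; the ECU names, the sensor plausibility ranges, the remaining weights, the one-point-per-temporary-error rule and the mapping from point total to the 0 to 9 risk level are assumptions.

```python
"""Added example (not code from the patent): the risk calculation of steps S11 to S15
with a constructed version of the FIG. 5 risk-factor point table. Only the 2.0 and 0.1
point values come from the page; ECU names, sensor ranges, other weights and the
point-to-level mapping are assumptions."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RISK_POINTS: Dict[str, float] = {
    "comm_interrupted": 2.0,      # communication with an ECU is interrupted (page value)
    "comm_error_temporary": 0.1,  # a temporary communication error was detected (page value)
    "hw_abnormal": 3.0,           # hardware abnormality; the page ranks it above a comm abnormality
    "sensor_abnormal": 1.0,       # sensor value outside its plausible range
}

# Plausible range per sensor; a reading outside it is a sensor value abnormality.
SENSOR_RANGES: Dict[str, Tuple[float, float]] = {
    "vehicle_speed_kmh": (0.0, 250.0),
    "speed_pulse_hz": (0.0, 2000.0),
}

Finding = Tuple[str, str]         # (risk factor, where it was observed)
Scored = Tuple[str, str, float]   # the same plus its point value


@dataclass
class EcuStatus:
    """Network information for one ECU as collected by the network information acquisition unit."""
    name: str
    comm_ok: bool
    temp_comm_errors: int = 0
    hw_abnormal: bool = False
    sensors: Dict[str, float] = field(default_factory=dict)


def step_s11_comm(ecus: List[EcuStatus]) -> List[Finding]:
    """Communication abnormality information: interruptions and temporary errors."""
    found: List[Finding] = []
    for e in ecus:
        if not e.comm_ok:
            found.append(("comm_interrupted", e.name))
        found.extend([("comm_error_temporary", e.name)] * e.temp_comm_errors)
    return found


def step_s12_hw(ecus: List[EcuStatus]) -> List[Finding]:
    """Hardware abnormality information (distinct from hardware failure information)."""
    return [("hw_abnormal", e.name) for e in ecus if e.hw_abnormal]


def step_s13_sensors(ecus: List[EcuStatus]) -> List[Finding]:
    """Sensor value abnormality information: readings outside their plausible range."""
    found: List[Finding] = []
    for e in ecus:
        for sensor, value in e.sensors.items():
            lo, hi = SENSOR_RANGES.get(sensor, (-math.inf, math.inf))
            if not lo <= value <= hi:
                found.append(("sensor_abnormal", f"{e.name}:{sensor}"))
    return found


def step_s14_scores(findings: List[Finding]) -> List[Scored]:
    """Look up the point value of every finding in the risk-factor table."""
    return [(factor, where, RISK_POINTS[factor]) for factor, where in findings]


def step_s15_total(scored: List[Scored]) -> float:
    """Sum the points of all detected risk factors."""
    return sum(points for _, _, points in scored)


def risk_level(total_points: float) -> int:
    """Map the point total to the 0..9 level used by the response table (assumed: floor, capped at 9)."""
    return min(9, int(math.floor(total_points)))


def calculate_risk(ecus: List[EcuStatus]) -> Tuple[float, int, List[Scored]]:
    findings = step_s11_comm(ecus) + step_s12_hw(ecus) + step_s13_sensors(ecus)
    scored = step_s14_scores(findings)
    total = step_s15_total(scored)
    return total, risk_level(total), scored


# Constructed snapshot of the page's preliminary-attack scenario: ECU 3 has been
# disconnected and the speed pulse reported by another ECU is disturbed.
PRELIMINARY_ATTACK = [
    EcuStatus("ecu3", comm_ok=False),
    EcuStatus("speed_sensor_ecu", comm_ok=True, temp_comm_errors=2,
              sensors={"speed_pulse_hz": 3500.0, "vehicle_speed_kmh": 62.0}),
    EcuStatus("body_ecu", comm_ok=True),
]
QUIET = [EcuStatus("ecu3", comm_ok=True), EcuStatus("body_ecu", comm_ok=True)]

if __name__ == "__main__":
    for label, snapshot in (("quiet", QUIET), ("preliminary attack", PRELIMINARY_ATTACK)):
        total, level, scored = calculate_risk(snapshot)
        print(f"{label}: {total:.1f} points -> risk level {level}")
        for factor, where, pts in scored:
            print(f"  {pts:4.1f} {factor} ({where})")
```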
  • In step S31, the attack detection result produced by the attack detection unit 23 is acquired.
  • The security attack detection process in the attack detection unit 23 is not particularly limited here. For example, an abnormality occurring in the vehicle-mounted network 2 (a frame abnormality, a bus abnormality, or the like) is detected based on the frames acquired from the gateway function unit 11, and processing is performed to identify the type of attack corresponding to the detected abnormality.
  • When the type of attack cannot be identified (for example, because it is an unknown attack), a process of estimating the type of attack corresponding to the detected abnormality is also performed.
  • When the attack detection result of the attack detection unit 23 has been acquired in step S31, the process proceeds to step S32, in which it is determined from the attack detection result whether or not an attack has been detected. If it is determined in step S32 that there was no attack, the process proceeds to step S33, in which the response for the case of no attack is carried out.
  • If it is determined in step S32 that there is an attack, the process proceeds to step S34, in which the risk level of the attack calculated by the risk calculation unit 22 is acquired.
  • In step S35, the attack response information table shown in FIG. 7, which is stored in the execution condition storage unit 31, is acquired from that unit.
  • In the attack response information table, for example, when the calculated risk level is 0 or 1, interruption of communication and recording in the log are defined as the attack response; when the calculated risk level is 2 or 3, functional reduction such as stopping automated driving is additionally defined as the attack response. When the calculated risk level is 9, in addition to all the measures up to risk level 8, a warning display is specified: "The vehicle may have been subjected to a serious security attack. Please have the nearest dealer check it immediately."
  • After the attack response information table has been acquired in step S35, the process proceeds to step S36, in which the risk level of the security attack acquired in step S34 is compared against the attack response information table acquired in step S35, and the attack response corresponding to that risk level is determined.
  • When the attack response determination process of step S36 is complete, the process proceeds to step S4 shown in FIG. 3, as described above. In step S4 the determined attack response is output to the response implementation unit 25, and the processing ends.
  • In the gateway ECU 10 as a security device according to the above embodiment, when an attack is detected by the attack detection unit 23, the attack response to be carried out against the attack is determined based on the risk level calculated by the risk calculation unit 22.
  • If the risk level is high, a response at a raised security level can be carried out more quickly; if the risk level is low, the attack response can be carried out promptly under appropriate conditions with a lower level of function restriction. Further, since the risk calculation unit 22 calculates the risk from points allocated in advance to each risk factor in the network information, an appropriate risk level can be calculated quickly. It is therefore possible to promptly implement an attack response appropriate to the risk situation.
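The following Python sketch is added here to illustrate the flow of steps S11 to S15 and S31 to S36 in running code; it is example code written for this page, not the patent's or Omron's implementation. The factor names, point values, sensor plausibility ranges and the contents of the response table are assumptions modelled on the text's description of FIG. 5 and FIG. 7 (the text names the four risk factors, gives 2.0 and 0.1 as example weightings, and describes the responses for risk levels 0 to 3 and 9 only).

```python
"""Risk scoring (S11-S15) and table-driven response determination (S31-S36).
Example code written for this page, not the patent's implementation; all
names and numbers below are assumptions modelled on FIG. 5 and FIG. 7."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed risk score table (FIG. 5). The text names these four factors and
# gives 2.0 and 0.1 as example weightings; the other two values are assumed.
RISK_POINTS: Dict[str, float] = {
    "ecu_comm_interrupted": 2.0,   # an ECU has gone silent on the bus (S11)
    "transient_comm_error": 0.1,   # a short-lived communication error
    "hardware_abnormality": 3.0,   # rated above a communication abnormality (S12)
    "sensor_value_abnormal": 1.5,  # implausible sensor reading (S13)
}

# Assumed plausibility bounds used to judge sensor values in step S13.
SENSOR_RANGES: Dict[str, Tuple[float, float]] = {
    "vehicle_speed_kph": (0.0, 250.0),
    "steering_angle_deg": (-540.0, 540.0),
}


@dataclass
class NetworkInfo:
    """Network information as supplied by the network information acquisition unit 21."""
    silent_ecus: List[str] = field(default_factory=list)
    transient_errors: int = 0
    hardware_abnormal: bool = False
    sensor_values: Dict[str, float] = field(default_factory=dict)


def collect_risk_factors(info: NetworkInfo) -> List[str]:
    """Steps S11-S13: turn the raw network information into risk factor hits."""
    hits = ["ecu_comm_interrupted"] * len(info.silent_ecus)
    hits += ["transient_comm_error"] * info.transient_errors
    if info.hardware_abnormal:
        hits.append("hardware_abnormality")
    for name, value in info.sensor_values.items():
        lo, hi = SENSOR_RANGES.get(name, (float("-inf"), float("inf")))
        if not lo <= value <= hi:
            hits.append("sensor_value_abnormal")
    return hits


def risk_level(info: NetworkInfo, max_level: int = 9) -> int:
    """Steps S14-S15: sum the points of every detected factor; the integer part,
    clamped to the table's range 0..max_level, is the risk level."""
    total = sum(RISK_POINTS[f] for f in collect_risk_factors(info))
    return min(max_level, int(round(total, 3)))  # round first to absorb float noise


# Assumed attack response information table (FIG. 7). Measures are cumulative:
# each entry applies from its risk level upward. The text describes levels
# 0-1, 2-3 and 9; the entries for levels 4-8 are assumptions.
RESPONSE_TABLE: List[Tuple[int, List[str]]] = [
    (0, ["interrupt_suspect_communication", "write_log"]),
    (2, ["stop_automated_driving"]),
    (4, ["disable_remote_interfaces"]),
    (6, ["limit_vehicle_speed"]),
    (9, ["warn_driver_visit_dealer"]),
]


def decide_response(attack_detected: bool, level: int) -> List[str]:
    """Steps S32-S36. With no attack only the no-attack handling of S33 applies
    (the text does not specify it; here nothing is done). Otherwise return every
    measure whose starting level the calculated risk level reaches."""
    if not attack_detected:
        return []
    measures: List[str] = []
    for from_level, actions in RESPONSE_TABLE:
        if level >= from_level:
            measures.extend(actions)
    return measures


if __name__ == "__main__":
    # Constructed scenario: a preliminary attack has silenced ECU 3 and a
    # speed reading outside any plausible range has appeared on the bus.
    info = NetworkInfo(silent_ecus=["ECU3"], sensor_values={"vehicle_speed_kph": 400.0})
    level = risk_level(info)
    print("risk level", level, "->", decide_response(True, level))
```

The point of the cumulative table is that a high risk level never loses the cheap measures of the lower levels (communication interruption and logging are always taken), while the expensive measures, such as stopping automated driving, are only taken once the risk score justifies them; a practitioner should keep the per-factor points and the level boundaries under configuration control, since both directly decide how intrusive the response is.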
  • FIG. 8 is a block diagram showing a functional configuration example of a gateway ECU 10A according to another embodiment.
  • The gateway ECU 10A shown in FIG. 8 differs from the gateway ECU 10 shown in FIG. 2 in that it includes a threshold value changing unit 26, which can change the threshold value used by the attack detection unit 23 to detect an abnormality.
  • The threshold value changing unit 26 changes the abnormality detection threshold according to the risk level calculated by the risk calculation unit 22.
  • When the risk level is high, the abnormality detection threshold is lowered so that an attack can be detected sooner.
  • Concretely, the control that accelerates attack detection is performed by lowering the abnormality detection threshold Th1 shown in FIG. 11 to Th2.
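To make the effect of the threshold value changing unit 26 concrete, the following Python sketch replays the bus-load scenario of FIG. 11 (an ECU is silenced, the load dips, then a rogue ECU ramps up injected frames) once with the fixed threshold Th1 and once with the threshold lowered to Th2 as soon as the risk level is high. It is example code added for this page, not the patent's implementation; the threshold values, the per-window bus-load trace and the per-window risk levels are all constructed.

```python
"""Threshold value changing unit 26 applied to the FIG. 11 bus-load scenario.
Example code written for this page, not the patent's implementation; the
thresholds, the load trace and the risk levels are constructed."""
from typing import List, Optional

TH1 = 0.55          # assumed default abnormality detection threshold (fraction of bus capacity)
TH2 = 0.40          # assumed lowered threshold applied while the risk level is high
HIGH_RISK_FROM = 2  # assumed risk level at which unit 26 switches from Th1 to Th2


def detection_threshold(level: int) -> float:
    """Threshold value changing unit 26: use Th2 instead of Th1 once the risk
    level calculated by the risk calculation unit 22 is high."""
    return TH2 if level >= HIGH_RISK_FROM else TH1


def first_detection(loads: List[float], levels: List[int], adaptive: bool) -> Optional[int]:
    """Index of the first monitoring window whose bus load exceeds the threshold
    in force in that window; None if the trace never crosses it. With
    adaptive=False the fixed Th1 of the base gateway ECU 10 is used throughout."""
    for i, (load, level) in enumerate(zip(loads, levels)):
        threshold = detection_threshold(level) if adaptive else TH1
        if load > threshold:
            return i
    return None


# Constructed bus-load trace, one value per monitoring window. Windows 0-1 are
# normal; at window 2 ECU 3 is disconnected (load dips); from window 4 a rogue
# ECU ramps up the injected frames.
BUS_LOAD = [0.30, 0.30, 0.20, 0.20, 0.22, 0.28, 0.34, 0.42, 0.50, 0.58, 0.66]

# Per-window risk level as the risk calculation unit 22 would produce it:
# 0 while every ECU answers, 2 from the window in which ECU 3 goes silent
# (2.0 points for "communication interrupted with an ECU").
RISK_LEVEL = [0, 0, 2, 2, 2, 2, 2, 2, 2, 2, 2]


def detection_gain() -> int:
    """Number of monitoring windows saved by lowering Th1 to Th2 on the trace."""
    fixed = first_detection(BUS_LOAD, RISK_LEVEL, adaptive=False)
    adapted = first_detection(BUS_LOAD, RISK_LEVEL, adaptive=True)
    return fixed - adapted


if __name__ == "__main__":
    print("fixed Th1 detects at window", first_detection(BUS_LOAD, RISK_LEVEL, adaptive=False))
    print("adaptive Th2 detects at window", first_detection(BUS_LOAD, RISK_LEVEL, adaptive=True))
    print("windows gained", detection_gain())
```

Two caveats follow directly from the code. Th2 must stay above the normal baseline load (here 0.30), otherwise the moment the risk level rises, ordinary traffic trips the detector and the lowered threshold manufactures false positives rather than earlier true positives. And an attacker who knows that the threshold drops after a preliminary attack can keep the injection rate just under Th2, so the threshold change complements, but does not replace, the sensor-consistency and frame-level checks that the attack detection unit 23 performs.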
  • FIG. 9 is a block diagram showing a functional configuration example of a gateway ECU 10B according to still another embodiment.
  • The gateway ECU 10B shown in FIG. 9 differs from the gateway ECU 10 shown in FIG. 2 in that its execution condition storage unit 31B holds a two-dimensional attack response database table as shown in FIG. 10.
  • In this table an attack response is defined for each combination of (attack type) × (security attack risk level).
  • Using the two-dimensional attack response table, a more finely differentiated attack response can be determined according to both the type and the risk level of the attack.
  • As in the first embodiment, an abnormality occurring in the vehicle-mounted network 2 (a frame abnormality, a bus abnormality, or the like) is detected based on the frames acquired from the gateway function unit 11, and a process for identifying the type of attack corresponding to the detected abnormality is performed. When the type of attack cannot be identified (for example, because it is an unknown attack), a process of estimating the type of attack corresponding to the detected abnormality is performed.
  • The security control unit 12 mounted on the gateway ECU 10 may instead be mounted on another ECU, or a security ECU equipped with the security control unit 12 may be connected to the in-vehicle network 2.
  • The security control unit 12 may further be equipped with a notification processing unit that, via a notification device included in the information system ECU group 8 connected to the in-vehicle network 2, notifies the occupants of the vehicle that an abnormality or an attack has occurred, or notifies them of the appropriate driving operation, of the start, continuation, return from, or cancellation of degraded operation, of the response after an abnormality has occurred, and so on.
  • Such a notification device can be, for example, a navigation device or an audio device.
  • Since the notification processing unit can notify the occupants of an abnormality or the like via the notification device, the occupants can be prompted to take appropriate measures against the abnormality or the attack.
  • The security control unit 12 may also be equipped with a report processing unit that reports the occurrence of an abnormality or an attack to the outside of the vehicle via a telematics device or an ITS-related device included in the information system ECU group 8 connected to the vehicle-mounted network 2. With such a configuration, the report processing unit can report the occurrence of an abnormality or of an attack to the outside of the vehicle, so that, for example, other vehicles and infrastructure equipment in the vicinity, dealers, manufacturers, or public institutions can be notified and can take appropriate measures against the abnormality or attack from outside the vehicle.
  • The in-vehicle network 2 is only one example of a device network to which the technical idea of the present invention may be applied. The idea can equally be applied to security devices included in other device networks, for example an industrial equipment network in which one or more industrial devices constituting an FA (Factory Automation) system are connected via a communication path, a home equipment network to which household equipment is connected, an office equipment network to which office equipment is connected, and the like.
  • The FA system includes, for example, transport systems for various articles, inspection systems, assembly systems using robots, and the like.
  • The control devices include controller devices such as programmable controllers and motion/position controllers, as well as various sensor devices.
  • The communication path connecting the various control devices in the FA system may be wired or wireless.
  • The communication protocol in the device network is not limited to the CAN protocol; it may be, for example, CANopen, which is used in FA systems, or another derivative protocol.
  • The present invention can be widely used in the industrial field of security devices that execute an attack response against an attack occurring in a device network in which one or more devices, such as in-vehicle devices or industrial devices, are connected via a communication path.
  • Embodiments of the present invention may also be described as, but are not limited to, the following appendices.
  • Appendix 1: An attack response processing method executed by at least one computer included in an in-vehicle network (2) in which one or more ECU groups (5, 6, 7, 8) are connected via a bus (3), the method comprising: a risk calculation step (S1) that acquires information about the state of the in-vehicle network (2) and calculates the current risk level of the in-vehicle network (2); an attack detection step (S2) that detects an attack based on an abnormal situation that has occurred in the in-vehicle network (2); a response determination step (S3) that determines, based on the calculated risk level, the attack response to be carried out against the attack; and a response implementation step (S4) that carries out the determined attack response.
  • Reference signs: 1 Vehicle; 2 In-vehicle network (device network); 3 Bus; 4 OBDII; 5 Driving system ECU group; 6 Driving support system ECU group; 7 Body system ECU group; 8 Information system ECU group; 10 Gateway ECU (security device); 11 Gateway function unit; 12 Security control unit; 21 Network information acquisition unit; 22 Risk calculation unit; 23 Attack detection unit; 24 Attack response determination unit; 25 Response implementation unit; 26 Threshold value changing unit; 31 Execution condition storage unit


Abstract

The present invention aims to provide a security device capable of taking potential attacks on a device network into account, ascertaining the degree of risk of such attacks, and promptly implementing a suitable response to an attack in accordance with that degree of risk. The security device, which is included in a device network having at least one device connected via a communication path, comprises: an attack detection unit 23 that detects attacks on the basis of abnormalities in the device network 2; a network information acquisition unit 21 that obtains information on the state of the devices or sensors in the device network 2; a degree-of-risk calculation unit 22 that calculates the current degree of risk in the device network 2 on the basis of the network information; and an attack response determination unit 24 that, if an attack is detected by the attack detection unit 23, determines the attack response to be implemented against the attack on the basis of the degree of risk calculated by the degree-of-risk calculation unit 22.

Description

Security device, attack response processing method, computer program, and storage medium
The present invention relates to a security device, an attack response processing method, a computer program, and a storage medium.
Patent Document 1, cited below, discloses an in-vehicle communication system including a plurality of vehicle control devices connected to a vehicle network and a gateway that manages communication between these vehicle control devices.
In that in-vehicle communication system, the gateway is duplicated and a countermeasure table is provided. This countermeasure table defines the malfunction phenomena that can occur in communication, a confirmation method for determining whether a given malfunction phenomenon is caused by a failure of the gateway or by a security attack on the gateway, and the corresponding countermeasure.
When it is detected that a malfunction phenomenon has occurred in communication via the gateway, the in-vehicle communication system determines the cause of the detected malfunction phenomenon according to the confirmation method specified in the countermeasure table. It is thus configured to distinguish properly between a gateway failure and a security attack on the gateway, and to take appropriate countermeasures in each case.
[Problems to be solved by the invention]
On the other hand, the risk level in the above in-vehicle communication system passes through various stages before a security attack can be determined.
For example, when a security attack can only be determined in a situation like that shown in FIG. 11, the risk level has already become considerably high by the time the determination is made.
In the situation shown in FIG. 11, the attacker first carries out a preliminary, time-buying attack before anything is judged to be a security attack. As the preliminary attack, the attacker disconnects ECU 3 from the network, so the traffic on the communication path temporarily decreases. The attacker then connects a malicious ECU to the network and starts transmitting illegal messages from it.
The traffic on the communication path then increases gradually. At the start of the illegal message transmission the traffic is still below its normal level, so the point at which the increasing traffic exceeds the abnormality detection threshold Th1 arrives later than usual, and detection of the attack is correspondingly delayed. Consequently, although the gateway ECU monitors the traffic, it takes time to detect the attack and cut off communication; the system is exposed to the attack for a long time, and the damage is likely to be large.
Likewise, when a security attack is determined in a situation like that shown in FIG. 12, the risk level has already become high by the time the determination is made.
Here the attacker first, as a preliminary attack, applies an electrical attack to a sensor ECU (for example, injecting noise into the vehicle speed pulse) and thereby alters the sensor's output value. The attacker then connects a malicious ECU to the network and starts transmitting illegal control messages from it.
The gateway ECU checks the consistency between sensor values and control messages, but because the sensor value has been altered and illegal control messages are being received, it falls into a state in which it can no longer judge that consistency correctly. Only after various additional attacks have been received is the attack finally detected, and even then, by the time it is detected, the risk level has already risen and the damage is likely to be large.
The in-vehicle communication system of Patent Document 1 does not perceive preliminary attacks of the kind described above, and does not take into account the situation in which, by the time a security attack has been determined, the risk level in the system has already become high. It is therefore unable to grasp the risk situation caused by the attack at the moment the attack is determined, and cannot take an appropriate response (security measure) matched to that risk situation.
Patent Document 1: JP-A-2017-152762
Means for solving the problems and their effects
The present invention has been made in view of the above problems. Its object is to provide a security device, an attack response processing method, a computer program, and a storage medium that also take potential attacks on a device network into account, grasp the risk situation created by those attacks, and can promptly carry out an appropriate attack response (security measure) matched to that risk situation.
To achieve the above object, the security device (1) according to the present disclosure is a security device included in a device network in which one or more devices are connected via a communication path, and comprises:
an attack detection unit that detects an attack based on an abnormality that has occurred in the device network;
a network information acquisition unit that acquires information on the state of the devices and sensors included in the device network (hereinafter, network information);
a risk calculation unit that calculates the current risk level in the device network based on the network information; and
an attack response determination unit that, when an attack is detected by the attack detection unit, determines the attack response to be carried out against the attack based on the risk level calculated by the risk calculation unit.
According to the security device (1), when an attack is detected by the attack detection unit, the attack response to be carried out against the attack is determined based on the risk level calculated by the risk calculation unit. When the risk level is high, a response at a raised security level can therefore be carried out more quickly; when the risk level is low, the attack response can be carried out promptly under appropriate conditions with a lower level of function restriction.
The communication path may be wired, wireless, or a combination of wired and wireless.
The security device (2) according to the present disclosure is the security device (1) in which the risk calculation unit calculates the risk level from points allocated in advance to each risk factor in the network information.
Risk factors include, for example, interruption of communication with an ECU, detection of a temporary communication error, a sensor value abnormality, and a hardware failure. The degree of risk of each factor is considered in advance and points such as (2.0) or (0.1) are allocated to it.
According to the security device (2), an appropriate risk level can be calculated quickly, and so an appropriate attack response matched to the risk situation can be carried out quickly.
The security device (3) according to the present disclosure is the security device (1) or (2) further comprising an execution condition storage unit that stores table information indicating the relationship between the calculated risk level and the attack response, in which the attack response determination unit determines the attack response based on that table information.
According to the security device (3), since the execution condition storage unit stores table information relating the risk level to the attack response, the attack response determination unit can, by using that table, quickly determine an attack response optimized for the calculated risk level, making the attack response both optimized and fast.
The security device (4) according to the present disclosure is any of the security devices (1) to (3) further comprising an execution condition storage unit that stores table information indicating the relationship between the attack type, the risk level, and the attack response, in which the attack response determination unit determines, based on that table information, the attack response for each combination of the attack type and the calculated risk level.
According to the security device (4), since the execution condition storage unit stores table information relating attack type, risk level, and attack response, the attack response determination unit can, by using that table, quickly determine an attack response optimized for each combination of attack type and calculated risk level, making the attack response both optimized and fast.
For example, when the device targeted by the attack is in a high-risk state, a high-level attack response taken from the table information can be executed promptly, so that the spread of damage from the attack is stopped quickly. When the device targeted by the attack is in a state that is not especially high-risk, an attack response taken from the table information that does not excessively restrict the device's functions can be executed, so that the attack response does not impair the usability of the device.
The security device (5) according to the present disclosure is any of the security devices (1) to (4), which changes the abnormality detection threshold according to the attack risk situation of the devices and sensors included in the device network.
For example, if the abnormality detection threshold is lowered when the risk level is high, an abnormality can be detected earlier, the attack can be detected earlier, and the response to the attack can be carried out at an earlier stage, so that the damage caused by the attack is reduced.
According to the security device (5), the detection of communication abnormalities and control abnormalities can be brought forward, the response to an attack can be carried out at an earlier stage, and the damage caused by the attack can be reduced still further.
The security device (6) according to the present disclosure is any of the security devices (1) to (5), in which the device is a control device mounted on a vehicle and the device network is an in-vehicle network.
According to the security device (6), when the in-vehicle network, in which one or more of the control devices are connected via the communication path, is attacked, the vehicle can by itself carry out the attack response efficiently and quickly under appropriate conditions that take the risk level of the attack into account. The user of the vehicle can therefore ride with greater peace of mind, without anxiety about security threats.
The security device (7) according to the present disclosure is the security device (6), in which the control devices include at least one of a driving system control device, a driving support system control device, a body system control device, an information system control device, and a diagnostic connector device of the vehicle.
According to the security device (7), even when an attack on any of the above control devices is involved, the attack response to it can be carried out quickly and accurately under appropriate conditions that take the risk level of the attack into account.
The security device (8) according to the present disclosure is any of the security devices (1) to (5), in which the device is an industrial device constituting an FA system and the device network is an industrial device network.
According to the security device (8), when the device network, in which one or more of the control devices are connected via the communication path, is attacked, the industrial equipment can by itself carry out the attack response efficiently and quickly under appropriate conditions that take the risk level of the attack into account. The user of the industrial equipment can therefore use it with greater peace of mind, without anxiety about security threats.
The attack response processing method (1) according to the present disclosure is an attack response processing method executed by at least one computer included in a device network in which one or more devices are connected via a communication path, and comprises:
a risk calculation step that acquires information on the state of the device network and calculates the current risk level of the device network;
an attack detection step that detects an attack based on an abnormal situation that has occurred in the device network;
a response determination step that determines, based on the calculated risk level, the attack response to be carried out against the attack; and
a response implementation step that carries out the determined attack response.
According to the attack response processing method (1), when an attack is detected in the attack detection step, the attack response to be carried out against the attack is determined based on the risk level calculated in the risk calculation step. When the risk level is high, a response at a raised security level can be carried out promptly; when the risk level is low, the attack response can be carried out promptly under appropriate conditions with a lower level of function restriction.
The attack response processing method (2) according to the present disclosure is the attack response processing method (1) in which the risk calculation step comprises a step of acquiring communication abnormality information, a step of acquiring hardware abnormality information, and a step of judging sensor value abnormalities and creating sensor value abnormality information.
According to the attack response processing method (2), the dangers that may arise in the device network can be grasped accurately, and the risk level can be calculated appropriately and with high precision.
The attack response processing method (3) according to the present disclosure is the attack response processing method (2) further comprising a step of acquiring the points for each item of abnormality information from an abnormality information score table created in advance, and a step of calculating the risk level from the total of the acquired points.
According to the attack response processing method (3), an appropriate risk level can be calculated quickly, and so an appropriate attack response matched to the risk situation can be carried out quickly.
Further, the attack response processing method (4) according to the present disclosure is any one of the attack response processing methods (1) to (3) described above, in which the response determination step includes:
a step of acquiring the calculated risk level;
a step of calling a table, created in advance, in which risk levels and the response corresponding to each risk level are defined; and
a step of determining the response from the calculated risk level on the basis of the response table.
According to the attack response processing method (4), an appropriate risk level can be calculated quickly, and the optimum attack response according to the situation at each risk level can be implemented quickly.
Further, the computer program (1) according to the present disclosure causes at least one computer included in the device network to execute each step described in any one of the attack response processing methods (1) to (4).
According to the computer program (1), the computer can be made to calculate an appropriate risk level quickly and to implement quickly the optimum attack response according to the risk situation.
The computer program may be a computer program stored in a storage medium, or a computer program that can be transferred via a communication network or the like.
Further, the computer-readable storage medium (1) according to the present disclosure stores a computer program for causing at least one computer included in the device network to execute each step described in any one of the attack response processing methods (1) to (4).
According to the computer-readable storage medium (1) storing the computer program, the computer can be made to calculate an appropriate risk level quickly and to implement quickly the optimum attack response according to the risk situation.
FIG. 1 is a schematic block diagram showing an in-vehicle network system to which the security device according to an embodiment of the present disclosure is applied.
FIG. 2 is a block diagram showing a functional configuration example of the gateway ECU according to the embodiment.
FIG. 3 is a schematic flowchart showing the processing operation performed by the security control unit constituting the gateway ECU according to the embodiment.
FIG. 4 is a flowchart showing the risk level calculation process performed by the security control unit constituting the gateway ECU according to the embodiment.
FIG. 5 is a diagram for explaining an example of the table information stored in the risk level calculation unit.
FIG. 6 is a flowchart showing the attack response process performed by the security control unit constituting the gateway ECU according to the embodiment.
FIG. 7 is a diagram for explaining an example of the attack response information table stored in the implementation condition storage unit.
FIG. 8 is a block diagram showing a functional configuration example of a gateway ECU according to another embodiment.
FIG. 9 is a block diagram showing a functional configuration example of a gateway ECU according to still another embodiment.
FIG. 10 is a diagram for explaining an example of the attack response information table stored in the implementation condition storage unit.
FIG. 11 is a schematic diagram showing an example of a state in which the risk level becomes higher due to a security attack.
FIG. 12 is a schematic diagram showing another example of a state in which the risk level becomes higher due to a security attack.
Hereinafter, embodiments of the security device, attack response processing method, computer program, and storage medium according to the present invention will be described with reference to the drawings.
[Application example]
FIG. 1 is a schematic block diagram showing an example in which the security device according to the embodiment is applied to an in-vehicle network system.
The in-vehicle network 2 is a communication network system mounted on the vehicle 1 and includes an OBDII (On-board diagnostics II) 4, a traveling system ECU (Electronic Control Unit) group 5, a driving support system ECU group 6, a body system ECU group 7, an information system ECU group 8, and a gateway ECU 10.
The in-vehicle network 2 in the present embodiment is a network that communicates according to the CAN (Controller Area Network) protocol. It is of course also possible to apply a communication standard other than CAN to the in-vehicle network 2.
The traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, and the information system ECU group 8 (hereinafter collectively referred to as the ECU groups) are given as examples of control devices mounted on the vehicle 1; further ECU groups may also be present.
The OBDII 4, the traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, and the information system ECU group 8 are connected via the bus 3, which is a communication path, to channels CH1, CH2, CH3, CH4, and CH5 of the gateway ECU 10, respectively. The number of channels of the gateway ECU 10 is not limited to these five.
In the example shown in FIG. 1, the ECU groups are connected to the gateway ECU 10 per functional system in a central gateway configuration, but the connection configuration of the gateway ECU 10 is not limited to this; the gateway ECU 10 may instead be connected between the ECU groups, or yet another configuration may be used.
The OBDII 4 is shown as an example of a diagnostic connector device having a port to which a diagnostic tool or scan tool for failure diagnosis, maintenance, or the like is connected.
The traveling system ECU group 5 includes drive system ECUs and chassis system ECUs. The drive system ECUs include control units related to the "driving" function, such as engine control, motor control, fuel cell control, EV (Electric Vehicle) control, or transmission control. The chassis system ECUs include control units related to the "stopping and turning" functions, such as brake control or steering control.
The driving support system ECU group 6 includes at least one control unit related to functions that automatically improve safety or realize comfortable driving in cooperation with the traveling system ECU group 5 and the like (driving support functions or automated driving functions), such as an automatic brake assist function, a lane keeping assist function (also called LKA, Lane Keep Assist), a constant speed and following distance assist function (also called ACC, Adaptive Cruise Control), a forward collision warning function, a lane departure warning function, a blind spot monitoring function, a traffic sign recognition function, and a driver monitoring function.
The driving support system ECU group 6 may be equipped with, for example, the functions of level 1 (driver assistance), level 2 (partial automated driving), and level 3 (conditional automated driving) of the levels of driving automation presented by SAE (Society of Automotive Engineers). It may further be equipped with the functions of level 4 (high automated driving) and level 5 (full automated driving).
The body system ECU group 7 includes at least one control unit related to vehicle body functions such as door locks, smart keys, power windows, air conditioning, lights, or turn signals.
The information system ECU group 8 includes infotainment devices, telematics devices, or ITS (Intelligent Transport Systems) related devices.
The infotainment devices include a car navigation device, audio equipment, and the like; the telematics devices include a communication unit for connecting to a mobile phone network or the like.
The ITS-related devices include an ETC (Electronic Toll Collection System) unit, or a communication unit for road-to-vehicle communication with roadside units such as ITS spots or for vehicle-to-vehicle communication.
An external interface may also be connected to the gateway ECU 10. External interfaces include, for example, Bluetooth (registered trademark), Wi-Fi (registered trademark), a USB (Universal Serial Bus) port, or a memory card slot.
The gateway ECU 10 has the function of exchanging frames (messages) with each ECU group included in the in-vehicle network 2 according to the CAN protocol, and functions as the security device according to the present embodiment.
Each ECU of the traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, the information system ECU group 8, and the gateway ECU 10 is a computer device including one or more processors, memory, a communication module, and the like. The processor mounted on each ECU reads a program stored in the memory, interprets it, and executes it, whereby the predetermined control is executed by each ECU.
[Functional configuration example 1]
FIG. 2 is a block diagram showing a functional configuration example of the gateway ECU 10 according to the embodiment.
The gateway ECU 10 includes a gateway function unit 11 and a security control unit 12. The functions of the security device according to the present embodiment are implemented in the security control unit 12.
As hardware, the gateway ECU 10 includes memory such as ROM (Read Only Memory) in which programs are stored and RAM (Random Access Memory), a processor such as a CPU (Central Processing Unit) that reads and executes programs from this memory, and a communication module for connecting to the in-vehicle network 2.
The gateway function unit 11 has the function of controlling the transfer of frames (messages) to and from each ECU group via the bus 3, and includes the components needed for mutual communication with each ECU group of the in-vehicle network 2 according to the CAN protocol, for example a frame transmission and reception unit, a frame interpretation unit, and a frame conversion unit (not shown).
Frames in the CAN protocol include, for example, data frames, remote frames, overload frames, and error frames.
A data frame consists of the following fields: SOF (Start Of Frame), ID, RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bits, DLC (Data Length Code), data field, CRC (Cyclic Redundancy Check) sequence, CRC delimiter (DEL), ACK (Acknowledgement) slot, ACK delimiter (DEL), and EOF (End Of Frame).
The security control unit 12 includes a network information acquisition unit 21, a risk level calculation unit 22, an attack detection unit 23, an attack response determination unit 24, a response implementation unit 25, and an implementation condition storage unit 31.
As hardware, the security control unit 12 includes memory such as ROM and RAM in which the programs executed by the above units are stored, and a processor that reads and executes programs from this memory; the functions of the above units are realized by the cooperation of this hardware and the programs.
The network information acquisition unit 21 acquires network information on the state of each ECU group connected to the gateway ECU 10 via the bus 3. This network information includes the communication status, the status of various sensor values, the hardware failure status, and so on; in other words, it includes all information on the state of the vehicle 1. The network information acquired by the network information acquisition unit 21 is sent to the risk level calculation unit 22.
The risk level calculation unit 22 calculates the risk level related to the current security attack based on the network information sent from the network information acquisition unit 21.
The risk level calculation unit 22 stores a table of risk factors for risk level calculation, for example as shown in FIG. 5, and calculates the risk level from the network information sent from the network information acquisition unit 21 on the basis of this risk factor table.
The attack detection unit 23 detects abnormalities (frame abnormalities, bus abnormalities, and the like) that have occurred in the in-vehicle network 2 based on the frames acquired from the gateway function unit 11, and identifies the type of attack corresponding to the detected abnormality. When the type of attack cannot be identified (for example, because it is an unknown attack), the attack detection unit 23 also estimates the type of attack corresponding to the detected abnormality. Information on the attack identified or estimated by the attack detection unit 23 is sent to the attack response determination unit 24.
A frame abnormality is detected, for example, by checking parameters set for each frame ID, such as the RTR, the DLC, the payload, and the reception period. A frame abnormality represents an abnormality in a single CAN signal.
A bus abnormality is detected, for example, by checking parameters such as the bus load factor of each bus 3 on CH1 to CH5, the bus state (such as the presence or absence of bus errors), and the IDs appearing on these buses 3. A bus abnormality represents a situational abnormality of the CAN signals.
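The frame and bus checks just described (and repeated in the processing operation example below) can be made concrete with a small monitor. The following is an added illustration written for this page, not code from the patent or from the applicant; the CAN IDs, the per-ID whitelist of DLC, RTR, first-byte range and period, the 50% period tolerance and the 40-frames-per-100-ms load threshold are all constructed assumptions. It flags the per-ID frame abnormalities (unexpected RTR, wrong DLC, implausible payload, frame arriving far earlier than its period) and two bus abnormalities (an ID not expected on the bus, bus load above a threshold) over a constructed frame trace.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FrameSpec:
    """Expected parameters for one CAN ID (constructed whitelist entry)."""
    dlc: int                        # expected Data Length Code
    rtr_allowed: bool               # whether remote frames are expected for this ID
    period_ms: float                # nominal reception period
    byte0_range: Tuple[int, int]    # plausible range of the first data byte


@dataclass(frozen=True)
class Frame:
    ts_ms: float
    can_id: int
    rtr: bool
    dlc: int
    data: bytes


# Constructed per-ID expectations; IDs and values are assumptions for illustration.
SPECS: Dict[int, FrameSpec] = {
    0x100: FrameSpec(dlc=8, rtr_allowed=False, period_ms=10.0, byte0_range=(0, 200)),
    0x2A0: FrameSpec(dlc=4, rtr_allowed=False, period_ms=100.0, byte0_range=(0, 255)),
}


class FrameMonitor:
    """Flags frame abnormalities (per-ID RTR, DLC, payload and period checks) and
    bus abnormalities (IDs not expected on the bus, bus load over a threshold)."""

    def __init__(self, specs: Dict[int, FrameSpec],
                 period_tolerance: float = 0.5, max_frames_per_100ms: int = 40):
        self.specs = specs
        self.tol = period_tolerance
        self.max_load = max_frames_per_100ms
        self.last_seen: Dict[int, float] = {}   # last timestamp per ID
        self.window: List[float] = []            # timestamps in the trailing 100 ms

    def check(self, f: Frame) -> List[str]:
        findings: List[str] = []
        spec = self.specs.get(f.can_id)
        if spec is None:
            findings.append(f"bus: unexpected ID 0x{f.can_id:X}")
        else:
            if f.rtr and not spec.rtr_allowed:
                findings.append(f"frame: unexpected RTR for 0x{f.can_id:X}")
            if f.dlc != spec.dlc:
                findings.append(f"frame: DLC {f.dlc} != {spec.dlc} for 0x{f.can_id:X}")
            if not f.rtr and f.data:
                lo, hi = spec.byte0_range
                if not lo <= f.data[0] <= hi:
                    findings.append(f"frame: payload byte0 {f.data[0]} out of range for 0x{f.can_id:X}")
            prev = self.last_seen.get(f.can_id)
            if prev is not None and f.ts_ms - prev < spec.period_ms * (1 - self.tol):
                findings.append(f"frame: period {f.ts_ms - prev:.1f} ms too short for 0x{f.can_id:X}")
            self.last_seen[f.can_id] = f.ts_ms
        # Bus load: count frames seen in the trailing 100 ms window.
        self.window = [t for t in self.window if f.ts_ms - t < 100.0] + [f.ts_ms]
        if len(self.window) > self.max_load:
            findings.append("bus: load above threshold")
        return findings


def scan(frames: List[Frame]) -> List[Tuple[float, str]]:
    """Run the monitor over a frame sequence; returns (timestamp, finding) pairs."""
    mon = FrameMonitor(SPECS)
    return [(f.ts_ms, msg) for f in frames for msg in mon.check(f)]


def sample_frames() -> List[Frame]:
    """Constructed trace: three normal 0x100 frames, one injected 0x100 frame that
    arrives too early with an implausible payload, an ID not in the whitelist,
    and an unexpected remote frame."""
    return [
        Frame(0.0, 0x100, False, 8, bytes([10]) + bytes(7)),
        Frame(10.0, 0x100, False, 8, bytes([12]) + bytes(7)),
        Frame(20.0, 0x100, False, 8, bytes([14]) + bytes(7)),
        Frame(22.0, 0x100, False, 8, bytes([250]) + bytes(7)),
        Frame(30.0, 0x7FF, False, 2, b"\x01\x02"),
        Frame(40.0, 0x2A0, True, 4, b""),
    ]


def flood_frames(n: int) -> List[Frame]:
    """Constructed trace: n copies of 0x100 one millisecond apart (a bus flood)."""
    return [Frame(float(t), 0x100, False, 8, bytes([1]) + bytes(7)) for t in range(n)]


if __name__ == "__main__":
    for ts, msg in scan(sample_frames()):
        print(f"{ts:6.1f} ms  {msg}")
```

The per-ID checks correspond to the page's "single CAN signal" abnormalities, while the unexpected-ID and load checks are the "situational" ones; on a real gateway the whitelist would be derived from the vehicle's signal database and the thresholds tuned per channel.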
In the process of identifying the type of attack, for example, the abnormality data collected within a predetermined time after the first abnormality is detected is matched against anomaly detection patterns (each including a plurality of anomaly detection parameters) held in advance for each type of attack, to identify the type of attack corresponding to the detected abnormality.
In the process of estimating the type of attack, for example, the abnormality data collected within a predetermined time after the first abnormality is detected is matched against attack estimation patterns (each including a plurality of attack estimation parameters) held in advance for each type of attack, to estimate the type of attack closest to the detected abnormality.
The attack information sent to the attack response determination unit 24 can be, for example, the attack information acquired in the period corresponding to the predetermined time over which the network information acquisition unit 21 collected the network information and the risk level was calculated.
The attack response determination unit 24 determines the attack response to be implemented based on the risk level calculated by the risk level calculation unit 22 and the response information stored in the implementation condition storage unit 31. The attack response information determined by the attack response determination unit 24 is sent to the response implementation unit 25.
The implementation condition storage unit 31 stores, for each risk level calculated by the risk level calculation unit 22, the attack response information to be implemented.
FIG. 7 is a diagram showing an example of the attack response information table stored in the implementation condition storage unit 31.
For example, when the calculated risk level is 0 or 1, blocking communication and recording to a log are defined as the attack response, and when the calculated risk level is 2 or 3, functional degradation such as stopping automated driving is additionally defined as the attack response.
When the calculated risk level is 9, in addition to all responses up to risk level 8, a warning such as "The vehicle may be under a serious security attack. Please have it inspected at the nearest dealer immediately" is displayed.
The response implementation unit 25 implements the attack response determined by the attack response determination unit 24.
The configuration in which the gateway ECU 10 detects an attack is not limited to the above. For example, in another embodiment, a function similar to that of the attack detection unit 23 is provided on a cloud computer, and the attack information identified or estimated on the cloud computer side is acquired by communication via an external communication network.
[Processing operation example]
FIG. 3 is a schematic flowchart showing the processing operation performed by the security control unit 12 constituting the gateway ECU 10 according to the embodiment.
First, in step S1, the security control unit 12 performs the risk level calculation process. The details of this risk level calculation process are shown in the flowchart of FIG. 4.
When the risk level calculation process is completed, the process proceeds to step S2, in which the security attack detection process is performed.
The security attack detection process is not particularly limited here, but for example, as described above, abnormalities (frame abnormalities, bus abnormalities, and the like) that have occurred in the in-vehicle network 2 are detected based on the frames acquired from the gateway function unit 11, and the type of attack corresponding to the detected abnormality is identified.
When the type of attack cannot be identified (for example, because it is an unknown attack), the type of attack corresponding to the detected abnormality is also estimated.
A frame abnormality is detected, for example, by checking parameters set for each frame ID, such as the RTR, the DLC, the payload, and the reception period. A frame abnormality represents an abnormality in a single CAN signal.
A bus abnormality is detected, for example, by checking parameters such as the bus load factor of each bus 3 on CH1 to CH5, the bus state (such as the presence or absence of bus errors), and the IDs appearing on these buses 3. A bus abnormality represents a situational abnormality of the CAN signals.
In the process of identifying the type of attack, for example, the abnormality data collected within a predetermined time after the first abnormality is detected is matched against anomaly detection patterns (each including a plurality of anomaly detection parameters) held in advance for each type of attack, to identify the type of attack corresponding to the detected abnormality.
In the process of estimating the type of attack, for example, the abnormality data collected within a predetermined time after the first abnormality is detected is matched against attack estimation patterns (each including a plurality of attack estimation parameters) held in advance for each type of attack, to estimate the type of attack closest to the detected abnormality.
When the security attack detection process is completed, the process proceeds to step S3, in which the attack response determination process is performed.
The details of this attack response determination process are shown in the flowchart of FIG. 6.
When the attack response determination process is completed, the process proceeds to step S4, in which the determined attack response is output to the response implementation unit 25.
The flow of the risk level calculation process shown in FIG. 4 will now be described.
First, in step S11, communication abnormality information is acquired. If, in communication with the ECU groups, there is an ECU whose communication has stopped, there is a high probability that this is the result of an attack or of preparation for the real attack, and the risk level is high. Step S11 detects such a situation.
After the communication abnormality information is acquired in step S11, the process proceeds to step S12, in which hardware abnormality information (which is distinct from hardware failure information) is acquired. If an abnormality has occurred in the hardware, there is a high probability that it too was caused by an attack, and the risk level is considered higher than for the communication abnormality.
After the hardware abnormality information is acquired in step S12, the process proceeds to step S13, in which each sensor value is checked for abnormality and sensor value abnormality information is created.
If a sensor value is one that could not normally occur, the attack detection unit 23 can immediately judge it to be due to an attack; but even a sensor value abnormality with an ambiguous value that cannot immediately be judged to be an attack has a high probability of actually being caused by a preparatory attack preceding the real attack.
In step S13, such sensor value abnormalities are also acquired and judged, the abnormality information of each sensor value is collected, and the sensor value abnormality information is created.
After each sensor value is checked for abnormality and the sensor value abnormality information is created in step S13, the process proceeds to step S14, in which a score is acquired for each piece of abnormality information.
For these scores, a risk score table per risk factor, for example as shown in FIG. 5, is stored in the risk level calculation unit 22; this table is accessed, and the risk level is calculated on the basis of it from all the network information sent from the network information acquisition unit 21.
Next, the process proceeds to step S15, in which the risk scores detected for each risk factor are summed to calculate the risk level of the security attack.
Next, the flow of the attack response determination process shown in FIG. 6 will be described.
First, in step S31, the attack detection result produced by the attack detection unit 23 is acquired.
As described above, the security attack detection process in the attack detection unit 23 is not particularly limited here, but for example, abnormalities (frame abnormalities, bus abnormalities, and the like) that have occurred in the in-vehicle network 2 are detected based on the frames acquired from the gateway function unit 11, and the type of attack corresponding to the detected abnormality is identified.
When the type of attack cannot be identified (for example, because it is an unknown attack), the type of attack corresponding to the detected abnormality is also estimated.
After the attack detection result produced by the attack detection unit 23 is acquired in step S31, the process proceeds to step S32, in which it is judged, based on the attack detection result, whether or not an attack has been detected. If it is judged in step S32 that there was no attack, the process proceeds to step S33, in which the response for the case of no attack is implemented.
 他方、ステップS32で攻撃有りと判断されると、次にステップS34に進み、ステップS34では、危険度算出部22で算出された攻撃の危険度が取得される。 On the other hand, if it is determined in step S32 that there is an attack, the process proceeds to step S34, and in step S34, the risk level of the attack calculated by the risk level calculation unit 22 is acquired.
 その後、ステップS35に進み、ステップS35では、実施条件記憶部31に格納されている、図7に示したような、攻撃対応情報テーブルを実施条件記憶部31から取得する。
 攻撃対応情報テーブルには、上記したように、例えば、算出された危険度が0又は1の場合は、通信の遮断とログへの記録が攻撃対応として規定され、算出された危険度が2又は3の場合には、さらに、自動運転の停止などの機能縮退が攻撃対応として規定されている。
 算出された危険度が9の場合は、危険度8までのすべての対応に加え、「車両が重大なセキュリティ攻撃を受けている虞があります。すぐに最寄りのディーラーで点検を受けてください」などの警告表示が規定されている。
After that, the process proceeds to step S35, and in step S35, the attack response information table as shown in FIG. 7, which is stored in the execution condition storage unit 31, is acquired from the execution condition storage unit 31.
In the attack response information table, as described above, for example, when the calculated risk level is 0 or 1, communication interruption and recording in the log are defined as attack response, and the calculated risk level is 2 or. In the case of 3, functional reduction such as stopping automatic operation is further defined as an attack response.
If the calculated risk level is 9, in addition to all the measures up to the risk level 8, "There is a risk that the vehicle has been seriously attacked by security. Please have the nearest dealer check it immediately." Warning display is specified.
 ステップS35で、攻撃対応情報テーブルを取得すると、その後、ステップS36に進み、ステップS36では、ステップS34で取得したセキュリティ攻撃の危険度と、ステップS35で取得した攻撃対応情報テーブルとを比較して危険度に応じた攻撃対応を決定する。 After acquiring the attack response information table in step S35, the process proceeds to step S36, and in step S36, the risk level of the security attack acquired in step S34 is compared with the attack response information table acquired in step S35 to be dangerous. Determine the attack response according to the degree.
 ステップS36で攻撃対応の決定処理を終えると、上記したように、図3に示したステップS4に進み、ステップS4では、決定された攻撃対応を対応実施部25に出力する処理が行われ、処理が終了する。 When the attack response determination process is completed in step S36, the process proceeds to step S4 shown in FIG. 3 as described above, and in step S4, a process of outputting the determined attack response to the response implementation unit 25 is performed and processed. Is finished.
[Action and Effect]
According to the gateway ECU 10 serving as the security device of the above embodiment, when an attack is detected by the attack detection unit 23, the optimal attack response to be carried out against the attack is determined based on the risk level calculated by the risk calculation unit 22. When the risk level is high, a response with a raised security level can be carried out more quickly; on the other hand, when the risk level is low, the attack response can be carried out quickly under appropriate conditions with a lower level of functional restriction.
Further, since the risk calculation unit 22 calculates the risk level from the points allocated in advance to each risk factor in the network information, an appropriate risk level can be calculated quickly, and therefore an appropriate attack response suited to the risk situation can be carried out promptly.
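The risk scoring of step S15 and the table-driven response decision of steps S31 to S36, as an added C example; it is not code from the patent or from any OMRON implementation. The three risk factors, the points in the score table, the bit-flag encoding of the responses, the clamp to level 9 and the entries for levels 4 to 8 are all assumptions of this example; only the responses for levels 0/1, 2/3 and 9 follow the description above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Risk factors carried in the network information. The three factors mirror
 * the abnormality information named in the method (communication, hardware,
 * sensor value); the bit layout is an assumption of this example. */
enum risk_factor {
    RF_COMM_ABNORMAL   = 0,
    RF_HW_ABNORMAL     = 1,
    RF_SENSOR_ABNORMAL = 2,
    RF_COUNT           = 3
};

#define RISK_MAX 9   /* highest risk level present in the response table */

/* Stand-in for the FIG. 5 risk score table: points per risk factor.
 * The point values are constructed for this example. */
static const uint8_t risk_score_table[RF_COUNT] = {
    [RF_COMM_ABNORMAL]   = 2,
    [RF_HW_ABNORMAL]     = 3,
    [RF_SENSOR_ABNORMAL] = 4,
};

/* Step S15: sum the points of every risk factor present in the network
 * information. factor_mask has bit f set when factor f was detected.
 * Clamping to RISK_MAX keeps the value inside the response table; the clamp
 * is an assumption, the page does not say how larger sums are handled. */
uint8_t calculate_risk(unsigned factor_mask)
{
    unsigned total = 0;
    for (unsigned f = 0; f < RF_COUNT; f++) {
        if (factor_mask & (1u << f))
            total += risk_score_table[f];
    }
    return total > RISK_MAX ? RISK_MAX : (uint8_t)total;
}

/* Attack responses as bit flags so that one level can combine several. */
enum response_flags {
    RESP_NONE        = 0,
    RESP_BLOCK_COMM  = 1u << 0,   /* block the offending communication */
    RESP_LOG         = 1u << 1,   /* record the event in the log */
    RESP_DEGRADE     = 1u << 2,   /* functional degradation, e.g. stop automated driving */
    RESP_WARN_DRIVER = 1u << 3    /* show the "have the vehicle inspected" warning */
};

/* Stand-in for the FIG. 7 attack response information table, indexed by
 * risk level. Levels 0-1, 2-3 and 9 follow the description; the entries for
 * levels 4-8 are an assumption (they keep the level 2-3 response). */
static const uint8_t response_table[RISK_MAX + 1] = {
    [0] = RESP_BLOCK_COMM | RESP_LOG,
    [1] = RESP_BLOCK_COMM | RESP_LOG,
    [2] = RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
    [3] = RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
    [4] = RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
    [5] = RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
    [6] = RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
    [7] = RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
    [8] = RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
    [9] = RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE | RESP_WARN_DRIVER,
};

/* Steps S31-S36: from the detection result and the calculated risk level,
 * return the response flags to hand to the response implementation unit. */
uint8_t decide_response(bool attack_detected, uint8_t risk)
{
    if (!attack_detected)            /* S32 -> S33: no attack */
        return RESP_NONE;
    if (risk > RISK_MAX)             /* defensive: stay inside the table */
        risk = RISK_MAX;
    return response_table[risk];     /* S35/S36: lookup by risk level */
}

int main(void)
{
    /* Constructed scenario: communication and hardware abnormalities present. */
    unsigned factors = (1u << RF_COMM_ABNORMAL) | (1u << RF_HW_ABNORMAL);
    uint8_t risk = calculate_risk(factors);
    uint8_t resp = decide_response(true, risk);
    printf("risk=%u block=%d log=%d degrade=%d warn=%d\n", (unsigned)risk,
           !!(resp & RESP_BLOCK_COMM), !!(resp & RESP_LOG),
           !!(resp & RESP_DEGRADE), !!(resp & RESP_WARN_DRIVER));
    return 0;
}
```

Keeping the two tables as plain constant arrays, rather than branching code, is what makes the behaviour reviewable: the response for every level is visible in one place, and the lookup itself cannot produce a response the table does not contain.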
[Functional configuration example 2]
FIG. 8 is a block diagram showing a functional configuration example of a gateway ECU 10A according to another embodiment.
The gateway ECU 10A shown in FIG. 8 differs from the gateway ECU 10 shown in FIG. 2 in that the gateway ECU 10A includes a threshold changing unit 26 that can change the threshold used to detect an abnormality when the attack detection unit 23 detects an attack. The threshold changing unit 26 changes the abnormality detection threshold according to the risk level calculated by the risk calculation unit 22.
More specifically, when the risk level calculated by the risk calculation unit 22 is high, the abnormality detection threshold is lowered so that an attack can be detected earlier.
For example, when the risk of an attack is judged to be high, control that speeds up attack detection is carried out by lowering the abnormality detection threshold Th1 shown in FIG. 11 to Th2.
By making it possible to detect high-risk attacks early in this way, the response to an attack can be carried out sooner, and the damage caused by a security attack can be reduced even further.
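The threshold change of the threshold changing unit 26, as an added C example that is not part of the patent: a simple rate-based anomaly detector runs over per-window frame counts for one CAN ID, and the same constructed input is detected two windows earlier once the threshold drops from Th1 to Th2. The numeric values of Th1 and Th2, the meaning of the threshold (frames per 100 ms window), the risk level at which the threshold is lowered and the sample counts are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Normal and lowered abnormality detection thresholds (Th1 and Th2 on the
 * page). The values and the unit "frames of one CAN ID per 100 ms window"
 * are assumptions of this example. */
#define TH1_FRAMES_PER_WINDOW 20
#define TH2_FRAMES_PER_WINDOW 12

/* Risk level at or above which the threshold changing unit lowers the
 * threshold (assumed; the page only says "when the risk level is high"). */
#define RISK_HIGH_LEVEL 6

/* Threshold changing unit: use Th2 while the calculated risk is high. */
unsigned select_threshold(uint8_t risk)
{
    return risk >= RISK_HIGH_LEVEL ? TH2_FRAMES_PER_WINDOW
                                   : TH1_FRAMES_PER_WINDOW;
}

/* Attack detection unit (simplified): scan the per-window frame counts of
 * one CAN ID and return the index of the first window whose count exceeds
 * the threshold, or -1 when none does. A gateway would evaluate this window
 * by window on the live bus; here the counts are passed in as an array. */
int first_anomalous_window(const unsigned *counts, size_t n, unsigned threshold)
{
    for (size_t i = 0; i < n; i++) {
        if (counts[i] > threshold)
            return (int)i;
    }
    return -1;
}

/* Window index at which an attack is detected for a given risk level. */
int detect_window_for_risk(const unsigned *counts, size_t n, uint8_t risk)
{
    return first_anomalous_window(counts, n, select_threshold(risk));
}

/* Constructed frame counts for one CAN ID, one value per 100 ms window:
 * the rate ramps up as a bus abnormality develops. */
static const unsigned sample_counts[] = { 5, 8, 13, 16, 22, 30 };
#define SAMPLE_WINDOWS (sizeof sample_counts / sizeof sample_counts[0])

int main(void)
{
    int low  = detect_window_for_risk(sample_counts, SAMPLE_WINDOWS, 1);
    int high = detect_window_for_risk(sample_counts, SAMPLE_WINDOWS, 8);
    printf("low risk  (Th1=%u): detected at window %d\n", (unsigned)TH1_FRAMES_PER_WINDOW, low);
    printf("high risk (Th2=%u): detected at window %d\n", (unsigned)TH2_FRAMES_PER_WINDOW, high);
    return 0;
}
```

The trade-off the page leaves implicit is visible in the numbers: with Th2 the ramp is caught at window 2 instead of window 4, but a lower threshold also trips on smaller rate excursions, so the lowered value should only be held while the calculated risk stays high.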
[Functional configuration example 3]
FIG. 9 is a block diagram showing a functional configuration example of a gateway ECU 10B according to still another embodiment.
The gateway ECU 10B shown in FIG. 9 differs from the gateway ECU 10 shown in FIG. 2 in that the gateway ECU 10B has a two-dimensional attack response database table, such as the one shown in FIG. 10, in its execution condition storage unit 31B.
In the attack response database table shown in FIG. 10, an attack response is defined for each combination of attack type and security attack risk level; with this two-dimensional attack response table indexed by (attack type) × (security attack risk level), a finer-grained attack response matching the type and risk level of the attack is determined.
In the security attack detection process of the attack detection unit 23 according to this embodiment, an abnormality (such as a frame abnormality or a bus abnormality) that has occurred in the in-vehicle network 2 is detected based on the frames acquired from the gateway function unit 11, and processing to identify the type of attack corresponding to the detected abnormality is performed.
When the type of attack cannot be identified (for example, because it is an unknown attack), processing to estimate the type of attack corresponding to the detected abnormality is performed.
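The two-dimensional lookup of functional configuration example 3, as an added C example that is not part of the patent. FIG. 10 is not reproduced on the page, so the attack type names, the grouping of risk levels 0 to 9 into three bands and the table contents are all constructed for this example; the only structural point taken from the text is that the response is chosen by the pair (attack type, risk level), with a separate row for an attack whose type could not be identified.

```c
#include <stdint.h>
#include <stdio.h>

/* Attack types produced by the attack detection unit. The page names frame
 * abnormalities and bus abnormalities as the detected anomalies and says the
 * type is estimated when unknown; the concrete type names are constructed. */
enum attack_type {
    ATK_FRAME_ABNORMAL = 0,   /* e.g. malformed or out-of-cycle frames */
    ATK_BUS_ABNORMAL   = 1,   /* e.g. abnormal bus load or error state */
    ATK_UNKNOWN        = 2,   /* type could not be identified */
    ATK_TYPE_COUNT     = 3
};

/* Risk bands used as the second table axis (assumption: FIG. 10 is not on
 * the page, so levels 0-9 are grouped into three bands here). */
enum risk_band { BAND_LOW = 0, BAND_MID = 1, BAND_HIGH = 2, BAND_COUNT = 3 };

enum response_flags {
    RESP_NONE        = 0,
    RESP_BLOCK_COMM  = 1u << 0,
    RESP_LOG         = 1u << 1,
    RESP_DEGRADE     = 1u << 2,   /* e.g. stop automated driving */
    RESP_WARN_DRIVER = 1u << 3
};

enum risk_band band_of(uint8_t risk)
{
    if (risk <= 1) return BAND_LOW;   /* levels 0-1 */
    if (risk <= 3) return BAND_MID;   /* levels 2-3 */
    return BAND_HIGH;                 /* levels 4-9 */
}

/* Stand-in for the FIG. 10 two-dimensional table: one row per attack type,
 * one column per risk band. Contents are constructed; the unknown row is
 * kept at least as strict as the identified rows, since an unidentified
 * attack is the one the detector understands least. */
static const uint8_t response_table_2d[ATK_TYPE_COUNT][BAND_COUNT] = {
    [ATK_FRAME_ABNORMAL] = {
        RESP_LOG,
        RESP_BLOCK_COMM | RESP_LOG,
        RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
    },
    [ATK_BUS_ABNORMAL] = {
        RESP_LOG,
        RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
        RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE | RESP_WARN_DRIVER,
    },
    [ATK_UNKNOWN] = {
        RESP_BLOCK_COMM | RESP_LOG,
        RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE,
        RESP_BLOCK_COMM | RESP_LOG | RESP_DEGRADE | RESP_WARN_DRIVER,
    },
};

/* Response for an (attack type, risk level) pair. A type value outside the
 * table falls back to the unknown row instead of indexing past the array. */
uint8_t decide_response_2d(enum attack_type type, uint8_t risk)
{
    if ((unsigned)type >= ATK_TYPE_COUNT)
        type = ATK_UNKNOWN;
    return response_table_2d[type][band_of(risk)];
}

int main(void)
{
    /* Constructed scenario: a bus abnormality at risk level 3. */
    uint8_t resp = decide_response_2d(ATK_BUS_ABNORMAL, 3);
    printf("block=%d log=%d degrade=%d warn=%d\n",
           !!(resp & RESP_BLOCK_COMM), !!(resp & RESP_LOG),
           !!(resp & RESP_DEGRADE), !!(resp & RESP_WARN_DRIVER));
    return 0;
}
```

Compared with the one-dimensional table of the first embodiment, the same risk level now yields different responses for a frame abnormality and a bus abnormality, which is the finer granularity the text describes; the bounds check on the type index is the one piece of defensive logic worth keeping even when the estimator always returns a valid type.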
[Modification examples]
Although embodiments of the present invention have been described above, the above description is merely an example of the present invention in all respects. Needless to say, various improvements and changes can be made without departing from the scope of the present invention.
For example, the security control unit 12 implemented in the gateway ECU 10 may be mounted in another ECU, or a security ECU equipped with the security control unit 12 may be connected to the in-vehicle network 2.
In a gateway ECU 10 according to another embodiment, the security control unit 12 may be equipped with a notification processing unit which, according to the determined attack response, notifies the occupants of the vehicle via a notification device included in the information system ECU group 8 connected to the in-vehicle network 2 that an abnormality has occurred or that an attack has occurred, or notifies them of appropriate driving operations, of the start, continuation, restoration or cancellation of degraded operation, of the response after an abnormality has occurred, and the like.
Such a notification device may be a navigation device, an audio device, or the like. With this configuration, the notification processing unit can notify the occupants of the vehicle of an abnormality or the like via the notification device, so the occupants can be prompted to take appropriate action against the abnormality or attack.
In a gateway ECU 10 according to still another embodiment, the security control unit 12 may be equipped with a report processing unit that reports the occurrence of the above abnormality or attack to the outside of the vehicle via a telematics device or an ITS-related device included in the information system ECU group 8 connected to the in-vehicle network 2.
With this configuration, the report processing unit can report the occurrence of an abnormality or attack to the outside of the vehicle via the telematics device or the ITS-related device. Therefore, for example, nearby vehicles, infrastructure equipment, dealers, manufacturers, or public institutions can be informed of the occurrence of an abnormality or attack, and an appropriate response to the abnormality or attack can also be carried out from outside the vehicle.
In the above embodiments, examples were described in which the technical idea of the present invention is applied to the gateway ECUs 10, 10A and 10B connected to the in-vehicle network 2. The in-vehicle network 2 is one example of a device network to which the technical idea of the present invention is applied; the technical idea of the present invention is also applicable to security devices included in other device networks, for example an industrial device network in which one or more industrial devices constituting an FA (Factory Automation) system are connected via a communication path, a home device network to which household devices are connected, or an office device network to which office devices are connected.
The FA system includes, for example, transport systems for various articles, inspection systems, and assembly systems using robots. The control devices include, in addition to controller devices such as programmable controllers and motion/position controllers, various sensor devices and the like.
The communication path connecting the various control devices in the FA system may be wired or wireless.
The communication protocol in the device network is not limited to the CAN protocol. The communication protocol may be, for example, CANopen as used in FA systems, or another derived protocol.
INDUSTRIAL APPLICABILITY
The present invention can be widely used in industrial fields related to security devices that carry out an attack response against an attack that has occurred in a device network in which one or more devices, such as in-vehicle devices or industrial devices, are connected via a communication path.
[Additional Notes]
Embodiments of the present invention may also be described as in the following additional notes, but are not limited to them.
(Additional Note 1)
An attack response processing method executed by at least one computer included in an in-vehicle network (2) in which one or more ECU groups (5, 6, 7, 8) are connected via a bus (3), the method comprising:
a risk calculation step (S1) of acquiring information about the state of the in-vehicle network (2) and calculating the current risk level of the in-vehicle network (2);
an attack detection step (S2) of detecting an attack based on an abnormal situation that has occurred in the in-vehicle network (2);
a response determination step (S3) of determining, based on the calculated risk level, the attack response to be carried out against the attack; and
a response implementation step (S4) of carrying out the determined attack response.
1 Vehicle
2 In-vehicle network (device network)
3 Bus
4 OBDII
5 Driving system ECU group
6 Driving support system ECU group
7 Body system ECU group
8 Information system ECU group
10 Gateway ECU (security device)
11 Gateway function unit
12 Security control unit
21 Network information acquisition unit
22 Risk calculation unit
23 Attack detection unit
24 Attack response determination unit
25 Response implementation unit
26 Threshold changing unit
31 Execution condition storage unit

Claims (14)

  1.  A security device included in a device network in which one or more devices are connected via a communication path, the security device comprising:
     an attack detection unit that detects an attack based on an abnormality that has occurred in the device network;
     a network information acquisition unit that acquires information about the state of the devices and sensors included in the device network (hereinafter referred to as network information);
     a risk calculation unit that calculates the current risk level in the device network based on the network information; and
     an attack response determination unit that, when an attack is detected by the attack detection unit, determines the attack response to be carried out against the attack based on the calculated risk level information.
  2.  The security device according to claim 1, wherein the risk calculation unit calculates the risk level based on points allocated in advance to each risk factor in the network information.
  3.  The security device according to claim 1 or 2, comprising an execution condition storage unit in which table information indicating the relationship between the calculated risk level and the attack response is stored,
     wherein the attack response determination unit determines the attack response based on the table information.
  4.  The security device according to claim 1 or 2, comprising an execution condition storage unit in which table information indicating the relationship among the type of the attack, the risk level, and the attack response is stored,
     wherein the attack response determination unit determines the attack response for each combination of the type of the attack and the calculated risk level information based on the table information.
  5.  The security device according to any one of claims 1 to 4, wherein the abnormality detection threshold is changed according to the state of the attack risk to the devices and sensors included in the device network.
  6.  The security device according to any one of claims 1 to 5, wherein the devices are control devices mounted on a vehicle, and
     the device network is an in-vehicle network.
  7.  The security device according to claim 6, wherein the control devices include at least one of a driving system control device, a driving support system control device, a body system control device, an information system control device, and a diagnostic connector device of the vehicle.
  8.  The security device according to any one of claims 1 to 5, wherein the devices are industrial devices constituting an FA system, and
     the device network is an industrial device network.
  9.  An attack response processing method executed by at least one computer included in a device network in which one or more devices are connected via a communication path, the method comprising:
     a risk calculation step of acquiring information about the state of the device network and calculating the current risk level of the device network;
     an attack detection step of detecting an attack based on an abnormal situation that has occurred in the device network;
     a response determination step of determining, based on the calculated risk level, the attack response to be carried out against the attack; and
     a response implementation step of carrying out the determined attack response.
  10.  The attack response processing method according to claim 9, wherein the risk calculation step includes:
     a step of acquiring communication abnormality information;
     a step of acquiring hardware abnormality information; and
     a step of determining an abnormality in a sensor value and creating sensor value abnormality information.
  11.  The attack response processing method according to claim 9 or 10, further including:
     a step of acquiring the points for each piece of abnormality information from an abnormality information point table created in advance; and
     a step of calculating the risk level from the total of the acquired points.
  12.  The attack response processing method according to any one of claims 9 to 11, wherein the response determination step includes:
     a step of acquiring the calculated risk level;
     a step of calling a table, created in advance, in which risk levels and the responses corresponding to those risk levels are defined; and
     a step of determining the response from the calculated risk level based on the table information.
  13.  A computer program for causing at least one computer included in the device network to execute each step of the attack response processing method according to any one of claims 9 to 12.
  14.  A computer-readable storage medium storing a computer program for causing at least one computer included in the device network to execute each step of the attack response processing method according to any one of claims 9 to 12.
PCT/JP2019/029626 2019-07-29 2019-07-29 Security device, attack response processing method, computer program, and storage medium WO2021019635A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2019/029626 WO2021019635A1 (en) 2019-07-29 2019-07-29 Security device, attack response processing method, computer program, and storage medium
JP2021536477A JP7160206B2 (en) 2019-07-29 2019-07-29 SECURITY DEVICE, ATTACK RESPONSE PROCESSING METHOD, COMPUTER PROGRAM AND STORAGE MEDIUM

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/029626 WO2021019635A1 (en) 2019-07-29 2019-07-29 Security device, attack response processing method, computer program, and storage medium

Publications (1)

Publication Number Publication Date
WO2021019635A1 true WO2021019635A1 (en) 2021-02-04

Family

ID=74229784

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/029626 WO2021019635A1 (en) 2019-07-29 2019-07-29 Security device, attack response processing method, computer program, and storage medium

Country Status (2)

Country Link
JP (1) JP7160206B2 (en)
WO (1) WO2021019635A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018062320A (en) * 2016-10-14 2018-04-19 日立オートモティブシステムズ株式会社 Information processing unit, information processing method and information processing system
JP2019039182A (en) * 2017-08-23 2019-03-14 大成建設株式会社 Revolving control system for work vehicle


Also Published As

Publication number Publication date
JP7160206B2 (en) 2022-10-25
JPWO2021019635A1 (en) 2021-02-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19940026

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021536477

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19940026

Country of ref document: EP

Kind code of ref document: A1