JP2014226946A - Abnormality response system and abnormality response method for vehicular communication device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide novel abnormality response system and abnormality response method for a vehicular communication device, the system and method enabling maintaining of the reliability of the vehicular communication device through response processing appropriate for abnormality occurring to the vehicular communication device.SOLUTION: Vehicular control devices 100A-100D include: an abnormality detection part for detecting abnormality of a vehicular communication device and identifying a vehicular control device or data causing the occurrence of the abnormality; and an information substitution part for substituting a proper ID with a substituting ID, the proper ID correlated with the data identified as the cause for the abnormality occurrence.

Description

  The present invention relates to an abnormality handling system for a vehicle communication device and an abnormality handling method for a vehicle communication device.

  Vehicles such as automobiles in recent years include vehicle control devices that control navigation systems, vehicle control devices that electronically control various in-vehicle devices such as engines and brakes, meters that display various states of vehicles, etc. Many vehicle control devices such as a vehicle control device that controls equipment are mounted. Further, in the vehicle, each vehicle control device is electrically connected by a communication line to form a vehicle network. Various data is transmitted and received between the vehicle control devices via the vehicle network. In the vehicle, a plurality of vehicle control devices and a vehicle network constitute a vehicle communication device that is a vehicle communication system.

  In addition, such a vehicle network requires extremely high security because each vehicle control device connected to the vehicle network controls various in-vehicle devices such as engines and brakes mounted on the vehicle. The However, such vehicular networks are normally isolated from external networks. For this reason, the vehicle network is designed on the assumption that data transmitted and received in the vehicle network is regular data transmitted from a regular vehicle control device.

  On the other hand, recently, for example, various data can be exchanged between a vehicle network and an external network, and various data can be exchanged with an external device connected to a data link connector (DLC) provided in the vehicle. The development of the system to proceed is underway. In such a system, in order to ensure the security, for example, unauthorized access is detected by a technique such as unauthorized detection that performs signature matching with pre-registered data, or abnormal detection that detects an operation that is different from normal operation as abnormal. Introducing an intrusion detection function is also being considered.

  As an example, in the system described in Patent Document 1, for example, the reception cycle of data transmitted to the vehicle network is monitored. In this system, an abnormality of the vehicle control device or the vehicle network, that is, an abnormality of the vehicle communication device is detected based on whether or not the reception cycle to be monitored has changed.

JP 2007-31193 A

  By the way, in the conventional system, even if an abnormality of the vehicle communication device is detected, only the driver is warned of the occurrence of the abnormality, and it is considered how to solve the abnormality of the generated vehicle communication device. It has not been. In other words, the current situation is that the system has not been established for detected abnormalities.

  The present invention has been made in view of such a situation, and an object of the present invention is to be able to maintain the reliability of the vehicular communication device through an accurate response process for an abnormality occurring in the vehicular communication device. An object of the present invention is to provide an abnormality response system for a vehicle communication device and an abnormality response method for a vehicle communication device.

Hereinafter, means for solving the above-described problems and the effects thereof will be described.
An abnormality handling system for a vehicle communication device that solves the above-described problem is a vehicle communication that responds to an abnormality in a vehicle communication device in which data is communicated between a plurality of vehicle control devices via a vehicle network. An abnormality response system for an apparatus, wherein an abnormality detection unit that detects an abnormality of the vehicle communication device and identifies a vehicle control device or data that has caused an abnormality, and each of the plurality of vehicle control devices Of the unique identification information that is assigned and associated with the data transmitted by each vehicle control device, the identification information assigned to the vehicle control device identified as the cause of the abnormality or the cause of the abnormality An information substitution unit that substitutes identification information associated with the identified data with identification information for substitution.

  An abnormality response method for a vehicle communication device that solves the above-described problem is a vehicle communication that responds to an abnormality in a vehicle communication device in which data is communicated between a plurality of vehicle control devices via a vehicle network. An apparatus abnormality handling method, wherein a computer that manages an abnormality response of the vehicle communication device detects an abnormality of the vehicle communication device and identifies a vehicle control device or data that has caused the abnormality. And the identification information assigned to the specified vehicle control device or the specified data among the specified identification information assigned to each of the plurality of vehicle control devices and associated with the data. Substituting the replacement identification information with the replacement identification information.

  In the vehicle communication device, unique identification information is assigned for identifying the type of data and the transmission source of the data. For this reason, when the vehicle communication device is normal, the identification information assigned to each data and the identification information assigned to each vehicle communication device are unique.

  On the other hand, for example, there is a case where so-called impersonation is performed in which an unauthorized device or the like illegally acquires the unique identification information and illegally transmits unauthorized data to which the identification information is added. Further, when such unauthorized data is transmitted to the vehicle communication device, various abnormalities occur in the vehicle communication device.

  In this regard, according to the above configuration or method, when an abnormality occurs in the vehicle communication device, the occurrence of the abnormality is detected, and the data or the vehicle control device that causes the abnormality is specified. Then, the unique identification information given to the specified data or the unique identification information assigned to the specified vehicle control device is used as substitute identification information that can be substituted for the specific identification information. Be changed. For this reason, the data to which the genuine unique identification information is assigned and the data to which the identification information pretending to be the identification information in common with the identification information is transmitted to the vehicle communication device from different transmission sources. Is suppressed. That is, an abnormality that occurs due to the same identification information being transmitted from different transmission sources to the vehicle communication device is suppressed. Thereby, the cancellation of the abnormality of the vehicle communication device is promoted.

  As a preferred configuration, the unique identification information is defined with a priority according to the type of data associated with the identification information, and the information substitution unit identifies the identification information with a relatively high priority. The information or the identification information for substitution for at least one of the identification information associated with the data having a relatively short transmission cycle is retained more than the identification information for substitution for the identification information associated with other data. .

  In the vehicle communication device, for example, a priority according to the type of data is defined as a communication rule, and unique identification information corresponding to this priority is given to each data. On the other hand, the higher the priority, the higher the necessity for transmission to the transmission destination, and the higher the necessity for dealing with abnormalities. In addition, since regular data having a shorter transmission cycle is frequently transmitted to the vehicle communication device, regular data having a shorter transmission cycle is likely to be an object of impersonation of illegal data.

  In this regard, according to the above configuration, a relatively large amount of identification information for replacement with respect to unique identification information having a relatively high priority is prepared. For this reason, it is difficult to specify identification information for replacement. Further, for example, after substitution of identification information, even if data with unique identification information having a relatively high priority or a vehicle control device that transmits the data becomes a cause of abnormality, a different substitution Further substitution to the identification information can be performed.

  Moreover, according to the said structure, comparatively many identification information for substitution with respect to the specific identification information provided to data with a short transmission cycle is prepared. In other words, a relatively large amount of substitute identification information is prepared for unique identification information given to data that is likely to be spoofed. It is difficult to specify identification information that can be substituted for the unique identification information given to this data. For example, even if spoofing is further performed after replacement of identification information, spoofing to data with high transmission frequency is suppressed by performing replacement with different replacement identification information as needed.

As a preferred configuration, the information substitution unit holds substitution identification information shared by the plurality of vehicle control devices as the substitution identification information.
In many cases, the number of pieces of identification information that can be used in the vehicle communication device is limited. In addition, since unique identification information corresponding to various types of data has already been defined in a vehicle communication device, the number of identification information that can be used as replacement identification information is often limited. . On the other hand, a plurality of abnormalities rarely occur at the same time, and there is little need to simultaneously replace a plurality of unique information.

  Therefore, in the above configuration, replacement identification information shared by a plurality of vehicle control devices is used as replacement identification information. For this reason, limited identification information is effectively used as replacement identification information. Thereby, substitution of the identification information as a vehicle communication device is promoted. In addition, the applicability of the present system to existing vehicle communication devices is greatly enhanced.

  As a preferred configuration, the information substitution unit is identified as a cause of occurrence of the abnormality when there is identification information that is not used in the shared substitution identification information when a substitution of identification information is performed; The identification information assigned to the vehicle control device or the identification information associated with the data specified as the cause of the abnormality is replaced with the unused identification information for sharing, and the replaced identification information A process for transmitting the data associated with the data at the transmission timing or transmission cycle defined in the vehicle communication device, and b; when there is no unused identification information in the shared replacement identification information Processing for stopping transmission of data transmitted by the vehicle control device identified as the cause of the abnormality or data in which the abnormality is detected To run.

  In the above configuration, when the cause of occurrence of the abnormality is specified, it is confirmed whether there is any available replacement identification information, in other words, whether there is a vacancy in the replacement identification information. . When there is identification information for substitution that can be used, substitution with this identification information is performed. Further, data associated with the replaced identification information is transmitted at a transmission timing or a transmission cycle defined in the vehicle communication device. That is, the transmission timing or transmission cycle of data before and after substitution of identification information is common. Therefore, the data in which the identification information is replaced is transmitted according to the communication regulations, and the transmission mode of the data is common except that the identification information is replaced. As a result, it becomes easy to specify the presence or absence of substitution on the side that has received the data whose identification information has been substituted, and the type and transmission source of the data to which the substituted identification information is assigned.

  Further, in the above configuration, when there is no substitute identification information that can be used, a process of stopping transmission of data transmitted by the vehicle control device specified as the cause of the abnormality or data in which the abnormality is detected is executed. Is done. As a result, when it is difficult to replace the identification information, the transmission of data is stopped, so that the abnormality associated with the transmission of data is urged.

  As a preferred configuration, the vehicle control device that has received the data associated with the replaced identification information identifies a data type or a data transmission source based on at least one of the transmission timing and transmission cycle of the data. To do.

  In the above configuration, when data associated with the replacement identification information is received, the type of data or the transmission source of the data is identified based on at least one of the transmission timing and transmission cycle of the data. That is, since the data associated with the replaced identification information is transmitted according to the communication rule of the data, the transmission timing and transmission cycle of the data are also unique according to the communication rule. For this reason, the data receiving side can identify the data type and the data transmission source based on the transmission timing and transmission cycle of the received data. Thereby, even if the identification information is replaced, data transmission / reception after the replacement is performed smoothly.

As a preferred configuration, the information substitution unit holds unique identification information or a plurality of replacement identification information for each of the plurality of vehicle control devices, as the replacement identification information.
According to the above configuration, one or a plurality of alternative identification information is individually assigned to each of the plurality of vehicle control devices. As a result, the number of identification information that can be replaced increases, and the degree of freedom for replacement of identification information increases. In addition, by assigning one or a plurality of alternative identification information individually for each of a plurality of vehicle control devices, even if an abnormality occurs in a plurality of data or vehicle control devices, Correspondence is performed accurately.

  As a preferred configuration, the information substitution unit is assigned to the vehicle control device specified as the cause of occurrence of the abnormality when there are a plurality of substitution identification information that can be substituted, c; The identification information associated with the identification information or the data specified as the cause of the abnormality is replaced with one alternative identification information selected from the plurality of alternative identification information by a random method or a round robin method. A process of transmitting data associated with the replacement identification information at a transmission timing or a transmission cycle defined in the vehicle communication device; and d; when the replacement identification information is one, Identification information assigned to the vehicle control device specified as the cause of the abnormality or specified as the cause of the abnormality The identification information associated with the data is replaced with the one identification information for replacement, and the data associated with the replacement identification information is transmitted at the transmission timing or transmission cycle defined in the vehicle communication device. Execute the process.

  In the above configuration, when there are a plurality of substitute identification information that can be substituted, the substitution identification information is selected by a random method or a round robin method. Then, the selected replacement identification information is replaced with the target specific identification information. For this reason, the selection range concerning substitution of identification information spreads. As a result, even after the replacement of the identification information, the replacement identification information is difficult to be specified from an unauthorized device or the like.

  Further, in the above configuration, when there is one replacement identification information, this identification information is replaced with unique identification information. For this reason, substitution of identification information when the identification information for substitution is one is smoothly performed. Further, when there is only one piece of substitute identification information, the data receiving side can grasp the substitute identification information and the corresponding unique identification information as a pair. This makes it easier to specify the presence / absence of substitution on the data receiving side, the type of data, the transmission source, and the like.

  In the above configuration, data associated with the replaced identification information is transmitted at the transmission timing or transmission cycle defined in the vehicle communication device. This facilitates data identification and transmission source identification on the receiving side.

  As a preferred configuration, the plurality of vehicle control devices have correspondence information indicating a correspondence relationship between the identification information for replacement possessed by the information substitution unit and the identification information assigned to each of the vehicle control devices. The vehicle control device that has received the data associated with the replaced identification information identifies a data type or a data transmission source based on at least one of the correspondence information and the transmission timing and transmission cycle of the data. To do.

  In the above configuration, when data associated with the replacement identification information is received, the type of data or the transmission source of the data is identified based on at least one of the transmission timing and transmission cycle of the data. That is, since the data associated with the replaced identification information is transmitted according to the communication rule of the data, the transmission timing and transmission cycle of the data are also unique according to the communication rule. For this reason, the data receiving side can identify the data type and the data transmission source based on the transmission timing and transmission cycle of the received data. Thereby, even if the identification information is replaced, data transmission / reception after the replacement is performed smoothly.

  Further, in the above configuration, each vehicle control device that transmits and receives data corresponds to the correspondence between the identification information for replacement held by the information replacement unit and the identification information assigned to each vehicle control device. Hold information. For this reason, each vehicle control apparatus can identify whether the identification information given to the received data is for replacement or for specific use only by referring to the correspondence information. In addition, each vehicle control device can identify unique identification information before being replaced through such correspondence, and can easily grasp the type of data, the transmission source, and the like indicated by the identified unique identification information.

  In a preferred configuration, when the identification information is replaced, the vehicle control device shifts the data associated with the replaced identification information by a predetermined time by a transmission timing or a transmission cycle defined in the data. To the vehicle network.

  When an abnormality occurs in the vehicle communication device, the unauthorized means pretending to be a regular vehicle control device often transmit unauthorized data at the same transmission timing and transmission cycle as the regular data.

  In this regard, according to the above configuration, when transmitting data after substitution of identification information, the transmission timing or transmission cycle defined in the data is shifted by a predetermined time. As a result, collision between illegal data and regular data is avoided. Even in this case, it is possible to specify the type of data and the transmission source on the receiving side by grasping the shift amount in advance on the receiving side. Similarly, a buffer is provided at the threshold for specifying the transmission source or the like based on the transmission timing or transmission cycle for each data indicated by the communication regulations on the data receiving side, so that the data type and transmission source on the receiving side are specified. Is also possible.

  As a preferred configuration, when the information substitution unit further detects an abnormality in the substituted data after substitution by the substitution identification information, e; a plurality of substitution identification information held by the information substitution unit One of a process for sequentially substituting for and f; a process for stopping transmission of data in which the abnormality is detected.

  In the above configuration, when an abnormality is detected even if the identification information is replaced, if there are a plurality of pieces of identification information that can be replaced, sequential replacement using the replacement identification information is performed until the abnormality is resolved. At this time, if a plurality of replacement identification information is sequentially replaced from a lower priority to a higher priority, the data after replacement is more likely to be transmitted preferentially. Smooth transmission of the received data is encouraged. Then, by sequentially performing substitution using the identification information for substitution, it is difficult to impersonate the identification information for substitution, and it is promoted to eliminate the abnormality.

  Further, in the above configuration, when an abnormality is detected even when the identification information is replaced, a process of stopping transmission of data in which the abnormality is detected can be executed. As a result, when the abnormality is not resolved by the replacement of the identification information, for example, the transmission of data of the vehicle control device is stopped, assuming that the normal vehicle control device is operating abnormally. Thereby, the soundness of the vehicle communication device is accurately maintained.

  As a preferred configuration, as a communication rule of the vehicle communication device, a rule that an error frame indicating a network error is transmitted to the vehicle network when simultaneous transmission of different data associated with the same identification information is defined. The abnormality detection unit detects that an abnormality has occurred in the vehicle communication device based on whether the error frame has been detected a predetermined number of times or more, and the information substitution unit is provided with the same identification information. The unique identification information assigned to the vehicle control device that transmits the different data is substituted.

  In the vehicle communication device, the error frame may be defined as a communication rule. This error frame is different from the data transmitted by the vehicle control device although the unique identification information of the data transmitted to the network matches the identification information used by the regular vehicle control device. When the data is detected, the vehicle control device transmits that an abnormality has occurred. Therefore, when an error frame is transmitted, there is a high probability that illegal data impersonating legitimate vehicle control device data is transmitted to the network.

  Therefore, in the above configuration, when an error frame is detected a predetermined number of times or more, it is detected that an abnormality has occurred in the vehicle communication device. Of the unique identification information assigned to the vehicle control device that transmits different data to which the same identification information is assigned, the unique identification information assigned to the data transmitted simultaneously to the network is replaced. The For this reason, the collision of the data with the same identification information is avoided, and the occurrence of error frames is suppressed.

  As a preferred configuration, the abnormality detection unit is configured to determine whether the difference between a transmission interval of data transmitted to the vehicle network and a transmission interval defined in the data is less than a predetermined interval. And detecting that an abnormality has occurred in the communication device, the information replacement unit replaces the unique identification information associated with the data whose difference from the prescribed transmission interval is less than a predetermined interval.

  When unauthorized data is transmitted to the vehicle network, the communication load of the vehicle network increases, and the transmission interval of data transmitted to the vehicle network becomes relatively short. For this reason, for example, when the data transmission interval becomes shorter than the interval defined as the normal transmission interval of the vehicle network, unauthorized data is transmitted to the vehicle network in addition to the regular data. There is a high probability of being. Further, the transmission efficiency of regular data tends to decrease during a period in which the transmission interval is decreased.

  Therefore, in the above configuration, the vehicle communication device has an abnormality based on whether or not the difference between the transmission interval of data transmitted to the vehicle network and the transmission interval defined in the data is less than a predetermined interval. The occurrence is detected. Then, the unique identification information associated with the data whose difference from the prescribed transmission interval is less than the predetermined interval is substituted. For this reason, when the identification information is replaced, the priority for transmission of data to which the identification information is added changes in the vehicle network. This facilitates transmission of data in which identification information is substituted through such a change in priority.

  As a preferred configuration, the abnormality detection unit determines that an abnormality has occurred in the vehicular communication device based on whether or not the amount of data per unit time transmitted to the vehicular network has exceeded a predetermined data amount. Then, the information substitution unit substitutes the unique identification information associated with the data whose data amount per unit time is equal to or larger than a predetermined data amount.

  When unauthorized data is transmitted to the vehicle network, the communication load on the vehicle network increases, and the amount of data per unit time transmitted to the vehicle network increases. For this reason, for example, when the amount of data on the vehicle network is larger than the amount of data per unit time when the vehicle network is normal, in addition to legitimate data, unauthorized data is transmitted to the vehicle network. There is a high probability of being. In addition, during the period in which the amount of data per unit time is increasing, the transmission efficiency of regular data tends to decrease.

  Therefore, in the above configuration, it is detected that an abnormality has occurred in the vehicular communication device based on whether or not the data amount per unit time of the vehicular network is equal to or greater than a predetermined data amount. When the data amount per unit time of the vehicle network becomes equal to or greater than the predetermined data amount, the unique identification information associated with the data transmitted to the vehicle network is substituted. For this reason, when the identification information is replaced, the priority for transmission of data to which the identification information is added changes in the vehicle network. This facilitates transmission of data in which identification information is substituted through such a change in priority.

  As a preferred configuration, the vehicle network is a controller area network, and priority is defined for the unique identification information and the replacement identification information. When substituting information, alternative identification information having higher priority than specific identification information to be substituted is selected.

  In the above configuration, the data transmitted to the vehicle network is transmitted according to the priority of the identification information. For this reason, for example, when a plurality of pieces of data having different identification information are transmitted to the vehicle network within a predetermined period, data having a high priority is transmitted with priority.

  In this regard, in the above configuration, when the identification information is replaced, the replacement identification information having a higher priority than the specific identification information to be replaced is selected. For this reason, for example, even if the unique identification information to be replaced is imitated by an unauthorized device or the like, and unauthorized data to which identification information having the same priority as this identification information is given is transmitted to the vehicle network, The identification information to be replaced has a higher priority than the identification information given to illegal data. As a result, when an abnormality occurs, the priority of the data that has caused the abnormality is changed through replacement with identification information having a high priority. Therefore, accurate transmission of data to which alternative identification information is attached is prompted.

In the first embodiment of the vehicle communication device abnormality handling system and the vehicle communication device abnormality handling method according to the present invention, the vehicle communication device abnormality handling system and the vehicle communication device abnormality handling method are applied. 1 is a block diagram showing a schematic configuration of a vehicle. The block diagram which shows schematic structure of the control apparatus for vehicles to which the abnormality response system of the vehicle communication apparatus and the abnormality response method of the vehicle communication apparatus are applied. (A) is a figure which shows the transition example of a bus level. (B) is a figure showing an example of data transmitted to a network for vehicles. The figure which shows an example of the correspondence information preserve | saved at the preservation | save area | region. (A) is a figure which shows an example of the allocation aspect of unique ID and substitute ID. (B) is a figure which shows an example of the correspondence of the control apparatus for vehicles, unique ID, and substitute ID. (A) is a figure which shows an example of the allocation aspect of unique ID and substitute ID. (B) is a figure which shows an example of the correspondence of the control apparatus for vehicles at the time of substitution of identification information, unique ID, and ID for substitution. The flowchart which shows an example of the alternative procedure of the identification information in the transmission side of data. The flowchart which shows an example of the data processing procedure in the data receiving side. The figure which shows an example of the collision aspect of the two data to which the same unique ID was provided. The figure which shows an example of the example of a response | compatibility to unauthorized data. The figure which shows an example of the corresponding | compatible information of ID for replacement and unique ID shared about 2nd Embodiment of the abnormality response system of the vehicle communication apparatus concerning this invention, and the abnormality response method of the vehicle communication apparatus. (A) is a figure which shows an example of the allocation aspect of unique ID and substitute ID. (B) is a figure which shows an example of the correspondence of the control apparatus for vehicles, unique ID, and substitute ID. (A) is a figure which shows an example of the allocation aspect of unique ID and substitute ID. (B) is a figure which shows an example of the correspondence of the control apparatus for vehicles at the time of substitution of identification information, unique ID, and ID for substitution. The flowchart which shows an example of the alternative procedure of the identification information in the transmission side of data. The flowchart which shows an example of the data processing procedure in the data receiving side. An example of a correspondence relationship between a substitute ID assigned according to priority and a unique ID in the third embodiment of the vehicle communication device abnormality response system and the vehicle communication device abnormality response method according to the present invention. FIG. Other Embodiments of Vehicle Communication Device Abnormality Handling System and Vehicle Communication Device Abnormality Handling Method According to the Present Invention Correspondence between Unique ID and Alternative ID for Each Vehicle Control Device Managed by One Device The figure which shows an example of information. Other Embodiments of Vehicle Communication Device Abnormality Handling System and Vehicle Communication Device Abnormality Handling Method According to the Present Invention Correspondence between Unique ID and Alternative ID for Each Vehicle Control Device Managed by One Device The figure which shows an example of information. The figure which shows an example of the allocation aspect of specific ID and substitute ID about other embodiment of the abnormality response system of the vehicle communication apparatus concerning this invention, and the abnormality response method of the vehicle communication apparatus. The figure which shows an example of the alternative procedure of several alternative ID about other embodiment of the abnormality response system of the vehicle communication apparatus concerning this invention, and the abnormality response method of the vehicle communication apparatus.

(First embodiment)
DESCRIPTION OF THE PREFERRED EMBODIMENTS A first embodiment that embodies an abnormality handling system for a vehicle communication device and an abnormality handling method for a vehicle communication device according to the present invention will be described below with reference to FIGS. In the present embodiment, data is transmitted / received via a controller area network (CAN) mounted on a vehicle as a vehicle network. Further, in a vehicle network configured by CAN, data communication is performed in accordance with a CAN protocol that is a communication rule of CAN.

  As shown in FIG. 1, a vehicle 10 to which the vehicle communication device abnormality handling system and the vehicle communication device abnormality handling method of the present embodiment are applied is a control of various devices mounted on the vehicle 10. A plurality of vehicle control devices (ECUs) 100A to 100D are mounted. The vehicle control device 100A controls various vehicle drive system devices such as an engine, a brake, and a steering, for example. The vehicle control devices 100B and 100C control various information-related devices such as a car navigation system that performs route guidance from the current location to the destination, for example. The vehicle control device 100 </ b> D controls body-type devices such as an air conditioner and a meter that displays various states of the vehicle 10, for example.

Each of the vehicle control devices 100A to 100D constitutes a vehicle communication device by being connected to a communication bus 20 constituting a CAN bus.
The communication bus 20 is connected to a DLC (data link connector) 200 that is connected to an external device. The DLC 200 is connected to an external device such as a diagnostic device or a multifunction telephone device of the vehicle control devices 100A to 100D, for example. The DLC 200 relays data communication between these external devices and the vehicle control devices 100A to 100D.

  For this reason, when an external device that is insufficiently verified for operation when connected to the vehicle network is connected to the communication bus 20, a communication message transmitted from the external device is a part of communication in the communication bus 20 or There is also a possibility of adversely affecting the whole. For example, a non-regular external device such as a non-regular tester or a smartphone transmits a communication message improperly executed such as inappropriate software or a virus to the communication bus 20 so that a part of communication in the communication bus 20 or May cause adverse effects on the whole. Furthermore, there is a possibility that an unauthorized ECU including an intention to disturb communication in the communication bus 20 is connected to the communication bus 20. Therefore, as a communication system, it is necessary to prevent communication using a communication message that may affect communication on the communication bus 20 or to cope with communication using the communication message.

  The vehicle control devices 100A to 100D according to the present embodiment associate a unique ID, which is unique identification information defined in advance, with data when transmitting and receiving data. For example, a plurality of unique IDs corresponding to the type of data transmitted by the vehicle control devices 100A to 100D are assigned to the vehicle control devices 100A to 100D, respectively. The vehicle control devices 100A to 100D that have received the data associated with the unique ID determine the necessity of the received data and the validity of the data by identifying the unique ID. And vehicle control device 100A-100D permits acquisition of the data determined to be necessary and valid. The vehicle control devices 100A to 100D use the acquired data for various controls.

  Further, the CAN protocol defines data to be transmitted / received, that is, a frame that is a structure of a communication message. The frame includes an area for storing a “unique ID” (identifier) indicating the content of the communication message. The unique ID has a specific value for each type of communication message. Each of the vehicle control devices 100A to 100D transmits a unique ID corresponding to the content of information included in the communication message to be transmitted. In addition, vehicle control devices 100A to 100D determine the content of information included in the received communication message based on the unique ID.

  In the CAN protocol, the priority of a communication message is determined by a unique ID. As the unique ID value decreases, the priority of the communication message increases. Conversely, the priority of the communication message increases as the unique ID value increases. The degree becomes lower. For example, when three types of unique IDs “10”, “100”, and “200” are compared, the communication message with the unique ID “10” has the highest priority, and the communication message with the unique ID “100” has the highest priority. The communication message with the next highest priority and the unique ID “200” has the lowest priority.

  The communication bus 20 includes a communication line such as a twist cable, and transmits a communication message as a unit in communication in the CAN protocol via the communication line. It is possible to add a vehicle control device or the like that communicates based on the CAN protocol to the communication bus 20. Further, the added vehicle control device or the like can transmit the communication message to the communication bus 20. Note that the communication bus 20 may include wireless communication as part of a communication path, or may include a path that passes through another network via a gateway or the like.

  FIG. 2 shows a schematic configuration of the vehicle control device 100A as an example. The other vehicle control devices 100B to 100D have the same configuration as the vehicle control device 100A illustrated in FIG.

  The vehicle control device 100 </ b> A includes a driver 110 that performs communication with other vehicle control devices 100 </ b> B to 100 </ b> D and an external device connected to the DLC 200. In addition, the vehicle control device 100A includes an information processing unit 120 that performs information processing necessary for various controls based on information acquired from various sensors, information obtained by arithmetic processing, and the like.

  The information processing unit 120 is configured by a microcomputer or the like. In addition, the information processing unit 120 includes a calculation device that performs various processes, a storage device that stores calculation results, programs for providing various control functions, parameters used for the control functions, and the like. And in the information processing part 120, this control function is provided by the program which provides predetermined | prescribed control functions, such as engine control, for example being performed with an arithmetic unit.

  The driver 110 acquires the timing at which the communication message is received from the communication bus 20. The driver 110 analyzes the received communication message, and acquires a message ID included in the communication message, communication data that is a data body to be transferred, and the like. Then, the driver 110 provides the information processing unit 120 with information such as the reception timing of the communication message, message ID, and communication data. On the other hand, a message ID, communication data, transmission timing, and the like are input to the driver 110 from the information processing unit 120. Based on the input message ID and communication data, the driver 110 generates a communication message including the message ID and the communication data. Then, the driver 110 transmits the communication message generated at the input transmission timing to the communication bus 20.

  That is, the vehicle control device 100A gives communication data to be transmitted from the information processing unit 120 to the driver 110. In addition, the vehicle control device 100A causes the driver 110 to create a communication message including the communication data and the like, and causes the created communication message to be transmitted from the driver 110 to the communication bus 20. In the vehicle control device 100A, a communication message transmitted to the communication bus 20 is received by the driver 110, and communication data included in the received communication message is transferred from the driver 110 to the information processing unit 120. To be acquired.

  As a result, the information processing unit 120 of the vehicle control device 100A acquires various data transmitted from the other vehicle control devices 100B to 100D from the communication message flowing through the communication bus 20. In addition, the information processing unit 120 can transmit a communication message including various data to be transmitted to the other vehicle control devices 100 </ b> B to 100 </ b> D to the communication bus 20.

  The information processing unit 120 includes an abnormality detection unit 121 that detects an abnormality in the vehicle network and the vehicle control devices 100A to 100D, an information substitution unit 122 that responds to the detected abnormality, and the vehicle control devices 100A to 100D. A transmission / reception control unit 123 that transmits and receives data according to each control is provided. In addition, the information processing unit 120 stores a storage area 124 in which information related to a control interval that is various parameters related to the quality determination of a communication message reception interval and replacement ID that is replacement identification information used when an abnormality occurs is stored. I have.

  The abnormality detection unit 121 calculates the transmission cycle or transmission timing of the data transmitted to the communication bus 20 by the vehicle control device 100A. For example, when the transmission cycle or transmission timing of the calculated data is substantially the same as the transmission cycle or transmission timing of the data indicated by the communication rule stored in the storage area 124, the abnormality detection unit 121 stores the data. Judge that it is sent normally. On the other hand, when the difference between the transmission cycles is equal to or larger than a predetermined difference defined for detecting an abnormality, the abnormality detection unit 121 determines that the communication bus 20, the vehicle control device 100A, or the vehicle control device 100A Judge that an error occurred in the data to be transmitted.

  In addition, the abnormality detection unit 121 determines that an abnormality has occurred in the vehicle network when the number of error frames transmitted to the vehicle network is equal to or greater than a predetermined number of times defined for abnormality detection. The error frame is transmitted by the vehicle control devices 100A to 100D that have detected the simultaneous transmission when different data associated with the same unique ID are transmitted at the same time.

  Here, as shown in FIG. 3A, for example, the vehicle control device 100A sets the bus level, which is the potential of the communication bus 20, to “0” and “1” when performing data communication based on the specifications of the CAN protocol. Data communication by changing between. The driver 110 of the vehicle control device 100 </ b> A monitors whether the bus level indicating the data transmitted by itself and the bus level of each communication bus 20 match.

  Here, for example, it is assumed that an unauthorized external device illegally connected to the DLC 200 impersonates the vehicle control device 100A and transmits data imitating the data transmitted by the vehicle control device 100A.

  As a result, since the data transmitted by the vehicle control device 100A differs from the data transmitted by an unauthorized external device at the timing t1 shown in FIG. 3B, the bus level indicated by the vehicle control device 100A A difference from the bus level of the communication bus 20 occurs.

  When the driver 110 of the vehicle control device 100A recognizes the occurrence of a bit error, the driver 110 transmits an error frame indicating that a data transmission error has occurred to the communication bus 20. In addition, the driver 110 counts the number of transmissions of error frames transmitted by the driver 110 itself. Each time the driver 110 counts the error frame, the driver 110 adds, for example, “8” to the error counter managed by itself. Conversely, when the driver 110 detects that data transmission has been successful, the driver 110 subtracts “3” from the counted error counter.

  When the number of error counters counted in this way exceeds, for example, “255”, the driver 110 determines that an abnormality has occurred in data having a different bus level or in the vehicle control device 100A that transmits the data. . Then, the driver 110 outputs information indicating the occurrence of the abnormality and the unique ID associated with the data to the abnormality detection unit 121 of the information processing unit 120.

  The abnormality detection unit 121 detects the occurrence of an abnormality based on information input from the driver 110. Moreover, the abnormality detection part 121 specifies the data which became the cause of abnormality among the data which 100 A of vehicle control apparatuses transmit based on the information which shows unique ID input from the driver 110. FIG.

  Further, when information indicating the occurrence of an abnormality and the unique ID is input from the driver 110, the information substitution unit 122 illustrated in FIG. 2 is a substitution stored in the vehicle control device 100A as identification information for substitution of the unique ID. The business ID is selected with reference to the storage area 124. Then, the information replacement unit 122 outputs a command to the effect that the selected replacement ID should be replaced with a unique ID to the transmission / reception control unit 123.

  As shown in FIG. 4, in the storage area 124, correspondence information that is information related to the unique ID assigned to each data transmitted by the vehicle control device 100 </ b> A in which the storage area 124 is mounted is registered. .

  For example, as the data transmitted by the vehicle control device 100A, a plurality of types of data including the vehicle speed data indicating the traveling speed of the vehicle 10 are defined. In addition, “ID-A1”, “ID-A2”,... “ID-An” are respectively defined as unique IDs assigned to various data.

  Further, in the present embodiment, “ID-Acg1”, “ID-Acg2”,... “ID-Acgn”, which are substitute IDs, are associated with each unique ID. Each substitute ID is an ID prepared in advance for dealing with an abnormality that has occurred with the transmission of data in which each unique ID is used. The replacement ID stored in the storage area 124 is used for ID replacement by the information replacement unit 122.

  When a command to substitute the unique ID for the substitution ID selected by the information substitution unit 122 is input, the transmission / reception control unit 123 associates the substitution ID with the target data instead of the unique ID. Thereby, for example, when the vehicle speed data is specified as the cause of the abnormality, the ID associated with the vehicle speed data is changed from “ID-A1” to “ID-Acg1”. As a result, the vehicle control device 100 </ b> A transmits vehicle speed data associated with “ID-Acg <b> 1” to the communication bus 20.

  Note that the transmission / reception control unit 123 according to the present embodiment, when the ID is replaced, for example, at least one of the transmission timing, the transmission cycle, and the transmission interval of the data to which the replacement ID is assigned, within a predetermined range. Change within.

  Hereinafter, with reference to FIG. 5 and FIG. 6, an alternative mode of the unique ID by the vehicle communication apparatus abnormality handling system and the vehicle communication apparatus abnormality handling method of the present embodiment will be described. In the example of FIGS. 5 and 6, for the sake of simplicity, each of the ECUs 1 to 8 indicating the vehicle control device is assigned one unique ID and a substitute ID. Moreover, the priority according to the content of the data which they transmit to each ECU1-ECU8 is prescribed | regulated. The unique ID and the substitute ID are allocated according to such priorities.

  As shown in FIG. 5A, the unique IDs 1 to 8 that are unique IDs are assigned to the ECU1 to ECU8. In this example, “ID1” has the highest priority, and “ID2”, “ID3”,.

  Further, as shown in FIG. 5B, in this embodiment, “substitution ID1” to “substitution ID8” are set as the substitution IDs of the unique ID1 to the unique ID8, respectively. For example, “substitution ID 1” is set as the substitution ID of “unique ID”. Furthermore, “substitution ID1” to “substitution ID8” are set with higher priority than the unique ID1 to unique ID8 to be substituted, respectively. That is, “substitution ID1”, which is the substitution ID, has a higher priority based on the communication rules than the unique ID1 of ECU1.

  As shown in FIG. 6A, for example, it is assumed that an error frame has occurred due to the simultaneous transmission of data to which the same ID as the unique ID 6 associated with the data transmitted by the ECU 6 is transmitted to the vehicle network. . Then, the abnormality detection unit 121 specifies that the unique ID 6 or the ECU 6 that transmits the unique ID 6 is the cause of the abnormality.

  As shown in FIG. 6B, when it is specified that the cause of the abnormality is the unique ID 6 or the ECU 6, the information substitution unit 122 determines the ID to be given to the data to which the unique ID 6 is given from the unique ID 6. Substitute with “substitution ID 6”. Thereby, “substitution ID 6” having a higher priority than the unique ID 6 is assigned to the data to which the unique ID 6 is assigned.

  As a result, for example, even if an unauthorized external device impersonates a legitimate ECU 6 and simultaneously transmits unauthorized data with the same unauthorized ID 6 as that of the unique ID 6, the replacement ID 6 can be used instead of the unauthorized ID. Has a higher priority. For this reason, in the vehicular network, even if simultaneous transmission of data is performed, the data with the substitute ID 6 is preferentially transmitted over the data with the illegal ID. Furthermore, since the IDs of the illegal ID and the substitute ID 6 are different, the occurrence of an error frame is suppressed.

Next, with reference to FIG. 7 and FIG. 8, processing procedures on the data transmission side and the reception side will be described.
As shown in FIG. 7, on the data transmission side, first, in step S100, for example, the vehicle control device 100A has given a unique ID “ID-A1” based on the occurrence of a specific event or communication regulations. Send.

  Next, when data with the same unauthorized ID as the unique ID “ID-A1” is transmitted to the vehicle network at the transmission timing of the data with the unique ID “ID-A1”, the vehicle control device 100A transmits an error frame to the vehicle network (step S101).

  When the number of transmissions of the error frame reaches a specified number defined based on the communication rule (step S102: YES), the information substitution unit 122 refers to the communication rule defined in the storage area 124. As a result, the information substitution unit 122 selects “ID-Acg1” as a substitution ID for the unique ID “ID-A1”. In addition, the information substitution unit 122 transmits the data with the selected “ID-Acg1” to the vehicular network at the transmission timing and transmission cycle specified in the data (step S103).

In this way, when the transmission process of data to which the substitute “ID-Acg1” is assigned is completed (step S104: YES), this process ends.
On the other hand, even if the ID is replaced with the ID “ID-Acg1”, for example, an error frame is generated due to simultaneous transmission of data with the same illegal ID as the “ID-Acg1” to the vehicle network. Is not suppressed (step S104: NO), the data transmission process is temporarily stopped (step S106).

  For example, when it is confirmed that the data with the same unauthorized ID as “ID-Acg1” is not made into the vehicle network after a predetermined period of time, the vehicle control device 100A replaces the “ID-Acg1” The regular data to which "is given" is transmitted again to the vehicle network (step S107).

  Note that when an error frame continues to occur even after the predetermined period has elapsed, for example, the occurrence of an abnormality in the vehicle network is notified to the user, or the vehicle control device 100A stops operating.

  As shown in FIG. 8, for example, in the vehicle control devices 100B to 100D on the data receiving side, when data is transmitted from the vehicle control device 100A, the unique ID or replacement ID given to this data is identified. To do. Thereby, the necessity of reception of the data transmitted from the vehicle control device 100A is determined (step S200).

  Next, when reception of data is permitted and it is detected that an error frame due to the data or the transmission source of the data is generated, the data is added to the data transmitted from the vehicle control device 100A. It is determined whether the existing ID is a unique ID or an alternative ID (steps S201 and S202). Note that whether the ID assigned to the data transmitted from the vehicle control device 100A is a unique ID or an alternative ID is identified based on, for example, the list shown in FIG.

  When the ID given to the data transmitted from the vehicle control device 100A is a unique ID (step S202: NO), for example, the occurrence of an error frame is the vehicle control device 100A or the vehicle control device 100A. It is determined that it is not caused by the data transmitted from. As a result, on the data receiving side, normal processing is performed based on CAN communication regulations.

  On the other hand, when the ID assigned to the data transmitted from the vehicle control device 100A is an alternative ID (step S202: YES), the data assigned with the alternative ID or the vehicle control that is the transmission source thereof. It is determined whether or not error frames caused by the apparatus 100A are continuously generated (step S203).

  When the error frame detected in step S201 has already stopped (step S203: NO), this process is terminated, assuming that the abnormality has been eliminated by ID substitution. That is, the data to which the substitute ID is assigned is processed by the vehicle control devices 100B to 100D on the receiving side.

  On the other hand, when the error frame detected in step S201 is continuously generated (step S203: YES), the data transmitted from the vehicle control device 100A for a predetermined period, assuming that the abnormality is not solved by the ID substitution. Is temporarily permitted (step S205).

  For example, when it is confirmed that the data with the same unauthorized ID as the substitute ID is not made into the vehicle network after a predetermined period, the receiving side is permitted to receive the data once permitted or rejected. (Step S206).

  When the error frame continues to occur even after the predetermined period has elapsed, the vehicle control devices 100B to 100D on the data receiving side prohibit the reception of data transmitted from the vehicle control device 100A. To do.

Hereinafter, with reference to FIG.9 and FIG.10, the effect | action of the abnormality response system of the vehicle communication apparatus of this Embodiment and the abnormality response method of the vehicle communication apparatus is demonstrated.
As illustrated in FIG. 9, for example, it is assumed that the authorized ECU 2 transmits data to which the authorized unique ID “ID: B” is assigned to the vehicle network. In this example, the ECU 2 holds “ID: J” and “ID: Y” as substitute IDs for the unique ID “ID: B”.

  Here, when an unauthorized external device impersonates the ECU 2 and transmits unauthorized data with the same ID as the regular unique ID “ID: B” to the vehicle network, the same ID is assigned 2 Data collide.

  As shown in FIG. 10, when the legitimate ECU 2 detects a data collision, the legitimate ECU 2 substitutes the unique ID “ID: B” with, for example, the substitute ID “ID: J”. And regular ECU2 transmits the data which provided this "ID: J" to the network for vehicles. Thereby, in this Embodiment, the collision of the data provided with the same ID is eliminated, and the network error for vehicles is suppressed.

As described above, according to the abnormality handling system for a vehicle communication device and the abnormality handling method for a vehicle communication device according to the present embodiment, the following effects can be obtained.
(1) The abnormality detection unit 121 detects an abnormality in the vehicle communication device and identifies the vehicle control device or data that has caused the abnormality. In addition, the information substitution unit 122 substitutes the unique ID, which is identification information associated with the data specified as the cause of the abnormality, with the replacement ID. Thus, when an abnormality occurs in the vehicle communication device, an appropriate response to this abnormality is performed.

  (2) The information replacement unit 122 uses the replacement ID corresponding to each unique ID for each of the vehicle control devices 100A to 100D as the replacement identification information. As a result, even if the data to which each unique ID is assigned becomes a cause of an abnormality, the resolution of the abnormality is urged through the substitution of the individual unique ID.

  (3) When there is only one replacement ID corresponding to the unique ID, the information substitution unit 122 identifies the unique ID assigned to the vehicle control device identified as the abnormality occurrence factor or the occurrence factor of the abnormality. The unique ID associated with the generated data is replaced with the one replacement ID. And the information alternative part 122 was made to transmit the data with which the alternative ID for substitution was associated with the transmission timing or transmission period prescribed | regulated by the vehicle communication apparatus. For this reason, substitution of identification information is smoothly performed when there is one substitution ID corresponding to each unique ID. In addition, since there is one replacement ID corresponding to each unique ID, the data receiving side can grasp the replacement ID and the corresponding unique ID as a pair. This makes it easier to specify the presence / absence of substitution, the type of data, the transmission source, etc. on the data receiving side.

  (4) The vehicle control devices 100 </ b> A to 100 </ b> D have the storage area 124 in which correspondence information indicating the correspondence between the replacement ID and the unique ID is recorded. The vehicle control devices 100A to 100D identify the type of data or the data transmission source based on at least one of the correspondence information, the transmission timing of the data, and the transmission cycle. For this reason, the data receiving side can identify the data type and the data transmission source based on the transmission timing and transmission cycle of the received data. Thereby, even if the unique ID is replaced, data transmission / reception after replacement is performed smoothly. Accordingly, the vehicle control devices 100 </ b> A to 100 </ b> D can identify whether the ID assigned to the received data is for replacement or for specific use only by referring to the correspondence information.

  (5) When the transmission / reception control unit 123 of the vehicle control devices 100A to 100D is replaced with the replacement ID, the transmission timing specified in the data or the data associated with the replacement ID or The transmission cycle was shifted by a predetermined time and transmitted to the vehicle network. As a result, collision between illegal data and regular data is avoided. Even in this case, the shift amount is preliminarily known on the receiving side, or the data receiving side has a buffer as a threshold for specifying a transmission source or the like based on the transmission timing or transmission cycle for each data indicated by the communication rule. By being provided, it is possible to specify the type of data and the transmission source on the receiving side.

  (6) The information substitution unit 122 performs processing for stopping transmission of data in which an abnormality is detected when an abnormality in the substituted data is further detected after substitution by the substitution ID. As a result, when the abnormality is not resolved even by the replacement of the ID, for example, the transmission of data of the vehicle control device is stopped on the assumption that the normal vehicle control device is operating abnormally. Thereby, the soundness of the vehicle communication device is accurately maintained.

  (7) The abnormality detection unit 121 detects that an abnormality has occurred in the vehicle communication device based on whether or not an error frame has been detected a predetermined number of times or more. The information substitution unit 122 substitutes the unique ID associated with the data that is the source of the error frame. For this reason, the collision of data with the same unique ID is avoided, and the occurrence of error frames is suppressed.

(Second Embodiment)
Next, the second embodiment of the vehicle communication apparatus abnormality handling system and the vehicle communication apparatus abnormality handling method according to the present invention will be described with reference to FIGS. This will be described with reference to FIG. The vehicle communication device abnormality handling system and the vehicle communication device abnormality handling method according to the present embodiment also have the same basic configuration as that of the first embodiment. Also, elements that are substantially the same as those in the first embodiment are denoted by the same reference numerals, and redundant descriptions are omitted.

  As shown in FIG. 11, in the present embodiment, for example, three unique IDs “ID-A1”, “ID-A2”, “ID” are stored in the storage area 124 of each of the vehicle control devices 100A to 100D. As a substitute ID for “−A3”, a single “ID-Acg1” is defined. Similarly, a single “ID-Acg2” is defined as an alternative ID for the three unique IDs “ID-A4”, “ID-A5”, and “ID-A6”.

  Note that an ID having a higher priority than any of “ID-A1”, “ID-A2”, and “ID-A3” is used as the replacement ID “ID-Acg1”. Similarly, an ID having a higher priority than any of “ID-A4”, “ID-A5”, and “ID-A6” is used as the replacement ID “ID-Acg2”.

Thus, in the present embodiment, in view of the limitation on the number of IDs used in CAN, a single replacement ID is shared as a replacement ID for a plurality of unique IDs.
Hereinafter, with reference to FIG. 12 and FIG. 13, an alternative mode of the unique ID by the vehicle communication apparatus abnormality handling system and the vehicle communication apparatus abnormality handling method of the present embodiment will be described. In the example of FIGS. 12 and 13, for the sake of simplicity, each of the ECUs 1 to ECUn indicating the vehicle control device is assigned one unique ID. Moreover, the priority according to the content of the data which each ECU1-ECU transmits is prescribed | regulated.

  As shown in FIG. 12A, the unique IDs “ID1” to “IDn” are assigned to the ECUs 1 to ECUn. Also in this example, “ID1” has the highest priority, and “ID2”, “ID3”,.

  Also, as shown in FIG. 12B, in the present embodiment, for example, as two replacement IDs of four unique IDs “ID5” to “ID8”, two less than the total value of the number of each unique ID Replacement IDs “ID3” and “ID4” are set. Note that each of the replacement IDs “ID3” and “ID4” has a higher priority than the unique IDs “ID5” to “ID8”.

  As shown in FIG. 13A, for example, it is assumed that an error frame has occurred due to simultaneous transmission of data to which the same ID as the unique ID 8 associated with the data transmitted by the ECU 8 is transmitted to the vehicle network. . Then, the abnormality detection unit 121 specifies that the unique ID 8 or the ECU 8 that transmits the unique ID 8 is a cause of the abnormality.

  As shown in FIG. 13B, when the cause of the abnormality is identified as the unique ID 8 or the ECU 8, the information substitution unit 122 displays “substitution ID 3” and “substitution ID 4” as available substitution IDs. ”Exists. Next, the information substitution unit 122 substitutes the ID to be given to the data to which the unique ID 8 is given from the unique ID 8 with “substitution ID 3” having a higher priority than the unique ID 8. As a result, “alternative ID 3” having a higher priority than the unique ID 8 is assigned to the data to which the unique ID 8 has been assigned.

  During the use of “substitution ID3”, the substitution ID that can be substituted for the unique IDs “ID5” to “ID7” is one of “substitution ID4”. Thereafter, when the ID is replaced, the “substitution ID 4” is replaced with any one of the unique IDs “ID5” to “ID7”.

Next, with reference to FIG. 14 and FIG. 15, a processing procedure on the data transmission side and the reception side will be described.
As shown in FIG. 14, on the data transmission side, first, in step S300, for example, the vehicle control device 100A has specified a specific event or data transmission conditions are defined. Data with the unique ID “ID-A1” is transmitted based on the communication rules.

  Next, when data with the same unauthorized ID as the unique ID “ID-A1” is transmitted to the vehicle network at the transmission timing of the data with the unique ID “ID-A1”, the vehicle control device 100A transmits an error frame to the vehicle network (step S301).

  When the number of transmissions of the error frame reaches the specified number specified based on the communication specification (step S302: YES), the information replacement unit 122 confirms the usage status of the replacement ID specified in the storage area 124. (Step S303).

  When the information substitution unit 122 confirms that “ID-Acg1” for substitution exists as an available substitution ID (step S303: YES), “ID-Acg1” is once assigned to the unique ID “ID-A1”. Replace with Then, the transmission / reception control unit 123 transmits the data to which “ID-Acg1” is assigned to the vehicular network at the transmission timing and transmission cycle specified in the data (step S304).

  Thus, when the transmission process of the data to which the substitute “ID-Acg1” is assigned is completed (step S305: YES), the abnormality detection unit 121 determines whether or not the error frame has stopped.

  When the error frame is stopped, the information substitution unit 122 releases “ID-Acg1” for substitution on condition that the error frame is stopped (step S306). That is, the information substitution unit 122 selects the original unique ID “ID-A1” defined in the data as an ID to be assigned to the data to which the substituted “ID-Acg1” is assigned.

  On the other hand, even if the ID is replaced by ID “ID-Acg1”, the generation of an error frame is suppressed by simultaneously transmitting data with the same unauthorized ID as “ID-Acg1” to the vehicle network. If not (step S305: NO), the data transmission process is temporarily stopped (step S308).

  For example, when it is confirmed that the data with the same unauthorized ID as “ID-Acg1” is not made into the vehicle network after a predetermined period of time, the vehicle control device 100A replaces the “ID-Acg1” The regular data to which "is given" is transmitted again to the vehicle network (step S309).

  Note that when an error frame continues to occur even after the predetermined period has elapsed, for example, the occurrence of an abnormality in the vehicle network is notified to the user, or the vehicle control device 100A stops operating.

  If it is determined in step S303 that there are no available replacement IDs, that is, all the replacement IDs are being used, the data transmission process is stopped (step S310). For example, when it is confirmed that the data with the same unauthorized ID as the unique ID “ID-A1” is not made into the vehicle network after a predetermined period of time, the vehicle control device 100A has the unique ID “ID The regular data to which “−A1” is assigned is transmitted again to the vehicle network (step S311).

  As shown in FIG. 15, for example, in the vehicle control devices 100B to 100D on the data receiving side, when a message ID that is data is transmitted from the vehicle control device 100A, this data or the transmission source of the data is transmitted. It is determined whether or not an error frame has occurred due to the vehicle control device 100A (steps S400 and S401).

  When an error frame has occurred (step S401: YES), the vehicle control device 100A performs ID substitution. Note that whether the ID assigned to the data transmitted from the vehicle control device 100A is a unique ID or an alternative ID, and which of the shared alternative IDs is replaced, for example, The identification is performed based on at least one of the list, the data transmission timing, and the data transmission cycle shown in FIG.

  Next, it is determined whether or not the occurrence of an error frame has been eliminated by the ID substitution (step S402). When the occurrence of the error frame is resolved, the data with the substitute ID is processed by the vehicle control devices 100B to 100D on the receiving side.

  On the other hand, when the error frame is continuously generated (step S402: YES), the reception of the data transmitted from the vehicle control device 100A is temporarily permitted for a predetermined period, assuming that the abnormality is not eliminated by the replacement of the ID. (Step S403).

  For example, when it is confirmed that the data with the same unauthorized ID as the substitute ID is not made into the vehicle network after a predetermined period, the receiving side is permitted to receive the data once permitted or rejected. (Step S404).

  When the error frame continues to occur even after the predetermined period has elapsed, the vehicle control devices 100B to 100D on the data receiving side prohibit the reception of data transmitted from the vehicle control device 100A. To do.

  As described above, according to the abnormality handling system for a vehicle communication device and the abnormality handling method for a vehicle communication device according to the present embodiment, the effects (1) to (7) can be obtained, and further below. The effect will be obtained.

(8) The replacement ID is shared as a replacement for a plurality of unique IDs. For this reason, the minimum necessary ID is effectively utilized when the replacement ID is prepared.
(9) When the ID is replaced, the information replacing unit 122 performs replacement from the unique ID to the replacement ID when there is an unused replacement ID among the shared replacement IDs. Then, the information substitution unit 122 performs a process of transmitting the data associated with the substitute ID for substitution at the transmission timing or the transmission cycle defined by the communication regulations. As a result, it becomes easy to specify the presence / absence of substitution on the side that received the data with the substituted ID, the type of data to which the substituted identification information is assigned, the transmission source, and the like.

  (10) When substituting the ID, the information substituting unit 122 transmits, when there is no substituting ID that is not used among the common substituting IDs, the vehicle control device identified as the cause of the abnormality. A process to stop sending data or data for which an abnormality was detected was executed. As a result, when it is difficult to substitute the ID, the transmission of data is stopped, so that the abnormality associated with the transmission of data is urged.

  (11) On the data receiving side associated with the substitute ID, the data type or the data transmission source is identified based on at least one of the transmission timing and transmission cycle of the data. For this reason, the data receiving side can identify the data type and the data transmission source based on the transmission timing and transmission cycle of the received data. Thereby, even if the substitution from the unique ID to the substitution ID is executed, data transmission / reception after substitution is performed smoothly.

(Third embodiment)
Next, the third embodiment of the vehicle communication apparatus abnormality handling system and the vehicle communication apparatus abnormality handling method according to the present invention will be described with reference to FIG. 16, focusing on the differences from the first embodiment. The description will be given with reference. Note that the vehicle communication apparatus abnormality handling system and the vehicle communication apparatus abnormality handling method according to the present embodiment are also basically the same in configuration as in the first embodiment. Elements that are substantially the same as those in the embodiment are denoted by the same reference numerals, and redundant descriptions are omitted.

  As shown in FIG. 16, in the present embodiment, the number of replacement IDs to be assigned differs according to the priority of the unique ID and the transmission cycle. Note that the higher the priority of the unique ID, the higher the importance, and the shorter the transmission cycle, the higher the possibility of collision with illegal data. For this reason, in this embodiment, the number of replacement IDs corresponding to the unique ID to which data having a high priority and a short transmission cycle is assigned is set to be the largest.

  In this example, for example, the priority of the unique “ID1” and “ID2” is “high”, and the transmission cycle of the data to which “ID1” and “ID2” are assigned is equal to or less than a specified cycle. Short period. Therefore, for example, five alternative IDs are prepared for the unique “ID1” and “ID2”, respectively.

  On the other hand, even if the priority is “high”, the unique “ID3” and “ID4” given to the data having a long cycle because the transmission cycle is equal to or higher than the predetermined cycle have relatively high cycles. Two substitution IDs are prepared for each of the cases because they are long and are unlikely to collide with illegal data.

Note that, even in the long cycle, the unique “ID5” and “ID6” with low priority are provided with three alternative IDs, assuming that they are less important.
In the present embodiment, for example, when an error frame is generated in a unique “ID1” in which a plurality of replacement IDs are prepared, one of the five replacement IDs is selected from the five replacement IDs by the random method or the round robin method. An ID is selected. When an error frame still occurs with the selected replacement ID, one replacement ID is selected from the remaining four replacement IDs by the random method or the round robin method. When the selection is made by the round robin method, the replacement ID is selected in such a manner that the priorities are sequentially increased.

In this way, the replacement ID is changed at any time until the collision of data to which the same ID is assigned is resolved.
As described above, according to the abnormality handling system for a vehicle communication device and the abnormality handling method for a vehicle communication device according to the present embodiment, the effects (1) to (7) can be obtained, and further below. The effect will be obtained.

  (12) The number of replacement IDs corresponding to the unique ID to which data having a high priority and a short transmission cycle is assigned is set to be the largest. For this reason, diversification of substitution IDs given to data that is highly important and is likely to cause data collisions is achieved. Therefore, the use of various replacement IDs makes it difficult for the replacement IDs to be imitated.

  (13) The higher the priority, the more alternative IDs are prepared. For this reason, it is easy to avoid collision with illegal data by using a plurality of substitute IDs for data that is highly required to be transmitted at a predetermined cycle because of its high priority.

(Other embodiments)
In addition, each said embodiment can also be implemented with the following forms.
In each of the above embodiments, identification of the unique ID and the substitute ID on the receiving side is performed based on the list shown in FIG. Not limited to this, it is identified that the unique ID has been replaced with the replacement ID based on whether at least one of the data transmission timing and the data transmission cycle approximates the data to which the unique ID has been assigned. May be.

  In each of the above embodiments, the abnormality detection unit 121 and the information substitution unit 122 are arranged in the information processing unit 120. In addition, the abnormality detection unit 121 and the information substitution unit 122 may be disposed in other parts of the vehicle control devices 100A to 100D. Thereby, the freedom degree concerning design of the abnormality response system of the communication apparatus for vehicles and the abnormality response method of the communication apparatus for vehicles is raised.

  In the first and third embodiments, each of the vehicle control devices 100A to 100D includes the abnormality detection unit 121 and the information substitution unit 122. However, the present invention is not limited to this, and a dedicated control device or gateway corresponding to a vehicle network abnormality may include the abnormality detection unit 121 and the information substitution unit 122. According to this, as shown in FIG. 17, the dedicated control device or gateway holds information related to the unique ID and replacement ID assigned to the transmission data of each of the vehicle control devices 100 </ b> A to 100 </ b> D. When the vehicle control device and data serving as the error frame transmission source are specified, an ID substitution instruction is issued to the vehicle control device. Similarly, in the second embodiment, a dedicated control device or gateway corresponding to a vehicle network abnormality may include the abnormality detection unit 121 and the information substitution unit 122. In this configuration, as shown in FIG. 18, a dedicated control device and a gateway hold information related to the unique ID assigned to the transmission data of each of the vehicle control devices 100 </ b> A to 100 </ b> D and the sharing replacement ID.

  In the first and third embodiments, the unique ID and the replacement ID are alternately used in the ID order. Not limited to this, as illustrated in FIG. 19, when unique “ID1” to “ID4” and “ID5” to “ID8” are consecutive in the prescribed order of IDs, for example, other free IDs are used for substitution It may be used as an ID.

  In the first embodiment, as illustrated in FIG. 4, one replacement ID is set for each unique ID. Not limited to this, as shown in FIG. 20, a plurality of alternative IDs may be set for each unique ID. According to this, a plurality of replacement IDs are sequentially selected by, for example, a round robin method according to priority. Further, for example, a plurality of replacement IDs are sequentially selected by a random method.

  In each of the above embodiments, the abnormality detection unit 121 identifies the vehicle control devices 100A to 100D or data that has caused the abnormality. When the vehicle control devices 100A to 100D transmit one type of data, the unique ID assigned to each of the vehicle control devices 100A to 100D is one. For this reason, the abnormality detection unit 121 may identify the vehicle control device that transmits the data in which the collision has occurred as the cause of the abnormality. According to this, the information replacement unit 122 replaces a single unique ID assigned to the vehicle control device specified as the cause of the abnormality with a replacement ID.

  In each of the above embodiments, the type of data and the transmission source after substitution are specified based on the data transmission timing and transmission cycle. Not limited to this, when the information substitution unit 122 substitutes ID, information regarding the substituted unique ID and substitution ID may be sent to the data transmission destination. According to this, on the data receiving side, it is possible to specify the presence / absence of substitution, the type of data, the transmission source, and the like based on the information transmitted from the information substitution unit 122.

  In each of the above embodiments, when ID substitution is performed, at least one of the transmission timing, transmission cycle, and transmission interval of data to which the substitution ID is assigned is changed within a predetermined range. Not limited to this, when ID substitution is performed, data to which a substitution ID is assigned may be transmitted at the same transmission timing, the same transmission cycle, and the same transmission interval as before substitution.

  In each of the above embodiments, data transmitted from an unauthorized external device is targeted as unauthorized data. In addition, the illegal data may be data illegally transmitted to the communication bus 20 by unauthorized access from an external vehicle network. Further, it may be data that is illegally transmitted to the communication bus 20 from a controller that is illegally attached to the communication bus 20.

  In each of the above embodiments, the abnormality detection unit 121 detects the occurrence of an abnormality based on the number of error frames. In addition, the abnormality detection unit 121 generates an abnormality based on whether or not the difference between the transmission interval of data transmitted to the vehicle network and the transmission interval specified in the data is less than a predetermined interval. You may detect that. According to this, the information substitution unit 122 substitutes the unique ID associated with the data whose difference from the specified transmission interval is less than the predetermined difference. In addition, the abnormality detection unit 121 may detect that an abnormality has occurred based on whether or not the amount of data per unit time transmitted to the vehicle network is equal to or greater than a predetermined amount of data. According to this, the abnormality detection unit 121 detects the occurrence of an abnormality when, for example, the load on the communication bus 20 becomes about 70% or more, for example. Then, the information substitution unit 122 substitutes a unique ID associated with data whose data amount per unit time is equal to or greater than a predetermined data amount.

  In each of the above embodiments, CAN is employed as the vehicle network. The vehicle network is not limited to this, and any vehicle network may be used as long as the data communication format is defined in operating the communication protocol. For example, FlexRay, IDB-1394, BEAN, CAN, LIN, AVC-LAN, It may be MOST (registered trademark) or the like.

  -In above-mentioned embodiment, it illustrated about the case where the vehicle 10 is a motor vehicle. However, the present invention is not limited to this, and the present invention may be applied to a mobile body other than an automobile, such as a railway, an industrial machine, or a robot. Thereby, the application range of the abnormality response system of the vehicle communication device and the abnormality response method of the vehicle communication device can be expanded.

  DESCRIPTION OF SYMBOLS 10 ... Vehicle, 20 ... Communication bus, 100A-100D ... Vehicle control device, 110 ... Driver, 120 ... Information processing unit, 121 ... Abnormality detection unit, 122 ... Information substitution unit, 123 ... Transmission / reception control unit, 124 ... Save Area, 200 ... DLC.

Claims (15)

An abnormality handling system for a vehicle communication device for dealing with an abnormality in a vehicle communication device in which data is communicated between a plurality of vehicle control devices via a vehicle network,
An abnormality detection unit that detects an abnormality of the vehicle communication device and identifies the vehicle control device or data that has caused the abnormality; and
Of the unique identification information assigned to each of the plurality of vehicle control devices and associated with the data transmitted by each vehicle control device, it is assigned to the vehicle control device specified as the cause of the abnormality. An abnormality response system for a vehicle communication device, comprising: an information replacement unit that replaces identification information associated with identification information or data identified as a cause of occurrence of the abnormality with replacement identification information . In the unique identification information, a priority according to the type of data associated with the identification information is defined,
The information substitution unit may provide identification information for substitution with respect to at least one of identification information associated with data having a relatively high priority of the identification information or data having a relatively short transmission cycle. The abnormality handling system for a vehicle communication device according to claim 1, wherein the system retains more than identification information for substitution with respect to identification information associated with data. 3. The vehicle communication device abnormality handling system according to claim 1, wherein the information substitution unit holds substitution identification information shared by the plurality of vehicle control devices as the substitution identification information. The information substitution unit, when substituting identification information,
a; identification information assigned to the vehicle control device identified as the cause of the abnormality or occurrence of the abnormality when there is identification information that is not used in the shared identification information for replacement The identification information associated with the data specified as the factor is replaced with the shared identification information that is not used, and the data associated with the replaced identification information is transmitted in the vehicle communication device. A process for transmitting at a timing or a transmission cycle; and b; when there is no unused identification information in the shared replacement identification information, the vehicle control device specified as the cause of the abnormality transmits The abnormality response system of the vehicle communication device according to claim 3, wherein processing for stopping transmission of data to be performed or data in which abnormality is detected is executed. The vehicle control device that has received data associated with the replaced identification information identifies a data type or a data transmission source based on at least one of the transmission timing and transmission cycle of the data. Or an abnormality handling system for a vehicle communication device according to 4; 3. The vehicle communication according to claim 1, wherein the information substitution unit holds unique identification information or a plurality of substitution identification information for each of the plurality of vehicle control devices, as the substitution identification information. Equipment error handling system. The information substitution unit, when substituting identification information,
c: When there are a plurality of substitute identification information that can be substituted, the identification information is assigned to the vehicle control device identified as the cause of the abnormality or is associated with the data identified as the cause of the abnormality. Is replaced with one alternative identification information selected from the plurality of alternative identification information by a random method or a round robin method, and data associated with the replacement identification information is used for the vehicle A process of transmitting at a transmission timing or a transmission cycle defined in the communication device, and d; when the substitute identification information is one, assigned to the vehicle control device specified as the cause of the abnormality Identification information associated with the data identified as the cause of occurrence of the abnormality or the identification information for the one alternative. The vehicle communication device abnormality handling according to claim 6, wherein the vehicle communication device performs processing that substitutes information and transmits data associated with the replaced identification information at a transmission timing or a transmission cycle defined in the vehicle communication device. system. The plurality of vehicle control devices have correspondence information indicating a correspondence relationship between the identification information for replacement possessed by the information substitution unit and the identification information assigned to each vehicle control device,
The vehicle control device that has received the data associated with the replaced identification information identifies a data type or a data transmission source based on at least one of the correspondence information and the transmission timing and transmission cycle of the data. An abnormality handling system for a vehicle communication device according to claim 6 or 7. When the identification information is substituted, the vehicle control device shifts the data associated with the substituted identification information by shifting a transmission timing or a transmission cycle defined in the data by a predetermined time. It transmits to a network. The abnormality response system of the communication apparatus for vehicles as described in any one of Claims 1-8. The information replacement unit, after the replacement by the replacement identification information, when an abnormality in the replaced data is further detected,
2. One of a process for sequentially substituting a plurality of identification information for substitution held by the information substitution unit, and a process for stopping transmission of data in which the abnormality is detected is executed. The abnormality handling system for the vehicle communication device according to any one of? As a communication rule of the vehicle communication device, when different data associated with the same identification information is simultaneously transmitted, a rule that an error frame indicating a network error is transmitted to the vehicle network is defined.
The abnormality detection unit detects that an abnormality has occurred in the vehicle communication device based on whether or not the error frame has been detected a predetermined number of times,
The said information substitution part substitutes the specific identification information currently allocated to the control apparatus for vehicles which transmits the different data to which the said same identification information was provided. Abnormal response system for vehicle communication device. The abnormality detection unit determines whether or not the difference between the transmission interval of data transmitted to the vehicle network and the transmission interval defined in the data is less than a predetermined interval. Detect that an abnormality has occurred,
The vehicle according to any one of claims 1 to 11, wherein the information substitution unit substitutes unique identification information associated with data whose difference from the prescribed transmission interval is less than a predetermined interval. Abnormal response system for communication devices. The abnormality detection unit detects that an abnormality has occurred in the vehicle communication device based on whether the amount of data per unit time transmitted to the vehicle network is equal to or greater than a predetermined data amount,
The vehicle according to any one of claims 1 to 12, wherein the information substitution unit substitutes unique identification information associated with data whose data amount per unit time is equal to or greater than a predetermined data amount. Abnormal response system for communication devices. The vehicle network is composed of a controller area network, and priority is defined for the unique identification information and the replacement identification information,
The vehicle communication device according to any one of claims 1 to 13, wherein the information replacement unit selects replacement identification information having a higher priority than specific identification information to be replaced when replacing the identification information. Anomaly response system. An abnormality handling method for a vehicle communication device for dealing with an abnormality in a vehicle communication device in which data is communicated between a plurality of vehicle control devices via a vehicle network,
A computer that manages the response of the abnormality of the vehicle communication device,
Detecting an abnormality of the vehicle communication device and identifying a vehicle control device or data that has caused the abnormality; and
Among the prescribed identification information assigned to each of the plurality of vehicle control devices and associated with the data, the identification information assigned to the specified vehicle control device or the identification information associated with the specified data And a step of substituting for the identification information for substitution. An abnormality handling method for a vehicle communication device, characterized by:

Images