JP2018198363A - Communication system, and communication control method - Google Patents

Abstract

To more easily detect that transmission to a network is stopped.SOLUTION: A communication system comprises: a prohibition unit prohibiting a communication unit that transmits a signal to a network from transmitting the signal; and a control unit for determining whether prohibition of transmission is normally performed on the basis of a signal received from the network.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a communication system and a communication control method.

  2. Description of the Related Art In recent years, there is a communication system for controlling various functions in a vehicle by allowing a plurality of control devices provided in the vehicle to communicate using a network in the vehicle. If a specific device sharing the network is in an abnormal state in which an unnecessary signal is transmitted to the communication system, the influence may be spread to other devices. Some communication systems restrict the transmission of signals to a control device that transmits unnecessary signals to a network (see, for example, Patent Document 1). If transmission of unnecessary signals is restricted in this way, the network communication state can be changed to a desired state.

JP 2013-197982 A

  However, it is difficult to verify whether the target device whose transmission is prohibited is in an abnormal state in which a signal is transmitted regardless of the prohibition of the transmission or whether the transmission of the signal is restricted by the prohibition of the transmission. It is.

  The present invention has been made in view of such circumstances, and an object of the present invention is to provide a communication system and a communication control method that can more easily detect that transmission to the network is stopped. .

(1): a prohibition unit that prohibits transmission of a signal to a communication unit that transmits a signal to a network, and a control that determines whether the prohibition of transmission is normally performed based on a received signal from the network A communication system.

(2): In (1), the communication unit can receive a signal from the network even during a period in which transmission is prohibited by the prohibition unit, and the control unit receives the communication unit. The determination is performed based on the received signal.

(3): In (1), the communication unit that is a target for which the prohibition unit prohibits signal transmission and the control unit are included in different communication devices.

(4): In (1), the control unit prohibits the transmission when the received signal is identical to a signal generated by a transmission signal generation unit of a communication apparatus including the control unit to a predetermined degree. It is determined that it is not performed normally.

(5): In (1), the control unit is configured such that the received signal is a signal having a communication device including the control unit as a transmission source, and the signal generated by the transmission signal generation unit is identical to a predetermined degree. In this case, it is determined that the prohibition of transmission is not normally performed.

(6): In (1), the control unit is configured such that the received signal is a signal having a communication device including the control unit as a transmission source, and is identical to a signal generated by the transmission signal generation unit to a predetermined degree. If not, it is determined that there is a device impersonating the communication device.

(7): A process of allowing the communication unit that transmits a signal to the network to prohibit the transmission of the signal by the prohibition unit, and determining whether the prohibition of transmission is normally performed based on the received signal from the network Is a communication control method.

  According to (1), in the communication system, the prohibition unit that prohibits signal transmission to the communication unit that transmits a signal to the network, and the prohibition of the transmission are normally performed based on the received signal from the network. And a control unit that determines whether or not the transmission to the network is stopped more easily.

It is a figure which shows the structure of the communication system of 1st Embodiment. It is a figure which shows the hardware constitutions of ECU of this embodiment. It is a figure which shows the function structure of ECU of this embodiment. It is a figure for demonstrating the determination criterion of the transmission prohibition process of this embodiment. It is a flowchart which shows the procedure of the transmission prohibition process of this embodiment. It is a figure for demonstrating the determination criterion of the transmission prohibition process of 2nd Embodiment. It is a flowchart which shows the procedure of the transmission prohibition process of this embodiment. It is a figure which shows schematic structure of the communication system 1 of 3rd Embodiment. It is a flowchart which shows the procedure of the transmission prohibition process of this embodiment.

  Embodiments of a communication system and a communication control method of the present invention will be described below with reference to the drawings. In the following description, components having the same function are denoted by the same reference numerals.

(First embodiment)
FIG. 1 is a diagram illustrating a configuration of a communication system 1 according to the present embodiment. The communication system 1 is mounted on, for example, a vehicle 4 (moving body). The communication system 1 forms a network NW in at least the vehicle 4. In the network NW, for example, communication based on a communication method such as CAN (Controller Area Network) or IEEE 802.3 is performed via the bus 2 (communication bus).

  The communication system 1 includes ECUs 10-1 to ECU 10-3 and an interface device (IF device) 3 connected to a bus 2. Hereinafter, when the ECUs 10-1 to 10-3 are not distinguished from each other, they are simply expressed as ECU10. The descriptions such as “−1” to “−3” are the same for other configurations described below. The ECU 10 and the IF device 3 are examples of communication devices.

  In the following description, the ECU 10 is described as a control device that controls a device of the vehicle 4, but may be a relay device having a signal relay function. Although the ECU 10 is described as being connected to the common bus 2, the ECU 10 may be connected to the bus 2 and a bus other than the bus 2.

  The ECU 10 is, for example, an engine ECU that controls the engine, a seat belt ECU that controls the seat belt, or the like. The ECU 10 receives a frame transmitted to the network NW to which the own device belongs. Hereinafter, each frame transmitted to the network NW is referred to as a frame F. The frame F is identified by an identifier (hereinafter referred to as ID) attached to each frame F. The ECU 10 stores an ID for identifying the frame F related to the ECU 10 (hereinafter referred to as a reception ID) in the storage unit 12 (FIG. 2B). When the ECU 10 receives the frame F, the ECU 10 refers to an ID attached to the received frame F (hereinafter referred to as a transmission ID) and extracts the frame F attached with a transmission ID having the same value as the reception ID. Get. The ECU 10 performs an authentication process for a communication partner when communicating.

  In addition to the ECU 10, the network NW is provided with an IF device 3 to which an external device 50 is connected. For example, the IF device 3 includes a connection terminal (DLC) for communicating with the external device 50 using a wired line, or a wireless communication unit for communicating with the external device 50 using a wireless line. Yes.

  For example, the external device 50 is a measuring instrument that determines the state of the ECU 10. The external device 50 is connected to the IF device 3 as shown in FIG. The IF device 3 functions as a gateway and relays communication between the external device 50 and the ECU 10. Note that the communication system 1 can function without connecting the external device 50 to the IF device 3.

  FIG. 2 is a diagram illustrating a hardware configuration of the ECU 10 according to the present embodiment. The ECU 10 is nonvolatile in a CPU 10A, a volatile storage device 10B such as a RAM (Random Access Memory) and a register, a ROM (Read Only Memory), an EEPROM (Electrically Erasable and Programmable Read Only Memory), and an HDD (Hard Disk Drive). The computer includes a storage device 10C, a wireless communication interface 10D, an input / output device 10E, a communication interface 10F, and the like. The ECU 10 may not include either or both of the wireless communication interface 10D and the input / output device 10E depending on the type or application.

  FIG. 3 is a diagram illustrating a functional configuration of the ECU 10 of the present embodiment. The ECU 10 includes a control unit 11, a storage unit 12, a communication control unit 13 (transmission signal generation unit), and a prohibition unit 19. For example, the control unit 11 and the communication control unit 13 are realized by a processor such as the CPU 10A executing a control program (software program).

The control unit 11 controls each unit in the ECU 10. For example, the control unit 11 receives a communication request from another device such as another ECU 10, the IF device 3, or the external device 50.

  The storage unit 12 is realized by a volatile storage device 10B and a nonvolatile storage device 10C. The storage unit 12 stores a control program 125 such as an application program and a communication control program, and various types of information referred to by executing the control program. Various information includes a transmission ID 121 and a reception ID 122. The transmission ID 121 stores identification information that is given when a signal is transmitted. The reception ID 122 stores identification information for extracting a signal (reception frame) that allows reception.

  The communication control unit 13 controls communication with an external device via the communication interface 10F (communication unit). The communication interface 10 </ b> F is an interface that connects the ECU 10 to the bus 2. The transmission signal generated by the communication control unit 13 is converted by the communication interface 10F set to the valid state and output to the bus 2. Note that the communication interface 10 </ b> F set as an invalid state does not output a signal to the bus 2. The invalid state is a state in which transmission is prohibited so as not to output a signal to the bus 2, that is, a state in which functions related to transmission are restricted.

  For example, the communication interface 10 </ b> F includes a frame processing unit 15 and a driver circuit 17. The frame processing unit 15 converts the transmission signal generated by the communication control unit 13 into a transmission frame in a predetermined frame format, and transmits the transmission frame to the bus 2 via the driver circuit 17. The frame processing unit 15 extracts a reception frame in a predetermined frame format from a signal received from the bus 2 via the driver circuit 17 and supplies the reception signal to the communication control unit 13.

  The communication interface 10F receives a signal from the bus 2 even during a period in which transmission is prohibited by being controlled to the invalid state. The communication control unit 13 performs reception processing on the signal received from the bus 2 and notifies the control unit 11 of a communication request from another device.

  For example, the prohibition unit 19 prohibits signal transmission by the communication interface 10F that transmits a signal to the bus 2 when a predetermined condition is satisfied. For example, the prohibition unit 19 prohibits signal transmission from the driver circuit 17 to the bus 2.

  Here, transmission prohibition control by the control unit 11 will be described. The control unit 11 determines whether or not transmission is normally prohibited based on the received signal from the network NW.

FIG. 4 is a diagram for explaining the determination criterion of the transmission prohibition process of the present embodiment.
An example of a determination criterion in which a transmission ID and a predetermined degree of identity are determined is shown.
As a first case, when there is a certain degree of identity with the transmission ID, it is determined that the ECU 10 is likely to be in a transmission state, so that it is determined as an “abnormal state”.
As a second case, when there is no predetermined degree of identity with the transmission ID, it can be determined that a transmission transmitted by another ECU 10 has been received, so that the “normal state” is determined.
As a third case, when the transmission IDs match and there is no predetermined degree of identity, it can be determined that there is a high possibility that a device spoofing the transmission ID of the own ECU 10 is present. It is determined that there is a suspicion of “spoofing”.
As a fourth case, when the transmission IDs do not match and there is a predetermined degree of identity, there is a possibility that the signal transmitted by another ECU 10 simply includes the same information as the predetermined range. Since it can be determined to be high, it is determined as “normal state”.
The determination is performed by the control unit 11.

  FIG. 5 is a flowchart showing the procedure of the transmission prohibition process of the present embodiment. The process shown in FIG. 5 shows an example of the process according to the determination standard of FIG.

  First, the control unit 11 performs processing for setting prohibition of transmission (SA11). For example, the control unit 11 performs control so that a host process does not issue a communication request while keeping the communication interface 10F in an activated state so that a signal (transmission signal) for the communication interface 10F is not output. Although the output of the transmission signal is expected to stop due to the above control, the output of the transmission signal may not stop due to some factor. The following process detects that such a situation has occurred.

  Next, the control unit 11 detects a reception signal based on the signal received from the bus 2 and a transmission signal output from the communication control unit 13 (SA12). For example, the control unit 11 detects a reception signal included in the reception frame extracted by the frame processing unit 15 and a transmission signal generated by the communication control unit 13.

  Next, the control unit 11 determines whether or not the received signal is transmitted from the ECU 10 (for example, ECU 10-1) including the target control unit 11 (SA13). For example, whether or not the received signal is sent from the ECU 10 including the control unit 11 is determined by whether or not the transmission ID included in the received signal matches that stored in the transmission ID 121. May be used as a criterion for determination.

  When the transmission ID included in the reception signal does not match that stored in the transmission ID 121 and the reception signal is not identified as having the ECU 10-1 as the transmission source, the control unit 11 It is determined that it is in the “state” (SA14), and the above series of processing ends.

  When the transmission ID included in the received signal matches that stored in the transmission ID 121 and the received signal is identified as having the ECU 10-1 as the transmission source, the control unit 11 determines that the ECU 10-1 It is determined whether or not the signal generated by the communication control unit 13 is identical to a predetermined level (SA15).

  When the received signal is the same as the signal generated by the communication control unit 13 to a predetermined degree, the control unit 11 determines that the transmission is not normally prohibited and is in an “abnormal state” (SA16). For example, predetermined abnormality determination processing is performed such that power supplied to the communication interface 10F is cut off and transmission of signals from the communication interface 10F to the bus 2 is stopped (SA17). Thereafter, the above series of processing is completed.

  The control unit 11 determines that there is a device impersonating the ECU 10-1 (“spoofing”) when the received signal is not identical to a signal generated by the communication control unit 13 to a predetermined degree (SA18). That is, the above case corresponds to a case where the signal is transmitted from the ECU 10-1 and is not identical to a signal generated by the communication control unit 13 to a predetermined extent. The control unit 11 finishes the series of processes described above.

  In addition, the following example is mentioned that it is the same in a predetermined degree. The identity may be determined to a predetermined degree by combining any one or more of the following examples.

As a first example, there is a case where it is determined whether a predetermined number of logics of a transmission signal and a reception signal within a predetermined period coincide with each other.
As a second example, there is a case where it is determined whether or not the ratio at which the logics of the transmission signal and the reception signal match within a predetermined period is equal to or greater than a predetermined value.
As a third example, there is a case where it is determined whether or not the ratio at which the logics of the transmission signal and the reception signal do not match within a predetermined period is equal to or less than a predetermined value.
As a fourth example, it may be determined whether the characteristics of the frame structure of the transmission signal and the reception signal match. For example, the above features are a predetermined frame format, a frame length, and the like.
As a fifth example, there is a case where information of a predetermined position in a frame of a transmission signal and a reception signal matches. For example, the information is auxiliary information for detecting a communication error, an encryption key, specific identification information, and the like.

  According to the above-described embodiment, the communication system 1 uses the prohibition unit 19 that prohibits transmission of signals to the communication interface 10F that transmits signals to the network (bus 2), and the reception signal from the network (bus 2). On the basis of this, it is possible to more easily detect that transmission to the network is stopped by including the control unit 11 that determines whether or not the prohibition of transmission is normally performed.

  Note that the communication interface 10F is capable of receiving a signal from the network (bus 2) because the function is activated even during a period in which transmission is prohibited by the prohibition unit 19. The control unit 11 can make a determination based on a reception signal received by the communication interface 10F, and thereby can more easily detect that transmission to the network is stopped.

  The control unit 11 determines that the prohibition of transmission is not normally performed when the received signal is the same as the signal generated by the communication control unit 13 of the ECU 10 including the control unit 11 to a predetermined degree. Thus, it is possible to more easily detect that transmission to the network is stopped.

  The control unit 11 normally prohibits transmission when the received signal is a signal having the ECU 10 including the control unit 11 as a transmission source and is identical to a signal generated by the communication control unit 13 to a predetermined extent. It may be determined that it has not been performed.

  The control unit 11 is a device that impersonates the ECU 10 when the received signal is a signal originating from the ECU 10 including the control unit 11 and not identical to a signal generated by the communication control unit 13 to a predetermined extent. May be determined to exist.

(Modification of the first embodiment)
A modification of the first embodiment will be described. The determination criterion of the first embodiment is to determine a predetermined degree of identity with the transmission ID. Instead, the determination criterion of this modification is for determining the identity of the transmission ID, and this point is different from the determination criterion of the first embodiment. This will be described below.

  For example, by omitting the processing of SA15 and SA17 in FIG. 5, the control unit 11 correctly prohibits transmission when the received signal is the same level as the signal generated by the communication control unit 13. It may be determined that there is an “abnormal state” that has not been performed (SA16), and the above-described series of processing may be terminated.

  In this case, although it is not possible to obtain an identification result as to whether the ECU 10 itself is in an abnormal state or whether impersonation exists, it is possible to detect that an “abnormal state” has occurred in the communication system 1.

  According to this modification, although there is the above difference, the same effect as the first embodiment can be obtained.

(Second Embodiment)
A second embodiment will be described. The criterion of the first embodiment is to determine a certain degree of identity with the transmission ID. Instead, the determination criterion of this embodiment is to determine a predetermined degree of identity, and is different from the determination criterion of the first embodiment. This will be described below.

FIG. 6 is a diagram for explaining the determination criterion of the transmission prohibition process of the present embodiment.
FIG. 6 shows an example of a criterion for determining a predetermined degree of identity.
As a first case, when there is a predetermined degree of identity, it is determined that the own ECU 10 is highly likely to be in a transmission state, and therefore, it is determined as an “abnormal state”.
As a second case, when there is no predetermined degree of identity, it can be determined that a transmission transmitted by another ECU 10 has been received, so that the “normal state” is determined.

  FIG. 7 is a flowchart showing the procedure of the transmission prohibition process of the present embodiment. The process shown in FIG. 7 shows an example of the process according to the determination standard of FIG.

  First, the control unit 11 performs processing for setting prohibition of transmission (SB11).

  Next, the control unit 11 detects the signal received from the bus 2 and the signal output from the communication control unit 13 (SB12).

  Next, the control unit 11 determines whether or not the received signal is identical to a signal generated by the communication control unit 13 of the ECU 10 (for example, the ECU 10-1) including the control unit 11 to a predetermined degree. (SB13).

  When the received signal is not identical to a signal generated by the communication control unit 13 of the ECU 10-1 to a predetermined degree, the control unit 11 is expected to be transmitted by an ECU 10 different from the target ECU 10-1. It is. The control unit 11 determines that the target ECU 10-1 is in a transmission prohibited state and is in a “normal state” (SB14), and ends the above series of processes.

  When the received signal is identical to the signal generated by the communication control unit 13 of the ECU 10-1 to a predetermined degree, the control unit 11 is expected to be transmitted by the target ECU 10-1. The control unit 11 determines that the target ECU 10-1 is in an “abnormal state” in which transmission is not normally prohibited (SB16), and cuts off the power supplied to the communication interface 10F, for example. Then, a predetermined abnormality determination process is performed to perform a predetermined abnormality determination process such as stopping transmission of a signal to the bus 2 (SB17). Thereafter, the above series of processing is completed.

According to the above embodiment, it is possible to more easily detect that transmission to the network is stopped by the configuration in which a predetermined degree of identity is determined in addition to the same effects as the first embodiment. it can.
(Example of abnormality determination processing)
The “abnormality determination process” in SA17 and SB17 shown in the above-described embodiment can be implemented by combining one or more of the following, for example.
(A) The power supplied to the communication interface 10F is cut off. As a result, the communication interface 10F is deactivated, and transmission of signals to the bus 2 is stopped.
(A) When receiving a signal having the ECU 10-1 as a transmission source, a signal requesting discarding the signal is transmitted to another communication device.
The signal may be transmitted via the bus 2 by controlling the control unit, or may be transmitted via a signal line different from the bus 2 that connects the communication devices.

(Third embodiment)
A third embodiment will be described. In both cases of the first embodiment and the second embodiment, the determination process is performed in one ECU 10. Instead, in the present embodiment, the communication unit that is the target for which the prohibition unit prohibits signal transmission and the control unit (determination unit) that determines the transmission state of the ECU 10 are included in different ECUs 10. The plurality of ECUs 10 function in cooperation, and this point is different from the case of the above-described embodiment. This will be described below.

  FIG. 8 is a diagram showing a schematic configuration of the communication system 1 of the present embodiment. The communication system 1 shown in FIG. 8 includes three ECUs 10 that are in a relationship between a monitoring device and a monitored device. For example, the ECU 10-1 is a monitoring device, and the ECU 10-2 and the ECU 10-3 are monitored devices.

  The ECU 10-1 includes a control unit 11-1, a storage unit 12-1, and a communication control unit 13-1. ECU 10-2 includes a control unit 11-2, a storage unit 12-2, a communication control unit 13-2 (transmission signal generation unit), and a prohibition unit 19-2. The ECU 10-3 includes a control unit 11-3, a storage unit 12-3, a communication control unit 13-3 (transmission signal generation unit), and a prohibition unit 19-3.

  That is, the prohibition unit 19-2 is provided in the ECU 10-2 as the monitored device, and the prohibition unit 19-3 is provided in the ECU 10-3 as the monitored device. The control part 11-1 is provided in ECU10-1 as a monitoring apparatus. As described above, the vertical control unit according to the embodiment is configured separately from the prohibited unit to be controlled.

  Functions related to the prohibition unit 19-2 of the ECU 10-2 are controlled by the control unit 11-1 of the ECU 10-1. This point is different from the prohibition unit 19 shown in the first embodiment and the second embodiment. The description will focus on the differences from the above-described embodiment.

  Each ECU 10 is connected via a bus 2 and further connected by a control line different from that of the bus 2. The ECU 10-2 of the embodiment transmits a control signal at a predetermined cycle to at least the ECU 10-3 at normal times.

  FIG. 9 is a flowchart showing the procedure of the transmission prohibition process of the present embodiment.

  First, the ECU 10-2 transmits a desired control signal to the ECU 10-3 at a predetermined cycle (SC211 to SC213). The ECU 10-3 receives the control signal from the ECU 10-2, and performs predetermined processing according to the control signal (SC311 to SC313).

  Next, the control part 11-1 of ECU10-1 implements the process for instruct | indicating prohibition of transmission of ECU10-2 using the communication via the bus | bath 2 (SC111). Thereafter, the control unit 11-1 continuously receives a communication signal via the bus 2.

  The control unit 11-2 of the ECU 10-2 receives the notification regarding the prohibition of transmission from the ECU 10-1, and performs a process of setting the prohibition of transmission (SC214). For example, the control unit 11-2 controls the host processing so as not to issue a communication request while the communication interface 10F-2 is in an activated state, and the communication control unit 13-2 transmits a signal to the communication interface 10F-2. Control (transmission signal) is not output.

  Next, the control unit 11-1 receives a signal (reception signal) from the bus 2 (SC112). The same signal can also be received by other ECUs 10 connected to the bus 2. For example, the control unit 11-3 receives the same reception signal as described above from the bus 2 (SC314).

  Next, control unit 11-1 determines whether or not the received signal is sent from ECU 10-2 based on the transmission ID given to the received signal (SC113).

  When the transmission ID included in the received signal does not match the transmission ID of the ECU 10-2, the control unit 11-1 determines that the control unit 11-1 is in the “normal state” and ends the above series of processes.

When the transmission ID included in the received signal matches the transmission ID of ECU 10-2, control unit 11-1 performs a desired abnormality determination process (SC116).
For example, when a signal having the ECU 10-2 as a transmission source is received as a desired abnormality determination process, the control unit 11-1 transmits a signal (discard request signal) requesting discarding this signal to another ECU 10 (SC114). For example, the ECU 10-3 receives the discard request signal, invalidates the received signal that was previously received in the SC 314, and discards it without applying the predetermined control (SC 315).

  The control unit 11-1 instructs the prohibition unit 19-2 of the ECU 10-2 to stop transmission (SC115).

  Next, the prohibition unit 19-2 of the ECU 10-2 receives an instruction to stop transmission, and stops transmission of signals from the communication interface 10F to the bus 2 (SC215). Thereafter, the above series of processing is completed.

  According to the above embodiment, in addition to the same effects as those of the first embodiment, the communication interface 10F-2 and the control unit 11-1 are included in different ECUs 10, respectively. By linking the ECU 10, the monitored device can stop transmission to the network in accordance with an instruction from the monitoring device instructing prohibition of transmission. This monitored apparatus can detect that transmission to the network is stopped in its own apparatus, and can detect the stop of transmission by a simpler method.

(Example of abnormality determination processing)
About "the process at the time of abnormality determination" in ECU10-1 shown in the said Example, it can implement, for example, combining one or more from the following.

(A) The power supplied to the communication interface 10F-2 is cut off. As a result, the communication interface 10F-2 is deactivated, and transmission of signals to the bus 2 is stopped.

(A) When a signal having the transmission source of the ECU 10-2 is received, a signal requesting that the signal be discarded is transmitted to another communication device.
The signal may be transmitted via the bus 2 by controlling the control unit 11-1, or may be transmitted via a signal line different from the bus 2 that connects the communication devices. It should be noted that the processing for transmitting the signal via the signal line as the “abnormality determination time processing” means that the “transmission prohibited (transmission stopped)” processing in SC214 is performed, for example, on the communication interface 10F-2 It may be more preferable when the process is to inactivate the communication interface 10F-2 by cutting off the power to be supplied.

  Note that, according to the above embodiment, the output of the transmission signal from the ECU 10-2 is expected to stop due to the processing of SC111 and SC214, but the output of the transmission signal may not stop for some reason. However, the above processing can reduce the influence of such a situation.

  According to at least one embodiment described above, the communication system 1 includes a prohibition unit 19 that prohibits a communication unit that transmits a signal to the network (bus 2) and a network (bus 2) from the prohibition unit 19. And a control unit 11 that determines whether the prohibition of transmission is normally performed based on a received signal. Based on the received signal from the network (bus 2), it is determined whether the prohibition of transmission from the communication unit is normally performed, and the communication unit is prohibited from transmitting a signal based on the determination result. As a result, it is possible to more easily detect that transmission to the network is stopped.

  As mentioned above, although the form for implementing this invention was demonstrated using embodiment, this invention is not limited to such embodiment at all, In the range which does not deviate from the summary of this invention, various deformation | transformation and substitution Can be added.

DESCRIPTION OF SYMBOLS 1 ... Communication system, 2 ... Bus, 3 ... IF apparatus, 10, 10-1, 10-2, 10-3 ... ECU, 11 ... Control part, 12 ... Memory | storage part, 50 ... External device.

Claims (7)

A prohibition unit that prohibits transmission of a signal to a communication unit that transmits a signal to the network;
A control unit that determines whether the prohibition of transmission is normally performed based on a received signal from the network;
A communication system comprising: The communication unit can receive a signal from the network even during a period in which transmission is prohibited by the prohibition unit,
The control unit performs the determination based on the reception signal received by the communication unit.
The communication system according to claim 1. The communication unit, which is a target for which the prohibition unit prohibits signal transmission, and the control unit are included in different communication devices, respectively.
The communication system according to claim 1. The control unit determines that the prohibition of transmission is not normally performed when the received signal is identical to a signal generated by a transmission signal generation unit of a communication apparatus including the control unit to a predetermined degree. ,
The communication system according to any one of claims 1 to 3, characterized in that: The control unit prohibits the transmission when the received signal is a signal originating from a communication device including the control unit and is identical to a signal generated by the transmission signal generation unit to a predetermined extent. Determine that it is not done normally,
The communication system according to claim 4. When the received signal is a signal originating from a communication device including the control unit and is not identical to a signal generated by the transmission signal generation unit to a predetermined extent, the control unit The communication system according to claim 4, wherein it is determined that a spoofed device exists. Forbid the transmission of the signal to the communication unit that transmits the signal to the network,
A communication control method including a step of determining whether the prohibition of transmission is normally performed based on a received signal from the network.

Images