JP2019146145A - Communication device, communication method, and program - Google Patents

Abstract

To provide a communication device capable of effectively reducing a load of communication with an external device and storage capacity of the device.SOLUTION: A communication device 101 includes: a determination unit 309 that determines an operation state of a system on the basis of communication data flowing through a network connected with a plurality of ECUs 104 in the system; a control unit 310 for sampling the communication data according to a sampling method corresponding to the determined operation state; and a transmission/reception unit 301 for transmitting the sampled communication data to a device outside the system.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a communication device, a communication method, and a program for performing communication with an external device.

  Conventionally, a remote diagnostic system has been developed that transmits information obtained from an electronic control unit (ECU) connected to an in-vehicle network to an external server via a communication module in the vehicle, and analyzes the failure of the vehicle using the server. Has been. In recent years, in response to attacks (hacking) on in-vehicle networks of automobiles, information obtained from the ECU is transmitted to an external server, collected, and analyzed to detect attacks such as transmission of unauthorized messages by attackers. The importance of accumulating vehicle information in a vehicle and transmitting it to an external server is increasing. However, for such analysis and the like, a considerably large communication band is required to transmit information related to all messages flowing on the bus of the in-vehicle network from the vehicle to the server device or the like.

  Patent Document 1 discloses communication that changes the amount of data to be transmitted according to the data output pattern transmitted from the server device so that the total amount of data to be transmitted from some of the plurality of electronic control units does not exceed a predetermined value. A method is described. This makes it possible to reduce the communication load between the vehicle and the server device and the storage capacity of the server device.

JP 2007-173934 A

  However, in the communication method described in Patent Document 1, since the data output pattern is transmitted from the server without depending on the state of the vehicle, for example, the vehicle state is stopped while the vehicle is stopped. There is a possibility that a large amount of vehicle data with little change in value depending on the state of the vehicle, such as increasing the amount of vehicle data representing the vehicle speed that is almost zero, may be transmitted to a device outside the vehicle such as a server device. is there. For this reason, there is a problem that it is difficult to effectively reduce the load of communication with a device outside the vehicle and the storage capacity of the device.

  An object of the present invention is to provide a communication device and the like that can effectively reduce the communication load with an external device and the storage capacity of the device.

  In order to achieve the above object, a communication device according to an aspect of the present invention includes a determination unit that determines an operating state of the system based on communication data flowing in a network to which a plurality of electronic control units in the system are connected. A control unit that samples the communication data according to a sampling method corresponding to the determined operating state, and a transmission unit that transmits the sampled communication data to an apparatus outside the system.

  In order to achieve the above object, an information processing method according to one aspect of the present invention determines an operating state of the system based on communication data flowing in a network to which a plurality of electronic control units in the system is connected, The communication data is sampled according to a sampling method corresponding to the determined operating state, and the sampled communication data is transmitted to an apparatus outside the system.

  In order to achieve the above object, a program according to an aspect of the present invention includes a process for determining an operating state of the system based on communication data flowing in a network to which a plurality of electronic control units in the system are connected. In order to cause a computer to execute a process of sampling the communication data and a process of transmitting the sampled communication data to a device outside the system according to a sampling method corresponding to the determined operating state It is a program.

  According to the present invention, it is possible to effectively reduce the communication load with an external apparatus and the storage capacity of the apparatus.

FIG. 1 is a configuration diagram of a communication system according to the embodiment. FIG. 2 is a diagram showing a format of a data frame defined by the CAN protocol. FIG. 3 is a configuration diagram of the communication device according to the embodiment. FIG. 4 is a diagram illustrating an example of a transfer list in the embodiment. FIG. 5A is a diagram illustrating an example of a travel state pattern corresponding to a normal travel state in the embodiment. FIG. 5B is a diagram illustrating another example of the traveling state pattern corresponding to the traveling state at the normal time in the embodiment. FIG. 6 is a diagram illustrating an example of a traveling state pattern corresponding to the traveling state at the time of abnormality in the embodiment. FIG. 7 is a diagram illustrating another example of the group in the embodiment. FIG. 8 is a diagram illustrating another example of the traveling state pattern corresponding to the traveling state at the normal time in the embodiment. FIG. 9 is a flowchart illustrating an example of a sampling method determination method according to the embodiment. FIG. 10 is a flowchart illustrating another example of the sampling method determination method according to the embodiment. FIG. 11 is a flowchart illustrating an example of the operation of the communication device according to the embodiment. FIG. 12 is a configuration diagram of a communication system according to another embodiment.

(Embodiment)
Hereinafter, a communication system according to an embodiment of the present invention will be described with reference to the drawings.

[1.1 Configuration of Communication System 10]
FIG. 1 is a configuration diagram of a communication system 10 according to the embodiment. FIG. 1 also shows the server device 11 connected to the communication system 10.

  The communication system 10 is an in-vehicle network mounted on a vehicle, for example. Hereinafter, the in-vehicle network may be referred to as a network. The communication system 10 is an example of an in-vehicle network that communicates according to a CAN (Controller Area Network) protocol, for example, and is a network in a vehicle in which various devices such as a control device, a sensor, an actuator, and a user interface device are mounted. As illustrated in FIG. 1, the communication system 10 includes a communication device 101, an external communication ECU 102, a monitoring ECU 103, a plurality of ECUs 104, and a CAN bus 105. Here, the ECU means an electronic control unit. The communication device 101 is also a kind of ECU.

  The plurality of ECUs 104 are, for example, a steering control ECU, a steering ECU, an engine ECU, a brake ECU, a door opening / closing sensor ECU, a window opening / closing sensor ECU, and the like, but are not particularly limited.

  The communication device 101 and each ECU are devices including, for example, a processor (microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like. The memory is ROM, RAM, or the like, and can store a control program (computer program as software) executed by the processor. For example, when the processor operates according to a control program (computer program), the communication device 101 and each ECU realize various functions. The communication device 101 and each ECU can exchange communication data via the CAN bus 105 in the vehicle according to the CAN protocol.

  The communication apparatus 101 and each ECU transmit / receive communication data to / from the CAN bus 105 according to the CAN protocol. For example, the communication device 101 and each ECU receive communication data transmitted from other ECUs from the CAN bus 105, generate communication data including contents to be transmitted to other ECUs, and transmit the communication data to the CAN bus 105. Specifically, the communication device 101 and each ECU perform processing according to the content of the received communication data, and data indicating the state of devices, sensors, etc. connected to the communication device 101 and each ECU, or other data Communication data including data such as an instruction value (control value) to the ECU is generated and transmitted. The generated communication data includes the CANID, and the communication device 101 and each ECU can receive only the communication data including the CANID that is predetermined for itself. Communication data can be transmitted.

  In the communication system 10, a communication device 101, an external communication ECU 102, a monitoring ECU 103, and a plurality of ECUs 104 configuring an in-vehicle network are connected by a CAN bus 105. In the example of FIG. 1, a plurality of CAN buses 105 a, 105 b, and 105 c are connected to each other via the communication device 101. The in-vehicle network need not be limited to CAN, and may be a communication network based on Ethernet (registered trademark) or FlexRay (registered trademark), for example.

  In the in-vehicle network, various components such as the communication device 101, the external communication ECU 102, the monitoring ECU 103, and the plurality of ECUs 104 realize various functions by transmitting and receiving communication data (for example, CAN commands). For example, the parking assistance function, lane maintenance assistance function or collision avoidance assistance function, which is a function of the Advanced Driver Assistance System (ADAS), is an electronic control of actuators such as steering, accelerator or brake, The control is performed by communication data flowing through the in-vehicle network.

  The communication device 101 is connected to a CAN bus 105 to which an external communication ECU 102, a monitoring ECU 103, and a plurality of ECUs 104 are connected. The communication device 101 receives communication data from the CAN bus 105, and receives the received communication data from the CAN bus 105 specified by CANID. Forward to. The communication device 101 may also be called a gateway. The communication device 101 has a function of sampling communication data. Sampling means extracting communication data at a certain rate. The method of extracting communication data is not particularly limited. For example, when sampling communication data flowing through a certain CAN bus 105, data about a plurality of CANIDs flows in the CAN bus 105 in a random order as communication data, and each CANID is extracted at the same rate. The This is to prevent the sampled communication data from extracting only the data for a specific CANID. The amount of communication data to be extracted is determined by the sampling rate. For example, when the sampling rate is 100%, 100% (all) of the communication data is extracted (that is, the communication data is not reduced (not thinned out)). For example, when the sampling rate is 50%, communication data is extracted by 50% (half) (that is, the communication data is reduced by half (subtracted for half a minute)).

  The external communication ECU 102 has an external communication function for communicating with, for example, the server device 11 as a device external to the system (vehicle) via a wide area network such as the Internet. The external communication ECU 102 transmits communication data recorded by the communication device 101 to the server device 11 having an analysis function.

  Server device 11 communicates with external communication ECU 102 in communication system 10 in various vehicles. The server device 11 is, for example, a computer that receives, collects, and analyzes information related to messages transmitted / received in each in-vehicle network of a plurality of vehicles of the same type from each vehicle.

  The monitoring ECU 103 is an ECU that monitors whether the state of the in-vehicle network is normal. The monitoring ECU 103 receives communication data from the plurality of CAN buses 105, determines whether the received communication data is normal, and notifies the communication device 101 of the determination result. The communication apparatus 101 receives the determination result, extracts communication data of the CAN bus 105 determined to be not normal at a sampling rate of 100%, and transmits all the communication data to the server apparatus 11. For example, the monitoring ECU 103 holds a determination rule for determining an abnormality, and can determine whether or not there is an abnormality by comparing the communication data with the determination rule. Note that the communication device 101 may have a function of the monitoring ECU 103.

  The plurality of ECUs 104 exchange messages via the CAN bus 105 according to the CAN protocol. For example, a message including data based on information acquired by the sensor is periodically transmitted from the ECU 104 connected to the sensor to the CAN bus 105. The cycle in which the message is transmitted is, for example, several hundred milliseconds. The plurality of ECUs 104 includes an ECU 104 that determines and controls the control contents of the actuators in the vehicle. For example, the traveling state of the vehicle can be estimated from communication data exchanged by the ECU 104.

  For example, the ECUs 104 for achieving the same object among the plurality of ECUs 104 can be connected to the same CAN bus 105. For example, the ECU 104 related to ADAS is connected to the CAN bus 105a, the ECU 104 related to the power train is connected to the CAN bus 105b, and the ECU 104 related to the vehicle body (door or wiper) is connected to the CAN bus 105c. Connected.

  In the communication system 10, each ECU exchanges frames such as data frames as messages according to the CAN protocol. Frames in the CAN protocol include a data frame, a remote frame, an overload frame, and an error frame. Here, a description will be given focusing on a data frame as a message including communication data.

[1.2 Data frame format]
Hereinafter, a data frame that is one of frames used in a network according to the CAN protocol will be described.

  FIG. 2 is a diagram showing a format of a data frame defined by the CAN protocol. In the figure, a data frame in a standard ID format defined by the CAN protocol is shown. The data frame includes an SOF (Start Of Frame), an ID field, an RTR (Remote Transmission Request), an IDE (Identifier Extension), a reserved bit “r”, a DLC (Data Length Code), a data field, and a CRC (Cyclic Redundancy Check) sequence. , A CRC delimiter “DEL”, an ACK (Acknowledgement) slot, an ACK delimiter “DEL”, and an EOF (End Of Frame) field. Here, descriptions of SOF, RTR, IDE, reserved bit “r”, DLC, CRC sequence, CRC delimiter “DEL”, ACK slot, ACK delimiter “DEL”, and EOF are omitted.

  The ID field is a field for storing an ID (also referred to as a CANID) that is a value indicating the type of data, which is composed of 11 bits. When a plurality of nodes start transmission at the same time, a frame having a small ID is designed to have a high priority in order to perform communication arbitration in this ID field.

  The data field has a maximum of 64 bits and stores data.

  Each ECU that transmits the communication data stores a predetermined type of data in the data field as the specification of the in-vehicle network (communication system 10), and a predetermined CANID corresponding to the type of data in the ID field. By storing, a data frame is constructed and transmitted. As a specification of the in-vehicle network (communication system 10), a vehicle manufacturer and the like predetermine CANID used for communication data and corresponding data configuration.

[1.3 Configuration of Communication Device 101]
Subsequently, a detailed configuration of the communication apparatus 101 will be described.

  FIG. 3 is a configuration diagram of the communication apparatus 101 according to the embodiment. As illustrated in FIG. 3, the communication device 101 includes a transmission / reception unit 301, a transfer unit 302, a storage unit 303, a determination unit 309, and a control unit 310.

  The communication device 101 is configured by a microprocessor (not shown), a RAM, a ROM, a hard disk, and the like. A computer program is stored in the RAM, ROM, and hard disk, and the communication device 101 performs its function when the microprocessor operates according to the program.

  Note that the functional blocks such as the transmission / reception unit 301, the transfer unit 302, the storage unit 303, the determination unit 309, and the control unit 310 of the communication apparatus 101 are typically realized as an LSI that is an integrated circuit. These may be individually made into one chip, or may be made into one chip so as to include one or more functional blocks or a part of each functional block. Further, the functional blocks included in the monitoring ECU 103 and the functional blocks included in the communication device 101 may be integrated into one chip.

  The name used here is LSI, but it may also be called IC, system LSI, super LSI, or ultra LSI depending on the degree of integration.

  Further, the method of circuit integration is not limited to LSI's, and implementation using dedicated circuitry or general purpose processors is also possible. An FPGA (Field Programmable Gate Array) that can be programmed after manufacturing the LSI, or a reconfigurable processor that can reconfigure the connection and setting of circuit cells inside the LSI may be used.

  Further, if integrated circuit technology comes out to replace LSI's as a result of the advancement of semiconductor technology or a derivative other technology, it is naturally also possible to carry out function block integration using this technology. Biotechnology can be applied.

  Finally, each functional block may be realized by software or a combination of LSI and software. The software may be tamper resistant.

(1) Transmission / reception unit 301
The transmission / reception unit 301 is connected to the external communication ECU 102. The transmission / reception unit 301 receives the communication data flowing through the CAN bus 105, then transmits the received communication data to a device outside the vehicle, or receives the communication data transmitted from a device outside the vehicle, and then receives the CAN. The received communication data is transmitted to the bus 105. The transmission / reception unit 301 is an example of a transmission unit that transmits sampled communication data to a device outside the vehicle.

(2) Transfer unit 302
The transfer unit 302 determines the CAN bus 105 to which the communication data received by the transmission / reception unit 301 should be transferred based on a transfer list 304 (described later), and transmits the communication data to the determined CAN bus 105 via the transmission / reception unit 301. Send (transfer).

(3) Storage unit 303
In the storage unit 303, the transfer list 304 in which the CANID assigned to the communication data and the transfer destination CAN bus 105 for transferring the communication data are paired, and the state of the in-vehicle network (for example, each CAN bus 105) is abnormal. An abnormality detection flag 305 indicating whether or not the vehicle is in a running state, a running state pattern 306 in which a sampling rate corresponding to the running state is described as a sampling method corresponding to the running state, a current running state 307 of the vehicle, and each CAN bus 105 And a communication log 308 which is communication data for each of the above. An example of the transfer list 304 is shown in FIG.

  FIG. 4 is a diagram illustrating an example of the transfer list 304 according to the embodiment.

  As shown in FIG. 4, the transfer list 304 stores a transfer list in which a CAN ID assigned to communication data and a transfer destination CAN bus 105 to which the communication data is transferred are paired. In the example of FIG. 4, communication data with CANID “0x011” is transferred to the CAN bus 1, communication data with CANID “0x021” and “0x031” is transferred to the CAN bus 2, and communication data with CANID “0x041” is transmitted. Is transferred to the CAN bus 3. In the following, it is assumed that the CAN bus 1 is the CAN bus 105a, the CAN bus 2 is the CAN bus 105b, and the CAN bus 3 is the CAN bus 105c.

  The abnormality detection flag 305 is associated with each CAN bus 105 and is a plurality of flags indicating whether each CAN bus is normal. For example, when the corresponding CAN bus 105 is normal, the abnormality detection flag 305 takes a value of 0, In this case, a value of 1 is taken. For example, when the monitoring ECU 103 determines whether the communication data is normal or abnormal, and the CAN bus 105a and the CAN bus 105c are determined to be abnormal and the CAN bus 105b is determined to be normal, the monitoring ECU 103 notifies the communication device 101 accordingly. According to the notification received from the monitoring ECU 103, the communication apparatus 101 sets the abnormality detection flag corresponding to the CAN bus 105a and the CAN bus 105c determined to be abnormal to 1, and sets the abnormality detection flag corresponding to the CAN bus 105b determined to be normal. Set to zero.

  The traveling state pattern 306 indicates a sampling method of communication data, and various traveling state patterns 306 are defined in advance according to various traveling states. The traveling state is defined so as to correspond to the contents of communication data received from the CAN bus 105 (vehicle speed, ADAS function ON / OFF, network state normality / abnormality determination results, etc.). Examples of the running state pattern 306 are shown in FIGS. 5A, 5B, and 6. FIG.

  FIG. 5A is a diagram illustrating an example of a travel state pattern corresponding to a normal travel state in the embodiment.

  FIG. 5A shows a running state pattern 306 when the vehicle is stopped and there is no abnormality in the state of the in-vehicle network as the running state of the vehicle. Specifically, the vehicle speed is 0 km / h, all ADAS functions are OFF (cruise control (CC), parking assist (PA), etc. are all OFF (CC flag, PA flag = 0)), and each CAN bus 105 When there is no abnormality (abnormality detection flag = 0), a running state pattern 306 with a state name of “stopped (no abnormality)” is shown.

  FIG. 5B is a diagram illustrating another example of the traveling state pattern corresponding to the traveling state at the normal time in the embodiment.

  FIG. 5B shows a running state pattern 306 when the vehicle is in a cruise control mode at a high speed and there is no abnormality in the state of the in-vehicle network as the running state of the vehicle. Specifically, when the vehicle speed is 80 km / h or more, the cruise control (CC) is activated (CC flag = 1), a vehicle is present ahead (previous vehicle presence flag = 1), and each CAN bus 105 is abnormal. A traveling state pattern 306 having a state name of “high speed cruise control is being activated (no abnormality)” is shown when there is no abnormality (abnormality detection flag = 0).

  FIG. 6 is a diagram illustrating an example of a running state pattern 306 corresponding to the running state at the time of abnormality in the embodiment.

  FIG. 6 shows a running state pattern 306 when the vehicle is stopped and the state of the in-vehicle network is abnormal as the running state of the vehicle. Specifically, the vehicle speed is 0 km / h, the ADAS functions are all OFF (cruise control (CC), parking assist (PA), etc. are all OFF (flag = 0)), and CAN bus 1 (CAN bus 105a). In addition, a traveling state pattern 306 with a state name of stopping (CAN bus 1, CAN bus 3 abnormal) when there is an abnormality in CAN bus 3 (CAN bus 105c) (abnormality detection flag = 1) is shown.

  In the sampling method indicated by the running state pattern 306, the sampling rate is determined for each group composed of one or more ECUs 104 among the plurality of ECUs 104. For example, in the in-vehicle network, a plurality of ECUs 104 are connected to each other by a CAN bus 105 in the vehicle, and the group includes one or more ECUs 104 connected to the same CAN bus 105. That is, the sampling rate is determined for the group for the CAN bus 105a, the group for the CAN bus 105b, and the group for the CAN bus 105c.

  The sampling rate is such that a large amount of highly important communication data is transmitted to a device outside the vehicle in various driving state patterns 306 determined in advance according to various driving states (so that the sampling rate increases), It is defined for each CAN bus 105 so as to reduce the transmission amount of communication data of low importance to a device outside the vehicle (so that the sampling rate is reduced). All communication data received by the transmission / reception unit 301 of the communication apparatus 101 is sampled for each CAN bus 105 in accordance with the sampling rate defined in the running state pattern 306.

  For example, when the vehicle is stopped and the ADAS function is OFF (specifically, under the vehicle condition shown in the running state pattern 306 in FIG. 5A), the value of the running system communication data such as the vehicle speed or the engine speed Does not change much. That is, it can be said that communication data with little change such as vehicle speed or engine speed does not contain much meaningful information. In other words, in this case, it can be said that meaningful communication data does not flow through the CAN bus 105a to which the ECU 104 related to ADAS is connected and the CAN bus 105b to which the ECU 104 related to the powertrain is connected. . On the other hand, there is a possibility that body-related communication data such as information indicating the door open / close state or door lock state may change. In other words, in this case, it can be said that meaningful communication data flows through the CAN bus 105c to which the ECU 104 related to the vehicle body is connected. That is, when the vehicle is stopped, it is better to transmit the communication data of the CAN bus 105c to which the body communication data is transmitted to the server device 11 from the CAN buses 105a and 105b to which the travel communication data is transmitted. It can be said that it is useful in analyzing communication data. Thus, the driving state pattern 306 is defined so that the sampling rate of the CAN bus 105 including a lot of meaningful communication data is increased according to the driving state of the vehicle.

  The sampling rate is also defined according to the value of the abnormality detection flag 305. In order to detect an attack such as transmission of an unauthorized message by an attacker and to establish a method for determining whether or not an attack has occurred, the CAN bus 105 that is not normal, that is, the CAN bus 105 whose abnormality detection flag 305 has a value of 1 is used. It is defined that all the communication data is extracted and all the communication data is transmitted to the server device 11. For example, as shown in FIG. 6, the sampling rate of the CAN buses 105a and 105c whose abnormality detection flag 305 is 1 is 100%.

  The current traveling state 307 is information indicating the current state of the vehicle including the normal or abnormal state of the in-vehicle network, which is determined by the determination unit 309 described later from the communication data received by the transmission / reception unit 301. Although details will be described later, when the received communication data changes and the determined current driving state 307 does not satisfy the vehicle condition in the driving state pattern 306 previously selected from the plurality of driving state patterns 306. The traveling state pattern 306 selected last time is updated to one corresponding to the current traveling state 307 from among the plurality of traveling state patterns 306.

  The communication log 308 is communication data for each CAN bus 105, and communication data sampled according to the sampling rate defined in the running state pattern 306 is recorded in the storage unit 303. Note that at least the communication data that has been sampled may be transmitted to the server apparatus 11 and the storage capacity of the storage unit 303 becomes large. However, the communication data before sampling may be stored in the storage unit 303. .

(4) Determination unit 309
The determination unit 309 determines the operating state of the system (specifically, the traveling state of the vehicle (current traveling state 307)) based on communication data flowing in a network to which a plurality of ECUs 104 in the system (vehicle) are connected. To do. Also, the determination unit 309 determines whether or not the network state is normal. Specifically, the determination unit 309 determines whether each CAN bus 105 is normal from the determination result of normality / abnormality of the state of the in-vehicle network (specifically, the CAN bus 105) received by the monitoring ECU 103 via the transmission / reception unit 301. Or abnormal. For example, the determination unit 309 determines whether the network state is normal by determining whether a message included in the communication data is normal. For example, the determination unit 309 determines whether or not the network state is normal by determining whether or not the CAN bus 105 in the network is normal. Note that the monitoring ECU 103 originally performs these determinations, and the determination unit 309 receives these determination results from the monitoring ECU 103, so that the determination unit 309 can also perform these determinations. In addition, the determination unit 309 determines whether the current traveling state 307 determined from the communication data received via the transmission / reception unit 301 satisfies the vehicle condition in the selected traveling state pattern 306.

(5) Control unit 310
The control unit 310 manages and controls each of the means (1) to (4). For example, the control unit 310 sets the traveling state pattern 306 corresponding to the current traveling state 307 determined by the determining unit 309 according to the communication data received from the CAN bus 105 and the abnormality detection flag 305 to the plurality of traveling state patterns 306. Choose from. It should be noted that by selecting the driving state pattern 306 corresponding to the current driving state 307 from the plurality of driving state patterns 306, the driving state pattern 306 indicates that the driving state pattern 306 selected last time is switched to a different driving state pattern 306. Also called update. The control unit 310 samples the communication data flowing through each CAN bus 105 in accordance with the sampling rate defined in the updated updated driving state pattern 306, and the sampled communication data is set as the communication log 308 for each CAN bus 105. Stored in the storage unit 303.

[1.4 Other examples of groups]
The sampling rate defined in the running state pattern 306 is determined for each group corresponding to each CAN bus 105, but is not limited thereto. This will be described with reference to FIGS.

  FIG. 7 is a diagram illustrating another example of the group in the embodiment. FIG. 8 is a diagram illustrating another example of the traveling state pattern corresponding to the traveling state at the normal time in the embodiment.

  For example, the group in which the sampling rate is determined may not be configured only by the ECU 104 connected to the same CAN bus 105, and may be a group such as a group E shown in FIG. Further, as in groups C and D shown in FIG. 7, even ECUs 104 connected to the same CAN bus 105 may be grouped so as to belong to different groups. For example, the group in which the sampling rate is defined may be configured by one or more ECUs 104 that transmit messages related to the same function included in the communication data (for example, data about the same CANID or related CANID). For example, the ECU 104 connected to the CAN bus 105b in the group E and the ECU 104 connected to the CAN bus 105c transmit messages related to the same function. The ECUs that transmit messages related to the same function are, for example, a steering angle sensor ECU and a power steering ECU, and both belong to the same group because they transmit messages related to steering. As shown in FIG. 8, the sampling rate may be defined for each of the groups A to E, not for each group determined to correspond to each of the CAN buses 105 in the running state pattern 306. Good.

  Hereinafter, the group will be described as a group determined to correspond to each of the CAN buses 105.

[1.5 Operation of Communication System 10]
Next, the communication system 10 samples the communication data for each CAN bus 105 according to the traveling state of the vehicle using the communication data received from the CAN bus 105 and transmits the sampled data to the server device 11. This will be described with reference to FIGS.

  First, a method for determining a sampling method will be described with reference to FIG.

  FIG. 9 is a flowchart illustrating an example of a sampling method determination method according to the embodiment.

  First, in step S <b> 901, the communication apparatus 101 receives communication data transmitted from the monitoring ECU 103 and the plurality of ECUs 104 by the transmission / reception unit 301. For example, the communication data transmitted from the monitoring ECU 103 includes a determination result of whether or not the network state is normal (specifically, a determination result of whether or not each CAN bus 105 is normal), The communication data transmitted from the ECU 104 includes data for determining the traveling state of the vehicle.

  Next, in step S <b> 902, the determination unit 309 determines whether the communication data transmitted from the monitoring ECU 103 includes a notification indicating an abnormality in the CAN bus 105. If the determination unit 309 determines that the communication data includes a notification indicating an abnormality in the CAN bus 105 (YES in step S902), that is, if the network state is abnormal, the process proceeds to step S903 to indicate the abnormality. If it is determined that the notification is not included (NO in step S902), the process proceeds to step S904.

  In step S903, the control unit 310 of the communication apparatus 101 sets the value of the abnormality detection flag 305 corresponding to the CAN bus 105 that has been notified of the abnormality to 1.

  On the other hand, in step S904, the control unit 310 of the communication apparatus 101 sets the value of the abnormality detection flag 305 corresponding to the CAN bus 105 that has no abnormality notification to 0.

  Next, in step S905, the determination unit 309 determines the vehicle travel state (current travel state 307) from the communication data received from the plurality of ECUs 104 and the value of the abnormality detection flag 305. For example, the determination unit 309 determines whether the vehicle is running, stopped, whether the in-vehicle network state is normal or abnormal based on the communication data received from the plurality of ECUs 104 and the value of the abnormality detection flag 305. The traveling state 307 is determined.

  In step S906, the determination unit 309 determines whether the current traveling state 307 satisfies the vehicle condition in the traveling state pattern 306 selected last time. If the determination unit 309 determines that the current traveling state 307 does not satisfy the vehicle condition (NO in step S906), the determination unit 309 proceeds to step S907 and determines that the current traveling state 307 satisfies the vehicle condition. If yes (YES in step S906), the process advances to step S908.

  In step S907, the control unit 310 selects a traveling state pattern 306 in which the current traveling state 307 satisfies the vehicle condition from the plurality of traveling state patterns 306, that is, updates the traveling state pattern 306.

  For example, the previously determined running state is that the vehicle speed is 80 km / h or more, the CC flag is 1, the forward vehicle presence / absence flag is 1, the abnormality detection flag 305 of each CAN bus 105 is 0, and the flowchart shown in FIG. 9 starts. It is assumed that the running state pattern 306 shown in FIG. 5B is selected at the time. Then, when the traveling state of the vehicle is changed and the current traveling state 307 indicates that the vehicle speed is 0 km / h, the CC flag is 0, the PA flag is 0, and the abnormality detection flag 305 of each CAN bus 105 is 0 in step S906, The current traveling state 307 does not satisfy the vehicle condition in the traveling state pattern 306 shown in FIG. 5B. Therefore, in step S907, the traveling state pattern 306 that satisfies the current traveling state 307 is updated from the plurality of traveling state patterns 306 to the traveling state pattern 306 shown in FIG. 5A.

  In step S908, control unit 310 determines a communication data sampling method. Specifically, the control unit 310 determines a sampling method in which the sampling rate indicated by the selected running state pattern 306 is defined. In other words, the control unit 310 determines a sampling method for sampling communication data flowing in each CAN bus 105 at a sampling rate defined in the running state pattern 306.

  In the description so far, the state of the in-vehicle network (whether the CAN bus 105 is normal) is also a part of the traveling state of the vehicle, but the traveling state of the vehicle includes the state of the in-vehicle network. It does not have to be. In this case, the traveling state pattern 306 does not include information on the abnormality detection flag 305. Accordingly, the running state pattern 306 when there is an abnormality in the in-vehicle network as shown in FIG. 6 does not exist. Further, in this case, the determination unit 309 determines the traveling state of the vehicle without being based on the determination result of whether or not the network state is normal. A method for determining the sampling method in this case will be described with reference to FIG.

  FIG. 10 is a flowchart illustrating another example of the sampling method determination method according to the embodiment.

  First, in step S <b> 901, the communication apparatus 101 receives communication data transmitted from the monitoring ECU 103 and the plurality of ECUs 104 by the transmission / reception unit 301. For example, the communication data transmitted from the monitoring ECU 103 includes a determination result of whether or not the network state is normal (specifically, a determination result of whether or not each CAN bus 105 is normal), The communication data transmitted from the ECU 104 includes data for determining the traveling state of the vehicle.

  Next, in step S <b> 1001, the determination unit 309 determines the vehicle travel state (current travel state 307) from the communication data received from the plurality of ECUs 104. For example, the determination unit 309 determines the current traveling state 307 such as whether the vehicle is traveling or stopped from communication data received from the plurality of ECUs 104. In step S905 shown in FIG. 9, the determination unit 309 determines the current traveling state 307 based also on the value of the abnormality detection flag 305. For example, whether the state of the in-vehicle network is normal based on the value of the abnormality detection flag 305. The current running state 307 such as an abnormality is also determined. That is, in step S1001 shown in FIG. 10, the determination unit 309 determines the traveling state of the vehicle without being based on the determination result of whether or not the network state is normal.

  In step S1002, the determination unit 309 determines whether or not the current traveling state 307 satisfies the vehicle condition in the traveling state pattern 306 selected last time. If the determination unit 309 determines that the current traveling state 307 does not satisfy the vehicle condition (NO in step S1002), the determination unit 309 proceeds to step S1003 and determines that the current traveling state 307 satisfies the vehicle condition. If yes (YES in step S1002), the process proceeds to step S1004.

  In step S1003, the control unit 310 selects a traveling state pattern 306 in which the current traveling state 307 satisfies the vehicle condition from the plurality of traveling state patterns 306, that is, updates the traveling state pattern 306.

  In step S1004, control unit 310 determines a communication data sampling method. Specifically, the control unit 310 determines a sampling method in which the sampling rate indicated by the selected running state pattern 306 is defined. In other words, the control unit 310 determines a sampling method for sampling communication data flowing in each CAN bus 105 at a sampling rate defined in the running state pattern 306.

  Next, in step S <b> 1005, the determination unit 309 determines whether the communication data transmitted from the monitoring ECU 103 includes a notification indicating an abnormality in the CAN bus 105. If the determination unit 309 determines that the communication data includes a notification indicating an abnormality in the CAN bus 105 (YES in step S1005), that is, if the network state is abnormal, the process proceeds to step S1006 and indicates an abnormality. If it is determined that the notification is not included (NO in step S1005), the sampling method determination process ends.

  In step S1006, control unit 310 changes the sampling method determined in step S1004. Specifically, the control unit 310 changes the sampling rate for the CAN bus 105 having an abnormality in the sampling rate of each CAN bus 105 in the determined sampling method. For example, the control unit 310 sets the sampling rate for the abnormal CAN bus 105 to 100%. Specifically, if the CAN bus 105a and 105c have an abnormality when the sampling rate of each CAN bus 105 in the sampling method determined in step S1004 is as shown in FIG. 5A, the CAN bus 105a and 105c. The sampling rate is changed to 100%. That is, in this case, finally, a sampling method is determined in which the sampling rate of each CAN bus 105 is a sampling rate as shown in FIG.

  Thus, it is not necessary to prepare the running state pattern 306 when there is an abnormality in the in-vehicle network, and when there is an abnormality in the network state, the sampling rate of the group corresponding to the abnormality in the determined sampling method is changed. By doing so, the sampling method may be changed.

  Next, the operation of the communication apparatus 101 according to the determined sampling method (or the sampling method changed after the determination) will be described with reference to FIG.

  FIG. 11 is a flowchart illustrating an example of the operation of the communication apparatus 101 according to the embodiment.

  First, in step S1111, control unit 310 samples communication data according to a sampling method corresponding to the determined running state (that is, a sampling method determined or changed after determination). Specifically, the control unit 310 samples communication data received by the transmission / reception unit 301 from each CAN bus 105 according to the sampling rate for each CAN bus 105 defined in the traveling state pattern 306 corresponding to the current traveling state 307. I do.

  Next, in step S <b> 1112, the control unit 310 stores the communication log 308 as the sampled communication data in the storage unit 303 for each CAN bus 105.

  In step S <b> 1113, the transmission / reception unit 301 transmits the sampled communication data to the server device 11.

  Note that the timing at which the process in step S1113 is started is not particularly limited. For example, it may be performed every predetermined time or in response to a request from the server device 11.

[1.6 Summary]
As described above, the communication apparatus 101 according to the present embodiment determines the operating (running) state of the system (vehicle) based on the communication data flowing through the network to which the plurality of ECUs 104 in the system (vehicle) are connected. Unit 309, control unit 310 that samples communication data in accordance with the sampling method corresponding to the determined operating (running) state, and the sampled communication data as a device outside the system (vehicle) (server device 11) A transmission unit (transmission / reception unit 301).

  According to this, communication data with low importance can be sampled so that it is not extracted very much (so that it is thinned out greatly) according to the operating (running) state of the vehicle or the like. Can be sampled so that many are extracted (so that they are not thinned out very much (or not thinned out at all)). In other words, depending on the operating (running) state of the vehicle, etc., the amount of data for highly important communication data is not reduced much (or not reduced at all), while the amount of data for less important communication data is reduced. Thus, the communication load with the external device and the storage capacity of the device can be effectively reduced. Note that communication data transmitted to an external device such as a vehicle can be used for failure analysis or attack analysis of cyber attacks.

  The communication apparatus 101 may further include a storage unit 303, and the control unit 310 may store the communication data that has been sampled in the storage unit 303.

  According to this, since the sampled communication data is held in the storage unit 303, the storage capacity of the storage unit 303 can be reduced.

  In the sampling method, a sampling ratio is determined for each group including one or more ECUs 104 of the plurality of ECUs 104, and the control unit 310 determines the sampling ratio determined for the group for communication data for each group. Sampling may be performed according to the above.

  According to this, for example, the communication data of the ECU 104 related to the body is low in importance while the vehicle is running, and high in importance when the vehicle is stopped. Because the importance of communication data for each group may differ depending on the vehicle's running state, such as high importance when the vehicle is running and low importance when the vehicle is stopped. Data sampling can be performed effectively.

  In the network, a plurality of ECUs 104 may be connected to each other by a CAN bus 105 in the system (vehicle), and a group may be composed of one or more ECUs 104 connected to the same CAN bus 105.

  For example, in general, one or more ECUs 104 connected to the same CAN bus 105 often have the same function, and the communication data to be handled is often the same. Therefore, it is possible to effectively sample communication data for each group including one or more ECUs 104 connected to the same CAN bus 105.

  The group may be composed of one or more ECUs 104 that transmit messages related to the same function included in the communication data.

  According to this, it is possible to effectively perform sampling of communication data for each group including one or more ECUs 104 that transmit messages related to the same function.

  The determination unit 309 may further determine whether or not the network state is normal, and may determine the operating (running) state of the system (vehicle) based on the determination result.

  According to this, since the traveling state of the vehicle is determined according to the determination result of whether or not the network state is normal, the sampling method corresponds to the determination result. Therefore, communication data can be sampled according to whether the network state is normal or not.

  Further, the determination unit 309 may further determine whether or not the network state is normal, and the control unit 310 may change the sampling method according to whether or not the network state is normal.

  According to this, since the sampling method is changed according to the determination result of whether or not the network state is normal, it is possible to sample the communication data depending on whether or not the network state is normal.

  Specifically, the determination unit 309 may determine whether the network state is normal by determining whether a message included in the communication data is normal. In the network, a plurality of ECUs 104 are connected to each other by a CAN bus 105 in the vehicle, and the determination unit 309 determines whether the network state is normal by determining whether the CAN bus 105 in the network is normal. May be determined.

<Other embodiments, etc.>
As described above, the embodiments have been described as examples of the technology according to the present invention. However, the technology according to the present invention is not limited to this, and can also be applied to embodiments in which changes, replacements, additions, omissions, etc. are made as appropriate. For example, the following modifications are also included in one embodiment of the present invention.

  (1) In the embodiment of the present invention, when the monitoring ECU 103 notifies the communication device 101 that unauthorized communication data has been detected via the CAN bus 105, a message authentication code (MAC: Message Authentication) is added to the communication data. (Code) may be transmitted.

  (2) In the embodiment of the present invention, it is assumed that the monitoring ECU 103 periodically notifies the communication device 101 of both the normality and abnormality of the CAN bus 105, but has detected an abnormality. You may notify in an event, such as notifying only at the time.

  (3) In the embodiment of the present invention, it is assumed that the communication apparatus 101 periodically receives notifications from the monitoring ECU 103 about normality / abnormality of the CAN bus 105, but the notification of abnormality is constant. It may be determined using non-arrival or the like, for example, it is determined that it is normal if time cannot be received.

  (4) In the embodiment of the present invention, the communication device 101 is physically assumed to be one ECU, but is mounted on another ECU such as the monitoring ECU 103 as a logically independent functional module (software). It may be configured.

  (5) In the embodiment of the present invention, the communication apparatus 101 is assumed to be one ECU including a relay / transfer function. However, the relay / transfer function may be implemented in another ECU such as a relay ECU. Good.

  (6) In the embodiment of the present invention, it is assumed that the communication data of the CAN bus 105 determined as not normal by the monitoring ECU 103 is transmitted to the server apparatus 11 without sampling (that is, sampling rate 100%). However, like the CAN bus 105 determined to be normal, it may be defined to sample.

  (7) In the embodiment of the present invention, the communication device 101 and the monitoring ECU 103 are physically mounted on one ECU, and may be configured as logically independent function modules (software or the like). .

  (8) In the embodiment of the present invention, instead of CAN communication, CAN FD (CAN with Flexible Data rate), TTCAN (Time Triggered CAN), Ethernet, LIN (Local Interconnect Network), MOST (Media Oriented Systems Transport) or A configuration using a communication method such as FlexRay may be used.

  (9) A part or all of the components constituting the communication device 101 may be configured by an IC card that can be attached to and detached from the communication device 101 or a single module. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the super multifunctional LSI described above. The IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may have tamper resistance.

  (10) In the embodiment of the present invention, the monitoring ECU 103 notifies the communication device 101 of the result of detecting the normality or abnormality of the communication data via the CAN bus 105, but the present invention is not limited to this. This will be described with reference to FIG.

  FIG. 12 is a configuration diagram of a communication system 10a according to another embodiment.

  In the communication system 10 according to the embodiment, the CAN bus 105 is used for transmission and reception of communication data as described above. The CAN bus 105 is also used for transmission / reception of the determination result by the monitoring ECU 103 as to whether or not the state of the in-vehicle network is normal. On the other hand, in the communication system 10 a, communication via the dedicated line 106 different from the CAN bus 105 is used for transmission / reception of the determination result by the monitoring ECU 103 as to whether or not the state of the in-vehicle network is normal. For example, the dedicated line 106 is a communication line that is not connected to the outside, and is a communication line that is resistant to external attacks.

  According to this, when the CAN bus 105 is used for transmission / reception of the determination result by the monitoring ECU 103, when an unauthorized node is connected to the CAN bus 105 and unauthorized information is transmitted to the CAN bus 105, the determination result is There is a risk of unauthorized rewriting. Therefore, transmission / reception of the determination result can be prevented from being rewritten illegally, for example, by using communication via the dedicated line 106 that is resistant to external attacks.

  (11) The present invention can be realized not only as the communication apparatus 101 but also as a communication method including steps (processes) performed by each component constituting the communication apparatus 101.

  Specifically, as shown in FIGS. 9 and 11, the communication method is based on communication data flowing in a network to which a plurality of ECUs 104 in the system (vehicle) are connected (running) of the system (vehicle). The state is determined (step S905), the communication data is sampled according to the sampling method corresponding to the determined operating (running) state (step S1111), and the sampled communication data is sent to a device outside the system (vehicle). (Step S1113).

  Further, for example, the present invention can be realized as a computer program for causing a computer to execute these steps. Further, for example, these steps may be digital signals composed of the computer program.

  The present invention also provides a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, a BD (Blu-ray ( (Registered trademark) Disc), or recorded in a semiconductor memory or the like. The digital signal may be recorded on these recording media.

  Further, the present invention may transmit the computer program or the digital signal via an electric communication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, or the like.

  The present invention may be a computer system including a microprocessor and a memory, wherein the memory stores the computer program, and the microprocessor operates according to the computer program.

  In addition, the program or the digital signal is recorded on the recording medium and transferred, or the program or the digital signal is transferred via the network or the like, and is executed by another independent computer system. It is good.

  (12) The above embodiment and the above modifications may be combined.

  (13) In the above-described embodiment, application to security measures in an in-vehicle network mounted on a vehicle (automobile) has been described as an application example of the present invention, but the scope of application of the present invention is not limited to this. For example, the present invention may be applied not only to automobiles but also to mobility such as construction machines, agricultural machines, ships, railroads, and airplanes. For example, the determination unit 309 is not limited to a vehicle such as an automobile, but based on communication data flowing in a network to which a plurality of electronic control units in a system such as a construction machine, an agricultural machine, a ship, a railroad, or an airplane is connected, The operating state may be determined. Control unit 310 may sample communication data in accordance with a sampling method corresponding to the determined operating state. The transmission unit (transmission / reception unit 301) may transmit the sampled communication data to a device outside the system.

  The present invention can be applied to an apparatus that transfers communication data flowing in a network such as an automobile, a construction machine, an agricultural machine, a ship, a railway, or an airplane to a server apparatus.

10, 10a Communication system 11 Server device 101 Communication device 102 External communication ECU
103 monitoring ECU
104 ECU
105, 105a, 105b, 105c CAN bus 106 Dedicated line 301 Transmission / reception unit 302 Transfer unit 303 Storage unit 304 Transfer list 305 Abnormality detection flag 306 Traveling state pattern 307 Current traveling state 308 Communication log 309 Determination unit 310 Control unit

Claims (11)

A determination unit for determining an operating state of the system based on communication data flowing in a network to which a plurality of electronic control units in the system are connected;
In accordance with a sampling method corresponding to the determined operating state, a control unit that samples the communication data;
A transmission unit that transmits the sampled communication data to a device outside the system;
A communication device comprising: The communication device further includes a storage unit,
The control unit stores the communication data subjected to the sampling in the storage unit.
The communication apparatus according to claim 1. In the sampling method, a sampling rate is determined for each group composed of one or more electronic control units of the plurality of electronic control units,
The control unit samples the communication data for each group according to a sampling rate determined for the group.
The communication apparatus according to claim 1 or 2. In the network, the plurality of electronic control units are connected to each other by a CAN bus in the system,
The group is composed of the one or more electronic control units connected to the same CAN bus.
The communication apparatus according to claim 3. The group is composed of the one or more electronic control units that transmit messages related to the same function included in the communication data.
The communication apparatus according to claim 3 or 4. The determination unit further determines whether or not the state of the network is normal, and determines an operating state of the system based on a result of the determination.
The communication apparatus of any one of Claims 1-5. The determination unit further determines whether or not the state of the network is normal,
The control unit changes the sampling method according to whether or not the state of the network is normal.
The communication apparatus of any one of Claims 1-5. The determination unit determines whether or not the state of the network is normal by determining whether or not a message included in the communication data is normal.
The communication apparatus according to claim 6 or 7. In the network, the plurality of electronic control units are connected to each other by a CAN bus in the system,
The determination unit determines whether the state of the network is normal by determining whether a CAN bus in the network is normal.
The communication apparatus according to any one of claims 6 to 8. Based on communication data flowing in a network to which a plurality of electronic control units in the system are connected, determine the operating state of the system,
According to the sampling method corresponding to the determined operating state, sampling the communication data,
Transmitting the sampled communication data to a device external to the system;
Communication method. A process of determining an operating state of the system based on communication data flowing in a network to which a plurality of electronic control units in the system is connected;
A process of sampling the communication data according to a sampling method corresponding to the determined operating state;
A process of transmitting the sampled communication data to a device external to the system;
A program that causes a computer to execute.

Images