JP2019219709A - Cyber attack notification apparatus and notification method - Google Patents

Abstract

To provide an apparatus and a method, which is an apparatus for detecting cyber attack to a vehicle and notifying the attack, that enable notification by an appropriate notification method according to a status of a driver.SOLUTION: A cyber attack notification apparatus (10) is installed on a vehicle, and is an apparatus for notifying a cyber attack to the vehicle. The cyber attack notification apparatus includes cyber attack detection unit (330) that detects the cyber attack to the vehicle, a driver status input unit (310a) that acquires information indicating the status of a driver, a notification method determination unit (360) that determines which device should notify among a first device (520) in the vehicle and a second device (510) outside of the vehicle, and an abnormal notification unit (380) that notifies information relating to the cyber attack to the determined device. The notification method determination unit determines a device to be notified of the information based on whether the driver is in or out of the vehicle.SELECTED DRAWING: Figure 3

Description

  The present invention relates to an apparatus and a method for notifying devices inside and outside a vehicle of a cyber attack on the vehicle.

  Patent Literature 1 discloses an in-vehicle device capable of notifying an appropriate external institution even when the owner of a vehicle cannot cope with an emergency such as vandalism or theft of a parked vehicle. Specifically, an in-vehicle device disclosed in Patent Literature 1 includes an abnormality detection unit that detects an abnormality of a vehicle, a vehicle status acquisition unit that acquires an image inside the vehicle, an abnormality that is detected by the abnormality detection unit, Based on the image acquired by the situation acquisition unit, the content of the abnormality of the vehicle is specified, and it is determined whether or not the abnormality is a highly important abnormality. A security control unit that instructs a pre-registered notification destination to notify the contents of the abnormality. According to this in-vehicle device, even when the owner of the vehicle cannot cope in the event of an emergency such as vandalism or theft of a parked vehicle, it notifies an appropriate external organization, so that damage to the vehicle can be quickly done. You can take action.

JP-A-2005-89781

  The present invention provides an apparatus and a method for notifying a cyber attack by an appropriate method according to the state of a driver when a cyber attack on a vehicle is detected.

  According to a first aspect of the present disclosure, there is provided a cyber attack notification device that is mounted on a vehicle and notifies a cyber attack on the vehicle. The cyber attack notification device includes a cyber attack detection unit that detects a cyber attack on the vehicle, a driver state input unit that inputs information indicating the state of the driver, a driver characteristic input unit that inputs information indicating the characteristics of the driver, And a notification method determining unit for determining a device to be notified from among the first device and a second device outside the vehicle such as a mobile phone having a telephone number, a mail address, etc. registered in advance. An abnormality notification unit that notifies the device of information on the detected cyber attack. The notification method determination unit determines whether the driver is inside or outside the vehicle, and determines a device to which information is to be notified based on the determination result.

  According to a second aspect of the present disclosure, there is provided a method for notifying information relating to a cyber attack on a vehicle by a cyber attack notification device mounted on the vehicle. The method includes a step in which the control unit of the cyber attack notification device detects a cyber attack on the vehicle, a step in which the control unit acquires the state of the driver, and a step in which the control unit acquires information indicating the characteristics of the driver, A control unit for determining whether the driver is in the vehicle or outside the vehicle; and a control unit configured to control the first device in the vehicle and a mobile phone having a telephone number, a mail address, and the like registered in advance based on the determination result. Determining a device to notify information related to the detected cyber attack from among the second devices outside the vehicle, and a step in which the control unit notifies the determined device of information about the cyber attack, including.

  According to the present invention, when a cyber attack on a vehicle is detected, the cyber attack can be notified by an appropriate method according to the driver's state (for example, the driver's position, mental state, and the like).

Diagram showing an application example of the cyber attack notification device of the present disclosure to an in-vehicle network Block diagram showing the configuration of the cyber attack notification device Diagram showing the hardware configuration of the gateway ECU Block diagram showing a more specific configuration of the cyber attack notification device Diagram illustrating the configuration of the cyber attack detection DB Diagram explaining the configuration of the risk analysis DB Diagram explaining points for each viewpoint of risk analysis The figure which shows the specific example of a driver state acquisition part, a vehicle state acquisition part, an external notification device, and an in-vehicle notification device. Flow chart showing cyber attack notification processing by the cyber attack notification device Diagram showing conditions for determining notification method Diagram illustrating the arrangement of cameras and sensors for acquiring the driver's mental state Diagram illustrating the arrangement of the perspiration sensor attached to the handle Diagram showing various parameters that are factors for determining notification contents Diagram for explaining how to obtain information on the mental state of the driver Diagram for explaining how to obtain information on the mental state of the driver Diagram showing an example of attack information Diagram showing an example of correspondence information

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings as appropriate.

(Background of the disclosure)
2. Description of the Related Art Conventionally, there has been a mechanism for notifying a driver in a vehicle by turning on a warning lamp on an instrument panel when a failure occurs in the vehicle. There is also a mechanism that notifies a physical attack on a vehicle, such as a vandalism theft, to an external device such as a smartphone and notifies a driver outside the vehicle. However, there is no mechanism for notifying the driver of an abnormality caused by a cyber attack on the vehicle, and therefore, there is a problem that the driver cannot quickly cope with the cyber attack. Therefore, there is a demand for the development of a technology for notifying a driver of a cyber attack.

  The inventor of the present application has discovered the following problems in the process of developing a technology for notifying a driver of a cyber attack.

  There are various types of cyber attacks, such as those that directly affect driving, those that have no direct effect such as eavesdropping, and those that have no effect. Therefore, if the driver is notified every time a cyber attack is detected, the driver may overlook an important notification that has a really high impact.

  Further, unlike a physical attack such as a vandalism that occurs during parking, a cyber attack may occur regardless of whether or not the driver is in the vehicle. For example, if a notification device outside the vehicle, such as a smartphone, is notified during driving, the driver may be distracted and hinder driving. In addition, even if the notification device notifies the in-vehicle notification device while the driver is away from the parked vehicle, the driver may not notice the notification and may not be able to cope with the cyber attack. As described above, there are cases where the driver cannot be reliably notified of the cyber attack.

  Furthermore, in cyber attacks, the general driver's understanding (recognition) is low, and there is an individual difference in responding to it, and it is erroneously judged that there is no problem with the driver simply by notifying that a cyber attack has been received And the response may be delayed. Also, being attacked may frustrate the driver and may hinder driving.

  Therefore, the present inventor has devised a cyber attack notification device described below in consideration of the above problems.

(Embodiment 1)
The cyber attack notification device of the present embodiment detects a cyber attack (for example, a DoS attack) in a vehicle based on information on the state of the driver of the vehicle and information on the state of the vehicle, and outputs information on the detected cyber attack to an abnormal state. Notify the appropriate device and the appropriate device according to the content.

1. Configuration FIG. 1 is a diagram showing a network configuration in a vehicle to which the cyber attack notification device of the present embodiment is applied. As shown in FIG. 1, the vehicle 50 is provided with in-vehicle networks 200a and 200b. A plurality of ECUs (Electronic Control Units) 305 are connected to the in-vehicle networks 200a and 200b. The ECU 305 is a device that electronically controls a device connected thereto and collects various information from the device. The ECU 305 is connected to controlled devices such as actuators of an engine, a brake, and a power window, and sensors such as a camera and various sensors. In the following, for convenience of explanation, the in-vehicle network 200a and the in-vehicle network 200b are collectively referred to as an "in-vehicle network 200".

  The vehicle-mounted network 200a and the vehicle-mounted network 200b are connected by the gateway ECU 100. The gateway ECU 100 detects a cyber attack and notifies information on the cyber attack to at least one of a device inside the vehicle (for example, an indicator) and a device 500 outside the vehicle (for example, a smartphone). The notified device presents information on the cyber attack to the driver or the like, so that the driver or the like recognizes that the cyber attack has been received and can take necessary measures.

  FIG. 2 is a diagram illustrating a hardware configuration of the gateway ECU 100. As shown in the figure, the gateway ECU 100 includes a CPU 110, and realizes a predetermined function described later by executing a predetermined program. Instead of the CPU 110, another type of general-purpose processor, for example, an MPU may be used. Alternatively, instead of the CPU 110, a processor specially designed to realize a predetermined function may be used. That is, the gateway ECU 100 can include various processors such as a CPU, an MPU, a GPU, a DSP, an FPGA, and an ASIC.

  Further, gateway ECU 100 includes RAM 120, ROM 130, and data storage unit 140. The RAM 120 is a memory for temporarily storing information and programs necessary for the CPU 110 to execute an operation, and is a work area appropriately accessed by the CPU 110. The ROM 130 is a memory for storing a program executed by the CPU 110. The program executed by the CPU 110 may be downloaded from a server via a communication line, or may be downloaded from an internal recording medium on a board such as a nonvolatile memory or an external recording medium such as an optical disk or a memory card. It may be provided to the ECU 100.

  The data storage unit 140 is a recording medium that records various types of information referred to in the control of the gateway ECU 100. The data storage unit 140 can be configured by, for example, an internal recording medium such as a nonvolatile memory or an external recording medium such as a hard disk (HDD), a solid state drive (SSD), or an optical disk device.

  Further, the gateway ECU 100 includes first and second communication interfaces 150 and 160. The first communication interface 150 is a communication circuit or a communication module for exchanging data with the ECU connected to the vehicle-mounted network 200a. The second communication interface 160 is a communication circuit or a communication module for exchanging data with an ECU connected to the vehicle-mounted network 200b. In the present embodiment, the first and second communication interfaces 150 and 160 perform communication according to a CAN (Controller Area Network) protocol widely used in a vehicle-mounted network. Note that the first and second communication interfaces 150 and 160 may perform communication according to a protocol other than the CAN protocol. For example, communication may be performed according to the CAN FD protocol.

  Returning to FIG. 1, the gateway ECU 100 and the ECU 305 constitute an attack notification device of the present embodiment.

  FIG. 3 is a diagram illustrating a functional configuration of the cyber attack notification device according to the present embodiment. FIG. 4 is a diagram showing each configuration of the cyber attack notification device more specifically.

  The cyber attack notification device 10 includes a driver state acquisition unit 310 that acquires the state of the driver, a vehicle state acquisition unit 320 that acquires the state of the vehicle 50, and a notification that detects a cyber attack and controls the notification of the detected cyber attack. The control unit 300 includes a control unit 300 and an abnormality notification unit 380 for notifying that a cyber attack has been received.

  The driver state acquisition unit 310 acquires the driver's movement, facial expression, and biological information (heart rate, respiratory state, sweating state, etc.) for determining the mental state of the driver. Driver state obtaining section 310 includes various ECUs, for example, ECUs 311 to 315. The ECU 311 is connected to the camera 401 that captures an image, and acquires an image from the camera 401. The ECU 313 is connected to the seat sensor 403 and receives a detection signal from the seat sensor 403. The ECU 313 is connected to the perspiration sensor 405 that detects the state of perspiration of the driver, and inputs a detection signal from the perspiration sensor 405.

  The vehicle state acquisition unit 320 acquires various operation states of the vehicle 50, such as the speed, the power supply state, and the shift position of the vehicle 50. Vehicle state acquisition section 320 includes various ECUs, for example, ECUs 321-325. The ECU 321 is connected to a speed sensor 407 that detects the speed of the vehicle 50. The ECU 323 is connected to the ignition and acquires a power supply state. The ECU 325 is connected to a sensor that detects a shift position, and acquires information on the shift position.

  The notification control unit 300 includes a cyber attack detection unit 330 that detects a cyber attack, a risk analysis unit 340 that analyzes the risk of a cyber attack, a driver characteristic storage unit 350 that stores information indicating characteristics unique to the driver, and a cyber attack. And a notification method determination unit 360 that determines the notification method of the notification. Notification control section 300 further includes driver state input section 310a for inputting information obtained by driver state obtaining section 310, vehicle state input section 320a for inputting information obtained by vehicle state obtaining section 320, and abnormality notification section 380. And output units 380a and 380b for outputting a control signal. The notification control unit 300 is realized by the gateway ECU 100. The functions of the first input unit 310a, the second input unit 320a, and the output units 380a and 380b are realized by the first communication interface 150 or the second communication interface 160.

  The cyber attack detection unit 330 can detect an attack target and an attack method using a predetermined function. More specifically, the cyber attack detection unit 330 can detect the target of the attack and the attack method by monitoring the communication and monitoring the deviation from the normal system by the communication monitoring function. Further, the cyber attack detection unit 330 uses the control / information monitoring function to monitor the control processing time and stored information to monitor the deviation from the normal system and the presence or absence of rewriting, and to determine the target of the attack and the attack method. Can be detected. Further, the cyber attack detection unit 330 can monitor the current consumption by the current consumption monitoring function, monitor whether or not an unauthorized device is connected to the bus, and perform an attack method with an attack target.

  Here, the attack method includes DoS attack, spoof insertion, message falsification, message eavesdropping, program rewriting, and the like. The attack target includes the entire traveling system, an ECU connected to the traveling system, a message output from the ECU connected to the traveling system, information assets, personal information, money assets, and the like.

  The cyber attack detection unit 330 includes a cyber attack detection database (hereinafter, referred to as “cyber attack detection DB”) 332. FIG. 5 shows the configuration of the cyber attack detection DB 332. The cyber attack detection DB 332 is a database that manages an attack target, an attack method, an attack content, and an ID for identifying the attack content in association with each other. The cyber attack detection DB 332 is stored in the data storage unit 140. The cyber attack detection unit 330 specifies the content of the attack with reference to the cyber attack detection DB 332.

  The risk analysis unit 340 analyzes the risk of the attack content specified by the server attack detection unit 330. The risk analysis unit 340 includes a risk analysis database (hereinafter, referred to as “risk analysis DB”) 342. FIG. 6 shows the configuration of the risk analysis DB 342. The risk analysis DB 342 manages, for each attack content, the score of each viewpoint of security, privacy, financial aspect, operability, and controllability, and the sum of the scores of each viewpoint. The score indicates the degree of risk, and the higher the score, the higher the risk. The total score for each attack content indicates the degree of risk for that attack content.

 FIG. 7 is a diagram for explaining a criterion for determining a score for each viewpoint in the risk analysis DB 342. For example, regarding safety, a score when there is no damage is set to “0”, and a score for a risk that surely threatens life is set to “4”. The score of each viewpoint in the risk analysis DB 342 is set in advance according to the criterion shown in FIG.

  The driver characteristic holding unit 350 holds information on characteristics (characters) related to driving of the driver. In the present embodiment, according to the classification based on the OD-type safety test, the driver characteristics (character) are classified into “safe driving type”, “caution required type”, “received accident tendency type”, “serious accident tendency type”, and “ Accident Violation Frequent Type ". The driver characteristic holding unit 350 holds, as driver characteristic information, information indicating the type of each driver according to the above classification. Here, the type obtained based on the OD type safety test is used as the driver characteristic, but the driver characteristic is not limited to this. The driver characteristics may be any information as long as the characteristics of the driver affect the driving, and may be, for example, information indicating the tendency of the driver to drive or information indicating the character of the driver.

  When detecting a cyber attack, the notification method determination unit 360 determines the cyber attack based on information from the driver status acquisition unit 310, the vehicle status acquisition unit 320, the risk analysis unit 340, and the driver characteristic storage unit 350. Determine the notification method.

  The abnormality notification unit 380 notifies the detected abnormality to at least one of a device arranged inside the vehicle 50 and a device arranged outside the vehicle 50. The device arranged inside the vehicle 50 is, for example, an indicator, a buzzer, or a speaker of an instrument panel. The devices arranged outside the vehicle 50 are, for example, a smartphone, a smart key, a mobile phone, and a server. For these devices, their identification numbers, telephone numbers, mail addresses, and the like are registered in the notification method determination unit 360 in advance. The abnormality notification unit 380 includes various ECUs, for example, ECUs 381 to 389. The ECU 381 communicates with the smartphone 511 and transmits predetermined information to the smartphone 511. The ECU 383 communicates with the smart key 512 and transmits predetermined information to the smart key 512. The ECU 385 controls the indicator 521 in the vehicle 50 to display predetermined information. The ECU 387 controls the buzzer 523 in the vehicle 50 to notify information by voice output. The ECU 389 controls the speaker 525 in the vehicle 50 to output a sound indicating predetermined information.

  FIG. 8 is a diagram illustrating an example of specific information acquired or monitored by the driver state acquisition unit 310, the vehicle state acquisition unit 320, and the cyber attack detection unit 330. For example, the driver state acquisition unit 310 acquires information on the driver's heart rate, heartbeat fluctuation, respiratory activity, and riding state based on the output signal from the seat sensor 403. In addition, the driver state acquisition unit 310 acquires information on the mental sweating state of the driver based on the output signal from the sweat sensor 405. In addition, the driver state acquisition unit 310 acquires information on the driver's riding state and the driver's facial expression based on the image captured by the camera 401.

  The cyber attack detection unit 330 monitors communication cycles, communication data, control processing time, and information protection assets on the networks 200a and 200b via various monitoring devices.

2. Operation FIG. 9 is a flowchart showing a cyber attack notification process by the cyber attack notification device 10. The processing shown in the flowchart of FIG. 9 is repeatedly executed at predetermined intervals.

  The cyber attack detection unit 330 detects the presence or absence of a cyber attack on the vehicle 50 based on at least one of the communication cycle, the communication data, and the control processing time (S11). Cyber attacks can be detected based on known techniques. For example, the cyber attack detection unit 330 can determine that a cyber attack has been received when the communication cycle of a frame transmitted on the bus is significantly different from the basic cycle (for example, International Publication No. WO 2014/115455). The cyber attack detection unit 330 specifies the content of the attack (the attack target and the attack method) based on the communication cycle and the like, and transmits the ID indicating the specified content of the attack to the risk analysis unit 340. For example, when detecting that a Dos attack (attack method) has been received in the traveling system (attack target), the cyber attack detection unit 330 transmits an ID (= 123) indicating the content of the attack to the risk analysis unit 340 ( (See FIG. 5). Further, the cyber attack detection unit 330 notifies the notification method determination unit 360 that a cyber attack has been detected.

  When the cyber attack detection unit 330 detects a cyber attack (YES in S11), the risk analysis unit 340 analyzes the risk for the detected cyber attack (S12). Specifically, when the risk analysis unit 340 receives the ID indicating the content of the attack from the cyber attack detection unit 330, the risk analysis unit 340 refers to the risk analysis DB 342 and acquires the total score (degree of risk) for the attack indicated by the received ID. Then, information indicating the total points is transmitted to notification method determining section 360. For example, when receiving “123” as the ID, the risk analysis unit 340 refers to the risk analysis DB 342, acquires “12” as the total score for the attack indicated by the received ID, and transmits the total score to the notification method determination unit 360. (See FIG. 6).

  The notification method determination unit 360 determines whether to notify the driver of the vehicle 50 based on the received score (S13). Specifically, the notification method determination unit 360 compares the received score with a threshold, and determines that it is necessary to notify the driver when the received score is larger than the threshold. In the following cases, it is determined that there is no need to notify the driver. As described above, when the risk of the cyber attack is low, the driver is not notified that the attack has been received, but is notified only when the risk of the cyber attack is high. Thus, it is possible to reduce disturbing the driver's concentration due to notification of a low-risk cyber attack to the driver while driving.

  When determining to notify the driver (YES in S13), notification method determining section 360 acquires information (vehicle speed, shift position, power supply state) regarding the vehicle state from vehicle state acquisition section 320 (S14). Further, notification method determining section 360 determines whether or not the vehicle is running based on at least one of the vehicle speed and the shift position. For example, when the vehicle speed is equal to or higher than a certain speed, it can be determined that the vehicle is running. Also, it can be determined that the vehicle is running based on the shift position.

  Next, the notification method determination unit 360 determines the state of the driver, here, the position of the driver, based on the information regarding the vehicle state (S15). For example, when the vehicle speed is equal to or higher than a certain speed, the vehicle is running and it is considered that the driver is driving the vehicle. Therefore, when the vehicle speed is equal to or higher than the certain speed, the notification method determination unit 360 determines that the driver is in the vehicle. Also, based on the shift position, it can be determined whether the vehicle is running, that is, whether the driver is driving the vehicle. Therefore, when the shift position satisfies the predetermined condition, the notification method determination unit 360 determines that the driver is in the vehicle. Further, when an air conditioner or the like is used in the vehicle, the power supply state also changes. Accordingly, when the power supply state satisfies the predetermined condition, the notification method determination unit 360 determines that the driver is in the vehicle.

  Next, the notification method determination unit 360 determines a notification method to the driver based on the driver position and the vehicle state (S16). Here, the notification method determination unit 360 determines whether to notify the notification device inside the vehicle, the notification device outside the vehicle, or both the notification devices.

  FIG. 10 is a diagram showing conditions for determining a notification method. The notification method determining unit 360 determines which of the in-vehicle notification device and the out-of-vehicle notification device is based on the driver's position (inside or outside the vehicle) and the vehicle state (whether the vehicle is running) according to the conditions shown in FIG. Decide whether to notify or both.

  Specifically, when it is determined that the driver is in the vehicle and the vehicle is running, the driver is very likely to be in the vehicle, and thus the notification is performed only to the notification device in the vehicle. If it is determined that the driver is inside the vehicle but the vehicle is not running, the driver may be outside the vehicle in addition to the inside of the vehicle, so the notification is sent to both the in-vehicle notification device and the outside notification device. Do. When it is determined that the driver is outside the vehicle and that the vehicle is not running, the driver is very likely to be outside the vehicle, and thus notifies only the notification device outside the vehicle.

  After that, the notification method determination unit 360 notifies at least one of the in-vehicle notification device and the out-of-vehicle notification device according to the determined notification method (S17 to S28).

  When notifying both the in-vehicle notification device and the out-of-vehicle notification device (YES in S17), the notification method determination unit 360 acquires information on the driver's state (mental state) from the driver state acquisition unit 310 (S18). . As the information on the driver's state (mental state), the driver's facial expression, respiratory activity, heart rate, heart rate fluctuation, and riding state are acquired.

  FIGS. 11A and 11B are diagrams illustrating the arrangement of the camera 401 and the sensors 403 and 405 for acquiring information on the state (mental state) of such a driver. As shown in FIG. 11A, the camera 401 is arranged at a front part in the vehicle cabin so as to capture the facial expression of the driver 30. The seat sensor 403 is arranged in the driver seat 62. Further, as shown in FIG. 11B, the perspiration sensor 405 is attached to the left and right portions of the handle 64 which is frequently held by the driver during normal driving.

  The notification method determination unit 360 analyzes the image captured by the camera 401 and recognizes the expression of the driver. Further, the notification method determination unit 360 grasps the fluctuation of the heartbeat of the driver, the heart rate, the respiratory activity, and the riding state (presence or absence of seating) based on the detection signal from the seating sensor 403. In addition, the notification method determination unit 360 detects the state of mental sweating of the driver from the sweat sensor 405.

  The notification method determination unit 360 determines a driver state (mental state) based on information acquired from the camera 401 and the sensors 403 and 405. Hereinafter, a method of determining the driver state (mental state) will be described.

  FIG. 12 is a diagram showing the correspondence between information acquired from the camera 401 and the sensors 403 and 405 and parameters for determining the mental state of the driver. The notification method determination unit 360 sets parameters based on information acquired from the camera 401 and the sensors 403 and 405 according to the correspondence shown in FIG.

  Specifically, the notification method determination unit 360 analyzes the image acquired from the camera 401 and determines “joy,” “surprise,” “anger,” “sadness,” or “true face” as a parameter related to the expression of the driver. obtain. In addition, the notification method determination unit 360 obtains “increase” or “steady” as a parameter of the amount of mental sweating from the detection signal of the sweat sensor 405. In addition, the notification method determination unit 360 obtains parameters relating to heartbeat fluctuation, heart rate, and respiratory activity from the detection signal from the sitting sensor 403. For example, the parameter of the heartbeat fluctuation is set based on the ratio of the low-frequency signal (LF value) of the detection signal from the seat sensor 403 to the wide-area signal (HF value).

  FIG. 13 is a diagram showing the correspondence between parameters set based on information acquired from the camera 401 and the sensors 403 and 405, and driver states (mental states). The notification method determination unit 360 determines the mental state based on the set parameters according to the correspondence shown in FIG.

  For example, the value of the “expression” parameter is “anger”, the value of the “mental sweating” parameter is “increase”, the value of the “heartbeat fluctuation” parameter is “LF / HF value rise”, and the “heartbeat fluctuation” When the “number” parameter is “increase” and the “respiratory activity” parameter is “frequency decrease”, “upset / irritated” is obtained as the driver state (mental state).

  Returning to FIG. 9, after acquiring the driver state (mental state), the notification method determining unit 360 acquires the driver characteristics (character) from the driver characteristic holding unit 350 (S19).

  Thereafter, the notification method determination unit 360 determines the content of the notification to the driver based on the driver state (mental state) and the driver characteristics (S20). The notification method determination unit 360 generates attack information and correspondence information as information to be notified to the driver. The attack information includes information (for example, a text message) indicating the content of the attack (that is, the attack target and the attack method). The response information includes information (for example, a text message) indicating a response method that the driver should take in response to the attack. By referring to the attack information, the driver can grasp the details of the cyber attack. By referring to the response information, the driver can understand the countermeasures to be taken by the driver in response to the cyber attack.

  In particular, the notification method determination unit 360 determines the degree of detail (or simplicity) of the content of the attack information and the correspondence information based on the driver state (mental state) and the driver characteristics (character). FIG. 14 is a diagram showing the relationship between the driver state (mental state), the driver characteristics (character), and the degree of detail (simplicity) of the notification content. The notification method determination unit 360 determines the detail level of the notification content based on the correspondence shown in FIG. 14 based on the driver state (mental state) and the driver characteristic (character).

  For example, when the driver characteristic is “safe driving type” and the driver state (mental state) is “normal”, the attack information and the correspondence information are set to detailed contents. As described above, when the driver of the safe driving type is normal, detailed attack information and response information are notified. As a result, it is considered that sufficient information can be transmitted to the driver, and appropriate measures can be expected.

  On the other hand, if the driver characteristic is “safe driving type” but the driver state (mental state) is “belly / irritated”, the attack information and the correspondence information are set to simple contents. Notifying a frustrated driver of detailed attack information may increase frustration and disrupt the driver's mental state. For this reason, it is considered that the information can be transmitted more safely and reliably to the driver by notifying the information of the simple content.

  As described above, the cyber attack notification device 10 changes the degree of detail (in other words, simplicity) of the information to be notified according to the driver's character and the driver's mental state. This makes it possible to appropriately transmit cyber attack information according to the driver's state at that time. In addition, the notification method determination unit 360 internally stores table information indicating the correspondence shown in FIGS. 12 to 14 in order to perform the above-described processing.

  FIG. 15 shows an example of the content of attack information having different levels of detail. FIG. 16 shows an example of the content of the correspondence information having different levels of detail. In FIGS. 15 and 16, the level indicating the degree of detail is set to four levels of “more detailed”, “detailed”, “simplified”, and “simplified”. From “more detail” to “more succinct”, the amount of information conveyed in a message decreases. A message having a level of detail (simplicity) corresponding to each level is set in the notified message.

  Returning to FIG. 9, the notification method determination unit 360 notifies the in-vehicle notification device and the out-of-vehicle notification device of the cyber attack with the determined notification content (S21, S22).

  On the other hand, when it is determined that the notification is to be made only to the notification device in the vehicle (NO in S17 and YES in S23), the notification method determination unit 360 acquires the driver state (mental state) from the driver state acquisition unit 310 ( (S24), driver characteristics are acquired from the driver characteristic holding unit 350 (S25). The notification method determining unit 360 determines the content of notification to the driver based on the driver state (mental state) and the driving characteristics of the driver (S26), and transmits the determined notification content to a notification device outside the vehicle (S27).

  Alternatively, when it is determined that the notification is to be made only to the notification device outside the vehicle (NO in S17 and NO in S23), the notification method determination unit 360 notifies the notification device outside the vehicle of the attack content (the attack target and the attack method). (S28).

  As described above, according to the cyber attack notification device 10 of the present embodiment, it is determined whether or not to notify the driver according to the degree of the risk of the cyber attack (S12, S13). This prevents the driver from being notified when a cyber attack with a low risk is received, so that the driver's concentration due to frequent notifications can be prevented.

  Further, the cyber attack notification device 10 determines a device to be notified (a notification device inside the vehicle, a notification device outside the vehicle, or both) based on the driver state (driver position) and the vehicle state. As a result, it is possible to reliably and appropriately notify the driver of information regarding the cyber attack.

  Further, when a cyber attack is received, the cyber attack notification device 10 notifies attack information indicating the content of the cyber attack and correspondence information indicating a method of coping with the cyber attack. As a result, the driver can recognize the content of the cyber attack, and can also recognize a method of coping with the cyber attack, so that an appropriate response can be quickly taken.

  Further, the cyber attack notification device 10 determines the degree of detail of the information to be notified based on the mental state of the driver and the characteristics (character) of the driver. As a result, the driver is notified in an appropriate manner according to the state of the driver (particularly, mental state) at the time of receiving the cyber attack, so that the driver can take appropriate measures against the cyber attack. .

3. Conclusion As described above, the cyber attack notification device 10 of the present embodiment is a device that is mounted on the vehicle 50 and notifies the vehicle 50 of a cyber attack. The cyber attack notification device 10 includes a cyber attack detection unit 330 that detects a cyber attack on the vehicle 50, a driver status input unit 310a that inputs a driver status, and an in-vehicle notification device 520 (an example of a first device). A notification method determining unit 360 that determines a device to be notified from among external notification devices 510 (an example of a second device) outside the vehicle such as a mobile phone having a telephone number, a mail address, and the like registered in advance. And an abnormality notification unit 380 that notifies the determined device of information on the detected cyber attack. The notification method determination unit 360 determines whether the driver is inside or outside the vehicle (S15), and determines a device to which information is to be notified based on the determination result (S16).

  With the above configuration, when a cyber attack is detected, it is possible to notify a driver inside or outside the vehicle of information regarding the cyber attack via the notification device.

  At this time, it is determined whether the driver is inside or outside the vehicle, and a device to which information is to be notified is determined based on the determination result. Therefore, information can be reliably and appropriately transmitted to the driver. For example, it is possible to prevent the smartphone of the driver who is driving from being notified, and to prevent the driver from being distracted by the smartphone. Also, when the driver is outside the vehicle, the information can be reliably transmitted to the driver by notifying the notification device outside the vehicle.

  In addition, the contents of the information to be notified are determined based on the state of the driver and the characteristics of the driver. As a result, it is possible to notify the driver of information having appropriate contents according to the state and personality of the driver. Thus, when the driver is notified of the cyber attack, the driver can act calmly without panic.

  Further, the cyber attack notification device 10 further includes a risk analysis unit 340 that analyzes a risk of the detected cyber attack. Then, the notification method determination unit 360 determines whether notification is necessary according to the analysis result (S12, S13). Accordingly, only when the risk of the cyber attack is high, that is, when the importance is high, the notification is made, so that the driver can be prevented from overlooking the important notification with high impact.

  The notification method determination unit 360 determines the mental state of the driver based on the state of the driver (S18, S24), and changes the details of the information to be notified according to the mental state of the driver and the characteristics of the driver (S20, S26, FIG. 14). This makes it possible to create a message according to the driver's character and the mental state at that time. It is possible to prevent or reduce a driver who is in a state of being frustrated, impatient, nervous, etc. from feeling anxious, impatient, or the like when notified of a cyber attack.

  The cyber attack notification device 10 notifies attack information including information indicating a target that has been subjected to a cyber attack and information indicating a method of a cyber attack. Further, the cyber attack notification device 10 transmits correspondence information for instructing how to deal with the detected cyber attack. As a result, the notified driver can grasp the content of the cyber attack and the countermeasures.

  Further, the present embodiment discloses a cyber attack notification method for notifying information about a cyber attack on a vehicle by a cyber attack notification device.

The cyber attack notification method is
A step (S11) in which the control unit (110, 300) of the cyber attack notification device mounted on the vehicle detects a cyber attack on the vehicle;
A step in which the control unit acquires the state of the driver (S18, S24);
A step in which the control unit acquires information indicating the characteristics of the driver (S19, S25);
A step in which the control unit determines whether the driver is inside or outside the vehicle (S15);
Based on the determination result, the control unit selects one of the first device (520) inside the vehicle and the second device (510) outside the vehicle such as a mobile phone having a telephone number, a mail address, and the like registered in advance. Determining a device to notify information related to the detected cyber attack (S16);
A step of the control unit notifying the determined device of information on the cyber attack (S21, S22, S27, S28).

  The above-described cyber attack notification method may further include a step of the control unit analyzing the risk of the cyber attack (S12), and a step of the control unit determining whether or not the notification is necessary according to the analysis result (S13). .

  In the above cyber attack notification method, the control unit determines the content (for example, text, degree of detail) of the information to be notified according to the mental state of the driver and the characteristics of the driver (S20, S26); May be further provided.

(Other embodiments)
The information obtained by the driver state obtaining unit 310 described in the above embodiment is an example, and other types of information may be obtained as long as the driver's mental state can be detected. The information acquired by the vehicle state acquisition unit 320 described in the above embodiment is an example, and other types of information may be acquired as long as the state of the vehicle can be detected. Further, the external notification device 510 may be a device installed in an external organization such as a certification organization or a government organization.

  Information notified when a cyber attack is received is not limited to the above example. The information to be notified may include at least one of the date and time of the cyber attack, the location, the information for identifying the driver, and the information for identifying the vehicle.

  The specific examples of the external notification device 510 and the in-vehicle notification device 520 described in the above embodiment are merely examples, and the present invention is not limited thereto. These devices 510 and 520 can be composed of various devices as long as they can present information in a predetermined format (image, sound, text, light, etc.).

  In the above-described embodiment, the cyber attack notification device 10 holds the information on the driver characteristics (character) in the internal driver identification holding unit 350. However, the information on the driver characteristics (character) is stored in an external device (for example, a cloud device). (The above server).

  In the above-described embodiment, the driver status acquisition unit 310, the vehicle status acquisition unit 320, the notification control unit 300, and the abnormality notification unit 380 have been described as being each configured by an ECU, but these functional units may not be the ECUs. . As long as each function can be realized, these functional units can be realized by any electronic device (or electronic circuit).

  The embodiments described above are intended to exemplify the technology in the present disclosure, and various changes, replacements, additions, omissions, and the like can be made in the scope of the claims or the scope of equivalents thereof.

10 cyber attack notification device 50 vehicle 100 gateway ECU
300 Notification control unit 305 ECU
310 Driver status acquisition unit 310a Driver status input unit 320 Vehicle status acquisition unit 320a Vehicle status input unit 330 Cyber attack detection unit 340 Risk analysis unit 350 Driver characteristic storage unit 380 Abnormality notification unit 380a, 380b Output unit 510 External notification device 520 Internal notification machine

Claims (15)

A cyber attack notification device mounted on a vehicle and notifying a cyber attack on the vehicle,
A cyber attack detection unit that detects a cyber attack on the vehicle,
A driver status input unit for inputting information indicating a driver status;
A notification method determining unit that determines a device to be notified from among a first device in the vehicle and a second device outside the vehicle such as a mobile phone having a telephone number, a mail address, and the like registered in advance;
An abnormality notification unit that notifies the determined device of information on the detected cyber attack,
The notification method determination unit,
Determine whether the driver is inside or outside the vehicle, based on the determination result, determine the device to notify the information,
Cyber attack notification device. Further comprising a risk analysis unit for analyzing the risk of the detected cyber attack,
The notification method determination unit determines whether or not notification is necessary according to the analysis result.
The cyber attack notification device according to claim 1. A vehicle state input unit that inputs information indicating a state of the vehicle,
The notification method determination unit determines whether the driver is inside or outside the vehicle based on the state of the vehicle,
The cyber attack notification device according to claim 1. The notification method determination unit determines the content of information to be notified based on the state of the driver and the characteristics of the driver,
The cyber attack notification device according to claim 1. The notification method determination unit determines the mental state of the driver based on the state of the driver, and changes the details of the information to be notified according to the mental state of the driver and the characteristics of the driver.
The cyber attack notification device according to claim 4. A driver characteristic holding unit that holds information indicating characteristics of the driver,
The notification method determination unit acquires information indicating the characteristics of the driver from the driver characteristic holding unit,
The cyber attack notification device according to claim 4.   2. The cyber attack notification device according to claim 1, wherein the information to be notified includes information indicating a target that has been subjected to a cyber attack and information indicating a method of the cyber attack.   The cyber attack notification device according to claim 1, wherein the information to be notified includes information for instructing a countermeasure against the detected cyber attack.   9. The driver state input unit according to claim 1, wherein the driver state input unit acquires at least one of an image obtained by capturing the driver, information about a driver's sweating state, information about a driver's heartbeat, and information about a driver's respiratory activity. 10. The cyber attack notification device according to any one of the above.   The cyber attack notification according to any one of claims 1 to 8, wherein the vehicle state input unit inputs at least one of information indicating a power state of the vehicle, information indicating a vehicle speed, and information indicating a shift position. apparatus.   9. The cyber attack notification device according to claim 1, wherein the first device includes at least one of a speaker, a buzzer, and an indicator.   The cyber attack notification device according to any one of claims 1 to 8, wherein the second device includes at least one of a smartphone and a smart key. A method of notifying information about a cyber attack on a vehicle by a cyber attack notification device mounted on the vehicle,
A step in which the control unit of the cyber attack notification device detects a cyber attack on the vehicle;
The control unit acquires a state of the driver;
The control unit acquires information indicating the characteristics of the driver;
A step in which the control unit determines whether the driver is inside or outside the vehicle;
Based on the determination result, the control unit detects a cyber attack detected from the first device inside the vehicle and the second device outside the vehicle such as a mobile phone having a pre-registered telephone number, mail address, and the like. Determining a device to be notified of information related to
(S21, S22, S27, S28) in which the control unit notifies the determined device of information related to a cyber attack.
Cyber attack notification method. The control unit analyzes the risk of the cyber attack,
The control unit, further comprising the step of determining the need for notification according to the analysis result,
The cyber attack notification method according to claim 13. The control unit, further comprising: determining the content of the information to be notified based on the mental state of the driver and the characteristics of the driver,
The cyber attack notification method according to claim 13.

Images