JP2020173535A - Management device, communication system, vehicle communication management method, and vehicle communication management program - Google Patents

Abstract

To more surely prevent outspread of unauthorized access to each vehicle.SOLUTION: A management device comprises: a detection unit which detects unauthorized access to a vehicle; an acquisition unit which acquires software information indicative of a state of software installed in one or more in-vehicle devices of a detection vehicle being the vehicle to which the unauthorized access has been detected by the detection unit; a selection unit which selects one or more object vehicles from among a plurality of vehicles on the basis of the software information acquired by the acquisition unit; and a transmission unit which transmits processing information for preventing the unauthorized access, to the object vehicles selected by the selection unit.SELECTED DRAWING: Figure 8

Description

The present disclosure relates to management devices, communication systems, vehicle communication management methods and vehicle communication management programs.

Conventionally, a technology for dealing with a cyber attack by detecting a cyber attack on the in-vehicle network and blocking unauthorized communication in the in-vehicle network has been developed.

For example, Patent Document 1 (Japanese Unexamined Patent Publication No. 2018-133721) discloses the following in-vehicle gateway device. That is, the in-vehicle gateway device is an in-vehicle gateway device that is connected to a plurality of networks to which a plurality of devices mounted on the vehicle are connected to each other, and is an incident detection that detects an incident that occurs in any of the plurality of networks. When the incident is detected, the processing unit determines the communication blocking target network from the plurality of networks based on the incident occurrence location and the control state of the vehicle, and communicates in the communication blocking target network. It is provided with a communication control unit that shuts off.

JP-A-2018-133721 JP-A-2017-111996 Japanese Unexamined Patent Publication No. 2018-12218

"To sell new technology that protects Pana autonomous vehicles from cyber attacks In 2020, defense measures that make full use of AI", [online], Sankei WEST, [Search on February 27, 2019], Internet <URL: https: // www. sankei. com / best / news / 170711 / wst1707110072-n1. html>

Beyond such a technique described in Patent Document 1, a technique capable of more reliably preventing the spread of unauthorized access to each vehicle is desired.

The present disclosure has been made to solve the above-mentioned problems, and an object thereof is a management device, a communication system, a vehicle communication management method, and a vehicle capable of more reliably preventing the spread of unauthorized access to each vehicle. It is to provide a communication management program.

The management device of the present disclosure is a state of a detection unit that detects unauthorized access to a vehicle and a state of software incorporated in one or more in-vehicle devices in the detection vehicle that is the vehicle in which the unauthorized access is detected by the detection unit. A selection unit that acquires software information indicating the above, a selection unit that selects one or a plurality of target vehicles from a plurality of vehicles based on the software information acquired by the acquisition unit, and a selection unit that is selected by the selection unit. It is provided with a transmission unit that transmits processing information for preventing unauthorized access to the target vehicle.

The communication system of the present disclosure includes a management device and an in-vehicle device mounted on a vehicle, the in-vehicle device transmits log information to the management device, and the management device receives the log received from the in-vehicle device. Based on the information, the management device detects unauthorized access to the vehicle, and the management device indicates the state of software incorporated in one or more in-vehicle devices in the detection vehicle which is the vehicle in which the unauthorized access is detected. The information is acquired, the management device selects one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information, and the management device accesses the selected target vehicle by the unauthorized access. Send processing information to prevent.

The vehicle communication management method of the present disclosure is a vehicle communication management method in a management device, in which a step of detecting unauthorized access to a vehicle and one or a plurality of vehicles in the detection vehicle which is the vehicle in which the unauthorized access is detected. A step of acquiring software information indicating the state of software incorporated in the device, a step of selecting one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information, and a step of selecting the selected target vehicle. Includes a step of transmitting processing information for preventing unauthorized access to.

The vehicle communication management method of the present disclosure is a vehicle communication management method in a communication system including a management device and an in-vehicle device mounted on a vehicle, wherein the in-vehicle device transmits log information to the management device. A step in which the management device detects unauthorized access to the vehicle based on the log information received from the in-vehicle device, and a detection vehicle in which the management device is the vehicle in which the unauthorized access is detected. Based on the step of acquiring software information indicating the state of software incorporated in one or a plurality of in-vehicle devices and the acquired software information, the management device selects one or a plurality of target vehicles from a plurality of vehicles. The step includes a step of selecting, and a step of the management device transmitting processing information for preventing the unauthorized access to the selected target vehicle.

The vehicle communication management program of the present disclosure is a vehicle communication management program used in a management device, and is a vehicle communication management program in which a computer detects unauthorized access to a vehicle and the vehicle in which the unauthorized access is detected by the detection unit. An acquisition unit that acquires software information indicating the state of software incorporated in one or a plurality of in-vehicle devices in the detection vehicle, and one from a plurality of vehicles based on the software information acquired by the acquisition unit. Alternatively, it is a program for functioning as a selection unit that selects a plurality of target vehicles and a transmission unit that transmits processing information for preventing unauthorized access to the target vehicle selected by the selection unit.

One aspect of the present disclosure can be realized as a semiconductor integrated circuit that realizes a part or all of the management device. Further, one aspect of the present disclosure can be realized as a semiconductor integrated circuit that realizes a part or all of an in-vehicle communication system. Further, one aspect of the present disclosure can be realized as a program for causing a computer to execute a processing step in an in-vehicle communication system.

According to the present disclosure, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

FIG. 1 is a diagram showing a configuration of a communication system according to the first embodiment of the present disclosure. FIG. 2 is a diagram showing a configuration of an in-vehicle communication system according to the first embodiment of the present disclosure. FIG. 3 is a diagram showing a configuration of a bus connection device group according to the first embodiment of the present disclosure. FIG. 4 is a diagram showing a configuration of a gateway device in an in-vehicle communication system according to the first embodiment of the present disclosure. FIG. 5 is a diagram showing an example of log information including an access log transmitted by the gateway device according to the first embodiment of the present disclosure to the management device. FIG. 6 is a diagram showing an example of log information including an in-vehicle communication log transmitted by the gateway device according to the first embodiment of the present disclosure to the management device. FIG. 7 is a diagram showing an example of log information including an event log transmitted by the gateway device according to the first embodiment of the present disclosure to the management device. FIG. 8 is a diagram showing a configuration of a management device according to the first embodiment of the present disclosure. FIG. 9 is an example of version information stored in the storage unit in the management device according to the first embodiment of the present disclosure. FIG. 10 is a diagram showing an example of priority setting by a selection unit in the management device according to the first embodiment of the present disclosure. FIG. 11 is a flowchart defining an operation procedure when the management device transmits processing information for preventing unauthorized access to the vehicle in the in-vehicle communication system according to the first embodiment of the present disclosure. FIG. 12 is a sequence of processes for preventing unauthorized access to the vehicle in the in-vehicle communication system according to the first embodiment of the present disclosure. FIG. 13 is a diagram showing a configuration of a management device according to a second embodiment of the present disclosure. FIG. 14 is a diagram showing an example of the notification content notified by the notification unit in the management device according to the second embodiment of the present disclosure.

First, the contents of the embodiments of the present disclosure will be listed and described.

(1) The management device according to the embodiment of the present disclosure includes a detection unit that detects unauthorized access to a vehicle, and one or a plurality of vehicles in the detection vehicle that is the vehicle in which the unauthorized access is detected by the detection unit. An acquisition unit that acquires software information indicating the state of software incorporated in the device, and a selection unit that selects one or a plurality of target vehicles from a plurality of vehicles based on the software information acquired by the acquisition unit. And a transmission unit that transmits processing information for preventing unauthorized access to the target vehicle selected by the selection unit.

In this way, the target vehicle is selected using the information of the software embedded in the in-vehicle device of the detection vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle, for example, the embedded software in each vehicle. Priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle, it is possible to prioritize the development of defense measures for the vehicle in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

(2) Preferably, the transmission unit transmits information for restricting communication between the target vehicle and the outside as the processing information to the target vehicle.

With such a configuration, it is possible to more reliably prevent unauthorized access to the target vehicle from outside the target vehicle.

(3) Preferably, the transmission unit transmits information on software to be updated in the in-vehicle device of the target vehicle as the processing information to the target vehicle.

With such a configuration, the software embedded in the in-vehicle device in the target vehicle can be updated to, for example, software with enhanced security against unauthorized access, so that unauthorized access to the in-vehicle device in the target vehicle can be more reliably prevented. be able to.

(4) Preferably, the management device further includes a storage unit that stores version information of software incorporated in one or more in-vehicle devices in each of the plurality of vehicles.

With such a configuration, when an unauthorized access is detected in a certain vehicle, the version information of the software incorporated in the vehicle or a plurality of in-vehicle devices can be easily acquired by referring to the storage unit. .. As a result, the acquired version information can be used to select the target vehicle at an early stage, or to generate information on unauthorized access for notifying the user at an early stage.

(5) Preferably, the acquisition unit acquires version information of software incorporated in one or more of the in-vehicle devices in the detection vehicle as the software information, and the selection unit is acquired by the acquisition unit. The target vehicle is selected based on the result of comparison between the version information and the version information of software incorporated in one or more in-vehicle devices in a vehicle other than the detection vehicle.

As a result, from the viewpoint of software version information, it is possible to more accurately select a vehicle in which an unauthorized access similar to the unauthorized access detected in the detected vehicle may occur.

(6) Preferably, the management device further includes version information of software incorporated in the in-vehicle device in which the unauthorized access is detected in the detection vehicle, and the in-vehicle device in which the unauthorized access is detected in the detection vehicle. Identification information, and the comparison result between the version information of the software incorporated in one or more in-vehicle devices in the detection vehicle and the version information of the software incorporated in one or more in-vehicle devices in the vehicle other than the detection vehicle. A notification unit is provided to notify the user of the number of vehicles searched based on at least.

With such a configuration, for example, when unauthorized access is detected in a plurality of vehicles by the detection unit, for example, the number of vehicles having the same version information as the version information in the detected vehicle is sent to the user for each detected unauthorized access. Since it is possible to notify the user, it is possible to notify the user of the number of vehicles in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. This facilitates the user's choice of unauthorized access to prioritize the deployment of defense measures.

(7) The communication system according to the embodiment of the present disclosure includes a management device and an in-vehicle device mounted on a vehicle, the in-vehicle device transmits log information to the management device, and the recording management device is used. Unauthorized access to the vehicle is detected based on the log information received from the in-vehicle device, and the management device is incorporated into one or more in-vehicle devices in the detection vehicle which is the vehicle in which the unauthorized access is detected. The management device acquires software information indicating the state of the software, selects one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information, and the management device selects. Processing information for preventing the unauthorized access is transmitted to the target vehicle.

In this way, the target vehicle is selected using the information of the software embedded in the in-vehicle device of the detection vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle, for example, the embedded software in each vehicle. Priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle, it is possible to prioritize the development of defense measures for the vehicle in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

(8) The vehicle communication management method according to the embodiment of the present disclosure is a vehicle communication management method in a management device, which is a step of detecting unauthorized access to a vehicle and the vehicle in which the unauthorized access is detected. Based on the step of acquiring software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle and the acquired software information, one or a plurality of target vehicles are selected from the plurality of vehicles. The step includes a step of transmitting processing information for preventing the unauthorized access to the selected target vehicle.

In this way, by selecting the target vehicle using the information of the software embedded in the in-vehicle device in the detection vehicle and transmitting the processing information for preventing unauthorized access to the target vehicle, for example, the embedded software in each vehicle. Priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle, it is possible to prioritize the development of defense measures for the vehicle in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

(9) The vehicle communication management method according to the embodiment of the present disclosure is a vehicle communication management method in a communication system including a management device and an in-vehicle device mounted on a vehicle, and the in-vehicle device outputs log information. A step of transmitting to the management device, a step of the management device detecting unauthorized access to the vehicle based on the log information received from the in-vehicle device, and a step of detecting the unauthorized access by the management device. The step of acquiring software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle, which is the vehicle, and the management device in the plurality of vehicles based on the acquired software information. A step of selecting one or a plurality of target vehicles from the above, and a step of the management device transmitting processing information for preventing unauthorized access to the selected target vehicle are included.

In this way, by selecting the target vehicle using the information of the software embedded in the in-vehicle device in the detection vehicle and transmitting the processing information for preventing unauthorized access to the target vehicle, for example, the embedded software in each vehicle. Priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle, it is possible to prioritize the development of defense measures for the vehicle in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

(10) The vehicle communication management program according to the embodiment of the present disclosure is a vehicle communication management program used in the management device, and the computer is described by a detection unit for detecting unauthorized access to the vehicle and the detection unit. Based on the acquisition unit that acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle that is the vehicle in which unauthorized access is detected, and the software information acquired by the acquisition unit. , A selection unit that selects one or a plurality of target vehicles from a plurality of vehicles, and a transmission unit that transmits processing information for preventing unauthorized access to the target vehicle selected by the selection unit. It is a program for.

In this way, the target vehicle is selected using the information of the software embedded in the in-vehicle device of the detection vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle, for example, the embedded software in each vehicle. Priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle, it is possible to prioritize the development of defense measures for the vehicle in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

Hereinafter, embodiments of the present disclosure will be described with reference to the drawings. The same or corresponding parts in the drawings are designated by the same reference numerals, and the description thereof will not be repeated. In addition, at least a part of the embodiments described below may be arbitrarily combined.

<First Embodiment>
[Communications system]
FIG. 1 is a diagram showing a configuration of a communication system according to the first embodiment of the present disclosure.

With reference to FIG. 1, the communication system 400 includes a management device 200 and a plurality of in-vehicle communication systems 300. The plurality of in-vehicle communication systems 300 are mounted on the plurality of vehicles 1, respectively.

[In-vehicle communication system]
FIG. 2 is a diagram showing a configuration of an in-vehicle communication system according to the first embodiment of the present disclosure.

With reference to FIG. 2, the vehicle-mounted communication system 300 includes a gateway device 101, a plurality of vehicle-mounted communication devices 111, and a plurality of bus connection device groups 121.

FIG. 3 is a diagram showing a configuration of a bus connection device group according to the first embodiment of the present disclosure.

With reference to FIG. 3, the bus connection device group 121 includes a plurality of control devices 122. The bus connection device group 121 is not limited to the configuration including a plurality of control devices 122, and may be configured to include one control device 122.

The gateway device 101, the vehicle-mounted communication device 111, and the control device 122 are examples of the vehicle-mounted device. Hereinafter, each of the gateway device 101, the vehicle-mounted communication device 111, and the control device 122 may be referred to as an “vehicle-mounted device”.

The gateway device 101, the plurality of vehicle-mounted communication devices 111, and the plurality of control devices 122 form the vehicle-mounted network 12.

In the vehicle-mounted network 12, the vehicle-mounted communication device 111 communicates with, for example, a device outside the vehicle 1. Specifically, the vehicle-mounted communication device 111 is, for example, a TCU (Telematics Communication Unit), a short-range wireless terminal device, and an ITS (Intelligent Transport Systems) radio.

With reference to FIGS. 1 and 2, the TCU is capable of communicating with the management device 200. Specifically, the TCU can communicate with the management device 200 via the radio base station device 161 using, for example, an IP packet.

More specifically, the TCU can perform wireless communication with the wireless base station device according to a communication standard such as LTE (Long Term Evolution) or 3G, and can communicate with the gateway device 101. is there. The TCU relays information used for services such as navigation, vehicle theft prevention, remote maintenance and FOTA (Firmware Over The Air).

Specifically, when the radio base station device 161 receives an IP packet from the management device 200 via the external network 11, the radio base station device 161 includes the received IP packet in the radio signal and transmits it to the TCU.

For example, when the TCU receives a radio signal including an IP packet from the management device 200 from the radio base station device 161, the TCU acquires an IP packet from the received radio signal and transmits the acquired IP packet to the gateway device 101.

When the TCU receives an IP packet from the gateway device 101, the TCU includes the received IP packet in the radio signal and transmits the received IP packet to the radio base station device 161.

When the radio base station device 161 receives a radio signal from the TCU, it acquires an IP packet from the received radio signal and transmits the acquired IP packet to the management device 200 via the external network 11.

The short-range wireless terminal device is a smartphone held by a person (hereinafter, also referred to as a passenger) who is in the vehicle 1 in accordance with communication standards such as Wi-Fi (registered trademark) and Bluetooth (registered trademark). It is possible to perform wireless communication with the wireless terminal device such as the above, and it is possible to communicate with the gateway device 101. The short-range wireless terminal device is mounted on, for example, an IVI (In-Vehicle Infotainment) device and relays information used for services such as entertainment.

Further, the short-range wireless terminal device includes, for example, a wireless terminal device such as a smart key held by a passenger, and a wireless terminal device provided on a tire and an LF (Low Frequency) band or UHF (Ultra) according to a predetermined communication standard. It is possible to perform wireless communication using radio waves in the High Frequency band, and it is possible to perform communication with the gateway device 101. The short-range wireless terminal device relays information used for services such as smart entry and TPMS (Tire Pressure Monitoring System).

The ITS radio can perform road-to-vehicle communication with roadside devices such as optical beacons, radio beacons, and ITS spots provided near the road, and is capable of inter-vehicle communication with an in-vehicle terminal mounted on another vehicle. It is possible to communicate and to communicate with the gateway device 101. The ITS radio relays information used for services such as congestion relief, safe driving support, and route guidance.

The gateway device 101 is connected to the in-vehicle device via, for example, buses 13 and 14. Specifically, the buses 13 and 14 are, for example, CAN (Control Area Network) (registered trademark), FlexRay (registered trademark), MOST (Media Oriented Systems Transport) (registered trademark), Ethernet (registered trademark), and LIN. It is a bus that complies with standards such as (Local Ethernet Network).

In this example, the vehicle-mounted communication device 111 is connected to the gateway device 101 via a corresponding bus 14 according to the Ethernet standard. Further, each control device 122 in the bus connection device group 121 is connected to the gateway device 101 via a corresponding bus 13 according to the CAN standard. The control device 122 can control the functional unit in the vehicle 1, for example.

The bus 13 is provided for each system, for example. Specifically, the bus 13 is, for example, a drive system bus, a chassis / safety system bus, a body / electrical system bus, and an AV / information system bus.

An engine control device, an AT (Automatic Transmission) control device, and a HEV (Hybrid Electric Vehicle) control device, which are examples of the control device 122, are connected to the drive system bus. The engine control device, the AT control device, and the HEV control device control the engine, the AT, and the switching between the engine and the motor, respectively.

A brake control device, a chassis control device, and a steering control device, which are examples of the control device 122, are connected to the chassis / safety system bus. The brake control device, chassis control device and steering control device control the brake, chassis and steering, respectively.

An instrument display control device, an air conditioner control device, an anti-theft control device, an airbag control device, and a smart entry control device, which are examples of the control device 122, are connected to the body / electrical system bus. The instrument display control device, the air conditioner control device, the anti-theft control device, the airbag control device and the smart entry control device control the instrument, the air conditioner, the anti-theft mechanism, the airbag mechanism and the smart entry, respectively.

A navigation control device, an audio control device, an ETC (Electronic Toll Collection System) (registered trademark) control device, and a telephone control device, which are examples of the control device 122, are connected to the AV / information system bus. The navigation control device, the audio control device, the ETC control device, and the telephone control device control the navigation device, the audio device, the ETC device, and the mobile phone, respectively.

Further, the bus 13 is not limited to the configuration in which the control device 122 is connected, and a device other than the control device 122, for example, a sensor may be connected.

The gateway device 101 is, for example, a central gateway (CGW) and can communicate with the in-vehicle device.

FIG. 4 is a diagram showing a configuration of a gateway device in an in-vehicle communication system according to the first embodiment of the present disclosure.

With reference to FIG. 4, the gateway device 101 includes a switch unit 51, a processing unit 52, a storage unit 53, and an abnormality detection unit 54. The storage unit 53 is, for example, a flash memory.

The gateway device 101 is, for example, information exchanged between the control devices 122 connected to different buses 13 in the vehicle 1, information exchanged between the in-vehicle communication devices 111, and exchanged between the control device 122 and the in-vehicle communication device 111. Performs relay processing to relay the information to be received.

More specifically, the gateway device 101 relays a message transmitted from one in-vehicle device to another in-vehicle device. The message includes the content of the message and an ID for identifying the source and destination.

For example, when the switch unit 51 receives a message from a certain vehicle-mounted device via the corresponding bus 13 or 14, the switch unit 51 transmits the received message to the destination vehicle-mounted device via the corresponding bus 13 or 14.

Further, for example, when the switch unit 51 receives a message addressed to the processing unit 52 from a certain vehicle-mounted device via the corresponding bus 13 or 14, the switch unit 51 outputs the received message to the processing unit 52.

The processing unit 52 includes an access log showing access records to the in-vehicle network 12 by an external device outside the vehicle 1, an in-vehicle communication log showing communication records between in-vehicle devices in the in-vehicle network 12, and a record of processing executed by the in-vehicle device. Get logs such as event logs that indicate.

For example, when the in-vehicle communication device 111 receives a radio signal in which an IP packet from an external device is stored from the wireless base station device 161, the in-vehicle communication device 111 receives the IP packet reception time, the IP address of the external device as the source, and the in-vehicle destination. Generates an access log showing the IP address of the device and the processing content for the received IP packet. Then, the in-vehicle communication device 111 transmits a message addressed to the processing unit 52 including the generated access log to the gateway device 101.

When the processing unit 52 in the gateway device 101 receives the above message from the in-vehicle communication device 111 via the switch unit 51, the processing unit 52 acquires an access log from the received message and stores the acquired access log in the storage unit 53.

Further, for example, when a message is transmitted / received between the in-vehicle devices via the gateway device 101, the in-vehicle device of the source of the message or the in-vehicle device of the transmission destination has the message transmission time, the ID of the in-vehicle device of the transmission source, Generates an in-vehicle communication log including the ID of the in-vehicle device of the destination and the type and content of the message. Then, the in-vehicle device of the transmission source or the in-vehicle device of the transmission destination transmits the message addressed to the processing unit 52 including the generated in-vehicle communication log to the gateway device 101.

When the processing unit 52 in the gateway device 101 receives the above message from the in-vehicle device via the switch unit 51, the processing unit 52 acquires the in-vehicle communication log included in the received message, and stores the acquired in-vehicle communication log in the storage unit 53.

Further, for example, when the in-vehicle device executes a process such as password change, file authority change, and firmware update, it generates an event log including the time when the process is executed, its own ID, and the type and content of the process. Then, the in-vehicle device transmits a message addressed to the processing unit 52 including the generated event log to the gateway device 101.

When the processing unit 52 in the gateway device 101 receives the above message from the in-vehicle device via the switch unit 51, the processing unit 52 acquires the event log included in the received message and stores the acquired event log in the storage unit 53.

The processing unit 52 acquires various logs as described above from the storage unit 53 at a predetermined cycle, generates log information including each log acquired from the storage unit 53 and the ID of its own vehicle 1, and the switch unit 51 and It is transmitted to the management device 200 via the in-vehicle communication device 111.

The abnormality detection unit 54 detects the abnormality message in the vehicle-mounted network 12 by monitoring the message relayed by the switch unit 51.

More specifically, when the abnormality detection unit 54 uses, for example, a machine learning method, the switch unit 51 relays a message including a control content having a low correlation with the control content predicted from the traveling condition of the vehicle 1. Judge that the message is an abnormal message.

For example, in the abnormality detection unit 54, the switch unit 51 relays a message to the engine control device for controlling the engine to be stopped even though the shift lever is set in the drive and the vehicle 1 is running. If so, the message is determined to be an abnormal message.

When the abnormality detection unit 54 detects the abnormality message, the abnormality detection unit 54 notifies the processing unit 52 of the abnormality detection information including the transmission time, the ID of the in-vehicle device of the transmission source, the ID of the in-vehicle device of the transmission destination, and the like of the abnormality message.

When the processing unit 52 receives the abnormality detection information from the abnormality detection unit 54, the processing unit 52 generates log information including the ID of its own vehicle 1 and the received abnormality detection information, and the management device 200 via the switch unit 51 and the in-vehicle communication device 111. Send to.

FIG. 5 is a diagram showing an example of log information including an access log transmitted by the gateway device according to the first embodiment of the present disclosure to the management device.

With reference to FIG. 5, the log information including the access log transmitted by the processing unit 52 to the management device 200 includes the IP packet reception time, the vehicle ID, the source IP address, the destination IP address, and the processing contents for the IP packet. Have.

The IP address of the external device is stored in the source IP address field in the log information. In the field of the destination IP address in the log information, the IP address of the in-vehicle device of the destination is stored.

In the field of the processing content in the log information, for example, the in-vehicle communication device 111 that has received the IP packet from the external device relays the received IP packet to the in-vehicle device of the transmission destination, or to the in-vehicle device of the transmission destination. Information such as information indicating whether or not the data was discarded without relaying is stored.

FIG. 6 is a diagram showing an example of log information including an in-vehicle communication log transmitted by the gateway device according to the first embodiment of the present disclosure to the management device.

With reference to FIG. 6, the log information including the in-vehicle communication log transmitted by the processing unit 52 to the management device 200 includes a message transmission time, a vehicle ID, a source ID, a destination ID, a message type, and a message content.

In the field of the source ID in the log information, the ID of the in-vehicle device of the source is stored. In the destination ID field in the log information, the ID of the in-vehicle device of the destination is stored.

The message type field in the log information stores information indicating the type of control content of the device to be controlled by the control device 122, such as accelerator operation, brake operation, engine start, engine stop, and door unlock. To.

In the message content field in the log information, information indicating the control content such as the acceleration amount due to the accelerator operation and the deceleration amount due to the brake operation is stored.

FIG. 7 is a diagram showing an example of log information including an event log transmitted by the gateway device according to the first embodiment of the present disclosure to the management device.

With reference to FIG. 7, the log information including the event log transmitted by the processing unit 52 to the management device 200 includes the event occurrence time, the vehicle ID, the in-vehicle device ID, the type of processing, and the processing content, which are the times when the processing is executed. Have.

In the field of the vehicle-mounted device ID in the log information, the ID of the vehicle-mounted device that executed the process is stored.

In the processing type field in the log information, information indicating various processing types such as password change, file authority change, and firmware update is stored.

In the processing content field in the log information, for example, information indicating the processing content such as the password after the change and the file name and data size used for updating the firmware is stored.

[Management device]
FIG. 8 is a diagram showing a configuration of a management device according to the first embodiment of the present disclosure.

With reference to FIG. 8, the management device 200 includes a reception unit 210, a detection unit 220, an acquisition unit 230, a selection unit 240, a transmission unit 250, and a storage unit 260. The storage unit 260 is, for example, a flash memory.

The receiving unit 210 receives the log information transmitted from the gateway devices 101 in the plurality of vehicles 1 and outputs the received log information to the detecting unit 220.

The detection unit 220 detects unauthorized access to the vehicle 1. For example, the detection unit 220 detects unauthorized access to the vehicle 1 from outside the vehicle and unauthorized access to an in-vehicle device or the like in the in-vehicle network 12.

More specifically, the detection unit 220 detects unauthorized access to the vehicle 1, for example, by verifying the log information received from the reception unit 210, and identifies the in-vehicle device in which the unauthorized access has occurred.

Hereinafter, the vehicle 1 in which unauthorized access is detected by the detection unit 220 is referred to as a detection vehicle, and the in-vehicle device specified by the detection unit 220 that unauthorized access has occurred is referred to as a detection in-vehicle device.

For example, the detection unit 220 verifies the log information as shown in FIG. 5 received from the reception unit 210, and as a result, the source IP address in the log information is an IP address that is not permitted to access the vehicle-mounted network 12. In this case, the corresponding vehicle 1 is determined to be the detection vehicle, and the in-vehicle device indicated by the destination IP address in the log information is specified as the detection in-vehicle device. Further, for example, the detection unit 220 determines that the external device indicated by the source IP address is an unauthorized device.

Further, for example, as a result of verifying the log information as shown in FIG. 7 received from the receiving unit 210, the detection unit 220 indicates that the processing content in the log information has been updated with firmware that does not match the update schedule. In this case, or when it is indicated in advance that the in-vehicle device has updated the firmware in the in-vehicle device without communicating with the management device 200, it is determined that the corresponding vehicle 1 is the detection vehicle, and the in-vehicle device ID in the log information. The in-vehicle device indicated by is identified as the detection in-vehicle device.

Further, for example, as a result of the detection unit 220 verifying the log information as shown in FIG. 6 received from the reception unit 210, the log information is the control information for the short-range wireless terminal device to stop the engine to the engine control device. When indicating that a certain in-vehicle device has transmitted a message different from the message normally transmitted, such as transmitting a message including, it is determined that the corresponding vehicle 1 is a detection vehicle, and the source ID in the log information indicates. The in-vehicle device and the in-vehicle device indicated by the destination ID are identified as the detection in-vehicle device.

Further, for example, when the detection unit 220 verifies the log information received from the reception unit 210 and the log information includes the abnormality detection information, the detection unit 220 identifies the vehicle-mounted device that is the source of the abnormality message as the detection vehicle-mounted device.

When the detection unit 220 determines that the vehicle 1 is a detection vehicle, the detection unit 220 generates alert information including the ID of the detection vehicle and the ID of the detection vehicle-mounted device. For example, when the detection unit 220 determines that the external device indicated by the source IP address is an unauthorized device in the log information as shown in FIG. 5 received from the receiving unit 210, the detection unit 220 determines the IP address of the unauthorized device. Generate alert information that also includes.

The detection unit 220 outputs the generated alert information to the transmission unit 250 and the acquisition unit 230.

When the transmission unit 250 receives the alert information from the detection unit 220, the transmission unit 250 transmits the processing information for preventing unauthorized access to the detection vehicle indicated by the received alert information. More specifically, the transmission unit 250 transmits the processing information for causing the in-vehicle device in the detection vehicle to perform the processing for preventing unauthorized access to the detection vehicle.

For example, the transmission unit 250 generates communication restriction information for restricting communication between the detection vehicle and the outside, and transmits the generated communication control information to the detection vehicle as processing information. More specifically, when the alert information received from the detection unit 220 includes the IP address of the disapproved device, the transmission unit 250 restricts communication between the detection vehicle and the disapproval device. Is generated, and the generated communication control information is transmitted to the detection vehicle.

When the in-vehicle device, for example, the in-vehicle communication device 111 in the detection vehicle receives the communication restriction information from the transmission unit 250, it performs a process of blocking communication with the external device, for example, the unauthorized device indicated by the communication control information.

Further, for example, the transmission unit 250 generates information on software to be updated in the in-vehicle device of the detection vehicle, and transmits the generated information to the detection vehicle as processing information. More specifically, the transmission unit 250 generates update data used for updating the firmware of the in-vehicle device in the detection vehicle, and transmits the generated update data to the detection vehicle. The in-vehicle device to be updated may be a detection in-vehicle device or another in-vehicle device.

When the in-vehicle device in the detection vehicle receives the update data from the transmission unit 250, the in-vehicle device updates the firmware at a predetermined timing. Then, when the firmware update is completed, the in-vehicle device transmits the completion information indicating that the update is completed to the management device 200 via the in-vehicle communication device 111 and the wireless base station device 161.

When the receiving unit 210 in the management device 200 receives the completion information from the in-vehicle communication device 111 in the detection vehicle, the receiving unit 210 outputs the received completion information to the transmitting unit 250.

When the transmission unit 250 receives the completion information from the reception unit 210, the transmission unit 250 transmits the release information for releasing the communication restriction between the external device that restricted the communication and the detection vehicle to the detection vehicle.

When the in-vehicle device in the detection vehicle, for example, the in-vehicle communication device 111 receives the release information from the transmission unit 250, the in-vehicle device 111 performs a process of releasing the interruption of communication with the external device indicated by the release information.

The acquisition unit 230 acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle.

More specifically, the acquisition unit 230 acquires the version information of the software incorporated in one or a plurality of in-vehicle devices in the detection vehicle as the software information of the detection vehicle.

For example, the storage unit 260 stores version information of software incorporated in one or a plurality of vehicle-mounted devices in each of the plurality of vehicles 1.

FIG. 9 is an example of version information stored in the storage unit in the management device according to the first embodiment of the present disclosure.

With reference to FIG. 9, the storage unit 260 stores version information indicating the version of the software incorporated in the plurality of vehicle-mounted devices in each vehicle 1. In this example, the software version of each in-vehicle device of the vehicle A is "1.1" for the in-vehicle device A software, "1.3" for the in-vehicle device B software, and "1.3" for the in-vehicle device C software. It is "1.4", the software of the vehicle-mounted device D is "2.1", and the software of the vehicle-mounted device E is "2.8".

Hereinafter, the software version information of the in-vehicle device in the vehicles A, B, C, D, E, and F will also be referred to as version information A, B, C, D, E, and F, respectively.

When the acquisition unit 230 receives the alert information from the detection unit 220, the acquisition unit 230 acquires the version information of the detection vehicle indicated by the received alert information from the storage unit 260. For example, when the ID of the detection vehicle included in the alert information received from the detection unit 220 is the ID of the vehicle B, the acquisition unit 230 acquires the version information B from the storage unit 260.

For example, the acquisition unit 230 further acquires the version information of the vehicle 1 other than the detection vehicle from the storage unit 260.

The acquisition unit 230 outputs the version information of the plurality of vehicles 1 including the detection vehicle, the ID of the detection vehicle, and the ID of the detection vehicle-mounted device acquired from the storage unit 260 to the selection unit 240.

The selection unit 240 selects one or a plurality of target vehicles from the plurality of vehicles based on the version information of the detection vehicle received from the acquisition unit 230.

More specifically, the selection unit 240 is based on a comparison result between the version information of the detection vehicle received from the acquisition unit 230 and the version information of the software incorporated in one or more in-vehicle devices in the vehicle 1 other than the detection vehicle. Therefore, the target vehicle, which is the vehicle 1 for which preventive measures against unauthorized access should be preferentially implemented, is selected.

For example, the selection unit 240 selects a vehicle 1 having the same model as the detection vehicle and whose version information matches or is similar to the detection vehicle as the target vehicle.

For example, the storage unit 260 stores model information in which the ID of the vehicle 1 and the model are associated with each other.

The selection unit 240 extracts one or a plurality of vehicles 1 of the same model as the detection vehicle by referring to the model information in the storage unit 260.

Then, the selection unit 240 uses the version information of the plurality of vehicles 1 including the detection vehicle received from the acquisition unit 230 to compare the version information of the detection vehicle with the version information of each extracted vehicle 1. , Set the priority for each extracted vehicle 1.

Specifically, the selection unit 240 calculates the degree of similarity between the version information of the detected vehicle and the version information of each extracted vehicle 1, and sets the highest priority in order from the vehicle 1 having the highest degree of similarity.

FIG. 10 is a diagram showing an example of priority setting by a selection unit in the management device according to the first embodiment of the present disclosure.

With reference to FIG. 10, it is assumed that the selection unit 240 extracts the vehicles J, K, L, M, and N as the vehicle 1 of the same model as the vehicle H which is the detection vehicle.

The selection unit 240 calculates the degree of similarity between the version information H of the vehicle H and the version information J, K, L, M, N of the vehicles J, K, L, M, N.

Specifically, the selection unit 240 compares the software version of each in-vehicle device in the vehicle H with the software version of each in-vehicle device in the vehicles J, K, L, M, and N for each corresponding in-vehicle device. To do.

Then, as a result of comparing each in-vehicle device in the vehicle H with each in-vehicle device in the vehicles J, K, L, M, and N, the selection unit 240 gives one point for each in-vehicle device having the same software version. 10 points are given to each detection in-vehicle device whose software versions match each other, and the total of the points is calculated as the degree of similarity.

For example, as a result of comparing each in-vehicle device in the vehicle H with each in-vehicle device in the vehicle J, the selection unit 240 matches the software versions of the in-vehicle device A with each other, and the in-vehicle device B, which is a detection in-vehicle device, Since the software versions of E match each other, 21 points are calculated as the similarity of the vehicle J. In the same way, the selection unit 240 calculates 13 points, 12 points, 22 points, and 10 points as the similarity of the vehicles K, L, M, and N, respectively.

Then, the selection unit 240 sets the priority order in the order of vehicle M, vehicle J, vehicle K, vehicle L, and vehicle N according to the calculated similarity, and sets a predetermined number of vehicles 1 having a high priority, for example, vehicle M. Select J and K as the target vehicle.

The selection unit 240 notifies the transmission unit 250 of the IDs of the vehicles M, J, and K selected as the target vehicle.

Upon receiving the notification from the selection unit 240, the transmission unit 250 transmits the processing information for preventing unauthorized access to the target vehicle indicated by the notified ID. More specifically, the transmission unit 250 transmits the processing information for causing the in-vehicle device in the target vehicle to perform the processing for preventing unauthorized access to the detection vehicle.

For example, the transmission unit 250 generates communication restriction information for restricting communication between the target vehicle and the outside, and transmits the generated communication control information to the target vehicle as processing information. More specifically, when the alert information received from the detection unit 220 includes the IP address of the disallowed device, the transmitting unit 250 restricts communication between the target vehicle and the disallowed device. Is generated, and the generated communication control information is transmitted to the target vehicle.

When the in-vehicle device, for example, the in-vehicle communication device 111 in the target vehicle receives the communication restriction information from the transmission unit 250, it performs a process of blocking communication with the unauthorized device indicated by the communication control information, for example.

Further, for example, the transmission unit 250 generates information on software to be updated in the in-vehicle device of the target vehicle, and transmits the generated information to the target vehicle as processing information. More specifically, the transmission unit 250 generates update data used for updating the firmware of the in-vehicle device in the target vehicle, and transmits the generated update data to the target vehicle. The in-vehicle device to be updated may be an in-vehicle device having the same function or role as the detection in-vehicle device in the in-vehicle network 12, or may be another in-vehicle device. Hereinafter, in the target vehicle, an in-vehicle device having the same function or role in the in-vehicle network 12 as the detection in-vehicle device is also referred to as a target in-vehicle device.

When the in-vehicle device in the target vehicle receives the update data from the transmission unit 250, the in-vehicle device updates the firmware at a predetermined timing. Then, when the firmware update is completed, the in-vehicle device transmits the completion information indicating that the update is completed to the management device 200 via the in-vehicle communication device 111 and the wireless base station device 161.

When the receiving unit 210 in the management device 200 receives the completion information from the in-vehicle communication device 111 in the target vehicle, the receiving unit 210 outputs the received completion information to the transmitting unit 250.

When the transmission unit 250 receives the completion information from the reception unit 210, the transmission unit 250 transmits the release information for releasing the communication restriction between the external device that restricted the communication and the target vehicle to the target vehicle.

When the in-vehicle device, for example, the in-vehicle communication device 111 in the target vehicle receives the release information from the transmission unit 250, the in-vehicle device 111 performs a process of releasing the interruption of communication with the external device indicated by the release information.

[Operation flow]
Each device in the in-vehicle communication system 300 includes a computer including a memory, and an arithmetic processing unit such as a CPU in the computer reads a program including a part or all of each step of the following flowchart and sequence from the memory and executes the program. To do. The programs of these plurality of devices can be installed from the outside. The programs of these plurality of devices are distributed in a state of being stored in a recording medium.

FIG. 11 is a flowchart defining an operation procedure when the management device transmits processing information for preventing unauthorized access to the vehicle in the in-vehicle communication system according to the first embodiment of the present disclosure.

With reference to FIG. 11, first, when the management device 200 listens for the log from each vehicle 1 (NO in step S102) and receives the log information (YES in step S102), the management device 200 verifies the received log information (step S102). S104).

Next, when the management device 200 verifies the log information received from each vehicle 1 and as a result, no unauthorized access to each vehicle 1 is detected (NO in step S106), new log information from each vehicle 1 is used. (NO in step S102).

On the other hand, when the management device 200 detects an unauthorized access to a certain vehicle 1 as a result of verifying the log received from each vehicle 1 (YES in step S106), the vehicle in which the unauthorized access has occurred in the vehicle 1, that is, the detected vehicle. The detection vehicle-mounted device, which is a device, is specified (step S108).

Next, the management device 200 transmits the communication restriction information for restricting the communication between the detection vehicle and the outside and the update data used for updating the firmware of the detection vehicle-mounted device to the detection vehicle (step S110).

Next, the management device 200 acquires the version information of the software incorporated in one or more in-vehicle devices in the detection vehicle and the version information of the software incorporated in one or more in-vehicle devices in the vehicle 1 other than the detection vehicle. (Step S112).

Next, the management device 200 selects a target vehicle for which preventive measures against unauthorized access should be preferentially implemented based on the acquired version information (step S114).

Next, the management device 200 transmits to the target vehicle communication restriction information for restricting communication between the target vehicle and the outside and update data used for updating the firmware of the target vehicle-mounted device and the like (step S116).

Next, the management device 200 waits for new log information from each vehicle 1 (NO in step S102).

FIG. 12 is a sequence of processes for preventing unauthorized access to the vehicle in the in-vehicle communication system according to the first embodiment of the present disclosure.

With reference to FIG. 12, first, each gateway device 101 in the vehicles X, Y, and Z transmits log information to the management device 200 (step S202).

Next, the management device 200 detects unauthorized access to the vehicle X by verifying the log information received from each gateway device 101, and identifies the detection vehicle-mounted device that is the vehicle-mounted device in which the unauthorized access has occurred ( Step S204).

Next, the management device 200 transmits communication restriction information for restricting communication with the unauthorized device and update data used for updating the firmware of the detection in-vehicle device to the vehicle X, which is the detection vehicle in which unauthorized access is detected. (Step S206).

Next, the vehicle X performs a process of blocking communication with the unauthorized device based on the communication restriction information and the update data received from the management device 200, and updates the firmware of the detection in-vehicle device or the like using the update data. Is started (step S208).

Next, the management device 200 acquires the version information X, Y, Z of the software incorporated in one or more in-vehicle devices in the vehicles X, Y, Z (step S210).

Next, the management device 200 selects the vehicle Z as the target vehicle for which preventive measures against unauthorized access should be preferentially implemented based on the acquired version information X, Y, Z (step S212).

Next, the management device 200 transmits communication restriction information for restricting communication with the unauthorized device and update data used for updating the firmware of the target in-vehicle device to the vehicle Z, which is the target vehicle (step S214). ..

Next, the vehicle Z performs a process of blocking communication with the unauthorized device indicated by the communication control information based on the communication restriction information and the update data received from the management device 200, and uses the update data to perform the process of blocking the communication with the target vehicle-mounted device. The update of the firmware such as is started (step S216).

Next, when the firmware update is completed, the vehicle X transmits the completion information indicating that the update is completed to the management device 200 (step S218).

Next, the management device 200 transmits the release information for releasing the communication restriction between the vehicle X and the unauthorized device to the vehicle X (step S220).

Next, the vehicle X performs a process of releasing the interruption of communication with the unauthorized device based on the release information received from the management device 200 (step S222).

Next, when the firmware update is completed, the vehicle Z transmits the completion information indicating that the update is completed to the management device 200 (step S224).

Next, the management device 200 transmits the release information for releasing the communication restriction between the vehicle Z and the unauthorized device to the vehicle Z (step S226).

Next, the vehicle Z performs a process of releasing the interruption of communication with the unauthorized device based on the release information received from the management device 200 (step S228).

In the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 updates the communication restriction information for restricting the communication between the target vehicle and the outside and the in-vehicle device of the target vehicle as processing information. The configuration is such that information on the software to be used is transmitted to the target vehicle, but the configuration is not limited to this. The transmission unit 250 may be configured to transmit either one of the communication restriction information and the software information to the target vehicle, but not the other. However, when the transmission unit 250 transmits the communication restriction information to the detection vehicle, for example, remote control of the detection vehicle by an external unauthorized device can be prevented, so that the detection vehicle can be stopped so as to avoid a collision accident. it can.

Further, in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 transmits update data used for updating the firmware of the vehicle-mounted device as information on software to be updated in the vehicle-mounted device of the target vehicle. Although it is said to be a configuration, it is not limited to this. The transmission unit 250 may be configured to transmit a URL (Uniform Resource Locator) indicating the location of the update data to the target vehicle as software information.

Further, in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 contains communication restriction information for restricting communication between the detection vehicle and the outside and software to be updated in the in-vehicle device of the detection vehicle. The configuration is such that information is transmitted to the detection vehicle, but the present invention is not limited to this. The transmission unit 250 may be configured not to transmit both the communication restriction information and the software information to the detection vehicle. Further, the transmission unit 250 transmits, as the processing information, information for restricting the functions of a part or all of the in-vehicle devices in the target vehicle to the target vehicle instead of the communication restriction information and the software information. It may be a configuration.

Further, in the management device 200 according to the first embodiment of the present disclosure, the acquisition unit 230 is configured to acquire the version information of the software incorporated in the in-vehicle device in the detection vehicle from the storage unit 260. It is not limited to this. The storage unit 260 may not store the version information, and the acquisition unit 230 may be configured to acquire the version information from the outside of the management device 200.

Further, in the management device 200 according to the first embodiment of the present disclosure, the acquisition unit 230 is incorporated in the in-vehicle device in the detection vehicle as software information indicating the state of the software incorporated in the in-vehicle device in the detection vehicle. The configuration is such that software version information is acquired, but the configuration is not limited to this. The acquisition unit 230 may be configured to acquire information other than the version as software information, such as information on the previous update date and time of the software incorporated in the in-vehicle device in the detection vehicle.

Further, in the management device 200 according to the first embodiment of the present disclosure, the selection unit 240 uses the version information of software incorporated in one or a plurality of in-vehicle devices in the detection vehicle and 1 in the vehicle 1 other than the detection vehicle. Alternatively, the configuration is such that the target vehicle is selected based on the comparison result with the version information of the software incorporated in a plurality of in-vehicle devices, but the present invention is not limited to this. The selection unit 240 targets based on the comparison result between the previous update date and time of the software incorporated in the in-vehicle device in the detection vehicle and the previous update date and time of the software incorporated in the in-vehicle device in the vehicle 1 other than the detection vehicle. It may be configured to select a vehicle.

Further, in the management device 200 according to the first embodiment of the present disclosure, the selection unit 240 compares each in-vehicle device in the detection vehicle with each in-vehicle device in a vehicle of the same type as the detection vehicle, and as a result, the software One point is given to each in-vehicle device whose version matches each other, 10 points are given to each detection in-vehicle device whose software version matches each other, and the total of the points is calculated as the similarity. , Not limited to this. The selection unit 240 gives 1 point for each in-vehicle device when the software version of the in-vehicle device in the vehicle of the same model as the detection vehicle matches or is lower than the software version of the in-vehicle device in the detection vehicle. However, the configuration may be such that 10 points are given to each detection vehicle-mounted device whose software versions match each other and calculated as the degree of similarity.

For example, in the example shown in FIG. 10, as a result of comparing each in-vehicle device in the vehicle H with each in-vehicle device in the vehicle J, the software versions of the in-vehicle device A match each other, and the in-vehicle device B, which is the detection in-vehicle device, Since the software versions of E match each other and the software version of the in-vehicle devices C and D in the vehicle J is lower than the software version of the in-vehicle devices C and D in the vehicle H, the similarity of the vehicle J is 23 points. Is calculated.

Further, in the management device 200 according to the first embodiment of the present disclosure, the detection unit 220 is configured to detect unauthorized access to the vehicle 1 and identify the vehicle-mounted device in which the unauthorized access has occurred, that is, the detected vehicle-mounted device. Yes, but it is not limited to this. The detection unit 220 may be configured to detect unauthorized access to the vehicle 1 while not specifying the detection vehicle-mounted device.

Further, in the in-vehicle communication system 300 according to the first embodiment of the present disclosure, when the in-vehicle device in the detection vehicle completes the update of the firmware, the in-vehicle device transmits the completion information indicating that the update is completed to the management device 200. When the management device 200 receives the completion information from the in-vehicle device, the management device 200 transmits the release information for releasing the communication restriction between the external device that restricted the communication and the detection vehicle to the detection vehicle, and the in-vehicle device in the detection vehicle is The configuration is such that when the release information is received from the transmission unit 250, the process of releasing the interruption of communication with the external device indicated by the release information is performed, but the present invention is not limited to this. When the firmware update is completed, the in-vehicle device of the detection vehicle may be configured to release the interruption of communication with the external device without transmitting the completion information to the management device 200.

Further, in the in-vehicle communication system 300 according to the first embodiment of the present disclosure, when the in-vehicle device in the target vehicle completes the update of the firmware, the in-vehicle device transmits the completion information indicating that the update is completed to the management device 200. When the management device 200 receives the completion information from the in-vehicle device, the management device 200 transmits the release information for releasing the communication restriction between the external device that restricted the communication and the target vehicle to the target vehicle, and the in-vehicle device in the target vehicle The configuration is such that when the release information is received from the transmission unit 250, the process of canceling the interruption of communication with the external device is performed, but the present invention is not limited to this. When the firmware update is completed, the in-vehicle device of the target vehicle may be configured to release the interruption of communication with the external device without transmitting the completion information to the management device 200.

Further, in the vehicle-mounted communication system 300 according to the first embodiment of the present disclosure, the management device 200 detects unauthorized access to one vehicle 1 based on the log information received from the vehicle-mounted device, and the vehicle 1, that is, the vehicle 1 The configuration is such that the version information of the software incorporated in one or more in-vehicle devices in the detection vehicle is acquired and one or more target vehicles are selected based on the acquired version information, but the configuration is not limited to this. Absent. The management device 200 detects unauthorized access to a plurality of vehicles 1, acquires version information of software incorporated in one or a plurality of in-vehicle devices in the plurality of vehicles 1, that is, the detected vehicles, and each acquired version information. It may be configured to select one or a plurality of target vehicles based on.

In addition, a part or all of the functions of the management device 200 according to the first embodiment of the present disclosure may be provided by cloud computing. That is, the management device 200 according to the embodiment of the present disclosure may be configured by a plurality of cloud servers and the like.

By the way, a technology that can more reliably prevent the spread of unauthorized access to each vehicle is desired.

For example, when deploying defense measures against unauthorized access detected in one vehicle to another vehicle, if there are many vehicles that need to deploy defense measures, it will take time to complete the deployment of defense measures. .. As a result, unauthorized access will occur in some vehicles for which the deployment of defense measures has been delayed, and unauthorized access will increase.

On the other hand, in the management device 200 according to the first embodiment of the present disclosure, the detection unit 220 detects unauthorized access to the vehicle 1. The acquisition unit 230 acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle, which is the vehicle 1 in which unauthorized access is detected by the detection unit 220. The selection unit 240 selects one or a plurality of target vehicles from the plurality of vehicles 1 based on the software information acquired by the acquisition unit 230. The transmission unit 250 transmits processing information for preventing unauthorized access to the target vehicle selected by the selection unit 240.

In this way, by selecting the target vehicle using the information of the software incorporated in the in-vehicle device of the detection vehicle and transmitting the processing information for preventing unauthorized access to the target vehicle, for example, the embedded software in each vehicle 1 A priority can be set for each vehicle 1 according to the state of the above, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle 1, it is possible to prioritize the development of defense measures for the vehicle 1 in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. it can.

Therefore, the management device 200 according to the first embodiment of the present disclosure can more reliably prevent the spread of unauthorized access to each vehicle.

Further, in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 transmits information for restricting communication between the target vehicle and the outside as processing information to the target vehicle.

With such a configuration, it is possible to more reliably prevent unauthorized access to the target vehicle from outside the target vehicle.

Further, in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 transmits information on software to be updated in the in-vehicle device of the target vehicle as processing information to the target vehicle.

With such a configuration, the software embedded in the in-vehicle device in the target vehicle can be updated to, for example, software with enhanced security against unauthorized access, so that unauthorized access to the in-vehicle device in the target vehicle can be more reliably prevented. be able to.

Further, in the management device 200 according to the first embodiment of the present disclosure, the storage unit 260 stores version information of software incorporated in one or a plurality of in-vehicle devices in each of the plurality of vehicles 1.

With such a configuration, when an unauthorized access is detected in a certain vehicle 1, the version information of the software incorporated in one or more in-vehicle devices in the vehicle 1 can be easily acquired by referring to the storage unit 260. can do. As a result, the acquired version information can be used to select the target vehicle at an early stage, or to generate information on unauthorized access for notifying the user at an early stage.

Further, in the management device 200 according to the first embodiment of the present disclosure, the acquisition unit 230 acquires the version information of the software incorporated in one or more in-vehicle devices in the detection vehicle as software information. The selection unit 240 selects the target vehicle based on the comparison result between the version information acquired by the acquisition unit 230 and the version information of the software incorporated in one or more in-vehicle devices in the vehicle other than the detection vehicle.

Thereby, from the viewpoint of software version information, it is possible to more accurately select the vehicle 1 in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur.

Further, the communication system 400 according to the first embodiment of the present disclosure includes a management device 200 and an in-vehicle device mounted on the vehicle 1. The in-vehicle device transmits the log information to the management device 200. The management device 200 detects unauthorized access to the vehicle 1 based on the log information received from the in-vehicle device. The management device 200 acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detected vehicle, which is the vehicle 1 in which unauthorized access is detected. The management device 200 selects one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information. The management device 200 transmits processing information for preventing unauthorized access to the selected target vehicle.

In this way, by selecting the target vehicle using the information of the software incorporated in the in-vehicle device of the detection vehicle and transmitting the processing information for preventing unauthorized access to the target vehicle, for example, the embedded software in each vehicle 1 A priority can be set for each vehicle 1 according to the state of the above, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle 1, it is possible to prioritize the development of defense measures for the vehicle 1 in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. it can.

Therefore, in the communication system 400 according to the first embodiment of the present disclosure, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

Further, the vehicle communication management method according to the first embodiment of the present disclosure is the vehicle communication management method in the management device 200. In this vehicle communication management method, first, the management device 200 detects unauthorized access to the vehicle 1. Next, the management device 200 acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detected vehicle, which is the vehicle 1 in which unauthorized access is detected. Next, the management device 200 selects one or a plurality of target vehicles from the plurality of vehicles based on the acquired software information. Next, the management device 200 transmits processing information for preventing unauthorized access to the selected target vehicle.

In this way, by selecting the target vehicle using the information of the software embedded in the in-vehicle device in the detection vehicle and transmitting the processing information for preventing unauthorized access to the target vehicle, for example, the embedded software in each vehicle 1. A priority can be set for each vehicle 1 according to the state of the above, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle 1, it is possible to prioritize the development of defense measures for the vehicle 1 in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. it can.

Therefore, the vehicle communication management method according to the first embodiment of the present disclosure can more reliably prevent the spread of unauthorized access to each vehicle.

Further, the vehicle communication management method according to the first embodiment of the present disclosure is a vehicle communication management method in a communication system including a management device 200 and an in-vehicle device mounted on the vehicle 1. In this vehicle communication management method, first, the in-vehicle device transmits log information to the management device 200. Next, the management device 200 detects unauthorized access to the vehicle 1 based on the log information received from the in-vehicle device. Next, the management device 200 acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detected vehicle, which is the vehicle 1 in which unauthorized access is detected. Next, the management device 200 selects one or a plurality of target vehicles from the plurality of vehicles based on the acquired software information. Next, the management device 200 transmits processing information for preventing unauthorized access to the selected target vehicle.

In this way, by selecting the target vehicle using the information of the software embedded in the in-vehicle device in the detection vehicle and transmitting the processing information for preventing unauthorized access to the target vehicle, for example, the embedded software in each vehicle 1. A priority can be set for each vehicle 1 according to the state of the above, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle 1, it is possible to prioritize the development of defense measures for the vehicle 1 in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. it can.

Therefore, the vehicle communication management method according to the first embodiment of the present disclosure can more reliably prevent the spread of unauthorized access to each vehicle.

Next, other embodiments of the present disclosure will be described with reference to the drawings. The same or corresponding parts in the drawings are designated by the same reference numerals, and the description thereof will not be repeated.

<Second Embodiment>
The present embodiment relates to an in-vehicle communication system in which the management device notifies the user of alert-related information as compared with the in-vehicle communication system according to the first embodiment. Except for the contents described below, the same as the in-vehicle communication system according to the first embodiment.

[Management device]
FIG. 13 is a diagram showing a configuration of a management device according to a second embodiment of the present disclosure.

With reference to FIG. 13, the management device 201 includes a reception unit 210, a detection unit 220, an acquisition unit 230, a selection unit 240, a transmission unit 250, a storage unit 260, a search unit 270, and a notification unit 280. And.

When the acquisition unit 230 acquires the version information of the plurality of vehicles 1 including the detection vehicle from the storage unit 260, the acquisition unit 230 outputs the acquired version information, the ID of the detection vehicle, and the ID of the detection vehicle device to the selection unit 240 and the search unit 270. ..

The search unit 270 performs the vehicle 1 according to a predetermined search condition based on the comparison result between the software version information of one or more in-vehicle devices in the detection vehicle and the software version information of the in-vehicle device in the vehicle 1 other than the detection vehicle. Search for.

For example, the search unit 270 uses the version information received from the acquisition unit 230 to search for the vehicle 1 including the vehicle-mounted device having the same version as the software version of the detection vehicle-mounted device among the plurality of vehicles 1.

For example, the search unit 270 uses the version information received from the acquisition unit 230, and among the plurality of detection vehicles, the detection vehicle devices have the same function or role in the vehicle network 12, and the detection vehicle devices correspond to each other. Search for detected vehicles.

For example, the search unit 270 uses the version information received from the acquisition unit 230 to search for a detection vehicle in which the detection vehicle devices correspond to each other and the versions of the detection vehicle devices are the same among the plurality of detection vehicles. ..

The search unit 270 outputs the ID of the detection vehicle, the ID of the detection vehicle-mounted device, and the search result to the notification unit 280.

The notification unit 280 displays the content of the alert-related information on a display device (not shown) based on the ID of the detection vehicle, the ID of the detection vehicle device, and the search result received from the search unit 270, and the user of the content of the alert-related information. Notify to.

FIG. 14 is a diagram showing an example of the notification content notified by the notification unit in the management device according to the second embodiment of the present disclosure.

With reference to FIG. 14, the notification unit 280 may include identification information such as the time of occurrence of unauthorized access in the detection vehicle, the ID of the detection vehicle, the name of the detection vehicle device, version information of the software of the detection vehicle device, and software of the detection vehicle device. The number of vehicles 1 including the in-vehicle device of the same version as the version of, the number of detection vehicles corresponding to each other of the detection in-vehicle devices, and the detection vehicle in which the detection in-vehicle devices correspond to each other and the version of the detection in-vehicle device is the same. The screen in which the number of cases is displayed for each alert information is displayed on a display device (not shown).

In the management device 201 according to the second embodiment of the present disclosure, the acquisition unit 230 is configured to acquire version information of a plurality of vehicles 1 including the detection vehicle from the storage unit 260. It is not limited. The storage unit 260 may not store the version information, and the acquisition unit 230 may be configured to acquire the version information from the outside of the management device 200.

Further, the notification unit 280 is configured to display a screen on which various information as shown in FIG. 14 is displayed on a display device (not shown), but the present invention is not limited to this. The notification unit 280 may be configured not to display a part of each of the above information on the display device. Further, the notification unit 280 may be configured to notify the user by a method other than displaying each of the above information on the display device, for example, by voice.

As described above, in the management device 201 according to the second embodiment of the present disclosure, the notification unit 280 uses the version information of the software incorporated in the in-vehicle device in which unauthorized access is detected in the detection vehicle, and the detection vehicle is illegal. Identification information of the in-vehicle device for which access was detected, version information of software incorporated in one or more in-vehicle devices in the detection vehicle, and version information of software incorporated in one or more in-vehicle devices in a vehicle other than the detection vehicle. Notify the user of the number of vehicles searched based on at least the result of comparison with.

With such a configuration, for example, when unauthorized access is detected in a plurality of vehicles 1 by the detection unit 220, for example, the number of vehicles 1 having the same version information as the version information in the detected vehicle for each detected unauthorized access. Can be notified to the user, so that the user can be notified of the number of vehicles 1 in which the same unauthorized access as the unauthorized access detected in the detected vehicle may occur. This facilitates the user's choice of unauthorized access to prioritize the deployment of defense measures.

Since other configurations and operations are the same as those of the in-vehicle communication system 300 according to the first embodiment, detailed description will not be repeated here.

It should be considered that the above embodiments are exemplary in all respects and not restrictive. The scope of the present invention is shown by the scope of claims rather than the above description, and is intended to include all modifications within the meaning and scope equivalent to the scope of claims.

The above description includes the features described below.
[Appendix 1]
A detector that detects unauthorized access to the vehicle and
Version information of software incorporated in one or more in-vehicle devices in the detection vehicle which is the vehicle in which the unauthorized access is detected by the detection unit, and one or more in-vehicle devices in a plurality of vehicles other than the detection vehicle. An acquisition unit that acquires version information of the embedded software,
A selection unit that selects one or a plurality of target vehicles from the plurality of vehicles based on the degree of similarity between the version information in the detection vehicle and the version information in the plurality of vehicles acquired by the acquisition unit. When,
A management device including a detection vehicle in which unauthorized access is detected by the detection unit, and a transmission unit that transmits processing information for preventing unauthorized access to the target vehicle selected by the selection unit.

[Appendix 2]
Management device and
Equipped with an in-vehicle device mounted on the vehicle
The in-vehicle device transmits log information to the management device.
The management device detects unauthorized access to the vehicle based on the log information received from the vehicle-mounted device, and detects unauthorized access to the vehicle.
The management device includes version information of software incorporated in one or more in-vehicle devices in the detection vehicle which is the vehicle in which unauthorized access is detected, and one or more in-vehicle devices in a plurality of vehicles other than the detection vehicle. Get the version information of the software embedded in
The management device selects one or a plurality of target vehicles from the plurality of vehicles based on the degree of similarity between the version information in the detection vehicle and the version information in the plurality of vehicles.
The management device is a communication system that transmits processing information for preventing unauthorized access to the detected vehicle and the selected target vehicle.

1 Vehicle 11 External network 12 In-vehicle network 13 Bus 14 Bus 101 Gateway device 51 Switch unit 52 Processing unit 53 Storage unit 54 Abnormality detection unit 111 In-vehicle communication device 121 Bus connection device group 122 Control device 161 Radio base station device 200 Management device 201 Management Device 210 Reception unit 220 Detection unit 230 Acquisition unit 240 Selection unit 250 Transmission unit 260 Storage unit 270 Search unit 280 Notification unit 300 In-vehicle communication system 400 Communication system

Claims (10)

A detector that detects unauthorized access to the vehicle and
An acquisition unit that acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle, which is the vehicle in which the unauthorized access is detected by the detection unit.
A selection unit that selects one or a plurality of target vehicles from a plurality of vehicles based on the software information acquired by the acquisition unit.
A management device including a transmission unit that transmits processing information for preventing unauthorized access to the target vehicle selected by the selection unit. The management device according to claim 1, wherein the transmission unit transmits information for restricting communication between the target vehicle and the outside as the processing information to the target vehicle. The management device according to claim 1 or 2, wherein the transmission unit transmits information of software to be updated in the in-vehicle device of the target vehicle as the processing information to the target vehicle. The management device further
The management device according to any one of claims 1 to 3, further comprising a storage unit for storing version information of software incorporated in one or a plurality of in-vehicle devices in each of the plurality of vehicles. The acquisition unit acquires, as the software information, version information of software incorporated in one or more of the in-vehicle devices in the detection vehicle.
The selection unit selects the target vehicle based on a comparison result between the version information acquired by the acquisition unit and the version information of software incorporated in one or more in-vehicle devices in a vehicle other than the detection vehicle. The management device according to any one of claims 1 to 4, which is selected. The management device further
Version information of software incorporated in the in-vehicle device in which the unauthorized access is detected in the detection vehicle, identification information of the in-vehicle device in which the unauthorized access is detected in the detection vehicle, and one or more of the detection vehicles. The number of vehicles searched based on at least the result of comparison between the version information of the software incorporated in the in-vehicle device and the version information of the software incorporated in one or more in-vehicle devices in a vehicle other than the detection vehicle is determined by the user. The management device according to any one of claims 1 to 5, further comprising a notification unit for notifying the user. Management device and
Equipped with an in-vehicle device mounted on the vehicle
The in-vehicle device transmits log information to the management device.
The management device detects unauthorized access to the vehicle based on the log information received from the vehicle-mounted device, and detects unauthorized access to the vehicle.
The management device acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle which is the vehicle in which the unauthorized access is detected.
The management device selects one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information.
The management device is a communication system that transmits processing information for preventing unauthorized access to the selected target vehicle. It is a vehicle communication management method in the management device.
Steps to detect unauthorized access to the vehicle and
A step of acquiring software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle which is the vehicle in which unauthorized access is detected, and
A step of selecting one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information, and
A vehicle communication management method including a step of transmitting processing information for preventing unauthorized access to the selected target vehicle. A vehicle communication management method in a communication system including a management device and an in-vehicle device mounted on a vehicle.
A step in which the in-vehicle device transmits log information to the management device,
A step in which the management device detects unauthorized access to the vehicle based on the log information received from the in-vehicle device.
A step in which the management device acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle which is the vehicle in which the unauthorized access is detected.
A step in which the management device selects one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information.
A vehicle communication management method including a step in which the management device transmits processing information for preventing unauthorized access to the selected target vehicle. A vehicle communication management program used in a management device.
Computer,
A detector that detects unauthorized access to the vehicle and
An acquisition unit that acquires software information indicating the state of software incorporated in one or more in-vehicle devices in the detection vehicle, which is the vehicle in which the unauthorized access is detected by the detection unit.
A selection unit that selects one or a plurality of target vehicles from a plurality of vehicles based on the software information acquired by the acquisition unit.
A transmission unit that transmits processing information for preventing unauthorized access to the target vehicle selected by the selection unit.
Vehicle communication management program to function as.

Images