JP2021117568A - Cyber attack analysis support device - Google Patents

Abstract

To provide a cyber attack analysis system which can collect event information of cyber attacks to specify which of the attacks is associated with a cyber attack experienced by a driver.SOLUTION: A cyber attack analysis support device 100 includes: an input unit 101 which receives detection information transmitted via a communication network from a terminal device; a storage unit 102 which stores signals received by constituent devices constituting the terminal device and design information describing relations between the constituent devices and user interfaces which the constituent devices have; a control unit 103 which specifies an attack target constituent device being a target of a cyber attack or an attack target signal on the basis of the detection information and refers to the design information to generate abstract experience information being an event which is inferred to be experienced by a user of the terminal device due to influence of the cyber attack; and an output unit 104 which outputs the abstract experience information.SELECTED DRAWING: Figure 2

Description

The present invention is a device that analyzes a cyber attack and supports problem solving, and is a cyber attack analysis support device that mainly analyzes and supports a cyber attack on a moving body such as a vehicle, a cyber attack analysis support method, and a cyber attack analysis support method. And cyber attack analysis support program.

In recent years, technologies for driving support and automatic driving control, including V2X such as vehicle-to-vehicle communication and road-to-vehicle communication, have been attracting attention. Along with this, vehicles have come to have a communication function, and so-called vehicles are becoming more connected. As a result, vehicles are more likely to be attacked by cyber attacks.

A cyber attack on a vehicle has a high risk of causing an accident that affects the person if the vehicle loses control due to the cyber attack, so it is important to analyze the case in order to prevent this in advance.

For example, in Patent Document 1, in order to present the contents of a cyber attack to the user in an easy-to-understand manner, the registration of information on the attacker of the cyber attack, the attack method, the detection index, the observed event, the incident, the countermeasure, and the attack target is accepted. , When displaying these, it is described that they are displayed in a state of being connected as a node under the representative node.

Japanese Unexamined Patent Publication No. 2018-32355

Here, the present inventor has found the following problems.
For cyber attacks on vehicles, it is assumed that the driver, who is the user of the vehicle, requests repairs and responses from automobile manufacturers and automobile dealers. At that time, the driver may report the event that he / she experienced due to the cyber attack.

However, even if the cyber attack analysis support system collects the detection information of the cyber attack, it is difficult to identify which attack is associated with the cyber attack experienced by the driver. In other words, on the cyber attack analysis support system side, data on the cause of the problem event, including event information related to the cyber attack, is stored. However, since it is difficult to reproduce the problem event itself, it is difficult to link the report of what kind of experience the driver experienced with the cause of the problem event.

An object of the present invention is to reproduce a problem event presumed to have been experienced by a user from detection information related to a cyber attack.

The cyber attack analysis support device (100) of the present disclosure is
An input unit (101) into which detection information transmitted from a terminal device (200) is input via a communication network, and an input unit (101).
A storage unit (102) that stores design information in which signals received by the constituent devices constituting the terminal device and the relationship between the constituent devices and the user interface of the constituent devices are described.
Based on the detection information, the attack target configuration device or the attack target signal that is the target of the cyber attack is specified, and the user of the terminal device is presumed to have experienced due to the influence of the cyber attack by referring to the design information. A control unit (103) that generates some abstract experience information,
It has an output unit (104) that outputs the abstract experience information.

The claims and the numbers in parentheses attached to the constituent requirements of the invention described in this section indicate the correspondence between the present invention and the embodiments described later, and are intended to limit the present invention. do not have.

With the above configuration, it is possible to reproduce a problem event that is presumed to have been experienced by the user from the detection information related to the cyber attack.

Explanatory drawing which shows the relationship between the cyber attack analysis support apparatus and the terminal apparatus of Embodiment 1 and Embodiment 2 of this disclosure. A block diagram showing a configuration example of the cyber attack analysis support device according to the first embodiment of the present disclosure. Explanatory drawing which shows the design information stored in the storage part of the cyber attack analysis support device of Embodiment 1 of this disclosure. A block diagram showing a configuration example of the terminal device according to the first embodiment of the present disclosure. A flowchart illustrating the operation of the cyber attack analysis support device according to the first embodiment of the present disclosure. A block diagram showing a configuration example of the cyber attack analysis support device according to the second embodiment of the present disclosure. Explanatory drawing which shows the state information stored in the storage part of the cyber attack analysis support device of Embodiment 2 of this disclosure. A flowchart illustrating the operation of the cyber attack analysis support device according to the second embodiment of the present disclosure. A block diagram showing a configuration example of the cyber attack analysis support device according to the third embodiment of the present disclosure. Explanatory drawing explaining how to use abstract experience information and concrete experience information output in each embodiment of this disclosure

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

The present invention means the invention described in the section of claims or means for solving the problem, and is not limited to the following embodiments. Further, at least the words and phrases in brackets mean the words and phrases described in the section of claims or means for solving the problem, and are not limited to the following embodiments.

The configurations and methods described in the dependent terms of the claims are arbitrary configurations and methods in the invention described in the independent terms of the claims. The configuration and method of the embodiment corresponding to the configuration and method described in the dependent paragraph, and the configuration and method described only in the embodiment without description in the claims are arbitrary configurations and methods in the present invention. The configuration and method described in the embodiment when the description of the claims is wider than the description of the embodiment is also an arbitrary configuration and method in the present invention in the sense that it is an example of the configuration and method of the present invention. .. In any case, by describing in the independent clause of the claims, it becomes an indispensable configuration and method of the present invention.

The effects described in the embodiments are effects in the case of having the configuration of the embodiment as an example of the present invention, and are not necessarily the effects of the present invention.

When there are a plurality of embodiments, the configuration disclosed in each embodiment is not closed only in each embodiment, but can be combined across the embodiments. For example, the configuration disclosed in one embodiment may be combined with another embodiment. Further, the disclosed configurations may be collected and combined in each of the plurality of embodiments.

The problems described in the problems to be solved by the invention are not known problems, but are independently discovered by the present inventor, and are facts that affirm the inventive step of the invention together with the structure and method of the present invention.

1. 1. Embodiment 1
(1) Relationship between Cyber Attack Analysis Support Device and Terminal Device The relationship between the cyber attack analysis support device and the terminal device of the present embodiment will be described first with reference to FIG.

The cyber attack analysis support device 100 (corresponding to the “cyber attack analysis support device”) is a terminal device 200 (corresponding to the “terminal device”) mounted on the vehicle via the communication network 10 (corresponding to the “communication network”). Is connected to. In the present embodiment, the terminal device 200 assumes an in-vehicle electronic control system in which a plurality of electronic control units (ECU (Electric Control Unit), hereinafter abbreviated as ECU) are connected by an in-vehicle network. It is not limited.

Here, the "cyber attack analysis support device" is sufficient as long as it is a device that analyzes attacks from the outside such as cyber attacks. For example, it generally corresponds to what is called a server device, a monitoring device, and a support device, and specific examples thereof include various server devices, workstations, and personal computers (PCs), such as electronic control devices (ECUs) and semiconductor circuits. It may be an element, a smartphone, a mobile phone, or the like.
The "communication network" may be a wired communication network as well as a wireless communication network. Moreover, you may combine these.
The "terminal device" refers to a device connected to the cyber attack analysis support device, and generally corresponds to an electronic control system, an in-vehicle computer, or an in-vehicle network system, and is an electronic control device (ECU). ), Semiconductor circuit elements, personal computers (PCs), smartphones, mobile phones, etc. are also included in this.

In the case of a wireless communication system, the communication network is, for example, IEEE802.11 (WiFi (registered trademark)), IEEE802.16 (WiMAX (registered trademark)), W-CDMA (Wideband Code Division Multiple Access), HSPA (High Speed Packet). Access), LTE (Long Term Evolution), LTE-A (Long Term Evolution Advanced), 4G, 5G and the like can be used. Alternatively, DSRC (Dedicated Short Range Communication) can be used.
In the case of a wired communication system, for example, a LAN (Local Area Network), the Internet, or a fixed telephone line can be used as the communication network.
The wireless communication network may be a combination of a wireless communication method and a wired communication method. For example, a wireless communication method is used between the terminal device 200 and the base station device in the cellular system, and a wired communication method such as the trunk line of a telecommunications carrier or the Internet is used between the base station device and the cyber attack analysis support device 100. , Each may be connected.

(2) Configuration of Cyber Attack Analysis Support Device The configuration of the cyber attack analysis support device 100 of the present embodiment will be described with reference to FIG.
The cyber attack analysis support device 100 includes an input unit 101, a storage unit 102, a control unit 103, and an output unit 104.

The input unit 101 inputs "detection information" transmitted from the terminal device 200 via the communication network. In the case of the present embodiment, the terminal device 200 analyzes the event log and generates detection information based on the event log generated by each ECU (corresponding to the "configuration device") constituting the terminal device 200. In the case of the present embodiment, the detection information includes an attack target ECU indicating an attack target ECU or an attack target signal indicating an attack target signal. In addition, the attack target signal may be specified in more detail to include the attack target packet, the attack target file, the attack target content, and the attack target process.
Other examples of the detection information will be described in the modified examples of each embodiment described later.

Here, the "detection information" is sufficient as long as it is information indicating that a cyber attack or an individual event or abnormality that constitutes or presupposes the cyber attack has been detected, for example, CAN data, an event log, an abnormality detection signal, or the like. included.
The “constituent device” is a device that constitutes a terminal device and refers to a device that bears all or part of the functions of the terminal device. The components are usually composed of a plurality of devices, but may be a single device. For example, when the terminal device is an electronic control system, the constituent devices correspond to individual electronic control units (ECUs).

The storage unit 102 stores signals received by each ECU constituting the terminal device 200, and design information in which the relationship between each ECU and the user interface (UI) of the ECU is described.

FIG. 3 shows a specific example of the design information of the present embodiment.
In the design information, the name of each ECU constituting the terminal device 200 and the signal name received or transmitted by each ECU are associated and stored. For example, the meter ECU that controls the display on the front panel of the vehicle has door open / closed state information indicating the open / closed state of the door, cruise control SW information indicating the state of the switch for turning on / off the cruise control function, and temperature setting of the air conditioner. It is described that the air conditioner temperature information indicating the above is received. The EPS (Electric Power steering System) ECU that controls the electric power steering receives the cruise control SW information. According to FIG. 3, the CGW (Central GateWay) that controls the information transmission of the in-vehicle network does not transmit or receive signals. The vehicle body ECU that controls the vehicle body constituting the vehicle transmits door opening / closing information.

In the design information, each ECU constituting the terminal device 200 and the UI of the vehicle related to each ECU are associated and stored. For example, since the meter ECU is an ECU that controls the display of various information, an image display unit is associated with the meter ECU. Since the EPS ECU is an ECU that controls the steering operated by the driver, an operation input unit is associated with the EPS ECU. Since CGW has nothing to do with the display on the driver or the operation of the driver, there is no associated UI. There is no UI associated with the vehicle body ECU for the same reason.

Examples of the UI include an image display unit and an operation input unit, as well as a voice output unit and a voice input unit, and at least one of these is sufficient. Examples of the image display unit include a liquid crystal display and a head-up display. Examples of the operation input unit include a touch panel, various buttons and dials, an accelerator, a brake, a clutch, a steering wheel, a parking brake, a shift lever, and the like. Examples of audio output units include speakers and headsets. An example of a voice input unit is a microphone. The UI described in the design information may specify such a specific or detailed UI.

Design information is often designed uniquely for each vehicle. In this case, by including the information that identifies the vehicle type and the manufacturer in the detection information, the cyber attack analysis support device 100 can refer to the appropriate design information according to the vehicle type.

The control unit 103 "based" on the detection information input from the input unit 101, and identifies the attack target ECU (corresponding to the "attack target configuration device") or the attack target signal that is the target of the cyber attack. In the case of the present embodiment, since the detection signal includes the information indicating the attack target ECU or the attack target signal, this information may be extracted from the detection signal. When the detection information is other information, for example, the event log of each ECU, the cyber attack analysis support device 100 analyzes the event log and identifies the attack target ECU or the attack target signal. An example of performing analysis with the cyber attack analysis support device 100 will be described in a modified example of each embodiment described later.

Here, "based on" includes not only the case where the result of analyzing the detection information is used, but also the case where the information contained in the detection information is extracted and used.

Then, the control unit 103 "generates" abstract experience information, which is an event presumed to have been experienced by the driver of the vehicle who is the user of the terminal device 200, by referring to the design information.

Here, "generate" includes not only the case of newly generating but also the case of selecting and reading the information stored in the storage unit in advance.

For example, it is assumed that the detection signal input to the input unit 101 includes information that the attack target ECU is the meter ECU. By referring to the design information in FIG. 3, the control unit 103 can see that the meter ECU is associated with the image display unit. Therefore, the control unit 103 may have affected the image display unit due to an attack on the meter ECU. Therefore, "There is a possibility that the display on the meter panel has been affected. 』Generate abstract experience information with the content.

The abstract experience information is a limit event specified by the type of attack target ECU and UI, and while the specific experience information described later is a detailed event, it is a more general event than the specific experience information. This is information indicating.

The abstract experience information may be read out in advance in the storage unit 102 according to the combination of the types of the attack target ECU and the UI, or in response to the UI. Of course, it may be used as design information including abstract experience information. Alternatively, the control unit 103 may generate new abstract experience information by itself based on artificial intelligence (AI) or machine learning.

The following are examples of abstract experience information.
If there is a possibility that the image display section has been affected, the corresponding to the image display section, "There is a possibility that the display has been affected. 』To generate abstract experience information. In addition, there is a possibility that the display of "*** may have been affected" according to the combination of the attack target ECU and the image display unit. 』To generate abstract experience information. “***” is information specified from the attack target ECU, and can be, for example, a “meter panel” in the case of a meter ECU and a “head-up display” in the case of a head-up display ECU.

If there is a possibility that the operation input section has been affected, the corresponding to the operation input section, "There is a possibility that the operation status has been affected. 』To generate abstract experience information. Also, depending on the combination of the attack target ECU and the operation input unit, "*** operation may have been affected. 』To generate abstract experience information. "***" is information specified from the attack target ECU. For example, in the case of an EPS ECU, it can be "power steering", and in the case of a car navigation ECU that controls a navigation system, it can be "input to the navigation system". ..

If there is a possibility that the audio output section has been affected, the corresponding to the audio output section, "There is a possibility that the audio has been affected. 』To generate abstract experience information. Also, depending on the combination of the attack target ECU and the voice output unit, "*** voice may have been affected. 』To generate abstract experience information. "***" is information specified by the attack target ECU, and can be "guidance" in the case of a car navigation ECU, for example.

If there is a possibility that the voice input section has been affected, the corresponding to the voice input section, "The result of voice input may have been affected. 』To generate abstract experience information. In addition, depending on the combination of the attack target ECU and the voice input unit, the result of "*** voice input may have been affected. 』To generate abstract experience information. “***” is information specified by the attack target ECU, and can be, for example, “destination information” in the case of a car navigation ECU.

These are examples when the attack target ECU is specified, but the same applies even when the attack target signal is specified. For example, it is assumed that the detection signal input to the input unit 101 includes information that the attack target signal is cruise control SW information. By referring to the design information in FIG. 3, the control unit 103 can see that the ECU that receives the cruise control SW information is associated with the meter ECU and the EPS ECU. Therefore, the control unit 103 may have affected the image display unit via the meter ECU, so "There is a possibility that the meter display has been affected. 』Generate abstract experience information with the content. In addition, the control unit 103 may have affected the operation input unit via the EPS ECU, so "There is a possibility that the operation of the power steering has been affected. 』Generate abstract experience information with the content.

The output unit 104 outputs the abstract experience information generated by the control unit 103. The output destination can be, for example, an external storage device such as a display, a printer, or a hard disk, another server, or a personal computer (PC). Alternatively, it may be transmitted to the terminal device 200 or the vehicle equipped with the terminal device 200.

The cyber attack analysis support device 100 is composed of a general-purpose CPU (Central Processing Unit), volatile memory such as RAM, non-volatile memory such as ROM, flash memory, or hard disk, various interfaces, and an internal bus connecting them. be able to. Then, by executing the software on these hardware, it can be configured to exert the function of each functional block shown in FIG. The same applies to the terminal device 200 shown in FIG. 4 described later and the cyber attack analysis support device of another embodiment.
Of course, the cyber attack analysis support device 100 or the terminal device 200 may be realized by dedicated hardware such as an LSI.

(3) Configuration of Terminal Device The configuration of the terminal device 200 of the present embodiment will be described with reference to FIG.
The terminal device 200 has a meter ECU 201, an EPS ECU 202, a vehicle body ECU 203, a CGW 204, and a communication ECU 205 as an electronic control device (corresponding to a “constituent device”).

These ECUs are connected to each other by an in-vehicle network. For example, in addition to communication methods such as CAN (Controller Area Network) and LIN (Local Interconnect Network), Ethernet (registered trademark), Wi-Fi (registered trademark), and Bluetooth ( Any communication method such as (registered trademark) can be used.

The terminal device 200 is "mounted" on a vehicle that is a "mobile body" in this embodiment. However, the terminal device 200 does not necessarily have to be mounted on the moving body, and may be mounted on a fixed object.

Here, the "moving body" refers to a movable object, and the moving speed is arbitrary. Of course, it also includes the case where the moving body is stopped. For example, including, but not limited to, automobiles, motorcycles, bicycles, pedestrians, ships, aircraft, and objects mounted on them.
The term "mounted" includes the case where it is directly fixed to the moving body and the case where it is not fixed to the moving body but moves together with the moving body. For example, it may be carried by a person riding on a moving body, or it may be mounted on a cargo placed on the moving body.

The meter ECU 201 controls the display on the front panel of the vehicle. The EPSECU 202 controls the electric power steering. The vehicle body ECU 203 controls the vehicle body. Then, each ECU transmits data according to the function of each ECU. For example, when CAN is used in the in-vehicle network, CAN data conforming to the CAN format is transmitted. In the present embodiment, CAN data is taken as an example, but this is an example, and any data format can be adopted.
In addition, each ECU analyzes CAN data, generates an event log, and transmits it. The event log includes, for example, a security event log generated when each ECU detects an abnormality in each ECU based on CAN data.

In addition, the terminal device 200 can be configured by any ECU. For example, a drive system electronic control device that controls an engine, a handle, a brake, etc., a vehicle body system electronic control device that controls a meter, a power window, etc., an information system electronic control device such as a navigation device, or an obstacle or a pedestrian. An example is a safety control system electronic control device that controls to prevent a collision with the vehicle. Further, the ECUs may be classified into a master and a slave instead of being parallel to each other.

The CGW 204 has an event log collection unit 206 that collects event logs from each ECU, and a detection information generation unit 207 that generates detection information from the event log.

The event log collecting unit 206 collects event logs from the meter ECU 201, the EPS ECU 202, and the vehicle body ECU 203. Then, the collected event log is output to the detection information generation unit 207.

The detection information generation unit 207 generates detection information based on the event log input from the event log collection unit 206. For example, detection information is generated in which the ECU that detects the abnormality is the attack target ECU and the signal in which the abnormality is detected is the abnormality detection signal.

The communication ECU 205 transmits the detection information generated by the detection information generation unit 207 to the cyber attack analysis support device 100 via the communication network 10. The timing of transmitting the detection information may be periodically and voluntarily transmitted by the vehicle side, or may be transmitted in response to a request from the cyber attack analysis support device 100. The timing of the request from the cyber attack analysis support device 100 may be periodic or when a cyber attack is detected.

In the present embodiment, the event log collecting unit 206 and the detection information generating unit 207 are provided in the CGW 204, but these may be provided in an ECU other than the CGW 204. For example, it may be provided in a dedicated detection information generation ECU or a communication ECU 205.

(4) Operation of Cyber Attack Analysis Support Device The operation of the cyber attack analysis support device 100 will be described with reference to the flowchart of FIG.
The following operation not only shows the cyber attack analysis support method in the cyber attack analysis support device 100, but also shows the processing procedure of the cyber attack analysis support program executed by the cyber attack analysis support device 100.
And these processes are not limited to the order shown in FIG. That is, the order may be changed as long as there is no restriction that the result of the previous step is used in a certain step.
As described above, the same applies not only to this embodiment but also to other embodiments and modifications.

The detection information transmitted from the terminal device 200 via the communication network is input to the input unit 101 of the cyber attack analysis support device 100 (S101). For example, in the present embodiment, it is assumed that the detection information includes information that the attack target signal is cruise control SW information.

The control unit 103 reads the design information from the storage unit 102 (S102).

The control unit 103 identifies the attack target configuration device or the attack target signal that is the target of the cyber attack based on the detection information input in S101, and also refers to the design information to the user of the terminal device 200 due to the influence of the cyber attack. Generates abstract experience information, which is an event presumed to have been experienced by (S103). In the present embodiment, cruise control SW information is extracted from the detection information as an attack target signal. Then, referring to the design information of FIG. 3 read out in S102, it is specified that the ECUs that receive the cruise control SW information are the meter ECU and the EPS ECU, and the UI associated with these is the image display unit and the operation input. Identify as a department. Then, in response to the image display section, "There is a possibility that the meter display has been affected. 』Generate abstract experience information with the content. Also, in response to the operation input section, "There is a possibility that the operation of the power steering has been affected. 』Generate abstract experience information with the content.

The output unit 104 outputs the abstract experience information generated in S103 (S104).

(5) Summary As described above, according to the cyber attack analysis support device 100 of the present embodiment and the method and program executed by the device, the design information describing the relationship between the component device and the UI of the component device. By using, it is possible to reproduce a problem event that is presumed to have been experienced by the user.

2. Embodiment 2
(1) Configuration of Cyber Attack Analysis Support Device In the first embodiment, the cyber attack analysis support device 100 generates and outputs abstract experience information with reference to design information. In this embodiment, an example of generating and outputting specific experience information by further referring to the state information is shown.
Also in this embodiment, the overall relationship between the cyber attack analysis support device and the terminal device is the same as that shown in FIG. Further, for the same configuration, function, and data as those described in the first embodiment, the description of the first embodiment is quoted.

The configuration of the cyber attack analysis support device 120 of the present embodiment of the present embodiment will be described with reference to FIG.
The cyber attack analysis support device 100 includes an input unit 121, a storage unit 122, a control unit 123, and an output unit 124.

In addition to the detection information, the "detection time" transmitted from the terminal device 200 is input to the input unit 121. The detection time refers to the time when the detection information is detected. The detection information is the same as that described in the first embodiment. The detection information generation unit 207 of the terminal device 200 generates the time when the abnormality is detected as the detection time based on the event log.

Here, the "detection time" may be the value of the timer counting from the reference time or the value of the counter indicating the order, in addition to the absolute time.

In addition to the design information, the storage unit 122 stores state information indicating the content of the signal at a specific time.

FIG. 7 shows a specific example of the design information of the present embodiment.
In the state information, the specific contents of the signals received or transmitted by each ECU constituting the terminal device 200 are stored in association with the time when each event occurs. For example, in the event of event number 1 that occurred at 17:20:31 on December 17, the door open / closed state information indicates that the door is open, while the cruise control SW information activates the cruise control function. As for the air conditioner temperature information, 30 that the set temperature of the air conditioner is 30 degrees Celsius is stored.

As the state information, when CAN is used in the in-vehicle network of the terminal device 200, CAN data conforming to the CAN format can be used as it is. That is, the state information transmitted from the terminal device 200 is input to the input unit 121 as detection information or separately from the detection information.

Other examples of signals that can be included in the status information are running status signals (high speed running, low speed running, stop), power status signals (ACC ON / OFF, IG ON / OFF, READY ON / OFF), shift status signals. (P / D / B / N / R), body switch status signal (blower air volume, A / C ON / OFF, temperature, each door open / closed), light status signal (light OFF / Lo / Hi, front / rear fog) ON / OFF). In addition, a signal indicating a signal waiting state at an intersection, an ACC operation signal, a lane keep assist signal, a pre-crash safety signal, and the like may be included.

Similar to the first embodiment, the control unit 123 identifies the attack target signal that is the target of the cyber attack "based on" the detection information input from the input unit 121. Also in the case of this embodiment, since the detection signal includes the information indicating the attack target signal, the attack target signal may be extracted from the detection signal.

Then, the control unit 123 refers to the state information in FIG. 7 and the detection time input to the input unit 121, and is presumed to have been experienced by the driver of the vehicle who is the user of the terminal device 200 due to the influence of the cyber attack. Generate concrete experience information that is a specific event.
In the case of the present embodiment, the control unit 123 may generate the abstract experience information described in the first embodiment in addition to the specific experience information.

For example, it is assumed that the detection signal input to the input unit 121 includes information that the attack target signal is the air conditioner temperature information. By referring to the content of the event time signal corresponding to the detection time in the design information of FIG. 7, the control unit 123 can see that the air conditioner temperature information is 30 degrees Celsius. Therefore, the control unit 123 says, "There is a possibility that the air conditioner temperature display is 30 ° C. 』Generate specific experience information with the content.

The specific experience information is an event specified from the content of each signal, and is a more specific event than the above-mentioned abstract experience information.

Specific experience information may also be read out in advance generated and stored in the storage unit 122 according to each signal type. Of course, the state information may include specific experience information. Alternatively, the control unit 123 may generate new specific experience information by itself based on artificial intelligence (AI) or machine learning.

The following are examples of specific experience information.
When the door open / closed status information is the target of an attack, the contents of the door open / closed status information are read from the status information, and "The door may be displayed as open. 』Generate specific experience information. Also, if the cruise control SW information is the target of an attack, the contents of the cruise control SW information may be read from the status information and "The cruise control function may be displayed as ON. 』Generate specific experience information. When the air conditioner temperature information is the target of the attack, the contents of the air conditioner temperature information are read from the status information and "The air conditioner temperature display may be *** ° C." 』Generate specific experience information. “***” is the content of the air conditioner temperature information, which is 30 in the case of FIG.

The output unit 124 outputs the specific experience information generated by the control unit 123. In the present embodiment, when the control unit 123 generates the abstract experience information, the output unit 124 may output the abstract experience information in addition to the concrete experience information. That is, the output unit 124 outputs specific experience information in addition to or in place of the abstract experience information. The output destination is the same as that of the first embodiment.

(2) Operation of Cyber Attack Analysis Support Device The operation of the cyber attack analysis support device 120 will be described with reference to the flowchart of FIG.

The detection information and the detection time transmitted from the terminal device 200 via the communication network are input to the input unit 121 of the cyber attack analysis support device 120 (S121). For example, in the present embodiment, it is assumed that the detection information includes information that the attack target signal is the air conditioner temperature information.

The control unit 123 reads the design information from the storage unit 122 (S122).

The control unit 123 identifies the attack target configuration device or the attack target signal that is the target of the cyber attack based on the detection information input in S121, and also refers to the design information to the user of the terminal device 200 due to the influence of the cyber attack. Generates abstract experience information, which is an event presumed to have been experienced by (S123). In the present embodiment, the air conditioner temperature information is extracted from the detection information as an attack target signal. Then, referring to the design information of FIG. 3 read out in S122, it is specified that the ECU that receives the air conditioner temperature information is the meter ECU, and the UI associated with these is the image display unit. Then, in response to the image display section, "There is a possibility that the meter display has been affected. 』Generate abstract experience information with the content. Alternatively, in response to the image display and air conditioner temperature information, "There is a possibility that the air conditioner temperature display has been affected. 』Generate abstract experience information with the content.

The control unit 123 reads the state information from the storage unit 122 (S124).

The control unit 123 identifies the attack target signal that is the target of the cyber attack based on the detection information input in S121, and the user of the terminal device 200 experiences the influence of the cyber attack by referring to the state information and the detection time. Generate specific experience information, which is a specific event presumed to have occurred (S125). In the present embodiment, the air conditioner temperature information is extracted from the detection information as an attack target signal. Then, referring to the state information of FIG. 7 read in S124 and the detection time input in S121, it is specified that the air conditioner temperature information is 30 degrees Celsius. Then, it generates specific experience information with the content that "the air conditioner temperature display may be 30 ° C".

The output unit 104 outputs the abstract experience information generated in S123 and the specific experience information generated in S125 (S126).

In the above example, the case where both the abstract experience information and the specific experience information are output has been described, but only the specific experience information may be output. In this case, S122 and S123 are unnecessary.

Further, these processes are not limited to the order shown in FIG. That is, the order may be changed as long as there is no restriction that the result of the previous step is used in a certain step. For example, S123 and S124 may be rearranged in order. Further, S122 and S124 may be executed at the same time.

(3) Summary In this embodiment, since the concrete experience information, which is more specific information than the abstract experience information, is output by using the state information, the problem phenomenon presumed to have been experienced by the user is reproduced. Can be done more concretely.

3. 3. Embodiment 3
(1) Configuration of Cyber Attack Analysis Support Device In the first and second embodiments, as shown in FIG. 1, the terminal device 200 is mounted on the vehicle, and the cyber attack analysis support device is provided outside the vehicle.
In this embodiment, not only the terminal device 200 but also the cyber attack analysis support device 140 is mounted on the same vehicle.

The relationship between the cyber attack analysis support device 140 and the terminal device 200 of the present embodiment will be described with reference to FIG.
The cyber attack analysis support device 140 is mounted on a vehicle that is the same mobile body as the terminal device 200. Here, the cyber attack analysis support device 140 may be either the cyber attack analysis support device 100 of the first embodiment or the cyber attack analysis support device 120 of the second embodiment.

The cyber attack analysis support device 140 and the terminal device 200 use, for example, communication methods such as CAN and LIN, as well as arbitrary communication methods such as Ethernet (registered trademark), Wi-Fi (registered trademark), and Bluetooth (registered trademark). Is connected.

In particular, when an in-vehicle network such as CAN or LIN is used, the cyber attack analysis support device 140 can be grasped as an ECU as one constituent device of the terminal device 200.

The output unit 104 or the output unit 124 of the cyber attack analysis support device 140 may output abstract experience information or specific experience information to a server device or the like outside the vehicle.

(2) Summary In the present embodiment, by mounting the cyber attack analysis support device in the same vehicle as the terminal device, the processing can be completed in the same vehicle and the load on the communication network can be reduced. ..

4. Modifications of Each Embodiment In the present embodiment, detection transmitted from the terminal device 200 to any of the cyber attack analysis support devices (hereinafter, referred to as a cyber attack analysis support device 100) according to any one of the first to third embodiments. The explanation will focus on variations of information.

(1) When the detection information is CAN data Even if the detection information transmitted from the terminal device 200 to the cyber attack analysis support device 100 is CAN data transmitted periodically or irregularly by each ECU constituting the terminal device 200. good.

In the case of this modification, the event log collection unit 206 of the terminal device 200 collects CAN data from each ECU and outputs it to the detection information generation unit 207. The detection information generation unit 207 outputs the CAN data input from the event log collection unit 206 to the communication ECU 205 as it is. The communication ECU 205 transmits CAN data as detection information to the cyber attack analysis support device 100 via the communication network 10. That is, in this case, it is not necessary for each ECU to generate an event log.

The control unit 103 of the cyber attack analysis support device 100 identifies the attack target ECU or the attack target signal by, for example, statistically analyzing the CAN data which is the detection information input to the input unit 101.
The attack target ECU and the attack target signal may be specified by first generating an event log which is an intermediate product by statistically analyzing the CAN data and then analyzing the event log.

In the case of this modification, since the detection information and the state information match, it is sufficient to transmit only the CAN data which is the detection information from the terminal device 200 to the cyber attack analysis support device 100, and it is necessary to separately transmit the state information. There is no.

(2) When the detection information is an event log The detection information transmitted from the terminal device 200 to the cyber attack analysis support device 100 may be an event log generated by each ECU constituting the terminal device 200.

In the case of this modification, the event log collecting unit 206 of the terminal device 200 collects the event log generated by each ECU and outputs it to the detection information generating unit 207. The detection information generation unit 207 outputs the event log input from the event log collection unit 206 to the communication ECU 205 as it is. The communication ECU 205 transmits the event log as detection information to the cyber attack analysis support device 100 via the communication network 10. The event log is, for example, a data string consisting of an ECU name-event content-error information-event time, but it is not necessary to have all of this information, and information other than these may be included.

The control unit 103 of the cyber attack analysis support device 100 identifies the attack target ECU or the attack target signal by, for example, statistically analyzing the event log which is the detection information input to the input unit 101.

In the case of this modification, since the detection information and the state information do not match, CAN data, which is the state information, is separately transmitted from the terminal device 200 to the cyber attack analysis support device 100.

(3) When the detection information is an analysis result The detection information transmitted from the terminal device 200 to the cyber attack analysis support device 100 is the result of analyzing the event log generated by each ECU constituting the terminal device 200. It may be information that identifies the attack target ECU and the attack target signal. This modification is the same as the example described in the first and second embodiments.

In the case of this modification, the event log collecting unit 206 of the terminal device 200 collects the event log generated by each ECU and outputs it to the detection information generating unit 207. The detection information generation unit 207 analyzes the event log input from the event log collection unit 206, generates information for identifying the attack target ECU and the attack target signal, and outputs this as a detection signal to the communication ECU 205. The communication ECU 205 transmits the detection information to the cyber attack analysis support device 100 via the communication network 10.

The control unit 103 of the cyber attack analysis support device 100 extracts the attack target ECU or the attack target signal from the detection information input to the input unit 101, and identifies the attack target ECU or the attack target signal.

In the case of this modification as well, since the detection information and the state information do not match, CAN data, which is the state information, is separately transmitted from the terminal device 200 to the cyber attack analysis support device 100.

(4) Specific Example of Identifying Attack Target ECU or Attack Target Signal An example of a method of specifying an attack target ECU from an event log will be described.
The ECU of the terminal device 200 includes a security sensor, and the security sensor detects a security abnormality and generates an event log. As an example of the event log, a data string including the ECU name-event content-error information-event time is generated. When each ECU generates an event log, the ECU that generated the event log may be the attack target ECU. However, there is a possibility that the security sensor operates due to a cause other than a cyber attack, such as a failure, and an event log is generated. Therefore, in order to identify whether the cause of the event log generation is a failure or a cyber attack, the diagnostic information at the same time as the event log generation time is confirmed. If there is no diagnostic information of the ECU that generated the event log, it is highly possible that the event log was generated by a cyber attack rather than a failure, so the ECU that generated the event log is set as the attack target ECU. If there is diagnostic information of the ECU that generated the event log, it is highly possible that the event log was generated due to a failure, so the ECU that generated the event log is not specified as the attack target ECU.

An example of how to identify the attack target signal from the event log will be described.
For example, when the CGW 204 of the terminal device 200 includes a network type IDS (Intrusion Detection System), the CGW 204 detects a security abnormality and generates an event log. As an example of the event log, a data string including signal name-event content-error information-event time is generated. Then, the signal name included in the event log is specified as the attack target signal.

The attack target ECU and the attack target signal are specified by the control unit 103 when the cyber attack analysis support device 100 is used, and by the detection information generation unit 207 when the terminal device 200 is used. For example, in the case of (1) and (2) described above, the control unit 103 is specified, and in the case of (3) described above, the detection information generation unit 207 is specified.

(5) Summary As described above, according to these modified examples, whether the processing from the CAN data to the identification of the attack target ECU or the attack target signal is performed on the terminal device 200 side or the cyber attack analysis support device 100 side. Can be appropriately distributed, and the balance between the network load and the load of the terminal device 200 can be adjusted.

5. Use of Abstract Experience Information and Specific Experience Information A method of using abstract experience information and specific experience information will be described with reference to FIG.

FIG. 10A is a report prepared based on complaints from drivers of automobile manufacturers and automobile dealers. In addition to the VIN that identifies the vehicle, the report describes the situation in which a cyber attack occurred, which was obtained by hearing from the driver. Specifically, the date and time when the phenomenon occurred, which is the date and time when the cyber attack occurred, and the phenomenon that seems to be a cyber attack are described as the driver's experience.

FIG. 10B is an output of the cyber attack analysis support device of each embodiment. In addition to the VIN that identifies the vehicle, the output includes the date and time when the phenomenon occurred, cyber attack event information, and abstract experience information and specific experience information. As the phenomenon occurrence date and time, for example, the detection time may be output. The cyber attack event information indicates the cause of the problem event, and for example, CAN data or an event log is output.

Comparing the report of FIG. 10 (a) and the output of FIG. 10 (b), the VINs match, and the date and time when the phenomenon occurs are often vaguely matched. Moreover, while the driver's experience is subjective information acquired by the driver's five senses, cyber attack event information is objective information acquired by the device, so it is difficult to link it.

However, by including the abstract experience information and the concrete experience information in the output of FIG. 10B, the abstract experience information and the concrete experience information are the same kind of information as the subjective information based on the driver's experience. Therefore, it becomes easy to link the abstract experience information and the concrete experience information with the driver's experience. Then, the driver's experience and the cyber attack event information can be linked through the abstract experience information and the concrete experience information. This makes it possible to identify and analyze the cyberattack that caused the driver's complaint.

3. 3. Summary The features of the cyber attack analysis support device and the like in each embodiment of the present invention have been described above.

Since the terms used in each embodiment are examples, they may be replaced with synonymous terms or terms including synonymous functions.

The block diagram used in the description of the embodiment is a classification and arrangement of the configuration of the device according to the function. The blocks showing each function are realized by any combination of hardware or software. Further, since the block diagram shows the function, the block diagram can be grasped as the disclosure of the invention of the method and the invention of the program that realizes the method.

The order of the processes, flows, and functional blocks that can be grasped as a method described in each embodiment is changed unless there is a restriction that one step uses the results of other steps in the previous step. May be good.

The terms first, second, and N (where N is an integer), which are used in each embodiment and in the claims, are used to distinguish two or more configurations and methods of the same type. , Does not limit the order or superiority or inferiority.

Each embodiment is premised on a terminal device for a vehicle mounted on a vehicle, but the present invention also includes a dedicated or general-purpose terminal device other than that for a vehicle, unless otherwise limited within the scope of the claims. ..

In each embodiment, the description has been made on the premise that the terminal device disclosed in each embodiment is mounted on the vehicle, but it may be assumed that the pedestrian possesses the terminal device.

Further, as an example of the form of the cyber attack analysis support device and the terminal device of the present invention, the following can be mentioned.
Examples of the form of the component include a semiconductor element, an electronic circuit, a module, and a microcomputer.
Examples of the semi-finished product include an electronic control unit (ECU) and a system board.
Examples of finished products include mobile phones, smartphones, tablets, personal computers (PCs), workstations, and servers.
In addition, it includes a device having a communication function and the like, and examples thereof include a video camera, a still camera, and a car navigation system.

In addition, necessary functions such as an antenna and a communication interface may be added to the cyber attack analysis support device and the terminal device.

It is assumed that the cyber attack analysis support device of the present invention is used for the purpose of providing various services. With the provision of such a service, the cyber attack analysis support device of the present invention is used, the method of the present invention is used, and / and the program of the present invention is executed.

In addition, the present invention can be realized not only by the dedicated hardware having the configuration and the function described in each embodiment, but also a program for realizing the present invention recorded on a recording medium such as a memory or a hard disk, and a program thereof. It can also be realized as a combination with an executable dedicated or general-purpose CPU and general-purpose hardware having a memory or the like.

Programs stored in a non-transitional substantive recording medium of dedicated or general-purpose hardware (for example, an external storage device (for example, hard disk, USB memory, CD / BD, etc.) or an internal storage device (RAM, ROM, etc.)) It can also be provided to dedicated or general-purpose hardware via a recording medium or via a communication line from a server without a recording medium. This ensures that you always have the latest features through program upgrades.

Although the cyber attack analysis support device of the present invention has been described on the premise that it is mainly connected to a terminal device mounted on an automobile, it may be connected to a normal computer not mounted on the automobile.
Further, a device used for various purposes such as a mobile phone, a tablet, and a game machine can be used as a terminal device.

100 Cyber attack analysis support device, 101 input unit, 102 storage unit, 103 control unit, 104 output unit, 200 terminal device

Claims (8)

An input unit (101) into which detection information transmitted from a terminal device (200) is input via a communication network, and an input unit (101).
A storage unit (102) that stores design information in which signals received by the constituent devices constituting the terminal device and the relationship between the constituent devices and the user interface of the constituent devices are described.
Based on the detection information, the attack target configuration device or the attack target signal that is the target of the cyber attack is specified, and the user of the terminal device is presumed to have experienced due to the influence of the cyber attack by referring to the design information. A control unit (103) that generates some abstract experience information,
A cyber attack analysis support device (100) having an output unit (104) that outputs the abstract experience information. The user interface is at least one of an image display unit, an operation input unit, a voice output unit, or a voice input unit.
The cyber attack analysis support device according to claim 1. The detection time is further input to the input unit, and the detection time is further input.
The storage unit (122) further stores state information indicating the content of the signal at a specific time, and stores the state information.
The control unit (123) identifies an attack target signal that is the target of a cyber attack based on the detection information, and the user of the terminal device experiences the influence of the cyber attack by referring to the state information and the detection time. Generate specific experience information, which is a specific event that is presumed to have occurred,
The output unit outputs the specific experience information in addition to or in place of the abstract experience information.
The cyber attack analysis support device (120) according to claim 1. The state information transmitted from the terminal device is further input to the input unit.
The cyber attack analysis support device according to claim 1. The terminal device is mounted on a mobile body.
The cyber attack analysis support device according to claims 1 to 4. The cyber attack analysis support device is mounted on the same mobile body as the terminal device.
The cyber attack analysis support device (140) according to claim 5. The detection information transmitted from the terminal device via the communication network is input (S101),
Read the design information describing the signal received by the constituent device constituting the terminal device and the relationship between the constituent device and the user interface of the constituent device from the storage unit (S102).
Based on the detection information, the attack target configuration device or the attack target signal that is the target of the cyber attack is specified, and the user of the terminal device is presumed to have experienced due to the influence of the cyber attack by referring to the design information. Generate some abstract experience information (S103),
Outputting the abstract experience information (S104),
Cyber attack analysis support method. The detection information transmitted from the terminal device via the communication network is input (S101),
Read the design information describing the signal received by the constituent device constituting the terminal device and the relationship between the constituent device and the user interface of the constituent device from the storage unit (S102).
Based on the detection information, the attack target configuration device or the attack target signal that is the target of the cyber attack is specified, and the user of the terminal device is presumed to have experienced due to the influence of the cyber attack by referring to the design information. Generate some abstract experience information (S103),
Outputting the abstract experience information (S104),
A cyber attack analysis support program that can be executed by a cyber attack analysis support device.

Images