JP2022007238A - Information processing device, information processing method and program - Google Patents

Abstract

To provide an information processing device that can enhance security measures.SOLUTION: An information processing device 10 includes: a pattern storage unit 105 which stores patterns indicating attacks with respect to abnormality occurring parts and abnormality contents at the abnormality occurring parts; a log acquisition unit 108 which acquires a log pertaining to a phenomenon that has occurred in a mobility network; and a determination unit 106 which determines whether an attack is underway on the basis of phenomenon occurring parts and phenomenon contents included in the log and the patterns stored in the pattern storage unit 105.SELECTED DRAWING: Figure 1

Description

The present disclosure relates to information processing devices, information processing methods and programs.

Patent Document 1 proposes a detection device for correctly detecting an unauthorized message in an in-vehicle communication network. The detection device described in Patent Document 1 calculates a message transmission interval for each CANID in advance, confirms the height in the stored histogram, and determines that the height is normal if the height is equal to or higher than the threshold value and invalid if the height is lower than the threshold value. ..

JP-A-2018-46432

However, in a configuration that detects fraud based on changes in the transmission cycle, such as the detection device described in Patent Document 1, it is necessary to identify whether it is a fraudulent attack or another abnormality such as a bug, failure, or disturbance. Is difficult, and there is a possibility that bugs and failures are falsely detected as attacks, and there is a problem that security measures are not always sufficient.

Therefore, the present disclosure provides an information processing device, an information processing method, and a program capable of enhancing security measures.

The information processing apparatus according to one aspect of the present disclosure has a pattern storage unit that stores a pattern indicating an attack regarding an abnormality occurrence location and an abnormality content at the abnormality occurrence location, and a log that acquires a log regarding an event that has occurred in a mobility network. An acquisition unit, a determination unit for determining whether or not an attack has occurred, based on the location where the event occurred and the content of the event included in the log, and the pattern stored in the pattern storage unit. , Equipped with.

It should be noted that these comprehensive or specific embodiments may be realized by a recording medium such as a system, a method, an integrated circuit, a computer program, or a computer-readable CD-ROM (Compact Disc-Read Only Memory). It may be realized by any combination of a system, a method, an integrated circuit, a computer program and a recording medium.

According to the information processing device or the like according to one aspect of the present disclosure, security measures can be enhanced.

FIG. 1 is a diagram showing an example of an information processing system including an information processing device according to an embodiment. FIG. 2 is a diagram schematically showing an example of a functional block of the information processing apparatus according to the embodiment. FIG. 3 is a diagram showing an example of a pattern showing an attack with respect to an abnormality occurrence location and an abnormality content at the abnormality occurrence location. FIG. 4 is a diagram showing an example of an abnormality log. FIG. 5 is a flowchart showing an example of the flow of processing by the information processing apparatus according to the embodiment. FIG. 6 is a diagram showing an image of unauthorized access from the outside by an attacker. FIG. 7 is a diagram for explaining the correction of the log order.

The information processing apparatus according to one aspect of the present disclosure has a pattern storage unit that stores a pattern indicating an attack regarding an abnormality occurrence location and an abnormality content at the abnormality occurrence location, and a log that acquires a log regarding an event that has occurred in a mobility network. An acquisition unit, a determination unit for determining whether or not an attack has occurred, based on the location where the event occurred and the content of the event included in the log, and the pattern stored in the pattern storage unit. , Equipped with.

According to the above aspect, the information processing apparatus determines whether or not an event that has occurred in the mobility network has been attacked, including not only information about the location of the event but also the content of the event that has occurred. Can be done. As a result, when the information processing device integrates the detection results of an abnormality detector such as IDS and makes a fraud determination, the information processing device comprehensively considers the contents of the abnormality, so that the dependence on the detection result by the abnormality detector is reduced. It is possible to appropriately determine whether or not an unauthorized attack has been received.

For example, whether or not the determination unit has been attacked based on the result of comparing the location of the event and the content of the event included in the log with the pattern stored in the pattern storage unit. It may be configured to determine whether or not.

According to the above aspect, the information processing apparatus determines whether or not it has been attacked based on the result of comparing the occurrence location and the content of the event included in the log with the pattern stored in the pattern storage unit. do. As a result, it is possible to more appropriately determine whether or not an unauthorized attack has been received.

For example, as a result of comparing the occurrence location of the event and the content of the event included in the log with the pattern stored in the pattern storage unit, the determination unit determines the degree of matching indicating the degree of matching. If it exceeds the threshold value of, it may be configured to determine that it is under attack.

According to the above aspect, as a result of comparing the occurrence location and the content of the event included in the log with the pattern stored in the pattern storage unit, the information processing apparatus sets a predetermined threshold value for the matching degree indicating the degree of matching. If it exceeds, it is judged that it is under attack. As a result, it is possible to more appropriately determine whether or not the user has been subjected to an unauthorized attack.

For example, the log acquisition unit may be configured to acquire abnormality detection information from an abnormality detector connected to the mobility network as the log.

According to the above aspect, the information processing device, as a device having an integrated monitoring function, collects abnormality detection information from an abnormality detector connected to the mobility network as a log, and detects various abnormalities connected to the mobility network. It is possible to determine whether or not an attack has been made after comprehensively considering the information. As a result, it is possible to improve the accuracy of determination as to whether or not an unauthorized attack has been received. In addition, if the judgment is made based only on the location of the event included in the log, even if it is correct that the event related to the abnormality is detected by the abnormality detector, if the content of the event cannot be detected correctly, it is detected. I can't realize that the content of the event was wrong. However, by making a judgment based on the location of the event and the content of the event included in the log, what kind of false detection is made by the anomaly detector when the content of the event is incorrect, although the location of the event is correct. It becomes possible to judge whether or not it has been done. Therefore, according to the above aspect, the information processing apparatus can feed back the information that can be used for updating the detection rule of the abnormality detector.

For example, the information processing apparatus selects the abnormality detection information used as the log when it is determined by the determination unit to be attacked from the abnormality detection information from the abnormality detector. It may be configured to further include an output unit for transmitting to an external device.

According to the above aspect, the information processing device selectively selects the abnormality detection information used as a log when it is determined by the determination unit to be attacked from the abnormality detection information from the abnormality detector. Can be sent to. As a result, it is possible to prevent the abnormality detection information that may be erroneously detected from the log from being transmitted to the SOC server or the like. Therefore, it is possible to prevent unnecessary logs from being uploaded to the server and reduce the amount of communication data.

For example, as a result of comparing the occurrence location of the event and the content of the event included in the log with the pattern stored in the pattern storage unit, the determination unit determines the degree of matching indicating the degree of matching. If the threshold value is not exceeded, it may be configured to determine that the abnormality detection information may be due to false detection in the abnormality detector.

According to the above aspect, as a result of comparing the occurrence location and the content of the event included in the log with the pattern stored in the pattern storage unit, the information processing apparatus sets a predetermined threshold value for the matching degree indicating the degree of matching. If it does not exceed, it can be determined that there is a possibility of false detection. This makes it possible to separate the log indicating that an attack has been received from the log that may be falsely detected, and preferentially upload only information related to events with a high probability of attack to the SOC server. can.

For example, as a result of comparing the occurrence location of the event and the content of the event included in the log with the pattern stored in the pattern storage unit, the determination unit determines the degree of matching indicating the degree of matching. If the threshold value is not exceeded, it may be configured to determine that there is a possibility of an unknown attack or a failure.

According to the above aspect, as a result of comparing the occurrence location and the content of the event included in the log with the pattern stored in the pattern storage unit, the information processing apparatus sets a predetermined threshold value for the matching degree indicating the degree of matching. If it does not exceed, there is a possibility of an unknown attack or a failure. As a result, it is possible to separate the log indicating that the attack has been received from the log indicating the possibility of an unknown attack or the possibility of failure, and preferentially prioritize only the information related to the event with high accuracy of the attack and selectively SOC. Can be uploaded to the server.

For example, the pattern storage unit stores, as the pattern, a pattern defined for the abnormality occurrence location and the abnormality content including the order of occurrence, and the determination unit stores the event included in the log. The location of occurrence of the above and the content of the event may be compared with the pattern including the order of the time series.

According to the above aspect, the information processing apparatus includes the pattern defined for the abnormality occurrence location and the abnormality content including the occurrence order, and the occurrence location of the event included in the log and the event content including the time-series order. Compare with the pattern to determine if you are under attack. As a result, the information processing apparatus can more appropriately determine whether or not it has been subjected to an unauthorized attack.

For example, the information processing apparatus has the time series based on the hierarchical distance from the own device in the network of the occurrence location of the event included in the log and the time when the log was acquired in the own device. It may be configured to further include a correction unit for correcting the order of.

According to the above aspect, the information processing device is based on the hierarchical distance from the own device in the network of the event occurrence location included in the log, that is, the information on the network configuration and the time when the log is acquired in the own device. Correct the time series order to the order in which the event actually occurred. As a result, even if the order in which the events actually occur and the order in which the logs are acquired in the information processing apparatus are different, it is possible to appropriately determine whether or not an unauthorized attack has been received.

The information processing method according to one aspect of the present disclosure is an information processing method in an information processing apparatus provided with a pattern storage unit that stores a pattern related to an attack with respect to an abnormality occurrence location and an abnormality content at the abnormality occurrence location, and is within mobility. Attack based on the log acquisition step of acquiring the log related to the event that occurred in the network, the location where the event occurred and the content of the event included in the log, and the pattern stored in the pattern storage unit. Includes a determination step for determining whether or not the user has received.

According to the above aspect, the same effect as that of the information processing apparatus is obtained.

The program according to one aspect of the present disclosure is a program for executing the above information processing method.

According to the above aspect, the same effect as that of the information processing apparatus is obtained.

It should be noted that these comprehensive or specific embodiments may be realized by a recording medium such as a system, a method, an integrated circuit, a computer program or a computer-readable CD-ROM, and the system, a method, an integrated circuit, or a computer. It may be realized by any combination of a program or a recording medium.

Hereinafter, embodiments will be specifically described with reference to the drawings.

It should be noted that all of the embodiments described below show comprehensive or specific examples. The numerical values, shapes, materials, components, arrangement positions and connection forms of the components, steps, the order of steps, etc. shown in the following embodiments are examples, and are not intended to limit the present disclosure. Further, among the components in the following embodiments, the components not described in the independent claim indicating the highest level concept are described as arbitrary components.

(Embodiment)
First, the configuration of the information processing apparatus 10 according to the embodiment will be described with reference to FIGS. 1 and 2. FIG. 1 is a diagram showing an example of an information processing system including the information processing apparatus 10 according to the embodiment. FIG. 2 is a diagram schematically showing an example of a functional block of the information processing apparatus 10 according to the embodiment.

The information processing system 3 according to the present embodiment includes a vehicle 1 and an external device 2. The vehicle 1 is, for example, an automobile, which is an example of mobility. The external device 2 is, for example, a server of SOC (Security Operation Center), but may be a server for purposes other than SOC, and is not particularly limited.

As shown in FIG. 1, the vehicle 1 includes an information processing device 10, an abnormality detector (IDS: Information Detection System) 20a, 20b, 20c, and a communication device 30.

The information processing device 10 is configured as, for example, an integrated ECU (Electronic Control Unit), but may be configured as a device other than the integrated ECU, and is not particularly limited.

The anomaly detectors 20a, 20b, and 20c are examples, and the vehicle 1 is not limited to three, and the vehicle 1 may be provided with other anomaly detectors. Further, the abnormality detectors 20a, 20b, and 20c are not always provided in the vehicle 1 as independent devices, but may be incorporated in an ECU or the like, or may be incorporated in an information processing device 10. .. The abnormality detectors 20a, 20b, and 20c can detect unauthorized communication, intrusion, and the like, and notify the information processing device 10 of the detection result.

The communication device 30 is, for example, a TCU (Telematics Control Unit). The vehicle 1 can communicate data with the external device 2 via an external network such as the Internet via the communication device 30.

Inside the vehicle 1, the information processing device 10, the abnormality detectors 20a, 20b, 20c, and the communication device 30 are connected by a network capable of communicating with each other. This network is an example of a mobility network.

The information processing apparatus 10 can make an integrated determination regarding unauthorized communication or the like based on the detection results from the abnormality detectors 20a, 20b, and 20c. The information processing device 10 can transmit such a determination result to the external device 2 via the communication device 30.

Further, the information processing device 10 can transmit the detection results acquired from the abnormality detectors 20a, 20b, and 20c as detection logs to the external device 2 via the communication device 30. Further, the information processing device 10 uses various logs related to the vehicle acquired from various devices connected to the mobility network, including IDS, an ECU and a sensor (not shown), as vehicle logs, and is an external device via the communication device 30. Can be sent to 2.

As shown in FIG. 2, the vehicle 1 includes an information processing device 10 (for example, an integrated ECU) and an abnormality detector (for example, IDS) 20a, 20b, 20c. The information processing apparatus 10 includes a detection information receiving unit 101, a log storage unit 102, a correction unit 103, a log extraction unit 104, a pattern storage unit 105, a determination unit 106, and an output unit 107.

The detection information receiving unit 101 acquires a log related to an event that has occurred in the network in the mobility. When the abnormality detectors 20a, 20b, and 20c detect an abnormality, for example, the detection information receiving unit 101 acquires information on the abnormality as detection information. The detection information receiving unit 101 may receive, for example, vehicle information received from an ECU or a sensor (not shown) as detection information. The detection information receiving unit 101 transmits the detection information to the log storage unit 102.

The log storage unit 102, for example, stores the detection information received from the detection information receiving unit 101 as log information in the log storage unit 102. For example, it may be configured as a memory, a solid state drive, a hard disk, or the like. The log storage unit 102 may store the log information including vehicle information received from an ECU or a sensor (not shown), for example.

The correction unit 103 corrects the log information stored in the log storage unit 102. For example, the correction unit 103 corrects the detected order of the logs stored in the log storage unit 102. The details of the correction contents in the correction unit 103 will be described later.

The log extraction unit 104 extracts the log to be determined by the determination unit 106 from the log information stored in the log storage unit 102. The detection information receiving unit 101, the log storage unit 102, and the log extraction unit 104 may be integrally configured, for example, in the form of a log acquisition unit 108, and are not particularly limited.

The pattern storage unit 105 stores the pattern indicating the attack with respect to the abnormality occurrence location and the abnormality content at the abnormality occurrence location. Here, a pattern showing an attack will be described with reference to FIG.

FIG. 3 is a diagram showing an example of a pattern showing an attack with respect to an abnormality occurrence location and an abnormality content at the abnormality occurrence location. In the example shown in FIG. 3, in the attack pattern 1 (an example of the attack pattern), first (Step 1), a port scan occurs in the ECU that controls the IVI (In-System Interface) function, and then (Step 2), then the GW. When an illegal reprogramming occurs in the ECU that controls the (GateWay) function, and finally (Step 3), a command injection occurs in the ECU that controls the ADAS (Advanced Driver Assistance System) function, it is a pattern of being attacked. It shows that.

The determination unit 106 determines whether or not an attack has occurred based on the location and content of the event that occurred in the network in the mobility included in the log and the pattern stored in the pattern storage unit 105.

For example, the determination unit 106 determines whether or not an attack has been received based on the result of comparing the occurrence location and the content of the event included in the log with the pattern stored in the pattern storage unit 105.

For example, the determination unit 106 attacks when the matching degree indicating the degree of matching exceeds a predetermined threshold value as a result of comparing the event occurrence location and event content included in the log with the pattern stored in the pattern storage unit 105. It is determined that the item has been received.

If the judgment is made based only on the occurrence location of the event included in the log, even if it is correct that the event related to the abnormality is detected by the anomaly detector, the detected event is detected when the content of the event cannot be detected correctly. I can't realize that the content of was incorrect. However, by making a judgment based on the location of the event and the content of the event included in the log, what kind of false detection is made by the anomaly detector when the content of the event is incorrect, although the location of the event is correct. It becomes possible to judge whether or not it has been done. Therefore, it is possible to feed back to the update of the detection rule of the abnormality detector in the server or the like.

The determination process in the determination unit 106 will be described more specifically with reference to FIG. 4. FIG. 4 is a diagram showing an example of a log related to an abnormality (abnormality log) among the logs. As shown in FIG. 4, the abnormality log includes the abnormality occurrence location and the abnormality content at the abnormality occurrence location. The abnormality log also includes the detection time.

The detection time here is, for example, the time when the detection information receiving unit 101 receives the detection information. The log storage unit 102 stores log information with this time as the detection time. The log extraction unit 104 extracts a log related to an abnormality (abnormality log) from the log information stored in the log storage unit 102 as a log to be determined by the determination unit 106. The log storage unit 102 may manage a table for each type of log, or may hold a flag indicating the type of log, and is not particularly limited.

The determination unit 106 searches for a pattern (attack pattern) indicating an attack stored in the pattern storage unit 105 from the abnormality log extracted by the log extraction unit 104. The determination unit 106 may search the abnormality log including a pattern similar to the attack pattern. The search for the attack pattern included in the abnormality log by the determination unit 106 may use a known algorithm such as pattern matching.

For example, the determination unit 106 searches the abnormality log shown in FIG. 4 for the same or similar pattern as the attack pattern 1 shown in FIG. In the example shown in FIG. 4, the log surrounded by the broken line (abnormal log matching the attack pattern) matches the attack pattern 1 shown in FIG.

In FIG. 4, the detection time is set to the earliest time in order from the upper line. That is, in the log shown in FIG. 4, the detection time of the first first line (abnormality occurrence location: IVI, abnormality content: port scan) is the earliest time, and the last sixth line (abnormality occurrence location::). The detection time of ADAS ECU, abnormality content: command injection) is the latest time.

In this case, the determination unit 106 determines that the matching degree is 100%. For example, when a value of 100% is set as a predetermined threshold value for the matching degree, the determination unit 106 attacks when a pattern (matching degree = 100%) that completely matches the attack pattern 1 is found. It is determined that the user has received the message.

Regarding pattern matching, it is not necessary to search only for exact matches. For example, when only a series of sequences of abnormality occurrence locations match and the abnormality contents do not match, a search may be performed as a similar pattern.

In this case, for example, in FIG. 4, even if the fifth line is "abnormality occurrence location: GW, abnormality content: access right rewriting", the determination unit 106 is the search target. Then, the matching degree is calculated by a predetermined algorithm.

For example, in the case of a weighting setting that emphasizes that the sequence of abnormal occurrence locations matches, the matching degree is set to 70% when the sequence of abnormality occurrence locations matches, and the rest. 30% of the above may be determined by the matching rate of the abnormality content corresponding to the abnormality occurrence location.

In the above example (when the 5th line is "Abnormality occurrence location: GW, Abnormal content: Access right rewriting"), only one of the three abnormal contents does not match, so the abnormal content is 20%. As the matching degree, it may be determined that the matching degree is 90% in total. In this case, for example, when the predetermined threshold value is set to 95%, the matching degree is 90% (70% + 20%), so that the user is not necessarily attacked (the possibility of not being attacked). There is a possibility of an unknown attack or a failure).

On the other hand, for example, when a predetermined threshold value is set to 80%, it is determined that the user is under attack (high possibility of attack) because the matching degree is 90%.

Note that this example of calculating the degree of matching is a kind of calculation method of the evaluation value of the attack possibility based on the comparison between the attack pattern and the pattern included in the log, and any comparison method or matching is performed according to the specifications. The algorithm may be selected and is not particularly limited. In addition, the evaluation values for the degree of matching and the possibility of other attacks are not limited to those evaluated by percentage, and are evaluated as "high", "medium", and "low" as the possibility of being attacked. Also, it is not particularly limited.

Further, not only the attack pattern but also similar patterns and other patterns are comprehensively stored in the pattern storage unit 105 in advance, and the degree of possibility of attack is set in association with each pattern. It may be configured to be stored, and is not particularly limited. In this case, the determination unit 106 determines the possibility of an attack according to which pattern the log stored in the log storage unit 102 corresponds to in the pattern storage unit 105.

The output unit 107 outputs a determination result or the like regarding the possibility of an attack by the determination unit 106. Information such as the determination result output from the output unit 107 is transmitted to the external device (SOC server) 2 via a network such as the Internet via a communication device such as a TCU.

FIG. 5 is a flowchart showing an example of the flow of processing by the information processing apparatus 10. The processing in the information processing apparatus 10 will be described with reference to FIG.

In the information processing apparatus 10, the detection information receiving unit 101 receives information related to the abnormality from the abnormality detectors 20a, 20b, 20c, etc. as detection information (step S501). The log storage unit 102 stores the detection information received by the detection information receiving unit 101 as log information (step S502).

Subsequently, for example, the correction unit 103 determines at a predetermined timing whether the order of the time series of the log information stored in the log storage unit 102 is correct (step S503). The predetermined timing may be a periodic timing, or may be determined, for example, at a timing requested by the determination unit 106.

If the time-series order of the log information is incorrect (NO in step S503), the correction unit 103 corrects the order of the log information stored in the log storage unit 102 (step S504). Here, the correction of the time-series order of the log information will be described with reference to FIGS. 6 and 7.

FIG. 6 is a diagram showing an image of unauthorized access from the outside by an attacker. The attacker first breaks into the network inside the vehicle from the outside, for example, through the first layer TCU. After that, it invades the ADAS ECU of the third layer via the integrated ECU of the second layer connected to the TCU, and attacks by instructing illegal control to the vehicle via the ADAS ECU.

As shown in FIG. 6, the network inside the vehicle has a hierarchical structure such as the first layer (TCU), the second layer (integrated ECU), and the third layer (ADAS ECU). The hierarchical structure shown in FIG. 6 is an example and is not limited to the three-layer structure.

Further, a plurality of devices may be connected to each layer, and the present invention is not particularly limited. This hierarchical structure is defined as, for example, assuming that the integrated ECU is the Nth layer, the layer of the TCU that is one layer closer to the outside is the N-1th layer, and the layer of the ADAS ECU that is one layer advanced to the inside is the N + 1th layer. can do.

For example, when an attacker invades the network inside the vehicle from the outside, it first invades the first layer, then the second layer, and finally the third layer. That is, when an attack from the outside occurs, an abnormal event occurs in the order closer to the external network, that is, the order of the first layer node, the second layer node, and the third layer node.

By the way, in an integrated ECU such as the information processing device 10, integrated monitoring is performed. That is, log information regarding the detected abnormality is transmitted from each node connected to the network inside the vehicle to the integrated ECU, and the integrated ECU aggregates the log information, integrates them, and comprehensively considers them. It will be determined whether or not the abnormal event is caused by the attack.

As described above, the mobility network inside the vehicle has a hierarchical structure, and there is a hierarchical distance on the network between the integrated ECU and each node. Therefore, the order of timing when the integrated ECU receives information about the abnormality from each node and detects the abnormality, and IDS such as the abnormality detectors 20a, 20b, and 20c incorporated in each node actually detect the abnormality. It may not match the timing order.

Therefore, when the timing of receiving the detection information from each IDS in the integrated ECU is stored in the log storage unit 102 as the detection time in the integrated ECU, the time-series order of the log information is actually an abnormality detected in each IDS. It may not match the order in chronological order.

FIG. 7 is a diagram for explaining the correction of the log order. The log A shown in FIG. 7 is a log showing that the abnormality of "abnormality occurrence location: integrated ECU, abnormality content: command injection" is detected at the timing of the detection time t in the integrated ECU.

In the log B shown in FIG. 7, after the abnormality of the log A is detected, the abnormality of "abnormality occurrence location: TCU, abnormality content: port scan" is detected at the timing of the detection time t + 1 within a certain time. It is a log when it is. The log C shown in FIG. 7 is a log when no other abnormality is detected in the integrated ECU at the timing of the detection time t + 1 within a certain time after the detection of the log A.

In the log B, the log of the port scan in the TCU is t + 1 as the detection time in the integrated ECU, but as described above, the TCU exists in the first layer and within a predetermined time (for example, from the TCU to the integrated ECU). If it occurs within the range expected as the communication time of the above, it is considered that it actually occurs before the command injection in the integrated ECU of the second layer, which is the log of the detection time t. ..

Therefore, in such a case, the correction unit 103 has a log of "abnormality occurrence location: integrated ECU, error content: command injection" at the detection time t, and "abnormality occurrence location: TCU" at the detection time t + 1 within a predetermined time from the log. , Abnormal content: Change the order with the log of "Port scan". At this time, the correction unit 103 may change the time-series order of the logs by adding a sequence number or the like indicating the time-series order.

On the other hand, the log C indicates that no other log exists at the timing of time t + 1 within a certain time after the detection of the log A in the integrated ECU. In this case, the log C is a log in which "abnormality occurrence location: integrated ECU, abnormality content: command injection" occurs in a single shot, or a log that may match the attack pattern in combination with a log at another timing. Alternatively, it is possible that the log is erroneously detected by the integrated ECU.

When the order of the log information in time series is correct (YES in step S503), the log extraction unit 104 extracts the log to be determined from the log storage unit 102 (step S505). For example, when the detection information receiving unit 101 receives the detection information at a certain timing, the log within a predetermined time range is extracted from the log information stored in the log storage unit 102 based on the timing. ..

The determination unit 106 calculates the degree of matching of the log extracted by the log extraction unit 104 with the pattern stored in the pattern storage unit 105 (step S506). Then, the determination unit 106 determines whether or not the matching degree exceeds a predetermined threshold value (step S507).

When the matching degree exceeds a predetermined threshold value (YES in step S507), the determination unit 106 determines that an attack corresponding to the pattern used for calculating and determining the matching degree has occurred (step S508).

On the other hand, when the degree of matching does not exceed a predetermined threshold value (NO in step S507), the determination unit 106 determines that there is a possibility of false detection, unknown attack, failure, or the like in the IDS (step S509).

After that, the output unit 107 outputs the determination result in the determination unit 106 (step S510). For example, the output unit 107 transmits the determination result and the information related to the determination result (detection information regarding the abnormality used as the log targeted for the determination, etc.) to the external device 2 via the external network via the TCU. Send. At this time, the output unit 107 selects the determination result when it is determined that an attack has occurred and the information related to the determination result (detection information regarding the abnormality used as the log targeted for the determination, etc.) and externally. It may be configured to transmit to the device 2.

With such a configuration, it is possible to separate the log indicating that an attack has been received from the log indicating that there is a possibility of false detection or unknown attack or failure, and it is related to an event with high accuracy of attack. Only information can be preferentially uploaded to the SOC server. Therefore, it is possible to prevent unnecessary logs from being uploaded to the server and reduce the amount of communication data.

The determination result when it is determined that there is a possibility of false detection in IDS, unknown attack, failure, etc. is temporarily stored in the storage unit in the vehicle 1, and the external device 2 is stored at another timing. May be sent to. In the external device 2, for example, when the content of the event is erroneous, the detection rule in the abnormality detector can be updated based on the content of the erroneous detection.

Although the information processing apparatus and the information processing method according to one or more embodiments have been described above based on the above-described embodiment, the present disclosure is not limited to the above-described embodiment. As long as it does not deviate from the gist of the present disclosure, a form in which various modifications conceived by those skilled in the art are applied to the above-described embodiment or a form constructed by combining components in different embodiments is also within the scope of one or a plurality of embodiments. May be included within.

In the above embodiment, as an application example of the information processing apparatus according to the present disclosure, application to security measures in an in-vehicle network mounted on a vehicle such as an automobile has been described, but the scope of application of the electronic control system according to the present disclosure is Not limited to this. The electronic control system according to the present disclosure is not limited to vehicles such as automobiles, and may be applied to any mobility such as construction machinery, agricultural machinery, ships, railways, and airplanes.

In the above embodiment, each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory.

Further, a part or all of the functions of the information processing apparatus according to the above embodiment may be realized by executing a program by a processor such as a CPU.

A part or all of the components constituting each of the above devices may be composed of an IC card or a single module that can be attached to and detached from each device. The IC card or the module is a computer system composed of a microprocessor, ROM, RAM and the like. The IC card or the module may include the above-mentioned super multifunctional LSI. When the microprocessor operates according to a computer program, the IC card or the module achieves its function. This IC card or this module may have tamper resistance.

The present disclosure may be the method shown above. Further, it may be a computer program that realizes these methods by a computer, or it may be a digital signal composed of the computer program. Further, the present disclosure discloses a recording medium capable of computer-readable reading of the computer program or the digital signal, such as a flexible disk, a hard disk, a CD-ROM, MO, DVD, a DVD-ROM, a DVD-RAM, or a BD (Blu-ray). It may be recorded in a trademark) Disc), a semiconductor memory, or the like. Further, it may be the digital signal recorded on these recording media. Further, in the present disclosure, the computer program or the digital signal may be transmitted via a telecommunication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like. Further, the present disclosure is a computer system including a microprocessor and a memory, in which the memory stores the computer program, and the microprocessor may operate according to the computer program. Further, it is carried out by another independent computer system by recording and transferring the program or the digital signal on the recording medium, or by transferring the program or the digital signal via the network or the like. It may be.

The information processing device, information processing method and program according to the present disclosure can be applied to, for example, a security system for protecting a vehicle from an unauthorized attack.

1 Vehicle 2 External device 3 Information processing system 10 Information processing device 20a Anomaly detector (IDS)
20b Anomaly detector (IDS)
20c Anomaly detector (IDS)
101 Detection information receiving unit 102 Log storage unit 103 Correction unit 104 Log extraction unit 105 Pattern storage unit 106 Judgment unit 107 Output unit 108 Log acquisition unit

Claims (11)

A pattern storage unit that stores a pattern indicating an attack with respect to the location where the abnormality occurred and the content of the abnormality at the location where the abnormality occurred.
A log acquisition unit that acquires logs related to events that have occurred in the mobility network,
A determination unit for determining whether or not an attack has been made based on the occurrence location of the event included in the log, the content of the event, and the pattern stored in the pattern storage unit is provided.
Information processing equipment. The determination unit determines whether or not the user has been attacked based on the result of comparing the location of the event and the content of the event included in the log with the pattern stored in the pattern storage unit. judge,
The information processing apparatus according to claim 1. As a result of comparing the occurrence location of the event and the content of the event included in the log with the pattern stored in the pattern storage unit, the determination unit determines the degree of matching indicating the degree of matching as a predetermined threshold value. If it exceeds, it is judged that it is under attack,
The information processing apparatus according to claim 2. The log acquisition unit acquires abnormality detection information from an abnormality detector connected to the network as the log.
The information processing apparatus according to any one of claims 1 to 3. Among the abnormality detection information from the abnormality detector, an output unit that selects the abnormality detection information used as the log when it is determined by the determination unit to be attacked and transmits it to an external device. Further prepare
The information processing apparatus according to claim 4. As a result of comparing the occurrence location of the event and the content of the event included in the log with the pattern stored in the pattern storage unit, the determination unit determines the degree of matching indicating the degree of matching as a predetermined threshold value. If it does not exceed, it is determined that the abnormality detection information may be due to false detection in the abnormality detector.
The information processing apparatus according to claim 5. As a result of comparing the occurrence location of the event and the content of the event included in the log with the pattern stored in the pattern storage unit, the determination unit determines the degree of matching indicating the degree of matching as a predetermined threshold value. If it does not exceed, it is determined that there is a possibility of an unknown attack or a failure.
The information processing apparatus according to claim 5. The pattern storage unit stores, as the pattern, a pattern defined for the abnormality occurrence location and the abnormality content including the order of occurrence.
The determination unit determines whether or not the location of the event and the content of the event included in the log have been attacked, including the time-series order.
The information processing apparatus according to any one of claims 1 to 7. A correction unit that corrects the order of the time series based on the hierarchical distance from the own device in the network of the occurrence location of the event included in the log and the time when the log was acquired in the own device. Further prepare
The information processing apparatus according to claim 8. It is an information processing method in an information processing apparatus provided with a pattern storage unit that stores a pattern related to an attack regarding an abnormality occurrence location and an abnormality content at the abnormality occurrence location.
A log acquisition step to acquire a log of events that have occurred in the network within mobility, and
A determination step for determining whether or not an attack has been made based on the occurrence location of the event and the content of the event included in the log and the pattern stored in the pattern storage unit is included.
Information processing method. A program for causing a computer to execute the information processing method according to claim 10.

Images