JP2023152461A - On-vehicle gateway device and injection attack detection method - Google Patents

Abstract

To detect injection attacks on an on-vehicle network using fewer resources.SOLUTION: A gateway device 2 includes gateway means 20 for relaying communication between an ECU 4 and an external device connected to a connector 3, and monitoring means 25 for monitoring the transmission status indicating that a transmission message transmitted from the gateway means 20 to the connector 3 has reached the external device. The monitoring means 25 determines that an incorrect signal has been injected into an on-vehicle communication network 1 based on the occurrence of an error in the transmission status of a transmission message, when the transmission message output from the ECU 4 is transmitted to the connector 3 via the gateway means 20.SELECTED DRAWING: Figure 3

Description

The technology disclosed herein relates to an in-vehicle gateway device and an injection attack detection method.

Intrusion detection systems that detect fraudulent data in vehicle networks are being introduced.

In order to detect attacks based on various variations of fraudulent data, an intrusion detection system must be equipped with a variety of detection logics. On the other hand, in order to reduce vehicle costs, it is desirable to be able to execute these logics with as few resources as possible.

Patent Document 1 discloses that a transmission state (transmission execution state/transmission stop state) corresponding to data sent between information processing devices is determined, and when the transmission state corresponding to the acquired data of the acquisition unit is the transmission stop state, , a technique for determining that there is an abnormality in the acquired data is shown. Specifically, in Patent Document 1, when periodic data transmitted at a predetermined period is not acquired for a predetermined period, it is determined that the periodic data is in a transmission stopped state, and the periodic data is transmitted during the transmission stopped state. An example is shown in which it is determined that there is an abnormality when the message is received.

Japanese Patent Application Publication No. 2019-220770

However, in a vehicle, a wide variety of messages are exchanged with different transmission/reception cycles, timings, data lengths, etc. Therefore, in the case of a method that determines and applies the transmission state corresponding to each message as in the conventional technology, many calculations are required to set the transmission state for each message and to memorize the transmission state. There is a problem in that resources (including arithmetic circuits and storage areas) are required. Furthermore, in recent years, as vehicles become more automated and highly functional, the number of in-vehicle ECUs, the number of types of messages, and the amount of data tend to increase, so this problem becomes more important.

In addition, in a vehicle, the limited space inside the vehicle is used for computing resources for vehicle control, computing resources for improving passenger comfort, computing resources for the above-mentioned intrusion detection system, and computing resources for vehicle theft prevention. It is necessary to install computing resources for a wide variety of purposes, such as resources. Therefore, in order to improve the performance and functionality of vehicles and improve user satisfaction, we will reduce the computational resources for intrusion detection systems that do not directly affect vehicle control and comfort as much as possible. There is great meaning in doing so.

Here, in order to save the computational resources used, it is possible to reduce the type and amount of data used to set the transmission state, but this poses a problem that the comprehensiveness with respect to detection of attacks using fraudulent data will be reduced.

The technology disclosed herein has been developed in view of the above, and its purpose is to detect injection attacks by injecting fraudulent data into an in-vehicle network using fewer resources.

In order to solve the above problem, one aspect of the technology disclosed herein targets a gateway device provided between a connector for connecting an external device to an in-vehicle communication network and an in-vehicle ECU. gateway means for relaying communication between an external device connected to the ECU and the ECU; and a monitoring means for monitoring a transmission status indicating that a transmission message transmitted from the gateway means to the connector has reached the external device. and the monitoring means, when the transmission message output from the ECU is transmitted to the connector via the gateway means, the monitoring means, based on the occurrence of an error in the transmission status of the transmission message, The system is configured to determine that a fraudulent signal has been injected into the in-vehicle communication network.

According to this configuration, an attack that illegally injects a message to be sent to an external device when no external device is connected to the connector can be detected using fewer computational resources (including arithmetic circuits and storage areas) than before.

Specifically, as mentioned above, in the case of the conventional method that determines and applies the transmission state corresponding to each data, it is necessary to allocate calculation resources to set the transmission state and to store the transmission state. There is. On the other hand, in the configuration of the above aspect, there is no need to determine the transmission state corresponding to each data or to store the state of the ECU or the state of the signal flowing on the in-vehicle communication network, so it is not necessary to determine the transmission state corresponding to each data, and therefore it is not necessary to store the state of the ECU or the signal flowing on the in-vehicle communication network. This can significantly reduce the resources required to detect when a signal is injected.

In the above aspect, the monitoring means may determine that an unauthorized transmission message has been injected into the in-vehicle communication network when an error in the transmission status equal to or greater than a predetermined threshold occurs.

According to this aspect, since a certain threshold value is provided for error determination, it is possible to avoid erroneous determination of fraudulently transmitted messages, and it is possible to improve the accuracy of error determination.

The monitoring means includes an abnormality detection unit that detects an error in the transmission status of the transmission message, and an error information indicating the details of the error when the abnormality detection unit detects an error in the transmission status. and an output unit that outputs a detection log to which additional information regarding the error is added.

Here, the additional information may include time information regarding the time when the error occurred and location information regarding the location where the error occurred.

According to this aspect, additional information is attached to the error information and saved, making it easier to analyze the error, such as determining whether it is an injection attack.

Another aspect of the technology disclosed herein is directed to a method for detecting an injection attack, and the monitoring means connects an external device to the in-vehicle communication network from an internal bus of the in-vehicle communication network via a gateway device. a monitoring step of monitoring a transmission status indicating that a transmission message transmitted to the connector of the vehicle has arrived at the external device; and a determination step of determining that an unauthorized signal has been injected into the communication network.

According to this aspect, there is no need to determine the transmission state corresponding to each data, or to store the state of the ECU or the state of the signal flowing on the in-vehicle communication network. Therefore, resources for detecting that a fraudulent signal is injected into the in-vehicle communication network can be significantly reduced.

As described above, according to the technology disclosed herein, an injection attack on an in-vehicle network can be detected with fewer resources than before.

Block diagram showing a configuration example of an in-vehicle network system Diagram showing an example of data flow of an in-vehicle network system Block diagram showing a configuration example of a gateway device Flowchart showing an example of processing of the gateway device Flowchart showing another example of processing of the gateway device Block diagram showing another configuration example of the in-vehicle network

Hereinafter, exemplary embodiments will be described in detail with reference to the drawings. Identical or corresponding parts in the figures are denoted by the same reference numerals, and repeated explanation may be omitted. Furthermore, in the following embodiments, configurations that are highly relevant to the content of the present disclosure will be mainly described.

In the following description, the term "device" may be used as a general name for external devices, connectors, ECUs, sensors, and actuators. For example, the description of connections between devices refers to connections between devices, such as connections between external devices and connectors, connections between external devices and ECUs, connections between ECUs, sensors, and actuators. Use connection as a broadly encompassing concept.

FIG. 1 shows an example of the configuration of an in-vehicle communication network 1 according to this embodiment.

As shown in FIG. 1, the in-vehicle communication network 1 includes an external bus area 5 and an internal bus area 6. In the following description, it is assumed that the in-vehicle communication network 1 is a network that complies with the CAN (Controller Area Network) communication protocol (hereinafter simply referred to as "CAN network"). Note that the in-vehicle communication network 1 may be a network of another type, such as a network based on the Ethernet (registered trademark) protocol.

In the external bus area 5, a connector 3 for connecting external devices such as a fault diagnostic machine 8 and a charging station is connected via an external bus EB. In this example, a bus forming a network outside the vehicle than the gateway device 2 is referred to as an external bus EB.

In the internal bus area 6, an in-vehicle ECU 4, sensors, actuators, etc. are connected via an internal bus IB. In this example, the bus that forms the network inside the vehicle from the gateway device 2 is referred to as an internal bus EB.

In other words, a bus that is directly connected to a device connected from outside the vehicle (external device) is called an external bus EB, and other buses are called an internal bus IB. In the following description, the external bus EB and the internal bus IB may be simply referred to as "buses" when no particular distinction is made.

A gateway device 2 is provided between the external bus area 5 and the internal bus area 6. The gateway device 2 has a function of relaying communication between devices in the in-vehicle communication network 1. Further, when an external device is connected to the connector 3, the gateway device 2 relays communication between the external device and the ECU 4.

For example, as shown in FIG. 2, when a fault diagnostic machine 8 for diagnosing a fault in the ECU 4 is connected to the connector 3, the gateway device 2 connects the fault diagnostic machine 8 and the ECU 4 to be diagnosed. Relay data communication. In the following description, for convenience of explanation, the connector 3 to which an external device such as the failure diagnosis machine 8 is connected may be designated by the symbol "31" to distinguish it from other connectors 3. Similarly, the ECU 4 to be diagnosed may be given the reference numeral "41" and explained to be distinguished from other ECUs 4. The failure diagnostic machine 8 is an example of an external device. In addition, in FIG. 2, for convenience of illustration, the fault diagnostic device 8 and the connector 31 are connected by a line CT, but there is no intention to limit the connection between the two by wiring, and the fault diagnostic device 8 and the connector 31 are connected by a wire CT. The terminals of the connector 31 may be directly connected to each other.

In the example of FIG. 2, after being connected to the connector 31, the fault diagnostic device 8 transmits a request message to the ECU 41 to be diagnosed. After the request message is output from the fault diagnosis device 8, it is input to the gateway device 2 via the connector 31 and the external bus EB. When the gateway device 2 receives the request message, it is routed by the gateway means 20 described later and output to the internal bus IB to which the ECU 41 is connected.

To give another specific example, for example, when a quick charger is connected to the connector 31 as an external device, an operation status request message is transmitted from the quick charger to the ECU 41.

Upon receiving the request message, the ECU 41 outputs a response message to the request message to the gateway device 2 via the internal bus IB. When the gateway device 2 receives a response message from the ECU 41, it is routed by the gateway means 20 and output to the connector 31 via the external bus EB. When the failure diagnostic machine 8 receives the response message via the connector 31, it transmits the response message to the server 9, and notifies the server 9 of the diagnosis result based on the response message.

In the above-mentioned other specific example, for example, in response to the above-mentioned operation status request message, the ECU 41 returns a charging permission signal and a current command value response message to the quick charger.

-Gateway device-
FIG. 3 is a block diagram showing a configuration example of the gateway device 2. As shown in FIG. Note that in FIG. 3, arrows indicate data flow when a transmission message to be transmitted from the ECU 4 to the connector 3 is received.

As shown in FIG. 3, the gateway device 2 includes a gateway means 20 and a monitoring means 25.

The gateway means 20 includes a first transmitting/receiving section 21 connected to an internal bus IB, a second transmitting/receiving section 22 connected to an external bus EB, a gateway processing section 23, and a storage section 24.

The first transmitting/receiving unit 21 transfers messages received via the internal bus IB to the gateway processing unit 23, and outputs messages to be transmitted from the gateway processing unit 23 to the ECU 4 to the internal bus IB.

The second transmitting/receiving section 22 outputs data to be transmitted from the gateway processing section 23 to the connector 3 to the external bus EB, and transfers data received via the external bus EB to the gateway processing section 23.

The gateway processing unit 23 has a function of transferring messages transmitted from each ECU 4 and messages input via each connector 3 to a bus connected to a destination device according to the routing table TB.

The routing table TB indicates a transfer destination bus according to the type and content of a message received via the bus, and is stored in the storage unit 24. For example, the connector 3 is registered in the routing table TB as a transfer destination of the above-mentioned response message.

The monitoring means 25 includes an acquisition section 26 , an abnormality detection section 27 , an output section 28 , and a storage section 29 .

The acquisition unit 26 acquires the transmission status of the transmission message transmitted from the gateway means 20 to the connector 3. The transmission status is status information indicating that the above transmission message has reached the external device. For example, in the case of a CAN network, the transmission status regarding the transmission message to each connector 3 is reflected in the register in the gateway device 2. Therefore, the acquisition unit 26 acquires the transmission status of the transmission message by checking the state of the register after the transmission message is transmitted.

For example, when a message is transferred from the internal bus IB to the external bus EB connected to the connector 31 via the gateway means 20, if no external device is connected to the external bus EB, the message is transferred to the external bus EB. After sending, CAN Ack (Acknowledgement) does not go up. Then, the AckError register inside the gateway device 2 is set based on the message transmission error. Therefore, the acquisition unit 26 can acquire the transmission status of the transmission message by checking the state of the AckError register.

Further, the acquisition unit 26 may acquire the value of a TEC (Transmit Error Counter) installed in the CAN controller as the transmission status of the transmission message. Specifically, for example, the transmission error counter is decremented when transmission is successful, and is incremented according to a predetermined rule depending on the transmission status of the transmission message, such as when an error flag is detected. Therefore, by referring to the TEC count value, the transmission status can be grasped.

Note that, for example, when the in-vehicle communication network 1 adopts a handshake protocol, the acquisition unit 26 acquires a flag indicating the handshake establishment state (response return state from the other party) as the transmission status. Good too.

The abnormality detection unit 27 detects, based on the determination conditions stored in the storage unit 29, that an error has occurred in the transmission status acquired by the acquisition unit 26. The storage unit 29 stores, for example, the aforementioned threshold value of the transmission error counter as a determination condition. The abnormality detection unit 27 determines that an incorrect signal has been injected into the in-vehicle communication network when the transmission error counter exceeds a predetermined threshold value indicated by the determination condition. In other words, it is detected that an error has occurred in the transmission status. The error detection result of the transmission status by the abnormality detection section 27 is output to the output section 28 .

Note that the determination condition is not limited to the value of the transmission error counter, and an index other than the transmission error counter may be used. For example, in the case of the handshake method described above, the number of retries or the number of times there is no response may be used as the determination condition.

Further, although the example in FIG. 3 shows an example in which the storage section 24 and the storage section 29 are provided separately, they may be combined into one storage section.

When an error in the transmission status is detected by the abnormality detection unit 27, the output unit 28 outputs a detection log in which additional information regarding the detected error is added to error information indicating the content of the detected error. The additional information includes, for example, time information indicating the time when the error occurred, location information indicating the location where the error occurred, and the like. The detection log output from the output unit 28 is stored in the storage unit 29. In this way, by saving error information with additional information attached, it becomes easier to analyze the error, such as determining whether it is an injection attack.

<Operation of gateway device>
Next, the operation of the gateway device 2 will be explained with reference to FIG. 4. Here, an example in which a response message is transmitted from the ECU 41 to the connector 31 described above will be described.

-Step S1-
In step S1, the abnormality detection unit 27 acquires the determination conditions stored in the storage unit 29. In this example, the abnormality detection unit 27 obtains a threshold value of a transmission error counter (hereinafter referred to as "error threshold value") as a determination condition.

-Step S2-
In step S2, when the request message is transferred from the internal bus IB to the external bus EB connected to the connector 31 via the gateway means 20, the acquisition unit 26 acquires the transmission status of the request message. Specifically, the acquisition unit 26 acquires the value of the above-mentioned transmission error counter.

-Step S3-
In step S3, the abnormality detection unit 27 determines whether the transmission error counter value acquired by the acquisition unit 26 is greater than or equal to the error threshold. If the transmission error counter value is greater than or equal to the error threshold, the flow proceeds to step S4, and if the transmission error counter value is less than the error threshold, the flow returns to step S2.

-Step S4-
In step S4, the abnormality detection section 27 outputs the detection result to the output section 28. Here, since the transmission error counter value is greater than or equal to the error threshold, the abnormality detection unit 27 determines that an injection attack has occurred, and notifies the output unit 28 of the determination result.

-Step S5-
When the output unit 28 receives the injection attack occurrence notification from the abnormality detection unit 27 , it generates a detection log in which additional information is added to the error information detected by the abnormality detection unit 27 , and stores it in the storage unit 29 .

Then, the operations from step S2 to step S5 are repeated.

As described above, according to the present embodiment, an attack that illegally injects a message to be sent to an external device when no external device is connected to the connector 3 can be prevented using fewer computing resources (including computing circuits and storage areas) than before. ) can be detected.

Specifically, in the case of the conventional method in which a transmission state corresponding to each data is determined and applied, it is necessary to allocate calculation resources to perform calculations for setting the transmission state and to store the transmission state.

In contrast, in the configuration of the present embodiment, it is necessary to individually determine the transmission state for exchanging messages between the external device and the ECU 4, and to memorize the state of the ECU 4 and the state of signals flowing on the in-vehicle communication network 1. There is no. Thereby, the resources for detecting that a fraudulent signal has been injected into the in-vehicle communication network 1 can be significantly reduced.

-Comparative example-
As a comparative example, for example, a method of monitoring a request message identifier (CAN Request ID) and a response message identifier (CAN Response ID) as a pair can be considered. In this case, it is necessary to store a table of paired identifiers (for example, 70 ID tables assuming 35 ECUs to communicate with) in the ROM (equivalent to a storage unit), and when a received request Although it is necessary to process and store it in a RAM (corresponding to a storage unit), this embodiment does not require such a configuration or processing.

(Other embodiments)
The technology disclosed herein is not limited to the embodiments described above, and substitutions, additions and changes of components and processes, etc. can be made without departing from the scope of the claims.

For example, in the above embodiment, an example is shown in which the monitoring means 25 is provided inside the gateway device 2, but a part or all of the configuration of the monitoring means 25 may be provided outside the gateway device 2.

For example, in the example of FIG. 4, the output unit 28 generates a detection log and stores it in the storage unit 29, but the output unit 28 may perform processing or operation using this stored detection log. FIG. 5 shows an example of an operation using a detection log. In FIG. 5, the operations from step S1 to step S5 are the same as those in FIG. 4, and the operations at steps S6 and S7 will be described here.

-Step S6-
In step S6, the gateway processing unit 23 identifies the ID (hereinafter referred to as "error ID") of the transmission message in which an error has occurred (transmission message gatewayed to an external device) in the detection log.

-Step S7-
In step S7, when a transmission message to which an error ID is attached occurs on the internal bus IB, the gateway processing unit 23 invalidates the message to which the error ID is attached (hereinafter referred to as an "invalid message"). In this way, by invalidating the illegal message itself generated on the internal bus IB, it is possible to avoid the influence on various operations caused by the illegal message.

Alternatively, in step S7, the gateway processing unit 23 notifies each ECU 4 of the error ID. Each ECU 4 will receive the fraudulent message to which the error ID has been assigned, but since it can recognize that it is a fraudulent message, it can take measures such as not using it for control.

For example, as shown in FIG. 6, the gateway device 7 includes a first gateway device 71 having the same function as the gateway device 2 described above, and a second gateway device 72 that does not have a monitoring function. It's okay. The first gateway device 71 and the second gateway device 72 are connected by an internal bus NB.

In this case, some of the ECUs 4 are directly connected to the first gateway device 71 via the internal bus IB1. Further, some of the other ECUs 4 are connected to the second gateway device 72 via the internal bus IB2, and are connected to the first gateway device 71 via the second gateway device 72. In this case, the first gateway device 71 has a configuration similar to that in FIG. 3, and the second gateway device 72 is connected via an internal bus NB instead of the internal bus IB in FIG.

Also in the configuration shown in FIG. 6, the first gateway device 72 executes the same processing as the gateway device 2 in the above-described embodiment, and the same effects as in the above-described embodiment can be obtained.

The technology disclosed herein is useful as a gateway device used in an in-vehicle network.

1 In-vehicle communication network 2 Gateway device 3 Connector 4 ECU
7 Gateway device 8 Diagnostic device (external device)
20 Gateway means 21 Monitoring means 27 Abnormality detection section 28 Output section

Claims (5)

A gateway device provided between a connector for connecting an external device to an in-vehicle communication network and an in-vehicle ECU,
gateway means for relaying communication between an external device connected to the connector and the ECU;
monitoring means for monitoring a transmission status indicating that a transmission message transmitted from the gateway means to the connector has reached the external device;
When the transmission message output from the ECU is transmitted to the connector via the gateway means, the monitoring means controls the in-vehicle communication network based on the occurrence of an error in the transmission status of the transmission message. A gateway device that determines that a fraudulent signal has been injected into the system. The monitoring means determines that an unauthorized transmission message has been injected into the in-vehicle communication network when an error in the transmission status equal to or greater than a predetermined threshold occurs.
The gateway device according to claim 1. The monitoring means includes:
an abnormality detection unit that detects that an error has occurred in the transmission status of the transmission message;
an output unit that outputs, when an error in the transmission status is detected by the abnormality detection unit, a detection log in which additional information regarding the error is added to error information indicating the content of the error;
The gateway device according to claim 1. The external device is a fault diagnostic machine that diagnoses a fault in the ECU.
The gateway device according to any one of claims 1 to 3. A method for detecting an injection attack, the method comprising:
The monitoring means monitors a transmission status indicating that a transmission message transmitted from an internal bus of the in-vehicle communication network to a connector for connecting an external device to the in-vehicle communication network via the gateway device has reached the external device. monitoring process;
a determination step in which the monitoring means determines that an incorrect signal has been injected into the in-vehicle communication network based on the occurrence of an error in the transmission status of the transmission message;
How to detect injection attacks.