JP2024051328A - Attack analysis device, attack analysis method, and attack analysis program - Google Patents

Abstract

[Problem] To provide an attack analysis device, method, and program that accurately analyzes cyber attacks and identifies the correct attack, even when data used for analysis is corrupted. [Solution] An attack analysis device 10 includes an attack/anomaly relationship table inspection unit and an attack estimation unit. The attack/anomaly relationship table inspection unit stores attack/anomaly relationship information indicating the relationship between predicted attack information, predicted anomaly information, and predicted anomaly location information, and first inspection information used to inspect the attack/anomaly relationship information. Furthermore, it inspects the attack/anomaly relationship information based on the first inspection information, and outputs the inspected attack/anomaly relationship information to the attack estimation unit. When the attack estimation unit acquires a security log indicating an anomaly detected in an electronic control system, it estimates the attack that the electronic control system has received based on the inspected attack/anomaly relationship information and the security log. Then, it outputs attack information indicating the estimated attack. [Selected Figure] Figure 1

Description

The present invention relates to an attack analysis device, an attack analysis method, and an attack analysis program for analyzing attacks against electronic control systems mounted on mobile objects such as automobiles.

In recent years, technologies for driving assistance and autonomous driving control, including V2X (vehicle-to-vehicle communication and vehicle-to-infrastructure communication), have been attracting attention. As a result, vehicles are being equipped with communication functions, and so-called connected vehicles are becoming more common. As a result, the possibility of vehicles being subject to cyber attacks, such as unauthorized access, is increasing. For this reason, it is necessary to analyze cyber attacks against vehicles and develop countermeasures.

There are various methods for detecting abnormalities that occur in a vehicle and analyzing cyber attacks based on the detected abnormalities. For example, Patent Document 1 describes a method for collecting detected abnormality data and identifying the type of attack corresponding to the abnormality by comparing the combination of items in which the abnormality was detected with an abnormality detection pattern that has been specified in advance for each attack.

JP 2020-123307 A

Here, the present inventors have found the following problem.
In an attack analysis device that analyzes cyber attacks, some kind of malfunction may occur due to, for example, memory corruption, electrical effects, software bugs, tampering due to an attack, etc., which may corrupt the data of anomaly detection patterns. In such cases, the data corruption may affect the analysis of cyber attacks, making it difficult to identify the correct attack.

The present invention aims to provide an attack analysis device that can accurately analyze cyber attacks and identify the correct attack, even if the data used for analysis is corrupted.

The attack analysis device (10, 20) of the present disclosure is an attack analysis device that analyzes attacks against an electronic control system installed in a moving object,
an attack/anomaly relationship information storage unit (202) for storing attack/anomaly relationship information indicating the relationship between predicted attack information indicating an attack that the electronic control system may be subjected to, predicted anomaly information indicating an anomaly that is predicted to occur if the electronic control system is subjected to the attack, and predicted anomaly position information indicating a position within the electronic control system where the predicted anomaly will occur;
a first storage unit (203) for storing first inspection information used for inspecting the attack/anomaly related information;
a first inspection unit (204) that inspects the attack/anomaly related information based on the first inspection information;
A security log acquisition unit (301) that acquires a security log indicating an abnormality detected in the electronic control system;
an estimation unit (303) for estimating an attack that the electronic control system has received based on the verified attack/anomaly related information and the security log;
an output unit (305) that outputs attack information indicating an estimated attack;
has.

The numbers in parentheses attached to the constituent elements of the invention described in the claims and this section indicate the correspondence between the present invention and the embodiments described below, and are not intended to limit the present invention.

With the above-described configuration, the attack analysis device etc. disclosed herein can reduce the impact of corrupted data on analysis even if data in the attack/anomaly relationship table is corrupted, making it possible to accurately analyze and identify cyber attacks.

FIG. 1 is a block diagram showing an example of the configuration of an attack analysis device according to a first embodiment; FIG. 1 is an explanatory diagram illustrating the arrangement of an attack analysis device according to the first embodiment. FIG. 1 is a diagram for explaining an electronic control system to be analyzed by the attack analysis device according to the first and second embodiments. FIG. 1 is a block diagram showing an example of the configuration of a vehicle configuration table inspection unit according to the first and second embodiments; FIG. 1 is a diagram for explaining a vehicle configuration information table according to the first and second embodiments. FIG. 1 is a diagram for explaining a vehicle configuration information inspection table according to the first and second embodiments. FIG. 1 is a block diagram illustrating an attack/anomaly relationship table inspection unit according to the first and second embodiments. FIG. 1 is a diagram for explaining an attack/anomaly relationship table according to the first and second embodiments. FIG. 1 is a diagram for explaining an attack/anomaly relationship inspection table according to the first and second embodiments. FIG. 1 is a block diagram showing an example of the configuration of an attack estimation unit according to the first and second embodiments. A flowchart showing the operation of the attack analysis device according to the first and second embodiments. FIG. 13 is a block diagram showing an example of the configuration of an attack analysis device and an inspection device according to a second embodiment. FIG. 13 is a block diagram showing an example of the configuration of an attack analysis device and an inspection device according to a second embodiment. FIG. 13 is an explanatory diagram for explaining the arrangement of the attack analysis device according to the second embodiment.

The following describes an embodiment of the present invention with reference to the drawings.

The present invention refers to the invention described in the claims or in the Means for Solving the Problems section, and is not limited to the following embodiments. Furthermore, at least the words in quotation marks refer to the words described in the claims or in the Means for Solving the Problems section, and are not limited to the following embodiments.

The configurations and methods described in the dependent claims of the claims are optional configurations and methods in the invention described in the independent claims of the claims. The configurations and methods of the embodiments corresponding to the configurations and methods described in the dependent claims, and the configurations and methods described only in the embodiments without being described in the claims, are optional configurations and methods in the present invention. The configurations and methods described in the embodiments when the description of the claims is broader than the description of the embodiments are also optional configurations and methods in the present invention in the sense that they are examples of the configurations and methods of the present invention. In either case, by being described in the independent claims of the claims, they become essential configurations and methods of the present invention.

The effects described in the embodiments are the effects of having the configuration of the embodiment as an example of the present invention, and are not necessarily the effects of the present invention.

When there are multiple embodiments, the configurations disclosed in each embodiment are not limited to each embodiment, but can be combined across the embodiments. For example, a configuration disclosed in one embodiment may be combined with another embodiment. Also, the configurations disclosed in each of the multiple embodiments may be collected and combined.

The problem described in the problem that the invention is intended to solve is not a publicly known problem, but was discovered independently by the inventor, and this fact, together with the configuration and method of the present invention, affirms the inventive step of the invention.

1. First embodiment (1) Overall configuration of the attack analysis device 10 The attack analysis device 10 of this embodiment will be described with reference to FIG. 1. The attack analysis device 10 is a device that analyzes attacks against an electronic control system S provided in a moving body described later. The attack analysis device 10 includes a vehicle configuration information inspection unit 100, an attack/anomaly relationship table inspection unit 200, and an attack estimation unit 300. In the following embodiment, a device having the vehicle configuration information inspection unit 100, the attack/anomaly relationship table inspection unit 200, or the vehicle configuration information inspection unit 100 and the attack/anomaly relationship table inspection unit 200 is referred to as an inspection device. Also, a device having the attack estimation unit 300 is referred to as an attack analysis device. Therefore, FIG. 1 is a diagram showing the attack analysis device 10 of this embodiment, and is also a diagram showing the inspection device 21 of this embodiment.

In each of the embodiments described below, an example will be given in which the electronic control system S that is subject to a cyber attack is an in-vehicle system installed in a vehicle, which is a "mobile body."

Fig. 2 is a diagram for explaining the arrangement of the attack analysis device 10 of this embodiment. In this embodiment, as shown in Fig. 2(a), it is assumed that the attack analysis device 10 is "mounted" on a vehicle, which is a "mobile body", and as shown in Fig. 2(b), it is assumed that the attack analysis device 10 is a server device provided outside the vehicle, which is a "mobile body".
here,
"Mobile object" refers to an object that can move and can move at any speed. It also includes cases where the mobile object is stationary. For example, it includes, but is not limited to, automobiles, motorcycles, bicycles, pedestrians, ships, aircraft, and objects mounted on these.
"Mounted" includes not only the case where the device is directly fixed to the moving body, but also the case where the device is not fixed to the moving body but moves with the moving body, such as the case where the device is carried by a person riding on the moving body, or the case where the device is mounted on cargo placed on the moving body.

As shown in FIG. 2(a), when a vehicle is equipped with an electronic control system S and an attack analysis device 10, the attack analysis device 10 can analyze a cyber attack without delay when the electronic control system S is subjected to the cyber attack, and thus can rapidly respond to the attack.

On the other hand, as shown in FIG. 2(b), when the server device is the attack analysis device 10, when an abnormality occurs in the electronic control system S installed in the vehicle, the server device receives a security log generated by a security sensor, which will be described later, from the vehicle via a wireless communication network. Therefore, compared to when the attack analysis device 10 is installed in the vehicle, it takes more time to analyze the attack and feed back the analysis results to the vehicle, but it is possible to reduce the processing load on the vehicle side.

2A, the electronic control system S and the attack analysis device 10 are connected via an in-vehicle communication network such as a Controller Area Network (CAN) or a Local Interconnect Network (LIN). Alternatively, they may be connected using any communication method, whether wired or wireless, such as Ethernet (registered trademark), Wi-Fi (registered trademark), or Bluetooth (registered trademark).
In the case of FIG. 2(b), the electronic control system S and the attack analysis device 10 are connected via a communication network such as wireless communication methods such as IEEE802.11 (Wi-Fi (registered trademark)), IEEE802.16 (WiMAX (registered trademark)), W-CDMA (Wideband Code Division Multiple Access), HSPA (High Speed Packet Access), LTE (Long Term Evolution), LTE-A (Long Term Evolution Advanced), 4G, 5G, etc. Alternatively, DSRC (Dedicated Short Range Communication) can be used. When the vehicle is parked in a parking lot or housed in a repair shop, a wired communication method can be used instead of a wireless communication method. For example, a LAN (Local Area Network), the Internet, or a fixed telephone line can be used.

(2) Configuration of Electronic Control System S The electronic control system S will be described with reference to Fig. 3. The electronic control system S is composed of multiple electronic control units (hereinafter, ECUs). In the example shown in Fig. 3, the electronic control system S is composed of ECU-A to E, and each ECU is connected via an in-vehicle network.

The ECU constituting the electronic control system S is equipped with a security sensor that monitors the inside of the ECU and the network to which the ECU is connected. When the security sensor detects an abnormality that has occurred inside the ECU or in the network, it generates and outputs a security log. Hereinafter, the log generated and output by the security sensor will be referred to as the security log. The security log includes abnormality information indicating the abnormality detected by the security sensor and abnormality position information indicating the position where the abnormality detected by the security sensor occurred. The security log may further include identification information that identifies the electronic control system S, identification information of the security sensor that detected the abnormality, identification information of the ECU in which the security sensor is mounted, the time when the abnormality was detected, the number of times when the abnormality was detected, the order in which the abnormality was detected, the contents of the data received before the abnormality was detected, and information on the IP addresses (source and destination), etc.

Many electronic control systems employ defense in depth to improve security against attacks. Defense in depth is known as a method for improving the defense of electronic control systems by providing security functions in a hierarchical and multi-layered manner as a countermeasure against attacks, so that even if one countermeasure (i.e., the first layer) is breached in the event of an attack, the next countermeasure (i.e., the second layer) can defend against the attack. Therefore, in an electronic control system employing defense in depth, there are multiple layers with different security levels. Therefore, the electronic control system S is divided into multiple layers according to the security level, and individual positions that are unique to the electronic control system S are associated with common positions according to which of the multiple layers they belong to. That is, in this example, the common positions correspond to the positions of the defense layers in the electronic control system S.

The electronic control system S shown in FIG. 3 has three layers of defense. In this example, ECU-A and ECU-B belong to the first layer, ECU-C belongs to the second layer, and ECU-D and ECU-E belong to the third layer. For example, ECU-A and ECU-B are communication ECUs having a communication function with the outside, and these ECUs are equipped with a security function that monitors data entering the inside of the vehicle from the outside of the vehicle. In this example, the area monitored by the ECU with such a security function is the first layer. On the other hand, ECU-C is, for example, a gateway ECU equipped with a security function that monitors data communicated between a network to an ECU connected to the outside of the vehicle and a network to an ECU that controls the vehicle. ECU-C implements security measures different from those of ECU-A and ECU-B described above, and the area monitored by ECU-C can be said to have a different security level from the first layer, which is the area protected by ECU-A and ECU-B. Therefore, in this example, the area monitored by ECU-C is the second layer. ECU-D and ECU-E are, for example, vehicle control ECUs that control the movement of the vehicle. Only data that has passed the security function of ECU-C is communicated between ECU-D and ECU-E, and they can be said to be areas with a different security level from the second layer. Therefore, these ECUs belong to the third layer, which is a different layer from ECU-C.

ECU-D and ECU-E can be configured with ECUs having any desired functions. Examples include drive system electronic control devices that control the engine, steering, brakes, etc., vehicle body electronic control devices that control meters and power windows, information system electronic control devices such as navigation devices, and safety control system electronic control devices that perform control to prevent collisions with obstacles and pedestrians. Furthermore, ECUs may not be parallel to each other, but may be classified as master and slave.

The defense layers of the electronic control system S shown in FIG. 3 and in this embodiment, and the security functions that make up the defense layers, are merely examples and are not limited to these. For example, the electronic control system S may have four or more defense layers. Furthermore, even if two or more ECUs have the same security function, different defense layers may be configured by monitoring different data.

Furthermore, the ECU may be a physically independent ECU, or may be a virtually implemented virtual ECU (sometimes called a virtual machine).

(2) Configuration of vehicle configuration information inspection unit 100 The configuration of the vehicle configuration information inspection unit 100 will be described with reference to Fig. 4. The vehicle configuration information inspection unit 100 includes a vehicle configuration information acquisition unit 101, a vehicle configuration information table storage unit 102, a vehicle configuration information inspection table storage unit 103, a vehicle configuration information inspection unit 104, a correction unit 105, and an attack/anomaly relationship table generation unit 106.

The vehicle configuration information acquisition unit 101 acquires vehicle configuration information related to each ECU that configures the electronic control system S. The vehicle configuration information is acquired from the vehicle, an inspection device outside the vehicle, a server, etc. The vehicle configuration information acquired by the vehicle configuration information acquisition unit 101 is recorded together as a vehicle configuration information table in the vehicle configuration information table storage unit 102.

The vehicle configuration information table is a record of vehicle configuration information, which is information about each ECU that constitutes the electronic control system S, among other information about the vehicle, and is used when generating the attack/anomaly relationship table. However, the vehicle configuration information may also be used for other purposes, such as vehicle analysis.

In the vehicle configuration information table shown in FIG. 5, information on individual positions, defense layers (common positions), security sensors, and networks is stored in association with each other as vehicle configuration information for each ECU shown in FIG. 3. Specifically, the name and identification number of each ECU is stored in association with each other for the individual positions, the layer number and its identification number for the defense layers, the type of security sensor held in the security sensors, and the connection destination and protocol for the networks. Note that the vehicle configuration information table may contain other vehicle configuration information in addition to that shown in FIG. 5.

The vehicle configuration information inspection table storage unit 103 (corresponding to the "second storage unit") records a vehicle configuration information inspection table that summarizes inspection information (corresponding to the "second inspection information") used to inspect the vehicle configuration information table.
In the vehicle configuration information inspection table shown in Fig. 6, constraint conditions related to each vehicle configuration information are recorded as inspection information. Examples of inspection information other than the constraint conditions include history information recorded together with time information (corresponding to "vehicle configuration information modification history"), vehicle configuration information acquired from an external source (corresponding to "master information"), and backups of past vehicle configuration information. This inspection information is not limited to information recorded in the vehicle configuration information inspection table, and may be information acquired from a separate external device.

The constraint conditions used in the inspection are conditions that are satisfied if the vehicle configuration information is not damaged, and a specified range, ID number, type of equipment or standard, etc. are used as the constraint conditions. An example of a constraint condition is the number of objects identified by the identification number. Since there are a total of five ECUs-A to E that make up the electronic control system S shown in Figure 3, the range of the ECU identification numbers is 1 to 5, which corresponds to the number of identification numbers. Therefore, the constraint condition for the identification number regarding the individual position of the ECU is 0x0001 to 0x0005. Furthermore, the constraint condition for the identification number of the defense layer is 0x01 to 0x03, which corresponds to the number of defense layers. For security sensors and networks, a group of configurations provided by any of the ECUs that make up the electronic control system S can be used as a constraint condition.

In the vehicle configuration information table of FIG. 5, the identification number of the underlined ECU-B is 0x0011, which does not satisfy the constraints 0x0001 to 0005 recorded in the vehicle configuration information inspection table of FIG. 6. Therefore, the vehicle configuration information inspection unit 104 can identify corruption of the identification number of ECU-B among the vehicle configuration information recorded in the vehicle configuration information table.

The vehicle configuration information inspection unit 104 uses the vehicle configuration information inspection table to inspect whether the vehicle configuration information recorded in the vehicle configuration information table storage unit 102 satisfies the constraint conditions, and outputs the inspection result. The inspection is performed on the vehicle configuration information in the vehicle configuration information table used to generate the attack/anomaly relationship table.

If the vehicle configuration information is corrupted, it can be detected by the vehicle configuration information inspection unit 104. Therefore, if the vehicle configuration information is corrupted due to tampering caused by a cyber attack or a malfunction of the device, the corruption can be detected and the generation of an attack/anomaly relationship table using the corrupted vehicle configuration information can be prevented. Examples of triggers for inspection include the passage of a predetermined period of time, a change to the vehicle configuration information, and the generation of an attack/anomaly relationship table.

Examples of historical information used as inspection information include the history of the vehicle configuration information table and the vehicle maintenance history (collectively referred to as "vehicle configuration information inspection history or correction history"). In this case, the correct vehicle configuration information is estimated in light of the history. For example, if the vehicle maintenance history does not record facts such as ECU replacement, vehicle configuration information that is included at a rate equal to or greater than a threshold in multiple histories within a specified period is determined to be correct.

For example, if all of the retained sensors of the security sensor of ECU-D are HIDPS B in multiple histories within a specified period, the vehicle configuration information inspection unit 104 presumes that HIDPS B is correct. In the vehicle configuration information table of FIG. 5, the retained sensor of the security sensor of ECU-D is HIDPS A, which is not ECU-D, which is presumed to be correct, so it is determined that the vehicle configuration information is corrupted.

In addition, when the vehicle's maintenance history is used as the inspection information, the maintenance history is checked for any differences with the latest vehicle configuration information, and if it differs from the maintenance history, it is determined that the information is damaged. Here, the maintenance history refers to records such as when an ECU has been replaced or when ECU software has been updated. For example, if the maintenance history records that ECU-D has been changed to an ECU equipped with HIDPS B, the vehicle configuration information inspection unit 104 presumes that HIDPS B is the correct vehicle configuration information. In the vehicle configuration information table of FIG. 5, the retained sensor of the security sensor is HIDPS A, so it is determined that the vehicle configuration information is damaged.

If correct vehicle configuration information (corresponding to "master information") can be acquired from the outside, the acquired vehicle configuration information may be used as inspection information to inspect the vehicle configuration information table. In this case, the vehicle configuration information inspection unit 104 determines that vehicle configuration information that does not match the acquired vehicle configuration information is corrupted.

In this way, the vehicle configuration information table that is the source of the attack/anomaly relationship table can be inspected. Note that the vehicle configuration information inspection unit 104 may inspect the rules, algorithms, and programs for generating the attack/anomaly relationship table in addition to the vehicle configuration information.

Damaged vehicle configuration information can be corrected based on history information. The correction unit 105 corrects the vehicle configuration information in the vehicle configuration information table based on the inspection results of the vehicle configuration information inspection unit 104. If the location of the damage can be identified from the inspection results, the correction unit 105 may correct the damaged vehicle configuration information to a correct value. For example, the correct vehicle configuration information can be estimated from the history of the vehicle configuration information table or the vehicle maintenance history, and the damaged vehicle configuration information can be corrected.

The correction unit 105 may use information acquired from outside the vehicle configuration information inspection unit 100 to correct the vehicle configuration information. For example, if the inspection reveals that the vehicle configuration information in the vehicle configuration information table is corrupted, the master table may be requested and acquired from an external server or vehicle, and the vehicle configuration information table being inspected may be replaced with the master table. In addition, if the corrupted vehicle configuration information is identified, only the corrupted vehicle configuration information may be acquired from outside and replaced.

In order to prevent any disruption to cyber-attack analysis when updating the vehicle configuration information table, it is preferable to back up and update the vehicle configuration information table, and then switch over after the update. Alternatively, the vehicle configuration information table before the update may be buffered (stored), and the vehicle configuration information table may be changed after the update.

The attack/anomaly relationship table generation unit 106 (corresponding to the "attack/anomaly relationship information generation unit") generates an attack/anomaly relationship table (corresponding to the "attack/anomaly relationship information") and outputs it to the attack/anomaly relationship table inspection unit 200. If the corrupted vehicle configuration information has been corrected by the correction unit 105, the attack/anomaly relationship table is generated based on the vehicle configuration information table in which the correction is reflected.

As shown in FIG. 2b, when the attack analysis device 10 is a server device, the attack analysis device 10 acquires vehicle configuration information from a large number of vehicles and generates a vehicle configuration information table. Therefore, the vehicle configuration information table storage unit 102 needs to store a large number of vehicle configuration information tables corresponding to the electronic control systems S of each vehicle. Therefore, in order to easily identify the electronic control systems S used by the vehicles, when the attack analysis device 10 is a server device, it is desirable for the vehicle configuration information table to include identification information that identifies the electronic control systems S. This allows the vehicle configuration information inspection unit 104 to easily identify the vehicle configuration information table to be used to inspect the vehicle configuration information table.

(3) Configuration of the attack/anomaly relationship table inspection unit 200 The attack/anomaly relationship table inspection unit 200 will be described with reference to Fig. 7. The attack/anomaly relationship table inspection unit 200 includes an attack/anomaly relationship table acquisition unit 201, an attack/anomaly relationship table storage unit 202, an attack/anomaly relationship inspection table storage unit 203, an attack/anomaly relationship table inspection unit 204, a correction unit 205, and an output unit 206.

The attack/anomaly relationship table acquisition unit 201 acquires an attack/anomaly relationship table. The attack/anomaly relationship table is an attack/anomaly relationship table generated based on inspected vehicle configuration information output from the vehicle configuration information inspection unit 100. The acquired attack/anomaly relationship table is recorded in the attack/anomaly relationship table storage unit 202.

The attack/anomaly relationship table storage unit 202 stores the attack/anomaly relationship table acquired by the attack/anomaly relationship table acquisition unit 201. At a stage where the attack/anomaly relationship table has not yet been generated by the vehicle configuration information inspection unit 100, the attack/anomaly relationship table is stored in advance.
The attack/anomaly relationship table is a table showing the relationship between predicted attack information indicating attacks that the electronic control system S may be subjected to, predicted anomaly information indicating anomalies predicted to occur in the event of an attack, and predicted anomaly position information indicating the position within the electronic control system S where the predicted anomaly will occur. The attack/anomaly relationship table does not necessarily have to have a table format. In other words, the attack/anomaly relationship table may also include the formats of various databases.

In the attack/abnormality relationship table shown in FIG. 8, attack types A through X are listed as the predicted attack information, and ECU-A through ECU-E are recorded as the predicted abnormality location information corresponding to each attack. In addition, abnormality contents A through D or A through C are listed as predicted abnormality information. In the figure, the abnormality predicted to occur in each ECU when subjected to each attack is indicated by flag 1.

As described below, the attack estimation unit 300 estimates the attack that the electronic control system S has received based on the attack/anomaly relationship table. If the attack/anomaly relationship table is corrupted, the corruption may cause an erroneous estimation of the attack. The attack/anomaly relationship table used for the estimation is generated using vehicle configuration information that has been inspected by the vehicle configuration information inspection unit 100, but it is possible that the attack/anomaly relationship table may be corrupted due to a malfunction during generation or a cyber attack after generation. Therefore, the attack/anomaly relationship table inspection unit 204 inspects the integrity of the attack/anomaly relationship table. For example, it inspects whether there are any corrupted parts where 0s and 1s have been swapped by bit inversion.

The attack/anomaly relationship inspection table storage unit 203 (corresponding to the "first storage unit") stores the attack/anomaly relationship inspection table (corresponding to the "first inspection information"). The attack/anomaly relationship inspection table is, for example, a table as shown in FIG. 9.

The attack/anomaly relationship table inspection unit 204 (corresponding to the "first inspection unit") compares the attack/anomaly relationship table of the inspection target in FIG. 8 with the attack/anomaly relationship inspection table in FIG. 9 to inspect whether they are a perfect match. In both tables, 0 and 1 are swapped in the content of the abnormality of ECU-C predicted to occur due to the underlined attack C, and this part is corrupted. Other methods for inspecting the attack/anomaly relationship table for corruption include, for example, calculating and comparing hash values for the attack/anomaly relationship table and the attack/anomaly relationship inspection table, inspecting by code signature, using a security chip, etc.

The inspection by the attack/anomaly relationship table inspection unit 204 is performed periodically or at a specified timing. Examples of the specified timing include when the attack/anomaly relationship table is used or when an incident such as an external cyber attack occurs.

The attack/anomaly relationship table inspection unit 204 may verify the integrity of the attack/anomaly relationship table in the attack/anomaly relationship table storage unit 202 by remote attestation (remote integrity verification). In this case, the attack/anomaly relationship table inspection unit 204 inspects the attack/anomaly relationship table in response to a request from a verifier, and sends the inspection result to the verifier as evidence. The verifier then uses the evidence to remotely verify the integrity of the attack/anomaly relationship table being inspected. For example, a hash value is used as evidence for verifying the attack/anomaly relationship table. Note that the verifier is usually configured as external dedicated hardware or software, but the attack analysis device 10 may also have the function of a verifier.

Figure 9 shows an example of an attack/anomaly relationship inspection table, which is a so-called master table, that is, an attack/anomaly relationship table obtained from outside the vehicle and known to be undamaged. Alternatively, a past backup of the attack/anomaly relationship table, or the inspection history or correction history of the attack/anomaly relationship table may be used. However, the attack/anomaly relationship inspection table is not limited to a master table, and any criteria can be used to determine whether the integrity of the attack/anomaly relationship table has been damaged.

Constraint conditions may be defined as the criteria. For example, the number of consecutive 1's in adjacent columns in the attack/anomaly relationship table, the number of ECUs in which anomalies occur, the relative positions of the ECUs in which anomalies occur, etc. can be included. Using these criteria, corruption of the attack/anomaly relationship table can be detected when the number of anomalies (fires), the positions of the ECUs in which anomalies occur, the distance between ECUs in which anomalies occur, etc. are unnatural.

The attack/anomaly relationship table inspection unit 204 may determine that the attack/anomaly relationship table is corrupted, for example, when there is no 1 in the column indicating an anomaly caused by an attack, when the number of consecutive 1s or the number of ECUs in which an anomaly occurs is greater than a predetermined number. In addition, examples of cases in which the distance between ECUs in which an anomaly occurs is unnatural include when an anomaly occurs in ECUs on both ends of a sub-gateway, when an anomaly does not occur in an ECU in which an anomaly should not normally occur, when the distance between ECUs in which an anomaly occurs is too far, etc.

Alternatively, the predetermined range, ID number, type of equipment or standard, etc., described as the constraint conditions for the vehicle configuration information, may be used as the constraint conditions for the attack/anomaly relationship information. For example, if the attack/anomaly relationship table includes identification information for the attack starting point and the attack target, damage may be determined using the criterion of whether the identification information that specifies these satisfies the constraint conditions. If the identification information does not satisfy the constraint conditions, the attack/anomaly relationship table inspection unit 204 determines that the attack/anomaly relationship table is corrupted.

The correction unit 205 corrects the damage in the attack/anomaly relationship table when the location of the damage in the attack/anomaly relationship table is identified and can be corrected. When the location of the damage is identified but cannot be corrected, the correction unit 205 corrects the damaged portion in the attack/anomaly relationship table so that it is not used in subsequent inferences.

If the attack/anomaly relationship table is corrupted but the location of the corruption is unknown, the correction unit 205 may replace the corrupted attack/anomaly relationship table with a master table stored in the attack/anomaly relationship inspection table storage unit 203. The master table may be obtained from a source other than the attack/anomaly relationship inspection table storage unit 203. For example, when a vehicle equipped with the attack/anomaly relationship table inspection unit 200 passes another vehicle, the master table may be obtained from the other vehicle. Alternatively, the correction unit 205 may instruct the vehicle configuration information inspection unit 100 to regenerate the inspected attack/anomaly relationship table until the damage is no longer detected by the attack/anomaly relationship table inspection unit 204.

The output unit 206 outputs the corrected attack/anomaly relationship table or the inspected attack/anomaly relationship table to the attack estimation unit 300. If the corrupted attack/anomaly relationship table has been corrected by the correction unit 205, an attack/anomaly relationship table reflecting the correction is generated. The attack/anomaly relationship table output by the output unit 206 is inspected and corrected for defects when generating the attack/anomaly relationship table based on the vehicle configuration information table and damage caused by cyber attacks, etc., improving the accuracy of cyber attack analysis.

In order to prevent any disruption to cyber-attack analysis when updating the attack/anomaly relationship table, it is preferable to back up and update the attack/anomaly relationship table, and then switch over after the update. Alternatively, the attack/anomaly relationship table before the update may be buffered (stored), and the vehicle configuration information table may be changed after the update.

As shown in FIG. 2(b), when the attack analysis device 10 is a server device, the attack analysis device 10 acquires and inspects inspected attack/anomaly relationship tables related to a large number of vehicles. Therefore, the attack/anomaly relationship table storage unit 202 needs to store a large number of attack/anomaly relationship tables corresponding to the electronic control systems S of each vehicle. Therefore, in order to easily identify the electronic control systems S used by the vehicles, when the attack analysis device 10 is a server device, it is desirable for the attack/anomaly relationship table to include identification information that identifies the electronic control systems S. This allows the attack/anomaly relationship table inspection unit 204 to easily identify the attack/anomaly relationship tables to be used for inspection.

(4) Configuration of the Attack Inference Unit 300 The attack inference unit 300 will be described with reference to Fig. 10. The attack inference unit 300 includes a security log acquisition unit 301, an attack/anomaly relationship table acquisition unit 302, an estimation unit 303, a matching degree calculation unit 304, and an output unit 305.

The security log acquisition unit 301 acquires a security log indicating an abnormality detected in the electronic control system S.

The attack/anomaly relationship table acquisition unit 302 acquires the corrected or inspected attack/anomaly relationship table from the attack/anomaly relationship table inspection unit 200.

The estimation unit 303 estimates the cyber-attack that the electronic control system S has received, using the modified or inspected attack/anomaly relationship table. Specifically, the estimation unit 303 identifies a combination of predicted anomaly information and predicted anomaly location that corresponds to a combination of anomaly information and anomaly location information included in the security log, from the modified or inspected attack/anomaly relationship table. If the exact same combination as that in the security log does not exist in the modified or inspected attack/anomaly relationship table, the estimation unit 303 identifies the closest combination from among the combinations included in the modified or inspected attack/anomaly relationship table. Then, the estimation unit 303 estimates that the attack type indicating the closest combination is the type of cyber-attack that the electronic control system S has received. Corresponding to a combination means that the combination is the same or similar.

If the security log includes the sequence and number of times the anomaly indicated by the anomaly information occurs, the estimation unit 303 may further use this information when estimating the attack type. In this case, the attack/anomaly relationship table includes the sequence and number of times the anomaly occurs as predicted anomaly information.

When there are multiple closest combinations (e.g., attack A, attack B), the estimation unit 303 estimates that the type of cyber-attack received by the electronic control system S is either attack A or attack B. Alternatively, the estimation unit 303 may notify that the attack type corresponding to the cyber-attack received by the electronic control system S does not exist in the corrected or inspected attack/anomaly relationship table.

The estimation unit 303 may further estimate the type of attack received by the electronic control system S, as well as the location of the attack's starting point and the location of the target of the attack.

The estimation unit 303 may further estimate future anomalies or future attacks on the electronic control system S from the difference between the combination of the anomaly information and the anomaly position information and the combination of the predicted anomaly information and the predicted anomaly position information. For example, if the number of anomalies indicated by the anomaly information is smaller than the number of anomalies indicated by the predicted anomaly information, there is a risk that anomalies not included in the anomalies indicated by the predicted anomaly information will occur in the future. Therefore, the estimation unit 303 estimates that the difference between the anomaly indicated by the predicted anomaly information and the anomaly indicated by the anomaly information is an anomaly that will occur in the electronic control system S in the future. In such a case, the output unit 305 described later may output future anomaly information indicating the difference between the anomaly indicated by the predicted anomaly information and the anomaly indicated by the anomaly information.

Furthermore, if the number of abnormalities indicated by the anomaly information is less than the number of abnormalities indicated by the predicted anomaly information, the abnormality indicated by the anomaly information is an abnormality that occurs before an attack occurs, and there is a possibility that further abnormalities will occur as a result of future attacks. Therefore, the estimation unit 303 estimates that the attack of the estimated attack type is an attack that the electronic control system S may be subjected to in the future. In such a case, the output unit 305, which will be described later, may output future attack information indicating that the attack type included in the attack information is an attack that the electronic control system will be subjected to in the future.

The matching degree calculation unit 304 calculates the matching degree of a combination of anomaly information and anomaly position information when the combination of predicted anomaly information and predicted anomaly position information is not exactly the same as the combination of predicted anomaly information and predicted anomaly position information. The matching degree is represented, for example, by a numerical value obtained by dividing the difference between the number of anomalies indicated by the anomaly information and the number of anomalies indicated by the predicted anomaly information by the number of anomalies indicated by the anomaly information or the predicted anomaly information.

The output unit 305 outputs “attack information” indicating the attack estimated by the estimation unit 303. The attack information may further include the attack starting point position and the attack target position estimated by the estimation unit 303, and the matching degree calculated by the matching degree calculation unit 304.
Here, "attack information" may be any information related to an attack, such as the type or category of the attack, the attack path such as the starting point of the attack or the target of the attack, or the damage caused by the attack.

Furthermore, as described above, if the estimation unit 303 estimates an abnormality that may occur in the electronic control system S in the future or an attack that the electronic control system S may be subjected to in the future, the output unit 305 may output attack information including future attack information or future abnormality information.

The corrected or inspected attack/anomaly relationship table used by the estimation unit 303 for estimation is generated based on the vehicle configuration information inspected by the vehicle configuration information inspection unit 104, and is inspected or corrected by the attack/anomaly relationship table inspection unit 200. Therefore, damage to the attack/anomaly relationship table or the vehicle configuration information table used to generate the attack can be detected, and the impact of the damage on the estimation result can be reduced.

(5) Operation of the attack analysis device 10 Next, the operation of the attack analysis device 10 will be described with reference to Fig. 11. Note that Fig. 11 not only shows an attack analysis method executed by the attack analysis device 10, but also shows the processing procedure of an attack analysis program that can be executed by the attack analysis device 10.

The vehicle configuration information acquisition unit 101 of the vehicle configuration information inspection unit 100 acquires vehicle configuration information from a vehicle equipped with an electronic control system S or from a device having vehicle configuration information of the electronic control system S (S101).
The vehicle configuration information inspection unit 104 inspects the vehicle configuration information table (S102). From the viewpoint of preventing new errors from occurring after the inspection, it is desirable to perform this inspection immediately before the attack/anomaly relationship table generation unit 106 generates the attack/anomaly relationship table.
If the inspection result indicates that there is an error in the vehicle configuration information, the correcting unit 105 corrects the vehicle configuration information in the vehicle configuration information table (S104).
The attack/anomaly relationship table generating unit 106 generates and outputs an attack/anomaly relationship table based on the inspected vehicle configuration information (S105).

The attack/anomaly relationship table acquisition unit 201 of the attack/anomaly relationship table inspection unit 200 acquires the attack/anomaly relationship table from the vehicle configuration information inspection unit 100 (S105).
The attack/anomaly relationship table inspection unit 204 inspects the attack/anomaly relationship table (S106). This inspection is preferably performed immediately after acquiring the attack/anomaly relationship table, for example.
If the inspection result indicates that the attack/anomaly relationship table is corrupted, the correcting unit 205 corrects the attack/anomaly relationship table (S107).
The output unit 206 generates and outputs a corrected or tested attack/anomaly relationship table based on the test result (S108).

The security log acquisition unit 301 of the attack estimation unit 300 acquires the security log (S109).
The estimation unit 303 estimates the cyber-attack that the electronic control system S has been subjected to using the corrected or inspected attack/anomaly relationship table obtained from the attack/anomaly relationship table inspection unit 200 (S110).
If there is a difference between the predicted anomaly information stored in the attack/anomaly relationship table and the anomaly information included in the security log, the matching degree calculation unit 304 calculates the matching degree between the predicted anomaly information and the anomaly information (S111).
The output unit 305 outputs the attack information including the matching degree (S112).

(6) Summary As described above, according to the attack analysis device 10 disclosed herein, when the electronic control system S is subjected to a cyber-attack, the type of the cyber-attack is estimated using the tested attack/anomaly relationship table. As a result, even if the attack/anomaly relationship table is damaged, it is possible to eliminate or suppress the effect of the damage and analyze the saber attack.
In addition, since it is possible to automate the estimation of attack/anomaly relationship tables and damage to vehicle configuration information for a large number of diverse vehicles individually, inspections can be made more efficient than if they were managed individually.
Furthermore, when inspecting the vehicle configuration information or the attack/anomaly relationship table generated based on the vehicle configuration information, inspection can be performed for each individual vehicle, taking into account the characteristics of each individual vehicle. Also, when verifying in an analysis after an anomaly occurs, verification can be performed for each individual vehicle, taking into account the characteristics of each individual vehicle.

12 is a diagram showing a second embodiment. In this embodiment, the attack/anomaly relationship table inspection unit 200 and the attack estimation unit 300 are provided in the attack analysis device 20, and the vehicle configuration information inspection unit 100 is provided in an inspection device 21 that is a device separate from the attack analysis device 20.
The configurations and operations of the vehicle configuration information inspection unit 100, the attack/anomaly relationship table inspection unit 200, and the attack estimation unit 300 are the same as those in the first embodiment, and therefore will not be described.

Alternatively, as shown in FIG. 13 , the attack estimation unit 300 may be provided in the attack analysis device 20, and the vehicle configuration information inspection unit 100 and the attack/anomaly relationship table inspection unit 200 may be provided in an inspection device 21 that is a device separate from the attack analysis device 20.
Furthermore, although not shown, an inspection device including the vehicle configuration information inspection unit 100 and an inspection device including the attack/anomaly relationship table inspection unit 200 may be provided separately.

In these cases, as shown in FIG. 14, the attack analysis device 20 may be realized as a server device external to the vehicle, and the inspection device 21 may be mounted on the vehicle.
Among the processes executed by the attack analysis system, the process of estimating the server attack received by the electronic control system S, i.e., the process in the attack estimation unit 300, places the heaviest load on the vehicle. Therefore, by providing the server device with the attack analysis device 20 having the attack estimation unit 300, it becomes possible to significantly reduce the load on the vehicle.
Furthermore, by inspecting the vehicle configuration information, which is information closely related to the vehicle, in the vehicle, the capacity of the storage device of the server device can be reduced.

3. Summary The features of the attack analysis device and the like in each embodiment of the present invention have been described above.

The terms used in each embodiment are merely examples and may be replaced with synonymous terms or terms with equivalent functions.

The block diagrams used to explain the embodiments classify and organize the device configuration by function. The blocks showing each function are realized by any combination of hardware or software. In addition, since they show functions, such block diagrams can also be understood as disclosures of method inventions and program inventions that realize the methods.

The order of the functional blocks that can be understood as processes, flows, and methods described in each embodiment may be changed as long as there are no constraints such as a relationship in which one step uses the results of another step that precedes it.

The terms 1st, 2nd, through Nth (N is an integer) used in each embodiment and in the claims are used to distinguish between two or more configurations or methods of the same type, and do not limit the order or superiority or inferiority.

Each embodiment is based on an attack analysis device for analyzing cyber attacks against electronic control systems installed in vehicles, but the present invention also includes dedicated or general-purpose devices other than those for vehicles, unless otherwise limited by the claims.

Furthermore, examples of the form of the attack analysis device or inspection device of the present invention include the following.
Examples of the component include a semiconductor element, an electronic circuit, a module, and a microcomputer.
Examples of semi-finished products include an electronic control unit (ECU) and a system board.
Finished product forms include mobile phones, smartphones, tablets, personal computers (PCs), workstations, and servers.
Other examples include devices with communication functions, such as video cameras, still cameras, and car navigation systems.

Additionally, necessary functions such as antennas and communication interfaces may be added to the attack analysis device and inspection device.

The attack analysis device and inspection device of the present invention are expected to be used, particularly on the server side, for the purpose of providing various services. In providing such services, the attack analysis device of the present invention will be used, the method of the present invention will be used, and/or the program of the present invention will be executed.

In addition, the present invention can be realized not only by dedicated hardware having the configuration and functions described in each embodiment, but also as a combination of a program for implementing the present invention recorded on a recording medium such as a memory or hard disk, and general-purpose hardware having a dedicated or general-purpose CPU and memory capable of executing the program.

Programs stored in non-transient, physical recording media (e.g., external storage devices (hard disks, USB memory, CDs/BDs, etc.) or internal storage devices (RAM, ROM, etc.)) of dedicated or general-purpose hardware can also be provided to the dedicated or general-purpose hardware via the recording media, or via a communication line from a server without using a recording media. This makes it possible to always provide the latest functions through program upgrades.

The attack analysis device and inspection device of the present invention are intended primarily for analyzing attacks on electronic control systems mounted on automobiles, but may also be intended for analyzing attacks on normal systems not mounted on automobiles.

10, 20 Attack analysis device, 100 Vehicle configuration information inspection unit, 101 Vehicle configuration information acquisition unit, 102 Vehicle configuration information table storage unit, 103 Vehicle configuration information inspection table storage unit, 104 Vehicle configuration information inspection unit, 105 Correction unit, 106 Attack/anomaly relationship table generation unit, 200 Attack/anomaly relationship table inspection unit, 201 Attack/anomaly relationship table acquisition unit, 202 Attack/anomaly relationship table storage unit, 203 Attack/anomaly relationship inspection table storage unit, 204 Attack/anomaly relationship table inspection unit, 205 Correction unit, 206 Output unit, 300 Attack estimation unit, 301 Security log acquisition unit, 302 Attack/anomaly relationship table acquisition unit, 303 Estimation unit, 304 Matching degree calculation unit, 305 Output unit, 21 Inspection device

Claims (12)

An attack analysis device that analyzes attacks against an electronic control system installed in a moving object,
an attack/anomaly relationship information storage unit (202) for storing attack/anomaly relationship information indicating the relationship between predicted attack information indicating an attack that the electronic control system may be subjected to, predicted anomaly information indicating an anomaly that is predicted to occur if the electronic control system is subjected to the attack, and predicted anomaly position information indicating a position within the electronic control system where the predicted anomaly will occur;
a first storage unit (203) for storing first inspection information used for inspecting the attack/anomaly related information;
a first inspection unit (204) that inspects the attack/anomaly related information based on the first inspection information;
A security log acquisition unit (301) that acquires a security log indicating an abnormality detected in the electronic control system;
an estimation unit (303) for estimating an attack that the electronic control system has received based on the verified attack/anomaly related information and the security log;
and an output unit (305) that outputs attack information indicating the estimated attack.
Attack analysis device (10, 20). The first inspection information is a constraint condition of the attack/anomaly relationship information.
The attack analysis device according to claim 1 . The first inspection information is a past backup of the attack/anomaly related information, an inspection history or a correction history of the attack/anomaly related information, or a master table obtained from outside the mobile body.
The attack analysis device according to claim 1 . Furthermore, a vehicle configuration information acquisition unit (101) that acquires vehicle configuration information that is information related to an electronic control device that configures the electronic control system;
A second storage unit (103) that stores second inspection information used for inspecting the vehicle configuration information;
A second inspection unit (104) that inspects the vehicle configuration information based on the second inspection information;
and an attack/anomaly relationship information generating unit (106) that generates the attack/anomaly relationship information by using inspected vehicle configuration information.
The attack analysis device according to claim 1 . The second inspection information is a constraint condition of the vehicle configuration information.
5. The attack analysis device according to claim 4. The second inspection information is a past backup of the vehicle configuration information, an inspection history or a correction history of the vehicle configuration information, or master information acquired from outside the moving body.
5. The attack analysis device according to claim 4. The attack analysis device is provided outside the moving body.
An attack analysis device according to any one of claims 1 to 6. The attack analysis device is mounted on the moving body.
An attack analysis device according to any one of claims 1 to 6. An inspection device that inspects attack/anomaly related information used in an attack analysis device that analyzes attacks against an electronic control system installed in a moving object, comprising:
an attack/anomaly relationship information acquisition unit (201) that acquires the attack/anomaly relationship information indicating the relationship between predicted attack information indicating an attack that the electronic control system may be subjected to, predicted anomaly information indicating an anomaly that is predicted to occur if the electronic control system is subjected to the attack, and predicted anomaly position information indicating a position within the electronic control system where the predicted anomaly will occur;
a first storage unit (203) for storing first inspection information used for inspecting the attack/anomaly related information;
a first inspection unit (204) that inspects the attack/anomaly related information based on the first inspection information;
and an output unit (206) that outputs the verified attack/anomaly relationship information.
Inspection device (21). Furthermore, a vehicle configuration information acquisition unit (101) that acquires vehicle configuration information that is information related to an electronic control device that configures the electronic control system;
A second storage unit (103) that stores second inspection information used for inspecting the vehicle configuration information;
A second inspection unit (104) that inspects the vehicle configuration information based on the second inspection information;
and an attack/anomaly relationship information generating unit (106) that generates the attack/anomaly relationship information by using inspected vehicle configuration information.
10. The inspection apparatus according to claim 9. An attack analysis method executed by an attack analysis device that analyzes attacks against an electronic control system installed in a moving object, comprising:
The attack analysis device includes:
an attack/anomaly relationship information storage unit (202) for storing attack/anomaly relationship information indicating the relationship between predicted attack information indicating an attack that the electronic control system may be subjected to, predicted anomaly information indicating an anomaly that is predicted to occur if the electronic control system is subjected to the attack, and predicted anomaly position information indicating a position within the electronic control system where the predicted anomaly will occur;
A first storage unit (203) for storing first inspection information used for inspecting the attack/anomaly related information,
The attack analysis method includes:
Inspect the attack/anomaly related information based on the first inspection information (S106);
A security log indicating an abnormality detected in the electronic control system is obtained (S109).
Based on the verified attack/anomaly related information and the security log, an attack on the electronic control system is estimated (S110);
Outputting attack information indicating the estimated attack (S112);
Attack analysis method. An attack analysis program executable by an attack analysis device for analyzing attacks against an electronic control system installed in a moving object,
The attack analysis device includes:
an attack/anomaly relationship information storage unit (202) for storing attack/anomaly relationship information indicating the relationship between predicted attack information indicating an attack that the electronic control system may be subjected to, predicted anomaly information indicating an anomaly that is predicted to occur if the electronic control system is subjected to the attack, and predicted anomaly position information indicating a position within the electronic control system where the predicted anomaly will occur;
A first storage unit (203) for storing first inspection information used for inspecting the attack/anomaly related information,
The attack analysis program
Inspect the attack/anomaly related information based on the first inspection information (S106);
A security log indicating an abnormality detected in the electronic control system is obtained (S109).
Based on the verified attack/anomaly related information and the security log, an attack on the electronic control system is estimated (S110);
Outputting attack information indicating the estimated attack (S112);
Attack analysis program.