JP2024052533A - Attack analysis device, attack analysis method, and attack analysis program - Google Patents

Abstract

To provide a technique that can analyze cyber-attacks against vehicles with a high degree of accuracy.SOLUTION: An attack analysis device configured to analyze an attack which is an attack against an electronic control system 2 built in a vehicle 10, the attack being via a network, includes an infringement determination unit 472. The infringement determination unit 472 is configured to determine whether correspondence information matches a preset type of attack, and to determine whether a target element is infringed. The correspondence information is information that associates a system log which is a log of the electronic control system 2, with a communication log which is a log of communication between the electronic control system 2 and the outside of the vehicle 10.SELECTED DRAWING: Figure 1

Description

This disclosure relates to an attack analysis device, an attack analysis method, and an attack analysis program.

In recent years, technologies for driving assistance and autonomous driving control, including V2X (vehicle-to-vehicle communication and vehicle-to-infrastructure communication), have been attracting attention. As a result, vehicles are being equipped with communication functions, and so-called connected vehicles are becoming more common. As a result, the possibility of vehicles being subject to cyber attacks, such as unauthorized access, is increasing. For this reason, it is necessary to analyze cyber attacks against vehicles and develop countermeasures.

Patent Document 1 discloses a security device that collects data on detected anomalies and compares the combination of items in which an anomaly was detected with an anomaly detection pattern that is preset for each attack to identify the type of attack that corresponds to the anomaly.

JP 2020-123307 A

The inventors of the present application are actively researching technology for analyzing cyber attacks against vehicles based on actual anomaly information indicating anomalies detected in an electronic control system built into a vehicle, and predicted anomaly information indicating anomalies predicted to occur in the electronic control system if the vehicle is attacked. It is desirable for this type of technology to be able to analyze cyber attacks against vehicles with high accuracy.

One aspect of the present disclosure provides technology that can analyze cyber attacks against vehicles with high accuracy.

One aspect of the present disclosure is an attack analysis device configured to analyze attacks via a network against an electronic control system (2) built in a vehicle (10), and includes a determination unit (472, S102). The determination unit is configured to determine whether the correspondence information matches a preset attack type, and to determine whether a target element has been violated. The correspondence information is information that associates a system log, which is a log of the electronic control system, with a communication log, which is a log of communication between the electronic control system and the outside of the vehicle. In addition, the target element represents at least one of a component of the electronic control system and the electronic control system.

With this configuration, whether or not a breach has occurred is determined based on whether or not the correspondence information that associates system logs with communication logs matches the type of attack, making it possible to analyze attacks against vehicles via a network with high accuracy.

1 is a block diagram showing a configuration of an attack analysis system according to a first embodiment. FIG. 2 is a diagram showing an example of an arrangement of an electronic control device in an electronic control system. FIG. 2 is a diagram illustrating an example of data stored in a vehicle log DB. FIG. 2 is a block diagram showing a configuration of an inspection unit. FIG. 5A is a diagram showing an example of data of a communication analysis result table stored in a communication detection log DB of the first embodiment, and FIG. 5B is a diagram showing an example of data of a malware analysis result table stored in the communication detection log DB. FIG. 2 is a block diagram showing a configuration of an analysis unit according to the first embodiment. FIG. 11 is a diagram illustrating an example of predicted abnormality information. FIG. 11 is a diagram illustrating another example of predicted anomaly information. FIG. 11 is a sequence diagram of an attack analysis process according to the first embodiment. 10A is a diagram showing an example of information obtained by a communication data monitoring unit, FIG. 10B is a diagram showing an example of monitoring management information, and FIG. 10C is a diagram showing information inspected by an inspection unit. FIG. 13 is a block diagram showing a configuration of an attack analysis system according to a second embodiment. FIG. 13 is a block diagram showing a configuration of an analysis unit according to a second embodiment. FIG. 11 is a sequence diagram of an attack analysis process according to the second embodiment. 13 is a flowchart illustrating a log association process according to the second embodiment. 13 is a flowchart showing an intermediary communication determination process of the log association process according to the second embodiment; FIG. 11 is a diagram illustrating an example of a communication intermediation history according to the second embodiment. FIG. 11 is a diagram showing an example of function information (for example, communication-related functions) according to the second embodiment. 13 is a diagram illustrating an example of data of a communication analysis result table stored in a communication detection log DB of the second embodiment. FIG. 10 is a flowchart showing an infringement determination process according to a second embodiment. 13 is a flowchart showing an intentional communication determination process of the infringement determination process of the second embodiment. FIG. 13 is a diagram illustrating an example of data of a communication analysis result table stored in a communication detection log DB according to the third embodiment. 13 is a flowchart showing an intermediary communication determination process of the log association process according to the fourth embodiment; FIG. 13 is a diagram illustrating an example of a communication intermediation history according to the fourth embodiment. FIG. 13 is a diagram showing an example of function information (for example, communication-related functions) according to the fourth embodiment. FIG. 13 illustrates an example of an application log. 13 is a flowchart showing an intentional communication determination process of the infringement determination process of the fourth embodiment. FIG. 13 is a block diagram showing a configuration of an analysis unit according to a fifth embodiment. FIG. 23 is a sequence diagram of an attack analysis process according to the fifth embodiment.

Hereinafter, exemplary embodiments of the present disclosure will be described with reference to the drawings.
[1. First embodiment]
[1-1. Configuration]
1 is a system for analyzing attacks via a network against an electronic control system 2 built in a vehicle 10. An attack via a network means a so-called cyber attack.

The attack analysis system 1 includes an electronic control system 2 and an external vehicle device 4 .
The electronic control system 2 includes a plurality of electronic control units (hereinafter, ECUs). In the example shown in Fig. 1, the electronic control system 2 includes ECUs 2a to 2f. The ECUs 2a to 2f are connected via an in-vehicle network using CAN (registered trademark) or Ethernet (registered trademark). CAN is an abbreviation for Controller Area Network.

The ECUs 2a to 2f include monitoring units 3a to 3f, respectively. The monitoring units 3a to 3f are security sensors that monitor the programs executed by the CPUs of the ECUs and the networks to which the ECUs are connected. The ECUs 2a to 2f generate a system log when executing processing based on the programs. The system log is a log of the electronic control system 2, more specifically, a log related to the electronic control system 2 generated by the electronic control system 2. The system log includes a security log, a communication intermediation history described in detail in the second embodiment and subsequent embodiments, an application log described in detail in the fourth embodiment and subsequent embodiments, and the like, but does not include a communication log described later. The system log is also called a vehicle log when used away from the vehicle 10.
When the monitoring units 3a to 3f detect an abnormality in a program or a network, they generate a security log. The security log records information indicating the abnormality detected in the electronic control system 2, such as the time when the abnormality was detected, the abnormality position indicating the position where the abnormality occurred, and the identification information of the security sensor that detected the abnormality.

As shown in FIG. 2, the electronic control system 2 employs a multi-layer defense to enhance security against attacks. In multi-layer defense, security functions against attacks are provided hierarchically and in multiple layers, so that even if an attack occurs and the first layer is breached, the second layer may be able to defend against the attack. This configuration enhances the defense of the electronic control system 2. In this embodiment, the electronic control system 2 has three layers of defense. Note that in FIG. 2, the electronic control system 2 is equipped with a DLC 2g. DLC is an abbreviation for Data Link Connector. ECU 2e, ECU 2f, and DLC 2g belong to the first layer, ECU 2d belongs to the second layer, and ECU 2a and ECU 2b belong to the third layer. Note that the ECU 2c is omitted in FIG. 2. The number of layers of defense is not limited to three, and the system may have four or more layers of defense.

Returning to FIG. 1, in addition to the monitoring unit 3d, the ECU 2d may include an analysis unit 3g and a transmission unit 3h that transmits data to other ECUs. The analysis unit 3g manages the security log in the electronic control system 2, and may detect certain abnormal behavior before outputting the security log from the vehicle 10 to the external vehicle device 4. The ECU 2e also includes a communication unit 3i, which transmits the security log of each ECU to a communication data monitoring unit 41 described later. The ECU 2f also includes an app 3j, and executes any app function.

The off-vehicle device 4 is a computing device (i.e., a computer) installed outside the vehicle 10, and is mainly composed of a well-known computer having a CPU, ROM, RAM, flash memory, etc. The CPU executes a program stored in the ROM, which is a non-transient physical recording medium. By executing the program, a method corresponding to the program is performed. The off-vehicle device 4 may include one computer or multiple computers.

The method of realizing the functions of each part included in the external vehicle device 4 is not limited to software, and some or all of the functions may be realized using one or more pieces of hardware. For example, if the above functions are realized by electronic circuits that are hardware, the electronic circuits may be realized by digital circuits, analog circuits, or a combination of these.

The external vehicle device 4 includes a communication data monitoring unit 41, a vehicle log receiving unit 42, a vehicle log DB 43, a detection condition DB 44, an inspection unit 45, a communication detection log DB 46, and an analysis unit 47.

The communication data monitoring unit 41 is configured, for example, as a proxy that acts as an agent for access inside and outside the network, or as a full packet capture device that can collect all packets that pass through. The communication data monitoring unit 41 relays and monitors communication between each vehicle 10 and an external site 5 outside the vehicle 10, thereby generating a communication log for the vehicle 10. When the communication data monitoring unit 41 is a proxy and the vehicle 10 also has a proxy function, for example, the communication data monitoring unit 41 can be specified as the next destination by the proxy function of the vehicle 10 so that communication between the vehicle 10 and the external site 5 passes through the communication data monitoring unit 41. In addition, when the communication data monitoring unit 41 is a full packet capture device, for example, the communication between the vehicle 10 and the external site 5 can be configured to pass through the communication data monitoring unit 41 by setting a transfer policy of a firewall provided in the vehicle 10. The communication log is a log generated by the external device 4 and is a log related to communication between the electronic control system 2 and the external site 5 outside the vehicle 10. For example, as shown in FIG. 10A, the communication log records the time of communication, the source of communication (including IP address), the destination of communication (including IP address and URL), and the content of the communication.

The communication data monitoring unit 41 handles monitoring management information, such as that shown in Fig. 10B, in addition to the communication log. The monitoring management information is stored, for example, in the vehicle log DB 43. The monitoring management information includes, for example, a vehicle ID, a start time and end time of communication, an IP address of the communication source, a device of the communication source, and the like.
The monitoring and management information is acquired by actively notifying the external vehicle device 4 from the vehicle 10 when, for example, the ECU 2e is started or the IP address used by the communication unit 3i is changed. If the communication data monitoring unit 41 is a proxy, the monitoring and management information can also be acquired and generated from authentication information at the start of communication or vehicle configuration management information.

The vehicle log receiving unit 42 receives security logs from each vehicle 10 and registers them in the vehicle log DB 43 .
The vehicle log DB 43 is a database that holds security logs collected from each vehicle 10. As shown in Fig. 3, the vehicle log DB 43 stores data in which a vehicle ID, a detection time, a detection location, and a sensor ID are linked to each other.

The detection condition DB 44 is a database that holds information used by the structure analysis unit 451 of the inspection unit 45. For example, the detection condition DB 44 stores threat information, signatures, behavior patterns, etc. Threat information is known malicious communication destinations and file hash values. Signatures are pattern information that indicates malicious communication data, file data, and program functions. Behavior patterns are information that indicates the behavior patterns of malicious files, such as traces of malicious behavior and malware.

The inspection unit 45 analyzes the communication log to identify the malicious communication destination and the malicious communication content. The communication log used by the inspection unit 45 for analysis is, for example, information obtained by extracting necessary information from the communication log shown in FIG. 10A and the monitoring management information shown in FIG. 10B, as shown in FIG. 10C. This information may include, for example, the vehicle ID, the time of communication, the device from which the communication originated, the communication destination (including IP address and URL), and the content (type) of the communication data.

As shown in FIG. 4, the inspection unit 45 includes a structure analysis unit 451 , a communication destination analysis unit 452 , and a communication content analysis unit 453 .
The structure analysis unit 451 extracts, from the communication log, information to be analyzed by the structure analysis unit 451 and the communication destination analysis unit 452. Specifically, the structure analysis unit 451 analyzes the structure of a URL and extracts an IP address or a domain name, and analyzes the structure of communication contents and extracts data or files to be analyzed by the communication destination analysis unit 452.

The communication destination analysis unit 452 identifies malicious communication destinations. Specifically, the communication destination analysis unit 452 determines whether a communication destination recorded in the communication log or a communication destination extracted by the structure analysis unit 451 matches a malicious communication destination registered in the detection condition DB 44. For example, IP addresses, domains, URLs, etc. are registered as malicious communication destinations. In addition, it also determines whether a communication destination in the communication log matches a communication destination of a file determined to be malicious by the communication content analysis unit 453.

The communication content analysis unit 453 identifies malicious communication content. Specifically, the communication content analysis unit 453 performs surface analysis, static analysis, and dynamic analysis on the data and files extracted by the structure analysis unit 451, and determines whether the analysis results match the content registered in the detection condition DB 44.

Surface analysis involves collecting information about whether the file itself is malicious and meta-information about the file.
Static analysis collects information on the functions and characteristic byte sequences in the malware's program code, while dynamic analysis also targets potential functions that do not operate.

Dynamic analysis involves collecting information on what traces are left behind and what communication occurs when program code is actually run. The program code is actually run and its behavior is analyzed.

The communication detection log DB46 is a database that holds communication logs analyzed by the communication destination analysis unit 452 or the communication content analysis unit 453. Hereinafter, a communication log that is determined to match the detection conditions by the communication destination analysis unit 452 or the communication content analysis unit 453 is also referred to as a communication detection log. The communication detection log DB46 stores a communication analysis result table and a malware analysis result table. As shown in FIG. 5A, the communication analysis result table stores data that is linked to the vehicle ID, communication time, communication source, communication destination, detection reason, communication content, and malware ID. As shown in FIG. 5B, the malware analysis result table stores data that is linked to the malware ID, context type, and context.

As shown in FIG. 6 , the analysis unit 47 includes a log association unit 471 , an infringement determination unit 472 , an attack/anomaly relationship table storage unit 473 , an estimation unit 474 , and an output unit 475 .
The log association unit 471 associates the logs stored in the vehicle log DB 43 with the logs stored in the communication detection log DB 46. In this embodiment, the log association unit 471 associates the logs by the following process, and outputs correspondence information, which is the associated log, to the infringement determination unit 472.

First, the log association unit 471 extracts logs whose communication time falls within a predetermined time frame T1 from the communication detection log DB 46. The log association unit 471 also extracts logs whose detection time falls within a predetermined time frame T1 from the vehicle log DB 43. Note that the time frame T1 is one of multiple time ranges separated by a predetermined time.

Next, the log association unit 471 associates the logs from the following viewpoints.
(Viewpoint a) The vehicle ID in the communication detection log DB 46 and the vehicle ID in the vehicle log DB 43 match.

(Point b) The communication source and destination in the communication detection log DB 46 match the detection location in the vehicle log DB 43.
(Viewpoint c) The communication time in the communication detection log DB 46 and the detection time in the vehicle log DB 43 are within a predetermined time frame T2. The time frame T2 is a time range different from the time frame T1, for example, a time range in units of several seconds, and is a value smaller than the time frame T1.
As described above, the communication detection log and the security log are associated so as to be synchronized.

The infringement determination unit 472 determines whether the corresponding information matches a preset attack type. The infringement determination unit 472 makes a determination for each piece of corresponding information. Specifically, the infringement determination unit 472 identifies the position where the abnormality occurred in the electronic control system 2 based on whether the corresponding information matches one of a number of attack types. The infringement determination unit 472 can then classify the position where the abnormality occurred as either a position that has been infringed by an attack or a position that is highly likely to have been infringed by an attack. In other words, the infringement determination unit 472 analyzes the corresponding information and determines the infringement probability, which is the probability that the ECU that is the source of the communication has been infringed. The infringement probability includes two types of probability: when it is determined that there is a high possibility that an infringement has occurred, and when it is determined that an infringement has occurred.

The multiple attack types may include at least one of an attack type related to the communication destination and an attack type related to the communication content. The attack type related to the communication destination may include information indicating the communication destination itself, such as an IP address, a domain name, or a URL, and information indicating the type of the communication destination, such as a C&C server. The attack type related to the communication content may include, for example, information indicating the communication content itself, such as transmitted data or received data, as shown in FIG. 5B, and information indicating the type of communication content, such as downloading malware. In addition, malware functions other than communication may also be included. Examples of malware functions other than communication may include information regarding the operation of malware harmful to the vehicle, such as disabling the function of a security sensor. The security sensor may include security software.

In this embodiment, the intrusion determination unit 472 determines that the ECU that is the source of communication has been intruded in the following cases.
(i) When communication is occurring that downloads malware from an ECU that does not perform processing in response to user interaction.

(b) When the data transmitted by the ECU is determined to be malicious.
(C) When it is confirmed from the corresponding information that the behavior confirmed during dynamic analysis is occurring in the ECU, for example, when communication after malware infection, such as callback communication to a C&C server, is recorded, or when a CAN message specifying a suspicious ID is recorded, this corresponds to the case.

In addition, the intrusion determination unit 472 determines that there is a high possibility that the ECU that is the source of communication has been intruded into in the following cases.
(ii) When the data received by the ECU is determined to be malicious.

(e) When the ECU communicates with a destination determined to be malicious.
It should be noted that if the ECU from which communication originates corresponds to both a case where it has been compromised and a case where it is highly likely to have been compromised, it is determined that it has been compromised. Looking at Figures 5A and 5B, for example, since the first row of the communication analysis result table records that ECU-1 has accessed a malicious site, ECU-1 corresponds to a case where it is highly likely to have been compromised. Also, according to the second and third rows of the communication analysis result table, ECU-1 is communicating with communication destination C obtained in the analysis results of malware A, which is recorded in the first row of the malware analysis result table. Therefore, ECU-1 also corresponds to a case where it has been compromised. In this case, the case where it has been compromised takes precedence, and ECU-1 is determined to have been compromised.

The attack/anomaly relationship table storage unit 473 holds predicted anomaly information indicating a combination of anomalies predicted to occur in the electronic control system 2 when attacked for each type of attack. The predicted anomaly information shown in FIG. 7 and FIG. 8 indicates, for each type of attack, an anomaly that will occur when the electronic control system 2 is attacked and the location where the anomaly will occur. As shown in FIG. 7 and FIG. 8, it is assumed that anomalies will occur at multiple locations when attacked. The predicted anomaly information further indicates the correspondence between the type of attack and the assumed starting point and target of the attack when attacked. Note that in FIG. 7 and FIG. 8, the upper diagram shows the predicted anomaly information held in the attack/anomaly relationship table storage unit 473, and the lower diagram shows the predicted anomaly information after being changed by the estimation unit 474.

For example, if an attack of type Attack A occurs, the electronic control system 2 predicts that abnormalities A and C will occur in ECU-1, which is located in the first layer. The starting point of Attack A is the location indicated by 0x00, and the target of the attack is the location indicated by 0x01. Note that for the starting point and target of the attack, 0x00 indicates outside the vehicle, and 0x01 to 0x05 indicate ECU-1 to ECU-5, respectively.

The estimation unit 474 estimates the type of attack by determining the similarity between the actual anomaly information and the predicted anomaly information. The actual anomaly information is data that indicates a combination of anomalies that have actually been detected, generated based on a security log. Specifically, the actual anomaly information has items similar to the anomaly contents of the predicted anomaly information in Figures 7 and 8, and is a data string that is expressed as 1 if there is a security log indicating that an anomaly has actually been detected at the corresponding position, and 0 if there is not. Estimating the type of attack can also be thought of as estimating the attack path. This is because the "position of an anomaly predicted to occur in the event of an attack" shown in each row of the table of predicted anomaly information can be thought of as constituting the attack path.

Here, the estimation unit 474 modifies the predicted anomaly information by using the correspondence information before determining the similarity between the actually measured anomaly information and the predicted anomaly information.
In this embodiment, the estimation unit 474 changes the predicted anomaly information by performing the following processing.

(i) The coefficient of the table entry corresponding to the ECU determined to have a high probability of being hacked is increased by a predetermined number. For example, as shown in FIG. 7, if it is determined that ECU-3 has a high probability of being hacked, the coefficients of abnormalities A and B predicted to occur in ECU-3 are increased by 1, changing them from 1 to 2.

(b) The coefficient of the table entry corresponding to the ECU determined to have been compromised is increased by a predetermined number. Alternatively, the coefficient of the table entry corresponding to the ECU located in the same layer as the ECU determined to have been compromised is decreased by a predetermined number. For example, as shown in Figure 7, if ECU-1 is determined to have been compromised, the coefficients of abnormalities A and C that were predicted to occur in ECU-2 located in the same layer as ECU-1 are set to zero. This means that in the first layer, ECU-1, not ECU-2, has been identified as the entry point for the attack.

For example, when the predicted anomaly information in Figure 8 is used, if it is determined that ECU-1 has been compromised, the coefficients of HIDS anomalies and authentication anomalies predicted to occur in ECU-2, which is located in the same layer as ECU-1, are set to zero.

(a) When behavior consistent with infected malware is recorded in the security log of an ECU determined to be compromised or a network connected to the ECU, among the corresponding table entries, the coefficient of the table entry of the security sensor that recorded the security log is increased. For example, a case will be described in which the predicted anomaly information of FIG. 8 is changed based on the correspondence information including the communication detection log of FIG. 5A and FIG. 5B. According to the malware analysis result table of FIG. 5B, malware A has a function of transmitting a CAN message that may be detected by CAN-IDS. Therefore, in the predicted anomaly information of FIG. 8, among the coefficients of the CAN-IDS anomaly of ECU-3 that detects an abnormality of the CAN bus adjacent to ECU-1 determined to be compromised, in the row where the coefficient of the anomaly related to ECU-1 is greater than zero, the coefficient of the CAN-IDS anomaly of ECU-3 is increased by 1, changing it from 1 to 2.

The estimation unit 474 performs the above process and estimates the type of attack using the predicted anomaly information with the modified coefficient. In this embodiment, the actual anomaly information is compared with the predicted anomaly information, and the row in the table with the closest combination is identified. Specifically, the inner product of the data string of the actual anomaly information expressed as a vector and the data string of the predicted anomaly information expressed as a vector is calculated, and the inner product is divided by the number of elements in the vector of the predicted anomaly information that have a value greater than 0, and the row in the table of the predicted anomaly information with the highest result is extracted.

In addition to estimating the type of attack, the estimation unit 474 may also estimate the starting point of the attack and the target of the attack. Since the predicted abnormality information stores the type of attack in association with the starting point of the attack and the target of the attack, the estimation unit 474 can estimate the starting point of the attack and the target of the attack using the predicted abnormality information. Note that an ECU determined to have been invaded by the intrusion determination unit 472 may be regarded as a damaged location regardless of the result of the estimation unit 474. Looking at the example of FIG. 8, for example, if the actual measurement abnormality information has the highest similarity to the row of attack D, it can be estimated that attack D was performed from ECU-1 to ECU-3. In this way, by estimating the starting point of the attack and the target of the attack, the route of the attack can also be estimated.

The output unit 475 outputs the type of attack estimated by the estimation unit 474 to an attack countermeasure device (not shown) that takes measures against the attack.
[1-2. Processing]
The attack analysis process performed by the analysis unit 47 of the external vehicle device 4 will be described with reference to FIG.

First, in S101, the log association unit 471 acquires a security log from the vehicle log DB 43 and a communication detection log from the communication detection log DB 46. Then, the log association unit 471 associates the security log with the communication detection log, and outputs the associated log, which is the correspondence information, to the intrusion determination unit 472.

Next, in S102, the intrusion determination unit 472 analyzes the corresponding information and determines the intrusion probability of the ECU that is the communication source. The intrusion determination unit 472 outputs the determination result including the intrusion probability to the estimation unit 474.

Next, in S103, the estimation unit 474 acquires the predicted anomaly information stored in the attack/anomaly relationship table storage unit 473, and updates the predicted anomaly information using the judgment result regarding the corresponding information.

Next, in S104, the estimation unit 474 estimates the type of attack by determining the similarity between the actual anomaly information indicating the combination of anomalies actually detected based on the security log and the predicted anomaly information updated in S103. The estimation unit 474 outputs the estimated type of attack to the output unit 475.

Next, in S105, the output unit 475 outputs the type of attack to the attack countermeasure device.
[1-3. Effects]
According to the first embodiment described above in detail, the following effects can be obtained.
(1a) The off-vehicle device 4 is configured to analyze an attack via a network against an electronic control system 2 built in a vehicle 10. The off-vehicle device 4 includes an analysis unit 47. The analysis unit 47 is configured to determine whether or not correspondence information that associates a system log with a communication log matches a preset type of attack, and is configured to determine whether or not a target element has been infringed.
According to this configuration, whether or not the corresponding information has been infringed is determined based on whether or not it matches the type of attack, so that attacks against the vehicle 10 via a network can be analyzed with high accuracy.

(1b) In the above embodiment, a configuration is exemplified in which it is determined whether the corresponding information matches a preset attack type. The corresponding information is information in which a security log and a communication detection log are associated with each other. With such a configuration, in addition to the security log, it is possible to determine whether the attack type matches by taking into account the communication detection log, which includes the attack code and malware characteristics that actually caused the abnormality. Therefore, it is possible to analyze cyber attacks against vehicles with high accuracy compared to a configuration in which it is determined whether the attack type matches using only the security log.

(1c) In the above embodiment, a configuration is exemplified in which the estimation unit 474 updates the predicted anomaly information using the determination result on the corresponding information determined by the intrusion determination unit 472, and estimates the type of attack by determining the similarity between the updated predicted anomaly information and the actual anomaly information. With this configuration, it is possible to take into account the actual tendency of attacks compared to when the predicted anomaly information is used as is without updating it. Therefore, it is possible to analyze cyber attacks against vehicles with high accuracy.

(1d) In the above embodiment, a configuration was exemplified in which the inspection unit 45 analyzed the communication log and identified the malicious communication destination and the malicious communication content. With such a configuration, it is possible to analyze a cyber attack by taking into account the communication destination and communication content that are the actual cause of the abnormality.

(1e) In the above embodiment, a configuration is exemplified in which the infringement determination unit 472 can classify the infringement probability of the ECU that is the communication source depending on whether the ECU matches one of a number of attack types. With such a configuration, for example, the process of changing the predicted anomaly information can be made different depending on the infringement probability. Specifically, by making the increase rate of the coefficient of the table entry for an ECU determined to have been infringed different from the increase rate of the coefficient of the table entry for an ECU determined to have a high possibility of being infringed, more reliable predicted anomaly information can be generated.

(1f) In the above embodiment, a configuration is exemplified in which a communication detection log and a security log are associated so as to be synchronized based on the time at which an abnormality occurred, which is included in the security log, and the time of communication, which is included in the communication detection log. With such a configuration, logs that are relatively close in time can be associated with each other, thereby reducing the possibility that unrelated communication detection logs and security logs are associated with each other.

(1g) In the above embodiment, the predicted anomaly information is information that, for each type of attack, uses coefficients to represent the location where an anomaly is predicted to occur in the electronic control system 2 when attacked, and an example is given of a configuration in which the combination of predicted anomalies can be changed by changing the coefficients. With such a configuration, the likelihood of the combination of predicted anomalies can be expressed by the coefficients. In addition, the similarity can be easily visualized by vectorizing the coefficients and calculating the similarity.

(1h) In the above embodiment, the electronic control system 2 has a three-layer structure, and the estimation unit 474 estimates that other ECUs located in the same layer as an ECU in which an abnormality is predicted to occur have not been compromised. With this configuration, it becomes clearer that an ECU in which an abnormality is predicted to occur is an entry point for an attack, and more reliable predicted abnormality information can be generated.

(1i) In the above embodiment, a configuration has been exemplified in which the external vehicle device 4 is installed outside the vehicle 10 as an attack analysis device. With such a configuration, the attack analysis device receives security logs via a wireless communication network, so the processing load on the vehicle 10 can be reduced compared to when the attack analysis device is installed inside the vehicle 10.

[2. Second embodiment]
[2-1. Differences from the first embodiment]
The second and subsequent embodiments have the same basic configuration as the first embodiment, and therefore differences will be described below. Note that the same reference numerals as those in the first embodiment indicate the same configuration, and the preceding description will be referred to.

The second embodiment differs from the first embodiment in that it further includes communication intermediation units 3m, 3n and a function information DB 48. The communication intermediation units 3m, 3n are configured to mediate communication within the vehicle. The second embodiment also differs from the first embodiment in that the attack/anomaly relationship table storage unit 473 and the estimation unit 474 are not required. Note that in the second embodiment, the processing executed by the estimation unit 474 is also not required. In the second embodiment, the vehicle log receiving unit 42 of the external vehicle device 4 receives communication intermediation history from each vehicle 10 and registers it in the vehicle log DB 43.

[2-2. Configuration]
11, in the second embodiment, an ECU 2d belonging to the second layer includes a communication intermediate unit 3m, and an ECU 2e belonging to the first layer includes a communication intermediate unit 3n. An ECU 2f belonging to the first layer may further include a communication intermediate unit 3p and may further include an external device 5a. The external device 5a may be configured as a smartphone.

The communication mediation units 3m, 3n are configured to mediate communications desired by other ECUs such as ECUs 2a-2c, and to communicate with the outside of the vehicle via the communication unit 3i of other ECUs such as ECU 2e.

The function information DB 48 is provided in, for example, the external vehicle device 4, as shown in FIG. 11. The function information DB 48 is a database that stores information about the communication-related functions of each of the ECUs 2a-2f, etc. in the vehicle 10 (for example, the function information described below). The communication-related functions may include a communication destination designation function and a communication intermediation function described below, as well as information about the communication protocol, communication speed, etc.

As shown in FIG. 12, the log association unit 471 associates the logs stored in the vehicle log DB 43, the logs stored in the communication detection log DB 46, and the information stored in the function information DB 48. In this embodiment, the logs stored in the vehicle log DB 43 include communication mediation history within the vehicle. In this case, the logs stored in the vehicle log DB 43 do not need to include the logs of the security sensors.

In other words, this embodiment is configured not to use the log of the security sensor of the vehicle 10. Therefore, even if an abnormality cannot be detected using the security sensor, if a communication detection log can be obtained, it is possible to determine from the result that the communication source has been compromised. Note that cases in which an abnormality cannot be detected using the sensor include when the security sensor of the vehicle 10 breaks down, when there is a flaw in the design of the security sensor, or when attack methods have become more sophisticated.

[2-3. Processing]
The attack analysis process performed by the analysis unit 47 of the external vehicle device 4 will be described with reference to the sequence shown in FIG. 13 and the flowcharts shown in FIGS.

First, in S101, the log association unit 471 acquires the communication intermediation history obtained from the vehicle log DB 43, the communication detection log obtained from the communication detection log DB 46, and the function information obtained from the function information DB 48. Then, the log association unit 471 associates the communication intermediation history, the communication detection log, and the function information, and outputs the corresponding information, which is an associated log, to the intrusion determination unit 472. Note that, in the first embodiment, the corresponding information related to an abnormality that has occurred inside the vehicle is output, but in the second embodiment, the corresponding information that may not include information related to an abnormality that has occurred inside the vehicle is output.

Details of S101 are shown in the flowcharts of FIG. 14 and FIG. 15. FIG. 14 and FIG. 15 are flowcharts showing the log association process performed by the analysis unit 47 of the external vehicle device 4. Note that, in the log association process, although a determination is disclosed on a device-by-device basis as an example, this configuration is not limiting. For example, recording and determination may be performed on an application-by-application basis running on the device.

As shown in FIG. 14, in the log association process, the analysis unit 47 first acquires logs with the same vehicle ID and within a predetermined time period (e.g., time frame T1) from each DB 43, 46, 48 in S201, and performs association. In this process, the communication detection log, the communication intermediation history shown in FIG. 16, and the function information (e.g., communication-related functions) shown in FIG. 17 are first acquired.

As shown in FIG. 16, the communication mediation history includes information such as the ECU identifier, type of function provided, start time of mediation, end time of mediation, communication source, and communication destination. In other words, the communication mediation history is information that indicates what type of communication mediation function was used by the ECU with the corresponding identifier to mediate communication from where (communication source) to where (communication destination), and from when (start time) to when (end time).

As shown in FIG. 17, the function information includes information such as the ECU identifier, the presence or absence of a communication destination designation function, and the presence or absence of a communication intermediation function. Note that the communication destination designation function indicates a function that allows a party other than the vendor (e.g., a user) to designate a communication destination.

In particular, a vendor includes any of the following: manufacturer, supplier, and seller. Furthermore, a communication destination designation function includes, for example, an application such as a browser that allows a user to designate a communication destination, and an application such as a mailer that allows a third party to designate a communication destination. If such an application is installed, the function is associated with the device. If this function is present, there is a possibility that communication with a malicious communication destination may occur unintentionally as a result of user operation.

In addition, the communication intermediation function includes, for example, a function that mediates communication between other devices, such as a Wi-Fi (registered trademark) access point, and a function that mediates communication between other ECUs or applications, such as a proxy. If this function is present, even if communication with a malicious destination occurs, it can be determined that there is a high possibility that the cause is communication with another device or ECU.

Then, in S203 shown in FIG. 14, the analysis unit 47 determines whether or not there is an associated log. The log here is, for example, a communication detection log that is a result of inspecting information such as that shown in FIG. 10C. If there is no associated log, this process ends. If there is an associated log in S203, this process proceeds to S205, and the analysis unit 47 performs an mediated communication determination process.

The mediated communication determination process is a process for determining whether or not the ECU of the communication source has a communication mediation function, and for identifying the device of the communication source as necessary. In the mediated communication determination process, as shown in FIG. 15, the analysis unit 47 determines in S221 whether or not the communication source (hereinafter, sometimes referred to as the relevant communication source) described in the communication detection log (e.g., the log in FIG. 5A) has a communication mediation function.

If the communication source does not have a communication intermediation function, the process proceeds to S227, which will be described later. If the communication source has a communication intermediation function, the process proceeds to S223. Next, in S223, the analysis unit 47 refers to the communication intermediation history (FIG. 16). Next, in S225, it is determined whether there is an intermediation history (hereinafter, sometimes abbreviated as the corresponding intermediation history) in which the communication source intermediates a communication to the same destination as the communication destination recorded in the communication detection log during the corresponding time period corresponding to the communication time recorded in the communication detection log.

If there is no relevant intermediation history in S225, the process proceeds to S227. In this case, the analysis unit 47 determines in S227 that the communication whose content is described in the communication detection log is not a communication by a device other than the relevant communication source, i.e., it is not a communication using the communication intermediation function, and ends the intermediary communication determination process.

Furthermore, if there is a corresponding intermediation history in S225, the process proceeds to S229. In this case, in S229, the analysis unit 47 determines whether the source of the communication mediated by the corresponding communication source (hereinafter sometimes abbreviated as the source of the communication mediated within the vehicle) is another in-vehicle device (i.e., a device within the vehicle 10, and a device other than the currently recognized communication source). Note that in the example of FIG. 16, the source of the communication mediated by the corresponding communication source ECU1 is ECU6. This is because in this example, the communication intermediation history indicates that ECU1 mediated the communication mediated by ECU3, the communication source of which is ECU6.

If the source of the communication mediated within the vehicle is another in-vehicle device, the process proceeds to S231. In this case, the analysis unit 47 determines in S231 that the communication content described in the communication detection log is communication of another in-vehicle device, and ends the mediated communication determination process. Also, if the source of the communication mediated within the vehicle is not another in-vehicle device in S229, the process proceeds to S233. In this case, the analysis unit 47 determines in S233 whether the source of the communication mediated within the vehicle is an external device (for example, an external device 5a such as a smartphone).

If the source of the communication mediated within the vehicle is a device outside the vehicle, the process proceeds to S235. In this case, the analysis unit 47 determines in S235 that the communication content described in the communication detection log is communication from a device outside the vehicle, and ends the mediated communication determination process. Also, if the source of the communication mediated within the vehicle is not a device outside the vehicle in S233, the process proceeds to S237. In this case, the analysis unit 47 determines in S237 that the source of the communication content described in the communication detection log is unknown, and ends the mediated communication determination process.

When the intermediated communication determination process is completed, the process returns to FIG. 14 and proceeds to S207. In S207, the analysis unit 47 determines whether or not the source of the communication mediated in the vehicle is determined to be an external device in the intermediated communication determination process. If the source of the communication mediated in the vehicle is an external device, the process proceeds to S209. In S209, the analysis unit 47 sets the source of the communication of the communication content indicated in the communication detection log to the source described in the corresponding communication intermediate history, and proceeds to S211.

Also, if the source of the communication mediated within the vehicle is not an external vehicle device in S207, the process proceeds to S211. In this case, the analysis unit 47 determines in S211 whether or not the mediated communication determination process has determined that the source of the communication mediated within the vehicle is another in-vehicle device. If the source of the communication mediated within the vehicle is another in-vehicle device, the process proceeds to S213. In this case, the analysis unit 47 sets the source of the communication content described in the communication detection log to the source described in the corresponding communication mediation history in S213, and ends the log association process. Also, if the source of the communication mediated within the vehicle is not another in-vehicle device in S211, the mediated communication determination process ends.

When the process of S209 or S213 is performed in the above communication determination process, the analysis unit 47 rewrites the communication analysis result table (i.e., the communication detection log included in the correspondence information) as shown in FIG. 18, for example. In the communication analysis result table shown in FIG. 18, the notation "ECU1" written as the communication source in the table shown in FIG. 5A is rewritten to "ECU6". In other words, by mediating the communication within the vehicle, the apparent communication source ECU1 is rewritten to the actual communication source ECU6.

Returning to FIG. 13, in S102, the intrusion determination unit 472 analyzes the corresponding information and determines the intrusion probability of the ECU that is the communication source. The intrusion determination unit 472 outputs the determination result including the intrusion probability (e.g., the estimated type of attack) to the output unit 475.

Details of S102 are shown in the flowcharts of FIG. 19 and FIG. 20. FIG. 19 and FIG. 20 are flowcharts showing the infringement determination process performed by the analysis unit 47 (e.g., the infringement determination unit 472) of the external device 4. The infringement determination process is performed for each corresponding information. In the infringement determination process, as shown in FIG. 19, in S261, the analysis unit 47 performs an infringement determination of the communication source. In this process, an infringement determination is performed for the actual communication source. As in the first embodiment, the infringement determination procedure includes determining whether the correspondence information including the content of the communication of the communication source and the information of the communication destination matches any of a plurality of pre-set attack types, and, if it matches any of the plurality of attack types, determining the infringement probability of the communication source according to which attack type it matches. The infringement probability of the communication source includes two classifications: the communication source is highly likely to have been infringed, and the communication source has been infringed. Since the second embodiment does not use a security log, the intrusion judgment in the second embodiment uses a type of attack that can be judged without using a security log among the multiple attack types exemplified in the first embodiment. Therefore, among the (c) described in the first embodiment, "Confirm from the corresponding information that the behavior confirmed during dynamic analysis is occurring in the ECU", the one that requires confirmation that a CAN message specifying a suspicious ID is recorded is not performed in the second embodiment. In the second embodiment, the ECU in (a) to (e) described in the first embodiment is read as the communication source. The reason for this is that, as shown by the existence of the judgment in S265 described later, in the second embodiment, the communication source in S261 is premised on the possibility that it is an ECU, as well as the possibility that it is an external device such as a smartphone. In the second embodiment, (a) is defined more broadly than in the first embodiment so as to include the case where communication that downloads malware is generated from the communication source. The reason for this broad definition is that in the second embodiment, an artificial communication judgment is made in S267 described later.

Next, in S263, the analysis unit 47 determines whether or not the communication source may have been compromised. A case in which the communication source may have been compromised is when it is determined that the corresponding information matches one of a number of pre-set attack types, including cases in which the communication source is classified as "compromised" and cases in which the communication source is classified as "highly likely to have been compromised." If the communication source is not likely to have been compromised, this process ends. If the communication source is likely to have been compromised, this process proceeds to S265.

Next, in S265, the analysis unit 47 determines whether the communication source is a device outside the vehicle. If the communication source is a device outside the vehicle, the process proceeds to S273. Then, in S273, the analysis unit 47 determines that the vehicle has not been infringed, and ends the infringement determination process.

Also, in S265, if the analysis unit 47 determines that the communication source is not an external device, the process proceeds to S267. Next, in S267, the analysis unit 47 performs an intentional communication determination process. The intentional communication determination process is a process for determining whether or not the communication from the communication source is likely to be an intentional communication.

In the intentional communication determination process, as shown in FIG. 20, in S281, the analysis unit 47 determines whether the ECU from which the communication originates has a communication destination designation function. If the ECU does not have the communication destination designation function, the process proceeds to S283. Next, in S283, the analysis unit 47 determines that the communication is not intentional, and ends the intentional communication determination process.

Also, in S281, if the communication destination designation function is present, the process proceeds to S285. Next, in S285, the analysis unit 47 determines that there is a possibility of artificial communication, and ends the artificial communication determination process.

When the intentional communication determination process is completed, the process returns to Fig. 19 and proceeds to S269. Next, in S269, the analysis unit 47 determines whether or not the communication is determined to be a communication due to an intentional operation (i.e., there is a possibility of the communication being an intentional communication).
If it is determined that the communication is the result of a human operation, the infringement determination process ends. If it is determined that the communication is not the result of a human operation, the process proceeds to S271. Then, in S271, the analysis unit 47 determines that the communication source has been infringed, and the infringement determination process ends.

Returning to FIG. 13, in S105, the output unit 475 outputs the type of attack to the attack countermeasure device. Note that in this embodiment, the processes of S103 and S104 shown in FIG. 9 can be omitted.

[2-4. Effects]
According to the second embodiment described above in detail, in addition to the effect (1a) of the first embodiment described above, the following effect is further achieved.

(2a) In the configuration of the second embodiment, the system log includes a history of communication between the electronic control system 2 and the outside of the electronic control system 2, and the analysis unit 47 identifies the source of the communication in the communication detection log from the history and then determines whether the target element has been infringed. When the ECU that is the source of the communication is an electronic control device whose communication destination cannot be specified by anyone other than the vendor, the analysis unit 47 determines that there is a high probability that the target element such as the ECU has been infringed.
For example, when the electronic control system 2 performs communication with the ECU 6 as the ECU 2c shown in Fig. 1 as the transmission source, the ECU 6 accesses an external site via the ECU 2d and the ECU 2e. The content of the communication at this time is monitored by the external device 4, and the log association process described above is performed. In the log association process, it is recognized that the transmission source is the ECU 6, as shown in Fig. 18. Then, in the intrusion determination process shown in Fig. 19, if it is determined that the communication source may have been intruded (YES in S263), the communication source is not an external device (NO in S265), and the communication is not an artificial communication (NO in S269), it is determined that the ECU 6 has been intruded.
Therefore, even in a configuration in which communication is mediated, it is possible to satisfactorily determine whether or not the vehicle 100 has been invaded.

[3. Third embodiment]
[3-1. Configuration]
The third embodiment provides a configuration in which the electronic control system 2 relays communication from an external vehicle device 5a such as a smartphone, and if there is a possibility that this communication may be malicious, it can appropriately determine whether the vehicle has been hacked.

As shown in FIG. 11, in the third embodiment, the ECU 2e belonging to the first layer includes a communication intermediation unit 3n, and the ECU 2f includes a communication intermediation unit 3p. Also, an external device 5a configured as a smartphone is provided. Note that the ECU 2d belonging to the second layer may include a communication intermediation unit 3m. Also, in the third embodiment, the vehicle log receiving unit 42 of the external device 4 receives communication intermediation history from each vehicle 10 and registers it in the vehicle log DB 43, as in the second embodiment.

[3-2. Processing]
The process in this embodiment is similar to that in the second embodiment.
[3-3. Effects]
According to the third embodiment described above in detail, in addition to the effect (1a) of the first embodiment described above, the following effect is further achieved.

(3a) For example, when the electronic control system 2 communicates with the off-vehicle device 5a configured as a smartphone shown in FIG. 11 as the transmission source, the off-vehicle device 5a accesses an external site via the ECU 2f and ECU 2e. The content of the communication at this time is monitored by the off-vehicle device 4, and the log association process described above is performed. In the log association process, if the analysis unit 47 determines that the communication from the off-vehicle device 5a configured as a smartphone is likely to be malicious communication, it rewrites the communication analysis result table, for example as shown in FIG. 21.

In the communication analysis result table shown in FIG. 21, the ECU 1 described as the communication source in the table shown in FIG. 5A has been rewritten as smartphone A. In other words, by mediating the communication, the ECU 1, which was the apparent communication source, is rewritten as smartphone A, which is the actual communication source. As a result, it is recognized that the transmission source is the external vehicle device 5a as a smartphone.

Then, in the intrusion determination process shown in FIG. 19, the process proceeds with the assumption that the source of the communication may have been intruded (YES in S263) and that the source of the communication is an external device (YES in S265), in which case it is determined that the vehicle has not been intruded. This is because the source of the malicious communication is a smartphone, not the vehicle or a component of the vehicle.

That is, in this embodiment, the analysis unit 47 is configured to determine that there is a high possibility that the target element has not been infringed when the communication source of the communication is the external vehicle device 5a.
According to this configuration, even if the external vehicle device 5a is present, it is possible to appropriately determine whether or not the vehicle 100 has been intruded into.

[4. Fourth embodiment]
[4-1. Configuration]
In the fourth embodiment, the vehicle log includes an application log (see FIG. 25). The application log is a log related to an application (e.g., an application 3j of the ECU 2f) that runs on the ECU, and may include a log related to an application that has a function of specifying a communication destination of a communication source. Note that in this embodiment, the vehicle log does not necessarily need to include a log of a security sensor.
In the fourth embodiment, the vehicle log receiving unit 42 of the external vehicle device 4 receives a communication intermediation history and an application log from each vehicle 10, and registers them in the vehicle log DB 43. The configuration of the fourth embodiment may be the same as the configuration of the third embodiment (see FIG. 11).

[4-2. Processing]
The communication mediation history in this embodiment is shown, for example, in Fig. 23. Note that "-" in Fig. 23 is not included in the determination of whether or not there is a match. The communication mediation history is used to make it possible to accurately determine whether or not communication mediation was performed by comparing the time, communication source, communication destination, etc. with those recorded in the communication log.

In this embodiment, as shown in FIG. 24, the communication destination designation function and the communication mediation function for the ECU 2 are set to "Yes".
The mediated communication determination process (see S205 in FIG. 14) of the log association process of the fourth embodiment is performed as shown in the flowchart in FIG.

In the intermediation communication determination process, in S223, the analysis unit 47 refers to the communication intermediation history (FIG. 16), and then proceeds to S301. In S301, the analysis unit 47 determines whether or not a communication source with a communication destination designation function is included in the communication intermediation history. If there is no communication source with a communication destination designation function, the process proceeds to S225 and subsequent steps described above. If there is a communication source with a communication destination designation function, the process proceeds to S303. In the example of FIG. 16, the communication sources included in the communication intermediation history are ECU3 and ECU6.

Next, in S303, the analysis unit 47 refers to the application log. The application log is a log that indicates to whom an application of an ECU has communicated. For example, as shown in FIG. 25, the application log includes an ECU identifier that identifies the ECU, the type of application installed in that ECU, the start time and end time of the communication of that application, and the communication destination (e.g., URL), etc. In S303, the analysis unit 47 refers to the application log that indicates to whom an application installed in an ECU with an ECU identifier that corresponds to a communication source included in the communication intermediation history and that has a communication designation function has communicated.

Next, in S305, the analysis unit 47 judges whether or not there is a communication history to the corresponding communication destination in the application log in the time period corresponding to the communication time described in the communication detection log (hereinafter referred to as the first judgment of S305). The corresponding communication destination is the communication destination described in the communication detection log, that is, the communication destination included in the communication intermediation history. Note that there may be a communication intermediation history in which the communication destination is not recorded, such as the communication intermediation history of ECU 2 in FIG. 23 (see communication destination "-" in FIG. 23). In this case, in S305, the analysis unit 47 performs a second judgment in which the communication destination is not judged. In detail, in S305, the analysis unit 47 performs a second judgment to judge whether or not there is an application log in the time period corresponding to the communication time described in the communication detection log. If at least one of the first judgment and the second judgment of S305 is judged positive, the process proceeds to S307. If at least one of the first judgment and the second judgment of S305 is not judged positive, the process proceeds to the above-mentioned S225 and subsequent steps. Next, in S307, the analysis unit 47 determines that the communication whose content is described in the communication detection log is a communication from an in-vehicle device whose source is included in the communication intermediation history and has a communication designation function, and ends the intermediary communication determination process.

In the manual communication determination process in the log association process in this embodiment, a process as shown in FIG. 26 may be performed.
In the mediated communication determination process, in S321, the analysis unit 47 determines whether the communication source has a communication destination designation function. If the communication source does not have the communication destination designation function, the process proceeds to S283. Next, in S283, the analysis unit 47 determines that the communication is not an artificial communication, and ends the artificial communication determination process.

Also, in S321, if there is a communication destination designation function, the process proceeds to S285. Next, in S285, the analysis unit 47 determines that there is a possibility of artificial communication, and ends the artificial communication determination process.

[4-3. Effects]
According to the fourth embodiment described above in detail, in addition to the effect (1a) of the first embodiment described above, the following effect is further achieved.

(4a) In this embodiment, a communication intermediate unit 3p that intermediates communication whose source is the external vehicle device 5a, which is a smartphone, and an application 3j that performs communication whose source is the ECU 2f operate on the ECU 2f of the electronic control system 2 shown in Fig. 11. Even if the communication destination of the smartphone is not recorded in the communication intermediate unit 3p as in Fig. 23, an application log of the application 3j is recorded as in Fig. 25. With this configuration, the application log can be used to distinguish the source of communication.
This ensures that if the smartphone is the source of malicious communications, the vehicle is not compromised since the smartphone is not a vehicle or a component of the vehicle.
In addition, if the application 3j is the source of malicious communication and the communication destination designation function is "absent," it is determined that the vehicle is compromised. This indicates that malicious communication has occurred even though the communication destination cannot be designated artificially, and there is a high possibility that the communication has occurred as a result of intrusion by an attack.

[5. Fifth embodiment]
[5-1. Configuration]
The basic configuration of the fifth embodiment is a combination of the first and second embodiments. That is, as shown in Fig. 27 and Fig. 28, the fifth embodiment includes a function information DB 48, and a log association unit 471 performs a log association process using a communication detection log, a vehicle log (security log, communication intermediation history), and function information. Also, an intrusion determination unit 472 performs an intrusion determination process using the response information and function information. Also, in the fifth embodiment, a vehicle log receiving unit 42 of the external vehicle device 4 receives a communication intermediation history and a security log from each vehicle 10 and registers them in a vehicle log DB 43.
In this embodiment, the log association unit 471 may associate each log from the following viewpoints in addition to the above-mentioned (viewpoint a) to (viewpoint c).

(Point d) It is mediated communication. In this case, it is determined whether it is mediated communication or not based on the communication mediation history. If it is mediated communication, the communication source is changed to the communication source described in the corresponding communication mediation history.

In addition, in this embodiment, the infringement determination unit 472 performs the following processing on the log received from the log association unit 471, and performs an infringement determination on the communication source ECU and VM (Virtual Machine). In the infringement determination, in addition to the determinations already described, for example, the following determination is made.

- It is determined that there is a high possibility that an ECU or VM from which communication downloading malware is occurring has been compromised.
When it is determined that a "high possibility of infringement" exists, if the communication is from an ECU or VM for which a communication destination designation function is not provided, it is determined that the ECU or VM has been infringed.
If the communication source is a device outside the vehicle, the vehicle is determined to be uninvaded.

[5-2. Effects]
According to the fifth embodiment described above in detail, in addition to the effect (1a) of the first embodiment described above, the following effect is further achieved.
(5a) It is possible to determine with success that the vehicle 100 has been invaded both in the case where communication is mediated and in the case where communication is not mediated.

[6. Correspondence]
In this embodiment, the external vehicle device 4 corresponds to an example of an attack analysis device, the security log corresponds to an example of an abnormality log, and the analysis unit 47 (e.g., the intrusion determination unit 472) corresponds to an example of a determination unit.

7. Other embodiments
Although the embodiments of the present disclosure have been described above, it goes without saying that the present disclosure is not limited to the above-described embodiments and can take various forms.

(7a) In the above embodiment, a configuration has been exemplified in which the external vehicle device 4 is installed outside the vehicle 10 as an attack analysis device. However, the attack analysis device may be installed inside the vehicle 10. With such a configuration, the attack analysis device can receive security logs more quickly compared to when the attack analysis device is installed outside the vehicle 10.

(7b) In the above embodiment, the infringement determination unit 472 determines whether an infringement has occurred or whether there is a high possibility of an infringement. However, the infringement probability determined by the infringement determination unit 472 may include other patterns. For example, if the inspection unit 45 determines that there is no abnormality in the communication log, the infringement determination unit 472 may determine that there has been no infringement.

(7c) In the above embodiment, the communication destination analysis unit 452 of the inspection unit 45 performs communication destination analysis, and the communication content analysis unit 453 of the inspection unit 45 performs communication content analysis to identify malicious communication destinations and malicious communication content. However, the inspection unit 45 may be configured to identify at least one of malicious communication destinations and malicious communication content. In other words, the inspection unit 45 may be configured to perform only one of communication destination analysis and communication content analysis.

(7d) The functions of one component in the above embodiments may be distributed among multiple components, or the functions of multiple components may be integrated into one component. Also, a part of the configuration of the above embodiments may be omitted. Also, at least a part of the configuration of the above embodiments may be added to or substituted for the configuration of another of the above embodiments.
(7e) In the above embodiment, the vehicle log receiving unit 42 receives the communication intermediation history recorded in the vehicle 10 and identifies the communication source. However, if the communication protocol used by the vehicle 10 when communicating with the outside of the vehicle is a protocol that allows the communication intermediation history to be included in the communication data, the communication data monitoring unit 41 may receive the communication intermediation history included in the communication data. For example, if the communication data monitoring unit 41 is a proxy and the vehicle 10 is designed to communicate with the outside of the vehicle using the HTTP (Hypertext Transfer Protocol) protocol, the communication source may be described in an XFF (X-Forwarded-For) header defined in the HTTP protocol, and the communication data monitoring unit 41 may refer to the XFF header to identify the communication source.

(7f) The present disclosure can be realized in various forms, such as the attack analysis device described above, a system that includes the attack analysis device as a component, a program for causing a computer to function as the attack analysis device, a medium on which this program is recorded, and an attack analysis method.

[Technical idea disclosed in this specification]
[Item 1]
An attack analysis device (47) configured to analyze an attack against an electronic control system (2) built in a vehicle (10), the attack being against the electronic control system via a network, the attack analysis device (47) comprising:
a determination unit (472, S102) configured to determine whether or not correspondence information that associates a system log, which is a log of the electronic control system, with a communication log, which is a log of communication between the electronic control system and the outside of the vehicle, matches a preset type of attack, and configured to determine whether or not a target element representing at least one of a component of the electronic control system and the electronic control system has been violated;
An attack analysis device comprising:
[Item 2]
Item 1, an attack analysis device comprising:
The system log includes a history of communication between the electronic control system and an external device,
The attack analysis device is configured so that the determination unit determines whether the target element is infringed upon identifying a source of the communication in the communication log from the history.
[Item 3]
The attack analysis device according to item 1 or 2,
The determination unit is an attack analysis device configured to determine that there is a high probability that the target element has been violated when the electronic control device that is the source of the communication is an electronic control device whose communication destination cannot be specified by anyone other than the vendor.
[Item 4]
The attack analysis device according to any one of claims 1 to 3,
The attack analysis device configured to determine that the target element is highly likely not compromised when a source of the communication is an external device.
[Item 5]
An attack analysis device according to any one of claims 1 to 4,
the system log includes an abnormality log indicating an abnormality detected in the electronic control system;
an estimation unit (474, S103, S104) configured to estimate the type of the attack by determining a similarity between actual anomaly information, which is generated based on the anomaly log and indicates a combination of the anomalies that have actually been detected, and predicted anomaly information, which indicates a combination of anomalies that are predicted to occur in the electronic control system when the electronic control system is attacked, for each type of attack;
Further comprising:
The predicted anomaly information is capable of changing a combination of predicted anomalies by using the correspondence information that is determined by the determination unit to match the type of attack.
[Item 6]
An attack analysis device according to any one of claims 1 to 5,
The method further includes an inspection unit (45) configured to analyze the communication log and identify at least one of a malicious communication destination and a malicious communication content,
The communication log of the corresponding information includes at least one of a malicious communication destination and a malicious communication content.
[Item 7]
An attack analysis device according to any one of claims 1 to 6,
The determination unit is capable of identifying a location in the electronic control system where an abnormality has occurred depending on whether the corresponding information matches any of a plurality of types of attacks, and classifying the location where the abnormality has occurred as either a location that has been compromised by the attack or a location that is highly likely to have been compromised by the attack.
[Item 8]
An attack analysis device according to any one of claims 1 to 7, which cites claim 5,
The abnormality log and the communication log are associated so as to be synchronized based on a time at which an abnormality occurred, which is included in the abnormality log, and a time of communication, which is included in the communication log.
[Item 9]
An attack analysis device according to any one of claims 1 to 8, which cites claim 5,
the predicted anomaly information is information in which a position where an anomaly is predicted to occur in the electronic control system when the electronic control system is attacked is expressed by a coefficient for each type of attack;
The predicted anomaly information is capable of changing a combination of predicted anomalies by changing the coefficients.
[Item 10]
An attack analysis device according to any one of claims 1 to 9, which cites claim 5,
the electronic control system includes a plurality of electronic control devices, and has a hierarchical structure in which the plurality of electronic control devices correspond to any one of a plurality of hierarchical levels prepared in advance;
The estimation unit estimates that other electronic control devices located at the same hierarchical level as an electronic control device in which an abnormality is predicted to occur, as indicated by the correspondence information determined by the judgment unit to match the type of attack, have not been compromised.
[Item 11]
An attack analysis method for analyzing an attack via a network against an electronic control system (2) built in a vehicle (10), comprising:
The method is configured to determine whether or not correspondence information that associates a system log, which is a log of the electronic control system, with a communication log, which is a log of communication between the electronic control system and the outside of the vehicle, matches a preset type of attack, and determines whether or not a target element that represents at least one of a component of the electronic control system and the electronic control system has been violated (472, S102);
An attack analysis method including:
[Item 12]
A computer configured to analyze an attack via a network against an electronic control system (2) built in a vehicle (10),
A function (472, S102) configured to determine whether or not correspondence information that associates a system log, which is a log of the electronic control system, with a communication log, which is a log of communication between the electronic control system and the outside of the vehicle, matches a preset type of attack, and determines whether or not a target element that represents at least one of a component of the electronic control system and the electronic control system has been violated;
An attack analysis program to achieve this.

1...attack analysis system, 2...electronic control system, 2a-2f...ECU, 3a-3f...monitoring unit, 3g...analysis unit, 3h...transmission unit, 3i...communication unit, 3j...application, 4...external device, 5...external site, 10...vehicle, 41...communication data monitoring unit, 42...vehicle log receiving unit, 43...vehicle log DB, 44...detection condition DB, 45...inspection unit, 46...communication detection log DB, 47...analysis unit, 451...structure analysis unit, 452...communication destination analysis unit, 453...communication content analysis unit, 471...log association unit, 472...intrusion determination unit, 473...attack/anomaly relationship table storage unit, 474...estimation unit, 475...output unit, T1, T2...time frame.

Claims (12)

An attack analysis device (47) configured to analyze an attack against an electronic control system (2) built in a vehicle (10), the attack being against the electronic control system via a network, the attack analysis device (47) comprising:
a determination unit (472, S102) configured to determine whether or not correspondence information that associates a system log, which is a log of the electronic control system, with a communication log, which is a log of communication between the electronic control system and the outside of the vehicle, matches a preset type of attack, and configured to determine whether or not a target element representing at least one of a component of the electronic control system and the electronic control system has been violated;
An attack analysis device comprising: The attack analysis device according to claim 1 ,
The system log includes a history of communication between the electronic control system and an external device,
The attack analysis device is configured so that the determination unit determines whether the target element is infringed upon identifying a source of the communication in the communication log from the history. The attack analysis device according to claim 1 or 2,
The determination unit is an attack analysis device configured to determine that there is a high probability that the target element has been violated when the electronic control device that is the source of the communication is an electronic control device whose communication destination cannot be specified by anyone other than the vendor. The attack analysis device according to claim 1 or 2,
The attack analysis device configured to determine that the target element is highly likely not compromised when a source of the communication is an external device. The attack analysis device according to claim 1 ,
the system log includes an abnormality log indicating an abnormality detected in the electronic control system;
an estimation unit (474, S103, S104) configured to estimate the type of the attack by determining a similarity between actual anomaly information, which is generated based on the anomaly log and indicates a combination of the anomalies that have actually been detected, and predicted anomaly information, which indicates a combination of anomalies that are predicted to occur in the electronic control system when the electronic control system is attacked, for each type of attack;
Further comprising:
The predicted anomaly information is capable of changing a combination of predicted anomalies by using the correspondence information that is determined by the determination unit to match the type of attack. The attack analysis device according to claim 5,
The method further includes an inspection unit (45) configured to analyze the communication log and identify at least one of a malicious communication destination and a malicious communication content,
The communication log of the corresponding information includes at least one of a malicious communication destination and a malicious communication content. The attack analysis device according to claim 5 or 6,
The determination unit is capable of identifying a location in the electronic control system where an abnormality has occurred depending on whether the corresponding information matches any of a plurality of types of attacks, and classifying the location where the abnormality has occurred as either a location that has been compromised by the attack or a location that is highly likely to have been compromised by the attack. The attack analysis device according to claim 5 or 6,
The abnormality log and the communication log are associated so as to be synchronized based on a time at which an abnormality occurred, which is included in the abnormality log, and a time of communication, which is included in the communication log. The attack analysis device according to claim 5 or 6,
the predicted anomaly information is information in which a position where an anomaly is predicted to occur in the electronic control system when the electronic control system is attacked is expressed by a coefficient for each type of attack;
The predicted anomaly information is capable of changing a combination of predicted anomalies by changing the coefficients. The attack analysis device according to claim 5 or 6,
the electronic control system includes a plurality of electronic control devices, and has a hierarchical structure in which the plurality of electronic control devices correspond to any one of a plurality of hierarchical levels prepared in advance;
The estimation unit estimates that other electronic control devices located at the same hierarchical level as an electronic control device in which an abnormality is predicted to occur, as indicated by the correspondence information determined by the judgment unit to match the type of attack, have not been compromised. An attack analysis method for analyzing an attack via a network against an electronic control system (2) built in a vehicle (10), comprising:
The method is configured to determine whether or not correspondence information that associates a system log, which is a log of the electronic control system, with a communication log, which is a log of communication between the electronic control system and the outside of the vehicle, matches a preset type of attack, and determines whether or not a target element that represents at least one of a component of the electronic control system and the electronic control system has been violated (472, S102);
An attack analysis method comprising: A computer configured to analyze an attack via a network against an electronic control system (2) built in a vehicle (10),
A function (472, S102) configured to determine whether or not correspondence information that associates a system log, which is a log of the electronic control system, with a communication log, which is a log of communication between the electronic control system and the outside of the vehicle, matches a preset type of attack, and determines whether or not a target element that represents at least one of a component of the electronic control system and the electronic control system has been violated;
An attack analysis program to achieve this.

Images