JP6520515B2 - Network monitoring system, network monitoring program, and network monitoring method - Google Patents

Description

  The present invention relates to monitoring communication between communication devices.

  A network technology called CAN (Controller Area Network) may be used to transmit and receive data and control information between devices used for in-vehicle networks of vehicles, factory automation, and the like. A system in which CAN is used includes a plurality of ECUs (Electronic Control Units). The ECUs communicate by transmitting and receiving messages. The message used for CAN communication includes identification information (ID) of the message. In addition, each ECU stores in advance the ID of the message to be received. The message is broadcasted, and each ECU receives the message including the set ID, but discards the message including the ID not set for reception.

  With respect to CAN networks, techniques are known to determine whether the main message is legitimate. Each ECU counts the number of times a message has been transmitted for each CANID. The transmitting node and the receiving node prevent retransmission attacks by using a MAC (Message Authentication Code) (see, for example, Patent Document 1).

JP, 2013-98719, A

  In CAN, it is assumed that a communication node (ECU) is replaced by a malicious third party with another communication node (ECU). From the replaced communication node, a message with a spoofed ID is issued, and this message reaches all the communication nodes. A communication node whose spoofed ID is an ID to be received by its own device may receive this message, and as a result, may cause an unintended operation.

  As measures against the attack, it is conceivable to register an ID that may be transmitted by the communication node itself to each communication node and compare the ID contained in the received data with the registered ID. If the message received from the other communication node includes an ID that it may transmit, it is possible to recognize that one of the other communication nodes is replaced with an unauthorized communication node and is spoofing itself.

  In CAN in which a plurality of communication nodes may transmit messages having the same ID, even if the same communication node receives the same ID as a message which may be transmitted by itself, the communication node transmits the messages. It can not be determined whether the node is legitimate or invalid.

  An object of the present invention is, in one aspect, to provide a method for detecting an illegally replaced communication node.

  A plurality of communication nodes each transmit a message with an ID set in advance. The relay device is provided corresponding to the communication node, has a first counter that sends a message received from the corresponding communication node to the bus and counts the received message for each ID. The management device has a second counter connected to the bus, receives a message transmitted by the communication node via the bus, and counts the received message for each ID, A comparison unit is provided that acquires the value of the second counter and compares the values of the first and second counters for each ID.

  According to the present invention, it is possible to detect an illegally replaced communication node.

It is a figure explaining the example of CAN including a plurality of ECUs provided with a detector. It is a figure explaining the example of the system concerning this embodiment. It is a figure explaining the example of the system concerning this embodiment. It is a figure explaining the example of the system concerning this embodiment. It is a figure explaining the example of hardware constitutions. The figure explaining the concrete example of processing of the child machine and the master machine concerning this embodiment in the system in which different ECUs transmit the message containing the same ID. It is a flowchart explaining the example of processing of the main phone concerning this embodiment. It is a flow chart explaining an example of processing of a child machine concerning this embodiment. It is a figure explaining an example of a child machine and a parent machine processing when ECU connected with a child machine is replaced illegally.

Hereinafter, embodiments will be described in detail with reference to the drawings.
FIG. 1 is a diagram for explaining an example of a CAN including a plurality of ECUs equipped with a detector. The system 1001 includes the CAN 101 and the ECUs 111 (111a to 111f). Each of the ECUs 111 a to 111 f is connected by the CAN 101. The ECUs can send and receive messages via the CAN 101. Each of the ECUs 111a to 111f includes detectors 112a (corresponding to the ECU 111a) to 112f (corresponding to the ECU 111f) in the interface connected to the CAN 101. The detector holds the IDs of the messages sent by the ECU as a white list. Here, each of the ECUs can transmit a plurality of types of messages, and an ID corresponding to each type of message is set. Note that different ECUs in the system 1001 do not transmit messages having the same ID. The detector detects an abnormality when it receives a message including any one of the IDs of a plurality of types of messages that its own ECU may transmit. In addition, the detector can detect that there is an abnormality in the system 1001 when receiving a message including any one of the IDs of a plurality of types of messages that the ECU may transmit.

  The system 1002 is an example of a system in which the ECU 111 b of the system 1001 has been illegally replaced by the ECU 111 g. The CAN 101, the ECU 111a, and the ECUs 111c to 111f in the system 1002 are the same as the system 1001. The ECU 111 g transmits a message including any one of the IDs of a plurality of types of messages that the ECU 111 a may transmit. When the ECU 111 g transmits a message, the message reaches the ECU 111 a and the ECUs 111 c to 111 f. Then, the detector 112a of the ECU 111a can detect an abnormality because it receives a message including any one of the IDs of a plurality of types of messages that may be transmitted by the ECU 111a.

  In the system 1002 of FIG. 1, the ECU 111 a receives a message including any of the IDs of a plurality of types of messages that it may transmit, thereby replacing any ECU 111 in the system 1002 by someone. Can be detected. On the other hand, although it is detectable in the system 1002 of FIG. 1 that any one of the ECUs 111 has been replaced by someone, it can not be specified until which of the ECUs 111 (hereinafter also referred to as “communication node”) has been replaced. Also, the system 1001 of FIG. 1 operates under the premise that different ECUs do not transmit messages having the same ID. The system 1001 does not function when different ECUs transmit messages with the same ID.

  In the in-vehicle network (CAN), there are unauthorized replacement of ECUs and threats to be tampered with. It is also conceivable to solve these threats by performing authentication between ECUs. However, in order for the ECUs to perform authentication, the ECUs are modified so as to have an authentication function, and can not be applied to CAN as it is. There is a need for an in-vehicle network that can counter these threats without modifying the ECU.

  Therefore, in the present invention, a master unit and a plurality of slave units are connected by CAN, and one ECU is connected to each slave unit. The slave unit passes only data from the correspondingly connected (pre-registered) ECU to the CAN side. In the slave unit, a whitelist of IDs corresponding to messages transmitted by the corresponding connected ECUs is registered. Furthermore, the slave includes a counter and a counter control unit. The counter stores the count number for each ID held in the white list. When receiving the message from the corresponding ECU, the counter control unit of the slave increments the counter corresponding to the ID included in the message. In the parent device, a whitelist of IDs that may be included in messages transmitted by all ECUs connected to CAN is registered. Further, the master holds a counter for every ID registered in the white list. The counter control unit in the master unit increments a counter corresponding to the ID included in the received message. The slave unit notifies the master unit of the ID information when the value of any ID of the counter reaches a predetermined value. If the notified ID and the value of the counter of the same ID possessed by the parent device have not reached a predetermined value, it can be judged as “abnormal” and notified to the user. By doing this, when an attack message is transmitted from an ECU not connected to a child device, an attack message using an ID that any of the ECUs connected to the child device may transmit Even in this case, an abnormality can be detected. Also, the master unit can use the ID to specify an ECU that transmits a message including an abnormal ID.

  2A to 2C are diagrams for explaining an example of a system according to the present embodiment. The system 2000 includes a CAN 210, an ECU 201 (201 a to 201 f), a child device 202 (202 a to 202 f), and a parent device 220. Each slave unit is connected by CAN 210. The CAN 210 is, for example, a CAN bus. Also, the parent device 220 is communicably connected to the child device via the CAN 210. The ECUs 201a to 201f are associated with the child devices 202a (corresponding to the ECU 201a) to 202f (corresponding to the ECU 201f), and are communicably connected via the CAN 210. The slave unit 202 is communicably connected to the ECU 201 on a one-on-one basis via the CAN 210.

  In FIG. 2B, functional units of a parent device 220 and a child device 202b included in the system 2000 of FIG. 2A are shown. The slave unit 202 b includes a CAN transceiver 231, a CAN transceiver 232, a counter control unit 233, and a storage unit 234. Each of the slaves 202a to 202f is the same as the slave 202b. The CAN transceiver 231 is a communication interface used when the slave device 202 b communicates with another slave device, the master device 220, via the CAN 210. The CAN transceiver 232 is a communication interface used when the slave device 202b communicates with the ECU 201b set in association with itself. The storage unit 234 stores, as a white list 235, IDs of a plurality of types of messages that the ECU 201b may transmit. In the whitelist 235, an ID corresponding to a message transmitted by the ECU installed in advance in a one-to-one relationship with the slave device 202 is registered. The storage unit 234 further includes a counter 236. The counter 236 stores the number of receptions indicating the number of times the handset 202 b receives a message including the ID registered in the white list 235. The counter control unit 233 actually counts the number of times the handset 202 b receives a message including the ID registered in the white list 235, and reflects the count on the counter 236. Note that the message from the ECU 201 b is broadcasted to the CAN 210 via the slave device 202 b.

  The parent device 220 includes a CAN transceiver 221, a counter control unit 222, and a storage unit 223. The CAN transceiver 221 is a communication interface used when communicating with the slaves 202 a to 202 f via the CAN 210. The storage unit 223 stores, as a white list 224, all the IDs included in messages that may be transmitted by all the ECUs in the system 2000. The storage unit 223 stores the ID included in the message in the white list 224 in association with identification information (child device ID) for identifying a child device (ECU) that sends the ID. The storage unit 223 further includes a counter 225. The counter 225 stores the number of receptions indicating the number of times the parent device 220 has received a message including the ID registered in the whitelist 224. The counter control unit 222 actually counts the number of times the parent device 220 has received a message including the ID registered in the white list 224, and reflects the number on the counter 225.

  Hereinafter, an example of processing of the parent device 220 and the child device 202b according to the present embodiment will be described in order.

    (A1) A message is transmitted from the ECU 201b to the child device 202b.

    (A2) The CAN transceiver 232 of the child device 202b receives a message from the ECU 201b.

    (A3) The counter control unit 232 of the slave unit 202b determines whether the ID included in the received message is included in the white list 235 stored in the storage unit 234. Here, it is assumed that the ECU 201 b has not been illegally replaced with the ECU 201 ′. If it is determined that the ID included in the message received from the ECU 201 b is held in the white list 235, the counter control unit 233 increments the number of receptions corresponding to the ID included in the received message in the counter 236 by one. In this case, the ECU 201b connected to the child device 202b is considered to be transmitting the correct ID.

    (A4) In parallel with the processing of (A3), the CAN transceiver 231 broadcasts a message from the ECU 201b received by the CAN transceiver 232 to the CAN 210 side.

    (A5) The CAN transceiver 221 of the parent device 220 receives a message from the ECU 201b via the child device 202b.

    (A6) The counter control unit 222 of the parent device 220 determines whether the ID included in the received message is included in the white list 224 stored in the storage unit 223. It is assumed that the ECU 201 b has not been illegally replaced by the ECU 201 ′. If it is determined that the ID included in the message transmitted from the ECU 201b is held in the white list 224, the counter control unit 222 increments the reception count corresponding to the ID included in the received message in the counter 225 by one. .

    (A7) Every time a message is transmitted from the ECU 201b, the processes of (A2) to (A6) are repeatedly executed. The slave 202 b and the master 220 count the number of times of reception corresponding to the ID included in the message received by each. The value of the number of receptions for each ID in the counter 236 of the slave unit 202b is the same value as the value of the number of receptions corresponding to the message ID of the slave unit 202b in the counter 225 of the master unit 220.

    (A8) The counter control unit 234 of the slave unit 202b determines whether or not any of the reception counts in the counter 225 has reached a predetermined value (for example, ten times). If there is an ID of a message for which the number of receptions exceeds a predetermined value, the CAN transceiver 231 sends a notification message including the ID of the message exceeding the predetermined value to the parent device 220 under the control of the counter control unit 234. Notice. This notification message may be encrypted. At the same time, the counter control unit 234 resets the number of receptions corresponding to the ID of the message whose number of receptions exceeds the predetermined value.

    (A9) The CAN transceiver 221 of the parent device 220 receives the notification message from the child device 202b. The counter control unit 222 of the parent device 220 checks the number of receptions corresponding to the message ID (ID of the message for which the number of receptions of messages has reached a predetermined number on the side of the child device 202) included in the notification message. When the number of receptions corresponding to the message ID included in the notification message in the counter 225 is a predetermined value, the counter control unit 222 resets the number of receptions corresponding to the message ID.

  As described above, in a system in which there is no problem in the ECU 201, the number of times of message reception on the side of the master unit 220 and the number of times of reception of messages on the side of the slave unit 202 are the same. The timing when the number of receptions on the side of the slave unit 202 and the master unit 220 reaches a predetermined value is also the same timing.

  Here, it is assumed that the ECU 201a and the child device 202a are replaced with an invalid ECU 201 '. FIG. 3C is an example of a system in which the ECU 201a and the child device 202a are replaced with an incorrect ECU 201 '. The ECU 201 ′ can transmit a message including an ID of a message that the ECU 201a does not transmit, and an ID of a message that the ECU 201b transmits. In other words, the ECU 201 'is a communication node capable of spoofing the ECU 201b and transmitting a message.

    (B1) The unauthorized ECU 201 'transmits a message by spoofing the ECU 201b by broadcast.

    (B2) The CAN transceiver 221 of the parent device 220 receives a message from the ECU 201 '.

    (B3) The counter control unit 222 of the parent device 220 determines whether the ID included in the received message is included in the white list 224 stored in the storage unit 223. Since the ECU 201 ′ spoofs the ECU 201 b and transmits a message, the counter control unit 222 determines that the ID included in the message received from the ECU 201 ′ is held in the white list 224. The counter control unit 222 increments the number of receptions corresponding to the ID included in the received message in the counter 225 by one.

    (B4) The message transmission by the ECU 201 'and the message transmission by the ECUs 201b to 201f continue to be executed in the system 2000. Then, the number of receptions in the counter 225 in the parent device 220 is incremented by the message transmission by the ECU 201 '. Further, the number of receptions of the counters in the slave unit 202 and the master unit 220 is incremented by the message transmission by the ECU 201 b.

    (B5) The counter control unit 234 of the slave device 202b determines whether or not any of the reception numbers in the counter 225 has reached a predetermined value (for example, 10 times). If there is an ID of a message for which the number of receptions exceeds a predetermined value, the CAN transceiver 231 sends a notification message including the ID of the message exceeding the predetermined value to the parent device 220 under the control of the counter control unit 234. Notice. At the same time, the counter control unit 234 resets the number of receptions corresponding to the ID of the message whose number of receptions exceeds the predetermined value.

    (B6) The CAN transceiver 221 of the parent device 220 receives the notification message from the child device 202b. The counter control unit 222 of the parent device 220 checks the number of receptions corresponding to the message ID (ID of the message for which the number of receptions of messages has reached a predetermined number on the side of the child device 202) included in the notification message. The reception frequency of the parent device 220 is a value obtained by adding the value of the reception frequency of the message from the ECU 201 ′ and the reception frequency of the message from the ECU 201b. The number of receptions corresponding to the message ID included in the notification message in the counter 225 is not a predetermined value (for example, 10). The counter control unit 222 determines that there is an unauthorized ECU 201 and notifies the user.

  The slave unit 202 and the master unit 220 respectively have counters, and by counting the number of times of reception of the message, the master unit 220 can detect that the unauthorized ECU 201 'is installed. The counter control unit 222 of the parent device 220 may display, for example, the presence of the ECU 201 ′ that has been illegally replaced on a screen or the like, and notify the user of an abnormality. Further, the counter control unit 222 of the parent device 220 may notify a system outside the system 2000 that there is an incorrectly substituted ECU 201 ′. In the system 2000, although the child device 202 and the parent device 220 are described, the child device 202 may be referred to as a "relaying device", and the parent device 220 may be referred to as a "management device" that manages relay devices and ECUs. .

  FIG. 3 is a diagram for explaining an example of the hardware configuration. Both the parent device 220 and the child device 202 are realized by the hardware shown in FIG. The slave unit 202 includes a CAN transceiver 301, a CAN controller 302, and a processing circuit 303. The processing circuit 303 includes a processor 304 and a memory 305.

  The CAN transceiver 301 performs processing for the slave device 202 to communicate with other devices via the CAN network. The CAN controller 302 extracts data, an ID and the like in the received message. The CAN controller 302 outputs data to the processor 304. Processor 304 is an optional processing circuit. The processor reads a program stored in the memory 305 and performs processing.

  In parent device 220, CAN transceiver 221 is realized by CAN transceiver 301 and CAN controller 302. The processor 304 operates as a counter control unit 222. The memory 305 operates as the storage unit 223.

  The CAN transceiver 231 and the CAN transceiver 232 of the slave unit 202 are realized by the CAN transceiver 301 and the CAN controller 302. The processor 304 operates as a counter control unit 233. The memory 305 operates as the storage unit 234. In the above description, the base unit is notified when the counter of the slave unit reaches a certain value, but when the counter of the master unit reaches a certain value, the counter value is requested to the slave unit, or It may be in the form of confirming that it is a constant value. Alternatively, it may be determined that an abnormality is detected when there is no notification from the slave when the counter reaches a predetermined value in the master. Also, the child device does not have a white list, but may be simply counted for each ID, transmitted to the parent device at regular time intervals, and checked for consistency at the parent device.

<A specific example using a system in which different ECUs do not send messages containing the same ID>
A specific example of processing of the child device 202 and the parent device 220 according to the present embodiment in a system in which different ECUs do not transmit a message including the same ID will be described using FIGS. 2B and 2C. The ECU 201 b transmits a message including any one of three IDs of 0x123, 0x456, and 0x789. The ECU 201a transmits a message including one of two IDs of 0x222 and 0x333. The white list 224 of the master unit 220 and the white list 235 of the slave unit 202 store 0x123, 0x456, and 0x789, respectively, as IDs that may be transmitted from the ECU. The counter 225 of the master unit 220 and the counter 236 of the slave unit 202b store the number of receptions corresponding to 0x123, 0x456, and 0x789, respectively. Hereinafter, processing of the child device 202 and the parent device 220 according to the present embodiment in a system in which different ECUs do not transmit messages including the same ID will be sequentially described using a specific example.

    (C1) A message including an ID of 0x123 is transmitted from the ECU 201b to the child device 202b.

    (C2) The CAN transceiver 232 of the child device 202b receives the message from the ECU 201b.

    (C3) The counter control unit 232 of the slave unit 202b determines whether the ID included in the received message is included in the white list 235 stored in the storage unit 234. The whitelist 235 holds 0x123 which is an ID included in the received message. The counter control unit 233 increments the reception count corresponding to the ID (0x123) included in the received message in the counter 236 by one.

    (C4) In parallel with the processing of (C3), the CAN transceiver 231 broadcasts a message from the ECU 201b received by the CAN transceiver 232 to the CAN 210 side.

    (C5) The CAN transceiver 221 of the parent device 220 receives a message from the ECU 201b via the child device 202b.

    (C6) The counter control unit 222 of the parent device 220 determines whether the ID (0x123) included in the received message is included in the white list 224 stored in the storage unit 223. The counter control unit 222 determines that the white list 224 holds the ID (0x123) included in the message transmitted from the ECU 201 b. The counter control unit 222 increments the number of receptions corresponding to the ID (0x123) included in the received message in the counter 225 by one.

    (C7) When the processes of (C1) to (C6) are repeated five times, the number of receptions of the message including the ID of 0x123 of the counter 236 of the parent device 220 and the counter 225 of the child device 202b is five.

  Here, it is assumed that the ECU 201a and the child device 202a are replaced with an invalid ECU 201 '. The ECU 201 ′ transmits a message of an ID (0x123) different from the message (0x222, 0x333) transmitted by the ECU 201a. The ECU 201 ′ is a communication node capable of spoofing the ECU 201b and transmitting a message.

    (C8) The unauthorized ECU 201 'spoofs the ECU 201b by broadcast and transmits a message including the ID 0x123.

    (C9) The CAN transceiver 221 of the parent device 220 receives the message from the ECU 201 ′.

    (C10) The counter control unit 222 of the parent device 220 determines whether the ID (0x123) included in the received message is included in the white list 224 stored in the storage unit 223. Since the ECU 201 'spoofs the ECU 201b and transmits a message, the counter control unit 222 determines that the ID (0x123) included in the message received from the ECU 201' is held in the white list 224. The counter control unit 222 increments the number of receptions corresponding to the ID (0x123) included in the received message in the counter 225 by one. As a result, the number of receptions for ID 0x123 in the counter 236 of the parent device 220 is set to six.

    (C11) After that, a message including an ID of 0x123 is transmitted five times from the ECU 201b to the child device 202b, and the processes of (C2) to (C6) are repeatedly executed. Then, the number of receptions for ID 0x123 in the counter 236 of the slave unit 202 is ten. The number of receptions for ID 0x123 in the counter 225 of the parent device 220 is 11 times.

    (C12) The counter control unit 234 of the slave unit 202b determines that the number of times of reception of the ID 0x123 in the counter 235 has reached a predetermined value (for example, 10 times). Under the control of the counter control unit 234, the CAN transceiver 231 notifies the parent device 220 of a notification message (for example, including the notification ID 0x777) including the ID (0x123) of the message exceeding the predetermined value. The notification message includes a handset ID (for example, 0x1). At the same time, the counter control unit 234 resets the number of receptions corresponding to the ID (0x123) of the message whose number of receptions exceeds the predetermined value.

    (C13) The CAN transceiver 221 of the parent device 220 receives the notification message from the child device 202b. The counter control unit 222 of the parent device 220 acquires, from the notification message, information indicating that the number of times of reception of the ID 0x123 has become a predetermined value in the child device 202b.

    (C14) The counter control unit 222 of the parent device 220 confirms the number of receptions corresponding to the message ID (0x123) included in the notification message. In the counter 225, since the number of receptions corresponding to ID 0x123 is 11, the counter control unit 222 determines that there is an unauthorized ECU 201 and notifies the user that there is an unauthorized ECU.

  The slave unit 202 and the master unit 220 respectively have counters, and by counting the number of times of reception of the message, the master unit 220 can detect that the unauthorized ECU 201 'is installed. The counter control unit 222 of the parent device 220 may notify the user of the abnormality by a method such as notifying that there is the ECU 201 ′ illegally replaced on the screen or the like. Further, the counter control unit 222 of the parent device 220 may notify a system outside the system 2000 that there is an incorrectly substituted ECU 201 ′. In a system in which different ECUs do not transmit a message including the same ID, parent device 220 can detect the presence of an unauthorized ECU.

<A specific example using a system in which different ECUs transmit messages including the same ID>
FIG. 4 is a diagram for explaining a specific example of processing of the child device 202 and the parent device 220 according to the present embodiment in a system in which different ECUs transmit messages including the same ID. In the system 2000 of FIG. 4, the child device 202 f is not connected, and the ECU 201 f not provided with the child device 202 is connected to the CAN. As described above, when the user does not want to detect abnormality of the ECU 201 f, the child device 202 may not be provided. The ECU 201a transmits a message including any one of three IDs of 0x123, 0x456, and 0x789. The ECU 201 b transmits a message including one of two IDs of 0x112 and 0x456. The ECU 201 f transmits a message including one of two IDs of 0x222 and 0x333.

  The whitelist 224 of the parent device 220 and the whitelist 235 of the child device 202a store 0x123, 0x456, and 0x789, respectively, as message IDs transmitted by the ECU 201a. The whitelist 224 of the parent device 220 and the whitelist 235 of the child device 202b store 0x112 and 0x456, respectively, as message IDs transmitted by the ECU 201b. Here, the message including the ID of 0x456 is transmitted from the ECU 201a and the ECU 201b. The counter 236 of the slave unit 202a stores the number of receptions corresponding to each ID of 0x123, 0x456, and 0x789. The counter 236 of the slave unit 202b stores the number of receptions corresponding to each ID of 0x112 and 0x456. The counter 225 of the parent device 220 stores the number of receptions corresponding to each ID of 0x123, 0x456, 0x789, 0x112. Note that each time the counter control unit 222 receives a message including an ID of 0x456 from the ECU 201a and the ECU 201b, the counter control unit 222 increments the reception number corresponding to the ID of the counter 225. The number of receptions corresponding to 0x456 in the counter 225 is a total value of the number of transmissions of messages of the ECU 201a and the ECU 201b. Hereinafter, processing of the child device 202 and the parent device 220 according to the present embodiment in a system in which different ECUs transmit messages including the same ID will be sequentially described using a specific example.

    (D1) A message including an ID of 0x456 is transmitted from the ECU 201a to the child device 202a.

    (D2) The CAN transceiver 232 of the slave unit 202a receives a message from the ECU 201a.

    (D3) The counter control unit 232 of the slave unit 202a determines whether the ID 0x456 included in the received message is included in the white list 235 stored in the storage unit 234. The whitelist 235 holds 0x456, which is an ID included in the received message. The counter control unit 233 increments the reception number corresponding to the ID (0x456) included in the received message in the counter 236 by one.

    (D4) In parallel with the processing of (D3), the CAN transceiver 231 broadcasts a message from the ECU 201a received by the CAN transceiver 232 to the CAN 210 side.

    (D5) The CAN transceiver 221 of the parent device 220 receives a message from the ECU 201a via the child device 202a.

    (D6) The counter control unit 222 of the parent device 220 determines whether or not the ID (0x456) included in the received message is included in the white list 224 stored in the storage unit 223. The counter control unit 222 determines that the whitelist 224 holds the ID (0x456) included in the message transmitted from the ECU 201a. The counter control unit 222 increments the number of receptions corresponding to the ID (0x456) included in the received message in the counter 225 by one.

    (D7) When the processing of (D1) to (D7) is repeated three times, the number of receptions of the message including the ID of 0x456 of the counter 236 of the parent device 220 and the counter 225 of the child device 202a becomes 3 times.

    (D8) A message including an ID of 0x456 is transmitted from the ECU 201b to the child device 202b.

    (D9) The CAN transceiver 232 of the child device 202b receives the message from the ECU 201b.

    (D10) The counter control unit 232 of the slave unit 202b determines whether or not the ID 0x456 included in the received message is included in the white list 235 stored in the storage unit 234. The whitelist 235 holds 0x456, which is an ID included in the received message. The counter control unit 233 increments the reception number corresponding to the ID (0x456) included in the received message in the counter 236 by one.

    (D11) In parallel with the process of (D10), the CAN transceiver 231 broadcasts a message from the ECU 201b received by the CAN transceiver 232 to the CAN 210 side.

    (D12) The CAN transceiver 221 of the parent device 220 receives a message from the ECU 201b via the child device 202b.

    (D13) The counter control unit 222 of the parent device 220 determines whether or not the ID (0x456) included in the received message is included in the whitelist 224 stored in the storage unit 223. The counter control unit 222 determines that the white list 224 holds the ID (0x456) included in the message transmitted from the ECU 201 b. The counter control unit 222 increments the number of receptions corresponding to the ID (0x456) included in the received message in the counter 225 by one.

    (D14) When the processes of (D8) to (D13) are repeated four times, the number of receptions of the message including the ID of 0x456 of the counter 225 of the slave device 202b is four times. The number of times of reception of the message including the ID of 0x456 of the counter 236 of the parent device 220 is seven.

  Here, it is assumed that the ECU 201 f is replaced with an incorrect ECU 201 ′. The ECU 201 ′ transmits a message with an ID of ID 0x456 that is not transmitted by the ECU 201 f. The ECU 201 ′ is a communication node capable of spoofing the ECU 201a or the ECU 201b and transmitting a message.

    (D15) The unauthorized ECU 201 'transmits a message including ID 0x456 by broadcast.

    (D16) The CAN transceiver 221 of the parent device 220 receives the message from the ECU 201 ′.

    (D17) The counter control unit 222 of the parent device 220 determines whether or not the ID (0x455) included in the received message is included in the whitelist 224 stored in the storage unit 223.

    (D18) The counter control unit 222 determines that the ID (0x456) included in the message received from the ECU 201 'is held in the white list 224. The counter control unit 222 increments the number of receptions corresponding to the ID (0x456) included in the received message in the counter 225 by one. As a result, the number of receptions for ID 0x456 in the counter 236 of the parent device 220 is set to eight.

    (D19) Thereafter, the ECU 201a and the ECU 201b also communicate with each other, and each transmit a message of ID 0x456 six times. Then, the number of receptions corresponding to ID 0x456 in the counter 225 of the parent device 220 is 20 times. The number of receptions corresponding to ID 0x456 in the counter 236 of the slave device 201a is nine. The number of receptions corresponding to ID 0x456 in the counter 236 of the slave device 201b is 10 times.

    (D20) The counter control unit 222 of the parent device 220 determines that the number of times of reception of the ID 0x456 in the counter 225 has reached a predetermined value (for example, 20 times in this case). Then, the counter control unit 222 transmits the message to be transmitted by the notification ID (for example, 0x777) to all the slaves 202 including the ID to be collected (0x456).

    (D21) When receiving the message of the notification ID (0x777), each counter control unit 234 of the slave unit 202 determines whether the counter 236 holds the number of receptions for the collection target ID (0x456). Under control of the counter control unit 234 of the slave unit 202 holding the number of receptions for the collection target ID (0x456) in the counter 236, the CAN transceiver 231 determines the number of receptions of the ID (0x456) and an ID for identifying the slave unit itself. Is included in the message together with the notification ID (0x777) to notify the parent device 220. Then, information indicating the reception number of 9 times corresponding to 0x456 is notified from the child device 202a, and information indicating 10 times of reception number corresponding to 0x456 is notified from the child device 202b to the parent device 220.

    (D22) When the counter control unit 222 of the parent device 220 receives a message including the notification ID 0x777, the counter control unit 222 acquires the number of receptions and the child device ID from the message.

    (D23) The counter control unit 222 of the parent device 220 adds up the number of times of reception of 0x456. In this case, the number of 0x456 receptions of the slave 202a and the number of receptions of 0x456 of the slave 202b are summed up to nineteen times. Next, the counter control unit 222 of the parent device 220 determines whether the value obtained by adding the number of receptions of 0x456 is consistent with the number of receptions of 0x456 in the counter 225 or not. In this case, since the sum value is 19 and the number of receptions in the counter 225 is 20, consistency can not be achieved. The counter control unit 222 determines that there is an unauthorized ECU 201, and notifies the user that there is an unauthorized ECU.

  The slave unit 202 and the master unit 220 respectively have counters, and by counting the number of times of reception of the message, the master unit 220 can detect that the unauthorized ECU 201 'is installed. In addition, even when the same ID is transmitted by a plurality of ECUs, the parent device 220 designates the ID and collects the corresponding number of receptions from the child device 202 counting the number of receptions of all the IDs. By doing this, you can check the integrity. By confirming this consistency, parent device 220 can detect that there is an unauthorized ECU 201 'in system 2000. Note that the master unit 220 may periodically collect the number of receptions from the slave unit 202 to check the consistency. The counter control unit 222 of the parent device 220 may notify the user of the abnormality by a method such as notifying that there is the ECU 201 ′ illegally replaced on the screen or the like. Further, the counter control unit 222 of the parent device 220 may notify a system outside the system 2000 that there is an incorrectly substituted ECU 201 ′.

  FIG. 5 is a flow chart for explaining an example of processing of the parent device according to the present embodiment. The CAN transceiver 221 of the parent device 220 receives a message from the ECU 201 via the child device 202 (step S101). The counter control unit 222 determines whether or not the received message includes information indicating that the child device 202 has detected an unauthorized ECU (step S102). If the received message does not include information indicating that the child device 202 detected an invalid ECU (NO in step S102), the counter control unit 222 causes the white list 224 to include the ID included in the received message. It is determined whether or not there is (step S103). When the ID included in the received message is held in white list 224 (YES in step S103), counter control unit 222 increments the reception count corresponding to the ID included in the received message in counter 225 by one. (Step S104). The counter control unit 222 determines whether the number of receptions corresponding to the received ID in the counter 225 has reached a predetermined value (step S105). If the number of receptions corresponding to the received ID in the counter 225 has reached a predetermined value (YES in step S105), the CAN transceiver 221 receives the number of receptions of the ID from each slave device 202 under the control of the counter control unit 222. Are collected (step S106). The counter control unit 222 checks the consistency between the number of receptions of the collected ID on the side of the child device 202 and the number of receptions of the ID on the side of the parent device 220, and determines whether or not there is a problem (step S107) . If there is no problem with the consistency (NO in step S107), the master device 220 repeats the process from step S101. If there is a problem with the consistency, the parent device 220 notifies the user of an abnormality (step S108). If the received message includes information indicating that the child device 202 has detected an incorrect ECU (YES in step S102), the parent device 220 notifies the user of an abnormality (step S108). Similarly, when the ID included in the received message is not included in the whitelist (NO in step S103), the parent device 220 notifies the user of an abnormality (step S108).

  FIG. 6 is a flow chart for explaining an example of processing of a child device according to the present embodiment. The CAN transceiver 232 of the slave unit 202 receives the message from the ECU 201 (step S201). The counter control unit 232 of the slave unit 202 determines whether the ID included in the received message is included in the whitelist 235 stored in the storage unit 234 (step S202). If the ID included in the received message is held in white list 235 (YES in step S 202), counter control unit 233 increments the reception count corresponding to the ID included in the received message in counter 236 by 1 (Step S203). The counter control unit 234 of the slave unit 202 determines whether or not the number of receptions corresponding to the received ID in the counter 236 has reached a predetermined value (for example, ten times) (step S204). If the number of receptions corresponding to the ID of the received message exceeds the predetermined value (YES in step S204), the CAN transceiver 231 transmits the notification message including the ID of the number of receptions exceeding the predetermined value to the parent device It notifies 220 (step S205). The counter control unit 234 resets the number of receptions corresponding to the ID of the message whose number of receptions exceeds the predetermined value (step S206). If the number of times of reception corresponding to the ID of the received message does not exceed the predetermined value (NO in step S204), the child device 202 repeats the process from step S201. If the ID of the received message is not included in the whitelist (NO in step S202), the CAN transceiver 231 notifies the parent device 220 that the ECU connected to the child device 202 is abnormal (step S207). ). The slave unit 202 ends the process when steps S206 and S207 end. Step S204 may be replaced by a step of determining the presence or absence of a counter value request from the parent device 220. In this case, if there is a request for the counter value, the base unit 220 is notified of the counter value of the requested ID, and the counter value is reset. If there is no request for the counter value, the process is repeated from step S201.

  The slave unit 202 and the master unit 220 respectively have counters, and by counting the number of times of reception of the message, the master unit 220 can detect that the unauthorized ECU 201 'is installed. In addition, even when the same ID is transmitted by a plurality of ECUs, the parent device 220 designates the ID and collects the corresponding number of receptions from the child device 202 counting the number of receptions of all the IDs. By doing this, you can check the integrity. By confirming this consistency, parent device 220 can detect that there is an unauthorized ECU 201 'in system 2000. Note that the master unit 220 may periodically collect the number of receptions from the slave unit 202 to check the consistency. The counter control unit 222 of the parent device 220 may notify the user of the abnormality by a method such as notifying that there is the ECU 201 ′ illegally replaced on the screen or the like. Further, the counter control unit 222 of the parent device 220 may notify a system outside the system 2000 that there is an incorrectly substituted ECU 201 ′. In the present embodiment, the child device may be used as a pair with an ECU that wants to detect an abnormality when it is replaced illegally.

<Others>
FIG. 7 is a diagram for explaining an example of a slave unit process and a master unit process when an ECU connected to a slave unit is illegally replaced. The system 2000 of FIG. 7 is an example of the case where the ECU 201 d is replaced with an incorrect ECU 201 ′. An example of processing of the child device 202 d and the parent device 220 when the ECU 201 d is replaced with an invalid ECU 201 ′ will be described in order below.

    (E1) A message is transmitted from the ECU 201 'to the child device 202d.

    (E2) The CAN transceiver 232 of the child device 202d receives the message from the ECU 202 '.

    (E3) The counter control unit 232 of the slave unit 202d determines whether the ID included in the received message is included in the white list 235 stored in the storage unit 234. Here, it is assumed that the whitelist 235 does not hold the ID included in the message transmitted by the unauthorized ECU 201 ′.

    (E4) The counter control unit 232 of the child device 202d determines that the ID included in the received message is not included in the white list 235.

    (E5) Under the control of the counter control unit 232 of the child device 202d, the CAN transceiver 231 notifies the parent device 220 of an abnormality (the detection of an incorrect ECU).

    (E6) The CAN transceiver 221 of the parent device 220 receives a notification of abnormality from the child device 202d. At this time, the notification includes a handset ID for identifying the handset 202 d.

    (E7) When the child device 202 has notified of information indicating that an illegal ECU has been detected, the parent device 220 notifies the user of an abnormality.

  As described above, the abnormal notification is received from the child device 202 that has detected an incorrect ECU, and the ID of the child device 202 that the parent device 220 has sent the notification to specifies the child device 202 that has detected the abnormality. Can. Therefore, the parent device 220 can identify the illegitimate ECU 201 ′ connected to the child device 202 and notify the user of it.

1001, 1002, 2000 System 101, 210 CAN
111, 111a to 111f, 111b 'ECU
112, 112a-112f Detector 201, 201a-201f ECU
202, 202a to 202f slave unit 220 master unit 221, 231, 232 CAN transceiver 222, 233 counter control unit 223, 234 storage unit 224, 235 white list 225, 236 counter

Claims (11)

A plurality of communication nodes each transmitting a message with an ID set in advance;
A relay apparatus provided corresponding to the communication node, having a first counter that sends out a message received from the corresponding communication node to the bus and counts the received message for each ID.
And a second counter connected to the bus for receiving a message originated by the communication node via the bus and counting the received message for each ID, wherein the first and second counters A management apparatus including a comparison unit that acquires a value of a counter and compares the values of the first and second counters for each ID;
A network monitoring system comprising: The management device is
When the second counter corresponding to the received ID reaches a predetermined value, the value of the first counter corresponding to the received ID is acquired from the relay device. The network monitoring system according to 1. The relay device is
When the first counter corresponding to the received ID reaches a predetermined value, the value of the first counter corresponding to the received ID is notified to the management apparatus, and the processing to the comparison unit is performed. The network monitoring system according to claim 1, characterized in that it is executed. The management device is
The network monitoring system according to claim 1, wherein the value of the first counter is periodically acquired from the relay device, and the comparison unit is caused to execute processing.   The relay device has a list of IDs which may be included in the message transmitted by the corresponding communication node, and an ID in which the ID included in the message from the corresponding communication node is registered in the list The network monitoring system according to claim 1, wherein the network monitoring system matches with. A relay device provided corresponding to a plurality of communication nodes transmitting messages with a preset ID, respectively,
Sending a message received from the corresponding communication node to a bus and counting the received message as a first counter for each of the IDs;
A management device connected to the bus and receiving a message originated by the communication node via the bus;
The received message is counted as a second counter for each ID, the values of the first and second counters are obtained, and the values of the first and second counters are compared for each ID. Network monitoring program characterized by. The management device
When the second counter corresponding to the received ID reaches a predetermined value, the value of the first counter corresponding to the received ID is acquired from the relay device. Network monitoring program described in 6. The relay device is
When said first counter corresponding to the ID thus received has reached a predetermined value, executes a process of a value of said first counter corresponding to the ID the received notification to the management apparatus, wherein the comparing The network monitoring program according to claim 6, characterized in that: In a system comprising a relay device, a management device, and a plurality of nodes,
The relay device provided corresponding to a plurality of communication nodes transmitting messages with a preset ID, respectively,
Sending a message received from the corresponding communication node to a bus and counting the received message as a first counter for each of the IDs;
The management device connected to the bus and receiving a message originated by the communication node via the bus;
The received message is counted as a second counter for each ID, the values of the first and second counters are obtained, and the values of the first and second counters are compared for each ID. A network monitoring method characterized by The management device
When the second counter corresponding to the received ID reaches a predetermined value, the value of the first counter corresponding to the received ID is acquired from the relay device. The network monitoring method according to 9. The relay device is
When said first counter corresponding to the ID thus received has reached a predetermined value, executes a process of a value of said first counter corresponding to the ID the received notification to the management apparatus, wherein the comparing The network monitoring method according to claim 9, characterized in that:

Images