JP6669154B2 - Vehicle data conversion device and vehicle data output method - Google Patents

Description

  The present invention relates to a vehicle data conversion device for outputting data from the inside of a vehicle to the outside of the vehicle, and a data output method for a vehicle.

  For example, as means for restricting devices that can be used by individual users, a technology has been developed that classifies users according to attributes such as job title and affiliation, and restricts the use of devices according to this classification (for example, Patent Documents). 1). According to the technology described in Patent Document 1, the user management table stores user identification information, authentication information, and usable function information. When user authentication information is registered by the user registration deletion unit, user authentication is performed. When the means determines that the user is a valid user of the device, the device can be used only by the functions permitted to use by the user.

JP-A-2006-344128

  In recent years, for example, it has been performed to request vehicle information used inside a vehicle from outside the vehicle and utilize vehicle data outside the vehicle. However, if highly confidential vehicle data can be directly accessed from outside the vehicle, highly important vehicle data may be directly operated from outside the vehicle, or the read vehicle data may be misused. For example, even if the user authentication technology described in Patent Literature 1 is applied, it is insufficient to enhance the security performance of vehicle data.

An object of the present invention is to provide a vehicle data conversion apparatus and a vehicle data output method to be able to output the vehicle data by changing the security level.

According to the first and eighth aspects of the invention, the acquisition means acquires the vehicle data from inside the vehicle, and the first storage means responds to the security classification level corresponding to the vehicle data acquired by the acquisition means. The data processing method for output outside the vehicle is stored, and the data processing method is stored for each application requesting vehicle data from the external device or for each application group in which the application is classified. The conversion means converts the data in accordance with the data processing method stored in the first storage means, which corresponds to the external device requesting the vehicle data and which corresponds to the security classification level of the vehicle data. The conversion unit determines an application that requests vehicle data or an application group that classifies the application, and converts the data processing method stored in the first storage unit for each application or each application group. The output means outputs the converted vehicle data to an external device on condition that the output is determined to be possible by the determination means . For this reason, it becomes possible to output the vehicle data by changing the security level.

FIG. 1 is a block diagram schematically showing an electrical configuration of a vehicle data transmission / reception system according to a first embodiment. FIG. 1 is a block diagram schematically showing an electric configuration of a vehicle data processing device. Explanatory diagram showing the contents of an access control list for an example of a vehicle data classification and data processing method Sequence diagram schematically showing the overall flow Flow chart schematically showing processing contents of the data processing device Flow chart schematically showing the contents of data processing and data update processing Example of mask data for resolution calculation processing Flow chart schematically showing the contents of data update control processing FIG. 2 is a block diagram schematically showing an electric configuration of a vehicle data transmission / reception system according to a second embodiment. Flow chart schematically showing processing contents of the data processing device Flowchart schematically showing the contents of data processing in the third embodiment Explanatory diagram showing the contents of an access control list for an example of a classification of a person or an application and a data processing method

  Hereinafter, some embodiments of a vehicle data conversion device and a vehicle data output method will be described with reference to the drawings. In the embodiments, the same or similar operations are denoted by the same or similar reference numerals, and description thereof will be omitted as necessary.

(1st Embodiment)
First, a schematic configuration of the vehicle transmission / reception system 1 will be described with reference to FIG. As shown in FIG. 1, a large number of ECUs 3 and 4 are installed in a vehicle 2, and these ECUs 3 and 4 are connected through an in-vehicle LAN (Local Area Network) 5. The ECUs 3 and 4 acquire sensor information from a sensor (not shown) installed in the vehicle 2 and drive an actuator (not shown) such as a motor based on the sensor information. At this time, due to the effects of the development of vehicle environmental performance, safety, comfort, ecology technology, and the like, these many ECUs 3 and 4 are capable of realizing higher performance technology as compared with the related art. Thousands to tens of thousands of vehicle data are handled in one vehicle, and the vehicle data is constantly updated in accordance with the technological evolution related to daily vehicle control (for example, PHV (Plug-in Hybrid Vehicle)). The content is updated.

  In recent years, for example, as shown in FIG. 1, a center device 6 outside the vehicle accesses the ECUs 3 and 4 in the vehicle through a communication network 7 outside the vehicle (which may include a wired communication network such as a mobile phone network). A system that requests vehicle data to be used in the vehicle and the center device 6 utilizes the vehicle data is being developed. In addition, with the development of short-range wireless communication technology, wireless LAN technology, and the like in recent years, mobile terminals 8 such as tablet terminals installed inside and outside a vehicle have become able to access vehicle data using external communication 9. . As a method of the external communication 9, a wireless LAN, short-range wireless communication (for example, Bluetooth) (registered trademark), or the like is used. However, if the center device 6 or the portable terminal 8 can directly access the highly confidential vehicle data held in the vehicle, the devices 6 and 8 directly operate the highly important vehicle data, The read vehicle data may be misused. For this reason, in this embodiment, as shown in FIG. 1, the ECU 4 for security measures is connected to the in-vehicle LAN 5. Hereinafter, the ECU 4 for security measures is referred to as a data processing device 4 in order to distinguish and represent the ECU 4 for security measures from other ECUs 3.

  The schematic configuration of the data processing device 4 as a vehicle data conversion device will be described with reference to FIG. FIG. 2 is a block diagram schematically showing the electrical configuration of the data processing device. The data processing device 4 performs processing as needed when vehicle data is requested from outside the vehicle, and determines whether or not to output the non-processed or processed vehicle data outside the vehicle. Has become. The processing includes processing for limiting the resolution of data accuracy, changing the data update cycle, and changing the data encryption method according to the level of confidentiality. The data processing device 4 enables only data determined to be output outside the vehicle to be output outside the vehicle through the communication device. This prevents highly confidential information such as the control content inside the vehicle from being grasped from outside the vehicle.

  The data processing device 4 includes a CAN (Controller Area Network) controller (transceiver) 11, a communication controller (transceiver) 12 for connection outside the vehicle, and a microcomputer (microcomputer) 13. The CAN controller 11 performs communication connection with the in-vehicle network 5 by, for example, CAN. The microcomputer 13 is connected to the CAN controller 11 by a CAN driver 14 and communicates with another ECU 3 connected to the in-vehicle network 5.

  The microcomputer 13 mainly includes a communication module (Com) 15, a data storage unit 16 for storing various data, an information control unit 17 as a conversion unit, and an access control list storage unit for storing an access control list L (see FIG. 3). (Equivalent to a first storage unit) 18 and a stack for external connection (equivalent to an output unit) 19, so that the application 100 can use data processed by the information control unit 17.

  The access control list storage unit 18 is configured by, for example, a volatile memory or a nonvolatile memory, and stores the access control list L. The access control list storage unit 18 allows the information control unit 17 to rewrite the storage contents. In the present embodiment, the data storage unit 16 is constituted by, for example, a register, and is provided separately in an in-vehicle communication buffer (corresponding to an acquisition unit) 16a and an out-of-vehicle communication buffer (corresponding to a second storage unit) 16b. In the in-vehicle communication buffer 16a in the data storage unit 16, the unit of the CAN data frame 16c is 1 to 8 bytes, and the data of the frame 16c is divided into individual data and received from the in-vehicle network 5. It is updated periodically by a signal.

  Here, in the present embodiment, a mode in which CAN is used for in-vehicle communication is described, but in-vehicle communication may be connected using LIN. Note that the data format of the frame 16c and the in-vehicle communication buffer 16a handled at a lower layer than the communication module 15 can be the same as that shown in FIG. 2 for both CAN and LIN.

  The vehicle data acquired from the in-vehicle network 5 is periodically stored in the in-vehicle communication buffer 16a. The information control unit 17 stores the access control list L (see FIG. 3) stored in the access control list storage unit 18. ), The stored vehicle data is processed and, if necessary, stored in the external communication buffer 16b. As for the data in which the update cycle of the data described later is defined, only the classification defined in the access control list L for the individual storage data of the in-vehicle communication buffer 16a may be prepared for the external communication buffer 16b. .

  The external connection stack 19 collectively stores data held in the external communication buffer 16b. The microcomputer 13 is connected to the communication controller 12 for connection outside the vehicle by the communication driver 20 for connection outside the vehicle, and the communication controller 12 for connection outside the vehicle is connected to the communication network 7 outside the vehicle through, for example, a wireless communication module 21 or the like. As a result, the microcomputer 13 of the data processing device 4 can be communicatively connected to the communication network 7 and can communicate with an external device such as the center device 6 or the portable terminal 8.

  Here, classification of vehicle data will be described. As described above, there are, for example, thousands to tens of thousands of vehicle data handled in one vehicle, and these vehicle data are classified into several types in advance, and corresponding to the security level according to this classification. The classification level is determined. Here, an example in which the confidentiality and importance (security level) are classified into classification levels I to IV from low to high will be described.

  The vehicle data of the classification level I is, for example, information that can be directly confirmed by a vehicle user. For example, it is meter display information (for example, speedometer information) obtained by the user viewing the instrument panel in the vehicle. Here, since the meter display information is data processed for meter display by the ECU 3 installed in the vehicle 2, the meter display information itself has the lowest confidentiality and importance, and the classification level. I is set. The vehicle data of the classification level I is grouped according to this type.

  The vehicle data of the classification level II is, for example, sensor information such as a retrofit sensor by a user of the vehicle 2. For example, when a user of the vehicle 2 purchases a vehicle body and then externally attaches a navigation device (not shown) to the vehicle 2, the external navigation device uses various types of road information (latitude / longitude information, gradient values on the ground surface). Such information may be output to the various ECUs 3 through the in-vehicle network 5. Various types of information output from such external devices have relatively low confidentiality and importance, and are set to the classification level II. These vehicle data of classification level II are also grouped according to this type.

  The vehicle data of the classification level III is, for example, information by an assembling module that has been assembled in the vehicle 2 in advance. The vehicle-installed navigation system (not shown) transmits information such as various road information (latitude / longitude information, estimated gradient value of the ground surface) to various ECUs 3 through the in-vehicle network 5 in substantially the same manner as the above-described external navigation device. Output. Also, raw data of various sensors (all not shown) such as a vehicle speed sensor, a rainfall sensor, and various pressure sensors have relatively high confidentiality and importance, and are set to the classification level III. These vehicle data of the classification level III are also grouped according to the type.

  The vehicle data of the classification level IV is, for example, raw information of an estimated value depending on the estimation logic. As such vehicle data, for example, raw data of an estimated torque of an axle or an estimated gradient value of a ground surface can be exemplified. Such information is information that depends on know-how possessed by the supplier of the assembly module of the vehicle 2. If such information is output to the outside, the estimation logic of the estimation logic according to the raw information of the estimated value is output. It can also expose know-how. Therefore, such data is set to the classification level IV having the highest confidentiality and importance. These vehicle data of the classification level IV are also grouped according to the type.

  Next, the contents of the access control list L stored in the access control list storage unit 18 will be described. The access control list L stores a data processing method when the vehicle data is output to the outside of the vehicle in accordance with the vehicle data acquired from the inside of the vehicle according to the degree of importance of the data and the degree of confidentiality. FIG. 3 schematically shows the contents of the access control list L when data is transferred inside and outside the vehicle.

  In the access control list L, for example, data resolution, update timing, and a data processing method related to an encryption method are described according to the above-described classification levels I to IV. Note that this data processing method is not limited to these three types, and one or two of the above-described processing methods or various other data processing methods can be used.

  As shown in FIG. 3, a data processing method is stored in the access control list storage unit 18 so as to increase the security level of the vehicle data as the above-described classification level increases (I → II → III → IV). I have. The access control list storage unit 18 stores, for example, as the data resolution, that the raw data itself can be output at the classification level I, whereas the raw data at the classification level II is rounded down to the decimal point. The so-called rounding process is stored.

  Further, the access control list storage unit 18 stores a process of increasing the resolution to A1 times the raw data at the classification level III. Also, it is stored that the update timing is not limited in the classification levels I and II, whereas the output processing is performed only in the update cycle A2 (> basic cycle) in the classification level III. Furthermore, as for the encryption method, it is stored that the encryption is not performed at the classification level I, whereas it is possible to adopt the RSA (registered trademark), AES, and the high security encryption method at the classification levels II and III. It is remembered. The access control list storage unit 18 stores that data is not output at the classification level IV in the first place. As described above, the access control list storage unit 18 stores data processing methods corresponding to the respective classification levels I to IV.

  Next, for example, an operation procedure when the center device 6 or the mobile terminal 8 serving as a device outside the vehicle accesses vehicle data flowing through the vehicle-mounted network 5 through the vehicle-external network and requests vehicle data will be described with reference to FIG. explain. FIG. 4 shows an overall schematic operation sequence diagram. It should be noted that the processing by the data processing device 4 in FIG.

  First, when the center device 6 or the mobile terminal 8 wants to acquire vehicle data in the vehicle 2, device authentication registration is performed in advance. When the user of the mobile terminal 8 performs authentication registration of the mobile terminal 8 with the data processing device 4 in the vehicle, first, the mobile terminal 8 requests connection to the data processing device 4 (S1). At this time, the mobile terminal 8 transmits the device ID and the security code of the mobile terminal 8 to the data processing device 4 to request authentication, and the data processing device 4 transmits the authentication data corresponding to the device ID and the security code. The device registration is completed by replying to the portable terminal 8 (S2). The method of the authentication procedure of the mobile terminal 8 is not limited to this method.

  Then, when the mobile terminal 8 requests transmission of vehicle data (S3), the mobile terminal 8 transmits the data type (data ID) requested for data to the data processing device 4 together with the device ID. The data processing device 4 confirms the device ID of the portable terminal 8 (S4), and after confirming the data ID (S5), can output data at the classification level described in the access control list L (S6a: YES). The output of the vehicle data is permitted under the condition (S6b). Conversely, when this condition is not satisfied (S6a: NO), the data processing device 4 does not permit the output of the vehicle data (S6c).

  When the output of the vehicle data is permitted, the data processing device 4 performs data processing as needed, and outputs the processed data to the portable terminal while controlling the communication timing (S7). Then, the portable terminal 8 can perform data processing using this data (S8). Similar processing is performed when the center device 6 connects to the data processing device 4 to request data (S11 to S18).

  Next, the internal processing of the data processing device 4 will be described with reference to FIGS. The microcomputer 13 in the data processing device 4 extracts data from the in-vehicle network 5 in frame units (T1) and copies the data to the in-vehicle communication buffer 16a (T2). The information control unit 17 performs data processing (T3), and copies data to the external communication buffer 16b (T4). FIG. 6 schematically shows the contents of the data processing. As shown in FIG. 6, the information control unit 17 reads out the data processing method from the access control list L in the access control list storage unit 18 (U1), calculates the resolution (U2), and stores the data processing method in the access control list L. The storage of the encryption processing is stored (U3), and the data is written (U4). Note that data alteration detection processing according to the classification levels I to IV may be performed between these data processing processings. In this data tampering detection process, the certainty may be confirmed by giving a certificate, or when the stored value of the in-vehicle communication buffer 16a is different between the previous data and the current data, the change amount may be changed. The detection may be performed based on whether or not the threshold level is exceeded, or may be detected using an error detection code such as a checksum. Then, the reliability of data accumulated in the in-vehicle communication buffer 16a or the out-of-vehicle communication buffer 16b can be improved.

  FIG. 7 shows mask data for resolution calculation processing according to the data classification level. When the digit of the mask data is "1", the process for validating the data is performed as it is, and for the digit of "0", the data is masked and invalidated. That is, data processing can be performed with only the upper digit valid and the lower digit invalid. The mask data shown in FIG. 7 indicates data to be masked in a binary unit, but is not limited to this, and may be performed in a decimal unit (for example, “Truncation after decimal point” shown in classification level II in FIG. 3). Can also. As described above, in the present embodiment, the data processing device 4 performs data processing in advance before a data request is made from the outside.

  The information control unit 17 performs data processing in step T3 of FIG. 5 and copies data to the external communication buffer 16b in step T4. The copied data is, for example, every predetermined basic period (for example, 1 ms). It is determined whether or not to perform the update process, and the update process is performed as necessary. FIG. 8 schematically shows the contents of the data update control process performed by the information control unit 17.

  As shown in FIG. 8, the information control unit 17 refers to the in-vehicle communication buffer 16a and determines whether or not data to be updated as needed exists in the in-vehicle communication buffer 16a (V1). If the information control unit 17 determines that the update target data exists (V1: YES), the information control unit 17 increments an update time counter (not shown) corresponding to all the update target data to be updated (V2), and executes the target access. It is determined whether or not there is an update control at the level (classification level) (V3). Note that the update time counter is prepared in advance in the microcomputer 13 corresponding to, for example, individual update target data.

  Here, when it is determined that the target access level (classification level) has update control, the information control unit 17 determines whether or not the time indicated by the update time counter of the target data has passed the update cycle. (V4). When it is determined that the update cycle has elapsed, the information control unit 17 updates the data in the external communication buffer 16b (V5) and sets the update time counter to 0 (V6). The processing of V3 to V6 is performed for all data to be updated (V7: YES).

  As a result, the update target data is updated in the out-of-vehicle communication buffer 16b at any time according to the update timing corresponding to the classification levels I to IV held in the access control list L. Explaining with the example shown in the access control list L of FIG. 3, the data classified into the classification levels I and II is the same as the routine shown in FIG. As a result, the data is updated immediately in synchronization with the update period of the CAN data, and the data classified into the classification level III is updated by the update period A2 of the update counter (> basic period: for example, a fixed period of 100 ms). Will be updated accordingly. Thus, the data update timing can be changed and controlled according to the security level.

  For example, the timing at which the center device 6 or the portable terminal 8 outside the vehicle requests transmission of data into the vehicle 2 does not coincide with the timing desired for the configuration inside the vehicle 2 (ECUs 3 and 4). For this reason, the data processing device 4 causes the external communication buffer 16b to update the processed data in advance according to the update cycle of the update counter corresponding to the security level. Thus, no matter what timing the center device 6 or the portable terminal 8 requests data transmission, vehicle data can be immediately output in response to the transmission request in accordance with the security level of each data. .

  The reference drawing is returned to FIG. As shown in FIG. 5, in step T4, the microcomputer 13 in the data processing device 4 processes the data by the information control unit 17 and copies the data to the out-of-vehicle communication buffer 16b. Update control is performed. At that time, it is determined whether there is a data transmission request (T5). If there is a data transmission request (T5: YES), data is acquired from the external communication buffer 16b and the external connection stack 19 is obtained. (T6). Then, the microcomputer 13 performs the encryption processing stored in step U3 and writes it from the stack 19 for connection outside the vehicle to the communication controller 12 for connection outside the vehicle (T7). The data is output to the transmission request source device such as the external portable terminal 8 or the center device 6 (T8). In this way, when data is requested, data can be output to the external device that has requested transmission.

<Specific examples>
(Specific example 1)
Hereinafter, a specific example will be described. For example, a case where the center device 6 outside the vehicle requests to periodically provide the wheel speed information communicated through the multiplex bus in the in-vehicle network 5 will be described. The wheel speed information is communicated through the in-vehicle network 5, and is periodically stored in the in-vehicle communication buffer 16a. The information control unit 17 reads the data processing method stored in the access control list L from the access control list storage unit 18. The information control unit 17 determines that the wheel speed information acquired through the in-vehicle network 5 is, for example, data classified into the classification level III, and determines the data processing method stored in the access control list L by the access control list storage unit 18. Read from. Here, for example, it is assumed that the “data resolution” of the wheel speed information is 10 times the resolution, and the “update timing” is information that is provided once (= A2) times through the in-vehicle network and provided once.

Here, the resolution of 10 times means, for example, that the data is “50.23”, “50.35”, “51.23”, “51.20”, “51.25”, “50.10” in decimal. , "50.33", "50.40", "50.45", "51.10", "51.21", "51.00", the second digit of the decimal point is rounded down, and "50. .2 "," 50.3 "," 51.2 "," 51.2 "," 51.2 "," 50.1 "," 50.3 "," 50.4 "," 50.4 " , "51.1", "51.2", and "51.0". It should be noted that rounding may be performed. If the data is provided once after receiving the data ten times, the first data “50.2” and the eleventh data “51.2” are output to the external communication buffer 16b. The center device 6 issues a data transmission request after being authenticated by the data processing device 4 in the vehicle. Upon receiving the transmission request, the data processing device 4 acquires data from the external communication buffer 16b and transmits the data to the center device 6 through the wireless communication module 21. Then, the center device 6 can receive the data “50.2” and “51.2” from the data processing device 4.
(Specific example 2)
Specific example 2 describes a case where, for example, the mobile terminal 8 requests data of the engine water temperature communicated through the in-vehicle network 5. The engine water temperature data is communicated through the in-vehicle network 5 and is periodically stored in the in-vehicle communication buffer 16a. The information control unit 17 reads the data processing method stored in the access control list storage unit 18 from the access control list L. Here, for example, the information of the engine water temperature is rounded down to the decimal point as “data resolution”, the update timing is not limited, and the encryption is RSA. The information control unit 17 truncates the engine water temperature data below the decimal point and stores the data in the external communication buffer 16b.

  The portable terminal 8 makes a data transmission request after being authenticated by the data processing device 4 in the vehicle. When the data processing device 4 receives the transmission request, the data of the engine water temperature stored in the external communication buffer 16b is encrypted by RSA and transmitted to the portable terminal 8 through the wireless communication module 21. Then, the mobile terminal 8 can receive the data of the engine water temperature from the data processing device 4.

  As described above, according to the present embodiment, the access control list storage unit 18 stores the data processing method for output outside the vehicle according to the classification levels I to IV. The converted data converted based on the data processing method corresponding to .about.IV is output from the outside connection stack 19. Thereby, the security of the vehicle data stored in the vehicle can be enhanced.

  For example, if security measures are set for each vehicle or for each vehicle data, enormous man-hours are required not only for the set man-hours but also for quality assurance.In the present embodiment, the security measures are classified according to the type of the vehicle data. The data is managed for each group of data groups, and these data are managed separately for classification levels I to IV.

  For this reason, even if a new security policy is formulated, it is not necessary to individually change the security level for vehicle data. In addition, even when vehicle data is added, it can be dealt with simply by making settings that belong to a group of classification levels I to IV that have been classified in advance.

  A vehicle device development company sometimes defines vehicle data as a new parameter during the development of the device, and performs development using the vehicle data. Among them, as shown in the present embodiment, the security level can be secured by classifying the vehicle data into the classification levels I to IV. However, while many development companies participate in the development, Security policies may differ between these many developers.

  Therefore, according to the present embodiment, the vehicle data is grouped at the classification levels I to IV, and the information control unit 17 selects one of the classification levels I to IV of the access control list L stored in the access control list storage unit 18. The vehicle data can be changed and set. As a result, even if the security policies differ from one development company to another, it is possible to change the security level to meet the needs of these development companies, and it is possible to flexibly cope with these policies.

  The out-of-vehicle communication buffer 16b stores pre-converted data after conversion, and outputs the converted data when externally requested vehicle data. Can also respond immediately.

  The external communication buffer 16b stores the converted data pre-processed for each of the classification levels I to IV of the vehicle data at the update timing stored in the access control list L of the access control list storage unit 18. For this reason, the converted data can be prepared in the external communication buffer 16b in advance even if the update cycle is synchronized with the data update cycle by CAN or the update cycle A2 is longer than the basic cycle. It is possible to immediately respond to a data transmission request from outside.

Further, the microcomputer 13 changes the data update timing according to the data update cycle to, for example, the update cycle A2, and outputs the data in an asynchronous manner between the internal update timing of the vehicle data and the output timing of the vehicle data. Therefore, it is difficult to externally estimate the vehicle control cycle, the control timing of the actuator by the ECU 3, and the like.
Further, since data processing is performed in accordance with the attributes of the vehicle data, it is possible to prevent information with high confidentiality and security such as control contents of the vehicle from being grasped from outside the vehicle.

(2nd Embodiment)
9 and 10 show a second embodiment. In the second embodiment, a configuration in which the external communication buffer 16b is not provided is shown. In the first embodiment, before the data processing device 4 receives a transmission request from a device such as the portable terminal 8 or the center device 6, the data processing device 4 processes the data in advance and stores the processed data in the external communication buffer 16b. Indicated. In the second embodiment, a mode in which the data processing device 104 processes data when the data processing device 104 receives a transmission request from the device 8 or 6 will be described.

  The data processing device 104 shown in FIG. 9 instead of the data processing device 4 of FIG. 1 includes an in-vehicle communication buffer 16a as a data storage unit 116 instead of the data storage unit 16, but includes an out-of-vehicle communication buffer 16b. Absent. As shown in the flowchart of FIG. 10 instead of FIG. 5, the microcomputer 13 in the data processing device 104 takes out data in frame units through the in-vehicle network 5 (W1) and copies the data to the in-vehicle communication buffer 16a (W2). Up to this point, the processing is the same as the processing in steps T1 and T2 shown in FIG. 5, but here the microcomputer 13 waits without processing the data in advance.

  When there is a data transmission request (W3: YES), the information control unit 17 in the data processing device 104 acquires data from the in-vehicle communication buffer 16a (W4) and performs data processing (W5). The details of the data processing are the same as those in FIG. The data after the data processing is directly stored in the external connection stack 19. Then, the microcomputer 13 writes (W6) from the external connection stack 19 to the external connection communication controller 12 (W6), and the external connection communication controller 12 transmits the external mobile terminal 8 or the center device 6 via the wireless communication module 21 or the like. The data is output to the requesting device (W7). In this way, when data is requested, data can be output to the transmission requesting device 6 or 8.

  As described above, according to the present embodiment, the microcomputer 13 converts the vehicle data according to the data processing method described in the access control list L when the vehicle data is requested from the outside. Even in such a case, the data processing method of the vehicle data can be changed according to the classification levels I to IV, and the security level of the vehicle data can be changed according to the classification levels I to IV. Thereby, the same effect as in the above-described embodiment can be obtained.

(Third embodiment)
11 to 12 show a third embodiment. In the third embodiment, a form is described in which security measures are taken for each data transmission request source or application classification. In the first embodiment, the form in which the security measures are changed for each of the classification levels I to IV of the vehicle data has been described. However, in the present embodiment, in addition to this, the data transmission request source or the use case of each application is used. , Security measures can be changed.

  An application is incorporated in an external device such as the portable terminal 8 or the center device 6, and when the application operates, the data processing device 4 in the vehicle can be accessed from outside the vehicle. The access source changes according to information (terminal information, device information) such as the ID attribute of the portable terminal 8 and the center device 6, personal information (privacy information) of the owner, an application used, and the like. As described in the embodiment, the ID information of the transmission request source is registered in advance before the data transmission request (see FIG. 4 and its description).

  In this case, even if the access right (access permission, security countermeasure method (data processing method)) is set for each of these devices, each application, each user (user) of the application, or each developer of the application. good. Further, it may be set for each group of these users, for example, the occupation type and affiliation of the developer, and / or for each group of applications, for example, a category, a genre, and the like.

  For example, when the data request source is the center device 6, the security level (classification level) is kept low for the operator of the center device 6, and the borrower of the portable terminal 8 (for example, a service provider such as a home delivery company) For ()), it is preferable to increase the security level (classification level).

  When another viewpoint is considered, if the data request source is the device of the center device 6 and the security (such as confidentiality) of the communication network 7 between the center device 6 and the vehicle 2 is sufficiently ensured, In addition, the security level (classification level) of the center device 6 is kept low, and when the data request source is the device of the portable terminal 8 and the security of the communication outside the vehicle 9 is not sufficiently ensured, on the other hand, The security level (classification level) of the terminal 8 may be increased.

At this time, when a more detailed security measure is taken, the classification levels I to IV shown in the first embodiment and the classification level of a person (equivalent to a user) or an application may be classified in a plurality of dimensions. FIG. 12A shows an outline of the classification levels, and FIG. 12B shows a form in which the classification is performed in a plurality of dimensions. The contents shown in FIGS. 12A and 12B are stored in the access control list storage unit 18 as the access control list L.

  The vertical axis shows the classification levels I to IV described in the first embodiment, and the horizontal axis shows the application classification levels X to Z. However, the classification levels I to IV on the vertical axis are levels at which individual levels are subdivided into two (in the vertical axis in FIG. 12B, the classification level with “_1” is low security level, The classification level with “_2” indicates a high security level).

If the horizontal axis is considered to be the classification of a person (equivalent to a user) , the classification level X on the horizontal axis is a person who has a relatively high authority to handle data, such as the owner of the mobile terminal 8 or the trusted operator of the center device 6 (Equivalent to a user) . The classification level Y on the horizontal axis is assigned to ID information of a relatively reliable person (corresponding to a user) , although it does not have the authority of the owner such as a vehicle dealer (dealer). Moreover, classification level Z on the abscissa, ID borrowers of the portable terminal 8, allocated to the ID information of the specific service provider, such as courier, for example as compared to the owner unreliable human product (user or equivalent) Assigned to information.

If the horizontal axis is considered as application classification, the classification level X on the horizontal axis is an application that requires personal authentication (for example, an application that requires a login password), and the classification levels Y and Z are, for example, usable by any ordinary person. Applications, etc. Further, these classifications may be performed for each group of persons (equivalent to a user) or for each group of applications.

As shown in the two-dimensional security level of FIG. 12B, the security level of the classification level X is set to be low, and the security level of the classification level Z is set to be high. This means that security may be kept low when vehicle data is requested to be transmitted from a highly reliable person or application, and when vehicle data is requested to be transmitted from an unreliable person (equivalent to a user) or an application. This is because security must be kept high.

  As schematically shown in FIG. 11 by the data processing method by the data processing device 4, when the data processing device acquires a data request source (device ID) and a target data name (data ID) (X1), FIG. ), The data classification levels I to IV and X to Z are acquired from the access control list L shown in FIG. 12B (X2), and the resolution is calculated according to the classification levels described in the access control list L ( X3), an encryption process is performed (X4). Then, the microcomputer 13 in the data processing device 4 transmits the processed vehicle data to the data request source. In this case, the pre-processed converted data may be prepared in the external communication buffer 16b as shown in the first embodiment, or the external communication buffer 16b may be prepared as shown in the second embodiment. Alternatively, when a data transmission request is received from the outside, the data may be converted and transmitted to the data request source. Thus, the processing of the present embodiment is realized.

  According to the present embodiment, if the access control list storage unit 18 stores the data processing method in the access control list L for each application that requests vehicle data or for each application group that classifies the application, information The control unit 17 can convert and process the vehicle data by dividing the data processing method for each application or group thereof. Thereby, security can be improved.

Further, when the access control list storage unit 18 stores a data processing method for each user who uses the vehicle data or its group, the information control unit 17 classifies the data processing method for each user or its group. To convert and process vehicle data. Thereby, security can be improved.
If the access control list storage unit 18 stores data processing methods in a plurality of dimensions for each of the classification levels I to IV and for each application or group thereof described in the first embodiment, for example, Security can be improved as compared with the processing of the first embodiment.
In the case where the access control list storage unit 18 stores data processing methods in multiple dimensions for each of the classification levels I to IV and for each user or group, as described in the first embodiment, for example, Security can be improved as compared with the processing of the first embodiment.
When the external communication buffer 16b stores converted data pre-processed for each application requesting vehicle data or for each application group in which the application is classified, the buffer 16b immediately responds to an external data transmission request. be able to.
When the external communication buffer 16b stores converted data pre-processed for each user or group requesting vehicle data, the buffer 16b can immediately respond to an external data transmission request.

(Other embodiments)
The present invention is not limited to the above-described embodiment, and for example, the following modifications or extensions are possible.
The access control list storage unit 18 has been described as storing the data processing method itself corresponding to the classification levels I to IV. However, the access control list storage unit 18 stores ID information of the data processing method corresponding to the classification levels I to IV, and stores them. The details of the data processing method may be stored separately. The “data processing method” described in the present invention includes this content.

  For example, an intrusion sensor (not shown) may be installed in the vehicle 2 in preparation for theft. In such a case, the sensor information of the intrusion sensor is stored in the in-vehicle communication buffer 16a through the in-vehicle network 5. When an internal event related to, for example, intrusion detection by an intrusion sensor (not shown) installed in the vehicle 2 occurs, the microcomputer 13 may be applied to a mode in which vehicle data is automatically output to the external center device 6. Even in such a case, the effects described in the above embodiment can be obtained. The configuration of each embodiment described above can be applied individually or in combination.

  In the drawings, 4 and 104 are data processing devices (vehicle data conversion devices), 16a is an in-vehicle communication buffer (acquisition unit), 16b is an out-of-vehicle communication buffer (second storage unit), and 17 is an information control unit (conversion unit). ) And 18 indicate an access control list storage unit (first storage unit), and 19 indicates an external connection stack (output unit).

Claims (8)

Determining means for determining whether to output unconverted or converted vehicle data to an external device,
Acquisition means (16a) for acquiring vehicle data from inside the vehicle;
A data processing method for out-of-vehicle output according to a security classification level corresponding to vehicle data obtained by the obtaining means, wherein the application requests the vehicle data from an external device or an application group in which the application is classified. First storage means (18) for storing a data processing method;
Conversion means (17) for converting according to a data processing method stored in the first storage means and corresponding to the external device as a request source of the vehicle data and corresponding to a security classification level of the vehicle data;
An output unit (19) that outputs the converted vehicle data to the external device, on condition that the output unit determines that the output is possible .
The conversion unit (17) determines the application requesting the vehicle data or the application group in which the application is classified, and executes the data processing method stored in the first storage unit for each application or each application group. A vehicle data converter that converts and converts data.   The vehicle data conversion device according to claim 1, wherein the first storage unit stores a data processing method for each group classified according to the vehicle data.   3. The vehicle data conversion device according to claim 1, wherein the first storage unit is configured to be able to change and set a data processing method corresponding to the vehicle data according to a change in security policy.   2. The vehicular data conversion device according to claim 1, wherein the first storage unit stores a data processing method for each user or a group of persons who use the vehicle data. Determining means for determining whether to output unconverted or converted vehicle data to an external device,
Acquisition means (16a) for acquiring vehicle data from inside the vehicle;
A data processing method for output outside a vehicle according to a security classification level corresponding to vehicle data acquired by said acquisition means, wherein each of the security classification levels classified according to the vehicle data and an external device A first storage unit (18) for storing an application requesting the vehicle data from the storage unit or a data processing method for each application group in which the application is classified;
Conversion means (17) for converting according to a data processing method stored in the first storage means and corresponding to the external device as a request source of the vehicle data and corresponding to a security classification level of the vehicle data;
An output unit (19) that outputs the converted vehicle data to the external device, on condition that the output unit determines that the output is possible .
The conversion unit (17) determines the application requesting the vehicle data or the application group in which the application is classified, and executes the data processing method stored in the first storage unit for each application or each application group. A vehicle data converter that converts and converts data.   The first storage means may use, as the data processing method, one of a resolution processing method of the vehicle data, a data update cycle, a data encryption method, or a combination of any two or more thereof. The vehicle data converter according to any one of claims 1 to 5, which stores the data.   The vehicle according to any one of claims 1 to 6, wherein the conversion unit (17) performs conversion according to a data processing method stored in the first storage unit when vehicle data is requested from outside. Data converter. A vehicle data output method for outputting vehicle data after determining by the determination unit whether or not to output the unconverted or converted vehicle data to the external device,
Acquiring means (16a) for acquiring vehicle data from inside the vehicle;
The first storage means (18) is a data processing method for output outside the vehicle according to a security classification level corresponding to the vehicle data acquired by the acquisition means, wherein an application or a request for the vehicle data from an external device is provided. When the data processing method is stored for each application group that classifies the application,
A conversion unit (17) corresponding to the external device which requests the vehicle data from the external device and is stored in the first storage unit for each application group or an application group in which the application is classified; The application or the application group is configured to be converted according to a data processing method corresponding to a security classification level of the vehicle data, and determines the application requesting the vehicle data or the application group in which the application is classified. Converting the data processing method stored by the first storage means separately for each
A vehicle data output method for outputting the converted vehicle data to the external device on the condition that the output means (19) determines that the output is possible by the determination means .

Images