JP6920667B2 - Information processing equipment, information processing systems, information processing methods, and programs - Google Patents

Description

The present invention relates to an information processing device, an information processing system, an information processing method, and a program that counter attacks on a network.

In recent years, attacks (hacking) on in-vehicle networks and high risks due to attacks have been pointed out. Specifically, an attacker who accesses an information terminal of a car equipped with a wireless connection interface with the outside via wireless communication, etc., illegally rewrites the program and then transfers the information terminal to the in-vehicle network inside the car. An attack has been announced that controls an actuator connected to an electronic control unit (ECU: Electronic Control Unit, hereinafter referred to as ECU) against the driver's intention by sending an arbitrary CAN (Controller Area Network) command. Has been done.

On the other hand, there is also a risk that control contrary to the driver's intention is executed due to a failure or malfunction of the ECU.

Under such circumstances, the in-vehicle network is required to ensure functional safety and security.

As a conventional functional safety method, a method of making an ECU or the like redundant is known. For example, Patent Document 1 discloses a network system including a plurality of gateway devices.

Japanese Unexamined Patent Publication No. 2011-25598

However, security is not considered in the network system described in Patent Document 1. For example, if this network system receives an attack that injects an illegal CAN command into the global bus, the main gateway or sub-gateway sends the attack command to the local bus as it is. In other words, an attacker can break into the local bus of this network system.

Further, when the main gateway is hijacked by an attacker and the main gateway itself receives an attack that directly injects an illegal CAN command into the local bus, the network system described in Patent Document 1 detects and eliminates this attack. Can not do it.

The present invention provides an information processing device, an information processing system, an information processing method, and a program in which a redundant network system for functional safety can eliminate attacks that threaten security and maintain its functions. The purpose is to do.

In order to achieve the above object, the information processing apparatus according to one aspect of the present invention transmits / receives communication data flowing through a network to which a first gateway, a second gateway, and at least one electronic control unit are connected. Communication unit, monitoring unit that determines whether this communication data is normal, and when the monitoring unit determines that the communication data is not normal, the transfer function of the first gateway and the transfer function of the second gateway It includes a notification unit that transmits a notification for making one valid and the other invalid to at least a second gateway.

According to the present invention, in a network system that supports functional safety by redundancy, the function of this network system can be maintained even when an abnormality due to an attack is detected.

Block diagram showing the configuration of the information processing system according to the first embodiment The figure which shows the structure of the data frame specified by the CAN protocol The block diagram which shows the structure of the 1st GW in Embodiment 1. An example of the data structure of the transfer list in the first embodiment The block diagram which shows the structure of the 2nd GW in Embodiment 1. The block diagram which shows the structure of the information processing apparatus in Embodiment 1. A sequence diagram for explaining the operation of the information processing system according to the first embodiment. Block diagram showing the configuration of the information processing system according to the second embodiment The block diagram which shows the structure of the 1st GW in Embodiment 2. The block diagram which shows the structure of the 2nd GW in Embodiment 2. Block diagram showing the configuration of the information processing apparatus according to the second embodiment A sequence diagram for explaining the operation of the information processing system according to the second embodiment.

(Embodiment 1)
Hereinafter, the information processing system according to the first embodiment of the present invention will be described with reference to the drawings.

[1.1 Configuration of Information Processing System 10]
As shown in FIG. 1, the information processing system 10 includes a first gateway (hereinafter referred to as a first GW) 101, a second gateway (hereinafter referred to as a second GW) 102, and an information processing device. It includes 103, a communication ECU 104, and a plurality of ECUs 105.

In the information processing system 10, a network is formed in which each of the above components is connected using a CAN bus. In the example of FIG. 1, the ECU 105 is connected to each of the CAN bus 1, CAN bus 2, and CAN bus 3, and CAN bus 1, CAN bus 2, and CAN bus 3 (hereinafter, also referred to as CAN buses 1 to 3). Are connected to each other via a first GW101 and a second GW102.

Further, the information processing device 103 is connected to the CAN buses 1 to 3. Further, in the example of FIG. 1, the first GW 101 and the second GW 102 are also connected by a dedicated line 600 which is a wiring different from each CAN bus. The leased line 600 is used for direct communication between the first GW 101 and the second GW 102.

The information processing system 10 is, for example, a network system configured on an in-vehicle network. In this in-vehicle network, each component such as an ECU, a GW, and an information processing device transmits and receives communication data called a CAN command. , Realizes various functions. For example, in the parking assistance function, lane keeping assistance function, collision avoidance assistance function, etc., which are one of the functions of the advanced driver assistance system (ADAS: Advanced Driver Assistance System, hereinafter referred to as ADAS), electronically controlled steering is used. It is realized by controlling the actuators that operate the accelerator, brake, etc. by the CAN command flowing through the in-vehicle network.

The first GW 101 and the second GW 102 receive the CAN command flowing through such a network, and transmit (transfer) the received CAN command to the CAN bus specified for each ID (CAN ID) of the CAN command. ) Has a transfer function. For example, when the CAN ID of the CAN command received by the first GW 101 from the CAN bus 2 is "0x011" and the transfer destination specified in advance for this CAN ID is the CAN bus 1, the first GW 101 is The CAN command is transferred to the CAN bus 1. The specification of the CAN ID and the forwarding destination of the CAN command will be described later.

Further, as described above, the first GW 101 connected to the second GW 102 by the leased line 600 invalidates the transfer function (forced stop) based on the notification transmitted from the second GW 102 via the leased line 600. )do.

The information processing device 103 receives the CAN command flowing through the CAN buses 1 to 3, determines whether or not the received CAN command is normal, and determines that it is not normal (abnormal), and when it determines that it is not normal (abnormal), the second GW 102 Send the prescribed notification to.

Here, the predetermined notification transmitted by the information processing device 103 to the second GW 102 is that the transfer function of the first GW 101 is invalid and the transfer of the second GW 102 is performed on the information processing system 10 (or the in-vehicle network). This is a notification to enable the function. To give a more specific example, the communication data received by the information processing device 103 is not normal (abnormal), the transfer function of the first GW 101 is invalidated, or the transfer function of the second GW 102 is set. This is a notification indicating that it will be activated. The second GW 102 executes an operation described later in response to receiving such a notification.

The communication ECU 104 is in the connection path between the first GW 101 and the external network 500 (for example, the Internet), and is connected to the server device 11 which is an external information processing device of the information processing system 10 via the external network 500. To send and receive communication data. The information processing device 103 can provide a function realized through the exchange of data connected to the external information processing device in this way, for example, a function for driving support with higher accuracy or convenience.

However, such an interface for connecting to the outside can also be an entry point for an attacker such as a hacker to illegally access the information processing system 10. However, it is technically extremely difficult to completely prevent unauthorized access via this interface. Therefore, in order to improve the security of the information processing system 10, it is indispensable to have a technique for preventing the occurrence or spread of damage after the intrusion by an attacker and suppressing the influence thereof, and the information processing device 103 and the like in the present embodiment are also included. It also realizes such a technology.

Each ECU 105 transmits and receives a CAN command having a predetermined CAN ID via any of the CAN buses 1 to 3 to which the ECU 105 is connected.

In the information processing system 10 shown in FIG. 1, the CAN command transfer function included in the first GW 101 is effective before the attack is detected or the attack is detected (hereinafter, also referred to as a normal time). The CAN command transfer function included in the GW 102 of 2 is in an invalid state. That is, the second GW 102 is in a standby state in which the CAN command transfer process is not performed.

When the first GW 101 is hacked by an attacker via the communication ECU 104 and the program executed by the first GW 101 is illegally rewritten, the information processing system 10 receives an illegal CAN from the first GW 101 operated by the attacker. The command can be sent.

When the information processing device 103 determines that the received CAN command is abnormal (when it detects an invalid CAN command), the information processing device 103 sends the above-mentioned predetermined notification to the second via any of the CAN buses 1 to 3. Send to GW102.

Upon receiving this notification, the second GW 102 transmits a notification for disabling its own transfer function to the first GW 101 via the dedicated line 600, and further enables its own transfer function. To become. Upon receiving this notification, the first GW 101 disables its own transfer function. After that, the function of the information processing system 10 is maintained by executing the CAN data transfer process by the second GW 102.

[1.2 Data frame]
Here, a data frame, which is one of the data formats used in communication on a network according to the CAN protocol (CAN communication), will be described.

FIG. 2 is a diagram showing a structure of a data frame defined by the CAN protocol. FIG. 2 shows the structure of a data frame called a standard format among the data frames defined by the CAN protocol. The data frame is a SOF (Start Of Frame), ID field, RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit "r", DLC (Data Length Code), data field, CRC (Cyclic Redundancy Check) sequence. , CRC delimiter "DEL", ACK (Acknowledgement) slot, ACK delimiter "DEL", and EOF (End Of Frame) fields. Hereinafter, the fields separately mentioned in the description of the present invention will be briefly described.

The ID field is a field composed of 11 bits that stores an ID that is a value indicating the type of data, and this ID is the CAN ID described above. This ID is also used for communication arbitration when a plurality of nodes start transmitting at the same time, and is designed so that an ID having a smaller value is given to a frame having a higher priority.

The data field is composed of a maximum of 64 bits and is a field for storing data, and the data length of this field is shown in the immediately preceding DLC field.

The CAN command transmitted and received by each ECU in the information processing system 10 and transferred by the first GW 101 and the second GW 102 is communication data stored in the above-mentioned data frame. Each ECU stores a specified type of data in a data field and stores a specified CAN ID corresponding to the type of data in an ID field to generate a data frame. The CAN ID stored in the CAN command and the types and configurations of the corresponding data are defined in advance by the vehicle manufacturer and the like as the specifications of the in-vehicle network.

There is another type of data frame defined by the CAN protocol called an extended format. The extended format also has a field having a role corresponding to the field briefly described above, and the present invention can be applied to data in any format. However, the information processing apparatus and the like according to the present invention can also be applied to a network used for data communication other than the formats of these CAN protocols. The above format description is for convenience of understanding of the present invention and is not intended to limit the present invention.

[1.3 Configuration of the first GW101]
Subsequently, the detailed configuration of the first GW 101 will be described. FIG. 3 is a block diagram showing a functional configuration of the first GW101.

As shown in FIG. 3, the first GW 101 includes a first transmission / reception unit 201, a transfer list storage unit 202, a communication unit 203, an invalidation unit 204, and a control unit 205 as functional blocks.

The first GW 101 is composed of a microprocessor, which is an arithmetic processing unit (not specifically shown), a RAM (Random Access Memory), a ROM (Read-Only Memory), a hard disk, and the like, which are storage devices. A computer program is stored in the RAM, ROM, and hard disk, and the first GW 101 fulfills its function when the microprocessor operates according to the computer program.

The first transmission / reception unit 201, the transfer list storage unit 202, the communication unit 203, the invalidation unit 204, and the control unit 205 of the first GW 101 are typically realized as an LSI which is an integrated circuit. Each of these functional blocks may be realized by an individual chip, a plurality of functional blocks may be realized by one chip, or one functional block may be realized by a plurality of chips.

Further, although an integrated circuit that realizes these functional blocks is an LSI, it may be called an IC, a system LSI, a super LSI, or an ultra LSI depending on the degree of integration.

Further, a programmable logic device such as an FPGA (Field Programmable Gate Array) programmable after manufacturing or a reconfigurable processor capable of reconfiguring the connection and setting of internal circuit cells may be used.

In addition, the method of making an integrated circuit is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor.

Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. There is a possibility of applying biotechnology.

Further, each functional block may be realized by software or may be realized by a combination of LSI and software. Also, the software may be tamper resistant.

Hereinafter, each functional block of the first GW101 will be described.

(1) First transmitter / receiver 201
The first transmission / reception unit 201 receives the CAN command flowing through the CAN bus, and also transmits the CAN command to the CAN bus. Further, the first transmission / reception unit 201 determines the CAN bus to which the received CAN command is transferred based on the list stored in the transfer list storage unit 202 described later, and transmits the CAN command to the determined CAN bus. Perform transfer processing. The transfer function of the first GW 101 is provided by the first transmission / reception unit 201 that executes this transfer process.

(2) Transfer list storage unit 202
The transfer list storage unit 202 stores a transfer list indicating a pair of a CAN ID included in the CAN command and a CAN bus designated as a transfer destination of the CAN command including the CAN ID. An example of the data structure of the transfer list is shown in FIG.

In the example of FIG. 4, the pair of the CAN ID and the transfer destination specified for the CAN ID is included in the same line. For example, the transfer destination of the CAN command having the CAN ID "0x011" is the CAN bus 1, and the transfer destination of the CAN command having the CAN ID "0x021" is the CAN bus 2.

(3) Communication unit 203
The communication unit 203 transmits / receives communication data to / from the second GW 102 via the dedicated line 600. For example, from the second GW 102, communication data indicating a notification (instruction) for disabling the transfer function of the first GW 101 is transmitted to the first GW 101 via the dedicated line 600. In the first GW 101, the communication unit 203 receives this communication data.

(4) Invalidation unit 204
When the invalidation unit 204 receives the above notification from the second GW 102 via the communication unit 203, the invalidation unit 204 disables the transfer function of the first GW 101 by stopping the transfer process of the first transmission / reception unit 201. do. By disabling the transfer function of the first GW 101, an attacker's attack on the network, for example, sending an illegal CAN command is prevented, and the security of the information processing system 10 is maintained.

(5) Control unit 205
The control unit 205 manages and controls each of the functional blocks (1) to (4) above to realize the function of the first GW 101.

[1.4 Configuration of the second GW102]
Subsequently, the detailed configuration of the second GW 102 will be described. FIG. 5 is a block diagram showing a functional configuration of the second GW 102.

As shown in FIG. 5, the second GW 102 includes a second transmission / reception unit 301, a transfer list storage unit 302, a communication unit 303, an invalidation notification unit 304, an activation unit 305, and a control unit 306 as functional blocks. ..

The second GW 102 is composed of a microprocessor, which is an arithmetic processing unit (not specifically shown), and a RAM, ROM, a hard disk, and the like, which are storage devices. A computer program is stored in the RAM, ROM, and hard disk, and the second GW 102 fulfills its function when the microprocessor operates according to the computer program.

The second transmission / reception unit 301, the transfer list storage unit 302, the communication unit 303, the invalidation notification unit 304, the activation unit 305, and the control unit 306 of the second GW 102 are typically LSIs that are integrated circuits. Is realized as. Each of these functional blocks may be realized by an individual chip, a plurality of functional blocks may be realized by one chip, or each functional block may be realized by a plurality of chips.

Further, although an integrated circuit that realizes these functional blocks is an LSI, it may be called an IC, a system LSI, a super LSI, or an ultra LSI depending on the degree of integration.

In addition, programmable logic devices such as FPGAs that can be programmed after manufacturing and reconfigurable processors that can reconfigure the connections and settings of internal circuit cells may be used.

In addition, the method of making an integrated circuit is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor.

Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. There is a possibility of applying biotechnology.

Further, each functional block may be realized by software or may be realized by a combination of LSI and software. Also, the software may be tamper resistant.

Hereinafter, each functional block of the second GW 102 will be described.

(1) Second transmission / reception unit 301
The second transmission / reception unit 301 receives the CAN command flowing through the CAN bus, and also transmits the CAN command to the CAN bus. Further, the second transmission / reception unit 301 determines the CAN bus to which the received CAN command is transferred based on the list stored in the transfer list storage unit 302 described later, and transmits the CAN command to the determined CAN bus. Perform transfer processing. The transfer function of the second GW 102 is provided by the second transmission / reception unit 301 that executes this transfer process. However, in the normal time when no attack is detected in the information processing system 10, this transfer process of the second transmission / reception unit 301 is stopped. That is, the second GW 102 in the normal state is in a state in which the CAN command transfer function is disabled (hereinafter, also referred to as a standby state).

(2) Transfer list storage unit 302
The transfer list storage unit 302 stores a transfer list indicating a pair of the CAN ID included in the CAN command and the CAN bus of the transfer destination to which the CAN command is transferred. An example of the transfer list included in the second GW 102 is common to FIG. 4, and the description thereof will be omitted here.

(3) Communication unit 303
The communication unit 303 transmits / receives communication data to / from the first GW 101 via the dedicated line 600. For example, communication data indicating a notification (instruction) for disabling the transfer function of the first GW 101 is transmitted from the communication unit 303 to the first GW 101 via the dedicated line 600. In the first GW 101, this communication data is received by the communication unit 203.

(4) Invalidation notification unit 304
When the invalidation notification unit 304 receives the above-mentioned predetermined notification from the information processing device 103 via the second transmission / reception unit 301, the invalidation notification unit 304 first receives the above-mentioned predetermined notification from the communication unit 303 via the dedicated line 600 to the first GW 101. Communication data indicating a notification (instruction) for disabling the transfer function of the GW 101 is transmitted to the first GW 101.

(5) Activation unit 305
When the activation unit 305 receives the above-mentioned predetermined notification from the information processing device 103 via the second transmission / reception unit 301, the activation unit 305 causes the second transmission / reception unit 301 to start the transfer process, so that the second GW 102 Enable the transfer function (release the standby state). By enabling the transfer function of the second GW 102, even if the transfer function of the first GW 101 is disabled, CAN commands for electronic control and the like are continuously transferred on the network, and the information processing system 10 Function is maintained.

(6) Control unit 306
The control unit 306 manages and controls each of the functional blocks (1) to (5) above to realize the function of the second GW 102.

[1.5 Configuration of Information Processing Device 103]
Subsequently, the detailed configuration of the information processing apparatus 103 will be described. FIG. 6 is a block diagram showing a functional configuration of the information processing device 103.

As shown in FIG. 6, the information processing device 103 includes a first communication unit 401, a monitoring unit 402, a notification unit 403, and a control unit 404 as functional blocks.

The information processing device 103 includes a microprocessor, which is an arithmetic processing unit (not specifically shown), and a RAM, ROM, hard disk, and the like, which are storage devices. A computer program is stored in the RAM, ROM, and hard disk, and the information processing apparatus 103 fulfills its function when the microprocessor operates according to the computer program.

The first communication unit 401, monitoring unit 402, notification unit 403, and control unit 404 of the information processing device 103 are typically realized as an LSI which is an integrated circuit. Each of these functional blocks may be realized by an individual chip, a plurality of functional blocks may be realized by one chip, or one functional block may be realized by a plurality of chips.

Further, although an integrated circuit that realizes these functional blocks is an LSI, it may be called an IC, a system LSI, a super LSI, or an ultra LSI depending on the degree of integration.

In addition, programmable logic devices such as FPGAs that can be programmed after manufacturing and reconfigurable processors that can reconfigure the connections and settings of internal circuit cells may be used.

In addition, the method of making an integrated circuit is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor.

Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. There is a possibility of applying biotechnology.

Further, each functional block may be realized by software or may be realized by a combination of LSI and software. Also, the software may be tamper resistant.

Such an information processing device 103 is mounted on an information processing system 10 realized as an in-vehicle network, for example, as a monitoring ECU connected to all CAN buses of the in-vehicle network.

Hereinafter, each functional block of the information processing apparatus 103 will be described.

(1) First communication unit 401
The first communication unit 401 receives the CAN command flowing on the CAN bus, and also sends the CAN command on the CAN bus.

(2) Monitoring unit 402
The monitoring unit 402 receives and receives a CAN command flowing through a plurality of CAN buses (CAN buses 1 to 3 in the example of FIG. 1) connected to the information processing device 103 via the first communication unit 401. Determine if the CAN command is normal. Any known method can be used as a method for determining whether or not the CAN command is normal. For example, whether or not the data length shown in the DLC field of each CAN command matches the length of the data field, the type of data, that is, the value of the data field determined according to the CAN ID, or the transmission timing is within the specified range. It is possible to determine whether the CAN command is normal or not based on the presence or absence.

(3) Notification unit 403
When the monitoring unit 402 determines that the CAN command received by the first communication unit 401 is not normal (abnormal), the notification unit 403 sends the above-mentioned predetermined notification via the first communication unit 401. It is transmitted to the second GW 102.

(4) Control unit 404
The control unit 404 manages and controls each of the functional blocks (1) to (3) above to realize the function of the information processing device 103.

[1.6 Operation of Information Processing System 10]
When the information processing system 10 determines that the CAN command received by the information processing device 103 is not normal, the operation of disabling the transfer function of the first GW 101 and causing the second GW 102 to execute the transfer function instead. An example will be described with reference to FIG. FIG. 7 is a sequence diagram for explaining the operation of the information processing system 10.

In the information processing system 10 at the start stage of the operation of this example, it is assumed that the first GW 101 performs the transfer processing of the CAN command which is the communication data flowing in the network, and the second GW 102 is in the standby state.

The first communication unit 401 of the information processing device 103 receives a CAN command from each connected CAN bus (step S701).

With respect to the CAN command received by the first communication unit 401, it is determined whether or not the monitoring unit 402 is normal (step S702). If it is determined to be normal (Yes in step S702), the operation procedure in the information processing apparatus 103 returns to the reception of the CAN command (step S701), and the first communication unit 401 receives the next CAN command.

While the CAN commands received one after another are continuously determined to be normal by the monitoring unit 402, the first GW 101 continues to transfer the received CAN commands, and the second GW 102 is still in the standby state.

When the monitoring unit 402 determines that the received CAN command is not normal (No in step S702), the notification unit 403 invalidates the transfer function of the first GW 101 and enables the transfer function of the second GW. A predetermined notification is notified to the second GW 102 via the first communication unit 401 (step S703).

In the second GW 102, when the second transmission / reception unit 301 receives the above notification from the information processing device 103 (step S704), the invalidation notification unit 304 invalidates the CAN command transfer function of the first GW 101. The notification for this is transmitted from the communication unit 303 to the first GW 101 (step S705).

Further, in the second GW 102, the activation unit 305 causes the second transmission / reception unit 301 to start the transfer process. As a result, the transfer function of the second GW 102 is enabled (step S706), and the transfer of the CAN command is started. After that, in the second GW 102, the transfer process of receiving the CAN command and transmitting the received CAN command to the CAN bus of the transfer destination determined based on the transfer list in the transfer list storage unit 302 is the second transmission / reception unit. It is done by 301.

In the first GW 101, when the communication unit 203 receives a notification from the second GW 102 for disabling the transfer function of the CAN command (step S707), the disabling unit 204 transfers the transfer process of the first transmission / reception unit 201. To stop. As a result, the transfer function of the CAN command of the first GW101 is invalidated (step S708).

As described above, according to the present embodiment, in the information processing system 10, the first GW 101, the second GW 102, and the information processing device 103 are connected by the CAN buses 1 to 3 and are connected to the first GW 101. It is further connected to the second GW 102 by a dedicated line 600. When the information processing device 103 determines that the received CAN command is not normal, the information processing device 103 sends a predetermined notification to the second GW 102 via the CAN bus according to the fact that the received CAN command is not normal. Will be sent. Upon receiving this notification, the second GW 102 transmits a notification for disabling the transfer function of the first GW 101 to the first GW 101 to the first GW 101 via the leased line 600, and also sends a notification for disabling the transfer function of the first GW 101 to the first GW 101. Enable the transfer function. After that, in the information processing system 10, the function of the information processing system 10 is maintained by performing the transfer processing of the communication data by the second GW 102 in which the transfer function is enabled.

The notification for disabling the transfer function is safely and reliably transmitted using the leased line 600. As a result, the information processing system 10 that has both functional safety and security due to redundancy is provided.

(Embodiment 2)
Hereinafter, the information processing system according to the second embodiment of the present invention will be described with reference to the drawings.

[2.1 Configuration of Information Processing System 80]
As shown in FIG. 8, the information processing system 80 includes a first gateway (hereinafter referred to as a first GW) 801 and a second gateway (hereinafter referred to as a second GW) 802, and an information processing device 803. , Communication ECU 104, and a plurality of ECUs 105.

In the information processing system 80, a network is formed in which each of the above components is connected by using a CAN bus. In the example of FIG. 8, the ECU 105 is connected to each of the CAN bus 1, CAN bus 2, and CAN bus 3, and CAN bus 1, CAN bus 2, and CAN bus 3 (hereinafter, also referred to as CAN buses 1 to 3). Are connected to each other via a first GW801 and a second GW802.

Further, in the example of FIG. 8, the first GW 801 and the information processing device 803 are also connected by a dedicated line 601 which is a wiring different from each CAN bus. The leased line 601 is used for direct communication between the information processing device 803 and the first GW801. Further, the second GW 802 and the information processing device 803 are also connected by a dedicated line 602 which is a wiring different from each CAN bus. The leased line 602 is used for direct communication between the information processing device 803 and the second GW 802. The leased line 601 is an example of the second leased line and the third leased line in the present embodiment, and the leased line 602 is the first leased line and the fourth leased line in the present embodiment. This is an example.

Similar to the information processing system 10 in the first embodiment, the information processing system 80 is also, for example, an in-vehicle network, and in this in-vehicle network, each component such as an ECU, a GW, and an information processing device communicates called a CAN command. Various functions are realized by sending and receiving data. The CAN command in the information processing system 80 is also the communication data of the data frame described in the description of the first embodiment, and the description thereof will be omitted here.

The first GW801 and the second GW802 receive the CAN command flowing through such a network, and the received CAN command is sent to the specified CAN bus for each ID (CAN ID) of the CAN command. It has a transfer function to transmit (transfer). For example, when the CAN ID of the CAN command received by the first GW801 from the CAN bus 2 is "0x011" and the transfer destination specified for this CAN ID is the CAN bus 1, the first GW801 is the CAN. Transfer the command to CAN bus 1. Since the details of specifying the CAN ID and the transfer destination of the CAN command are the same as those in the first embodiment, the description thereof will be omitted here.

Further, as described above, the first GW 801 connected to the information processing device 803 by the dedicated line 601 disables (forces) the transfer function based on the notification transmitted from the information processing device 803 via the dedicated line 601. Stop. Similarly, the second GW 802 connected to the information processing device 803 by the dedicated line 602 enables the transfer function (returns from the standby state) based on the notification transmitted from the information processing device 803 via the dedicated line 602. )do.

The information processing device 803 receives the CAN command flowing through the CAN buses 1 to 3, and determines whether or not the received CAN command is normal. When it is determined that it is not normal (abnormal), the information processing device 803 transmits a predetermined notification for disabling the transfer function of the first GW 801 to the first GW 801 via the dedicated line 601. , A predetermined notification for activating the transfer function of the second GW 802 is transmitted to the second GW 802 via the dedicated line 602.

Here, the predetermined notification transmitted from the information processing device 803 to the first GW 801 means that, for example, the communication data received by the information processing device 803 is not normal (abnormal), and the transfer function of the first GW 801 is defined. This is a notification indicating that the transfer function of the second GW 102 is to be disabled or the transfer function of the second GW 102 is enabled. The first GW801 executes the operation described later in response to the reception of such a notification.

Further, the predetermined notification transmitted by the information processing device 803 to the second GW 802 is, for example, that the communication data received by the information processing device 803 is not normal (abnormal), and the transfer function of the second GW 802 is enabled. This is a notification indicating that the transfer function of the first GW801 is to be disabled. The second GW 802 executes the operation described later in response to the reception of such a notification.

Since the communication ECU 104 and the plurality of ECUs 105 are common to the first embodiment, the description thereof will be omitted here. The information processing device 803 and the like in the present invention also realize a technique for preventing the occurrence or spread of damage after an attacker invades the information processing system 80 and suppressing the influence thereof in order to improve the security of the information processing system 80. do.

In the information processing system 80 shown in FIG. 8, the CAN command transfer function included in the first GW 801 is effective in the normal time when the attack is not received (or before the attack is detected), and the second GW 802 The provided CAN command transfer function is in an invalid state. That is, the second GW 802 is in a standby state in which the CAN command transfer process is not performed.

When the first GW801 is hacked by an attacker via the communication ECU 104 and the program executed by the first GW801 is illegally rewritten, the information processing system 80 starts the illegal CAN from the first GW801 operated by the attacker. The command can be sent.

When the information processing device 803 determines that the received CAN command is abnormal (when an invalid CAN command is detected), the information processing device 803 sends a notification for disabling the transfer function to the first GW801 via the dedicated line 601. A notification for activating the transfer function is transmitted to the second GW 802 via the dedicated line 602.

The first GW801 that receives this notification from the information processing apparatus 803 disables its own transfer function. Further, the second GW 802, which has received the notification from the information processing apparatus 803, activates its own transfer function. After that, the CAN data transfer process in the information processing system 80 is executed by the second GW 802 in which the transfer function is enabled, and the function of the information processing system 80 is maintained.

[2.2 Configuration of the first GW801]
Subsequently, the detailed configuration of the first GW801 will be described. FIG. 9 is a block diagram showing a functional configuration of the first GW801.

As shown in FIG. 9, the first GW801 includes a first transmission / reception unit 901, a transfer list storage unit 902, a communication unit 903, an invalidation unit 904, and a control unit 905 as functional blocks.

The first GW801 is composed of a microprocessor, which is an arithmetic processing unit (not specifically shown), and a RAM, ROM, a hard disk, and the like, which are storage devices. A computer program is stored in the RAM, ROM, and hard disk, and the first GW801 fulfills its function when the microprocessor operates according to the computer program.

The first transmission / reception unit 901, the transfer list storage unit 902, the communication unit 903, the invalidation unit 904, and the control unit 905 of the first GW801 are typically realized as an LSI which is an integrated circuit. Each of these functional blocks may be realized by an individual chip, a plurality of functional blocks may be realized by one chip, or one functional block may be realized by a plurality of chips.

Further, although an integrated circuit that realizes these functional blocks is an LSI, it may be called an IC, a system LSI, a super LSI, or an ultra LSI depending on the degree of integration.

Further, a programmable logic device such as an FPGA (Field Programmable Gate Array) programmable after manufacturing or a reconfigurable processor capable of reconfiguring the connection and setting of internal circuit cells may be used.

In addition, the method of making an integrated circuit is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor.

Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. There is a possibility of applying biotechnology.

Further, each functional block may be realized by software or may be realized by a combination of LSI and software. Also, the software may be tamper resistant.

Hereinafter, each functional block of the first GW801 will be described.

(1) First transmission / reception unit 901
The first transmission / reception unit 901 receives the CAN command flowing through the CAN bus, and also transmits the CAN command to the CAN bus. Further, the first transmission / reception unit 901 determines the CAN bus to which the received CAN command is transferred based on the list stored in the transfer list storage unit 902 described later, and transmits the CAN command to the determined CAN bus. Perform transfer processing. The transfer function of the first GW801 is provided by the first transmission / reception unit 901 that executes this transfer process.

(2) Transfer list storage unit 902
The transfer list storage unit 902 stores a transfer list indicating a pair of the CAN ID assigned to the CAN command and the CAN bus designated as the transfer destination of the CAN command including the CAN ID. An example of the transfer list included in the first GW801 is common to FIG. 4, and the description thereof will be omitted here.

(3) Communication unit 903
The communication unit 903 transmits / receives communication data to / from the information processing device 803 via the dedicated line 601. For example, from the information processing device 803, communication data indicating a notification (instruction) for disabling the transfer function of the first GW 801 is transmitted via the dedicated line 601. In the first GW801, the communication unit 903 receives this communication data.

(4) Invalidation unit 904
When the invalidation unit 904 receives the above notification from the information processing device 803 via the communication unit 903, the invalidation unit 904 disables the transfer function of the first GW 801 by stopping the transfer process of the first transmission / reception unit 901. do. By disabling the transfer function of the first GW801, an attacker's attack on the network, for example, sending an illegal CAN command is prevented, and the security of the information processing system 80 is maintained.

(5) Control unit 905
The control unit 905 manages and controls each of the functional blocks (1) to (4) above to realize the function of the first GW801.

[2.3 Configuration of the second GW802]
Subsequently, the detailed configuration of the second GW 802 will be described. FIG. 10 is a block diagram showing a functional configuration of the second GW 802.

As shown in FIG. 10, the second GW 802 includes a second transmission / reception unit 1001, a transfer list storage unit 1002, a communication unit 1003, an activation unit 1004, and a control unit 1005 as functional blocks.

The second GW 802 is composed of a microprocessor, which is an arithmetic processing unit (not specifically shown), and a RAM, ROM, a hard disk, and the like, which are storage devices. A computer program is stored in the RAM, ROM, and hard disk, and the second GW 802 fulfills its function when the microprocessor operates according to the computer program.

The second transmission / reception unit 1001, the transfer list storage unit 1002, the communication unit 1003, the activation unit 1004, and the control unit 1005 of the second GW 802 are typically realized as an LSI which is an integrated circuit. Each of these functional blocks may be realized by an individual chip, a plurality of functional blocks may be realized by one chip, or each functional block may be realized by a plurality of chips.

Further, although an integrated circuit that realizes these functional blocks is an LSI, it may be called an IC, a system LSI, a super LSI, or an ultra LSI depending on the degree of integration.

In addition, programmable logic devices such as FPGAs that can be programmed after manufacturing and reconfigurable processors that can reconfigure the connections and settings of internal circuit cells may be used.

In addition, the method of making an integrated circuit is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor.

Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. There is a possibility of applying biotechnology.

Further, each functional block may be realized by software or may be realized by a combination of LSI and software. Also, the software may be tamper resistant.

(1) Second transmission / reception unit 1001
The second transmission / reception unit 1001 receives the CAN command flowing through the CAN bus, and also transmits the CAN command to the CAN bus. Further, the second transmission / reception unit 1001 determines the CAN bus to which the received CAN command is transferred based on the list stored in the transfer list storage unit 1002 described later, and transmits the CAN command to the determined CAN bus. Perform transfer processing. The transfer function of the second GW 802 is provided by the second transmission / reception unit 1001 that executes this transfer process. However, in the normal time when no attack is detected in the information processing system 80, this transfer process of the second transmission / reception unit 1001 is stopped. That is, the second GW 802 at the normal time is in a standby state in which the CAN command transfer function is disabled.

(2) Transfer list storage unit 1002
The transfer list storage unit 1002 stores a transfer list indicating a pair of the CAN ID included in the CAN command and the CAN bus of the transfer destination to which the CAN command is transferred. An example of the transfer list included in the second GW 802 is common to FIG. 4, and the description thereof will be omitted here.

(3) Communication unit 1003
The communication unit 1003 transmits / receives communication data to / from the information processing device 803 via the dedicated line 602. For example, the information processing device 803 transmits communication data indicating a notification (instruction) for activating the transfer function of the second GW 802 to the second GW 802 via the dedicated line 602. In the second GW 802, this communication data is received by the communication unit 1003.

(4) Activation unit 1004
When the activation unit 1004 receives the above notification from the information processing device 803 via the communication unit 1003, the activation unit 1004 causes the second transmission / reception unit 1001 to start the transfer process, thereby performing the communication data transfer function of the second GW 802. Enable (release the standby state). By enabling the transfer function of the second GW 802, even if the transfer function of the first GW 801 is disabled, CAN commands for electronic control and the like are continuously transferred on the network, and the information processing system 80 Function is maintained.

(5) Control unit 1005
The control unit 1005 manages and controls each of the functional blocks (1) to (4) above to realize the function of the second GW 802.

[2.4 Configuration of Information Processing Device 803]
Subsequently, the detailed configuration of the information processing apparatus 803 will be described. FIG. 11 is a block diagram showing a functional configuration of the information processing device 803.

As shown in FIG. 11, the information processing device 803 includes a first communication unit 1101, a monitoring unit 1102, a second communication unit 1103, a third communication unit 1104, a notification unit 1105, and a control unit 1106.

The information processing device 803 is composed of a microprocessor, which is an arithmetic processing unit (not specifically shown), and a RAM, ROM, a hard disk, and the like, which are storage devices. A computer program is stored in the RAM, ROM, and hard disk, and the information processing apparatus 803 fulfills its function when the microprocessor operates according to the computer program.

The first communication unit 1101, the monitoring unit 1102, the second communication unit 1103, the third communication unit 1104, the notification unit 1105, and the control unit 1106 of the information processing device 803 are typically integrated circuits. It is realized as an LSI. Each of these functional blocks may be realized by an individual chip, a plurality of functional blocks may be realized by one chip, or one functional block may be realized by a plurality of chips.

Further, although an integrated circuit that realizes these functional blocks is an LSI, it may be called an IC, a system LSI, a super LSI, or an ultra LSI depending on the degree of integration.

In addition, programmable logic devices such as FPGAs that can be programmed after manufacturing and reconfigurable processors that can reconfigure the connections and settings of internal circuit cells may be used.

In addition, the method of making an integrated circuit is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor.

Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. There is a possibility of applying biotechnology.

Further, each functional block may be realized by software or may be realized by a combination of LSI and software. Also, the software may be tamper resistant.

Such an information processing device 803 is mounted on an information processing system 80 realized as, for example, an in-vehicle network as a monitoring ECU connected to all CAN buses of the in-vehicle network.

Hereinafter, each functional block of the information processing apparatus 803 will be described.

(1) First communication unit 1101
The first communication unit 1101 receives the CAN command flowing on the CAN bus, and also sends the CAN command on the CAN bus.

(2) Monitoring unit 1102
The monitoring unit 1102 receives and receives a CAN command flowing through a plurality of CAN buses (CAN buses 1 to 3 in the example of FIG. 8) connected to the information processing device 803 via the first communication unit 1101. Determine if the CAN command is normal. The method of determining whether or not the CAN command is normal is the same as that described in the description of the information processing device 103 of the first embodiment, and the description thereof will be omitted here.

(3) Second communication unit 1103
The information processing device 803 transmits communication data from the second communication unit 1103 to the first GW 801 via the dedicated line 601. For example, in the information processing device 803, communication data indicating a notification (instruction) for disabling the transfer function of the first GW 801 is transmitted from the second communication unit 1103 to the first GW 801 via the dedicated line 601. NS. In the first GW801, this communication data is received by the communication unit 903.

(4) Third communication unit 1104
The information processing device 803 transmits communication data from the third communication unit 1104 to the second GW 802 via the dedicated line 602. For example, in the information processing device 803, communication data indicating a notification (instruction) for enabling the transfer function of the second GW 802 is transmitted from the third communication unit 1104 to the second GW 802 via the dedicated line 602. NS. In the second GW 802, this communication data is received by the communication unit 1003.

(5) Notification unit 1105
When the monitoring unit 1102 determines that the CAN command received by the first communication unit 1101 is not normal (abnormal), the notification unit 1105 transmits a predetermined notification to the first GW 801 and the second GW 802. More specifically, a notification for disabling the transfer function is transmitted from the notification unit 1105 to the first GW801 via the second communication unit 1103. Further, a notification for enabling the transfer function is transmitted from the notification unit 1105 to the second GW802 via the third communication unit 1104.

(6) Control unit 1106
The control unit 1106 manages and controls each of the functional blocks (1) to (5) above to realize the function of the information processing apparatus 803.

[2.5 Operation of information processing system 80]
In the information processing system 80, when it is determined that the CAN command received by the information processing device 803 is not normal, the transfer function of the first GW 801 is invalidated and the second GW 802 is made to execute the transfer process instead. An example will be described with reference to FIG. FIG. 12 is a sequence diagram for explaining the operation of the information processing system 80.

In the information processing system 80 at the start stage of the operation of this example, it is assumed that the first GW 801 performs the transfer processing of the CAN command which is the communication data flowing in the network, and the second GW 802 is in the standby state.

The first communication unit 1101 of the information processing device 803 receives a CAN command from each connected CAN bus (step S1201).

With respect to the CAN command received by the first communication unit 1101, it is determined whether or not the monitoring unit 1102 is normal (step S1202). If it is determined to be normal (Yes in step S1202), the operation procedure in the information processing apparatus 803 returns to the reception of the CAN command (step S1201), and the first communication unit 1101 receives the next CAN command.

While the CAN commands received one after another are continuously determined to be normal by the monitoring unit 1102, the first GW801 continues to transfer the received CAN commands, and the second GW802 continues to be in the standby state.

When the monitoring unit 1102 determines that the received CAN command is not normal (No in step S1202), the notification unit 1105 determines that the first GW 801 disables the transfer function of the first GW 801. The notification is transmitted from the second communication unit 1103 to the first GW801 (step S1203). Further, the notification unit 1105 further transmits a predetermined notification for enabling the transfer function of the second GW 802 to the second GW 802 from the third communication unit 1104 to the second GW 802 (step S1206). ..

In the first GW801, when the communication unit 903 receives the above notification from the information processing device 803 (step S1204), the invalidation unit 904 stops the transfer process of the first transmission / reception unit 901. As a result, the transfer function of the CAN command of the first GW801 is invalidated (step S1205).

In the second GW 802, when the communication unit 1003 receives the above notification from the information processing device 803 (step S1207), the activation unit 1004 causes the second transmission / reception unit 1001 to start the transfer process. As a result, the transfer function of the second GW 802 is enabled (step S1208), and the transfer of the CAN command is started. After that, in the second GW 802, the transfer process of receiving the CAN command and transmitting the transfer of the received CAN command to the CAN bus of the transfer destination determined based on the transfer list in the transfer list storage unit 1002 is the second transfer process. It is performed by the transmission / reception unit 1001.

As described above, according to the present embodiment, in the information processing system 80, the first GW801, the second GW802, and the information processing device 803 are connected by a CAN bus and a dedicated line. When the information processing device 803 determines that the received CAN command is not normal, the information processing device 803 notifies the first GW801 via the dedicated line 601 to invalidate the transfer function of the first GW801. A notification for activating the transfer function of the second GW 802 is transmitted to the second GW 802 via the dedicated line 602. The first GW801 that receives this notification from the information processing device 803 disables its own transfer function. Further, the second GW 802, which has received this notification from the information processing device 803, activates its own transfer function. After that, the function of the information processing system 80 is maintained by performing the communication data transfer process by the second GW 802 on which the transfer function is enabled. Further, the notification for enabling the transfer function and the notification for disabling the transfer function are safely and surely transmitted using the dedicated lines 601 and 602, respectively. As a result, the information processing system 80 that realizes functional safety and security by redundancy is provided.

(Modification example, etc.)
As described above, Embodiments 1 and 2 have been described as examples of the technique according to the present invention. However, the technique according to the present invention is not limited to these embodiments, and can be applied to embodiments in which modifications, replacements, additions, omissions, etc. are made as appropriate. For example, the following modifications are also included in one embodiment of the present invention.

(1) In each embodiment, the notification for enabling or disabling the transfer function of the gateway is a CAN command to which a message authentication code (hereinafter referred to as MAC, which is an acronym of Message Authentication Code) is attached. It may be transmitted by a route via the CAN bus. Specifically, it is as follows.

For example, in the first embodiment, when the information processing apparatus 103 transmits a predetermined notification to the second GW 102 via any CAN bus, the information processing device 103 may be provided with a MAC for transmitting this notification.

Further, in the first embodiment, the second GW 102 transmits a notification for invalidating the transfer function of the first GW 101 to the first GW 101 via any CAN bus instead of the dedicated line 600. Then, the second GW 102 may add a MAC to the CAN command for transmitting this notification.

Further, in the second embodiment, the information processing apparatus 803 transmits a notification for disabling the transfer function of the first GW 801 to the first GW 801 via any CAN bus instead of the dedicated line 601. However, the information processing device 803 may add a MAC to the CAN command for transmitting this notification.

Further, in the second embodiment, the information processing apparatus 803 transmits a notification for activating the transfer function of the second GW 802 to the second GW 802 via any CAN bus instead of the dedicated line 602. However, the information processing device 803 may add a MAC to the CAN command for transmitting this notification.

This prevents the forwarding function of each gateway from being disabled or enabled due to notifications that have been compromised in integrity due to tampering or errors, or notifications that have been tampered with.

In the configuration using MAC as described above, the processing load of MAC is applied to each gateway and the arithmetic processing unit of the information processing device, and a part of the data field is occupied by MAC, so that the arithmetic with high processing capacity is performed. A processing device may be used, or a MAC with a reduced data length may be used.

Further, the notification transmitted via the CAN bus in each embodiment may be transmitted via a route via a dedicated line for transmitting this notification. More specifically, in the first embodiment, the information processing apparatus 103 is connected to the second GW 102 by a dedicated line different from the dedicated line 600, which is used for direct communication with the second GW 102. The predetermined notification from the information processing device 103 to the second GW 102 may be transmitted via this dedicated line instead of the CAN bus. As a result, the predetermined notification is safely and reliably transmitted.

In the modified example of each of the above embodiments, when the notification is transmitted from the information processing device to each gateway without going through a dedicated line, for example, via a physical port for CAN communication, it is used for transmitting the notification. Each communication unit (first communication unit 401, second communication unit 1103, third communication unit 1104) may be implemented as a dedicated port for transmitting the notification.

(2) In each of the embodiments and variations thereof, the information processing apparatus uses this notification in order to make each gateway confirm the validity of each of the above notifications transmitted from the information processing apparatus to the gateway via the CAN bus. May be transmitted with the same CAN command via multiple or all CAN buses. As a result, the gateway can compare the CAN commands received from each CAN bus, and if they are different, confirm the valid CAN command by majority vote.

(3) In each embodiment and its modification, the transfer function of the gateway may be invalidated (stopping the transfer process by the transmission / reception unit) by any of electrical means, physical means, and software means. ..

For example, as an electrical means, the gateway that disables the transfer function may be shut down. Further, as a physical means, the connection between the gateway and the CAN bus may be disconnected. In addition, the operation of the gateway software that disables the transfer function may be stopped. Such a forced stop may be executed by the gateway itself that invalidates the transfer function, or may be executed from the outside by another gateway or ECU.

(4) In connection with the above-mentioned disconnection between the gateway and the CAN bus or the suspension of software operation, the transfer function of the gateway may be partially disabled.

For example, only the connection with the CAN bus in which an invalid CAN command is detected may be physically disconnected, or only the operation of the software related to the transfer function using the CAN bus as a route may be stopped. Due to such partial invalidation, the notification for disabling the transfer function of the gateway includes information indicating the CAN bus on which the CAN command determined by the monitoring unit 402 (or 1102) to be abnormal is flowing. May be included.

In response to such partial invalidation of the transfer function of the gateway, the transfer function of another gateway may be partially enabled.

(5) Further, in connection with the disconnection of the connection between the gateway and a part of the CAN bus described above, the disconnection of the connection between the gateway and the ECU may be performed step by step.

For example, a plurality of CAN buses connected to a gateway are set with a predetermined priority based on, for example, the function of the ECU connected to each CAN bus, the type of CAN command to be flown, and the like, and the priority is high. The connection between the gateway and the CAN bus may be disconnected from the other side. This priority may be set according to the magnitude of the risk (damage) caused by the attack. Taking the in-vehicle network as an example, when the ECU of the CAN bus 1 has a function of a driving operation system and the ECU of the CAN bus 2 has a function of driving a door, a mirror, a seat, etc., the CAN bus 1 has a higher priority. Is set.

Further, for example, after the detection of an illegal CAN command, the connection between the communication ECU and the gateway is first disconnected for communication between the information processing system 10 (or 80) and the outside, and then an even more illegal CAN command is detected. If so, all or part of the forwarding function of the gateway may be disabled.

(6) In each embodiment and its modification, the state of the two gateways in the normal state is not limited to the state in which one has the transfer function enabled and the other has the transfer function disabled.

For example, the two gateways are a main gateway and a sub-gateway in which the transfer function is effective in the normal state, and the sub-gateway may complement the transfer function of the main gateway. To give a more specific example of complementation, the sub-gateway may monitor each CAN bus and transfer the CAN command if there is an omission in the transfer of the CAN command by the main gateway. In an information processing system having such a configuration, the notification from the monitoring ECU when it is determined that the CAN command is not normal is a notification for invalidating the transfer function of the main gateway, but the transfer function of the sub gateway. It does not have to be a notification to activate.

(7) In each embodiment and its modification, only one of the two gateways is communicably connected to an external network via a communication ECU, but the configuration of the information processing system in the present invention is this. Not limited to. Both of the two gateways may be physically connected to communicate with an external network. In addition, normally, the communication function with the outside of one gateway may be disabled, and when the communication function of the other gateway is disabled, the communication function of the gateway may be enabled. ..

In the above, there is a description that the function of the information processing system is maintained by the transfer function that is executed instead even when an abnormal CAN command is received, but it is an external information processing device except during normal times. In an information processing system in which the communication path with is blocked, the functions that depend on this communication are restricted.

(8) The two gateways in each embodiment and its modifications are not limited to the two gateways. The two gateways are physically mounted in one ECU, and may be mounted as logically independent functional modules provided by software or the like.

Further, in each embodiment and its modification, the gateway which is normally in the standby state may be physically one with the monitoring ECU that realizes the information processing device 103 (or 803), and the gateway may be one. It may be implemented as a functional module provided by software or the like.

(9) In each embodiment and its modification, when it is determined that the CAN command is not normal in the information processing device, the ECU that receives the CAN command that determines based on the CAN ID of the CAN command , A notification for shifting to the fail-safe mode may be transmitted from the information processing device or the gateway. The means of this notification may be any of a notification via the CAN bus, a notification via a dedicated line separately provided between the ECU and the notification, and a notification with a MAC. The ECU that has received this notification can avoid the influence of control by an illegal CAN command by shifting to the fail-safe mode. The fail-safe mode here is, for example, a mode in which, in the case of an automobile, electronic control other than the minimum functions that can be driven is disabled, or the vehicle is stopped safely at the minimum.

(10) In each embodiment and its modification, if the received CAN command is not normal, the transfer function of the gateway can be enabled or disabled, but the present invention is not limited to that configuration. ..

For example, in a system on an in-vehicle network, there are cases where the ECU related to various functions of ADAS, the ECU related to the automatic driving function, and the like are made redundant (multiplexed). According to the present invention, even for such a redundant ECU, for the purpose of separating it from an attack, the function of the mainly operating ECU is invalidated (forced stop), and another ECU performs alternative processing. Therefore, the function may be enabled.

(11) Each embodiment and a modification thereof have been described as a system on a network on which CAN communication is performed, but the application of the present invention is not limited to this, and a system using a network by another communication method is used. It can also be applied to. For example, CAN FD (CAN with Flexible Data rate), TTCAN (Time Triggered CAN), Ethernet (registered trademark), LIN (Local Interconnect Network), MOST (registered trademark) (Media Oriented Systems Transport), FlexRay (registered trademark), etc. The system may be a system in which the above communication method is used.

(12) A part or all of the components constituting each of the above devices may be composed of an IC card or a single module that can be attached to and detached from each device. This IC card or module is a computer system composed of a microprocessor, ROM, RAM, and the like. Further, the IC card or module may include a super multifunctional LSI realized by an integrated circuit having a high degree of integration as described above. The IC card or module achieves its function by operating the microprocessor according to a computer program stored in ROM or RAM. This IC card or module may have tamper resistance.

(13) The present invention may be a method including a processing procedure included in the operation executed by each of the above devices. Further, it may be a computer program that realizes these methods by a computer, or it may be a digital signal composed of this computer program.

Further, the present invention relates to a recording medium capable of computer-readable reading of the above computer program or digital signal, for example, a flexible disc, a hard disk, a CD (Compact Disc) -ROM, an MO (Magneto-Optical) disc, or a DVD (Digital Versatile Disc). , DVD-ROM, DVD-RAM, BD (Blu-ray (registered trademark) Disc), semiconductor memory, or the like. Further, it may be the above-mentioned digital signal recorded on these recording media.

Further, the present invention may transmit the above-mentioned computer program or digital signal via a telecommunication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like.

Further, the present invention is a computer system including a microprocessor and a memory, and the memory stores the above-mentioned computer program, and the microprocessor may operate according to the computer program.

Further, another independent computer by recording and transferring the above-mentioned computer program or digital signal on the above-mentioned recording medium, or by transferring the above-mentioned computer program or digital signal via the above-mentioned network or the like. It may be implemented by the system.

(14) Each of the above embodiments and modifications thereof may be combined.

When an information processing device, an information processing system, an information processing method, and a program according to the present invention detect unauthorized communication data injected into a network due to an attack, the function of the network is eliminated while eliminating the attack. It is possible to maintain, and the use of these information processing devices and the like is useful for improving the safety of products that operate on or include networks.

10, 80 Information processing system 11 Server device 101, 801 First GW
102, 802 Second GW
103, 803 Information processing device 104 Communication ECU
105 ECU
201,901 First transmission / reception unit 202, 302, 902, 1002 Transfer list storage unit 203, 903 Communication unit 204, 904 Invalidation unit 205, 306, 404, 905, 1005, 1106 Control unit 301, 1001 Second transmission / reception Unit 303, 1003 Communication unit 304 Invalidation notification unit 305, 1004 Activation unit 401, 1101 First communication unit 402, 1102 Monitoring unit 403, 1105 Notification unit 500 External network 600, 601, 602 Dedicated line 1103 Second communication Unit 1104 Third communication unit

Claims (14)

A first communication unit that transmits and receives communication data flowing through a network to which a first gateway, a second gateway, and at least one electronic control unit are connected.
A monitoring unit that determines whether the communication data is normal, and
When the transfer function of the first gateway is valid and the transfer function of the second gateway is invalid and the monitoring unit determines that the communication data is not normal, the second gateway is contacted. a notification order to disable the transfer function of the first gateway is sent to the first gateway sends a notification of the order to activate the transfer function of the second gateway Previous Stories second gateway Equipped with a notification unit,
Information processing device. A second communication unit different from the first communication unit is further provided.
When the monitoring unit determines that the communication data is not normal, the notification unit transmits the notification to the second gateway via the second communication unit.
The information processing device according to claim 1. The second communication unit is connected to the second gateway by a dedicated line used for direct communication with the second gateway.
The information processing device according to claim 2. The communication executed by the first communication unit is CAN communication.
The information processing device according to any one of claims 1 to 3. The notification is a notification indicating that the received communication data is not normal, the transfer function of the first gateway is invalidated, or the transfer function of the second gateway is enabled.
The information processing device according to any one of claims 1 to 4. The information processing device according to claim 1 and
With the first gateway
With the second gateway
An information processing system including the at least one electronic control unit.
The first gateway is
A first transmitter / receiver that provides a transfer function of the first gateway, and
It is provided with an invalidation unit for stopping the transfer processing of the first transmission / reception unit.
The second gateway is
A second transmitter / receiver that provides a transfer function for the second gateway, and
It is provided with an activation unit for starting the transfer processing of the second transmission / reception unit.
When the transfer function of the first gateway is valid and the transfer function of the second gateway is invalid and the monitoring unit determines that the communication data is not normal, the notification unit uses the second notification unit. the gateway, the first notification of the order to disable the transfer function of the gateway is sent to the first gateway, the prior notice SL second order to enable the transfer function of the second gateway Send to the gateway of
Information processing system. Further, it is provided with a dedicated line used only for communication between the first gateway and the second gateway.
It said second gateway further comprises an invalidation notifying unit configured to transmit the notification for disabled forwarding function of the first gateway to the first gateway to the first gateway,
When the second gateway receives the notification transmitted from the notification unit, the invalidation notification unit sends the notification for disabling the transfer function of the first gateway via the dedicated line. Send to the first gateway
When the first gateway receives the notification for disabling the transfer function of the first gateway, the disabling unit stops the transfer process of the first transmitting / receiving unit.
The information processing system according to claim 6. Further, a third dedicated line used for direct communication between the notification unit and the first gateway,
It is provided with a fourth leased line used for direct communication between the notification unit and the second gateway.
When the transfer function of the first gateway is valid and the transfer function of the second gateway is invalid, when the monitoring unit determines that the communication data is not normal, the notification unit receives the notification unit.
The notification for disabling the transfer function of the first gateway to the first gateway is transmitted to the first gateway using the third dedicated line.
The notification for enabling the transfer function of the second gateway to the second gateway is transmitted to the second gateway using the fourth dedicated line.
When the first gateway receives the notification for disabling the transfer function of the first gateway, the disabling unit stops the transfer function of the first transmission / reception unit.
When the second gateway receives the notification for activating the transfer function of the second gateway, the activation unit starts the transfer function of the second transmission / reception unit.
The information processing system according to claim 6. The first gateway has a connection path for communicating with the outside of the information processing system.
The invalidation part is
When the first gateway receives the notification for disabling the transfer function of the first gateway, the connection path is disconnected.
When the first gateway further receives the notification for invalidating the transfer function of the first gateway while the connection path is disconnected, the transfer process of the first transmission / reception unit is further stopped. ,
The information processing system according to claim 7 or 8. The first gateway is connected to a plurality of wires included in the network to which the at least one electronic control unit is connected.
The invalidation unit stops the transfer process of the first transmission / reception unit by disconnecting the connection with at least a part of the wirings selected from the plurality of wirings having a higher priority.
The information processing system according to claim 7 or 8. The first gateway is connected to a plurality of wires included in the network to which the at least one electronic control unit is connected.
The notification for disabling the transfer function of the first gateway indicates, among the plurality of wirings, the wiring through which the communication data that the monitoring unit determines to be abnormal flows.
The invalidation unit stops the transfer process of the first transmission / reception unit by disconnecting the connection with the wiring indicated by the notification.
The information processing system according to claim 7 or 8. When the monitoring unit determines that the communication data is not normal, the notification unit further notifies the electronic control unit that receives the communication data among the at least one electronic control unit to shift to the fail-safe mode. To send,
The information processing system according to any one of claims 6 to 11. A method of information processing performed in an information processing apparatus connected to a network to which a first gateway, a second gateway, and at least one electronic control unit are connected.
Send and receive communication data flowing through the network
Judging whether the communication data is normal or not,
When it is determined that the communication data is not normal when the transfer function of the first gateway is valid and the transfer function of the second gateway is invalid, the first gateway is contacted with the first. a notification order to disable the gateway forwarding function is transmitted to the first gateway sends a notification of the order to activate the transfer function of the second gateway before Symbol second gateway,
Information processing method. A program for causing the information processing apparatus to execute the information processing method according to claim 13.

Images