JP7074030B2 - Equipment, methods, and programs for vehicles - Google Patents

Description

The present invention relates to devices, methods, and programs such as gateway devices for network systems mounted on vehicles and the like.

The vehicle is equipped with a network system that includes multiple buses. One or more in-vehicle devices called ECUs (Electronic Control Units) are connected to each bus. The ECU is typically equipped with a processor, transmits / receives data to / from each other via a bus, and divides and executes each function of the vehicle. Each bus is connected to a gateway device. The gateway device has a function of relaying data between buses.

Due to the sophistication of vehicle functions, it has become possible to carry out services by communicating with devices outside the vehicle by wireless communication. The implementation of such services may require the user's personal information. Therefore, data representing personal information may be transmitted and received between the ECUs and flow on the bus of the network system. If unauthorized equipment is attached to the network system, such personal information may be stolen and transmitted to the outside of the vehicle. In order to avoid such a situation, it is required to take measures so that if an unauthorized device is attached, it can be detected and removed.

Patent Document 1 discloses a gateway device that detects that an unauthorized device is connected to a vehicle network. In Patent Document 1, the gateway samples a plurality of signal waveforms from a bus and superimposes them to generate an eye pattern. A mask representing the permissible pattern range as a normal signal waveform is prepared in advance, and if the gateway device compares the eye pattern with the mask and the eye pattern deviates from the permissible pattern range, the device is invalid. Is determined to be connected.

JP-A-2015-5829

In the method of Patent Document 1, it is necessary to newly add a function such as a signal waveform sampling circuit in addition to the function of a general gateway, which is relatively costly. Further, even if an illegal device is connected, the eye pattern does not always deviate from a predetermined allowable pattern, so that the detection accuracy is limited.

The present invention has been made in view of the above problems, and an object of the present invention is to provide a gateway device capable of accurately detecting an unauthorized device connected to an in-vehicle network system at a low cost.

In order to solve the above problems, one aspect of the present invention is a gateway device included in a network mounted on a vehicle, and for each bus connected to the network, the device connected to the bus is in a predetermined standby state. The measurement unit that measures the current consumption in the case of It is a gateway device provided with a warning unit that outputs a warning when it is determined that the bus exceeds an allowable value.

As described above, according to the present invention, it is possible to provide a gateway device capable of accurately detecting an unauthorized device connected to an in-vehicle network system at a low cost.

Configuration diagram of the network system according to the embodiment of the present invention A flowchart showing processing of a gateway device according to an embodiment of the present invention. A flowchart showing processing of a gateway device according to an embodiment of the present invention. Configuration diagram of the network system according to the modified example of the present invention Configuration diagram of the network system according to the reference example of the present invention

In the network system according to the present invention, the gateway device puts the ECU connected to each bus into a sleep standby state, measures the current consumption in that state, and the measured current consumption exceeds the current consumption assumed in the specifications. If so, it is determined that an unauthorized device is connected.

(Embodiment)
Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

<Structure>
FIG. 1 shows the configuration of the network system 1 according to the present embodiment. The network system 1 is mounted on a vehicle, and as an example, an ECU 101 connected to a CAN (Controller Area Network) bus, a first bus 10, a second bus 20, a third bus 30, and a first bus 10. 102 ..., ECUs 201, 202 ... Connected to the second bus 20, ECUs 301, 302 ... Connected to the third bus 30, and connected to the first bus 10, the second bus 20, and the third bus 30. It includes a gateway device 40, a battery 2 that supplies power to each ECU, and a sensor 50 that is connected to the gateway device 40 by a LIN (Local Interconnect Network) connection or the like and measures the current consumption of the battery 2. Each ECU communicates with each other via each bus and executes various functions of the vehicle. Note that FIG. 1 shows, as an example, a state in which the fraudulent device 900 is attached to the first bus 10. The fraudulent device 900 is attached by a third party for an unreasonable purpose and operates on the power of the battery 2 like each ECU, for example, stealing data transmitted by any ECU or fraudulent to any ECU. Sends data and performs illegal or illegal operations. The number of buses to which the ECU is connected is set to three as an example, but the number is not limited to this. Further, the number of ECUs connected to each bus is not limited.

The gateway device 40 includes a measurement unit 41, a determination unit 42, a warning unit 43, and a control unit 44. The control unit 44 has a function of relaying data flowing through any of the first bus 10, the second bus 20, and the third bus 30 to any of the other buses. In order to execute the function of a general gateway device, the control unit 44 determines a relay destination bus based on, for example, an identifier attached to the data, or determines not to relay to any bus. Then, the data is relayed according to the content of the decision. Further, the control unit 44 controls the measurement unit 41, the determination unit 42, and the warning unit 43 in order to execute each process described later, and sends data to the first bus 10, the second bus 20, and the third bus 30. Can be done.

As an example, the network system 1 has a network management function compliant with the AUTOSAR (AUTomotive Open System ARchitecture) standard, and the gateway device 40 sends an NM message to each of the first bus 10, the second bus 20, and the third bus 30. You can send the called data. Further, each ECU connected to each bus can make a state transition between a sleep state in which power consumption is suppressed from a normal operating state and a wake-up state which is a normal operating state. When each ECU is in the sleep state, when it receives the NM message indicating sleep prohibition, each ECU transitions to the wake-up state, which is the normal state. Further, in the wake-up state, when the NM message is not received for a certain period, each ECU transitions to the sleep state after a sleep standby state for a certain period. In the sleep state, at least the communication function of each ECU is stopped (bus sleep state). In the sleep state, other functions of each ECU are basically stopped, but can be operated if necessary.

<Processing>
2 and 3 are flowcharts showing the processing of the gateway device 40. The process shown in FIG. 2 is a process for the measurement unit 41, the determination unit 42, and the control unit 44 of the gateway device 40 to detect that the unauthorized device 900 is connected to the network system 1. Further, the process shown in FIG. 3 is a process for the warning unit 43 and the control unit 44 of the gateway device 40 to output a warning.

First, the process shown in FIG. 2 will be described. This process is executed when the vehicle is in the ignition off state or the like and each ECU of the network system 1 is in the sleep state. In the ignition off state, the gateway device 40 may also transition to the sleep state, but in this case, the gateway device 40 wakes up by a timer or the like, executes this process, and then transitions to the sleep state again.

(Step S101): The control unit 44 sets the variable i to the initial value 1.

(Step S102): The control unit 44 targets the i-th bus as a target bus. That is, when i = 1, the first bus 10 is selected as the target bus, when i = 2, the second bus 20 is selected as the target bus, and when i = 3, the third bus 30 is selected as the target bus. select.

(Step S103): The control unit 44 transmits an NM message to the target bus. As a result, each ECU connected to the target bus is in a wake-up state. Each ECU does not receive the NM message again within a certain period after the transition to the wake-up state, and each ECU does not satisfy the unique condition that the own machine should maintain the wake-up state. It goes into sleep standby state. In this state, although it is not in the sleep state, the processor of each ECU has no processing load or is small, so that the power consumption of each ECU is suppressed, but the power for the communication function using the target bus, etc. Standby power is consumed. Therefore, in this state, the battery 2 supplies a constant electric power of about 10 to 20 mA to each ECU connected to the target bus.

(Step S104): The measuring unit 41 measures the current supplied from the battery 2 to each ECU connected to the target bus by using the sensor 50 to wait for sleep of each ECU connected to the target bus. Acquires the current consumption in the state. When the fraudulent device 900 is attached to the target bus and the communication function is operated by the power of the battery 2, the current consumption of the fraudulent device 900 is included in the acquired current consumption.

(Step S105): The determination unit 42 determines whether or not the current consumption acquired by the measurement unit 41 in step S104 is larger than a predetermined allowable value. The predetermined allowable value is a predetermined value based on the current consumption value in the sleep standby state of each regular ECU connected to the target bus, which is assumed in the specifications of the network system 1, and the current consumption is predetermined. If it is larger than the permissible value of, there is a high possibility that an abnormality has occurred, such as an unauthorized device 900 being attached to the target bus. If the current consumption acquired by the measuring unit 41 in step S104 is larger than a predetermined allowable value, the process proceeds to step S106. If the current consumption acquired by the measuring unit 41 in step S104 is equal to or less than a predetermined allowable value, the process proceeds to step S107.

(Step S106): The control unit 44 stores information indicating that there is an abnormality in the target bus in a storage unit such as a memory included in the control unit 44 or the like.

(Step S107): When each ECU connected to the target bus transitions to the sleep state after a sleep standby state for a certain period, the communication function is stopped and the bus sleep state is set.

(Step S108): The control unit 44 determines whether or not the variable i is equal to the number of buses included in the network system 1. If the variable i is equal to the number of buses included in the network system 1, the process ends. If the variable i is not equal to the number of buses, the process proceeds to step S109.

(Step S109): The control unit 44 adds 1 to the variable i. After that, the process proceeds to step S101, and the processes of steps S101 to S109 are repeated thereafter.

By the above processing, each bus is sequentially set as a target bus, and when the fraudulent device 900 is attached to the target bus, all the buses can be stored.

In the above processing, the processing for acquiring the current consumption by the measuring unit 41 and the processing for comparing the current consumption and the allowable value by the determination unit 42 are performed for each bus, but the processing for acquiring the current consumption of all the buses is performed. Then, a process of comparing the current consumption of all the buses with each permissible value may be performed.

Further, in the above example, the determination is made based on the current consumption of the battery 2, but instead, the determination may be made based on other values representing the power supply state of the battery 2, such as power consumption.

Next, the process shown in FIG. 3 will be described. This process is executed, for example, when the user gets into the vehicle and changes from the ignition off state to the ignition on state.

(Step S201): The control unit 44 refers to the storage unit, and if the storage unit stores information indicating that there is an abnormality in any of the buses, the control unit 44 acquires the information. If the storage unit stores information indicating that there is an abnormality in any of the buses, the process proceeds to step S202, and if the storage unit does not store information indicating that there is an abnormality in any of the buses, the process ends. do.

(Step S202): The warning unit 43 outputs data indicating a warning indicating that an abnormality has occurred to the bus. This data is acquired by, for example, an ECU that controls a display unit provided on an instrument panel or the like of a vehicle. The ECU that has acquired the data displays a warning on the display unit to notify the user of the abnormality.

<Effect>
In the gateway device 40 of the network system 1 according to the present invention, when the unauthorized device 900 is attached to one of the buses and the communication function using the bus is operated by the electric power from the battery 2, the current consumption of the battery 2 is consumed. This can be detected based on. In particular, since the power consumption with little fluctuation in the sleep standby state in which the communication function is operating but other processing loads are suppressed is used for the determination, the measurement error of the sensor 50 for measuring the current consumption should be within about 1 mA. For example, it is possible to accurately identify whether the measured current consumption is about the current consumption assumed in the specifications, or whether the current consumption by the fraudulent device 900 is increased from this. Therefore, the fraudulent device 900 can be detected with high accuracy. Further, the processing of each step described above can be realized by software by a program executed by the computer of the control unit 44, including the functions of the measurement unit 41, the determination unit 42, and the warning unit 43, and the sensor 50 is the battery 2. You may use the one provided in advance for charge / discharge control and the like. Therefore, the present invention can be realized at a relatively low cost as compared with the case of adding new hardware such as a circuit for sampling a signal waveform. In addition, by displaying a warning to the user when the ignition is changed from the ignition off state to the ignition on state, it is possible to prompt the user to take appropriate measures such as warehousing at the dealer at an early stage when the user starts using the vehicle. ..

(Modification example)
FIG. 4 shows the configuration of the embodiment according to the modified example of the present invention. In this example, in the above-described embodiment, the sensor 50 is connected to another ECU instead of the gateway device 40. In this way, the sensor 50 does not have to be connected to the gateway device 40. In the illustrated example, even if the ECU 302 connected to the third bus 30 is in the sleep state or the sleep standby state, for example, the sensor is set at the timing in which the ECU of each bus instructed in advance from the gateway device 40 is put into the sleep standby state. The current consumption of the battery 2 is measured and stored using the 50, and then the communication function is operated and the data representing the measured value is transmitted to the gateway device 40 using the third bus 30 to the measuring unit 41. Get the measured value. As a result, the gateway device 40 can appropriately acquire the power consumption in the sleep standby state for each bus, so that the unauthorized device 900 can be detected and a warning can be output based on the comparison with the allowable value as described above.

(Reference example)
FIG. 5 shows the configuration of the embodiment according to the reference example of the present invention. In this example, in the above embodiment, the sensor 50 is connected to another ECU instead of the gateway device 40, and the measurement unit 41, the determination unit 42, and the warning unit 43 are provided in the ECU instead of the gateway device 40. It was done. As described above, the gateway device 40 has only the network management function by the control unit 44, and other ECUs may execute the functions of the measurement unit 41, the determination unit 42, the warning unit 43, and the like. In the illustrated example, even if the ECU 302 connected to the third bus 30 instructs the gateway device 40 in advance when to put the ECU of each bus into the sleep standby state, the gateway device 40 is in the sleep state or the sleep standby state. At that timing, the current consumption of the battery 2 is measured using the sensor 50 and compared with the allowable value. Based on the result, the unauthorized device 900 is detected and a warning is output in the same manner as described above. Can be done.

As described above, according to the present invention, it is possible to provide a gateway device that can accurately detect when an unauthorized device is connected to an in-vehicle network system at low cost.

The present invention includes not only a network system, but also a fraudulent device detection method in a network system, a fraudulent device detection program executed by a computer such as a gateway device, a computer-readable non-temporary storage medium that stores the program, and a network system. It can be regarded as a vehicle or the like. Further, the present invention can be applied to a network system other than the network system mounted on the vehicle.

The present invention is useful for network systems mounted on vehicles and the like.

1 Network system 10 1st bus 20 2nd bus 30 3rd bus 40 Gateway device 41 Measurement unit 42 Judgment unit 43 Warning unit 44 Control unit 101, 102, 201, 202, 301, 302 ECU
900 fraudulent device

Claims (9)

A device mounted on a vehicle and connected to a bus ,
A control unit that controls the transmission of signals that bring the in-vehicle device connected to the bus into a wake-up state, which is a normal operating state.
The communication function using the bus is operated and other devices are provided for a certain period of time from the wake-up state to the sleep state in which the power consumption is suppressed from the wake-up state. A measuring unit that measures the current consumption of the bus in a sleep standby state in which the operation of the function is suppressed ,
A determination unit for determining whether or not the current consumption of the bus measured by the measurement unit exceeds the permissible value specified for the bus, and a determination unit.
A device including a warning unit that outputs a warning when the determination unit determines that the current consumption exceeds the allowable value. The device is connected to a plurality of the buses.
The measuring unit measures the current consumption for each of the plurality of buses.
The determination unit targets each of the plurality of buses, and determines whether or not the current consumption of the target bus exceeds the permissible value set for the target bus.
The device according to claim 1, wherein the warning unit outputs the warning when the determination unit determines that the current consumption of at least one of the target buses exceeds the permissible value. The device according to claim 2, wherein the measuring unit measures the current consumption of each of the plurality of buses in a predetermined order. The device according to any one of claims 1 to 3, wherein the device is a gateway device having a function of relaying data flowing through the bus. A vehicle comprising the device according to any one of claims 1 to 4. The vehicle according to claim 5, further comprising a display unit for notifying the user of an abnormality based on the warning output by the warning unit. The vehicle according to claim 6, wherein the display unit notifies the user of an abnormality when the vehicle changes from the ignition off state to the ignition on state. It is a method executed by a device mounted on a vehicle and connected to a bus.
A step of transmitting a signal to the in-vehicle device to bring the in-vehicle device connected to the bus into a wake-up state, which is a normal operating state, and a step of transmitting the signal to the in-vehicle device.
The communication function using the bus is operated and other devices are provided for a certain period of time from the wake-up state to the sleep state in which the power consumption is suppressed from the wake-up state. The step of measuring the current consumption of the bus in the sleep standby state in which the operation of the function is suppressed, and
A step of determining whether or not the measured current consumption of the bus exceeds the permissible value set for the bus, and
A method comprising the step of outputting a warning when it is determined that the current consumption exceeds the allowable value. A program that is installed in a vehicle and executed by a computer of a device connected to a bus.
A step of transmitting a signal to the in-vehicle device to bring the in-vehicle device connected to the bus into a wake-up state, which is a normal operating state, and a step of transmitting the signal to the in-vehicle device.
The communication function using the bus is operated and other devices are provided for a certain period of time from the wake-up state to the sleep state in which the power consumption is suppressed from the wake-up state. The step of measuring the current consumption of the bus in the sleep standby state in which the operation of the function is suppressed, and
A step of determining whether or not the measured current consumption of the bus exceeds the permissible value set for the bus, and
A program comprising a step of outputting a warning if it is determined that the current consumption exceeds the permissible value.

Images