JP7211224B2 - Management device, communication system, vehicle communication management method, and vehicle communication management program - Google Patents

Description

The present disclosure relates to a management device, a communication system, a vehicle communication management method, and a vehicle communication management program.

Conventionally, technologies have been developed to detect cyberattacks on in-vehicle networks and block unauthorized communications in the in-vehicle networks to deal with cyberattacks.

For example, Patent Literature 1 (Japanese Patent Application Laid-Open No. 2018-133721) discloses the following in-vehicle gateway device. That is, the in-vehicle gateway device is an in-vehicle gateway device that is connected to a plurality of networks to which a plurality of devices mounted on a vehicle are respectively connected, and that detects an incident occurring in one of the plurality of networks. a processing unit, when the incident is detected, determines a communication cutoff target network from among the plurality of networks based on the location of the incident and the control state of the vehicle, and communicates in the communication cutoff target network; and a communication control unit that cuts off the

JP 2018-133721 A JP 2017-111796 A JP 2018-121218 A

“To sell new technology to protect Pana self-driving cars from cyberattacks, AI-based defense measures in 2020”, [online], Sankei WEST, [searched on February 27, 2019], Internet <URL: https: //www. sankei. com/west/news/170711/wst1707110072-n1. html>

Beyond the technology described in Patent Literature 1, a technology capable of more reliably preventing the spread of unauthorized access to each vehicle is desired.

The present disclosure has been made to solve the above-described problems, and aims to provide a management device, a communication system, a vehicle communication management method, and a vehicle that can more reliably prevent the spread of unauthorized access to each vehicle. It is to provide a communication management program.

The management device of the present disclosure includes a detection unit that detects unauthorized access to a vehicle, and the state of software installed in one or more in-vehicle devices in the detected vehicle, which is the vehicle in which the unauthorized access is detected by the detection unit. a selection unit for selecting one or more target vehicles from among a plurality of vehicles based on the software information acquired by the acquisition unit; and a selection unit selected by the selection unit and a transmitting unit configured to transmit processing information for preventing the unauthorized access to the target vehicle.

A communication system of the present disclosure includes a management device and an in-vehicle device mounted in a vehicle, wherein the in-vehicle device transmits log information to the management device, and the management device receives the log received from the in-vehicle device. Software that detects unauthorized access to the vehicle based on the information, and that the management device indicates the status of software installed in one or more in-vehicle devices in the detected vehicle, which is the vehicle in which the unauthorized access has been detected. information is acquired, the management device selects one or a plurality of target vehicles from among a plurality of vehicles based on the acquired software information, and the management device performs the unauthorized access to the selected target vehicle Send processing information to prevent

A vehicle communication management method of the present disclosure is a vehicle communication management method in a management device, comprising a step of detecting unauthorized access to a vehicle; a step of acquiring software information indicating the state of software installed in the device; a step of selecting one or more target vehicles from among a plurality of vehicles based on the acquired software information; and a step of selecting the target vehicle. and sending processing information to prevent said unauthorized access.

A vehicle communication management method of the present disclosure is a vehicle communication management method in a communication system including a management device and an in-vehicle device mounted in a vehicle, wherein the in-vehicle device transmits log information to the management device. a step in which the management device detects unauthorized access to the vehicle based on the log information received from the in-vehicle device; a step of acquiring software information indicating the state of software installed in one or more in-vehicle devices; and the management device selecting one or more target vehicles from among a plurality of vehicles based on the acquired software information. and transmitting processing information for preventing the unauthorized access from the management device to the selected target vehicle.

A vehicle communication management program of the present disclosure is a vehicle communication management program used in a management device, wherein a computer comprises a detection unit that detects unauthorized access to a vehicle; an acquisition unit for acquiring software information indicating the state of software installed in one or more in-vehicle devices in the detected vehicle, and one out of a plurality of vehicles based on the software information acquired by the acquisition unit Alternatively, the program functions as a selection unit that selects a plurality of target vehicles and a transmission unit that transmits processing information for preventing unauthorized access to the target vehicles selected by the selection unit.

One aspect of the present disclosure can be implemented as a semiconductor integrated circuit that implements part or all of the management device. Also, one aspect of the present disclosure can be implemented as a semiconductor integrated circuit that implements part or all of an in-vehicle communication system. Also, one aspect of the present disclosure can be implemented as a program for causing a computer to execute processing steps in an in-vehicle communication system.

According to the present disclosure, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

FIG. 1 is a diagram showing the configuration of a communication system according to the first embodiment of the present disclosure. FIG. 2 is a diagram showing the configuration of an in-vehicle communication system according to the first embodiment of the present disclosure. FIG. 3 is a diagram showing the configuration of a bus connection device group according to the first embodiment of the present disclosure. FIG. 4 is a diagram showing the configuration of the gateway device in the in-vehicle communication system according to the first embodiment of the present disclosure. FIG. 5 is a diagram illustrating an example of log information including an access log that the gateway device according to the first embodiment of the present disclosure transmits to the management device. FIG. 6 is a diagram illustrating an example of log information including an in-vehicle communication log that the gateway device according to the first embodiment of the present disclosure transmits to the management device. FIG. 7 is a diagram illustrating an example of log information including an event log that the gateway device according to the first embodiment of the present disclosure transmits to the management device. FIG. 8 is a diagram illustrating the configuration of a management device according to the first embodiment of the present disclosure; 9 is an example of version information stored in a storage unit in the management device according to the first embodiment of the present disclosure; FIG. 10 is a diagram illustrating an example of priority order setting by a selection unit in the management device according to the first embodiment of the present disclosure; FIG. FIG. 11 is a flowchart that defines an operation procedure when the management device transmits processing information for preventing unauthorized access to the vehicle in the in-vehicle communication system according to the first embodiment of the present disclosure. FIG. 12 is a sequence of processing for preventing unauthorized access to the vehicle in the in-vehicle communication system according to the first embodiment of the present disclosure. FIG. 13 is a diagram illustrating the configuration of a management device according to the second embodiment of the present disclosure; FIG. 14 is a diagram illustrating an example of notification contents notified by a notification unit in the management device according to the second embodiment of the present disclosure;

First, the contents of the embodiments of the present disclosure will be listed and described.

(1) A management device according to an embodiment of the present disclosure includes a detection unit that detects unauthorized access to a vehicle; An acquisition unit that acquires software information indicating the state of software installed in the device, and a selection unit that selects one or more target vehicles from among a plurality of vehicles based on the software information acquired by the acquisition unit. and a transmitting unit configured to transmit processing information for preventing the unauthorized access to the target vehicle selected by the selecting unit.

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detected vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, taking into consideration the state of the software in each vehicle, it is possible to preferentially deploy defensive measures to vehicles in which unauthorized access similar to that detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

(2) Preferably, the transmission unit transmits, as the processing information, information for restricting communication between the target vehicle and the outside to the target vehicle.

Such a configuration can more reliably prevent unauthorized access to the target vehicle from outside the target vehicle.

(3) Preferably, the transmission unit transmits information of software to be updated in an in-vehicle device of the target vehicle to the target vehicle as the processing information.

With such a configuration, it is possible to update the software installed in the in-vehicle device of the target vehicle to, for example, software with enhanced security against unauthorized access, thereby more reliably preventing unauthorized access to the in-vehicle device of the target vehicle. be able to.

(4) Preferably, the management device further includes a storage unit that stores version information of software installed in one or more in-vehicle devices in each of the plurality of vehicles.

With such a configuration, when unauthorized access is detected in a certain vehicle, version information of software installed in the vehicle or in a plurality of in-vehicle devices can be easily obtained by referring to the storage unit. . As a result, using the acquired version information, it is possible to quickly select a target vehicle and quickly generate information on unauthorized access for notifying the user.

(5) Preferably, the acquisition unit acquires, as the software information, version information of software installed in one or more in-vehicle devices of the detection vehicle, and the selection unit acquires version information acquired by the acquisition unit. The target vehicle is selected based on a result of comparison between the version information received and version information of software installed in one or a plurality of in-vehicle devices in vehicles other than the detection vehicle.

As a result, from the viewpoint of software version information, it is possible to more accurately select vehicles in which unauthorized access similar to that detected in the detected vehicle may occur.

(6) Preferably, the management device further includes version information of software installed in the in-vehicle device in which the unauthorized access has been detected in the detection vehicle, and the in-vehicle device in which the unauthorized access has been detected in the detection vehicle. and a comparison result of version information of software installed in one or more in-vehicle devices of the detection vehicle and version information of software installed in one or more in-vehicle devices of a vehicle other than the detection vehicle and a notification unit for notifying the user of the number of vehicles searched based on at least .

With such a configuration, for example, when unauthorized access is detected in a plurality of vehicles by the detection unit, the number of vehicles having the same version information as the version information of the detected vehicle is notified to the user for each detected unauthorized access. Since the notification can be made, it is possible to notify the user of the number of vehicles in which unauthorized access similar to the unauthorized access detected in the detected vehicle may occur. This makes it easier for the user to select unauthorized accesses for which defensive measures should be preferentially deployed.

(7) A communication system according to an embodiment of the present disclosure includes a management device and an in-vehicle device mounted in a vehicle, the in-vehicle device transmits log information to the management device, and the management device: Unauthorized access to the vehicle is detected based on the log information received from the in-vehicle device, and the management device is incorporated in one or more in-vehicle devices in the detected vehicle, which is the vehicle in which the unauthorized access has been detected. the management device selects one or more target vehicles from among a plurality of vehicles based on the acquired software information; the management device selects Processing information for preventing the unauthorized access is transmitted to the target vehicle.

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detected vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, taking into consideration the state of the software in each vehicle, it is possible to preferentially deploy defensive measures to vehicles in which unauthorized access similar to that detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

(8) A vehicle communication management method according to an embodiment of the present disclosure is a vehicle communication management method in a management device, comprising: detecting unauthorized access to a vehicle; Acquiring software information indicating the state of software installed in one or more in-vehicle devices in the detected vehicle; selecting one or more target vehicles from among a plurality of vehicles based on the acquired software information. and transmitting processing information for preventing the unauthorized access to the selected target vehicle.

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detection vehicle, and processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, taking into consideration the state of the software in each vehicle, it is possible to preferentially deploy defensive measures to vehicles in which unauthorized access similar to that detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

(9) A vehicle communication management method according to an embodiment of the present disclosure is a vehicle communication management method in a communication system including a management device and an in-vehicle device mounted in a vehicle, wherein the in-vehicle device receives log information. a step of transmitting to the management device; a step of the management device detecting unauthorized access to the vehicle based on the log information received from the in-vehicle device; a step of acquiring software information indicating the state of software installed in one or more in-vehicle devices in the detection vehicle, which is the vehicle, and the management device, based on the acquired software information, in a plurality of vehicles and transmitting processing information for preventing unauthorized access to the selected target vehicle by the management device.

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detection vehicle, and processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, taking into consideration the state of the software in each vehicle, it is possible to preferentially deploy defensive measures to vehicles in which unauthorized access similar to that detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

(10) A vehicle communication management program according to an embodiment of the present disclosure is a vehicle communication management program used in a management device, comprising: a computer configured to detect unauthorized access to a vehicle; an acquisition unit for acquiring software information indicating the state of software installed in one or more in-vehicle devices in the vehicle in which unauthorized access has been detected; and based on the software information acquired by the acquisition unit. a selection unit that selects one or a plurality of target vehicles from among a plurality of vehicles; and a transmission unit that transmits processing information for preventing the unauthorized access to the target vehicles selected by the selection unit. It is a program for

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detected vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle according to the state, and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, taking into consideration the state of the software in each vehicle, it is possible to preferentially deploy defensive measures to vehicles in which unauthorized access similar to that detected in the detected vehicle may occur. Therefore, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

Embodiments of the present disclosure will be described below with reference to the drawings. The same or corresponding parts in the drawings are denoted by the same reference numerals, and the description thereof will not be repeated. Moreover, at least part of the embodiments described below may be combined arbitrarily.

<First embodiment>
[Communications system]
FIG. 1 is a diagram showing the configuration of a communication system according to the first embodiment of the present disclosure.

Referring to FIG. 1 , communication system 400 includes management device 200 and a plurality of in-vehicle communication systems 300 . A plurality of in-vehicle communication systems 300 are mounted in a plurality of vehicles 1, respectively.

[In-vehicle communication system]
FIG. 2 is a diagram showing the configuration of an in-vehicle communication system according to the first embodiment of the present disclosure.

Referring to FIG. 2 , in-vehicle communication system 300 includes gateway device 101 , multiple in-vehicle communication devices 111 , and multiple bus connection device groups 121 .

FIG. 3 is a diagram showing the configuration of a bus connection device group according to the first embodiment of the present disclosure.

Referring to FIG. 3, bus connection device group 121 includes a plurality of control devices 122 . In addition, the bus connection device group 121 is not limited to the configuration including a plurality of control devices 122 , and may be configured to include one control device 122 .

The gateway device 101, the in-vehicle communication device 111 and the control device 122 are examples of in-vehicle devices. Hereinafter, each of the gateway device 101, the vehicle-mounted communication device 111, and the control device 122 may be referred to as "vehicle-mounted device".

The gateway device 101 , the plurality of in-vehicle communication devices 111 and the plurality of control devices 122 constitute the in-vehicle network 12 .

In the in-vehicle network 12, the in-vehicle communication device 111 communicates with devices outside the vehicle 1, for example. Specifically, the in-vehicle communication device 111 is, for example, a TCU (Telematics Communication Unit), a short-range radio terminal device, and an ITS (Intelligent Transport Systems) radio.

1 and 2, the TCU can communicate with management device 200. FIG. Specifically, the TCU can communicate with the management device 200 via the radio base station device 161 using IP packets, for example.

More specifically, the TCU is capable of performing wireless communication with a wireless base station device according to a communication standard such as LTE (Long Term Evolution) or 3G, and is also capable of communicating with gateway device 101. be. The TCU relays information for services such as navigation, vehicle anti-theft, remote maintenance and FOTA (Firmware Over The Air).

Specifically, when receiving an IP packet from management apparatus 200 via external network 11, radio base station apparatus 161 includes the received IP packet in a radio signal and transmits the radio signal to the TCU.

For example, when a radio signal including an IP packet from management device 200 is received from radio base station device 161 , TCU acquires the IP packet from the received radio signal and transmits the acquired IP packet to gateway device 101 .

Also, when the TCU receives an IP packet from the gateway device 101 , the TCU includes the received IP packet in a radio signal and transmits the radio signal to the radio base station device 161 .

Upon receiving a radio signal from the TCU, radio base station apparatus 161 acquires an IP packet from the received radio signal and transmits the acquired IP packet to management apparatus 200 via external network 11 .

The short-range wireless terminal device is, for example, a smart phone held by a person riding in the vehicle 1 (hereinafter also referred to as a passenger) in accordance with communication standards such as Wi-Fi (registered trademark) and Bluetooth (registered trademark). It is possible to perform wireless communication with a wireless terminal device such as the gateway device 101 and to communicate with the gateway device 101 . The short-range wireless terminal device is installed in, for example, IVI (In-Vehicle Information) equipment, and relays information used for services such as entertainment.

In addition, the short-range wireless terminal device is, for example, in accordance with a predetermined communication standard, a wireless terminal device such as a smart key held by a passenger, a wireless terminal device provided on a tire, and an LF (Low Frequency) band or UHF (Ultra (High Frequency) band, and can communicate with the gateway device 101 . The short-range wireless terminal device relays information used for services such as smart entry and TPMS (Tire Pressure Monitoring System).

The ITS radio can perform road-to-vehicle communication with roadside devices such as optical beacons, radio wave beacons, and ITS spots installed near roads, and can communicate with in-vehicle terminals mounted on other vehicles. It is possible to communicate, and it is possible to communicate with the gateway device 101 . ITS radios relay information for services such as congestion relief, safe driving assistance, and route guidance, for example.

The gateway device 101 is connected to the in-vehicle device via buses 13 and 14, for example. Specifically, the buses 13 and 14 are, for example, CAN (Controller Area Network) (registered trademark), FlexRay (registered trademark), MOST (Media Oriented Systems Transport) (registered trademark), Ethernet (registered trademark), and LIN (Local Interconnect Network) and other standards.

In this example, the in-vehicle communication device 111 is connected to the gateway device 101 via a corresponding bus 14 conforming to the Ethernet standard. Each control device 122 in the bus connection device group 121 is connected to the gateway device 101 via a corresponding bus 13 conforming to the CAN standard. Control device 122 can control functional units in vehicle 1, for example.

Bus 13 is provided, for example, for each system. Specifically, the bus 13 is, for example, a driving system bus, a chassis/safety system bus, a body/electrical system bus, and an AV/information system bus.

An engine control device, an AT (Automatic Transmission) control device, and an HEV (Hybrid Electric Vehicle) control device, which are examples of the control device 122, are connected to the driving system bus. The engine controller, AT controller, and HEV controller control the engine, AT, and switching between the engine and motor, respectively.

A brake control device, a chassis control device, and a steering control device, which are examples of the control device 122, are connected to the chassis/safety bus. The brake controller, chassis controller and steering controller control the brakes, chassis and steering respectively.

An instrument display control device, an air conditioner control device, an anti-theft control device, an airbag control device, and a smart entry control device, which are examples of the control device 122, are connected to the body/electric system bus. The gauge display controller, air conditioner controller, anti-theft controller, airbag controller and smart entry controller control the gauges, air conditioner, anti-theft mechanism, airbag mechanism and smart entry respectively.

A navigation control device, an audio control device, an ETC (Electronic Toll Collection System) (registered trademark) control device, and a telephone control device, which are examples of the control device 122, are connected to the AV/information system bus. The navigation controller, audio controller, ETC controller and phone controller control the navigation device, audio device, ETC device and mobile phone respectively.

Further, the bus 13 is not limited to the configuration in which the control device 122 is connected, and a device other than the control device 122, such as a sensor, may be connected.

The gateway device 101 is, for example, a central gateway (CGW), and can communicate with an in-vehicle device.

FIG. 4 is a diagram showing the configuration of the gateway device in the in-vehicle communication system according to the first embodiment of the present disclosure.

Referring to FIG. 4 , gateway device 101 includes switch unit 51 , processing unit 52 , storage unit 53 , and abnormality detection unit 54 . Storage unit 53 is, for example, a flash memory.

The gateway device 101, for example, exchanges information between the control devices 122 connected to different buses 13 in the vehicle 1, information exchanged between the onboard communication devices 111, information exchanged between the control device 122 and the onboard communication devices 111, and so on. Relay processing is performed to relay the information received.

More specifically, the gateway device 101 relays messages transmitted from one vehicle-mounted device to another vehicle-mounted device. The message includes the content of the message and an ID for identifying the source and destination of the message.

For example, when receiving a message from a vehicle-mounted device via the corresponding bus 13 or 14 , the switch unit 51 transmits the received message to the destination vehicle-mounted device via the corresponding bus 13 or 14 .

Further, for example, when switch unit 51 receives a message addressed to processing unit 52 from a vehicle-mounted device via corresponding bus 13 or 14 , switch unit 51 outputs the received message to processing unit 52 .

The processing unit 52 stores access logs indicating access records to the in-vehicle network 12 by external devices outside the vehicle 1, in-vehicle communication logs indicating communication records between in-vehicle devices in the in-vehicle network 12, and records of processing executed by the in-vehicle devices. Get logs such as event logs that indicate

For example, when the in-vehicle communication device 111 receives a radio signal in which an IP packet from an external device is stored from the radio base station device 161, the reception time of the IP packet, the IP address of the external device that is the transmission source, and the in-vehicle An access log is generated that indicates the IP address of the device and the processing details for the received IP packet. Then, the in-vehicle communication device 111 transmits a message addressed to the processing unit 52 including the generated access log to the gateway device 101 .

Upon receiving the above message from the in-vehicle communication device 111 via the switch unit 51 , the processing unit 52 in the gateway device 101 acquires an access log from the received message and stores the acquired access log in the storage unit 53 .

Further, for example, when a message is transmitted and received between in-vehicle devices via the gateway device 101, the in-vehicle device that is the transmission source of the message or the in-vehicle device that is the destination of the message receives the message transmission time, the ID of the transmission source in-vehicle device, An in-vehicle communication log containing the ID of the destination in-vehicle device and the type and content of the message is generated. Then, the in-vehicle device that is the transmission source of the message or the in-vehicle device that is the transmission destination transmits to the gateway device 101 a message addressed to the processing unit 52 including the generated in-vehicle communication log.

Upon receiving the message from the in-vehicle device via the switch unit 51 , the processing unit 52 in the gateway device 101 acquires the in-vehicle communication log included in the received message and stores the acquired in-vehicle communication log in the storage unit 53 .

Also, for example, when the in-vehicle device executes processing such as password change, file authority change, and firmware update, it generates an event log including the time when the processing was executed, its own ID, and the type and content of the processing. Then, the in-vehicle device transmits a message addressed to the processing unit 52 including the generated event log to the gateway device 101 .

Upon receiving the message from the in-vehicle device via the switch unit 51 , the processing unit 52 in the gateway device 101 acquires the event log included in the received message and stores the acquired event log in the storage unit 53 .

The processing unit 52 acquires various logs as described above from the storage unit 53 at a predetermined cycle, generates log information including each log acquired from the storage unit 53 and the ID of its own vehicle 1, switches the switch unit 51 and It is transmitted to the management device 200 via the in-vehicle communication device 111 .

The anomaly detection unit 54 detects an anomaly message in the in-vehicle network 12 by monitoring messages relayed by the switch unit 51 .

More specifically, the anomaly detection unit 54 uses, for example, a machine learning method, and when a message including control details that have a low correlation with control details predicted from the running situation of the vehicle 1 is relayed by the switch unit 51, The message is determined to be an abnormal message.

For example, the abnormality detection unit 54 relays a message to the engine control device to stop the engine even though the shift lever is set to drive and the vehicle 1 is running. If so, the message is determined to be an abnormal message.

When the abnormality detection unit 54 detects an abnormality message, the abnormality detection unit 54 notifies the processing unit 52 of abnormality detection information including the transmission time, the ID of the in-vehicle device of the transmission source, the ID of the in-vehicle device of the transmission destination, and the like.

Upon receiving the abnormality detection information from the abnormality detection unit 54 , the processing unit 52 generates log information including the ID of its own vehicle 1 and the received abnormality detection information, and sends the log information to the management device 200 via the switch unit 51 and the in-vehicle communication device 111 . Send to

FIG. 5 is a diagram illustrating an example of log information including an access log that the gateway device according to the first embodiment of the present disclosure transmits to the management device.

Referring to FIG. 5, the log information including the access log transmitted from processing unit 52 to management device 200 includes IP packet reception time, vehicle ID, transmission source IP address, transmission destination IP address, and processing details for the IP packet. have.

The source IP address field in the log information stores the IP address of the external device. The destination IP address field in the log information stores the destination IP address of the in-vehicle device.

In the processing content field of the log information, for example, whether the in-vehicle communication device 111 that received the IP packet from the external device relayed the received IP packet to the destination in-vehicle device, or Information indicating whether or not the file has been discarded without being relayed is stored.

FIG. 6 is a diagram illustrating an example of log information including an in-vehicle communication log that the gateway device according to the first embodiment of the present disclosure transmits to the management device.

Referring to FIG. 6, log information including an in-vehicle communication log transmitted from processing unit 52 to management device 200 has message transmission time, vehicle ID, transmission source ID, transmission destination ID, message type, and message content.

The ID of the in-vehicle device that is the transmission source is stored in the transmission source ID field in the log information. The ID of the in-vehicle device of the transmission destination is stored in the transmission destination ID field in the log information.

The message type field in the log information stores information indicating the type of control content of the device to be controlled by the control device 122, such as accelerator actuation, brake actuation, engine start, engine stop, and door unlock. be.

In the message content field of the log information, information indicating the content of control such as the amount of acceleration due to accelerator operation and the amount of deceleration due to brake operation is stored.

FIG. 7 is a diagram illustrating an example of log information including an event log that the gateway device according to the first embodiment of the present disclosure transmits to the management device.

Referring to FIG. 7, the log information including the event log transmitted from processing unit 52 to management device 200 includes the event occurrence time that is the time when the process was executed, the vehicle ID, the in-vehicle device ID, the type of processing, and the content of the processing. have.

The ID of the in-vehicle device that executed the process is stored in the in-vehicle device ID field in the log information.

The processing type field in the log information stores, for example, information indicating the types of processing such as password change, file authority change, and firmware update.

The processing content field in the log information stores, for example, information indicating the processing content such as the changed password, the file name and data size used for updating the firmware, and the like.

[Management device]
FIG. 8 is a diagram illustrating the configuration of a management device according to the first embodiment of the present disclosure;

Referring to FIG. 8 , management device 200 includes a receiver 210 , a detector 220 , an acquirer 230 , a selector 240 , a transmitter 250 and a storage 260 . Storage unit 260 is, for example, a flash memory.

The receiving unit 210 receives log information transmitted from the gateway devices 101 in the multiple vehicles 1 and outputs the received log information to the detecting unit 220 .

The detection unit 220 detects unauthorized access to the vehicle 1 . For example, the detection unit 220 detects unauthorized access to the vehicle 1 from outside the vehicle and unauthorized access to an in-vehicle device or the like in the in-vehicle network 12 .

More specifically, the detection unit 220 detects, for example, unauthorized access to the vehicle 1 by verifying the log information received from the reception unit 210, and identifies the in-vehicle device in which the unauthorized access has occurred.

Hereinafter, the vehicle 1 in which unauthorized access has been detected by the detection unit 220 will be referred to as a detected vehicle, and the in-vehicle device in which unauthorized access has been identified by the detection unit 220 will be referred to as a detected in-vehicle device.

For example, the detection unit 220 verifies the log information as shown in FIG. In this case, the corresponding vehicle 1 is determined to be the detection vehicle, and the in-vehicle device indicated by the destination IP address in the log information is identified as the detection in-vehicle device. Furthermore, for example, the detection unit 220 determines that the external device indicated by the source IP address is an unauthorized device.

Also, for example, the detection unit 220 verifies log information such as that shown in FIG. , or if the in-vehicle device indicates that the firmware has been updated in the in-vehicle device without communicating with the management device 200 in advance, the corresponding vehicle 1 is determined to be the detection vehicle, and the in-vehicle device ID in the log information identifies the in-vehicle device indicated by as the detection in-vehicle device.

Also, for example, the detection unit 220 verifies the log information as shown in FIG. When indicating that a certain in-vehicle device has sent a message different from the message normally sent, such as sending a message containing The vehicle-mounted device and the vehicle-mounted device indicated by the destination ID are identified as the detection vehicle-mounted device.

Further, for example, as a result of verifying the log information received from the receiving unit 210, the detection unit 220 identifies the in-vehicle device that has transmitted the anomaly message as the detection in-vehicle device when the log information includes the abnormality detection information.

When the detection unit 220 determines that the vehicle 1 is the detection vehicle, it generates alert information including the ID of the detection vehicle and the ID of the detection in-vehicle device. For example, in the log information shown in FIG. Generate alert information that also includes:

Detection unit 220 outputs the generated alert information to transmission unit 250 and acquisition unit 230 .

Upon receiving the alert information from the detection unit 220, the transmission unit 250 transmits processing information for preventing unauthorized access to the detected vehicle indicated by the received alert information. More specifically, the transmitting unit 250 transmits to the detecting vehicle processing information for causing an in-vehicle device in the detecting vehicle to perform processing for preventing unauthorized access.

For example, the transmission unit 250 generates communication restriction information for restricting communication between the detection vehicle and the outside, and transmits the generated communication control information to the detection vehicle as processing information. More specifically, when the alert information received from the detection unit 220 includes the IP address of the unauthorized device, the transmission unit 250 transmits communication restriction information for limiting communication between the detected vehicle and the unauthorized device. and transmit the generated communication control information to the detection vehicle.

When receiving the communication restriction information from the transmission unit 250, the vehicle-mounted device in the detected vehicle, such as the vehicle-mounted communication device 111, performs processing to block communication with the external device, such as the unauthorized device indicated by the communication control information.

Further, for example, the transmission unit 250 generates information about software to be updated in the in-vehicle device of the detection vehicle, and transmits the generated information to the detection vehicle as processing information. More specifically, the transmission unit 250 generates update data used for updating the firmware of the in-vehicle device in the detection vehicle, and transmits the generated update data to the detection vehicle. The in-vehicle device to be updated may be the detection in-vehicle device or another in-vehicle device.

Upon receiving the update data from the transmission unit 250, the in-vehicle device in the detection vehicle updates the firmware at a predetermined timing. Then, when the update of the firmware is completed, the in-vehicle device transmits completion information indicating that the update has been completed to the management device 200 via the in-vehicle communication device 111 and the wireless base station device 161 .

The receiving unit 210 in the management device 200 outputs the received completion information to the transmitting unit 250 when receiving the completion information from the vehicle-mounted communication device 111 in the detected vehicle.

Upon receiving the completion information from the receiving unit 210, the transmitting unit 250 transmits, to the detecting vehicle, cancellation information for canceling the communication limitation between the external device and the detecting vehicle that has restricted communication.

An in-vehicle device in the detected vehicle, for example, the in-vehicle communication device 111 receives the cancellation information from the transmission unit 250, and performs processing for canceling the cutoff of communication with the external device indicated by the cancellation information.

The acquisition unit 230 acquires software information indicating the state of software installed in one or more in-vehicle devices in the detection vehicle.

More specifically, the acquisition unit 230 acquires version information of software installed in one or more in-vehicle devices of the detection vehicle as the software information of the detection vehicle.

For example, the storage unit 260 stores version information of software installed in one or more in-vehicle devices in each of the plurality of vehicles 1 .

9 is an example of version information stored in a storage unit in the management device according to the first embodiment of the present disclosure; FIG.

Referring to FIG. 9 , storage unit 260 stores version information indicating versions of software installed in a plurality of in-vehicle devices in each vehicle 1 . In this example, the software version of each in-vehicle device of the vehicle A is "1.1" for the software of the in-vehicle device A, "1.3" for the software of the in-vehicle device B, and "1.3" for the software of the in-vehicle device C. The software of the in-vehicle device D is "1.4", the software of the in-vehicle device D is "2.1", and the software of the in-vehicle device E is "2.8".

Hereinafter, the version information of the software of the vehicle-mounted devices in the vehicles A, B, C, D, E, and F will also be referred to as version information A, B, C, D, E, and F, respectively.

Upon receiving the alert information from the detection unit 220 , the acquisition unit 230 acquires from the storage unit 260 the version information of the detected vehicle indicated by the received alert information. For example, when the ID of the detected vehicle included in the alert information received from detection unit 220 is the ID of vehicle B, acquisition unit 230 acquires version information B from storage unit 260 .

For example, the acquisition unit 230 further acquires version information of the vehicle 1 other than the detected vehicle from the storage unit 260 .

The acquiring unit 230 outputs the version information of the plurality of vehicles 1 including the detected vehicle, the ID of the detected vehicle, and the ID of the detected in-vehicle device acquired from the storage unit 260 to the selection unit 240 .

The selection unit 240 selects one or more target vehicles from among the plurality of vehicles based on the version information of the detected vehicle received from the acquisition unit 230 .

More specifically, the selection unit 240 compares the version information of the detected vehicle received from the acquisition unit 230 with the version information of the software installed in one or more in-vehicle devices of the vehicle 1 other than the detected vehicle. Then, the target vehicle 1, which is the vehicle 1 on which preventive measures against unauthorized access should be preferentially implemented, is selected.

For example, the selection unit 240 selects a vehicle 1 having the same model as the model of the detected vehicle and whose version information matches or is similar to the model of the detected vehicle as the target vehicle.

For example, storage unit 260 stores model information that associates the ID of vehicle 1 with the model.

The selection unit 240 extracts one or a plurality of vehicles 1 of the same model as the detected vehicle by referring to the model information in the storage unit 260 .

Then, using the version information of a plurality of vehicles 1 including the detected vehicle received from the acquisition unit 230, the selection unit 240 compares the version information of the detected vehicle with the extracted version information of each vehicle 1. , a priority is set for each vehicle 1 extracted.

Specifically, the selection unit 240 calculates the degree of similarity between the version information of the detected vehicle and the extracted version information of each vehicle 1, and sets a higher priority in descending order of the degree of similarity.

10 is a diagram illustrating an example of priority order setting by a selection unit in the management device according to the first embodiment of the present disclosure; FIG.

Referring to FIG. 10, it is assumed that selection unit 240 extracts vehicles J, K, L, M, and N as vehicles 1 of the same type as vehicle H, which is the detected vehicle.

The selection unit 240 calculates the degree of similarity between the version information H of the vehicle H and the version information J, K, L, M, N of the vehicles J, K, L, M, N.

Specifically, the selection unit 240 compares the software version of each in-vehicle device in vehicle H with the software version of each in-vehicle device in vehicles J, K, L, M, and N for each corresponding in-vehicle device. do.

As a result of comparing each in-vehicle device in vehicle H with each in-vehicle device in vehicles J, K, L, M, and N, selection unit 240 assigns one point to each in-vehicle device whose software version matches each other. 10 points are given to each detected in-vehicle device whose software versions match each other, and the sum of the points is calculated as the degree of similarity.

For example, as a result of comparing each in-vehicle device in vehicle H with each in-vehicle device in vehicle J, selection unit 240 determines that the software versions of in-vehicle device A match each other, and in-vehicle device B, which is the detected in-vehicle device. Since the software versions of E match each other, 21 points are calculated as the degree of similarity of vehicle J. Similarly, the selection unit 240 calculates 13 points, 12 points, 22 points, and 10 points as similarities of the vehicles K, L, M, and N, respectively.

Then, the selection unit 240 sets the priority in order of the vehicle M, the vehicle J, the vehicle K, the vehicle L, and the vehicle N according to the calculated degree of similarity, and selects a predetermined number of vehicles 1, for example, the vehicles M, J and K are selected as target vehicles.

The selection unit 240 notifies the transmission unit 250 of the IDs of the vehicles M, J, and K selected as the target vehicles.

Upon receiving the notification from the selection unit 240, the transmission unit 250 transmits processing information for preventing unauthorized access to the target vehicle indicated by the notified ID. More specifically, the transmission unit 250 transmits processing information for causing an in-vehicle device in the target vehicle to perform processing for preventing unauthorized access to the detection vehicle.

For example, the transmission unit 250 generates communication restriction information for restricting communication between the target vehicle and the outside, and transmits the generated communication control information to the target vehicle as processing information. More specifically, when the alert information received from detection unit 220 includes the IP address of a disallowed device, transmission unit 250 transmits communication restriction information for restricting communication between the target vehicle and the disallowed device. and transmit the generated communication control information to the target vehicle.

When receiving the communication restriction information from the transmission unit 250, the vehicle-mounted device in the target vehicle, such as the vehicle-mounted communication device 111, performs a process of blocking communication with the disallowed device indicated by the communication control information, for example.

Further, for example, the transmission unit 250 generates information about software to be updated in the in-vehicle device of the target vehicle, and transmits the generated information to the target vehicle as processing information. More specifically, the transmission unit 250 generates update data used for updating the firmware of the in-vehicle device in the target vehicle, and transmits the generated update data to the target vehicle. The in-vehicle device to be updated may be an in-vehicle device having the same function or role as the detecting in-vehicle device in the in-vehicle network 12, or may be another in-vehicle device. Hereinafter, in the target vehicle, an in-vehicle device having the same function or role as the detection in-vehicle device in the in-vehicle network 12 is also referred to as a target in-vehicle device.

Upon receiving the update data from the transmission unit 250, the in-vehicle device in the target vehicle updates the firmware at a predetermined timing. Then, when the update of the firmware is completed, the in-vehicle device transmits completion information indicating that the update has been completed to the management device 200 via the in-vehicle communication device 111 and the wireless base station device 161 .

Upon receiving the completion information from the vehicle-mounted communication device 111 of the target vehicle, the reception unit 210 in the management device 200 outputs the received completion information to the transmission unit 250 .

Upon receiving the completion information from the receiving unit 210, the transmitting unit 250 transmits to the target vehicle release information for releasing the communication restriction between the target vehicle and the external device that has restricted communication.

When receiving the release information from the transmission unit 250, the in-vehicle device in the target vehicle, such as the in-vehicle communication device 111, performs a process of releasing the cutoff of communication with the external device indicated by the release information.

[Flow of operation]
Each device in the in-vehicle communication system 300 has a computer including a memory, and an arithmetic processing unit such as a CPU in the computer reads out from the memory and executes a program including part or all of each step of the following flowcharts and sequences. do. Programs for these multiple devices can each be installed from the outside. Programs for these devices are stored in recording media and distributed.

FIG. 11 is a flowchart that defines an operation procedure when the management device transmits processing information for preventing unauthorized access to the vehicle in the in-vehicle communication system according to the first embodiment of the present disclosure.

Referring to FIG. 11, first, management device 200 waits for a log from each vehicle 1 (NO in step S102), and upon receiving log information (YES in step S102), verifies the received log information (step S104).

Next, as a result of verifying the log information received from each vehicle 1, the management device 200 detects no unauthorized access to each vehicle 1 (NO in step S106), new log information from each vehicle 1 (NO in step S102).

On the other hand, when the management device 200 detects unauthorized access to a certain vehicle 1 as a result of verifying the log received from each vehicle 1 (YES in step S106), the management device 200 detects the vehicle 1 in which the unauthorized access occurred. A detection vehicle-mounted device, which is a device, is identified (step S108).

Next, the management device 200 transmits communication restriction information for limiting communication between the detecting vehicle and the outside and update data used for updating the firmware of the detecting in-vehicle device to the detecting vehicle (step S110).

Next, the management device 200 acquires version information of software incorporated in one or more in-vehicle devices of the detection vehicle and version information of software incorporated in one or more in-vehicle devices of the vehicle 1 other than the detection vehicle. (step S112).

Next, the management device 200 selects target vehicles for which preventive measures against unauthorized access should be preferentially implemented based on the acquired version information (step S114).

Next, the management device 200 transmits to the target vehicle communication restriction information for limiting communication between the target vehicle and the outside and update data used for updating the firmware of the target in-vehicle device and the like (step S116).

Next, the management device 200 waits for new log information from each vehicle 1 (NO in step S102).

FIG. 12 is a sequence of processing for preventing unauthorized access to the vehicle in the in-vehicle communication system according to the first embodiment of the present disclosure.

Referring to FIG. 12, first, each gateway device 101 in vehicles X, Y, Z transmits log information to management device 200 (step S202).

Next, the management device 200 detects unauthorized access to the vehicle X by verifying the log information received from each gateway device 101, and identifies the detected in-vehicle device that has caused the unauthorized access ( step S204).

Next, the management device 200 transmits communication restriction information for restricting communication with the unauthorized device and update data used for updating the firmware of the detected in-vehicle device to vehicle X, which is the detected vehicle in which unauthorized access has been detected. (step S206).

Next, based on the communication restriction information and the update data received from the management device 200, the vehicle X performs a process of blocking communication with the unauthorized device, and uses the update data to update the firmware of the detecting on-vehicle device. is started (step S208).

Next, the management device 200 acquires version information X, Y, Z of software installed in one or more in-vehicle devices in vehicles X, Y, Z (step S210).

Next, the management device 200 selects the vehicle Z as a target vehicle on which preventive measures against unauthorized access should be preferentially implemented based on the acquired version information X, Y, Z (step S212).

Next, the management device 200 transmits communication restriction information for restricting communication with the unauthorized device and update data used for updating the firmware of the target in-vehicle device to the vehicle Z, which is the target vehicle (step S214). .

Next, based on the communication restriction information and the update data received from the management device 200, the vehicle Z performs a process of blocking communication with the disallowed device indicated by the communication control information, and uses the update data to block communication with the target vehicle-mounted device. Firmware update is started (step S216).

Next, when the firmware update is completed, the vehicle X transmits completion information indicating that the update has been completed to the management device 200 (step S218).

Next, the management device 200 transmits release information to the vehicle X for releasing the communication restriction between the vehicle X and the unauthorized device (step S220).

Next, vehicle X performs a process of canceling the cutoff of communication with the unauthorized device based on the cancellation information received from management device 200 (step S222).

Next, when the firmware update is completed, the vehicle Z transmits completion information indicating that the update has been completed to the management device 200 (step S224).

Next, the management device 200 transmits to the vehicle Z release information for releasing the communication restriction between the vehicle Z and the unauthorized device (step S226).

Next, vehicle Z performs a process of canceling the cutoff of communication with the unauthorized device based on the cancellation information received from management device 200 (step S228).

Note that in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 uses, as processing information, communication restriction information for restricting communication between the target vehicle and the outside and update in the on-vehicle device of the target vehicle. Although the configuration is such that the information on the software to be installed is transmitted to the target vehicle, the present invention is not limited to this. Transmitter 250 may be configured to transmit either one of the communication restriction information and the software information to the target vehicle, while not transmitting the other. However, since the transmission unit 250 transmits the communication restriction information to the detection vehicle, for example, it is possible to prevent remote control of the detection vehicle by an external unauthorized device, so that the detection vehicle can be stopped so as to avoid a collision accident. can.

Further, in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 transmits update data used for updating the firmware of the in-vehicle device as information on software to be updated in the in-vehicle device of the target vehicle. However, it is not limited to this. The transmission unit 250 may be configured to transmit, as software information, a URL (Uniform Resource Locator) indicating the location of update data to the target vehicle.

Further, in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 includes communication restriction information for restricting communication between the detection vehicle and the outside, and software to be updated in the on-vehicle device of the detection vehicle. Although the configuration is such that the information is transmitted to the detection vehicle, the configuration is not limited to this. The transmission unit 250 may be configured not to transmit both the communication restriction information and the software information to the detected vehicle. In addition, as the processing information, the transmission unit 250 transmits to the target vehicle, instead of the communication restriction information and software information, information for restricting a part or all of the functions of one or a plurality of in-vehicle devices in the target vehicle. It may be a configuration.

Further, in the management device 200 according to the first embodiment of the present disclosure, the acquisition unit 230 is configured to acquire the version information of the software installed in the in-vehicle device in the detection vehicle from the storage unit 260. It is not limited to this. The storage unit 260 may not store version information, and the acquisition unit 230 may acquire version information from outside the management device 200 .

Further, in the management device 200 according to the first embodiment of the present disclosure, the acquisition unit 230 is incorporated in the in-vehicle device in the detection vehicle as software information indicating the state of the software installed in the in-vehicle device in the detection vehicle. Although the configuration is such that software version information is acquired, the configuration is not limited to this. The acquisition unit 230 may be configured to acquire, as the software information, information other than the version, such as information on the last update date and time of the software installed in the in-vehicle device in the detection vehicle.

In addition, in the management device 200 according to the first embodiment of the present disclosure, the selection unit 240 includes version information of software installed in one or a plurality of in-vehicle devices in the detection vehicle, and version information of software installed in the vehicle 1 other than the detection vehicle. Alternatively, the target vehicle is selected based on the result of comparison with version information of software installed in a plurality of in-vehicle devices, but this is not restrictive. The selection unit 240 selects the target based on the comparison result between the last update date and time of the software incorporated in the in-vehicle device of the detection vehicle and the previous update date and time of the software incorporated in the in-vehicle device of the vehicle 1 other than the detection vehicle. It may be configured to select a vehicle.

Further, in the management device 200 according to the first embodiment of the present disclosure, the selection unit 240 compares each in-vehicle device in the detection vehicle with each in-vehicle device in the same type of vehicle as the detection vehicle. 1 point is given for each in-vehicle device whose version matches each other, 10 points are given to each detection in-vehicle device whose software version matches each other, and the sum of the points is calculated as the degree of similarity. , but not limited to. If the software version of the in-vehicle device in the vehicle of the same type as the detection vehicle matches or is lower than the software version of the in-vehicle device in the detection vehicle, the selection unit 240 gives 1 point to each in-vehicle device. However, the similarity may be calculated by assigning 10 points to each detected in-vehicle device having the same software version.

For example, in the example shown in FIG. 10, as a result of comparing each in-vehicle device in the vehicle H and each in-vehicle device in the vehicle J, the versions of the software of the in-vehicle device A match each other. Since the software versions of E match each other and the software versions of the in-vehicle devices C and D in the vehicle J are lower than the software versions of the in-vehicle devices C and D in the vehicle H, the similarity of the vehicle J is 23 points. Calculate

Further, in the management device 200 according to the first embodiment of the present disclosure, the detection unit 220 is configured to detect unauthorized access to the vehicle 1 and to identify the in-vehicle device in which the unauthorized access has occurred, that is, the detected in-vehicle device. However, it is not limited to this. The detection unit 220 may be configured to detect unauthorized access to the vehicle 1 but not to identify the detection vehicle-mounted device.

Further, in the in-vehicle communication system 300 according to the first embodiment of the present disclosure, when the in-vehicle device in the detection vehicle completes updating the firmware, it transmits completion information indicating that the update has been completed to the management device 200, When the management device 200 receives the completion information from the in-vehicle device, the management device 200 transmits to the detection vehicle release information for releasing the communication restriction between the external device and the detection vehicle that has restricted communication, and the in-vehicle device in the detection vehicle , when the release information is received from the transmission unit 250, the processing for releasing the cutoff of the communication with the external device indicated by the release information is performed. However, the present invention is not limited to this. The in-vehicle device of the detection vehicle may be configured to perform a process of canceling the cutoff of communication with the external device without transmitting completion information to the management device 200 when the update of the firmware is completed.

Further, in the in-vehicle communication system 300 according to the first embodiment of the present disclosure, when the update of the firmware is completed, the in-vehicle device in the target vehicle transmits completion information indicating that the update has been completed to the management device 200, When the management device 200 receives the completion information from the in-vehicle device, the management device 200 transmits to the target vehicle release information for releasing the communication restriction between the target vehicle and the external device that has restricted communication, and the in-vehicle device in the target vehicle , the processing for canceling the cutoff of the communication with the external device is performed when the cancellation information is received from the transmission unit 250, but the present invention is not limited to this. The in-vehicle device of the target vehicle may be configured to perform a process of canceling the interruption of communication with the external device without transmitting completion information to the management device 200 when the update of the firmware is completed.

Further, in the in-vehicle communication system 300 according to the first embodiment of the present disclosure, the management device 200 detects unauthorized access to one vehicle 1 based on the log information received from the in-vehicle device, Although it is configured to acquire version information of software installed in one or more in-vehicle devices in the detection vehicle and select one or more target vehicles based on the acquired version information, it is not limited to this. Absent. The management device 200 detects unauthorized access to a plurality of vehicles 1, acquires version information of software incorporated in one or a plurality of in-vehicle devices in the plurality of vehicles 1, that is, the detected vehicle, and obtains each version information It may be configured to select one or a plurality of target vehicles based on.

Also, part or all of the functions of the management device 200 according to the first embodiment of the present disclosure may be provided by cloud computing. That is, the management device 200 according to the embodiment of the present disclosure may be configured with a plurality of cloud servers or the like.

By the way, there is a demand for a technique that can more reliably prevent the spread of unauthorized access to each vehicle.

For example, when deploying a defense measure against unauthorized access detected in a vehicle to other vehicles, if there are many vehicles that require the deployment of the defense measure, it will take time to complete the deployment of the defense measure. . As a result, unauthorized access occurs in some vehicles for which the deployment of defensive measures was delayed, and unauthorized access expands.

In contrast, in the management device 200 according to the first embodiment of the present disclosure, the detection unit 220 detects unauthorized access to the vehicle 1 . The acquisition unit 230 acquires software information indicating the state of software installed in one or more in-vehicle devices of the vehicle 1 in which unauthorized access has been detected by the detection unit 220 . The selection unit 240 selects one or more target vehicles from the plurality of vehicles 1 based on the software information acquired by the acquisition unit 230 . The transmission unit 250 transmits processing information for preventing unauthorized access to the target vehicle selected by the selection unit 240 .

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detected vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle 1 according to the state of , and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle 1, it is possible to preferentially deploy defensive measures to vehicles 1 in which there is a possibility that unauthorized access similar to that detected in the detected vehicle may occur. can.

Therefore, the management device 200 according to the first embodiment of the present disclosure can more reliably prevent the spread of unauthorized access to each vehicle.

Further, in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 transmits to the target vehicle, as processing information, information for restricting communication between the target vehicle and the outside.

Such a configuration can more reliably prevent unauthorized access to the target vehicle from outside the target vehicle.

Further, in the management device 200 according to the first embodiment of the present disclosure, the transmission unit 250 transmits, as processing information, information about software to be updated in the in-vehicle device of the target vehicle to the target vehicle.

With such a configuration, it is possible to update the software installed in the in-vehicle device of the target vehicle to, for example, software with enhanced security against unauthorized access, thereby more reliably preventing unauthorized access to the in-vehicle device of the target vehicle. be able to.

Also, in the management device 200 according to the first embodiment of the present disclosure, the storage unit 260 stores version information of software installed in one or more in-vehicle devices in each of the plurality of vehicles 1 .

With such a configuration, when unauthorized access is detected in a certain vehicle 1, by referring to the storage unit 260, version information of software installed in one or a plurality of in-vehicle devices in the vehicle 1 can be easily obtained. can do. As a result, using the acquired version information, it is possible to quickly select a target vehicle and quickly generate information on unauthorized access for notifying the user.

In addition, in the management device 200 according to the first embodiment of the present disclosure, the acquisition unit 230 acquires version information of software installed in one or more in-vehicle devices in the detected vehicle as software information. The selection unit 240 selects a target vehicle based on the result of comparison between the version information acquired by the acquisition unit 230 and the version information of software installed in one or more in-vehicle devices of vehicles other than the detection vehicle.

As a result, from the viewpoint of software version information, it is possible to more accurately select the vehicle 1 that is likely to undergo unauthorized access similar to that detected in the detected vehicle.

Also, the communication system 400 according to the first embodiment of the present disclosure includes a management device 200 and an in-vehicle device mounted in the vehicle 1 . The in-vehicle device transmits log information to the management device 200 . The management device 200 detects unauthorized access to the vehicle 1 based on the log information received from the in-vehicle device. The management device 200 acquires software information indicating the state of software installed in one or more in-vehicle devices in the vehicle 1 in which unauthorized access has been detected. Management device 200 selects one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information. The management device 200 transmits processing information for preventing unauthorized access to the selected target vehicle.

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detected vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle 1 according to the state of , and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle 1, it is possible to preferentially deploy defensive measures to vehicles 1 in which there is a possibility that unauthorized access similar to that detected in the detected vehicle may occur. can.

Therefore, communication system 400 according to the first embodiment of the present disclosure can more reliably prevent the spread of unauthorized access to each vehicle.

Also, the vehicle communication management method according to the first embodiment of the present disclosure is a vehicle communication management method in management device 200 . In this vehicle communication management method, the management device 200 first detects unauthorized access to the vehicle 1 . Next, the management device 200 acquires software information indicating the state of software installed in one or more in-vehicle devices in the vehicle 1 in which unauthorized access has been detected. Next, management device 200 selects one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information. Next, the management device 200 transmits processing information for preventing unauthorized access to the selected target vehicle.

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detection vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle 1 according to the state of , and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle 1, it is possible to preferentially deploy defensive measures to vehicles 1 in which there is a possibility that unauthorized access similar to that detected in the detected vehicle may occur. can.

Therefore, with the vehicle communication management method according to the first embodiment of the present disclosure, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

Also, the vehicle communication management method according to the first embodiment of the present disclosure is a vehicle communication management method in a communication system including the management device 200 and an in-vehicle device mounted on the vehicle 1 . In this vehicle communication management method, first, the in-vehicle device transmits log information to the management device 200 . Next, the management device 200 detects unauthorized access to the vehicle 1 based on the log information received from the in-vehicle device. Next, the management device 200 acquires software information indicating the state of software installed in one or more in-vehicle devices in the vehicle 1 in which unauthorized access has been detected. Next, management device 200 selects one or a plurality of target vehicles from a plurality of vehicles based on the acquired software information. Next, the management device 200 transmits processing information for preventing unauthorized access to the selected target vehicle.

In this way, the target vehicle is selected using the information of the software installed in the in-vehicle device of the detection vehicle, and the processing information for preventing unauthorized access is transmitted to the target vehicle. A priority can be set for each vehicle 1 according to the state of , and processing information for preventing unauthorized access can be transmitted according to the priority. As a result, in consideration of the state of the software in each vehicle 1, it is possible to preferentially deploy defensive measures to vehicles 1 in which there is a possibility that unauthorized access similar to that detected in the detected vehicle may occur. can.

Therefore, with the vehicle communication management method according to the first embodiment of the present disclosure, it is possible to more reliably prevent the spread of unauthorized access to each vehicle.

Next, another embodiment of the present disclosure will be described with reference to the drawings. The same or corresponding parts in the drawings are denoted by the same reference numerals, and the description thereof will not be repeated.

<Second Embodiment>
The present embodiment relates to an in-vehicle communication system in which a management device notifies a user of alert-related information, unlike the in-vehicle communication system according to the first embodiment. The contents other than those described below are the same as those of the in-vehicle communication system according to the first embodiment.

[Management device]
FIG. 13 is a diagram illustrating the configuration of a management device according to the second embodiment of the present disclosure;

13, management device 201 includes receiving unit 210, detecting unit 220, acquiring unit 230, selecting unit 240, transmitting unit 250, storage unit 260, searching unit 270, and notifying unit 280. and

When acquiring the version information of a plurality of vehicles 1 including the detected vehicle from the storage unit 260, the acquisition unit 230 outputs the acquired version information, the ID of the detected vehicle, and the ID of the detected in-vehicle device to the selection unit 240 and the search unit 270. .

The search unit 270 searches the vehicle 1 according to a predetermined search condition based on the comparison result between the version information of the software of one or a plurality of in-vehicle devices of the detection vehicle and the version information of the software of the in-vehicle devices of the vehicles 1 other than the detection vehicle. perform a search for

For example, the search unit 270 uses the version information received from the acquisition unit 230 to search for a vehicle 1 including an in-vehicle device of the same version as the software version of the detection in-vehicle device, among the plurality of vehicles 1 .

For example, the search unit 270 uses the version information received from the acquisition unit 230 to determine whether the detection on-board devices of the plurality of detection vehicles have the same function or role in the in-vehicle network 12. Search for detected vehicles.

For example, the search unit 270 uses the version information received from the acquisition unit 230 to search, among the plurality of detected vehicles, the detected vehicles whose on-board devices correspond to each other and whose versions are the same. .

The search unit 270 outputs the ID of the detected vehicle, the ID of the detected in-vehicle device, and the search result to the notification unit 280 .

Based on the ID of the detected vehicle, the ID of the detected in-vehicle device, and the search result received from the search unit 270, the notification unit 280 displays the content of the alert-related information on a display device (not shown). to notify.

FIG. 14 is a diagram illustrating an example of notification contents notified by a notification unit in the management device according to the second embodiment of the present disclosure;

Referring to FIG. 14, notification unit 280 provides identification information such as the time of occurrence of unauthorized access in the detecting vehicle, the ID of the detecting vehicle, the name of the detecting in-vehicle device, the version information of the software of the detecting in-vehicle device, and the software of the detecting in-vehicle device. The number of vehicles 1 including the same version of the in-vehicle device as the version of , the number of detected vehicles that the detection on-board devices correspond to each other, and the detection vehicles that correspond to each other and the version of the detection on-board device is the same A screen in which the number of alert information is displayed is displayed on a display device (not shown).

In addition, in the management device 201 according to the second embodiment of the present disclosure, the acquisition unit 230 is configured to acquire the version information of a plurality of vehicles 1 including the detected vehicle from the storage unit 260. It is not limited. The storage unit 260 may not store version information, and the acquisition unit 230 may acquire version information from outside the management device 200 .

Further, although the notification unit 280 is configured to display a screen on which various types of information are displayed as shown in FIG. 14 on a display device (not shown), the present invention is not limited to this. The notification unit 280 may be configured not to display part of each of the above information on the display device. Further, the notification unit 280 may be configured to notify the user of each of the above information by a method other than displaying the information on the display device, for example, by voice.

As described above, in the management device 201 according to the second embodiment of the present disclosure, the notification unit 280 includes version information of software incorporated in an in-vehicle device in which unauthorized access has been detected in the detected vehicle, unauthorized access in the detected vehicle, Identification information of the in-vehicle device whose access has been detected, version information of software incorporated in one or more in-vehicle devices in the detected vehicle, and version information of software incorporated in one or more in-vehicle devices in vehicles other than the detected vehicle and notifying the user of the number of vehicles retrieved based on at least the comparison result of the .

With such a configuration, for example, when unauthorized access is detected in a plurality of vehicles 1 by the detection unit 220, the number of vehicles 1 having the same version information as the version information of the detected vehicle is determined for each detected unauthorized access. can be notified to the user, it is possible to notify the user of the number of vehicles 1 that may cause unauthorized access similar to the unauthorized access detected in the detected vehicle. This makes it easier for the user to select unauthorized accesses for which defensive measures should be preferentially deployed.

Other configurations and operations are similar to those of in-vehicle communication system 300 according to the first embodiment, and thus detailed description will not be repeated here.

The above-described embodiments should be considered as illustrative in all respects and not restrictive. The scope of the present invention is indicated by the scope of the claims rather than the above description, and is intended to include all modifications within the scope and meaning equivalent to the scope of the claims.

The above description includes the features appended below.
[Appendix 1]
a detection unit that detects unauthorized access to the vehicle;
Version information of software installed in one or more in-vehicle devices in the detection vehicle, which is the vehicle in which the unauthorized access has been detected by the detection unit, and one or more in-vehicle devices in a plurality of vehicles other than the detection vehicle an acquisition unit for acquiring version information of installed software;
A selection unit that selects one or more target vehicles from among the plurality of vehicles based on the degree of similarity between the version information of the detected vehicle and the version information of the plurality of vehicles acquired by the acquisition unit. When,
A management device, comprising: a transmission unit configured to transmit processing information for preventing the unauthorized access to the detected vehicle in which the unauthorized access is detected by the detection unit and the target vehicle selected by the selection unit.

[Appendix 2]
a management device;
and an in-vehicle device mounted on a vehicle,
The in-vehicle device transmits log information to the management device,
The management device detects unauthorized access to the vehicle based on the log information received from the in-vehicle device,
The management device provides version information of software installed in one or more in-vehicle devices in the detection vehicle, which is the vehicle in which the unauthorized access has been detected, and one or more in-vehicle devices in a plurality of vehicles other than the detection vehicle. Get the version information of the software built into the
The management device selects one or more target vehicles from among the plurality of vehicles based on the degree of similarity between the version information of the detected vehicle and the version information of the plurality of vehicles,
The communication system, wherein the management device transmits processing information for preventing the unauthorized access to the detected vehicle and the selected target vehicle.

1 vehicle 11 external network 12 in-vehicle network 13 bus 14 bus 101 gateway device 51 switch unit 52 processing unit 53 storage unit 54 abnormality detection unit 111 in-vehicle communication device 121 bus connection device group 122 control device 161 radio base station device 200 management device 201 management Apparatus 210 Receiving Part 220 Detecting Part 230 Acquiring Part 240 Selecting Part 250 Transmitting Part 260 Storage Part 270 Retrieval Part 280 Notification Part 300 In-Vehicle Communication System 400 Communication System

Claims (9)

a detection unit that detects unauthorized access to the vehicle;
an acquisition unit that acquires software information indicating the state of software installed in one or more in-vehicle devices of the vehicle in which the unauthorized access has been detected by the detection unit;
a selection unit that selects one or more target vehicles from among a plurality of vehicles based on the software information acquired by the acquisition unit;
a transmission unit that transmits processing information for preventing the unauthorized access to the target vehicle selected by the selection unit ;
The acquisition unit acquires, as the software information, version information of software installed in one or more in-vehicle devices of the detection vehicle,
The selection unit, based on a comparison result between the version information acquired by the acquisition unit and version information of software installed in one or more in-vehicle devices in each of a plurality of vehicles other than the detection vehicle, A management device that sets priorities for the plurality of vehicles and selects a predetermined number of the vehicles as the target vehicles based on the set priorities . The management device according to claim 1, wherein the transmission unit transmits information for restricting communication between the target vehicle and the outside as the processing information to the target vehicle. 3. The management device according to claim 1, wherein said transmission unit transmits information of software to be updated in an in-vehicle device of said target vehicle to said target vehicle as said processing information. The management device further
4. The management device according to any one of claims 1 to 3, comprising a storage unit that stores version information of software installed in one or more in-vehicle devices in each of a plurality of vehicles. The management device further
Version information of software installed in the in-vehicle device in which the unauthorized access was detected in the detection vehicle, identification information of the in-vehicle device in which the unauthorized access was detected in the detection vehicle, and one or more in the detection vehicle The number of vehicles searched based on at least a comparison result between version information of software installed in the in-vehicle device and version information of software installed in one or more in-vehicle devices of vehicles other than the detected vehicle. The management device according to any one of claims 1 to 4 , comprising a notification unit that notifies to. a management device;
and an in-vehicle device mounted on a vehicle,
The in-vehicle device transmits log information to the management device,
The management device detects unauthorized access to the vehicle based on the log information received from the in-vehicle device,
The management device acquires software information indicating the state of software installed in one or more in-vehicle devices of the vehicle in which the unauthorized access has been detected,
The management device selects one or more target vehicles from a plurality of vehicles based on the acquired software information,
The management device transmits processing information for preventing the unauthorized access to the selected target vehicle ,
The management device acquires, as the software information, version information of software installed in one or more of the in-vehicle devices in the detection vehicle,
The management device, based on the result of comparison between the acquired version information and version information of software installed in one or more in-vehicle devices in each of the plurality of vehicles other than the detection vehicle, A communication system that sets priorities and selects a predetermined number of the vehicles as the target vehicles based on the set priorities . A vehicle communication management method in a management device,
detecting unauthorized access to the vehicle;
a step of acquiring software information indicating the state of software installed in one or more in-vehicle devices of the vehicle in which the unauthorized access has been detected;
selecting one or more target vehicles from among a plurality of vehicles based on the acquired software information;
transmitting processing information for preventing unauthorized access to the selected target vehicle ;
In the step of acquiring the software information, version information of software installed in one or more of the in-vehicle devices of the detection vehicle is acquired as the software information;
In the step of selecting the target vehicle, based on a comparison result between the acquired version information and version information of software installed in one or more in-vehicle devices in each of a plurality of vehicles other than the detection vehicle, A vehicle communication management method, wherein priority is set for the plurality of vehicles, and a predetermined number of the vehicles are selected as the target vehicles based on the set priority . A vehicle communication management method in a communication system comprising a management device and an in-vehicle device mounted in a vehicle,
a step in which the in-vehicle device transmits log information to the management device;
a step in which the management device detects unauthorized access to the vehicle based on the log information received from the in-vehicle device;
a step in which the management device acquires software information indicating the state of software installed in one or more in-vehicle devices of the vehicle in which the unauthorized access has been detected;
a step in which the management device selects one or more target vehicles from among a plurality of vehicles based on the acquired software information;
the management device transmitting processing information for preventing the unauthorized access to the selected target vehicle ;
In the step in which the management device acquires the software information, version information of software installed in one or more of the in-vehicle devices in the detection vehicle is acquired as the software information;
In the step in which the management device selects the target vehicle, a result of comparison between the acquired version information and version information of software installed in one or more in-vehicle devices in each of a plurality of vehicles other than the detected vehicle. and selecting a predetermined number of the vehicles as the target vehicles based on the set priorities . A vehicle communication management program used in a management device,
the computer,
a detection unit that detects unauthorized access to the vehicle;
an acquisition unit that acquires software information indicating the state of software installed in one or more in-vehicle devices of the vehicle in which the unauthorized access has been detected by the detection unit;
a selection unit that selects one or more target vehicles from among a plurality of vehicles based on the software information acquired by the acquisition unit;
a transmission unit configured to transmit processing information for preventing unauthorized access to the target vehicle selected by the selection unit;
It is a program for functioning as
The acquisition unit acquires, as the software information, version information of software installed in one or more in-vehicle devices of the detection vehicle,
The selection unit, based on a comparison result between the version information acquired by the acquisition unit and version information of software installed in one or more in-vehicle devices in each of a plurality of vehicles other than the detection vehicle, A vehicle communication management program for setting priorities to the plurality of vehicles and selecting a predetermined number of the vehicles as the target vehicles based on the set priorities .

Images