JP7507205B2 - Communication monitoring device and communication monitoring method - Google Patents

Description

The present invention relates to a communication monitoring device and a communication monitoring method for monitoring communications via an in-vehicle network.

Patent Document 1 describes a method for preventing unauthorized control in a network system equipped with multiple electronic control units that transmit and receive multiple frames via a communication path. In this method, a control frame that instructs a control target to perform a specific control and a status frame that includes information about the status of the control target are sequentially received from the communication path. Then, based on a set of status frames received within a specific period preceding the reception of the received control frame, it is determined whether or not the specific control based on the received control frame should be prevented.

International Publication No. WO 2018/008452

However, in the conventional unauthorized control prevention method, the control information and status information of the frame communicated for the control object are examined, so that the number of control objects to be the object of processing unauthorized detection increases, and the processing load for unauthorized control detection increases. For example, to prevent unauthorized control in the entry process when a person gets in the car, it is necessary to detect unauthorized control by targeting various ECUs including the key communication ECU that controls communication with the smart key, the key authentication ECU (immobilizer), and the door lock control ECU as control objects.
On the other hand, as vehicle functions become more diverse, there is a demand for faster routing processing in in-vehicle networks, making it necessary to simplify processing while maintaining high security performance, such as the detection of spoofed frames.
Furthermore, when a specific ECU is fixedly used as the control target for unauthorized control detection, as in the above-mentioned conventional technology, once the control target is identified by a third party, it is possible that a malicious person may disable the unauthorized control detection.
In light of the above background, an object of the present invention is to reduce the processing load in detecting unauthorized communications in communications between multiple electronic control devices via an in-vehicle network without reducing the probability of detecting unauthorized communications.
Detecting unauthorized communications in in-vehicle networks can effectively prevent vehicle theft by defending against communication attacks, for example, that may be carried out during vehicle theft, and can contribute to the achievement of the SDGs through the realization of a safe, secure, and sustainable automotive society (SDGs 11.2, etc.).

According to one aspect of the present invention, a communication monitoring device monitors communications between multiple electronic control devices via an in-vehicle network, the communications being composed of a series of one or more frames, and the device comprises a target determination unit that determines some or all of the fields that constitute the frames as target sections, a receiving unit that receives the frames propagating through the in-vehicle network, an extraction unit that extracts the target sections as sections of interest from the received frames received by the receiving unit, and a verification unit that verifies the validity of the received frames based on the extracted sections of interest , wherein the target determination unit divides the frames used in the communications into multiple field groups in accordance with a division rule, and determines at least one of the field groups as the target section .
According to another aspect of the present invention, the extraction unit counts the number of times each of the field groups is used to extract the section of interest, and the target determination unit determines at least one new target section from among the plurality of divided field groups excluding the field group whose number of times of use is the maximum when the difference between the maximum and minimum values of the number of times of use among the field groups becomes equal to or greater than a first predetermined value.
According to another aspect of the present invention, the target determination unit determines a new target section from among all of the divided field groups when the difference between the maximum and minimum values of the number of times of use among the field groups becomes less than a second predetermined value.
According to another aspect of the present invention, the extraction unit counts the number of times each of the field groups is used to extract the section of interest, and the target determination unit changes the division rule when the difference between the maximum and minimum numbers of times of use among the field groups becomes less than a third predetermined value, newly divides the frame into a plurality of field groups in accordance with the changed division rule, and determines at least one of the newly divided plurality of field groups as the target section.
According to another aspect of the present invention, when the target determination unit newly divides the frame into multiple field groups in accordance with the changed division rule, the extraction unit initializes the number of uses of all of the newly divided field groups to 0.
According to another aspect of the present invention, when the verification unit determines that at least one of the sections of interest extracted by the extraction unit from each of the received frames is invalid, the target determination unit increases the number of field groups determined as the target section from the divided multiple field groups.
According to another aspect of the present invention, when the verification unit determines that at least one of the sections of interest extracted by the extraction unit from each of the received frames is invalid, the target determination unit determines all of the divided multiple field groups as the target sections.
According to another aspect of the present invention, the verification unit sets a monitoring period of a predetermined length of time, and the receiving unit receives the frame propagating through the in-vehicle network during the monitoring period.
According to another aspect of the invention, the target determination unit randomly determines at least one of the field groups as a target section each time the monitoring period begins.
According to another aspect of the present invention, the verification unit verifies the legitimacy of a predetermined number of the received frames for each monitoring period, and increases the length of the monitoring period when it determines that any of the received frames is invalid.
According to another aspect of the present invention, the verification section increases the predetermined number when it determines that any of the extracted received frames is invalid.
According to another aspect of the present invention, the verification section repeatedly sets the monitoring period with a pause period therebetween, and varies the length of the pause period irregularly within a predetermined range.
The target determination unit determines, for each of the plurality of sets of received frames, a different field or set of fields as the target section for each of the monitoring periods.
Another aspect of the present invention is a communication monitoring method performed by a computer of a communication monitoring device that monitors communications between multiple electronic control devices via an in-vehicle network, the communications being composed of a series of one or more frames, the method comprising the steps of: determining some or all of the fields that constitute the frames as target sections; repeatedly receiving the frames propagating through the in-vehicle network; extracting the target sections as sections of interest from received frames, which are the frames received in the receiving step; and verifying the validity of the received frames based on the extracted sections of interest , wherein in the determining step, the frames used in the communications are divided into a plurality of field groups in accordance with a division rule, and at least one of the field groups is determined to be the target section.

The present invention makes it possible to reduce the processing load for detecting unauthorized communications in communications between multiple electronic control devices via an in-vehicle network without reducing the probability of detecting unauthorized communications.

FIG. 1 is a configuration diagram of a vehicle equipped with a communication monitoring device according to an embodiment of the present invention. FIG. 2 is a diagram showing the configuration of the communication monitoring device. FIG. 3 is a diagram for explaining the verification of frame validity in the communication monitoring device. FIG. 4 is a diagram for explaining verification of frame validity in the second modified example. FIG. 5 is a flow chart showing the procedure of the operation of the communication monitoring device.

Below, a vehicle control system equipped with a communication monitoring device according to one embodiment of the present invention will be described with reference to the drawings.

FIG. 1 is a diagram showing a control system 1 for a vehicle.
The control system 1 includes a central ECU 2 that performs overall control and information processing of the vehicle. Hereinafter, the vehicle equipped with the control system 1 will be referred to as the vehicle itself. The central ECU 2 is connected to communication lines 4a, 4b, and 4c, and also realizes a gateway function that manages the transmission and reception of communication data between these communication lines. The central ECU 2 is also connected to a wireless device (not shown) that complies with the communication standard of the mobile communication system, and performs OTA (Over The Air) management. The OTA management includes control of downloading an update program for an in-vehicle device included in the vehicle itself from a server outside the vehicle and applying the update program to the in-vehicle device.

The first zone ECU 20a, the second zone ECU 20b, and the third zone ECU 20c are connected to the communication lines 4a, 4b, and 4c, respectively. The first zone ECU 20a is connected to ECUs 30a, 30b, and 30c, and the second zone ECU 20b is connected to ECUs 30d, 30e, and 30f. The third zone ECU 20c is connected to ECUs 30g, 30h, and 30i.

Hereinafter, the first zone ECU 20a, the second zone ECU 20b, and the third zone ECU 20c will be collectively referred to as zone ECU 20, and the ECUs 30a, 30b, 30c, 30d, 30e, 30f, 30g, 30h, and 30i will be collectively referred to as ECU 30.

The ECU 30 may include, for example, an MPU (Map Positioning Unit), an MVC-ECU (MVC; Multi View Camera), a PKS-ECU (PKS; Parking Support), and/or an ADAS-ECU (ADAS; Advanced Driver- Assistance System), and other ECUs that control the operation of various devices and sensors provided in the vehicle. Such devices and sensors may include a driving motor for driving the vehicle, steering controls such as an accelerator and brake, a VSA system (VSA; Vehicle Stability Assy ), a battery, lighting bodies such as headlamps, a window motor for driving door windows, an actuator for driving a door lock mechanism, a door lock sensor, a door opening/closing sensor, a temperature sensor, an exterior camera, an interior camera, and the like.

Each zone ECU 20 is connected to a plurality of ECUs 30 arranged in the same section of the vehicle body space of the vehicle itself, or a plurality of ECUs 30 that control the operation of devices and sensors arranged in the same section.
In addition to the zone ECU 20, other control devices and devices may be connected to the central ECU 2. Such control devices and devices may include an information control box (ICB), a speaker, a microphone, a meter panel, a steering switch, a GNSS sensor, a touch panel, and the like.

In this embodiment, the communication lines 4a, 4b, and 4c are configured, for example, by a CAN bus that performs communication in accordance with the CAN communication standard. Hereinafter, the communication lines 4a, 4b, and 4c are collectively referred to as the communication lines 4. Hereinafter, the communication lines 4 correspond to the in-vehicle network in this disclosure. In addition, the zone ECUs 20 connected to the communication lines 4 correspond to the multiple electronic control devices in this disclosure.

The zone ECU 20 connected to the communication line 4 sends data to be transmitted in one frame or as a sequence of multiple frames according to the CAN communication standard, according to conventional technology, to the communication line 4. According to the CAN communication standard, each frame sent out includes an identification code (ID), and each zone ECU 20 that receives a frame determines whether the frame was sent to it based on the ID included in the frame.

In this embodiment, the control system 1 includes a communication monitoring device 40 connected to the communication lines 4a, 4b, and 4c. The communication monitoring device 40 monitors the communication between the multiple zone ECUs 20 via the communication line 4.

[Configuration of communication monitoring device]
FIG. 2 is a diagram showing the functional configuration of the communication monitoring device 40. As shown in FIG.
The communication monitoring device 40 includes a processor 41, a memory 42, and a communication device 43. The memory 42 is, for example, configured with a volatile and/or non-volatile semiconductor memory and/or a hard disk device, etc. The communication device 43 includes, for example, three CAN transceivers (not shown) connected to the communication lines 4a, 4b, and 4c, which are a CAN communication bus, respectively.

The processor 41 is a computer included in the communication monitoring device 40, and is composed of, for example, one or more CPUs (Central Processing Units).
The processor 41 includes, as functional elements or functional units, a receiving unit 45, a target determining unit 46, an extracting unit 47, and a verifying unit 48. These functional elements of the processor 41 are realized, for example, by the processor 41, which is a computer, executing a communication monitoring program 44, which is a computer program stored in the memory 42. Alternatively, all or part of the above-mentioned functional elements of the processor 41 may be configured by hardware including one or more electronic circuit components.

The receiving unit 45 receives frames propagating through each of the communication lines 4a, 4b, and 4c by the communication device 43 during the monitoring period set by the verification unit 48. The start of the monitoring period may be instructed to the receiving unit 45 by the verification unit 48, or may be determined by the receiving unit 45 according to the duration and execution interval of the monitoring period instructed by the verification unit 48.

Hereinafter, the receiving unit 45, the target determining unit 46, the extracting unit 47, and the verifying unit 48 will process frames propagating through the communication lines 4a, 4b, and 4c, respectively, independently for the communication lines 4a, 4b, and 4c.

The target determination unit 46 determines (or defines) some or all of the fields that make up the frame used in communication as the target section. Specifically, the target determination unit 46 divides the frame into a number of field groups according to a certain division rule, and determines at least one of the field groups as the target section. The target determination unit 46 randomly determines at least one target section for each monitoring period, for example.

The division rule may, for example, determine the number of field groups to be created and the number of fields that compose each field group. The number of groups and the number of fields may be determined randomly, for example, using a random number generating function. The target determination unit 46 may, for example, divide the frame into a number of field groups by creating placeholders for the field groups according to the number of groups and the number of fields determined by the division rule, and randomly assigning specific fields to each of the created placeholders.

The extraction unit 47 extracts, from the received frame, which is the frame received by the receiving unit 45, the field portion of the field group indicated by the target section determined by the target determination unit 46, as a section of interest.

The verification unit 48 verifies the validity of the received frame containing the section of interest based on the section of interest extracted by the extraction unit 47.

Specifically, the verification unit 48 sets a monitoring period of a predetermined length of time, and for each monitoring period, the verification unit 48 extracts a predetermined number of received frames from the frames received within the monitoring period, and verifies the validity of the received frames based on the predetermined number of received frames (i.e., based on the section of interest extracted from the predetermined number of received frames).

Figure 3 is a diagram for explaining the validity verification of a transmitted frame sequence. In Figure 3, the horizontal axis is time, and each vertical rectangle is a frame transmitted over the communication line 4a at the respective time. In the example of Figure 3, a rest period during which the receiver 45 does not receive frames is sandwiched between monitoring periods. There are eight received frames within the monitoring period, of which six are extracted as received frames to be used for validity verification. In Figure 3, the received frames to be used for validity verification are indicated by thick rectangles.

In FIG. 3, the first six frames received during the monitoring period are used as the received frames for validity verification, but this is just one example, and the received frames used for validity verification can be selected arbitrarily from the frames received during the monitoring period. In FIG. 3, the black portion in the thick-lined rectangle showing the received frames used for validity verification is the section of interest extracted corresponding to the target section. The target section (and therefore the section of interest) does not need to be composed of consecutive fields within the frame, and may be composed of multiple fields located at separate positions within the frame. In the example of FIG. 3, the section of interest is composed of a field group including two fields located at separate positions within the received frame during the monitoring period shown on the left side of the figure, and is composed of a field group including fields located at consecutive positions during the monitoring period shown on the right side of the figure. In addition, since the target section is determined for each monitoring period, the section of interest also occupies a different position within the received frame for each monitoring period.

The target section determined to indicate the position of the section of interest used in validity verification is selected from a number of field groups that divide the frame by the target determination unit 46. Therefore, the criteria for validity verification of the section of interest extracted from the position indicated by the target section in the received frame can be easily determined, for example, according to the content definition of the field included in the field group.

As an example, the validity of the received frames may be verified based on criteria such as whether or not the sections of interest extracted by the extraction unit 47 from each of the predetermined number of received frames have any abnormalities in their contents and/or whether or not they are consistent.

Here, the above-mentioned "content anomaly" and "consistency" can be defined in advance according to the type of field included in the section of interest.
For example, if the section of interest includes an ID field, the "abnormal content" may mean that the IDs included in the ID fields include codes other than one or more predetermined ID codes. Alternatively, if the section of interest includes a data field, the "abnormal content" may mean that the data indicated by the data field includes an abnormal value that exceeds a predetermined value range. Alternatively, the "abnormal content" may be, for example, an abnormal CRC value in a CRC field.

In addition, the above-mentioned "consistency" may mean, for example, that if a data field is included in the section of interest, there is no abnormal change (e.g., a change exceeding a predetermined threshold) in the numerical value included in the data field between the predetermined number of sections of interest.

The communication monitoring device 40 having the above configuration divides a frame into a plurality of field groups, randomly determines a target section from the plurality of field groups for each monitoring period, for example, and extracts a section of interest corresponding to the target section for each received frame. The communication monitoring device 40 then verifies the validity of the received frame based on the extracted section of interest.

In the above-mentioned communication monitoring device 40, the validity of a received frame is verified based on a section of interest that is part of the received frame, thereby reducing the processing load for validity verification compared to conventional techniques that examine the control information and status information of a frame communicated for a specific control object.
In addition, in the communication monitoring device 40, the target section that defines the section of interest can be arbitrarily selected from within the frame, for example, by randomly selecting from a plurality of field groups, so that the entire frame can ultimately be verified by repeating the verification process. Therefore, in the communication monitoring device 40, it is possible to prevent the section of interest used for verification from being fixed to a specific part of the frame, and to maintain a high probability of detecting unauthorized communications (unauthorized frames).

Next, some modified examples of the communication monitoring device 40 will be described.
[First Modification]
As a first modified example, the extraction section 47 counts the number of times each of the field groups divided by the object determination section 46 is used to extract a section of interest, and notifies the object determination section 46 of the count value.

Then, when the difference between the maximum and minimum number of times of use among the plurality of field groups becomes equal to or greater than a first predetermined value (e.g., 3), the target determination unit 46 determines at least one new target section from among the plurality of divided field groups, excluding the field group with the maximum number of times of use. This new target section may be determined, for example, randomly.
According to this configuration, the target section is selected from a field group other than the field group that is frequently used, so that the probability of detecting fraudulent frames can be maintained high more accurately.

Alternatively, the target determination unit 46 may determine a new target section from among all the divided field groups when the difference between the maximum and minimum values of the number of uses among the field groups becomes less than a second predetermined value (e.g., 3). This new target section may be determined, for example, randomly.
According to this configuration, when the difference in the number of times of use between the target section field groups becomes small, new target sections are selected from all field groups, so that the probability of detecting fraudulent frames can be maintained high more accurately.

Alternatively, when the difference between the maximum and minimum values of the number of uses among the field groups becomes less than a third predetermined value (e.g., 3), the target determination unit 46 may change the division rule and newly divide the frame into a plurality of field groups according to the changed division rule. The target determination unit 46 determines one of the newly divided plurality of field groups as a target section, for example, for each monitoring period. In this case, when the target determination unit 46 newly divides the frame into a plurality of field groups according to the changed division rule, the extraction unit 47 initializes the number of uses of all the newly divided field groups to 0. The new target section may be determined, for example, randomly.
According to this configuration, the partitioning rule of the field group is changed, so that the arbitrariness of the target sections used for verification is increased. In addition, when the difference in the number of uses between the field groups becomes small, the partitioning rule of the field group is changed, so that the probability of detecting an unauthorized frame is prevented from decreasing due to the partitioning rule being changed without each part of the frame being evenly verified. In addition, the count of the number of uses is reset when the partitioning rule is changed, so that the number of uses of the sections partitioned according to the new partitioning rule can be appropriately counted.

[Second Modification]
The target determination unit 46 may determine a different field or set of fields as the target section for each of a plurality of sets of received frames for each monitoring period. In this case, the target section may be determined from the above-mentioned field groups into which the frames are divided according to a predetermined division rule.
According to this configuration, the arbitrariness of the target sections used for verification for each monitoring period is increased, so that the probability of detecting fraudulent frames can be increased.

Figure 4 is a diagram for explaining the verification of frame validity in the second modified example. As in Figure 3, in Figure 4, the horizontal axis represents time, and each vertical rectangle represents a frame transmitted over the communication line 4a at the respective time.

In Figure 4, the black parts in the bold rectangles showing the received frames used in validity verification are sections of interest extracted in correspondence with the target sections. In the example of Figure 4, in the monitoring period on the left side of the figure, a different target section is defined for each of the sets of three received frames, each consisting of two received frames. Also, in the monitoring period on the right side of the figure, a different target section is defined for each of the two sets of received frames, each consisting of three received frames.

Note that each set of received frames during each monitoring period does not necessarily have to consist of consecutive frames, as shown in the monitoring period on the right side of Figure 4.

[Third Modification]
When the verification unit 48 determines that at least one of the sections of interest extracted by the extraction unit 47 from each of the received frames is invalid, the target determination unit 46 may increase the number of field groups determined as target sections from the multiple divided field groups.
According to this configuration, the number of field groups used for verification can be changed depending on the fraud detection situation, thereby adjusting the detection probability of fraudulent frames.

[Fourth Modification]
When the verification unit 48 determines that at least one of the sections of interest extracted by the extraction unit 47 from each of the received frames is invalid, the target determination unit 46 may determine all of the divided field groups as target sections.
According to this configuration, the validity of the received frame is verified using all field groups according to the fraud detection situation, so that the probability of detecting fraudulent frames can be adjusted to be higher.

[Fifth Modification]
The verification unit 48 may increase or extend the length of the monitoring period if it determines that any of the received frames are invalid.
According to this configuration, the probability of detecting fraudulent frames can be adjusted by extending the monitoring period (i.e., the period during which frames used for validity verification are received) depending on the fraud detection situation.

[Sixth Modification]
When the verification unit 48 determines that any of the extracted received frames is invalid, the verification unit 48 may increase the predetermined number of received frames to be extracted for each monitoring period.
According to this configuration, the probability of detecting fraudulent frames can be adjusted by increasing the number of received frames per monitoring period used for verification depending on the fraud detection situation.

[Seventh Modification]
The verification unit 48 can repeatedly set monitoring periods separated by rest periods, and can vary the length of the rest periods irregularly within a predetermined range, for example, periodically or irregularly.
According to this configuration, the monitoring period is set to start at irregular times along the flow of time, making it difficult for malicious parties to identify the monitoring period and effectively detecting attacks via the in-vehicle network.

[Operation of communication monitoring device 40]
Next, a description will be given of the procedure of operation of the communication monitoring device 40. Fig. 5 is a flow diagram showing an example of the procedure of operation of the communication monitoring device 40. The process of Fig. 5 is executed repeatedly at predetermined time intervals, for example.

When the process starts, the target determination unit 46 first divides the frames used in communication into multiple field groups according to one division rule (S100). Next, the verification unit 48 sets a monitoring period of a predetermined length of time (S102). Next, the target determination unit 46 determines whether the monitoring period has started (S104). Then, if the monitoring period has not started (S104, NO), the target determination unit 46 returns to step S104 and repeats the process, waiting for the monitoring period to start.

On the other hand, when the monitoring period starts (S104, YES), the target determination unit 46 determines at least one of the divided field groups as a target section (S106). In addition, the receiving unit 45 receives a predetermined number of frames from the communication line 4 during the monitoring period (S108), and the extraction unit 47 extracts the determined target section from each of the received predetermined number of frames as a section of interest (S110).

Next, the verification unit 48 verifies the validity of the received frame including the extracted sections of interest (S112) and outputs the verification result, for example, to the central ECU 2 (S114).

Then, the processor 41 determines whether the power supply to the communication monitoring device 40 has been cut off (S116), and if the power supply has been cut off (S116, YES), the process ends. On the other hand, if the power supply to the communication monitoring device 40 has not been cut off (S116, NO), the processor 41 returns to step S104 and repeats the process.

[Other embodiments]
The present invention is not limited to the configurations of the above-described embodiments, and can be embodied in various forms without departing from the spirit and scope of the present invention.

For example, in the above embodiment, the communication monitoring device 40 monitors communications on three communication lines 4, but it may also monitor communications on more than three communication lines in a similar manner.

In addition, although the communication monitoring device 40 is described as a separate device in the above embodiment, it may be realized as part of another vehicle-mounted ECU. For example, the communication monitoring device 40 may be realized as part of the central ECU 2 by integrating the processor 41 and memory 42 with the processor and memory (both not shown) provided in the central ECU 2.

In the above-described embodiment, the control system 1 includes one communication monitoring device 40, but may include any number of communication monitoring devices 40, including two or more. For example, the control system 1 may include two communication monitoring devices 40, one of which monitors a portion of the communication on the communication line 4, and the other of which monitors a portion of the communication on the communication line 4.

In addition, in the above embodiment, the communication monitoring device 40 monitors the validity of frames that comply with the CAN communication standard. However, the communication monitoring device 40 is not limited to CAN and can be similarly applied to other types of communication that use frames.

[Configuration supported by the above embodiment]
The above embodiment and modified examples support the following configurations.

(Configuration 1) A communication monitoring device that monitors communications between multiple electronic control devices via an in-vehicle network, the communications being composed of a sequence of one or more frames, the communication monitoring device comprising: a target determination unit that determines some or all of the fields that constitute the frames as target sections; a receiving unit that receives the frames propagating through the in-vehicle network; an extraction unit that extracts the target sections as sections of interest from the received frames received by the receiving unit; and a verification unit that verifies the legitimacy of the received frame based on the extracted sections of interest.
According to the communication monitoring device of configuration 1, the validity of a received frame is verified based on a section of interest that is a part of the received frame, so the processing load for validity verification is reduced compared to the conventional technology that examines the control information and state information of a frame communicated to a specific control target. Also, in the communication monitoring device of configuration 1, the target section that specifies the section of interest can be arbitrarily selected from within the frame, so that the entire frame is ultimately verified by repeating the verification process, and the probability of detecting unauthorized frames can be maintained high.

(Configuration 2) The communication monitoring device described in configuration 1, wherein the target determination unit divides the frame used in the communication into multiple field groups according to a division rule, and determines at least one of the field groups as a target section.
According to the communication monitoring device of configuration 2, the target section is selected from a field group, so that criteria for validity verification in the target section can be easily defined, for example, according to the content definition of the fields included in the field group.

(Configuration 3) The extraction unit counts the number of times each field group is used to extract the section of interest, and the target determination unit determines at least one new target section from among the multiple divided field groups excluding the field group whose number of times of use is the maximum when the difference between the maximum and minimum values of the number of times of use among the field groups becomes greater than or equal to a first predetermined value.The communication monitoring device described in configuration 2.
According to the communication monitoring device of configuration 3, the target section is selected from a field group other than the field group that is frequently used, so that the probability of detecting unauthorized frames can be maintained high more accurately.

(Configuration 4) The communication monitoring device described in Configuration 3, wherein the target determination unit determines a new target section from among all of the divided field groups when the difference between the maximum and minimum values of the number of times of use among the field groups becomes less than a second predetermined value.
According to the communication monitoring device of configuration 4 , when the difference in the number of times of use between field groups becomes small, new target sections are selected from all field groups, thereby making it possible to more accurately maintain a high probability of detecting fraudulent frames.

(Configuration 5) A communications monitoring device described in any of configurations 2 to 4, wherein the extraction unit counts the number of times each of the field groups is used to extract the section of interest, and the target determination unit changes the division rule when the difference between the maximum and minimum values of the number of times each of the field groups is used becomes less than a third predetermined value, newly divides the frame into a plurality of field groups according to the changed division rule, and determines at least one of the newly divided plurality of field groups as the target section.
According to the communication monitoring device of configuration 5, the field group division rule is changed, so that the arbitrariness of the target sections used for verification is increased. Also, when the difference in the number of times of use between field groups becomes small, the field group division rule is changed, so that the decrease in the probability of detecting fraudulent frames caused by changing the division rule without uniformly verifying each part of the frame is prevented.

(Configuration 6) A communication monitoring device as described in Configuration 5, wherein when the target determination unit newly divides the frame into multiple field groups in accordance with the changed division rule, the extraction unit initializes the number of uses of all of the newly divided field groups to 0.
According to the communication monitoring device of configuration 6, the count of the number of uses is reset when the classification rule is changed, so that the number of uses of the section classified according to the new classification rule can be properly counted.

(Configuration 7) A communications monitoring device described in any of configurations 2 to 6, wherein when the verification unit determines that at least one of the sections of interest extracted by the extraction unit from each of the received frames is invalid, the target determination unit increases the number of field groups determined as the target sections from the divided multiple field groups.
According to the communication monitoring device of configuration 7, the number of field groups used for verification can be changed depending on the fraud detection situation, thereby adjusting the detection probability of fraudulent frames.

(Configuration 8) A communications monitoring device described in any of configurations 2 to 6, wherein when the verification unit determines that at least one of the sections of interest extracted by the extraction unit from each of the received frames is invalid, the target determination unit determines all of the divided multiple field groups as the target sections.
According to the communication monitoring device of configuration 8, the validity of the received frame is verified using all field groups according to the fraud detection situation, so that the probability of detecting fraudulent frames can be adjusted to be higher.

(Configuration 9) A communication monitoring device described in any of configurations 2 to 8, wherein the verification unit sets a monitoring period of a predetermined length of time, and the receiving unit receives the frame propagating through the in-vehicle network during the monitoring period.
According to the communication monitoring device of configuration 9, since the frames being communicated are monitored only during a monitoring period of a predetermined length, the processing load for verifying the validity of the frames is reduced.

(Configuration 10) The communication monitoring device described in Configuration 9, wherein the target determination unit randomly determines at least one of the field groups as the target section each time the monitoring period starts.
According to the communication monitoring device of configuration 10, the target section is randomly determined for each monitoring period, so that the probability of detecting unauthorized frames can be maintained high more accurately.

(Configuration 11) A communication monitoring device described in configuration 9 or 10, wherein the verification unit verifies the legitimacy of a predetermined number of the received frames for each monitoring period, and when it determines that any of the received frames is invalid, increases the length of the monitoring period.
According to the communication monitoring device of configuration 11, the probability of detecting unauthorized frames can be adjusted by extending the monitoring period, which is the period during which frames used for validity verification are received, according to the fraud detection situation.

(Configuration 12) The communication monitoring device according to configuration 11, wherein the verification unit increases the predetermined number when it determines that any of the extracted received frames is invalid.
According to the communication monitoring device of configuration 12, the probability of detecting unauthorized frames can be adjusted by increasing the number of received frames per monitoring period used for verification depending on the status of unauthorized detection.

(Configuration 13) A communication monitoring device described in any of configurations 9 to 12, wherein the verification unit repeatedly sets the monitoring period separated by a pause period and changes the length of the pause period irregularly within a predetermined range.
According to the communication monitoring device of configuration 13, the monitoring period is set to start at an irregular time along the flow of time, making it difficult for a malicious person to identify the monitoring period and effectively detecting attacks via the in-vehicle network.

(Configuration 14) A communications monitoring device described in any of configurations 9 to 13, wherein the target determination unit determines a different field or set of fields as the target section for each of multiple sets of received frames for each monitoring period.
According to the communication monitoring device of configuration 14, the arbitrariness of the target sections used for verification for each monitoring period can be increased, thereby increasing the probability of detecting unauthorized frames.

(Configuration 15) A communication monitoring method performed by a computer of a communication monitoring device that monitors communications between multiple electronic control devices via an in-vehicle network, the communications being composed of a series of one or more frames, the method comprising the steps of determining some or all of the fields that constitute the frames as target sections, repeatedly receiving the frames propagating through the in-vehicle network, extracting the target sections as sections of interest from the received frames, which are the frames received in the receiving step, and verifying the legitimacy of the received frames based on the extracted sections of interest.
According to the communication monitoring method of configuration 15, the validity of a received frame is verified based on a section of interest that is a part of the received frame, so the processing load for validity verification is reduced compared to the conventional technology that examines the control information and state information of a frame communicated for a specific control target. Also, in the communication monitoring method of configuration 15, the target section that specifies the section of interest can be arbitrarily selected from within the frame, so that the entire frame is ultimately verified by repeating the verification process, and the probability of detecting an unauthorized frame can be maintained high.

1...control system, 2...central ECU, 4a, 4b, 4c...communication line, 20...zone ECU, 20a...first zone ECU, 20b...second zone ECU, 20c...third zone ECU, 30, 30a, 30b, 30c, 30d, 30e, 30f, 30g, 30h, 30i...ECU, 40...communication monitoring device, 41...processor, 42...memory, 43...communication device, 44...communication monitoring program, 45...receiving unit, 46...target determination unit, 47...extraction unit, 48...verification unit.

Claims (14)

A communication monitoring device that monitors communications between a plurality of electronic control devices via an in-vehicle network,
the communication comprises a sequence of one or more frames;
a target determination unit that determines a part or all of the fields that constitute the frame as a target section;
a receiving unit that receives the frame propagating through the in-vehicle network;
an extraction unit that extracts the target section as a section of interest from a received frame that is the frame received by the receiving unit;
a verification unit that verifies the validity of the received frame based on the extracted section of interest;
Equipped with
The target determination unit divides the frame used in the communication into a plurality of field groups according to a division rule, and determines at least one of the field groups as a target section.
Communications monitoring equipment. The extraction unit counts the number of times each of the field groups is used to extract the section of interest,
The target determination unit determines at least one new target section from among the divided plurality of field groups excluding the field group having the maximum number of times of use when a difference between the maximum value and the minimum value of the number of times of use among the field groups becomes equal to or greater than a first predetermined value.
The communication monitoring device according to claim 1 . The target determination unit determines a new target section from among all the divided field groups when a difference between a maximum value and a minimum value of the number of times of use among the field groups becomes less than a second predetermined value.
The communication monitoring device according to claim 2 . The extraction unit counts the number of times each of the field groups is used to extract the section of interest,
The target determination unit changes the partitioning rule when a difference between a maximum value and a minimum value of the number of times of use among the field groups becomes less than a third predetermined value, newly partitions the frame into a plurality of field groups according to the changed partitioning rule, and determines at least one of the newly partitioned plurality of field groups as a target section.
The communication monitoring device according to claim 1 . When the object determination unit newly divides the frame into a plurality of field groups according to the changed division rule, the extraction unit initializes the number of uses of all of the newly divided field groups to 0.
5. The communication monitoring device according to claim 4 . When the verification unit determines that at least one of the sections of interest extracted by the extraction unit from each of the received frames is invalid, the target determination unit increases the number of field groups determined as the target section from the divided plurality of field groups.
The communication monitoring device according to claim 1 . When the verification unit determines that at least one of the sections of interest extracted by the extraction unit from each of the received frames is invalid, the target determination unit determines all of the divided field groups as the target sections.
The communication monitoring device according to claim 1 . The verification unit sets a monitoring period of a predetermined length of time,
The receiving unit receives the frame propagating through the in-vehicle network during the monitoring period.
The communication monitoring device according to claim 1 . The target determination unit randomly determines at least one of the field groups as a target section each time the monitoring period starts.
The communication monitoring device according to claim 8 . The verification unit is
verifying the legitimacy of a predetermined number of the received frames for each monitoring period;
increasing the length of the monitoring period when any of the received frames is determined to be invalid;
The communication monitoring device according to claim 8 . When the verification unit determines that any one of the extracted received frames is invalid, the verification unit increases the predetermined number.
The communication monitoring device according to claim 10 . The verification unit is
The monitoring period is repeatedly set with a rest period therebetween, and
The length of the pause period is irregularly changed within a predetermined range.
The communication monitoring device according to claim 8 . The target determination unit determines, for each of the plurality of sets of received frames, a different field or set of fields as the target section for each of the monitoring periods.
A communication monitoring device according to any one of claims 8 to 12 . A communication monitoring method performed by a computer of a communication monitoring device that monitors communications between a plurality of electronic control devices via an in-vehicle network, comprising:
the communication comprises a sequence of one or more frames;
determining a part or all of the fields constituting the frame as a target section;
repeatedly receiving the frame propagating through the in-vehicle network;
extracting the target section as a section of interest from the received frame, which is the frame received in the receiving step;
verifying the validity of the received frame based on the extracted section of interest;
having
In the determining step, the frame used in the communication is divided into a plurality of field groups according to a division rule, and at least one of the field groups is determined as the target section.
Communications monitoring methods.

Images