KR20180029848A - System for verification of non-registered device based on imformation of ethernet switch and method for the same - Google Patents

Abstract

A method for operating a communication node according to an embodiment of the present invention, as a method for operating a first communication node among a plurality of communication nodes constituting an Ethernet-based vehicle network, includes the steps of: receiving a message from a second communication node; determining whether a source address of the message exists in a first address table stored in a memory of the first communication node; and transmitting the message and the source address to a management node if the source address does not exist in the address table. Accordingly, the present invention can diagnose faults of internal and external communication devices connected to an Ethernet network.

Description

FIELD OF THE INVENTION [0001] The present invention relates to a system and method for verifying unregistered devices based on Ethernet switch information,

The present invention relates to a system and method for diagnosing a failure of an external communication device connected to an Ethernet network of a vehicle, and more particularly to a system and method for diagnosing a failure of a communication device based on Ethernet switch information, And to a method and system.

2. Description of the Related Art [0002] With the rapid progress of electronic components for vehicle components, the types and number of electronic devices (for example, electronic control units (ECUs)) mounted on the vehicles have been greatly increased. Electronic devices can be largely used in a power train control system, a body control system, a chassis control system, a vehicle network, a multimedia system, and the like. The powertrain control system may mean an engine control system, an automatic shift control system, and the like. The body control system may refer to a body electrical equipment control system, a convenience device control system, a lamp control system, and the like. The chassis control system may refer to a steering control system, a brake control system, a suspension control system, and the like. The vehicle network may refer to a controller area network (CAN), a FlexRay-based network, or a MOST (media oriented system transport) based network. The multimedia system may refer to a navigation system, a telematics system, an infotainment system, or the like.

The electronic devices constituting each of these systems and systems are connected through a vehicle network, and a vehicle network is required to support the functions of each of the electronic devices. CAN can support transmission rates of up to 1Mbps, support automatic retransmission of collided frames, and error detection based on cycle redundancy check (CRC). FlexRay-based networks can support transmission speeds of up to 10 Mbps, support simultaneous transmission of data over two channels, and synchronous data transmission. The MOST-based network is a communication network for high-quality multimedia and can support transmission rates of up to 150Mbps.

On the other hand, vehicle telematics systems, infotainment systems, and advanced safety systems require high transmission speeds and system scalability, and CAN and FlexRay-based networks do not fully support them. MOST-based networks can support higher transmission speeds than CAN- and FlexRay-based networks, but MOST-based networks are costly for all vehicle networks. Due to these problems, an ethernet-based network can be considered as a vehicle network. An Ethernet-based network can support bidirectional communication through a pair of windings and can support transmission rates up to 10 Gbps.

The system configuration of the vehicle communication system is expanding in terms of connectivity with the outside in comparison with the existing internal CAN-based communication network as well as the in-vehicle network. Communication with a cloud server for communication devices and connected cars, and so on.

However, when the Ethernet communication is applied to the interior of the vehicle, the possibility of malfunction due to security threats to the vehicle and communication failures may increase as communication with an external device that can not be considered in advance increases. Therefore, there is a need for measures to counter such security threats and communication failures. In addition, an unintentional malfunction may occur due to a system failure or an error of an internal device as well as an external device, and a method for diagnosing such a malfunction is needed.

According to an embodiment of the present invention, there is provided a system and method for verifying unregistered devices based on Ethernet switch information, the method comprising: diagnosing a failure of an internal / external device connected to an Ethernet network based on Ethernet switch information; .

According to an embodiment of the present invention, there is provided a system and method for verifying an unregistered device based on Ethernet switch information, which verifies an unregistered device connected to an Ethernet network.

According to an embodiment of the present invention, there is provided a system and method for verifying unregistered devices based on Ethernet switch information, which detects malfunction caused by security threats and communication failures of an unregistered device.

According to another aspect of the present invention, there is provided a method for operating a first communication node among a plurality of communication nodes constituting an ethernet-based vehicle network, The method comprising the steps of: receiving a message from a second communication node; determining whether a source address of the message exists in a first address table stored in a memory of the first communication node; and if the source address does not exist in the address table, And sending the message and the source address to a management node.

The method of operating a communication node according to an embodiment of the present invention further comprises receiving a verification result for the source address from the management node.

The operation method of the communication node according to the embodiment of the present invention is characterized in that when the source address exists in the second address table stored in the memory of the management node based on the verification result, .

The operation method of the communication node according to the embodiment of the present invention is characterized in that when the source address exists in the second address table stored in the memory of the management node based on the verification result, It is judged as an error.

In the method of operating a communication node according to an embodiment of the present invention, when the source address exists in the second address table stored in the memory of the management node based on the verification result, the third communication node To the source address.

The method of operating a communication node according to an embodiment of the present invention further includes receiving an authentication result for the message from the management node.

The method of operating a communication node according to an embodiment of the present invention further includes adding the source address to the first address table when it is determined that the message is authenticated by the authentication result.

The method of operating a communication node according to an embodiment of the present invention further comprises transmitting the source address to a third communication node connected to the first communication node.

The method of operating a communication node according to an embodiment of the present invention further includes releasing a communication connection between the first communication node and the second communication node when the message is not authenticated by the authentication result.

A method of operating a managed node in an Ethernet-based vehicle network, the method comprising: receiving a message from a first communication node and a source address of the message; Determining whether the source address exists in the entire address table of all the communication nodes included in the network stored in the memory; and if the source address exists in the entire address table, 1 to the communication node; and performing authentication of the message if the source address does not exist in the entire address table.

The method of operating a management node according to an embodiment of the present invention includes the steps of transmitting a verification result of the source address and the source address to a second communication node connected to the management node when the source address exists in the entire address table .

According to an embodiment of the present invention, there is provided a method of operating a management node, the method comprising: storing a fault code indicating a communication connection error in the memory when the source address exists in the entire address table; And displaying the failure code in at least one of an auditory and visual manner.

The method of operating a management node according to an embodiment of the present invention further includes transmitting the failure code to a diagnosis unit connected to the management node.

The method of operating a management node according to an embodiment of the present invention further includes transmitting an authentication result of the message to the first communication node.

The operation method of the management node according to the embodiment of the present invention further includes adding the source address of the message to the entire address table when it is determined that the message is authenticated by the authentication result.

The method of operating a management node according to an embodiment of the present invention includes transmitting the authentication result and the source address to a second communication node connected to the management node when it is determined that the message is authenticated according to the authentication result .

The operation method of a management node according to an embodiment of the present invention is a method of operating a management node that discards the message if the message is not authenticated by the authentication result and transmits the authentication result and the source address to the first communication node and the management node To the second communication node.

A management node according to an embodiment of the present invention is a management node constituting an ethernet-based vehicle network, and includes a processor and a memory. The memory stores at least one command executed by the processor and a total address table of all communication nodes included in the Ethernet network. Here, the at least one command determines whether a source address of the message is present in the entire address table when a message is received from the first communication node. When the source address exists in the entire address table, the verification result of the source address is transmitted to the first communication node. If the source address does not exist in the global address table, the authentication is performed.

In a managed node according to an embodiment of the present invention, the at least one command transmits an authentication result of the message to the first communication node.

In a management node according to an embodiment of the present invention, the at least one command adds the source address to the entire address table if the message is authenticated by the authentication result.

The non-registered device verification system and method based on the Ethernet switch information according to the embodiment of the present invention can diagnose a failure of the internal / external communication device connected to the Ethernet network based on the Ethernet switch information.

The non-registered device verification system and method based on the Ethernet switch information according to the embodiment of the present invention can check the source address of the message received at the communication node and confirm whether the device transmitting the message is registered / unregistered.

The non-registered device verification system and method based on the Ethernet switch information according to the embodiment of the present invention can determine whether the non-registered device is authenticated and whether the communication is continued, thereby blocking communication with the non-registered device.

The non-registered device verification system and method based on the Ethernet switch information according to the embodiment of the present invention may determine whether the non-registered device is authenticated and whether the communication is continued, and add the source address of the non-registered device to the address table.

The non-registered device verification system and method based on the Ethernet switch information according to the embodiment of the present invention can prevent the unauthorized operation due to the system failure or error of the internal / external device of the vehicle, Or the failure of the switch itself.

1 is a block diagram illustrating an embodiment of a topology of a vehicle network.
2 is a block diagram showing an embodiment of a communication node constituting a vehicle network.
3 is a diagram illustrating a fault diagnosis and detection system of an unregistered apparatus based on Ethernet switch information according to an embodiment of the present invention.
4 is a conceptual diagram showing the configuration of an Ethernet switch.
5 is a conceptual diagram showing an Ethernet data frame format.
6 is a conceptual diagram showing source address information included in a received message of an end node.
7 is a conceptual diagram showing an embodiment of vehicle Ethernet application.
8 is a diagram showing an operation of a non-registered apparatus based on Ethernet switch information according to an embodiment of the present invention in a communication node (controller) as a method of detecting and updating a source address.
9 is a diagram illustrating an operation of a non-registered device based on Ethernet switch information according to an embodiment of the present invention in a management node (gateway).

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the relevant art and are to be interpreted in an ideal or overly formal sense unless explicitly defined in the present application Do not.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In order to facilitate the understanding of the present invention, the same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.

When the devices constituting the Ethernet communication-based network are dynamically variable over time, the address table in the switch itself can be updated through MAC learning, which is a basic function of the Ethernet switch . In case of a limited network environment in which the position and address of the device can be defined as static in advance like an in-vehicle network, an unnecessary MAC learning process is predefined by predefining an address table in the switch It can be eliminated. This makes it possible to improve the efficiency of network communication processing and the efficiency of network management. The communication failure diagnosis system of the unregistered device based on the Ethernet switch information that can diagnose the failure of the non-registered device and the communication error when communicating between the vehicle and the external device using the Ethernet network, Method.

1 is a block diagram illustrating one embodiment of a network topology of a vehicle network.

1, a communication node constituting a vehicle network may refer to a gateway, a switch (or a bridge), an end node, or the like. The gateway 100 may be connected to at least one switch 110, 110-1, 110-2, 120, or 130, and may connect different networks. For example, the gateway 100 may include a communication node that supports a controller area network (CAN) (or FlexRay, a media oriented system transport (MOST), a local interconnect network (LIN) ) Protocol can be connected between the switches. Each of the switches 110, 110-1, 110-2, 120 and 130 may be connected to at least one end node 111, 112, 113, 121, 122, 123, 131, 132, Each of the switches 110, 110-1, 110-2, 120 and 130 may interconnect the end nodes 111, 112, 113, 121, 122, 123, 131, 132 and 133, It is possible to control the nodes 111, 112, 113, 121, 122, 123, 131, 132,

The end nodes 111, 112, 113, 121, 122, 123, 131, 132 and 133 may mean an electronic control unit (ECU) for controlling various devices included in the vehicle. For example, end nodes 111, 112, 113, 121, 122, 123, 131, 132 and 133 may be infotainment devices (e.g., display devices, navigation devices, (An around view monitoring device), and the like.

The communication nodes (i.e., gateways, switches, end nodes, etc.) that constitute the vehicle network may be a star topology, a bus topology, a ring topology, a tree topology, Topology, and so on. Further, each of the communication nodes constituting the vehicle network may support the CAN protocol, the FlexRay protocol, the MOST protocol, the LIN protocol, the Ethernet protocol, and the like. Embodiments according to the present invention can be applied to the network topology described above, and the network topology to which the embodiments according to the present invention are applied is not limited to this, and can be variously configured.

2 is a block diagram showing an embodiment of a communication node constituting a vehicle network.

Referring to FIG. 2, a communication node 200 constituting a network may include a PHY layer unit 210 and a controller unit 220. In addition, the communication node 200 may further include a regulator (not shown) for supplying power. At this time, the controller unit 220 may be implemented including a medium access control (MAC) layer. PHY layer unit 210 may receive signals from other communication nodes or may transmit signals to other communication nodes. The controller unit 220 may control the PHY layer unit 210 and may perform various functions (e.g., infotainment function, etc.). The PHY layer unit 210 and the controller unit 220 may be implemented as one SoC (System on Chip) or a separate chip.

The PHY layer unit 210 and the controller unit 220 may be connected through a media independent interface (MII) 230. The MII 230 may refer to an interface defined in IEEE 802.3, and may be configured as a data interface and a management interface between the PHY layer unit 210 and the controller unit 220. One of the interfaces of RMII (reduced MII), GMII (gigabit MII), RGMII (reduced GMII), SGMII (serial GMII) and XGMII (10 GMII) may be used instead of MII 230. The data interface may include a transmission channel and a reception channel, and each of the channels may have independent clock, data, and control signals. The management interface may be configured as a two-signal interface, one for the clock and the other for the data.

The PHY layer unit 210 may include a PHY layer interface unit 211, a PHY layer processor 212 and a PHY layer memory 213 and the like. The configuration of the PHY layer unit 210 is not limited thereto, and the PHY layer unit 210 may be configured in various ways. The PHY layer interface unit 211 may transmit signals received from the controller unit 220 to the PHY layer processor 212 and may transmit signals received from the PHY layer processor 212 to the controller unit 220. [ PHY layer processor 212 may control the operation of PHY layer interface unit 211 and PHY layer memory 213, respectively. The PHY layer processor 212 may perform modulation of the signal to be transmitted or demodulation of the received signal. The PHY layer processor 212 may control the PHY layer memory 213 to input or output a signal. The PHY layer memory 213 can store the received signal and output the stored signal upon request of the PHY layer processor 212. [

The controller unit 220 may perform monitoring and control for the PHY layer unit 210 via the MII 230. The controller unit 220 may include a controller interface unit 221, a controller processor 222, a main memory 223, an auxiliary memory 224, and the like. The configuration of the controller unit 220 is not limited thereto, and the controller unit 220 can be configured in various ways. The controller interface unit 221 can receive signals from the PHY layer unit 210 (i.e., the PHY layer interface unit 211) or an upper layer (not shown) and send the received signals to the controller processor 222 And may transmit signals received from the controller processor 222 to the PHY layer unit 210 or higher layer. The controller processor 222 may further include independent memory control logic or integrated memory control logic for controlling the controller interface unit 221, the main memory 223 and the auxiliary memory 224. The memory control logic may be included in the main memory 223 and the auxiliary memory 224, or may be included in the controller processor 222 and implemented.

Each of the main memory 223 and the auxiliary memory 224 may store the signal processed by the controller processor 222 and output the stored signal at the request of the controller processor 222. [ The main memory 223 may mean a volatile memory (e.g., random access memory (RAM), etc.) that temporarily stores data necessary for the operation of the controller processor 222. [ The auxiliary memory 224 includes an operating system code (e.g., a kernel and a device driver) and an application program code for performing functions of the controller processor 220 May be stored in the nonvolatile memory. A flash memory having a high processing speed can be used as a nonvolatile memory or a hard disk drive (HDD), a compact disc-read only memory (CD-ROM), etc. for storing a large amount of data Can be used. Controller processor 222 may typically be comprised of logic circuitry including at least one processing core. As the controller processor 222, an ARM (Advanced RISC Machines Ltd.) series core, an atom series core, or the like may be used.

Hereinafter, a method performed in a communication node belonging to a vehicle network and a corresponding counterpart communication node will be described. Hereinafter, even when a method (e.g., transmission or reception of a signal) to be performed at the first communication node is described, the corresponding second communication node can perform a method corresponding to the method performed at the first communication node For example, receiving or transmitting a signal). That is, when the operation of the first communication node is described, the corresponding second communication node can perform an operation corresponding to the operation of the first communication node. Conversely, when the operation of the second communication node is described, the corresponding first communication node can perform an operation corresponding to the operation of the switch

FIG. 3 is a diagram showing a fault diagnosis and detection system of an unregistered device based on Ethernet switch information according to an embodiment of the present invention, and FIG. 4 is a conceptual diagram illustrating an Ethernet switch configuration.

3 and 4, an unregistered device verification system 300 based on Ethernet switch information according to an embodiment of the present invention includes a diagnosis unit 310, a management node 320, and at least one communication node 330 . Here, the management node 320 and the communication node 330 may be located inside the vehicle, and the diagnosis unit 310 may be located outside the vehicle. In FIG. 4, a switch may be located between the PHY layer unit and the communications port of the communications node 330, which may be a physical or logical configuration.

The diagnosis unit 310 may be connected to the Ethernet network of the vehicle to diagnose the failure and the failure type of the communication node 330 (e.g., the control apparatus of the vehicle) of the vehicle. The diagnosis unit 310 can load the fault record of the individual vehicle by using the self diagnosis function and display it on the screen, and can update the firmware of the end node, the switch and the gateway of the vehicle. In addition, the diagnosis unit 310 may update the source address information of the pre-registered external device connected to the Ethernet network of the vehicle to the memory of the in-vehicle devices (end node, switch, gateway, etc.). In addition, the diagnosis unit 310 can update the source address (e.g., source MAC address) information of an unregistered (or unauthenticated) external device in the memory of the vehicle internal devices by being connected to the vehicle's Ethernet network.

The communication node 330 may include an ECU (Electronic Control Unit), a memory (not shown), and a plurality of communication ports. As such a communication node 330, a switch and an end node can be applied. As examples of end nodes, various controllers of the vehicle can be applied.

The communication node 330 can know from which controller the message is received based on the address information of each communication port since the communication connection relation between the controllers disposed therein does not change during the vehicle operation.

As an example, an address table for each communication port described in Table 1 below may be stored in the memory of the communication node 330. Here, the source MAC address for each communication port can be stored in the address table.

5 is a conceptual diagram showing an Ethernet data frame format.

5, a communication node (e.g., a gateway, a switch, or an end node) of the vehicle can transmit and receive Ethernet data using the frame format shown in FIG. The frame format of the Ethernet data includes a preamble (not shown), a MAC (Media Access Control) header, a data payload, and a frame check sequence.

The preamble may be added and transmitted at the PHY layer of the transmitting side so that the receiving system can synchronize with the input timing. Although not shown in the figure, a start of frame delimiter (SFD) may be placed after the preamble to indicate the beginning of a normal frame. The MAC header includes a Destination MAC Address field indicating a destination MAC address of the data to be received, a Source MAC Address field indicating a data sender's physical address, And an Ethernet type field that defines the type of the Ethernet packet. The data payload includes data encapsulated from a protocol of a higher layer. The frame check sequence is used to discriminate an error of a received frame. The CRC is added at the transmitting side and the CRC is checked at the receiving side, so that the received frame can be checked for errors.

The communication node 330 (switch or end node) can send and receive data to and from other communication nodes (switches or end nodes) or gateways of the vehicle via the Ethernet data frame format. That is, the communication node 330 can transmit and receive data with an internal controller or an external controller disposed in the vehicle.

The message transmitted and received between the management node 320 and the communication node 330 located in the vehicle may include authentication information. Here, the authentication information may be included in the message to verify whether the transmission / reception of the message is successful / unsuccessful and whether the communication connection with the normal communication node 330 in the vehicle is a communication connection. In addition, the authentication information may be included in the message to verify whether the transmission / reception of the message received from the device outside the vehicle to the communication node 330 is successful / failed and the communication connection of the communication node (device) outside the vehicle.

For example, the communication node 330 may check the destination address field and the source address field of the MAC header included in the data frame to identify the source and destination of the data. In addition, the communication node 330 may check the destination address field and the source address field of the MAC header included in the data frame to determine whether a message is received from a normal controller capable of connecting to the Ethernet network of the vehicle. That is, the communication node 330 can check the destination address field and the source address field of the MAC header included in the data frame to check whether the message is normally received from the registered vehicle internal controller and the vehicle external controller.

Upon receiving the message, the communication node 330 may compare the source address of the received message, e.g., the source MAC address, with the information in the address table stored in the memory. At this time, the communication node 330 can determine whether the information of the address table stored in the memory matches the source address of the message received from the internal or external controller of the vehicle. That is, the communication node 330 compares the address table information stored in the memory with the source address of the received message, so that the source address of the message received at the communication node 330 is present in the address table of the memory of the communication node 330 . Thus, it can be determined whether the message received at the communication node 330 is a normal message sent from the in-vehicle apparatus or the registered external apparatus.

As a result of the determination, when a message having a source address not matched with the address table stored in the memory of the communication node 330 is received, the communication node 330 transmits the message to the management node 320 and the port information (number) on which the message is received. That is, if the source address of the message received at the communication node 330 is not present in the address table stored in the memory of the communication node 330, then the communication node 330 sends information about the received message and the source address To the management node 320.

As an example, an address table is stored in the memory of the management node 320. [ The address table stores the source addresses of the gateways, switches, end nodes, and communication nodes connected to the outside of the vehicle, which are disposed inside the vehicle. Accordingly, the management node 320 can verify the source addresses of the gateways, switches, end nodes, and external communication nodes in the vehicle using the address table. The communication node 330 may communicate the source address information shown in Fig. 6 with a specific communication port connected to the management node 320 for authentication with the source address of the received message.

3 and 4 illustrate that communication ports of the communication node 330 and the management node 320 are arranged in five communication ports, The number of communication ports can be changed according to the number.

The management node 320 includes a memory (not shown) and a plurality of communication ports and is capable of receiving messages and source address information of the messages from the communication node 330 via a particular communication port. As an example, the communication node 330 may send the source address information shown in FIG. 6 to the management node 320.

A gateway (GW) may be applied as the management node 320, and at least one command executed by the PHY layer unit and the control unit is stored in the memory of the management node 320. [ In addition, the memory of the management node 320 may store an address table including a source address (for example, a source MAC address) of all the communication nodes (gateways, switches, end nodes, etc.) of the vehicle. Further, the memory of the management node 320 may store a source address table of a communication node connected from outside the vehicle.

For example, as shown in Table 2 below, a source MAC address for each communication port of the management node 320 is stored in a memory of the management node 320 in the form of a table. Also, in the memory of the management node 320, a source MAC address for each communication port of the communication node 330 is stored in a table form.

In Table 2, GW means the management node 320, and the ECU 1 means the communication node 330 connected to the management node 320. [ In addition, Switch1 Port # indicates the communication port number of the management node 320, and Switch2 Port # indicates the communication port number of the communication node.

When the source address of the message is received from the communication node 330 to the management node 320, the management node 320 can compare the received source address with the address table stored in the memory. Accordingly, the management node 320 can determine whether or not the address table information stored in the memory matches the source address of the message received at the communication node 330. That is, the management node 320 can determine whether a message is normally received from a controller (an internal device and an external device of the vehicle) that has been defined. Here, the address table stored in the memory of the management node 320 includes the MAC address information of the in-vehicle controllers and the MAC address information of the controllers connectable from outside the vehicle.

The management node 320 may determine that a message has been received from the vehicle's internal controller when the information in the address table stored in the memory matches the source address information received at the communication node 330. [ Accordingly, the management node 320 can determine that a communication connection error has occurred between the internal controllers of the vehicle. That is, the management node 320 can determine that there is a communication connection error between the internal controllers of the vehicle when the source address received from the communication node 330 exists in the address table stored in the memory. At this time, the management node 320 may transmit the source address information of the received message to the communication node 330. The communication node 330 may add the source address received at the management node 320 to the address table stored in the memory.

Then, the management node 320 may store in the memory of the management node 320 a failure code (DTC) indicating a communication connection error between the internal controllers of the vehicle. That is, although the source address information received at the communication node 330 does not match the MAC address information of the address table stored in the memory of the communication node 330, the MAC address information of the address table stored in the memory of the management node 320 A match may occur. In this case, the management node 320 determines that a communication connection error has occurred when receiving a message from the controller located inside the vehicle, and transmits a failure code (DTC) indicating a communication connection error between the internal controllers of the vehicle to the management node 320). ≪ / RTI >

In addition, the management node 320 may display a failure code (DTC) indicating a communication connection error between the internal controllers of the vehicle to the driver in at least one of a visual and an auditory manner. That is, it is possible to light a warning indicating the trouble code (DTC) or display a trouble code (DTC) on the display screen. It is also possible to output a warning sound indicating a trouble code (DTC) or to output a trouble code (DTC) through audio broadcasting. This allows the driver to be alerted of communication connection errors between the vehicle's internal controllers. In addition, the management node 320 transmits a failure code (DTC) indicating a communication connection error between the internal controllers of the vehicle to the diagnosis unit 310 to update the firmware of the gateway, switch, and end nodes of the vehicle can do. In addition, the management node 320 may guide the driver of the service requirements for reestablishing the connection of the controllers.

As another example, if the MAC address information of the address table stored in the memory and the source address information received from the communication node 330 do not match, the management node 320 performs an authentication procedure of the device that transmitted the message . At this time, when the MAC address information of the address table stored in the memory and the source address information received at the communication node 330 do not match, the management node 320 receives the message from the external communication node newly connected to the network of the vehicle .

Then, the management node 320 can confirm the authentication information included in the received message. That is, when the authentication information for the received message does not exist or the authentication information included in the message does not match the preset authentication information, the unauthenticated external device connects to the vehicle's Ethernet network It can be determined that the message is transmitted. That is, the management node 320 may determine that a message has been received from an unauthenticated external device.

If the external device that transmitted the message has been authenticated by the manufacturer of the vehicle, the management node 320 may be determined as a communication error because the communication node 330 does not recognize the new communication node.

In addition, the management node 320 may add the source address information of the normal external device authenticated by the manufacturer to the address table stored in the memory of the management node 320. [

In addition, when the management node 320 receives the message from the normal external device authenticated by the manufacturer as a result of checking the authentication information of the message, the management node 320 can transmit the authentication result to the communication node 330.

 Also, the management node 320 may transmit source address information of a normal external device authenticated by the manufacturer to another communication node, a switch, or a gateway connected thereto.

The communication node 330 receiving the authentication result from the management node 320 may add the source address information of the normal external device authenticated by the manufacturer to the address table stored in the memory of the communication node 330. Further, the communication node 330 may transmit the authentication result and the source address of the received message to another communication node, a switch, and a gateway connected to the communication node 330 so as to update the address table of the other communication node, the switch, and the gateway have.

If the management node 320 determines that the authentication information included in the received message is not an external device (mobile communication device or IoT device) authenticated by the manufacturer of the vehicle, the management node 320 may transmit an external security threat (e.g., hacking) It can be determined that a communication error has occurred. That is, when a message is received from an external device that is not authenticated by a vehicle manufacturer, it can be determined that a communication error due to an external security threat (e.g., hacking) has occurred. The management node 320 may transmit the authentication result to the communication node 330 to notify that a communication error has occurred due to an external security threat (e.g., hacking). Upon receiving the authentication result from the management node 320, the communication node 330 can release the communication connection of the communication port connected to the unauthorized external device. At this time, the communication node 330 turns off the switch connecting the PHY layer unit and the communication ports, and can release the communication connection between the communication port and the unauthorized external device.

As described above, when the management node 320 receives a message from an abnormal external device not authenticated by the manufacturer as a result of checking the authentication information of the message, the management node 320 can determine that it is a security threat of the vehicle network. That is, the management node 320 can determine that a hacking attempt is made from the outside to the vehicle.

Accordingly, the management node 320 may discard the message received from the device that attempted to hack. In addition, since a hacking threat may continuously occur from an abnormal external device in the future, the management node 320 may notify the source address information of the external device attempting to hack the communication with the external device to the management node 320 As shown in FIG. The management node 320 may block communication with an abnormal external device when communication access from an abnormal external device is attempted in the future based on the source address information of the abnormal external device stored in the memory.

In addition, the management node 320 may transmit the source address information of the external device attempting to hack to the communication node 330. The communication node 330 separately stores the source address information of the external device attempting to hack into the memory of the communication node 330. [ The communication node 330 may block communication with an abnormal external device when communication access from an abnormal external device is attempted in the future based on the source address information of the abnormal external device stored in the memory.

As described above, the communication failure diagnosis system of the non-registered device based on the Ethernet switch information stores and manages the source address information of the internal devices and external devices of the vehicle in the memory of the management node 320, By confirming the information, it is possible to prevent the change of the in-vehicle address information due to the communication connection and the hacking of the unauthorized external device.

The communication failure diagnosis system and method of the non-registered device based on the Ethernet switch information of the present invention restricts update of the address table of the controllers disposed in the vehicle in order to prevent communication connection and hacking of the unauthorized external device.

For example, a maker drives an initial mode before leaving the vehicle, connects the diagnostic unit 310 to the vehicle's Ethernet network, and learns McLearning of the communication node 330 and the management node 320 disposed in the vehicle Can be performed. The source address of the controllers connected to the communication node 330 through the diagnosis unit 310 can be updated to the address table stored in the memory of the communication node 330. [ In addition, the source address of the controllers connected to the management node 320 through the diagnosis unit 310 can be updated to the address table stored in the memory of the management node 320. [ That is, the MAC address of all the controllers disposed in the vehicle can be updated in the memory of the management node 320. [

Here, the ECU of the management node 320 and the ECU of the communication node 330 may be set not to update the address table separately except for the initial mode. When a change is made to the address table stored in the memory of the management node 320, information on the change is transmitted to the server, so that management of the vehicle can be systematically performed. That is, information on the change of the address table, which the driver does not intend, is transmitted to the server so that the risk of vehicle hacking due to the access of the external device can be managed.

Accordingly, the communication failure diagnosis system of the unregistered device based on the Ethernet switch information does not update the firmware every time the source address of the vehicle interior is changed, but updates the firmware of the source address and the firmware only in a predetermined mode . This makes it possible to prevent a change in data in the vehicle due to communication connection and hacking of an unauthorized external device.

7 is a conceptual diagram showing an embodiment of vehicle Ethernet application.

7, the vehicle's Ethernet network includes a management node 320, a first communication node 330, and a second communication node 340. [ The diagnosis unit 310 may be located outside the vehicle and the management node 320, the first communication node 330 and the second communication node 340 may be located inside the vehicle.

In FIG. 7, an example in which a camera controller (for example, an ambient view monitor, AVM) is applied to the second communication node 340 is shown. A camera 342 (CAM) for capturing an external environment may be disposed in the vehicle, and a second communication node 340 (AVM) and a camera 342 (CAM) may be connected through a communication port.

Replacement can be made by failure or breakage of the controller disposed in the vehicle. For example, when replacing the second communication node 340 (AVM), the source address of each communication port of the second communication node 340 may be changed. Since the source address of the existing second communication node 340 (AVM) is stored in the address table stored in the memory of each of the first communication node 330 and the management node 320, The source address of the second communication node 340 (AVM) becomes inconsistent. Namely, the source address of the existing second communication node 340 (AVM) stored in the address table stored in the memory of the first communication node 330 and the management node 320, and the newly replaced second communication node 340, The source address of the AVM becomes inconsistent.

An unregistered device verification system and method based on Ethernet switch information according to an embodiment of the present invention includes a source address of a new controller (e.g., second communication node 340, AVM) to be replaced upon replacement of a controller located in the vehicle To the address table stored in the memory of the first communication node 330 and the management node 320, respectively.

For example, the Ethernet network of the vehicle may be connected to the diagnosis unit 310, and the diagnosis unit 310 may be used to transmit a command to the management node 320 to enter a diagnostic mode. The management node 320 may cause the update of the address table of the entire controller disposed in the vehicle based on the received diagnosis mode entry command. Specifically, the management node 320 may transmit a diagnosis mode entry command to a controller (a communication node, a switch, a gateway, and the like) connected thereto. Each controller (a communication node, a switch, a gateway, and the like) that receives a diagnosis mode entry command from the management node 320 may perform a learning operation to update the address table.

Here, the ECU of the second communication node 340 (AVM) to be newly replaced can transmit an address table including its source address information to the first communication node 330.

The first communication node 330 may update the source address information of the second communication node 340 (AVM) to be replaced with its address table (the address table of the first end node switch). The first communication node 330 may transmit source address information of the second communication node 340 (AVM) that is newly replaced to other controllers connected thereto. Each of the controllers that have received the source address information of the newly-replaced second communication node 340 (AVM) may update the source address information of the second communication node 340 (AVM) to its own address table. Each of the controllers may then transmit each updated address table to the management node 320. [ The management node 320 can update the address table only when it is in the diagnostic mode in order to prevent communication connection and hacking of the unauthorized external communication node.

8 is a diagram showing an operation of a non-registered apparatus based on Ethernet switch information according to an embodiment of the present invention in a communication node (controller) as a method of detecting and updating a source address.

Referring to FIG. 8, when a message is received from the second communication node 340 to the first communication node 330 (S110), the first communication node 330 transmits the address table stored in the memory and the source address (S120). < / RTI > Thus, it is possible to judge whether the message received by the controller is a normal message sent from an in-vehicle apparatus or a registered normal external apparatus.

Then, as a result of the comparison in S120, if the source address of the received message is present in the address table stored in the memory, the first communication node 330 determines that a normal message is received from the second communication node 340. [ Then, the first communication node 330 maintains a communication connection with the second communication node 340 that has sent the message (S130). That is, if the source address of the received message is present in the address table stored in the memory, the first communication node 330 determines a normal communication connection with another communication node.

On the other hand, if it is determined in step S120 that the source address of the message received from the second communication node 340 to the first communication node 330 does not exist in the address table stored in the memory of the first communication node 330 , The first communication node 330 may transmit information on the received message and the source address to the management node 320 (S140). At this time, the first communication node 330 may transmit the source address information and the received message shown in FIG. 6 to a specific communication port connected to the management node 320 for authentication of the source address of the received message .

Here, the memory of the management node 320 stores the source addresses of the entire vehicle controllers (internal devices and external devices), so that verification of the source addresses of all the controllers and authentication of the messages are possible.

Subsequently, when the message and the source address are received from the first communication node 330 to the management node 320, the management node 320 may compare the received source address and the address table stored in the memory (S150).

That is, the management node 320 determines whether the source address of the received message matches the address table stored in the memory of the management node 320, Can be determined.

When the source address of the received message is present in the address table stored in the memory of the management node 320 as a result of the comparison of S150, the management node 320 determines that the communication connection error (S160). That is, the management node 320 can determine that there is a communication connection error between the internal controllers of the vehicle when the source address received from the communication node 330 exists in the address table stored in the memory.

Subsequently, the management node 320 may transmit the verification result of the source address of the received message to the first communication node 330 (S170).

Then, the first communication node 330 may add the source address to the address table stored in the memory based on the verification result of the source address of the received message (S180).

On the other hand, the management node 320 stores in the memory of the management node 320 a failure code (DTC) indicating a communication connection error between the internal controllers of the vehicle, The code DTC can be displayed to the driver (S190).

9 is a diagram illustrating an operation of a non-registered device based on Ethernet switch information according to an embodiment of the present invention in a management node (gateway).

Referring to FIG. 9, the operation of S110 to S150 is the same as that of FIG. 8, and a detailed description thereof will be omitted.

As a result of the comparison of S150, if there is no source address of the received message in the address table stored in the memory of the management node 320, the authentication process of the device that transmitted the message may be further performed. The management node 320 can confirm the authentication information included in the received message (S260).

Here, when the MAC address information of the address table stored in the memory and the source address information received by the communication node 330 do not match, the management node 320 may determine that a message has been received from an external device of the vehicle.

If the authentication information for the received message does not exist or the authentication information included in the message does not coincide with the preset authentication information, the management node 320 processes the authentication failure as a result of the authentication of S260, Hacking attempt) has occurred (S270).

Specifically, when the authentication information for the received message does not exist or the authentication information included in the message does not match the preset authentication information, the unauthenticated external device connects to the Ethernet network of the vehicle It can be determined that the message is transmitted. That is, the management node 320 can determine that a security threat (hacking attempt) has occurred by receiving a message from an unauthorized external device. As described above, the management node 320 can discard a message received from an unauthorized external device when a message is received from an abnormal external device that is not authenticated by the manufacturer as a result of checking the authentication information of the message.

On the other hand, if it is determined in step S260 that the authentication information included in the message is identical to the preset authentication information, the management node 320 processes authentication success, and determines that the message is received from the external device authenticated by the vehicle manufacturer . The management node 320 may add the source address of the authenticated external device to the address table stored in the memory of the management node 320 (S270).

Then, the management node 320 may transmit the authentication result to the first communication node 330 (S280).

If the authentication fails in S270, the first communication node 330 may block the communication connection with the unauthorized device since the message is received from the unauthenticated external device (S290). The first communication node 330 can immediately block communication from the external device and discard the received message when a message is received from an abnormal external device not authenticated by the manufacturer.

Also, if the authentication fails in S270, the first communication node 330 may add the source address of the authenticated external device to the address table stored in the memory (S290).

Then, the management node 320 may transmit the source address information of the external device, which has attempted to hack the external device, to the management node 320 so that the communication with the external device is interrupted, As shown in FIG.

In addition, the management node 320 may transmit the authentication result of the received message and the source address information to another controller (an end node, a switch, a gateway, etc.) connected to the management node 320 (S300).

Each of the end node, the switch, and the gateway receiving the authentication result and the source address information from the management node 320 may update the address table stored in the memory based on the authentication result.

As described above, the non-registered device verification system and method based on the Ethernet switch information according to the embodiment of the present invention stores and manages the source address information of the internal devices and external devices of the vehicle in the memory of the management node 320, By confirming the authentication information of the message received from the device, it is possible to prevent the change of the in-vehicle address information due to the communication connection and the hacking of the unauthorized external device.

The non-registered device verification system and method based on the Ethernet switch information according to the embodiment of the present invention restricts the update of the address table of the controllers placed in the vehicle in order to prevent communication connection and hacking of the unauthorized external device .

The methods according to the present invention can be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer readable medium may be those specially designed and constructed for the present invention or may be available to those skilled in the computer software.

Examples of computer readable media include hardware devices that are specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate with at least one software module to perform the operations of the present invention, and vice versa.

It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the appended claims. It will be possible.

200: communication node 210: PHY layer unit
220: controller unit 300: non-registered device verification system
310: diagnosis unit 320: management node
330, 340: communication node

Claims (20)

A method of operating a first communication node among a plurality of communication nodes constituting an ethernet-based vehicle network,
Receiving a message from a second communication node;
Determining whether a source address of the message exists in a first address table stored in a memory of the first communication node; And
And if the source address does not exist in the address table, transmitting the message and the source address to a management node.
A method of operating a communication node. The method according to claim 1,
And receiving a verification result for the source address from the management node.
A method of operating a communication node. The method of claim 2,
And adding the source address to the first address table if the source address exists in a second address table stored in the memory of the management node based on the verification result.
A method of operating a communication node. The method of claim 2,
And if the source address exists in the second address table stored in the memory of the management node based on the verification result, it is determined that a communication connection error occurs between the communication nodes constituting the vehicle network,
A method of operating a communication node. The method of claim 2,
And transmitting the source address to a third communication node connected to the first communication node if the source address exists in the second address table stored in the memory of the management node based on the verification result.
A method of operating a communication node. The method according to claim 1,
And receiving an authentication result for the message from the management node.
A method of operating a communication node. The method of claim 6,
And adding the source address to the first address table when it is determined that the message is authenticated by the authentication result.
A method of operating a communication node. The method of claim 7,
And transmitting the source address to a third communication node coupled to the first communication node.
A method of operating a communication node. The method of claim 6,
And releasing a communication connection between the first communication node and the second communication node when the message is not authenticated by the authentication result.
A method of operating a communication node. A method of operating in a management node of an ethernet-based vehicle network,
Receiving a message from the first communication node and a source address of the message;
Determining whether the source address exists in the entire address table of all the communication nodes included in the network stored in the memory;
Transmitting the verification result of the source address to the first communication node if the source address exists in the global address table; And
And authenticating the message if the source address does not exist in the global address table.
How a managed node works. The method of claim 10,
And transmitting the source address verification result and the source address to a second communication node connected to the management node if the source address exists in the global address table.
How a managed node works. The method of claim 10,
If the source address exists in the entire address table,
Storing a failure code in the memory indicating a communication connection error; And
And displaying the failure code in at least one of an auditory and visual manner.
How a managed node works. The method of claim 12,
And transmitting the failure code to a diagnosis unit connected to the management node.
How a managed node works. The method of claim 10,
And transmitting the authentication result of the message to the first communication node.
How a managed node works. 15. The method of claim 14,
And adding the source address of the message to the entire address table when it is determined that the message is authenticated by the authentication result.
How a managed node works. 15. The method of claim 14,
And transmitting the authentication result and the source address to a second communication node connected to the management node when it is determined by the authentication result that the message is authenticated.
How a managed node works. 16. The method of claim 15,
Discarding the message if the message is not authenticated by the authentication result,
And transmitting the authentication result and the source address to a second communication node connected to the first communication node and the management node.
How a managed node works. As a management node constituting an ethernet-based vehicle network,
A processor; And
And a memory in which at least one command executed by the processor and an entire address table of all communication nodes included in the Ethernet network are stored,
Wherein the at least one instruction comprises:
When a message is received from the first communication node, judges whether the source address of the message exists in the entire address table,
If the source address exists in the global address table, transmitting the verification result of the source address to the first communication node,
And if the source address does not exist in the entire address table,
Managed node. 19. The method of claim 18,
Wherein the at least one instruction comprises:
Transmitting an authentication result of the message to the first communication node,
Managed node. The method of claim 19,
Wherein the at least one instruction comprises:
And adding the source address to the entire address table if the message is authenticated by the authentication result,
Managed node.

Images