US20190334924A1 - System and method for detecting attack when sensor and traffic information are inconsistent - Google Patents

Info

Publication number
US20190334924A1
Authority
US
United States
Prior art keywords
information
traffic information
vehicle
sensor
traffic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US16/507,157
Inventor
Tsuyoshi Toyama
Hisashi Oguma
Tsutomu Matsumoto
Hideki Gotoh
Tomokazu Moriya
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Toyota Motor Corp
Yokohama National University NUC
Original Assignee
Toyota Motor Corp
Yokohama National University NUC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Toyota Motor Corp, Yokohama National University NUC
Priority to US16/507,157
Publication of US20190334924A1
Legal status: Abandoned

Classifications

    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • B60W10/00 Conjoint control of vehicle sub-units of different type or different function
    • B60W40/00 Estimation or calculation of non-directly measurable driving parameters for road vehicle drive control systems not related to the control of a particular sub unit, e.g. by using mathematical models
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645 Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
    • G07C5/008 Registering or indicating the working of vehicles communicating information to a remotely located station
    • G08G1/0112 Measuring and analyzing of parameters relative to traffic conditions based on the source of data from the vehicle, e.g. floating car data [FCD]
    • G08G1/0129 Traffic data processing for creating historical data or processing based on historical data
    • G08G1/017 Detecting movement of traffic to be counted or controlled identifying vehicles
    • G08G1/096716 Systems involving transmission of highway information, e.g. weather, speed limits where the received information might be used to generate an automatic action on the vehicle control where the received information does not generate an automatic action on the vehicle control
    • G08G1/096741 Systems involving transmission of highway information, e.g. weather, speed limits where a selection of the information might take place where the source of the transmitted information selects which information to transmit to each vehicle
    • G08G1/096775 Systems involving transmission of highway information, e.g. weather, speed limits where the system is characterised by the origin of the information transmission where the origin of the information is a central station
    • G08G1/096791 Systems involving transmission of highway information, e.g. weather, speed limits where the system is characterised by the origin of the information transmission where the origin of the information is another vehicle
    • G08G1/205 Indicating the location of the monitored vehicles as destination, e.g. accidents, stolen, rental
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • H04W4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • G06F2221/034 Test or assess a computer or a system
    • G06K9/00791
    • G06V20/56 Context or environment of the image exterior to a vehicle by using sensors mounted on the vehicle
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • the present invention relates to a system and method for detecting an attack, and more specifically to a system and method for using traffic information transmitted to vehicles to detect an attack.
  • Japanese Patent Application Laid-open No. 2014-138380 discloses a method for detecting an attack on an in-vehicle system, the method including: receiving verification messages from both a transmission electronic control unit (ECU) and a reception ECU in the in-vehicle system; and determining whether these verification messages are consistent with each other.
  • Japanese Patent Application Laid-open No. 2014-168219 discloses placing limitations on access to vehicle-network information that is generated when running a program, based on an access right level for each program and an access permission level for each information.
  • Japanese Patent Application Laid-open No. 2010-250607 discloses an invalid access analysis system in which an unregistered attack pattern is registered and a program is updated when the unregistered attack pattern is acquired through the analysis of a network attack log.
  • With Japanese Patent Application Laid-open No. 2010-250607, it is possible to analyze an attack pattern using the methods of Japanese Patent Application Laid-open Nos. 2014-138380 and 2014-168219 and register the analyzed attack pattern to detect an attack on a vehicle.
  • Japanese Patent Application Laid-open No. 2014-138380 is an attack detecting technology considering communications inside a vehicle system
  • what is disclosed by Japanese Patent Application Laid-open No. 2014-168219 is an attack detecting technology for an external apparatus accessing the internal units of a vehicle; none of the above technologies is capable of determining whether information transmitted from an outside is valid.
  • Patent Document 1: Japanese Patent Application Laid-open No. 2014-138380
  • Patent Document 2: Japanese Patent Application Laid-open No. 2014-168219
  • Patent Document 3: Japanese Patent Application Laid-open No. 2020-250607
  • the present invention has an object of providing a technology by which it is possible to detect an attack by communication in a system in which vehicles receive information from an outside through the communication.
  • the present invention compares traffic information received by vehicles through wireless communication with sensor information acquired by the vehicles through their own sensors and determines that the traffic information is invalid when the traffic information and the sensor information are inconsistent with each other.
  • Traffic information is any information associated with traffic and includes information on vehicles such as positions, movement speeds and movement directions of vehicles, information on traffic signals, information on obstacles on roads, information on traffic jams, information on road-surface conditions, etc.
  • a first aspect of the present invention provides a system for detecting attack having a server and a plurality of vehicles capable of wirelessly communicating with each other.
  • Each of the plurality of vehicles has a sensor, a sensor information acquisition unit adapted to acquire sensor information from the sensor, a traffic information reception unit adapted to receive traffic information through wireless communication, and a transmission unit adapted to transmit the sensor information and the traffic information to the server.
  • the server has a reception unit adapted to receive the sensor information and the traffic information from at least any of the plurality of vehicles, a verification unit adapted to verify whether the sensor information and the traffic information are inconsistent with each other, and a notification unit adapted to notify, when the sensor information and the traffic information are inconsistent with each other, at least any of the plurality of vehicles of the inconsistency between the sensor information and the traffic information.
  • traffic information and sensor information compared with each other may be information acquired by the same vehicle or information acquired by different vehicles.
  • a vehicle transmits acquired traffic information and sensor information to a server, and the server performs the analysis of the information.
  • an attack by the traffic information may be detected.
  • the notification unit may be adapted to notify at least any of the plurality of vehicles of signature information indicating characteristics of the traffic information inconsistent with the sensor information, and each of the plurality of vehicles may have a storage unit adapted to store the signature information received from the server and may not rely on the traffic information consistent with the signature information notified from the notification unit.
  • each vehicle is allowed to detect an attack detected by a server.
  • Signature information is information indicating the characteristics of traffic information. For example, when traffic information includes the identifier of the transmitter of the traffic information, the identifier of the transmitter of the traffic information may be employed as signature information.
  • the traffic information preferably includes a position of an object existing on a road
  • the verification unit is preferably adapted to determine the inconsistency between the sensor information and the traffic information when being able to estimate from the sensor information that the object does not exist at the position of the object indicated by the traffic information.
  • an object existing on a road includes a vehicle, an obstacle, or the like.
  • the transmitter of traffic information is a vehicle
  • information indicating the position of the transmitter's vehicle corresponds to the traffic information and the transmitter's vehicle itself corresponds to an object existing on a road.
  • the inconsistency between traffic information and sensor information may be determined when the existence of an object at a position indicated by traffic information is not confirmed by the sensor information.
  • the inconsistency between traffic information and sensor information may be determined when it is understandable from the sensor information that an object different from an object (for example, a vehicle) of a type indicated by the traffic information exists even in a case in which any object exists at a position indicated by the traffic information.
  • the traffic information may further include at least any of a movement speed and a movement direction of the object
  • the verification unit may be adapted to determine the inconsistency between the sensor information and the traffic information when being able to estimate from the sensor information that one of a movement speed and a movement direction of the object existing at the position of the object indicated by the traffic information is inconsistent with one of the movement speed and the movement direction indicated by the traffic information.
  • the traffic information may include information on a road condition
  • the verification unit may be adapted to determine the inconsistency between the sensor information and the traffic information when the road condition indicated by the traffic information is inconsistent with a road condition acquired from the sensor information.
  • a road condition includes road-surface conditions such as the presence or absence of traffic jams, the presence or absence of road constructions, traffic lane limitations, and the icing of roads.
  • a second aspect of the present invention provides a system for detecting an attack including: a first acquisition unit adapted to acquire sensor information acquired from a sensor of a vehicle; a second acquisition unit adapted to acquire traffic information received by the vehicle through wireless communication; and a verification unit adapted to verify whether the sensor information and the traffic information are inconsistent with each other.
  • each of the above units of the system may be provided in an apparatus different from a vehicle, and sensor information and traffic information may be acquired from the vehicle through wireless communication.
  • each of the units of the system may be provided in a vehicle, and sensor information and traffic information may be acquired from a sensor and a wireless communication unit installed in the vehicle.
  • a third aspect of the present invention provides a vehicle including: a sensor; a sensor information acquisition unit adapted to acquire sensor information from the sensor; a traffic information reception unit adapted to receive traffic information through wireless communication; a transmission unit adapted to transmit the sensor information and the traffic information to a server; and a verification unit adapted to verify whether the sensor information and the traffic information are inconsistent with each other.
  • a vehicle determines whether traffic information is valid based on its own sensor information.
  • the vehicle preferably further includes a notification unit adapted to transmit signature information indicating characteristics of the traffic information determined by the verification unit to be inconsistent with the sensor information to one of the circumjacent vehicle and the server.
  • circumjacent vehicles may be notified of the existence of invalid traffic information directly or via a server.
  • the present invention may be regarded as a system for detecting an attack, a vehicle, or a server having at least some of the above units.
  • the present invention may be regarded as a method in which at least some of processing by the above units is performed.
  • the present invention may be regarded as a computer program for causing a computer to perform the method or may be regarded as a computer-readable storage medium storing the computer program permanently.
  • Each of the above units and the processing may be combined with each other to a maximum extent to constitute the present invention.
  • FIG. 1 is a diagram showing the outline of the system of a first embodiment
  • FIGS. 2A and 2B are a function block diagram of a vehicle and a function block diagram of a server, respectively;
  • FIGS. 3A and 3B are a diagram showing the message format of traffic information and the message format of sensor information, respectively;
  • FIG. 4 is a flowchart showing the operations of the vehicle in the first embodiment
  • FIG. 5 is a flowchart showing traffic information verification processing by the vehicle in the first embodiment
  • FIG. 6 is a flowchart showing traffic information verification processing by the server in the first embodiment
  • FIG. 7 is a diagram showing the outline of the system of a second embodiment
  • FIG. 8 is a flowchart showing traffic information verification processing by a vehicle in the second embodiment
  • FIG. 9 is a diagram showing the outline of the system of a third embodiment.
  • FIGS. 10A and 10B are a diagram for describing an attack on the communication system between vehicles and a diagram for describing a method for detecting the attack, respectively.
  • Automatic driving vehicles control themselves using sensor information acquired from their own sensors and traffic information acquired from circumjacent vehicles or roadside machines through communication. Attacks on such automatic driving vehicles by the transmission of invalid traffic information to cause traffic snarls are assumed.
  • a roadside machine X transmits traffic information on the existence of a vehicle Y that does not actually exist to a vehicle A entering an intersection (1001).
  • when the vehicle A is not allowed to sense the existence of the vehicle Y by its own sensor due to the poor view of the intersection (1002), the vehicle A is forced to remain waiting to enter the intersection.
  • a vehicle B approaching the intersection from another direction is allowed to sense the fact that the vehicle Y whose existence is notified by the traffic information from the roadside machine X does not actually exist by its own sensor (1003). That is, the vehicle B is allowed to determine that the traffic information transmitted from the roadside machine X is invalid. Therefore, when the vehicle B notifies the vehicle A of the fact that the vehicle Y does not actually exist, the vehicle A is allowed to perform automatic driving without relying on the traffic information from the roadside machine X.
  • control using traffic information transmitted from circumjacent objects is not limited to automatic driving but may include driving assistance and any other control.
  • This embodiment describes a system for detecting an attack that detects invalid traffic information transmitted to vehicles.
  • the system is constituted by a plurality of vehicles 100 and a server 200 capable of wirelessly communicating with each other.
  • each of the plurality of vehicles 100 transmits traffic information received from circumjacent objects and sensor information acquired by its own sensor to the server 200.
  • the server 200 accumulates the traffic information and the sensor information collected from the vehicles 100 and specifies traffic information inconsistent with the sensor information (hereinafter called invalid traffic information).
  • the server 200 specifies signature information indicating the characteristics of the invalid traffic information and notifies the vehicles 100 of the same.
  • the vehicles 100 have an intrusion detection system (IDS) or an intrusion prevention system (IPS) and detect the invalid traffic information using the signature information notified from the server 200.
  • FIG. 2A is a block diagram showing the configurations of the vehicle 100.
  • the vehicle 100 has a sensor group 102, a wireless communication unit 104, a vehicle control unit 106, a memory 108, a sub-storage unit 110, and a calculation processing unit 112.
  • the sensor group 102 includes a plurality of sensors used to acquire the inner statuses of the vehicle and environmental conditions around the vehicle.
  • the sensors used to acquire the inner statuses of the vehicle include a position information sensor, a direction sensor, a speed sensor, an acceleration sensor, a yaw rate sensor, a steering angle sensor, an accelerator opening sensor, a braking pressure sensor, an engine rotational speed sensor, or the like.
  • the sensors used to acquire environmental conditions around the vehicle include cameras (a visible light camera and an infrared camera), radars (a millimeter-wave radar, a quasi-millimeter-wave radar, and a near-infrared laser radar), ultrasonic sonar equipment, illumination sensors, or the like.
  • the wireless communication unit 104 is a unit used to wirelessly communicate with other vehicles 100 and the server 200.
  • the standard of wireless communication is not limited to a specific system, and wireless LAN (IEEE 802.11a/b/g/n/ac), Mobile WiMAX (IEEE 802.16e), iBurst, WAVE (IEEE 802.20), DSRC (Dedicated Short Range Communication), mobile telephone communication (3G and LTE), or the like is available as such.
  • the wireless communication unit may be used alone to communicate with other vehicles 100 and the server 200, or different wireless communication units may be used to separately communicate with other vehicles 100 and the server 200.
  • the vehicle control unit 106 is constituted by one or a plurality of electronic control units (ECUs) that perform control to drive an engine (a driving force), steering, braking, or the like.
  • the memory 108 is a main storage unit such as a random access memory (RAM).
  • the sub-storage unit 110 is a magnetic disc, a semi-conductor memory, or the like.
  • the vehicle 100 preferably includes, besides these units, input units such as a touch panel and a button and output units such as a display and a speaker.
  • the calculation processing unit 112 is a processor such as a central processing unit (CPU) and a micro processing unit (MPU) and realizes various functions by reading a program stored in the sub-storage unit 110 into the memory 108 and running the same.
  • the calculation processing unit 112 realizes, for example, the respective functions of a sensor information acquisition unit 114, a traffic information transmission unit 115, a traffic information reception unit 116, an information upload unit 118, a signature information reception unit 120, an attack detecting unit 122, and a cryptographic processing unit 124.
  • some or all of these functions may be realized by an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), or the like.
  • the calculation processing unit 112 is not necessarily constituted by a single processor but may be constituted by a plurality of processors.
  • the cryptographic processing unit 124 is preferably implemented by a dedicated security chip.
  • the sensor information acquisition unit 114 acquires sensor information from the sensor group 102 periodically or as occasion demands.
  • the acquired sensor information is stored in the memory 108 and the sub-storage unit 110 (hereinafter collectively called a storage unit).
  • the traffic information transmission unit 115 transmits traffic information generated based on sensor information acquired by the sensor information acquisition unit 114 .
  • the traffic information may be any information on traffic.
  • An example of the traffic information is information on the vehicle such as a position, a movement speed, and a movement direction of the vehicle, information on traffic signals, information on obstacles on roads, information on traffic jams, and information on road-surface conditions.
  • the traffic information transmission unit 115 periodically transmits traffic information 30 in a format shown in FIG. 3A .
  • the transmitted traffic information 30 includes a transmission source ID 31 , a destination ID 32 , a transmission time 33 , position information 34 , a movement speed 35 , a movement direction 36 , and a vehicle status 37 , and also includes an electronic signature 38 for this information.
  • the transmission source ID 31 is an identifier used to identify a vehicle that transmits the traffic information 30 .
  • the destination ID 32 is an identifier used to identify a destination vehicle of the traffic information 30 .
  • a value indicating that the traffic information 30 is broadcasting information is stored in the destination ID 32 .
  • the transmission time 33 is a time at which the traffic information 30 is generated.
  • the position information 34 is, for example, information acquired from a position information sensor such as a global positioning system (GPS) and expressed in a format using a latitude, a longitude, and an altitude or a format using a map code.
  • the movement speed 35 is a movement speed of the vehicle 100 acquired from a speed sensor.
  • the movement direction 36 is a movement direction of the vehicle 100 acquired from a direction sensor.
  • the vehicle status 37 is information indicating any other statuses of the vehicle 100 .
  • the electronic signature 38 is added to detect spoofing and falsification. As the electronic signature 38 , a digital signature based on a public encryption system is, for example, available.
  • the traffic information reception unit 116 receives traffic information from circumjacent vehicles and roadside machines via the wireless communication unit 104 .
  • the cryptographic processing unit 124 verifies the electronic signature.
  • the attack detecting unit 122 verifies whether the received traffic information is valid.
  • the traffic information determined to be valid is stored in the storage unit and used for vehicle control such as automatic driving.
  • the information upload unit 118 transmits (uploads) sensor information acquired by the sensor information acquisition unit 114 and traffic information received by the traffic information reception unit 116 to the server 200 via the wireless communication unit 104 .
  • the traffic information may be uploaded in a format the same as or different from a format with which the traffic information is transmitted to the vehicle ( FIG. 3A ).
  • Uploaded sensor information 40 includes a transmission source ID 41 , a destination ID 42 , a transmission time 43 , position information 44 , a sensing time 45 , a sensing position 46 , and sensor information 47 , and also includes an electronic signature 48 for this information.
  • the transmission source ID 41 , the destination ID 42 , the transmission time 43 , the position information 44 , and the electronic signature 48 are the same as those included in the traffic information 30 .
  • the sensing time 45 is a time at which the sensor information 47 is acquired.
  • the sensing position 46 is a position of the vehicle 100 at a time at which the sensor information 47 is acquired.
  • the sensor information 47 is sensor information acquired from the sensor group 102 .
  • the embodiment describes an example in which only one sensor information is stored in one message and transmitted, but a plurality of sensor information may be stored in one message and transmitted.
  • a plurality of sensor information having almost the same sensing time and the same sensing position may be collectively transmitted, or a sensing time and a sensing position may be stored for each sensor information to collectively transmit any sensor information.
  • the signature information reception unit 120 receives signature information (different from an electronic signature) indicating the characteristics of invalid traffic information from the server 200 .
  • the received signature information is stored in the storage unit and used when the attack detecting unit 122 detects invalid information.
  • the attack detecting unit 122 detects invalid information from information received through wireless communication. Specifically, the attack detecting unit 122 determines that information consistent with signature information stored in the storage unit is invalid information.
  • the cryptographic processing unit 124 performs the addition and verification of electronic signatures, encryption processing, decryption processing, or the like. Since electronic signatures based on a public encryption system are used in the first embodiment, the cryptographic processing unit 124 performs the addition and verification of the electronic signatures. By the cryptographic processing unit 124 , the vehicle is allowed to verify whether traffic information transmitted from circumjacent vehicles 100 and signature information transmitted from the server 200 are valid. In addition, the cryptographic processing unit 124 adds electronic signatures to traffic information that is to be transmitted to circumjacent vehicles 100 and sensor information and traffic information that are to be transmitted to the server 200 .
  • FIG. 2B is a block diagram showing the configurations of the server 200 .
  • the server 200 is a general-purpose computer and has a wireless communication unit 204 , a memory 208 , an auxiliary storage unit 210 , and a calculation processing unit 212 . Since the configurations of the server 200 are the same as those of the vehicle 100 , their descriptions will be omitted.
  • the calculation processing unit 212 realizes the functions of a sensor information collection unit 214 , a traffic information collection unit 216 , a traffic information verification unit 218 , a signature information determination unit 220 , a signature information transmission unit 222 , and a cryptographic processing unit 224 .
  • the sensor information collection unit 214 receives sensor information transmitted from the vehicle 100 via the wireless communication unit 204 and stores the same in a storage unit.
  • the traffic information collection unit 216 receives traffic information transmitted from the vehicle 100 via the wireless communication unit 204 and stores the same in the storage unit.
  • the traffic information verification unit 218 verifies whether traffic information collected by the traffic information collection unit 216 is inconsistent with sensor information collected by the sensor information collection unit 214 .
  • the inconsistency between traffic information and sensor information corresponds to, for example, a case in which the traffic information indicates the existence of a vehicle at a certain position but the sensor information indicates nothing or the existence of any object other than the vehicle at the position.
  • the inconsistency between traffic information and sensor information also corresponds to a case in which a vehicle exists at a position indicated by the traffic information but a movement speed or a movement direction of the vehicle indicated by the traffic information is different from a movement speed or a movement direction of the vehicle indicated by the sensor information.
  • the traffic information verification unit 218 verifies whether associated sensor information is consistent with traffic information for each of the traffic information collected by the traffic information collection unit 216 .
  • the traffic information verification unit 218 determines that traffic information is invalid when there is a lot of sensor information inconsistent with the traffic information.
  • the signature information determination unit 220 determines signature information indicating the characteristics of traffic information determined to be invalid by the traffic information verification unit 218 .
  • the signature information is information in which the pattern of invalid information is defined. For example, when a certain vehicle transmits invalid traffic information, the signature information determination unit 220 determines as the signature information a pattern in which the transmission source ID 31 equals the ID of the vehicle.
  • the signature information determination unit 220 may determine as the signature information a pattern in which these fields have the specific values.
  • the signature information may be of any type so long as it is capable of specifying invalid traffic information.
  • the signature information transmission unit 222 transmits signature information on invalid traffic information determined by the signature information determination unit 220 to the vehicle 100 via the wireless communication unit 204 .
  • the attack detecting unit 122 of the vehicle 100 is allowed to detect an attack based on the latest signature information.
  • the cryptographic processing unit 224 performs the addition and verification of electronic signatures, encryption processing, decryption processing, or the like. By the cryptographic processing unit 224 , the server 200 is allowed to verify whether traffic information and sensor information transmitted from the vehicle 100 are valid. In addition, the cryptographic processing unit 224 adds electronic signatures to signature information that is to be transmitted to the vehicle 100 .
  • the sensor information acquisition unit 114 acquires sensor information from the sensor group 102 (S 101 ). Note that the acquisition of sensor information is periodically performed. The time interval of the acquisition may be different for each sensor or may be the same for all sensors.
  • the sensor information acquisition unit 114 stores the acquired sensor information in the storage unit.
  • the traffic information reception unit 116 receives traffic information from other vehicles via the wireless communication unit 104 (S 102 ).
  • the vehicle 100 performs the verification processing of the received traffic information (S 103 ).
  • a description will be given in detail of the verification processing S 103 of the traffic information with reference to the flowchart of FIG. 5 .
  • the vehicle 100 verifies the electronic signature 38 of the traffic information using the cryptographic processing unit 124 (S 201 ). When the verification fails (NO in S 202 ), the content of the information is falsified and thus the vehicle 100 is allowed to determine that the received traffic information is invalid (S 206 ).
  • the attack detecting unit 122 verifies the traffic information using signature information (S 203 ). The attack detecting unit 122 finds out whether the traffic information is consistent with the signature information. When the traffic information matches with the signature information (YES in S 204 ), the attack detecting unit 122 determines that the traffic information is invalid (S 206 ). On the other hand, when the received traffic information does not match with the signature information (NO in S 204 ), the attack detecting unit 122 is allowed to determine that the received traffic information is valid (S 205 ).
  • the vehicle control unit 106 performs the automatic driving control of the vehicle 100 using the sensor information acquired from the sensor group 102 and the traffic information whose validity has been verified. Note that in the processing of the flowchart of FIG. 4 , the vehicle 100 determines whether the traffic information is valid. When it is determined that the traffic information is invalid, the vehicle 100 discards the traffic information and does not use the same for the control. However, rather than discarding the traffic information, the vehicle 100 may use the traffic information for the control with the recognition that the traffic information is unreliable. For example, when unreliable traffic information is acquired, the vehicle 100 may confirm whether the traffic information is valid based on sensor information acquired from the sensor group 102 or may perform sensing again with the sensor group 102 .
  • the vehicle 100 may decelerate or take avoidance action in advance for safety with the recognition that the traffic information is invalid.
  • the vehicle 100 makes an alternative decision as to whether the traffic information is valid or invalid.
  • the vehicle 100 may evaluate the possibility of the validity of traffic information at three or more levels and use the traffic information for the automatic driving control in consideration of its evaluation value (reliability).
  • the vehicle 100 determines whether now is the time to upload the information to the server 200 (S 107 ).
  • the information upload unit 118 transmits the sensor information acquired by the sensor information acquisition unit 114 and the traffic information received by the traffic information reception unit 116 to the server 200 (S 108 ).
  • the time to upload the information to the server 200 is not particularly limited.
  • the information upload unit 118 may transmit the information at any time at which the vehicle 100 is capable of communicating with the server 200 , or may transmit the information on the condition that the vehicle 100 stops.
  • the information upload unit 118 may collectively upload the sensor information and the traffic information when the engine of the vehicle 100 stops.
  • the sensor information collection unit 214 receives sensor information from the vehicle 100 via the wireless communication unit 204 (S 301 ) and stores the same in the storage unit. Then, the traffic information collection unit 216 receives traffic information from the vehicle 100 via the wireless communication unit 204 (S 302 ) and stores the same in the storage unit.
  • the server 200 preferably verifies the electronic signatures 38 and 48 of the traffic information and the sensor information by the cryptographic processing unit 224 and discards the traffic information and sensor information when the verification of the electronic signatures fails.
  • the traffic information verification unit 218 selects traffic information that has not been verified from among the received traffic information (S 303 ). When there is a plurality of unverified traffic information, selection of the information may be made on any basis. The traffic information verification unit 218 finds out whether the selected traffic information is inconsistent with the sensor information to verify the validity of the traffic information.
  • the traffic information verification unit 218 first selects sensor information having an acquisition time and an acquisition position (the sensing time 45 and the sensing position 46 ) close to the transmission time and the transmission position (the transmission time 33 and the position information 34 ) of the selected traffic information (S 304 ).
  • This processing aims to narrow down sensor information capable of verifying the validity of information indicated by traffic information.
  • sensor information having a position and a time “close” to the position and the time of traffic information indicates sensor information by which the validity of information indicated by the traffic information may be determined with a high possibility. For example, when traffic information notifying the existence of a vehicle is verified, sensor information acquired from the vehicle running on the same road at almost the same time is selected.
  • the traffic information verification unit 218 determines whether each of the sensor information selected in step S 304 is inconsistent with the traffic information selected in step S 303 (S 305 ). For example, for the existence of a vehicle, when the existence of the vehicle at a position indicated by traffic information is estimated from sensor information, the traffic information verification unit 218 may determine that the traffic information is consistent with the sensor information. On the other hand, when nothing exists at a position indicated by traffic information or when the existence of any object other than a vehicle is estimated, the traffic information verification unit 218 may determine that the traffic information is inconsistent with sensor information. In addition, when the existence of a vehicle at a position indicated by traffic information is not clear from sensor information, the traffic information verification unit 218 determines in the embodiment that the traffic information is consistent with the sensor information.
  • the embodiment describes the verification of position information on a vehicle, but the traffic information verification unit 218 also determines whether a speed or a movement direction of the vehicle is consistent with sensor information.
  • the traffic information verification unit 218 determines that the traffic information is inconsistent with the sensor information. That is, when any of traffic information is inconsistent with sensor information, the traffic information verification unit 218 determines that the traffic information is inconsistent with the sensor information.
  • the traffic information verification unit 218 determines whether the number of the sensor information inconsistent with the traffic information is a prescribed number or more (S 306 ).
  • the prescribed number may be a fixed value set in advance. However, the prescribed number may be a value corresponding to the number of the sensor information acquired in step S 304 or may be a value corresponding to the number of the sensor information consistent with the traffic information among the sensor information acquired in step S 304 .
  • the traffic information verification unit 218 determines that the traffic information is invalid. This determination may be made based on whether the number of inconsistent sensor information (simple sum) is a prescribed number or more. However, it is more preferable to put weight on each of sensor information according to its information quality to make a determination based on whether the sum of the weight of inconsistent sensor information is a prescribed number or more.
  • the signature information determination unit 220 determines signature information indicating the characteristics of the invalid traffic information (S 307 ). For example, the signature information determination unit 220 may determine the transmission source ID 31 of the invalid traffic information as the signature information.
  • the signature information transmission unit 222 transmits the determined signature information to the vehicle 100 via the wireless communication unit 204 (S 308 ). Thus, the vehicle 100 is allowed to detect the invalid traffic information using the transmitted signature information.
  • When it is determined in step S 306 that there is a small number of sensor information inconsistent with the traffic information (NO in S 306 ), the traffic information verification unit 218 determines that the traffic information is valid. Therefore, the determination and transmission processing of signature information is not performed.
  • the processing on the traffic information selected in step S 303 is completed.
  • the processing returns to step S 303 to perform the same processing as the above on the unverified traffic information.
  • the verification processing on all the traffic information is completed (NO in S 309 )
  • the processing is completed.
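The server-side flow S 304 to S 307 and the vehicle-side check S 201 to S 206 described above, as an added Python example that is not part of the patent text. The field names, the planar x/y coordinates in metres, the `view_radius` field used to model the "not clear" case, and all thresholds are assumptions; the result of electronic signature verification is passed in as a boolean rather than computed.

```python
from dataclasses import dataclass
from math import hypot

# Constructed values: the patent leaves "close" and the "prescribed number" open.
MAX_DT_S = 1.0           # S304: sensing time within 1 s of the transmission time
MAX_DIST_M = 50.0        # S304: sensing position within 50 m of the claimed position
MATCH_RADIUS_M = 3.0     # a detection this near the claimed position is "at" it
SPEED_TOL_MPS = 3.0      # tolerated gap between claimed and observed speed
PRESCRIBED_WEIGHT = 2.0  # S306: weighted sum that marks traffic information invalid


@dataclass(frozen=True)
class TrafficInfo:       # subset of FIG. 3A; x/y on a local plane (assumption)
    source_id: str
    time: float
    x: float
    y: float
    speed: float


@dataclass(frozen=True)
class Detection:         # one object seen by a reporting vehicle's sensors
    kind: str            # "vehicle" or "other"
    x: float
    y: float
    speed: float


@dataclass(frozen=True)
class SensorReport:      # subset of the uploaded sensor information 40
    sensing_time: float
    x: float             # sensing position
    y: float
    view_radius: float   # hypothetical field: how far the sensors see clearly
    detections: tuple = ()
    weight: float = 1.0  # information quality, used for the weighted sum


def select_nearby(msg, reports):
    """S304: keep sensor reports close in time and position to the message."""
    return [r for r in reports
            if abs(r.sensing_time - msg.time) <= MAX_DT_S
            and hypot(r.x - msg.x, r.y - msg.y) <= MAX_DIST_M]


def is_inconsistent(msg, report):
    """S305: compare one sensor report with the claimed vehicle."""
    if hypot(report.x - msg.x, report.y - msg.y) > report.view_radius:
        return False     # existence "not clear": treated as consistent
    here = [d for d in report.detections
            if hypot(d.x - msg.x, d.y - msg.y) <= MATCH_RADIUS_M]
    vehicles = [d for d in here if d.kind == "vehicle"]
    if not vehicles:
        return True      # nothing there, or only a non-vehicle object
    # A vehicle is there; inconsistent only if no observed speed agrees.
    return all(abs(d.speed - msg.speed) > SPEED_TOL_MPS for d in vehicles)


def verify_on_server(msg, reports):
    """S304-S307: return signature information if msg is invalid, else None."""
    weight = sum(r.weight for r in select_nearby(msg, reports)
                 if is_inconsistent(msg, r))
    if weight >= PRESCRIBED_WEIGHT:
        return {"source_id": msg.source_id}  # pattern on transmission source ID 31
    return None


def vehicle_check(msg, electronic_signature_ok, signature_db):
    """S201-S206 on the receiving vehicle."""
    if not electronic_signature_ok:          # S202: electronic signature failed
        return "invalid"
    for pattern in signature_db:             # S203/S204: match any known pattern
        if all(getattr(msg, k) == v for k, v in pattern.items()):
            return "invalid"
    return "valid"


# Constructed sample data: a validly signed "ghost vehicle" and an honest one.
GHOST = TrafficInfo("V-ATTACK", 10.0, 100.0, 0.0, 15.0)
HONEST = TrafficInfo("V-7", 10.0, 200.0, 0.0, 12.0)
REPORTS = [
    SensorReport(10.2, 80.0, 0.0, 60.0),                        # sees empty road
    SensorReport(9.8, 110.0, 5.0, 60.0,
                 (Detection("other", 100.5, 0.2, 0.0),), 1.5),   # sees debris
    SensorReport(10.0, 140.0, 0.0, 30.0),                       # too far to tell
    SensorReport(20.0, 100.0, 10.0, 60.0),                      # wrong time
    SensorReport(10.1, 190.0, 0.0, 60.0,
                 (Detection("vehicle", 200.5, 0.1, 12.5),)),     # confirms V-7
    SensorReport(10.0, 210.0, 0.0, 60.0),                       # one faulty sensor
]

if __name__ == "__main__":
    db = [s for s in (verify_on_server(m, REPORTS) for m in (GHOST, HONEST)) if s]
    print(db, vehicle_check(GHOST, True, db), vehicle_check(HONEST, True, db))
```

The ghost message passes electronic signature verification, so the receiving vehicle rejects it only because the server has distributed signature information for its transmission source ID. The single disagreeing report near V-7 stays below the prescribed weight and does not invalidate the honest message.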
  • a vehicle is allowed to determine that traffic information inconsistent with information (sensor information) acquired by its sensor is invalid traffic information, i.e., an attack. Even in a case in which a vehicle is not allowed to detect invalid traffic information with its own sensor information, the vehicle is allowed to detect an attack based on the inconsistency between the traffic information and sensor information on other vehicles via a server.
  • Since electronic signatures are added to traffic information, a vehicle is allowed to detect an attack by spoofing or falsification. However, a vehicle is not allowed to detect an attack using the mechanism of electronic signatures when any reasonable person intentionally or unintentionally transmits invalid traffic information. However, as in the first embodiment, a vehicle is allowed to detect such an attack using signature information on invalid traffic information.
  • a server verifies traffic information using sensor information. Such verification requires relatively high calculation ability. However, since a server has higher calculation ability than that of an in-vehicle unit, the server is capable of performing a complicated analysis.
  • a vehicle makes an alternative decision as to whether traffic information is valid or invalid in the verification processing of the traffic information.
  • the reliability of traffic information may be evaluated at three or more levels.
  • the traffic information verification unit 218 may determine the reliability of traffic information according to the number of sensor information inconsistent with the traffic information.
  • the reliability of the traffic information may be determined using the accuracy.
  • traffic information transmitted from a vehicle includes a position, a movement speed, and a movement direction of the vehicle.
  • information included in traffic information is not limited so long as it is associated with traffic.
  • information on traffic signals, information on obstacles existing on roads, information on traffic jams, information on road-surface conditions, or the like may be transmitted.
  • Any traffic information transmitted from a vehicle is one capable of being generated based on sensor information of the vehicle. Accordingly, the validity of such traffic information may be verified in such a way that the traffic information is compared with sensor information on a vehicle.
  • a vehicle may perform any control based on traffic information.
  • a vehicle may perform driving assistance control, information providing control for the passengers of the vehicle, or the like based on traffic information.
  • a second embodiment of the present invention describes a case in which invalid traffic information is detected only by a vehicle without a server.
  • the configurations of a vehicle according to the second embodiment are the same as those shown in FIG. 2A except that the vehicle has the same function as that of the traffic information verification unit 218 that verifies traffic information based on sensor information and the vehicle does not have a function to perform transmission/reception with a server.
  • FIG. 7 shows the outline of the system of the second embodiment.
  • a vehicle 71 compares the received traffic information with sensor information acquired by its own sensor to verify whether the received traffic information is invalid. When the received traffic information is invalid, the vehicle 71 notifies circumjacent vehicles of the fact that the traffic information is invalid. A vehicle 73 having received the notification is allowed to know the fact that the traffic information is invalid. The system is effective particularly when the vehicle 71 is allowed to verify the validity of traffic information transmitted from the vehicle 72 but the vehicle 73 is not allowed to verify the traffic information with its own sensor information.
  • FIG. 8 is a flowchart showing the flow of traffic information verification processing by a vehicle in the second embodiment.
  • the vehicle 71 verifies an electronic signature 38 of received traffic information with a cryptographic processing unit 124 (S 401 ).
  • the verification fails (NO in S 402 )
  • the content of the information is falsified or spoofed and thus the vehicle 71 is allowed to determine that the received traffic information is invalid (S 407 ).
  • the verification of the signature is successful (YES in S 402 )
  • it turns out that the content of the information is neither falsified nor spoofed. Even in this case, there is a possibility that the content of the traffic information is invalid.
  • an attack detecting unit 122 determines whether the received traffic information is consistent with invalid traffic information notified by a circumjacent vehicle (S 403 ).
  • the vehicle 71 is allowed to determine that the received traffic information is invalid (S 407 ).
  • the vehicle 71 verifies whether the content of the received traffic information is inconsistent with sensor information acquired by its own sensor (S 404 ).
  • the vehicle 71 is allowed to determine that the received traffic information is invalid.
  • the vehicle 71 notifies circumjacent vehicles of the fact that the traffic information is invalid (S 405 ).
  • the vehicle 71 may notify the circumjacent vehicles of the transmission source ID of the invalid traffic information, the message ID of the invalid traffic information, or signature information as in the first embodiment.
  • the vehicle 71 is allowed to determine that the traffic information is valid (S 406 ).
  • a vehicle is allowed to detect invalid traffic information and notify circumjacent vehicles of the invalid traffic information by itself without a server. Since the validity of traffic information is verified in real time by a vehicle without a server, the second embodiment is advantageous in that invalid traffic information is promptly notified.
  • a vehicle notifies circumjacent vehicles of the fact that traffic information is invalid only when the traffic information is inconsistent with sensor information acquired by itself (NO in S 404 ).
  • a vehicle preferably transmits the above notification at any time when it is determined that traffic information is invalid.
  • a third embodiment of the present invention is almost the same as the second embodiment but is different in that the notification of invalid traffic information is transmitted not only from a vehicle but also from a server.
  • FIG. 9 shows the outline of the system of the third embodiment.
  • a vehicle 91 compares the received traffic information with sensor information acquired by its own sensor to verify whether the received traffic information is invalid.
  • the vehicle 91 notifies circumjacent vehicles of the fact that the traffic information is invalid.
  • a vehicle 93 having received the notification is allowed to know the fact that the traffic information is invalid.
  • the system is effective particularly when the vehicle 91 is allowed to verify the validity of traffic information transmitted from the vehicle 92 by its own sensor but the vehicle 93 is not allowed to verify traffic information with its own sensor information. The above point is the same as that of the second embodiment.
  • the vehicle transmits the existence of the invalid traffic information not only to the circumjacent vehicle 93 but also to a server 94 . Then, the server 94 transmits the notification of the invalid traffic information to other vehicles 95 .
  • the server 94 transmits information on invalid traffic information (signature information or the like) in the third embodiment, vehicles in a wide range are allowed to be notified of the invalid traffic information.
  • a server preferably verifies whether the notification of traffic information from a vehicle indicating the invalidity of the traffic information is valid. For example, when only some of the vehicles receiving the same traffic information notify that the traffic information is invalid traffic information, the server may determine that this notification is invalid.
  • Verification by a server has the advantage that the server is allowed to perform a higher analysis based on a lot of sensor information but also has the disadvantage that a vehicle requires a long time to be capable of detecting an attack using a verification result.
  • verification by a vehicle has the advantage that the vehicle is allowed to promptly notify circumjacent vehicles of invalid traffic information although the vehicle performs an analysis based on only information acquired by its own sensor. According to the fourth embodiment, it is possible to provide a more effective system in which a vehicle and a server are complementary to each other.
  • the present invention is constituted by a general-purpose processor such as a micro processor and a central processing unit (CPU) and a computer having a program stored in a memory, and may be realized when the general-purpose processor runs the program.
  • the present invention may be realized by a dedicated processor such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), and a digital signal processor (DSP).
  • each of a dedicated processor and a general-purpose processor running a program is a processor configured to provide a specific function or a processor configured to function as a specific function unit.
  • some functions of the present invention may be provided by a general-purpose processor (and a program), and other functions may be realized by a dedicated processor.
  • one of the functions of the present invention may be realized by both a general-purpose processor (and a program) and a dedicated processor.

Abstract

Disclosed is a system for detecting an attack, which includes a server and a plurality of vehicles capable of wirelessly communicating with each other. Each of the vehicles has a sensor, a sensor information acquisition unit, a traffic information reception unit, and a transmission unit that transmits the sensor information and the traffic information to the server. The server has a reception unit that receives the sensor information and the traffic information from the vehicles, a verification unit that verifies whether the sensor information and the traffic information are inconsistent with each other, and a notification unit that notifies, when the sensor information and the traffic information are inconsistent with each other, the vehicles of the inconsistency.

Description

    BACKGROUND OF THE INVENTION
  • This application is a divisional application of U.S. patent application Ser. No. 15/210,392, filed on Jul. 14, 2016, which claims priority to JP 2015-151086, filed on Jul. 30, 2015. The disclosures of each of these applications are hereby incorporated by reference in their entireties.
  • FIELD OF THE INVENTION
  • The present invention relates to a system and method for detecting an attack, and more specifically to a system and method for using traffic information transmitted to vehicles to detect an attack.
  • DESCRIPTION OF THE RELATED ART
  • In recent years, research and development have been promoted for systems in which vehicles are equipped with communication functions and driving assistance and automatic driving are performed for the vehicles based on information transmitted from other vehicles and roadside machines. Herein, control performed based on invalid information transmitted from an outside may lead to traffic snarls. For example, an attack is assumed in which information indicating the existence of a vehicle that does not actually exist is transmitted to circumjacent objects, thereby hindering normal traffic. To cope with this, it is desired to verify the validity of information transmitted from an outside.
  • Japanese Patent Application Laid-open No. 2014-138380 discloses a method for detecting an attack on an in-vehicle system, the method including: receiving verification messages from both a transmission electronic control unit (ECU) and a reception ECU in the in-vehicle system; and determining whether these verification messages are consistent with each other.
  • Japanese Patent Application Laid-open No. 2014-168219 discloses placing limitations on access to vehicle-network information that is generated when running a program, based on an access right level for each program and an access permission level for each information.
  • Japanese Patent Application Laid-open No. 2010-250607 discloses an invalid access analysis system in which an unregistered attack pattern is registered and a program is updated when the unregistered attack pattern is acquired through the analysis of a network attack log. In the technology of Japanese Patent Application Laid-open No. 2010-250607, it is possible to analyze an attack pattern using the methods of Japanese Patent Application Laid-open Nos. 2014-138380 and 2014-168219 and register the analyzed attack pattern to detect an attack on a vehicle.
  • However, what is disclosed by Japanese Patent Application Laid-open No. 2014-138380 is an attack detecting technology considering communications inside a vehicle system, and what is disclosed by Japanese Patent Application Laid-open No. 2014-168219 is an attack detecting technology for an external apparatus accessing the internal units of a vehicle; none of the above technologies is capable of determining whether information transmitted from an outside is valid.
  • As a technology to verify the validity of transmitted information, electronic signatures are available. With electronic signatures, however, it is only possible to verify the falsification of transmitted information and the spoofing of transmitters; verifying the validity of the transmitted information itself is not possible.
  • Patent Document 1: Japanese Patent Application Laid-open No. 2014-138380
  • Patent Document 2: Japanese Patent Application Laid-open No. 2014-168219
  • Patent Document 3: Japanese Patent Application Laid-open No. 2010-250607
  • SUMMARY OF THE INVENTION
  • In view of the above problems, the present invention has an object of providing a technology by which it is possible to detect an attack by communication in a system in which vehicles receive information from an outside through the communication.
  • In order to achieve the above object, the present invention compares traffic information received by vehicles through wireless communication with sensor information acquired by the vehicles through their own sensors and determines that the traffic information is invalid when the traffic information and the sensor information are inconsistent with each other.
  • Traffic information is any information associated with traffic and includes information on vehicles such as positions, movement speeds and movement directions of vehicles, information on traffic signals, information on obstacles on roads, information on traffic jams, information on road-surface conditions, etc.
  • For example, there is a case in which sensor information indicates that nothing exists at a position but traffic information indicates that a vehicle exists at the position. In this case, there is a high possibility that the traffic information and the sensor information are inconsistent with each other and the traffic information is invalid. Here, the position of the vehicle is just an example. The verification of the validity of traffic information using sensor information is possible so long as the traffic information can be generated based on the sensor information.
  • A first aspect of the present invention provides a system for detecting attack having a server and a plurality of vehicles capable of wirelessly communicating with each other. Each of the plurality of vehicles has a sensor, a sensor information acquisition unit adapted to acquire sensor information from the sensor, a traffic information reception unit adapted to receive traffic information through wireless communication, and a transmission unit adapted to transmit the sensor information and the traffic information to the server. The server has a reception unit adapted to receive the sensor information and the traffic information from at least any of the plurality of vehicles, a verification unit adapted to verify whether the sensor information and the traffic information are inconsistent with each other, and a notification unit adapted to notify, when the sensor information and the traffic information are inconsistent with each other, at least any of the plurality of vehicles of the inconsistency between the sensor information and the traffic information. Here, traffic information and sensor information compared with each other may be information acquired by the same vehicle or information acquired by different vehicles.
  • As described above, a vehicle transmits acquired traffic information and sensor information to a server, and the server performs the analysis of the information. Thus, an attack by the traffic information may be detected.
  • In the first aspect, the notification unit may be adapted to notify at least any of the plurality of vehicles of signature information indicating characteristics of the traffic information inconsistent with the sensor information, and each of the plurality of vehicles may have a storage unit adapted to store the signature information received from the server and may not rely on the traffic information consistent with the signature information notified from the notification unit.
  • According to this configuration, each vehicle is allowed to detect an attack detected by a server.
  • Signature information is information indicating the characteristics of traffic information. For example, when traffic information includes the identifier of the transmitter of the traffic information, the identifier of the transmitter of the traffic information may be employed as signature information.
  • In addition, in the first aspect, the traffic information preferably includes a position of an object existing on a road, and the verification unit is preferably adapted to determine the inconsistency between the sensor information and the traffic information when being able to estimate from the sensor information that the object does not exist at the position of the object indicated by the traffic information. Here, an object existing on a road includes a vehicle, an obstacle, or the like. When the transmitter of traffic information is a vehicle, information indicating the position of the transmitter's vehicle corresponds to the traffic information and the transmitter's vehicle itself corresponds to an object existing on a road.
  • It is possible to sense the presence or absence and the position of an object existing on a road with, for example, cameras (a visible light camera and an infrared camera), radars (a millimeter-wave radar, a quasi-millimeter-wave radar, and a near-infrared laser radar), and ultrasonic sonar equipment. Accordingly, the inconsistency between traffic information and sensor information may be determined when the existence of an object at a position indicated by traffic information is not confirmed by the sensor information. In addition, the inconsistency between traffic information and sensor information may be determined when it is understandable from the sensor information that an object different from an object (for example, a vehicle) of a type indicated by the traffic information exists even in a case in which any object exists at a position indicated by the traffic information.
  • In the first aspect, the traffic information may further include at least any of a movement speed and a movement direction of the object, and the verification unit may be adapted to determine the inconsistency between the sensor information and the traffic information when being able to estimate from the sensor information that one of a movement speed and a movement direction of the object existing at the position of the object indicated by the traffic information is inconsistent with one of the movement speed and the movement direction indicated by the traffic information.
  • In the first aspect, the traffic information may include information on a road condition, and the verification unit may be adapted to determine the inconsistency between the sensor information and the traffic information when the road condition indicated by the traffic information is inconsistent with a road condition acquired from the sensor information. A road condition includes road-surface conditions such as the presence or absence of traffic jams, the presence or absence of road constructions, traffic lane limitations, and the icing of roads.
  • A second aspect of the present invention provides a system for detecting an attack including: a first acquisition unit adapted to acquire sensor information acquired from a sensor of a vehicle; a second acquisition unit adapted to acquire traffic information received by the vehicle through wireless communication; and a verification unit adapted to verify whether the sensor information and the traffic information are inconsistent with each other.
  • The system according to the second aspect does not limit its configurations and acquisition method so long as it is capable of acquiring sensor information and traffic information. For example, each of the above units of the system may be provided in an apparatus different from a vehicle, and sensor information and traffic information may be acquired from the vehicle through wireless communication. Alternatively, each of the units of the system may be provided in a vehicle, and sensor information and traffic information may be acquired from a sensor and a wireless communication unit installed in the vehicle.
  • A third aspect of the present invention provides a vehicle including: a sensor; a sensor information acquisition unit adapted to acquire sensor information from the sensor; a traffic information reception unit adapted to receive traffic information through wireless communication; a transmission unit adapted to transmit the sensor information and the traffic information to a server; and a verification unit adapted to verify whether the sensor information and the traffic information are inconsistent with each other.
  • According to the third aspect, a vehicle determines whether traffic information is valid based on its own sensor information.
  • In the third aspect, the vehicle preferably further includes a notification unit adapted to transmit signature information indicating characteristics of the traffic information determined by the verification unit to be inconsistent with the sensor information to one of the circumjacent vehicle and the server.
  • According to this configuration, circumjacent vehicles may be notified of the existence of invalid traffic information directly or via a server.
  • Note that the present invention may be regarded as a system for detecting an attack, a vehicle, or a server having at least some of the above units. In addition, the present invention may be regarded as a method in which at least some of processing by the above units is performed. Moreover, the present invention may be regarded as a computer program for causing a computer to perform the method or may be regarded as a computer-readable storage medium storing the computer program permanently. Each of the above units and the processing may be combined with each other to a maximum extent to constitute the present invention.
  • According to an embodiment of the present invention, it is possible to detect an attack by communication in a system in which vehicles receive information from an outside.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram showing the outline of the system of a first embodiment;
  • FIGS. 2A and 2B are a function block diagram of a vehicle and a function block diagram of a server, respectively;
  • FIGS. 3A and 3B are a diagram showing the message format of traffic information and the message format of sensor information, respectively;
  • FIG. 4 is a flowchart showing the operations of the vehicle in the first embodiment;
  • FIG. 5 is a flowchart showing traffic information verification processing by the vehicle in the first embodiment;
  • FIG. 6 is a flowchart showing traffic information verification processing by the server in the first embodiment;
  • FIG. 7 is a diagram showing the outline of the system of a second embodiment;
  • FIG. 8 is a flowchart showing traffic information verification processing by a vehicle in the second embodiment;
  • FIG. 9 is a diagram showing the outline of the system of a third embodiment; and
  • FIGS. 10A and 10B are a diagram for describing an attack on the communication system between vehicles and a diagram for describing a method for detecting the attack, respectively.
  • DESCRIPTION OF THE EMBODIMENTS
  • Outline of System
  • Automatic driving vehicles control themselves using sensor information acquired from their own sensors and traffic information acquired from circumjacent vehicles or roadside machines through communication. Attacks on such automatic driving vehicles by the transmission of invalid traffic information to cause traffic snarls are assumed.
  • As shown in, for example, FIG. 10A, it is assumed that a roadside machine X transmits traffic information on the existence of a vehicle Y that does not actually exist to a vehicle A entering an intersection (1001). When the vehicle A is not allowed to sense the existence of the vehicle Y by its own sensor due to the poor view of the intersection (1002), the vehicle A is forced to remain waiting to enter the intersection.
  • In such a circumstance, as shown in FIG. 10B, a vehicle B approaching the intersection from another direction is allowed to sense the fact that the vehicle Y whose existence is notified by the traffic information from the roadside machine X does not actually exist by its own sensor (1003). That is, the vehicle B is allowed to determine that the traffic information transmitted from the roadside machine X is invalid. Therefore, when the vehicle B notifies the vehicle A of the fact that the vehicle Y does not actually exist, the vehicle A is allowed to perform automatic driving without relying on the traffic information from the roadside machine X.
  • The above example assumes a case in which a roadside machine transmits invalid traffic information, but vehicles or other wireless communication machines may transmit invalid traffic information. In addition, control using traffic information transmitted from circumjacent objects is not limited to automatic driving but may include driving assistance and any other control.
  • First Embodiment
  • Configuration
  • This embodiment describes a system for detecting an attack that detects invalid traffic information transmitted to vehicles. As shown in FIG. 1, the system is constituted by a plurality of vehicles 100 and a server 200 capable of wirelessly communicating with each other.
  • In the first embodiment, each of the plurality of vehicles 100 transmits traffic information received from circumjacent objects and sensor information acquired by its own sensor to the server 200. The server 200 accumulates the traffic information and the sensor information collected from the vehicles 100 and specifies traffic information inconsistent with the sensor information (hereinafter called invalid traffic information). The server 200 specifies signature information indicating the characteristics of the invalid traffic information and notifies the vehicles 100 of the same. The vehicles 100 have an intrusion detection system (IDS) or an intrusion prevention system (IPS) and detect the invalid traffic information using the signature information notified from the server 200.
  • Vehicle
  • FIG. 2A is a block diagram showing the configurations of the vehicle 100. As shown in FIG. 2A, the vehicle 100 has a sensor group 102, a wireless communication unit 104, a vehicle control unit 106, a memory 108, a sub-storage unit 110, and a calculation processing unit 112.
  • The sensor group 102 includes a plurality of sensors used to acquire the inner statuses of the vehicle and environmental conditions around the vehicle. The sensors used to acquire the inner statuses of the vehicle include a position information sensor, a direction sensor, a speed sensor, an acceleration sensor, a yaw rate sensor, a steering angle sensor, an accelerator opening sensor, a braking pressure sensor, an engine rotational speed sensor, or the like. The sensors used to acquire environmental conditions around the vehicle include cameras (a visible light camera and an infrared camera), radars (a millimeter-wave radar, a quasi-millimeter-wave radar, and a near-infrared laser radar), ultrasonic sonar equipment, illumination sensors, or the like.
  • The wireless communication unit 104 is a unit used to wirelessly communicate with other vehicles 100 and the server 200. The standard of wireless communication is not limited to a specific system, and wireless LAN (IEEE 802.11a/b/g/n/ac), Mobile WiMAX (IEEE 802.16e), iBurst, WAVE (IEEE 802.20), DSRC (Dedicated Short Range Communication), mobile telephone communication (3G and LTE), or the like is available as such. The wireless communication unit may be used alone to communicate with other vehicles 100 and the server 200, or different wireless communication units may be used to separately communicate with other vehicles 100 and the server 200.
  • The vehicle control unit 106 is constituted by one or a plurality of electronic control units (ECUs) that performs control to drive an engine (a driving force), steering, braking, or the like.
  • The memory 108 is a main storage unit such as a random access memory (RAM). The sub-storage unit 110 is a magnetic disc, a semi-conductor memory, or the like. The vehicle 100 preferably includes, besides these units, input units such as a touch panel and a button and output units such as a display and a speaker.
  • The calculation processing unit 112 is a processor such as a central processing unit (CPU) and a micro processing unit (MPU) and realizes various functions by reading a program stored in the sub-storage unit 110 into the memory 108 and running the same. The calculation processing unit 112 realizes, for example, the respective functions of a sensor information acquisition unit 114, a traffic information transmission unit 115, a traffic information reception unit 116, an information upload unit 118, a signature information reception unit 120, an attack detecting unit 122, and a cryptographic processing unit 124. However, some or all of these functions may be realized by an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), or the like. In addition, the calculation processing unit 112 is not necessarily constituted by a single processor but may be constituted by a plurality of processors. For example, the cryptographic processing unit 124 is preferably mounted by a dedicated security chip.
  • The sensor information acquisition unit 114 acquires sensor information from the sensor group 102 periodically or as occasion demands. The acquired sensor information is stored in the memory 108 and the sub-storage unit 110 (hereinafter collectively called a storage unit).
  • The traffic information transmission unit 115 transmits traffic information generated based on sensor information acquired by the sensor information acquisition unit 114. The traffic information may be any information on traffic. An example of the traffic information is information on the vehicle such as a position, a movement speed, and a movement direction of the vehicle, information on traffic signals, information on obstacles on roads, information on traffic jams, and information on road-surface conditions. In the first embodiment, the traffic information transmission unit 115 periodically transmits traffic information 30 in a format shown in FIG. 3A.
  • The transmitted traffic information 30 includes a transmission source ID 31, a destination ID 32, a transmission time 33, position information 34, a movement speed 35, a movement direction 36, and a vehicle status 37, and also includes an electronic signature 38 for this information. The transmission source ID 31 is an identifier used to identify a vehicle that transmits the traffic information 30. The destination ID 32 is an identifier used to identify a destination vehicle of the traffic information 30. When the traffic information 30 is to be broadcast, a value indicating that the traffic information 30 is broadcasting information is stored in the destination ID 32. The transmission time 33 is a time at which the traffic information 30 is generated. The position information 34 is, for example, information acquired from a position information sensor such as a global positioning system (GPS) and expressed in a format using a latitude, a longitude, and an altitude or a format using a map code. The movement speed 35 is a movement speed of the vehicle 100 acquired from a speed sensor. The movement direction 36 is a movement direction of the vehicle 100 acquired from a direction sensor. The vehicle status 37 is information indicating any other statuses of the vehicle 100. The electronic signature 38 is added to detect spoofing and falsification. As the electronic signature 38, a digital signature based on a public encryption system is, for example, available.
  • The traffic information reception unit 116 receives traffic information from circumjacent vehicles and roadside machines via the wireless communication unit 104. When an electronic signature is added to the traffic information, the cryptographic processing unit 124 verifies the electronic signature. In addition, the attack detecting unit 122 verifies whether the received traffic information is valid. The traffic information determined to be valid is stored in the storage unit and used for vehicle control such as automatic driving.
  • The information upload unit 118 transmits (uploads) sensor information acquired by the sensor information acquisition unit 114 and traffic information received by the traffic information reception unit 116 to the server 200 via the wireless communication unit 104. The traffic information may be uploaded in a format the same as or different from a format with which the traffic information is transmitted to the vehicle (FIG. 3A).
  • The format of the uploaded sensor information is shown in FIG. 3B. Uploaded sensor information 40 includes a transmission source ID 41, a destination ID 42, a transmission time 43, position information 44, a sensing time 45, a sensing position 46, and sensor information 47, and also includes an electronic signature 48 for this information. The transmission source ID 41, the destination ID 42, the transmission time 43, the position information 44, and the electronic signature 48 are the same as those included in the traffic information 30. The sensing time 45 is a time at which the sensor information 47 is acquired. The sensing position 46 is a position of the vehicle 100 at a time at which the sensor information 47 is acquired. The sensor information 47 is sensor information acquired from the sensor group 102. Here, the embodiment describes an example in which only one piece of sensor information is stored in one message and transmitted, but a plurality of pieces of sensor information may be stored in one message and transmitted. In this case, a plurality of pieces of sensor information having almost the same sensing time and the same sensing position may be collectively transmitted, or a sensing time and a sensing position may be stored for each piece of sensor information to collectively transmit any sensor information.
  • The signature information reception unit 120 receives signature information (different from an electronic signature) indicating the characteristics of invalid traffic information from the server 200. The received signature information is stored in the storage unit and used when the attack detecting unit 122 detects invalid information.
  • The attack detecting unit 122 detects invalid information from information received through wireless communication. Specifically, the attack detecting unit 122 determines that information consistent with signature information stored in the storage unit is invalid information.
  • The cryptographic processing unit 124 performs the addition and verification of electronic signatures, encryption processing, decryption processing, or the like. Since electronic signatures based on a public encryption system are used in the first embodiment, the cryptographic processing unit 124 performs the addition and verification of the electronic signatures. By the cryptographic processing unit 124, the vehicle is allowed to verify whether traffic information transmitted from circumjacent vehicles 100 and signature information transmitted from the server 200 are valid. In addition, the cryptographic processing unit 124 adds electronic signatures to traffic information that is to be transmitted to circumjacent vehicles 100 and sensor information and traffic information that are to be transmitted to the server 200.
  • Server
  • FIG. 2B is a block diagram showing the configurations of the server 200. As shown in FIG. 2B, the server 200 is a general-purpose computer and has a wireless communication unit 204, a memory 208, an auxiliary storage unit 210, and a calculation processing unit 212. Since the configurations of the server 200 are the same as those of the vehicle 100, their descriptions will be omitted.
  • The calculation processing unit 212 realizes the functions of a sensor information collection unit 214, a traffic information collection unit 216, a traffic information verification unit 218, a signature information determination unit 220, a signature information transmission unit 222, and a cryptographic processing unit 224.
  • The sensor information collection unit 214 receives sensor information transmitted from the vehicle 100 via the wireless communication unit 204 and stores the same in a storage unit. The traffic information collection unit 216 receives traffic information transmitted from the vehicle 100 via the wireless communication unit 204 and stores the same in the storage unit.
  • The traffic information verification unit 218 verifies whether traffic information collected by the traffic information collection unit 216 is inconsistent with sensor information collected by the sensor information collection unit 214. The inconsistency between traffic information and sensor information corresponds to, for example, a case in which the traffic information indicates the existence of a vehicle at a certain position but the sensor information indicates nothing or the existence of any object other than the vehicle at the position. In addition, the inconsistency between traffic information and sensor information also corresponds to a case in which a vehicle exists at a position indicated by the traffic information but a movement speed or a movement direction of the vehicle indicated by the traffic information is different from a movement speed or a movement direction of the vehicle indicated by the sensor information.
  • Verification processing by the traffic information verification unit 218 is briefly described here since it will be described in detail with a flowchart later. The traffic information verification unit 218 verifies whether associated sensor information is consistent with traffic information for each of the traffic information collected by the traffic information collection unit 216. The traffic information verification unit 218 determines that traffic information is invalid when there is a lot of sensor information inconsistent with the traffic information.
  • The signature information determination unit 220 determines signature information indicating the characteristics of traffic information determined to be invalid by the traffic information verification unit 218. In other words, it can be said that the signature information is information in which the pattern of invalid information is defined. For example, when a certain vehicle transmits invalid traffic information, the signature information determination unit 220 determines as the signature information a pattern in which the transmission source ID 31 equals the ID of the vehicle. In addition, when a plurality of vehicles having different IDs transmits, for example, traffic information in which the position information 34, the movement speed 35, and the movement direction 36 have specific values, the signature information determination unit 220 may determine as the signature information a pattern in which these fields have the specific values. The signature information may be of any type so long as it is capable of specifying invalid traffic information.
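The server-side check and signature derivation described above can be sketched as follows. This is an added example, not code from the patent: the tolerances, the "at least two contradicting reports and a majority" rule, the local x/y coordinate frame, the sensor range field and the reduction of sensor information 47 to a list of detected objects are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import hypot

TIME_TOL_S = 1.0     # assumed: max gap between sensing time 45 and transmission time 33
POS_TOL_M = 3.0      # assumed: max distance between claimed and sensed object
SPEED_TOL_MPS = 2.0  # assumed: max speed difference still treated as consistent
MIN_REPORTS = 2      # assumed reading of "a lot of" inconsistent sensor information

@dataclass(frozen=True)
class TrafficInfo:        # subset of traffic information 30 (FIG. 3A)
    source_id: str        # transmission source ID 31
    time: float           # transmission time 33, seconds
    x: float              # position information 34, local metres (assumed frame)
    y: float
    speed: float          # movement speed 35, m/s

@dataclass(frozen=True)
class Detection:          # one object extracted from sensor information 47 (assumed form)
    x: float
    y: float
    kind: str             # "vehicle", "obstacle", ...
    speed: float

@dataclass(frozen=True)
class SensorReport:       # subset of uploaded sensor information 40 (FIG. 3B)
    source_id: str        # transmission source ID 41
    sensing_time: float   # sensing time 45
    x: float              # sensing position 46
    y: float
    range_m: float        # assumed: radius the sensor could observe
    detections: tuple = ()

def covers(report, info):
    """True when the report observed the claimed position at about the claimed time."""
    return (abs(report.sensing_time - info.time) <= TIME_TOL_S
            and hypot(report.x - info.x, report.y - info.y) <= report.range_m)

def contradicts(report, info):
    """True when no sensed vehicle matches the claimed position and speed."""
    for d in report.detections:
        near = hypot(d.x - info.x, d.y - info.y) <= POS_TOL_M
        if near and d.kind == "vehicle" and abs(d.speed - info.speed) <= SPEED_TOL_MPS:
            return False
    return True   # nothing there, a non-vehicle object, or a vehicle at another speed

def verify(info, reports):
    """Return 'invalid', 'valid' or 'unverified' for one traffic information message."""
    # A sender does not sense itself, so its own report cannot confirm its own claim.
    relevant = [r for r in reports if r.source_id != info.source_id and covers(r, info)]
    if not relevant:
        return "unverified"          # nobody had a view of the claimed position
    bad = sum(contradicts(r, info) for r in relevant)
    if bad >= MIN_REPORTS and bad > len(relevant) / 2:
        return "invalid"
    return "valid" if bad == 0 else "unverified"

def derive_signature(invalid):
    """Pattern for invalid messages: a shared sender ID, else shared field values."""
    senders = {m.source_id for m in invalid}
    if len(senders) == 1:
        return {"source_id": senders.pop()}
    fields = {(m.x, m.y, m.speed) for m in invalid}
    if len(fields) == 1:
        x, y, speed = fields.pop()
        return {"x": x, "y": y, "speed": speed}
    return None

# Constructed sample for the FIG. 10 scenario: roadside machine X announces a
# vehicle Y at (0, 40) that no vehicle with a view of that spot can sense.
CLAIM = TrafficInfo("roadside-X", 100.0, 0.0, 40.0, 8.0)
REPORTS = [
    SensorReport("vehicle-A", 100.2, 0.0, -60.0, 50.0),       # poor view: out of range
    SensorReport("vehicle-B", 100.1, 30.0, 40.0, 60.0),       # sees the spot, nothing there
    SensorReport("vehicle-C", 99.8, -20.0, 45.0, 60.0,
                 (Detection(0.5, 40.0, "obstacle", 0.0),)),   # an object, but not a vehicle
]
HONEST = TrafficInfo("vehicle-D", 100.0, 10.0, 0.0, 12.0)
HONEST_REPORTS = [
    SensorReport("vehicle-B", 100.1, 30.0, 40.0, 60.0,
                 (Detection(10.5, 0.5, "vehicle", 11.5),)),
]

if __name__ == "__main__":
    print(verify(CLAIM, REPORTS), derive_signature([CLAIM]))
    print(verify(HONEST, HONEST_REPORTS))
```

The "unverified" outcome keeps a single dissenting report, or a claim about a position nobody observed, from being treated as proof either way.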
  • The signature information transmission unit 222 transmits signature information on invalid traffic information determined by the signature information determination unit 220 to the vehicle 100 via the wireless communication unit 204. Thus, the attack detecting unit 122 of the vehicle 100 is allowed to detect an attack based on the latest signature information.
  • The cryptographic processing unit 224 performs the addition and verification of electronic signatures, encryption processing, decryption processing, or the like. By the cryptographic processing unit 224, the server 200 is allowed to verify whether traffic information and sensor information transmitted from the vehicle 100 are valid. In addition, the cryptographic processing unit 224 adds electronic signatures to signature information that is to be transmitted to the vehicle 100.
  • Processing Operations of Vehicle
  • A description will be given of processing by the vehicle 100 with reference to the flowcharts of FIGS. 4 and 5. Note that although each of the processing is successively performed in the flowcharts, the processing may not be necessarily performed in this order but may be performed in different orders or in parallel.
  • First, the sensor information acquisition unit 114 acquires sensor information from the sensor group 102 (S101). Note that the acquisition of sensor information is periodically performed. The time interval of the acquisition may be different for each sensor or may be the same for all sensors. The sensor information acquisition unit 114 stores the acquired sensor information in the storage unit.
  • Then, the traffic information reception unit 116 receives traffic information from other vehicles via the wireless communication unit 104 (S102). The vehicle 100 performs the verification processing of the received traffic information (S103). A description will be given in detail of the verification processing S103 of the traffic information with reference to the flowchart of FIG. 5. First, the vehicle 100 verifies the electronic signature 38 of the traffic information using the cryptographic processing unit 124 (S201). When the verification fails (NO in S202), the content of the information is falsified and thus the vehicle 100 is allowed to determine that the received traffic information is invalid (S206). On the other hand, when the verification of the signature is successful (YES in S202), it turns out that the content of the information is neither falsified nor spoofed. However, even in this case, there is a possibility that the content of the traffic information is invalid. Therefore, the attack detecting unit 122 verifies the traffic information using signature information (S203). The attack detecting unit 122 finds out whether the traffic information is consistent with the signature information. When the traffic information matches with the signature information (YES in S204), the attack detecting unit 122 determines that the traffic information is invalid (S206). On the other hand, when the received traffic information does not match with the signature information (NO in S204), the attack detecting unit 122 is allowed to determine that the received traffic information is valid (S205).
  • Reference is again made to the flowchart of FIG. 4. When it, is determined by the traffic information verification processing S103 that the traffic information is invalid (NO in S104), the vehicle 100 discards the received traffic information (S105). When it is determined that the traffic information is valid (YES in S104), the vehicle 100 receives the traffic information as it is.
  • The vehicle control unit 106 performs the automatic driving control of the vehicle 100 using the sensor information acquired from the sensor group 102 and the traffic information whose validity has been verified. Note that in the processing of the flowchart of FIG. 4, the vehicle 100 determines whether the traffic information is valid. When it is determined that the traffic information is invalid, the vehicle 100 discards the traffic information and does not use the same for the control. However, rather than discarding the traffic information, the vehicle 100 may use the traffic information for the control with the recognition that the traffic information is unreliable. For example, when unreliable traffic information is acquired, the vehicle 100 may confirm whether the traffic information is valid based on sensor information acquired from the sensor group 102 or may perform sensing again with the sensor group 102. In addition, the vehicle 100 may decelerate or take avoidance action in advance for safety with the recognition that the traffic information is invalid. Moreover, in the processing of the flowchart of FIG. 4, the vehicle 100 makes an alternative decision as to whether the traffic information is valid or invalid. However, the vehicle 100 may evaluate the possibility of the validity of traffic information at three or more levels and use the traffic information for the automatic driving control in consideration of its evaluation value (reliability).
  • The vehicle 100 determines whether now is the time to upload the information to the server 200 (S107). When now is the time to upload the information (YES in S107), the information upload unit 118 transmits the sensor information acquired by the sensor information acquisition unit 114 and the traffic information received by the traffic information reception unit 116 to the server 200 (S108). The time to upload the information to the server 200 is not particularly limited. For example, the information upload unit 118 may transmit the information at any time at which the vehicle 100 is capable of communicating with the server 200, or may transmit the information on the condition that the vehicle 100 stops. In addition, the information upload unit 118 may collectively upload the sensor information and the traffic information when the engine of the vehicle 100 stops.
  • Operations of Server
  • A description will be given of processing by the server 200 with reference to the flowchart of FIG. 6. Note that although each of the processing is successively performed in the flowchart, the processing may not be necessarily performed in this order but may be performed in different orders or in parallel.
  • The sensor information collection unit 214 receives sensor information from the vehicle 100 via the wireless communication unit 204 (S301) and stores the same in the storage unit. Then, the traffic information collection unit 216 receives traffic information from the vehicle 100 via the wireless communication unit 204 (S302) and stores the same in the storage unit. Although not shown in the flowchart, the server 200 preferably verifies the electronic signatures 38 and 48 of the traffic information and the sensor information by the cryptographic processing unit 224 and discards the traffic information and sensor information when the verification of the electronic signatures fails.
  • The traffic information verification unit 218 selects traffic information that has not been verified from among the received traffic information (S303). When there is a plurality of unverified traffic information, selection of the information may be made on any basis. The traffic information verification unit 218 finds out whether the selected traffic information is inconsistent with the sensor information to verify the validity of the traffic information.
  • Specifically, the traffic information verification unit 218 first selects sensor information having an acquisition time and an acquisition position (the sensing time 45 and the sensing information 46) close to the transmission time and the transmission position (the transmission time 33 and the transmission information 34) of the selected traffic information (S304). This processing aims to narrow down sensor information capable of verifying the validity of information indicated by traffic information. Accordingly, sensor information having a position and a time “close” to the position and the time of traffic information indicates sensor information by which the validity of information indicated by the traffic information may be determined with a high possibility. For example, when traffic information notifying the existence of a vehicle is verified, sensor information acquired from the vehicle running on the same road at almost the same time is selected.
  • The traffic information verification unit 218 determines whether each of the sensor information selected in step S304 is inconsistent with the traffic information selected in step S303 (S305). For example, for the existence of a vehicle, when the existence of the vehicle at a position indicated by traffic information is estimated from sensor information, the traffic information verification unit 218 may determine that the traffic information is consistent with the sensor information. On the other hand, when nothing exists at a position indicated by traffic information or when the existence of any object other than a vehicle is estimated, the traffic information verification unit 218 may determine that the traffic information is inconsistent with sensor information. In addition, when the existence of a vehicle at a position indicated by traffic information is not clear from sensor information, the traffic information verification unit 218 determines in the embodiment that the traffic information is consistent with the sensor information.
  • Here, the embodiment describes the verification of position information on a vehicle, but the traffic information verification unit 218 also determines whether a speed or a movement direction of the vehicle is consistent with sensor information. When a movement speed or a movement direction of a vehicle existing at a position indicated by traffic information is different from a movement speed or a movement direction of the vehicle acquired from sensor information, the traffic information verification unit 218 determines that the traffic information is inconsistent with the sensor information. That is, when any of traffic information is inconsistent with sensor information, the traffic information verification unit 218 determines that the traffic information is inconsistent with the sensor information.
  • When the comparison between all the sensor information selected in step S304 and the traffic information is completed, the traffic information verification unit 218 determines whether the number of the sensor information inconsistent with the traffic information is a prescribed number or more (S306). Here, the prescribed number may be a fixed value set in advance. However, the prescribed number may be a value corresponding to the number of the sensor information acquired in step S304 or may be a value corresponding to the number of the sensor information consistent with the traffic information among the sensor information acquired in step S304.
  • When it is determined in step S306 that there is a lot of sensor information inconsistent with the traffic information (YES in S306), the traffic information verification unit 218 determines that the traffic information is invalid. This determination may be made based on whether the number of inconsistent sensor information (simple sum) is a prescribed number or more. However, it is more preferable to put weight on each of sensor information according to its information quality to make a determination based on whether the sum of the weight of inconsistent sensor information is a prescribed number or more. The signature information determination unit 220 determines signature information indicating the characteristics of the invalid traffic information (S307). For example, the signature information determination unit 220 may determine the transmission source ID 31 of the invalid traffic information as the signature information. The signature information transmission unit 222 transmits the determined signature information to the vehicle 100 via the wireless communication unit 204 (S308). Thus, the vehicle 100 is allowed to detect the invalid traffic information using the transmitted signature information.
  • When it is determined in step S306 that there is a small number of sensor information inconsistent with the traffic information (NO in S306), the traffic information verification unit 218 determines that the traffic information is valid. Therefore, the determination and transmission processing of signature information is not performed.
  • In the way described above, the processing on the traffic information selected in step S303 is completed. When any unverified traffic information exists (YES in S309), the processing returns to step S303 to perform the same processing as the above on the unverified traffic information. When the verification processing on all the traffic information is completed (NO in S309), the processing is completed.
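The server-side check in steps S304 to S308, as an added example in Python (not code from the patent). The data classes, the tolerances and threshold, and the sample reports are assumptions constructed for illustration; the text itself leaves "close" and the prescribed number open.

```python
from dataclasses import dataclass
from math import hypot

# Assumed tuning values; the text does not fix any of them.
MAX_DT_S = 2.0          # S304: sensing time within 2 s of the transmission time
MAX_DIST_M = 150.0      # S304: sensing vehicle within 150 m of the claimed position
MATCH_RADIUS_M = 5.0    # a detection this near the claimed position is the claimed object
SPEED_TOL = 3.0         # m/s
HEADING_TOL = 20.0      # degrees
WEIGHT_THRESHOLD = 1.5  # S306: prescribed weighted sum of inconsistent reports


@dataclass(frozen=True)
class TrafficInfo:
    source_id: str      # transmission source ID 31
    t: float            # transmission time, seconds
    x: float            # claimed position, metres on a local grid
    y: float
    speed: float        # m/s
    heading: float      # degrees


@dataclass(frozen=True)
class Detection:
    x: float
    y: float
    kind: str           # "vehicle", "pedestrian", ...
    speed: float
    heading: float


@dataclass(frozen=True)
class SensorReport:
    reporter_id: str
    t: float            # sensing time
    x: float            # position of the sensing vehicle
    y: float
    range_m: float      # how far its sensors reach
    quality: float      # weight given to this report in S306
    detections: tuple = ()


def select_nearby(msg, reports):
    """S304: keep reports sensed close in time and place to the message."""
    return [r for r in reports
            if abs(r.t - msg.t) <= MAX_DT_S
            and hypot(r.x - msg.x, r.y - msg.y) <= MAX_DIST_M]


def compare(msg, report):
    """S305: 'consistent', 'inconsistent' or 'unclear' for one sensor report."""
    if hypot(report.x - msg.x, report.y - msg.y) > report.range_m:
        return "unclear"                  # the claimed spot was not observable
    near = [d for d in report.detections
            if hypot(d.x - msg.x, d.y - msg.y) <= MATCH_RADIUS_M]
    vehicles = [d for d in near if d.kind == "vehicle"]
    if not vehicles:
        return "inconsistent"             # nothing there, or a non-vehicle object
    for d in vehicles:
        dh = abs((d.heading - msg.heading + 180.0) % 360.0 - 180.0)
        if abs(d.speed - msg.speed) <= SPEED_TOL and dh <= HEADING_TOL:
            return "consistent"
    return "inconsistent"                 # a vehicle is there but its motion differs


def verify(msg, reports):
    """S304-S306: weighted vote; 'unclear' counts as consistent, as in the text."""
    weight = sum(r.quality for r in select_nearby(msg, reports)
                 if compare(msg, r) == "inconsistent")
    return weight < WEIGHT_THRESHOLD, weight   # (valid?, inconsistent weight)


def signature_info(messages, reports):
    """S303-S308 loop: source IDs to distribute as signature information."""
    return sorted({m.source_id for m in messages if not verify(m, reports)[0]})


# Constructed sample data (not from the patent).
REPORTS = [
    SensorReport("A", 10.0, 80.0, 0.0, 60.0, 1.0,
                 (Detection(50.5, 0.2, "vehicle", 13.9, 90.0),)),
    SensorReport("B", 10.5, 120.0, 3.0, 40.0, 0.8,
                 (Detection(101.0, 1.0, "pedestrian", 1.2, 0.0),)),
    SensorReport("C", 10.2, 100.0, 140.0, 30.0, 1.0),  # cannot see either spot
    SensorReport("D", 30.0, 100.0, 5.0, 50.0, 1.0),    # stale: dropped in S304
]
GHOST = TrafficInfo("V-ghost", 10.0, 100.0, 0.0, 14.0, 90.0)
HONEST = TrafficInfo("V-ok", 10.0, 50.0, 0.0, 14.0, 90.0)
WRONG_WAY = TrafficInfo("V-ww", 10.0, 50.0, 0.0, 14.0, 270.0)

if __name__ == "__main__":
    for m in (GHOST, HONEST, WRONG_WAY):
        print(m.source_id, verify(m, REPORTS))
    print("signature information:", signature_info([GHOST, HONEST, WRONG_WAY], REPORTS))
```

With these values, a single dissenting report (the wrong-way case) stays below the threshold, so one witness alone does not put a sender on the signature list.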
  • Advantageous Effects of Embodiment
  • According to the first embodiment, a vehicle is allowed to determine that traffic information inconsistent with information (sensor information) acquired by its sensor is invalid traffic information, i.e., an attack. Even in a case in which a vehicle is not allowed to detect invalid traffic information with its own sensor information, the vehicle is allowed to detect an attack based on the inconsistency between the traffic information and sensor information on other vehicles via a server.
  • Since electronic signatures are added to traffic information, a vehicle is allowed to detect an attack by spoofing or falsification. However, a vehicle is not allowed to detect an attack using the mechanism of electronic signatures when any reasonable person intentionally or unintentionally transmits invalid traffic information. However, as in the first embodiment, a vehicle is allowed to detect such an attack using signature information on invalid traffic information.
  • In the first embodiment, a server verifies traffic information using sensor information. Such verification requires relatively high calculation ability. However, since a server has higher calculation ability than that of an in-vehicle unit, the server is capable of performing a complicated analysis.
  • Modified Example
  • In the above description, a vehicle makes an alternative decision as to whether traffic information is valid or invalid in the verification processing of the traffic information. However, the reliability of traffic information may be evaluated at three or more levels. For example, the traffic information verification unit 218 may determine the reliability of traffic information according to the number of sensor information inconsistent with the traffic information. In addition, when it is not possible to determine whether traffic information and sensor information are definitely inconsistent with each other or definitely consistent with each other, the reliability of the traffic information may be determined using the accuracy. For a vehicle, it is preferable to determine to what extent a vehicle relies on traffic information to control the vehicle according to the reliability of the traffic information. For example, a vehicle performs control while ignoring traffic information whose reliability is the lowest. On the other hand, a vehicle may perform control on the assumption that traffic information with intermediate reliability is possibly valid or invalid.
  • The above embodiment describes a case in which traffic information transmitted from a vehicle includes a position, a movement speed, and a movement direction of the vehicle. However, information included in traffic information is not limited so long as it is associated with traffic. For example, information on traffic signals, information on obstacles existing on roads, information on traffic jams, information on road-surface conditions, or the like may be transmitted. Any traffic information transmitted from a vehicle is one capable of being generated based on sensor information on the vehicle. Accordingly, the validity of such traffic information may be verified in such a way that the traffic information is compared with sensor information on a vehicle.
  • The above embodiment describes a case in which a vehicle performs automatic driving control using traffic information transmitted from circumjacent objects. However, a vehicle may perform any control based on traffic information. For example, a vehicle may perform driving assistance control, information providing control for the passengers of the vehicle, or the like based on traffic information.
  • Second Embodiment
  • A second embodiment of the present invention describes a case in which invalid traffic information is detected only by a vehicle without a server. The configurations of a vehicle according to the second embodiment are the same as those shown in FIG. 2A except that the vehicle has the same function as that of the traffic information verification unit 218 that verifies traffic information based on sensor information and the vehicle does not have a function to perform transmission/reception with a server.
  • FIG. 7 shows the outline of the system of the second embodiment. When receiving traffic information from a circumjacent vehicle 72, a vehicle 71 compares the received traffic information with sensor information acquired by its own sensor to verify whether the received traffic information is invalid. When the received traffic information is invalid, the vehicle 71 notifies circumjacent vehicles of the fact that the traffic information is invalid. A vehicle 73 having received the notification is allowed to know the fact that the traffic information is invalid. The system is effective particularly when the vehicle 71 is allowed to verify the validity of traffic information transmitted from the vehicle 72 but the vehicle 73 is not allowed to verify the traffic information with its own sensor information.
  • FIG. 8 is a flowchart showing the flow of traffic information verification processing by a vehicle in the second embodiment. The vehicle 71 verifies an electronic signature 38 of received traffic information with a cryptographic processing unit 124 (S401). When the verification fails (NO in S402), the content of the information is falsified or spoofed and thus the vehicle 71 is allowed to determine that the received traffic information is invalid (S407). On the other hand, when the verification of the signature is successful (YES in S402), it turns out that the content of the information is neither falsified nor spoofed. Even in this case, there is a possibility that the content of the traffic information is invalid. Therefore, an attack detecting unit 122 determines whether the received traffic information is consistent with invalid traffic information notified by a circumjacent vehicle (S403). Here, when the vehicle 71 has been already notified of the fact that the received traffic information is invalid (YES in S403), the vehicle 71 is allowed to determine that the received traffic information is invalid (S407). On the other hand, when the vehicle 71 has not been notified of the fact that the received traffic information is invalid (NO in S403), the vehicle 71 verifies whether the content of the received traffic information is inconsistent with sensor information acquired by its own sensor (S404). When the content of the received traffic information is inconsistent with the sensor information (YES in S404), the vehicle 71 is allowed to determine that the received traffic information is invalid. Then, the vehicle 71 notifies circumjacent vehicles of the fact that the traffic information is invalid (S405). Here, the vehicle 71 may notify the circumjacent vehicles of the transmission source ID of the invalid traffic information, the message ID of the invalid traffic information, or signature information as in the first embodiment. When the received traffic information is consistent with the sensor information (NO in S404), the vehicle 71 is allowed to determine that the traffic information is valid (S406).
  • According to the second embodiment, a vehicle is allowed to detect invalid traffic information and notify circumjacent vehicles of the invalid traffic information by itself without a server. Since the validity of traffic information is verified in real time by a vehicle without a server, the second embodiment is advantageous in that invalid traffic information is promptly notified.
  • Note that in the above processing, a vehicle notifies circumjacent vehicles of the fact that traffic information is invalid only when the traffic information is inconsistent with sensor information acquired by itself (NO in S404). However, a vehicle preferably transmits the above notification at any time when it is determined that traffic information is invalid.
  • Third Embodiment
  • A third embodiment of the present invention is almost the same as the second embodiment but is different in that the notification of invalid traffic information is transmitted not only from a vehicle but also from a server.
  • FIG. 9 shows the outline of the system of the third embodiment. When receiving traffic information from a circumjacent vehicle 92, a vehicle 91 compares the received traffic information with sensor information acquired by its own sensor to verify whether the received traffic information is invalid. When the received traffic information is invalid, the vehicle 91 notifies circumjacent vehicles of the fact that the traffic information is invalid. A vehicle 93 having received the notification is allowed to know the fact that the traffic information is invalid. The system is effective particularly when the vehicle 91 is allowed to verify the validity of traffic information transmitted from the vehicle 92 by its own sensor but the vehicle 93 is not allowed to verify traffic information with its own sensor information. The above point is the same as that of the second embodiment.
  • In the third embodiment, the vehicle transmits the existence of the invalid traffic information not only to the circumjacent vehicle 93 but also to a server 94. Then, the server 94 transmits the notification of the invalid traffic information to other vehicles 95.
  • In the second embodiment, only a vehicle 71 having detected the inconsistency between traffic information and sensor information is allowed to notify circumjacent vehicles of the invalid traffic information. However, since the server 94 transmits information on invalid traffic information (signature information or the like) in the third embodiment, vehicles in a wide range are allowed to be notified of the invalid traffic information.
  • Note that in the third embodiment, a server preferably verifies whether the notification of traffic information from a vehicle indicating the invalidity of the traffic information is valid. For example, when only some of vehicles receiving the same traffic information notify that the traffic information is invalid traffic information, the server may determine that this notification is invalid.
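The exchange described in the second and third embodiments (FIG. 8 steps S401 to S407, then the server relay with the notification check suggested above), as an added Python example that is not part of the patent. The class names, the 50% quorum, the assumption that the server knows which vehicles received a message, and the scenario are all hypothetical.

```python
from dataclasses import dataclass, field

QUORUM = 0.5   # assumed share of receivers that must accuse before the server relays


@dataclass(frozen=True)
class Msg:
    msg_id: str
    source_id: str
    sig_ok: bool   # outcome of S401; the cryptographic check is outside this example


@dataclass
class Vehicle:
    name: str
    blocked_sources: set = field(default_factory=set)  # signature information received

    def on_notice(self, source_id):
        self.blocked_sources.add(source_id)

    def handle(self, msg, sensor_inconsistent):
        """FIG. 8 order; returns (verdict, notice or None).
        sensor_inconsistent is the S404 result, or None when own sensors cannot tell."""
        if not msg.sig_ok:                          # S402 NO -> S407
            # The source ID is unauthenticated here, so this example sends no
            # ID-based notice for it (FIG. 8 notifies only in S405).
            return "invalid", None
        if msg.source_id in self.blocked_sources:   # S403 YES -> S407
            return "invalid", None
        if sensor_inconsistent:                     # S404 YES -> S405
            return "invalid", {"accuser": self.name, "msg_id": msg.msg_id,
                               "source_id": msg.source_id}
        return "valid", None                        # S406


@dataclass
class Server:
    receivers: dict = field(default_factory=dict)   # msg_id -> vehicles that received it
    accusers: dict = field(default_factory=dict)    # msg_id -> vehicles that accused it

    def saw(self, vehicle, msg_id):
        self.receivers.setdefault(msg_id, set()).add(vehicle)

    def on_notice(self, notice):
        """Return the source ID to relay, or None if too few receivers agree."""
        mid = notice["msg_id"]
        self.accusers.setdefault(mid, set()).add(notice["accuser"])
        seen = self.receivers.get(mid, set())
        votes = self.accusers[mid] & seen           # only known receivers count
        if seen and len(votes) / len(seen) >= QUORUM:
            return notice["source_id"]
        return None


def run_exchange():
    """Constructed scenario after FIG. 9: 92 lies, 91 sees it, 93 and 95 cannot."""
    v91, v93, v95 = Vehicle("V91"), Vehicle("V93"), Vehicle("V95")
    server = Server()
    for v in ("V91", "V93"):
        server.saw(v, "m1")
    verdict91, notice = v91.handle(Msg("m1", "V92", True), sensor_inconsistent=True)
    v93.on_notice(notice["source_id"])              # direct vehicle-to-vehicle notice
    relayed = server.on_notice(notice)              # 1 of 2 receivers accuses
    if relayed:
        v95.on_notice(relayed)
    # A lone accusation against a message that four vehicles received is not relayed.
    for v in ("V91", "V93", "V96", "V97"):
        server.saw(v, "m2")
    lone = server.on_notice({"accuser": "V97", "msg_id": "m2", "source_id": "V98"})
    later = Msg("m3", "V92", True)                  # next message from the same sender
    return {"v91": verdict91, "v93": v93.handle(later, None)[0],
            "v95": v95.handle(later, None)[0], "relayed": relayed, "lone": lone}


if __name__ == "__main__":
    print(run_exchange())
```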
  • Fourth Embodiment
  • It is also preferable to provide a system in which the first embodiment is combined with the second or the third embodiment. That is, it is also preferable to provide a system in which traffic information and sensor information are transmitted to a server so that the server detects invalid traffic information while a vehicle compares the traffic information with its own sensor information to detect the invalid traffic information.
  • Verification by a server has the advantage that the server is allowed to perform a higher analysis based on a lot of sensor information but also has the disadvantage that a vehicle requires a long time to be capable of detecting an attack using a verification result. On the other hand, verification by a vehicle has the advantage that the vehicle is allowed to promptly notify circumjacent vehicles of invalid traffic information although the vehicle performs an analysis based on only information acquired by its own sensor. According to the fourth embodiment, it is possible to provide a more effective system in which a vehicle and a server are complementary to each other.
  • Other Embodiments
  • The present invention is constituted by a general-purpose processor such as a micro processor and a central processing unit (CPU) and a computer having a program stored in a memory, and may be realized when the general-purpose processor runs the program. In addition, the present invention may be realized by a dedicated processor such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), and a digital signal processor (DSP). It can be said that each of a dedicated processor and a general-purpose processor running a program is a processor configured to provide a specific function or a processor configured to function as a specific function unit. In addition, some functions of the present invention may be provided by a general-purpose processor (and a program), and other functions may be realized by a dedicated processor. Moreover, one of the functions of the present invention may be realized by both a general-purpose processor (and a program) and a dedicated processor.
  • The above embodiments and the modified example are given only for illustration purpose in the present invention and do not intend to limit the present invention to their disclosed ranges. In addition, the constituent technologies described in the above embodiments and the modified example may be combined with each other to perform the present invention unless they are technologically contradictory to each other.

Claims (6)

What is claimed is:
1. A vehicle comprising:
a sensor; and
a processor configured to act as:
a sensor information acquisition unit adapted to acquire sensor information from the sensor;
a traffic information reception unit adapted to receive traffic information through wireless communication; and
a verification unit adapted to verify whether the sensor information and the traffic information are inconsistent with each other,
wherein
the traffic information is information that describes a road condition around the vehicle and is sent from an outside of the vehicle; and
the sensor information and the traffic information are determined to be inconsistent with each other when the road condition indicated by the traffic information and a road condition derived from the sensor information do not match.
2. The vehicle according to claim 1, wherein the processor further acts as a notification unit adapted to transmit signature information indicating a characteristic of the traffic information determined by the verification unit to be inconsistent with the sensor information, to one of a circumjacent vehicle and a server.
3. The vehicle according to claim 2, further comprising:
a storage unit adapted to store the signature information received from another vehicle or the server, wherein
the vehicle does not rely on the traffic information consistent with the received signature information.
4. The vehicle according to claim 2, wherein
the signature information on the traffic information is the identifier of the transmitter of the traffic information.
5. The vehicle according to claim 1, wherein
the road condition includes data indicating at least one of presence or absence of traffic jams, presence or absence of road constructions, traffic lane limitations, and icing of roads.
6. A method for detecting an attack, executed by a vehicle, the method comprising:
acquiring sensor information from the sensor;
receiving traffic information through wireless communication; and
verifying whether the sensor information and the traffic information are inconsistent with each other,
wherein
the traffic information is information that describes a road condition around the vehicle and is sent from an outside of the vehicle; and
the sensor information and the traffic information are determined to be inconsistent with each other when the road condition indicated by the traffic information and a road condition derived from the sensor information do not
US16/507,157 2015-07-30 2019-07-10 System and method for detecting attack when sensor and traffic information are inconsistent Abandoned US20190334924A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/507,157 US20190334924A1 (en) 2015-07-30 2019-07-10 System and method for detecting attack when sensor and traffic information are inconsistent

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2015-151086 2015-07-30
JP2015151086A JP6298021B2 (en) 2015-07-30 2015-07-30 Attack detection system and attack detection method
US15/210,392 US10397244B2 (en) 2015-07-30 2016-07-14 System and method for detecting attack when sensor and traffic information are inconsistent
US16/507,157 US20190334924A1 (en) 2015-07-30 2019-07-10 System and method for detecting attack when sensor and traffic information are inconsistent

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US15/210,392 Division US10397244B2 (en) 2015-07-30 2016-07-14 System and method for detecting attack when sensor and traffic information are inconsistent

Publications (1)

Publication Number Publication Date
US20190334924A1 (en) 2019-10-31

Family

ID=57882929

Family Applications (2)

Application Number Title Priority Date Filing Date
US15/210,392 Active 2037-04-27 US10397244B2 (en) 2015-07-30 2016-07-14 System and method for detecting attack when sensor and traffic information are inconsistent
US16/507,157 Abandoned US20190334924A1 (en) 2015-07-30 2019-07-10 System and method for detecting attack when sensor and traffic information are inconsistent

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US15/210,392 Active 2037-04-27 US10397244B2 (en) 2015-07-30 2016-07-14 System and method for detecting attack when sensor and traffic information are inconsistent

Country Status (4)

Country Link
US (2) US10397244B2 (en)
JP (1) JP6298021B2 (en)
CN (1) CN106407806B (en)
DE (1) DE102016114023A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022065546A1 (en) * 2020-09-24 2022-03-31 엘지전자 주식회사 Method for protecting v2x communication in wireless communication system
US11603110B2 (en) * 2019-04-18 2023-03-14 Kyndryl, Inc. Addressing vehicle sensor abnormalities
US11875612B2 (en) 2018-01-22 2024-01-16 Panasonic Intellectual Property Corporation Of America Vehicle monitoring apparatus, fraud detection server, and control methods

Families Citing this family (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6478935B2 (en) * 2016-03-16 2019-03-06 株式会社東芝 Vehicle communication device, roadside communication device, and communication system
JP2019008618A (en) * 2017-06-26 2019-01-17 パナソニックIpマネジメント株式会社 Information processing apparatus, information processing method, and program
JP6808595B2 (en) * 2017-09-01 2021-01-06 クラリオン株式会社 In-vehicle device, incident monitoring method
JP2019092267A (en) * 2017-11-13 2019-06-13 トヨタ自動車株式会社 Control device of electric vehicle
KR101857554B1 (en) * 2017-11-14 2018-05-14 조선대학교산학협력단 External data intrusion detection apparatus and method for vehicles
WO2019142476A1 (en) * 2018-01-22 2019-07-25 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Data analysis device and program
WO2019142456A1 (en) 2018-01-22 2019-07-25 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Abnormality determination device, abnormality detection model creation server, and program
JP7045288B2 (en) * 2018-01-22 2022-03-31 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Data analysis device, data analysis method and program
JP7118757B2 (en) * 2018-01-22 2022-08-16 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Server, program and method
CN108549377A (en) * 2018-04-16 2018-09-18 姜鹏飞 A kind of autonomous driving vehicle
JP6746038B2 (en) * 2018-04-24 2020-08-26 三菱電機株式会社 Attack detection device, attack detection method, and attack detection program
DE102018207661A1 (en) * 2018-05-16 2019-11-21 Zf Friedrichshafen Ag Verification of sensor data
DE102019113818B4 (en) 2018-05-31 2023-03-30 Panasonic Intellectual Property Management Co., Ltd. ELECTRONIC CONTROL DEVICE, MONITORING METHOD, PROGRAM AND GATEWAY DEVICE
JP6519829B1 (en) * 2018-05-31 2019-05-29 パナソニックIpマネジメント株式会社 Electronic control device, monitoring method, program, and gateway device
JP6519830B1 (en) * 2018-05-31 2019-05-29 パナソニックIpマネジメント株式会社 Electronic control device, monitoring method, program, and gateway device
EP3824404A4 (en) * 2018-07-20 2022-04-27 May Mobility, Inc. A multi-perspective system and method for behavioral policy selection by an autonomous agent
JP7033731B2 (en) * 2018-08-22 2022-03-11 パナソニックIpマネジメント株式会社 Servers, vehicles, distributed transaction certification systems and distributed transaction certification methods
JP7122195B2 (en) * 2018-08-30 2022-08-19 ヤフー株式会社 Information processing device, information processing method and information processing program
WO2020065776A1 (en) * 2018-09-26 2020-04-02 日本電気株式会社 Information processing device, control method, and program
US10878701B2 (en) 2018-10-09 2020-12-29 Ford Global Technologies, Llc Detection of attacks on vehicle networks
EP3904835A4 (en) * 2018-12-24 2022-10-05 LG Electronics Inc. Route providing device and route providing method thereof
US10955841B2 (en) 2018-12-28 2021-03-23 At&T Intellectual Property I, L.P. Autonomous vehicle sensor security system
CN109918900B (en) * 2019-01-28 2022-08-16 锦图计算技术(深圳)有限公司 Sensor attack detection method, device, equipment and computer readable storage medium
US10969470B2 (en) 2019-02-15 2021-04-06 May Mobility, Inc. Systems and methods for intelligently calibrating infrastructure devices using onboard sensors of an autonomous agent
US11255680B2 (en) 2019-03-13 2022-02-22 Here Global B.V. Maplets for maintaining and updating a self-healing high definition map
US11096026B2 (en) * 2019-03-13 2021-08-17 Here Global B.V. Road network change detection and local propagation of detected change
US11287267B2 (en) 2019-03-13 2022-03-29 Here Global B.V. Maplets for maintaining and updating a self-healing high definition map
US11402220B2 (en) 2019-03-13 2022-08-02 Here Global B.V. Maplets for maintaining and updating a self-healing high definition map
US11287266B2 (en) 2019-03-13 2022-03-29 Here Global B.V. Maplets for maintaining and updating a self-healing high definition map
US11280622B2 (en) 2019-03-13 2022-03-22 Here Global B.V. Maplets for maintaining and updating a self-healing high definition map
KR20210006143A (en) * 2019-07-08 2021-01-18 현대자동차주식회사 Traffic information service system and method
US20220338015A1 (en) * 2019-09-12 2022-10-20 Nippon Telegraph And Telephone Corporation Authentication system, authentication method and program
US11310269B2 (en) 2019-10-15 2022-04-19 Baidu Usa Llc Methods to detect spoofing attacks on automated driving systems
JP7226248B2 (en) * 2019-10-31 2023-02-21 トヨタ自動車株式会社 Communication device and abnormality determination device
US11352023B2 (en) 2020-07-01 2022-06-07 May Mobility, Inc. Method and system for dynamically curating autonomous vehicle policies
JP7327315B2 (en) * 2020-07-29 2023-08-16 トヨタ自動車株式会社 Abnormality detection method for infrastructure sensor device, and infrastructure sensor system
US20220189294A1 (en) * 2020-12-10 2022-06-16 Argo AI, LLC Data integrity verification and misbehavior detection and reporting of connected vehicles through smart infrastructure
JP2023553980A (en) 2020-12-14 2023-12-26 メイ モビリティー,インコーポレイテッド Autonomous vehicle safety platform system and method
JP2024500672A (en) 2020-12-17 2024-01-10 メイ モビリティー,インコーポレイテッド Method and system for dynamically updating an autonomous agent's environmental representation
US11472436B1 (en) 2021-04-02 2022-10-18 May Mobility, Inc Method and system for operating an autonomous agent with incomplete environmental information
US11565717B2 (en) 2021-06-02 2023-01-31 May Mobility, Inc. Method and system for remote assistance of an autonomous agent
DE102021209134A1 (en) 2021-08-19 2023-02-23 Continental Automotive Technologies GmbH Method and device for validating vehicle-to-X traffic flow control messages
WO2023154568A1 (en) 2022-02-14 2023-08-17 May Mobility, Inc. Method and system for conditional operation of an autonomous agent
CN115333938B (en) * 2022-07-19 2024-03-26 岚图汽车科技有限公司 Vehicle safety protection control method and related equipment

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7603138B2 (en) * 2005-08-22 2009-10-13 Toshiba American Research, Inc. Environmental monitoring using mobile devices and network information server
AU2009211435A1 (en) * 2008-02-04 2009-08-13 Tele Atlas B.V. Method for map matching with sensor detected objects
US8050855B2 (en) * 2008-08-07 2011-11-01 General Motors Llc Method and system for transmitting data to a traffic information server
JP5369627B2 (en) * 2008-11-10 2013-12-18 住友電気工業株式会社 Roadside communication device
JP2010250607A (en) 2009-04-16 2010-11-04 Hitachi Ltd System, method and program for analysis of unauthorized access
US8718861B1 (en) * 2012-04-11 2014-05-06 Google Inc. Determining when to drive autonomously
CN103036874B (en) * 2012-11-28 2015-10-28 大连理工大学 The guard method of prevention data injection attacks in gathering for car networking data
JP5949572B2 (en) * 2013-01-18 2016-07-06 トヨタ自動車株式会社 Vehicle improper state detection method, control method in vehicle system, and system
JP5900390B2 (en) 2013-01-31 2016-04-06 株式会社オートネットワーク技術研究所 Access restriction device, in-vehicle communication system, and communication restriction method
US10057546B2 (en) * 2014-04-10 2018-08-21 Sensormatic Electronics, LLC Systems and methods for automated cloud-based analytics for security and/or surveillance
CN104219309B (en) * 2014-09-04 2018-02-16 江苏大学 Vehicle identity authentication method based on certificate in car networking
US20160221581A1 (en) * 2015-01-29 2016-08-04 GM Global Technology Operations LLC System and method for classifying a road surface
EP3845426A1 (en) * 2015-02-10 2021-07-07 Mobileye Vision Technologies Ltd. Sparse map for autonomous vehicle navigation

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11875612B2 (en) 2018-01-22 2024-01-16 Panasonic Intellectual Property Corporation Of America Vehicle monitoring apparatus, fraud detection server, and control methods
US11603110B2 (en) * 2019-04-18 2023-03-14 Kyndryl, Inc. Addressing vehicle sensor abnormalities
WO2022065546A1 (en) * 2020-09-24 2022-03-31 엘지전자 주식회사 Method for protecting v2x communication in wireless communication system

Also Published As

Publication number Publication date
CN106407806B (en) 2020-04-07
JP6298021B2 (en) 2018-03-20
US20170032671A1 (en) 2017-02-02
CN106407806A (en) 2017-02-15
JP2017033186A (en) 2017-02-09
US10397244B2 (en) 2019-08-27
DE102016114023A1 (en) 2017-04-27

Similar Documents

Publication Publication Date Title
US20190334924A1 (en) System and method for detecting attack when sensor and traffic information are inconsistent
US10932135B2 (en) Context system for providing cyber security for connected vehicles
TWI662252B (en) Roadside detection system, roadside unit and roadside communication method thereof
KR101820658B1 (en) Device and method for c2x communication
EP2743726B1 (en) Methods and systems for assessing trust in a mobile ad hoc network
US10674359B2 (en) Method of authenticating external vehicle and vehicle capable of performing same
KR102099745B1 (en) A device, method, and computer program that generates useful information about the end of a traffic jam through a vehicle-to-vehicle interface
US20190043347A1 (en) Device, method, and computer program for providing traffic jam information via a vehicle-to-vehicle interface
Lim et al. Detecting location spoofing using ADAS sensors in VANETs
US9286798B2 (en) Speeding enforcement method of vehicle using wireless communications
US9299252B2 (en) Method for checking communication messages in vehicle-to-environment communication and suitable receiver
CN114175126A (en) Object classification based on wireless communication
US11094192B2 (en) Method and system for generating and processing safety messages for vehicle-to-everything communication
CN114248799A (en) Vehicle-to-all message misbehavior detection
JP6903598B2 (en) Information processing equipment, information processing methods, information processing programs, and mobiles
US11823554B2 (en) Methods for embedding protected vehicle identifier information in cellular vehicle-to-everything (C-V2X) messages
WO2018092577A1 (en) Object detection device for vehicles and object detection system for vehicles
US20230059220A1 (en) Method and device for validating vehicle-to-x messages in order to regulate the traffic flow
US20230422006A1 (en) Validation of a v2x message
US11613264B2 (en) Transmit-side misbehavior condition management
US20230021487A1 (en) Vehicle-To-Everything (V2X) Participant Type-Based Misbehavior Detection
US11516668B2 (en) Out-of-band authentication for vehicular communications using joint automotive radar communications
EP4301008A1 (en) Communications within an intelligent transport system to improve perception control
Banerjee et al. Vehicle Control in Vehicle to Infrastructure (V2I) Environment
Stübing et al. Facility layer security: Mobility data verification

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general; Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION
STPP Information on status: patent application and granting procedure in general; Free format text: NON FINAL ACTION MAILED
STPP Information on status: patent application and granting procedure in general; Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER
STPP Information on status: patent application and granting procedure in general; Free format text: FINAL REJECTION MAILED
STPP Information on status: patent application and granting procedure in general; Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION
STPP Information on status: patent application and granting procedure in general; Free format text: NON FINAL ACTION MAILED
STPP Information on status: patent application and granting procedure in general; Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER
STPP Information on status: patent application and granting procedure in general; Free format text: FINAL REJECTION COUNTED, NOT YET MAILED
STPP Information on status: patent application and granting procedure in general; Free format text: FINAL REJECTION MAILED
STPP Information on status: patent application and granting procedure in general; Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER
STPP Information on status: patent application and granting procedure in general; Free format text: ADVISORY ACTION MAILED
STPP Information on status: patent application and granting procedure in general; Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION
STPP Information on status: patent application and granting procedure in general; Free format text: NON FINAL ACTION MAILED
STCB Information on status: application discontinuation; Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION