WO2017104096A1

WO2017104096A1 - Security device, network system and attack detection method

Info

Publication number: WO2017104096A1
Application number: PCT/JP2016/004518
Authority: WO
Inventors: 淳一鶴見; 良浩氏家; 中野　稔久; 松島　秀樹; 勇二海上
Original assignee: パナソニックインテレクチュアルプロパティコーポレーションオブアメリカ
Priority date: 2015-12-14
Filing date: 2016-10-07
Publication date: 2017-06-22
Also published as: CN112286763B; CN112286763A

Abstract

A security device 2110 connected to a bus in a vehicle is provided with: a determination unit 2113 which determines whether a predetermined condition for identifying the presence or absence of a probability that a frame received by a reception unit 2111 for receiving the frame from the bus is an attack frame is satisfied or not; an acquisition unit 2114 which performs control such that a determination request is transmitted to an external device 2200 outside the vehicle if the determination unit determines that the predetermined condition is satisfied, and acquires a determination result transmitted from the external device in response to the determination request; and an output unit 2115 which outputs first presentation information if the determination unit determines that the predetermined condition is satisfied, and outputs second presentation information if the acquisition unit acquires the determination result from the external device.

Description

Security device, network system, and attack detection method

This disclosure relates to a technique for detecting an attack frame, which is an unauthorized frame transmitted in a network in which an electronic control unit mounted on a vehicle or the like communicates.

In recent years, many systems called electronic control units (ECUs) are arranged in systems in automobiles. A network connecting these ECUs is called an in-vehicle network. There are many standards for in-vehicle networks. Among them, one of the most mainstream in-vehicle networks is a CAN (Controller Area Network) standard defined by ISO11898-1.

In CAN, the communication path is a bus composed of two wires, and the ECU connected to the bus is called a node. Each node connected to the bus transmits and receives a message called a frame.

In CAN, there is no identifier indicating a transmission destination or a transmission source, a transmission node transmits an ID called a message ID for each frame (that is, sends a signal to a bus), and each reception node has a predetermined ID. Only receive frames (ie read signals from the bus). In addition, a CSMA / CA (Carrier Sense Multiple Access / Collision Avoidance) method is employed, and arbitration is performed using a message ID during simultaneous transmission of a plurality of nodes, and a frame with a small message ID value is preferentially transmitted.

As described above, since the CAN does not verify whether or not the transmission source is correct, an attacker (illegal node) accesses the CAN bus and transmits an unauthorized frame (attack frame). Can be illegally controlled. As a defense technique against such attacks, when a frame is transmitted on the CAN bus, it is determined whether it is an illegally transmitted frame, and an action such as issuing an alarm or blocking an illegal frame is taken. A technique is known (see Patent Document 1).

JP 2015-136107 A

However, the above conventional technique requires further improvement.

A security device according to an aspect of the present disclosure is a security device connected to one or a plurality of buses in a vehicle, the reception unit receiving a frame from one bus, and the reception unit receiving the frame A determination unit that determines whether or not a predetermined condition for distinguishing whether there is a possibility of being an attack frame is satisfied for a frame, and an exterior of the vehicle when the determination unit determines that the predetermined condition is satisfied An acquisition unit that controls a determination request to be transmitted to an external device located in the network and acquires a determination result transmitted from the external device in response to the determination request; and the determination unit that satisfies the predetermined condition A first output information when the determination is made, and an output unit that outputs the second presentation information when the acquisition unit acquires a determination result from the external device. It is the location.

These general or specific aspects may be realized by a recording medium such as an apparatus, a system, an integrated circuit, a computer program, or a computer-readable CD-ROM. The apparatus, system, method, computer program, and You may implement | achieve with arbitrary combinations of a recording medium.

According to the present disclosure, an appropriate notification is made when an attack frame and a suspicious frame are transmitted, so that the driver of the vehicle can receive the notification and respond appropriately.

Note that further effects and advantages of the present disclosure will be apparent from the disclosure of the present specification and drawings. The above-described further effects and advantages may be provided individually by the various embodiments and features disclosed in this specification and the drawings, and not all effects and advantages need to be provided.

1 is a diagram illustrating an overall configuration of a network system according to a first embodiment. 6 is a sequence diagram illustrating an operation example of the network system according to Embodiment 1. FIG. It is a figure which shows the specific example of the content of the flame | frame exchanged by a gateway. It is a block diagram of steering ECU. It is a block diagram of speed notification ECU. It is a block diagram of white line angle notification ECU. It is a block diagram of automatic steering instruction | command ECU. It is a block diagram of head unit ECU. It is a figure which shows an example of the display content table which the display content holding part of head unit ECU hold | maintains. It is a figure which shows the example of a display of the warning notification in head unit ECU. It is a figure which shows the example of a display of a notification without abnormality in head unit ECU. It is a figure which shows the example of a display of the attack detection notification in head unit ECU. It is a figure which shows the example of a display of the stop recommendation in head unit ECU. 2 is a configuration diagram of a gateway according to Embodiment 1. FIG. It is a figure which shows an example of the reception ID list | wrist concerning the flame | frame which a gateway receives. It is a figure which shows an example of the frame format rule used for confirmation whether a gateway is an unauthorized frame. It is a figure which shows an example of the judgment rule used for the necessity judgment of the determination request | requirement to the exterior by a gateway. It is a figure which shows an example of the warning rule which a gateway uses for the necessity determination of a warning. It is a figure which shows an example of the notification rule which a gateway uses for determination of the content of notification. It is a figure which shows an example of the transfer rule which a gateway uses. It is a figure which shows an example of the data value memorize | stored in the state memory | storage part of a gateway. 6 is a flowchart illustrating an example of a frame reception handling process in the gateway according to the first embodiment. 7 is a flowchart illustrating an example of determination result reception handling processing in the gateway according to the first embodiment. It is a block diagram of a server. It is a flowchart which shows an example of the abnormality determination process in a server. It is a flowchart which shows the operation example of a server. FIG. 3 is a diagram illustrating an overall configuration of a network system according to a second embodiment. FIG. 10 is a sequence diagram illustrating an operation example of the network system according to the second embodiment. 6 is a configuration diagram of a gateway according to Embodiment 2. FIG. 10 is a flowchart illustrating an example of a frame reception handling process in the gateway according to the second embodiment. 10 is a flowchart illustrating an example of a determination result reception handling process in the gateway according to the second embodiment. 10 is a flowchart illustrating an operation example corresponding to a determination request in the automobile B. 1 is a schematic configuration diagram of a network system.

(Knowledge that became the basis of this disclosure)
In the technique described in Patent Document 1, when a frame is transmitted on the CAN bus, it is determined whether the frame is transmitted illegally, and an action such as issuing an alarm or blocking the unauthorized frame is taken.

However, if it is suspected that the frame sent to the in-vehicle network bus is an attack frame sent by an attacker trying to illegally control a vehicle such as an automobile, but the frame cannot be determined as an attack frame, the frame is blocked. Not necessarily.

Based on the above considerations, the present inventors have come up with each aspect of the present disclosure.

A security device according to an aspect of the present disclosure is a security device connected to one or a plurality of buses in a vehicle, the reception unit receiving a frame from one bus, and the reception unit receiving the frame A determination unit that determines whether or not a predetermined condition for distinguishing whether there is a possibility of being an attack frame is satisfied for a frame, and an exterior of the vehicle when the determination unit determines that the predetermined condition is satisfied An acquisition unit that controls a determination request to be transmitted to an external device located in the network and acquires a determination result transmitted from the external device in response to the determination request; and the determination unit that satisfies the predetermined condition A first output information when the determination is made, and an output unit that outputs the second presentation information when the acquisition unit acquires a determination result from the external device. It is the location. After performing a determination based on a predetermined condition for discriminating whether there is a possibility of being an attack frame, the security apparatus can determine whether the attack frame is awaiting a determination result by an external apparatus if the predetermined condition is satisfied . It takes a certain time to transmit a determination request to the external device, make the external device perform the determination, and receive the determination result. According to the security device having the above-described configuration, when a predetermined condition is satisfied, that is, when an attack frame and a suspicious frame are transmitted, an appropriate notification is made by outputting the first presentation information, and a certain amount of time has passed. Later, when a determination result by the external device is obtained, appropriate notification is made by outputting the second presentation information. The output of the presentation information is directed to notification (information presentation or the like) to the driver of the vehicle, a passenger or other human beings directly or via a device having a user interface. Accordingly, the vehicle driver or the like can receive the notification and respond appropriately. For example, if an attack frame and a suspicious frame are transmitted and a driver's attention is alerted by a notification based on the first presentation information, the frame can be determined to be an attack frame using an external device. When a notification based on the second presentation information is made, the driver or the like can respond smoothly. For this reason, when a frame that is suspected of being an attack frame is transmitted, adverse effects due to the frame or a frame subsequent to the frame can be reduced.

Also, for example, the vehicle may be equipped with a plurality of electronic control units that exchange frames according to a CAN (Controller Area Network) protocol via the one or more buses. Thereby, when an attack frame is transmitted in an in-vehicle network conforming to CAN for transferring frames between electronic control units (ECUs), it may be possible to appropriately notify in order to reduce the adverse effect of the attack frame. .

Further, for example, the security device may be a gateway device connected to the plurality of buses in the vehicle. As a result, a security device as a gateway device that transfers frames by connecting a plurality of buses can appropriately notify when an attack frame is transmitted to any bus.

In addition, for example, the security device further includes a confirmation unit that confirms whether or not a frame received by the receiving unit from one bus satisfies an illegal condition, and the security device uses the receiving unit to When it is confirmed that the frame received from the bus does not correspond to the illegal condition by the confirmation unit, the frame is transferred to another bus, and the confirmation unit confirms that the illegal condition is satisfied. In the case where the frame is not transferred, and the frame received by the reception unit is confirmed by the confirmation unit to satisfy the illegal condition, the determination unit satisfies the predetermined condition. The output unit outputs the first presentation information when the determination unit determines that the predetermined condition is satisfied. Good. As a result, when it is confirmed that the frame transmitted to one of the buses is an illegal frame (that is, a frame that does not conform to a predetermined rule), the security device as the gateway device transfers the data between the buses. Can be deterred. In addition, if the frame transmitted to one of the buses cannot be determined as an illegal frame, it is determined that the frame may be illegal, that is, an attack frame and a suspicious frame, and the security device transfers the frame. However, since the first presentation information is output at the time of the determination, the driver or the like can be appropriately notified by this output. For example, the driver or the like can quickly know that the vehicle may cause a behavior different from its intention. The driver or the like can drive while paying attention to the behavior of the vehicle.

In addition, for example, when the determination unit determines that the predetermined condition is satisfied, the output unit outputs the first presentation information when the warning condition is satisfied, and when the warning condition is not satisfied The first presentation information may not be output. As a result, even when an suspicious frame is transmitted as an attack frame, it is possible to determine whether or not a warning is necessary from the frame contents or the like. For this reason, it is possible to prevent the output for notification when the adverse effect of the transmitted frame is small, and to prevent confusion by not giving an unnecessary warning to the driver or the like.

Further, for example, when the acquisition unit acquires a determination result from the external device, the output unit satisfies a warning condition among a plurality of different pieces of predetermined information different from the first presentation information. It is good also as outputting the information selected according to whether it is determined and the said determination result as said 2nd information for a presentation. This makes it possible to output appropriate information in view of the necessity of performing a warning when a determination result is obtained from an external device. For this reason, an appropriate notification can be made to the driver or the like based on the determination result by the external device.

For example, the output unit may determine whether or not the warning condition is satisfied based on the contents of one or a plurality of frames received in the past by the receiving unit. As a result, for example, a warning condition can be established such that the frame is satisfied when a frame that makes the vehicle behavior abnormal is received at the present time or in the past within a certain period of time. The notification content can be changed by, for example. That is, with this configuration, for example, in a state where the abnormality has subsided, a notice that does not excessively alert the driver etc. is given, and in a state where the abnormality continues, the driver etc. is advised to stop It may be possible to make a notification.

Further, for example, the determination result from the external device alternatively indicates whether or not the output is normal, and the output unit receives the determination result from the external device when the acquisition unit acquires the first Information selected according to whether or not the determination result indicates normality may be output as the second presentation information among a plurality of predetermined different information different from the presentation information. Thereby, when the determination result by the external device is obtained, the second presentation information based on the determination result different from the first presentation information can be output. Since the presentation information output before and after the determination result by the external device is obtained in this way can be changed, for example, the display is switched on a display or the like that performs display based on the presentation information, and is appropriately applied to the driver or the like. Information can be notified.

Further, for example, the acquisition unit may include an external communication unit that transmits the determination request to the external device and receives a determination result transmitted from the external device in response to the determination request. As a result, the security device can communicate with the external device, so that it is not necessary to provide a communication device with the outside of the vehicle separately from the security device in the vehicle, and for example, communication delay can be reduced.

Further, for example, when the determination unit determines that the predetermined condition is satisfied, the output unit transmits a frame including the first presentation information to one bus in the vehicle, and from the external device When the acquisition unit acquires the determination result, a frame including the second presentation information may be transmitted to the one bus. As a result, the security device transmits the presentation information to the ECU connected to the bus and presents the information through the ECU without having a configuration for presenting (displaying) the presentation information by itself. Notification can be realized by such as.

In addition, for example, the predetermined condition used for determination of a frame by the determination unit includes a reception interval between the same type preceding frame received by the reception unit and having the same ID as the frame, and the frame, The difference between the data content of the frame and the data content of the same type preceding frame, and the content of the different type preceding frame received by the receiving unit having an ID different from that of the frame and the content of the frame It is good also as conditions regarding at least 1 among correlation. Thereby, the security device can appropriately determine whether or not the frame transmitted to the bus is suspected of being an attack frame.

A network system according to an aspect of the present disclosure includes the security device described above, the external device, the vehicle on which the communication device that communicates with the external device is mounted, the one or more buses, and the 1 A network system including a plurality of electronic control units mounted on the vehicle, which exchanges frames via one or a plurality of buses. Thereby, when an attack frame and a suspicious frame are transmitted in an in-vehicle network composed of a plurality of electronic control units (ECUs), an appropriate notification is made by outputting the first presentation information, and after a certain period of time has passed. When a determination result is obtained by an external device located outside the vehicle, appropriate notification is made by outputting the second presentation information. For this reason, when a frame that is suspected of being an attack frame is transmitted, adverse effects due to the frame or a frame subsequent to the frame can be reduced.

Also, for example, one of the plurality of electronic control units is a predetermined electronic control unit having an information presentation function, and the output unit is configured to output the predetermined electronic when the determination unit determines that the predetermined condition is satisfied. When the frame including the first presentation information is transmitted to the bus to which the control unit is connected, and the acquisition unit acquires the determination result from the external device, the bus to which the predetermined electronic control unit is connected When the frame including the second presentation information is transmitted, the predetermined electronic control unit presents the first presentation information when receiving the frame including the first presentation information, and the second presentation information The second presentation information may be presented when a frame including is received. As a result, when an suspicious frame is transmitted as an attack frame in the in-vehicle network, the predetermined electronic control unit (predetermined ECU) having the information presentation function makes an appropriate notification (presentation of information).

In addition, for example, the vehicle includes a notification device that notifies the outside of the vehicle, and the first presentation information includes control information for causing the notification device to perform notification, and the output The output of the first presentation information by the unit may include transmission of the first presentation information to the notification device. The notification device may be, for example, a siren, an emergency flashing indicator lamp (hazard lamp), or the like. Thereby, when an attack frame and a suspicious frame are transmitted to the bus of the vehicle, for example, it may be possible to call attention to other vehicles traveling around the vehicle.

Further, for example, the communication device transmits log information regarding each frame received by the reception unit of the security device to the external device, and the acquisition unit of the security device transmits the external information via the communication device. The determination request is transmitted to a device, and a determination result transmitted from the external device in response to the determination request is received via the communication device. When the external device receives the determination request, the log is The determination result may be transmitted to the communication device by determining whether an attack frame is transmitted in the vehicle based on the information. As a result, the external device can accumulate log information about the frame, and can analyze the accumulated log information and make an appropriate determination. Even in the determination using the frame information, the external device may be able to determine that the vehicle cannot be determined. For example, when a vehicle cannot store a relatively large amount of log information, or when there is no log information in a vehicle other than the vehicle, the external device collects a large amount of log information from a plurality of vehicles. It may be possible.

Further, for example, the external device transmits the determination result to the communication device by observing the operation of the vehicle from the outside of the vehicle and determining whether the operation of the vehicle is normal. Also good. Thus, the external device can determine whether or not the operation of the vehicle is normal by determining that the vehicle cannot determine. In the vehicle, it is possible to appropriately determine whether or not an attack is made using the determination result of the external device. Accordingly, when an attack frame and a suspicious frame are transmitted in the vehicle, appropriate notification can be made by the vehicle.

Also, for example, the external device may be another vehicle located around the vehicle when the determination unit determines that the predetermined condition is satisfied. As a result, when a suspicious frame and a suspicious frame are transmitted in the vehicle, the vehicle can make an appropriate notification by making a determination request to other surrounding vehicles and obtaining a determination result.

An attack detection method according to an aspect of the present disclosure is an attack detection method used in an in-vehicle network system in which a plurality of electronic control units exchange frames via one or a plurality of buses. A receiving step for receiving a frame, a determination step for determining whether or not a predetermined condition for distinguishing the possibility of being an attack frame is satisfied for the frame received in the receiving step, and the predetermined condition A first presentation step for presenting first presentation information when determined in the determination step when satisfied, and an external located outside the vehicle when determined in the determination step when the predetermined condition is satisfied Control so that a determination request is transmitted to the device, and acquire a determination result transmitted from the external device in response to the determination request And resulting step is attack detecting method and a second presentation step of presenting a second presentation information when the determination result from the external device obtained by the obtaining step. As a result, when an attack frame and a suspicious frame are transmitted to the bus in an in-vehicle network system including a plurality of electronic control units (ECUs) in the vehicle, the first presentation information is presented, and a certain amount of time has passed. The second presentation information is presented at a stage where a determination result obtained by an external device located outside the vehicle is obtained later. A driver or the like of the vehicle can recognize the first presentation information and the second presentation information. For this reason, when a frame that is suspected of being an attack frame is transmitted, adverse effects due to the frame or a frame subsequent to the frame can be reduced.

These general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a computer-readable recording medium such as a CD-ROM. The system, method, integrated circuit, computer You may implement | achieve with arbitrary combinations of a program or a recording medium.

Hereinafter, a network system including a gateway device as an example of a security device according to an embodiment will be described with reference to the drawings. Each of the embodiments shown here shows a specific example of the present disclosure. Therefore, numerical values, components, arrangement and connection forms of components, and steps (processes) and order of steps shown in the following embodiments are merely examples, and do not limit the present disclosure. Among the constituent elements in the following embodiments, constituent elements that are not described in the independent claims can be arbitrarily added. Each figure is a mimetic diagram and is not necessarily illustrated strictly.

(Embodiment 1)
Hereinafter, a gateway as a security device in an in-vehicle network (in-vehicle network system) in which a plurality of electronic control units (ECUs) mounted on a vehicle communicate via a bus, a network system including the vehicle and an external device, and An attack detection method used in the network system will be described. The attack detection method detects that an attack frame (including a frame that is suspected) is transmitted on a bus used for communication between ECUs mounted on a vehicle, and responds to the detection result. This is a method of outputting for notification. A security device (for example, a gateway device) in an in-vehicle network mounted on a vehicle is a device having at least a function for detecting an attack related to an attack detection method.

Here, when it is determined that the frame transmitted to the bus in the car may be an illegal frame (attack frame) and that the car may cause the driver's unintended operation. The notification content is determined according to the behavior of the vehicle when it is possible to determine whether it is an attack frame by receiving the determination result from the server outside the vehicle quickly. The network system will be described focusing on the gateway device that notifies the driver.

[1.1 Overall Configuration of Network System 100]
FIG. 1 is a diagram showing an overall configuration of a network system 100 according to the present embodiment.

The network system 100 includes an automobile 500 and a server 400, and a network 10 serving as a communication path between the automobile 500 and the server 400. The network 10 can include the Internet or the like.

The automobile 500 includes a plurality of electronic control units (ECUs) that are connected to various devices such as in-vehicle control devices, sensors, actuators, user interface devices, etc., and perform communication related to frames via the in-vehicle bus. Equipped with an in-vehicle network. In the in-vehicle network in the automobile 500, each ECU performs communication according to the CAN protocol. Frames in the CAN protocol include a data frame, a remote frame, an overload frame, and an error frame. Here, description will be given mainly focusing on the data frame. In CAN, a data frame is defined to include an ID field for storing an ID (message ID), a DLC (Data Length Code) indicating a data length, a data field for storing data, and the like.

Specifically, as shown in FIG. 1, the in-vehicle network includes a CAN bus A101, a CAN bus B102, and a CAN bus C103 mounted on the automobile 500. A steering ECU 200, a speed notification ECU 210, a white line angle notification ECU 220, and a gateway 300 are connected to the CAN bus A101. An automatic steering instruction ECU 230 and a gateway 300 are connected to the CAN bus B102. The head unit ECU 240 and the gateway 300 are connected to the CAN bus C103. The in-vehicle network may include a number of ECUs other than the ECU shown in FIG. 1, but here, for convenience, the gateway 300, the steering ECU 200, the speed notification ECU 210, the white line angle notification ECU 220, the automatic steering instruction ECU 230, The description will be made with attention paid to the head unit ECU 240. The gateway 300 is also a kind of ECU. The ECU is a device including, for example, a processor (microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like. The memory is ROM, RAM, or the like, and can store a control program (computer program as software) executed by the processor. For example, when the processor operates according to a control program (computer program), the ECU realizes various functions. The computer program is configured by combining a plurality of instruction codes indicating instructions for the processor in order to achieve a predetermined function. Note that the gateway 300 includes a communication device (communication circuit or the like) for communicating with the server 400 outside the automobile 500.

Steering ECU 200, speed notification ECU 210, and white line angle notification ECU 220 acquire the state of each connected device (sensor, etc.), and periodically display a frame (data frame) indicating the state on CAN bus (CAN buses A to C). Any). The gateway 300 transfers data frames between buses. When the automatic steering instruction ECU 230 receives the frame related to the angle of the white line transmitted by the white line angle notification ECU 220, the automatic steering instruction ECU 230 causes the steering ECU 200 to perform the next steering operation in order to adjust the car 500 to travel along the white line. A frame for indicating an angle is transmitted to the CAN bus B102.

The gateway (gateway device) 300 confirms the received frame ID based on the received reception ID list (message ID list), and performs frame filtering. The gateway 300 has a function for detecting an attack by monitoring a frame flowing through the bus, and transmits log information extracted from the received frame to the server 400. In addition, the gateway 300 may be a frame that is suspected of being illegally transmitted based on whether or not the received frame satisfies a determination condition relating to a reception period, a change amount of data in the frame, and the like that are predetermined for each ID. In other words, it is determined whether or not the frame is an attack frame and a suspicious frame. If it is determined that the attack frame is a suspicious frame, the server 400 is requested (requested) for determination.

The gateway 300 receives an attack frame and a suspicious frame from the CAN bus B102, for example, and is controlled by, for example, the steering ECU 200 by the transfer of the frame, so that the automobile 500 can cause an unintended operation of the driver. If it is determined based on a predetermined warning condition, the head unit ECU 240 is instructed to give a warning (such as a display for notifying the driver of the warning), and then the frame is sent to the CAN bus A101. Perform the transfer.

The server 400 that has received the determination request (determination request) from the gateway 300 uses the log information that has been received and accumulated so far to determine whether the frame related to the determination request is normal or abnormal based on the reception cycle or the like. And the determination result is returned to the gateway 300. The gateway 300 determines the notification content to the driver and instructs the head unit ECU 240 according to the determination result from the server 400 and the current state of the automobile 500 (steering angle, speed of the automobile 500, etc.). . In response to an instruction from the gateway 300, the head unit ECU 240 performs notification on, for example, a display provided on the instrument panel or the like (switches the display informing the driver). FIG. 2 shows an operation example of such a network system 100. Details of the operation will be described later.

[1.2 ECU]
Here, the configuration of each ECU and the contents of the generated frame will be described. In addition, about the same component between ECU, the same code | symbol is added and description is abbreviate | omitted suitably.

Steering ECU 200 periodically transmits ID1 frames at a period of 10 ms. Here, ID 1 is represented as ID1, and

IDs

2, 3, 4, and 5 are represented as ID2, ID3, ID4, and ID5, respectively. The period of 10 ms is an example, and an arbitrary value may be determined and transmitted. The frame of ID1 includes data indicating the steering angle (current steering angle). When the steering ECU 200 receives the ID4 frame transmitted from the automatic steering instruction ECU 230, the steering ECU 200 controls the steering angle in accordance with the steering instruction angle of the steering indicated by the data in the frame.

Speed notification ECU 210 periodically transmits ID2 frames at a period of 10 ms. The frame of ID2 includes data indicating the current vehicle speed.

The white line angle notification ECU 220 periodically transmits the frame of ID3 at a cycle of 10 ms. The frame of ID3 includes data indicating a white line angle (that is, an angle difference between the traveling direction which is the vehicle body longitudinal direction and the white line).

The automatic steering instruction ECU 230 periodically transmits an ID4 frame at a cycle of 10 ms. The frame of ID4 includes data indicating an automatic steering angle (that is, the angle of the next steering).

When the head unit ECU 240 receives the frame of ID5 transmitted from the gateway 300, the head unit ECU 240 switches the display content on the display on the instrument panel or the like, for example, according to the display content indicated by the data in the frame.

[1.2.1 Frames generated by each ECU]
FIG. 3 is a diagram illustrating an example of a frame (data frame) generated by each ECU. The value of DLC is predetermined for each ID. The contents indicated by the data in the data field are determined in advance for each ID. The specification of this data or the like is not defined by the CAN protocol, and is, for example, a specification that depends on the type of vehicle 500, the manufacturer (manufacturer), and the like.

Here, the frame of ID1 indicates the current steering angle of the automobile 500, and DLC is 2. In FIG. 3, the data is expressed in hexadecimal, and one digit of the data indicates a value corresponding to 4 bits. The data of the frame of ID1 indicates whether the steering is currently turning left or right at the first digit. 0 means left, 1 means right. The steering angle when the tire is aligned with the longitudinal direction of the vehicle is assumed to be 0 degree, and 0 to 360 degrees are represented in the last three digits of the data. The frame of ID2 indicates the current speed of the automobile 500, and the DLC is 2. The data represents the current speed with two digits. The frame of ID3 indicates a white line angle as an angle difference between the traveling direction of the automobile 500 and the white line direction of the road surface, and DLC is 2. The way of representing the data of the frame of ID3 is the same as that of the frame of ID1. A frame of ID4 is a frame of an automatic steering instruction (instruction for automatically controlling steering), and indicates an automatic steering angle of the automobile 500, and DLC is 2. The method of representing the data of the ID4 frame is the same as that of the ID1 frame. The frame of ID5 indicates a number (display switching signal) that designates display contents used for display switching in the head unit ECU 240, and DLC is 1. The data of the frame of ID5 is 2 digits and designates display contents. Specific display contents (screen display) and numbers for specifying the display contents will be described later with reference to FIGS.

[1.2.2 Steering ECU]
FIG. 4 is a configuration diagram of the steering ECU 200. As shown in the figure, the steering ECU 200 includes a frame transmission / reception unit 201, a frame interpretation unit 202, a reception ID determination unit 203, a reception ID list holding unit 209, a frame generation unit 208, a control unit 205, an automatic A steering motor 206 and a steering sensor 207 are included.

When the frame transmitting / receiving unit 201 receives a frame from the connected CAN bus, the frame transmitting / receiving unit 201 sends the frame to the frame interpreting unit 202. When the frame generated by the frame generating unit 208 is received, the frame transmitting / receiving unit 201 transmits the received frame to the connected CAN bus. Send to.

The frame interpretation unit 202 distinguishes and extracts each of ID, DLC, and data from the frame received from the frame transmission / reception unit 201, and sends the ID to the reception ID determination unit 203. The frame interpretation unit 202 sends the ID, DLC, and data to the control unit 205 when receiving the result from the reception ID determination unit 203 that the ID is to be received, and receives the result that the ID is not to be received. Discard.

Upon receiving the ID from the frame interpretation unit 202, the reception ID determination unit 203 determines whether the ID should be received based on the reception ID list held by the reception ID list holding unit 209, and the result is determined by the frame interpretation unit 202. Return to.

The reception ID list holding unit 209 holds a reception ID list used by the reception ID determination unit 203 to determine whether or not the ID is to be received. The steering ECU 200 holds a reception ID list for receiving an ID4 frame indicating an automatic steering angle.

The control unit 205 confirms the ID of the received frame, and if the frame is an automatic steering instruction frame (ID4 frame), the control unit 205 refers to the current steering angle obtained from the steering sensor 207 and performs automatic steering. The motor 206 is controlled.

The automatic steering motor 206 operates the steering in response to an instruction from the control unit 205.

Steering sensor 207 acquires the steering angle of automobile 500 at a cycle of 1 degree every 10 ms, and transmits it to control unit 205 and frame generation unit 208.

The frame generation unit 208 generates an ID1 frame including data indicating the steering angle of the automobile 500 transmitted from the steering sensor 207 every 10 ms, and sends the frame to the frame transmission / reception unit 201.

[1.2.3 Speed notification ECU]
FIG. 5 is a configuration diagram of the speed notification ECU 210. The speed notification ECU 210 includes a frame transmission / reception unit 201, a frame generation unit 218, and a speed sensor 211, as shown in FIG.

The speed sensor 211 transmits the speed of the automobile 500 to the frame generation unit 218 at a cycle of once every 10 ms.

The frame generation unit 218 generates an ID2 frame including data indicating the speed of the automobile 500 transmitted from the speed sensor 211 every 10 ms, and sends the frame to the frame transmission / reception unit 201.

When the frame transmission / reception unit 201 receives the frame generated by the frame generation unit 218, the frame transmission / reception unit 201 transmits the received frame to the connected CAN bus.

[1.2.4 White line angle notification ECU]
FIG. 6 is a configuration diagram of the white line angle notification ECU 220. The white line angle notification ECU 220 includes a frame transmission / reception unit 201, a frame generation unit 228, and a white line angle detection sensor 221 as shown in FIG.

The white line angle detection sensor 221 transmits the angle difference between the traveling direction which is the front-rear direction of the body of the automobile 500 and the white line on the road surface to the frame generation unit 228 at a constant cycle.

The frame generation unit 228 generates an ID3 frame including data indicating the angle difference between the automobile 500 and the white line transmitted from the white line angle detection sensor 221 every 10 ms, and sends the frame to the frame transmission / reception unit 201.

When the frame transmission / reception unit 201 receives the frame generated by the frame generation unit 228, the frame transmission / reception unit 201 transmits the received frame to the connected CAN bus.

[1.2.5 Automatic steering instruction ECU]
FIG. 7 is a configuration diagram of the automatic steering instruction ECU 230. As shown in the figure, the automatic steering instruction ECU 230 includes a frame transmission / reception unit 201, a frame interpretation unit 202, a reception ID determination unit 203, a reception ID list holding unit 239, a frame generation unit 238, and a control unit 231. It is comprised including.

The reception ID list holding unit 239 determines that the reception ID determination unit 203 receives the ID1 frame indicating the steering angle from the steering ECU 200 and the ID3 frame indicating the white line angle from the white line angle notification ECU 220. Therefore, a reception ID list including ID1 and ID3 is held.

Of the frames received from the frame interpretation unit 202, the control unit 231 controls the steering angle indicated by the data of the frame ID1 and the white line angle indicated by the data of the frame ID3 (the direction of travel of the automobile 500 and the direction of the white line on the road surface). The angle of the next steering is determined and instructed based on the difference in angle). For example, when the white line angle (angle difference) is 10 degrees to the left, for example, the next steering angle is determined to be 10 degrees to the left, and a frame that indicates the determined angle is generated in the frame generation unit 238. Let

The frame generation unit 238 generates an ID4 frame including data indicating the angle (automatic steering angle) determined by the control unit 231 every 10 ms, and sends the frame to the frame transmission / reception unit 201.

[1.2.6 Head unit ECU]
The head unit ECU 240 can cause the driver to recognize information by performing various displays on a display that includes a function such as car navigation and is provided on an instrument panel or the like.

FIG. 8 is a configuration diagram of the head unit ECU 240. As shown in the figure, the head unit ECU 240 includes a frame transmission / reception unit 201, a frame interpretation unit 202, a reception ID determination unit 203, a reception ID list holding unit 249, a display unit 241, and a display content holding unit 241a. Consists of including.

The reception ID list holding unit 249 holds a reception ID list including ID 5 in order to cause the reception ID determination unit 203 to determine that the frame of ID 5 indicating the display switching signal from the gateway 300 is received.

The display unit 241 has a function of performing various displays on the display screen, and is displayed when an ID5 frame indicating a number (display switching signal) corresponding to the display content from the gateway 300 is received by the frame transmission / reception unit 201. The display content is specified based on the display content table held by the content holding unit 241a, and the display on the display screen is switched.

The display content holding unit 241a stores a display content table.

FIG. 9 is a diagram illustrating an example of a display content table stored in the display content holding unit 241a. In the display content table, the number (display switching signal) indicated by the data of the frame of ID5 received from the gateway 300 is associated with the display content. With this display content table, when the number indicated by the received ID5 frame data is 1, the display unit 241 displays the display content (such as a message indicating that there is no abnormality) on the display. To do. In addition, when the number indicated by the received ID5 frame data is 2, the display unit 241 displays a display content as a warning notification (a message not intended by the driver, a message that calls attention to the operation of the automobile 500, etc.). Show on the display. In addition, when the number indicated by the received ID5 frame data is 3, the display unit 241 displays the display content as an attack detection notification (a message indicating that the attack frame has been transmitted in the in-vehicle network, etc.) ) Appears on the display. When the number indicated by the received ID5 frame data is 4, the display unit 241 displays the display content (such as a message recommending that the automobile 500 be stopped) on the display as a stop recommendation.

Hereinafter, specific screen display examples by the display unit 241 will be described with reference to FIGS.

FIG. 10 shows a display example of a warning notification in the head unit ECU 240. It is assumed that the screen 242a indicating the position of the automobile 500 on the road map by the car navigation function is displayed on the display by the head unit ECU 240. In this state, when the head unit ECU 240 receives an ID5 frame including data with the number 2, the head unit ECU 240 displays a screen 242b related to the warning notification on the display. The frame of ID5 including the data with the number 2 is transmitted to the CAN bus C103 when a frame that may cause an operation of the automobile 500 not intended by the driver is transferred from the gateway 300 between the CAN buses.

FIG. 11 shows a display example of a notification of no abnormality in the head unit ECU 240. After the head unit ECU 240 displays the above-described screen 242b on the display and receives an ID5 frame including data with the number 1, the head unit ECU 240 displays a screen 242c related to the notification of no abnormality on the display. The frame of ID5 including data with the number 1 is transmitted from the gateway 300 to the CAN bus C103 when it is determined that the attack frame has not been transmitted based on the determination result in the server 400.

FIG. 12 shows a display example of the attack detection notification in the head unit ECU 240. After the head unit ECU 240 displays the above-described screen 242b on the display and then receives an ID5 frame including data with the number 3, the head unit ECU 240 displays the screen 242d related to the attack detection notification on the display. It is determined that the attack frame has been transmitted from the gateway 300 based on the determination result of the server 400, and the operation unintended by the driver in the automobile 500 is currently performed on the frame of ID5 including the data with the number 3 When it is confirmed that it has not occurred, it is transmitted to the CAN bus C103.

FIG. 13 shows a display example of a stop recommendation in the head unit ECU 240. After the head unit ECU 240 displays the above-described screen 242b on the display and receives an ID5 frame including data with the number 4, the head unit ECU 240 displays a screen 242e related to the stop recommendation on the display. The frame of ID5 including the data with the number 4 is determined that the attack frame has been transmitted from the gateway 300 based on the determination result in the server 400, and the operation unintended by the driver in the automobile 500 is still present. It is transmitted to the CAN bus C103 when it is confirmed that it is happening.

[1.3 Gateway]
FIG. 14 is a configuration diagram of the gateway 300. In the figure, a server 400 is added. The gateway 300 performs a frame transfer function between the buses, and also functions as a security device having a function for detecting an attack. Therefore, as shown in FIG. 14, the gateway 300 includes a frame transmission / reception unit 301, a frame interpretation unit 302, an external communication unit 303, a reception ID determination unit 302a, a reception ID list holding unit 302b, and a confirmation unit 305. A format rule storage unit 305a, a determination unit 306, a determination rule storage unit 306a, a notification unit 307, a warning rule storage unit 307a, a state storage unit 307b, a notification rule storage unit 307c, and a transfer unit 308. A transfer rule holding unit 308a and a frame generation unit 304 are included. Each of these components is realized by a communication circuit in the gateway 300, a processor that executes a control program stored in a memory, a digital circuit, or the like.

When the frame transmission / reception unit 301 receives a frame from any of the CAN bus A101, the CAN bus B102, and the CAN bus C103, the frame transmission / reception unit 301 transmits the frame to the frame interpretation unit 302. In addition, when the frame transmission / reception unit 301 receives the frame generated by the frame generation unit 304, the frame transmission / reception unit 301 transmits the received frame to the bus determined by the transfer unit 308.

The frame interpretation unit 302 distinguishes and extracts each of ID, DLC, and data from the frame received from the frame transmission / reception unit 301, sends the ID, DLC, and data to the external communication unit 303, and sends the ID to the reception ID determination unit 302a. send. When the frame interpretation unit 302 receives the result indicating that the ID is to be received from the reception ID determination unit 302a, the frame interpretation unit 302 sends the ID, DLC, and data to the confirmation unit 305 and the state storage unit 307b, and determines that the ID is not to be received. When received, the frame is discarded.

The state storage unit 307b receives the ID, DLC, and data from the frame interpretation unit 302, and stores the ID and data. The state storage unit 307b can store, for example, data for a plurality of times (for example, twice) received in the past for each ID in a storage medium such as a memory. The data stored in the state storage unit 307b is referred to in order to know the current state of the automobile 500 in the notification unit 307. A specific example of the data stored in the state storage unit 307b will be described later with reference to FIG.

The external communication unit 303 can function as a communication device. When receiving the ID, DLC, and data from the frame interpretation unit 302, the external communication unit 303 transmits this to the server 400 as log information. When receiving a determination request (determination request) from the determination unit 306, the determination request is transmitted to the server 400. The determination request includes information indicating the communication address of the gateway 300, for example. When the determination result corresponding to the determination request is received from the server 400, the determination result is transmitted to the notification unit 307.

When receiving the ID from the frame interpretation unit 302, the reception ID determination unit 302a determines whether or not the ID should be received based on the reception ID list held by the reception ID list holding unit 302b, and the result is the frame interpretation unit 302. Return to.

The reception ID list holding unit 302b holds a reception ID list used to determine whether or not the reception ID determination unit 302a is an ID to be received. The received ID list will be described later with reference to FIG.

When the confirmation unit 305 receives the ID, DLC, and data from the frame interpretation unit 302, the confirmation unit 305 confirms (determines) whether the ID, DLC, and data are illegal based on the format rule held by the format rule holding unit 305a. When the confirmation unit 305 determines that the received ID, DLC, and data are not invalid, the confirmation unit 305 sends the ID, DLC, and data to the determination unit 306. In other cases, the confirmation unit 305 transmits the ID, DLC, and data to the determination unit 306. Discard without communicating.

The format rule holding unit 305a holds a format rule serving as a reference for determining (confirming) whether or not the received ID, DLC, and data are legitimate in the checking unit 305. It can be said that the format rule defines an illegal condition that an illegal frame satisfies. Frames confirmed by the confirmation unit 305 as not satisfying the illegal condition are transferred between the buses in the gateway 300, and frames confirmed by the confirmation unit 305 as satisfying the illegal condition are not transferred (discarded). become. The format rule will be described later with reference to FIG.

When the determination unit 306 receives the ID, DLC, and data from the confirmation unit 305, the determination unit 306 should make a determination request to the server 400 based on whether or not a predetermined condition indicated by the determination rule held in the determination rule holding unit 306a is satisfied. (That is, whether the frame related to the ID, DLC, and data is a suspicious frame as an attack frame). When the determination unit 306 determines that the server 400 should make a determination request, the determination request is sent to the external communication unit 303, and when the determination request is sent, the ID, DLC, and data are sent to the notification unit 307. If the determination unit 306 does not determine that a determination request should be made to the server 400 (that is, if the corresponding frame is not determined to be a suspicious frame as an attack frame), the transfer unit transmits the ID, DLC, and data. Send to 308.

The determination rule holding unit 306a determines whether the determination unit 306 determines whether the frame related to the received ID, DLC, and data is a suspicious frame as an attack frame (whether to make a determination request to the server) (predetermined) A determination rule indicating (condition) is held. The determination rule will be described later with reference to FIG.

When the notification unit 307 receives the ID, DLC, and data from the determination unit 306, the notification unit 307 transfers the frame received by the gateway 300 based on whether or not the warning condition indicated by the warning rule held in the warning rule holding unit 307a is satisfied. By doing so, it is determined whether or not the automobile 500 may cause an operation unintended by the driver. When the notification unit 307 determines that there is a possibility of causing an unintended operation by the driver (that is, when it is determined that the warning condition is satisfied), a number (notification switching signal) that instructs the head unit ECU 240 to issue a warning notification is displayed. The information for generating the indicated ID5 frame and the received ID, DLC, and data are sent to the transfer unit 308. If the notification unit 307 determines that there is no possibility of causing an unintended operation by the driver (that is, determines that the warning condition is not satisfied), the notification unit 307 sends the received ID, DLC, and data to the transfer unit 308. . In addition, when the notification unit 307 receives the determination result received from the server 400 from the external communication unit 303, the notification unit 307 refers to the state storage unit 307b for the current state of the automobile 500, and whether the warning condition indicated by the warning rule is satisfied. Based on whether or not, a number related to the notification content is determined according to the notification rule, and information for generating a frame of ID5 indicating a number (notification switching signal) instructing the notification content to the head unit ECU 240 is transmitted to the transfer unit 308. send.

In the notification unit 307, the warning rule holding unit 307a transfers the received ID, DLC, and data-related frames to determine whether the automobile 500 may cause an operation unintended by the driver, or When the determination result from the server 400 is received, a warning rule indicating a warning condition for determining whether or not the automobile 500 is in a state that may cause an operation unintended by the driver is held. The warning rule will be described later with reference to FIG.

The notification rule holding unit 307c holds a notification rule serving as a reference for determining notification contents from the determination result from the server 400 received by the notification unit 307 and the current state of the automobile 500. The notification rule will be described later with reference to FIG.

Upon receiving the ID, DLC, and data from the determination unit 306 or the notification unit 307, the transfer unit 308 receives an instruction to transmit to the bus determined for each ID based on the transfer rule held in the transfer rule holding unit 308a, and the reception The generated ID, DLC, and frame generation instruction corresponding to the data are sent to the frame generation unit 304. When the information for generating the ID5 frame related to the instruction to the head unit ECU 240 is received from the notification unit 307, the instruction to transmit to the CAN bus C103 and the generation instruction of the ID5 frame are sent to the frame generation unit 304. send.

The transfer rule holding unit 308a holds a transfer rule indicating to which bus the ID received by the transfer unit 308 should be transmitted. The transfer rule will be described later with reference to FIG.

The frame generation unit 304 generates a frame in response to the frame generation instruction received from the transfer unit 308, and sends the generated frame and an instruction to transmit to the designated bus to the frame transmission / reception unit 301.

[1.3.1 Reception ID List at Gateway]
FIG. 15 is a diagram illustrating an example of the reception ID list. The reception ID list indicates IDs of receivable frames for each bus (CAN bus A101, CAN bus B102, and CAN bus C103) to which the gateway 300 is connected. When the gateway 300 receives a frame having an ID not shown in the reception ID list, the gateway 300 discards the frame (the frame is not transferred between the buses).

15 shows that the IDs of the frames that can be received from the CAN bus A101 are 1, 2, and 3 and the ID of the frame that can be received from the CAN bus B102 is 4.

[1.3.2 Format rules]
FIG. 16 is a diagram illustrating an example of a format rule. The format rule defines the range of values indicated by the DLC of the regular frame and the data in the data field for each frame ID. The gateway 300 determines whether the frame is a legitimate frame (an illegal frame) according to the format rule, and discards the frame when the illegal frame is received (the frame is not transferred between the buses). .

According to the format rule in the example of FIG. 16, the gateway 300 has a frame in which the DLC is 2 for the frame of ID1 and the range of the steering angle value indicated by the data in the data field is −360 to 360. Are determined to be regular frames, and other frames are determined to be illegal frames.

[1.3.3 Judgment rules]
FIG. 17 is a diagram illustrating an example of a determination rule. The determination rule indicates a predetermined condition for determining whether or not the received frame is a suspicious frame as an attack frame (that is, whether or not a determination request should be made to the server 400). The determination rule in the example of FIG. 17 indicates, for each frame ID, a threshold value of an absolute value of a change amount of a value indicated by data in the data field, a period defined for the frame, and the like. The absolute value threshold of the change amount is the upper limit of the absolute value of the difference between the value indicated by the data field data of the received frame and the value indicated by the data field data of the previously received frame having the same ID as that frame. is there. For example, when this upper limit is exceeded, the predetermined condition is satisfied, and it is determined that the received frame is a suspicious frame as an attack frame (that is, determination by an external device located outside the automobile 500 is necessary). That is, the gateway 300 determines that the received frame is a suspicious frame as an attack frame when the change amount of the received frame exceeds the upper limit in relation to the previously received frame, and sends a determination request to the server 400. Send. Also, the prescribed cycle for a frame is a reference (a prescribed cycle) regarding the reception interval between the received frame and the previously received frame having the same ID as that frame. For example, when a predetermined margin (for example, plus or minus 1 ms, etc.) deviates from this standard, the predetermined condition is satisfied, and it is determined that the received frame is a suspicious frame as an attack frame (that is, an external located outside the automobile 500). It is determined that determination by the device is necessary). That is, the gateway 300 determines that the received frame is a suspicious frame as an attack frame when the reception interval between the received frame and the previously received frame deviates from a predetermined margin range from the reference. A determination request is transmitted to 400.

According to the determination rule in the example of FIG. 17, the gateway 300 determines whether the absolute value of the change amount has exceeded 200 in the update from the previous time, or the ID1 frame indicates the steering angle indicated by the ID1 frame data. Specified period 10 ms-a frame that is suspected of being illegally transmitted (attack frame and suspicious frame) when it is received at a reception interval shorter than the predetermined margin, or at a reception interval longer than the predetermined period 10 ms + predetermined margin. Determine (that is, determine that determination by the external server 400 is necessary). Note that the gateway 300 can store the reception time of the received frame for each ID in order to specify the reception interval.

[1.3.4 Warning rules]
FIG. 18 is a diagram illustrating an example of a warning rule. The warning rule indicates a warning condition for determining whether or not the automobile 500 is in a state that may cause an operation not intended by the driver. The warning rule in the example of FIG. 18 indicates a threshold value of an absolute value of a change amount of a value indicated by data in the data field for each frame ID. The threshold value of the absolute value of the change amount is the upper limit of the absolute value of the difference between the value updated by the frame and the value before the update. For example, when this upper limit is exceeded, it is determined that the warning condition is satisfied and the automobile 500 is in a state that may cause an operation unintended by the driver. That is, when the gateway 300 receives a frame and the change amount of the received frame exceeds the upper limit in relation to the previously received frame, the automobile 500 may cause an operation unintended by the driver. It is determined that the frame is in the state, and the frame of ID5 is transmitted to the head unit ECU 240. Also, when the gateway 300 receives the determination result from the server 400, for example, whether the change amount exceeds the upper limit with respect to the last received frame stored in the state storage unit 307b in relation to the previously received frame. It is determined whether or not the vehicle 500 is in a state that may cause an operation unintended by the driver, and the notification content is determined according to the determination and the frame of ID5 is transmitted to the head unit ECU 240. Will do.

According to the warning rule in the example of FIG. 18, the gateway 300 determines whether the absolute value of the change amount exceeds 90 in the data of the frame of ID1 indicating the steering angle or the speed of the vehicle is updated from the previous time. When the absolute value of the change amount exceeds 50 in the data of the frame of ID2 shown, it is determined that the vehicle 500 is in a state that may cause an operation that is not intended by the driver.

[1.3.5 Notification rule]
FIG. 19 shows an example of a notification rule serving as a reference for determining the notification content to be instructed to the head unit ECU 240. In the notification rule of FIG. 19, the content of notification is differentiated between a case before determination by the server 400, a case where an unauthorized (abnormal) determination result is obtained from the server 400, and a case where a normal determination result is obtained. In the case before the determination by the server 400, the notification unit 307 determines the notification content that the warning condition indicated by the warning rule is satisfied. Also, when an illegal (abnormal) determination result is obtained from the server 400, when the warning condition indicated by the warning rule is satisfied (when warning is required) and when the warning condition is not satisfied (when warning is not required) And the notification contents are distinguished.

According to the notification rule in the example of FIG. 19, the gateway 300 determines that a warning is necessary, and before the determination by the server 400, data indicating the second notification switching signal instructing the warning notification (see FIG. 9). The frame of ID5 including is transmitted to the head unit ECU 240. In addition, when it is determined that a warning is necessary when the gateway 300 obtains an abnormality determination result from the server 400, the gateway 300 transmits an ID5 frame including data indicating a fourth notification switching signal instructing a stop recommendation. It is transmitted to the head unit ECU 240. Further, when the gateway 300 determines that the warning is not required when the abnormality determination result is obtained from the server 400, the gateway 300 transmits an ID5 frame including data indicating the third notification switching signal instructing the attack detection notification. Is transmitted to the head unit ECU 240. Further, when the gateway 300 obtains a normal determination result from the server 400, the gateway 300 transmits to the head unit ECU 240 an ID5 frame including data indicating the first notification switching signal instructing a notification of no abnormality. Become.

[1.3.6 Forwarding rules]
FIG. 20 is a diagram illustrating an example of a transfer rule. The transfer rule indicates that the frame should be transferred only when the frame of the target ID is received from the transfer source bus and the transfer destination bus for the transfer. Transfer that is not indicated by the set of the target ID and the transfer source bus in the transfer rule is not performed.

According to the transfer rule in the example of FIG. 20, for example, when the gateway 300 receives a frame of ID1 from the CAN bus A101, the gateway 300 transfers this frame to the CAN bus B102 and the CAN bus C103. Further, since the frame of ID5 is a frame transmitted from the gateway 300, there is no corresponding transfer source bus in the transfer rule of FIG.

[1.3.7 Data Stored in State Storage Unit 307b]
FIG. 21 is a diagram illustrating an example of data stored in the state storage unit 307b. In the state storage unit 307b, the ID and data of a plurality of frames received by the gateway 300 in the past are stored for each ID. FIG. 21 shows one piece of data received in the past for each ID for convenience. In this example, the value of the steering angle (steering angle) indicated by the data related to the ID1 frame currently stored is 5, the value of the vehicle speed indicated by the data related to the ID2 frame is 40, and ID3 The value of the white line angle indicated by the data related to this frame is -8, and the value of the automatic steering angle (the angle related to the automatic steering instruction of the steering) indicated by the data related to the frame ID4 is 5.

[1.3.8 Frame reception processing in gateway]
FIG. 22 is a flowchart illustrating an example of a frame reception handling process in the gateway 300. The frame reception handling process will be described below with reference to FIG.

The gateway 300 receives the frame from any bus and interprets the frame (step S301). The gateway 300 transmits the ID, DLC, and data in the frame as log information to the server 400 (step S302).

Subsequently, the gateway 300 confirms whether or not the received frame is legitimate using the format rule (step S303). When the frame is not a regular frame (that is, when it is an illegal frame), the gateway 300 discards the received frame (step S304) and ends the frame reception handling process. When it is confirmed that the frame is an unauthorized frame, the gateway 300 transmits a frame indicating an instruction to notify the attack detection to the head unit ECU 240 in order to notify the driver or the like of the fraud detection. Alternatively, the gateway 300 may be configured.

When the received frame is confirmed to be legitimate by the format rule in step S303, the gateway 300 determines whether the determination by the server 400 is necessary (whether it is an attack frame or a suspicious frame) using the determination rule. Determination is made (step S305).

If it is determined in step S305 that determination by the server 400 is not necessary (not an attack frame and a suspicious frame), the gateway 300 transfers the received frame according to the transfer rule (step S306), and performs frame reception handling processing. Finish.

If it is determined in step S305 that determination by the server 400 is necessary (an attack frame and a suspicious frame), the gateway 300 transmits a determination request (determination request) to the server 400 (step S307).

Subsequently, the gateway 300 forwards the received frame to determine whether or not the automobile 500 is in a state that may cause an operation unintended by the driver (whether or not a warning is necessary). It judges using (step S308).

If it is determined in step S308 that a warning is necessary (the vehicle 500 is in a state that may cause an operation unintended by the driver), the gateway 300 sets ID5 for causing the head unit ECU 240 to perform a warning notification. A frame is generated (step S309), and the frame is transmitted to the CAN bus C103 (step S310).

When it is determined in step S308 that no warning is necessary (the vehicle 500 is not in a state that may cause an unintended operation of the driver), or after the transmission of the frame in step S310, the gateway 300 receives the signal. The transferred frame is transferred according to the transfer rule (step S311).

[1.3.9 Determination result reception processing in gateway]
FIG. 23 is a flowchart illustrating an example of determination result reception handling processing in the gateway 300. The determination result reception handling process will be described below with reference to FIG.

When the gateway 300 receives the determination result from the server, the gateway 300 determines whether or not the determination result is abnormal (incorrect frame) (step S321).

If it is determined in step S321 that there is an abnormality, the gateway 300 is currently in a state in which the automobile 500 may cause an unintended operation of the driver (for example, a state in which an unintended operation has been caused immediately before). Etc.) based on the warning rule using the data stored in the state storage unit 307b (step S322).

If it is determined in step S322 that the automobile 500 is in a state that may cause an operation unintended by the driver, the gateway 300 instructs the head unit ECU 240 to notify the driver of a stop recommendation ID5. Frame is generated (step S323). Subsequently, the gateway 300 transmits the generated frame of ID5 to the CAN bus C103 to which the head unit ECU 240 is connected (step S324), and ends the determination result reception processing.

If it is determined in step S322 that the automobile 500 is not in a state that may cause an operation unintended by the driver, the gateway 300 instructs the head unit ECU 240 to notify the driver of an attack detection notification. Frame is generated (step S325). Subsequently, the gateway 300 transmits the generated frame of ID5 to the CAN bus C103 to which the head unit ECU 240 is connected (step S324), and ends the determination result reception processing.

If it is determined that the result is normal in step S321, the gateway 300 generates a frame of ID5 instructing the head unit ECU 240 to notify the driver of no abnormality notification (step S326). Subsequently, the gateway 300 transmits the generated frame of ID5 to the CAN bus C103 to which the head unit ECU 240 is connected (step S324), and ends the determination result reception processing.

[1.4 Server]
The server 400 is a computer that is located outside the automobile 500 and includes a processor (microprocessor), a storage medium such as a memory and a hard disk, a communication circuit, and the like. The memory is ROM, RAM, or the like, and can store a control program (computer program as software) executed by the processor.

FIG. 24 is a configuration diagram of the server 400. In the figure, a gateway 300 is added. As shown in the figure, the server 400 includes a reception unit 401, a determination unit 402, a log storage unit 403, a fraud determination unit 404, and a transmission unit 405. Each of these components is realized by a communication circuit in the server 400, a processor that executes a control program stored in a memory, and the like.

The receiving unit 401 receives log information that is a set of ID, DLC, and data transmitted from the gateway 300 or a determination request (determination request).

When the reception unit 401 receives log information that is a set of ID, DLC, and data, the determination unit 402 sends the log information to the log storage unit 403. Further, when the receiving unit 401 receives a determination request, the determining unit 402 instructs the fraud determining unit 404 to determine whether it is illegal (abnormal) or normal.

When the log storage unit 403 receives log information that is a set of ID, DLC, and data from the determination unit 402, the log storage unit 403 stores the log information in association with the received time. In response to an instruction from the fraud determination unit 404, the stored time, ID, DLC, and data are sent. The log information may be transmitted from the gateway 300 including the reception time at which the gateway 300 receives the frame related to the ID, DLC, and data. In this case, the server 400 receives the reception time. It is sufficient to simply store log information including

When the fraud determination unit 404 receives an instruction to determine whether it is fraud (abnormal) or normal from the determination unit 402, the fraud determination unit 404 acquires log information by sending an instruction to the log storage unit 403, and based on the log information, fraud ( It is determined whether it is (abnormal) or not (normal).

The transmission unit 405 transmits the determination result in the fraud determination unit 404 to the gateway 300.

[1.4.1 Abnormality determination process in server]
FIG. 25 is a flowchart illustrating an example of the abnormality determination process in the server 400. Note that this is merely an example of determination performed in response to a determination request from the gateway 300 in the server 400, and the server 400 can perform determination using any determination method.

The server 400 acquires information related to the frame that triggered the determination request by referring to the log storage unit 403, and confirms the reception cycle of the frame from the past reception time corresponding to the ID of the frame. (Step S701). Then, the server 400 compares the frame having the same ID with the smallest (shortest) period based on the accumulated log information so far, and determines the trigger of the determination request. It is determined whether or not the period, which is the reception interval between the frame that has become the previous frame, is small (step S702). If the period, which is the reception interval between the frame that triggered the determination request and the previous frame, is small, the server 400 determines that it is illegal (abnormal) (step S703), and otherwise normal. Determination is made (step S704).

[1.4.2 Server operation]
FIG. 26 is a flowchart illustrating an operation example of the server 400.

The server 400 determines whether the received content is a determination request (determination request) or log information (a set of ID, DLC, and data) (step S401).

When the determination request is received, the server 400 performs an abnormality determination process (FIG. 25) for determining whether the frame related to the determination request is invalid (abnormal) or normal (step S700). Subsequently, the server 400 determines the result of the abnormality determination process (step S402), and when it is determined normal in the abnormality determination process, transmits the normal determination result to the gateway 300 (step S403). If the abnormality determination process determines that there is an abnormality, an abnormality (unauthorized) determination result is transmitted to the gateway 300 (step S404).

If it is determined in step S401 that the log information has been received, the server 400 associates the received time with the log information that is a set of ID, DLC, and data, and stores it in a storage medium such as a memory or a hard disk. Accumulate (step S405).

[1.5 Sequence related to operation of network system]
FIG. 2 is a sequence diagram illustrating an operation example of the network system 100. In this example, description will be made using an example in which the log information transmitted from the gateway 300 to the server 400 includes the frame reception time at the gateway 300.

When the gateway 300 receives a frame from each connected bus (step S1), the gateway 300 extracts the ID, DLC, and data, and transmits the log information to the server 400 as log information in association with the reception time (step S1). S2).

When the server 400 receives the log information from the gateway 300, the server 400 accumulates the log information in a storage medium (step S3).

The gateway 300 confirms whether or not the frame received from each bus is in a regular format (incorrect frame) (step S4). If it is confirmed that the frame is invalid, the gateway 300 discards the frame and suppresses the transfer (step S5).

If it is confirmed in step S4 that the frame is a legitimate format, the gateway 300 determines whether the frame needs to be determined by the server 400 (that is, whether the frame is a suspicious frame as an attack frame). Determination is made (step S6). If it is determined in step S6 that the server 400 does not need to determine, the gateway 300 transfers the frame to another bus based on the transfer rule (step S7).

When it is determined that the server 400 needs to determine the received frame, the gateway 300 transmits a determination request (determination request) to the server 400 (step S8), and issues a warning notification based on the warning rule. It is determined whether or not it is necessary (whether or not the car 500 is in a state that may cause an operation unintended by the driver by transferring the received frame) (step S9). When it is determined that the warning notification is necessary, the gateway 300 transmits an instruction related to the notification to the head unit ECU 240 (step S10), and thereby the head unit ECU 240 receives a frame instructing the warning notification (step S11).

When the head unit ECU 240 receives a warning notification instruction, the head unit ECU 240 displays the warning notification on the display (step S12).

Further, after step S9, the gateway 300 transfers the received frame to another bus (step S13).

When the server 400 receives the determination request (determination request) from the gateway 300, the server 400 uses the accumulated log information to select whether the frame is in an abnormal state in which it is transmitted illegally (normal state). The fraud determination that is the determination is performed (step S14), and the determination result is transmitted to the gateway 300 (step S15).

The gateway 300 that has received the determination result in step S15 notifies, based on the notification rule, according to the determination result and whether or not the current car 500 is in a state that may cause an operation unintended by the driver. The contents are determined (step S16). Gateway 300 transmits a frame indicating the notification content determined in step S16 to head unit ECU 240 (step S17).

When the head unit ECU 240 receives the frame indicating the notification content in step S17, the head unit ECU 240 switches the display content on the display according to the notification content (step S18).

[1.6 Effects of Embodiment 1]
In network system 100 according to the present embodiment, determination is made to server 400 outside automobile 500 with respect to an illegally transmitted frame (attack frame and suspicious frame) received by gateway 300 of the in-vehicle network in automobile 500. The control is performed to notify a warning to call attention when the vehicle 500 is in a state that may cause a dangerous operation. Further, when the gateway 300 receives a determination result indicating an abnormality from the server 400 and the automobile 500 is in a state that may cause an operation unintended by the driver (for example, the operation unintended by the driver is continued). Control) for notifying a stop recommendation. In addition, when the abnormality determination result is received, if the vehicle 500 is not in a state that may cause an operation unintended by the driver, control for notifying fraud detection is performed.

As a result, it is possible to notify the driver of the fact that a frame suspected of being illegally transmitted flows on the bus of the in-vehicle network, and to match the behavior of the vehicle based on the determination result of the server 400. By changing the notification, useful notifications can be given to the driver.

(Embodiment 2)
Hereinafter, when a part of the above-described network system 100 is modified and there is a possibility that a frame transmitted to the bus in the automobile is an illegal frame (attack frame), a determination request is transmitted to the external server 400. Instead, a network system configured to transmit a determination request to other vehicles around the vehicle will be described.

[2.1 Overall Configuration of Network System 100A]
FIG. 27 is a diagram showing an overall configuration of network system 100A according to the present embodiment.

The network system 100A promptly detects that the frame transmitted to the bus in the automobile A1000 is an suspicious frame as an attack frame and that the automobile A1000 may cause an unintended operation of the driver. When the determination result is received by requesting the determination by another vehicle B600 around the vehicle A1000, the notification content is determined according to the determination result and the behavior of the vehicle A1000. The network system is configured to notify the driver.

The network system 100A includes an automobile A1000, an automobile B600, and a network 20 serving as a communication path between these automobiles. The network 20 may include the Internet or the like, but may be a wireless communication path for directly transmitting and receiving wireless signals in vehicle-to-vehicle communication, for example.

The automobile A1000 is configured to include a plurality of electronic control units (ECUs) that are connected to various devices such as in-vehicle control devices, sensors, actuators, user interface devices, and the like and perform communication related to the frame via the in-vehicle bus. Equipped with an in-vehicle network. Specifically, as shown in FIG. 27, the in-vehicle network includes a CAN bus A101, a CAN bus B102, and a CAN bus C103 mounted on the automobile A1000. Steering ECU 200, speed notification ECU 210, white line angle notification ECU 220, and gateway 3001 are connected to CAN bus A101. An automatic steering instruction ECU 230 and a gateway 3001 are connected to the CAN bus B102. A head unit ECU 240 and a gateway 3001 are connected to the CAN bus C103. The same components as those described in Embodiment 1 are denoted by the same reference numerals as those in FIG. 1 in FIG. 27, and description thereof will be omitted as appropriate. The gateway 3001 is a partial modification of the gateway 300 shown in the first embodiment, and the points not particularly described here are the same as those of the gateway 300. The gateway 3001 includes a communication device (communication circuit or the like) for communicating with an automobile (an automobile B600 as an example of this) located around the automobile A1000 (for example, within approximately several tens of meters or the like).

The gateway 3001 transfers data frames between buses. Further, the gateway 3001 confirms the ID of the received frame based on the received reception ID list and performs frame filtering. Further, the gateway 3001 has a function for detecting an attack, and is based on whether or not a received frame satisfies a determination condition related to a reception cycle predetermined for each ID, a change amount of data in the frame, and the like. If it is determined whether the frame is suspected of being illegally transmitted (that is, an attack frame and a suspicious frame). If it is determined that the frame is an attack frame and a suspicious frame, a determination request (determination) Request). Specifically, the gateway 3001 receives, for example, an attack frame and a suspicious frame from the CAN bus B102, and the vehicle ECU 1000 is controlled by, for example, the steering ECU 200 by transferring the frame. If it is determined based on a predetermined warning condition that the operation is not performed, the head unit ECU 240 is instructed to give a warning (such as a display for notifying the driver of the warning), and then the frame Transfer to the CAN bus A101. Then, when instructing the warning, the gateway 3001 sends the position information, steering information (for example, direction information indicating the traveling direction of the automobile A1000), and speed information to the automobile B600 located around the automobile A1000. The attached determination request (determination request) is transmitted.

The automobile B600 (the in-vehicle device of the automobile B600, etc.) that has received the judgment request (judgment request) from the gateway 3001 is abnormal depending on whether or not the automobile A1000 that requested the judgment request is dangerous for the automobile B600. It is determined whether or not (normal), and the determination result is returned to the gateway 3001 of the automobile A1000.

Gateway 3001 determines the content of notification to the driver and instructs head unit ECU 240 according to the determination result from vehicle B600 and the current state of vehicle A1000 (steering angle, speed of vehicle A1000, etc.). . FIG. 28 shows an operation example of such a network system 100A. Details of the operation will be described later.

[2.2 Gateway]
FIG. 29 is a configuration diagram of the gateway 3001. In the figure, an automobile B600 is additionally shown. Similar to the gateway 300 shown in the first embodiment, the gateway 3001 executes a frame transfer function between buses, and also functions as a security device having a function for detecting an attack. As shown in FIG. 29, the gateway 3001 includes a frame transmission / reception unit 301, a frame interpretation unit 302, an external communication unit 303, a position information acquisition unit 303a, a reception ID determination unit 302a, and a reception ID list holding unit 302b. A confirmation unit 305, a format rule storage unit 305a, a determination unit 306, a determination rule storage unit 306a, a notification unit 307, a warning rule storage unit 307a, a state storage unit 307b, a notification rule storage unit 307c, A transfer unit 308, a transfer rule holding unit 308a, and a frame generation unit 304 are configured. Each of these components is realized by a communication circuit in the gateway 3001, a processor that executes a control program stored in a memory, a digital circuit, or the like. Of the constituent elements of the gateway 3001 shown in FIG. 29, the same constituent elements as those of the gateway 300 shown in the first embodiment (see FIG. 14) are denoted by the same reference numerals as in FIG. Description is omitted as appropriate.

The position information acquisition unit 303a acquires information indicating the current position of the automobile A1000 such as latitude, longitude, altitude, and the like from a GPS (Global Positioning System) receiver used for car navigation or the like, for example, to the external communication unit 303. send.

When the external communication unit 303 receives the determination request (determination request) from the determination unit 306, the external communication unit 303 attaches the position information acquired from the position information acquisition unit 303a and transmits the determination request to the vehicle B600 located around the vehicle A1000. . The external communication unit 303 transmits the determination request with the steering information and the speed information acquired from the sensors, ECUs, and the like of the respective units of the automobile A1000, similarly to the position information. In the present embodiment, the external communication unit 303 does not transmit the log information as a set of ID, DLC, and data acquired from the frame interpretation unit 302 to the outside. In addition, when the external communication unit 303 receives a determination result corresponding to the determination request from the automobile B 600, the external communication unit 303 transmits the determination result to the notification unit 307.

Upon receiving the ID, DLC, and data from the confirmation unit 305, the determination unit 306 relates to the ID, DLC, and data based on whether a predetermined condition indicated by the determination rule held in the determination rule holding unit 306a is satisfied. It is determined whether the frame is a suspicious frame as an attack frame. If the determination unit 306 determines that the received frame is a suspicious frame as an attack frame, the determination unit 306 can determine that a determination request should be made to the external automobile B600. However, in the determination unit 306 of the gateway 3001 according to the present embodiment, for example, when the received frame is a frame that is suspicious as an attack frame and the warning condition indicated by the warning rule held by the warning rule holding unit 307a is satisfied. For example, it is determined that a determination request should be made to the automobile B600. That is, the determination unit 306 of the gateway 3001 transfers the frame received by the gateway 3001 based on whether or not the warning condition indicated by the warning rule held by the warning rule holding unit 307a is satisfied, so that the automobile A1000 can drive the driver. It is determined whether there is a possibility of causing an unintended operation of the vehicle, and it is determined that a determination request should be made to the automobile B600 only when there is a possibility of causing an unintended operation of the driver. If the determination unit 306 determines that a determination request should be made to the automobile B600, the determination request is sent to the external communication unit 303, and the ID, DLC, and data are transmitted to the notification unit 307 when the determination request is sent. If determination unit 306 does not determine that a determination request should be made to automobile B 600, ID, DLC, and data are sent to transfer unit 308.

The determination rule holding unit 306a holds a determination rule indicating a determination condition as to whether or not the frame related to the received ID, DLC, and data is a suspicious frame as an attack frame.

When the notification unit 307 receives the ID, DLC, and data from the determination unit 306, the notification unit 307 generates information for generating a frame of ID5 indicating a number (notification switching signal) that instructs the head unit ECU 240 to issue a warning notification, and the received ID, The DLC and data are sent to the transfer unit 308. The notification unit 307 of the gateway 3001 according to the present embodiment does not directly determine whether or not the warning condition indicated by the warning rule is satisfied, but only when the warning condition is satisfied by the determination unit 306 Since the DLC and the data are transmitted, the control related to the instruction of the warning notification to the head unit ECU 240 is performed only when there is a possibility of causing an operation not intended by the driver. In addition, when the notification unit 307 receives the determination result received from the automobile B600 from the external communication unit 303, the state of the current automobile A1000 is referred to the state storage unit 307b and whether the warning condition indicated by the warning rule is satisfied. Based on whether or not, a number related to the notification content is determined according to the notification rule, and information for generating a frame of ID5 indicating a number (notification switching signal) instructing the notification content to the head unit ECU 240 is transmitted to the transfer unit 308. send.

The notification rule holding unit 307c holds a notification rule serving as a reference for determining notification contents from the determination result from the automobile B600 received by the notification unit 307 and the current state of the automobile A1000. This notification rule is the same as that illustrated in FIG.

[2.3 Frame reception processing in gateway]
FIG. 30 is a flowchart illustrating an example of a frame reception handling process in the gateway 3001. The frame reception handling process will be described below with reference to FIG.

The gateway 3001 receives a frame from any bus and interprets the frame (step S3001).

Subsequently, the gateway 3001 checks whether or not the received frame is legitimate using the format rule (step S3002). When the frame is not a regular frame (that is, when it is an illegal frame), the gateway 3001 discards the received frame (step S3003) and ends the frame reception processing. When it is confirmed that the frame is an unauthorized frame, the gateway 3001 transmits a frame indicating an instruction to notify the head unit ECU 240 of the detection of the attack in order to notify the driver of the fraud detection. Alternatively, the gateway 3001 may be configured.

If the received frame is confirmed to be legitimate by the format rule in step S3002, whether the gateway 3001 satisfies a condition that requires determination by an external vehicle depending on whether or not the frame is a suspicious frame as an attack frame. Whether or not is determined using a determination rule (step S3004).

If it is determined in step S3004 that determination by an external vehicle is not necessary (the attack frame is not a suspicious frame), the gateway 3001 transfers the received frame according to the transfer rule (step S3005), and frame reception handling processing is performed. Finish.

When it is determined in step S3004 that determination with an external vehicle is necessary (an attack frame and a suspicious frame), the gateway 3001 transfers the received frame so that the vehicle A1000 is not intended by the driver. It is determined using a warning rule whether or not the state is likely to cause an action (whether or not a warning is necessary) (step S3006).

When it is determined in step S3006 that a warning is necessary (the automobile A1000 is in a state that may cause an operation unintended by the driver), the gateway 3001 sets ID5 for causing the head unit ECU 240 to perform a warning notification. A frame is generated (step S3007), the frame is transmitted to the CAN bus C103 (step S3008), and a determination request (determination request) is transmitted to the external automobile B600 with position information, steering information, and speed information. (Step S3009).

If it is determined in step S3006 that no warning is necessary, or after the determination request is transmitted in step S3009, the gateway 3001 transfers the received frame according to the transfer rule (step S3010).

[2.4 Processing for reception of determination results in gateways]
FIG. 31 is a flowchart illustrating an example of determination result reception handling processing in the gateway 3001. The determination result reception handling process will be described below with reference to FIG.

When the gateway 3001 receives the determination result from the automobile B600, the gateway 3001 determines whether or not the determination result is abnormal (a state in which the automobile A1000 is dangerous for the automobile B600) (step S3101).

If it is determined in step S3101 that there is an abnormality, the gateway 3001 is currently in a state in which the automobile A1000 may cause an unintended operation of the driver (for example, a state in which an unintended operation is caused immediately before). Etc.) based on the warning rule using the data stored in the state storage unit 307b (step S3102).

In step S3102, if it is determined that the automobile A1000 is in a state that may cause an unintended operation of the driver, the gateway 3001 instructs the head unit ECU 240 to notify the driver of a stop recommendation. Frame is generated (step S3103). Subsequently, the gateway 3001 transmits the generated ID5 frame to the CAN bus C103 to which the head unit ECU 240 is connected (step S3104), and finishes the determination result reception handling process.

In step S3102, if it is determined that the automobile A1000 is not in a state that may cause an unintended operation of the driver, the gateway 3001 instructs the head unit ECU 240 to notify the driver of an attack detection notification. Frame is generated (step S3105). Subsequently, the gateway 3001 transmits the generated ID5 frame to the CAN bus C103 to which the head unit ECU 240 is connected (step S3104), and finishes the determination result reception handling process.

If the result of determination in step S3101 is normal, the gateway 3001 generates an ID5 frame that instructs the head unit ECU 240 to notify the driver of no abnormality notification (step S3106). Subsequently, the gateway 3001 transmits the generated ID5 frame to the CAN bus C103 to which the head unit ECU 240 is connected (step S3104), and finishes the determination result reception handling process.

[2.5 Example of operation of automobile B corresponding to determination request]
FIG. 32 is a flowchart illustrating an example of an operation example (abnormality determination process) corresponding to the determination request in the automobile B600. Note that this is merely an example of determination performed in response to the determination request from the gateway 3001 in the automobile B600, and the automobile B600 can perform determination using any determination method. Here, the automobile B600 determines whether or not it is abnormal depending on whether or not the automobile A1000 is in a dangerous state for the host vehicle. The abnormality determination process will be described below with reference to FIG.

The automobile B600 receives a determination request to which information indicating the position, speed, traveling direction, etc. of the automobile A1000 is attached from the automobile A1000 (step S600).

Next, the automobile B600 determines whether or not the speed of the automobile A1000 is equal to or higher than a predetermined threshold (step S601). As an example, this threshold is 60 km / h. If the speed of the automobile A1000 is less than the threshold value in step S601, the automobile B600 transmits a determination result indicating normality to the automobile A1000 (step S604). That is, if the current speed of the automobile A1000 is, for example, less than 60 km / h, the automobile B600 determines that the automobile A1000 is not dangerous (abnormal) for the automobile B600, and transmits a determination result indicating normality in response to the determination request.

If it is determined in step S601 that the speed of the automobile A1000 is equal to or greater than a predetermined threshold, the automobile B600 determines whether the distance from the automobile A1000 is equal to or less than a predetermined threshold ( Step S602). This threshold value is 5 m as an example. If it is determined in step S602 that the distance from the automobile A1000 exceeds the threshold, the automobile B600 transmits a determination result indicating normality to the automobile A1000 (step S604). That is, if the distance between the position indicated by the position information of the automobile A1000 and the current position of the automobile B600 is more than 5 m, the automobile B600 determines that the automobile A1000 is not dangerous (abnormal) for the automobile B600. Sends a judgment result of normal to the request.

If it is determined in step S602 that the distance from the automobile A1000 is equal to or less than a predetermined threshold, the automobile B600 determines whether or not the traveling direction of the automobile A1000 is directed toward the automobile B600 (step S602). S603). If it is determined in step S603 that the traveling direction of the automobile A1000 is not directed toward the automobile B600, the automobile B600 transmits a determination result indicating normality to the automobile A1000 (step S604). That is, when the position and the traveling direction of the automobile A1000 do not indicate the direction of the current position with respect to the automobile B600, the automobile B600 determines that the automobile A1000 is not dangerous (abnormal) for the automobile B600. On the other hand, a determination result of normal is transmitted.

When it is determined in step S603 that the traveling direction of the automobile A1000 is directed toward the automobile B600, the automobile B600 transmits a determination result of abnormality (danger) to the automobile A1000 (step S605).

[2.6 Sequence related to operation of network system]
FIG. 28 is a sequence diagram illustrating an operation example of the network system 100A.

The gateway 3001 receives a frame from each connected bus (step S21), and confirms whether the received frame is in a proper format (incorrect frame) (step S22). If it is confirmed that the frame is invalid, the gateway 3001 discards the frame and suppresses the transfer (step S23).

If the gateway 3001 confirms that the frame is a legitimate frame in step S22, the gateway 3001 determines whether the influence of the frame needs to be determined by an external vehicle (that is, whether the frame is a suspicious frame as an attack frame). Is determined (step S24).

If it is determined in step S24 that the received frame is an suspicious frame as an attack frame, the gateway 3001 determines whether or not a warning notification is required based on the warning rule (by transferring the received frame, It is determined whether or not the automobile A1000 is in a state that may cause an operation unintended by the driver (step S25).

If it is determined in step S24 that it is not necessary to determine with an external vehicle, or if it is determined in step S25 that a warning notification is not required, the gateway 3001 transfers the frame to another bus based on the transfer rule. (Step S26).

If it is determined in step S25 that a warning notification is required, the gateway 3001 transmits an instruction related to the notification to the head unit ECU 240 (step S27), whereby the head unit ECU 240 receives a frame instructing the warning notification. Then, display related to the warning notification is performed on the display (step S28). If it is determined that a warning notification is required, the gateway 3001 transmits a determination request (determination request) to the automobile B600 existing around the automobile A1000 (step S29), and the received frame is transmitted to another bus. (Step S30).

Upon receipt of the determination request (determination request) from the gateway 3001, the vehicle B600 performs a risk determination that is an alternative determination as to whether the vehicle A1000 is in a dangerous abnormal state (normal state) for the vehicle B600 ( In step S31), the determination result is transmitted to the gateway 3001 (step S32).

The gateway 3001 that has received the determination result in step S32 notifies, based on the notification rule, according to the determination result and whether or not the current car A1000 is in a state that may cause an unintended operation of the driver. The contents are determined (step S33). The gateway 3001 transmits a frame indicating the notification content determined in step S33 to the head unit ECU 240 (step S34).

When the head unit ECU 240 receives the frame indicating the notification content in step S34, the head unit ECU 240 switches the display content on the display according to the notification content (step S35).

[2.7 Effects of Embodiment 2]
In network system 100A according to the present embodiment, when vehicle A1000 in-vehicle network gateway 3001 of vehicle A1000 receives a suspected frame (attack frame and suspicious frame) that has been illegally transmitted, vehicle A1000 intends the driver's intention. Control for notifying a warning to call attention only in a state where there is a possibility of causing an operation not to be performed, and an external device (an in-vehicle device of another automobile B600) existing around the automobile A1000 Etc.). Further, when the gateway 3001 receives the determination result indicating the abnormality (the automobile A1000 is dangerous for the automobile B600) from the automobile B600 (the in-vehicle device of the automobile B600), the automobile A1000 performs an operation that is not intended by the driver. When the vehicle is in a state that may cause the vehicle (for example, when the operation not intended by the driver is continued), control for notifying the stop recommendation is performed. In addition, when the abnormality determination result is received, if the automobile A1000 is not in a state that may cause an operation unintended by the driver, control for notifying fraud detection is performed.

As a result, it is possible to inform the driver of the fact that a frame suspected of being illegally transmitted flows on the bus of the in-vehicle network, and whether or not the vehicle A1000 by the vehicle B600 is dangerous (abnormal). By changing the notification according to the behavior of the vehicle based on the determination result, it is possible to provide a useful notification to the driver.

(Other embodiments)
As described above,

Embodiments

1 and 2 have been described as examples of the technology according to the present disclosure. However, the technology according to the present disclosure is not limited to this, and can also be applied to embodiments in which changes, replacements, additions, omissions, and the like are appropriately performed. For example, the following modifications are also included in one embodiment of the present disclosure.

(1) In the above embodiment, an example is shown in which the head unit ECU 240 displays on the display in order to alert the driver when an attack frame and a suspicious frame are detected in the in-vehicle network (FIG. 10). The information for presentation (warning notice, stop recommendation, etc.) to be transmitted to the driver may be presented by a method other than display (for example, sound reproduction from a speaker, etc.). In addition, as a notification method such as warning notification in the network system, notification may be made by changing the lighting state of the interior light, notification may be made by changing the tightening strength of the seat belt, or steering. Or you may notify by vibrating a pedal. Further, the classification of the information for presentation, such as notification of no abnormality, warning notification, attack detection notification and stop recommendation shown in FIG. 9, may be determined in any way, and specific presentation contents ( For example, the display content is not limited to those illustrated in FIGS. 10 to 13 and may be any one.

(2) In the above embodiment, the

gateways

300 and 3001 that perform frame monitoring or the like in the in-vehicle network of the automobile perform notification (warning notification or the like) to the driver under a certain condition in cooperation with the head unit ECU 240. showed that. This in-vehicle network may be mounted on a vehicle other than an automobile (for example, a motorcycle). Further, the target of notification (warning notification or the like) is not limited to the driver of the vehicle, but may be a vehicle crew member or an apparatus (such as another vehicle) located around the vehicle. The notification for the notification target may be performed via a server or other devices. For example, in order to notify another vehicle under a certain condition based on the monitoring of the frame in the in-vehicle network of the one vehicle, the one vehicle includes a notification device that controls the lighting state of the emergency flashing indicator lamp. Also good. In the above embodiment, the

gateways

300 and 3001 have a communication function (external communication unit) that communicates with the outside. However, the vehicle has a communication device (communication unit) separately from the

gateways

300 and 3001. The

gateways

300 and 3001 may communicate with the outside of the vehicle via this communication device. FIG. 33 shows an example of a network system including this notification device, communication device, and the like.

FIG. 33 shows a configuration of a network system 2000 according to one embodiment. The network system 2000 includes a vehicle 2100 and an external device 2200.

The vehicle 2100 includes a security device 2110 that is connected to the bus 2190a, the bus 2190b, and the bus 2190c and monitors these buses, and further includes a communication device 2120 that communicates with the external device 2200, and a predetermined ECU (head) that has an information presentation function. Unit) 2140, ECUs 2150a to 2150d connected to each bus, and a notification device 2130 for notifying the outside of vehicle 2100. The notification device 2130 is, for example, an emergency blinking indicator lamp, and may be, for example, a siren. The security device 2110 includes a reception unit 2111, a confirmation unit 2112, a determination unit 2113, an acquisition unit 2114, and an output unit 2115. The reception unit 2111 corresponds to the reception function part of the frame transmission / reception unit 301 described above, and receives a frame from one bus. The confirmation unit 2112 corresponds to the above-described confirmation unit 305, and confirms whether or not the frame received by the reception unit 2111 from one bus satisfies an illegal condition. The determination unit 2113 corresponds to the determination unit 306 described above, and determines whether or not a predetermined condition for distinguishing whether or not there is a possibility of being an attack frame is satisfied for the frame received by the reception unit 2111. The determination unit 2113 does not have to determine that the predetermined condition is satisfied when the confirmation unit 2112 confirms that the frame received by the reception unit 2111 satisfies the illegal condition. Note that the predetermined condition used for determination of the frame by the determination unit 2113 is the reception interval between the same type preceding frame received by the reception unit 2111 and having the same ID as that frame, and the data of the frame. Between the content of the previous frame and the content of the data of the same type preceding frame, and the correlation between the content of the different type of previous frame received by the receiving unit 2111 having an ID different from that of the frame and the content of the frame Of these, the condition is related to at least one. The acquisition unit 2114 controls the communication device 2120 so that a determination request is transmitted to the external device 2200 when the determination unit 2113 determines that a predetermined condition is satisfied, and is transmitted from the external device 2200 in response to the determination request. The determination result is acquired via the communication device 2120. Note that the communication device 2120 may transmit log information regarding each frame received by the reception unit 2111 of the security device 2110 to the external device 2200. The output unit 2115 outputs first presentation information (for example, a warning notification) when the determination unit 2113 determines that a predetermined condition is satisfied, and the output unit 2115 receives the determination result from the external device 2200 when the acquisition unit 2114 acquires the determination result. 2 Information for presentation (for example, stop recommendation, attack detection notification, no abnormality notification, etc.) is output. The first presentation information includes control information for causing the notification device 2130 to perform notification, and the output of the first presentation information by the output unit 2115 transmits the first presentation information to the notification device 2130. May be included. The output unit 2115 may output the first presentation information and the second presentation information by presentation (display, generation of vibration, ringing of buzzer, lighting of light, voice output, etc.), predetermined ECU 2140, etc. (Transmission of frames including information for presentation to the bus 2190c to which the predetermined ECU 2140 is connected) may be performed. The predetermined ECU 2140 presents the first presentation information when the frame including the first presentation information is received, and presents the second presentation information when the frame including the second presentation information is received. Regarding the presentation timing of the first presentation information, the output unit 2115 may output the first presentation information when the determination unit 2113 determines that a predetermined condition is satisfied. When the determination unit 2113 determines that the predetermined condition is satisfied, the output unit 2115 receives the first presentation information when a warning condition (for example, a condition based on the warning rule held by the warning rule holding unit 307a) is satisfied. The first presentation information may not be output when the warning condition is not satisfied. The output unit 2115 may determine whether or not the warning condition is satisfied based on the contents of one or more frames received in the past by the receiving unit 2111. When the acquisition unit 2114 acquires the determination result from the external device 2200, the output unit 2115 determines whether or not the determination result indicates normal among a plurality of predetermined different information different from the first presentation information. Information selected according to the above may be output as second presentation information. In addition, when the acquisition unit 2114 acquires the determination result from the external device 2200, the output unit 2115 determines whether or not a warning condition is satisfied among a plurality of predetermined different information different from the first presentation information. The information selected according to the heel and the determination result may be output as the second presentation information. The security device 2110 can be a gateway device, but is not necessarily a gateway device.

The external device 2200 is a device that receives a determination request from the vehicle 2100, determines whether it is abnormal, and transmits a determination result to the vehicle 2100. The external device 2200 is located around the server (eg, the server 400) and the vehicle 2100. The vehicle may be another vehicle (for example, automobile B600), a roadside device located around the vehicle 2100, a traffic light, or the like. The vehicle 2100 is an automobile, a motorcycle, or the like, and includes a plurality of ECUs that are connected to various devices such as a control device, a sensor, an actuator, and a user interface device in the vehicle and perform communication related to the frame via a bus in the vehicle. It has an in-vehicle network that is configured.

External device 2200 may be a device that transmits a determination result to communication device 2120 by determining whether an attack frame is transmitted in the vehicle based on log information when a determination request is received. The determination result alternatively indicates, for example, whether it is normal (abnormal). The external device 2200 may be a device that transmits the determination result to the communication device 2120 by observing the operation of the vehicle from the outside of the vehicle and determining whether or not the operation of the vehicle is normal. When the determination unit 2113 determines that the condition is satisfied, it may be another vehicle located around the vehicle 2100.

(3) In the above embodiment, as a determination rule used for determining a frame that is suspected of being illegally transmitted (attack frame and suspected frame), the frame reception cycle (transmission cycle) or the amount of change in the value of the data field Although the rule is exemplified, it is possible to determine whether or not the attack frame is a suspicious frame using any property of the CAN frame.

(4) In the above embodiment, when the determination request is transmitted to the server or another vehicle and the determination result is received, only the notification content is determined (that is, only the notification is switched). In order not to transfer a frame having the same ID as the triggered frame between the buses, a rule held by the

gateways

300 and 3001 may be added or updated.

(5) In the second embodiment, the automobile B600 determines whether or not it is abnormal based on information such as the position, speed, and traveling direction attached to the determination request received from the automobile A1000. The position, speed, or traveling direction of the automobile A1000 may be measured using an in-vehicle device such as a sensor in the automobile B600, and each determination in steps S601 to S603 may be performed using the measurement result. For example, the automobile B600 may specify the position of the determination requesting automobile A1000 by observing the radio field intensity when a predetermined wireless signal is received as a determination request from the automobile A1000.

(6) In the above embodiment, the in-vehicle network that communicates according to the CAN protocol is shown. This CAN protocol should be treated as having a broad meaning including derived protocols such as CANFD (CAN Flexible Data Rate). In the network system, a communication protocol other than the CAN protocol, for example, Ethernet (registered trademark), MOST (registered trademark), FlexRay (registered trademark), or the like may be used.

(7) The order of execution of the various processing procedures shown in the above embodiment (for example, the procedures shown in FIGS. 2, 22, 23, 25, 26, 28, 30 to 32, etc.) The order is not necessarily limited as described above, and the order of execution is changed, a plurality of procedures are performed in parallel, or a part of the procedures is omitted without departing from the scope of the disclosure. Can do.

(8) The gateway and other ECUs in the above embodiment are, for example, devices including digital circuits such as processors and memories, analog circuits, communication circuits, etc., but are hard disk devices, displays, keyboards, mice, etc. Other hardware components may be included. Further, instead of the control program stored in the memory being executed by the processor and realizing the function in software, the function may be realized by dedicated hardware (digital circuit or the like).

(9) A part or all of the components constituting each device in the above embodiment may be configured by one system LSI (Large Scale Integration). The system LSI is an ultra-multifunctional LSI manufactured by integrating a plurality of components on a single chip. Specifically, the system LSI is a computer system including a microprocessor, a ROM, a RAM, and the like. . A computer program is recorded in the RAM. The system LSI achieves its functions by the microprocessor operating according to the computer program. In addition, each part of the constituent elements constituting each of the above devices may be individually made into one chip, or may be made into one chip so as to include a part or the whole. Although the system LSI is used here, it may be called IC, LSI, super LSI, or ultra LSI depending on the degree of integration. Further, the method of circuit integration is not limited to LSI's, and implementation using dedicated circuitry or general purpose processors is also possible. An FPGA (Field Programmable Gate Array) that can be programmed after manufacturing the LSI or a reconfigurable processor that can reconfigure the connection and setting of circuit cells inside the LSI may be used. Furthermore, if integrated circuit technology comes out to replace LSI's as a result of the advancement of semiconductor technology or a derivative other technology, it is naturally also possible to carry out function block integration using this technology. Biotechnology can be applied as a possibility.

(10) A part or all of the constituent elements constituting each of the above devices may be composed of an IC card that can be attached to and detached from each device or a single module. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the super multifunctional LSI described above. The IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may have tamper resistance.

(11) As an aspect of the present disclosure, for example, an attack detection method including all or part of the processing procedures illustrated in FIGS. 22, 23, 30, 31, and the like may be used. For example, the attack detection method is an attack detection method used in an in-vehicle network system in which a plurality of electronic control units exchange frames via one or a plurality of buses, and receives a frame from the bus; A determination step (for example, steps S305 and S3004) for determining whether or not a predetermined condition for distinguishing whether or not there is a possibility of being an attack frame is satisfied for the frame received in the reception step, and when the predetermined condition is satisfied A first presentation step (eg, steps S309, S310, S3007, S3008) that presents the first presentation information when determined in the determination step, and an exterior of the vehicle when the determination step determines that a predetermined condition is satisfied. Control so that the judgment request is transmitted to the external device located in The acquisition step (for example, S307, S3009, etc.) for acquiring the determination result transmitted from the external device, and the second presentation step for presenting the second presentation information when the determination result from the external device is acquired in the acquisition step (For example, steps S323 to S326, S3103 to S3106). Further, as an aspect of the present disclosure, the present disclosure may be a computer program that realizes the processing related to the attack detection method by a computer, or may be a digital signal that includes the computer program. Further, as one aspect of the present disclosure, a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, or a BD can be used as the computer program or the digital signal. (Blu-ray (registered trademark) Disc), recorded on a semiconductor memory or the like. Further, the digital signal may be recorded on these recording media. As one aspect of the present disclosure, the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like. Further, an aspect of the present disclosure may be a computer system including a microprocessor and a memory, the memory recording the computer program, and the microprocessor operating according to the computer program. . Also, by recording and transferring the program or the digital signal on the recording medium, or by transferring the program or the digital signal via the network or the like, by another independent computer system It may be carried out.

(12) Embodiments realized by arbitrarily combining the constituent elements and functions shown in the embodiment and the modified examples are also included in the scope of the present disclosure.

This disclosure can be used to deal with attack frames in an in-vehicle network.

10,20 network 100,100A, 2000 network system 101 bus A
102 Bus B
103 Bus C
200 Steering ECU
201, 301 Frame transmission /

reception unit

202, 302

Frame interpretation unit

203, 302a Reception

ID determination unit

205, 231 Control unit 206 Motor for automatic steering 207

Steering sensor

208, 218, 228, 238, 304

Frame generation unit

209, 239, 249, 302b Reception ID list holding unit 210 Speed notification ECU
211 Speed sensor 220 White line angle notification ECU
221 White line angle detection sensor 230 Automatic steering instruction ECU
240 head unit ECU
241 Display unit 241a Display

content holding unit

300, 3001 Gateway (security device)
303 External communication unit 303a Position information acquisition unit 305 Confirmation unit 305a Format rule holding unit 306 Judgment unit 306a Judgment rule holding unit 307 Notification unit 307a Warning rule holding unit 307b Status storage unit 307c Notification rule holding unit 308 Transfer unit 308a Transfer rule holding unit 400

servers

401, 2111 reception unit 402 determination unit 403 log storage unit 404 fraud determination unit 405 transmission unit 500 automobile 600 automobile B
1000 Car A
2100 Vehicle 2110 Security device 2112 Confirmation unit 2113 Determination unit 2114 Acquisition unit 2115 Output unit 2120 Communication device 2130

Notification devices

2140, 2150a to 2150d Electronic control unit (ECU)
2190a to 2190c Bus 2200 External device

Claims

A security device connected to one or more buses in a vehicle,
A receiving unit for receiving a frame from one of the buses;
A determination unit that determines whether or not a predetermined condition for distinguishing whether there is a possibility of being an attack frame is satisfied for the frame received by the reception unit;
When the determination unit determines that the predetermined condition is satisfied, the determination request is transmitted to an external device located outside the vehicle, and is transmitted from the external device in response to the determination request. An acquisition unit for acquiring a determination result;
An output unit that outputs first presentation information when the determination unit determines that the predetermined condition is satisfied, and outputs second presentation information when the acquisition unit acquires a determination result from the external device. A security device comprising:
The security device according to claim 1, wherein the vehicle includes a plurality of electronic control units that exchange frames according to a CAN (Controller Area Network) protocol via the one or more buses.
The security device according to claim 1, wherein the security device is a gateway device connected to the plurality of buses in the vehicle.
The security device further includes a confirmation unit that confirms whether or not the frame received by the reception unit from one bus satisfies an illegal condition,
The security device transfers the frame to another bus when the confirmation unit confirms that the frame received from one bus by the reception unit does not satisfy the illegal condition, and the confirmation unit If it is confirmed that the illegal condition is met, the frame is not transferred,
When it is confirmed that the illegal condition is met by the confirmation unit for the frame received by the reception unit, the determination unit does not determine that the predetermined condition is satisfied,
The security device according to claim 3, wherein the output unit outputs the first presentation information when the determination unit determines that the predetermined condition is satisfied.
When the determination unit determines that the predetermined condition is satisfied, the output unit outputs the first presentation information when a warning condition is satisfied, and the first presentation when the warning condition is not satisfied The security device according to any one of claims 1 to 4, wherein no security information is output.
The output unit determines whether a warning condition is satisfied among a plurality of predetermined different information different from the first presentation information when the acquisition unit acquires a determination result from the external device. The security device according to any one of claims 1 to 4, wherein information selected according to the determination result is output as the second presentation information.
The security device according to claim 5 or 6, wherein the output unit determines whether or not the warning condition is satisfied based on contents of one or more frames received in the past by the receiving unit.
The determination result from the external device alternatively indicates whether it is normal,
If the acquisition unit acquires a determination result from the external device, the output unit indicates whether the determination result is normal among a plurality of predetermined different information different from the first presentation information. The security device according to any one of claims 1 to 5, wherein information selected according to whether or not is output as the second presentation information.
The acquisition unit includes an external communication unit that transmits the determination request to the external device and receives a determination result transmitted from the external device in response to the determination request. The security device described.
The output unit transmits a frame including the first presentation information to one bus in the vehicle when the determination unit determines that the predetermined condition is satisfied, and determines the determination result from the external device. The security device according to any one of claims 1 to 9, wherein when the acquisition unit acquires the frame, the frame including the second presentation information is transmitted to the one bus.
The predetermined condition used for determination of a frame by the determination unit is the reception interval between the same type preceding frame received by the reception unit and having the same ID as the frame, and the data of the frame. Of the difference between the content and the content of the data of the same type preceding frame, and the correlation between the content of the different type preceding frame received by the receiving unit having an ID different from that of the frame and the content of the frame The security device according to any one of claims 1 to 10, wherein the security device is a condition relating to at least one of the conditions.
A security device according to any one of claims 1 to 11;
The external device;
The vehicle equipped with a communication device for communicating with the external device;
The one or more buses;
A network system comprising: a plurality of electronic control units mounted on the vehicle that exchange frames through the one or more buses.
One of the plurality of electronic control units is a predetermined electronic control unit having an information presentation function,
The output unit transmits a frame including the first presentation information to a bus to which the predetermined electronic control unit is connected when the determination unit determines that the predetermined condition is satisfied. When the acquisition unit acquires the determination result, a frame including the second presentation information is transmitted to the bus to which the predetermined electronic control unit is connected,
The predetermined electronic control unit presents the first presentation information when receiving the frame including the first presentation information, and displays the second presentation information when receiving the frame including the second presentation information. The network system according to claim 12 presenting information.
The vehicle includes a notification device that notifies the outside of the vehicle,
The first presentation information includes control information for causing the notification device to perform notification,
The network system according to claim 12 or 13, wherein the output of the first presentation information by the output unit includes transmission of the first presentation information to the notification device.
The communication device transmits log information about each frame received by the receiving unit of the security device to the external device,
The acquisition unit of the security device transmits the determination request to the external device via the communication device, and receives the determination result transmitted from the external device according to the determination request via the communication device. And
The external device transmits the determination result to the communication device by determining whether or not an attack frame is transmitted in the vehicle based on the log information when the determination request is received. 15. The network system according to any one of items 14 to 14.
The external device transmits the determination result to the communication device by observing the operation of the vehicle from the outside of the vehicle and determining whether the operation of the vehicle is normal or not. The network system according to any one of the above.
The network system according to claim 16, wherein the external device is another vehicle located around the vehicle when the determination unit determines that the predetermined condition is satisfied.
An attack detection method used in an in-vehicle network system in which a plurality of electronic control units exchange frames via one or a plurality of buses,
Receiving a frame from the bus;
A determination step of determining whether or not a predetermined condition for distinguishing whether or not there is a possibility of being an attack frame is satisfied for the frame received in the reception step;
A first presentation step for presenting first presentation information when the determination step determines that the predetermined condition is satisfied;
If the determination step determines that the predetermined condition is satisfied, control is performed so that a determination request is transmitted to an external device located outside the vehicle, and the determination request is transmitted from the external device in response to the determination request. An acquisition step for acquiring the determination result;
A second presenting step of presenting second presentation information when a determination result from the external device is obtained in the obtaining step.