WO2017119027A1 - Method for detecting an improper state, monitoring electronic control unit, and in-vehicle network system

Publication number
WO2017119027A1
Authority
WO
WIPO (PCT)
Prior art keywords
frame
fraud
condition
ecu
fraud detection
Application number
PCT/JP2016/004993
Other languages
English (en)
Japanese (ja)
Inventor
剛 岸川
良浩 氏家
安齋 潤
松島 秀樹
正人 田邉
Original Assignee
パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ
Priority claimed from JP2016208084A (JP6684690B2)
Application filed by パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ
Related publications: EP3402125B1 (fr), CN108028784B (zh), US10992688B2 (en)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks

Definitions

  • This disclosure relates to a technique for detecting transmission of an illegal frame in an in-vehicle network in which an electronic control unit communicates.
  • ECUs: electronic control units
  • in-vehicle network A network connecting these ECUs.
  • ISO 11898-1: the standard that defines the CAN (Controller Area Network) protocol, one of the standards for the in-vehicle network connecting these ECUs.
  • CAN Controller Area Network
  • the communication path is a bus composed of two wires, and the ECU connected to the bus is called a node.
  • Each node connected to the bus transmits and receives a message called a frame.
  • a transmitting node that transmits a frame applies a voltage to the two bus wires to generate a potential difference between them, thereby transmitting a value of "1" called recessive and a value of "0" called dominant.
  • when recessive and dominant are transmitted at the same time, the dominant is transmitted with priority.
  • when a receiving node detects an abnormality in a received frame, it transmits a frame called an error frame.
  • An error frame notifies the transmitting node and the other receiving nodes of the frame abnormality by transmitting dominants continuously for 6 bits.
  • the transmitting node transmits an ID with each frame (that is, sends a signal to the bus), and each receiving node receives only the frames with predetermined IDs (that is, reads only those signals from the bus).
  • CAN uses CSMA/CA (Carrier Sense Multiple Access / Collision Avoidance).
  • arbitration is performed using a message ID during simultaneous transmission of a plurality of nodes, and a frame with a small message ID value is preferentially transmitted.
  • the in-vehicle network monitoring device described in Patent Document 1 determines that a frame is illegal when the difference between the reception interval measured for frames transmitted to the CAN bus and a predetermined communication interval is out of a prescribed reference range.
  • the present disclosure provides a fraud detection method that can detect that an illegal state (abnormality) has occurred by monitoring the frames transmitted over the bus, even when an ECU has entered an illegal state due to unauthorized rewriting of firmware, execution of malware, etc.
  • the present disclosure also provides an in-vehicle network system that uses the fraud detection method and a monitoring electronic control unit (monitoring ECU) that performs fraud detection in the in-vehicle network system.
  • a fraud detection method is a fraud detection method for detecting that an improper state has occurred in an in-vehicle network system including a plurality of electronic control units that communicate via a bus.
  • fraud detection rule information indicating a first condition, which is a condition regarding the relationship between the contents of a frame having a first identifier and a frame having an identifier different from the first identifier, is used; the method determines whether a set of frames received from the bus satisfies the first condition and detects that an unauthorized state has occurred when the first condition is not satisfied.
  • the disclosure may be implemented as an apparatus, a system, an integrated circuit, a computer program, or a recording medium such as a computer-readable CD-ROM, or as any combination of the apparatus, system, method, computer program, and recording medium.
  • when an ECU enters an unauthorized state due to unauthorized rewriting of firmware or execution of malware, the relationship between the frames transmitted by that ECU and the frames transmitted by other ECUs is disturbed, so it can be detected that an unauthorized state has occurred.
  • FIG. 1 is a diagram illustrating the overall configuration of the in-vehicle network system according to Embodiment 1.
  • FIG. 2 is a diagram showing the format of the data frame defined by the CAN protocol.
  • FIG. 3 is a diagram showing the format of the error frame defined by the CAN protocol.
  • FIG. 4 is a configuration diagram of the monitoring ECU according to Embodiment 1.
  • FIG. 5 is a diagram showing an example of the frame reception history.
  • FIG. 6 is a diagram showing an example of the fraud detection rule information.
  • FIG. 7 is a diagram showing an example of the fraud determination result.
  • FIG. 8 is a diagram showing an example of the ECU information table.
  • further figures show: the configuration of an ECU according to Embodiment 1; an example of the data frame transmitted by an ECU according to Embodiment 1; a flowchart of an example operation of the monitoring ECU according to Embodiment 1; an example of the bus monitoring operation in the in-vehicle network system according to Embodiment 1; the configuration of the monitoring ECU according to Embodiment 2 and an example of its frame reception history; operation examples 1 and 2 of bus monitoring in the in-vehicle network system according to Embodiment 2; the overall configuration of the in-vehicle network system according to Embodiment 3; the configuration of the monitoring ECU according to Embodiment 3, of its MAC verification unit, and an example of its frame reception history; the configuration of an ECU according to Embodiment 3; and operation examples 1 and 2 of bus monitoring in the in-vehicle network system according to Embodiment 3.
  • since, when an ECU enters an unauthorized state, the relationship between the frames it transmits and the frames transmitted by other ECUs may no longer satisfy the first condition, it can be detected that an illegal state has occurred by monitoring the bus.
  • the plurality of electronic control units exchange data frames according to the CAN (Controller Area Network) protocol via the bus, and the fraud detection rule information indicates, as the first condition, a condition regarding the relationship between the contents of a first type frame, which is a data frame having the first identifier, and a second type frame, which is a data frame having a second identifier different from the first identifier.
  • the fraud detection method includes a reception step in which the monitoring electronic control unit connected to the bus sequentially receives the data frames transmitted on the bus, and a fraud determination step that determines whether the first type frames and second type frames received in the reception step satisfy the first condition indicated by the fraud detection rule information. This makes it possible to appropriately detect when an unauthorized state occurs in an in-vehicle network that conforms to CAN for transferring frames between ECUs.
  • the fraud detection rule information may include, as the first condition, a condition on the relationship between a first value specified based on the contents of the data field in one or more first type frames and a second value specified based on the contents of the data field in one or more second type frames, and the fraud determination step may perform the determination by executing a predetermined calculation process that distinguishes, using the first value and the second value, whether or not the first condition is satisfied.
  • the fraud detection rule information may include, as the first condition, a condition on the relationship between a first value based on the contents of the data fields in a plurality of first type frames and a second value based on the contents of the data fields in one or more second type frames, where the first value is based on the data field of each first type frame received in the reception step in each of a plurality of unit times and the second value on the data field of each second type frame received in one or more of the last of those unit times; the determination is again performed by the predetermined calculation process. As a result, operations such as the difference (amount of change) or total (integrated amount) of the values over the unit times can be used in the condition.
  • the predetermined calculation process may be a process that distinguishes whether the first condition is satisfied depending on whether the first value falls within the range of a quantitative variable that is obtained, using the second value as the value of a qualitative variable, from a standard defining a range of the quantitative variable for each value of the qualitative variable.
  • the predetermined calculation process may also be a process that distinguishes whether the first condition is satisfied depending on whether the second value falls within the range of an objective variable calculated, using the first value as the value of an explanatory variable, from a relational expression indicating the relationship between the objective variable and the explanatory variable. In this way the relationship is defined as a condition, and it may be possible to detect the occurrence of an unauthorized state.
  • the fraud detection rule information may include, as the first condition, a relationship between the contents of the data fields in one or more first type frames and the contents of the data fields in one or more second type frames defined by a relational expression using a Pearson product-moment correlation coefficient, a maximum information coefficient, or a canonical correlation coefficient. Accordingly, it may be possible to detect the occurrence of an illegal state based on a condition in which the contents of two types of data frames having different IDs are related by such an expression.
  • the fraud detection rule information may further indicate a second condition, which is a condition regarding the relationship between the data field contents of the first type frame and a third type frame, a data frame having a third identifier different from both the first identifier and the second identifier, and the fraud determination step may further determine whether the first type frames and third type frames received in the reception step satisfy the second condition.
  • the fraud detection method may further include a transmission step in which the monitoring electronic control unit transmits a predetermined frame, so that it can be received by the electronic control unit that transmits the first type frame, according to the number of conditions among the first condition and the second condition that were determined not to be satisfied in the fraud determination step.
  • the fraud detection method may further use intrusion detection rule information indicating a condition for the data frames of each identifier, and include an intrusion determination step that determines whether a data frame received from the bus in the reception step satisfies the corresponding condition indicated by the intrusion detection rule information, and a coping step that determines the content of the countermeasure processing according to the combination of the determination result of the fraud determination step and the determination result of the intrusion determination step, and executes the countermeasure processing so determined.
  • the condition that the intrusion detection rule information indicates for the data frames of one identifier may relate to any of the reception interval between data frames having that identifier, the number of data frames having that identifier received within a predetermined interval, and the difference (amount of change) between the values extracted from the data fields of successive data frames having that identifier.
  • the fraud detection method may further include a verification step that verifies the authenticity of the authenticator (for authentication) carried in the data frame received from the bus, in which case the content of the countermeasure processing is determined according to the combination of the determination result of the fraud determination step, the determination result of the intrusion determination step, and the verification result of the verification step, and under certain conditions a key update process relating to the update of the authentication key may be chosen as the countermeasure processing. As a result, by combining the fraud determination based on the fraud detection rule information, the intrusion determination based on the intrusion detection rule information, and the verification result of the authenticator, the content or impact of an attack can be classified, and appropriate response processing, such as updating a key used for authentication, can be selected.
  • the fraud detection method may further perform, for the data frames received in the reception step after the key update process has been executed in the coping step, the determination of the fraud determination step, the determination of the intrusion determination step, and the verification of the verification step, and include an additional coping step that executes a countermeasure process different from the key update process when the combination of these results satisfies a predetermined condition. By defining the predetermined condition so that a situation not improved by the key update process is detected, such a situation can be dealt with appropriately by another countermeasure process.
  • when the fraud detection method detects that the fraud state has occurred, it may identify one of the subnetwork on which the frame related to the occurrence of the fraud state was transmitted, the electronic control unit that transmitted that frame, and the identifier of that frame.
  • since information related to the occurrence of the unauthorized state is identified, the details of the attack can be classified in more detail, so that the attack can be responded to more appropriately.
  • when the fraud detection method detects that the fraud state has occurred, it may execute, as countermeasure processing, one or more of the following: transmitting a diagnostic frame that confirms the correctness of a specific electronic control unit connected to the bus by challenge-response authentication; issuing a notification prompting confirmation of a diagnostic port on the bus; notifying the driver of the vehicle equipped with the in-vehicle network system to stop or slow down; notifying the driver to go to the dealer; notifying the driver that an unauthorized state has occurred; notifying the electronic control units connected to the network that data frames having the specific identifier are illegal; and transmitting the illegal data frame to a server outside the vehicle.
  • a multivariate analysis based on a set of frames received from the bus may be used to identify the relationship between the frame contents of frames having different identifiers, and the fraud detection rule information may be generated or updated so as to indicate a condition expressing the identified relationship. Thereby the fraud detection rule information can be generated appropriately, so that the occurrence of the fraud state can be detected appropriately.
  • a monitoring electronic control unit (monitoring ECU) is an electronic control unit connected to the bus in an in-vehicle network system including a plurality of electronic control units that communicate via the bus, and includes a reception unit that receives frames from the bus, a fraud detection rule holding unit that holds fraud detection rule information indicating a first condition, which is a condition regarding the relationship between the contents of a frame having a first identifier and a frame having an identifier different from the first identifier, and a fraud determination unit that determines whether a set of frames received from the bus by the reception unit satisfies the first condition indicated by the fraud detection rule information.
  • when an electronic control unit enters an unauthorized state due to unauthorized rewriting of firmware or execution of malware, the unauthorized state can be detected from the disturbance in the relationship between a frame transmitted by that ECU and a frame having another identifier.
  • an in-vehicle network system is an in-vehicle network system including a plurality of electronic control units that communicate via a bus, a fraud detection rule holding unit that holds fraud detection rule information indicating a first condition, which is a condition regarding the relationship between the contents of a frame having a first identifier and a frame having an identifier different from the first identifier, and a fraud determination unit that determines whether or not an illegal state has occurred by determining whether a set of frames received from the bus satisfies the first condition indicated by the fraud detection rule information.
  • the fraud detection method is a method for detecting that an illegal frame is transmitted to a bus from an unauthorized node (for example, an ECU controlled by an attacker), and is mainly executed by a monitoring ECU connected to the bus.
  • the monitoring ECU in the in-vehicle network system detects an illegal state (that an illegal data frame has been transmitted) based on the relationship between the contents of data frames (messages) having two different identifiers (message IDs).
  • FIG. 1 is a diagram showing an overall configuration of the in-vehicle network system 10.
  • the in-vehicle network system 10 is an example of a network communication system that performs communication according to the CAN protocol, and is a network communication system in a vehicle on which various devices such as a control device, a sensor, an actuator, and a user interface device are mounted.
  • the in-vehicle network system 10 includes a plurality of devices that perform communication related to a frame via a CAN bus that configures the in-vehicle network, and uses a fraud detection method.
  • the in-vehicle network system 10 includes a bus 300, a monitoring ECU 100, and nodes connected to the bus 300 such as ECU 200a, ECU 200b, ECU 200c, and ECU 200d, which are connected to various devices.
  • the in-vehicle network system 10 may include a number of ECUs in addition to the monitoring ECU 100 and the ECUs 200a, 200b, 200c, and 200d.
  • the ECU is a device including, for example, a processor (microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like.
  • the memory is a ROM, a RAM, or the like, and can store a control program (computer program) executed by the processor.
  • the ECU realizes various functions by the processor operating according to the control program (computer program).
  • the computer program is configured by combining a plurality of instruction codes indicating instructions for the processor in order to achieve a predetermined function.
  • ECU 200a, ECU 200b, ECU 200c, and ECU 200d are connected to bus 300, and are connected to speed sensor 210, acceleration sensor 220, gear (transmission mechanism) 230, and instrument panel 240, respectively.
  • the ECU 200a periodically acquires the speed of the vehicle from the speed sensor 210, and periodically transmits a data frame notifying the acquired speed to the bus 300.
  • the ECU 200b periodically acquires the acceleration of the vehicle from the acceleration sensor 220, and periodically transmits a data frame that notifies the acquired acceleration to the bus 300.
  • the ECU 200c periodically acquires the state of the gear 230 and periodically transmits a data frame notifying the state of the gear 230 to the bus 300.
  • the ECU 200d receives each data frame notifying the speed of the vehicle or the state of the gear, and updates the information displayed on the instrument panel 240.
  • the monitoring ECU 100 is a kind of ECU that is connected to the bus 300 and performs fraud detection processing: it monitors the data frames that flow on the bus (that is, the data frames that appear on the bus) and determines whether or not an unauthorized data frame has been transmitted (fraud determination).
  • each ECU exchanges frames according to the CAN protocol.
  • Frames in the CAN protocol include a data frame, a remote frame, an overload frame, and an error frame.
  • the explanation will focus on data frames.
  • FIG. 2 is a diagram showing a data frame format defined by the CAN protocol.
  • a data frame in a standard ID format defined by the CAN protocol is shown.
  • the data frame includes an SOF (Start Of Frame), ID field, RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit "r", DLC (Data Length Code), data field, CRC (Cyclic Redundancy Check) sequence, CRC delimiter, ACK slot, ACK delimiter, and EOF (End Of Frame).
  • SOF is composed of 1-bit dominant. When the bus is idle, it is recessive, and the start of frame transmission is notified by changing to dominant by SOF.
  • the ID field is a field for storing an ID (message ID) that is a value indicating the type of data, which is composed of 11 bits.
  • a frame having a small ID is designed to have a high priority in order to perform communication arbitration in this ID field.
  • RTR is a value for identifying a data frame and a remote frame, and is composed of a dominant 1 bit in the data frame.
  • IDE and “r” are both composed of dominant 1 bit.
  • DLC is composed of 4 bits and is a value indicating the length of the data field.
  • the data field is a value indicating the content of data to be transmitted composed of a maximum of 64 bits. The length can be adjusted every 8 bits.
  • the specification of the data to be sent is not defined by the CAN protocol, but is defined in the in-vehicle network system 10. Therefore, the specification depends on the vehicle type, manufacturer (manufacturer), and the like.
  • CRC sequence consists of 15 bits. It is calculated from the transmission values of the SOF, ID field, control field and data field.
  • CRC delimiter is a delimiter representing the end of a CRC sequence composed of 1-bit recessive.
  • the CRC sequence and the CRC delimiter are collectively referred to as a CRC field.
  • ACK slot consists of 1 bit.
  • the transmitting node performs transmission with the ACK slot being recessive.
  • the receiving node transmits an ACK slot as a dominant if reception is successful up to the CRC sequence. Since dominant is given priority over recessive, if the ACK slot is dominant after transmission, the transmitting node can confirm that any receiving node has received successfully.
  • ACK delimiter is a delimiter representing the end of ACK composed of 1-bit recessive.
  • EOF is composed of 7 bits recessive and indicates the end of the data frame.
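The data frame format described above, as an added example that is not part of the patent: a bit-level builder and parser for the standard-ID data frame, including the 15-bit CRC (ISO 11898-1 CRC-15, polynomial 0x4599) that a receiving node checks before it drives the ACK slot dominant. Bit stuffing is left out on purpose, so this is the logical frame; the sample message ID and data bytes are constructed.

```python
# Added example (not from the patent). Bit values follow the text above:
# 1 = recessive, 0 = dominant. The CRC covers SOF, ID field, control field
# (RTR, IDE, r, DLC) and data field, exactly as the text states.
from dataclasses import dataclass
from typing import List, Tuple

CAN_CRC_POLY = 0x4599  # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1


def crc15(bits: List[int]) -> int:
    """CRC-15 shift register as specified for CAN, initialised to zero."""
    crc = 0
    for b in bits:
        crcnxt = b ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if crcnxt:
            crc ^= CAN_CRC_POLY
    return crc


def to_bits(value: int, width: int) -> List[int]:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits: List[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


@dataclass
class DataFrame:
    can_id: int   # 11-bit message ID; a smaller ID wins arbitration
    data: bytes   # data field, 0 to 8 bytes (DLC counts bytes)


def build_frame(frame: DataFrame, acked: bool = False) -> List[int]:
    """Bit sequence as it appears on the bus. The transmitter sends the ACK
    slot recessive; acked=True shows it after a receiver overwrote it."""
    if not 0 <= frame.can_id < (1 << 11) or len(frame.data) > 8:
        raise ValueError("invalid message ID or data length")
    head = [0]                                # SOF: one dominant bit
    head += to_bits(frame.can_id, 11)         # ID field
    head += [0]                               # RTR: dominant in a data frame
    head += [0, 0]                            # IDE and reserved bit r: dominant
    head += to_bits(len(frame.data), 4)       # DLC
    for byte in frame.data:                   # data field, 8 bits per byte
        head += to_bits(byte, 8)
    bits = head + to_bits(crc15(head), 15)    # CRC sequence over SOF..data
    bits += [1]                               # CRC delimiter: recessive
    bits += [0 if acked else 1]               # ACK slot
    bits += [1]                               # ACK delimiter: recessive
    bits += [1] * 7                           # EOF: seven recessive bits
    return bits


def parse_frame(bits: List[int]) -> Tuple[DataFrame, bool]:
    """Decode the fields of a received data frame and verify its CRC. Raises
    ValueError on anything a receiving node would answer with an error frame."""
    if not bits or bits[0] != 0:
        raise ValueError("missing SOF")
    pos = 1
    can_id = from_bits(bits[pos:pos + 11]); pos += 11
    if bits[pos] != 0:
        raise ValueError("RTR recessive: remote frame, not a data frame")
    pos += 3                                  # RTR, IDE, r
    dlc = from_bits(bits[pos:pos + 4]); pos += 4
    if dlc > 8:
        raise ValueError("DLC out of range")
    data = bytes(from_bits(bits[pos + 8 * i:pos + 8 * i + 8]) for i in range(dlc))
    pos += 8 * dlc
    if from_bits(bits[pos:pos + 15]) != crc15(bits[:pos]):
        raise ValueError("CRC mismatch")
    pos += 15
    if bits[pos] != 1:
        raise ValueError("CRC delimiter must be recessive")
    pos += 1
    acked = bits[pos] == 0                    # dominant: some receiver acknowledged
    pos += 1
    if bits[pos:pos + 8] != [1] * 8:          # ACK delimiter + 7-bit EOF
        raise ValueError("bad ACK delimiter or EOF")
    return DataFrame(can_id, data), acked


def is_valid(bits: List[int]) -> bool:
    """True when a receiving node would accept the frame (no error frame)."""
    try:
        parse_frame(bits)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    # Constructed sample: a speed frame with message ID 0x100 and two data bytes.
    wire = build_frame(DataFrame(0x100, bytes([0x00, 0x3C])), acked=True)
    print(len(wire), "bits on the bus:", parse_frame(wire))
```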
  • FIG. 3 is a diagram illustrating an error frame format defined by the CAN protocol.
  • the error frame includes an error flag (primary), an error flag (secondary), and an error delimiter.
  • the error flag (primary) is used to notify other nodes of the occurrence of an error.
  • a node that detects an error notifies the other nodes of the occurrence of the error by continuously transmitting 6 dominant bits. This transmission violates the bit stuffing rule of the CAN protocol (the same value is not transmitted continuously for 6 bits or more), and causes the other nodes to transmit the error flag (secondary).
  • the error flag (secondary) is composed of 6 continuous dominant bits used to notify other nodes of the occurrence of an error. All nodes that have received the error flag (primary) and detected a violation of the bit stuffing rule transmit the error flag (secondary).
  • the error delimiter "DEL" consists of 8 continuous recessive bits and indicates the end of the error frame.
  • FIG. 4 is a configuration diagram of the monitoring ECU 100.
  • the monitoring ECU 100 includes a frame transmission / reception unit 110, a frame processing unit 120, a fraud determination unit 130, a fraud handling unit 140, a frame generation unit 150, a frame reception history holding unit 160, a fraud detection rule holding unit 170, a fraud determination result holding unit 180, and an ECU information table holding unit 190.
  • Each component of the monitoring ECU 100 shown in FIG. 4 can be realized by a storage medium such as a memory of the monitoring ECU 100, a communication circuit, a processor that executes a program stored in the memory, or the like.
  • the frame transmission / reception unit 110 transmits / receives a frame (data frame or the like) according to the CAN protocol to the bus 300.
  • the frame transmission / reception unit 110 has a function as a reception unit that receives a frame from the bus 300 bit by bit.
  • the frame transmission / reception unit 110 transfers information such as the ID, DLC, and data in the received data frame to the frame processing unit 120. If the frame transmission / reception unit 110 determines that the data frame does not conform to the CAN protocol, it transmits an error frame.
  • when the frame transmission / reception unit 110 receives an error frame during reception of a data frame, that is, when it interprets the values received as an error frame, it discards the data frame being received.
  • the frame transmission / reception unit 110 transmits the contents of a data frame to the bus 300 one bit at a time. Processing in accordance with the CAN protocol, such as communication arbitration, is also realized in the frame transmission / reception unit 110.
  • the frame processing unit 120 receives data frame information from the frame transmitting / receiving unit 110 and interprets the contents of the data frame.
  • the frame processing unit 120 acquires information such as the vehicle speed, acceleration, or gear state indicated by the data frames transmitted from each of the ECUs 200a, 200b, and 200c, and based on the acquired information updates the information on each data frame (frame reception history) stored in the frame reception history holding unit 160.
  • the fraud determination unit 130 periodically (for example, every 100 ms) performs fraud determination, that is, determines whether or not an illegal data frame has been received (whether an illegal data frame has been transmitted), based on the fraud detection rule information held by the fraud detection rule holding unit 170 and the frame reception history held by the frame reception history holding unit 160. For each condition indicated by the fraud detection rule information regarding the relationship between frames having different IDs, the fraud determination unit 130 checks whether the condition is satisfied; when a condition is not satisfied, it judges the frames as illegal. The fraud determination unit 130 updates the fraud determination result held by the fraud determination result holding unit 180 based on this determination.
  • for each frame ID, the fraud determination unit 130 calculates a degree of abnormality according to the number of frauds detected based on the conditions indicated by the fraud detection rule information for frames of that ID (for example, the number of conditions that are not satisfied), and adds the degree of abnormality to the fraud determination result held by the fraud determination result holding unit 180. If the number of conditions detected as illegal is 0, the degree of abnormality is 0, and a degree of abnormality of 0 indicates that no abnormality was detected. When the fraud determination unit 130 judges as fraudulent (that is, when it detects the occurrence of a fraud state), it also notifies the fraud handling unit 140 that fraud has been detected.
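The fraud determination step described in the rule passages above and in the description of the fraud determination unit 130, as an added example that is not the patent's own code: frames of three message IDs are grouped into 100 ms unit times, one condition relates the change in speed between unit times to the reported acceleration (a relational expression between objective and explanatory variable), another bounds the speed by the reported gear state (a quantitative range per qualitative value), and the degree of abnormality of an ID is the number of its conditions that are not satisfied. The message IDs, data-field layouts, speed ranges and tolerance are constructed assumptions.

```python
# Added example (not the patent's code). IDs, data layouts and thresholds are
# assumptions made for this example; the CAN protocol leaves them to the maker.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SPEED_ID, ACCEL_ID, GEAR_ID = 0x100, 0x101, 0x102   # constructed message IDs
UNIT_TIME_MS = 100                                   # determination period (100 ms)


@dataclass
class ReceivedFrame:
    t_ms: int      # reception time
    can_id: int
    data: bytes    # data field


def speed_mps(d: bytes) -> float:       # constructed: 2 bytes, 0.01 m/s units
    return int.from_bytes(d[:2], "big") / 100.0


def accel_mps2(d: bytes) -> float:      # constructed: 1 signed byte, 0.1 m/s^2 units
    return int.from_bytes(d[:1], "big", signed=True) / 10.0


def gear_state(d: bytes) -> str:        # constructed: 1 byte, 0=P 1=R 2=N 3=D
    return "PRND"[d[0]]


# Frame reception history: message ID -> unit times (oldest first) -> data fields.
History = Dict[int, List[List[bytes]]]


def build_history(frames: List[ReceivedFrame], n_units: int, now_ms: int) -> History:
    start = now_ms - n_units * UNIT_TIME_MS
    hist: History = {}
    for f in frames:
        if not start <= f.t_ms < now_ms:
            continue
        slot = (f.t_ms - start) // UNIT_TIME_MS
        hist.setdefault(f.can_id, [[] for _ in range(n_units)])[slot].append(f.data)
    return hist


def speed_matches_acceleration(hist: History) -> Optional[bool]:
    """Relational-expression condition: the speed change between the last two
    unit times (objective variable) must lie within a*dt +/- 0.1 m/s, where a
    is the mean acceleration of the last unit time (explanatory variable).
    None = too few frames to judge (missing frames belong to intrusion rules)."""
    speeds, accels = hist.get(SPEED_ID), hist.get(ACCEL_ID)
    if not speeds or not accels or len(speeds) < 2:
        return None
    if not speeds[-1] or not speeds[-2] or not accels[-1]:
        return None
    dv = speed_mps(speeds[-1][-1]) - speed_mps(speeds[-2][-1])
    a = sum(accel_mps2(d) for d in accels[-1]) / len(accels[-1])
    return abs(dv - a * UNIT_TIME_MS / 1000.0) <= 0.1


# Standard giving the quantitative range (speed, m/s) for each qualitative value (gear).
SPEED_RANGE_BY_GEAR = {"P": (0.0, 0.0), "R": (0.0, 15.0), "N": (0.0, 70.0), "D": (0.0, 70.0)}


def speed_within_gear_range(hist: History) -> Optional[bool]:
    """Every speed in the last unit time must fall inside the range defined for
    the most recently reported gear state."""
    speeds, gears = hist.get(SPEED_ID), hist.get(GEAR_ID)
    if not speeds or not gears or not speeds[-1] or not gears[-1]:
        return None
    lo, hi = SPEED_RANGE_BY_GEAR[gear_state(gears[-1][-1])]
    return all(lo <= speed_mps(d) <= hi for d in speeds[-1])


# Fraud detection rule information (constructed): (first type ID, condition).
RULES: List[Tuple[int, Callable[[History], Optional[bool]]]] = [
    (SPEED_ID, speed_matches_acceleration),
    (SPEED_ID, speed_within_gear_range),
]


def fraud_determination(frames: List[ReceivedFrame], now_ms: int, n_units: int = 2) -> Dict[int, int]:
    """Degree of abnormality per first-type ID: number of conditions not satisfied."""
    hist = build_history(frames, n_units, now_ms)
    degree = {first_id: 0 for first_id, _ in RULES}
    for first_id, check in RULES:
        if check(hist) is False:
            degree[first_id] += 1
    return degree


def capture(speeds_prev, speeds_last, accel, gear) -> List[ReceivedFrame]:
    """Constructed two-unit-time capture: speed frames plus one acceleration and
    one gear frame per unit time."""
    frames = []
    for unit, speeds in enumerate((speeds_prev, speeds_last)):
        base = unit * UNIT_TIME_MS
        for i, v in enumerate(speeds):
            frames.append(ReceivedFrame(base + 10 + 40 * i, SPEED_ID, int(round(v * 100)).to_bytes(2, "big")))
        frames.append(ReceivedFrame(base + 20, ACCEL_ID, int(round(accel * 10)).to_bytes(1, "big", signed=True)))
        frames.append(ReceivedFrame(base + 30, GEAR_ID, bytes(["PRND".index(gear)])))
    return frames


NORMAL = capture([10.00, 10.00], [10.20, 10.20], 2.0, "D")   # dv = 0.20 m/s = a*dt
IMPLAUSIBLE_JUMP = capture([10.00], [20.00], 0.0, "D")        # +10 m/s with zero acceleration
PARKED_SPOOF = capture([0.00], [25.00], 0.0, "P")             # speed reported while in P
```

Running `fraud_determination(frames, now_ms=200)` on the three captures yields degrees 0, 1 and 2 for the speed ID, the last two being the cases the fraud handling unit would act on.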
  • When the fraud handling unit 140 is notified by the fraud determination unit 130 that fraud has been detected, it refers to the fraud determination result stored in the fraud determination result holding unit 180 and the ECU information table stored in the ECU information table holding unit 190, and determines the content of the countermeasure (handling) process against the fraud.
  • Once the handling process is determined, the fraud handling unit 140 performs control for executing it. For example, when the fraud determination result shows that fraud was detected in relation to a data frame having a specific ID (for example, fraud is detected and the calculated degree of abnormality of that ID is the highest), the fraud handling unit 140 requests the frame generation unit 150 to generate a diagnostic message for the ECU that transmits the data frame with that ID.
  • When generation of a data frame to be transmitted is requested, the frame generation unit 150 generates the data frame and causes the frame transmission/reception unit 110 to transmit it. For example, when generation of a diagnostic message is requested, the frame generation unit 150 generates a data frame representing a predetermined diagnostic message and transmits it to the bus 300 via the frame transmission/reception unit 110.
  • the frame reception history holding unit 160 holds a frame reception history (see FIG. 5), which is information on data frames received sequentially by the monitoring ECU 100.
  • the fraud detection rule holding unit 170 holds fraud detection rule information (see FIG. 6) that the fraud determination unit 130 refers to for fraud determination.
  • the fraud determination result holding unit 180 holds the fraud determination result (see FIG. 7) as a result of the fraud determination unit 130 determining whether or not the rule (condition) indicated by the fraud detection rule information is met.
  • the ECU information table holding unit 190 holds an ECU information table (see FIG. 8) that associates, with each ID, information on the ECU that transmits the data frame of that ID.
  • FIG. 5 shows an example of a frame reception history held by the frame reception history holding unit 160.
  • the frame reception history is information relating to the contents of the data frame received by the monitoring ECU 100 from the past to the present.
  • FIG. 5 shows, for each of the three IDs in the frame reception history, the specific values indicated by the contents of the data frames received in each unit time (for example, 100 ms) from the latest (current) one back to the one received three times before.
  • For the vehicle speed, the value indicated by the latest received data frame is 18.0 km/h, the value of the data frame received one time before is 19.2 km/h, the value received two times before is 19.6 km/h, and the value received three times before is 20.0 km/h.
  • the acceleration values indicated by the data frames from the latest back to three times before are 0.10 m/s², 0.10 m/s², 0.20 m/s², and 0.20 m/s², respectively.
  • all the values of the gear state indicated by the data frames from the latest back to three times before represent the state of “D” (drive).
  • the frame reception history is used by the fraud determination unit 130 to confirm the relationship of contents between data frames having different IDs (determination as to whether or not the conditions indicated by the fraud detection rule information are satisfied).
  • FIG. 5 shows only the values indicated by the contents of the data frames received from the latest back to three times before, but in general the frame reception history is whatever information the fraud determination unit 130 needs for the fraud determination it performs using the fraud detection rule information.
  • the frame reception history may be information indicating the contents of all data frames received by the monitoring ECU 100 after the vehicle starts to travel (for example, when the engine is started).
  • the frame reception history holding unit 160 may have, for example, one area for storing the integral value of acceleration.
  • FIG. 6 shows an example of fraud detection rule information held by the fraud detection rule holding unit 170.
  • the fraud detection rule information includes one or more conditions (rules) relating to the relationship between the contents of data frames having different IDs (three in the example of FIG. 6).
  • the fraud detection rule information includes, as the rule with rule number 1, a condition regarding the relationship between the content (vehicle speed) of the data frame with ID 0x100 and the content (acceleration) of the data frame with ID 0x200.
  • This condition is that the vehicle speed indicated by the data frame with ID 0x100 received within a certain unit time (for example, 100 ms) lies within ±1 km/h of the integrated value of acceleration, which is obtained by accumulating the acceleration values indicated by the data frames with ID 0x200 received in that unit time and in each past unit time (for example, from the time the vehicle started to travel onward).
  • the integrated value of acceleration can be calculated, for example, by the following formula, which includes the unit conversion from m/s² to km/h:
  • Integrated value = (Σ(acceleration indicated by a received ID 0x200 data frame × 3.6)) / (1 / transmission cycle of the ID 0x200 data frame)
  • the fraud detection rule information includes, as the rule with rule number 2, a condition regarding the relationship between the content (vehicle speed) of the data frame with ID 0x100 and the content (gear state) of the data frame with ID 0x300. This condition is that when the gear state indicated by the data frame with ID 0x300 received within a certain unit time represents “D” (drive), the amount of change (for example, difference) of the vehicle speed indicated by the data frame with ID 0x100 received within the same unit time from the vehicle speed indicated by the data frame received within the previous unit time is kept to 1.0 km/h or less, and when the gear state represents “R” (reverse) instead of “D”, the amount of change in the vehicle speed is kept to 0.5 km/h or less. If this condition is not satisfied, the fraud determination unit 130 determines that it is illegal.
  • the fraud detection rule information includes, as the rule with rule number 3, a condition regarding the relationship between the content (acceleration) of the data frame with ID 0x200 and the content (gear state) of the data frame with ID 0x300. This condition is that when the gear state indicated by the data frame with ID 0x300 received within a certain unit time represents “D” (drive), the amount of change (for example, difference) of the acceleration indicated by the data frame with ID 0x200 received within the same unit time from the acceleration indicated by the data frame received within the previous unit time is kept to 1.0 m/s² or less, and when the gear state represents “R” (reverse) instead of “D”, the amount of change in the acceleration is kept to 0.5 m/s² or less. If this condition is not satisfied, the fraud determination unit 130 determines that it is illegal.
  • FIG. 7 shows an example of the fraud determination result held by the fraud determination result holding unit 180.
  • the fraud determination result indicates, for each ID of a data frame (the left end in the figure), whether the fraud determination unit 130 determined the frame to be fraudulent or not (that is, appropriate) based on the conditions relating to the relationship between the data frame of that ID and the data frames of other IDs.
  • the rule number of the rule (condition) in the fraud detection rule information used for each determination is appended.
  • FIG. 7 shows an example in which the fraud determination unit 130 determined that the condition of rule number 1 and the condition of rule number 2 are not satisfied (that is, determined illegal) and that the condition of rule number 3 is satisfied (that is, determined appropriate).
  • the degree of abnormality calculated according to the number of fraud determination (detection) for each ID frame by the fraud determination unit 130 is added.
  • the data frame with ID 0x100 is determined to be illegal under the condition of rule number 1 and determined to be illegal under the condition of rule number 2, so the degree of abnormality is calculated as 2.
  • a data frame with an ID of 0x200 is determined to be illegal under the condition of rule number 1, but is not determined to be illegal under the condition of rule number 3, so the degree of abnormality is calculated as 1.
  • the data frame with ID 0x300 is determined to be illegal under the condition of rule number 2, but is not determined to be illegal under the condition of rule number 3, so the degree of abnormality is calculated as 1.
  • FIG. 8 shows an example of an ECU information table held by the ECU information table holding unit 190.
  • the ECU information table is a table in which information (transmission ECU information) about the ECU that is the transmission source of the data frame of the ID is associated with each ID of the data frame.
  • the example of FIG. 8 indicates that the data frame with ID 0x100 is transmitted from the ECU 200a, the data frame with ID 0x200 from the ECU 200b, and the data frame with ID 0x300 from the ECU 200c. Although omitted in FIG. 8, the transmission ECU information about an ECU indicated by the ECU information table may include, for example, information necessary for specifying the contents of a diagnostic message, which is a data frame transmitted to the ECU to diagnose its state.
  • the diagnosis message transmitted to diagnose the state of a certain ECU includes, for example, identification information for identifying the ECU, information necessary for diagnosis of the ECU, and the like.
  • the ECU diagnosis started when the monitoring ECU 100 transmits a diagnosis message is, for example, a diagnosis according to a predetermined method of whether or not the firmware of the ECU has been illegally rewritten; the diagnosed ECU performs a predetermined process such as transmitting diagnostic information (for example, a hash value of memory contents) to the monitoring ECU 100.
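The rules of FIG. 6, the per-ID degree of abnormality of FIG. 7 and the ECU lookup of FIG. 8, implemented as an added example; this is not the patent's code. The rule thresholds, the unit conversion in the acceleration integral and the ECU table are taken from the text above. The function names, the use of one Python dict per unit time as the frame reception history, the choice to leave the “N” gear state unconstrained (the text defines limits only for “D” and “R”), and the sample values, which are constructed to match the fourth unit time of FIG. 12, are assumptions of this example.

```python
"""Fraud determination over the relationship between frames of different IDs
(rules 1-3 of FIG. 6), the degree of abnormality of FIG. 7 and the ECU
lookup of FIG. 8. Added example, not the patent's code; thresholds and the
ECU table are from the text, names and sample data are assumptions."""
from typing import Any, Dict, Optional

ID_SPEED, ID_ACCEL, ID_GEAR = 0x100, 0x200, 0x300

# ECU information table (FIG. 8): transmitting ECU per frame ID.
ECU_TABLE = {ID_SPEED: "ECU 200a", ID_ACCEL: "ECU 200b", ID_GEAR: "ECU 200c"}

# Rules 2 and 3 bound the change per unit time by gear state: 1.0 in "D",
# 0.5 in "R" (km/h for speed, m/s^2 for acceleration). The text gives no
# bound for "N", so neutral is left unconstrained here (assumption).
CHANGE_LIMIT = {"D": 1.0, "R": 0.5}

# IDs each rule relates (FIG. 6); an unsatisfied rule counts against both.
RULE_IDS = {1: (ID_SPEED, ID_ACCEL), 2: (ID_SPEED, ID_GEAR), 3: (ID_ACCEL, ID_GEAR)}


def accel_integral_step(integral_km_h: float, accel_m_s2: float, cycle_s: float) -> float:
    """Advance the integrated acceleration by one received ID 0x200 frame using
    the text's formula: sum(accel x 3.6) / (1 / cycle), i.e. m/s^2 -> km/h per
    second, multiplied by the transmission cycle in seconds."""
    return integral_km_h + (accel_m_s2 * 3.6) / (1.0 / cycle_s)


def within_change_limit(gear: str, value: float, previous: float) -> bool:
    limit = CHANGE_LIMIT.get(gear)
    return limit is None or abs(value - previous) <= limit


def fraud_determination(current: Dict[int, Any], previous: Dict[int, Any],
                        accel_integral_km_h: float) -> Dict[int, bool]:
    """Evaluate rules 1-3 for one unit time; True means the condition holds.
    `current`/`previous` map frame ID -> value received in that unit time."""
    gear = current[ID_GEAR]
    return {
        # Rule 1: speed (0x100) within +/-1 km/h of the integrated acceleration (0x200).
        1: abs(current[ID_SPEED] - accel_integral_km_h) <= 1.0,
        # Rule 2: speed change vs. previous unit time bounded by gear state (0x300).
        2: within_change_limit(gear, current[ID_SPEED], previous[ID_SPEED]),
        # Rule 3: acceleration change vs. previous unit time bounded by gear state.
        3: within_change_limit(gear, current[ID_ACCEL], previous[ID_ACCEL]),
    }


def degree_of_abnormality(rule_results: Dict[int, bool]) -> Dict[int, int]:
    """FIG. 7: for each ID, the number of unsatisfied rules that involve it."""
    degree = {ID_SPEED: 0, ID_ACCEL: 0, ID_GEAR: 0}
    for rule_no, satisfied in rule_results.items():
        if not satisfied:
            for can_id in RULE_IDS[rule_no]:
                degree[can_id] += 1
    return degree


def select_diagnosis_target(degree: Dict[int, int]) -> Optional[str]:
    """Fraud handling unit 140: the ECU transmitting the ID with the highest
    degree, or None when every degree is 0 (no abnormality detected)."""
    worst_id = max(degree, key=degree.get)
    return ECU_TABLE[worst_id] if degree[worst_id] > 0 else None


if __name__ == "__main__":
    # Constructed to match the fourth unit time of FIG. 12: the speed frame is
    # falsified to 18.0 km/h while acceleration and gear state are genuine.
    previous = {ID_SPEED: 19.2, ID_ACCEL: 0.10, ID_GEAR: "D"}
    current = {ID_SPEED: 18.0, ID_ACCEL: 0.10, ID_GEAR: "D"}
    results = fraud_determination(current, previous, accel_integral_km_h=20.2)
    degree = degree_of_abnormality(results)
    print("rules satisfied:", results)  # {1: False, 2: False, 3: True}
    print("degree of abnormality:", {hex(k): v for k, v in degree.items()})
    print("diagnostic message to:", select_diagnosis_target(degree))  # ECU 200a
```

Running the block reproduces FIG. 7: rules 1 and 2 fail, ID 0x100 receives degree 2 while 0x200 and 0x300 receive 1 each, and the diagnostic message goes to ECU 200a. The degree count is what separates the falsified ID from the honest IDs that merely appear in the same rules: a single falsified signal breaks every rule that references it, while each honest signal fails only the rules it shares with the falsified one.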
  • FIG. 9 is a configuration diagram of the ECU 200a.
  • the ECU 200a includes a frame transmission / reception unit 201, a frame processing unit 202, a device input / output unit 203, and a frame generation unit 204.
  • Each of these components is a functional component, and each function is realized by a communication circuit in the ECU 200a, a processor that executes a control program stored in a memory, a digital circuit, or the like.
  • the ECU 200b, the ECU 200c, and the ECU 200d have substantially the same configuration as the ECU 200a.
  • the frame transmission / reception unit 201 transmits / receives a frame (data frame or the like) according to the CAN protocol to the bus 300.
  • the frame transmitting / receiving unit 201 receives a data frame from the bus 300 one bit at a time, and when the reception of the data frame is completed without error, transfers information such as ID, DLC, and data in the data frame to the frame processing unit 202. If the frame transmission / reception unit 201 determines that the data frame does not conform to the CAN protocol, the frame transmission / reception unit 201 transmits an error frame. If the frame transmission / reception unit 201 receives an error frame while receiving a data frame, the frame transmission / reception unit 201 discards the data frame thereafter.
  • the frame transmission / reception unit 201 transmits the contents of the frame received from the frame generation unit 204 to the bus 300. Processing in accordance with the CAN protocol such as communication arbitration is also realized in the frame transmission / reception unit 201.
  • the frame processing unit 202 interprets the contents of the received data frame.
  • Taking the ECU 200d, which has the same configuration as the ECU 200a, as an example of the frame processing unit 202: information necessary for updating the display of the instrument panel 240 and the like is notified to the device input/output unit 203 of the ECU 200d.
  • the frame processing unit 202 also performs a predetermined process so that diagnostic information can be transmitted to the bus 300 via the frame transmission/reception unit 201 and received by the monitoring ECU 100.
  • the device input / output unit 203 communicates with devices connected to the ECU 200a, ECU 200b, or ECU 200c.
  • the device input / output unit 203 acquires the current vehicle speed from the speed sensor 210 and notifies the frame generation unit 204 of it.
  • the device input / output unit 203 acquires the current vehicle acceleration from the acceleration sensor 220 and notifies the frame generation unit 204 of the acceleration.
  • the device input / output unit 203 acquires the current gear shift position and notifies the frame generation unit 204 of it.
  • the device input / output unit 203 updates the display of the instrument panel 240 by sending control information to the instrument panel 240 based on the value notified from the frame processing unit 202.
  • the frame generation unit 204 generates a data frame to be transmitted to the bus 300 based on the information notified from the device input / output unit 203, and transmits the generated data frame to the bus via the frame transmission / reception unit 201.
  • the frame generation unit 204 generates, at a predetermined cycle (for example, at an interval of 100 ms), a data frame including the vehicle speed information from the speed sensor 210 notified by the device input/output unit 203, and notifies the frame transmission/reception unit 201 of it.
  • FIG. 10 shows an example of a data frame transmitted by each of the ECU 200a, the ECU 200b, and the ECU 200c.
  • the data frame 401 transmitted by the ECU 200a has an ID of 0x100 and a DLC of 2, and its data field expresses the vehicle speed (in 0.1 km/h units) with 2 bytes, the first byte and the second byte. FIG. 10 shows an example indicating a vehicle speed of 20.0 km/h (0xC8).
  • the data frame 402 transmitted by the ECU 200b has an ID of 0x200 and a DLC of 2, and its data field expresses the acceleration (in 0.01 m/s² units) with 2 bytes, the first byte and the second byte. FIG. 10 shows an example indicating an acceleration of 0.10 m/s².
  • the data frame transmitted by the ECU 200c has an ID of 0x300 and a DLC of 1, and its data field indicates a value representing the state of the gear 230. This value is 0 when the gear 230 is in the “N” (neutral) state, 1 when it is in the “R” (reverse) state, and 2 when it is in the “D” (drive) state.
  • FIG. 10 shows an example indicating that the state of the gear 230 is “D”.
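A decoder and encoder for the three payload layouts just described, as an added example rather than code from the patent. The IDs, DLCs, units and gear codes are those of FIG. 10; the text does not state the byte order of the two-byte fields or whether acceleration is signed, so big-endian and unsigned are assumptions here, as are the class and function names.

```python
"""Encode and decode the CAN data frames of FIG. 10 (added example, not the
patent's code). IDs, DLCs, units and gear codes follow the text; byte order
and the unsigned range of the 2-byte fields are assumptions."""
from dataclasses import dataclass
from typing import Tuple, Union

ID_SPEED, ID_ACCEL, ID_GEAR = 0x100, 0x200, 0x300
EXPECTED_DLC = {ID_SPEED: 2, ID_ACCEL: 2, ID_GEAR: 1}
GEAR_NAMES = {0: "N", 1: "R", 2: "D"}  # neutral, reverse, drive
BYTE_ORDER = "big"  # assumption: the first byte is the most significant one


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes

    @property
    def dlc(self) -> int:
        return len(self.data)


def _u16(raw: int) -> bytes:
    if not 0 <= raw <= 0xFFFF:
        raise ValueError(f"value {raw} does not fit an unsigned 2-byte field")
    return raw.to_bytes(2, BYTE_ORDER)


def encode_speed(km_h: float) -> CanFrame:
    """ID 0x100, DLC 2, vehicle speed in 0.1 km/h units (20.0 km/h -> 0x00C8)."""
    return CanFrame(ID_SPEED, _u16(round(km_h * 10)))


def encode_accel(m_s2: float) -> CanFrame:
    """ID 0x200, DLC 2, acceleration in 0.01 m/s^2 units (0.10 m/s^2 -> 0x000A)."""
    return CanFrame(ID_ACCEL, _u16(round(m_s2 * 100)))


def encode_gear(state: str) -> CanFrame:
    """ID 0x300, DLC 1, gear code 0=N, 1=R, 2=D."""
    codes = {name: code for code, name in GEAR_NAMES.items()}
    return CanFrame(ID_GEAR, bytes([codes[state]]))


def decode(frame: CanFrame) -> Tuple[str, Union[float, str]]:
    """Return (signal name, physical value). A known ID with the wrong DLC or an
    undefined gear code is rejected instead of being guessed at, so a monitoring
    ECU can record it as malformed rather than feed it into the rule checks."""
    if frame.can_id not in EXPECTED_DLC:
        raise ValueError(f"unknown ID 0x{frame.can_id:03X}")
    if frame.dlc != EXPECTED_DLC[frame.can_id]:
        raise ValueError(f"ID 0x{frame.can_id:03X}: DLC {frame.dlc}, "
                         f"expected {EXPECTED_DLC[frame.can_id]}")
    raw = int.from_bytes(frame.data, BYTE_ORDER)
    if frame.can_id == ID_SPEED:
        return "speed_km_h", raw / 10
    if frame.can_id == ID_ACCEL:
        return "accel_m_s2", raw / 100
    if raw not in GEAR_NAMES:
        raise ValueError(f"ID 0x300: undefined gear code {raw}")
    return "gear", GEAR_NAMES[raw]


def is_malformed(frame: CanFrame) -> bool:
    """True when decode() rejects the frame (bad ID, DLC or gear code)."""
    try:
        decode(frame)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for f in (encode_speed(20.0), encode_accel(0.10), encode_gear("D")):
        print(f"ID 0x{f.can_id:03X} DLC {f.dlc} data {f.data.hex()} -> {decode(f)}")
```

The DLC check is deliberate: a frame carrying a known ID with an unexpected length is itself worth recording in the frame reception history rather than being silently truncated or zero-extended before the relationship rules see it.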
  • FIG. 11 is a flowchart illustrating an operation example of the monitoring ECU 100.
  • the monitoring ECU 100 periodically performs fraud detection processing (fraud determination) every predetermined unit time (for example, 100 ms).
  • the monitoring ECU 100 waits until the timing of fraud determination performed periodically (step S1101), and performs fraud determination by monitoring the bus 300 (step S1102).
  • In step S1102, the monitoring ECU 100, by means of the fraud determination unit 130, refers to the frame reception history held in the frame reception history holding unit 160 and determines, for each rule (condition) indicated by the fraud detection rule information held in the fraud detection rule holding unit 170, whether it is satisfied (appropriate) or not (illegal).
  • the monitoring ECU 100, by means of the fraud determination unit 130, records the determination result of step S1102 as the fraud determination result in the fraud determination result holding unit 180, calculates the degree of abnormality according to the fraud determination result, and adds the calculated degree of abnormality to the fraud determination result (step S1103). A calculated degree of abnormality of 0 indicates that no abnormality has been detected, and a degree of abnormality greater than 0 indicates that an abnormality has been detected.
  • the monitoring ECU 100 then discriminates from the degree of abnormality whether an abnormality has been detected, and when an abnormality has been detected it determines the content of the handling process as a response to the fraud by means of the fraud handling unit 140. Specifically, the monitoring ECU 100 acquires information about the ECU that transmits the data frame of the ID with the highest degree of abnormality in the fraud determination result held in the fraud determination result holding unit 180 by referring to the ECU information table of the ECU information table holding unit 190, and thereby identifies that ECU (step S1105); it then transmits a diagnostic message to the identified ECU and confirms the state of the ECU by receiving diagnostic information or the like (step S1106).
  • After step S1106, the monitoring ECU 100 returns to step S1101 and waits for the next fraud determination timing. If it is detected in step S1106 that an abnormality has occurred in the ECU, the monitoring ECU 100 can perform control for coping with it, such as a warning notification to the vehicle driver or an information notification to an external server.
  • FIG. 12 is a diagram illustrating an operation example of monitoring the bus 300 in the in-vehicle network system 10.
  • a data frame with an ID of 0x100 (data frame indicating the vehicle speed), a data frame with an ID of 0x200 (data frame indicating the acceleration), and a data frame with an ID of 0x300 (data frame indicating the gear state) are periodically transmitted to the bus 300 from the ECUs 200a, 200b, and 200c, respectively.
  • FIG. 12 shows an example in which the firmware of the ECU 200a has been illegally rewritten by an attacker, so that from a certain point in time the ECU 200a falsifies the vehicle speed notified from the speed sensor 210 and transmits data frames indicating the unauthorized vehicle speed to the bus 300.
  • the monitoring ECU 100 performs fraud determination (fraud detection processing) periodically with a period of 100 ms, immediately after the timing at which the data frame with the ID of 0x300 is received. Assuming that the fraud determination is performed at the end of each unit time (100 ms), no fraud is detected under any of rule numbers 1 to 3 indicated by the fraud detection rule information held in the fraud detection rule holding unit 170 for the data frames received from the bus 300 in each of the first three unit times. It is assumed that the integrated value of acceleration is 20.0 km/h at the first time point in this example; by receiving the data frames indicating the first to fourth accelerations, the integrated value of acceleration changes in turn to 20.072, 20.144, 20.18, and 20.21 km/h.
  • In the fourth fraud determination, the monitoring ECU 100 detects fraud because the difference (change amount) between the vehicle speed (18.0 km/h) indicated by the fourth received vehicle speed data frame and the integrated value (20.2 km/h) based on the acceleration indicated by the acceleration data frames exceeds 1.0 km/h, so the rule (condition) of rule number 1 is not satisfied. Further, since the gear state indicated by the fourth received data frame is “D” (drive) and the speed change (the difference between the vehicle speed of 18.0 km/h indicated by the fourth received vehicle speed data frame and the vehicle speed of 19.2 km/h indicated by the previously received data frame) exceeds 1.0 km/h, the monitoring ECU 100 detects fraud under rule number 2.
  • Because two rules (conditions) are not satisfied for the data frame with the ID of 0x100, its degree of abnormality is calculated as 2, the highest; the monitoring ECU 100 therefore identifies the ECU 200a, which the ECU information table holding unit 190 holds as the transmission source of the data frame with the ID of 0x100, and transmits a diagnostic message to the ECU 200a.
  • the monitoring ECU 100 detects fraud based on the relationship between the contents of data frames having a plurality of different IDs.
  • the transmission of an illegal data frame can thus be detected from the breakdown of the content relationship between data frames with different IDs. For example, even if an attacker controls one ECU and transmits an illegal data frame, the fraud is detected based on the relationship with the data frames transmitted by other ECUs, which makes it difficult for an attacker to attack.
  • the monitoring ECU 100 narrows down the ID of the illegal data frame and the ECU of its transmission source by calculating the degree of abnormality from the results of the fraud determination under the plurality of conditions indicated by the fraud detection rule information, and so sends diagnostic messages efficiently.
  • narrowing down the ECUs to which diagnostic messages are transmitted is useful for suppressing an increase in the traffic volume of the bus 300, and narrowing down the ECUs by calculating the degree of abnormality is also useful when taking measures other than transmitting diagnostic messages.
  • the monitoring ECU in the in-vehicle network system 11 comprehensively determines a countermeasure process using both a method of detecting the occurrence of a fraud state based on the relationship between the contents of data frames having different IDs (the fraud determination shown in the first embodiment) and a method of detecting the occurrence of an unauthorized state based on a rule (condition) defined for each ID for a data frame having a single ID.
  • FIG. 13 is a diagram showing the overall configuration of the in-vehicle network system 11.
  • the in-vehicle network system 11 includes a bus 300 and nodes connected to the bus 300: the monitoring ECU 2100 and the ECUs 200a, 200b, 200c, 200d, which are connected to various devices such as sensors. In the in-vehicle network system 11, a diagnostic port 2400 is further connected to the bus 300.
  • the in-vehicle network system 11 is the same as the in-vehicle network system 10 (see FIG. 1) shown in the first embodiment except for points that are not particularly described here.
  • components that are the same as those of the in-vehicle network system 10 shown in FIG. 1 are denoted by the same reference numerals as in FIG. 1, and their description is omitted here.
  • the monitoring ECU 2100 is a partial modification of the monitoring ECU 100 shown in the first embodiment.
  • the monitoring ECU 2100 monitors data frames flowing through the bus 300 and determines whether or not an unauthorized data frame has been transmitted (fraud determination and intrusion determination) to detect the occurrence of an unauthorized state. Furthermore, the monitoring ECU 2100 determines the content of the countermeasure process according to the situation in which the unauthorized data frame was transmitted (the results of the fraud determination and the intrusion determination), and performs the countermeasure process.
  • the diagnostic port 2400 is a port that can access the bus 300. Via the diagnostic port 2400, the bus 300 can be accessed by a device such as a diagnostic tool. That is, a diagnosis tool or the like can be connected to the diagnosis port 2400 to diagnose the state of the ECU connected to the bus 300. Since it is possible to transmit / receive data frames to / from the bus 300 from the diagnostic port 2400, it is also conceivable that an attacker transmits an illegal data frame via the diagnostic port 2400. Here, injection (transmission) of an unauthorized data frame to the bus 300 via the diagnostic port 2400 is also referred to as intrusion.
  • FIG. 14 is a configuration diagram of the monitoring ECU 2100.
  • the monitoring ECU 2100 includes a frame transmission/reception unit 110, a frame processing unit 120, a fraud determination unit 130, an intrusion determination unit 2131, an abnormality handling unit 2140, a frame generation unit 150, a frame reception history holding unit 2160, a fraud detection rule holding unit 170, an intrusion detection rule holding unit 2171, a fraud determination result holding unit 180, an intrusion determination result holding unit 2181, an ECU information table holding unit 190, and an abnormality correspondence table holding unit 2191.
  • In FIG. 14, components having the same functions as those in the first embodiment are denoted by the same reference numerals as in FIG. 4.
  • Each component of the monitoring ECU 2100 illustrated in FIG. 14 can be realized by a storage medium such as a memory of the monitoring ECU 2100, a communication circuit, a processor that executes a program stored in the memory, or the like.
  • the intrusion determination unit 2131 periodically, with a predetermined unit time (for example, 100 ms) as the cycle, performs intrusion determination, that is, determines whether or not an illegal data frame has been injected into the bus 300 from outside, based on the intrusion detection rule information held by the intrusion detection rule holding unit 2171 and the frame reception history held by the frame reception history holding unit 2160.
  • the intrusion determination unit 2131 updates the intrusion determination result held by the intrusion determination result holding unit 2181 based on the result of the intrusion determination.
  • the intrusion determination unit 2131 notifies the abnormality handling unit 2140 that an intrusion has been detected when it is determined as an intrusion as a result of the intrusion determination, that is, when an abnormality has been detected.
  • When the abnormality handling unit 2140 is notified by the fraud determination unit 130 or the intrusion determination unit 2131 that fraud or an intrusion has been detected (occurrence of an abnormality), it refers to the fraud determination result stored in the fraud determination result holding unit 180, the intrusion determination result stored in the intrusion determination result holding unit 2181, the ECU information table stored in the ECU information table holding unit 190, and the abnormality correspondence table stored in the abnormality correspondence table holding unit 2191, and determines the content of the countermeasure processing as a response to the abnormality. Once the handling process is determined, the abnormality handling unit 2140 performs control for executing it.
  • For example, when the abnormality handling unit 2140 acquires a fraud determination result that the data frame with a specific ID is abnormal (for example, illegal and with the highest calculated degree of abnormality) and an intrusion determination result that an intrusion was detected for the data frame with that ID, there is a high possibility that an unauthorized data frame is being injected through the diagnostic port 2400; it therefore requests the frame generation unit 150 to generate a data frame for transmission that prompts the user (such as the driver) to confirm whether an unauthorized device is connected to the diagnostic port 2400. Further, for example, when the abnormality handling unit 2140 acquires an intrusion determination result that no intrusion of the data frame with the specific ID was detected together with a fraud determination result that an abnormality of that data frame was detected, it is highly likely that the firmware of an ECU has been illegally rewritten; referring to the ECU information table, it requests the frame generation unit 150 to generate a diagnostic message for the ECU that transmits the corresponding data frame.
  • the frame reception history holding unit 2160 holds a frame reception history (see FIG. 15) that is information on data frames received sequentially by the monitoring ECU 2100.
  • the intrusion detection rule holding unit 2171 holds intrusion detection rule information (see FIG. 16) indicating the conditions defined for each ID for the data frame of a single ID that the intrusion determination unit 2131 refers to for intrusion determination.
  • the intrusion determination result holding unit 2181 holds the intrusion determination result (see FIG. 17) as a result of determining whether or not the intrusion determination unit 2131 satisfies the condition indicated by the intrusion detection rule information.
  • the abnormality correspondence table holding unit 2191 holds an abnormality correspondence table (see FIG. 18) that is used to determine the content of the appropriate countermeasure processing for the occurrence of fraud or an intrusion according to the fraud determination result and the intrusion determination result.
  • FIG. 15 shows an example of a frame reception history held by the frame reception history holding unit 2160.
  • the frame reception history is information relating to the contents of the data frame received by the monitoring ECU 2100 from the past to the present.
  • FIG. 15 shows, for each of the three IDs in the frame reception history, the reception time of each data frame received from the latest (current) one back to the one received two times before, and the specific value (vehicle speed, acceleration, or gear state) indicated by the content of that data frame.
  • For the data frames with ID 0x100 relating to vehicle speed, the latest data frame was received at 210 ms and indicates a vehicle speed of 18.0 km/h; the data frame received before it indicates 19.2 km/h; and the one received before that, at 10 ms, indicates 19.6 km/h.
  • the reception times of the acceleration data frames from the latest back to two times before are 220 ms, 120 ms, and 20 ms, respectively, and the acceleration values they indicate are 0.10 m/s², 0.10 m/s², and 0.20 m/s², respectively.
  • the reception times of the gear state data frames from the latest back to two times before are 230 ms, 130 ms, and 30 ms, respectively, and the state values all indicate the state of “D” (drive).
  • This frame reception history is used in the fraud determination by the fraud determination unit 130 and in the intrusion determination by the intrusion determination unit 2131.
  • the frame reception history is the information necessary for the fraud determination performed by the fraud determination unit 130 using the fraud detection rule information, and may also include the information required for the intrusion determination performed by the intrusion determination unit 2131 using the intrusion detection rule information.
  • the frame reception history may be information indicating the contents of all the data frames received by the monitoring ECU 2100 after the vehicle starts to travel (for example, when the engine is started).
  • the frame reception history holding unit 2160 may have, for example, one area for storing an integral value of acceleration.
  • FIG. 16 shows an example of intrusion detection rule information held by the intrusion detection rule holding unit 2171.
  • the intrusion detection rule information includes a condition (rule) that should be satisfied for a data frame having the ID for each ID. Whether or not the condition indicated by the intrusion detection rule information is satisfied is checked by the intrusion determination unit 2131 for intrusion determination.
  • the intrusion determining unit 2131 detects an intrusion by detecting a data frame that does not satisfy this condition.
  • the intrusion detection rule information indicates a reception interval, a margin, and a data change amount for defining a condition for each ID.
  • the reception interval indicates the interval at which data frames with the corresponding ID are received, and the margin indicates the allowable range of fluctuation of that interval.
  • for the data frame with ID 0x100, the reception interval is 100 ms and the margin is 5 ms, so the condition is that the interval at which data frames with ID 0x100 are received lies within the range of 95 ms to 105 ms. If the condition is satisfied, the intrusion determination is normal (not intrusion); if it is not satisfied, the intrusion determination is abnormal (intrusion detected).
  • the data change amount is the upper limit on the change (difference) between the data value extracted from the data field of the previously received data frame with the corresponding ID and the data value extracted from the data field of the currently received data frame with that ID.
  • the data change amount for the data frame with ID 0x100 (vehicle speed) is 2 km/h, so if the change between consecutively received data frames with ID 0x100 is within 2 km/h, the upper-limit condition is satisfied and the intrusion determination is normal (not intrusion).
  • for example, after the monitoring ECU 2100 receives a data frame with ID 0x100 indicating a vehicle speed of 19.2 km/h, the next data frame with ID 0x100 is determined to be normal if its vehicle speed value is within 17.2 to 21.2 km/h. If this condition is not satisfied, the intrusion determination is abnormal (intrusion).
  • as the condition for data frames with ID 0x200, a reception interval of 100 ms, a margin of 5 ms and a data change amount of 5 m/s^2 are defined.
  • as the condition for data frames with ID 0x300, a reception interval of 100 ms and a margin of 5 ms are defined, but no data change amount is defined, which means there is no condition regarding the data change amount.
  • it is useful to define the condition for data frames of each ID in the intrusion detection rule information so that, when an illegal data frame with that ID is injected from the outside while normal data frames with that ID are being transmitted periodically, the condition fails because the injected frames interleave with the normal data frames. In the example of FIG. 16, the conditions are defined in view of the possibility that the conditions on the reception interval and the data change amount will not be satisfied when normal data frames and illegal data frames injected from the outside are mixed.
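As an added illustration (not code from the patent or from the applicant), the following Python evaluates per-ID intrusion rules with the three parameters described above (reception interval, margin, data change amount) over a constructed frame reception history that includes one acceleration frame injected at 170 ms. The rule values follow the FIG. 16 example; the function names, data structures and sample values are assumptions.

```python
# Added example, not part of the patent: evaluating per-ID intrusion detection
# rules of the kind FIG. 16 describes (reception interval, margin, data change
# amount) over a constructed frame reception history. Names and values are
# illustrative assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IntrusionRule:
    interval_ms: int             # expected reception interval for this ID
    margin_ms: int               # allowed fluctuation of that interval
    max_change: Optional[float]  # upper limit on |current - previous|; None = no condition


# Rule table following the FIG. 16 example: 0x100 vehicle speed (km/h),
# 0x200 acceleration (m/s^2), 0x300 gear state (no data change condition).
RULES = {
    0x100: IntrusionRule(100, 5, 2.0),
    0x200: IntrusionRule(100, 5, 5.0),
    0x300: IntrusionRule(100, 5, None),
}


def allowed_next_range(rule, prev_value):
    """Value range the next frame may carry without violating the data change condition."""
    if rule.max_change is None:
        return None
    return (prev_value - rule.max_change, prev_value + rule.max_change)


def check_frame(rule, prev, cur):
    """Return the names of the conditions `cur` violates relative to `prev`
    (the previously received frame of the same ID). Frames are (time_ms, value).
    The first frame of an ID has no predecessor and cannot violate anything."""
    violations = []
    if prev is None:
        return violations
    interval = cur[0] - prev[0]
    lo, hi = rule.interval_ms - rule.margin_ms, rule.interval_ms + rule.margin_ms
    if not lo <= interval <= hi:
        violations.append("interval")
    if rule.max_change is not None and abs(cur[1] - prev[1]) > rule.max_change:
        violations.append("data_change")
    return violations


def intrusion_determination(history):
    """history: {id: [(time_ms, value), ...]}, oldest first, as the frame reception
    history holding unit would keep it. Returns {id: "normal" | "abnormal"}."""
    result = {}
    for can_id, frames in history.items():
        rule = RULES[can_id]
        abnormal = any(check_frame(rule, prev, cur)
                       for prev, cur in zip([None] + frames[:-1], frames))
        result[can_id] = "abnormal" if abnormal else "normal"
    return result


# Constructed history: the periodic frames of the reception history example
# above plus one acceleration frame injected at 170 ms (the FIG. 20 scenario).
SAMPLE_HISTORY = {
    0x100: [(10, 19.6), (110, 19.2), (210, 18.0)],
    0x200: [(20, 0.20), (120, 0.10), (170, -1.50), (220, 0.10)],
    0x300: [(30, "D"), (130, "D"), (230, "D")],
}

if __name__ == "__main__":
    for can_id, verdict in intrusion_determination(SAMPLE_HISTORY).items():
        print(f"ID 0x{can_id:X}: {verdict}")
```

Note that the injected acceleration frame trips only the interval condition (its value, -1.50, is within the 5 m/s^2 change limit), which is why the text pairs this check with the cross-ID fraud determination: a per-ID rule alone cannot tell a plausible-looking injected value from a genuine one.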
  • FIG. 17 shows an example of the intrusion determination result held by the intrusion determination result holding unit 2181.
  • the intrusion determination result indicates, for each ID of data frame, whether the intrusion determination unit 2131 determined the data frames with that ID to be normal (not intrusion) or abnormal (intrusion detected) based on the condition relating to data frames of that ID.
  • in this example, the intrusion determination unit 2131 determines the data frame with ID 0x100 to be normal, the data frame with ID 0x200 to be abnormal, and the data frame with ID 0x300 to be normal.
  • FIG. 18 shows an example of the abnormality correspondence table held by the abnormality correspondence table holding unit 2191.
  • the abnormality handling unit 2140 determines the content of the countermeasure processing as a response to the abnormality based on the fraud determination result and the intrusion determination result.
  • the correspondence changes depending on the combination of the fraud determination result and the intrusion determination result.
  • when the fraud determination result is normal (for example, the degree of abnormality is 0) and the intrusion determination result is normal, the abnormality correspondence table specifies no particular countermeasure process (no action is taken).
  • the abnormality correspondence table of this example shows that when the fraud determination result is abnormal (for example, the degree of abnormality is greater than 0) and the intrusion determination result is normal, the countermeasure process is to check the situation by sending a diagnostic message to the ECU corresponding to the transmission source of the abnormal data frame.
  • sending the diagnostic message to the relevant ECU is a useful process here because the relationship between the contents of data frames with different IDs is broken although no illegal message (attack data frame) has been injected from the outside, which means the firmware of the corresponding ECU may have been illegally rewritten.
  • the abnormality correspondence table of this example shows that when the fraud determination result is normal and the intrusion determination result is abnormal, the countermeasure process is a notification prompting the user to check the interface for connecting an external device, such as the diagnostic port 2400.
  • this notification to the user is a useful process because, although the attacker has not taken control of an ECU by rewriting its firmware, an attack attempt such as retransmitting a normal message from the outside may be under way.
  • the notification to the user can be realized, for example, by the monitoring ECU 2100 transmitting a data frame with a predetermined ID to the bus 300, and the ECU 200d, on receiving the data frame with that predetermined ID, controlling the instrument panel 240 to display a predetermined message.
  • the abnormality correspondence table of this example performs notification that prompts the user to confirm an interface for connecting an external device such as the diagnostic port 2400 when the fraud determination result is abnormal and the intrusion determination result is also abnormal. And transmitting a frame (abnormality notification message) for notifying each ECU that an abnormality has occurred is the content of the countermeasure process. This is an example of a response to a case where there is a possibility that an attack frame is injected from the outside and the ECU is controlled and the risk of control of the vehicle is high.
  • each ECU in the in-vehicle network system 11 can be configured to perform predetermined security measures (for example, traveling control such as decelerating and stopping the vehicle, or degrading the automatic traveling function) when it receives the abnormality notification message.
  • FIG. 19 is a flowchart illustrating an operation example of the monitoring ECU 2100.
  • the monitoring ECU 2100 periodically performs fraud detection processing (fraud determination) and intrusion detection processing (intrusion determination), for example, every 100 ms.
  • the monitoring ECU 2100 waits until the timing of fraud determination performed periodically (step S2101), and performs fraud determination by monitoring the bus 300 (step S2102).
  • in step S2102, the fraud determination unit 130 of the monitoring ECU 2100 refers to the frame reception history held in the frame reception history holding unit 2160 and determines, for each rule (condition) indicated by the fraud detection rule information held in the fraud detection rule holding unit 170, whether the rule is satisfied (appropriate) or not (illegal).
  • the fraud determination unit 130 stores the fraud determination result in the fraud determination result holding unit 180 and adds the abnormality degree calculation result to the fraud determination result.
  • the monitoring ECU 2100 performs intrusion determination (step S2103).
  • in step S2103, the intrusion determination unit 2131 of the monitoring ECU 2100 refers to the frame reception history held in the frame reception history holding unit 2160 and determines whether each ID is normal or abnormal (intrusion detected) based on whether the condition indicated by the intrusion detection rule information held in the intrusion detection rule holding unit 2171 is satisfied.
  • the intrusion determination unit 2131 stores the intrusion determination result in the intrusion determination result holding unit 2181.
  • the monitoring ECU 2100 determines the content of the handling process according to the abnormality handling table held by the abnormality handling table holding unit 2191 (step S2104).
  • the monitoring ECU 2100 executes the processing for the content determined in step S2104 (step S2105), and proceeds to step S2101. Note that the monitoring ECU 2100 does not particularly perform the countermeasure process when both the fraud determination result and the intrusion determination result are normal.
  • FIG. 20 shows a first operation example of monitoring the bus 300 in the in-vehicle network system 11.
  • a data frame with ID 0x100 (indicating the vehicle speed), a data frame with ID 0x200 (indicating the acceleration) and a data frame with ID 0x300 (indicating the gear state) are periodically transmitted to the bus 300 by the ECUs 200a, 200b and 200c respectively.
  • This example further shows an example in which an illegal data frame having an ID of 0x200 is injected (transmitted) from the diagnostic port 2400 by an attacker at a certain point in time.
  • the monitoring ECU 2100 monitors the bus 300, and when an illegal data frame with ID 0x200 (indicating an acceleration of -1.50) is injected from the diagnostic port 2400, the condition of rule number 3 in the fraud detection rule information (see FIG. 6), which relates the gear state "D" to the amount of change in acceleration, is no longer satisfied. The monitoring ECU 2100 therefore determines that the frame is illegal in the fraud determination and detects an abnormality.
  • at the same time the reception interval of the data frame with ID 0x200 becomes 50 ms, so the condition specified by the reception interval and margin for ID 0x200 in the intrusion detection rule information (see FIG. 16) is not satisfied, and the monitoring ECU 2100 detects an abnormality in the intrusion determination as well.
  • because an abnormality is detected in both the fraud determination and the intrusion determination, the monitoring ECU 2100 follows the abnormality correspondence table (see FIG. 18) and executes the countermeasure processes (such as transmission of predetermined data frames) that prompt the user to check the diagnostic port 2400 and notify each ECU that an abnormality has occurred in the in-vehicle network.
  • FIG. 21 shows an operation example 2 of monitoring the bus 300 in the in-vehicle network system 11.
  • the ECU 200a, the ECU 200b and the ECU 200c periodically transmit to the bus 300 a data frame indicating the vehicle speed, a data frame indicating the acceleration and a data frame indicating the gear state, respectively.
  • This example further shows an example in which an unauthorized data frame having an ID of 0x100 is injected (transmitted) from the diagnostic port 2400 by an attacker at a certain point in time.
  • the reception interval of the data frame with ID 0x100 becomes 80 ms, so the condition specified by the reception interval and margin for ID 0x100 in the intrusion detection rule information is not satisfied.
  • the fraud determination in the monitoring ECU 2100 does not determine fraud (no abnormality is detected), but an abnormality is detected in the intrusion determination. Since the abnormality is detected only by the intrusion determination, the monitoring ECU 2100 follows the abnormality correspondence table (see FIG. 18) and executes the countermeasure process (such as transmission of a predetermined data frame) that prompts the user to check the diagnostic port 2400.
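As an added illustration (not code from the patent), the following Python runs one monitoring cycle of the FIG. 19 kind (fraud determination, intrusion determination, then response selection from the FIG. 18 table) over constructed bus traces for the two operation examples above plus the firmware-tampering row of the table. The fraud rule is a hypothetical stand-in for rule number 3 (the page states only that it relates the gear state "D" to the change in acceleration, not its threshold), the intrusion determination is reduced to the reception interval condition, and all names and values are assumptions.

```python
# Added example, not part of the patent: one monitoring cycle of the kind FIG. 19
# describes (fraud determination, intrusion determination, then the FIG. 18
# response table), run over constructed bus traces for the FIG. 20 and FIG. 21
# scenarios and one more row the table covers. The fraud rule below is a
# hypothetical stand-in: the page only says rule number 3 relates the gear state
# "D" to the change in acceleration, and does not give its threshold.
from collections import defaultdict

SPEED, ACCEL, GEAR = 0x100, 0x200, 0x300
PERIOD_MS, MARGIN_MS = 100, 5      # reception interval and margin of FIG. 16
MAX_ACCEL_CHANGE_IN_D = 1.0        # assumed threshold for the stand-in rule 3 (m/s^2)


def by_id(trace):
    """Group a bus trace [(time_ms, id, value), ...] into a per-ID reception history."""
    hist = defaultdict(list)
    for t, can_id, value in sorted(trace, key=lambda f: f[0]):
        hist[can_id].append((t, value))
    return hist


def fraud_determination(hist):
    """Cross-ID check. Returns {id: degree of abnormality}, counting every rule
    violation against each ID the rule references (the pattern of FIG. 26)."""
    degree = {SPEED: 0, ACCEL: 0, GEAR: 0}
    gear = hist[GEAR][-1][1] if hist[GEAR] else None
    accel = hist[ACCEL]
    for (_, prev), (_, cur) in zip(accel, accel[1:]):
        if gear == "D" and abs(cur - prev) > MAX_ACCEL_CHANGE_IN_D:
            degree[ACCEL] += 1
            degree[GEAR] += 1
    return degree


def intrusion_determination(hist):
    """Per-ID check, reduced here to the reception interval condition."""
    result = {}
    for can_id, frames in hist.items():
        ok = all(PERIOD_MS - MARGIN_MS <= b[0] - a[0] <= PERIOD_MS + MARGIN_MS
                 for a, b in zip(frames, frames[1:]))
        result[can_id] = "normal" if ok else "abnormal"
    return result


def countermeasure(fraud_degree, intrusion):
    """The four rows of the FIG. 18 abnormality correspondence table."""
    fraud_ids = [i for i, d in fraud_degree.items() if d > 0]
    intr_ids = [i for i, r in intrusion.items() if r == "abnormal"]
    actions = []
    if fraud_ids and not intr_ids:
        # relation between IDs broken, nothing injected: suspect rewritten firmware
        actions += [f"send diagnostic message to source ECU of ID 0x{i:X}" for i in fraud_ids]
    elif intr_ids and not fraud_ids:
        # injection suspected, contents still consistent: e.g. replay of a normal frame
        actions.append("notify user: check external interface (diagnostic port)")
    elif fraud_ids and intr_ids:
        actions.append("notify user: check external interface (diagnostic port)")
        actions.append("send abnormality notification message to all ECUs")
    return actions  # empty list: both results normal, no action


def run_cycle(trace):
    hist = by_id(trace)
    fraud, intrusion = fraud_determination(hist), intrusion_determination(hist)
    return fraud, intrusion, countermeasure(fraud, intrusion)


# Constructed traces. BASE is the periodic traffic of ECUs 200a, 200b and 200c.
BASE = [(10, SPEED, 19.6), (20, ACCEL, 0.20), (30, GEAR, "D"),
        (110, SPEED, 19.2), (120, ACCEL, 0.10), (130, GEAR, "D"),
        (210, SPEED, 18.0), (220, ACCEL, 0.10), (230, GEAR, "D")]
FIG20_TRACE = BASE + [(170, ACCEL, -1.50)]   # injected acceleration frame
FIG21_TRACE = BASE + [(190, SPEED, 18.4)]    # injected, plausible-looking speed frame
# ECU 200b with rewritten firmware: correct period, inconsistent content
TAMPERED_TRACE = [f for f in BASE if f[0] != 220] + [(220, ACCEL, -1.50)]

if __name__ == "__main__":
    for name, trace in [("base", BASE), ("fig20", FIG20_TRACE),
                        ("fig21", FIG21_TRACE), ("tampered", TAMPERED_TRACE)]:
        print(name, run_cycle(trace))
```

The three traces land in three different rows of the table: the FIG. 20 injection trips both determinations, the FIG. 21 injection only the interval check, and the tampered ECU only the cross-ID rule. In the last case the frames arrive on time, so a timing-only detector would see nothing; that is the gap the fraud determination closes.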
  • in addition to the fraud determination, which detects fraud based on the relationship between the contents of data frames with different IDs, the monitoring ECU 2100 performs an intrusion determination that detects an intrusion in data frames of a single ID based on conditions defined for each ID.
  • the content of the countermeasure process is determined according to the combination of the fraud determination result and the intrusion determination result, and the countermeasure process is executed.
  • transmission of an illegal data frame can be detected from the collapse of the relationship between the contents of data frames with different IDs. For example, even if an attacker takes control of an ECU and transmits an illegal data frame, the fraud is detected from its relationship with the data frames transmitted by other ECUs, which makes the attack harder for the attacker. Furthermore, even when an attacker injects an illegal data frame from the outside, it can be detected appropriately, and a response suited to the attack situation can be made according to the combination of the fraud determination result and the intrusion determination result.
  • the monitoring ECU in the in-vehicle network system 12 uses a method for detecting the occurrence of an illegal state based on the relationship between the contents of data frames with different IDs, a method for detecting an intrusion in data frames of a single ID based on conditions defined for each ID, and a method for determining the success or failure of verification of a message authentication code (MAC) attached to a data frame, and decides the countermeasure process from all three.
  • FIG. 22 is a diagram illustrating the overall configuration of the in-vehicle network system 12.
  • the in-vehicle network system 12 includes the bus 300 and the nodes connected to it: the monitoring ECU 3100, ECUs such as the ECU 3200a, the ECU 3200b, the ECU 3200c and the ECU 3200d that are connected to various devices such as sensors, and the diagnostic port 2400.
  • the in-vehicle network system 12 is the same as the in-vehicle network system 11 (see FIG. 13) shown in the second embodiment except for the points described here; the components that are the same as in the in-vehicle network system 11 are given in FIG. 22 the same reference numerals as in FIG. 13, and their description is omitted here.
  • the monitoring ECU 3100 is a partial modification of the monitoring ECU 2100 shown in the second embodiment.
  • the monitoring ECU 3100 monitors the data frames flowing through the bus 300 and determines whether an illegal data frame has been transmitted (fraud determination and intrusion determination) in order to detect the occurrence of an illegal state. Further, the monitoring ECU 3100 verifies the MAC attached to each data frame flowing through the bus 300, decides the content of the countermeasure process according to the MAC verification result and the situation in which the illegal data frame was transmitted (the results of the fraud determination and the intrusion determination), and executes that countermeasure process.
  • ECU 3200a, ECU 3200b, ECU 3200c, and ECU 3200d are connected to bus 300, and are connected to speed sensor 210, acceleration sensor 220, gear 230, and instrument panel 240, respectively.
  • the ECU 3200a periodically acquires the speed of the vehicle from the speed sensor 210, and periodically transmits a data frame including information indicating the acquired speed and the MAC to the bus 300.
  • ECU 3200b periodically acquires the acceleration of the vehicle from acceleration sensor 220, and periodically transmits a data frame including information indicating the acquired acceleration and MAC to bus 300.
  • the ECU 3200c periodically acquires the state of the gear 230, and periodically transmits a data frame including information indicating the state of the gear 230 and the MAC to the bus 300.
  • the ECU 3200d receives each data frame including information indicating the speed of the vehicle or information indicating the state of the gear, verifies the MAC attached to the data frame, and updates the information displayed on the instrument panel 240 only if the verification succeeds (that is, if the MAC is confirmed to be valid).
  • the monitoring ECU 3100, ECU 3200a, ECU 3200b, ECU 3200c, and ECU 3200d share a common secret key, and generate and verify a MAC by, for example, an AES (Advanced Encryption Standard) -CMAC (Cipher-based MAC) algorithm.
  • FIG. 23 is a configuration diagram of the monitoring ECU 3100.
  • the monitoring ECU 3100 includes a frame transmission / reception unit 110, a frame processing unit 120, a fraud determination unit 3130, an intrusion determination unit 3131, an abnormality handling unit 3140, a frame generation unit 150, a MAC verification unit 3500, and a MAC generation unit 3510.
  • Each component of the monitoring ECU 3100 shown in FIG. 23 can be realized by a storage medium such as a memory of the monitoring ECU 3100, a communication circuit, a processor that executes a program stored in the memory, or the like.
  • the fraud determination unit 3130 is a partial modification of the fraud determination unit 130 shown in the first embodiment. It performs the fraud determination (whether an illegal data frame has been received, that is, whether an illegal data frame has been transmitted) periodically, with a predetermined unit time (for example, 100 ms) as the cycle, based on the fraud detection rule information held by the fraud detection rule holding unit 170 and the frame reception history held by the frame reception history holding unit 3160, which includes the MAC verification results.
  • the fraud determination unit 3130 is the same as the fraud determination unit 130, unless otherwise specified.
  • the fraud determination unit 3130 updates the fraud determination result held by the fraud determination result holding unit 3180 based on the fraud determination result. Also, the fraud determination unit 3130 notifies the abnormality handling unit 3140 that fraud has been detected when it is determined as fraud as a result of the fraud determination (that is, when the occurrence of a fraud state is detected).
  • the intrusion determination unit 3131 performs the intrusion determination (whether an illegal data frame has been injected into the bus 300 from the outside) periodically, with a predetermined unit time (for example, 100 ms) as the cycle, based on the intrusion detection rule information held by the intrusion detection rule holding unit 2171 and the frame reception history held by the frame reception history holding unit 3160. The intrusion determination unit 3131 updates the intrusion determination result held by the intrusion determination result holding unit 3181 based on the result of the intrusion determination, and notifies the abnormality handling unit 3140 that an intrusion has been detected when the intrusion determination determines an intrusion, that is, when an abnormality has been detected.
  • when notified by the fraud determination unit 3130 or the intrusion determination unit 3131 that fraud or an intrusion has been detected (an abnormality has occurred), the abnormality handling unit 3140 refers to the fraud determination result stored in the fraud determination result holding unit 3180, the intrusion determination result stored in the intrusion determination result holding unit 3181, the ECU information table stored in the ECU information table holding unit 190 and the abnormality correspondence table stored in the abnormality correspondence table holding unit 3191, and decides the content of the countermeasure process as the response to the abnormality. Once the countermeasure process is decided, the abnormality handling unit 3140 performs control for executing it.
  • for example, when the MAC verification succeeds but the fraud determination result indicates an abnormality and the intrusion determination result does not, it is highly likely that the firmware of the ECU has been illegally rewritten and that the authentication key (the secret key used for generating the MAC) is being misused, so the abnormality handling unit 3140 requests the frame generation unit 150 to generate a diagnostic message to be transmitted to the ECU that is the transmission source of the data frame related to the abnormality, and also requests the frame generation unit 150 to generate a predetermined update message (update data frame) to be transmitted to prompt the other ECUs to update the secret key.
  • the MAC verification unit 3500 includes a MAC generation unit 3510 and a MAC comparison unit 3520 as shown in FIG.
  • the MAC generation unit 3510 includes a data processing unit 3511, an AES encryption unit 3512, and a secret key holding unit 3513.
  • the data processing unit 3511 extracts from the received data frame the portion that is defined as the input for generating the MAC (for example, it concatenates the ID with the part of the data field other than the MAC) and performs processing such as padding so that the input matches the input size of the AES encryption unit 3512.
  • the AES encryption unit 3512 is implemented, for example, as an encryption function; it encrypts the data processed by the data processing unit 3511 using the secret key held by the secret key holding unit 3513, generates the resulting value as the MAC, and notifies it to the MAC comparison unit 3520.
  • the data processing unit 3511 may include, in the data to be encrypted, a counter value that is sequentially counted up as a countermeasure against retransmission attacks.
  • the MAC comparison unit 3520 determines whether the MAC notified from the MAC generation unit 3510 is equal to the MAC included in the data field of the received data frame.
  • the MAC verification unit 3500 outputs a verification result indicating that the MAC is valid (verification succeeded) when the comparison by the MAC comparison unit 3520 finds the two MACs equal, and a verification result indicating that the MAC is invalid (verification failed) when they are not equal. The MAC verification result of the MAC verification unit 3500 is notified to the frame processing unit 120 together with the information on the data frame received by the frame transmission / reception unit 110. The frame processing unit 120 updates the information on each data frame stored in the frame reception history holding unit 3160 (the frame reception history) based on the acquired data frame information and the MAC verification result.
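As an added illustration (not the patent's or any ECU vendor's code), the following Python shows the generation and verification steps described above with a per-ID counter as the countermeasure against retransmission. The page names AES-CMAC as the algorithm; this example substitutes HMAC-SHA256 from the Python standard library so it runs offline without third-party packages, and the key, the 4-byte tag truncation, the counter window and the payload encoding are all assumptions.

```python
# Added example, not part of the patent: MAC generation (sender ECU) and
# verification (monitoring ECU) of the kind described above, with a per-ID
# counter as the countermeasure against retransmission. The page names
# AES-CMAC as the algorithm; this example substitutes HMAC-SHA256 from the
# Python standard library so it runs offline without third-party packages.
# Key, tag length, counter window and message layout are assumptions.
import hashlib
import hmac
import struct

MAC_LEN = 4          # bytes of the tag that fit in the 8-byte data field (assumed)
COUNTER_WINDOW = 8   # how many lost frames the receiver tolerates before desync
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key


def compute_mac(key, can_id, payload, counter):
    """Tag over ID || counter || payload, truncated to MAC_LEN. Binding the ID stops a
    tag from being moved to another ID; the counter makes each tag single-use."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key, can_id, payload, counter):
    """Sender side: the data field carries payload || tag. The counter itself is
    not sent; sender and receiver keep it in step."""
    return can_id, payload + compute_mac(key, can_id, payload, counter)


class MacVerifier:
    def __init__(self, key):
        self.key = key
        self.last_counter = {}   # last accepted counter per ID

    def verify(self, can_id, data):
        """Return True if the tag matches the next expected counter (or one within
        COUNTER_WINDOW after it). A replayed frame reuses a consumed counter, so it
        fails even though its tag was once valid; a wrong key always fails."""
        payload, tag = data[:-MAC_LEN], data[-MAC_LEN:]
        base = self.last_counter.get(can_id, 0)
        for ctr in range(base + 1, base + 1 + COUNTER_WINDOW):
            if hmac.compare_digest(compute_mac(self.key, can_id, payload, ctr), tag):
                self.last_counter[can_id] = ctr
                return True
        return False


def decode_speed(payload):
    """Speed payload: unsigned 16-bit value in units of 0.1 km/h (assumed encoding)."""
    return struct.unpack(">H", payload)[0] / 10


def receive(verifier, time_ms, can_id, data):
    """One row of the frame reception history: reception time, MAC result, value."""
    return (time_ms, verifier.verify(can_id, data), decode_speed(data[:-MAC_LEN]))


if __name__ == "__main__":
    v = MacVerifier(SHARED_KEY)
    frame = build_frame(SHARED_KEY, 0x100, struct.pack(">H", 192), 1)
    print(receive(v, 110, *frame))   # genuine frame: MAC valid
    print(receive(v, 150, *frame))   # same bytes replayed from the diagnostic port: MAC invalid
```

Two points a practitioner would check here: the comparison uses `hmac.compare_digest` rather than `==`, so verification time does not leak how many tag bytes matched, and the counter is part of the authenticated input but is never transmitted, so a frame resent later is rejected as soon as its counter has been consumed. The window keeps a single lost frame from desynchronizing the two sides; the counter reset that the abnormality correspondence table's key update process performs is how the design recovers when they drift further apart.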
  • the frame reception history holding unit 3160 holds a frame reception history (see FIG. 25) that is information on the data frames sequentially received by the monitoring ECU 3100 and is information including a MAC verification result.
  • the fraud determination result holding unit 3180 holds the fraud determination result (see FIG. 26) as a result of the fraud determination unit 3130 determining whether or not the rule (condition) indicated by the fraud detection rule information is met.
  • the intrusion determination result holding unit 3181 holds the intrusion determination result (see FIG. 27) as a result of determining whether or not the intrusion determination unit 3131 satisfies the condition indicated by the intrusion detection rule information.
  • the abnormality correspondence table holding unit 3191 holds the abnormality correspondence table (see FIG. 28) used to decide the content of the appropriate countermeasure process for the occurrence of fraud or an intrusion according to the fraud determination result, the intrusion determination result and the MAC verification result.
  • FIG. 25 shows an example of a frame reception history held by the frame reception history holding unit 3160.
  • the frame reception history is information on the contents of the data frames received by the monitoring ECU 3100 from the past to the present and on their MAC verification results.
  • for each ID, it shows the reception times of the latest data frame, of the one received one time before and of the one received two times before, the MAC verification result for each, and the specific values indicated by the contents of the data frame (the vehicle speed, the acceleration and the gear state).
  • for ID 0x100, the latest data frame was received at 210 ms, its MAC is valid, and it indicates a vehicle speed of 18.0 km/h.
  • the data frame received one time before was received at 110 ms, its MAC is valid, and it indicates a vehicle speed of 19.2 km/h.
  • the data frame received two times before was received at 10 ms, its MAC is invalid, and it indicates a vehicle speed of 0.0 km/h.
  • for the data frames with ID 0x200, the reception times from the latest back to two times before are 220 ms, 120 ms and 20 ms respectively, the acceleration values indicated by those data frames are 0.10 m/s^2, 0.10 m/s^2 and 0.20 m/s^2 respectively, and all the MACs are valid.
  • for the data frames with ID 0x300, the reception times from the latest back to two times before are 230 ms, 130 ms and 30 ms respectively.
  • the gear state values all indicate the state "D" (drive), and all the MACs are valid.
  • This frame reception history is used in fraud determination by the fraud determination unit 3130 and intrusion determination by the intrusion determination unit 3131.
  • the frame reception history is information necessary for fraud determination performed by the fraud determination unit 3130 using fraud detection rule information.
  • the information required in the intrusion determination performed by the intrusion determination unit 3131 using the intrusion detection rule information may be included.
  • the frame reception history may be information indicating the contents of all data frames received by the monitoring ECU 3100 after the vehicle starts to travel (for example, when the engine is started).
  • the frame reception history holding unit 3160 may have one area for storing the integral value of acceleration, for example.
  • FIG. 26 shows an example of the fraud determination result held by the fraud determination result holding unit 3180.
  • the fraud determination result indicates, for each ID of data frame (left end of the figure), whether the fraud determination unit 3130 determined the data frame to be fraudulent or not (appropriate) based on the conditions relating to the relationship between the data frame of that ID and data frames of other IDs.
  • a rule number for a rule (condition) in fraud detection rule information used for the determination is appended.
  • for the data frame with ID 0x100, the example shows that the fraud determination unit 3130 determined the conditions of rule number 1 and rule number 2 to be unsatisfied (that is, determined it to be illegal) and the condition of rule number 3 to be satisfied (that is, determined it to be appropriate).
  • a degree of abnormality, calculated by the fraud determination unit 3130 according to the number of times the data frame of each ID was determined (detected) to be fraudulent, is added to the fraud determination result.
  • since the data frame with ID 0x100 is determined to be illegal under two conditions, its degree of abnormality is calculated as 2.
  • a data frame with an ID of 0x200 is determined to be illegal under the condition of rule number 1, but is not determined to be illegal under the condition of rule number 3, so the degree of abnormality is calculated as 1.
  • the data frame with ID 0x300 is determined to be illegal under the condition of rule number 2, but is not determined to be illegal under the condition of rule number 3, so the degree of abnormality is calculated as 1.
  • the fraud determination unit 3130 further adds to the fraud determination result, for each ID, the number of times the MAC verification result for data frames with that ID was invalid.
  • the fraud determination unit 3130 obtains this number of MAC failures by counting the invalid MAC verification results in the frame reception history and adds the count to the fraud determination result.
  • FIG. 27 shows an example of the intrusion determination result held by the intrusion determination result holding unit 3181.
  • the intrusion determination result indicates, for each ID of data frame, whether the intrusion determination unit 3131 determined the data frames with that ID to be normal (not intrusion) or abnormal (intrusion detected) based on the condition relating to data frames of that ID.
  • the intrusion determination unit 3131 adds to the intrusion determination result, for each ID, the MAC verification result for the data frames of that ID.
  • the intrusion determination unit 3131 takes the MAC validity result from the frame reception history and adds it to the intrusion determination result.
  • in this example, the intrusion determination unit 3131 determines the data frame with ID 0x100 to be normal and likewise determines the data frames with IDs 0x200 and 0x300 to be normal. The example also shows that an invalid MAC is attached to the data frame with ID 0x100, while valid MACs are attached to the data frames with IDs 0x200 and 0x300.
  • FIG. 28 shows an example of the abnormality correspondence table held by the abnormality correspondence table holding unit 3191.
  • the abnormality handling unit 3140 determines the content of the countermeasure processing as a response to the abnormality based on the fraud determination result, the intrusion determination result, and the MAC verification result (whether or not the MAC is valid).
  • the correspondence changes depending on the combination of the fraud determination result, the intrusion determination result, and the MAC verification result.
  • the abnormality correspondence table shows that the fraud determination result is normal (for example, the degree of abnormality is 0) and the intrusion determination result is normal, and when the MAC is valid, what is the countermeasure process?
  • for the case where the MAC is invalid, the abnormality correspondence table of this example specifies as the countermeasure process checking the situation by sending a diagnostic message to the ECU corresponding to the transmission source of the data frame to which the invalid MAC is attached, and performing a key update (key update process), for example by sending an update message related to updating the secret key for MAC generation.
  • this countermeasure process is a response to the possibility that, because the MAC is invalid, there is a problem with the sharing of the secret key among the ECUs or with the synchronization of the counter used as the countermeasure against retransmission attacks.
  • Each ECU may be configured to perform key update, counter reset, and the like when an update message is received.
  • the monitoring ECU 3100 updates the secret key in the secret key holding unit 3513 by the same method corresponding to the update.
  • The abnormality correspondence table of this example indicates that when the fraud determination result is abnormal (for example, the degree of abnormality is greater than 0), the intrusion determination result is normal, and the MAC is valid, the countermeasure processing consists of checking the situation by transmitting a diagnostic message to the ECU corresponding to the transmission source of the abnormal data frame, and performing the key update process.
  • This is a useful process because, although no illegal message (attack data frame) has been injected from outside, the relationship between the contents of the data frames with different IDs is broken, so the firmware of the corresponding ECU may have been illegally rewritten, and because the MAC is valid, the secret key may have been leaked.
  • The abnormality correspondence table of this example indicates that when the fraud determination result is abnormal, the intrusion determination result is normal, and the MAC is invalid, the countermeasure processing consists of checking the situation by sending a diagnostic message to the ECU corresponding to the transmission source of the abnormal data frame.
  • This is a useful measure because, although no unauthorized message has been injected from outside, the relationship between the contents of the data frames with different IDs is broken, so the firmware of the relevant ECU may have been illegally rewritten, while the invalid MAC makes it highly likely that the secret key has not been leaked.
  • The abnormality correspondence table of this example indicates that when the fraud determination result is normal, the intrusion determination result is abnormal, and the MAC is valid, the countermeasure processing consists of a notification prompting the user to check the interface for connecting an external device, such as the diagnostic port 2400, and the key update process. This is useful because the relationship between the contents of the data frames with different IDs is not broken while an illegal message with a valid MAC has been injected from outside, so an attack such as retransmitting a normal data frame may be in progress.
  • The key update process in this countermeasure makes it possible to prevent injection of data frames including a valid MAC from outside.
  • The abnormality correspondence table in this example indicates that when the fraud determination result is normal, the intrusion determination result is abnormal, and the MAC is invalid, the countermeasure processing consists of a notification prompting the user to check the interface for connecting an external device, such as the diagnostic port 2400. This is a useful measure because an attack such as retransmitting a normal message from outside may be being attempted, but it is highly likely that the secret key has not been leaked.
  • The notification to the user can be realized, for example, by transmitting a data frame having a predetermined ID from the monitoring ECU 3100 to the bus 300, and by controlling the display of a predetermined message on the instrument panel 240 when the ECU 3200d receives the data frame having that predetermined ID.
  • The abnormality correspondence table of this example indicates that when the fraud determination result is abnormal, the intrusion determination result is also abnormal, and the MAC is valid, the countermeasure processing consists of a notification prompting the user to check the interface for connecting an external device, such as the diagnostic port 2400, transmission of a frame (abnormality notification message) notifying each ECU that an abnormality has occurred, and the key update process.
  • This countermeasure process is a useful countermeasure because it is highly possible that an unauthorized message has been injected from the outside, the secret key is also leaked, and the adverse effect on the control of the vehicle is great.
  • The abnormality correspondence table of this example indicates that when the fraud determination result is abnormal, the intrusion determination result is also abnormal, and the MAC is invalid, the countermeasure processing consists of a notification prompting the user to check the interface for connecting an external device, such as the diagnostic port 2400, and transmission of the abnormality notification message to each ECU. This is a useful measure because, although an ECU may be being controlled by attack frames injected from outside, it is highly likely that the secret key has not been leaked.
  • Each ECU in the in-vehicle network system 12 can be configured to perform predetermined security measures (for example, traveling control such as decelerating and stopping the vehicle, or degradation of the automatic traveling function) when the abnormality notification message is received.
  • FIG. 29 is a configuration diagram of the ECU 3200a.
  • the ECU 3200a includes a frame transmission / reception unit 201, a frame processing unit 202, a device input / output unit 203, a frame generation unit 204, a MAC verification unit 3500, and a MAC generation unit 3510.
  • Each of these components is a functional component, and each function is realized by a communication circuit in the ECU 3200a, a processor that executes a control program stored in a memory, a digital circuit, or the like.
  • ECU 3200b, ECU 3200c, and ECU 3200d have substantially the same configuration as ECU 3200a. In FIG. 29, the same components as those of ECU 200a (see FIG.
  • the MAC verification unit 3500 and the MAC generation unit 3510 are the same as the components of the monitoring ECU 3100 shown in FIG.
  • The frame processing unit 3202 interprets the content of a data frame that has been received by the frame transmission / reception unit 201 and whose MAC has been verified as valid by the MAC verification unit 3500. For example, the frame processing unit 3202 of the ECU 3200d, which has the same configuration as the ECU 3200a, interprets the vehicle speed (information from the speed sensor 210) and the gear state (information on the state of the gear 230) included in the data frames transmitted from the ECU 3200a and the ECU 3200c respectively, and notifies the device input / output unit 203 of the ECU 3200d of the information necessary for updating the display of the instrument panel 240 and the like. Also, when a data frame that is a diagnostic message is received from the monitoring ECU 3100, the frame processing unit 3202 performs predetermined processing so that diagnostic information can be transmitted to the bus 300 via the frame transmission / reception unit 201 for reception by the monitoring ECU 3100.
  • the monitoring ECU 3100 periodically performs fraud detection processing (fraud determination) and intrusion detection processing (intrusion determination) every 100 ms, for example (see FIG. 19).
  • The MAC verification result for each data frame received from the bus 300 is also stored in the frame reception history.
  • the monitoring ECU 3100 determines the content of the countermeasure process according to the abnormality correspondence table based on the fraud determination result, the intrusion determination result, and the MAC verification result. Then, the monitoring ECU 3100 executes the processing for the determined content.
  • FIG. 30 shows a first operation example of monitoring the bus 300 in the in-vehicle network system 12.
  • Data frames with ID 0x100 (indicating the vehicle speed), ID 0x200 (indicating the acceleration), and ID 0x300 (indicating the gear state) are each periodically transmitted to the bus 300.
  • FIG. 30 shows an example in which the firmware of ECU 3200a has been illegally rewritten by an attacker, so that from a certain point in time ECU 3200a falsifies the vehicle speed notified from the speed sensor 210 and transmits a data frame indicating the incorrect vehicle speed to the bus 300. In this example, it is assumed that the secret key has been leaked and that the MAC included in every data frame is valid.
  • The monitoring ECU 3100 periodically performs fraud determination (fraud detection processing) at a period of 100 ms, immediately after the timing at which the data frame with ID 0x300 is received. Assuming that fraud determination is performed at the end of each unit time (100 ms), for the data frames received from the bus 300 in each of the first three unit times, no fraud is detected under any of rule numbers 1 to 3 indicated by the fraud detection rule information held in the fraud detection rule holding unit 170. It is assumed that the integrated value of acceleration is 20.0 km / h at the first time point in this example, so the integrated value changes successively to 20.072, 20.144, and 20.18 km / h as each acceleration data frame is received from the first to the third time.
  • The monitoring ECU 3100 detects fraud because the difference (amount of change) between the vehicle speed (18.0 km / h) indicated by the vehicle speed data frame received the third time and the integrated value (20.18 km / h) based on the acceleration indicated by the acceleration data frames exceeds 1.0 km / h, so the rule (condition) of rule number 1 is not satisfied. Further, since the gear state indicated by the received data frame is "D" (drive) and the amount of change in speed (the difference between the vehicle speed of 18.0 km / h indicated by the vehicle speed data frame received the third time and the vehicle speed of 19.6 km / h indicated by the one received the previous time) exceeds 1.0 km / h, the monitoring ECU 3100 also detects fraud under rule number 2.
  • Because the fraud determination result is abnormal, the intrusion determination result is normal, and the MAC verification result is valid, the monitoring ECU 3100 determines, according to the abnormality correspondence table, that the countermeasure processing consists of transmitting a diagnostic message to the ECU and performing the key update process, and performs that countermeasure processing. That is, the monitoring ECU 3100 identifies from the ECU information held by the ECU information table holding unit 190 that ECU 3200a is the transmission source of the data frame with ID 0x100, which fails to satisfy two rules (conditions) and is therefore calculated to have the highest degree of abnormality, 2, and transmits a diagnostic message to ECU 3200a.
  • the monitoring ECU 3100 notifies each ECU of a key update process (transmission of an update message related to the secret key update).
  • FIG. 31 shows an operation example 2 of monitoring the bus 300 in the in-vehicle network system 12.
  • Operation example 2 in FIG. 31 is similar to operation example 1 for the monitoring ECU 3100, but shows an example in which the secret key has not been leaked and the MAC included in the data frames transmitted by ECU 3200a is invalid.
  • Since the fraud determination result is abnormal, the intrusion determination result is normal, and the MAC verification result is invalid, the monitoring ECU 3100 determines, according to the abnormality correspondence table, that the countermeasure processing consists of transmitting a diagnostic message, and performs it.
  • As described above, the monitoring ECU 3100 determines the content of the countermeasure processing according to the combination of the fraud determination, which detects fraud based on the relationship between the contents of data frames having a plurality of different IDs, the intrusion determination, which detects intrusion based on conditions defined for each single ID, and the result of verifying the validity of the MAC, and executes that countermeasure processing.
  • The transmission of an illegal data frame can thus be detected from the collapse of the relationship between the contents of data frames with different IDs. For example, even if an attacker controls an ECU and makes it transmit an illegal data frame, the fraud is detected based on the relationship with the data frames transmitted by other ECUs, which makes the attack difficult. Furthermore, even when an attacker injects illegal data frames from outside, this can be detected appropriately, and an appropriate response according to the situation of the attack becomes possible depending on the combination of the fraud determination result, the intrusion determination result, and the MAC verification result.
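The fraud determination and abnormality correspondence logic described above (rules 1 and 2, the degree of abnormality counted per ID, and the table of FIG. 28 as the text describes it), run over operation examples 1 and 2, as an added Python example that is not part of the patent or of any implementation of it. The ECU information table, the acceleration values (0.2 and 0.1 m/s², integrated over 100 ms to give the 20.072, 20.144 and 20.18 km/h of the text), the first two vehicle speeds and the action names are assumptions constructed for the example; rule 3 is omitted because the text gives no threshold for it, and the all-normal row of the table is left empty because the text lists no action for it.

```python
# Added example (not the patent's own code): fraud determination on the three
# periodic data frames of operation examples 1 and 2, degree-of-abnormality
# ranking per ID, and the abnormality correspondence table lookup.
from dataclasses import dataclass, field

UNIT_TIME_S = 0.1          # fraud determination period of 100 ms
SPEED_TOLERANCE_KMH = 1.0  # threshold of rules 1 and 2 in the operation example

# Constructed ECU information table: transmission source of each ID (assumption).
ECU_INFO = {0x100: "ECU 3200a", 0x200: "ECU 3200b", 0x300: "ECU 3200c"}


@dataclass
class Frame:
    can_id: int
    value: object          # km/h for 0x100, m/s^2 for 0x200, gear string for 0x300
    mac_valid: bool = True


@dataclass
class ReceptionHistory:
    """Frame reception history: the values the rules need plus MAC results."""
    speeds: list = field(default_factory=list)
    accel_integral_kmh: float = 20.0   # integrated value at the first time point
    gear: str = "P"
    mac_invalid_ids: set = field(default_factory=set)

    def record(self, frame):
        if not frame.mac_valid:
            self.mac_invalid_ids.add(frame.can_id)
        if frame.can_id == 0x100:
            self.speeds.append(float(frame.value))
        elif frame.can_id == 0x200:
            # integrate acceleration over one unit time; m/s -> km/h is x3.6
            self.accel_integral_kmh += float(frame.value) * UNIT_TIME_S * 3.6
        elif frame.can_id == 0x300:
            self.gear = str(frame.value)


def rule1_satisfied(h):
    """Rule 1: speed (0x100) must agree with the acceleration integral (0x200)."""
    if not h.speeds:
        return True
    return abs(h.speeds[-1] - h.accel_integral_kmh) <= SPEED_TOLERANCE_KMH


def rule2_satisfied(h):
    """Rule 2: in gear D (0x300) the speed (0x100) may not change by more than
    1.0 km/h per unit time (a quantitative range defined per gear value)."""
    if h.gear != "D" or len(h.speeds) < 2:
        return True
    return abs(h.speeds[-1] - h.speeds[-2]) <= SPEED_TOLERANCE_KMH


# rule number -> (check, IDs whose relationship the rule constrains)
RULES = {1: (rule1_satisfied, (0x100, 0x200)), 2: (rule2_satisfied, (0x100, 0x300))}


def fraud_determination(h):
    """Degree of abnormality per ID: number of unsatisfied rules the ID takes part in."""
    degree = {cid: 0 for cid in ECU_INFO}
    for check, ids in RULES.values():
        if not check(h):
            for cid in ids:
                degree[cid] += 1
    return degree


# Abnormality correspondence table as the text describes FIG. 28:
# (fraud abnormal, intrusion abnormal, MAC valid) -> countermeasure actions.
CORRESPONDENCE = {
    (False, False, True): (),  # assumption: no action listed for the all-normal row
    (False, False, False): ("diagnostic_message", "key_update"),
    (True, False, True): ("diagnostic_message", "key_update"),
    (True, False, False): ("diagnostic_message",),
    (False, True, True): ("check_external_interface", "notify_user", "key_update"),
    (False, True, False): ("check_external_interface", "notify_user"),
    (True, True, True): ("check_external_interface", "notify_user",
                         "abnormality_notification", "key_update"),
    (True, True, False): ("check_external_interface", "notify_user",
                          "abnormality_notification"),
}


def decide_countermeasure(degree, intrusion_abnormal, h):
    """Return (actions, ECU to diagnose) for the current determination results."""
    fraud_abnormal = max(degree.values()) > 0
    mac_valid = not h.mac_invalid_ids
    actions = CORRESPONDENCE[(fraud_abnormal, intrusion_abnormal, mac_valid)]
    target = None
    if "diagnostic_message" in actions:
        # diagnose only the source of the frame with the highest degree of
        # abnormality (or, if only the MAC failed, the source of that frame)
        worst = max(degree, key=degree.get) if fraud_abnormal else min(h.mac_invalid_ids)
        target = ECU_INFO[worst]
    return actions, target


def run_operation_example(mac_valid=True):
    """Operation example 1 (key leaked, MAC valid) or 2 (ECU 3200a's MAC invalid)."""
    h = ReceptionHistory()
    # constructed frames for three unit times; ECU 3200a falsifies the speed in
    # the third one (19.6 -> 18.0 km/h while the integral reaches 20.18 km/h)
    unit_times = [
        [Frame(0x200, 0.2), Frame(0x100, 20.1, mac_valid), Frame(0x300, "D")],
        [Frame(0x200, 0.2), Frame(0x100, 19.6, mac_valid), Frame(0x300, "D")],
        [Frame(0x200, 0.1), Frame(0x100, 18.0, mac_valid), Frame(0x300, "D")],
    ]
    results = []
    for frames in unit_times:
        for f in frames:
            h.record(f)
        # fraud determination at the end of each unit time (after the 0x300 frame)
        results.append((round(h.accel_integral_kmh, 3), fraud_determination(h)))
    actions, target = decide_countermeasure(results[-1][1], False, h)
    return results, actions, target
```

`run_operation_example()` reproduces example 1 (degree 2 for ID 0x100, diagnostic message to ECU 3200a plus key update) and `run_operation_example(mac_valid=False)` example 2 (diagnostic message only). Counting the degree of abnormality per ID is what lets the monitoring ECU diagnose one ECU instead of every transmission source involved in a failed rule.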
  • Embodiments 1 to 3 have been described as examples of the technology according to the present disclosure.
  • the technology according to the present disclosure is not limited to this, and can also be applied to embodiments in which changes, replacements, additions, omissions, and the like are appropriately performed.
  • the following modifications are also included in one embodiment of the present disclosure.
  • In the above embodiments, a monitoring ECU that monitors the bus 300 and takes measures according to the monitoring result has been described. The monitoring ECU is an ECU connected to the bus in the in-vehicle network system, but it need not be an ECU dedicated to monitoring, and may also have functions other than monitoring and coping.
  • one or more components in the monitoring ECU may be moved to another ECU.
  • other ECUs may include a configuration for fraud determination (such as a fraud determination unit) and a configuration for intrusion determination (such as an intrusion determination unit) in the monitoring ECU.
  • For example, the gateway ECU that transfers data frames between buses may have a fraud determination unit, or the key management master ECU that manages the secret key may have a fraud determination unit, an intrusion determination unit, a MAC verification unit, and the like.
  • the data frame in the CAN protocol is described in the standard ID format.
  • The extended ID format may also be used, in which case the ID that is the identifier of the data frame is the extended ID of the extended ID format, or the like.
  • the monitoring ECU periodically performs fraud detection processing (fraud determination) and intrusion detection processing (intrusion determination) at a cycle of, for example, 100 ms, but the cycle is arbitrary. Moreover, it is not always necessary to carry out periodically. For example, the monitoring ECU may perform fraud determination or intrusion determination every time a data frame is received. Further, the fraud determination and the intrusion determination may be executed at different timings.
  • The frame reception history holding unit shown in the above embodiment may hold the reception history for any number of past receptions as the frame reception history. Further, the frame reception history holding unit may hold, as part of the frame reception history, information for times at which no frame was actually received, obtained by data interpolation based on the information of the data frames actually received.
  • the frame reception history holding unit has shown an example of holding the reception time, the MAC validity verification result, the value indicated by the contents of the data field, etc. as the frame reception history. Other information may be held.
  • the frame reception history holding unit may hold arbitrary information necessary for fraud detection processing (fraud determination) or intrusion detection processing (intrusion determination).
  • Each value may be distinguished and held, and the monitoring ECU may perform fraud determination or intrusion determination using fraud detection rule information or intrusion detection rule information that indicates conditions related to each value.
  • the rule (condition) indicated by the fraud detection rule information includes a condition related to the relationship between the speed (vehicle speed) and the acceleration, and a condition related to the relationship between the gear state and the amount of change in the vehicle speed.
  • the conditions relating to the relationship between the state of the gear and the amount of change in acceleration are exemplified, but this is only an example. Any data can be used as long as a certain relationship is maintained between data indicated by a plurality of data frames having different IDs at normal times. It is particularly useful to use the relationship between data measured by sensors.
  • The fraud detection rule information may, for example, define as a condition the relationship between a value y indicated by the content of the data field of the data frame having one ID and a value x indicated by the content of the data field of the data frame having another ID, using a relational expression such as y = f(x) together with the requirement that y lie within a certain error range of f(x).
  • The fraud detection rule information may define a condition regarding the relationship between a first type frame, which is a data frame having a certain ID (first identifier), and a second type frame, which is a data frame having an ID (second identifier) different from the first identifier. The condition indicated by the fraud detection rule information defines, for example, the relationship between a value specified based on the content of the data field in one or more first type frames and a value specified based on the content of the data field in one or more second type frames.
  • the value specified based on the content of the data field in the first type frame may be a numerical value, a value indicating the degree of large, medium, small, or a character string that distinguishes the state.
  • The condition indicated by the fraud detection rule information may define the relationship between the content of the data field in one or more first type frames and the content of the data field in one or more second type frames by a relational expression using the Pearson product-moment correlation coefficient, the maximum information coefficient, or the canonical correlation coefficient. For example, a condition on the magnitude of the correlation coefficient may be specified; a condition on the magnitude of the maximum information coefficient may be specified as an index that can also represent non-linear relationships; or, when a plurality of variables in multivariate data form two variable groups, a condition on the magnitude of the canonical correlation coefficient may be defined as an index representing the mutual relationship between the variable groups.
  • the condition may be defined by obtaining the correlation coefficient for each time series data of the vehicle speed and the rotation speed of the tire.
  • the condition may be defined by obtaining a relational expression between the vehicle speed and the rotation speed of the tire.
  • Examples of pairs for which such a relational expression can be defined include acceleration and the amount of change in vehicle speed, accelerator displacement and the amount of change in vehicle speed, brake displacement and the amount of change in vehicle speed, and steering angle and yaw rate.
  • In the above embodiment, the fraud determination unit determines whether or not the condition indicated by the fraud detection rule information is satisfied based on the information (frame reception history) about the data frames received from the bus.
  • This determination can be realized by any specific method according to the condition indicated by the fraud detection rule information.
  • This fraud determination may, for example, distinguish by a predetermined calculation process whether or not the condition indicated by the fraud detection rule information is satisfied, using a first value based on the contents of the data field in each first type frame received from the bus in each of one or more unit times, and a second value based on the contents of the data field in each second type frame received from the bus in each of one or more unit times counted from the end of those unit times.
  • the predetermined calculation process may be any calculation process as long as it uses at least the first value and the second value to distinguish whether the condition indicated by the fraud detection rule information is satisfied.
  • The predetermined calculation process may, for example, be based on a standard that defines a range of the quantitative variable for each value of a qualitative variable, and distinguish whether or not the condition indicated by the fraud detection rule information is satisfied according to whether or not the first value falls within the range of the quantitative variable obtained by using the second value as the value of the qualitative variable.
  • the first value may be a value related to a physical quantity or the like measured by a sensor (a vehicle speed, a change amount of the vehicle speed, or the like).
  • The second value may be a flag value indicating the vehicle state (a flag value indicating the gear state, a flag value indicating the operating state of the lane keeping function, a flag value indicating the operating state of the automatic parking assist function, a flag value indicating the operating state of the cruise control function, or the like).
  • the predetermined calculation process includes, for example, a second value within a range of the value of the objective variable calculated using the first value as the value of the explanatory variable based on a relational expression indicating the relationship between the objective variable and the explanatory variable. A process for distinguishing whether or not the condition indicated by the fraud detection rule information is satisfied may be performed depending on whether or not it is applicable.
  • the first value and the second value are values related to physical events having a causal relationship, for example.
  • In the above embodiment, the relationship between the contents of two types (two different IDs) of data frames is used as the condition indicated by the fraud detection rule information; the result of a predetermined operation (for example, an arithmetic operation or a logical operation) on the contents of the data frames may also be used in the condition.
  • the fraud determination unit of the monitoring ECU calculates the abnormality level and adds it to the fraud determination result. However, it is not always necessary to calculate the abnormality level.
  • For example, the monitoring ECU may perform diagnosis by transmitting a diagnostic message to the transmission source ECU of each of the plurality of data frames determined to be fraudulent. Note that calculating the degree of abnormality is useful for narrowing down, among the transmission source ECUs of the plurality of data frames determined to be fraudulent because the condition indicated by the fraud detection rule information is not satisfied, the targets to which a diagnostic message is transmitted, and thus for suppressing an increase in traffic volume.
  • For example, the fraud detection rule information may include a first condition (for example, the condition of rule number 1 shown in FIG. 6) regarding the relationship between the contents of the data fields of a first type frame, which is a data frame having a first identifier (for example, ID 0x100), and a second type frame, which is a data frame having a second identifier different from the first identifier (for example, ID 0x200), and a second condition (for example, a condition with another rule number shown in FIG. 6) regarding the relationship between the contents of the data fields of the first type frame and a third type frame, which is a data frame having a third identifier different from both the first and second identifiers (for example, ID 0x300). In that case, the degree of abnormality relating to transmission of the first type frame can be calculated according to the number of these conditions that are not satisfied. Then, when the calculated degree of abnormality satisfies a predetermined abnormality condition (for example, it is higher than a threshold value, or higher than the degree of abnormality calculated separately for transmission of another type of frame), a predetermined frame (such as a diagnostic message) is transmitted so that the ECU transmitting the first type frame can receive it, which suppresses an increase in bus traffic.
  • In the above embodiment, the monitoring ECU holds the fraud determination result in the form of a table in which IDs are associated with results, but the fraud determination unit may hold any information indicating the determination result for the set of frames received from the bus (for example, information indicating pairs of a rule number and the determination result based on the condition of that rule number) on a storage medium such as a memory or a hard disk provided in the ECU, in any format.
  • As the condition indicated by the intrusion detection rule information, conditions related to the reception interval and the data change amount of the data frames of a single ID were exemplified, but this is only an example, and other conditions may be used, for example a condition related to the reception frequency (the number of data frames having the single ID received within a certain time).
  • As the condition indicated by the intrusion detection rule information, a condition to be satisfied by normal data frames is defined. It is useful to define the condition so that it is not satisfied when a data frame for an attack is injected from outside and both illegal data frames and normal data frames flow on the bus.
  • the intrusion determination result holding unit holds an intrusion determination result that distinguishes between normal and abnormal (intrusion detection) for each ID.
  • the intrusion determination result may be the number determined to be normal or the number determined to be abnormal within a certain period without distinguishing the ID.
  • The intrusion determination result may be any information related to the result of the intrusion determination based on the intrusion detection rule information. Accordingly, the monitoring ECU can determine the coping process corresponding to the abnormality based on the combination of the intrusion determination result based on the intrusion detection rule information and the fraud determination result based on the fraud detection rule information.
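Intrusion determination for a single ID using the three conditions named above (reception interval, data change amount and reception frequency), run over constructed traffic in which one frame is injected between the genuine periodic frames, as an added Python example that is not the patent's code. The rule parameters (100 ms period, 20 ms tolerance, 1.0 km/h change, at most 10 frames per 1000 ms), the result summary without distinguishing IDs, and the sample frames are assumptions constructed for the example.

```python
# Added example (not the patent's own code): intrusion determination for data
# frames of a single ID using the reception interval, the data change amount and
# the reception frequency as the conditions of the intrusion detection rule.
from collections import defaultdict

# Constructed intrusion detection rule information for the vehicle speed frame.
INTRUSION_RULES = {
    0x100: {"period_ms": 100, "interval_tolerance_ms": 20,
            "max_change": 1.0, "max_per_1000ms": 10},
}


def intrusion_determination(frames, rules=INTRUSION_RULES):
    """frames: list of (reception time in ms, ID, data value) in reception order.
    Returns {ID: {"abnormal": bool, "violations": [(kind, time_ms, detail), ...]}}."""
    by_id = defaultdict(list)
    for t, cid, value in frames:
        by_id[cid].append((t, value))
    results = {}
    for cid, rule in rules.items():
        hist = by_id.get(cid, [])
        violations = []
        for (t0, v0), (t1, v1) in zip(hist, hist[1:]):
            # reception interval condition: consecutive frames of this ID must be
            # about one period apart; an injected frame shortens the interval
            interval = t1 - t0
            if abs(interval - rule["period_ms"]) > rule["interval_tolerance_ms"]:
                violations.append(("interval", t1, interval))
            # data change amount condition between consecutive frames of this ID
            if abs(v1 - v0) > rule["max_change"]:
                violations.append(("change", t1, round(v1 - v0, 3)))
        # reception frequency condition: frames of this ID within any 1000 ms window
        for i, (t, _) in enumerate(hist):
            count = sum(1 for u, _ in hist[i:] if u - t < 1000)
            if count > rule["max_per_1000ms"]:
                violations.append(("frequency", t, count))
                break
        results[cid] = {"abnormal": bool(violations), "violations": violations}
    return results


def count_results(results):
    """Summary without distinguishing IDs: (number normal, number abnormal)."""
    abnormal = sum(1 for r in results.values() if r["abnormal"])
    return len(results) - abnormal, abnormal


def legitimate_traffic():
    # constructed: the speed frame every 100 ms, the speed rising 0.1 km/h each time
    return [(100 * i, 0x100, 20.0 + 0.1 * i) for i in range(12)]


def traffic_with_injection():
    # constructed: the same traffic plus one frame injected at t=350 ms carrying
    # an implausible speed while the genuine frames keep flowing
    return sorted(legitimate_traffic() + [(350, 0x100, 60.0)])
```

On the legitimate traffic every condition holds; on the traffic with the injected frame all three conditions fail for ID 0x100, because the genuine frames keep being transmitted alongside the injected one, which is exactly the situation the conditions are defined to reject.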
  • In the above embodiment, the ID and the value of the data field are input to the AES encryption unit (for example, an encryption function) for generating the MAC, but the input value is not limited to this. For example, only the value of the data field may be input, the DLC may be included in the input, or time information or the like may be included in the input in addition to the counter value.
  • The coping process is, for example, transmitting a diagnostic frame so that a specific ECU connected to the bus can receive it; confirming the validity of a specific ECU connected to the bus by challenge-response authentication; notifying the driver of the vehicle equipped with the in-vehicle network system; notifying the driver of that vehicle to stop or slow down; notifying the ECUs connected to the bus to stop or slow the vehicle; notifying the driver of that vehicle that an illegal state has occurred; notifying the ECUs connected to the bus that the data frame with a specific ID (identifier) is illegal; and notifying a server outside the vehicle equipped with the in-vehicle network system.
  • the monitoring ECU can execute any one or more of the above-described countermeasures when the degree of abnormality calculated by the fraud determination unit satisfies a predetermined abnormality condition (for example, exceeds a threshold). In addition, the monitoring ECU may change the content of the countermeasure process so as to reflect the high degree of abnormality calculated by the fraud determination unit.
  • In the above embodiment, the monitoring ECU determines the content of the countermeasure processing according to the combination of the result of the determination by the fraud determination unit (fraud determination result), the result of the determination by the intrusion determination unit (intrusion determination result), and the result of verifying the authenticity of the authenticator (MAC) by the MAC verification unit, and under certain conditions (for example, when the fraud determination result or the intrusion determination result is abnormal and the MAC is determined to be valid) determines and executes the key update process related to updating the authentication key as the countermeasure processing.
  • After executing the key update process, the monitoring ECU performs fraud determination, intrusion determination, and MAC verification on the data frames received from the bus, and when the fraud determination result, the intrusion determination result, and the verification result satisfy a certain condition (for example, when the MAC is valid but the fraud determination result or the intrusion determination result is still abnormal), it may execute a handling process different from the key update process (notification to the user of the dangerous state, notification to the server, and so on).
  • This countermeasure process different from the key update process can be useful when the key update does not work effectively.
  • the fraud detection rule holding unit holds fraud detection rule information indicating a condition related to the relationship between the contents of data frames having different IDs.
  • the information may be updated as needed using the results of learning by monitoring and analyzing data frames flowing through the bus.
  • For example, the correlation coefficient between the contents of the data frames of different IDs may be obtained and compared with a predetermined threshold value, and the relation between the contents of the data frames whose correlation coefficient is equal to or greater than the threshold value may be included in the fraud detection rule information as a new condition to be satisfied.
  • the relation between the explanatory variable and the objective variable may be included in the fraud detection rule information as a condition.
  • The monitoring ECU may specify the relationship between the contents of data frames having different IDs by multivariate analysis based on the set of data frames received from the bus, and generate or update the fraud detection rule information so that it indicates a condition representing the specified relationship.
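One way to carry out the learning described above, and the correlation-based conditions discussed earlier on this page: compute the Pearson product-moment correlation coefficient between the data field values of each pair of IDs seen on the bus, keep the pairs whose coefficient reaches a threshold as conditions in the form of a fitted relational expression y = f(x), and then check newly received values against that expression within an error range. This is an added Python example, not the patent's code; the IDs 0x400 (tyre rotation speed) and 0x500 (steering angle), the 8.77 rpm per km/h relation, the tolerance of 2.0 and all sample values are constructed assumptions.

```python
# Added example (not the patent's own code): deriving fraud detection rule
# conditions from the correlation between data field values of different IDs,
# then checking new frames against the fitted relation y = f(x) within an
# error range. IDs 0x400 (tyre rotation speed) and 0x500 (steering angle) and
# all sample values are constructed for this example.
from itertools import combinations
from math import sqrt


def pearson(xs, ys):
    """Pearson product-moment correlation coefficient of two aligned series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0


def fit_linear(xs, ys):
    """Least-squares relational expression y = a*x + b."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return a, my - a * mx


def learn_rules(series, corr_threshold=0.9, tolerance=2.0):
    """series: {ID: [value per unit time, ...]}, all lists aligned in time.
    Every ID pair whose |correlation| reaches the threshold becomes a condition
    (explanatory variable x = lower ID, objective variable y = higher ID)."""
    rules = {}
    for xid, yid in combinations(sorted(series), 2):
        r = pearson(series[xid], series[yid])
        if abs(r) >= corr_threshold:
            a, b = fit_linear(series[xid], series[yid])
            rules[(xid, yid)] = {"corr": round(r, 4), "a": a, "b": b, "tolerance": tolerance}
    return rules


def check_rules(rules, observation):
    """observation: {ID: latest value}. Returns the (x_id, y_id) rules not satisfied,
    i.e. where y lies outside the error range around f(x)."""
    violated = []
    for (xid, yid), rule in rules.items():
        if xid in observation and yid in observation:
            predicted = rule["a"] * observation[xid] + rule["b"]
            if abs(observation[yid] - predicted) > rule["tolerance"]:
                violated.append((xid, yid))
    return violated


def sample_series():
    """Constructed per-unit-time values learned from: speed, tyre rpm, steering."""
    speeds = [10, 12, 15, 18, 20, 22, 25, 28, 30, 33]                # km/h, ID 0x100
    noise = [0.3, -0.2, 0.4, -0.5, 0.1, 0.2, -0.4, 0.3, -0.1, 0.2]   # sensor jitter
    return {
        0x100: [float(s) for s in speeds],
        0x400: [round(8.77 * s + d, 2) for s, d in zip(speeds, noise)],  # rpm ~ 8.77*speed
        0x500: [0, 5, -3, 8, 2, -6, 4, 1, -2, 7],                        # unrelated steering
    }
```

Only the speed and tyre rotation pair survives the threshold, so the learned rule set contains one condition; a falsified speed of 18.0 km/h arriving with the tyre rotation of a 30 km/h vehicle then fails that condition, while a consistent pair passes. The tolerance is set per rule because the error range depends on the units and noise of each pair.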
  • the fraud determination unit adds the MAC fraud count to the fraud determination result, and the intrusion determination unit adds the MAC validity to the intrusion determination result.
  • information based on the MAC verification result may not be included in the fraud determination result and the intrusion determination result.
  • the abnormality handling unit can acquire the MAC verification result from the frame reception history held by the frame reception history holding unit.
  • If the fraud determination unit specifies the fraud determination result based on the MAC verification result, that fraud determination result can be used when the abnormality handling unit performs the various measures.
  • the monitoring ECU determines that the key is leaked when the fraud determination result or the intrusion determination result is abnormal and the MAC is valid as the MAC verification result.
  • Whether or not the key update process is included in the content of the countermeasure processing may be distinguished based on the number of times the MAC has been determined to be valid as the verification result. For example, when the fraud determination result or the intrusion determination result is abnormal, the monitoring ECU may perform the key update process on the grounds that the key is likely to have leaked once MAC verification has succeeded a predetermined number of times N. It is useful to set N to a number of times such that, when data frames to which successive random values are added as the MAC are transmitted one after another, the probability that the MAC is determined to be valid in all N verifications is sufficiently low.
  • The above embodiment shows an example in which the monitoring ECU determines (selects) the content of the countermeasure process according to the combination of the fraud determination result, the intrusion determination result, and the MAC verification result.
  • The monitoring ECU may instead determine the countermeasure process using any one or more of these three results, and may further distinguish the attack range and use that distinction, for example whether the unauthorized state is confined to the data frame of a specific ID, to a data frame with a high degree of abnormality, to an ECU with a high possibility of abnormality, or spans data frames of different IDs.
  • When the monitoring ECU detects that an unauthorized state has occurred, it may also identify the subnetwork on which the data frame related to the unauthorized state was transmitted, the ECU that transmitted the frame, or the ID of the data frame, and record the identified item on a storage medium such as a memory. Using the identified subnetwork, ECU, ID, etc., it becomes possible, for example on the basis of the ID, to grasp that an abnormality has occurred in a group of data frames related to a specific function such as a driving support function; collecting such information about the unauthorized state is useful for determining the purpose and range of the attack.
  • The above embodiment shows an in-vehicle network that communicates according to the CAN protocol. The CAN protocol should be understood in a broad sense that includes derived protocols such as CAN FD (CAN with Flexible Data Rate).
  • Communication protocols other than CAN may also be used, for example Ethernet (registered trademark), LIN (Local Interconnect Network), MOST (registered trademark) (Media Oriented Systems Transport), or FlexRay (registered trademark).
  • The monitoring ECU and the other ECUs in the above embodiment are devices including a digital circuit such as a processor and a memory, an analog circuit, a communication circuit, and the like; they may also include other hardware components such as a hard disk device, a display, a keyboard, or a mouse.
  • Each device (the monitoring ECU or the like) shown in the above embodiment realizes its functions as software by a processor executing a control program stored in the memory, but it may instead realize them with dedicated hardware (a digital circuit or the like).
  • Part or all of the components constituting each device in the above embodiment may be configured as one system LSI (Large Scale Integration). A system LSI is an ultra-multifunctional LSI manufactured by integrating a plurality of components on a single chip; specifically, it is a computer system including a microprocessor, a ROM, a RAM, and the like. A computer program is recorded in the RAM, and the system LSI achieves its functions by the microprocessor operating according to that computer program.
  • The components of each of the above devices may be made into individual chips, or into one chip that includes some or all of them. The term system LSI is used here, but depending on the degree of integration it may also be called IC, LSI, super LSI, or ultra LSI.
  • The method of circuit integration is not limited to LSI; implementation using dedicated circuitry or a general-purpose processor is also possible. An FPGA (Field Programmable Gate Array) that can be programmed after the LSI is manufactured, or a reconfigurable processor in which the connections and settings of the circuit cells inside the LSI can be reconfigured, may be used. If integrated circuit technology that replaces LSI emerges through advances in semiconductor technology or another derived technology, the function blocks may naturally be integrated using that technology; application of biotechnology is one possibility.
  • Part or all of the components constituting each of the above devices may be composed of an IC card or a single module that can be attached to and detached from the device. The IC card or module is a computer system including a microprocessor, a ROM, a RAM, and the like, and may include the ultra-multifunctional LSI described above. The IC card or module achieves its function by the microprocessor operating according to a computer program, and it may be tamper resistant, which matters in particular if the module holds the key used for MAC verification.
  • The fraud detection method according to one aspect of the present disclosure is a method for detecting the occurrence of an unauthorized state in an in-vehicle network system including a plurality of ECUs that communicate via a bus. Using fraud detection rule information that indicates a first condition, which is a condition on the relationship between the contents of a frame having a first identifier and a frame having an identifier different from the first identifier, the method determines whether a set of frames received from the bus satisfies the first condition, and detects that an unauthorized state has occurred when the first condition is not satisfied.
  • For example, the plurality of ECUs exchange data frames according to the CAN protocol via the bus, and the fraud detection rule information indicates the first condition on the relationship between the contents of the data fields of a first type frame, which is a data frame having a first identifier (ID), and a second type frame, which is a data frame having a second identifier different from the first identifier.
  • The fraud detection method is performed by a monitoring ECU connected to the bus and may include a reception step of receiving data frames from the bus and a fraud determination step (for example, steps S1102 and S2102). In the fraud determination step it may further be determined whether a second condition is satisfied, namely a condition on the relationship between the contents of the first type frame and a third type frame (a data frame having an ID different from both the first identifier and the second identifier).
  • The fraud detection method may include a step (for example, step S1103) of calculating the degree of abnormality related to the transmission of the first type frame according to the number of conditions, among the first condition and the second condition, that the fraud determination step found satisfied.
  • As a countermeasure, the monitoring ECU may transmit a predetermined frame (for example, a diagnostic frame) in such a way that the ECU transmitting the first type frame can receive it.
  • The fraud detection method may also include an intrusion determination step (for example, step S2103) of determining, using intrusion detection rule information that indicates a condition defined for each data frame ID (identifier), whether the data frame received from the bus in the reception step satisfies the corresponding condition, and a countermeasure step (for example, steps S2104 and S2105) of deciding the content of the countermeasure process according to the combination of the determination result of the fraud determination step and that of the intrusion determination step, and executing the countermeasure process accordingly.
  • The fraud detection method may further include a verification step of verifying the authenticity of the authenticator (MAC) contained in the data frame received from the bus.
  • The present disclosure may also be a computer program that causes a computer to carry out the processing of the fraud detection method, or a digital signal consisting of that computer program. It may also be the computer program or digital signal recorded on a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, or a BD, and the computer program or digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like.
  • An aspect of the present disclosure may also be a computer system including a microprocessor and a memory, where the memory records the computer program and the microprocessor operates according to it. The program or digital signal may also be carried out by another independent computer system, by recording it on the recording medium and transferring that medium, or by transferring it via the network or the like.
  • The present disclosure can be used to detect an attack on an in-vehicle network and to respond to it appropriately.
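
The following Python script is an added example, not code from the patent or from Panasonic. It shows both halves of the cross-ID rule handling described above: learning conditions on the relationship between the contents of frames with different IDs (the correlation threshold, then the explanatory/objective variable form of each condition) and checking a received set of frames against them, counting the violated conditions per ID as that ID's degree of abnormality. The CAN IDs 0x100 to 0x400, the two-byte big-endian payload layout, the 0.9 threshold, the tolerance margin, and the learning and spoofed frame sets are constructed assumptions; only the standard library is used.

```python
"""Cross-ID content conditions for CAN data frames: learning and checking.

Added example, not code from the patent or from Panasonic. The CAN IDs,
payload layout, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

SPEED, WHEEL, RPM, DOOR = 0x100, 0x200, 0x300, 0x400  # assumed CAN IDs


def decode_signal(data: bytes) -> int:
    """Assumed layout: the first two data bytes hold a big-endian signal."""
    return int.from_bytes(data[:2], "big")


def pearson(xs: List[float], ys: List[float]) -> float:
    """Correlation coefficient between two equally long samples."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


@dataclass(frozen=True)
class Rule:
    """Condition: signal(obj_id) within tolerance of slope*signal(exp_id)+intercept."""
    exp_id: int       # explanatory variable: ID of the first type frame
    obj_id: int       # objective variable: ID of a frame with a different ID
    slope: float
    intercept: float
    tolerance: float  # largest residual that still satisfies the condition


def learn_rules(samples: List[Dict[int, bytes]], r_min: float = 0.9) -> List[Rule]:
    """Derive one rule per ID pair whose |correlation| reaches r_min.

    Each sample maps every ID to the data field of one frame observed close
    together on the bus (all samples carry the same IDs).
    """
    rules = []
    for a, b in combinations(sorted(samples[0]), 2):
        xs = [decode_signal(s[a]) for s in samples]
        ys = [decode_signal(s[b]) for s in samples]
        if abs(pearson(xs, ys)) < r_min:
            continue  # no usable relation between these two IDs
        n = len(xs)
        mx, my = sum(xs) / n, sum(ys) / n
        slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
                 / sum((x - mx) ** 2 for x in xs))
        intercept = my - slope * mx
        worst = max(abs(y - (slope * x + intercept)) for x, y in zip(xs, ys))
        # Assumed tolerance: worst residual seen while learning plus a margin.
        rules.append(Rule(a, b, slope, intercept, worst * 1.5 + 1.0))
    return rules


def violated(rule: Rule, received: Dict[int, bytes]) -> bool:
    """True if the received set holds both IDs and breaks the condition."""
    if rule.exp_id not in received or rule.obj_id not in received:
        return False  # condition cannot be evaluated on this set
    x = decode_signal(received[rule.exp_id])
    y = decode_signal(received[rule.obj_id])
    return abs(y - (rule.slope * x + rule.intercept)) > rule.tolerance


def check_frame_set(rules: List[Rule],
                    received: Dict[int, bytes]) -> Tuple[bool, Dict[int, int]]:
    """Return (unauthorized state detected, degree of abnormality per ID).

    The degree of abnormality of an ID is the number of violated conditions
    involving it; the ID with the highest degree is the likeliest source.
    """
    degree = {cid: 0 for cid in received}
    for rule in rules:
        if violated(rule, received):
            degree[rule.exp_id] += 1
            degree[rule.obj_id] += 1
    return any(degree.values()), degree


def _frame(value: int) -> bytes:
    return value.to_bytes(2, "big") + bytes(6)  # 8-byte CAN data field


# Constructed learning data: wheel speed and engine rpm both track vehicle
# speed (wheel speed with a little quantisation noise); the door state does not.
LEARNING_SET = [
    {SPEED: _frame(v), WHEEL: _frame(10 * v + v % 3),
     RPM: _frame(30 * v + 800), DOOR: _frame(v % 2)}
    for v in range(0, 120, 5)
]
RULES = learn_rules(LEARNING_SET)

# Constructed attack: the speed frame is rewritten to 0 km/h while wheel speed
# and rpm still report a moving vehicle; only the spoofed ID breaks two rules.
SPOOFED_SET = {SPEED: _frame(0), WHEEL: _frame(600),
               RPM: _frame(2600), DOOR: _frame(0)}

if __name__ == "__main__":
    for r in RULES:
        print(f"0x{r.exp_id:x} -> 0x{r.obj_id:x}: slope {r.slope:.2f}, tol {r.tolerance:.2f}")
    print(check_frame_set(RULES, SPOOFED_SET))
```

The learned rule set contains no condition involving the door-state ID, because its correlation with the other signals stays far below the threshold; a received set that lacks one of a rule's IDs simply does not evaluate that rule, so a missing frame is handled by the per-ID timing rules rather than by this content check.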
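
A second added example (again not the patent's or Panasonic's code) shows how the fraud determination result, the intrusion determination result and the MAC verification result combine to select a countermeasure, including the key-leak heuristic described above: an abnormal frame whose MAC nevertheless verifies N times is treated as a sign that the key has leaked and triggers a key update, and N is chosen so that random MACs reach N valid verifications with negligible probability. The MAC construction (HMAC-SHA256 over ID, counter and payload, truncated to 32 bits), the shared key, the four countermeasures and the scenario frames are assumptions.

```python
"""Selecting a countermeasure from the fraud, intrusion and MAC results.

Added example, not code from the patent or from Panasonic. The MAC
construction, key, countermeasure set and scenario frames are assumptions.
"""
import hashlib
import hmac
import math
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum, auto

MAC_BITS = 32  # assumed authenticator length in the data field


@dataclass(frozen=True)
class Frame:
    can_id: int
    counter: int    # freshness value covered by the MAC
    payload: bytes  # application data
    mac: bytes      # authenticator appended by the sender


def compute_mac(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[: MAC_BITS // 8]


def verify_mac(key: bytes, f: Frame) -> bool:
    return hmac.compare_digest(f.mac, compute_mac(key, f.can_id, f.counter, f.payload))


def guess_success_probability(n: int, mac_bits: int = MAC_BITS) -> float:
    """Probability that n frames carrying random MACs all verify as valid."""
    return 2.0 ** (-mac_bits * n)


def choose_n(target: float, mac_bits: int = MAC_BITS) -> int:
    """Smallest N for which guess_success_probability(N) <= target."""
    return max(1, math.ceil(-math.log2(target) / mac_bits))


class Action(Enum):
    NONE = auto()                # every result normal
    DISCARD_AND_RECORD = auto()  # sender lacks the key; record the ID for analysis
    NOTIFY_SENDER = auto()       # e.g. a diagnostic frame to the transmitting ECU
    KEY_UPDATE = auto()          # key treated as leaked; start re-keying


class MonitoringEcu:
    def __init__(self, key: bytes, n_key_leak: int):
        self.key = key
        self.n_key_leak = n_key_leak
        self.valid_mac_while_abnormal = defaultdict(int)  # per CAN ID
        self.record = []  # (can_id, reason) entries a handler would persist

    def handle(self, f: Frame, fraud_abnormal: bool, intrusion_abnormal: bool) -> Action:
        """Map the combination of the three results to one countermeasure."""
        mac_ok = verify_mac(self.key, f)
        if mac_ok and not (fraud_abnormal or intrusion_abnormal):
            return Action.NONE
        if not mac_ok:
            # Content and timing may look fine, but the sender lacks the key:
            # a forged frame, handled without touching the key.
            self.record.append((f.can_id, "invalid MAC"))
            return Action.DISCARD_AND_RECORD
        # Abnormal content or timing with a valid MAC: the sender holds the key.
        # Random MACs pass N verifications with probability 2^(-MAC_BITS*N), so
        # reaching N is treated as evidence that the key has leaked.
        self.valid_mac_while_abnormal[f.can_id] += 1
        if self.valid_mac_while_abnormal[f.can_id] >= self.n_key_leak:
            self.record.append((f.can_id, "key likely leaked"))
            return Action.KEY_UPDATE
        self.record.append((f.can_id, "abnormal content with valid MAC"))
        return Action.NOTIFY_SENDER


KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed shared key
SPEED_ID = 0x100                                           # assumed CAN ID


def legit_frame(counter: int, payload: bytes) -> Frame:
    """Frame from an ECU that holds the key."""
    return Frame(SPEED_ID, counter, payload, compute_mac(KEY, SPEED_ID, counter, payload))


def forged_frame(counter: int, payload: bytes) -> Frame:
    """Frame from an attacker without the key: the MAC is a filler value."""
    return Frame(SPEED_ID, counter, payload, bytes([counter & 0xFF]) * (MAC_BITS // 8))


def run_scenario(n_key_leak: int = 3):
    """Constructed sequence: normal frame, forged frame, then key-holding attacker."""
    ecu = MonitoringEcu(KEY, n_key_leak)
    actions = [
        ecu.handle(legit_frame(1, b"\x00\x3c"), False, False),  # 60 km/h, all normal
        ecu.handle(forged_frame(2, b"\x00\x00"), True, False),  # content wrong, no key
    ]
    for c in range(3, 3 + n_key_leak):  # content wrong, timing wrong, MAC valid
        actions.append(ecu.handle(legit_frame(c, b"\x00\x00"), True, True))
    return actions


if __name__ == "__main__":
    print([a.name for a in run_scenario()])
    print("N for a 32-bit MAC and target 1e-9:", choose_n(1e-9))
```

With a 32-bit MAC a single valid verification already has probability 2^-32 under random guessing, so in practice N is bounded below by guessing only for short MACs (the script gives N = 4 for an 8-bit MAC at a 1e-9 target) and is otherwise set by how many authenticated-but-abnormal frames the operator is willing to tolerate before re-keying. The fraud and intrusion inputs are taken as given here because the content conditions and per-ID timing conditions of the method supply them.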

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to an unauthorized-state detection method by which, in an in-vehicle network system including a plurality of electronic control units (ECUs) that communicate via a bus, the occurrence of an unauthorized state can be detected by monitoring the frames transmitted on the bus, even if an ECU has come under the control of an attacker through rewriting of its firmware or the like. The unauthorized-state detection method, used to detect the occurrence of an unauthorized state in an in-vehicle network system, includes the steps of: determining whether a set of frames received from the bus satisfies a first condition, the determination being made using unauthorized-state detection rule information that indicates the first condition, which is a condition on the relationship between the contents of a frame having a first identifier and a frame having an identifier different from the first identifier; and, if the first condition is not satisfied, detecting that an unauthorized state has occurred.
PCT/JP2016/004993 2016-01-08 2016-11-29 Procédé de détection d'état inapproprié, unité de commande électronique de surveillance, et système de réseau embarqué WO2017119027A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP16883533.8A EP3402125B1 (fr) 2016-01-08 2016-11-29 Procédé de détection d'état inapproprié, unité de commande électronique de surveillance, et système de réseau embarqué
CN201680051842.7A CN108028784B (zh) 2016-01-08 2016-11-29 不正常检测方法、监视电子控制单元以及车载网络系统
US16/011,677 US10992688B2 (en) 2016-01-08 2018-06-19 Unauthorized activity detection method, monitoring electronic control unit, and onboard network system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201662276400P 2016-01-08 2016-01-08
US62/276,400 2016-01-08
JP2016208084A JP6684690B2 (ja) 2016-01-08 2016-10-24 不正検知方法、監視電子制御ユニット及び車載ネットワークシステム
JP2016-208084 2016-10-24

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/011,677 Continuation US10992688B2 (en) 2016-01-08 2018-06-19 Unauthorized activity detection method, monitoring electronic control unit, and onboard network system

Publications (1)

Publication Number Publication Date
WO2017119027A1 true WO2017119027A1 (fr) 2017-07-13

Family

ID=59273391

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/004993 WO2017119027A1 (fr) 2016-01-08 2016-11-29 Procédé de détection d'état inapproprié, unité de commande électronique de surveillance, et système de réseau embarqué

Country Status (1)

Country Link
WO (1) WO2017119027A1 (fr)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019021922A1 (fr) * 2017-07-26 2019-01-31 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Dispositif de détection d'anomalie et procédé de détection d'anomalie
JP2019029993A (ja) * 2017-07-26 2019-02-21 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America 異常検知装置および異常検知方法
WO2019216295A1 (fr) * 2018-05-08 2019-11-14 日本電気株式会社 Dispositif de surveillance, dispositif d'apprentissage, procédé de surveillance, procédé d'apprentissage et support de stockage
EP3693233A1 (fr) 2019-02-11 2020-08-12 Giesecke+Devrient Mobile Security GmbH Mode de sécurité en cas de calculateurs moteur remplacés
JP2020145490A (ja) * 2019-03-04 2020-09-10 三菱電機株式会社 通信監視装置
CN111966083A (zh) * 2020-09-18 2020-11-20 大连理工大学 一种汽车can总线信息安全模拟装置
US20200377057A1 (en) * 2020-08-14 2020-12-03 Intel Corporation One-Point Relative Voltage Fingerprinting
EP3696025A4 (fr) * 2017-10-13 2021-03-17 Hitachi Automotive Systems, Ltd. Dispositif de commande de véhicule
CN112688922A (zh) * 2020-12-11 2021-04-20 深圳前海微众银行股份有限公司 数据传输方法、系统、设备及介质
CN113079072A (zh) * 2020-01-06 2021-07-06 广州汽车集团股份有限公司 一种车辆数据采集方法及其系统、计算机设备、存储介质
CN113169979A (zh) * 2018-12-10 2021-07-23 戴姆勒股份公司 用于检测对网络的分布式现场总线的入侵的方法及其系统
CN114264936A (zh) * 2021-12-28 2022-04-01 苏州日月新半导体有限公司 集成电路测试方法和集成电路测试系统
US20220158843A1 (en) * 2020-11-13 2022-05-19 Ford Global Technologies, Llc Diagnostic over ip authentication
CN114690745A (zh) * 2022-04-07 2022-07-01 中国海洋大学 一种车内can总线的入侵检测方法
CN114973695A (zh) * 2021-02-26 2022-08-30 长沙智能驾驶研究院有限公司 一种车辆优先通行控制方法及相关设备

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013043575A (ja) * 2011-08-25 2013-03-04 Nissan Motor Co Ltd 車両システムの異常判断装置
JP2014146868A (ja) * 2013-01-28 2014-08-14 Hitachi Automotive Systems Ltd ネットワーク装置およびデータ送受信システム

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DIANE KELLY, METHODS FOR EVALUATING INTERACTIVE INFORMATION RETRIEVAL SYSTEMS WITH USERS, 24 April 2014 (2014-04-24), pages 168 - 169, XP019891008 *
See also references of EP3402125A4 *

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11539727B2 (en) 2017-07-26 2022-12-27 Panasonic Intellectual Property Corporation Of America Abnormality detection apparatus and abnormality detection method
JP2019029993A (ja) * 2017-07-26 2019-02-21 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America 異常検知装置および異常検知方法
JP7033499B2 (ja) 2017-07-26 2022-03-10 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ 異常検知装置および異常検知方法
WO2019021922A1 (fr) * 2017-07-26 2019-01-31 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Dispositif de détection d'anomalie et procédé de détection d'anomalie
EP3696025A4 (fr) * 2017-10-13 2021-03-17 Hitachi Automotive Systems, Ltd. Dispositif de commande de véhicule
WO2019216295A1 (fr) * 2018-05-08 2019-11-14 日本電気株式会社 Dispositif de surveillance, dispositif d'apprentissage, procédé de surveillance, procédé d'apprentissage et support de stockage
WO2019215807A1 (fr) * 2018-05-08 2019-11-14 日本電気株式会社 Dispositif de surveillance, dispositif d'apprentissage, procédé de surveillance, procédé d'apprentissage et support de stockage
JPWO2019216295A1 (ja) * 2018-05-08 2021-05-27 日本電気株式会社 監視装置、学習装置、監視方法、学習方法及びプログラム
US11682217B2 (en) 2018-05-08 2023-06-20 Nec Corporation Surveillance device, learning device, surveillance method and storage medium
JP7156372B2 (ja) 2018-05-08 2022-10-19 日本電気株式会社 監視装置、学習装置、監視方法、学習方法及びプログラム
CN113169979B (zh) * 2018-12-10 2023-04-04 梅赛德斯-奔驰集团股份公司 用于检测对网络的分布式现场总线的入侵的方法及其系统
CN113169979A (zh) * 2018-12-10 2021-07-23 戴姆勒股份公司 用于检测对网络的分布式现场总线的入侵的方法及其系统
DE102019000976A1 (de) * 2019-02-11 2020-08-13 Giesecke+Devrient Mobile Security Gmbh Sicherheitsmodus bei ersetzten ECUs
EP3693233A1 (fr) 2019-02-11 2020-08-12 Giesecke+Devrient Mobile Security GmbH Mode de sécurité en cas de calculateurs moteur remplacés
JP2020145490A (ja) * 2019-03-04 2020-09-10 三菱電機株式会社 通信監視装置
JP6997124B2 (ja) 2019-03-04 2022-01-17 三菱電機株式会社 通信監視装置
CN113079072A (zh) * 2020-01-06 2021-07-06 广州汽车集团股份有限公司 一种车辆数据采集方法及其系统、计算机设备、存储介质
CN113079072B (zh) * 2020-01-06 2022-11-11 广州汽车集团股份有限公司 一种车辆数据采集方法及其系统、计算机设备、存储介质
US20200377057A1 (en) * 2020-08-14 2020-12-03 Intel Corporation One-Point Relative Voltage Fingerprinting
CN111966083A (zh) * 2020-09-18 2020-11-20 大连理工大学 一种汽车can总线信息安全模拟装置
US20220158843A1 (en) * 2020-11-13 2022-05-19 Ford Global Technologies, Llc Diagnostic over ip authentication
CN112688922A (zh) * 2020-12-11 2021-04-20 深圳前海微众银行股份有限公司 数据传输方法、系统、设备及介质
CN114973695A (zh) * 2021-02-26 2022-08-30 长沙智能驾驶研究院有限公司 一种车辆优先通行控制方法及相关设备
CN114973695B (zh) * 2021-02-26 2023-09-26 长沙智能驾驶研究院有限公司 一种车辆优先通行控制方法及相关设备
CN114264936A (zh) * 2021-12-28 2022-04-01 苏州日月新半导体有限公司 集成电路测试方法和集成电路测试系统
CN114690745A (zh) * 2022-04-07 2022-07-01 中国海洋大学 一种车内can总线的入侵检测方法

Similar Documents

Publication Publication Date Title
JP6887040B2 (ja) 不正検知方法、監視電子制御ユニット及び車載ネットワークシステム
WO2017119027A1 (fr) Procédé de détection d'état inapproprié, unité de commande électronique de surveillance, et système de réseau embarqué
US10951631B2 (en) In-vehicle network system, fraud-detection electronic control unit, and fraud-detection method
JP6908563B2 (ja) セキュリティ処理方法及びサーバ
JP7008100B2 (ja) 不正対処方法、不正検知電子制御ユニットおよびネットワーク通信システム
US10137862B2 (en) Method for handling transmission of fraudulent frames within in-vehicle network
US11277427B2 (en) System and method for time based anomaly detection in an in-vehicle communication
CN110226310B (zh) 电子控制装置、不正当检测服务器、车载网络系统、车载网络监视系统以及方法
US11115433B2 (en) System and method for content based anomaly detection in an in-vehicle communication network
CN112437056B (zh) 安全处理方法以及服务器
JP7182559B2 (ja) ログ出力方法、ログ出力装置及びプログラム
JP6698190B2 (ja) 不正対処方法、不正検知電子制御ユニット、および、ネットワーク通信システム
JP7199467B2 (ja) 不正対処方法、および電子制御ユニット

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16883533; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: 2016883533; Country of ref document: EP)
ENP Entry into the national phase (Ref document number: 2016883533; Country of ref document: EP; Effective date: 20180808)