WO2018008452A1

WO2018008452A1 - Method for inhibiting unauthorized control, device for inhibiting unauthorized control, and vehicle-mounted network system

Info

Publication number: WO2018008452A1
Application number: PCT/JP2017/023470
Authority: WO
Inventors: 剛岸川; 前田　学; 若林　徹; 中野　稔久; 松島　秀樹
Original assignee: パナソニックインテレクチュアルプロパティコーポレーションオブアメリカ
Priority date: 2016-07-05
Filing date: 2017-06-27
Publication date: 2018-01-11
Also published as: CN113556271A; CN113556271B

Abstract

A method for inhibiting unauthorized control in a network system provided with a plurality of electronic control units which exchange, via a communication channel, a plurality of frames including a control frame which instructs certain control of a controlled object includes: a receiving step of sequentially receiving a plurality of frames from the communication channel; and a determining step of determining, on the basis of a collection of frames received in the receiving step during a prescribed period preceded by the time of receipt of the control frame, whether or not the certain control based on the control frame received in the receiving step should be inhibited.

Description

Unauthorized control inhibition method, unauthorized control inhibition device and in-vehicle network system

This disclosure relates to a security countermeasure technique that prevents an unauthorized message from being sent to a network to control a vehicle or the like illegally.

In recent years, many systems called electronic control units (ECUs) are arranged in systems in automobiles. A network connecting these ECUs is called an in-vehicle network. There are a number of communication standards for in-vehicle networks. Among these, one of the most mainstream in-vehicle networks is a standard called CAN (Controller Area Network) defined by ISO11898.

In CAN, the communication path is a bus composed of two wires, and the ECU connected to the bus is called a node. Each node connected to the bus transmits and receives a message called a frame. A transmission node that transmits a frame applies a voltage to two wires and generates a potential difference between the wires, thereby transmitting a value of “1” called recessive and a value of “0” called dominant. When a plurality of transmitting nodes transmit recessive and dominant at exactly the same timing, the dominant is transmitted with priority. When there is an abnormality in the format of the received frame, the receiving node transmits a frame called an error frame. An error frame is a notification of frame abnormality to a transmitting node and other receiving nodes by transmitting dominants continuously for 6 bits.

In CAN, there is no identifier indicating the transmission destination or transmission source, the transmission node transmits an ID for each frame, and each reception node receives only a frame with a predetermined ID. Further, a CSMA / CA (Carrier Sense Multiple Access / Collision Avoidance) method is employed, and arbitration by ID is performed during simultaneous transmission of a plurality of nodes, and a frame having a small ID value is preferentially transmitted.

Regarding CAN's in-vehicle network system, there is a threat that an attacker can illegally control the ECU by accessing the bus and sending an illegal frame, and security measures are being studied.

For example, in Patent Document 1, when a difference between a reception interval measured for a frame transmitted to a CAN bus and a predetermined communication interval deviates from a specified range, it is determined that the frame is illegal. A method for preventing control by an illegal frame is described. Patent Document 2 describes a method for preventing control by an unauthorized frame by discarding each frame when two or more frames having the same identifier are received within a specified communication interval. Yes.

Japanese Patent No. 5664799 Japanese Patent No. 5919205

However, the method of Patent Document 1 cannot prevent unauthorized control by an unauthorized frame that does not deviate from the specified communication interval. Further, the method of Patent Document 2 discards both an illegal frame and a normal frame having the same identifier included in a defined communication interval, and is not appropriate from the viewpoint of vehicle control stability. . In addition, this method cannot cope with an illegal frame having the same identifier as a normal frame transmitted irregularly.

Therefore, the present disclosure provides a fraud control deterrence method that can deter fraud control due to a fraud frame flowing in a network appropriately. The present disclosure also provides an unauthorized control suppression device and an in-vehicle network system that can appropriately suppress unauthorized control by an unauthorized frame.

In order to solve the above-described problem, an unauthorized control suppression method according to an aspect of the present disclosure includes a plurality of electronic controls that perform transmission and reception of a plurality of frames including a control frame instructing a control target to perform predetermined control via a communication path. A method for inhibiting unauthorized control in a network system including a unit, comprising: a reception step of sequentially receiving a plurality of frames from the communication path; and whether or not the predetermined control based on the control frame received in the reception step should be suppressed. And a determination step of determining based on a set of frames received in the reception step within a predetermined period preceding the reception of the control frame.

In addition, in order to solve the above-described problem, an unauthorized control suppression device according to one aspect of the present disclosure communicates transmission / reception of a plurality of frames including a control frame in which a plurality of electronic control units instructs predetermined control with respect to a control target. An unauthorized control suppression apparatus connected to a communication path performed via a path, the receiving section receiving sequentially a plurality of frames from the communication path, and the predetermined based on the control frame received by the receiving section A fraud control inhibiting apparatus comprising: a determination unit that determines whether control should be inhibited based on a set of frames received by the receiving unit within a predetermined period preceding reception of the control frame.

In order to solve the above problem, an in-vehicle network system according to an aspect of the present disclosure includes a state frame that is a frame that includes information related to a vehicle state, and a control that is a frame that instructs the vehicle to perform predetermined control. An in-vehicle network system including a plurality of electronic control units that exchange frames via a network bus, the receiving unit sequentially receiving a status frame and a control frame from the network bus, and a control frame received by the receiving unit Whether or not to suppress the predetermined control based on the control frame is determined based on a set of state frames received by the receiving unit within a predetermined period preceding the reception of the control frame. And a determination unit that determines based on whether the state satisfies a predetermined criterion. A mounting network system.

</ RTI> According to the present disclosure, unauthorized control due to an unauthorized frame flowing in the network can be appropriately suppressed.

1 is a diagram illustrating an overall configuration of an in-vehicle network system according to Embodiment 1. FIG. It is a figure which shows the format of the data frame prescribed | regulated by a CAN protocol. It is a figure which shows the format of the error frame prescribed | regulated by a CAN protocol. 2 is a configuration diagram of a monitoring ECU according to Embodiment 1. FIG. It is a figure which shows an example of the flame | frame reception log information which monitoring ECU which concerns on Embodiment 1 uses. It is a figure which shows an example of the vehicle state information which monitoring ECU which concerns on Embodiment 1 uses. It is a figure which shows an example of the function restriction rule which monitoring ECU which concerns on Embodiment 1 uses. It is a block diagram of ECU in a vehicle-mounted network system. It is a figure which shows the example of the data frame which various ECU transmits. It is a figure which shows the processing sequence of the parking assistance function in Embodiment 1. FIG. It is a figure which shows the sequence of the attack to the parking assistance function in Embodiment 1, and an unauthorized control suppression process. 3 is a flowchart illustrating an example of a monitoring operation performed by a monitoring ECU according to the first embodiment. It is a figure which shows the whole structure of the vehicle-mounted network system which concerns on Embodiment 2. FIG. FIG. 6 is a configuration diagram of a monitoring ECU according to a second embodiment. It is a figure which shows an example of the frame reception log information which monitoring ECU which concerns on Embodiment 2 uses. It is a figure which shows an example of the function restriction rule which monitoring ECU which concerns on Embodiment 2 uses. It is a figure for demonstrating the duration of a vehicle state at the time of receiving the attack which camouflages a vehicle state. It is a figure which shows the sequence of the attack which concerns on the parking assistance function in Embodiment 2, and fraud control suppression. 6 is a flowchart illustrating an example of a monitoring operation performed by a monitoring ECU according to the second embodiment. It is a figure which shows the whole structure of the vehicle-mounted network system which concerns on Embodiment 3. FIG. It is a figure which shows the example of the data frame which ECU which concerns on Embodiment 3 transmits. FIG. 6 is a configuration diagram of a monitoring ECU according to a third embodiment. It is a figure which shows an example of the flame | frame reception log information which monitoring ECU which concerns on Embodiment 3 uses. It is a figure which shows an example of the function restriction rule which monitoring ECU which concerns on Embodiment 3 uses. It is a figure which shows an example of the measurement relevant information which monitoring ECU which concerns on Embodiment 3 uses. FIG. 11 is a diagram illustrating a sequence of an attack on a cruise control function and unauthorized control inhibition in the third embodiment. 10 is a flowchart illustrating an example of a monitoring operation performed by a monitoring ECU according to Embodiment 3. It is a figure which shows an example of a structure of the unauthorized control suppression apparatus which concerns on other embodiment.

An unauthorized control suppression method according to an aspect of the present disclosure includes an unauthorized control in a network system including a plurality of electronic control units that perform transmission / reception of a plurality of frames including a control frame instructing a control target with predetermined control via a communication path A control suppression method, wherein a reception step of sequentially receiving a plurality of frames from the communication path, and whether or not the predetermined control based on the control frame received in the reception step should be suppressed are determined when the control frame is received. And a determination step of determining based on a set of frames received in the reception step within a predetermined period preceding. This makes it possible to specify whether or not the control target in the predetermined period is in an abnormal state from the set of frames received within the predetermined period, so whether or not control by the control frame should be suppressed May be able to be performed appropriately.

The plurality of frames include a state frame including information on the state of the control target. In the determination step, whether or not the predetermined control based on the control frame received in the reception step should be suppressed is determined. Whether the state of the control target in the predetermined period specified based on the set of state frames received in the reception step within the predetermined period preceding the reception of the control frame satisfies a predetermined criterion. It is good also as judging based on. For example, a predetermined standard is set so as to capture a camouflaged state of a control target such as a vehicle. As a result, when an attacker sends an unauthorized control frame for controlling the controlled object after making preparations for impersonating the controlled object state, it is appropriate that the control by the unauthorized control frame should be suppressed It may be possible to make a determination.

Further, in the determination step, when an abnormal state frame is included in the set of state frames received in the reception step within the predetermined period, the state of the control target is specified as a camouflaged state, When the abnormal state frame is not included, the state of the control target is specified as not being a camouflaged state, and the predetermined criterion is satisfied when the specified state of the control target is a camouflaged state, and the control It is not satisfied when the target state is not a camouflaged state, and the determination step may determine that the predetermined control should be suppressed when the predetermined criterion is satisfied. The abnormal state frame is, for example, a state frame including data indicating a value different from a value that can be normally taken. As a result, when an attacker transmits an unauthorized control frame for controlling the controlled object by impersonating the state of the controlled object, the unauthorized control frame can be suppressed.

Further, in the determination step, information on the same item used for execution of the predetermined control received in a set of state frames received in the reception step within the predetermined period at a reception interval shorter than a predetermined threshold. May be specified as an impersonated state on the assumption that an abnormal state frame is included in the set. As a result, it is possible to appropriately specify the camouflaged state by appropriately setting the predetermined threshold in consideration of the margin of the transmission interval of the predetermined state frame. For example, when the predetermined control is a vehicle steering control, a plurality of status frames indicating a target steering angle used for executing the steering control are received at a reception interval shorter than a predetermined threshold based on the margin, etc. In addition, the state of the control target such as a vehicle can be specified as the camouflaged state. For this reason, it is possible to appropriately prevent unauthorized predetermined control.

In the determining step, the set of status frames received in the receiving step within the predetermined period includes more than a predetermined number of status frames indicating information on the same item used for executing the predetermined control. In such a case, the state of the control target may be specified as a camouflaged state on the assumption that an abnormal state frame is included in the set. This makes it possible to appropriately identify a camouflaged state in which the state frame is transmitted redundantly.

Further, in the determination step, two state frames indicating information of the same item used for execution of the predetermined control are included in a set of the state frames received in the reception step within the predetermined period. When the difference between the values of the information indicated by the two status frames is larger than a predetermined amount, the abnormal state frame is included in the set, and the state of the control target may be specified as a camouflaged state. good. As a result, when the state frame having a value representing the true state of the control target and the state frame representing a false state different from the true state transmitted by the attacker are mixed, information indicated by the state frame Since the value of can vary more than a predetermined amount, such a camouflaged state can be appropriately specified.

In the determination step, a set of status frames received in the reception step within the predetermined period includes a plurality of status frames indicating information on the same item used for execution of the predetermined control. If the value of the information indicated by the plurality of state frames arranged in the order in which they are arranged does not conform to a predetermined rule, the control target state is identified as a camouflaged state, assuming that an abnormal state frame is included in the set It is also good to do. Thereby, for example, when a predetermined rule that the first state and the second state are passed in this order before the state of the vehicle changes to the third state, the vehicle state is the first state. When the status frame indicating the third status is received after the status frame indicating the status, the camouflaged status is identified. For this reason, for example, by appropriately setting a predetermined rule corresponding to the specification of the vehicle or the like as the control target, it becomes possible to appropriately specify the camouflaged state.

In addition, the predetermined criterion is satisfied when the state of the control target in the predetermined period is not a stable state and is not satisfied when the state is a stable state, and the stable state is a specific state indicating the state of the control target The data value of the frame is in a certain value or within a certain range, and in the determination step, the determination related to the predetermined control based on the control frame is performed immediately before the reception at the reception of the control frame. Based on a set of state frames received in the reception step within the predetermined period, and based on the state of the control target in the predetermined period, the predetermined criterion is satisfied in the determination step In this case, it may be determined that the predetermined control should be suppressed. As a result, if the attacker sends a status frame that impersonates the state of the controlled object before sending an unauthorized control frame, and the controlled object is out of the stable state, the unauthorized control It may be possible to appropriately determine that the control by the frame should be suppressed.

The predetermined criterion is satisfied when the state of the control target in the predetermined period is a change frequent state that changes more than a predetermined number of times, and is not satisfied when the state is not a frequent change state. In the determination step, It may be determined that the predetermined control should be inhibited when a predetermined criterion is satisfied. This change is, for example, a change that exceeds a certain amount when the state is represented quantitatively, or a change that changes the division when the state is divided into a plurality of categories. As a result, frames transmitted normally and frames transmitted by attackers appear alternately on the network communication path, etc., causing inconsistencies in the information indicated by those frames when viewed in a predetermined period rather than instantaneously. When a situation occurs, it may be possible to appropriately determine that control by an unauthorized control frame transmitted to the attacker should be suppressed.

The unauthorized control suppression method further includes a processing step of executing a predetermined process for suppressing the predetermined control when it is determined in the determination step that the predetermined control based on a control frame should be suppressed. The predetermined process includes a process of discarding the control frame, a process of overwriting the control frame on the communication path, a process of suppressing transfer of the control frame to another communication path, and the control to the electronic control unit. Any one of the processes instructing not to execute the predetermined control based on the frame may be included. Thereby, the predetermined control based on the unauthorized control frame transmitted to the attacker can be appropriately suppressed.

The control target is a vehicle equipped with the network system, the communication path is a wired communication path in the vehicle, and the plurality of electronic control units are in accordance with a CAN protocol or an Ethernet (registered trademark) protocol. The plurality of frames may be exchanged. As a result, security of the in-vehicle network can be ensured.

Further, the predetermined control may be control related to traveling of the vehicle. In the receiving step, any of vehicle speed, wheel rotation speed, yaw rate, acceleration, steering angle, accelerator pedal opening, braking level, engine rotation speed, motor rotation speed, gear position, and ignition switch state It is good also as receiving sequentially the status frame which is a flame | frame containing the information about one. Thereby, it can be possible to defend against an attack by an attacker for controlling the running of the vehicle.

Further, the plurality of frames include a state frame including information on the state of the control target, and the plurality of electronic control units are connected to a network bus as the communication path, and are data frames according to a CAN protocol. When a determination is made in the determination step that the predetermined control based on the control frame should be suppressed, the illegal control suppression method overwrites at least a part of the control frame. Thus, a processing step of transmitting an error frame to the network bus may be included. As a result, the control frame can be effectively invalidated in the in-vehicle network.

In addition, in the unauthorized control suppression device according to one aspect of the present disclosure, a plurality of electronic control units perform transmission / reception of a plurality of frames including a control frame instructing predetermined control with respect to a control target via a communication path. A fraud control suppression apparatus connected to the communication path, wherein a reception unit that sequentially receives a plurality of frames from the communication path, and whether or not the predetermined control based on the control frame received by the reception unit should be suppressed Is a fraud control inhibiting device comprising a determination unit that determines a frame based on a set of frames received by the reception unit within a predetermined period preceding the reception of the control frame. Thereby, from the set of frames received within the predetermined period, when the control target in the predetermined period is in an abnormal state, it can be appropriately determined that the control by the control frame should be suppressed. Appropriate control suppression can be realized based on this appropriate determination. In addition, since the unauthorized control suppression device can be used simply by connecting to a communication path of a network system composed of a plurality of electronic control units, it can be introduced without greatly changing the configuration of the network system.

In addition, an in-vehicle network system according to an aspect of the present disclosure uses a network bus to transmit and receive a state frame that is a frame that includes information on the state of the vehicle, and a control frame that is a frame that instructs the vehicle to perform predetermined control. An in-vehicle network system comprising a plurality of electronic control units via a receiver, which sequentially receives a status frame and a control frame from the network bus, and inhibits the predetermined control based on the control frame received by the receiver Whether or not to be determined is determined based on a set of state frames received by the receiving unit within a predetermined period preceding the reception of the control frame, and the state of the vehicle in the predetermined period satisfies a predetermined criterion In-vehicle network system comprising a determination unit for determining whether or not A. Thus, for example, by setting a predetermined standard so as to capture the camouflaged state of the vehicle, an attacker transmits an unauthorized control frame for controlling the vehicle after preparing for camouflaging the vehicle state. In this case, it can be appropriately determined that the control by the unauthorized control frame should be suppressed. For this reason, this in-vehicle network system can perform appropriate defense against attacks.

These general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a computer-readable recording medium such as a CD-ROM. The system, method, integrated circuit, computer You may implement | achieve with arbitrary combinations of a program or a recording medium.

Hereinafter, an in-vehicle network system including a monitoring ECU that uses an unauthorized control suppression method according to an embodiment will be described with reference to the drawings. Each of the embodiments shown here shows a specific example of the present disclosure. Therefore, numerical values, components, arrangement and connection forms of components, and steps and order of steps as processing elements shown in the following embodiments are merely examples and do not limit the present disclosure. . Among the constituent elements in the following embodiments, constituent elements that are not described in the independent claims can be arbitrarily added. Each figure is a mimetic diagram and is not necessarily illustrated strictly.

(Embodiment 1)
Hereinafter, as a first embodiment of the present disclosure, an in-vehicle network system 10 including a monitoring ECU that monitors a frame flowing in an in-vehicle network will be described with reference to the drawings.

[1.1 Overall configuration of in-vehicle network system 10]
FIG. 1 is a diagram illustrating an overall configuration of an in-vehicle network system 10 according to the first embodiment.

The in-vehicle network system 10 is an example of a network communication system that performs communication according to the CAN protocol, and is a network communication system in a vehicle on which various devices such as a control device, a sensor, an actuator, and a user interface device are mounted. The in-vehicle network system 10 includes a plurality of devices that perform communication related to a frame via a bus, and uses an unauthorized control suppression method. Specifically, as shown in FIG. 1, the in-vehicle network system 10 includes a bus 300 and a monitoring ECU 100, ECUs 200a to 200d, and the like connected to the bus 300. The in-vehicle network system 10 may include a number of ECUs in addition to the monitoring ECU 100 and the ECUs 200a to 200d. Here, for the sake of convenience, the description will be given focusing on the monitoring ECU 100 and the ECUs 200a to 200d. In a vehicle equipped with the in-vehicle network system 10, a plurality of ECUs communicate and cooperate to realize, for example, a parking assistance function that is a function of an advanced driver assistance system (ADAS: Advanced Driver Assistance System). The

Each ECU is a device including, for example, a processor (microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like. The memory is a ROM, a RAM, or the like, and can store a program (computer program) executed by the processor. For example, when the processor operates according to a program, the ECU realizes various functions. The computer program is configured by combining a plurality of instruction codes indicating instructions for the processor in order to achieve a predetermined function. The ECU can be connected to various devices. The ECU 200a is connected to the speed sensor 210. The ECU 200b is connected to a rear camera 220 that is a camera that captures the rear of the vehicle and a monitor 230 that is a touch panel that displays an image, a GUI (Graphical User Interface) image, and the like and receives an operation. The ECU 200c is connected to a handle (steering wheel) 240. The ECU 200d is connected to a gear 250 that is a speed change mechanism.

Each ECU exchanges frames via the bus 300 according to the CAN protocol. Frames exchanged between ECUs include, for example, a data frame (referred to as a state frame) that includes information related to the state of the vehicle, a data frame (referred to as a control frame) that instructs the vehicle to perform control, and the like. A data frame including a state relating to the state of the vehicle and instructing the vehicle to be controlled, that is, a data frame that is a state frame and is a control frame may be exchanged between the ECUs.

The ECU 200a periodically includes the data on the vehicle speed (that is, the vehicle speed) obtained from the speed sensor 210 in a data frame and transmits the data to the bus 300. The ECU 200b displays the rear image of the vehicle acquired from the rear camera 220 on the monitor 230 to notify the driver of the vehicle of the rear state. In addition, the ECU 200b accepts a start request for a parking assist function from the driver by a touch operation on the monitor 230 or the like. Here, a description will be given assuming that the parking assist function is a function of automatically operating the steering wheel toward the parking space designated by the driver behind the vehicle. If the gear 250 is set to “reverse”, which is the gear position for the backward movement of the vehicle, and the operation for requesting the start of the parking support function is performed, the driver moves the vehicle backward and parks only by operating the accelerator and the brake. You can park in the space. When the ECU 200b receives a start request for the parking assist function from the driver, the ECU 200b calculates a target steering angle related to an angle at which the steering wheel should be turned from information of the rear camera 220, and displays a control flag and a target in a data frame indicating a steering control instruction. The data indicating the steering angle is periodically transmitted to the bus 300. Here, the control flag of the data frame indicating the handle control instruction indicates that control is performed with a value of 1, and indicates that control is not performed with a value of 0. If the control flag has a value of 1, the data frame indicating the handle control instruction is a control frame. The ECU 200c changes the traveling direction of the vehicle by controlling the handle 240 according to the control frame of the handle control instruction transmitted from the ECU 200b. Note that the ECU 200c controls the handle 240 when the vehicle speed notified from the ECU 200a is 10 km / h or less and the gear position of the gear 250 is confirmed to be “reverse”. The ECU 200d periodically transmits data indicating the current gear position of the gear 250 to the bus 300 in a data frame. The state frame indicating the vehicle speed and the state frame indicating the gear position are sequentially transmitted at a substantially constant cycle.

The monitoring ECU 100 is a kind of ECU as an unauthorized control suppression device, and is connected to the bus 300. The monitoring ECU 100 monitors data frames such as a state frame and a control frame that flow through the bus 300, and invalidates the control frame when an unauthorized control frame that instructs vehicle control transmitted by an attacker's attack is detected. This prevents unauthorized vehicle control.

[1.2 Data frame format]
Hereinafter, data frames used in a network according to the CAN protocol will be described.

FIG. 2 is a diagram showing a data frame format defined by the CAN protocol. In the figure, a data frame in a standard ID format defined by the CAN protocol is shown. The data frame includes an SOF (Start Of Frame), ID field, RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit “r”, DLC (Data Length Code), data field, CRC (Cyclic Redundancy Check) sequence. , A CRC delimiter “DEL”, an ACK (Acknowledgement) slot, an ACK delimiter “DEL”, and an EOF (End Of Frame) field.

SOF is composed of 1-bit dominant. The idle state of the bus is recessive, and changing to dominant by SOF is a notification of frame transmission start.

The ID field is a field for storing an ID that is a value indicating the type of data, which is composed of 11 bits. When a plurality of nodes start transmission at the same time, a frame having a small ID is designed to have a high priority in order to perform communication arbitration in this ID field.

RTR is a value for identifying a data frame and a remote frame, and is composed of a dominant 1 bit in the data frame.

IDE and “r” are both composed of dominant 1 bit.

DLC is composed of 4 bits and is a value indicating the length of the data field.

The data field is a value indicating the content of data to be transmitted composed of a maximum of 64 bits. The length of the data field can be adjusted every 8 bits. The specification of the data to be sent is not defined by the CAN protocol, but is defined in the in-vehicle network system 10. Therefore, the specification depends on the vehicle type, manufacturer, and the like.

CRC sequence consists of 15 bits. The CRC sequence is calculated from the transmission values of the SOF, ID field, control field, and data field.

CRC delimiter is a delimiter representing the end of a CRC sequence composed of 1-bit recessive.

ACK slot consists of 1 bit. The transmitting node performs transmission with the ACK slot being recessive. The receiving node transmits an ACK slot as a dominant if reception is successful up to the CRC sequence. Since dominant is given priority over recessive, if the ACK slot is dominant after transmission, the transmitting node can confirm that any receiving node has received successfully.

ACK delimiter is a delimiter representing the end of ACK composed of 1-bit recessive.

EOF is composed of 7 bits recessive and indicates the end of the data frame.

[1.3 Error frame format]
FIG. 3 is a diagram illustrating an error frame format defined by the CAN protocol. The error frame includes an error flag (primary), an error flag (secondary), and an error delimiter “DEL”.

The error flag (primary) is used to notify other nodes of the occurrence of an error. A node that detects an error continuously transmits a 6-bit dominant to notify other nodes of the occurrence of the error. This transmission violates the bit stuffing rule in the CAN protocol (that is, a rule that does not continuously transmit the same value of 6 bits or more), and causes an error frame (secondary) to be transmitted from another node.

The error flag (secondary) is composed of a continuous 6-bit dominant used to notify other nodes of the occurrence of an error. All nodes that have received the error flag (primary) and detected a violation of the bit stuffing rule will transmit the error flag (secondary).

The error delimiter “DEL” is an 8-bit continuous recess and indicates the end of the error frame.

[1.4 Configuration of Monitoring ECU 100]
FIG. 4 is a configuration diagram of the monitoring ECU 100. The monitoring ECU 100 includes a frame transmission / reception unit 110, a frame processing unit 120, a state camouflage detection unit 130, a function restriction unit 140, a frame generation unit 150, a reception history holding unit 160, a vehicle state holding unit 170, and a function. And a restriction rule holding unit 180. Each component of the monitoring ECU 100 shown in FIG. 4 can be realized by a storage medium such as a memory of the monitoring ECU 100, a communication circuit, a processor that executes a program stored in the memory, or the like.

The frame transmission / reception unit 110 transmits / receives a frame according to the CAN protocol to / from the bus 300. The frame transmission / reception unit 110 has a function as a reception unit that receives a frame from the bus 300 bit by bit. The frame transmitting / receiving unit 110 receives the data frame and transfers information such as ID, DLC, and data in the data frame to the frame processing unit 120. If the frame transmission / reception unit 110 determines that the data frame does not conform to the CAN protocol, the frame transmission / reception unit 110 transmits an error frame. In addition, when the frame transmission / reception unit 110 receives an error frame during reception of a data frame, that is, when it interprets that the value in the received data frame is an error frame, the data frame is discarded thereafter. To do. When receiving a data frame transmission request from the frame generation unit 150, the frame transmission / reception unit 110 transmits the contents of the data frame to the bus 300 one bit at a time.

The frame processing unit 120 receives data frame information from the frame transmitting / receiving unit 110 and interprets the contents of the data frame. Further, the frame processing unit 120 notifies the status impersonation detection unit 130 and the function restriction unit 140 of the data frame being received.

The state camouflage detection unit 130 performs a camouflage detection process that determines whether or not the vehicle state is camouflaged with reference to the reception history information held by the reception history holding unit 160. The reception history information is data frame reception history information. Based on the transmission interval of the data frame defined in advance for each ID, the state impersonation detection unit 130 includes a plurality of identical IDs within a margin range centered after the transmission interval from the previously received data frame. It is determined whether or not the state of the vehicle is camouflaged depending on whether or not the data frame is received. For example, when the transmission interval of a data frame that is a state frame related to the vehicle speed of ID “0x100” periodically transmitted by the ECU 200a is defined as 50 ms in advance, the monitoring ECU 100 determines that the data frame of a certain ID “0x100”. The number of data frames with ID “0x100” is expected to be one during the period T, which is the time from the time of receiving +50 ms−margin to the time of receiving the data frame + 50 ms + margin. However, when the attacker transmits a data frame with ID “0x100” at this time, two data frames with ID “0x100” are combined with the data frame with ID “0x100” normally transmitted from the ECU 200a. It is received by the monitoring ECU 100 within the period T. In such a case, the state camouflage detection unit 130 determines that the vehicle state is a camouflaged state in which the vehicle state is camouflaged with respect to the vehicle speed indicated by the state frame of ID “0x100”. When the monitoring ECU 100 receives the status frame that is the data frame of two IDs “0x100” in the period T, the status frame received by the monitoring ECU 100 includes an abnormal status frame. become. When such an abnormal state frame is received, the state of the vehicle indicated by the state frame having the same ID is determined by the state impersonation detection unit 130 to be in a forged state. The state impersonation detection unit 130 holds information on a transmission interval that is defined in advance for each ID of a state frame for which determination of impersonation is to be performed. In addition, the margin used by the state impersonation detection unit 130 is appropriately determined to allow fluctuations in the transmission interval of normally transmitted data frames, and is set to 3 ms, for example. Moreover, the state camouflage detection part 130 updates the vehicle state information stored in the vehicle state holding | maintenance part 170 according to the determination result in the camouflage detection process. Further, the state camouflage detection unit 130 receives the reception history stored in the reception history holding unit 160 based on the value of the state frame data transmitted from the ECU 200a, the ECU 200d, and the like and the time when the state frame was received. Update information. In this update, the state impersonation detection unit 130 acquires the time when the state frame is received, for example, by a timer that counts the elapsed time from when the monitoring ECU 100 is started or from another predetermined time, and receives the reception history. Record in information.

The function restriction unit 140 receives the control frame for controlling the vehicle, the vehicle state information stored in the vehicle state holding unit 170, and the vehicle control stored in the function restriction rule holding unit 180. It is determined whether or not the control of the vehicle should be suppressed with reference to the function restriction rule that is a criterion for determining whether or not the vehicle should be suppressed. When it is determined that the control of the vehicle should be suppressed, the function restriction unit 140 sends an error frame to the frame generation unit 150 in order to invalidate the control frame being received for the control of the vehicle. Request. With this error frame, the control frame being received is overwritten on the bus 300, and the control frame is invalidated. Due to the effect of overwriting by the error frame, the ECU such as the ECU 200c cannot completely receive the entire control frame from the bus 300, and therefore does not perform control according to the control frame.

The frame generation unit 150 causes the frame transmission / reception unit 110 to transmit the frame when transmission of the frame is requested. The frame generation unit 150 generates a data frame when transmission of a data frame is requested, and causes the frame transmission / reception unit 110 to transmit the data frame.

The reception history holding unit 160 holds a reception history of data frames received by the monitoring ECU 100. The reception history holding unit 160 holds, for example, reception history information (see FIG. 5) indicating a data value related to a state frame received within the latest 100 ms and a reception time.

The vehicle state holding unit 170 holds vehicle state information (see FIG. 6) indicating the vehicle state determined in the camouflage detection process by the state camouflage detection unit 130.

The function restriction rule holding unit 180 holds a function restriction rule (see FIG. 7), which is a criterion for determining whether or not control by the control frame being received should be suppressed.

[1.5 Receive history information]
FIG. 5 shows an example of reception history information held by the reception history holding unit 160. In the example of the figure, the reception history information includes the reception time and data value of the status frame indicating the vehicle speed of ID “0x100” and the status frame indicating the gear position of ID “0x300” received within the last 100 ms. including.

According to the reception history information of this example, regarding the state frame of ID “0x100” related to the vehicle speed, the data value at the latest reception is 42.1 km / h and the reception time is 110 ms. At the time of the previous reception, the data value of the vehicle speed state frame is 0.0 km / h, and the reception time is 61 ms. At the time of reception two times before, the data value of the vehicle speed state frame is 42.0 km / h, and the reception time is 60 ms. At the time of reception three times before, the data value of the vehicle speed state frame is 42.0 km / h, and the reception time is 10 ms. For the state frame of ID “0x300” related to the gear position, the data value at the time of the latest reception indicates “drive” which is the gear position for forward movement of the vehicle, and the reception time is 100 ms. In the previous reception, the data value indicates “drive”, and the reception time is 50 ms. In the example of FIG. 5, the status frame related to the gear position has not been received last time, or has been received before the last 100 ms and is not held.

[1.6 Vehicle status information]
FIG. 6 shows an example of vehicle state information held by the vehicle state holding unit 170. In the example of the figure, as the vehicle state information, the state of the vehicle related to the state frame of ID “0x100” related to the vehicle speed and the state of the vehicle related to the state frame of ID “0x300” related to the gear position are impersonated. It is indicated by a flag. In this example, if the camouflage flag is 1, it indicates that the vehicle is in the camouflaged state, and if it is 0, it indicates that the vehicle is not in the camouflaged state. The camouflaged state is, for example, a state in which a state frame indicating a false data value regarding the vehicle speed, gear position, etc. as the vehicle state is flowed on the bus 300, that is, a state in which the vehicle state is camouflaged. is there. In the example of FIG. 6, the state of the vehicle related to the vehicle speed indicated by the state frame of ID “0x100” indicates that it is a camouflaged state. Further, it is indicated that the state of the vehicle related to the gear position indicated by the state frame of ID “0x300” is not a camouflaged state.

[1.7 Function restriction rules]
FIG. 7 shows an example of a function restriction rule held by the function restriction rule holding unit 180.

The function restriction rule is information indicating a criterion for determining whether or not the control of the vehicle should be suppressed. In the example of the figure, the function restriction target that is information for specifying a control frame for controlling the vehicle and the reference vehicle The state conditions are associated with each other. In the figure, an example is shown in which the function restriction rule is composed of a plurality of items, but the number of items in the rule may be one or plural.

In this example, the restriction target function of rule number 1 is a data frame whose control flag is 1 (that is, a control frame related to the handle control instruction) included in the data frame with ID “0x200” related to the handle control instruction. The condition of the vehicle state for inhibiting the control is that the vehicle state related to the state frame of ID “0x100” related to the vehicle speed is the camouflaged state (that is, the camouflage flag is 1). Similarly, the restriction target function of the rule number 2 is also a control frame related to the steering wheel control instruction, and the condition of the vehicle state for inhibiting the steering wheel control is related to the state frame of ID “0x300” related to the gear position. The state of the vehicle to perform is a camouflaged state (that is, the camouflage flag is 1).

The function restriction unit 140 refers to the function restriction rule, and suppresses control of the vehicle by the control frame when the condition of the vehicle state corresponding to the function restriction target corresponding to the control frame being received is satisfied. The frame generation unit 150 is requested to transmit an error frame to invalidate the control frame. Specifically, when receiving the control frame related to the steering wheel control instruction, the function restriction unit 140 follows the ID “” in the vehicle state information held by the vehicle state holding unit 170 in accordance with the rule of the rule number 1 item in FIG. When the vehicle state related to the vehicle speed indicated by the state frame of “0x100” is a camouflaged state (that is, the camouflage flag is 1), an error frame is sent to the frame generator 150 in order to invalidate the control frame. Request to send. In accordance with the rule of the item of rule number 2 in FIG. 7, the function restriction unit 140 determines that the vehicle state related to the gear position indicated by the state frame with ID “0x300” in the vehicle state information is a camouflaged state (that is, the camouflage flag is 1). If so, an error frame transmission request is sent to the frame generation unit 150 in order to invalidate the control frame related to the handle control instruction. When receiving the control frame related to the steering wheel control instruction, the function restriction unit 140 transmits an error frame when the vehicle state related to the vehicle speed is not the camouflaged state and the vehicle state related to the gear position is not the camouflaged state. Do not make a request.

[1.8 Configuration of ECU 200a]
FIG. 8 is a configuration diagram of the ECU 200a. The ECU 200a includes a frame transmission / reception unit 201, a frame processing unit 202, a device input / output unit 203, and a frame generation unit 204. Each of these components is a functional component, and each function is realized by a communication circuit in the ECU 200a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The ECU 200b, the ECU 200c, and the ECU 200d have substantially the same configuration as the ECU 200a.

The frame transmission / reception unit 201 transmits / receives a frame according to the CAN protocol to / from the bus 300. The frame transmitting / receiving unit 201 receives a data frame from the bus 300 one bit at a time, and when the reception of the data frame is completed without error, transfers information such as ID, DLC, and data in the data frame to the frame processing unit 202. If the frame transmission / reception unit 201 determines that the data frame does not conform to the CAN protocol, the frame transmission / reception unit 201 transmits an error frame. If the frame transmission / reception unit 201 receives an error frame while receiving a data frame, the frame transmission / reception unit 201 discards the data frame thereafter. The frame transmission / reception unit 201 transmits the contents of the frame received from the frame generation unit 204 to the bus 300. Processing in accordance with the CAN protocol such as communication arbitration is also realized in the frame transmission / reception unit 201.

The frame processing unit 202 interprets the contents of the received data frame. The ECU 200c having the same configuration as the ECU 200a will be described as an example. The frame processing unit 202 of the ECU 200c interprets information such as a vehicle speed, a steering wheel control instruction, and a gear position included in a data frame transmitted from the ECU 200a, the ECU 200b, and the ECU 200d. Control information for controlling the handle 240 is notified to the device input / output unit 203 as necessary. In the frame processing unit 202 of the ECU 200c, when the vehicle speed notified from the ECU 200a exceeds 10 km / h, or when the gear position notified from the ECU 200d is other than “reverse”, the steering wheel control instruction The handle 240 is not controlled even when a control frame related to (i.e., a data frame having ID “0x200” and a control flag of 1) is received.

The equipment input / output unit 203 includes a communication circuit that communicates with equipment connected to the ECU. The device input / output unit 203 of the ECU 200a acquires the current vehicle speed from the speed sensor 210, and notifies the frame generation unit 204 of the vehicle speed so as to generate and transmit a data frame indicating the vehicle speed. The device input / output unit 203 of the ECU 200b acquires video data indicating a situation behind the vehicle from the rear camera 220. In addition, the device input / output unit 203 of the ECU 200b accepts an operation of a driver's parking support function start request for the monitor 230, calculates a target steering angle for controlling the handle 240 from the situation behind the vehicle, and controls the handle. A target steering angle is notified to the frame generation unit 204 for generation of a control frame according to the instruction. The device input / output unit 203 of the ECU 200c controls the handle 240 according to control information based on a control frame or the like related to the handle control instruction notified from the ECU 200b. In addition, the device input / output unit 203 of the ECU 200d acquires the current gear position from the gear 250, and notifies the frame generation unit 204 of the gear position to generate and transmit a data frame indicating the gear position.

The frame generation unit 204 generates a data frame to be transmitted to the bus 300 based on the information notified from the device input / output unit 203, and transmits the generated data frame to the bus 300 via the frame transmission / reception unit 201. For example, in the ECU 200a, the frame generation unit 204 generates a data frame including vehicle speed information from the speed sensor 210 notified from the device input / output unit 203 at an interval of 50 ms, which is a predetermined cycle, and transmits and receives frames. Notification to the unit 201. Note that 50 ms as the data frame generation interval is merely an example of a cycle, and may be other than 50 ms. Next, examples of data frames transmitted by the ECU 200a, the ECU 200b, and the ECU 200d will be described with reference to FIG.

[1.9 Data frame transmitted by ECU]
FIG. 9 shows an example of a data frame transmitted by each of the ECU 200a, the ECU 200b, and the ECU 200d.

9 (a) is an example of a data frame transmitted by the ECU 200a, that is, a state frame related to the vehicle speed. The state frame related to this vehicle speed has ID “0x100”, DLC is 2, and the data field is 2 bytes including the first byte and the second byte, and the vehicle speed (in units of 0.1 km / h). Represents. The example of the data frame in (a) of FIG. 9 represents a state frame indicating 42.1 km / h (0x1A5) as the vehicle speed.

9B is an example of a data frame transmitted by the ECU 200b, that is, a data frame related to a handle control instruction. The data frame related to this handle control instruction has ID “0x200”, DLC is 4, and the data field is a control flag indicating whether or not handle control is performed. Indicates that the control of the handle 240 should be performed, and 0 indicates that the control of the handle 240 should not be performed. The second byte indicates whether the handle 240 should be rotated in the left or right direction when instructing handle control, with 0 on the right and 1 on the left. A target steering angle for controlling the steering wheel 240 is indicated by 2 bytes including the 3rd byte and the 4th byte of the data field. The example of the data frame in (b) of FIG. 9 represents a control frame indicating a handle control instruction to turn right by 48 degrees.

9 (c) is an example of a data frame transmitted by the ECU 200d, that is, a state frame related to a gear position. The status frame related to this gear position has ID “0x300”, DLC is 1, and its data field represents the gear position by 1 byte. The 1-byte value is 0, representing “neutral”, 1 representing “reverse”, 2 representing “drive”, and 3 representing “parking”. The example of the data frame in (c) of FIG. 9 represents a state frame indicating “reverse” as the gear position.

[1.10 Parking support function sequence]
FIG. 10 shows an example of a processing sequence related to the parking support function in a normal state.

ECU 200a transmits a state frame indicating the vehicle speed (that is, a data frame having ID “0x100”) to bus 300 (step S11). The data frame is broadcast to all ECUs connected to the bus 300. The ECU 200c responsible for controlling the steering wheel 240 receives a state frame indicating the vehicle speed from the bus 300 as a data frame of an ID to be received, and updates and holds the current vehicle speed based on the state frame. The ECU 200a transmits a state frame indicating the vehicle speed at a predetermined transmission interval of 50 ms. However, in FIG. 10, transmission of the subsequent state frame related to the vehicle speed is omitted.

Further, the ECU 200d transmits a state frame indicating the gear position (that is, a data frame having the ID “0x300”) to the bus 300 (step S12). The ECU 200c receives a status frame indicating the gear position from the bus 300 as a data frame of an ID to be received, and updates and holds the current gear position based on the status frame. Note that the ECU 200d transmits a state frame indicating a gear position at a transmission interval of 50 ms, but in FIG. 10, transmission of the subsequent state frame related to the gear position is omitted.

When the driver performs an operation for starting execution of the parking support function on the monitor 230, a parking support request is transmitted from the monitor 230 to the ECU 200b (step S13).

ECU200b will display the image | video of the back of the vehicle acquired from the rear camera 220 on the monitor 230, if a parking assistance request | requirement is transmitted (step S14).

When the driver designates a parking position by operating the monitor 230 while viewing the video displayed on the monitor 230, the monitor 230 transmits a parking position determination notification indicating the parking position to the ECU 200b (step S15).

The ECU 200b calculates the steering angle of the steering wheel 240 as a target (that is, the target steering angle) based on the parking position indicated by the parking position determination notification, sets the control flag to 1 as a data frame having ID “0x200”, Information including the steering angle is transmitted (step S16). That is, the ECU 200b transmits a control frame related to the handle control instruction. Note that the ECU 200b periodically updates the data frame having the ID “0x200” by sequentially updating the target steering angle of the handle 240 to an appropriate value, and periodically transmits the ID “0x200” in FIG. The transmission of the data frame is omitted.

The ECU 200c receives a control frame related to the steering wheel control instruction (that is, a data frame having an ID “0x200” and a control flag of 1), the current vehicle speed is 10 km / h or less, and the gear position is Only in the case of “reverse”, control is performed to turn the handle 240 to the target steering angle (step S17).

[1.11 Sequence related to deterring attacks on parking support functions]
FIG. 11 shows an example of a sequence related to an attack on the parking support function and an unauthorized control suppression process by the monitoring ECU 100. Here, it is assumed that the monitoring ECU 100 holds the function restriction rule illustrated in FIG. Further, it is assumed that the operation for starting execution of the parking support function is not performed and the vehicle is traveling forward. Further, it is assumed that the ECU 200d periodically transmits a state frame indicating that the gear position is “drive”. In FIG. 11, the description of the state frame relating to the gear position is omitted.

ECU 200a transmits a state frame indicating the vehicle speed (that is, a data frame having ID “0x100”) to bus 300 (step S21). In this example, the current vehicle speed is 42.1 km / h.

In order for the ECU 200c to control the handle 240, it is necessary to satisfy the condition that the vehicle speed is 10 km / h or less. For this reason, the attack ECU indicates a data frame indicating false information indicating that the vehicle speed is 0 km / h and having an ID “0x100”, that is, false information related to the vehicle speed, as a step before illegally controlling the steering wheel 240. A status frame is transmitted (step S22). The attack ECU is an ECU connected to the bus 300, for example, an ECU connected by the attacker to the bus 300, an ECU controlled by the attacker by hacking, or the like. The attack ECU, for example, observes the transmission cycle of the state frame related to the vehicle speed by the ECU 200a, and shows the false information related to the vehicle speed having the same ID during a predetermined transmission interval margin range. Send. Thereby, it becomes difficult to detect that the state frame indicating the false information related to the vehicle speed is simply an illegal frame from the transmission timing.

ECU200c which received the state frame which shows the false information regarding the vehicle speed transmitted in step S22 updates the current vehicle speed to be held to 0 km / h. Further, the monitoring ECU 100 detects that the state frame of the ID “0x100” related to the vehicle speed is expected to be received once by the camouflage detection process, that is, within a margin range related to a predetermined transmission interval. Since it is received twice in the period, it is determined that the vehicle state relating to the vehicle speed indicated by the state frame of ID “0x100” is the camouflaged state. Thereby, the camouflage flag regarding the vehicle speed in the vehicle state information becomes 1.

ECU 200b transmits a data frame indicating the steering wheel control instruction having ID “0x200” (step S23). At this time, since the execution of the parking support function has not started, the control flag indicating whether or not to perform the handle control is 0, and the handle 240 is not controlled. On the other hand, since the control flag included in the data frame having the ID “0x200” is 0, the monitoring ECU 100 does not transmit an error frame or the like because it is not a function restriction target of each rule of the function restriction rule. .

Next, in order to illegally control the handle 240, the attack ECU transmits a data frame having an ID “0x200” and having a control flag set to 1 (that is, a control frame related to the handle control instruction) (step S24). On the other hand, the monitoring ECU 100 determines whether or not to suppress the control of the vehicle based on the function restriction rule and the vehicle state information during reception of the control frame. The monitoring ECU 100 determines that the control frame transmitted in step S24 matches the function restriction target of the rule of the rule number 1 of the function restriction rule, and the corresponding vehicle state condition is satisfied. It is determined that control of the vehicle should be suppressed.

Subsequently, since the monitoring ECU 100 determines that the control of the vehicle by the control frame being received should be suppressed, the monitoring ECU 100 transmits an error frame to invalidate the control frame related to the steering wheel control instruction (step S25). By transmitting the error frame, the monitoring ECU 100 can suppress unauthorized control of the handle 240 due to an attack. This error frame overwrites the data frame having the ID “0x200” being transmitted, and as a result, the transmission of the data frame by the attack ECU is interrupted. The ECU 200c receives the error frame, discards the data frame being received, and does not control the handle 240 based on the data frame.

As described above, the monitoring ECU 100 transmits the error frame depending on the determination result based on the function restriction rule, thereby preventing the ECU 200c from receiving the data frame for illegally controlling the handle 240 by the attack ECU. it can.

[1.12 Monitoring Operation by Monitoring ECU 100]
FIG. 12 is a flowchart illustrating an example of a monitoring operation performed by the monitoring ECU 100. The process related to the monitoring operation is performed every time a data frame appears on the bus 300.

The monitoring ECU 100 receives the data frame, and determines whether or not the ID of the data frame being received is the ID of the data frame whose reception history should be held in the reception history holding unit 160 (step S31). Note that, in this example, the ID of the data frame to be stored in the reception history is different from the ID of the data frame to be function restricted in the function restriction rule, but this is only an example. For example, the ID related to the reception history holding target is the ID “0x100” of the state frame related to the vehicle speed and the ID “0x300” of the state frame related to the gear position (see FIG. 5).

When the ID of the data frame being received is the ID of the data frame whose reception history is to be held in the reception history holding unit 160, the monitoring ECU 100 receives the data value indicating the vehicle speed of the data frame being received, The reception history information held by the reception history holding unit 160 is updated so as to include the time (step S32). When updating the reception history information, for example, the monitoring ECU 100 may erase the reception history information whose reception time is earlier than a certain time (for example, 100 ms) from the current time.

Further, the monitoring ECU 100 performs a camouflage detection process with reference to the reception history information held by the reception history holding unit 160 (step S33). Specifically, the monitoring ECU 100 predefines, for example, at the reception time of the oldest state frame of the reception history of the state frame (data frame) related to one ID in the reception history information by the state impersonation detection unit 130. The number of state frames in a range (referred to as a reception timing range) from the time obtained by adding the transmission interval (for example, 50 ms) to the time obtained by subtracting the margin (for example, 3 ms) from the reference time. Count what you are receiving. When two or more state frames are received, it is determined that the vehicle state is camouflaged, and the camouflaged flag of the corresponding ID in the vehicle state holding unit 170 is set to 1. Similarly, the next reception timing range is obtained on the basis of a time obtained by adding a predefined transmission interval (for example, 50 ms) from the reception time of the first state frame received within the reception timing range, and the vehicle state is Repeat until the most recently received status frame for spoofing. Furthermore, when a status frame that is not included in any reception timing range is included in the reception history, the camouflage flag is updated to 1. If the camouflage flag is not set to 1 in such processing, the camouflage flag is set to 0. In this camouflage detection process, it is determined whether or not the vehicle is in a camouflaged state, but whether or not each status frame whose reception history is indicated in the reception history information held by the reception history holding unit 160 is illegal ( In other words, it is not performed until identification of whether or not it is due to an attack.

If the monitoring ECU 100 determines in step S31 that the ID of the data frame being received is not the ID of the data frame whose reception history is to be held in the reception history holding unit 160, the ID of the data frame subject to function restriction It is determined whether or not (step S34). If the monitoring ECU 100 determines that the ID of the data frame being received is not the ID of the data frame subject to function restriction, the monitoring ECU 100 ends the process.

If the monitoring ECU 100 determines in step S34 that the ID of the data frame being received is the ID of the data frame subject to function restriction, is the data frame being received the data frame subject to function restriction? It is determined whether or not (step S35). Specifically, the monitoring ECU 100 refers to the function restriction rule held by the function restriction rule holding unit 180 to determine whether or not the control frame is a control frame that is a data frame related to a handle control instruction having a control flag of 1. . If the data frame being received is not a control frame subject to function restriction, the monitoring ECU 100 ends the process.

If it is determined in step S35 that the data frame being received is a control frame subject to function restriction, the monitoring ECU 100 determines whether or not the control of the vehicle related to the control frame should be suppressed. Specifically, the monitoring ECU 100 refers to the function restriction rule and the vehicle state information held by the vehicle state holding unit 170, and whether the control frame is a function restriction target and the vehicle state condition is satisfied. The determination is made by verifying whether or not (step S36). As a result of the verification in step S36, the monitoring ECU 100 ends the process if the vehicle state condition is not satisfied for any of the rules of each item whose function restriction target is the control frame in the function restriction rule.

As a result of the verification in step S36, the monitoring ECU 100 determines that an error occurs before the last data frame being received is received in order to invalidate the data frame being received in order to invalidate the data frame being received. The frame is transmitted to the bus 300 (step S37). As a result, the error frame is overwritten on the currently received data frame, and the data frame is invalidated. For this reason, ECU (for example, ECU 200c) connected to bus 300 does not control the vehicle based on the invalidated data frame.

[1.13 Effects of Embodiment 1]
In the in-vehicle network system 10 according to the first embodiment, the monitoring ECU 100 uses a predetermined rule related to the transmission interval of the state frames based on the set of state frames received during the certain period, so that It detects that the state of the vehicle was a camouflaged state. Then, when the vehicle state is a camouflaged state, the monitoring ECU 100 disables the control of the vehicle by invalidating the control frame when the control frame for controlling the vehicle is transmitted. To do. As a result, it is possible to protect against an attack in which the vehicle state is impersonated and the vehicle is illegally controlled, and the security of the in-vehicle network can be ensured. In addition, since this method for preventing unauthorized control for defense can be realized by arranging the monitoring ECU 100 in the in-vehicle network, it is possible to protect the in-vehicle network at a reduced cost.

(Embodiment 2)
Hereinafter, an in-vehicle network system 11 obtained by modifying a part of the in-vehicle network system 10 shown in the first embodiment will be described.

The monitoring ECU in the in-vehicle network system 11 according to the present embodiment monitors the state frame flowing through the in-vehicle network, measures the time during which the current vehicle state continues, and stabilizes the vehicle state for a certain period of time. The control function by the control frame for controlling the vehicle is limited based on the criterion regarding whether or not the vehicle is in a state.

[2.1 Overall configuration of in-vehicle network system 11]
FIG. 13 is a diagram illustrating an overall configuration of the in-vehicle network system 11 according to the present disclosure.

As shown in FIG. 13, the in-vehicle network system 11 includes a bus 300, a monitoring ECU 2100 connected to the bus 300, ECUs 200 a to 200 d, and the like. The in-vehicle network system 11 is the same as the in-vehicle network system 10 (see FIG. 1) shown in the first embodiment, unless otherwise described here. Among the constituent elements of the in-vehicle network system 11, the same constituent elements as those in the in-vehicle network system 10 are denoted by the same reference numerals as those in FIG.

The monitoring ECU 2100 is a kind of ECU as an unauthorized control inhibiting device, and is connected to the bus 300. The monitoring ECU 2100 monitors data frames such as a state frame and a control frame that flow through the bus 300, and measures the duration of the vehicle state. The monitoring ECU 2100 determines whether or not the control by the control frame for controlling the vehicle should be suppressed according to the measured duration of the vehicle state, and invalidates the control frame to invalidate the control frame. Suppress control.

[2.2 Configuration of Monitoring ECU 2100]
FIG. 14 is a configuration diagram of the monitoring ECU 2100. Monitoring ECU 2100 includes a frame transmission / reception unit 110, a frame processing unit 120, a vehicle state monitoring unit 2130, a function restriction unit 2140, a frame generation unit 150, a reception history holding unit 2160, and a function restriction rule holding unit 2180. Consists of. Each component of the monitoring ECU 2100 illustrated in FIG. 14 may be realized by a storage medium such as a memory of the monitoring ECU 2100, a communication circuit, a processor that executes a program stored in the memory, or the like. The monitoring ECU 2100 is the same as the monitoring ECU 100 (see FIG. 4) shown in the first embodiment, except that it is not particularly described here. Of the constituent elements of the monitoring ECU 2100, constituent elements having the same functions as those of the monitoring ECU 100 are denoted by the same reference numerals as those in FIG. 4 in FIG.

The frame processing unit 120 notifies the vehicle state monitoring unit 2130 and the function restriction unit 2140 of the data frame being received.

The vehicle state monitoring unit 2130 updates the reception history related to the corresponding ID in the reception history information held by the reception history holding unit 2160 for the data frame notified from the frame processing unit 120. Specifically, vehicle state monitoring unit 2130 updates the reception history information based on the value of the state frame data transmitted from ECU 200a, ECU 200d, and the like, and the time when the state frame was received. In this update, the vehicle state monitoring unit 2130 obtains the time at which the state frame is received by a timer that counts the elapsed time from when the monitoring ECU 2100 is started or from another predetermined time, for example, and the latest 100 ms The reception history information is updated so as to indicate information on the status frame received within.

When the function restriction unit 2140 receives a control frame for controlling the vehicle, the function restriction rule stored in the function restriction rule holding unit 2180 and serving as a reference for whether or not to suppress the vehicle control, With reference to the reception history information held by the reception history holding unit 2160, it is determined whether or not the control of the vehicle should be suppressed. If the function restriction unit 2140 determines that the control of the vehicle should be suppressed, the function restriction unit 2140 transmits an error frame to the frame generation unit 150 in order to invalidate the control frame being received for the control of the vehicle. Request. Specifically, in order to determine whether or not the control of the vehicle should be suppressed, the function restriction unit 2140 receives the control frame that is subject to the function restriction in the function restriction rule and receives the vehicle state. Whether or not the vehicle state indicated by the reception history of the state frame indicated by the reception history information is an unstable state that satisfies the vehicle state duration time in the function restriction rule (that is, A stable state).

The reception history holding unit 2160 holds a reception history of data frames received by the monitoring ECU 2100. The reception history holding unit 2160 holds, for example, reception history information (see FIG. 15) indicating a data value related to a state frame received within the latest 100 ms and a reception time.

The function restriction rule holding unit 2180 holds a function restriction rule (see FIG. 16), which is a criterion for determining whether or not control by the control frame being received should be suppressed.

[2.3 Reception history information]
FIG. 15 shows an example of reception history information held by the reception history holding unit 2160. In the example of the figure, the reception history information includes the reception time and data value of the status frame indicating the vehicle speed of ID “0x100” and the status frame indicating the gear position of ID “0x300” received within the last 100 ms. including.

According to the reception history information of this example, regarding the state frame of ID “0x100” related to the vehicle speed, the data value at the time of the latest reception is 0.0 km / h, and the reception time is 211 ms. At the time of the previous reception, the data value of the vehicle speed state frame is 42.1 km / h, and the reception time is 210 ms. At the time of reception two times before, the data value of the vehicle speed state frame is 42.0 km / h, and the reception time is 160 ms. For the state frame with ID “0x300” related to the gear position, the data value at the time of the latest reception indicates “reverse”, and the reception time is 201 ms. At the time of reception one time before, the data value indicates “drive”, and the reception time is 200 ms. Further, at the time of reception two times before, the data value indicates “drive”, and the reception time is 150 ms.

[2.4 Function restriction rules]
FIG. 16 shows an example of a function restriction rule held by the function restriction rule holding unit 2180.

The function restriction rule is information indicating a criterion for determining whether or not the control of the vehicle should be suppressed. In the example of the figure, the function restriction target that is information for specifying a control frame for controlling the vehicle and the reference vehicle State conditions (specifically, vehicle state duration time conditions) are associated with each other. In the figure, an example is shown in which the function restriction rule is composed of a plurality of items, but the number of items in the rule may be one or plural.

In this example, the restriction target function of rule number 1 is a data frame whose control flag is 1 (that is, a control frame related to the handle control instruction) included in the data frame with ID “0x200” related to the handle control instruction. The condition of the vehicle state for determining that the control should be suppressed is that the state of the vehicle related to the state frame of ID “0x100” related to the vehicle speed is an unstable state. In the example of FIG. 16, the unstable state related to the vehicle speed means a state where the duration time in which the vehicle speed is 10 km / h or less is shorter than 60 ms. If the vehicle speed is 10 km / h or less and the duration is 60 ms or more, the vehicle is stable. In other words, if at least one state frame indicating a vehicle speed greater than 10 km / h has been received from the present to 60 ms before, the function restriction unit 2140 satisfies the condition of the vehicle state duration of rule number 1. As a result, it is determined that the control by the control frame related to the handle control instruction that is the function restriction target should be suppressed.

In the example of FIG. 16, the rule of the item of rule number 2 is that the state of the vehicle related to the state frame of ID “0x300” related to the gear position is in an unstable state. In the example of FIG. 16, the unstable state related to the gear position means a state where the duration of the state where the gear position is “reverse” is shorter than 60 ms. If at least one state frame indicating a gear position other than “reverse” is received between 60 ms and the present time, the function restriction unit 2140 satisfies the condition of the vehicle state duration time of rule number 2 As a result, it is determined that the control by the control frame related to the handle control instruction that is the function restriction target should be suppressed. It should be noted that it is useful to set the condition of the vehicle state duration in consideration of a transmission interval or the like defined in advance for the target state frame. For example, when the transmission interval of the state frame is 50 ms and the duration as the condition of the vehicle state duration is 60 ms, at least one data frame is received during 60 ms. Even when the attacker transmits a state frame indicating information that disguises the vehicle state such as the vehicle speed, the vehicle state duration time is reset to 0 by receiving the normal state frame. For this reason, it is not possible to disguise the vehicle state such as the vehicle speed over a duration longer than 60 ms so as to achieve a stable state in which the function restriction is released. FIG. 17 shows the duration of the state of the vehicle when an attack of transmitting a camouflaged frame that disguises the state of the vehicle related to the vehicle speed is made. In FIG. 17, a state frame indicating a false vehicle speed of 0.0 km / h at times t1, t3, t5 is a normal vehicle speed (for example, 42.0 km / h) periodically transmitted by the ECU 200a at times t0, t2, t4, and the like. h) is sent immediately after the status frame indicating. The time during which the vehicle speed indicated by the sequentially transmitted state frames is 10 km / h or less is shorter than 60 ms. When receiving a control frame related to the steering wheel control instruction when an attack is made in this way, the function restriction unit 2140, for example, according to the rule of the item of rule number 1 in FIG. Since the state is not stable, an error frame transmission request is sent to the frame generation unit 150 in order to invalidate the control frame related to the handle control instruction.

A data frame having an ID “0x200” and a control flag of 1 (that is, a control frame related to a steering wheel control instruction) is a bus only when the vehicle speed is 10 km / h or less and the gear position is “reverse”. The in-vehicle network system 11 is designed so as not to be flown to 300. Then, after the driver performs an operation for starting execution of the parking support function and an operation for specifying the parking position, the control frame related to the steering wheel control instruction is transmitted to the bus 300. It is considered that several seconds will elapse after the driver stops the vehicle and changes the gear position to “reverse” until the start of the parking support function is requested by operating the monitor 230 and the parking position is designated. It is done. When the parking support function is normally used, when a normal data frame subject to function restriction (that is, a control frame related to a steering wheel control instruction) is transmitted, a vehicle speed of 10 km / h or less and “reverse” The state of the vehicle related to the gear position continues for longer than 60 ms. For this reason, it is not determined that the control of the handle by the normal control frame should be inhibited by the function restriction unit 2140. Therefore, when receiving the control frame related to the steering wheel control instruction when the parking assist function is normally used without being attacked, the function restriction unit 2140 has a vehicle speed of 10 km / h or less in the latest 60 ms period. And, since the state of the vehicle related to the gear position “reverse” is a continuous stable state, no error frame transmission request is made.

[2.5 Sequence related to deterring attacks on parking support functions]
FIG. 18 shows an example of a sequence related to an attack on the parking support function and unauthorized control suppression processing by the monitoring ECU 2100. Here, it is assumed that the monitoring ECU 2100 holds the function restriction rule illustrated in FIG. Further, it is assumed that the operation for starting execution of the parking support function is not performed and the vehicle is traveling forward.

ECU 200a transmits a state frame indicating the vehicle speed (that is, a data frame having ID “0x100”) to bus 300 (step S211). In this example, the current vehicle speed is 42.1 km / h. The ECU 200c that has received the state frame related to the vehicle speed transmitted in step S211 updates the current vehicle speed to be held to 42.1 km / h. In addition, the monitoring ECU 2100 that has received the state frame updates the reception history related to the vehicle speed in the reception history information held in the reception history holding unit 2160.

In order for the ECU 200c to control the handle 240, it is necessary to satisfy the condition that the vehicle speed is 10 km / h or less. For this reason, the attack ECU indicates a data frame indicating false information indicating that the vehicle speed is 0 km / h and having an ID “0x100”, that is, false information related to the vehicle speed, as a step before illegally controlling the steering wheel 240. A status frame is transmitted (step S212). The ECU 200c that has received the state frame indicating the false information related to the vehicle speed transmitted in step S212 updates the current vehicle speed to be held to 0 km / h. Moreover, monitoring ECU2100 which received the state frame updates the reception log | history which concerns on the vehicle speed in reception log | history information.

ECU 200d transmits a state frame indicating the gear position (that is, a data frame having ID “0x300”) to bus 300 (step S213). In this example, the current gear position is “drive”. The ECU 200c that has received the state frame related to the gear position transmitted in step S213 updates the current gear position to be held to “drive”. The monitoring ECU 2100 that has received the status frame updates the reception history related to the gear position in the reception history information.

In order for the ECU 200c to control the handle 240, it is necessary to satisfy the condition that the gear position is “reverse”. For this reason, the attack ECU has a data frame indicating the false information that the ID “0x300” and the gear position is “reverse”, that is, the false information related to the gear position, as a step before illegally controlling the handle 240. Is transmitted (step S214). The ECU 200c that has received the status frame indicating the false information related to the gear position transmitted in step S214 updates the current gear position to be held to “reverse”. The monitoring ECU 2100 that has received the status frame updates the reception history related to the gear position in the reception history information.

Next, in order to illegally control the handle 240, the attack ECU transmits a data frame having an ID “0x200” and having a control flag set to 1 (that is, a control frame related to the handle control instruction) (step S215). On the other hand, the monitoring ECU 2100 determines whether or not to suppress the control of the vehicle based on the function restriction rule during reception of the control frame.

Since the control frame transmitted in step S215 matches the function restriction target of the rule of item No. 1 of the function restriction rule and the corresponding vehicle state duration condition is satisfied, the monitoring ECU 2100 performs the control. It is determined that control of the vehicle by the frame should be suppressed. It is noted that monitoring ECU 2100 also has its control frame matched with the function restriction target of the rule of item No. 2 of the function restriction rule, and the corresponding vehicle state duration condition is satisfied. It can be determined that the control of the vehicle by is to be suppressed. If the vehicle state in the predetermined period indicated by the reception history information corresponds to the vehicle state continuation condition indicated by the rule of at least one item of the function restriction rule, the monitoring ECU 2100 controls the function restriction target control frame of that rule. It can be determined that the control of the vehicle by is to be suppressed.

Since the monitoring ECU 2100 determines that the control of the vehicle by the control frame should be suppressed during reception of the control frame transmitted in step S215, an error frame is used to invalidate the control frame related to the steering wheel control instruction. Is transmitted (step S216). By transmitting the error frame, the monitoring ECU 2100 can suppress unauthorized control of the handle 240 due to an attack. This error frame overwrites the data frame having the ID “0x200” being transmitted, and as a result, the transmission of the data frame by the attack ECU is interrupted. The ECU 200c receives the error frame, discards the data frame being received, and does not control the handle 240 based on the data frame.

As described above, the monitoring ECU 2100 transmits the error frame according to the determination result based on the function restriction rule, thereby preventing the ECU 200c from receiving the data frame for illegally controlling the handle 240 by the attack ECU. Can do.

ECU 200a transmits a state frame indicating a vehicle speed of 42.1 km / h to bus 300 (step S217). The ECU 200c that has received the state frame related to the vehicle speed transmitted in step S217 updates the current vehicle speed to be held to 42.1 km / h. In addition, the monitoring ECU 2100 that has received the state frame updates the reception history related to the vehicle speed in the reception history information held in the reception history holding unit 2160.

[2.6 Monitoring Operation by Monitoring ECU 2100]
FIG. 19 is a flowchart illustrating an example of a monitoring operation performed by the monitoring ECU 2100. The process related to the monitoring operation is performed every time a data frame appears on the bus 300.

The monitoring ECU 2100 receives the data frame, and determines whether or not the ID of the data frame being received is the ID of the data frame whose reception history is to be held in the reception history holding unit 2160 (step S221). For example, the ID related to the retention target of the reception history is the ID “0x100” of the state frame related to the vehicle speed and the ID “0x300” of the state frame related to the gear position (see FIG. 15).

When the ID of the data frame being received is the ID of the data frame whose reception history is to be held in the reception history holding unit 2160, the monitoring ECU 2100 receives the data value indicating the vehicle speed of the data frame being received, The reception history related to the ID in the reception history information held by the reception history holding unit 2160 is updated so as to include the time (step S222). Note that, when updating the reception history information, the monitoring ECU 2100 may delete, for example, information on the reception history whose reception time is earlier than a certain time (for example, 100 ms) from the current time.

In step S221, the monitoring ECU 2100 determines that the ID of the data frame being received is not the ID of the data frame whose reception history is to be held in the reception history holding unit 2160, or after the processing in step S222. It is determined whether the middle data frame is a control frame subject to function restriction in the function restriction rule held in the function restriction rule holding unit 2180 (step S223). If the monitoring ECU 2100 determines in step S223 that the data frame being received is not a control frame subject to function restriction, the monitoring ECU 2100 ends the process.

If it is determined in step S223 that the data frame being received is a control frame subject to function restriction, the monitoring ECU 2100 determines whether or not to suppress control of the vehicle related to the control frame based on the function restriction rule. It is determined by verifying whether or not the state of the vehicle in the most recent period is an unstable state (step S224). Specifically, the monitoring ECU 2100 determines whether the condition of the vehicle state duration corresponding to the function restriction target that matches the control frame being received in the rule of each item of the function restriction rule satisfies the reception history holding unit 2160. Is verified by referring to the reception history of the state frame related to the state of the corresponding vehicle and the current time. As a result of the verification regarding whether or not the condition of the vehicle state duration in the function restriction rule is satisfied, the monitoring ECU 2100 does not satisfy the condition of the vehicle state duration for each item rule in the function restriction rule. The process is terminated.

As a result of the verification in step S224, if the condition of the vehicle state duration in the function restriction rule is satisfied, the reception is performed to invalidate the control frame in order to suppress the control of the vehicle by the control frame being received. An error frame is transmitted to the bus 300 before the end of the data frame, which is the middle control frame, is received (step S225). As a result, the error frame is overwritten on the currently received data frame, and the data frame is invalidated. For this reason, ECU (for example, ECU 200c) connected to bus 300 does not control the vehicle based on the invalidated data frame.

[2.7 Effects of Embodiment 2]
In the in-vehicle network system 11 according to the second embodiment, the monitoring ECU 2100 has a data value of a specific state frame indicating the state of the vehicle within a certain value or a certain range based on a set of state frames received during a certain period. It is verified whether or not there is a stable state. The specific state frame is determined corresponding to a control frame for controlling a vehicle that is a function restriction target. This verification is performed, for example, based on the function restriction rule shown in FIG. 16 depending on whether or not the continuation time that the data value of a specific state frame is within a certain value or within a certain range continues for that certain period. Then, when a control frame for controlling the vehicle is transmitted, monitoring ECU 2100 is in a case where the state of the vehicle indicated by the specific state frame is not stable for a certain period (that is, the state continues for a certain period). In the absence of the control frame, the control frame is invalidated to suppress the control of the vehicle. It is useful to set the length of the certain period to a time longer than the predetermined transmission interval of the state frame. Thus, even if the attacker impersonates the vehicle state and transmits a control frame that causes unauthorized control, the control frame is invalidated to the monitoring ECU 2100 due to the short duration of the vehicle state. Is done. Furthermore, it is useful to set the vehicle state duration as a condition for invalidating the data frame subject to function restriction in consideration of the case where the function is normally used. As a result, when the function is normally used, the data frame subject to function restriction is not invalidated, and only the data frame that causes illegal control by the attacker can be invalidated.

This monitoring ECU 2100 makes it possible to protect against an attack that impersonates the vehicle and improperly controls the vehicle, thereby ensuring the security of the in-vehicle network. In addition, since this method of preventing unauthorized control for defense can be realized by placing the monitoring ECU 2100 in the in-vehicle network, it is possible to protect the in-vehicle network at a reduced cost.

(Embodiment 3)
Hereinafter, a vehicle-mounted network system 12 obtained by modifying a part of the vehicle-mounted network system 10 shown in the first embodiment will be described.

The monitoring ECU in the in-vehicle network system 12 according to the present embodiment monitors a state frame flowing through the in-vehicle network, measures a change in the state of the vehicle, and changes in the state of the vehicle exceeding a predetermined number of times in a certain period. The control function by the control frame for controlling the vehicle is limited based on the criterion regarding whether or not the vehicle is in the frequent occurrence state. Whether or not it is in a state of frequent change is determined by observing the number of times the data value indicated by the data frame has changed more than a predetermined amount, as well as observing the time that a change exceeding a predetermined amount has occurred, etc. It is also possible to determine by. As a specific example, the monitoring ECU, for a data frame that is a state frame indicating the state of the control instruction such as whether or not in the cruise control mode, in the case where a change frequent state occurs due to the continuation of the inconsistent state where the control instruction does not match, When the data frame control instruction is a specific instruction, control by the instruction is suppressed. The data frame indicating this specific instruction is a state frame indicating the state of the control instruction and also a control frame instructing control of the vehicle. The monitoring ECU may invalidate the control frame based on the time for which the inconsistent state continues.

[3.1 Overall configuration of in-vehicle network system 12]
FIG. 20 is a diagram illustrating an overall configuration of the in-vehicle network system 12 according to the present disclosure.

The in-vehicle network system 12 includes a bus 300 and monitoring ECUs 3100, ECUs 200a, 3200e, 3200f, and the like connected to the bus 300 as shown in FIG. In a vehicle equipped with the in-vehicle network system 12, a cruise control function is realized by a plurality of ECUs communicating and cooperating with each other. The in-vehicle network system 12 is the same as the in-vehicle network system 10 (see FIG. 1) shown in the first embodiment, unless otherwise described here. Of the constituent elements of the in-vehicle network system 12, the same constituent elements as those in the in-vehicle network system 10 are denoted by the same reference numerals as those in FIG. 1, and description thereof is omitted here.

The monitoring ECU 3100 is a kind of ECU as an unauthorized control inhibiting device, and is connected to the bus 300. The monitoring ECU 3100 monitors data frames such as a state frame and a control frame that flow through the bus 300, monitors whether information such as a control instruction included in the data frame is inconsistent, and has a mismatch. The duration of inconsistency is measured. Here, assuming that the state of the control instruction, such as whether or not the cruise control mode is set, is information relating to a kind of vehicle state, the data frame including the control instruction is also expressed as a state frame. Further, the data frame when the control instruction is a specific instruction for controlling the vehicle is a control frame. The monitoring ECU 3100 determines whether or not the control by the control frame for controlling the vehicle should be suppressed according to the measured duration of inconsistency, and invalidates the vehicle by invalidating the control frame when the control is to be suppressed. Is suppressed.

The ECU 3200e and the ECU 3200f are connected to a switch 3260 and a motor 3270, respectively. ECU 3200e transmits a data frame including information related to cruise control to bus 300 at a transmission interval of 80 ms. The information related to cruise control includes a flag indicating whether or not the cruise control mode is currently entered, and acceleration / deceleration information. ECU 3200e enters cruise control mode when the driver presses switch 3260. The ECU 3200e obtains the vehicle speed from the data frame from the ECU 200a, calculates the magnitude of acceleration so as to keep the vehicle speed at the time when the cruise control mode is entered, and transmits it included in the data frame. The cruise control mode is canceled depending on whether the driver presses the switch 3260 again or steps on the brake. The ECU 3200f controls the motor 3270 to realize the function of running the vehicle. The ECU 3200f receives the data frame transmitted from the ECU 3200e, and when the cruise control mode flag is set, the ECU 3200f controls the motor 3270 based on the acceleration information to keep the vehicle speed constant. Control to sag.

[3.2 Example of Data Frame Transmitted by ECU 3200e]
FIG. 21 shows an example of a data frame transmitted by the ECU 3200e.

This data frame has ID “0x400”, DLC is 3, and in the data field, the first byte is a flag indicating whether or not the vehicle is in the cruise control mode. Indicates that the cruise control mode is OFF (that is, the non-control state), and 1 indicates that the cruise control mode is ON (that is, the control state). The second byte is a flag that indicates whether to accelerate or decelerate when the cruise control mode is ON. 0 indicates acceleration and 1 indicates deceleration. The third byte is an amount indicating the magnitude of acceleration / deceleration and is expressed in units of 0.01 m / s2. In the example of the data frame in FIG. 21, a data frame is shown that is in the cruise control mode and requests acceleration of acceleration 0.80 m / s2. That is, this data frame is a state frame in which the vehicle is in the cruise control mode, and is a control frame for requesting acceleration to control the vehicle.

[3.3 Configuration of Monitoring ECU 3100]
FIG. 22 is a configuration diagram of the monitoring ECU 3100. The monitoring ECU 3100 includes a frame transmission / reception unit 110, a frame processing unit 120, a frame generation unit 150, a control information monitoring unit 3130, a function restriction unit 3140, a reception history holding unit 3160, a function restriction rule holding unit 3180, And an alignment duration measuring unit 3190. Each component of the monitoring ECU 3100 shown in FIG. 22 can be realized by a storage medium such as a memory of the monitoring ECU 3100, a communication circuit, a processor that executes a program stored in the memory, or the like. The monitoring ECU 3100 is the same as the monitoring ECU 100 (see FIG. 4) shown in the first embodiment, except that it is not particularly described here. Of the constituent elements of the monitoring ECU 3100, constituent elements having the same functions as those of the monitoring ECU 100 are denoted by the same reference numerals in FIG. 22 as those in FIG. 4, and description thereof will be omitted as appropriate.

The frame processing unit 120 notifies the control information monitoring unit 3130 and the function restriction unit 3140 of the data frame being received.

The control information monitoring unit 3130 monitors the data frame including the control instruction, and the reception history regarding the corresponding ID in the reception history information held by the reception history holding unit 2160 for the data frame notified from the frame processing unit 120. Update. Specifically, the control information monitoring unit 3130 includes a state frame data value (for example, a control instruction flag value) including a control instruction flag indicating whether or not the cruise control mode transmitted from the ECU 3200e is ON, and the like. The reception history information is updated based on the time when the status frame is received. Furthermore, the control information monitoring unit 3130 refers to the reception history information to determine whether or not there is a mismatch in the state (for example, cruise control mode) related to the control instruction in the data frame having the same ID received in a certain period. to decide. When there is a mismatch in the state related to the control instruction, the control information monitoring unit 3130 makes a mismatch start time measurement request to the mismatch duration measurement unit 3190.

Such inconsistency in the state related to the control instruction is, for example, when the function for performing control changes from the OFF state to the ON state, such as when the driver presses the switch 3260 to turn on the cruise control mode, or It can occur when changing from the ON state to the OFF state. However, as long as the function is normally used, such inconsistency does not continue for a long time. The control information monitoring unit 3130 requests the inconsistency duration measurement unit 3190 to measure the inconsistency duration, which is the duration of the inconsistency, when the inconsistency occurs by monitoring the data frame for a certain period. If no inconsistency occurs, the inconsistency duration measuring unit 3190 is requested to reset the inconsistency duration to 0 and stop the measurement.

When the function restriction unit 3140 receives a data frame, the function restriction unit 3140 refers to the function restriction rule held in the function restriction rule holding unit 3180. If the data frame being received is a control frame subject to function restriction, the control frame It is determined whether or not the control of the vehicle by the control should be suppressed. Whether or not the control by the control frame should be suppressed is determined by referring to the mismatch duration time measured by the mismatch duration measurement unit 3190 in relation to the control frame. If the function restriction unit 3140 determines that the control of the vehicle should be suppressed, the function restriction unit 3140 transmits an error frame to the frame generation unit 150 in order to invalidate the control frame being received for the control of the vehicle. Request. Specifically, in order to determine whether or not vehicle control should be suppressed, the function restriction unit 2140 continues inconsistency when a control frame that is a function restriction target in the function restriction rule is being received. It is determined whether or not it is a kind of change frequent state that time satisfies the condition of the function restriction rule.

The reception history holding unit 3160 holds the reception history of the data frame received by the monitoring ECU 3100. The reception history holding unit 3160 receives, for example, the reception history information indicating the data value related to the state frame such as the data frame including the flag of the control instruction in the cruise control mode received within the latest 100 ms and the reception time (see FIG. 23). Hold.

The function restriction rule holding unit 3180 holds a function restriction rule (see FIG. 24) that is a criterion for determining whether or not control by the control frame being received should be suppressed. This function restriction rule can be said to be a criterion for determining whether or not to invalidate a data frame being received.

The inconsistency continuation time measuring unit 3190 measures the time during which the control instruction inconsistency continues for each control instruction, and holds measurement-related information (see FIG. 25) such as a measurement result. The inconsistency duration measurement unit 3190 receives a measurement start request from the control information monitoring unit 3130 and updates the value of the in-measurement flag as measurement related information. The inconsistency duration measuring unit 3190 holds, for each control instruction, a timer that can start or reset (that is, stop) the inconsistency duration according to the in-measurement flag.

[3.4 Reception history information]
FIG. 23 shows an example of reception history information held by the reception history holding unit 3160. In the example of the figure, the value of the control instruction flag as the data value of the data frame of ID “0x400” received within the latest 100 ms and the time of reception thereof are included.

According to this reception history information, the data frame having the ID “0x400” has been received four times in the latest 100 ms, and the flag value at the time of the latest reception is 1 (that is, the cruise control mode is ON, The time of reception is 301 ms. At the time of reception one time before, the value of the flag is 0 (that is, meaning that the cruise control mode is OFF and control is not performed), and the reception time is 300 ms. At the time of reception two times before, the value of the flag is 1, and the reception time is 221 ms. At the time of reception three times before, the value of the flag is 0 and the reception time is 220 ms.

[3.5 Function restriction rules]
FIG. 24 shows an example of the function restriction rule held by the function restriction rule holding unit 3180.

The function restriction rule is information indicating a criterion for determining whether or not to suppress the control of the vehicle. In the example in the figure, the function restriction target and the restriction function that are information for specifying a control frame for controlling the vehicle, and the reference Vehicle condition (specifically, inconsistency duration condition). In the figure, an example is shown in which the function restriction rule is composed of one item rule, but the number of rule items may be plural. The restriction function indicates a specific control instruction to be restricted when the condition of inconsistency duration is satisfied. If the restriction function is “restriction”, a flag indicating that the cruise control mode is in the ON state is displayed in the data frame subject to function restriction being received when the condition of inconsistency duration is satisfied. This means that if the control frame has the control frame, control by the control frame should be suppressed, that is, the control frame should be invalidated. For example, if the restriction function is “continuation”, it means that the control frame should be invalidated so as to maintain the state according to the control instruction before the inconsistency occurs. For example, if the flag indicating the cruise control mode is 0 before the inconsistency occurs, the control indicating that the flag indicating the cruise control mode is 1 data frame when the condition of the inconsistency duration is satisfied. Disable the frame. The inconsistency duration condition is a condition indicating the length of the inconsistency duration as a function restriction condition. When this condition is satisfied, the function restriction is performed on the data frame subject to the function restriction. In the example of FIG. 24, the function restriction target is a data frame having an ID “0x400” related to cruise control, the restriction function is “control”, and a data frame including a control instruction indicating an ON state of the cruise control mode is provided. The control frame to be invalidated. Further, in the example of FIG. 24, the condition for the mismatch duration is that the mismatch duration is 500 ms or more. The function restriction rule in the example of FIG. 24 is that the control by the specific control instruction of the cruise control should be suppressed in the frequent change state in which the inconsistency duration of the control instruction state in the cruise control mode is 500 ms or longer. It can be said that it shows the standard. In this frequent change state, the monitoring ECU 3100 invalidates a control frame, which is a data frame indicating a specific control instruction related to cruise control, by transmitting an error frame.

[3.6 Mismatch duration]
FIG. 25 shows an example of measurement related information including inconsistency duration time measured and held by the inconsistency duration time measurement unit 3190. The measurement-related information in this example is for the data frame ID, indicating the inconsistency continuation time that is the time that the inconsistency about the control instruction has continued, and whether or not the inconsistency continuation time is being measured. It includes a flag and a state before the occurrence of inconsistency indicating whether or not the control was performed before the occurrence of inconsistency. In this example, for the data frame of ID “0x400” related to cruise control, the measured inconsistency duration is 100 ms, the measurement flag is 1, meaning that the duration is being measured, and the state before the occurrence of inconsistency is “Non-control” (that is, the control instruction flag indicating the cruise control mode is 0).

[3.7 Sequence related to deterring attacks on the cruise control function]
FIG. 26 shows an example of a sequence related to an attack on the cruise control function and an unauthorized control suppression process by the monitoring ECU 3100. Here, it is assumed that the monitoring ECU 3100 holds the function restriction rule illustrated in FIG. Further, it is assumed that the switch 3260 for turning on the cruise control function is not operated. In FIG. 26, the description of the data frame related to the vehicle speed transmitted by the ECU 200a is omitted.

ECU 3200e sets a control instruction flag to 0 and transmits the data frame having ID “0x400” related to cruise control to the bus 300 to indicate that the cruise control mode is OFF (step S311). The ECU 3200f and the monitoring ECU 3100 receive this data frame. The ECU 3200f does not control the motor 3270 such as acceleration or deceleration for keeping the vehicle speed constant because the flag related to the cruise control mode is 0. The monitoring ECU 3100 updates the reception history information held in the reception history holding unit 3160 based on the received data frame.

The attack ECU transmits a data frame having an ID “0x400” related to cruise control with a control instruction flag set to 1 to indicate that the cruise control mode is ON (step S312). The ECU 3200f and the monitoring ECU 3100 receive this data frame. The ECU 3200f controls the motor 3270 according to the acceleration value indicating acceleration or deceleration of the data frame because the flag related to the cruise control mode is 1. The monitoring ECU 3100 updates the reception history information held in the reception history holding unit 3160 based on the received data frame. At this time, the monitoring ECU 3100 performs “control” (that is, a control instruction in which the cruise control mode is ON) and “non-control” (that is, the cruise control mode is OFF) from the data frame received within the last 100 ms. Since both data frames with the control instruction in the state are received, it is determined that there is a mismatch, and measurement of the mismatch duration is started.

Thereafter, transmission of a data frame having the same ID “0x400” as in step S311 and indicating “non-control” for cruise control, and data indicating “control” for cruise control having the same ID “0x400” as in step S312. The frame transmission is repeated for 500 ms (step S313).

Subsequently, ECU 3200e transmits a data frame having ID “0x400” relating to cruise control and indicating “non-control” (step S314). The ECU 3200f and the monitoring ECU 3100 receive this data frame.

Subsequently, the attack ECU transmits a data frame having ID “0x400” and indicating “control” (that is, a control instruction in which the cruise control mode is ON) (step S315).

Corresponding to the transmission in step S315, the monitoring ECU 3100 determines whether the data frame being received is a control frame specified by the function restriction target and the restriction function of the function restriction rule and the vehicle state condition of the function restriction rule. It is determined whether or not the control by the control frame should be suppressed depending on whether or not (that is, the condition of inconsistency duration) is satisfied. At this point, the control ECU 3100 is receiving a control frame that is a data frame including a control instruction indicating the cruise control mode (that is, the flag is 1) in a state where the mismatch duration has continued for 500 ms or longer. It is determined that control by frame should be suppressed. Then, an error frame is transmitted to invalidate the control frame (step S316). By transmitting the error frame, the monitoring ECU 3100 can suppress unauthorized control related to cruise control due to an attack. This error frame overwrites the control frame having the ID “0x400” being transmitted and including the control instruction indicating that the cruise control mode is in the ON state, and as a result, the attack ECU transmits the data frame. Is interrupted. The ECU 3200f receives the error frame, discards the data frame being received, and does not perform control such as acceleration or deceleration for cruise control based on the data frame.

In this way, the monitoring ECU 3100 transmits the error frame in accordance with the determination result based on the function restriction rule, thereby preventing the ECU 3200f from receiving the data frame for performing unauthorized control related to cruise control by the attack ECU. can do.

[3.8 Monitoring Operation by Monitoring ECU 3100]
FIG. 27 is a flowchart illustrating an example of a monitoring operation performed by the monitoring ECU 3100. The process related to the monitoring operation is performed every time a data frame appears on the bus 300.

The monitoring ECU 3100 receives the data frame, and determines whether or not the ID of the data frame being received is the ID of the data frame whose reception history is to be held in the reception history holding unit 3160 (step S321). For example, the ID related to the reception history holding target is the data frame ID “0x400” that is the status frame related to the cruise control mode state (see FIG. 23).

When the ID of the data frame being received is the ID of the data frame whose reception history is to be held in the reception history holding unit 3160, the monitoring ECU 3100 determines the state of the data frame being received (for example, a control instruction related to the cruise control mode). The reception history relating to the ID in the reception history information held by the reception history holding unit 3160 is updated so as to include the data value indicating the flag of ()) and the time of reception (step S322). Note that, when updating the reception history information, the monitoring ECU 3100 may delete, for example, reception history information whose reception time is earlier than a certain time (for example, 100 ms) from the current time.

Subsequently, the monitoring ECU 3100 determines whether or not there is a mismatch in the data value indicating the control instruction or the like based on the reception history information (step S323).

Next, the monitoring ECU 3100 causes the mismatch duration measurement unit 3190 to start or stop the mismatch duration measurement based on the presence / absence of the mismatch determined in step S323 (step S324).

The monitoring ECU 3100 determines that the ID of the data frame being received in step S321 is not the ID of the data frame whose reception history should be held in the reception history holding unit 3160, or is being received after the processing in step S324. It is determined whether or not the data frame is a control frame specified by the function restriction target and the restriction function in the function restriction rule held in the function restriction rule holding unit 3180 (step S325). If the monitoring ECU 3100 determines in step S325 that the data frame being received is not a control frame subject to function restriction, the monitoring ECU 3100 ends the process.

Next, the monitoring ECU 3100 determines whether or not the control by the control frame that is being received should be suppressed. The mismatch duration measured by the mismatch duration measurement unit 3190 is the mismatch duration in the function restriction rule. Is determined based on whether or not the above condition is satisfied (step S326). If the condition of the vehicle state related to the inconsistency duration is satisfied, it is determined that the control by the control frame should be suppressed. If the monitoring ECU 3100 determines that the control by the control frame should not be inhibited, that is, if the condition of the mismatch duration is not satisfied, the monitoring ECU 3100 ends the process.

If it is determined in step S326 that the control by the control frame being received should be inhibited, the monitoring ECU 3100 invalidates the control frame, so that the last of the data frames that are the control frames being received is displayed. An error frame is transmitted to the bus 300 before the tail is received (step S321). As a result, the error frame is overwritten on the currently received data frame, and the data frame is invalidated. For this reason, ECU (for example, ECU 3200f) connected to bus 300 does not control the vehicle based on the invalidated data frame.

[3.9 Effects of Embodiment 3]
In the in-vehicle network system 12 according to Embodiment 3, whether or not the monitoring ECU 3100 is a change-prone state in which a change in the state of the control instruction frequently occurs based on a set of state frames related to the control instruction received in a certain period. Verify that. This verification is performed, for example, based on the function restriction rule shown in FIG. 24, based on whether or not the inconsistency continuation time, which is the time for which inconsistency due to the state change continues, lasts for a certain period. Then, the monitoring ECU 3100 determines whether or not to invalidate the control frame specified by the function restriction target and the function restriction of the function restriction rule according to the mismatch duration. As a result, even if an attacker continues to transmit a data frame that causes unauthorized control, the attacker cannot continue to cause unauthorized control. This is an effective measure by setting a data frame related to control as a monitoring target so that damage is increased by continuing unauthorized control. Further, according to the monitoring ECU 3100, for example, when a change in the state of the control instruction occasionally occurs during normal use of a specific function such as a cruise control function (that is, when the inconsistency continuation time is a predetermined time or less). In the case of an attack in which the control is not suppressed and the change frequently occurs in a certain period, the control is suppressed. For this reason, a normal data frame is not invalidated by mistake.

(Other embodiments)
As described above, Embodiments 1 to 3 have been described as examples of the technology according to the present disclosure. However, the technology according to the present disclosure is not limited to this, and can also be applied to embodiments in which changes, replacements, additions, omissions, and the like are appropriately performed. For example, the following modifications are also included in one embodiment of the present disclosure.

(1) In the above-described embodiment, the state camouflage detection unit, the function restriction unit, the vehicle state monitoring unit, and the control information monitoring unit are connected to the bus 300 for a plurality of ECUs to exchange frames. Although described as a component of the monitoring ECU, it may be a component of one or more other ECUs. The above-described monitoring ECU need not be a dedicated monitoring ECU as long as it is an ECU connected to a bus in the in-vehicle network system, and may have a function different from monitoring and handling. Further, for example, one or more components in the monitoring ECU may be moved to another ECU. Any ECU may perform detection of a camouflaged state, detection of a control frame for which control based on a function restriction rule should be suppressed, invalidation of a control frame for control suppression, and the like. For example, an ECU or the like that receives a control frame and performs control according to the contents of the control frame may have the same components as the monitoring ECU described above. Further, for example, the above-described components of the monitoring ECU may be included in the gateway ECU that transfers data frames between the buses when the in-vehicle network is configured with a plurality of buses. This is useful because the gateway ECU can monitor the state of each bus. In the gateway ECU including the configuration of the monitoring ECU, in order to suppress control by an illegal control frame, in addition to the invalidation of the control frame by an error frame, between the buses of the control frames determined to be controlled. For example, it is possible to perform processing such as deterring transfer. In addition, since the gateway ECU can monitor information on a large number of in-vehicle networks, the range of functions that can be realized to suppress control by an unauthorized control frame is expanded.

(2) The control frame shown in the above embodiment may be any frame as long as it is a data frame including information used for vehicle control. Further, the control frame may be regarded as including a data frame for instructing suppression of vehicle control for a kind of control of suppressing vehicle control.

(3) In the above embodiment, as an example of suppressing control by a control frame subject to function restriction, an example in which the monitoring ECU overwrites a received control frame on the bus with an error frame and invalidates it. showed that. However, the method for realizing the control inhibition by the control frame is not limited to the method of transmitting the error frame while receiving the control frame. For example, an ECU that receives a control frame and performs control according to the content of the control frame discards the control frame that is determined to be inhibited as a function restriction target, and performs control corresponding to the control frame. By not performing the control, control suppression by the control frame may be realized. This is useful when the monitoring ECU dedicated to monitoring is not included in the configuration of the in-vehicle network. Further, as described above, the control of the control frame may be suppressed by suppressing the transfer of the control frame determined to be controlled by the gateway ECU. Further, as an example of a method for realizing control inhibition by a control frame, a method for transmitting a data frame for notifying other ECUs that the function related to the control is restricted, and a method for notifying the user that the function is restricted And a method of shifting the vehicle to a predetermined fail-safe mode that may include degeneration of an automatic control function such as an ADAS function.

(4) Although the data frame in the CAN protocol is described in the standard ID format in the above embodiment, the extended ID format may be used, and the ID that is the identifier of the data frame is the extended ID in the extended ID format. Etc.

(5) In the above embodiment, the monitoring ECU holds the reception history information including the information of the data frame received in the latest 100 ms in the reception history holding unit, but the holding period from the reception of the information is 100 ms. Is just an example. As the retention period, it is determined that the minimum time for obtaining information necessary to determine that the vehicle state is camouflaged, or that the inconsistency of information related to the control instruction continues. For example, it is assumed that an arbitrary period longer than the data frame transmission interval is set as a guideline. Moreover, the monitoring ECU may have one or more IDs for the data frame that is the target of the reception history recorded as the reception history information. The monitoring ECU may have one or more function restriction rule items. Further, the vehicle state information held by the monitoring ECU in the vehicle state holding unit may include a camouflaged flag related to one ID or may include a camouflaged flag related to each of a plurality of IDs.

(6) In the above embodiment, the monitoring ECU holds the reception history including the data value of the data field of the data frame and the reception time as the reception history information in the reception history holding unit. The reception time is only an example, and the holding of the data value or the reception time can be omitted. The reception history holding unit may hold other information, may hold a partial data value of the data field, or may hold the contents of all fields of the received data frame.

(7) In the above embodiment, the vehicle condition duration condition relating to the vehicle speed and the vehicle condition duration condition relating to the gear position are shown as the reference indicated by the function restriction rule held in the function restriction rule holding unit. However, each condition may be combined as a criterion, and a logical sum or a logical product of the conditions may be used. Also, the number of conditions may be increased or decreased. In the case where control of the function restriction target in the function restriction rule is normally executed, it is possible to prevent invalidating the normal data frame by mistake by setting the condition of the vehicle state based on the vehicle state that is surely generated. It becomes possible. In addition, by appropriately selecting the vehicle state that is the vehicle control condition, such as the vehicle speed and gear position, and setting the condition related to the vehicle state in the function restriction rules, the state of the vehicle by the attacker It is possible to suppress unauthorized control by the control frame after transmitting the status frame for impersonation. For example, in the example of the in-vehicle network system having the parking assist function shown in the first and second embodiments, the timing at which a control frame related to a normal steering wheel control instruction including a control flag indicating control is transmitted is This is after the driver has performed an operation to start execution of the parking assist function. Here, the driver changes the gear position to “reverse” prior to the operation for starting the execution of the parking support function, and designates the parking position while referring to the video behind the vehicle displayed on the monitor. For this reason, for example, the vehicle speed is 0 km / h at the timing at which a control frame related to a normal steering wheel control instruction including a control flag indicating control is transmitted as a condition of a vehicle state serving as a reference for the function restriction rule. May be set. In addition, when calculating the steering angle of the steering wheel with the parking assist function, when a method for requesting the driver to return the steering wheel to the straight traveling state is used, as a condition of the vehicle state serving as a reference for the function restriction rule, For example, it may be set that the steering state of the steering wheel is substantially straight at the timing at which a control frame related to a normal steering wheel control instruction including a control flag indicating control is transmitted. Further, based on the operation sequence when the driver uses the parking assist function, the vehicle state conditions include, for example, that the vehicle speed is 0 km / h, the gear position is “reverse”, and the steering state of the steering wheel is It may be set that each of the states such as being in a substantially straight traveling state occurs in order by the timing at which a control frame related to a normal handle control instruction including a control flag indicating control is transmitted.

(8) In the above-described embodiment, with respect to the detection of the camouflaged state of the vehicle, a plurality of state frames are received in a period within a margin range related to the predetermined transmission interval based on the transmission interval specified for the state frame. In this case, an example is shown in which it is determined that the state of the vehicle related to the state frame is camouflaged. However, the method of detecting the camouflage of the vehicle state is not limited to the method of this example. For example, a threshold value for the number of data frames received within a certain period may be defined in advance, and if the threshold value is exceeded, it may be determined that the state of the vehicle is camouflaged. In addition, a threshold for the amount of change in the value of a data frame within a certain period or the number of times of reception or a threshold for the number of changes in the value is defined in advance, and the vehicle state is disguised when the threshold is exceeded. May be determined. Further, camouflaging of the state of the vehicle may be determined from the collapse of the relationship based on the relationship between the data frames having different IDs. Further, information that can be acquired from other than the data frame flowing in the in-vehicle network, for example, GPS (Global Positioning System) information, map information, information on the ignition state, various sensor information, and the like may be combined to determine impersonation of the vehicle state. .

(9) In the above-described embodiment, an example in which a data frame flows in a plaintext bus is shown, but it may be encrypted. Further, the data authentication code may be included in the data frame.

(10) In the above embodiment, an example in which the function restriction rule is held in plain text is shown, but it may be held encrypted.

(11) In the above embodiment, as an example of calculating the vehicle state duration, the example in which the time during which the state of the vehicle is continued is calculated from the current time by referring to the reception history information. It is not restricted to this method. For example, as the reception history information, the time of the last reception of a state frame having a specific ID and only the data value at that time may be held to measure the duration of the vehicle state. Further, it is only necessary to determine whether or not a predetermined time has elapsed in accordance with the condition of the vehicle state duration in the function restriction rule, and it is not always necessary to calculate the duration of the vehicle state. For example, the condition in the function restriction rule is satisfied by setting a timer when the state of the vehicle satisfies a predetermined condition indicated in the function restriction rule and determining whether or not the timer is greater than a predetermined time. It may be determined whether or not. In addition, when the vehicle state satisfies a predetermined condition indicated in the function restriction rule, a countdown timer for a predetermined time is set, and whether or not the timer is 0 is determined. It may be determined whether or not the condition is satisfied.

(12) In the above embodiment, if the monitoring ECU does not pass the vehicle state duration in the function restriction rule that exceeds a predetermined threshold value, the vehicle state is not stable, so the control frame related to the function restriction target. An example of suppressing the control by. However, since the vehicle state duration time has not passed the predetermined threshold or more, it is not always necessary to immediately suppress the control by the control frame when the vehicle state is not in a stable state. It is good also as deterring when it continues for some time. This is useful for suppressing erroneous detection that erroneously invalidates a normal control frame with respect to a control frame related to control with low risk even if transmitted illegally.

(13) In the above embodiment, as the inconsistency continuation time, both a data frame including control instruction information indicating control and a data frame including control instruction information indicating non-control are observed in a certain period. Although the time is shown, the method of measuring the mismatch duration is not limited to this. For example, in a plurality of data frames including a data value used for control received for a certain period, if the amount of change in the data value exceeds a threshold value, the duration is set to be inconsistent. You may measure.

(14) In the above embodiment, examples of the vehicle speed, gear position, and the like are shown as examples of the vehicle state, but the vehicle state monitored by the monitoring ECU is not limited to this. The vehicle state includes, for example, wheel rotation speed, yaw rate, acceleration, steering angle, accelerator pedal opening, braking level, engine rotation speed, motor rotation speed, gear position, ignition switch state, steering wheel steering torque, It may be the presence / absence of a front obstacle, the presence / absence of a rear obstacle, the distance to the front obstacle, the distance to the rear obstacle, the recognition state of the left and right lane lines, the distance to the left and right lane lines, and the like. The state of the vehicle may be a state acquired by a sensor, for example.

(15) In the above embodiment, examples of control related to the parking support function and the cruise control function are shown as the control for determining whether or not to be suppressed in the monitoring ECU. The control based on the control frame to determine whether or not the vehicle is not limited to the steering wheel control related to the parking support function and the acceleration or deceleration control related to the cruise control function. The control that is a target of determination on whether or not to be suppressed in the monitoring ECU may be, for example, control related to a collision reduction brake system, an adaptive cruise control system, a lane keep assist system, or the like. In addition, the control that is a target of determination as to whether or not to be suppressed in the monitoring ECU may be control related to traveling of the vehicle, for example. The control related to running of the vehicle is one of control related to running (for example, acceleration control), control related to turning (for example, steering control), and control related to stopping (for example, braking control). In addition, the control subject to the determination as to whether or not to suppress in the monitoring ECU is a control that indirectly affects the control related to the traveling of the vehicle, such as a control for presenting information to the driver such as an instrument panel. It is good to be.

For example, when the control related to the collision mitigation brake system is a target of determination as to whether or not to be suppressed in the monitoring ECU, the monitoring ECU may, for example, up to a front obstacle as a vehicle state condition in the function restriction rule. May be determined by monitoring the reception time of the status frame indicating the distance to the obstacle ahead, the data value, and the like. The monitoring ECU, for example, determines that a disguise has been made when a forward obstacle suddenly changes from a state where there is no forward obstacle or a state where a forward obstacle exists far away to a state where the forward obstacle suddenly exists. May be. Then, when a control frame for control related to the collision mitigation brake system appears on the bus in a state of being camouflaged, the monitoring ECU invalidates the control frame.

In addition, for example, when the control related to the adaptive cruise control system is a target of determination as to whether or not the monitoring ECU should suppress, the monitoring ECU uses, for example, a preceding vehicle as a vehicle state condition in the function restriction rule. It is also possible to determine the presence or absence of camouflage by monitoring the reception time, data value, etc. of the status frame indicating the distance to the preceding vehicle. The monitoring ECU is, for example, a state where the preceding vehicle suddenly changes from a state where the preceding vehicle does not exist, or a state where the preceding vehicle exists far away, or a state where the preceding vehicle exists immediately before From the above, it may be determined that the camouflaged vehicle is disguised when the preceding vehicle suddenly exists far away or when the preceding vehicle changes to a state where no preceding vehicle exists.

Further, for example, when the control related to the lane keep assist system is a target of determination as to whether or not to be suppressed in the monitoring ECU, the monitoring ECU, for example, uses a lane marking as a vehicle state condition in the function restriction rule. The distance to the lane in which the vehicle is traveling is monitored, and the status frame indicating the distance to the lane marking on either the left or right of the lane is monitored to determine whether or not the camouflage exists. Also good. The monitoring ECU, for example, from a state in which the lane line is not recognized or a state in which the distance to the lane line is sufficiently large, the distance to the lane line suddenly decreases and the vehicle is approaching the lane line. If it has changed, it may be determined that the camouflage has been made.

(16) Although the unauthorized control suppression device is exemplified by the monitoring

ECUs

100, 2100, and 3100 in the above embodiment, the unauthorized control suppression device does not necessarily have to include all the components of the monitoring ECU described above. The unauthorized control inhibiting device may be configured as shown in FIG. In the in-vehicle network system related to the in-vehicle network conforming to the CAN protocol, the unauthorized control inhibiting device 4100 shown in the figure includes a state frame in which a plurality of ECUs includes information on the state of the vehicle, and predetermined control (for example, It is connected to a bus 300 (see FIG. 1) that transmits and receives a control frame that is a frame for instructing steering wheel control. The unauthorized control inhibition device 4100 includes a reception unit 4110 and a determination unit 4120. The receiving unit 4110 sequentially receives a status frame and a control frame from the bus 300. The receiving unit 4110 is realized by, for example, a communication circuit such as a CAN controller, a processor, a memory, and the like. The determination unit 4120 receives whether the predetermined control based on the control frame received by the reception unit 4110 should be suppressed or not by the reception unit 4110 within a predetermined period (for example, for 100 ms) preceding the reception of the control frame. Judgment is made based on whether or not the state of the vehicle in the predetermined period specified based on the set of state frames satisfies a predetermined criterion (for example, a criterion indicated by the above-described function restriction rule). For example, the determination unit 4120 can specify the state of the vehicle in the predetermined period based on the set of state frames received by the reception unit 4110 within the predetermined period. In addition, the state of the vehicle in a predetermined period may be specified from, for example, the contents of one type of state frame (for example, a state frame having the same ID), or a plurality of types of state frames (for example, states having different IDs). Frame) may be specified.

As the predetermined reference used for determination in the determination unit 4120, for example, a reference that is satisfied when the vehicle state in the predetermined period is the camouflaged state and not satisfied when the vehicle state is not the camouflaged state may be used. A criterion that is satisfied when the vehicle is not in a stable state and not satisfied when the vehicle is in a stable state may be used, or is satisfied when the vehicle state in a predetermined period is a change-prone state that changes more than a predetermined number of times. A criterion that is not satisfied when the state is not a frequent change state may be used. When any one of these criteria is used, the determination unit 4120 determines that the predetermined control should be suppressed when the predetermined criterion is satisfied. Contrary to these examples, a criterion for determining that the predetermined control should be suppressed when the determination unit 4120 does not satisfy the predetermined criterion may be set as the predetermined criterion. Note that, for example, when the abnormal state frame is included in the set of state frames received within a predetermined period, the determination unit 4120 identifies the vehicle state as a camouflaged state, and the abnormal state frame If it is not included, the vehicle state may be specified as not being a camouflaged state. In this case, the determination unit 4120 may determine by any method whether or not an abnormal state frame is included in the set of state frames. For example, a set of status frames received within a predetermined period has a plurality of identical IDs used for execution of predetermined control (ie, indicating information on the same item) received at a reception interval shorter than a predetermined threshold. May be determined that an abnormal state frame is included in the set. Further, for example, when a set of status frames received within a predetermined period includes more than a predetermined number of status frames having the same ID used for execution of predetermined control, the set is abnormal. It may be determined that a status frame is included. Further, for example, a set of status frames received within a predetermined period includes two status frames having the same ID used for execution of predetermined control, and information values indicated by the two status frames When the difference is larger than a predetermined amount, it may be determined that an abnormal state frame is included in the set. Further, for example, a set of status frames received within a predetermined period includes a plurality of status frames having the same ID used for execution of predetermined control, and the plurality of status frames arranged in the order received. If the value of the information indicated by does not conform to a predetermined rule, it may be determined that an abnormal state frame is included in the set.

The determination unit 4120 is realized by, for example, a processor, a timer, a memory, and the like. The determination unit 4120 can perform output according to the determination result. When it is determined that the predetermined control based on the control frame should be suppressed, the determination unit 4120 may transmit an error frame to the bus 300 so that at least a part of the control frame is overwritten by a CAN controller or the like. . In addition, the unauthorized control suppression device 4100 may have a transfer function for transferring frames between a plurality of communication paths, for example. In this case, the determination unit 4120 should suppress predetermined control based on the control frame. If it is determined, the control frame may be excluded from the transfer target and not transferred.

Moreover, although the unauthorized control suppression apparatus or monitoring ECU was mounted in the vehicle and the example contained in a vehicle-mounted network system was shown, even if it is contained in the network system for control of control objects other than a vehicle good. Control targets other than the vehicle are, for example, robots, aircraft, ships, machines, and the like.

(17) In the above embodiment, in the in-vehicle network, data frames such as a status frame and a control frame are transmitted according to the CAN protocol. However, the CAN protocol is used for an embedded system in an automation system. CANNOpen, or TTCAN (Time-Triggered CAN), CANFD (CAN with Flexible Data Rate), etc. The in-vehicle network may use a protocol other than the CAN protocol. As a protocol for an in-vehicle network that transmits a state frame that includes information on the state of the vehicle and a control frame that is a frame for instructing the vehicle to perform predetermined control, for example, LIN (Local Interconnect Network), MOST (Registered trademark) (Media Oriented Systems Transport), FlexRay (registered trademark), Ethernet (registered trademark), or the like may be used. Further, the in-vehicle network may be configured by combining networks using these protocols as sub-networks and combining sub-networks related to a plurality of types of protocols. The Ethernet (registered trademark) protocol includes Ethernet (registered trademark) AVB (Audio Video Bridging) according to IEEE 802.1 or Ethernet (registered trademark) TSN (Time Sensitive Network) and Ethernet (registered trademark) according to IEEE 802.1. ) / IP (Industrial Protocol), EtherCAT (registered trademark) (Ethernet (registered trademark) for Control Automation Technology), etc. Note that the communication path of the in-vehicle network may be a wired communication path constituted by a network bus (for example, bus 300) or other wires, optical fibers, or the like, or may be another communication path.

(18) A part or all of the constituent elements constituting each device in the above embodiment may be constituted by one system LSI (Large Scale Integration). The system LSI is an ultra-multifunctional LSI manufactured by integrating a plurality of components on a single chip. Specifically, the system LSI is a computer system including a microprocessor, a ROM, a RAM, and the like. . A computer program is recorded in the RAM. The system LSI achieves its functions by the microprocessor operating according to the computer program. In addition, each part of the constituent elements constituting each of the above devices may be individually made into one chip, or may be made into one chip so as to include a part or the whole. Although the system LSI is used here, it may be called IC, LSI, super LSI, or ultra LSI depending on the degree of integration. Further, the method of circuit integration is not limited to LSI's, and implementation using dedicated circuitry or general purpose processors is also possible. An FPGA (Field Programmable Gate Array) that can be programmed after manufacturing the LSI or a reconfigurable processor that can reconfigure the connection and setting of circuit cells inside the LSI may be used. Further, if integrated circuit technology comes out to replace LSI's as a result of the advancement of semiconductor technology or a derivative other technology, it is naturally also possible to carry out function block integration using this technology. Biotechnology can be applied as a possibility.

(19) A part or all of the constituent elements constituting each of the above devices may be constituted by an IC card or a single module that can be attached to and detached from each device. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the super multifunctional LSI described above. The IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may have tamper resistance.

(20) As one aspect of the present disclosure, for example, an unauthorized control suppression method including all or part of the processing procedure illustrated in FIGS. For example, the unauthorized control suppression method includes a plurality of ECUs that perform transmission / reception of a plurality of frames including a control frame for instructing a vehicle to perform predetermined control (for example, steering control) via a communication path (for example, the bus 300). A method for suppressing unauthorized control in an in-vehicle network system, wherein a reception step (for example, steps S31, S221, S321) for sequentially receiving a plurality of frames from the communication path and a predetermined control based on the control frame received in the reception step are suppressed. A determination step (for example, steps S36, S224, S326) for determining whether or not to be performed based on a set of frames received in the reception step within a predetermined period preceding when the control frame is received. . This unauthorized control suppression method further includes a processing step (for example, steps S37, S225, etc.) for executing a predetermined process for suppressing the predetermined control when it is determined in the determination step that the predetermined control based on the control frame should be suppressed. S327) may be included. The predetermined process for suppressing the predetermined control based on the control frame includes, for example, a process for discarding the control frame, a process for overwriting the control frame on the communication path by transmitting an error frame, and the control for another communication path. For example, processing for suppressing frame transfer or processing for instructing the ECU not to execute predetermined control based on the control frame. Moreover, it may be a program (computer program) for realizing this method by a computer, or may be a digital signal composed of the computer program. Further, as one aspect of the present disclosure, a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, or a BD can be used as the computer program or the digital signal. (Blu-ray (registered trademark) Disc), recorded on a semiconductor memory or the like. Further, the digital signal may be recorded on these recording media. As one aspect of the present disclosure, the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like. Further, an aspect of the present disclosure may be a computer system including a microprocessor and a memory, the memory recording the computer program, and the microprocessor operating according to the computer program. . Also, by recording and transferring the program or the digital signal on the recording medium, or by transferring the program or the digital signal via the network or the like, by another independent computer system It may be carried out.

(21) Embodiments realized by arbitrarily combining the constituent elements and functions shown in the embodiment and the modified examples are also included in the scope of the present disclosure.

This disclosure can be used for an in-vehicle network system including an in-vehicle network.

10, 11, 12 In-

vehicle network system

100, 2100, 3100 Monitoring ECU
110, 201 Frame transmission /

reception unit

120, 202 Frame processing unit 130 State

impersonation detection unit

140, 2140, 3140

Function restriction unit

150, 204

Frame generation unit

160, 2160, 3160 Reception history holding unit 170 Vehicle

state holding unit

180, 2180, 3180 Function restriction rule holding unit 200a to 200d, 3200e, 3200f Electronic control unit (ECU)
DESCRIPTION OF SYMBOLS 203 Device input / output part 210 Speed sensor 220 Rear camera 230 Monitor 240 Handle 250 Gear 300 Bus 2130 Vehicle state monitoring part 3130 Control information monitoring part 3190 Inconsistency continuation time measurement part 3260 Switch 3270 Motor 4100 Unauthorized control suppression apparatus 4110 Reception part 4120 Judgment Part

Claims

A fraud control suppression method in a network system including a plurality of electronic control units that perform transmission and reception of a plurality of frames including a control frame instructing predetermined control with respect to a control target,
Receiving step of sequentially receiving a plurality of frames from the communication path;
It is determined whether or not to suppress the predetermined control based on the control frame received in the reception step based on a set of frames received in the reception step within a predetermined period preceding when the control frame is received. An unauthorized control suppression method including a determination step.
The plurality of frames include a state frame including information on the state of the control target,
In the determining step, whether or not the predetermined control based on the control frame received in the receiving step is to be suppressed is determined based on a set of status frames received in the receiving step within a predetermined period preceding the reception of the control frame. The unauthorized control suppression method according to claim 1, wherein the determination is based on whether the state of the control target in the predetermined period specified based on the condition satisfies a predetermined criterion.
In the determination step, when an abnormal state frame is included in the set of state frames received in the reception step within the predetermined period, the state of the control target is specified as a camouflaged state, If the state frame is not included, the state of the control target is identified as not being impersonated,
The predetermined criterion is satisfied when the specified state of the control target is a camouflaged state, and is not satisfied when the state of the control target is not a camouflaged state,
The unauthorized control suppression method according to claim 2, wherein the determination step determines that the predetermined control should be suppressed when the predetermined criterion is satisfied.
In the determination step, information on the same item used for execution of the predetermined control received at a reception interval shorter than a predetermined threshold is indicated in a set of state frames received in the reception step within the predetermined period. The unauthorized control suppression method according to claim 3, wherein when a plurality of state frames are included, the state of the control target is specified as a camouflaged state, assuming that an abnormal state frame is included in the set.
In the determination step, the set of state frames received in the reception step within the predetermined period includes more than a predetermined number of state frames indicating information of the same item used for execution of the predetermined control. The unauthorized control suppression method according to claim 3, wherein the control target state is specified as a camouflaged state, assuming that an abnormal state frame is included in the set.
In the determination step, two state frames indicating information of the same item used for execution of the predetermined control are included in a set of the state frames received in the reception step within the predetermined period. The state of the control object is specified as a camouflaged state, assuming that an abnormal state frame is included in the set when the difference in the value of the information indicated by the state frame is greater than a predetermined amount. Illegal control suppression method.
In the determination step, a set of status frames received in the reception step within the predetermined period includes a plurality of status frames indicating information on the same item used for execution of the predetermined control, and is received. When the value of the information indicated by the plurality of state frames arranged in order does not conform to a predetermined rule, the state to be controlled is identified as a camouflaged state, assuming that the state includes an abnormal state frame. Item 6. The unauthorized control suppression method according to item 3.
The predetermined criterion is satisfied when the state of the control target in the predetermined period is not a stable state, and is not satisfied when the state is a stable state,
The stable state is a state in which a data value of a specific state frame indicating the state of the control target is within a certain value or a certain range,
In the determination step, the determination related to the predetermined control based on the control frame is performed based on a set of state frames received in the reception step within the predetermined period immediately before the reception that is continuous when the control frame is received. Is performed based on the state of the control target in the predetermined period,
The unauthorized control suppression method according to claim 2, wherein the determination step determines that the predetermined control should be suppressed when the predetermined criterion is satisfied.
The predetermined criterion is satisfied when the state of the control target in the predetermined period is a change frequent state that changes more than a predetermined number of times, and is not satisfied when the state is not a frequent change state,
The unauthorized control suppression method according to claim 2, wherein the determination step determines that the predetermined control should be suppressed when the predetermined criterion is satisfied.
The unauthorized control suppression method further includes a processing step of executing a predetermined process for suppressing the predetermined control when it is determined in the determination step that the predetermined control based on a control frame should be suppressed,
The predetermined process includes a process of discarding the control frame, a process of overwriting the control frame on the communication path, a process of suppressing transfer of the control frame to another communication path, and the control to the electronic control unit. The unauthorized control suppression method according to any one of claims 1 to 9, further comprising any one of processing for instructing not to execute the predetermined control based on a frame.
The control target is a vehicle equipped with the network system,
The communication path is a wired communication path in the vehicle,
The unauthorized control suppression method according to any one of claims 1 to 10, wherein the plurality of electronic control units exchange the plurality of frames according to a CAN protocol or an Ethernet (registered trademark) protocol.
The unauthorized control suppression method according to claim 11, wherein the predetermined control is control related to traveling of the vehicle.
In the reception step, any one of a vehicle speed, a wheel rotation speed, a yaw rate, an acceleration, a steering angle, an accelerator pedal opening, a braking level, an engine rotation speed, a motor rotation speed, a gear position, and an ignition switch state. The unauthorized control suppression method according to claim 11 or 12, wherein a status frame, which is a frame including information on one of them, is sequentially received.
The plurality of frames include a state frame including information on the state of the control target,
The plurality of electronic control units are connected to a network bus that is the communication path, and according to a CAN protocol, exchange a status frame that is a data frame and a control frame,
The unauthorized control suppression method further transmits an error frame to the network bus so as to overwrite at least a part of the control frame when it is determined in the determination step that the predetermined control based on the control frame should be suppressed. The unauthorized control inhibiting method according to any one of claims 11 to 13, further comprising:
A plurality of electronic control units is an unauthorized control deterrent device connected to a communication path where a plurality of frames including a control frame for instructing a predetermined control to be controlled are exchanged via the communication path,
A receiver that sequentially receives a plurality of frames from the communication path;
It is determined whether or not the predetermined control based on the control frame received by the receiving unit should be suppressed based on a set of frames received by the receiving unit within a predetermined period preceding when the control frame is received. An unauthorized control deterrent device comprising a determination unit.
An in-vehicle network system comprising a plurality of electronic control units that perform transmission / reception of a state frame, which is a frame including information related to a vehicle state, and a control frame, which is a frame for instructing the vehicle to perform predetermined control, via a network bus There,
A receiving unit for sequentially receiving a status frame and a control frame from the network bus;
Whether or not to suppress the predetermined control based on the control frame received by the receiving unit is specified based on a set of status frames received by the receiving unit within a predetermined period preceding the reception of the control frame. An in-vehicle network system comprising: a determination unit that determines based on whether or not a state of the vehicle in the predetermined period satisfies a predetermined criterion.