WO2020105657A1 - In-vehicle relay device and relay method - Google Patents

In-vehicle relay device and relay method

Info

Publication number
WO2020105657A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
vehicle
ecu
identifier
relay device
Application number
PCT/JP2019/045350
Other languages
English (en)
Japanese (ja)
Inventor
慎一 相羽
宮下 之宏
浩史 上田
直樹 足立
翔悟 上口
史也 石川
Original Assignee
株式会社オートネットワーク技術研究所
住友電装株式会社
住友電気工業株式会社

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Definitions

  • the present disclosure relates to an in-vehicle relay device and a relay method.
  • the present application claims priority based on Japanese application No. 2018-219313 filed on Nov. 22, 2018, and incorporates all the contents described in the Japanese application.
  • the CAN communication protocol has been widely adopted for communication between a plurality of in-vehicle ECUs (Electronic Control Units) mounted on a vehicle.
  • the number of in-vehicle ECUs mounted tends to increase as vehicles become more multifunctional and more sophisticated.
  • the in-vehicle ECUs may be divided into groups (segments) to form a vehicle network, and a plurality of in-vehicle ECUs may belong to the same group.
  • the in-vehicle ECUs are connected by a common communication line to mutually transmit and receive data, and the in-vehicle relay device (gateway) relays the transmission and reception of data between in-vehicle ECUs of different groups (for example, Patent Document 1).
  • the vehicle network of Patent Document 1 is equipped with a vehicle network monitoring device that is connected to each segment of the vehicle network and detects unauthorized data (message) flowing in the vehicle network.
  • when the vehicle network monitoring device detects illegal data (a message), it transmits warning information (a message code) to the vehicle-mounted control device (vehicle-mounted ECU).
  • An in-vehicle relay device according to the present disclosure is mounted in a vehicle and includes a plurality of in-vehicle communication units to which communication lines for communicating with a plurality of in-vehicle ECUs are connected, and a control unit that controls the relay, between the in-vehicle communication units, of a message transmitted from an in-vehicle ECU. The control unit determines whether the message is correct, stores the message identifier of a message determined to be invalid in an empty area of the data field of an existing message transmitted to the plurality of vehicle-mounted ECUs, and transmits that existing message.
  • FIG. 1 is a schematic diagram illustrating a system configuration including an in-vehicle relay device according to a first embodiment. FIG. 2 is a block diagram illustrating the internal configuration of the in-vehicle relay device and the like. FIG. 3 is an explanatory diagram illustrating one mode of a frame of a CAN message. FIG. 4 is an explanatory diagram illustrating one aspect of the configuration information of a vehicle-mounted ECU. FIG. 5 is a flowchart illustrating the processing of the control unit of the in-vehicle relay device. A further flowchart illustrates the processing of the control unit of the vehicle-mounted relay device according to the second embodiment.
  • the vehicle network monitoring device of Patent Document 1 has a problem that traffic of the vehicle network increases due to the warning information (message code).
  • the object of the present disclosure is to provide an in-vehicle relay device or the like that can suppress an increase in traffic of a vehicle network (in-vehicle LAN) when notifying an in-vehicle ECU that illegal data (message) has been detected.
  • accordingly, an in-vehicle relay device or the like that can suppress an increase in traffic of the vehicle network (in-vehicle LAN) when notifying an in-vehicle ECU that illegal data (a message) has been detected can be provided.
  • An in-vehicle relay device according to the present disclosure is installed in a vehicle, includes a plurality of in-vehicle communication units connected to communication lines for communicating with a plurality of in-vehicle ECUs, and relays, between those in-vehicle communication units, a message transmitted from an in-vehicle ECU.
  • the control unit stores the message identifier of the message determined to be invalid in, for example, an empty area in the data field of an existing message transmitted to the plurality of vehicle-mounted ECUs, and transmits that existing message. It is therefore unnecessary to transmit a dedicated message in order to convey the message identifier of the message determined to be incorrect to the plurality of vehicle-mounted ECUs, and an increase in the traffic of the communication line (in-vehicle LAN) to which the relay device and the vehicle-mounted ECUs are connected can be suppressed.
  • the existing message is a message generated by the control unit.
  • since the existing message is a message generated by the control unit, the in-vehicle relay device is not bound to the relay timing of messages between the in-vehicle ECUs: it can store the message identifier of a message determined to be invalid in the free area of the data field of a message generated by the device itself and send it. By using as the existing message a message generated by the control unit, that is, a message other than those relayed between the vehicle-mounted ECUs, the existing message can be transmitted efficiently. Further, when the existing message is a message generated by the control unit, the messages generated by the vehicle-mounted ECUs are not modified, so those messages are not affected.
  • the existing message is a message relayed from any vehicle-mounted ECU among the plurality of vehicle-mounted ECUs to another vehicle-mounted ECU.
  • when the existing message is a message relayed from one vehicle-mounted ECU among the plurality of vehicle-mounted ECUs to another vehicle-mounted ECU, the message identifier of the message determined to be invalid can be stored in an empty area of the data field of the relayed message, as part of the relay processing by the on-vehicle relay device, and sent. By using a message relayed between the vehicle-mounted ECUs as the existing message, the existing message can be transmitted efficiently.
  • the existing message is a message that is periodically transmitted to the vehicle-mounted ECU.
  • the existing message is, for example, a message sent periodically, such as a polling message (polling frame) or a network management frame (NM frame) for confirming alive information of the vehicle-mounted ECUs or of another vehicle-mounted relay device. Therefore, when the in-vehicle relay device determines that a message is invalid, the message identifier of that message can be stored in the empty area of the data field of the periodically transmitted existing message and sent relatively early.
  • the existing message is a message transmitted based on a determination of active and sleep in the vehicle-mounted ECU.
  • the existing message is a message generated by some event or the like, for example a message that causes a communication device in sleep mode to transition to normal mode (wake-up message) or a message that causes a communication device in normal mode to transition to sleep mode (sleep message); that is, a message transmitted based on the determination of active and sleep in the vehicle-mounted ECU. Therefore, the message identifier of the message determined to be invalid can be transmitted efficiently by utilizing the empty area in the data field of a message transmitted based on the determination of active and sleep in the vehicle-mounted ECU.
  • the in-vehicle relay device includes a storage unit in which the ECU identifier of each vehicle-mounted ECU and the message identifiers included in the messages that the vehicle-mounted ECU transmits are stored in association with each other.
  • after determining whether a message is correct, the control unit refers to the storage unit and reads the ECU identifier associated with the message identifier of the message determined to be incorrect, then reads all message identifiers of the messages transmitted by the vehicle-mounted ECU corresponding to the read ECU identifier, stores them in the empty area of the existing message, and transmits it.
  • in other words, from the message identifier of the message determined to be invalid, the control unit reads the ECU identifier of the in-vehicle ECU that transmits that message, and transmits to the plurality of vehicle-mounted ECUs all message identifiers included in the messages transmitted by that in-vehicle ECU. Since the in-vehicle ECU with the read ECU identifier is likely to be performing illegal processing because of a virus or the like, the message identifiers included in the messages transmitted by that in-vehicle ECU are stored in the empty area of the existing message. Therefore, messages transmitted from such an unauthorized vehicle-mounted ECU can be dealt with efficiently.
  • when the control unit acquires a message including the same message identifier as that of a message previously determined to be incorrect, it again determines whether the message is correct, and when it determines that the acquired message is valid, it stores the message identifier of the acquired message in the empty area and transmits it.
  • that is, the control unit determines whether an acquired message is correct even when the message includes a message identifier that was determined to be invalid in an earlier process. If the acquired message is valid as a result of the determination, the control unit stores the message identifier of the acquired message in the empty area of the existing message and transmits it. Therefore, when the vehicle-mounted ECU that transmitted the message determined to be incorrect has been removed, and a valid message including the same message identifier is transmitted from a normal vehicle-mounted ECU, the in-vehicle relay device and the in-vehicle ECUs can handle the valid message appropriately.
  • A relay method according to the present disclosure relays messages transmitted from a plurality of vehicle-mounted ECUs mounted on a vehicle: messages sent from the plurality of in-vehicle ECUs installed in the vehicle are acquired, the correctness of each acquired message is determined, and the message identifier of a message determined to be invalid is stored in an empty area in the data field of an existing message transmitted to the plurality of vehicle-mounted ECUs and transmitted.
  • according to this aspect, a relay method that suppresses an increase in traffic of the vehicle network when notifying the in-vehicle ECUs that illegal data (a message) has been detected can be provided.
  • a computer can be made to function as the in-vehicle relay device.
  • FIG. 1 is a schematic diagram illustrating a system configuration including an in-vehicle relay device 2 according to the first embodiment.
  • FIG. 2 is a block diagram illustrating an internal configuration of the vehicle-mounted relay device 2 and the like.
  • the vehicle C is equipped with an external communication device 1, an in-vehicle relay device 2, and a plurality of in-vehicle ECUs 3 communicatively connected to the in-vehicle relay device 2.
  • the vehicle-mounted relay device 2 relays the message transmitted and received among the plurality of vehicle-mounted ECUs 3.
  • the in-vehicle relay device 2 may also be a device that transmits a program or data, acquired from the program providing device S1 connected to the external network N via the vehicle exterior communication device 1, to an in-vehicle ECU 3 (Electronic Control Unit) mounted in the vehicle C.
  • the program providing device S1 is, for example, a computer such as a server connected to an external network N such as the Internet or a public line network, is provided with a storage unit S11 such as a RAM (Random Access Memory), a ROM (Read Only Memory), or a hard disk, and corresponds to an external server outside the vehicle.
  • a program or data created by a manufacturer or the like of the vehicle-mounted ECU 3 for controlling the vehicle-mounted ECU 3 is stored in the storage unit S11.
  • the program or data is transmitted to the vehicle C as an update program and is used to update the program or data of the vehicle-mounted ECU 3 mounted on the vehicle C.
  • the program providing device S1 (external server) configured as described above is also referred to as an OTA (Over The Air) server.
  • the vehicle-mounted ECU 3 installed in the vehicle acquires the update program transmitted by wireless communication from the program providing device S1 and applies it as the program to be executed, thereby updating (reprogramming) the program executed by the ECU itself.
  • the vehicle C is equipped with an on-vehicle communication device 1, an in-vehicle relay device 2, a display device 5, and a plurality of in-vehicle ECUs 3 for controlling various in-vehicle devices.
  • the vehicle exterior communication device 1 and the vehicle-mounted relay device 2 are communicatively connected by a harness such as a serial cable.
  • the in-vehicle relay device 2 and the in-vehicle ECUs 3 are communicatively connected by an in-vehicle LAN 4 that supports a communication protocol such as CAN (Controller Area Network / registered trademark).
  • the external communication device 1 includes an external communication unit 11 and an input / output I / F (interface) 12 for communicating with the in-vehicle relay device 2.
  • the external communication unit 11 is a communication device for performing wireless communication using a mobile communication protocol such as 3G, LTE, 4G, or WiFi, and transmits and receives data to and from the program providing device S1 via an antenna 13 connected to the external communication unit 11. Communication between the vehicle exterior communication device 1 and the program providing device S1 is performed via an external network such as a public line network or the Internet.
  • the input / output I / F 12 is a communication interface for serial communication with the vehicle-mounted relay device 2, for example.
  • the vehicle exterior communication device 1 and the vehicle-mounted relay device 2 communicate with each other via an input / output I / F 12 and a harness such as a serial cable connected to the input / output I / F 12.
  • the vehicle exterior communication device 1 is a device separate from the vehicle-mounted relay device 2, and these devices are communicatively connected by the input / output I / F 12 or the like, but the invention is not limited to this.
  • the vehicle exterior communication device 1 may be incorporated in the vehicle-mounted relay device 2 as a component of the vehicle-mounted relay device 2.
  • the in-vehicle relay device 2 includes a control unit 20, a storage unit 21, an in-vehicle communication unit 23, and an input / output I / F 24.
  • the in-vehicle relay device 2 is a gateway (relay device) that relays communication between the vehicle-mounted ECUs 3 across, for example, segments of communication lines 41 (CAN bus / CAN cable) of a plurality of systems, such as the control system vehicle-mounted ECUs 3, the safety system vehicle-mounted ECUs 3, and the body system vehicle-mounted ECUs 3.
  • the vehicle-mounted relay device 2 may be configured as one functional unit of the body ECU that controls the entire vehicle C.
  • the storage unit 21 is configured by a volatile memory device such as a RAM (Random Access Memory) or a non-volatile memory device such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM), or a flash memory, and stores in advance a control program and the data to be referred to during processing.
  • the control program stored in the storage unit 21 may be a control program read from a recording medium 22 readable by the in-vehicle relay device 2. Alternatively, the control program may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the storage unit 21.
  • the storage unit 21 stores the configuration information of all the vehicle-mounted ECUs 3 mounted on the vehicle C and the route information (routing table) used for performing the relay process.
  • the in-vehicle communication unit 23 is, for example, an input / output interface (CAN transceiver) using the CAN (Controller Area Network) communication protocol, and the control unit 20 communicates via the in-vehicle communication unit 23 with vehicle-mounted devices, such as the ECUs 3 and other relay devices, connected to the in-vehicle LAN 4.
  • a plurality of (in the drawing, three) in-vehicle communication units 23 are provided, and each of the in-vehicle communication units 23 is connected to the communication line 41 that constitutes the in-vehicle LAN 4.
  • the in-vehicle LAN 4 is divided into a plurality of segments, and each vehicle-mounted ECU 3 is connected to a segment according to its function (control system function, safety system function, body system function).
  • the control unit 20 is configured by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like, and reads and executes the control program and data stored in advance in the storage unit 21 to perform various control processes, arithmetic processing, and the like.
  • the control unit 20 receives messages transmitted from the vehicle-mounted ECUs 3 connected to each of the communication lines 41 or transmits messages to the vehicle-mounted ECUs 3, and functions as, for example, a CAN controller. Further, the control unit 20 refers to the message identifier, such as the CAN-ID, included in a received message and, from that message identifier (CAN-ID) and the route information (routing table) stored in the storage unit 21,
  • specifies the in-vehicle communication unit 23 corresponding to the segment that is the transmission destination.
  • the control unit 20 functions as a CAN gateway that relays the received message by transmitting it from the specified in-vehicle communication unit 23.
  • although the control unit 20 functions as a CAN controller in this embodiment, the present invention is not limited to this.
  • the in-vehicle communication unit 23 may function as a CAN transceiver and a CAN controller.
  • the control unit 20 functions as a determination unit that determines the correctness of a message by analyzing the received message. In this determination, an invalid message is, for example, a message transmitted from an in-vehicle ECU that is in an abnormal state because of a virus or the like that has entered from outside the vehicle via the vehicle exterior communication device 1 or the like, or from an in-vehicle ECU that has been illegally replaced.
  • the control unit 20 executes a diagnostic program (diagnosis process) on the received message or performs the function of an IDS (Intrusion Detection System) to analyze the message and determine whether the message is correct.
  • the control unit 20 may determine, as an invalid message, a message that is transmitted in a cycle different from the prescribed transmission cycle of that message.
  • by analyzing received messages in this way, the control unit 20 determines whether each message is correct. For example, a message transmitted from an illegal (abnormal) vehicle-mounted ECU 3 that is spoofing a legitimate (normal) vehicle-mounted ECU 3 can be determined to be an illegal message.
  • the control unit 20 stores the message identifier, such as the CAN-ID, included in the message determined to be invalid in the data field of an existing message, such as a wake-up message, that is transmitted regularly or irregularly, and transmits it.
  • the existing message is not the message determined to be invalid but a message other than that message: a message generated by the control unit 20, or a message generated by a vehicle-mounted ECU 3 and relayed by the control unit 20. Alternatively, both messages generated by the control unit 20 and messages generated by the vehicle-mounted ECUs 3 may be used.
  • the in-vehicle ECU 3 includes a control unit 30, a storage unit 31, and an in-vehicle communication unit 32 similar to the in-vehicle communication unit 23 of the in-vehicle relay device 2.
  • the storage unit 31 is configured by a volatile memory device such as a RAM (Random Access Memory) or a non-volatile memory device such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM), or a flash memory, and stores the program or data of the vehicle-mounted ECU 3.
  • the storage unit 31 of the vehicle-mounted ECU 3 stores the message identifier stored in the empty area in the data field of the existing message transmitted from the vehicle-mounted relay device 2.
  • the control unit 30 of the vehicle-mounted ECU 3 is configured by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like, and reads and executes the programs and data stored in the storage unit 31 to perform control processing and the like, thereby controlling the in-vehicle device including the in-vehicle ECU 3, or an actuator.
  • the control unit 30 of the vehicle-mounted ECU 3 stores in the storage unit 31 the message identifier stored in the empty area of the data field of the existing message transmitted from the vehicle-mounted relay device 2, and thereby recognizes that a message including the same message identifier is an illegal message and is not relayed by the vehicle-mounted relay device 2.
  • the display device 5 is, for example, an HMI (Human Machine Interface) device such as a car navigation display.
  • the display device 5 is communicatively connected to the input / output I / F 24 of the in-vehicle relay device 2 by a harness such as a serial cable.
  • the display device 5 displays data or information output from the control unit 20 of the in-vehicle relay device 2 via the input / output I / F 24.
  • when the in-vehicle relay device 2 determines that a received message is an invalid message as described above, the in-vehicle relay device 2 may transmit information such as the message identifier included in the invalid message to the display device 5, and the display device 5 may display the received information.
  • the connection form between the display device 5 and the onboard relay device 2 is not limited to the connection via the input / output I / F 24 and the like; the display device 5 and the onboard relay device 2 may be connected via the in-vehicle LAN 4.
  • An IG switch 6 (ignition switch) for starting or stopping the vehicle C is communicably connected to the input / output I / F 24 of the in-vehicle relay device 2 by a wire harness such as a serial cable.
  • the control unit 20 of the in-vehicle relay device 2 acquires (receives) the signal output (transmitted) from the IG switch 6 via the input / output I / F 24.
  • the control unit 20 of the in-vehicle relay device 2 transmits information regarding ON or OFF of the IG switch 6 to all the in-vehicle ECUs 3 via the in-vehicle communication unit 23 based on the acquired signal.
  • the vehicle-mounted relay device 2 transmits a message indicating that the IG switch 6 is turned on to all the vehicle-mounted ECUs 3 regularly or irregularly.
  • the vehicle-mounted ECU 3 acquires information regarding ON or OFF of the IG switch 6 from the information transmitted by the vehicle-mounted relay device 2 and performs a predetermined operation based on the acquired information. For example, a vehicle-mounted ECU that has received the message indicating that the IG switch 6 is in the on state determines whether to transition itself to the sleep state corresponding to power saving, to continue the sleep state, or to transition to the active state.
  • the existing message caused by the on / off of the IG switch is a message used when transitioning from the active state to the sleep state, when continuing the sleep state, or when transitioning from the sleep state to the active state, and is included among the existing messages used when the message identifier is stored in the empty area of the data field and transmitted. Such a message is transmitted at the time of wake-up or sleep and is called a wake-up message or a sleep message.
  • the wake-up message and the sleep message may be transmitted by a network management frame (NM frame) transmitted regularly or by an event frame transmitted irregularly.
  • the wake-up message or the like transmitted regularly or irregularly is a message already used in the CAN communication between the plurality of vehicle-mounted ECUs 3 and the vehicle-mounted relay device 2, and is included among the existing messages.
  • FIG. 3 is an explanatory diagram illustrating an example of a frame of a CAN message.
  • CAN is a communication protocol defined by ISO11898 and the like, and the frame types of CAN messages (frames) transmitted and received are classified into data frames, remote frames, error frames and overload frames. In FIG. 3, one mode of the data frame in these frame types is illustrated.
  • the data frame of the CAN message is classified into four fields of CAN-ID, DLC, DATA (data) and CRC.
  • the CAN-ID field stores a message identifier for identifying a message and indicating (determining) the priority of the message.
  • the message identifier is called a CAN-ID or an arbitration ID and is represented by 11-bit data, for example.
  • the vehicle-mounted relay device 2 and the vehicle-mounted ECU 3 extract (reference) the message identifier (CAN-ID) stored in the CAN-ID field of a received message, and determine based on the message identifier whether to process the message.
  • Information indicating a data length code is stored in the DLC field, and indicates the number of bytes of data stored in the DATA field (data field).
  • the DATA field stores content data up to 8 bytes.
  • a cyclic redundancy check code and a recessive delimiter bit are stored in the CRC field, and are used for error detection when the content data stored in the DATA field is bit-inverted.
  • the CAN message of the data frame includes SOF (Start Of Frame), IDE (Identifier Extension), and ACK in addition to the above fields, but description thereof will be omitted.
  • the message (wakeup message) transmitted at wakeup belongs to the data frame.
  • the wake-up message is transmitted by the vehicle-mounted relay device 2 to all vehicle-mounted ECUs 3 connected to the in-vehicle communication unit 23 regularly or irregularly, triggered by an event caused by turning on the IG switch 6 or the like.
  • in the DATA field (data field) of the wake-up message, the entire 8-byte area is not used, so there is a free area (free bit area).
  • the vehicle-mounted relay device 2 stores the message identifier (CAN-ID) of the message determined to be invalid in the empty area of the DATA field (data field), and transmits the wake-up message.
  • the wake-up message is transmitted by multicast to all vehicle-mounted ECUs 3, and each vehicle-mounted ECU 3 can receive the wake-up message.
  • the wake-up message is an existing message that the in-vehicle relay device 2 periodically or irregularly transmits in order to determine whether the in-vehicle ECU 3 makes a transition to the sleep state.
  • in this way the message identifier of a message determined to be invalid can be transmitted without the process of generating and transmitting a dedicated message. That is, the in-vehicle relay device 2 can suppress an increase in traffic of the in-vehicle LAN 4 to which the in-vehicle ECUs 3 are connected by effectively utilizing the empty area of the existing message when transmitting the message identifier of the message determined to be invalid. Further, since the vehicle-mounted relay device 2 does not generate a dedicated message for transmitting the message identifier of the message determined to be invalid, the processing load of the control unit 20 of the vehicle-mounted relay device 2 can be reduced.
  • the existing message transmitted by the vehicle-mounted relay device 2 regularly or irregularly is the wake-up message, but the present invention is not limited to this.
  • the existing message may be a message that has a purpose other than the purpose of transmitting the message identifier of the message determined to be invalid and that the vehicle-mounted relay device 2 transmits regularly or irregularly.
  • a polling message transmitted regularly or irregularly to confirm the state of the vehicle-mounted ECUs 3, a message transmitted regularly or irregularly to request transmission of the configuration information of the vehicle-mounted ECUs 3, or a message transmitted irregularly because of some event, is included among the existing messages.
  • the existing message may be a network management frame (NM frame) for confirming alive information of the vehicle-mounted ECU 3 or another vehicle-mounted relay device connected to the in-vehicle LAN 4.
  • the existing message is not limited to a message generated by the control unit 20 of the in-vehicle relay device 2, such as a wake-up message or a network management frame, and may be a message generated by an in-vehicle ECU 3 and relayed by the control unit 20.
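The free-area scheme of the wake-up message described above (an 8-byte DATA field of which the wake-up message uses only part), shown as an added example in C that is not part of the patent. The byte layout of the wake-up message (bytes 0 and 1 used, bytes 2 to 7 free), the wake-up CAN-ID 0x100 and the use of 0xFFFF as an empty-slot marker are assumptions made for this example; an 11-bit CAN-ID never exceeds 0x7FF, so a receiving ECU can distinguish an announced identifier from an unused slot without any extra signalling byte.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAN_DATA_MAX      8u       /* DATA field of a CAN data frame: up to 8 bytes */
#define CAN_STD_ID_MASK   0x7FFu   /* 11-bit standard CAN-ID (arbitration ID) */
#define WAKEUP_USED_BYTES 2u       /* assumption: wake-up payload occupies bytes 0..1 */
#define WAKEUP_FREE_SLOTS ((CAN_DATA_MAX - WAKEUP_USED_BYTES) / 2u)  /* 2 bytes per CAN-ID */

/* Minimal model of a CAN data frame: CAN-ID field, DLC field, DATA field. */
typedef struct {
    uint16_t can_id;
    uint8_t  dlc;
    uint8_t  data[CAN_DATA_MAX];
} can_frame_t;

/* Build the existing (wake-up) message the gateway sends anyway; the free area is
   filled with 0xFF bytes, which decode to 0xFFFF and can never be an 11-bit CAN-ID. */
void init_wakeup_frame(can_frame_t *f, uint8_t ig_on, uint8_t sleep_request) {
    memset(f, 0, sizeof *f);
    f->can_id = 0x100;                       /* assumed wake-up message identifier */
    f->dlc = (uint8_t)CAN_DATA_MAX;
    f->data[0] = ig_on;                      /* constructed payload: IG switch state */
    f->data[1] = sleep_request;              /* constructed payload: sleep/active request */
    for (size_t i = WAKEUP_USED_BYTES; i < CAN_DATA_MAX; i++) f->data[i] = 0xFF;
}

/* Gateway side: store relay-prohibited CAN-IDs in the free area, big-endian, two bytes
   each. Returns how many identifiers fit; the rest must wait for a later message. */
size_t pack_invalid_ids(can_frame_t *f, const uint16_t *ids, size_t n) {
    size_t count = n < WAKEUP_FREE_SLOTS ? n : WAKEUP_FREE_SLOTS;
    for (size_t i = 0; i < count; i++) {
        uint16_t id = ids[i] & CAN_STD_ID_MASK;
        f->data[WAKEUP_USED_BYTES + 2 * i]     = (uint8_t)(id >> 8);
        f->data[WAKEUP_USED_BYTES + 2 * i + 1] = (uint8_t)(id & 0xFFu);
    }
    return count;
}

/* ECU side: read the announced identifiers out of the free area, skipping empty slots.
   Returns the number found (which may exceed max_out; only max_out are written). */
size_t unpack_invalid_ids(const can_frame_t *f, uint16_t *out, size_t max_out) {
    size_t found = 0;
    size_t limit = f->dlc < CAN_DATA_MAX ? f->dlc : CAN_DATA_MAX;
    for (size_t i = WAKEUP_USED_BYTES; i + 1 < limit; i += 2) {
        uint16_t v = (uint16_t)(((unsigned)f->data[i] << 8) | f->data[i + 1]);
        if (v > CAN_STD_ID_MASK) continue;   /* 0xFFFF: unused slot */
        if (found < max_out) out[found] = v;
        found++;
    }
    return found;
}

int main(void) {
    can_frame_t f;
    uint16_t bad[] = { 0x002, 0x009 };       /* constructed: CAN-IDs judged invalid */
    uint16_t out[WAKEUP_FREE_SLOTS];
    init_wakeup_frame(&f, 1, 0);
    pack_invalid_ids(&f, bad, 2);
    size_t n = unpack_invalid_ids(&f, out, WAKEUP_FREE_SLOTS);
    for (size_t i = 0; i < n; i++) printf("relay-prohibited CAN-ID 0x%03X\n", out[i]);
    return 0;
}
```

With the assumed layout only three 11-bit identifiers fit in one wake-up message, so a gateway that has more relay-prohibited identifiers than free slots has to carry the remainder in the next existing message rather than growing the frame.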
  • FIG. 4 is an explanatory diagram illustrating an example of the configuration information of the vehicle-mounted ECU 3.
  • the in-vehicle relay device 2 stores the configuration information of all in-vehicle ECUs 3 connected to the in-vehicle communication unit 23.
  • the configuration information is based on, for example, an information group (configuration information master table) indicated by the items in the table shown in FIG.
  • the configuration information includes, for example, a serial number of the vehicle-mounted ECU 3 and a CAN-ID (message identifier) included in a message transmitted by each vehicle-mounted ECU 3, and a serial number set so as not to be duplicated in each vehicle-mounted ECU 3. Is managed in association with the ECU-ID (ECU identifier).
  • the vehicle-mounted relay device 2 extracts the CAN-ID (message identifier) stored in the CAN-ID field of the received message, and uses the configuration information (configuration information master table) of the vehicle-mounted ECU 3 stored in the storage unit 21.
  • the in-vehicle ECU 3 that refers to and includes the extracted CAN-ID in the message is read out and specified (derived). Further, the vehicle-mounted relay device 2 can identify all CAN-IDs included in the message transmitted by the identified vehicle-mounted ECU 3.
  • the in-vehicle relay device 2 can identify that the in-vehicle ECU 3 that transmitted a message whose CAN-ID is 2 is the in-vehicle ECU 3 whose ECU-ID is 003. Furthermore, the vehicle-mounted relay device 2 can specify that the CAN-IDs (message identifiers) included in (stored in the CAN-ID field of) the messages transmitted by the specified vehicle-mounted ECU 3 are 2 and 9.
  • FIG. 5 is a flowchart illustrating the process of the control unit 20 of the vehicle-mounted relay device 2.
  • the control unit 20 of the in-vehicle relay device 2 constantly performs the following processing when the vehicle C is in the activated state (the IG switch 6 is on) or in the stopped state (the IG switch 6 is off).
  • the control unit 20 of the in-vehicle relay device 2 acquires the message (S10).
  • the control unit 20 acquires a message transmitted from any of the vehicle-mounted ECUs 3 by receiving the message via the in-vehicle communication unit 23, and stores the acquired message in the storage unit 21.
  • the control unit 20 of the in-vehicle relay device 2 determines whether the message is invalid (S11).
  • the control unit 20 analyzes the acquired message by exercising a function such as an IDS, and determines whether the message is an unauthorized message transmitted from an unauthorized vehicle-mounted ECU 3, that is, whether or not the message is valid.
  • the control unit 20 of the in-vehicle relay device 2 stores the message identifier (S12).
  • when the control unit 20 determines that the message is an invalid message, it extracts the CAN-ID (message identifier) stored in the CAN-ID field of the message and stores that CAN-ID in the storage unit 21 as a message identifier whose relay is to be prohibited (relay prohibition message identifier).
  • the control unit 20 of the in-vehicle relay device 2 determines whether it is the transmission timing of the existing message (S13).
  • as the determination of whether the present time is the transmission timing of the existing message, the control unit 20 determines whether or not a predetermined operation, such as turning on the IG switch 6, has been executed.
  • the control unit 20 also exercises a time counting function and determines whether the present time is the transmission timing of the existing message based on whether a predetermined cycle has elapsed while the IG switch 6 is in the ON state. For example, when a predetermined operation such as turning on the IG switch 6 is executed, or when a predetermined period elapses while the IG switch 6 is on, the control unit 20 determines that the present time is the transmission timing of the existing message.
  • when it is determined that it is not the transmission timing of the existing message (S13: NO), the control unit 20 of the in-vehicle relay device 2 loops to execute the process of S13 again. That is, the control unit 20 performs a standby process until the transmission timing of the existing message.
  • even while performing the standby process, the control unit 20 acquires messages transmitted from the vehicle-mounted ECUs 3 and determines whether each acquired message is illegal; when it detects an illegal message, it may store the message identifier of that message in the storage unit 21, adding it to the relay prohibition message identifiers already stored there.
  • the control unit 20 of the in-vehicle relay device 2 stores the message identifier in the empty area in the data field of the existing message and transmits it (S14).
  • when the control unit 20 determines that the present time is the transmission timing of the existing message, it stores the relay prohibition message identifier held in the storage unit 21 in the empty area of the DATA field of the existing message, such as the wake-up message, and transmits the existing message to the vehicle-mounted ECUs 3.
  • when storing the relay prohibition message identifier in the empty area, the control unit 20 may also store in the empty area information indicating that a message including the same message identifier as the relay prohibition message identifier (in its CAN-ID field) is an invalid message.
  • the control unit 20 of the vehicle-mounted relay device 2 therefore need not generate and send a dedicated message for transmitting the message identifier of the illegal message. As a result, the processing load of the in-vehicle relay device 2 can be reduced and an increase in traffic on the in-vehicle LAN 4 can be suppressed.
  • the vehicle-mounted ECU 3 that has received the existing message extracts the relay prohibition message identifier stored in the DATA field of the existing message and stores it in the storage unit 31 of its own ECU.
  • the vehicle-mounted ECU 3 that stores the relay prohibition message identifier in the storage unit 31 can recognize that a message including the same message identifier as the relay prohibition message identifier in its CAN-ID field is an invalid message. Therefore, even if an unauthorized message including the same message identifier as the relay prohibition message identifier is transmitted to the own ECU, the in-vehicle ECU 3 discards the unauthorized message without using it for control of the own ECU.
  • the vehicle-mounted ECU 3 that stores the relay prohibition message identifier in the storage unit 31 recognizes that a message including the same message identifier as the relay prohibition message identifier in its CAN-ID field is a message that is not relayed by the vehicle-mounted relay device 2.
  • the control unit 20 of the in-vehicle relay device 2 prohibits relay of a message including the message identifier (S15).
  • the control unit 20 prohibits the relay of a message including the same message identifier as the relay prohibition message identifier (stored in the CAN-ID field).
  • the unauthorized message transmitted from the unauthorized vehicle-mounted ECU 3 can thereby be prevented from being transmitted (relayed) from the communication line 41 (segment) to which the unauthorized vehicle-mounted ECU 3 is connected to the vehicle-mounted ECUs 3 connected to a different communication line 41 (segment).
  • the control unit 20 of the in-vehicle relay device 2 determines whether the message identifier corresponds to a relay prohibition message identifier (S111).
  • when the control unit 20 determines that the received message is a valid message, it compares the message identifier (CAN-ID) stored in the CAN-ID field of the message with the relay prohibition message identifiers stored in the storage unit 21, and thereby determines whether or not the message identifier (CAN-ID) corresponds to a relay prohibition message identifier.
  • the control unit 20 of the in-vehicle relay device 2 stores the message identifier in the empty area of the existing message and transmits it (S112).
  • when the message identifier of the received message corresponds to a relay prohibition message identifier stored in the storage unit 21, a message including that message identifier was determined to be an invalid message in an earlier pass of this process.
  • such a message can nevertheless be valid now, for example when the in-vehicle ECU 3 that transmitted the incorrect message has been replaced, or the program executed by that in-vehicle ECU 3 has been restored, so that the in-vehicle ECU 3 is in a normal state.
  • when the control unit 20 determines that the message includes the same message identifier as a relay prohibition message identifier (in its CAN-ID field) but is not an invalid message, the control unit 20 stores in the empty area of the existing message the message identifier together with information indicating that messages including that message identifier are valid, and transmits the existing message to the vehicle-mounted ECUs 3. Alternatively, the control unit 20 may store information informing the vehicle-mounted ECUs 3 that the control for treating the message identifier of the message determined to be normal (the message determined not to be invalid) as invalid, such as the relay prohibition processing, has been invalidated (released), and transmit it to the vehicle-mounted ECUs 3. When storing the message identifier of the message determined to be valid in the empty area of the existing message and transmitting it, the control unit 20 may perform the transmission based on the transmission timing of the existing message, as in the process of S13.
  • the vehicle-mounted ECU 3 that has received the existing message transmitted from the vehicle-mounted relay device 2 processes the messages it receives on the basis of the message identifier stored in the empty area of the existing message and the information indicating that messages including that message identifier are valid. That is, the vehicle-mounted ECU 3 accepts messages including that message identifier and uses them for control of its own ECU or the like as necessary.
  • the control unit 20 of the in-vehicle relay device 2 determines whether the message including the message identifier is valid, and when it determines that the message is valid (normal), it deletes that relay prohibition message identifier from the storage unit 21.
  • the control unit 20 of the in-vehicle relay device 2 restarts relaying the message including the message identifier (S113).
  • since the message identifier stored in the storage unit 21 as a relay prohibition message identifier has been deleted from the storage unit 21, the control unit 20 identifies, on the basis of the route information stored in the storage unit 21, the in-vehicle communication unit 23 that is the relay destination of messages including that message identifier (in the CAN-ID field), and restarts transmitting (relaying) such messages via the identified in-vehicle communication unit 23.
  • thus, when the illegal (abnormal) vehicle-mounted ECU 3 that transmitted the illegal message has been restored to a legitimate (normal) vehicle-mounted ECU 3 that transmits legitimate messages, the vehicle-mounted ECU 3 or the vehicle-mounted relay device 2 can again receive or relay the messages transmitted from the restored vehicle-mounted ECU 3.
  • the control unit 20 of the in-vehicle relay device 2 relays the message (S1111).
  • the control unit 20 determines that the message is a valid message and performs the relay process based on the message identifier (CAN-ID) included in the CAN-ID field.
  • after executing the process of S15, S113, or S1111, the control unit 20 loops to execute the process of S10 again.
  • because the control unit 20 of the in-vehicle relay device 2 uses the free space of an existing message that is transmitted regularly or irregularly to transmit the message identifier of the message determined to be incorrect to the in-vehicle ECUs 3, an increase in traffic on the in-vehicle LAN 4 can be suppressed. Further, even if a message includes the same message identifier as the message identifier of a message determined to be invalid, if that message is determined to be valid, information indicating that messages with that message identifier are valid is stored in the empty area of the existing message and transmitted to the vehicle-mounted ECUs 3. Therefore, the vehicle-mounted ECU 3 or the vehicle-mounted relay device 2 can again receive or relay valid messages including that message identifier while an increase in traffic on the in-vehicle LAN 4 is suppressed.
  • by using as the existing message, for example, the wake-up message transmitted by the vehicle-mounted relay device 2 at the timing when the IG switch 6 is turned on (at wake-up), the message identifier of the message determined to be incorrect can be transmitted to the vehicle-mounted ECUs 3 in the empty area of the DATA field of the wake-up message.
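The FIG. 5 flow above (S10 to S15, S111 to S113, S1111) and the ECU-side handling of the carried identifier, as an added Python model that is not code from the patent or its applicants. The relay device drops a message its IDS stand-in judges invalid, stores the CAN-ID as a relay-prohibition identifier, carries it in the empty area of the next wake-up message rather than in a dedicated frame, and releases it when a later message with the same CAN-ID is judged valid; the ECU discards matching frames itself until the release arrives. The byte layout of the empty area (byte 0 own payload, byte 1 flag, three 16-bit identifiers padded with 0xFFFF), the CAN-IDs 0x123, 0x200 and 0x7FF, the segment names and the `is_invalid` callback standing in for the IDS are all assumptions of this example; the page specifies none of them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CanFrame:
    can_id: int   # 11-bit message identifier (CAN-ID field)
    data: bytes   # DATA field, at most 8 bytes


# Assumed layout of the carrier (wake-up) message's DATA field for this example:
# byte 0 = the wake-up message's own payload, byte 1 = flag, bytes 2..7 = up to
# three 16-bit big-endian CAN-IDs. 0xFFFF cannot be an 11-bit CAN-ID, so it marks
# unused slots. None of this layout is specified by the page.
PROHIBIT, RELEASE, PAD = 0x01, 0x02, 0xFFFF


def pack_id_list(own_payload: int, flag: int, ids: List[int]) -> bytes:
    """Store up to three message identifiers in the empty area of the DATA field."""
    if len(ids) > 3 or any(not 0 <= i < PAD for i in ids):
        raise ValueError("at most three identifiers below 0xFFFF fit in the empty area")
    body = bytes([own_payload & 0xFF, flag]) + b"".join(i.to_bytes(2, "big") for i in ids)
    return body.ljust(8, b"\xff")


def unpack_id_list(data: bytes) -> Tuple[int, List[int]]:
    """Inverse of pack_id_list: (flag, identifiers), ignoring padding slots."""
    ids = [int.from_bytes(data[o:o + 2], "big") for o in range(2, 8, 2)]
    return data[1], [i for i in ids if i != PAD]


class RelayDevice:
    """Control unit 20 with storage unit 21: route information, the relay
    prohibition identifiers, and the identifiers waiting for the next carrier."""

    def __init__(self, routes: Dict[int, str], is_invalid: Callable[[CanFrame], bool], wakeup_id: int):
        self.routes = routes               # CAN-ID -> destination segment (route information)
        self.is_invalid = is_invalid       # stands in for the IDS judgement of S11
        self.wakeup_id = wakeup_id         # CAN-ID of the existing message used as carrier
        self.prohibited: Set[int] = set()  # relay prohibition message identifiers
        self.pending: List[Tuple[int, int]] = []   # (flag, CAN-ID) for the next S14

    def on_receive(self, frame: CanFrame) -> Optional[str]:
        """S10..S15 and S111..S1111: destination segment if relayed, None if dropped."""
        if self.is_invalid(frame):                               # S11: YES
            if frame.can_id not in self.prohibited:              # S12: store identifier
                self.prohibited.add(frame.can_id)
                self.pending.append((PROHIBIT, frame.can_id))
            return None                                          # S15: relay prohibited
        if frame.can_id in self.prohibited:                      # S111: YES, but valid now
            self.prohibited.discard(frame.can_id)                # S113: delete from storage
            self.pending.append((RELEASE, frame.can_id))         # S112: announce as valid
        return self.routes.get(frame.can_id)                     # S1111 / S113: relay

    def existing_message_timing(self, own_payload: int = 0) -> List[CanFrame]:
        """S13/S14: the carrier is due; fill its empty area with pending identifiers.
        Prohibitions are announced before releases so that a prohibit-then-release
        pair queued in one interval is applied in order by the ECUs."""
        frames: List[CanFrame] = []
        for flag in (PROHIBIT, RELEASE):
            ids = [i for f, i in self.pending if f == flag]
            for k in range(0, len(ids), 3):
                frames.append(CanFrame(self.wakeup_id, pack_id_list(own_payload, flag, ids[k:k + 3])))
        self.pending.clear()
        # Nothing pending: the existing message still goes out, with an empty area.
        return frames or [CanFrame(self.wakeup_id, pack_id_list(own_payload, 0, []))]


class Ecu:
    """In-vehicle ECU 3 with storage unit 31: discards frames whose CAN-ID was
    announced as prohibited, until a release for that CAN-ID arrives."""

    def __init__(self, wakeup_id: int):
        self.wakeup_id = wakeup_id
        self.prohibited: Set[int] = set()

    def on_receive(self, frame: CanFrame) -> bool:
        """True if the frame is used for control, False if discarded."""
        if frame.can_id == self.wakeup_id:
            flag, ids = unpack_id_list(frame.data)
            if flag == PROHIBIT:
                self.prohibited.update(ids)
            elif flag == RELEASE:
                self.prohibited.difference_update(ids)
            return True
        return frame.can_id not in self.prohibited


def scenario() -> Dict[str, object]:
    """Constructed traffic: CAN-ID 0x123 is flagged by the IDS stand-in, then judged
    valid again (its sender has been repaired); 0x7FF is the wake-up message."""
    flagged = {0x123}
    gw = RelayDevice({0x123: "seg-B", 0x200: "seg-B"}, lambda f: f.can_id in flagged, 0x7FF)
    ecu = Ecu(wakeup_id=0x7FF)
    r1 = gw.on_receive(CanFrame(0x123, b"\x01"))       # invalid: dropped, 0x123 stored
    r2 = gw.on_receive(CanFrame(0x200, b"\x02"))       # unrelated: relayed
    wk1 = gw.existing_message_timing()                 # wake-up carries 0x123 as prohibited
    for f in wk1:
        ecu.on_receive(f)
    d1 = ecu.on_receive(CanFrame(0x123, b"\x03"))      # ECU discards it on its own
    flagged.clear()                                    # ECU restored: no longer flagged
    r3 = gw.on_receive(CanFrame(0x123, b"\x04"))       # valid: released and relayed
    wk2 = gw.existing_message_timing()
    for f in wk2:
        ecu.on_receive(f)
    d2 = ecu.on_receive(CanFrame(0x123, b"\x05"))      # accepted again
    return {"r1": r1, "r2": r2, "wk1": [unpack_id_list(f.data) for f in wk1], "d1": d1,
            "r3": r3, "wk2": [unpack_id_list(f.data) for f in wk2], "d2": d2,
            "gw_prohibited": sorted(gw.prohibited)}
```

Two details worth noting: the carrier frame is emitted even when nothing is pending, because the wake-up message has its own job and the identifier list only rides along in its free bytes; and a standard 8-byte DATA field holds few identifiers, so a long prohibition list spills over several carrier transmissions, which is why `existing_message_timing` returns a list.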
  • the communication protocol of the vehicle-mounted relay device 2 and the vehicle-mounted ECU 3 is described based on CAN, but is not limited to this.
  • the communication between the vehicle-mounted relay device 2 and the vehicle-mounted ECUs 3 may use a communication protocol other than CAN; any communication protocol capable of transmitting an existing message having an empty area in its data field to a plurality of vehicle-mounted ECUs 3 by multicast or broadcast may be used.
  • FIG. 6 is a flowchart illustrating a process of the control unit 20 of the vehicle-mounted relay device 2 according to the second embodiment.
  • the process of the control unit 20 of the in-vehicle relay device 2 according to the second embodiment differs from the first embodiment in that it identifies the in-vehicle ECU 3 that transmitted the message determined to be incorrect, and treats the message identifiers that the identified in-vehicle ECU 3 may include in its messages as relay prohibition message identifiers.
  • the control unit 20 of the in-vehicle relay device 2 performs the process of (S20, S21) as in the process of (S10, S11) of the first embodiment.
  • the control unit 20 of the in-vehicle relay device 2 identifies the in-vehicle ECU 3 that has transmitted the message (S22).
  • the control unit 20 extracts the message identifier (CAN-ID) stored in the CAN-ID field of the received message and, on the basis of the extracted message identifier and the configuration information (configuration information master table) of the vehicle-mounted ECUs 3 stored in the storage unit 21, specifies the vehicle-mounted ECU 3 that includes that message identifier (in the CAN-ID field) in its messages.
  • the control unit 20 of the in-vehicle relay device 2 stores the message identifier (S23).
  • the control unit 20 refers to the configuration information of the vehicle-mounted ECUs 3 stored in the storage unit 21, identifies all message identifiers (CAN-IDs) that may be included in messages transmitted by the identified vehicle-mounted ECU 3, and stores all the identified message identifiers (CAN-IDs) in the storage unit 21 as relay prohibition message identifiers.
  • the in-vehicle ECU 3 that has transmitted an illegal message has a high probability of being an illegal (abnormal) in-vehicle ECU 3. Therefore, the control unit 20 of the vehicle-mounted relay device 2 identifies the illegal (abnormal) vehicle-mounted ECU 3 and stores in the storage unit 21, as relay prohibition message identifiers, all the message identifiers (CAN-IDs) that the illegal (abnormal) vehicle-mounted ECU 3 may include when transmitting a message. As a result, the illegal (abnormal) vehicle-mounted ECU 3 can be dealt with efficiently, for example by prohibiting the relay of every illegal message from it.
  • the control unit 20 of the vehicle-mounted relay device 2 performs the processing of (S24, S25, S26), similar to the processing of (S13, S14, S15) of the first embodiment.
  • the message identifiers (CAN-IDs) that are transmitted in the existing message in S25 and whose relay is prohibited in S26 are all the message identifiers (CAN-IDs) included in the messages transmitted by the unauthorized (abnormal) vehicle-mounted ECU 3 specified in S22.
  • the in-vehicle ECU 3 that has received the existing message transmitted from the in-vehicle relay device 2 can appropriately deal with, for example by discarding, the invalid messages transmitted from the illegal (abnormal) in-vehicle ECU 3, on the basis of the message identifiers (CAN-IDs) stored in the empty area of the existing message.
  • the control unit 20 of the in-vehicle relay device 2 performs the processes of (S211, S212, S213, S2111) similarly to the processes of (S111, S112, S113, S1111) of the first embodiment.
  • after performing the process of S26, S213, or S2111, the control unit 20 loops to perform the process of S20 again, as in the process of the first embodiment.
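The configuration information master table of FIG. 4 and the second-embodiment steps S22 and S23 above, as an added Python example that is not code from the patent or its applicants. The relay device reverse-indexes the table from CAN-ID to ECU-ID, so that a single invalid message with CAN-ID 2 identifies ECU 003 and places all of that ECU's identifiers (2 and 9) on the relay-prohibition list, whereas the first embodiment would have stored only 2. A CAN-ID absent from the table falls back to the per-identifier handling of the first embodiment. Only ECU 003 with CAN-IDs 2 and 9 comes from the page; ECU-IDs 001 and 002, the serial numbers, the IDS stand-in rule (a CAN-ID 2 frame whose first data byte is 0xFF is invalid) and the `abnormal_ecus` bookkeeping are constructed for this example. Release of a prohibited identifier follows S213 as the page describes it, per identifier, when a valid message carrying that identifier arrives.

```python
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

# Configuration information master table kept in storage unit 21, in the FIG. 4
# style: ECU-ID -> (serial number, CAN-IDs that ECU may place in the CAN-ID field).
# ECU 003 with CAN-IDs 2 and 9 follows the page; the other rows are constructed.
CONFIG: Dict[str, Tuple[str, FrozenSet[int]]] = {
    "001": ("SN-A1", frozenset({1, 5})),
    "002": ("SN-B7", frozenset({3, 4})),
    "003": ("SN-C2", frozenset({2, 9})),
}


def build_index(config: Dict[str, Tuple[str, FrozenSet[int]]]) -> Dict[int, str]:
    """Reverse index CAN-ID -> ECU-ID. S22 can only identify the sender if each
    CAN-ID belongs to exactly one ECU, so a duplicate assignment is rejected."""
    index: Dict[int, str] = {}
    for ecu_id, (_serial, can_ids) in config.items():
        for cid in can_ids:
            if cid in index:
                raise ValueError(f"CAN-ID {cid} assigned to both {index[cid]} and {ecu_id}")
            index[cid] = ecu_id
    return index


class RelayDeviceByEcu:
    """Control unit 20, second embodiment: prohibition is widened from one
    identifier to every identifier of the ECU that sent the invalid message."""

    def __init__(self, config: Dict[str, Tuple[str, FrozenSet[int]]],
                 is_invalid: Callable[[int, bytes], bool]):
        self.config = config
        self.index = build_index(config)
        self.is_invalid = is_invalid             # stands in for the IDS judgement of S21
        self.prohibited: Set[int] = set()        # relay prohibition message identifiers
        self.abnormal_ecus: Set[str] = set()     # ECU-IDs identified in S22 (constructed)

    def identify_ecu(self, can_id: int) -> Optional[str]:
        """S22: derive the sending ECU from the CAN-ID via the configuration table."""
        return self.index.get(can_id)

    def on_receive(self, can_id: int, data: bytes) -> Tuple[bool, Set[int]]:
        """Returns (relayed, identifiers newly added to the prohibition list).
        The newly added identifiers are what S25 would place in the empty area
        of the next existing message."""
        if self.is_invalid(can_id, data):                        # S21: invalid
            ecu = self.identify_ecu(can_id)
            if ecu is None:
                new = {can_id} - self.prohibited                 # not in table: per-ID fallback
            else:                                                # S23: all IDs of that ECU
                self.abnormal_ecus.add(ecu)
                new = set(self.config[ecu][1]) - self.prohibited
            self.prohibited |= new
            return False, new                                    # S26: relay prohibited
        if can_id in self.prohibited:                            # S211: valid again
            self.prohibited.discard(can_id)                      # S213: as S113, per identifier
        return True, set()                                       # S2111 / S213: relay


def scenario() -> Dict[str, object]:
    """Constructed traffic: a CAN-ID 2 frame whose first data byte is 0xFF is the
    IDS rule for 'invalid'; everything else is judged valid."""
    gw = RelayDeviceByEcu(CONFIG, lambda cid, d: cid == 2 and d[:1] == b"\xff")
    s1 = gw.on_receive(2, b"\xff\x00")    # invalid -> ECU 003 -> 2 and 9 prohibited
    s2 = gw.on_receive(4, b"\x00")        # ECU 002, untouched -> relayed
    s3 = gw.on_receive(9, b"\x00")        # valid message with prohibited ID 9 -> released, relayed
    after_release = sorted(gw.prohibited)
    s4 = gw.on_receive(2, b"\xff\x01")    # invalid again -> only 9 is newly added
    return {"s1": s1, "s2": s2, "s3": s3, "after_release": after_release, "s4": s4,
            "abnormal": sorted(gw.abnormal_ecus), "ecu_of_9": gw.identify_ecu(9)}
```

The duplicate check in `build_index` is the practical caveat of this embodiment: if two ECUs could legitimately emit the same CAN-ID, S22 would attribute an invalid message to the wrong sender and S23 would silence a healthy ECU, so the master table has to be validated for uniqueness when it is provisioned, not at relay time.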
  • Reference signs: C vehicle; S1 program providing device; S11 storage unit; 1 vehicle outside communication device; 11 vehicle outside communication unit; 12 input/output I/F; 13 antenna; 2 vehicle-mounted relay device; 20 control unit; 21 storage unit; 22 recording medium; 23 in-vehicle communication unit (CAN transceiver); 24 input/output I/F; 3 in-vehicle ECU; 30 control unit; 31 storage unit; 32 in-vehicle communication unit (CAN transceiver); 4 in-vehicle LAN; 41 communication line; 5 display device; 6 IG switch

Abstract

This in-vehicle relay device is mounted in a vehicle and is provided with a plurality of in-vehicle communication units to which are connected a plurality of communication lines for communicating with a plurality of in-vehicle ECUs, a message transmitted from an in-vehicle ECU being relayed between the in-vehicle communication units; the in-vehicle relay device is provided with a control unit for controlling the relaying of the message; and the control unit evaluates the legitimacy of the message, stores the identifier of a message evaluated as illegitimate in a free space within the data field of existing messages transmitted to the plurality of in-vehicle ECUs, and transmits the identifier of the message.
PCT/JP2019/045350 2018-11-22 2019-11-20 Dispositif relais embarqué et procédé de relais WO2020105657A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-219312 2018-11-22
JP2018219312 2018-11-22

Publications (1)

Publication Number Publication Date
WO2020105657A1 true WO2020105657A1 (fr) 2020-05-28

Family

ID=70773809

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/045350 WO2020105657A1 (fr) 2018-11-22 2019-11-20 Dispositif relais embarqué et procédé de relais

Country Status (1)

Country Link
WO (1) WO2020105657A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022264762A1 (fr) * 2021-06-15 2022-12-22 株式会社オートネットワーク技術研究所 Dispositif embarqué, procédé de traitement d'informations et programme

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002073433A (ja) * 2000-08-28 2002-03-12 Mitsubishi Electric Corp 侵入検知装置及び不正侵入対策管理システム及び侵入検知方法
JP2012249107A (ja) * 2011-05-27 2012-12-13 Toshiba Corp 通信システム
JP2017007401A (ja) * 2015-06-17 2017-01-12 株式会社オートネットワーク技術研究所 車載中継装置、車載通信システム及び中継プログラム
JP2017092634A (ja) * 2015-11-06 2017-05-25 日立オートモティブシステムズ株式会社 情報処理装置および不正メッセージ検知方法
JP2018160786A (ja) * 2017-03-22 2018-10-11 パナソニックIpマネジメント株式会社 監視装置、監視方法およびコンピュータプログラム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19886071; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19886071; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)