WO2020158118A1 - Security apparatus, attack identification method, program, and storage medium - Google Patents


Info

Publication number
WO2020158118A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
abnormality
unit
data
abnormality detection
Prior art date
Application number
PCT/JP2019/045105
Other languages
French (fr)
Japanese (ja)
Inventor
泰生 山本
直樹 廣部
泰久 渡辺
徹 小河原
Original Assignee
オムロン株式会社
Priority claimed from JP2019136882A (JP2020123307A)
Application filed by オムロン株式会社
Publication of WO2020158118A1

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways

Definitions

  • the present invention relates to a security device, an attack identification method, a program, and a storage medium.
  • a system is disclosed in which an abnormality detection server on a cloud accumulates information about frames received on the in-vehicle network of each vehicle, adjusts a predetermined model by machine learning or the like, and calculates the degree of abnormality of a frame received on a given in-vehicle network by a calculation process that compares the information about that frame with the predetermined model.
  • the amount of processing executed by such an abnormality detection server is enormous, and it is difficult to implement the function of such an abnormality detection server in a vehicle in terms of the processing capacity and cost of a device installed in the vehicle. This has been a problem.
  • the present invention has been made in view of the above problem, and an object of the present invention is to provide a security device, an attack identification method, a program, and a storage medium that, when one or more devices on a device network connected via a communication path are subjected to a security attack, can identify the type of the attack by processing with a reduced load and thereby enable swift incident response.
  • a security device (1) is a security device included in a device network in which one or more devices are connected via a communication path.
  • An anomaly detection unit that detects an anomaly caused by an attack on the device network
  • An abnormality data collection unit that collects the data of the abnormality detected by the abnormality detection unit
  • An abnormal data holding unit that holds the abnormal data collected by the abnormal data collecting unit
  • An abnormality detection pattern holding unit that holds an abnormality detection pattern for each of the types of attacks, which is configured to include combination data of detection necessity for each of a plurality of abnormality detection items
  • An attack identification unit that identifies the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the abnormality detection pattern held in the abnormality detection pattern holding unit.
  • the abnormality detecting unit detects the abnormality
  • the detected abnormality data is collected by the abnormality data collecting unit
  • the collected abnormality data is held by the abnormality data holding unit.
  • the attack identification unit identifies the type of the attack corresponding to the abnormality. Therefore, when the device network receives the attack, the type of the attack can be identified by the security device alone. Further, since the abnormality detection pattern defined for each type of the attack is used to identify the type of the attack, the type of the attack can be identified by processing with a reduced load, without performing a heavy-load abnormality analysis with a large amount of processing such as machine learning.
  • the communication path may be a wired communication path, a wireless communication path, or a communication path including both wired and wireless communication paths.
  • a security device (2) is the security device (1) further including an attack estimation pattern holding unit that holds, for each type of the attack, an attack estimation pattern configured to include combination data of weighting values for each of the plurality of abnormality detection items, and an attack estimation unit that, when the type of the attack cannot be identified by the attack identification unit, estimates the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the attack estimation pattern held in the attack estimation pattern holding unit.
  • in the security device (2), even when the attack identification unit cannot identify the type of the attack, the attack estimation unit can estimate the type of the attack corresponding to the abnormality. Further, since the attack estimation pattern defined for each type of the attack is used to estimate the type of the attack, processing with a reduced load, without a heavy-load abnormality analysis with a large amount of processing such as machine learning, makes it possible to estimate whether the attack is similar to any known attack.
  • a security device (3) is the security device (1) in which the abnormality data held in the abnormality data holding unit includes data indicating the result of detection or non-detection for each of the plurality of abnormality detection items, and the attack identification unit identifies the type of the attack corresponding to the abnormality by collating the data indicating the result of detection or non-detection for each of the plurality of abnormality detection items with the abnormality detection pattern.
  • in the security device (3), the attack identification unit collates (in other words, matches) the data indicating the result of detection or non-detection for each of the plurality of abnormality detection items with the abnormality detection pattern, and thereby identifies the type of the attack corresponding to the abnormality. Therefore, the type of the attack can be identified quickly by low-load processing.
  • a security device (4) is the security device (2) in which the abnormality data held in the abnormality data holding unit includes data indicating the result of detection or non-detection for each of the plurality of abnormality detection items,
  • the attack estimation pattern includes a first total value indicating the sum of the combination data of the weighting values, and
  • the attack estimation unit includes a first calculation unit that calculates, for each type of the attack, a second total value indicating the sum of the products of the data indicating the result of detection or non-detection for each of the plurality of abnormality detection items and the corresponding weighting value,
  • a second calculation unit that calculates, for each type of the attack, the match rate between the first total value and the second total value, and
  • an estimation unit that estimates the type of the attack corresponding to the abnormality based on the match rate calculated by the second calculation unit.
  • in the security device (4), the attack estimation unit calculates the second total value for each type of the attack, calculates the match rate between the first total value and the second total value for each type of the attack, and estimates the type of the attack corresponding to the abnormality based on the calculated match rate. Therefore, low-load processing makes it possible to quickly estimate which of the known attacks the attack is most similar to.
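The identification-then-estimation processing of security devices (1) to (4), as an added example that is not the patent's own code; the detection items, attack type names, detection patterns, weighting values and the 0.5 minimum match rate are constructed assumptions:

```python
"""Attack identification by pattern collation, with weighted estimation as fallback.

Added example, not the patent's own code. The detection items, attack
types, patterns, weights and minimum match rate are constructed values.
"""
from typing import Dict, Optional, Tuple

# The plurality of abnormality detection items (constructed names).
ITEMS = ("unknown_id", "period_short", "dlc_mismatch", "bus_load_high", "cpu_load_high")

# Abnormality detection pattern per attack type: detection necessity
# (True = item must be detected, False = item must not be detected).
DETECTION_PATTERNS: Dict[str, Dict[str, bool]] = {
    "spoofing":  dict(unknown_id=False, period_short=True,  dlc_mismatch=False, bus_load_high=False, cpu_load_high=False),
    "flooding":  dict(unknown_id=True,  period_short=True,  dlc_mismatch=False, bus_load_high=True,  cpu_load_high=False),
    "malformed": dict(unknown_id=False, period_short=False, dlc_mismatch=True,  bus_load_high=False, cpu_load_high=False),
}

# Attack estimation pattern per attack type: weighting value per item.
# The first total value of each pattern is the sum of its weights.
ESTIMATION_PATTERNS: Dict[str, Dict[str, int]] = {
    "spoofing":  dict(unknown_id=1, period_short=5, dlc_mismatch=1, bus_load_high=1, cpu_load_high=0),  # first total 8
    "flooding":  dict(unknown_id=3, period_short=3, dlc_mismatch=0, bus_load_high=5, cpu_load_high=1),  # first total 12
    "malformed": dict(unknown_id=1, period_short=0, dlc_mismatch=5, bus_load_high=0, cpu_load_high=2),  # first total 8
}

MIN_MATCH_RATE = 0.5  # constructed cutoff below which no estimate is reported


def identify_attack(detected: Dict[str, bool]) -> Optional[str]:
    """Attack identification unit: collate the detection/non-detection result of
    every item with each pattern; an exact match identifies the attack type."""
    for attack_type, pattern in DETECTION_PATTERNS.items():
        if all(bool(detected.get(item, False)) == pattern[item] for item in ITEMS):
            return attack_type
    return None


def match_rates(detected: Dict[str, bool]) -> Dict[str, float]:
    """First and second calculation units of the attack estimation unit:
    second total = sum(detected_i * weight_i); match rate = second / first."""
    rates: Dict[str, float] = {}
    for attack_type, weights in ESTIMATION_PATTERNS.items():
        first_total = sum(weights[item] for item in ITEMS)
        second_total = sum(weights[item] for item in ITEMS if detected.get(item, False))
        rates[attack_type] = second_total / first_total if first_total else 0.0
    return rates


def estimate_attack(detected: Dict[str, bool]) -> Optional[Tuple[str, float]]:
    """Estimation unit: the attack type with the highest match rate, if it reaches the cutoff."""
    rates = match_rates(detected)
    best = max(rates, key=rates.__getitem__)
    if rates[best] < MIN_MATCH_RATE:
        return None
    return best, rates[best]


def classify(detected: Dict[str, bool]) -> Dict[str, object]:
    """Identification first; estimation only when identification fails.
    The returned dict stands in for the attack identification / estimation
    data handed to the incident handling units."""
    identified = identify_attack(detected)
    if identified is not None:
        return {"result": "identified", "attack_type": identified}
    estimated = estimate_attack(detected)
    if estimated is None:
        return {"result": "unknown"}
    return {"result": "estimated", "attack_type": estimated[0], "match_rate": estimated[1]}


if __name__ == "__main__":
    # Constructed detection results as read from the abnormality data holding unit.
    print(classify({"unknown_id": True, "period_short": True, "bus_load_high": True}))
    print(classify({"period_short": True, "bus_load_high": True}))
    print(classify({"cpu_load_high": True}))
```

The second call shows the fallback: no pattern matches exactly, so the weighted match rate (6/8 for the spoofing pattern versus 8/12 for flooding) decides the estimate.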
  • a security device (5) is any of the security devices (1) to (4) further including a message normal value holding unit that holds, for each of the plurality of abnormality detection items, a normal value for the case where a message received via the communication path is normal,
  • the plurality of abnormality detection items include one or more items relating to the abnormality of the message,
  • the abnormality detection unit includes a message abnormality detection unit that detects a message abnormality due to the attack based on the normal value of each of the plurality of abnormality detection items held in the message normal value holding unit, and
  • the abnormality data collection unit collects data of the message abnormality detected by the message abnormality detection unit.
  • in the security device (5), the message abnormality is detected based on the normal value of each of the plurality of abnormality detection items held in the message normal value holding unit, so that even if the number of abnormality detection items is large, the message abnormality can be detected promptly by processing with a reduced load. Further, the attack identification unit can quickly identify the type of the attack corresponding to the message abnormality, and the attack estimation unit can quickly estimate the type of the attack corresponding to the message abnormality.
  • a security device (6) is any of the security devices (1) to (5) further including a communication path normal value holding unit that holds the normal value of each of the plurality of abnormality detection items,
  • the plurality of abnormality detection items include one or more items relating to the abnormality of the communication path,
  • the abnormality detection unit includes a communication path abnormality detection unit that detects a communication path abnormality due to the attack based on the normal value of each of the plurality of abnormality detection items held in the communication path normal value holding unit, and
  • the abnormality data collection unit collects data of the communication path abnormality detected by the communication path abnormality detection unit.
  • in the security device (6), the communication path abnormality is detected based on the normal value of each of the plurality of abnormality detection items held in the communication path normal value holding unit, so that even if the number of items is large, the communication path abnormality can be detected promptly by processing with a reduced load. Further, the attack identification unit can quickly identify the type of the attack corresponding to the communication path abnormality, and the attack estimation unit can quickly estimate the type of the attack corresponding to the communication path abnormality.
  • a security device (7) is any of the security devices (1) to (6) further including an internal processing normal value holding unit that holds the normal value of each of the plurality of abnormality detection items,
  • the plurality of abnormality detection items include one or more items related to the abnormality of the internal processing,
  • the abnormality detection unit includes an internal processing abnormality detection unit that detects an abnormality in the internal processing based on the normal value of each of the plurality of abnormality detection items held in the internal processing normal value holding unit, and
  • the abnormality data collection unit collects data of the abnormality in the internal processing detected by the internal processing abnormality detection unit.
  • in the security device (7), since an abnormality in the internal processing (hereinafter also referred to as an internal processing abnormality) is detected, even if the number of the plurality of abnormality detection items is large, the internal processing abnormality can be detected promptly by processing with a reduced load. Further, the attack identification unit can quickly identify the type of the attack corresponding to the internal processing abnormality, and the attack estimation unit can quickly estimate the type of the attack corresponding to the internal processing abnormality. Therefore, an abnormality due to an attack that cannot be detected from the communication path or from a message received via the communication path can be identified or estimated based on the internal processing abnormality, so that more varied types of attack can be identified or estimated.
  • a security device (8) is any of the security devices (1) to (7) in which the abnormality data collection unit collects data of the abnormality detected within a predetermined time after the abnormality is detected by the abnormality detection unit.
  • in the security device (8), the abnormality data collection unit collects the data of the abnormality detected within the predetermined time after the abnormality is detected. Therefore, by using the data of the abnormality detected within the predetermined time, the accuracy of identification of the type of the attack by the attack identification unit and the accuracy of estimation of the type of the attack by the attack estimation unit can be increased.
  • a security device (9) is any of the security devices (1) to (8) further including an abnormality log accumulation unit that accumulates the abnormality data collected by the abnormality data collection unit as an abnormality log.
  • in the security device (9), since the abnormality data is accumulated in the abnormality log accumulation unit as an abnormality log, post-incident analysis using the abnormality log stored in the abnormality log accumulation unit becomes possible.
  • a security device (10) further includes a first incident handling unit that, when the attack identification unit identifies the type of the attack corresponding to the abnormality, performs handling processing for the identified type of the attack.
  • in the security device (10), when the type of the attack corresponding to the abnormality is identified, the first incident handling unit can quickly take measures against the identified type of the attack.
  • a security device (11) further includes a second incident handling unit that, when the attack estimation unit estimates the type of the attack corresponding to the abnormality, performs handling processing for the estimated type of the attack.
  • in the security device (11), when the type of the attack corresponding to the abnormality is estimated, the second incident handling unit can quickly take measures against the estimated type of the attack.
  • a security device (12) is any of the security devices (1) to (11) further including a notification processing unit that operates a notification unit connected to the device network to notify of the abnormality.
  • in the security device (12), the notification processing unit can operate the notification unit to notify of the abnormality, so that a user who receives the notification can respond appropriately to the abnormality.
  • a security device (13) is any of the security devices (1) to (12) further including a notification processing unit that operates an external notification unit connected to the device network to notify the outside of the abnormality.
  • in the security device (13), the notification processing unit can operate the external notification unit to report the abnormality to the outside, so that an appropriate countermeasure can be taken from the outside.
  • a security device (14) according to the present disclosure is any of the security devices (1) to (13), wherein the device is a control device mounted in a vehicle and the device network is an in-vehicle network.
  • in the security device (14), when one or more of the control devices on the in-vehicle network connected via the communication path receives a security attack, the type of the attack can be identified by the vehicle alone by processing with a reduced load. In addition, prompt incident response can be achieved, and the safety of the vehicle can be enhanced.
  • a security device (15) according to the present disclosure is any of the security devices (1) to (13), wherein the device is a control device installed in an industrial device forming an FA (Factory Automation) system and the device network is an industrial device network that constitutes the FA system.
  • in the security device (15), when one or more of the control devices on the industrial device network connected via the communication path receives the attack, the type of the attack can be identified within the FA system by processing with a reduced load. In addition, quick incident response is possible, and the user (for example, an operator) of the industrial device can use the industrial device with more peace of mind, without worrying about security threats.
  • an attack identification method (1) is an attack identification method executed by at least one computer included in a device network in which one or more devices are connected via a communication path, and includes: an abnormality detection step of detecting an abnormality caused by an attack on the device network; an abnormality data collection step of collecting data of the abnormality detected in the abnormality detection step; a holding step of holding the abnormality data collected in the abnormality data collection step in an abnormality data holding unit; and an attack identification step of identifying the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the abnormality detection pattern for each type of the attack held in an abnormality detection pattern holding unit, wherein the abnormality detection pattern is configured to include combination data of whether or not detection is required for each of the plurality of abnormality detection items.
  • in the attack identification method (1), since the abnormality detection pattern is used to identify the type of the attack, when the device network receives the attack, the type of the attack can be identified by processing with a reduced load, without performing a high-load abnormality analysis with an enormous processing amount such as machine learning.
  • an attack identification method (2) is the attack identification method (1) further including an attack estimation step of estimating, when the attack identification step cannot identify the type of the attack, the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the attack estimation pattern held for each type of the attack, wherein the attack estimation pattern is configured to include combination data of weighting values for each of the plurality of abnormality detection items.
  • in the attack identification method (2), even when the attack identification step cannot identify the type of the attack, the attack estimation step can estimate the type of the attack corresponding to the abnormality. Further, since the attack estimation pattern defined for each type of the attack is used to estimate the type of the attack, processing with a reduced load, without a heavy-load abnormality analysis with a large amount of processing such as machine learning, makes it possible to estimate whether the attack is similar to any known attack.
  • a program (1) is a program for causing at least one computer included in a device network in which one or more devices are connected via a communication path to execute: an abnormality detection step of detecting an abnormality caused by an attack on the device network; an abnormality data collection step of collecting data of the abnormality detected in the abnormality detection step; a holding step of holding the abnormality data collected in the abnormality data collection step in an abnormality data holding unit; and an attack identification step of identifying the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the abnormality detection pattern for each type of the attack held in an abnormality detection pattern holding unit,
  • wherein the abnormality detection pattern is configured to include combination data of whether or not detection is required for each of the plurality of abnormality detection items.
  • with the program (1), when the device network receives the attack, the at least one computer can be caused to execute the processing for identifying the type of the attack. Therefore, the type of the attack can be identified by the computer itself. Further, since the abnormality detection pattern is used to identify the type of the attack, the computer can be caused to execute the processing for identifying the type of the attack with a reduced load, without executing a heavy-load abnormality analysis such as machine learning.
  • the program may be a program stored in a storage medium or a program that can be transferred via a communication network.
  • a program (2) according to the present disclosure is the program (1) further causing the at least one computer to execute an attack estimation step of estimating, when the type of the attack cannot be identified in the attack identification step, the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the attack estimation pattern for each type of the attack held in an attack estimation pattern holding unit, wherein the attack estimation pattern is configured to include combination data of weighting values for each of the plurality of abnormality detection items.
  • with the program (2), the attack estimation step causes the computer to execute the processing for estimating the type of the attack corresponding to the abnormality. Further, since the attack estimation pattern defined for each type of the attack is used to estimate the type of the attack, the computer can execute the processing for estimating whether the attack is similar to any known attack with a reduced load, without executing a high-load abnormality analysis with a large amount of processing such as machine learning.
  • a computer-readable storage medium (1) stores a program for causing at least one computer included in a device network in which one or more devices are connected via a communication path to execute: an abnormality detection step of detecting an abnormality caused by an attack on the device network; an abnormality data collection step of collecting data of the abnormality detected in the abnormality detection step; a holding step of holding the abnormality data collected in the abnormality data collection step in an abnormality data holding unit; and an attack identification step of identifying the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the abnormality detection pattern for each type of the attack held in an abnormality detection pattern holding unit,
  • wherein the abnormality detection pattern is configured to include combination data of whether or not detection is required for each of the plurality of abnormality detection items.
  • with the computer-readable storage medium (1), when the at least one computer reads the program and executes the steps, the computer can execute the processing for identifying the type of the attack made on the device network. Therefore, the type of the attack can be identified by the computer itself. Further, since the abnormality detection pattern is used to identify the type of the attack, the computer can be caused to execute the processing for identifying the type of the attack with a reduced load, without executing a heavy-load abnormality analysis such as machine learning.
  • a computer-readable storage medium (2) is the computer-readable storage medium (1) storing a program for further causing the at least one computer to execute an attack estimation step of estimating, when the type of the attack cannot be identified in the attack identification step, the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the attack estimation pattern for each type of the attack held in an attack estimation pattern holding unit, wherein the attack estimation pattern is configured to include combination data of weighting values for each of the plurality of abnormality detection items.
  • with the computer-readable storage medium (2), the attack estimation step causes the computer to execute the processing for estimating the type of the attack corresponding to the abnormality. Further, since the attack estimation pattern defined for each type of the attack is used to estimate the type of the attack, the computer can execute the processing for estimating whether the attack is similar to any known attack with a reduced load, without executing a high-load abnormality analysis with a large amount of processing such as machine learning.
  • FIG. 3 is a block diagram showing a functional configuration example of a gateway ECU according to the embodiment (1).
  • FIG. 7 is a diagram for explaining an example of an abnormality detection pattern held by an abnormality detection pattern holding unit for each type of attack.
  • A diagram for explaining a case where the type of attack could be identified by the attack identification processing performed by an attack identification unit.
  • A diagram for explaining a case where the type of attack cannot be identified by the attack identification processing performed by the attack identification unit.
  • A diagram for explaining an example of the attack estimation pattern held for each type of attack.
  • FIG. 6 is a configuration example of attack identification data output to the incident response unit when the attack identification unit identifies the type of attack corresponding to the abnormality.
  • A configuration example of the attack estimation data output to the incident response unit when the type of attack corresponding to the abnormality is estimated by the attack estimation unit.
  • 7 is a schematic flowchart showing a processing operation performed by a security control unit that constitutes the gateway ECU according to the embodiment (1).
  • FIG. 7 is a flowchart showing an abnormality detection processing operation performed by a security control unit that constitutes the gateway ECU according to the embodiment (1).
  • 7 is a flowchart showing an abnormality collection processing operation performed by a security control unit that constitutes the gateway ECU according to the embodiment (1).
  • 7 is a flowchart showing an attack identifying processing operation performed by a security control unit that constitutes the gateway ECU according to the embodiment (1).
  • A block diagram showing a functional configuration example of the gateway ECU according to the embodiment (2).
  • FIG. 7 is a diagram for explaining an example of an abnormality detection pattern held by an abnormality detection pattern holding unit for each type of attack.
  • A diagram for explaining an example of the attack estimation pattern held for each type of attack.
  • FIG. 7 is a flowchart showing an abnormality detection processing operation performed by a security control unit that constitutes the gateway ECU according to the embodiment (2).
  • A schematic block diagram of the FA system according to a modification.
  • A schematic block diagram of the FA system according to another modification.
  • FIG. 1 is a schematic block diagram of an in-vehicle network system to which the security device according to the embodiment (1) is applied.
  • the in-vehicle network 2 is a communication network system mounted on the vehicle 1, and includes an OBDII (On-board diagnostics II) 4, a traveling system ECU (Electronic Control Unit) group 5, a body system ECU group 6, an information system ECU group 7, and a gateway ECU 10.
  • the vehicle-mounted network 2 in the present embodiment is a network that communicates according to the CAN (Controller Area Network) protocol. Note that communication standards other than CAN may be adopted for the in-vehicle network 2.
  • the OBDII 4, the traveling system ECU group 5, the body system ECU group 6, and the information system ECU group 7 are connected to CH1, CH2, CH3, and CH4 of the gateway ECU 10 via the bus 3 which is a communication path, respectively.
  • the number of communication CHs that the gateway ECU 10 has is not limited to four.
  • a central gateway system in which the ECU groups are connected to the gateway ECU 10 for each functional system is adopted, but the connection system of the gateway ECU 10 is not limited to this system, and the gateway ECU 10 may be provided in a system in which the ECU groups are connected to one another.
  • the OBDII 4 is equipped with a port to which a diagnostic device or scan tool for failure diagnosis or maintenance is connected.
  • the traveling system ECU group 5 includes a drive system ECU and a chassis system ECU.
  • the drive system ECU includes a control unit for "running" functions such as engine control, motor control, fuel cell control, EV (Electric Vehicle) control, and transmission control.
  • the chassis system ECU includes a control unit for "stop, bend" functions such as brake control or steering control.
  • the body system ECU group 6 includes a control unit related to the functions of the vehicle body such as a door lock, a power window, an air conditioner, a light, or a winker.
  • the information system ECU group 7 includes infotainment devices, telematics devices, or ITS (Intelligent Transport Systems) related devices.
  • the infotainment device includes a car navigation device or an audio device
  • the telematics device includes a communication unit for connecting to a mobile phone network or the like.
  • the ITS-related device includes an ETC (Electronic Toll Collection System), a road-to-vehicle communication with a roadside device such as an ITS spot, or a communication unit for performing inter-vehicle communication.
  • a safety function system ECU group may be connected to the gateway ECU 10.
  • the safety function system ECU group includes control units relating to functions that automatically improve safety or realize comfortable driving in cooperation with the traveling system ECU group 5 and the like, such as automatic braking, lane keeping control, and inter-vehicle distance control.
  • an external interface may be connected to the gateway ECU 10.
  • the external interface includes, for example, Bluetooth (registered trademark), Wi-Fi (registered trademark), USB (Universal Serial Bus) port, memory card slot, or the like.
  • the gateway ECU 10 has a function of exchanging frames with each ECU group included in the in-vehicle network 2 according to the CAN protocol, and further functions as a security device according to the present embodiment. That is, the security device according to the present embodiment is mounted on the gateway ECU 10 connected to the bus 3 of the vehicle-mounted network 2.
  • the gateway ECU 10 determines the attack (that is, identifies or estimates the type of attack) with the vehicle 1 alone, that is, within the gateway ECU 10 itself, by low-load processing, and executes incident response processing according to the determined attack. As a result, the driver of the vehicle 1 can drive the vehicle 1 without anxiety about the threat of a security attack.
  • the traveling system ECU group 5, the body system ECU group 6, the information system ECU group 7, and the gateway ECU 10 are each configured by a computer device including one or more processors, a memory, a communication module, and the like; the processor mounted in each ECU reads the program stored in the memory, interprets and executes it, and thereby each ECU executes predetermined control.
  • FIG. 2 is a block diagram showing a functional configuration example of the gateway ECU 10 according to the embodiment (1).
  • the gateway ECU 10 includes a gateway function unit 11 and a security control unit 12.
  • the security control unit 12 is a part in which the functions of the security device according to the present embodiment are mounted.
  • the gateway ECU 10 includes, as hardware, a memory including a ROM (Read Only Memory) in which a control program is stored and a RAM (Random Access Memory), a processor such as a CPU (Central Processing Unit) that reads the program from the memory and executes it, and a communication module for connecting to the vehicle-mounted network 2 and the like.
  • the gateway function unit 11 has a function of performing control to transfer a frame via each ECU group and the bus 3, and includes, for example, a frame transmission/reception unit, a frame interpretation unit, and a frame conversion unit (not shown) of the vehicle-mounted network 2.
  • the configuration required for mutual communication with each ECU group according to the CAN protocol is included.
  • the bus 3 is an example of a communication path and the frame is an example of a message.
  • frames in the CAN protocol include data frames, remote frames, overload frames, and error frames.
  • the data frame includes SOF (Start of Frame), ID, RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit, DLC (Data Length Code), data field, CRC (Cyclic Redundancy Check) sequence, CRC delimiter, ACK (Acknowledgement) slot, ACK delimiter (DEL), and EOF (End Of Frame) fields.
  • the security control unit 12 includes a frame reception unit 21, a frame abnormality detection unit 22, a bus monitoring unit 23, a bus abnormality detection unit 24, and a normal value holding unit 25.
  • the security control unit 12 further includes an abnormal data collection unit 26, an abnormal data holding unit 27, a timer 28, an abnormality detection pattern holding unit 29, an attack identifying unit 30, an attack estimation pattern holding unit 31, an attack estimation unit 32, and an incident handling unit 33.
  • the security control unit 12 includes, as hardware, a memory including a ROM in which a control program is stored and a RAM, and a processor that reads the program from the memory and executes it; the functions of the above-described units are realized by this hardware.
  • the frame receiving unit 21 receives, for example, a frame (CAN frame) that is a CAN signal from the gateway function unit 11, and sends the received frame to the frame abnormality detection unit 22 and the bus monitoring unit 23.
  • the frame abnormality detection unit 22 checks a plurality of abnormality detection items (also referred to as parameters) to determine whether the frame received by the frame reception unit 21 has an abnormality caused by an attack on the vehicle-mounted network 2 (that is, a frame abnormality), and detects it.
  • the plurality of abnormality detection items for detecting the frame abnormality may include, for example, parameters such as RTR, DLC, payload, and reception cycle set for each frame ID.
  • the frame abnormality is an abnormality of the CAN signal alone.
  • the frame abnormality detection unit 22 is an example of a message abnormality detection unit.
  • the bus monitoring unit 23 monitors the respective states of the buses 3 connected to CH1 to CH4 of the gateway ECU 10 and sends the monitoring data to the bus abnormality detection unit 24.
  • the bus abnormality detection unit 24 is an example of a communication path abnormality detection unit.
  • the bus abnormality detection unit 24 checks a plurality of abnormality detection items (also referred to as parameters) to determine whether or not the bus 3 connected to each of CH1 to CH4 has an abnormality caused by an attack on the vehicle-mounted network 2 (that is, a bus abnormality), and detects it.
  • the plurality of abnormality detection items for detecting a bus abnormality may include, for example, parameters such as the bus load factor of each bus 3 connected to CH1 to CH4, the bus state (such as the presence or absence of a bus error), and the IDs appearing on the bus 3.
  • the bus abnormality indicates a situation abnormality of the CAN signal.
  • the frame abnormality detection unit 22 and the bus abnormality detection unit 24 are an example of an abnormality detection unit that detects an abnormality caused by an attack on the vehicle-mounted network 2.
  • the normal value holding unit 25 holds in advance frame normal values (also referred to as normal patterns) for each of the plurality of abnormality detection items used by the frame abnormality detection unit 22 to determine whether or not there is a frame abnormality. Further, the normal value holding unit 25 holds in advance bus normal values (also referred to as normal patterns) for each of the plurality of abnormality detection items used by the bus abnormality detection unit 24 to determine whether or not there is a bus abnormality.
  • the normal value holding unit 25 thus functions as both a frame normal value holding unit (message normal value holding unit) and a bus normal value holding unit (communication path normal value holding unit); instead of the single normal value holding unit 25, the frame normal value holding unit and the bus normal value holding unit may be provided separately.
  • the frame normal value is composed of a normal pattern of a plurality of items such as a reception cycle, DLC data length, and payload characteristics for each ID of a frame received on each CH.
  • the bus normal value is composed of a normal pattern of a plurality of items such as a bus load factor, presence or absence of a bus error, and an appearance ID for each bus 3 connected to each CH.
  • the abnormal data collection unit 26 collects frame abnormality data detected within a predetermined time after the frame abnormality detection unit 22 detects a frame abnormality, and sends the collected frame abnormality data to the abnormal data holding unit 27. Further, the abnormal data collection unit 26 collects data of other bus abnormalities detected within a predetermined time after the bus abnormality detection unit 24 detects a bus abnormality, and sends the collected bus abnormality data to the abnormal data holding unit 27.
  • the abnormal data holding unit 27 temporarily holds the frame abnormal data and the bus abnormal data collected by the abnormal data collecting unit 26.
  • the timer 28 counts a predetermined time for the abnormal data collecting unit 26 to collect abnormal data.
  • the predetermined time is set to a time that does not hinder safe traveling even if the vehicle 1 is subjected to a security attack, for example.
  • the abnormality detection pattern holding unit 29 holds in advance an abnormality detection pattern for each type of attack.
  • the abnormality detection pattern for each type of attack is configured to include combination data of the necessity of detection for each of the plurality of abnormality detection items.
  • FIG. 3 is a diagram for explaining an example of the abnormality detection pattern held by the abnormality detection pattern holding unit 29 for each type of attack.
  • the data indicating the abnormality detection pattern 29a for each type of attack includes an item of attack type and a plurality of abnormality detection items.
  • the types of attacks that can be assumed in the in-vehicle network 2 (attacks A1 to A5, ...) are set in the attack type item.
  • the attacks set in the attack type column are known attacks extracted by a threat analysis of the system of the in-vehicle network 2 (that is, the gateway ECU 10, the traveling system ECU group 5, the body system ECU group 6, the information system ECU group 7, and the OBDII 4) and by an analysis of the vulnerabilities and threats of devices connected to the vehicle 1, other communication devices connected to the in-vehicle network 2, and the like.
  • the threat analysis method for extracting these attacks is not particularly limited. For example, methods such as threat extraction using a DFD (Data Flow Diagram), threat classification by STRIDE, a threat tree, or threat evaluation by DREAD can be adopted.
  • the attacks set in the attack type column can be, for example, illegal use, illegal setting, illegal relay, illegal insertion, information leakage, DoS attack, message loss, or fake message.
  • a plurality of abnormality detection items include frame abnormalities F1 to F5 and bus abnormalities B1 to B5.
  • Parameters relating to frame anomalies such as the reception cycle, payload, DLC, and RTR are set in the frame anomalies F1 to F5, respectively.
  • parameters relating to bus abnormality such as bus load factor, bus error, and appearance ID are set in the bus abnormality B1 to B5, respectively.
  • a pattern of combination data indicating whether or not detection is required for each of the plurality of abnormality detection items (frame abnormalities F1 to F5 and bus abnormalities B1 to B5) is set for each type of attack: “AND” indicates that the item is always detected, “NOT” indicates that it is never detected, and “⁇” indicates that it is detected or unknown.
  • for the attack A1, the frame abnormality F1 is always detected, the frame abnormalities F3, F5 and the bus abnormalities B1, B4, B5 are never detected, and the frame abnormalities F2, F4 and the bus abnormalities B2, B3 are detected or unknown (that is, whether or not they are detected is not determined).
  • the attack identifying unit 30 performs a process of identifying the type of attack corresponding to the detected abnormality, based on the abnormal data held in the abnormal data holding unit 27 and the abnormality detection pattern for each type of attack held in the abnormality detection pattern holding unit 29. After performing the attack identifying process, the attack identifying unit 30 also gives an instruction to reset (clear) the abnormal data (detection data) temporarily stored in the abnormal data holding unit 27.
  • FIG. 4 is a diagram for explaining a case where the type of attack can be identified by the attack identifying process performed by the attack identifying unit 30.
  • the attack identifying unit 30 collates the abnormal data 27a held in the abnormal data holding unit 27 with the abnormality detection pattern 29a for each type of attack held in the abnormality detection pattern holding unit 29, and thereby performs a process of identifying the type of attack corresponding to the abnormality indicated by the abnormal data 27a.
  • the abnormal data 27a includes data indicating the detection result ("1" detected, "0" not detected) for each of the plurality of abnormality detection items (frame abnormalities F1 to F5 and bus abnormalities B1 to B5).
  • the abnormal data 27a illustrated in FIG. 4 includes data in which frame abnormalities F1 and F2 and bus abnormalities B1 to B5 are detected, and frame abnormalities F3 to F5 are not detected.
  • FIG. 4 shows the case where, when the attack identifying unit 30 collates the abnormal data 27a with the abnormality detection pattern 29a for each type of attack, the abnormality indicated by the abnormal data 27a detected this time is identified as the attack A3 in the abnormality detection pattern 29a.
  • next, a case where the type of attack cannot be identified by the attack identifying process performed by the attack identifying unit 30 will be described.
  • FIG. 5 is a diagram for explaining a case where the type of attack cannot be specified by the attack specifying process performed by the attack specifying unit 30.
  • the abnormal data 27b illustrated in FIG. 5 includes data in which the frame abnormalities F1 and F2 and the bus abnormalities B2, B4, and B5 are detected, and the frame abnormalities F3 to F5 and the bus abnormalities B1 and B3 are not detected.
  • when the attack identifying unit 30 collates the abnormal data 27b with the abnormality detection pattern 29a for each type of attack, the abnormality indicated by the abnormal data 27b detected this time does not match any pattern, so the attack identifying process performed by the attack identifying unit 30 fails to identify the type of attack (in other words, it is an unknown attack).
  • in that case, the attack estimation process by the attack estimation unit 32 is performed next.
  • the attack estimation pattern holding unit 31 holds an attack estimation pattern for each type of attack in advance.
  • the attack estimation pattern for each type of attack is configured to include combination data of weighting values for each of the plurality of abnormality detection items.
  • FIG. 6 is a diagram for explaining an example of the attack estimation pattern held by the attack estimation pattern holding unit 31 for each type of attack.
  • the data indicating the attack estimation pattern 31a for each attack type is configured to include an attack type item, a plurality of abnormality detection items, and a first total value item.
  • the types of attacks that can be assumed in the in-vehicle network 2 (attacks A11 to A15, ...) are set in the attack type item.
  • the plurality of abnormality detection items include parameters of the frame abnormalities F1 to F5 and the bus abnormalities B1 to B5, like the abnormality detection pattern 29a illustrated in FIG.
  • for each type of attack, a pattern of combination data (also referred to as a set) of weighting values (0.0 to 1.0) for each of the plurality of abnormality detection items (frame abnormalities F1 to F5 and bus abnormalities B1 to B5) is set.
  • the weighting value for each abnormality detection item of each attack may be set based on the result of the threat analysis performed in advance, or may be set based on the result of the machine learning performed in advance.
  • the first total value indicates the sum (also referred to as the sum of sets) of the combination data (weight set) of the weight values for each of the plurality of abnormality detection items in each attack.
  • when the attack identifying unit 30 cannot identify the type of attack, the attack estimation unit 32 performs a process of estimating the type of attack corresponding to the detected abnormality, based on the abnormal data held in the abnormal data holding unit 27 and the attack estimation pattern 31a for each type of attack held in the attack estimation pattern holding unit 31.
  • FIG. 7 is a diagram for explaining an example of attack estimation processing performed by the attack estimation unit 32.
  • for each type of attack (attacks A11 to A15, ...) held in the attack estimation pattern holding unit 31, the attack estimation unit 32 calculates a second total value (also called the sum of product sets) from the detection result of each abnormality detection item (frame abnormalities F1 to F5 and bus abnormalities B1 to B5) in the abnormal data 27b and the weighting values of the attack estimation pattern 31a (that is, it functions as a first calculation unit).
  • FIG. 8 is a diagram showing an example of the calculation result of the second total value calculated by the first calculation unit included in the attack estimation unit 32.
  • for each abnormality detection item (frame abnormalities F1 to F5 and bus abnormalities B1 to B5), the product of the data indicating whether or not the item was detected in the abnormal data 27b and the weighting value of that item in each attack estimation pattern 31a is calculated, and the sum of the calculated products is calculated as the second total value.
  • FIG. 9 is a diagram showing an example of the matching rate calculated by the second calculation unit included in the attack estimation unit 32. As shown in FIG. 9, the matching rate here is represented by [second total value / first total value] × 100 (%).
  • the attack estimation unit 32 estimates the type of attack corresponding to the abnormality that could not be identified by the attack identifying unit 30, based on the matching rate for each attack calculated by the second calculation unit (that is, it functions as an estimation unit).
  • the estimation unit included in the attack estimation unit 32 can estimate which existing attack type the abnormality that could not be identified by the attack identification unit 30 resembles, based on the matching rate.
  • the matching rate of the attack A11 is the highest, so the attack causing the abnormality detected this time is estimated to be the most similar to the attack A11.
  • the incident handling unit 33 functions as a first incident handling unit that performs a handling process for the identified attack type when the attack identifying unit 30 identifies the type of attack corresponding to the abnormality. Further, the incident handling unit 33 functions as a second incident handling unit that performs a handling process for the estimated attack type when the attack estimating unit 32 estimates the attack type corresponding to the abnormality.
  • FIG. 10 shows an example of attack identification data output to the incident response unit 33 when the attack identification unit 30 identifies the type of attack corresponding to the abnormality.
  • the attack identification data includes the CH of the gateway ECU 10 that was attacked, the frame in which the abnormality occurred, and data related to the identified attack.
  • the incident handling unit 33 executes a predetermined countermeasure process for the identified type of attack based on the attack identifying data acquired from the attack identifying unit 30.
  • FIG. 11 shows an example of attack estimation data output to the incident handling unit 33 when the attack estimation unit 32 estimates the type of attack corresponding to an abnormality.
  • the attack estimation data includes the CH of the gateway ECU 10 that was attacked, the frame in which the abnormality occurred, and data regarding the estimated attack.
  • the incident handling unit 33 executes a predetermined countermeasure process for the estimated attack type based on the attack estimation data acquired from the attack estimation unit 32. For example, the countermeasure process for the type of attack having the highest matching rate is executed.
  • FIG. 12 is a schematic flowchart showing a processing operation performed by the security control unit 12 included in the gateway ECU 10 according to the embodiment (1). It should be noted that the present processing operation is premised on the case where an attacker performs some security attack on the in-vehicle network 2 and the defense function of the gateway ECU 10 is broken.
  • in step S1, the security control unit 12 determines whether or not an abnormality has occurred in the in-vehicle network 2 due to a security attack. If it is determined that no abnormality has occurred, the processing ends; if it is determined that an abnormality has occurred, the process proceeds to step S2.
  • step S2 the security control unit 12 performs a process of detecting an abnormality that has occurred in the frame received from each ECU group or the bus 3 connected to each CH, and then advances the process to step S3.
  • step S3 the security control unit 12 performs a process of collecting the data of the abnormality that has occurred in the received frame or the bus 3 (that is, the detection result of the abnormality), and then advances the process to step S4.
  • step S4 the security control unit 12 performs a process of identifying the type of security attack using the collected abnormal data, and a process of estimating the type of attack when the type of attack cannot be identified. Then, the process proceeds to step S5. In step S5, the security control unit 12 performs a process of implementing an incident countermeasure corresponding to the identified type of attack or the estimated type of attack, and then ends the process.
  • FIG. 13 is a flowchart showing an abnormality detection processing operation performed by the security control unit 12 configuring the gateway ECU 10 according to the embodiment (1).
  • This processing operation is an example of the abnormality detection processing operation performed in step S2 of FIG. 12, and is executed when a frame which is a CAN signal is received.
  • step S11 the security control unit 12 performs a process of receiving a frame that is a CAN signal (frame received from each ECU group) from the gateway function unit 11, and proceeds to step S12.
  • in step S12, the security control unit 12 determines whether or not an abnormality due to a security attack has been detected in the received frame or in the bus 3 on which the frame was received. If it is determined that no abnormality has been detected, the abnormality detection process at the time of CAN signal reception ends; if it is determined that an abnormality has been detected, the process proceeds to step S13.
  • in step S13, the security control unit 12 determines whether it is currently in the state of collecting abnormal data due to a security attack (abnormality collection state), in other words, whether the abnormal data collection unit 26 is operating. If it is determined that abnormal data is currently being collected, the process proceeds to step S15.
  • if the security control unit 12 determines in step S13 that abnormal data is not currently being collected, the process proceeds to step S14.
  • in step S14, a process of transitioning to the abnormality collection state (in other words, the abnormal data collection unit 26 starts collecting abnormal data) is performed, and then the process proceeds to step S15.
  • in step S15, the security control unit 12 determines whether or not the abnormality detected in step S12 is an abnormality already detected since the transition to the abnormality collection state. If it is determined that the abnormality has already been detected, the abnormality detection process at the time of CAN signal reception ends.
  • if the security control unit 12 determines in step S15 that the abnormality has not already been detected (in other words, it is a newly detected abnormality), the process proceeds to step S16, in which the data of the detected abnormality is stored in the abnormal data holding unit 27, and then the abnormality detection process at the time of CAN signal reception ends.
  • the security control unit 12 may detect the frame abnormality and the bus abnormality in different processing flows.
  • the frame abnormality may be detected after the frame is received, and the bus abnormality may be detected by constantly monitoring the state of the bus 3 connected to CH1 to CH4.
  • FIG. 14 is a flowchart showing an abnormality collection processing operation performed by the security control unit 12 configuring the gateway ECU 10 according to the embodiment (1).
  • This processing operation is an example of an operation of collecting abnormal data (abnormality detection result) performed in step S3 of FIG.
  • step S21 the security control unit 12 starts counting the abnormality collection time by the timer 28, and then proceeds to step S22.
  • in step S22, the security control unit 12 determines whether or not a predetermined time has elapsed since the count was started.
  • the predetermined time is set to a time (for example, several seconds to several tens of seconds) that does not hinder safe traveling even when the vehicle 1 receives a security attack.
  • step S22 if the security control unit 12 determines that the predetermined time has not elapsed, the timer 28 continues counting until the predetermined time has elapsed, and if it determines that the predetermined time has elapsed, the process proceeds to step S23.
  • step S23 the security control unit 12 ends the collection of abnormal data and advances the process to the next step S24.
  • step S24 the count of the timer 28 is cleared, and then the process ends.
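An added example, not the patent's or Omron's own code, of the abnormality collection operation of FIG. 13 and FIG. 14: entering the collection state (S13/S14), suppressing an item already detected in the window (S15), and ending collection when the timer window elapses (S22 to S24). The clock is supplied by the caller so the run is deterministic; the 5-second window and the detection sequence are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Abnormality detection items: frame abnormalities F1 to F5, bus abnormalities B1 to B5.
ITEMS = ("F1", "F2", "F3", "F4", "F5", "B1", "B2", "B3", "B4", "B5")


@dataclass
class AbnormalDataCollector:
    """Models the abnormal data collection unit 26, the abnormal data holding
    unit 27 and the timer 28.  Times are seconds on a caller-supplied clock;
    the window is a constructed value within the 'several seconds' the text gives."""
    window: float = 5.0                       # predetermined time of step S22
    collecting: bool = False                  # abnormality collection state
    started_at: Optional[float] = None        # timer 28 start (None = cleared)
    held: Dict[str, int] = field(default_factory=dict)   # holding unit 27

    def on_abnormality(self, item: str, now: float) -> bool:
        """Steps S13 to S16 for one detected item.  Returns True when the item
        is stored, False when it was already detected in this window."""
        if not self.collecting:               # S13: not collecting yet
            self.collecting = True            # S14: enter collection state
            self.started_at = now             # S21: timer starts counting
        if self.held.get(item) == 1:          # S15: already detected
            return False
        self.held[item] = 1                   # S16: store detection result
        return True

    def tick(self, now: float) -> Optional[Dict[str, int]]:
        """Steps S22 to S24: once the window has elapsed, end collection, clear
        the timer and return the full detection vector for attack identification."""
        if not self.collecting or now - self.started_at < self.window:
            return None
        vector = {item: self.held.get(item, 0) for item in ITEMS}
        self.collecting = False               # S23: collection ends
        self.started_at = None                # S24: timer count cleared
        return vector

    def reset(self) -> None:
        """Step S37: the attack identifying unit clears the holding unit."""
        self.held.clear()


def run_collection(events: List[Tuple[float, str]], window: float = 5.0,
                   end_time: float = 20.0) -> List[Dict[str, int]]:
    """Feed (time, item) detections through one collector and return every
    completed detection vector in order."""
    collector = AbnormalDataCollector(window=window)
    vectors: List[Dict[str, int]] = []
    for now, item in events:
        done = collector.tick(now)            # close an expired window first
        if done is not None:
            vectors.append(done)
            collector.reset()
        collector.on_abnormality(item, now)
    done = collector.tick(end_time)
    if done is not None:
        vectors.append(done)
        collector.reset()
    return vectors


# Constructed detection sequence: three items (one repeated) inside one
# window, then a second window that starts after the first has expired.
SAMPLE_EVENTS = [(0.0, "F1"), (0.5, "B2"), (1.0, "F1"), (2.0, "B4"), (7.0, "F3")]

if __name__ == "__main__":
    for vec in run_collection(SAMPLE_EVENTS):
        print(vec)
```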
  • FIG. 15 is a flowchart showing an attack identifying processing operation performed by the security control unit 12 configuring the gateway ECU 10 according to the embodiment (1).
  • the processing operation is an example of the attack identifying processing operation performed in step S4 of FIG. 12, and includes the attack identifying processing operation and the attack estimating processing operation.
  • in step S31, the security control unit 12 reads out the abnormal data (abnormal data detected within the predetermined time) stored in the abnormal data holding unit 27, and advances the process to step S32.
  • the abnormality data has, for example, the data configuration shown in the abnormality data 27a illustrated in FIG. 4 (the data configuration including the results of the presence/absence of detection of a plurality of abnormality detection items).
  • step S32 the security control unit 12 reads the abnormality detection pattern specified for each type of attack from the abnormality detection pattern holding unit 29, and advances the processing to the next step S33.
  • the abnormality detection pattern has, for example, the data structure shown in the abnormality detection pattern 29a for each type of attack illustrated in FIG. 3 (a data structure in which combination data of detection necessity for the plurality of abnormality detection items is set for each type of attack).
  • in step S33, the security control unit 12 performs a process (matching process) of collating the abnormal data read in step S31 with the abnormality detection pattern for each type of attack read in step S32, and then advances the process to step S34.
  • in step S34, it is determined whether or not an abnormality detection pattern identical to the abnormal data was found as a result of the collation, and if it is determined that an identical abnormality detection pattern was found, the process proceeds to step S35.
  • step S35 the security control unit 12 identifies that the type of attack indicated by the abnormality data is an attack indicated by the same abnormality detection pattern determined in step S34, and then proceeds to step S36.
  • step S36 the security control unit 12 performs a process of outputting information on the identified attack to the incident handling unit 33, and then advances the process to step S37.
  • if the security control unit 12 determines in step S34 that no abnormality detection pattern identical to the abnormal data was found, the process proceeds to step S38.
  • step S38 the security control unit 12 reads out the attack estimation pattern specified for each type of attack from the attack estimation pattern holding unit 31, and then advances the process to step S39.
  • the attack estimation pattern has, for example, the data structure shown in the attack estimation pattern 31a for each type of attack illustrated in FIG. 6 (a data structure in which combination data of weighting values for each of the plurality of abnormality detection items and data of the sum of the weighting values are set for each type of attack).
  • step S39 the security control unit 12 performs a process of calculating the sum (second total value) of the products of the abnormal data and the attack estimation pattern for each attack type, and advances the process to step S40.
  • in step S40, the security control unit 12 calculates, for each type of attack, the matching rate ([second total value / first total value] × 100 (%)) between the first total value (sum of sets) defined in the attack estimation pattern for that type of attack and the second total value (sum of intersections) calculated in step S39, and the process proceeds to step S41.
  • step S41 the security control unit 12 estimates the type of attack based on the matching rate. For example, it is estimated that the abnormality detected this time is the most similar to the attack with the highest matching rate, and the process proceeds to step S42.
  • step S42 the security control unit 12 performs a process of outputting the estimated attack information to the incident handling unit 33, and then advances the process to step S37.
  • step S37 the security control unit 12 performs a reset process for clearing the data temporarily held in the abnormal data holding unit 27, and then ends the process.
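As an added example that is not the patent's or Omron's own code, the attack identifying and estimating flow of FIG. 15 (steps S31 to S42) applied to the detection vectors described for FIG. 4 and FIG. 5; it also serves the pattern semantics of FIG. 3 (AND / NOT / unknown) and the matching-rate calculation of FIG. 7 to FIG. 9. The detection pattern for A1 follows the text; patterns A2 and A3 and all weighting values are constructed.

```python
from typing import Dict, Optional, Tuple

# Abnormality detection items (FIG. 3): frame abnormalities F1 to F5 and
# bus abnormalities B1 to B5.
ITEMS = ("F1", "F2", "F3", "F4", "F5", "B1", "B2", "B3", "B4", "B5")

# Abnormality detection pattern 29a for each type of attack (step S32).
# "AND" = always detected, "NOT" = never detected; an item absent from the
# dict is the "detected or unknown" case and never constrains the match.
# A1 is the row the text describes for FIG. 3; A2 and A3 are constructed.
DETECTION_PATTERNS: Dict[str, Dict[str, str]] = {
    "A1": {"F1": "AND", "F3": "NOT", "F5": "NOT",
           "B1": "NOT", "B4": "NOT", "B5": "NOT"},
    "A2": {"F3": "AND", "B2": "NOT"},                                # constructed
    "A3": {"F1": "AND", "F2": "AND", "F3": "NOT", "F4": "NOT", "F5": "NOT",
           "B1": "AND", "B2": "AND", "B3": "AND", "B4": "AND", "B5": "AND"},  # constructed
}

# Attack estimation pattern 31a (step S38): weighting value 0.0 to 1.0 per
# item; an absent item has weight 0.0.  All rows are constructed values.
ESTIMATION_PATTERNS: Dict[str, Dict[str, float]] = {
    "A11": {"F1": 1.0, "F2": 0.8, "F3": 0.2, "B2": 0.9, "B4": 0.7, "B5": 0.6},
    "A12": {"F1": 1.0, "F3": 1.0, "F5": 0.5, "B1": 0.8, "B3": 0.4},
    "A13": {"F2": 0.6, "B1": 1.0, "B2": 0.5, "B3": 0.9, "B4": 0.3},
}

# Abnormal data as held in the abnormal data holding unit 27 ("1" detected,
# "0" not detected), with the item values described for FIG. 4 and FIG. 5.
ABNORMAL_DATA_27A = {"F1": 1, "F2": 1, "F3": 0, "F4": 0, "F5": 0,
                     "B1": 1, "B2": 1, "B3": 1, "B4": 1, "B5": 1}
ABNORMAL_DATA_27B = {"F1": 1, "F2": 1, "F3": 0, "F4": 0, "F5": 0,
                     "B1": 0, "B2": 1, "B3": 0, "B4": 1, "B5": 1}


def pattern_matches(abnormal_data: Dict[str, int], pattern: Dict[str, str]) -> bool:
    """Steps S33/S34: every AND item must be detected and every NOT item must
    be undetected; unknown items are don't-care."""
    for item, rule in pattern.items():
        detected = abnormal_data.get(item, 0) == 1
        if rule == "AND" and not detected:
            return False
        if rule == "NOT" and detected:
            return False
    return True


def identify_attack(abnormal_data: Dict[str, int],
                    patterns: Dict[str, Dict[str, str]] = DETECTION_PATTERNS) -> Optional[str]:
    """Step S35: the first attack type whose detection pattern matches, else None."""
    for attack, pattern in patterns.items():
        if pattern_matches(abnormal_data, pattern):
            return attack
    return None


def first_total(weights: Dict[str, float]) -> float:
    """Sum of sets: the sum of all weighting values of one estimation pattern."""
    return sum(weights.values())


def second_total(abnormal_data: Dict[str, int], weights: Dict[str, float]) -> float:
    """Step S39, sum of product sets: detection flag (0/1) times weighting value."""
    return sum(abnormal_data.get(item, 0) * w for item, w in weights.items())


def matching_rates(abnormal_data: Dict[str, int],
                   patterns: Dict[str, Dict[str, float]] = ESTIMATION_PATTERNS) -> Dict[str, float]:
    """Step S40: [second total value / first total value] x 100 (%) per attack.
    A pattern whose first total value is zero gets 0 % (guards division by zero)."""
    rates: Dict[str, float] = {}
    for attack, weights in patterns.items():
        total = first_total(weights)
        rates[attack] = 0.0 if total == 0 else second_total(abnormal_data, weights) / total * 100
    return rates


def estimate_attack(abnormal_data: Dict[str, int],
                    patterns: Dict[str, Dict[str, float]] = ESTIMATION_PATTERNS) -> Tuple[str, float]:
    """Step S41: the attack with the highest matching rate."""
    rates = matching_rates(abnormal_data, patterns)
    best = max(rates, key=rates.get)
    return best, rates[best]


def attack_identification_process(holding_unit: Dict[str, int]) -> dict:
    """FIG. 15 end to end: identify (S33 to S36), otherwise estimate (S38 to
    S42), then reset the holding unit (S37).  Returns what would be output
    to the incident handling unit 33."""
    data = {item: int(holding_unit.get(item, 0)) for item in ITEMS}  # snapshot
    attack = identify_attack(data)
    if attack is not None:
        result = {"kind": "identified", "attack": attack}
    else:
        best, rate = estimate_attack(data)
        result = {"kind": "estimated", "attack": best, "rate": round(rate, 1),
                  "rates": matching_rates(data)}
    holding_unit.clear()                                              # step S37
    return result


if __name__ == "__main__":
    print(attack_identification_process(dict(ABNORMAL_DATA_27A)))   # identified as A3
    print(attack_identification_process(dict(ABNORMAL_DATA_27B)))   # estimated, A11 highest
```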
  • since the gateway ECU 10 according to the embodiment (1) includes the security control unit 12, the frame abnormality detection unit 22 detects a frame abnormality and the bus abnormality detection unit 24 detects a bus abnormality.
  • the detected abnormality is collected by the abnormal data collection unit 26, and the collected abnormal data is held in the abnormal data holding unit 27.
  • the attack identifying unit 30 identifies the type of attack corresponding to the abnormality.
  • therefore, the type of attack can be identified by the vehicle 1 alone, that is, by the gateway ECU 10.
  • the attack identifying unit 30 collates (matches) the data indicating the detection/non-detection result for each of the plurality of abnormality detection items with the abnormality detection pattern for each type of attack, whereby the type of attack corresponding to the abnormality is identified. Therefore, the type of attack can be identified quickly by low-load processing, without performing anomaly analysis that requires a large amount of processing such as machine learning, and a device that is advantageous in terms of cost can be realized.
  • the incident handling unit 33 can promptly take measures against the identified type of attack. As a result, the driver of the vehicle 1 can drive with peace of mind against the threat of security.
  • the attack estimating unit 32 can estimate the type of attack similar to the abnormality.
  • an attack estimation pattern defined for each type of attack is used to estimate the type of attack: a second total value is calculated for each type of attack, the matching rate between the first total value and the second total value is calculated for each type of attack, and the type of attack corresponding to the abnormality is estimated based on the calculated matching rate. Therefore, it is possible to quickly estimate which known attack the abnormality is most similar to by low-load processing, without performing anomaly analysis that requires a large amount of processing such as machine learning.
  • the incident handling unit 33 can promptly take measures against the estimated type of attack. As a result, the driver of the vehicle 1 can drive with peace of mind against the threat of security.
  • FIG. 16 is a block diagram showing a functional configuration example of the gateway ECU 10A according to the embodiment (2).
  • the components having the same functions as those of the gateway ECU 10 shown in FIG. 2 are designated by the same reference numerals, and the description thereof will be omitted here.
  • Whereas the gateway ECU 10 according to embodiment (1) is configured to detect frame abnormalities and bus abnormalities, the gateway ECU 10A according to embodiment (2) is additionally configured to detect internal processing abnormalities; this is the major difference between the two.
  • the gateway ECU 10A includes a gateway function unit 11 and a security control unit 12A.
  • the security control unit 12A is a part in which the functions of the security device according to the present embodiment are mounted.
  • The security control unit 12A is configured to include, in addition to the frame receiving unit 21, the frame abnormality detecting unit 22, the bus monitoring unit 23, the bus abnormality detecting unit 24, the frame normal value holding unit 25A, and the bus normal value holding unit 25B, an internal processing monitoring unit 34, an internal processing abnormality detection unit 35, and an internal processing normal value holding unit 36. The security control unit 12A further includes the abnormal data collection unit 26A, the abnormal data holding unit 27A, the timer 28, the abnormality detection pattern holding unit 29A, the attack identifying unit 30A, the attack estimation pattern holding unit 31A, the attack estimation unit 32A, and the incident handling unit 33.
  • the internal processing monitoring unit 34 monitors the state of internal control processing in the gateway ECU 10A when each function of the gateway function unit 11 (for example, a frame reception function, a transfer function, a transmission function, etc.) is being executed.
  • The monitored internal processing includes at least one of: the control processing time of each function, the function execution count (frequency), the function execution order, and the hardware resources that make up the gateway ECU 10A.
  • Control processing time: for example, whether the control processing of each function completes within a preset time is monitored.
  • Function execution count: for example, whether the number of executions of each function of the gateway function unit 11 is within a preset numerical range is monitored.
  • Function execution order: for example, whether the functions of the gateway function unit 11 are executed in a preset order is monitored.
  • Hardware resources: for example, CPU usage, RAM usage, code ROM (program memory) usage, or data ROM (data memory) usage. For hardware resources, for example, whether the average usage of each resource is within a preset numerical range is monitored.
  • The internal processing abnormality detection unit 35 detects whether there is an abnormality (an internal processing abnormality) in the internal processing monitored by the internal processing monitoring unit 34, by checking a plurality of abnormality detection items (also referred to as parameters).
  • the plurality of abnormality detection items for detecting the internal processing abnormality include, for example, parameters such as the control processing time, the number of times of function execution, the order of function execution processing, and hardware resources.
  • the frame abnormality detection unit 22, the bus abnormality detection unit 24, and the internal processing abnormality detection unit 35 are an example of an abnormality detection unit that detects an abnormality caused by an attack on the in-vehicle network 2.
  • The internal processing normal value holding unit 36 holds, in advance, the internal processing normal values (also referred to as normal patterns) for the plurality of abnormality detection items, which the internal processing abnormality detection unit 35 uses to determine whether an internal processing abnormality exists.
  • the internal processing normal value is composed of a normal pattern of a plurality of items such as control processing time of each function, function execution frequency, function execution processing order, and average usage rate of hardware resources.
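The four monitored quantities above map directly onto the internal processing items C1 to C4 of FIG. 17. The following is an added example, not code from the patent or from OMRON, of a monitor that checks one observation window against preset normal values in the manner of units 34, 35 and 36; the function names receive/transfer/transmit, the thresholds and the traces are assumptions constructed for illustration.

```python
"""Internal-processing monitor in the spirit of units 34, 35 and 36 of
embodiment (2). Added example, not the patent's code. The normal values,
the function names and the traces are constructed for illustration; the
item labels C1..C4 follow the column names of FIG. 17."""
from dataclasses import dataclass
from statistics import mean

# Constructed "internal processing normal values" (holding unit 36).
NORMAL = {
    # C1: maximum control-processing time per gateway function, in ms
    "proc_time_max_ms": {"receive": 2.0, "transfer": 5.0, "transmit": 2.0},
    # C2: permitted execution count per function per monitoring window
    "exec_count_range": {"receive": (50, 200), "transfer": (50, 200), "transmit": (50, 200)},
    # C3: preset execution order of the gateway functions (one cycle)
    "exec_order": ["receive", "transfer", "transmit"],
    # C4: permitted average usage (%) of each hardware resource
    "resource_range_pct": {"cpu": (5, 60), "ram": (10, 70), "code_rom": (0, 100), "data_rom": (0, 90)},
}


@dataclass
class Window:
    """What the monitoring unit 34 observed during one window."""
    timings_ms: dict     # function -> list of control-processing times, one per call
    order: list          # function names in the order they were executed
    resources_pct: dict  # resource -> list of usage samples


def check_proc_time(w, normal):
    """C1: some call exceeded its preset control-processing time."""
    return any(t > normal["proc_time_max_ms"][f] for f, ts in w.timings_ms.items() for t in ts)


def check_exec_count(w, normal):
    """C2: a function ran outside its preset execution-count range."""
    return any(not lo <= len(w.timings_ms.get(f, [])) <= hi
               for f, (lo, hi) in normal["exec_count_range"].items())


def check_exec_order(w, normal):
    """C3: the observed sequence departs from repetitions of the preset cycle.
    Assumes the window starts at a cycle boundary; a trailing partial cycle is allowed."""
    cyc = normal["exec_order"]
    return any(f != cyc[i % len(cyc)] for i, f in enumerate(w.order))


def check_resources(w, normal):
    """C4: the average usage of some resource lies outside its preset range."""
    return any(w.resources_pct.get(r) and not lo <= mean(w.resources_pct[r]) <= hi
               for r, (lo, hi) in normal["resource_range_pct"].items())


def detect_internal_abnormalities(w, normal=NORMAL):
    """Detection unit 35: one detected/not-detected flag per item C1..C4."""
    return {
        "C1": check_proc_time(w, normal),
        "C2": check_exec_count(w, normal),
        "C3": check_exec_order(w, normal),
        "C4": check_resources(w, normal),
    }


def make_window(cycles, transfer_ms=1.0, extra_order=(), cpu_pct=30):
    """Constructed trace: `cycles` clean receive->transfer->transmit cycles,
    optionally followed by out-of-order extra calls, with a fixed CPU load."""
    timings = {"receive": [], "transfer": [], "transmit": []}
    order = []
    for _ in range(cycles):
        for f in NORMAL["exec_order"]:
            order.append(f)
            timings[f].append(transfer_ms if f == "transfer" else 0.5)
    for f in extra_order:          # injected calls that break the preset order
        order.append(f)
        timings[f].append(0.5)
    resources = {"cpu": [cpu_pct] * 10, "ram": [40] * 10, "code_rom": [55] * 10, "data_rom": [20] * 10}
    return Window(timings, order, resources)


if __name__ == "__main__":
    print("normal  :", detect_internal_abnormalities(make_window(100)))
    print("attacked:", detect_internal_abnormalities(
        make_window(30, transfer_ms=12.0, extra_order=("transmit",), cpu_pct=85)))
```

Each check is deliberately a cheap comparison against a stored value rather than a learned model, which is the low-load property the text claims; the cost of that choice is that the normal ranges must be set per ECU and per firmware build, and the order check only holds if the window is aligned to the scheduler cycle.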
  • The abnormal data collection unit 26A collects the frame abnormality data detected within a predetermined time after the frame abnormality detection unit 22 detects a frame abnormality, and sends the collected frame abnormality data to the abnormal data holding unit 27A. Likewise, it collects the bus abnormality data detected within a predetermined time after the bus abnormality detection unit 24 detects a bus abnormality, and the internal processing abnormality data detected within a predetermined time after the internal processing abnormality detection unit 35 detects an internal processing abnormality, and sends each to the abnormal data holding unit 27A.
  • the abnormal data holding unit 27A temporarily holds the frame abnormal data, the bus abnormal data, and the internal processing abnormal data collected by the abnormal data collecting unit 26A.
  • the timer 28 counts a predetermined time for collecting abnormal data by the abnormal data collecting unit 26A.
  • The predetermined time is set, for example, to a length that does not impede safe driving even while the vehicle 1 is under a security attack.
  • the abnormality detection pattern holding unit 29A holds an abnormality detection pattern for each type of attack in advance.
  • the abnormality detection pattern for each type of attack is configured to include combination data of the necessity of detection for each of the plurality of abnormality detection items.
  • FIG. 17 is a diagram for explaining an example of the abnormality detection pattern held by the abnormality detection pattern holding unit 29A for each type of attack.
  • the data indicating the abnormality detection pattern 29b for each type of attack includes an item of attack type and a plurality of abnormality detection items.
  • the difference from the abnormality detection pattern 29a shown in FIG. 3 is that a plurality of abnormality detection items further include an internal processing abnormality.
  • the types of attacks that can be assumed in the in-vehicle network 2 (attacks A21 to A25,...) are set in the attack type item.
  • the plurality of abnormality detection items include frame abnormalities F1 to F4, bus abnormalities B1 to B4, and internal processing abnormalities C1 to C4. Parameters relating to frame anomalies such as the reception cycle, payload, DLC, and RTR are set in the frame anomalies F1 to F4. Further, parameters relating to bus abnormality such as bus load factor, bus error, and appearance ID are set in the bus abnormality B1 to B4, respectively. Further, in the internal processing abnormalities C1 to C4, parameters relating to internal processing abnormalities such as control processing time of each function, function execution frequency, function execution processing order, and hardware resources are set.
  • a pattern of combination data indicating whether or not detection is necessary for each of a plurality of abnormality detection items (frame abnormality F1 to F4, bus abnormality B1 to B4, and internal processing abnormality C1 to C4) is set for each type of attack.
  • For example, for one type of attack in FIG. 17, the frame abnormality F1 and the internal processing abnormality C4 are always detected; the frame abnormality F3, the bus abnormalities B2 and B3, and the internal processing abnormalities C2 and C3 are never detected; and the frame abnormalities F2 and F4, the bus abnormalities B1 and B4, and the internal processing abnormality C1 are "detected or unknown" (may or may not be detected).
  • The attack identifying unit 30A performs a process of identifying the type of attack corresponding to the detected abnormality, based on the abnormal data held in the abnormal data holding unit 27A and the abnormality detection pattern 29b for each type of attack held in the abnormality detection pattern holding unit 29A. After the identification process, the attack identifying unit 30A instructs the abnormal data holding unit 27A to reset (clear) the abnormal data (detection data). The attack identifying unit 30A executes the same processing operation (identification by collation) as the attack identifying unit 30 of embodiment (1).
  • the attack estimation pattern holding unit 31A holds an attack estimation pattern for each type of attack in advance.
  • the attack estimation pattern for each type of attack is configured to include combination data of weighting values for each of the plurality of abnormality detection items.
  • FIG. 18 is a diagram for explaining an example of the attack estimation pattern for each type of attack held in the attack estimation pattern holding unit 31A. Like the attack estimation pattern 31a shown in FIG. 6, the data indicating the attack estimation pattern 31b for each type of attack is configured to include an attack type item, a plurality of abnormality detection items, and a first total value item.
  • the types of attacks that can be assumed in the in-vehicle network 2 (attacks A31 to A35,...) are set in the attack type item.
  • the plurality of abnormality detection items include parameters of frame abnormalities F1 to F4, bus abnormalities B1 to B4, and internal processing abnormalities C1 to C4, like the abnormality detection pattern 29b illustrated in FIG.
  • For each type of attack, a weighting value (any value from 0.0 to 1.0) is set for each of the plurality of abnormality detection items (frame abnormalities F1 to F4, bus abnormalities B1 to B4, and internal processing abnormalities C1 to C4), forming a pattern of combination data (also referred to as a weight set).
  • the first total value indicates the sum (also referred to as the sum of sets) of the combination data (weight set) of the weight values for each of the plurality of abnormality detection items in each attack.
  • When the attack identifying unit 30A cannot identify the type of attack, the attack estimation unit 32A performs a process of estimating the type of attack corresponding to the detected abnormality, based on the abnormal data held in the abnormal data holding unit 27A and the attack estimation pattern 31b for each type of attack held in the attack estimation pattern holding unit 31A.
  • Specifically, for each abnormality detection item of the abnormal data (frame abnormality F1 through internal processing abnormality C4), the detection result (1 if detected, 0 if not) is multiplied by the weighting value set for that item in the attack estimation pattern 31b, and the products are summed to obtain the second total value (also referred to as the sum of the product set) for each type of attack (that is, the attack estimation unit 32A functions as the first calculation unit).
  • The attack estimation unit 32A then calculates, for each type of attack, the match rate between the first total value and the second total value (for example, [second total value / first total value] × 100 (%)) (that is, it functions as the second calculation unit).
  • The attack estimation unit 32A estimates the type of attack corresponding to the abnormality that the attack identification unit 30A could not identify, based on the match rate calculated for each attack by the second calculation unit (that is, it functions as the estimation unit).
  • The estimation unit of the attack estimation unit 32A can thus estimate which known attack type the abnormality resembles, based on the match rate.
  • the incident handling unit 33 functions as a first incident handling unit that performs a handling process for the identified attack type when the attack identifying unit 30A identifies the type of attack corresponding to the abnormality. Further, the incident handling unit 33 functions as a second incident handling unit that performs handling processing for the estimated attack type when the attack estimating unit 32A estimates the attack type corresponding to the abnormality.
  • The attack identification data output to the incident handling unit 33 includes, for example, the attacked channel (CH) of the gateway ECU 10A, the frame in which the abnormality occurred, the internal processing in which the abnormality occurred, and data on the identified attack.
  • the incident handling unit 33 executes a predetermined countermeasure process for the identified type of attack based on the attack identifying data acquired from the attack identifying unit 30A.
  • The attack estimation data output to the incident handling unit 33 includes, for example, the attacked channel (CH) of the gateway ECU 10A, the frame in which the abnormality occurred, the internal processing in which the abnormality occurred, and data on the estimated attack.
  • the incident handling unit 33 executes a predetermined countermeasure process for the estimated attack type based on the attack estimation data acquired from the attack estimating unit 32A. For example, the countermeasure process for the type of attack having the highest matching rate is executed.
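The identification and estimation steps described above (collation against the always/never/unknown pattern, then the weighted match rate when no pattern fits, with the highest rate handed to incident handling) can be written out compactly. The block below is an added example, not code from the patent or from OMRON: the attack names A21 to A23 and A31 to A33, the patterns and the weights are constructed, with row A21 reproducing the example row of FIG. 17 described above. Treating only a unique pattern match as an identification is an assumption, since the text does not say how several matching rows are resolved.

```python
"""Attack identification against the abnormality detection pattern (29b, FIG. 17)
with fallback to attack estimation against the attack estimation pattern (31b,
FIG. 18), as in embodiment (2). Added example, not the patent's code. Attack
names, patterns and weights are constructed; row A21 reproduces the example row
described in the text (F1 and C4 always, F3/B2/B3/C2/C3 never, the rest unknown)."""

ITEMS = ["F1", "F2", "F3", "F4", "B1", "B2", "B3", "B4", "C1", "C2", "C3", "C4"]

# Abnormality detection pattern per attack type (holding unit 29A).
#   "Y" = always detected, "N" = never detected, "?" = detected or unknown.
DETECTION_PATTERNS = {
    "A21": dict(zip(ITEMS, "Y?N??NN??NNY")),
    "A22": dict(zip(ITEMS, "NNYN?Y??NNNN")),
    "A23": dict(zip(ITEMS, "?NNNN?YN??Y?")),
}

# Attack estimation pattern per attack type (holding unit 31A): weight 0.0..1.0
# per item. The first total value is the sum of an attack's weights.
ESTIMATION_PATTERNS = {
    "A31": dict(zip(ITEMS, [1.0, 0.5, 0.0, 0.5, 1.0, 0.0, 0.0, 0.5, 0.5, 0.0, 0.0, 1.0])),
    "A32": dict(zip(ITEMS, [0.0, 0.0, 1.0, 0.0, 0.5, 1.0, 0.5, 0.5, 0.0, 0.0, 0.0, 0.0])),
    "A33": dict(zip(ITEMS, [0.5, 0.0, 0.0, 0.0, 0.0, 0.5, 1.0, 0.0, 0.5, 0.5, 1.0, 0.5])),
}


def identify(detected, patterns=DETECTION_PATTERNS):
    """Attack identifying unit 30A: every attack type whose pattern is consistent
    with the detection vector. `detected` maps item -> bool; a missing item
    counts as not detected. "Y" items must be present, "N" items absent,
    "?" items are ignored."""
    hits = []
    for attack, pattern in patterns.items():
        consistent = all(
            (req != "Y" or detected.get(item, False)) and
            (req != "N" or not detected.get(item, False))
            for item, req in pattern.items()
        )
        if consistent:
            hits.append(attack)
    return hits


def estimate(detected, patterns=ESTIMATION_PATTERNS):
    """Attack estimation unit 32A: match rate per attack =
    second total value (sum of weight x detected) / first total value (sum of weights) x 100."""
    rates = {}
    for attack, weights in patterns.items():
        first_total = sum(weights.values())
        second_total = sum(w for item, w in weights.items() if detected.get(item, False))
        rates[attack] = 100.0 * second_total / first_total if first_total else 0.0
    return rates


def classify(detected):
    """Identification first; only a unique match counts as identified (assumption).
    Otherwise fall back to estimation and take the highest match rate, which is
    the type the incident handling unit 33 acts on."""
    hits = identify(detected)
    if len(hits) == 1:
        return "identified", hits[0], None
    rates = estimate(detected)
    best = max(rates, key=rates.get)
    return "estimated", best, rates[best]


def vector(*detected_items):
    """Constructed detection result: the named items detected, all others not."""
    return {item: item in detected_items for item in ITEMS}


if __name__ == "__main__":
    print(classify(vector("F1", "B1", "C4")))   # matches row A21 exactly
    print(classify(vector("F1", "B1")))         # C4 missing: no row matches, estimate
```

Two properties of the scheme matter when tuning the patterns. A single "always" item that an attacker manages to suppress (here C4) drops the abnormality out of identification entirely, so the estimation fallback is what keeps the device from going silent, and an estimated type should be acted on with less confidence than an identified one. And the match rate counts only an attack's own weighted items, so detections outside that weight set never lower its score; a broad abnormality can therefore score highly against a narrowly weighted attack.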
  • The processing operation performed by the security control unit 12A of the gateway ECU 10A according to embodiment (2) is basically the same as that performed by the security control unit 12 of the gateway ECU 10 according to embodiment (1), so the description of the common processing is omitted.
  • The main difference from embodiment (1) is that the gateway ECU 10A according to embodiment (2) detects internal processing abnormalities in addition to frame abnormalities and bus abnormalities, performs the process of identifying the type of attack based on the combination of these abnormalities, and performs the process of estimating the type of attack when the type of attack cannot be identified.
  • In step S1, the security control unit 12A determines whether an abnormality has occurred in the in-vehicle network 2 due to a security attack. If it is determined that no abnormality has occurred, the processing ends; if it is determined that an abnormality has occurred, the process proceeds to step S2.
  • In step S2, the security control unit 12A performs a process of detecting the abnormality that has occurred in a frame received from an ECU group, in the bus 3 connected to a CH, or in the internal processing of the gateway ECU 10A, and then proceeds to step S3.
  • In step S3, the security control unit 12A performs a process of collecting the data of the abnormality that occurred in the received frame, the bus 3, or the internal processing of the gateway ECU 10A (that is, the abnormality detection results), and then proceeds to step S4.
  • In step S4, the security control unit 12A performs a process of identifying the type of security attack using the collected abnormal data, and a process of estimating the type of attack when it cannot be identified, and then proceeds to step S5. In step S5, the security control unit 12A performs a process of implementing an incident countermeasure corresponding to the identified or estimated type of attack, and then ends the processing.
  • the frame abnormality and bus abnormality detection processing operation performed by the security control unit 12A is substantially the same as the content described based on the flowchart shown in FIG. 13, and thus the description thereof is omitted here.
  • the internal processing abnormality detection processing operation performed by the security control unit 12A will be described based on the flowchart shown in FIG. This processing operation is executed during the operation of the gateway ECU 10A.
  • step S51 the security control unit 12A performs a process of monitoring the state of the internal control process when each function of the gateway function unit 11 (for example, a frame receiving function, a transfer function, a transmitting function, etc.) is being executed. Then, the process proceeds to step S52.
  • step S52 the security control unit 12A sets the state of the monitored internal processing to at least one of the control processing time of each function, the function execution count, the function execution processing order, and the hardware resource. Based on this, it is determined whether or not an internal processing abnormality has been detected.
  • If it is determined in step S52 that no internal processing abnormality has been detected, the security control unit 12A ends the abnormality detection process for the execution of the gateway function unit 11's function; if it is determined that an abnormality has been detected, the process proceeds to step S53.
  • In step S53, the security control unit 12A determines whether it is currently in the state of collecting abnormal data caused by a security attack (the abnormality collection state), in other words, whether the abnormal data collection unit 26A is operating. If abnormal data is currently being collected, the process proceeds to step S55. Otherwise the process proceeds to step S54, in which the security control unit 12A transitions to the abnormality collection state for the security attack (in other words, the abnormal data collection unit 26A starts collecting abnormal data), and then proceeds to step S55.
  • In step S55, the security control unit 12A determines whether the internal processing abnormality detected in step S52 has already been detected since the transition to the abnormality collection state. If it has already been detected, the internal processing abnormality detection process for the execution of the gateway function unit 11's function ends.
  • If it is determined in step S55 that the internal processing abnormality has not yet been detected (in other words, it is a newly detected abnormality), the security control unit 12A proceeds to step S56, stores the detected internal processing abnormality data in the abnormal data holding unit 27A, and then ends the internal processing abnormality detection process for the execution of the gateway function unit 11's function.
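Steps S53 to S56 above describe a collection window that the frame, bus and internal processing detectors share: the first detection opens the window and arms timer 28, repeat detections of the same item inside it are ignored, and on expiry the held set goes to attack identification and is cleared. The following is an added example of that state machine, not code from the patent or from OMRON; the two-second window and the detection sequence are constructed.

```python
"""Abnormal-data collection window of embodiment (2): abnormal data collection
unit 26A, holding unit 27A and timer 28, following steps S53 to S56 for every
detector (frame, bus, internal processing). Added example, not the patent's
code; the window length and the detection sequence are constructed."""
from dataclasses import dataclass, field


@dataclass
class AbnormalDataCollector:
    window_s: float                  # the "predetermined time" counted by timer 28
    collecting: bool = False         # S53: currently in the abnormal-data collection state?
    deadline: float = 0.0            # timer expiry, on the same clock as `now` below
    held: dict = field(default_factory=dict)        # holding unit 27A: item -> first-seen time
    completed: list = field(default_factory=list)   # closed windows awaiting identification

    def _close(self):
        """Timer expired: hand the detection set to identification and clear 27A."""
        self.completed.append(frozenset(self.held))
        self.collecting, self.held = False, {}

    def on_detection(self, item, now):
        """Called by a detector with a detected item such as "F1" or "C4".
        Returns True if newly stored, False if already detected in this window."""
        if self.collecting and now >= self.deadline:
            self._close()                        # window over but not yet polled
        if not self.collecting:                  # S54: enter collection state, arm timer
            self.collecting = True
            self.deadline = now + self.window_s
        if item in self.held:                    # S55: already detected after transition
            return False
        self.held[item] = now                    # S56: store in holding unit 27A
        return True

    def poll(self, now):
        """Called periodically; returns the detection sets of windows that have
        closed since the last call (normally zero or one)."""
        if self.collecting and now >= self.deadline:
            self._close()
        done, self.completed = self.completed, []
        return done


def run_scenario():
    """Constructed sequence: F1 twice, then C4, then B1 after the window closed."""
    c = AbnormalDataCollector(window_s=2.0)
    stored = [c.on_detection("F1", 0.0),        # opens window [0.0, 2.0)
              c.on_detection("F1", 0.2),        # duplicate inside the window: ignored
              c.on_detection("C4", 0.5)]
    mid = c.poll(1.0)                           # timer still running: nothing yet
    stored.append(c.on_detection("B1", 2.1))    # closes the first window, opens a second
    first = c.poll(2.5)
    second = c.poll(4.5)
    return stored, mid, first, second


if __name__ == "__main__":
    print(run_scenario())
```

The expiry check at the top of on_detection matters on a real ECU where a detector may run before the timer callback: without it, a detection arriving just after expiry would be merged into the previous window and skew the combined frame/bus/internal vector handed to identification. Because one window aggregates all three detectors, it is this collector that makes a combined pattern such as FIG. 17 possible.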
  • The attack identification processing operation performed by the security control unit 12A of the gateway ECU 10A according to embodiment (2) is substantially the same as that described with reference to the flowchart of FIG. 15, except for the following differences, so its description is omitted.
  • One difference is that the abnormality detection pattern 29b including the internal processing abnormalities, as illustrated in FIG. 17, is read from the abnormality detection pattern holding unit 29A and used in the process of identifying the type of attack.
  • The other is that the attack estimation pattern 31b including the internal processing abnormalities, as illustrated in FIG. 18, is read from the attack estimation pattern holding unit 31A and used in the process of estimating the type of attack.
  • The gateway ECU 10A of embodiment (2) thus obtains the same effects as the gateway ECU 10 of embodiment (1). Furthermore, since the security control unit 12A can detect internal processing abnormalities in addition to frame abnormalities and bus abnormalities, and identifies or estimates the type of attack also on the basis of those internal processing abnormalities, a wider variety of attacks can be identified and estimated.
  • The security control units 12 and 12A mounted on the gateway ECUs 10 and 10A may instead be mounted on other ECUs, or a security ECU equipped with the security control unit 12 or 12A may be connected to the in-vehicle network 2.
  • The security control units 12 and 12A may further include an abnormality log accumulation unit that accumulates the abnormality data collected by the abnormality data collection units 26 and 26A as an abnormality log. With such a configuration, the abnormality log accumulated in the abnormality log accumulation unit can be used for post-incident analysis.
  • The security control units 12 and 12A may further include a notification processing unit that notifies the occupants of the vehicle of an abnormality through a notification device included in the information system ECU group 7 connected to the in-vehicle network 2.
  • a navigation device, an audio device, or the like may be applied to the notification device that functions as the notification unit.
  • The notification processing unit can notify the occupants of the abnormality via the notification device, so that the occupants can respond appropriately to the abnormality.
  • The security control units 12 and 12A may further include a notification processing unit that reports an abnormality to the outside of the vehicle via a telematics device included in the information system ECU group 7 connected to the in-vehicle network 2, or via an ITS-related device.
  • The notification processing unit can report the abnormality to the outside of the vehicle through the telematics device or the ITS-related device functioning as the external notification unit, so that a dealer, the manufacturer, or a public institution can be informed that an abnormality has occurred and the abnormality can be dealt with appropriately from outside the vehicle.
  • the vehicle-mounted network 2 is an example of a device network to which the technology according to the present invention is applied.
  • the technology according to the present invention is applied to other device networks, for example, an industrial device network in which one or more industrial devices configuring an FA (Factory Automation) system are connected via a communication path, and household devices including home appliances. It is also applicable to a security device included in a connected home device network, an office device network to which office devices are connected, or the like.
  • The embodiments described with reference to FIGS. 1 to 19 can be applied to the industrial device network, the home device network, or the office device network. In that case, various improvements and modifications can be made to suit each device network without departing from the scope of the present invention, and a specific configuration according to the embodiment can be adopted as appropriate.
  • the FA system includes, for example, a transportation system for various items, an inspection system, an assembly system using a robot, and the like.
  • The control devices mounted on the industrial devices that make up these FA systems include, for example, at least one of programmable controllers (hereinafter PLCs), motion/position controllers, field network devices, wireless devices, sensors, actuators, robots, HMI devices, and data collection devices.
  • the communication path connecting various control devices in the FA system may be wired or wireless.
  • the communication protocol in the device network is not limited to the CAN protocol, and a communication protocol suitable for the device network can be adopted.
  • FIG. 20 is a schematic block diagram showing an example in which the security device according to the modified example is applied to an FA system.
  • The FA system 100 includes a security device 110, one or more PLCs 104 connected to the security device 110, and an input device 105 and an output device 106 connected to the PLC 104; these are connected via a bus 103 to form the industrial equipment network 101.
  • the industrial equipment network 101 is a communication network that constitutes the FA system 100, and is a network that communicates according to a predetermined communication protocol such as CAN.
  • the PLC 104 is an example of a control device that constitutes the FA system 100.
  • a SCADA (Supervisory Control And Data Acquisition) 107 and a PC (Personal Computer) 108 are connected to the security device 110.
  • The security device 110 may have the same hardware configuration and functional configuration as the security control unit 12 of the gateway ECU 10 according to embodiment (1), or the same hardware configuration and functional configuration as the security control unit 12A of the gateway ECU 10A according to embodiment (2).
  • In the attack type items (see FIGS. 3, 6, 17, and 18) held in the abnormality detection pattern holding units 29 and 29A and the attack estimation pattern holding units 31 and 31A, the types of attacks that can be assumed in the industrial equipment network 101 are set, together with the abnormality detection pattern and attack estimation pattern for each of those types of attack.
  • The PLC 104 includes, for example, a control unit including a processor that executes a predetermined program, an input/output unit to which the input device 105 and the output device 106 are connected, and a communication unit to which the security device 110 and the like are connected.
  • the input device 105 includes, for example, devices such as various sensors or switches.
  • the output device 106 includes control target devices such as various actuators, robots, relays, and valves.
  • the input device 105 and the output device 106 may be directly connected to the PLC 104 or may be connected via a field network.
  • the PLC 104 receives data from the input device 105, executes arithmetic processing according to a predetermined program, and outputs an operation signal such as on/off to the output device 106 based on the obtained arithmetic result.
  • the SCADA 107 is a computer device that monitors the operating state of the FA system 100 and executes process control and the like.
  • the PC 108 is a general-purpose computer device, and by operating the PC 108, maintenance operations such as setting of various devices included in the FA system 100 can be performed.
  • Since the security device 110 has the same configuration as the gateway ECU 10 according to embodiment (1) or the gateway ECU 10A according to embodiment (2), the same effects as those of the gateway ECU 10 or 10A can be obtained in the FA system 100.
  • With the security device 110, when an attack is made on the industrial equipment network 101 that constitutes the FA system 100, the attack is determined within the FA system 100, that is, by the security device 110, by low-load processing, and incident response processing is executed according to the determined attack. Prompt incident response is therefore possible, and the operator of the FA system 100 can operate it with greater peace of mind regarding security threats.
  • FIG. 21 is a schematic block diagram showing an FA system according to another modification.
  • components having the same functions as those of the FA system 100 shown in FIG. 20 are designated by the same reference numerals, and the description thereof will be omitted.
  • In the FA system 100 of FIG. 20, the security device 110 is provided as a device separate from the PLC 104 and connected to the PLC 104.
  • In the FA system 100A of FIG. 21, by contrast, the PLC 104A is equipped with a security processing unit 1041 that functions as the security device according to the present invention.
  • The security processing unit 1041 is composed of, for example, a software module that realizes the security function, and may be equipped with the functions of each unit forming the security control unit 12 of the gateway ECU 10 according to embodiment (1), or with the functions of each unit forming the security control unit 12A of the gateway ECU 10A according to embodiment (2).
  • The security processing unit 1041 may be installed in every PLC 104A included in the FA system 100A, or in any one or more of them.
  • With the PLC 104A equipped with the security processing unit 1041, the same effects as those of the gateway ECU 10 or the gateway ECU 10A can be obtained in the FA system 100A.
  • With the security processing unit 1041, when an attack is made on the industrial equipment network 101 that constitutes the FA system 100A, the attack is determined within the FA system 100A, that is, in the PLC 104A, by low-load processing, and incident response processing is executed according to the determined attack. Prompt incident response is therefore possible, and the operator of the FA system 100A can operate it with greater peace of mind regarding security threats.
  • the present invention specifies or estimates the type of attack that has occurred in a device network in which one or more devices such as in-vehicle devices or industrial devices are connected via a communication path, and responds to the specified or estimated type of attack. It can be widely used in the industrial field related to security devices that execute processing.
  • a program for executing an attack identification step (S4) for identifying the type of attack A program characterized in that the abnormality detection pattern for each type of attack includes combination data indicating whether or not detection is required for each of a plurality of abnormality detection items.

Abstract

The purpose of the present invention is to provide a security apparatus that can identify an attack at reduced-load processing for a case in which a device network has been subjected to a security attack, the security apparatus included in the device network being provided with: an abnormality detection unit that detects an abnormality generated by an attack on the device network; an abnormality data collection unit that collects data on the detected abnormality; an abnormality data retention unit that retains the collected abnormality data; an abnormality detection pattern retention unit that retains an abnormality detection pattern for each attack, the abnormality detection pattern being configured so as to include combination data requiring or not requiring detection with respect to each of a plurality of abnormality detection items; and an attack identification unit that identifies, on the basis of the abnormality data and the abnormality detection pattern, the type of attack corresponding to the abnormality.

Description

Security device, attack identification method, program, and storage medium
The present invention relates to a security device, an attack identification method, a program, and a storage medium.
Patent Document 1 discloses a system in which an abnormality detection server on a cloud accumulates information about the frames received on the in-vehicle network of each vehicle, adjusts a predetermined model by machine learning or the like, and calculates the degree of abnormality of a frame received on a given in-vehicle network by arithmetic processing that compares the information about that frame with the predetermined model.
According to the abnormality detection server described in Patent Document 1, calculating the degree of abnormality may enable appropriate handling of various attack frames.
[Problems to be Solved by the Invention]
However, the invention described in Patent Document 1 requires communication between the vehicle and the abnormality detection server. Appropriate handling of an attack frame (incident response) therefore cannot be completed by the vehicle alone; because the handling depends on communication, incident response to an attack that has occurred may be delayed; and when communication is not possible, the degree of abnormality cannot be calculated and no incident response can be performed at all.
In addition, the amount of processing executed by the abnormality detection server is enormous, so implementing the functions of such a server in a vehicle is difficult in terms of both the processing capacity and the cost of the equipment mounted on the vehicle.
Patent Document 1: JP 2017-111796 A
Means for Solving the Problem and Its Effects
The present invention has been made in view of the above problems, and an object thereof is to provide a security device, an attack identification method, a program, and a storage medium that, when a device network in which one or more devices are connected via a communication path is subjected to a security attack, can identify the type of that attack by reduced-load processing and thereby enable prompt incident response.
To achieve the above object, a security device (1) according to the present disclosure is a security device included in a device network in which one or more devices are connected via a communication path, and comprises:
an abnormality detection unit that detects an abnormality caused by an attack on the device network;
an abnormality data collection unit that collects data of the abnormality detected by the abnormality detection unit;
an abnormality data holding unit that holds the abnormality data collected by the abnormality data collection unit;
an abnormality detection pattern holding unit that holds an abnormality detection pattern for each type of attack, the abnormality detection pattern being configured to include combination data indicating whether detection is required for each of a plurality of abnormality detection items; and
an attack identification unit that identifies the type of attack corresponding to the abnormality on the basis of the abnormality data held in the abnormality data holding unit and the abnormality detection pattern held in the abnormality detection pattern holding unit.
According to the security device (1), the abnormality is detected by the abnormality detection unit, the data of the detected abnormality is collected by the abnormality data collection unit, and the collected abnormality data is held in the abnormality data holding unit. The attack identification unit then identifies the type of attack corresponding to the abnormality. Therefore, when the device network is attacked, the security device alone can identify the type of attack. Moreover, because the type of attack is identified using the abnormality detection pattern defined for each type of attack, it can be identified by reduced-load processing, without performing high-load abnormality analysis such as machine learning that involves an enormous amount of processing. The communication path may be a wired communication path, a wireless communication path, or a communication path including both wired and wireless sections.
A security device (2) according to the present disclosure is the security device (1) above, further comprising:
an attack estimation pattern holding unit that holds an attack estimation pattern for each type of attack, the attack estimation pattern being configured to include combination data of weighting values for each of the plurality of abnormality detection items; and
an attack estimation unit that, when the attack identification unit cannot identify the type of attack, estimates the type of attack corresponding to the abnormality on the basis of the abnormality data held in the abnormality data holding unit and the attack estimation pattern held in the attack estimation pattern holding unit.
According to the security device (2), even when the attack identification unit cannot identify the type of attack, the attack estimation unit can estimate the type of attack corresponding to the abnormality. Moreover, because the attack estimation pattern defined for each type of attack is used for this estimation, which known attack the attack resembles can be estimated by reduced-load processing, without performing high-load abnormality analysis such as machine learning that involves an enormous amount of processing.
A security device (3) according to the present disclosure is the security device (1) above, wherein
the abnormality data held in the abnormality data holding unit includes data indicating the detection result (detected or not detected) for each of the plurality of abnormality detection items, and
the attack identification unit identifies the type of attack corresponding to the abnormality by collating the data indicating the detection result for each of the plurality of abnormality detection items with the abnormality detection pattern.
According to the security device (3), the attack identification unit collates (in other words, matches) the data indicating the detection result for each of the plurality of abnormality detection items with the abnormality detection pattern, and thereby identifies the type of attack corresponding to the abnormality. The type of attack can therefore be identified quickly by low-load processing.
A security device (4) according to the present disclosure is the security device (2) above, wherein
the abnormality data held in the abnormality data holding unit includes data indicating the detection result (detected or not detected) for each of the plurality of abnormality detection items,
the attack estimation pattern includes a first total value indicating the sum of the combination data of the weighting values, and
the attack estimation unit comprises:
a first calculation unit that calculates, for each type of attack, a second total value indicating the sum of the products of the data indicating the detection result for each of the plurality of abnormality detection items and the corresponding weighting value;
a second calculation unit that calculates, for each type of attack, a match rate between the first total value and the second total value; and
an estimation unit that estimates the type of attack corresponding to the abnormality on the basis of the match rate calculated by the second calculation unit.
According to the security device (4), the attack estimation unit calculates the second total value for each type of attack, calculates the match rate between the first total value and the second total value for each type of attack, and estimates the type of attack corresponding to the abnormality on the basis of the calculated match rate. Which known attack the attack most closely resembles can therefore be estimated quickly by low-load processing.
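The two-stage logic of security devices (3) and (4) above, exact pattern matching first and weighted estimation only when no pattern matches, written out as an added Python example; this is not code from the patent or from OMRON. The abnormality detection item names, the attack types, the required/not-required patterns, the weighting values and the 0.5 estimation threshold are all constructed for illustration, since the page defines none of them.

```python
"""Attack identification by pattern matching, with weighted estimation as fallback.

Added example, not code from the patent or from OMRON. Item names, attack
types, patterns, weights and the estimation threshold are constructed.
"""
from typing import Dict, Optional, Tuple

# Abnormality detection items (constructed names for a CAN-style bus).
ITEMS = ("id_unknown", "period_short", "dlc_mismatch", "bus_load_high", "task_overrun")

# Abnormality detection pattern per attack type: the "combination data of
# detection necessity". True = the item must have been detected,
# False = the item must NOT have been detected.
DETECTION_PATTERNS: Dict[str, Dict[str, bool]] = {
    "spoofing": dict(id_unknown=False, period_short=True, dlc_mismatch=False, bus_load_high=False, task_overrun=False),
    "dos":      dict(id_unknown=False, period_short=True, dlc_mismatch=False, bus_load_high=True, task_overrun=True),
    "fuzzing":  dict(id_unknown=True, period_short=False, dlc_mismatch=True, bus_load_high=False, task_overrun=False),
}

# Attack estimation pattern per attack type: one weighting value per item.
# The "first total value" of a pattern is the sum of its weights.
ESTIMATION_PATTERNS: Dict[str, Dict[str, int]] = {
    "spoofing": dict(id_unknown=0, period_short=5, dlc_mismatch=0, bus_load_high=1, task_overrun=0),
    "dos":      dict(id_unknown=0, period_short=3, dlc_mismatch=0, bus_load_high=4, task_overrun=3),
    "fuzzing":  dict(id_unknown=4, period_short=0, dlc_mismatch=4, bus_load_high=1, task_overrun=0),
}

# Assumed threshold below which no estimate is reported (not from the patent).
ESTIMATION_THRESHOLD = 0.5


def identify_attack(detected: Dict[str, bool]) -> Optional[str]:
    """Attack identification unit (device 3): collate the per-item detection
    results with each pattern; an attack type is identified only on an exact
    match of every item. Items missing from `detected` count as not detected."""
    for attack, pattern in DETECTION_PATTERNS.items():
        if all(detected.get(item, False) == required for item, required in pattern.items()):
            return attack
    return None


def match_rates(detected: Dict[str, bool]) -> Dict[str, float]:
    """First and second calculation units (device 4): for each attack type,
    second total = sum of (detected * weight); match rate = second / first."""
    rates: Dict[str, float] = {}
    for attack, weights in ESTIMATION_PATTERNS.items():
        first_total = sum(weights.values())
        second_total = sum(w for item, w in weights.items() if detected.get(item, False))
        rates[attack] = second_total / first_total if first_total else 0.0
    return rates


def estimate_attack(detected: Dict[str, bool]) -> Optional[Tuple[str, float]]:
    """Estimation unit (device 4): the attack type with the highest match rate,
    or None when even the best rate is below the assumed threshold."""
    rates = match_rates(detected)
    best = max(rates, key=rates.get)
    if rates[best] < ESTIMATION_THRESHOLD:
        return None
    return best, rates[best]


def classify(detected: Dict[str, bool]) -> Tuple[str, str, float]:
    """Full flow: identification first; estimation only if identification fails.
    Returns (status, attack_type, match_rate)."""
    attack = identify_attack(detected)
    if attack is not None:
        return "identified", attack, 1.0
    estimate = estimate_attack(detected)
    if estimate is not None:
        return "estimated", estimate[0], estimate[1]
    return "unknown", "", 0.0


if __name__ == "__main__":
    # Constructed detection results, as the abnormality data holding unit would hold them.
    print(classify({"period_short": True, "bus_load_high": True, "task_overrun": True}))
    print(classify({"id_unknown": True, "dlc_mismatch": True, "bus_load_high": True}))
    print(classify({}))
```

The point worth noticing is the cost profile: identification is a handful of boolean comparisons per attack type and estimation is one weighted sum per attack type, so both stay flat as the number of known attack types grows, which is the "reduced-load processing" the text contrasts with model-based analysis. The exact-match rule also means that a single unexpected item (for example `bus_load_high` alongside the fuzzing items) defeats identification, and the estimation stage is what recovers a usable answer in that case.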
A security control unit (5) according to the present disclosure is any of the security devices (1) to (4) above, further comprising
a message normal value holding unit that holds a normal value for each of the plurality of abnormality detection items for the case where a message received via the communication path is normal, wherein
the plurality of abnormality detection items include one or more items relating to an abnormality of the message,
the abnormality detection unit comprises a message abnormality detection unit that detects a message abnormality caused by the attack on the basis of the normal values of the plurality of abnormality detection items held in the message normal value holding unit, and
the abnormality data collection unit collects data of the message abnormality detected by the message abnormality detection unit.
According to the security device (5), the message abnormality is detected on the basis of the normal values of the plurality of abnormality detection items held in the message normal value holding unit, so even when the number of abnormality detection items is large, the message abnormality can be detected quickly by reduced-load processing. In addition, the attack identification unit can quickly identify the type of attack corresponding to the message abnormality, and the attack estimation unit can quickly estimate the type of attack corresponding to the message abnormality.
A security control unit (6) according to the present disclosure is any of the security devices (1) to (5) above, further comprising
a communication path normal value holding unit that holds a normal value for each of the plurality of abnormality detection items for the case where the state of the communication path is normal, wherein
the plurality of abnormality detection items include one or more items relating to an abnormality of the communication path,
the abnormality detection unit comprises a communication path abnormality detection unit that detects a communication path abnormality caused by the attack on the basis of the normal values of the plurality of abnormality detection items held in the communication path normal value holding unit, and
the abnormality data collection unit collects data of the communication path abnormality detected by the communication path abnormality detection unit.
According to the security device (6), the communication path abnormality is detected on the basis of the normal values of the plurality of abnormality detection items held in the communication path normal value holding unit, so even when the number of abnormality detection items is large, the communication path abnormality can be detected quickly by reduced-load processing. In addition, the attack identification unit can quickly identify the type of attack corresponding to the communication path abnormality, and the attack estimation unit can quickly estimate the type of attack corresponding to the communication path abnormality.
A security control unit (7) according to the present disclosure is any of the security devices (1) to (6) above, further comprising
an internal processing normal value holding unit that holds a normal value for each of the plurality of abnormality detection items for the case where the internal processing of the security device is normal, wherein
the plurality of abnormality detection items include one or more items relating to an abnormality of the internal processing,
the abnormality detection unit comprises an internal processing abnormality detection unit that detects an abnormality of the internal processing on the basis of the normal values of the plurality of abnormality detection items held in the internal processing normal value holding unit, and
the abnormality data collection unit collects data of the abnormality of the internal processing detected by the internal processing abnormality detection unit.
According to the security device (7), an abnormality of the internal processing (hereinafter also referred to as an internal processing abnormality) is detected on the basis of the normal values of the plurality of abnormality detection items held in the internal processing normal value holding unit, so even when the number of abnormality detection items is large, the internal processing abnormality can be detected quickly by reduced-load processing. In addition, the attack identification unit can quickly identify the type of attack corresponding to the internal processing abnormality, and the attack estimation unit can quickly estimate the type of attack corresponding to the internal processing abnormality. An abnormality caused by an attack that cannot be detected from the communication path or from messages received via the communication path can therefore be identified or estimated on the basis of the internal processing abnormality, so a wider variety of attack types can be identified or estimated.
A security device (8) according to the present disclosure is any of the security devices (1) to (7) above, wherein
the abnormality data collection unit collects data of the abnormalities detected within a predetermined time after the abnormality detection unit detects the abnormality.
According to the security device (8), the abnormality data collection unit collects the data of the abnormalities detected within the predetermined time after the abnormality is detected. Using the abnormality data detected within the predetermined time therefore improves the accuracy with which the attack identification unit identifies the type of attack and the accuracy with which the attack estimation unit estimates it.
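The normal-value-based message abnormality detection of security device (5) and the time-windowed collection of security device (8), as an added Python example; this is not the patent's or OMRON's code. The CAN-style frame layout, the per-ID normal values (send period and data length), the 50% period tolerance, the window lengths and the sample frames are constructed assumptions that the page does not specify.

```python
"""Message abnormality detection against held normal values, plus time-windowed
collection of the resulting abnormality data.

Added example, not code from the patent or from OMRON. Frame layout, normal
values, tolerance, window length and sample frames are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Frame:
    t_ms: int     # receive time in milliseconds
    can_id: int   # message identifier
    dlc: int      # data length code


@dataclass(frozen=True)
class NormalValue:
    period_ms: int          # expected send period for this ID
    dlc: int                # expected data length
    tolerance: float = 0.5  # assumed: a gap shorter than period*(1-tolerance) is abnormal


# Message normal value holding unit (constructed): one entry per known message ID.
NORMAL_VALUES: Dict[int, NormalValue] = {
    0x100: NormalValue(period_ms=10, dlc=8),
    0x200: NormalValue(period_ms=100, dlc=4),
}

# Abnormality detection items relating to messages (constructed names).
ITEMS = ("id_unknown", "period_short", "dlc_mismatch")


@dataclass(frozen=True)
class Abnormality:
    t_ms: int
    item: str
    can_id: int


def detect_message_abnormalities(frames: List[Frame]) -> List[Abnormality]:
    """Message abnormality detection unit (device 5): check each received frame
    against the held normal values. Each check is one comparison per frame,
    which is what keeps the load low even with many items."""
    last_seen: Dict[int, int] = {}
    found: List[Abnormality] = []
    for f in frames:
        nv = NORMAL_VALUES.get(f.can_id)
        if nv is None:
            found.append(Abnormality(f.t_ms, "id_unknown", f.can_id))
            continue
        if f.dlc != nv.dlc:
            found.append(Abnormality(f.t_ms, "dlc_mismatch", f.can_id))
        prev = last_seen.get(f.can_id)
        if prev is not None and (f.t_ms - prev) < nv.period_ms * (1 - nv.tolerance):
            found.append(Abnormality(f.t_ms, "period_short", f.can_id))
        last_seen[f.can_id] = f.t_ms
    return found


def collect_window(abnormalities: List[Abnormality], window_ms: int) -> Dict[str, bool]:
    """Abnormality data collection unit (device 8): the earliest detection opens
    the window; everything detected within window_ms after it is collected and
    reduced to per-item detected / not-detected results."""
    result = {item: False for item in ITEMS}
    if not abnormalities:
        return result
    t0 = min(a.t_ms for a in abnormalities)
    for a in abnormalities:
        if t0 <= a.t_ms <= t0 + window_ms:
            result[a.item] = True
    return result


# Constructed sample: ID 0x100 every 10 ms, two injected 0x100 frames at 2 ms
# gaps (abnormal period), and an unknown ID long after the first detection.
SAMPLE_FRAMES = [
    Frame(0, 0x100, 8), Frame(10, 0x100, 8), Frame(20, 0x100, 8),
    Frame(22, 0x100, 8), Frame(24, 0x100, 8), Frame(30, 0x100, 8),
    Frame(100, 0x200, 4), Frame(200, 0x200, 4),
    Frame(500, 0x7FF, 8),
]


if __name__ == "__main__":
    dets = detect_message_abnormalities(SAMPLE_FRAMES)
    for d in dets:
        print(d)
    print(collect_window(dets, window_ms=100))   # only the period anomalies
    print(collect_window(dets, window_ms=1000))  # also the unknown ID
```

The window length decides what the identification stage sees: with a 100 ms window only the period anomalies are collected, so a later unknown-ID frame does not get folded into the same attack, whereas a 1000 ms window collects both. That is the trade-off behind device (8): a window long enough to capture the items an attack produces together, but short enough that unrelated detections do not contaminate the combination handed to the attack identification and estimation units.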
A security device (9) according to the present disclosure is any of the security devices (1) to (8) above, further comprising an abnormality log accumulation unit that accumulates the abnormality data collected by the abnormality data collection unit as an abnormality log.
According to the security device (9), the abnormality data is accumulated in the abnormality log accumulation unit as an abnormality log, so post-incident analysis can be performed using the abnormality log accumulated in the abnormality log accumulation unit.
A security device (10) according to the present disclosure is the security device (1) or (3) above, further comprising a first incident response unit that, when the attack identification unit identifies the type of attack corresponding to the abnormality, performs response processing for the identified type of attack.
According to the security device (10), when the type of attack corresponding to the abnormality is identified, the first incident response unit can quickly take countermeasures against the identified type of attack.
A security device (11) according to the present disclosure is the security device (2) or (4) above, further comprising a second incident response unit that, when the attack estimation unit estimates the type of attack corresponding to the abnormality, performs response processing for the estimated type of attack.
According to the security device (11), when the type of attack corresponding to the abnormality is estimated, the second incident response unit can quickly take countermeasures against the estimated type of attack.
A security device (12) according to the present disclosure is any of the security devices (1) to (11) above, further comprising a notification processing unit that operates a notification unit connected to the device network to notify of the abnormality.
According to the security device (12), the notification processing unit can operate the notification unit to notify of the abnormality, so the user who receives the notification can be made to take appropriate action against the abnormality.
A security device (13) according to the present disclosure is any of the security devices (1) to (12) above, further comprising a report processing unit that operates an external report unit connected to the device network to report the abnormality to the outside.
According to the security device (13), the report processing unit can operate the external report unit to report the abnormality to the outside, so an appropriate response to the abnormality can be carried out from outside.
A security device (14) according to the present disclosure is any of the security devices (1) to (13) above, wherein the device is a control device mounted in a vehicle, and
the device network is an in-vehicle network.
According to the security device (14), when the in-vehicle network in which one or more of the control devices are connected via the communication path is subjected to a security attack, the vehicle alone can identify the type of attack by reduced-load processing. Prompt incident response also becomes possible, which enhances the safety of the vehicle.
A security device (15) according to the present disclosure is any of the security devices (1) to (13) above, wherein the device is a control device mounted in an industrial device constituting an FA (Factory Automation) system, and
the device network is an industrial device network constituting the FA system.
According to the security device (15), when the industrial device network in which one or more of the control devices are connected via the communication path is subjected to the attack, the type of attack can be identified within the FA system by reduced-load processing. Prompt incident response also becomes possible, and the user (for example, an operator) of the industrial device can use the industrial device with greater peace of mind, without anxiety about security threats.
An attack identification method (1) according to the present disclosure is an attack identification method executed by at least one computer included in a device network in which one or more devices are connected via a communication path, and comprises:
an abnormality detection step of detecting an abnormality caused by an attack on the device network;
an abnormality data collection step of collecting data of the abnormality detected in the abnormality detection step;
a holding step of holding the abnormality data collected in the abnormality data collection step in an abnormality data holding unit; and
an attack identification step of identifying the type of attack corresponding to the abnormality on the basis of the abnormality data held in the abnormality data holding unit and an abnormality detection pattern for each type of attack held in an abnormality detection pattern holding unit,
wherein the abnormality detection pattern is configured to include combination data indicating whether detection is required for each of a plurality of abnormality detection items.
According to the attack identification method (1), the abnormality detection pattern is used to identify the type of attack, so when the device network is attacked, the type of attack can be identified by reduced-load processing, without performing high-load abnormality analysis such as machine learning that involves an enormous amount of processing.
An attack identification method (2) according to the present disclosure is the attack identification method (1) above, further comprising an attack estimation step of estimating, when the attack identification step cannot identify the type of attack, the type of attack corresponding to the abnormality on the basis of the abnormality data held in the abnormality data holding unit and an attack estimation pattern for each type of attack held in an attack estimation pattern holding unit,
wherein the attack estimation pattern is configured to include combination data of weighting values for each of the plurality of abnormality detection items.
According to the attack identification method (2), even when the attack identification step cannot identify the type of attack, the attack estimation step can estimate the type of attack corresponding to the abnormality. Moreover, because the attack estimation pattern defined for each type of attack is used for this estimation, which known attack the attack resembles can be estimated by reduced-load processing, without performing high-load abnormality analysis such as machine learning that involves an enormous amount of processing.
A program (1) according to the present disclosure is a program to be executed by at least one computer included in a device network in which one or more devices are connected via a communication path, the program causing the at least one computer to execute:
an abnormality detection step of detecting an abnormality caused by an attack on the device network;
an abnormality data collection step of collecting data of the abnormality detected in the abnormality detection step;
a holding step of holding the abnormality data collected in the abnormality data collection step in an abnormality data holding unit; and
an attack identification step of identifying the type of attack corresponding to the abnormality on the basis of the abnormality data held in the abnormality data holding unit and an abnormality detection pattern for each type of attack held in an abnormality detection pattern holding unit,
wherein the abnormality detection pattern is configured to include combination data indicating whether detection is required for each of a plurality of abnormality detection items.
According to the program (1), when the device network is attacked, the at least one computer can be made to execute processing that identifies the type of attack. The computer alone can therefore identify the type of attack. Moreover, because the abnormality detection pattern is used to identify the type of attack, the computer can be made to execute that identification by reduced-load processing, without executing high-load abnormality analysis such as machine learning that involves an enormous amount of processing. The program may be a program stored in a storage medium or a program that can be transferred via a communication network.
A program (2) according to the present disclosure is the program (1) above, further causing the at least one computer to execute an attack estimation step of estimating, when the attack identification step cannot identify the type of attack, the type of attack corresponding to the abnormality on the basis of the abnormality data held in the abnormality data holding unit and an attack estimation pattern for each type of attack held in an attack estimation pattern holding unit,
wherein the attack estimation pattern is configured to include combination data of weighting values for each of the plurality of abnormality detection items.
According to the program (2), even when the attack identification step cannot identify the type of attack, the attack estimation step causes the computer to execute processing that estimates the type of attack corresponding to the abnormality. Moreover, because the attack estimation pattern defined for each type of attack is used for this estimation, the computer can be made to estimate which known attack the attack resembles by reduced-load processing, without executing high-load abnormality analysis such as machine learning that involves an enormous amount of processing.
A computer-readable storage medium (1) according to the present disclosure stores a program to be executed by at least one computer included in a device network in which one or more devices are connected via a communication path, the program causing
the at least one computer to execute:
an abnormality detection step of detecting an abnormality caused by an attack on the device network;
an abnormality data collection step of collecting data of the abnormality detected by the abnormality detection step;
a holding step of holding the abnormality data collected by the abnormality data collection step in an abnormality data holding unit; and
an attack identification step of identifying the type of the attack corresponding to the abnormality on the basis of the abnormality data held in the abnormality data holding unit and the abnormality detection patterns for each type of attack held in an abnormality detection pattern holding unit,
wherein the abnormality detection pattern includes combination data indicating, for each of a plurality of abnormality detection items, whether detection of that item is required.
According to the computer-readable storage medium (1), by having the at least one computer read the program and execute the steps above, the computer can be caused to execute the process of identifying the type of the attack when the device network is attacked. The type of the attack can therefore be identified by that computer alone. Further, because the abnormality detection pattern is used to identify the type of the attack, the computer can identify the attack type with reduced-load processing, without being made to run a high-load abnormality analysis with a huge processing volume such as machine learning.
A computer-readable storage medium (2) according to the present disclosure stores a program that further causes the at least one computer to execute,
when the type of the attack could not be identified by the attack identification step, an attack estimation step of estimating the type of the attack corresponding to the abnormality on the basis of the abnormality data held in the abnormality data holding unit and the attack estimation patterns for each type of attack held in an attack estimation pattern holding unit,
wherein the attack estimation pattern includes combination data of weighting values for each of the plurality of abnormality detection items.
According to the computer-readable storage medium (2), even when the type of the attack could not be identified by the attack identification step, the attack estimation step causes the computer to execute the process of estimating the type of the attack corresponding to the abnormality. Further, because the attack estimation pattern defined for each type of attack is used for the estimation, the computer can estimate which known attack the attack resembles with reduced-load processing, without being made to run a high-load abnormality analysis with a huge processing volume such as machine learning.
A schematic block diagram of an in-vehicle network system to which the security device according to embodiment (1) is applied.
A block diagram showing a functional configuration example of the gateway ECU according to embodiment (1).
A diagram explaining an example of the abnormality detection patterns, one per type of attack, held in the abnormality detection pattern holding unit.
A diagram explaining a case in which the attack identification process performed by the attack identification unit identified the type of attack.
A diagram explaining a case in which the attack identification process performed by the attack identification unit could not identify the type of attack.
A diagram explaining an example of the attack estimation patterns, one per type of attack, held in the attack estimation pattern holding unit.
A diagram explaining an example of the attack estimation process performed by the attack estimation unit.
A diagram showing an example of the second total values calculated by the first calculation unit that forms part of the attack estimation unit.
A diagram showing an example of the match rates calculated by the second calculation unit that forms part of the attack estimation unit.
A configuration example of the attack identification data output to the incident response unit when the attack identification unit has identified the type of attack corresponding to the abnormality.
A configuration example of the attack estimation data output to the incident response unit when the attack estimation unit has identified the type of attack corresponding to the abnormality.
A schematic flowchart showing the processing performed by the security control unit of the gateway ECU according to embodiment (1).
A flowchart showing the abnormality detection processing performed by the security control unit of the gateway ECU according to embodiment (1).
A flowchart showing the abnormality collection processing performed by the security control unit of the gateway ECU according to embodiment (1).
A flowchart showing the attack identification processing performed by the security control unit of the gateway ECU according to embodiment (1).
A block diagram showing a functional configuration example of the gateway ECU according to embodiment (2).
A diagram explaining an example of the abnormality detection patterns, one per type of attack, held in the abnormality detection pattern holding unit.
A diagram explaining an example of the attack estimation patterns, one per type of attack, held in the attack estimation pattern holding unit.
A flowchart showing the abnormality detection processing performed by the security control unit of the gateway ECU according to embodiment (2).
A schematic block diagram of an FA system according to a modification.
A schematic block diagram of an FA system according to another modification.
Embodiments of the security device, attack identification method, program, and storage medium according to the present invention are described below with reference to the drawings.
[Application example]
FIG. 1 is a schematic block diagram of an in-vehicle network system to which the security device according to embodiment (1) is applied.
The in-vehicle network 2 is a communication network system mounted on the vehicle 1 and includes an OBDII (On-Board Diagnostics II) 4, a driving system ECU (Electronic Control Unit) group 5, a body system ECU group 6, an information system ECU group 7, and a gateway ECU 10. In this embodiment the in-vehicle network 2 communicates according to the CAN (Controller Area Network) protocol; a communication standard other than CAN may also be adopted for the in-vehicle network 2.
The OBDII 4, driving system ECU group 5, body system ECU group 6, and information system ECU group 7 are connected via buses 3, which serve as communication paths, to channels CH1, CH2, CH3, and CH4 of the gateway ECU 10, respectively. The number of communication channels of the gateway ECU 10 is not limited to four. The example of FIG. 1 uses a central gateway topology in which each functional group of ECUs is connected directly to the gateway ECU 10, but the connection topology is not limited to this; for example, a gateway ECU 10 may instead be placed between each pair of ECU groups.
The OBDII 4 has a port to which a diagnostic device or scan tool for fault diagnosis, maintenance, and the like is connected.
The driving system ECU group 5 includes powertrain ECUs and chassis ECUs. The powertrain ECUs include control units for "driving" functions such as engine control, motor control, fuel cell control, EV (Electric Vehicle) control, and transmission control. The chassis ECUs include control units for "stopping and turning" functions such as brake control and steering control.
The body system ECU group 6 includes control units for vehicle body functions such as door locks, power windows, air conditioning, lights, and turn signals.
The information system ECU group 7 includes infotainment devices, telematics devices, and ITS (Intelligent Transport Systems) related devices. Infotainment devices include car navigation and audio equipment; telematics devices include communication units for connecting to a mobile phone network or the like. ITS related devices include ETC (Electronic Toll Collection System) units and communication units for road-to-vehicle communication with roadside units such as ITS spots, or for vehicle-to-vehicle communication.
In addition to these ECU groups, a safety function ECU group may also be connected to the gateway ECU 10. The safety function ECU group includes control units for functions that automatically improve safety or driving comfort in cooperation with the driving system ECU group 5 and others, such as automatic braking, lane keeping control, and inter-vehicle distance control.
An external interface may also be connected to the gateway ECU 10. External interfaces include, for example, Bluetooth (registered trademark), Wi-Fi (registered trademark), a USB (Universal Serial Bus) port, and a memory card slot.
The gateway ECU 10 exchanges frames with each ECU group in the in-vehicle network 2 according to the CAN protocol and additionally functions as the security device of this embodiment. That is, the security device of this embodiment is implemented in the gateway ECU 10 connected to the buses 3 of the in-vehicle network 2.
When an attack (also called a security attack or cyber attack) is carried out against the in-vehicle network 2, the gateway ECU 10 judges the attack within the vehicle 1 alone, that is, in the gateway ECU 10 itself, using reduced-load processing (in other words, it identifies or estimates the type of attack), and executes incident response processing according to the judged attack. This allows the driver of the vehicle 1 to drive with confidence, without anxiety about the threat of security attacks.
The driving system ECU group 5, body system ECU group 6, information system ECU group 7, and gateway ECU 10 are each computer devices including one or more processors, memory, a communication module, and the like; the processor of each ECU reads a program stored in memory and interprets and executes it, so that each ECU performs its predetermined control.
[Configuration example 1]
FIG. 2 is a block diagram showing a functional configuration example of the gateway ECU 10 according to embodiment (1).
The gateway ECU 10 includes a gateway function unit 11 and a security control unit 12. The security control unit 12 is the part in which the functions of the security device of this embodiment are implemented. As hardware, the gateway ECU 10 includes memory such as ROM (Read Only Memory) holding a control program and RAM (Random Access Memory), a processor such as a CPU (Central Processing Unit) that reads the program from the memory and executes it, and a communication module for connecting to the in-vehicle network 2.
The gateway function unit 11 controls the transfer of frames to and from each ECU group via the buses 3 and includes the components needed for mutual communication with each ECU group of the in-vehicle network 2 according to the CAN protocol, such as a frame transmission/reception unit, a frame interpretation unit, and a frame conversion unit (not shown). In this embodiment the bus 3 is an example of a communication path and a frame is an example of a message.
Frames in the CAN protocol comprise data frames, remote frames, overload frames, and error frames. A data frame consists of the following fields: SOF (Start Of Frame), ID, RTR (Remote Transmission Request), IDE (Identifier Extension), a reserved bit, DLC (Data Length Code), the data field, the CRC (Cyclic Redundancy Check) sequence, the CRC delimiter (DEL), the ACK (Acknowledgement) slot, the ACK delimiter (DEL), and EOF (End Of Frame).
The security control unit 12 includes a frame reception unit 21, a frame abnormality detection unit 22, a bus monitoring unit 23, a bus abnormality detection unit 24, and a normal value holding unit 25. It further includes an abnormality data collection unit 26, an abnormality data holding unit 27, a timer 28, an abnormality detection pattern holding unit 29, an attack identification unit 30, an attack estimation pattern holding unit 31, an attack estimation unit 32, and an incident response unit 33.
As hardware, the security control unit 12 includes memory such as ROM holding a control program and RAM, and a processor that reads the program from the memory and executes it; the functions of the units above are realized by this hardware.
The frame reception unit 21 receives frames carrying CAN signals (CAN frames), for example from the gateway function unit 11, and passes the received frames to the frame abnormality detection unit 22 and the bus monitoring unit 23.
The frame abnormality detection unit 22 checks a plurality of abnormality detection items (also called parameters) to detect whether a frame received by the frame reception unit 21 has an abnormality caused by an attack on the in-vehicle network 2 (a frame abnormality). The abnormality detection items for frame abnormalities may include, for example, parameters set per frame ID such as RTR, DLC, payload, and receive period. A frame abnormality is an abnormality of a single CAN signal considered in isolation. The frame abnormality detection unit 22 is an example of a message abnormality detection unit.
The bus monitoring unit 23 monitors the state of each bus 3 connected to CH1 to CH4 of the gateway ECU 10 and passes the monitoring data to the bus abnormality detection unit 24. The bus abnormality detection unit 24 is an example of a communication path abnormality detection unit.
The bus abnormality detection unit 24 checks a plurality of abnormality detection items (parameters) to detect whether the buses 3 connected to CH1 to CH4 have an abnormality caused by an attack on the in-vehicle network 2 (a bus abnormality). The abnormality detection items for bus abnormalities may include, for example, the bus load factor of each bus 3 connected to CH1 to CH4, the bus state (such as the presence or absence of bus errors), and the IDs appearing on the bus 3. A bus abnormality is a situational abnormality of the CAN signals. The frame abnormality detection unit 22 and the bus abnormality detection unit 24 are examples of an abnormality detection unit that detects abnormalities caused by an attack on the in-vehicle network 2.
The normal value holding unit 25 holds in advance the frame normal values (also called normal patterns) of each abnormality detection item, which the frame abnormality detection unit 22 uses to decide whether there is a frame abnormality. It also holds in advance the bus normal values (normal patterns) of each abnormality detection item, which the bus abnormality detection unit 24 uses to decide whether there is a bus abnormality. The normal value holding unit 25 thus serves as both a frame normal value holding unit (message normal value holding unit) and a bus normal value holding unit (communication path normal value holding unit); a separate frame normal value holding unit and bus normal value holding unit may be provided instead.
The frame normal values consist, for example, of the normal patterns of several items per frame ID received on each channel, such as the receive period, the data length given by the DLC, and the characteristics of the payload. The bus normal values consist, for example, of the normal patterns of several items per bus 3 connected to each channel, such as the bus load factor, the presence or absence of bus errors, and the appearing IDs.
After the frame abnormality detection unit 22 detects a frame abnormality, the abnormality data collection unit 26 collects the data of the frame abnormalities detected within a predetermined time and passes the collected frame abnormality data to the abnormality data holding unit 27. Likewise, after the bus abnormality detection unit 24 detects a bus abnormality, the abnormality data collection unit 26 collects the data of the further bus abnormalities detected within the predetermined time and passes the collected bus abnormality data to the abnormality data holding unit 27.
The abnormality data holding unit 27 temporarily holds the frame abnormality data and bus abnormality data collected by the abnormality data collection unit 26. The timer 28 counts the predetermined time during which the abnormality data collection unit 26 collects abnormality data. The predetermined time is set, for example, to a duration that does not impair safe driving even while the vehicle 1 is under a security attack.
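The per-ID frame checks, the per-channel bus checks and the timer-bounded collection described above, as an added Python example that is not code from the patent or from Omron. The per-ID normal values, the per-channel bus normal values, the tolerance on the receive period, the item names (F_PERIOD, B_UNKNOWN_ID and so on) and the sample trace are all constructed assumptions for illustration; the gateway's real normal values would come from the vehicle's CAN matrix.

```python
"""Frame/bus anomaly detection for a CAN gateway (added example, not the patent's code).

Normal values, thresholds, IDs and the sample trace below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    ts: float      # receive time in seconds
    channel: int   # gateway channel CH1..CH4
    can_id: int    # 11-bit identifier
    rtr: bool      # remote transmission request bit
    dlc: int       # data length code
    data: bytes    # payload; len(data) == dlc for a well-formed data frame


# Frame normal values per ID (constructed): expected DLC, RTR flag, nominal
# receive period in seconds and an allowed (lo, hi) range per payload byte.
FRAME_NORMAL = {
    0x100: {"dlc": 8, "rtr": False, "period": 0.010, "ranges": [(0, 255)] * 8},
    0x2A0: {"dlc": 2, "rtr": False, "period": 0.100, "ranges": [(0, 100), (0, 1)]},
}
# Bus normal values per channel (constructed): maximum load factor and the set
# of IDs that are allowed to appear on that bus.
BUS_NORMAL = {1: {"max_load": 0.60, "ids": {0x100, 0x2A0}}}
PERIOD_TOLERANCE = 0.5   # +/- 50 % of the nominal period still counts as normal


def check_frame(frame, last_ts):
    """Return the set of frame-abnormality items raised by a single frame.

    last_ts maps can_id -> previous receive time and is updated in place so
    the receive period can be checked against the per-ID normal value.
    """
    found = set()
    normal = FRAME_NORMAL.get(frame.can_id)
    if normal is None:
        return found          # an unknown ID is reported at bus level, see check_bus
    if frame.rtr != normal["rtr"]:
        found.add("F_RTR")
    if frame.dlc != normal["dlc"] or len(frame.data) != frame.dlc:
        found.add("F_DLC")
    elif not all(lo <= b <= hi for b, (lo, hi) in zip(frame.data, normal["ranges"])):
        found.add("F_PAYLOAD")
    prev = last_ts.get(frame.can_id)
    if prev is not None:
        if abs((frame.ts - prev) - normal["period"]) > PERIOD_TOLERANCE * normal["period"]:
            found.add("F_PERIOD")
    last_ts[frame.can_id] = frame.ts
    return found


def check_bus(channel, load, error_count, seen_ids):
    """Return the set of bus-abnormality items for one channel snapshot."""
    found = set()
    normal = BUS_NORMAL[channel]
    if load > normal["max_load"]:
        found.add("B_LOAD")
    if error_count > 0:
        found.add("B_ERROR")
    if not seen_ids <= normal["ids"]:
        found.add("B_UNKNOWN_ID")
    return found


def collect(frames, channel, load, error_count, window):
    """Run the checks over a trace and collect every item raised within
    `window` seconds of the first detection (the timer-bounded collection)."""
    last_ts, collected, seen, first = {}, set(), set(), None
    for f in frames:
        if first is not None and f.ts - first > window:
            break                                   # timer expired
        seen.add(f.can_id)
        items = check_frame(f, last_ts)
        if items and first is None:
            first = f.ts                            # start the collection timer
        collected |= items
    if first is not None:
        collected |= check_bus(channel, load, error_count, seen)
    return collected


# Constructed trace: a periodic 0x100 message with one injected early copy,
# an out-of-range 0x2A0 payload, and an ID that never appears on this bus.
SAMPLE = [
    CanFrame(0.000, 1, 0x100, False, 8, bytes(8)),
    CanFrame(0.010, 1, 0x100, False, 8, bytes(8)),
    CanFrame(0.012, 1, 0x100, False, 8, bytes(8)),          # injected -> F_PERIOD
    CanFrame(0.020, 1, 0x2A0, False, 2, bytes([150, 0])),   # byte 0 > 100 -> F_PAYLOAD
    CanFrame(0.030, 1, 0x7FF, False, 1, b"\x00"),           # foreign ID -> B_UNKNOWN_ID
]

if __name__ == "__main__":
    print(sorted(collect(SAMPLE, 1, 0.35, 0, 0.050)))
```

The collected set is the detection vector the next stage matches against the attack patterns; with a 5 ms window instead of 50 ms only the first item survives, which is why the predetermined time is a tuning parameter rather than a constant.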
The abnormality detection pattern holding unit 29 holds in advance an abnormality detection pattern for each type of attack. Each pattern includes combination data indicating, for each of the plurality of abnormality detection items, whether detection of that item is required.
FIG. 3 is a diagram explaining an example of the abnormality detection patterns, one per type of attack, held in the abnormality detection pattern holding unit 29.
The data representing the abnormality detection patterns 29a consists of an attack type column and a plurality of abnormality detection item columns.
The attack type column lists the types of attack that can be assumed for the in-vehicle network 2 (attacks A1 to A5, ...). These are known attacks extracted by threat analysis of the in-vehicle network 2 system, that is, analysis of the vulnerabilities and threats of the gateway ECU 10, of the driving system ECU group 5, body system ECU group 6, and information system ECU group 7 connected to it, of devices connected to the OBDII 4, and of other communication devices attached to the in-vehicle network 2. The threat analysis method used to extract these attacks is not particularly limited; for example, threat extraction using a DFD (Data Flow Diagram), threat classification by STRIDE, threat trees, or threat rating by DREAD may be used. Attacks set in the attack type column may include, for example, unauthorized use, unauthorized configuration, unauthorized relaying, unauthorized insertion, information leakage, DoS attacks, message loss, and forged messages.
The abnormality detection items comprise frame abnormalities F1 to F5 and bus abnormalities B1 to B5. Frame abnormalities F1 to F5 are each assigned a frame-related parameter such as receive period, payload, DLC, or RTR; bus abnormalities B1 to B5 are each assigned a bus-related parameter such as bus load factor, bus error, or appearing ID.
For each type of attack, a pattern of combination data indicating whether detection is required is then set for each abnormality detection item (frame abnormalities F1 to F5 and bus abnormalities B1 to B5). In FIG. 3, "AND" means the item is always detected, "NOT" means it is never detected, and "-" means it is not known whether it is detected. For example, attack A1 is characterized by frame abnormality F1 always being detected; frame abnormalities F3 and F5 and bus abnormalities B1, B4, and B5 never being detected; and frame abnormalities F2 and F4 and bus abnormalities B2 and B3 being indeterminate (they may or may not be detected).
The attack identification unit 30 identifies the type of attack corresponding to a detected abnormality on the basis of the abnormality data held in the abnormality data holding unit 27 and the abnormality detection patterns for each type of attack held in the abnormality detection pattern holding unit 29. After performing the attack identification process, the attack identification unit 30 also instructs the abnormality data holding unit 27 to reset (clear) the temporarily held abnormality data (detection data).
FIG. 4 is a diagram explaining a case in which the attack identification process performed by the attack identification unit 30 identified the type of attack.
The attack identification unit 30 matches the abnormality data 27a held in the abnormality data holding unit 27 against the abnormality detection patterns 29a for each type of attack held in the abnormality detection pattern holding unit 29, and identifies the type of attack corresponding to the abnormality indicated by the abnormality data 27a.
The abnormality data 27a contains, for each abnormality detection item (frame abnormalities F1 to F5 and bus abnormalities B1 to B5), the detection result ("1" for detected, "0" for not detected). The abnormality data 27a illustrated in FIG. 4 shows frame abnormalities F1 and F2 and bus abnormalities B1 to B5 detected, and frame abnormalities F3 to F5 not detected.
In the example of FIG. 4, matching the abnormality data 27a against the abnormality detection patterns 29a by the attack identification unit 30 identified the abnormality indicated by the abnormality data 27a as attack A3 in the abnormality detection patterns 29a. Next, the case in which the attack identification process performed by the attack identification unit 30 cannot identify the type of attack is described.
FIG. 5 is a diagram explaining a case in which the attack identification process performed by the attack identification unit 30 could not identify the type of attack. The abnormality data 27b illustrated in FIG. 5 shows frame abnormalities F1 and F2 and bus abnormalities B2, B4, and B5 detected, and frame abnormalities F3 to F5 and bus abnormalities B1 and B3 not detected.
The example shown in FIG. 5 illustrates the case where, as a result of the attack identifying unit 30 collating the abnormality data 27b with the abnormality detection pattern 29a for each type of attack, the abnormality indicated by the abnormality data 27b detected this time is determined not to correspond to (not to match) any of the attacks in the abnormality detection pattern 29a. When the attack identification process performed by the attack identifying unit 30 cannot identify the type of attack in this way (in other words, the attack is unknown), the attack estimation process by the attack estimation unit 32 is performed next.
The attack estimation pattern holding unit 31 holds in advance an attack estimation pattern for each type of attack. The attack estimation pattern for each type of attack is made up of combination data of weighting values for each of the plurality of abnormality detection items.
FIG. 6 is a diagram for explaining an example of the attack estimation pattern for each type of attack held in the attack estimation pattern holding unit 31.
The data indicating the attack estimation pattern 31a for each type of attack is made up of an attack type item, a plurality of abnormality detection items, and a first total value item.
In the attack type item, as in the abnormality detection pattern 29a illustrated in FIG. 3, the types of attack that can be assumed in the in-vehicle network 2 (attacks A11 to A15, ...) are set. The plurality of abnormality detection items likewise include the parameters of frame abnormalities F1 to F5 and bus abnormalities B1 to B5, as in the abnormality detection pattern 29a illustrated in FIG. 3.
For each type of attack, a pattern of combination data (also referred to as a weight set) consisting of a weighting value (a value from 0.0 to 1.0) for each of the plurality of abnormality detection items (frame abnormalities F1 to F5 and bus abnormalities B1 to B5) is set. The closer a weighting value is to 1.0, the higher the probability that the abnormality occurs; the closer it is to 0.0, the lower that probability. The weighting value for each abnormality detection item of each attack may be set based on the result of a threat analysis performed in advance, or based on the result of machine learning or the like performed in advance. The first total value indicates the sum (also referred to as the sum of the set) of the combination data (weight set) of the weighting values for each of the plurality of abnormality detection items of each attack.
When the attack identifying unit 30 cannot identify the type of attack, the attack estimation unit 32 performs a process of estimating the type of attack corresponding to the detected abnormality, based on the abnormality data held in the abnormality data holding unit 27 and the attack estimation pattern 31a for each type of attack held in the attack estimation pattern holding unit 31.
FIG. 7 is a diagram for explaining an example of the attack estimation process performed by the attack estimation unit 32.
For each type of attack (attacks A11 to A15, ...) held in the attack estimation pattern holding unit 31, the attack estimation unit 32 calculates a second total value (also referred to as the sum of the product set): the sum, over each abnormality detection item (frame abnormalities F1 to F5 and bus abnormalities B1 to B5), of the product of the detection data (1 or 0) of the abnormality data 27b and the weighting value set for that abnormality detection item in the attack estimation pattern 31a (that is, it functions as a first calculation unit).
FIG. 8 is a diagram showing an example of the calculation result of the second total value calculated by the first calculation unit included in the attack estimation unit 32.
As shown in FIG. 8, for each abnormality detection item (frame abnormalities F1 to F5 and bus abnormalities B1 to B5) of each attack, the product of the detection data of the abnormality data 27b and the corresponding weighting value of the attack estimation pattern 31a is calculated, and the sum of the calculated products is calculated as the second total value.
Next, the attack estimation unit 32 calculates, for each type of attack, the match rate between the first total value and the second total value (that is, it functions as a second calculation unit).
FIG. 9 is a diagram showing an example of the match rate calculated by the second calculation unit included in the attack estimation unit 32. As shown in FIG. 9, the match rate here is expressed as [second total value / first total value] × 100 (%).
Next, the attack estimation unit 32 estimates the type of attack corresponding to the abnormality that the attack identifying unit 30 could not identify, based on the match rate for each attack calculated by the second calculation unit (that is, it functions as an estimation unit). The estimation unit included in the attack estimation unit 32 makes it possible to estimate, based on the match rate, which existing type of attack the abnormality that the attack identifying unit 30 could not identify resembles. In the example shown in FIG. 9, attack A11 has the highest match rate, so it can be estimated that the attack that caused the abnormality detected this time is most similar to attack A11.
When the attack identifying unit 30 identifies the type of attack corresponding to the abnormality, the incident handling unit 33 functions as a first incident handling unit that performs handling processing for the identified type of attack. When the attack estimation unit 32 estimates the type of attack corresponding to the abnormality, the incident handling unit 33 functions as a second incident handling unit that performs handling processing for the estimated type of attack.
FIG. 10 shows an example of the attack identification data output to the incident handling unit 33 when the attack identifying unit 30 identifies the type of attack corresponding to the abnormality.
As shown in FIG. 10, the attack identification data includes the CH (channel) of the gateway ECU 10 that was attacked, the frame in which the abnormality occurred, and data on the identified attack. Based on the attack identification data acquired from the attack identifying unit 30, the incident handling unit 33 executes a predetermined countermeasure process for the identified type of attack.
FIG. 11 shows an example of the attack estimation data output to the incident handling unit 33 when the attack estimation unit 32 estimates the type of attack corresponding to the abnormality.
As shown in FIG. 11, the attack estimation data includes the CH of the gateway ECU 10 that was attacked, the frame in which the abnormality occurred, and data on the estimated attack. Based on the attack estimation data acquired from the attack estimation unit 32, the incident handling unit 33 executes a predetermined countermeasure process for the estimated type of attack. For example, it executes the countermeasure process for the type of attack with the highest match rate.
[Operation example]
FIG. 12 is a schematic flowchart showing the processing operation performed by the security control unit 12 included in the gateway ECU 10 according to embodiment (1). This processing operation assumes the case where an attacker has carried out some security attack on the in-vehicle network 2 and the defense function of the gateway ECU 10 has been broken.
First, in step S1, the security control unit 12 determines whether an abnormality due to a security attack has occurred in the in-vehicle network 2. If it determines that no abnormality has occurred, the processing ends; if it determines that an abnormality has occurred, the processing proceeds to step S2.
In step S2, the security control unit 12 performs a process of detecting an abnormality that has occurred in a frame received from each ECU group or on the bus 3 connected to each CH, and then proceeds to step S3.
In step S3, the security control unit 12 performs a process of collecting the data of the abnormality that occurred in the received frame or on the bus 3 (that is, the abnormality detection result), and then proceeds to step S4.
In step S4, the security control unit 12 uses the collected abnormality data to identify the type of security attack and, when the type of attack cannot be identified, to estimate the type of attack; it then proceeds to step S5. In step S5, the security control unit 12 performs a process of implementing an incident countermeasure corresponding to the identified or estimated type of attack, and then ends the processing.
FIG. 13 is a flowchart showing the abnormality detection processing operation performed by the security control unit 12 included in the gateway ECU 10 according to embodiment (1). This processing operation is an example of the abnormality detection processing performed in step S2 of FIG. 12, and is executed when a frame, which is a CAN signal, is received.
First, in step S11, the security control unit 12 performs a process of receiving a frame that is a CAN signal (a frame received from each ECU group) from the gateway function unit 11, and proceeds to step S12. In step S12, the security control unit 12 determines whether an abnormality due to a security attack has been detected in the received frame or on the bus 3 on which the frame was received. If it determines that no abnormality has been detected, the abnormality detection processing on CAN signal reception ends; if it determines that an abnormality has been detected, the processing proceeds to step S13.
In step S13, the security control unit 12 determines whether it is currently in the state of collecting abnormality data due to a security attack (the abnormality collection state), in other words, whether the abnormality data collection unit 26 is operating. If it determines that abnormality data is currently being collected, the processing proceeds to step S15. On the other hand, if the security control unit 12 determines in step S13 that abnormality data is not currently being collected, the processing proceeds to step S14, where it performs a process of transitioning to the state of collecting abnormalities due to a security attack (in other words, the abnormality data collection unit 26 starts collecting abnormality data), and then proceeds to step S15.
In step S15, the security control unit 12 determines whether the abnormality detected in step S12 is one that has already been detected since the transition to the abnormality collection state. If it determines that the abnormality has already been detected, the abnormality detection processing on CAN signal reception ends.
On the other hand, if the security control unit 12 determines in step S15 that the abnormality has not already been detected (in other words, it is a not-yet-detected abnormality), the processing proceeds to step S16, where the data of the detected abnormality is stored in the abnormality data holding unit 27, and then the abnormality detection processing on CAN signal reception ends.
In the abnormality detection processing operation described above, after a frame is received in step S11, step S12 determines whether a frame abnormality or a bus abnormality has been detected; however, the processing is not limited to this form. In another embodiment, the security control unit 12 may detect frame abnormalities and bus abnormalities in separate processing flows. For example, frame abnormalities may be detected after a frame is received, while bus abnormalities may be detected by constantly monitoring the state of the buses 3 connected to CH1 to CH4.
FIG. 14 is a flowchart showing the abnormality collection processing operation performed by the security control unit 12 included in the gateway ECU 10 according to embodiment (1). This processing operation is an example of the process of collecting abnormality data (abnormality detection results) performed in step S3 of FIG. 12.
First, in step S21, the security control unit 12 starts counting the abnormality collection time with the timer 28, and then proceeds to step S22, where it determines whether a predetermined time has elapsed since counting started. The predetermined time is set to a length (for example, several seconds to several tens of seconds) that does not interfere with safe driving even when the vehicle 1 is under a security attack.
If the security control unit 12 determines in step S22 that the predetermined time has not elapsed, the timer 28 continues counting until it has; if it determines that the predetermined time has elapsed, the processing proceeds to step S23. In step S23, the security control unit 12 ends the collection of abnormality data and proceeds to step S24, where it clears the count of the timer 28 and then ends the processing.
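The collection window of steps S12 to S16 and S21 to S24 above, as an added example in C that is not the patent's code: the 5-second window, the item indices (0 to 4 for F1 to F5, 5 to 9 for B1 to B5) and the event sequence are constructed assumptions, and a simulated millisecond clock stands in for timer 28.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the patent's code: the abnormality collection window of
 * FIG. 13 (steps S12-S16) and FIG. 14 (steps S21-S24). Once collection has
 * started, each abnormality item is recorded at most once per window, so the
 * result is the 1/0 presence vector that step S4 later collates. */
#define NUM_ITEMS 10
#define COLLECT_WINDOW_MS 5000u   /* "several seconds": constructed value */

typedef struct {
    bool collecting;                    /* abnormality collection state (S13) */
    uint32_t window_start_ms;           /* count started by timer 28 (S21) */
    unsigned char detected[NUM_ITEMS];  /* abnormality data being built (S16) */
    int stored;                         /* items newly stored in this window */
} collector_t;

void collector_init(collector_t *c) { memset(c, 0, sizeof *c); }

/* Entry from step S12 when a frame or bus abnormality has been detected.
 * Returns true if the item was newly stored (S16), false if it was already
 * detected in the current window (S15) or the index is out of range. */
bool collector_on_abnormality(collector_t *c, int item, uint32_t now_ms) {
    if (item < 0 || item >= NUM_ITEMS) return false;
    if (!c->collecting) {                  /* S14: enter the collection state */
        c->collecting = true;
        c->window_start_ms = now_ms;       /* S21: start counting */
        memset(c->detected, 0, sizeof c->detected);
        c->stored = 0;
    }
    if (c->detected[item]) return false;   /* S15: already detected, drop it */
    c->detected[item] = 1;                 /* S16: record presence */
    c->stored++;
    return true;
}

/* Periodic check of the elapsed time (S22). When the window has expired the
 * collected vector is copied to out, collection ends (S23), the timer is
 * cleared (S24) and true is returned; otherwise false. Unsigned subtraction
 * keeps the comparison correct if a 32-bit tick counter wraps around. */
bool collector_poll(collector_t *c, uint32_t now_ms, unsigned char out[NUM_ITEMS]) {
    if (!c->collecting) return false;
    if (now_ms - c->window_start_ms < COLLECT_WINDOW_MS) return false;
    memcpy(out, c->detected, NUM_ITEMS);
    c->collecting = false;
    c->window_start_ms = 0;
    return true;
}

typedef struct { uint32_t t_ms; int item; } event_t;

/* Replay a detection sequence from a fresh collector, then poll once at end_ms.
 * Returns how many items were newly stored; out receives the vector if the
 * window closed at end_ms, otherwise all zeros. */
int replay_window(collector_t *c, const event_t *ev, int n, uint32_t end_ms,
                  unsigned char out[NUM_ITEMS]) {
    int stored = 0;
    collector_init(c);
    memset(out, 0, NUM_ITEMS);
    for (int i = 0; i < n; i++)
        if (collector_on_abnormality(c, ev[i].item, ev[i].t_ms)) stored++;
    collector_poll(c, end_ms, out);
    return stored;
}

/* Constructed sequence: F1, F2, F1 again (duplicate), B2, B2 again (duplicate). */
static const event_t SAMPLE_EVENTS[] = {{0, 0}, {120, 1}, {250, 0}, {400, 6}, {900, 6}};
#define SAMPLE_EVENT_COUNT 5

int main(void) {
    collector_t c;
    unsigned char vec[NUM_ITEMS];
    int stored = replay_window(&c, SAMPLE_EVENTS, SAMPLE_EVENT_COUNT, 5000, vec);
    printf("stored %d distinct abnormalities; vector:", stored);
    for (int i = 0; i < NUM_ITEMS; i++) printf(" %d", vec[i]);
    printf("\n");
    return 0;
}
```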
FIG. 15 is a flowchart showing the attack identification processing operation performed by the security control unit 12 included in the gateway ECU 10 according to embodiment (1). This processing operation is an example of the attack identification processing performed in step S4 of FIG. 12, and includes both the processing that identifies the attack and the processing that estimates the attack.
First, in step S31, the security control unit 12 reads the abnormality data stored in the abnormality data holding unit 27 (the abnormality data detected within the predetermined time), and proceeds to step S32. The abnormality data has, for example, the data structure shown for the abnormality data 27a illustrated in FIG. 4 (a structure including the detection result for each of a plurality of abnormality detection items).
In step S32, the security control unit 12 reads the abnormality detection pattern defined for each type of attack from the abnormality detection pattern holding unit 29, and proceeds to step S33. The abnormality detection pattern has, for example, the data structure shown for the abnormality detection pattern 29a for each type of attack illustrated in FIG. 3 (a structure in which combination data indicating, for each of a plurality of abnormality detection items, whether detection is required is set for each type of attack).
In step S33, the security control unit 12 performs a process of collating (matching) the abnormality data read in step S31 with the abnormality detection pattern for each type of attack read in step S32, and then proceeds to step S34. In step S34, it determines whether, as a result of the collation, an abnormality detection pattern identical to the abnormality data was found; if it determines that an identical abnormality detection pattern was found, the processing proceeds to step S35.
In step S35, the security control unit 12 identifies the type of attack indicated by the abnormality data as the attack indicated by the identical abnormality detection pattern determined in step S34, and then proceeds to step S36.
In step S36, the security control unit 12 performs a process of outputting the information on the identified attack to the incident handling unit 33, and then proceeds to step S37.
On the other hand, if the security control unit 12 determines in step S34 that no abnormality detection pattern identical to the abnormality data was found, the processing proceeds to step S38.
In step S38, the security control unit 12 reads the attack estimation pattern defined for each type of attack from the attack estimation pattern holding unit 31, and then proceeds to step S39. The attack estimation pattern has, for example, the data structure shown for the attack estimation pattern 31a for each type of attack illustrated in FIG. 6 (a structure in which combination data of weighting values for each of a plurality of abnormality detection items, together with the sum of those weighting values, is set for each type of attack).
In step S39, the security control unit 12 performs a process of calculating, for each type of attack, the sum of the products of the abnormality data and the attack estimation pattern (the second total value), and proceeds to step S40. In step S40, the security control unit 12 performs a process of calculating the match rate of the second total value (sum of the product set) against the first total value (sum of the set) defined in the attack estimation pattern for each type of attack ([second total value / first total value] × 100 (%)), and proceeds to step S41.
In step S41, the security control unit 12 estimates the type of attack based on the match rate; for example, it estimates that the abnormality detected this time is most similar to the attack with the highest match rate, and proceeds to step S42. In step S42, the security control unit 12 performs a process of outputting the information on the estimated attack to the incident handling unit 33, and then proceeds to step S37. In step S37, the security control unit 12 performs a reset process that clears the data temporarily held in the abnormality data holding unit 27, and then ends the processing.
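The identification and estimation procedure of steps S31 to S42, and the FIG. 4 to FIG. 9 walkthrough earlier on this page, as an added example in C that is not the patent's code: the detection patterns, weighting values and the two abnormality vectors are constructed so that data 27a is identical to A3 while data 27b matches no detection pattern and has its highest match rate against A11, as the page describes.

```c
#include <stdio.h>

/* Added example, not the patent's code: attack identification (attack identifying
 * unit 30, steps S31-S36) followed by attack estimation (attack estimation unit
 * 32, steps S38-S42) over a ten-item abnormality vector. Item order is frame
 * abnormalities F1-F5 followed by bus abnormalities B1-B5. All pattern values
 * and weights are constructed; the page does not give the real tables. */
#define NUM_ITEMS   10
#define NUM_ATTACKS 5

/* Abnormality detection pattern 29a: 1 = item must be detected, 0 = must not be.
 * A3 is written to equal the FIG. 4 abnormality data 27a, as the page describes. */
typedef struct { const char *name; unsigned char required[NUM_ITEMS]; } detection_pattern_t;
static const detection_pattern_t DETECTION_PATTERNS[NUM_ATTACKS] = {
    {"A1", {1,0,0,0,0, 1,0,0,0,0}},
    {"A2", {0,1,0,0,0, 0,1,1,0,0}},
    {"A3", {1,1,0,0,0, 1,1,1,1,1}},
    {"A4", {0,0,1,1,0, 0,0,0,1,0}},
    {"A5", {0,0,0,0,1, 1,1,0,0,1}},
};

/* Attack estimation pattern 31a: one weighting value 0.0-1.0 per item. The first
 * total value is derived by first_total() as the sum of the row. */
typedef struct { const char *name; double weight[NUM_ITEMS]; } estimation_pattern_t;
static const estimation_pattern_t ESTIMATION_PATTERNS[NUM_ATTACKS] = {
    {"A11", {1.0,0.9,0.1,0.0,0.0, 0.5,0.8,0.2,0.9,0.7}},
    {"A12", {0.2,0.3,0.9,0.8,0.1, 0.9,0.1,0.6,0.2,0.3}},
    {"A13", {0.8,0.8,0.0,0.0,0.0, 0.9,0.9,0.9,0.9,0.9}},
    {"A14", {0.1,0.1,0.7,0.7,0.7, 0.2,0.2,0.2,0.8,0.2}},
    {"A15", {0.5,0.5,0.5,0.5,0.5, 0.5,0.5,0.5,0.5,0.5}},
};

/* Constructed abnormality data: 27a as in FIG. 4 (F1, F2, B1-B5 detected) and
 * 27b as in FIG. 5 (F1, F2, B2, B4, B5 detected). 1 = detected, 0 = not. */
static const unsigned char DATA_27A[NUM_ITEMS] = {1,1,0,0,0, 1,1,1,1,1};
static const unsigned char DATA_27B[NUM_ITEMS] = {1,1,0,0,0, 0,1,0,1,1};

/* Steps S33/S34: collate the 1/0 vector against every detection pattern and
 * accept only an identical row. Returns the attack index, or -1 if none matches. */
int identify_attack(const unsigned char detected[NUM_ITEMS]) {
    for (int a = 0; a < NUM_ATTACKS; a++) {
        int identical = 1;
        for (int i = 0; i < NUM_ITEMS && identical; i++)
            identical = (DETECTION_PATTERNS[a].required[i] == (detected[i] ? 1 : 0));
        if (identical) return a;
    }
    return -1;
}

/* First total value: the sum of the attack's weight set ("sum of the set"). */
double first_total(int attack) {
    double sum = 0.0;
    for (int i = 0; i < NUM_ITEMS; i++) sum += ESTIMATION_PATTERNS[attack].weight[i];
    return sum;
}

/* Second total value (step S39): sum of detected (1/0) x weight ("sum of the product set"). */
double second_total(int attack, const unsigned char detected[NUM_ITEMS]) {
    double sum = 0.0;
    for (int i = 0; i < NUM_ITEMS; i++)
        sum += (detected[i] ? 1.0 : 0.0) * ESTIMATION_PATTERNS[attack].weight[i];
    return sum;
}

/* Match rate (step S40): [second total value / first total value] x 100 (%).
 * An all-zero weight row would divide by zero, so it is reported as 0 %. */
double match_rate(int attack, const unsigned char detected[NUM_ITEMS]) {
    double first = first_total(attack);
    return first > 0.0 ? second_total(attack, detected) / first * 100.0 : 0.0;
}

/* Step S41: the attack with the highest match rate is the most similar known
 * attack. best_rate may be NULL. */
int estimate_attack(const unsigned char detected[NUM_ITEMS], double *best_rate) {
    int best = 0;
    double best_val = match_rate(0, detected);
    for (int a = 1; a < NUM_ATTACKS; a++) {
        double r = match_rate(a, detected);
        if (r > best_val) { best_val = r; best = a; }
    }
    if (best_rate) *best_rate = best_val;
    return best;
}

/* Approximate comparison for floating-point totals (used by the checks). */
int near_eq(double a, double b) { double d = a - b; return d < 1e-6 && d > -1e-6; }

int main(void) {
    int id = identify_attack(DATA_27A);
    printf("data 27a -> %s\n", id >= 0 ? DETECTION_PATTERNS[id].name : "unknown");
    if (identify_attack(DATA_27B) < 0) {          /* FIG. 5: no identical pattern */
        double rate;
        int est = estimate_attack(DATA_27B, &rate);
        for (int a = 0; a < NUM_ATTACKS; a++)
            printf("  %s: first=%.1f second=%.1f rate=%.1f%%\n", ESTIMATION_PATTERNS[a].name,
                   first_total(a), second_total(a, DATA_27B), match_rate(a, DATA_27B));
        printf("data 27b -> unknown, most similar to %s (%.1f%%)\n",
               ESTIMATION_PATTERNS[est].name, rate);
    }
    return 0;
}
```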
[Action/effect]
Since the gateway ECU 10 according to embodiment (1) includes the security control unit 12, a frame abnormality is detected by the frame abnormality detection unit 22, a bus abnormality is detected by the bus abnormality detection unit 24, these detected abnormalities are collected by the abnormality data collection unit 26, and the collected abnormality data is held in the abnormality data holding unit 27. The attack identifying unit 30 then identifies the type of attack corresponding to the abnormality.
Therefore, when the in-vehicle network 2 is subjected to a security attack, the type of attack can be identified by the vehicle 1 alone, that is, by the gateway ECU 10. In addition, the attack identifying unit 30 identifies the type of attack corresponding to the abnormality by collating (matching) the data indicating the detection result for each of the plurality of abnormality detection items with the abnormality detection pattern for each type of attack. Therefore, the type of attack can be identified quickly by light processing, without performing high-load abnormality analysis that requires an enormous amount of processing such as machine learning; the device cost can also be reduced, which makes the device advantageous in terms of cost as well.
When the type of attack corresponding to the abnormality is identified, the incident handling unit 33 can promptly take countermeasures against the identified type of attack. As a result, the driver of the vehicle 1 can drive with peace of mind in the face of security threats.
Even when the attack identifying unit 30 cannot identify the type of attack, the attack estimation unit 32 can estimate the type of attack that the abnormality resembles. The attack estimation pattern defined for each type of attack is used for this estimation: a second total value is calculated for each type of attack, the match rate between the first total value and the second total value is calculated for each type of attack, and the type of attack corresponding to the abnormality is estimated based on the calculated match rate. Therefore, which known attack the abnormality most closely resembles can be estimated quickly by light processing, without performing high-load abnormality analysis that requires an enormous amount of processing such as machine learning.
When the type of attack corresponding to the abnormality is estimated, the incident handling unit 33 can promptly take countermeasures against the estimated type of attack. As a result, the driver of the vehicle 1 can drive with peace of mind in the face of security threats.
[Configuration example 2]
FIG. 16 is a block diagram showing an example of the functional configuration of the gateway ECU 10A according to embodiment (2). Components having the same functions as those of the gateway ECU 10 shown in FIG. 2 are given the same reference numerals, and their description is omitted here.
The gateway ECU 10 according to embodiment (1) was configured to detect frame abnormalities and bus abnormalities, whereas the gateway ECU 10A according to embodiment (2) differs substantially in that it is additionally configured to detect internal processing abnormalities.
The gateway ECU 10A includes a gateway function unit 11 and a security control unit 12A. The security control unit 12A is the part in which the functions of the security apparatus according to the present embodiment are implemented.
In addition to the frame receiving unit 21, the frame abnormality detection unit 22, the bus monitoring unit 23, the bus abnormality detection unit 24, the frame normal value holding unit 25A and the bus normal value holding unit 25B, the security control unit 12A further includes an internal processing monitoring unit 34, an internal processing abnormality detection unit 35, and an internal processing normal value holding unit 36.
The security control unit 12A further includes an abnormality data collection unit 26A, an abnormality data holding unit 27A, the timer 28, an abnormality detection pattern holding unit 29A, an attack identifying unit 30A, an attack estimation pattern holding unit 31A, an attack estimation unit 32A, and the incident handling unit 33.
The internal processing monitoring unit 34 monitors the state of the internal control processing in the gateway ECU 10A while each function of the gateway function unit 11 (for example, the frame reception, transfer and transmission functions) is being executed.
The monitored internal processing includes at least one of the control processing time of these functions, the number of function executions, the function execution order, and the hardware resources of the gateway ECU 10A.
For the control processing time, for example, it is monitored whether the control processing of each function is executed within a preset time.
For the number of function executions, for example, it is monitored whether the number of executions of each function of the gateway function unit 11 is within a preset numerical range.
For the function execution order, for example, it is monitored whether the functions of the gateway function unit 11 are executed in a preset order.
Hardware resources include, for example, the CPU usage rate, RAM usage rate, code ROM (code storage memory) usage rate, and data ROM (data storage memory) usage rate. For hardware resources, for example, it is monitored whether the average usage rate of each hardware resource is within a preset numerical range.
The internal processing abnormality detection unit 35 checks a plurality of abnormality detection items (also referred to as parameters) to detect whether there is an abnormality in the internal processing monitored by the internal processing monitoring unit 34 (that is, an internal processing abnormality). The plurality of abnormality detection items for detecting an internal processing abnormality include, for example, parameters such as the control processing time, the number of function executions, the function execution order, and the hardware resources described above. The frame abnormality detection unit 22, the bus abnormality detection unit 24, and the internal processing abnormality detection unit 35 are an example of an abnormality detection unit that detects abnormalities caused by an attack on the in-vehicle network 2.
 内部処理正常値保持部36には、内部処理異常検出部35で内部処理異常があるかどうかを判断するために用いる、複数の異常検出項目それぞれの内部処理正常値(正常パターンともいう)が予め保持されている。内部処理正常値は、例えば、各機能の制御処理時間、機能実行回数、機能実行処理順、ハードウェアのリソースの平均使用率など複数の項目の正常パターンで構成されている。 The internal processing normal value holding unit 36 stores in advance internal processing normal values (also referred to as normal patterns) of a plurality of abnormality detection items, which are used by the internal processing abnormality detection unit 35 to determine whether there is an internal processing abnormality. Is held. The internal processing normal value is composed of a normal pattern of a plurality of items such as control processing time of each function, function execution frequency, function execution processing order, and average usage rate of hardware resources.
After the frame abnormality detection unit 22 detects a frame abnormality, the abnormal data collection unit 26A collects the frame abnormality data detected within a predetermined time and sends it to the abnormal data holding unit 27A. Likewise, after the bus abnormality detection unit 24 detects a bus abnormality, the abnormal data collection unit 26A collects the bus abnormality data detected within the predetermined time and sends it to the abnormal data holding unit 27A. And after the internal processing abnormality detection unit 35 detects an internal processing abnormality, the abnormal data collection unit 26A collects the internal processing abnormality data detected within the predetermined time and sends it to the abnormal data holding unit 27A.
The abnormal data holding unit 27A temporarily holds the frame abnormality data, bus abnormality data, and internal processing abnormality data collected by the abnormal data collection unit 26A. The timer 28 counts the predetermined time during which the abnormal data collection unit 26A collects abnormality data. The predetermined time is set, for example, to a duration that does not impair safe driving even while the vehicle 1 is under a security attack.
The abnormality detection pattern holding unit 29A holds in advance an abnormality detection pattern for each type of attack. The abnormality detection pattern for each type of attack consists of combination data that states, for each of the abnormality detection items, whether that item must be detected.
FIG. 17 is a diagram for explaining an example of the abnormality detection patterns, one per type of attack, held in the abnormality detection pattern holding unit 29A.
The data representing the abnormality detection pattern 29b for each type of attack consists of an attack type item and a plurality of abnormality detection items. It differs from the abnormality detection pattern 29a shown in FIG. 3 in that the abnormality detection items additionally include internal processing abnormalities.
The attack type item lists the types of attack that can be expected on the in-vehicle network 2 (attacks A21 to A25, ...).
The abnormality detection items comprise frame abnormalities F1 to F4, bus abnormalities B1 to B4, and internal processing abnormalities C1 to C4. Frame abnormalities F1 to F4 are each assigned a frame-related parameter such as reception cycle, payload, DLC, or RTR. Bus abnormalities B1 to B4 are each assigned a bus-related parameter such as bus load factor, bus error, or appearing ID. Internal processing abnormalities C1 to C4 are each assigned an internal-processing parameter such as the control processing time of each function, function execution count, function execution order, or hardware resource usage.
For each type of attack, a pattern of combination data is set that states, for each of the abnormality detection items (frame abnormalities F1 to F4, bus abnormalities B1 to B4, and internal processing abnormalities C1 to C4), whether detection of that item is required.
For example, for attack A21 the pattern states that frame abnormality F1 and internal processing abnormality C4 are always detected; that frame abnormality F3, bus abnormalities B2 and B3, and internal processing abnormalities C2 and C3 are never detected; and that frame abnormalities F2 and F4, bus abnormalities B1 and B4, and internal processing abnormality C1 are indeterminate (they may or may not be detected).
The attack identification unit 30A identifies the type of attack corresponding to the detected abnormalities based on the abnormality data held in the abnormal data holding unit 27A and the abnormality detection patterns 29b for each type of attack held in the abnormality detection pattern holding unit 29A. After the attack identification process, the attack identification unit 30A instructs the abnormal data holding unit 27A to reset (clear) the temporarily held abnormality data (detection data). The attack identification unit 30A performs the same processing (identification by collation) as the attack identification unit 30 shown in FIG. 2.
The attack estimation pattern holding unit 31A holds in advance an attack estimation pattern for each type of attack. The attack estimation pattern for each type of attack consists of combination data of weighting values, one for each of the abnormality detection items.
FIG. 18 is a diagram for explaining an example of the attack estimation patterns, one per type of attack, held in the attack estimation pattern holding unit 31A.
Like the attack estimation pattern 31a shown in FIG. 6, the data representing the attack estimation pattern 31b for each type of attack consists of an attack type item, a plurality of abnormality detection items, and a first total value item.
As in the abnormality detection pattern 29b illustrated in FIG. 17, the attack type item lists the types of attack that can be expected on the in-vehicle network 2 (attacks A31 to A35, ...). Also as in the abnormality detection pattern 29b of FIG. 17, the abnormality detection items comprise the parameters of frame abnormalities F1 to F4, bus abnormalities B1 to B4, and internal processing abnormalities C1 to C4.
For each type of attack, a pattern of combination data (also called a weighting set) is set that assigns a weighting value (any value from 0.0 to 1.0) to each of the abnormality detection items (frame abnormalities F1 to F4, bus abnormalities B1 to B4, and internal processing abnormalities C1 to C4). The first total value is the sum of the weighting values in that attack's weighting set (also called the sum of the set).
When the attack identification unit 30A could not identify the type of attack, the attack estimation unit 32A estimates the type of attack corresponding to the detected abnormalities based on the abnormality data held in the abnormal data holding unit 27A and the attack estimation patterns 31b for each type of attack held in the attack estimation pattern holding unit 31A.
More specifically, for each type of attack held in the attack estimation pattern holding unit 31A (attacks A31 to A35, ...), the attack estimation unit 32A calculates a second total value: the sum, over all abnormality detection items (frame abnormalities F1 to F4, bus abnormalities B1 to B4, and internal processing abnormalities C1 to C4), of the product of the detection flag for that item in the abnormality data (1 if detected, 0 if not) and the weighting value set for that item in the attack estimation pattern 31b (also called the sum of the product set). In doing so it functions as a first calculation unit.
Next, for each type of attack, the attack estimation unit 32A calculates the match rate between the first total value and the second total value (for example, [second total value / first total value] × 100 (%)), functioning as a second calculation unit.
Next, based on the match rate for each attack calculated by the second calculation unit, the attack estimation unit 32A estimates the type of attack corresponding to the abnormalities that the attack identification unit 30A could not identify, functioning as an estimation unit. The estimation unit of the attack estimation unit 32A thus makes it possible to estimate, from the match rates, which known type of attack the unidentified abnormalities most resemble.
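The identification by collation against the detection patterns of FIG. 17 (each item required, never detected, or indeterminate) and the weighted match-rate estimation of FIG. 18 ([second total value / first total value] × 100) in working form, as an added example that is not code from the patent. The pattern for attack A21 follows the prose description above; the remaining patterns, the weights, and the detected item sets are constructed sample data, and the treatment of a detected set that matches more than one pattern (returned as "not identified") is an assumption the patent does not address.

```python
"""Attack identification (exact detection-pattern match) followed by attack
estimation (weighted match rate) over the abnormality detection items of the
patent's Figs. 17 and 18.  All tables below are constructed sample data."""
from typing import Dict, Optional, Set, Tuple

# Detection items: F1-F4 frame, B1-B4 bus, C1-C4 internal processing.
ITEMS: Tuple[str, ...] = ("F1", "F2", "F3", "F4", "B1", "B2", "B3", "B4",
                          "C1", "C2", "C3", "C4")

MUST, NEVER, ANY = "must", "never", "any"   # detection-necessity values per item


def pattern(must: str = "", never: str = "") -> Dict[str, str]:
    """Build a detection pattern; items not listed are ANY (may or may not fire)."""
    pat = {item: ANY for item in ITEMS}
    for item in must.split():
        pat[item] = MUST
    for item in never.split():
        pat[item] = NEVER
    return pat


# Abnormality detection patterns (29b style).  A21 follows the patent's text:
# F1 and C4 always detected, F3/B2/B3/C2/C3 never, the rest indeterminate.
# A22 and A23 are constructed for the example.
DETECTION_PATTERNS: Dict[str, Dict[str, str]] = {
    "A21": pattern(must="F1 C4", never="F3 B2 B3 C2 C3"),
    "A22": pattern(must="B1 B2", never="F1 C4"),
    "A23": pattern(must="F2 F3 C1", never="B4"),
}

# Attack estimation patterns (31b style): weight 0.0-1.0 per item; an item that is
# absent weighs 0.0.  Constructed values.
ESTIMATION_PATTERNS: Dict[str, Dict[str, float]] = {
    "A31": {"F1": 1.0, "C4": 1.0, "F2": 0.5, "B1": 0.5},
    "A32": {"B1": 1.0, "B2": 1.0, "B3": 0.5, "C3": 0.2},
    "A33": {"F2": 1.0, "F3": 1.0, "C1": 0.8, "F4": 0.2},
}


def matches_pattern(detected: Set[str], pat: Dict[str, str]) -> bool:
    """True when every MUST item was detected and no NEVER item was."""
    return all((need != MUST or item in detected) and (need != NEVER or item not in detected)
               for item, need in pat.items())


def identify_attack(detected: Set[str]) -> Optional[str]:
    """Attack identification unit: the attack whose pattern the detected set satisfies.
    None when no pattern matches (the case handed to estimation).  None also when more
    than one pattern matches; the patent does not describe that case (assumption)."""
    hits = [name for name, pat in DETECTION_PATTERNS.items() if matches_pattern(detected, pat)]
    return hits[0] if len(hits) == 1 else None


def match_rates(detected: Set[str]) -> Dict[str, float]:
    """Attack estimation unit, first and second calculation: per attack,
    first total = sum of weights, second total = sum of weights of detected items,
    rate = second total / first total * 100 (%), rounded to one decimal."""
    rates: Dict[str, float] = {}
    for name, weights in ESTIMATION_PATTERNS.items():
        first_total = sum(weights.values())
        second_total = sum(w for item, w in weights.items() if item in detected)
        rates[name] = round(second_total / first_total * 100.0, 1) if first_total else 0.0
    return rates


def estimate_attack(detected: Set[str]) -> Tuple[str, float]:
    """Estimation: the attack with the highest match rate (max() keeps the first on a tie)."""
    rates = match_rates(detected)
    best = max(rates, key=rates.__getitem__)
    return best, rates[best]


def classify(detected: Set[str]) -> Tuple[str, str, Optional[float]]:
    """Whole flow of steps S4: identify; if that fails, estimate.
    Returns (method, attack, match rate); the rate is None for an exact identification."""
    hit = identify_attack(detected)
    if hit is not None:
        return "identified", hit, None
    name, rate = estimate_attack(detected)
    return "estimated", name, rate


if __name__ == "__main__":
    print(classify({"F1", "C4", "B1"}))   # A21 pattern satisfied: identified
    print(classify({"F1", "C4", "B2"}))   # B2 is NEVER for A21: no match, estimated
```

Two properties of the rate a practitioner would check before relying on such a table: the second total counts only items that were detected, so a noisy collection window in which every item fires scores 100 % for every attack, and ties between attacks are possible; since the incident response acts on the highest rate, a deployment needs a minimum acceptable rate and a tie-break rule in addition to the weights.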
When the attack identification unit 30A has identified the type of attack corresponding to the abnormalities, the incident response unit 33 functions as a first incident response unit that performs response processing for the identified type of attack. When the attack estimation unit 32A has estimated the type of attack corresponding to the abnormalities, the incident response unit 33 functions as a second incident response unit that performs response processing for the estimated type of attack.
When the attack identification unit 30A identifies the type of attack corresponding to the abnormalities, the attack identification data output to the incident response unit 33 includes, for example, the attacked CH of the gateway ECU 10A, the abnormal frame, the abnormal internal processing, and data on the identified attack. Based on the attack identification data obtained from the attack identification unit 30A, the incident response unit 33 executes predetermined countermeasure processing for the identified type of attack.
Likewise, when the attack estimation unit 32A estimates the type of attack corresponding to the abnormalities, the attack estimation data output to the incident response unit 33 includes, for example, the attacked CH of the gateway ECU 10A, the abnormal frame, the abnormal internal processing, and data on the estimated attack. Based on the attack estimation data obtained from the attack estimation unit 32A, the incident response unit 33 executes predetermined countermeasure processing for the estimated type of attack; for example, it executes the countermeasure for the type of attack with the highest match rate.
[Operation example]
Next, the processing performed by the security control unit 12A of the gateway ECU 10A according to embodiment (2) is described. This processing is basically the same as that performed by the security control unit 12 of the gateway ECU 10 according to embodiment (1), so the description of the common processing is omitted.
The main difference from embodiment (1) is that the gateway ECU 10A according to embodiment (2) detects internal processing abnormalities in addition to frame abnormalities and bus abnormalities, identifies the type of attack from the combination of these abnormalities, and, when the type of attack cannot be identified, estimates it.
First, the processing performed by the security control unit 12A of the gateway ECU 10A according to embodiment (2) is described with reference to the schematic flowchart shown in FIG. 12.
In step S1, the security control unit 12A judges whether an abnormality caused by a security attack has occurred on the in-vehicle network 2. If it judges that no abnormality has occurred, the processing ends; if it judges that an abnormality has occurred, the processing proceeds to step S2.
In step S2, the security control unit 12A detects the abnormality that occurred in a frame received from an ECU group, on the bus 3 connected to a CH, or in the internal processing of the gateway ECU 10A, and then proceeds to step S3.
In step S3, the security control unit 12A collects the data of the abnormality that occurred in the received frame, on the bus 3, or in the internal processing of the gateway ECU 10A (that is, the abnormality detection results), and then proceeds to step S4.
In step S4, the security control unit 12A uses the collected abnormality data to identify the type of security attack or, when the type of attack cannot be identified, to estimate it, and then proceeds to step S5. In step S5, the security control unit 12A carries out the incident countermeasure corresponding to the identified or estimated type of attack, and the processing ends.
Next, the abnormality detection processing performed by the security control unit 12A of the gateway ECU 10A according to embodiment (2) is described. The frame abnormality and bus abnormality detection processing performed by the security control unit 12A is substantially the same as that described with reference to the flowchart in FIG. 13, so its description is omitted here.
The internal processing abnormality detection processing performed by the security control unit 12A is described with reference to the flowchart shown in FIG. 19. This processing is executed while the gateway ECU 10A is operating.
First, in step S51, the security control unit 12A monitors the state of the internal control processing while each function of the gateway function unit 11 (for example, the frame receiving, transfer, and transmitting functions) is executed, and proceeds to step S52.
In step S52, the security control unit 12A judges whether an internal processing abnormality has been detected, based on the monitored state of the internal processing, that is, on at least one of the control processing time of each function, the function execution count, the function execution order, and the hardware resource usage.
If in step S52 the security control unit 12A judges that no internal processing abnormality has been detected, the abnormality detection processing for the execution of the functions of the gateway function unit 11 ends; if it judges that an abnormality has been detected, the processing proceeds to step S53.
In step S53, the security control unit 12A judges whether it is currently collecting abnormality data caused by a security attack (the abnormality collection state), in other words whether the abnormal data collection unit 26A is active. If it judges that abnormality data is currently being collected, the processing proceeds to step S55. Otherwise, the processing proceeds to step S54, where the security control unit 12A transitions to the state of collecting abnormalities caused by the security attack (in other words, the abnormal data collection unit 26A starts collecting abnormality data), and then proceeds to step S55.
In step S55, the security control unit 12A judges whether the internal processing abnormality detected in step S52 is one that has already been detected since the transition to the abnormality collection state. If it judges that the abnormality has already been detected, the internal processing abnormality detection processing for the execution of the functions of the gateway function unit 11 ends.
If, on the other hand, in step S55 the security control unit 12A judges that the internal processing abnormality has not already been detected (in other words, it is a new abnormality), the processing proceeds to step S56, where the detected internal processing abnormality data is stored in the abnormal data holding unit 27A, and the internal processing abnormality detection processing for the execution of the functions of the gateway function unit 11 ends.
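An added example, not code from the patent, of the internal processing checks described earlier (control processing time, function execution count, function execution order, and hardware resource usage compared against preset normal values) together with the collection window and the de-duplication of steps S53 to S56 of FIG. 19. The function names (receive, transfer, send), the thresholds, the window length, and the observations are constructed for the example; reading "executed in a preset order" as repeated cycles of the listed functions is one possible interpretation, and the C1 to C4 item IDs are used as in FIG. 17.

```python
"""Internal-processing abnormality detection against preset normal patterns
(C1 control processing time, C2 execution count, C3 execution order, C4 hardware
resource usage) plus the collection window of Fig. 19 (S53-S56).  Constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class NormalPattern:
    """Internal processing normal values for one monitoring cycle (unit 36)."""
    max_proc_time_ms: Dict[str, float]               # C1: ceiling per function
    exec_count_range: Dict[str, Tuple[int, int]]     # C2: allowed executions per cycle
    exec_order: Tuple[str, ...]                      # C3: required cyclic order
    resource_range: Dict[str, Tuple[float, float]]   # C4: allowed average usage (%)


@dataclass(frozen=True)
class Observation:
    """What the internal processing monitoring unit saw in one cycle."""
    proc_time_ms: Dict[str, float]
    exec_trace: Sequence[str]           # functions in the order they ran
    resource_usage: Dict[str, float]    # average usage (%) per resource


def order_violated(trace: Sequence[str], order: Tuple[str, ...]) -> bool:
    """True if the ordered functions did not run as repeated cycles of `order`.
    Functions not listed in `order` are ignored (assumption for this example)."""
    expect = 0
    for fn in trace:
        if fn not in order:
            continue
        if fn != order[expect]:
            return True
        expect = (expect + 1) % len(order)
    return False


def check_internal_processing(obs: Observation, normal: NormalPattern) -> Set[str]:
    """Internal processing abnormality detection: return the abnormal item IDs."""
    found: Set[str] = set()
    if any(obs.proc_time_ms.get(fn, 0.0) > limit
           for fn, limit in normal.max_proc_time_ms.items()):
        found.add("C1")
    if any(not lo <= obs.exec_trace.count(fn) <= hi
           for fn, (lo, hi) in normal.exec_count_range.items()):
        found.add("C2")
    if order_violated(obs.exec_trace, normal.exec_order):
        found.add("C3")
    if any(not lo <= obs.resource_usage.get(res, 0.0) <= hi
           for res, (lo, hi) in normal.resource_range.items()):
        found.add("C4")
    return found


class AbnormalDataCollector:
    """Abnormal data collection unit, holding unit and timer in one object.
    The first abnormality opens a window of `window_ms` (S54); inside it each distinct
    item is stored once (S55/S56).  When the timer expires the held set is handed over
    for attack identification and cleared."""

    def __init__(self, window_ms: float) -> None:
        self.window_ms = window_ms
        self.window_start: Optional[float] = None
        self.held: Set[str] = set()

    def collecting(self, now_ms: float) -> bool:
        """S53: are we currently in the abnormality collection state?"""
        return self.window_start is not None and now_ms - self.window_start < self.window_ms

    def report(self, items: Set[str], now_ms: float) -> List[str]:
        """Feed the items detected at `now_ms`; returns those newly stored (sorted).
        Call take_if_expired() first so an elapsed window is not silently discarded."""
        if not items:
            return []
        if not self.collecting(now_ms):            # S53 -> S54: open a new window
            self.window_start, self.held = now_ms, set()
        new = sorted(items - self.held)            # S55: skip already-detected items
        self.held.update(new)                      # S56: store the rest
        return new

    def take_if_expired(self, now_ms: float) -> Optional[Set[str]]:
        """Timer: once the window has elapsed, return the held data and clear it."""
        if self.window_start is None or now_ms - self.window_start < self.window_ms:
            return None
        held, self.window_start, self.held = self.held, None, set()
        return held


# Constructed normal pattern for three gateway functions and two resources.
NORMAL = NormalPattern(
    max_proc_time_ms={"receive": 2.0, "transfer": 3.0, "send": 2.0},
    exec_count_range={"receive": (1, 10), "transfer": (1, 10), "send": (1, 10)},
    exec_order=("receive", "transfer", "send"),
    resource_range={"cpu": (0.0, 80.0), "ram": (0.0, 70.0)},
)

if __name__ == "__main__":
    good = Observation({"receive": 1.0, "transfer": 2.0, "send": 1.0},
                       ["receive", "transfer", "send"] * 2, {"cpu": 40.0, "ram": 50.0})
    bad = Observation({"receive": 1.0, "transfer": 7.5, "send": 1.0},
                      ["receive", "transfer", "send", "transfer", "send"],
                      {"cpu": 95.0, "ram": 50.0})
    print(check_internal_processing(good, NORMAL))   # empty set
    print(check_internal_processing(bad, NORMAL))    # C1, C3 and C4
```

The collector stores each item once per window, which is what makes the held set directly comparable with the required/never/indeterminate columns of the detection pattern: the identification step needs to know which items fired during the window, not how often.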
The abnormality collection processing performed by the security control unit 12A of the gateway ECU 10A according to embodiment (2) is substantially the same as that described with reference to the flowchart in FIG. 14, so its description is omitted here.
The attack identification processing performed by the security control unit 12A of the gateway ECU 10A according to embodiment (2) is substantially the same as that described with reference to the flowchart in FIG. 15, apart from the following differences, so its description is omitted.
One difference is that the abnormality detection patterns 29b, which include internal processing abnormalities as illustrated in FIG. 17, are read from the abnormality detection pattern holding unit 29A and used to identify the type of attack.
The other difference is that when the type of attack cannot be identified (no identical abnormality detection pattern was found), the attack estimation patterns 31b, which include internal processing abnormalities as illustrated in FIG. 18, are read from the attack estimation pattern holding unit 31A and used to estimate the type of attack.
[Action/effect]
The gateway ECU 10A according to embodiment (2) provides the same effects as the gateway ECU 10 according to embodiment (1). In addition, because the security control unit 12A can detect internal processing abnormalities as well as frame and bus abnormalities, it can identify or estimate the type of attack taking these internal processing abnormalities into account, which makes it possible to identify and estimate a wider variety of attacks.
[Modifications]
Although embodiments of the present invention have been described in detail above, the foregoing description is in all respects merely an illustration of the present invention. It goes without saying that various improvements and changes can be made without departing from the scope of the present invention.
For example, the security control units 12 and 12A implemented in the gateway ECUs 10 and 10A may instead be installed in another ECU, or a security ECU equipped with the security control unit 12 or 12A may be connected to the in-vehicle network 2.
In a gateway ECU according to another embodiment, the security control units 12 and 12A may further include an abnormality log accumulation unit that accumulates, as an abnormality log, the abnormality data collected by the abnormal data collection units 26 and 26A. With this configuration, the abnormality data is accumulated as an abnormality log in the abnormality log accumulation unit, so the accumulated log can be used for post-incident analysis.
In a gateway ECU according to another embodiment, the security control units 12 and 12A may further include a notification processing unit that notifies the occupants of the vehicle of an abnormality via a notification device included in the information system ECU group 7 connected to the in-vehicle network 2. A navigation device or an audio device, for example, may serve as the notification device. With this configuration, the notification processing unit can notify the occupants of the abnormality via the notification device, allowing the occupants to respond to it appropriately.
In a gateway ECU according to another embodiment, the security control units 12 and 12A may further include a reporting processing unit that reports an abnormality outside the vehicle via a telematics device or an ITS-related device included in the information system ECU group 7 connected to the in-vehicle network 2. With this configuration, the reporting processing unit can report the abnormality outside the vehicle via the telematics device or ITS-related device acting as an external reporting unit, so that, for example, nearby vehicles, infrastructure equipment, dealers, manufacturers, or public authorities can be informed of the abnormality and an appropriate response can be made from outside the vehicle.
The above embodiments described examples in which the technology according to the present invention is applied to the gateway ECUs 10 and 10A connected to the in-vehicle network 2. The in-vehicle network 2 is one example of a device network to which the technology according to the present invention can be applied. The technology is also applicable to security devices in other device networks, for example an industrial device network in which one or more industrial devices forming an FA (Factory Automation) system are connected via a communication path, a home device network of household devices such as home appliances, or an office device network of office equipment. For example, the application to the in-vehicle network 2 described with reference to FIGS. 1 to 19 can be applied to an industrial device network, a home device network, or an office device network. In that case, various improvements and modifications can be made to suit each device network without departing from the scope of the present invention, and a specific configuration suited to the embodiment can be adopted as appropriate.
The FA systems mentioned above include, for example, conveyance systems for various articles, inspection systems, and robot-based assembly systems. The control devices mounted in the industrial devices that form these FA systems may include at least one of, for example, a programmable controller (hereinafter, PLC), a motion/position controller, a field network device, a wireless device, a sensor, an actuator, a robot, an HMI device, and a data collection device. The communication path connecting the various control devices in an FA system may be wired or wireless. The communication protocol of the device network is not limited to the CAN protocol; a protocol suited to the device network may be adopted.
FIG. 20 is a schematic block diagram showing an example in which a security device according to a modification is applied to an FA system.
The FA system 100 comprises a security device 110, one or more PLCs 104 connected to the security device 110, and input devices 105 and output devices 106 connected to the PLCs 104; these are connected via a bus 103 to form an industrial device network 101. The industrial device network 101 is the communication network of the FA system 100 and communicates according to a predetermined communication protocol such as CAN.
The PLC 104 is an example of a control device forming the FA system 100.
A SCADA (Supervisory Control And Data Acquisition) system 107 and a PC (Personal Computer) 108 are also connected to the security device 110.
In the FA system 100, the technology according to the present invention is installed in the security device 110. The security device 110 may have the same hardware and functional configuration as the security control unit 12 of the gateway ECU 10 according to embodiment (1), or the same hardware and functional configuration as the security control unit 12A of the gateway ECU 10A according to embodiment (2).
In this case, the attack type items held in the abnormality detection pattern holding units 29 and 29A and the attack estimation pattern holding units 31 and 31A (see FIGS. 3, 6, 17, and 18) are set to the types of attack that can be expected on the industrial device network 101, and an abnormality detection pattern and an attack estimation pattern are set for each of those attack types.
The PLC 104 comprises, for example, a control unit including a processor that executes a predetermined program, an input/output unit to which the input devices 105 and output devices 106 are connected, and a communication unit to which the security device 110 and the like are connected. The input devices 105 include, for example, various sensors and switches. The output devices 106 include controlled devices such as various actuators, robots, relays, and valves. The input devices 105 and output devices 106 may be connected directly to the PLC 104 or via a field network.
 PLC104は、入力機器105からデータを入力し、所定のプログラムにしたがって演算処理を実行し、得られた演算結果に基づいて、出力機器106に対し、オン/オフなどの動作信号を出力する制御などを実行する。
 SCADA107は、FAシステム100の運用状態を監視したり、プロセス制御などを実行したりするコンピュータ装置である。PC108は、汎用のコンピュータ装置であり、PC108を操作することで、FAシステム100を構成する各種機器の設定などのメンテナンス操作が行えるようになっている。
The PLC 104 receives data from the input device 105, executes arithmetic processing according to a predetermined program, and outputs an operation signal such as on/off to the output device 106 based on the obtained arithmetic result. To execute.
The SCADA 107 is a computer device that monitors the operating state of the FA system 100 and executes process control and the like. The PC 108 is a general-purpose computer device, and by operating the PC 108, maintenance operations such as setting of various devices included in the FA system 100 can be performed.
 セキュリティ装置110によれば、実施の形態(1)に係るゲートウェイECU10、又は実施の形態(2)に係るゲートウェイECU10Aと同様の構成を備えているので、ゲートウェイECU10、又はゲートウェイECU10Aと同様の効果をFAシステム100で得ることができる。 Since the security device 110 has the same configuration as the gateway ECU 10 according to the embodiment (1) or the gateway ECU 10A according to the embodiment (2), the same effect as the gateway ECU 10 or the gateway ECU 10A can be obtained. It can be obtained with the FA system 100.
 すなわち、セキュリティ装置110によれば、FAシステム100を構成する産業機器ネットワーク101に対する攻撃が実行された場合に、FAシステム100内で、すなわちセキュリティ装置110において、負荷が軽減された処理でその攻撃が判定され、判定された攻撃に応じたインシデント対応処理が実行される。これにより、迅速なインシデント対応が可能となり、FAシステム100のオペレータは、セキュリティの脅威に対して不安を抱くことなく、より安心してFAシステムを運用することが可能となる。 That is, according to the security device 110, when an attack is performed on the industrial equipment network 101 that constitutes the FA system 100, the attack is performed in the FA system 100, that is, in the security device 110 by a process with a reduced load. It is determined that incident response processing is performed according to the determined attack. As a result, prompt incident response can be performed, and the operator of the FA system 100 can operate the FA system with more peace of mind without worrying about security threats.
 図21は、別の変形例に係るFAシステムを示す概略ブロック図である。但し、図20に示したFAシステム100と同一機能を有する構成には、同一符号を付し、その説明を省略することとする。 FIG. 21 is a schematic block diagram showing an FA system according to another modification. However, components having the same functions as those of the FA system 100 shown in FIG. 20 are designated by the same reference numerals, and the description thereof will be omitted.
 図20に示したFAシステム100では、セキュリティ装置110がPLC104とは別の装置として装備され、セキュリティ装置110がPLC104にそれぞれ接続されている構成となっている。一方、図21に示すFAシステム100Aでは、PLC104Aに、本発明に係るセキュリティ装置として機能するセキュリティ処理部1041が装備されている。セキュリティ処理部1041は、例えば、セキュリティ機能を実現するソフトウェアモジュールで構成され、実施の形態(1)に係るゲートウェイECU10のセキュリティ制御部12を構成する各部の機能が装備されてもよいし、実施の形態(2)に係るゲートウェイECU10Aのセキュリティ制御部12Aを構成する各部の機能が装備されてもよい。 In the FA system 100 shown in FIG. 20, the security device 110 is equipped as a device different from the PLC 104, and the security device 110 is connected to the PLC 104. On the other hand, in the FA system 100A shown in FIG. 21, the PLC 104A is equipped with a security processing unit 1041 that functions as a security device according to the present invention. The security processing unit 1041 is composed of, for example, a software module that realizes a security function, and may be equipped with the function of each unit that forms the security control unit 12 of the gateway ECU 10 according to the embodiment (1). The function of each unit forming the security control unit 12A of the gateway ECU 10A according to the form (2) may be provided.
 この場合、FAシステム100Aに含まれる全てのPLC104Aにセキュリティ処理部1041がそれぞれ装備されてもよいし、FAシステム100Aに含まれる複数のPLC104Aのうちのいずれか1以上のPLC104Aにセキュリティ処理部1041が装備されてもよい。 In this case, the security processing unit 1041 may be installed in each of the PLCs 104A included in the FA system 100A, or the security processing unit 1041 may be provided in any one or more of the PLCs 104A included in the FA system 100A. May be equipped.
 セキュリティ処理部1041が装備されたPLC104Aによれば、ゲートウェイECU10、又はゲートウェイECU10Aと同様の効果をFAシステム100Aで得ることができる。 According to the PLC 104A equipped with the security processing unit 1041, it is possible to obtain the same effect as the gateway ECU 10 or the gateway ECU 10A in the FA system 100A.
 すなわち、セキュリティ処理部1041が搭載されたPLC104Aによれば、FAシステム100Aを構成する産業機器ネットワーク101に対する攻撃が実行された場合に、FAシステム100A内で、すなわちPLC104Aにおいて、負荷が軽減された処理でその攻撃が判定され、判定された攻撃に応じたインシデント対応処理が実行される。これにより、迅速なインシデント対応が可能となり、FAシステム100Aのオペレータは、セキュリティの脅威に対して不安を抱くことなく、より安心してFAシステムを運用することが可能となる。 That is, according to the PLC 104A in which the security processing unit 1041 is installed, when an attack is performed on the industrial equipment network 101 that constitutes the FA system 100A, the processing in which the load is reduced in the FA system 100A, that is, in the PLC 104A. Then, the attack is determined, and the incident response processing is executed according to the determined attack. As a result, prompt incident response becomes possible, and the operator of the FA system 100A can operate the FA system with more peace of mind without fear of security threats.
 なお、図21では、FAシステム100Aを構成するPLC104Aにセキュリティ処理部1041が装備されている場合について説明したが、さらに別の変形例では、FAシステムに含まれるPLCとは別の制御機器にセキュリティ処理部1041の機能が装備されてもよい。 Note that, in FIG. 21, the case where the PLC 104A configuring the FA system 100A is equipped with the security processing unit 1041 has been described, but in yet another modified example, security is provided to a control device different from the PLC included in the FA system. The function of the processing unit 1041 may be provided.
 本発明は、車載機器、又は産業機器などの1以上の機器が通信路を介して接続された機器ネットワークに発生した攻撃の種類を特定又は推定したり、特定又は推定された攻撃の種類に対する対応処理を実行したりするセキュリティ装置関連の産業分野において広く利用することができる。 The present invention specifies or estimates the type of attack that has occurred in a device network in which one or more devices such as in-vehicle devices or industrial devices are connected via a communication path, and responds to the specified or estimated type of attack. It can be widely used in the industrial field related to security devices that execute processing.
[Supplementary notes]
Embodiments of the present invention may also be described by the following supplementary notes, but are not limited to them.
(Supplementary note 1)
A security device (10) included in a device network (2) in which one or more control devices (5, 6, 7) are connected via a bus (3), comprising:
 an abnormality detection unit (22, 24) that detects an abnormality caused by an attack on the device network (2);
 an abnormality data collection unit (26) that collects data of the abnormality detected by the abnormality detection unit (22, 24);
 an abnormality data holding unit (27) that holds the abnormality data collected by the abnormality data collection unit (26);
 an abnormality detection pattern holding unit (29) that holds an abnormality detection pattern for each type of attack, each pattern being made up of combination data indicating, for each of a plurality of abnormality detection items, whether detection of that item is required; and
 an attack identification unit (30) that identifies the type of attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit (27) and the abnormality detection patterns for each type of attack held in the abnormality detection pattern holding unit (29).
(Supplementary note 2)
An attack identification method executed by at least one computer (10) included in a device network (2) in which one or more control devices (5, 6, 7) are connected via a bus (3), the method comprising:
 an abnormality detection step (S2) of detecting an abnormality caused by an attack on the device network (2);
 an abnormality data collection step (S3) of collecting data of the abnormality detected in the abnormality detection step (S2);
 a holding step (S16) of holding the abnormality data collected in the abnormality data collection step (S3) in an abnormality data holding unit (27); and
 an attack identification step (S4) of identifying the type of attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit (27) and the abnormality detection patterns for each type of attack held in an abnormality detection pattern holding unit (29),
 wherein the abnormality detection pattern for each type of attack is made up of combination data indicating, for each of a plurality of abnormality detection items, whether detection of that item is required.
(Supplementary note 3)
A program to be executed by a computer (10) connected to a device network (2), the program causing the computer (10) to execute:
 an abnormality detection step (S2) of detecting an abnormality caused by an attack on the device network (2);
 an abnormality data collection step (S3) of collecting data of the abnormality detected in the abnormality detection step;
 a holding step (S16) of holding the abnormality data collected in the abnormality data collection step (S3) in an abnormality data holding unit (27); and
 an attack identification step (S4) of identifying the type of attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit (27) and the abnormality detection patterns for each type of attack held in an abnormality detection pattern holding unit (29),
 wherein the abnormality detection pattern for each type of attack is made up of combination data indicating, for each of a plurality of abnormality detection items, whether detection of that item is required.
1 Vehicle
2 In-vehicle network (device network)
3 Bus
4 OBDII
5 Drive system ECU group
6 Body system ECU group
7 Information system ECU group
10, 10A Gateway ECU (security device)
11 Gateway function unit
12, 12A Security control unit
21 Frame reception unit
22 Frame abnormality detection unit
23 Bus monitoring unit
24 Bus abnormality detection unit
25 Normal value holding unit
25A Frame normal value holding unit
25B Bus normal value holding unit
26, 26A Abnormality data collection unit
27, 27A Abnormality data holding unit
28 Timer
29, 29A Abnormality detection pattern holding unit
30, 30A Attack identification unit
31, 31A Attack estimation pattern holding unit
32, 32A Attack estimation unit
33 Incident response unit
100, 100A FA system
101 Industrial equipment network (device network)
103 Bus
104, 104A PLC
1041 Security processing unit
105 Input device
106 Output device
107 SCADA
108 PC
110 Security device

Claims (21)

  1.  A security device included in a device network in which one or more devices are connected via a communication path, comprising:
      an abnormality detection unit that detects an abnormality caused by an attack on the device network;
      an abnormality data collection unit that collects data of the abnormality detected by the abnormality detection unit;
      an abnormality data holding unit that holds the abnormality data collected by the abnormality data collection unit;
      an abnormality detection pattern holding unit that holds an abnormality detection pattern for each type of the attack, each pattern being made up of combination data indicating, for each of a plurality of abnormality detection items, whether detection of that item is required; and
      an attack identification unit that identifies the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the abnormality detection patterns held in the abnormality detection pattern holding unit.
  2.  The security device according to claim 1, further comprising:
      an attack estimation pattern holding unit that holds an attack estimation pattern for each type of the attack, each pattern being made up of combination data of weighting values for each of the plurality of abnormality detection items; and
      an attack estimation unit that, when the attack identification unit cannot identify the type of the attack, estimates the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the attack estimation patterns held in the attack estimation pattern holding unit.
  3.  The security device according to claim 1, wherein
      the abnormality data held in the abnormality data holding unit includes data indicating, for each of the plurality of abnormality detection items, whether that item was detected, and
      the attack identification unit identifies the type of the attack corresponding to the abnormality by comparing the data indicating whether each of the plurality of abnormality detection items was detected with the abnormality detection patterns.
  4.  The security device according to claim 2, wherein
      the abnormality data held in the abnormality data holding unit includes data indicating, for each of the plurality of abnormality detection items, whether that item was detected,
      the attack estimation pattern includes a first total value indicating the sum of the combination data of the weighting values, and
      the attack estimation unit comprises:
      a first calculation unit that calculates, for each type of the attack, a second total value indicating the sum of the products of the data indicating whether each of the plurality of abnormality detection items was detected and the corresponding weighting value;
      a second calculation unit that calculates, for each type of the attack, a match rate between the first total value and the second total value; and
      an estimation unit that estimates the type of the attack corresponding to the abnormality based on the match rate calculated by the second calculation unit.
  5.  The security device according to any one of claims 1 to 4, further comprising a message normal value holding unit that holds a normal value for each of the plurality of abnormality detection items for the case in which a message received via the communication path is normal, wherein
      the plurality of abnormality detection items includes one or more items relating to an abnormality of the message,
      the abnormality detection unit comprises a message abnormality detection unit that detects a message abnormality caused by the attack based on the normal values of the plurality of abnormality detection items held in the message normal value holding unit, and
      the abnormality data collection unit collects data of the message abnormality detected by the message abnormality detection unit.
  6.  The security device according to any one of claims 1 to 4, further comprising a communication path normal value holding unit that holds a normal value for each of the plurality of abnormality detection items for the case in which the state of the communication path is normal, wherein
      the plurality of abnormality detection items includes one or more items relating to an abnormality of the communication path,
      the abnormality detection unit comprises a communication path abnormality detection unit that detects a communication path abnormality caused by the attack based on the normal values of the plurality of abnormality detection items held in the communication path normal value holding unit, and
      the abnormality data collection unit collects data of the communication path abnormality detected by the communication path abnormality detection unit.
  7.  The security device according to any one of claims 1 to 4, further comprising an internal processing normal value holding unit that holds a normal value for each of the plurality of abnormality detection items for the case in which the internal processing of the security device is normal, wherein
      the plurality of abnormality detection items includes one or more items relating to an abnormality of the internal processing,
      the abnormality detection unit comprises an internal processing abnormality detection unit that detects an abnormality of the internal processing based on the normal values of the plurality of abnormality detection items held in the internal processing normal value holding unit, and
      the abnormality data collection unit collects data of the abnormality of the internal processing detected by the internal processing abnormality detection unit.
  8.  The security device according to any one of claims 1 to 4, wherein the abnormality data collection unit collects data of abnormalities detected within a predetermined time after the abnormality detection unit detects the abnormality.
  9.  The security device according to any one of claims 1 to 4, further comprising an abnormality log storage unit that stores the abnormality data collected by the abnormality data collection unit as an abnormality log.
  10.  The security device according to claim 1 or 3, further comprising a first incident response unit that, when the attack identification unit identifies the type of the attack corresponding to the abnormality, performs response processing for the identified type of attack.
  11.  The security device according to claim 2 or 4, further comprising a second incident response unit that, when the attack estimation unit estimates the type of the attack corresponding to the abnormality, performs response processing for the estimated type of attack.
  12.  The security device according to any one of claims 1 to 4, further comprising a notification processing unit that operates a notification unit connected to the device network to notify of the abnormality.
  13.  The security device according to any one of claims 1 to 4, further comprising a reporting processing unit that operates an external reporting unit connected to the device network to report the abnormality to the outside.
  14.  The security device according to any one of claims 1 to 4, wherein
      the devices are control devices mounted in a vehicle, and
      the device network is an in-vehicle network.
  15.  The security device according to any one of claims 1 to 4, wherein
      the devices are control devices mounted on industrial equipment that makes up an FA (Factory Automation) system, and
      the device network is an industrial equipment network that makes up the FA system.
  16.  An attack identification method executed by at least one computer included in a device network in which one or more devices are connected via a communication path, the method comprising:
      an abnormality detection step of detecting an abnormality caused by an attack on the device network;
      an abnormality data collection step of collecting data of the abnormality detected in the abnormality detection step;
      a holding step of holding the abnormality data collected in the abnormality data collection step in an abnormality data holding unit; and
      an attack identification step of identifying the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the abnormality detection patterns for each type of the attack held in an abnormality detection pattern holding unit,
      wherein the abnormality detection pattern is made up of combination data indicating, for each of a plurality of abnormality detection items, whether detection of that item is required.
  17.  The attack identification method according to claim 16, further comprising an attack estimation step of, when the type of the attack cannot be identified in the attack identification step, estimating the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the attack estimation patterns for each type of the attack held in an attack estimation pattern holding unit,
      wherein the attack estimation pattern is made up of combination data of weighting values for each of the plurality of abnormality detection items.
  18.  A program to be executed by at least one computer included in a device network in which one or more devices are connected via a communication path, the program causing the at least one computer to execute:
      an abnormality detection step of detecting an abnormality caused by an attack on the device network;
      an abnormality data collection step of collecting data of the abnormality detected in the abnormality detection step;
      a holding step of holding the abnormality data collected in the abnormality data collection step in an abnormality data holding unit; and
      an attack identification step of identifying the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the abnormality detection patterns for each type of the attack held in an abnormality detection pattern holding unit,
      wherein the abnormality detection pattern is made up of combination data indicating, for each of a plurality of abnormality detection items, whether detection of that item is required.
  19.  The program according to claim 18, further causing the at least one computer to execute an attack estimation step of, when the type of the attack cannot be identified in the attack identification step, estimating the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the attack estimation patterns for each type of the attack held in an attack estimation pattern holding unit,
      wherein the attack estimation pattern is made up of combination data of weighting values for each of the plurality of abnormality detection items.
  20.  A computer-readable storage medium storing a program to be executed by at least one computer included in a device network in which one or more devices are connected via a communication path, the program causing the at least one computer to execute:
      an abnormality detection step of detecting an abnormality caused by an attack on the device network;
      an abnormality data collection step of collecting data of the abnormality detected in the abnormality detection step;
      a holding step of holding the abnormality data collected in the abnormality data collection step in an abnormality data holding unit; and
      an attack identification step of identifying the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the abnormality detection patterns for each type of the attack held in an abnormality detection pattern holding unit,
      wherein the abnormality detection pattern is made up of combination data indicating, for each of a plurality of abnormality detection items, whether detection of that item is required.
  21.  The computer-readable storage medium according to claim 20, storing a program that further causes the at least one computer to execute an attack estimation step of, when the type of the attack cannot be identified in the attack identification step, estimating the type of the attack corresponding to the abnormality based on the abnormality data held in the abnormality data holding unit and the attack estimation patterns for each type of the attack held in an attack estimation pattern holding unit,
      wherein the attack estimation pattern is made up of combination data of weighting values for each of the plurality of abnormality detection items.
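The identification and estimation flow of claims 1 to 4, with the time-window collection of claim 8, as an added Python example that is not part of the patent or of the applicant's implementation. The item names, patterns, weights, window and threshold are constructed for the demo, and the "match rate" of claim 4 is taken here as the second total divided by the first total, which is one reading of the claim.

```python
"""Attack identification (claims 1, 3) and weighted estimation (claims 2, 4) over
anomaly data collected within a time window (claim 8). Added example, not code
from the patent or its applicant; all names and values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Abnormality detection items (constructed; the patent does not enumerate them here).
ITEMS = ("frame_id_unknown", "frame_period", "frame_dlc",
         "bus_load", "error_frames", "internal_cpu")


@dataclass
class DetectionPattern:
    """Claim 1: per attack type, whether each item must be detected (True) or absent (False)."""
    attack_type: str
    required: Dict[str, bool]


@dataclass
class EstimationPattern:
    """Claims 2 and 4: per attack type, a weighting value per item; first_total is their sum."""
    attack_type: str
    weights: Dict[str, float]

    @property
    def first_total(self) -> float:
        return sum(self.weights.values())


@dataclass
class AnomalyEvent:
    """One detection raised by the abnormality detection unit: time (s) and item name."""
    t: float
    item: str


DETECTION_PATTERNS = [  # constructed sample patterns
    DetectionPattern("message_injection", dict(zip(ITEMS, (False, True, False, True, False, False)))),
    DetectionPattern("bus_flooding", dict(zip(ITEMS, (True, True, False, True, True, True)))),
]
ESTIMATION_PATTERNS = [  # constructed sample weights
    EstimationPattern("message_injection", dict(zip(ITEMS, (1, 3, 1, 2, 0, 0)))),  # first_total 7
    EstimationPattern("bus_flooding", dict(zip(ITEMS, (2, 2, 0, 3, 2, 1)))),       # first_total 10
]


def collect_anomaly_data(events: List[AnomalyEvent], window: float) -> Dict[str, bool]:
    """Claim 8: keep only detections within `window` seconds of the first one and
    return a detected/not-detected flag per item (the data held in the holding unit)."""
    detected = {item: False for item in ITEMS}
    if not events:
        return detected
    t0 = min(e.t for e in events)
    for e in events:
        if e.item in detected and e.t - t0 <= window:
            detected[e.item] = True
    return detected


def identify_attack(detected: Dict[str, bool],
                    patterns: List[DetectionPattern]) -> Optional[str]:
    """Claim 3: the flags must match one pattern exactly, item by item."""
    for p in patterns:
        if all(detected[i] == p.required[i] for i in ITEMS):
            return p.attack_type
    return None


def estimate_attack(detected: Dict[str, bool], patterns: List[EstimationPattern],
                    threshold: float) -> Optional[Tuple[str, float]]:
    """Claim 4: second_total = sum(flag * weight); match rate = second_total / first_total
    (the ratio is this example's reading of the claim's 'match rate'). Returns the best
    attack type and its rate when the rate reaches `threshold`, else None."""
    best: Optional[Tuple[str, float]] = None
    for p in patterns:
        second_total = sum(p.weights[i] * (1 if detected[i] else 0) for i in ITEMS)
        rate = second_total / p.first_total if p.first_total else 0.0
        if best is None or rate > best[1]:
            best = (p.attack_type, rate)
    return best if best is not None and best[1] >= threshold else None


def classify(events: List[AnomalyEvent], window: float = 1.0,
             threshold: float = 0.7) -> Dict[str, object]:
    """Collect, then identify (claim 1); if no exact match, estimate (claim 2);
    if the best rate is below the threshold, report unknown rather than guess."""
    detected = collect_anomaly_data(events, window)
    attack = identify_attack(detected, DETECTION_PATTERNS)
    if attack is not None:
        return {"result": "identified", "attack_type": attack, "match_rate": 1.0}
    est = estimate_attack(detected, ESTIMATION_PATTERNS, threshold)
    if est is not None:
        return {"result": "estimated", "attack_type": est[0], "match_rate": est[1]}
    return {"result": "unknown", "attack_type": None, "match_rate": None}


if __name__ == "__main__":
    # Constructed sample: four detections within the window that match no pattern exactly.
    sample = [AnomalyEvent(0.0, "frame_id_unknown"), AnomalyEvent(0.1, "frame_period"),
              AnomalyEvent(0.2, "bus_load"), AnomalyEvent(0.4, "error_frames")]
    print(classify(sample))  # estimated bus_flooding with match rate 0.9
```

The threshold is the piece the claims leave to the implementer: without it, the estimation unit would always name the closest pattern, even for a single stray detection.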
PCT/JP2019/045105 2019-01-29 2019-11-18 Security apparatus, attack identification method, program, and storage medium WO2020158118A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2019-012956 2019-01-29
JP2019012956 2019-01-29
JP2019-136882 2019-07-25
JP2019136882A JP2020123307A (en) 2019-01-29 2019-07-25 Security device, attack specification method, and program

Publications (1)

Publication Number Publication Date
WO2020158118A1 true WO2020158118A1 (en) 2020-08-06

Family

ID=71842027

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/045105 WO2020158118A1 (en) 2019-01-29 2019-11-18 Security apparatus, attack identification method, program, and storage medium

Country Status (1)

Country Link
WO (1) WO2020158118A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013168763A (en) * 2012-02-15 2013-08-29 Hitachi Ltd Security monitoring system and security monitoring method
WO2018100783A1 (en) * 2016-12-01 2018-06-07 住友電気工業株式会社 Detector, detection method and detection program
WO2018186054A1 (en) * 2017-04-07 2018-10-11 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Method for determining reference for unauthorized communication detection, system for determining reference for unauthorized communication detection, and program
JP2019008618A (en) * 2017-06-26 2019-01-17 パナソニックIpマネジメント株式会社 Information processing apparatus, information processing method, and program

Similar Documents

Publication Publication Date Title
JP2020123307A (en) Security device, attack specification method, and program
CN106462702B (en) Method and system for acquiring and analyzing electronic forensic data in a distributed computer infrastructure
EP3744583A1 (en) Data analysis device and program
WO2020075800A1 (en) Analyzing device, analysis system, analysis method, and program
US20210385244A1 (en) Electronic control device, fraud detection server, in-vehicle network system, in-vehicle network monitoring system, and in-vehicle network monitoring method
US10178094B2 (en) Communication system and information collection method executed in communication system
EP3744582B1 (en) Data analysis device and program
CN107845159B (en) Operation monitoring system of automatic driving vehicle evaluation system
CN112639909B (en) Apparatus, data transmission method, and recording medium
CN106919163B (en) Communication system and the formation gathering method executed in a communications system
JP7149888B2 (en) Information processing device, information processing method and program
CN113364746A (en) Equipment identification method, device, equipment and computer storage medium
JP7346688B2 (en) Information processing device, information processing method and program
CN106973034A (en) System and method for the data of connection object
WO2020158118A1 (en) Security apparatus, attack identification method, program, and storage medium
JP2014031077A (en) Vehicle operation verification system
CN110466450A (en) Automobile Safety-Detection System
JP7318710B2 (en) Security device, incident response processing method, program, and storage medium
WO2020075809A1 (en) Information processing device, data analysis method, and program
WO2020012822A1 (en) Computation system and computation device
JP7160206B2 (en) SECURITY DEVICE, ATTACK RESPONSE PROCESSING METHOD, COMPUTER PROGRAM AND STORAGE MEDIUM
JP7259966B2 (en) Security device, setting change method, program, and storage medium
US20230319085A1 (en) Attack path generation method and attack path generation device
Biswas Machine Learning Based Intrusion Detection in Controller Area Network
CN115858508A (en) Vehicle data processing method and device and vehicle

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19914013; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19914013; Country of ref document: EP; Kind code of ref document: A1)