WO2021019636A1 - セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体 - Google Patents

セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体 Download PDF

Info

Publication number
WO2021019636A1
WO2021019636A1 PCT/JP2019/029627 JP2019029627W WO2021019636A1 WO 2021019636 A1 WO2021019636 A1 WO 2021019636A1 JP 2019029627 W JP2019029627 W JP 2019029627W WO 2021019636 A1 WO2021019636 A1 WO 2021019636A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
attack
response
attacks
incident
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2019/029627
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
泰生 山本
直樹 廣部
徹 小河原
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Omron Corp
Original Assignee
Omron Corp
Omron Tateisi Electronics Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Omron Corp, Omron Tateisi Electronics Co filed Critical Omron Corp
Priority to PCT/JP2019/029627 priority Critical patent/WO2021019636A1/ja
Priority to JP2021536478A priority patent/JP7318710B2/ja
Publication of WO2021019636A1 publication Critical patent/WO2021019636A1/ja
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks

Definitions

  • the present invention relates to a security device, an incident response processing method, a program, and a storage medium.
  • Patent Document 1 discloses an in-vehicle communication system composed of a plurality of vehicle control devices connected to a network constructed in a vehicle and a gateway communication control device that manages communication between these vehicle control devices. ..
  • the gateway communication control device determines communication reliability (normal or abnormal) based on data or signals whose reliability can be confirmed contained in the message when the reception of a message from a certain vehicle control device is completed or during reception. .. Then, when the communication result is normal, the gateway communication control device continues the gateway transmission to the other vehicle control device, and when the communication result is abnormal, the gateway transmission is interrupted or an abnormal message is sent to the gateway transmission data. The process to be added to is executed.
  • the gateway communication control device detects an abnormality based on the information received from each of the vehicle control devices during communication between a plurality of vehicle control devices via the gateway communication control device. From the viewpoint of securing, measures are taken such as stopping the communication between the vehicle control devices and not relaying the received information.
  • the present invention has been made in view of the above problems, and even when information on a plurality of attacks on a device network is acquired, an incident is dealt with against these attacks under appropriate conditions in consideration of the state of the device. It is an object of the present invention to provide a security device, an incident response processing method, a program, and a storage medium capable of promptly implementing the above.
  • the security device (1) is a security device included in a device network in which one or more devices are connected via a communication path.
  • An attack information acquisition unit that acquires attack information (hereinafter referred to as attack information) identified or estimated based on an abnormality that has occurred in the device network.
  • a device information acquisition unit that acquires information on the state of the device (hereinafter referred to as device information),
  • a response information storage unit that stores information (hereinafter referred to as response information) associated with the incident response and the level of function restriction due to the response for each type of attack.
  • response information that determines the incident response to be implemented for the attack included in the attack information, and a response determination unit.
  • the correspondence decision unit When the acquired attack information includes two or more attacks on one communication path or one device, the level of the function limitation of these attacks and the acquired device information are taken into consideration. , Determines the implementation conditions for the incident response to the two or more attacks.
  • the corresponding implementation department It is characterized in that the incident response to the two or more attacks is carried out based on the determined execution conditions.
  • the security device (1) even if the acquired attack information includes the two or more attacks, the level of the function restriction associated with the incident response to these attacks.
  • the incident response to the two or more attacks is determined in consideration of the acquired device information, and the incident response to the two or more attacks is determined based on the determined implementation conditions. Is carried out.
  • the security device alone responds to the two or more attacks included in the attack information under appropriate conditions in consideration of the level of the function limitation of these attacks and the state of the device. It can be carried out efficiently and quickly.
  • the communication path may be a wired communication path, a wireless communication path, or a communication path including wired and wireless communication paths.
  • the security device (2) is the above-mentioned security device (1). It is provided with an execution condition storage unit that stores table information indicating the relationship between the type of the communication path included in the target of the attack, the device information, and the execution condition.
  • the correspondence decision unit When the acquired attack information includes the two or more attacks, it corresponds to the one communication path targeted by the attack and the acquired device information based on the table information. It is characterized in that it determines the above-mentioned implementation conditions.
  • the table information stores the relationship between the communication path type, the device information, and the implementation conditions, so that the correspondence determination unit stores the table information.
  • the security device (3) is the above-mentioned security device (1) or (2).
  • the implementation conditions include conditions for implementation in descending or ascending order of the functional restriction level.
  • the incident response to the attack also differs depending on the type of the attack. Therefore, if the incident response to the attack has a content that affects only a part of the equipment, for example, blocking some messages or not forwarding some messages, the incident response As a result, the level of the functional restriction becomes low. On the other hand, if the incident response to the attack affects many parts of the equipment, for example, blocking all messages or not forwarding all messages, the function limitation associated with the incident response The level goes up.
  • the incident response is executed in descending order of the function restriction level (in other words, in order from the response with the larger function restriction) for the two or more attacks. It is possible to execute the incident response in ascending order of the function restriction level (in other words, in order from the response with the smaller function restriction). Therefore, the incident response can be executed in the order suitable for the state of the device.
  • the incident response is executed in descending order of the function restriction level, thereby avoiding duplicate responses. It is possible to quickly prevent the spread of damage caused by the attack.
  • the incident response is executed in ascending order of the function restriction level to avoid duplicate responses. At the same time, it is possible to prevent the functions of the device from being excessively restricted, and it is possible to carry out the incident response so as not to impair the convenience of the device.
  • the security device (4) is the above-mentioned security device (1) or (2).
  • the implementation condition is characterized in that the implementation condition includes a condition for carrying out the incident response to the attack having a higher level or a lower level of the function restriction.
  • the incident response with the higher level of the function restriction is executed, or the incident response with the lower level of the function restriction is performed. It is possible to execute it. Therefore, the incident response that is suitable for the state of the device can be preferentially executed, and the same effect as that of the security device (3) can be obtained.
  • the security device (5) is the security device (1) to (4) described above.
  • the device is a control device mounted on a vehicle.
  • the device network is characterized in that it is an in-vehicle network.
  • the security device (5) when one or more control devices are attacked by the vehicle-mounted network connected via the communication path, the vehicle alone is included in the attack information. With respect to the two or more attacks, the incident response can be efficiently and quickly carried out under appropriate conditions in consideration of the level of the functional limitation of the attacks and the state of the equipment. Therefore, the user of the vehicle can get on the vehicle with more peace of mind without worrying about the security threat.
  • the security device (6) is the above-mentioned security device (5).
  • the control device includes at least one of a traveling system control device, a driving support system control device, a body system control device, an information system control device, and a diagnostic connector device of the vehicle.
  • the device information is characterized by including information regarding at least one vehicle state during manual driving, driving assistance, reprogramming, and parking.
  • the security device (6) even when two or more attacks on any of the above-mentioned control devices or any of the communication paths of these control devices are included, they are attacked against these attacks. , The incident response can be efficiently and promptly carried out under appropriate conditions in consideration of the level of the functional limitation of these attacks and the vehicle condition.
  • the higher level of the functional restriction is said.
  • the incident response is executed from the incident response having the lower level of the function restriction. By doing so, it is possible to execute the incident response while avoiding duplicate responses and suppressing the function of the control device from being excessively restricted.
  • the security device (7) is the security device (1) to (4) described above.
  • the device is a control device mounted on an industrial device constituting an FA (Factory Automation) system.
  • the device network is an industrial device network that constitutes the FA system.
  • the security device (7) when one or more control devices are attacked against the industrial device network connected via the communication path, the industrial device alone can be used as the attack information. With respect to the two or more of the attacks included, the incident response can be efficiently and promptly carried out under appropriate conditions in consideration of the level of the functional limitation of the attacks and the state of the control device. Therefore, the user (for example, the operator) of the industrial equipment can use the industrial equipment with more peace of mind without worrying about security threats.
  • the security device (8) is the above-mentioned security device (7).
  • the control device Includes at least one of the industrial equipment programmable controllers, field network equipment, wireless equipment, sensors, actuators, robots, HMI (Human Machine Interface) equipment, and data acquisition equipment.
  • the device information includes information on at least one of the operation phases of the industrial device, that is, during start-up, normal operation, pause, stop, and reprogramming. It is characterized by that.
  • the security device (8) even if two or more attacks against any of the above-mentioned control devices or any of the above-mentioned communication paths of these control devices are included, the attack is against these attacks.
  • the incident response can be efficiently and promptly carried out under appropriate conditions in consideration of the level of the functional limitation of these attacks and the operation phase of the industrial equipment.
  • two or more attacks on the programmable controller or the communication path of the field network device are identified or presumed during the start-up, normal operation, pause, or stop of the industrial device.
  • the incident response with the higher level of the function restriction, it is possible to promptly prevent the spread of damage due to the attack while avoiding duplicate responses.
  • the one having the lower level of the functional restriction is said.
  • the incident response processing method is an incident response processing method executed by at least one computer included in a device network in which one or more devices are connected via a communication path.
  • An attack information acquisition step for acquiring information on an attack identified or estimated based on an abnormality occurring in the device network (hereinafter referred to as attack information).
  • a device information acquisition step for acquiring information on the state of the device (hereinafter referred to as device information), and The attack information is included in the attack information based on the acquired information and the information stored in association with the incident response and the level of function restriction due to the response (hereinafter referred to as response information) for each type of attack.
  • a response decision step that determines the incident response to be implemented against the attack, and Including the response implementation step to implement the determined incident response.
  • the correspondence determination step When the acquired attack information includes two or more attacks on one communication path or one device, the level of the function limitation of these attacks and the acquired device information are taken into consideration. Including the step of determining the implementation conditions of the incident response to the two or more attacks.
  • the incident response implementation step It is characterized by including a step of carrying out the incident response to the two or more attacks based on the determined execution conditions.
  • the incident response processing method even when the acquired attack information includes the two or more attacks, the level of the function limitation of these attacks and the acquired device information are different. It is possible to determine the implementation conditions for the incident response to the two or more attacks in consideration, and to implement the incident response to the two or more attacks based on the determined implementation conditions.
  • the computer alone included in the device network is an appropriate condition in which the level of the function limitation of these attacks and the state of the device are taken into consideration.
  • the incident response can be carried out efficiently and promptly.
  • the program according to the present disclosure is characterized in that it is a program for causing at least one or more computers included in the device network to execute each step of the incident response processing method.
  • the above program at least one or more computers included in the device network are subjected to the function restriction level of the attacks and the state of the devices for the two or more attacks included in the attack information.
  • the incident response can be carried out efficiently and promptly under the appropriate conditions considered.
  • the above program may be a program stored in a storage medium, or may be a program that can be transferred via a communication network or the like.
  • the storage medium according to the present disclosure is a computer-readable storage medium that stores a program for causing at least one or more computers included in the device network to execute each step of the incident response processing method. There is.
  • the storage medium by causing at least one or more computers included in the device network to read and execute the program, the two or more attacks included in the attack information can be attacked.
  • the incident response can be carried out efficiently and promptly under appropriate conditions in consideration of the level of function limitation and the state of the device.
  • FIG. 1 is a schematic block diagram of an in-vehicle network system to which the security device according to the embodiment is applied.
  • the in-vehicle network 2 is a communication network system mounted on the vehicle 1, and is an OBDII (On-board diagnostics II) 4, a traveling system ECU (Electronic Control Unit) group 5, a driving support system ECU group 6, and a body system ECU group 7. , Information system ECU group 8 and gateway ECU 10 are included.
  • the vehicle-mounted network 2 in the present embodiment is a network that communicates according to the CAN (Controller Area Network) protocol.
  • a communication standard other than CAN may be adopted for the in-vehicle network 2.
  • the traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, and the information system ECU group 8 are the control devices mounted on the vehicle 1. This is an example.
  • the OBDII4, the traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, and the information system ECU group 8 each pass through the bus 3 which is a communication path, and CH1, CH2, CH3, and CH4 of the gateway ECU 10 respectively. , And are connected to CH5.
  • the number of channels possessed by the gateway ECU 10 is not limited to these five.
  • the central gateway method in which the ECU group is connected to the gateway ECU 10 for each functional system is adopted, but the connection method of the gateway ECU 10 is not limited to this method, and between each ECU group.
  • the gateway ECU 10 may be provided in the system.
  • OBDII4 is an example of a diagnostic connector device provided with a port to which a diagnostic device or a scan tool for performing failure diagnosis or maintenance is connected.
  • the traveling system ECU group 5 includes a drive system ECU and a chassis system ECU.
  • the drive system ECU includes control units related to "running" functions such as engine control, motor control, fuel cell control, EV (Electric Vehicle) control, and transmission control.
  • the chassis-based ECU includes a control unit related to a "stop / turn” function such as brake control or steering control.
  • the driving support system ECU group 6 includes an automatic braking support function, a lane keeping support function (also called LKA / Lane Keep Assist), a constant speed driving / inter-vehicle distance support function (also called ACC / Adaptive Cruise Control), and a forward collision warning function. , Lane departure warning function, blind spot monitoring function, traffic sign recognition function, driver monitoring function, etc., functions that automatically improve safety or realize comfortable driving in cooperation with the driving system ECU group 5 (driving support function) , Or an automatic operation function), and at least one control unit is included.
  • a lane keeping support function also called LKA / Lane Keep Assist
  • ACC / Adaptive Cruise Control constant speed driving / inter-vehicle distance support function
  • a forward collision warning function Lane departure warning function, blind spot monitoring function, traffic sign recognition function, driver monitoring function, etc., functions that automatically improve safety or realize comfortable driving in cooperation with the driving system ECU group 5 (driving support function) , Or an automatic operation function
  • the driving support system ECU group 6 includes, for example, level 1 (driver assistance), level 2 (partially automatic driving), and level 3 (conditional automatic driving) at the automatic driving level presented by the American Society of Automotive Engineers of Japan (SAE). It may be equipped with the function of (driving). Further, the functions of level 4 (highly automatic driving) and level 5 (fully automatic driving) of the automatic driving level may be equipped, or only the functions of levels 2 and 3 may be equipped.
  • the body system ECU group 7 includes at least one control unit related to the function of the vehicle body such as a door lock, a smart key, a power window, an air conditioner, a light, or a winker.
  • the information system ECU group 8 includes an infotainment device, a telematics device, or an ITS (Intelligent Transport Systems) related device.
  • the infotainment device includes a car navigation device, an audio device, and the like
  • the telematics device includes a communication unit and the like for connecting to a mobile phone network and the like.
  • the ITS-related device includes an ETC (Electronic Toll Collection System), a communication unit for performing road-to-vehicle communication with a roadside machine such as an ITS spot, or an inter-vehicle communication.
  • ETC Electronic Toll Collection System
  • External interfaces include, for example, Bluetooth®, Wi-Fi®, USB (Universal Serial Bus) ports, memory card slots, and the like.
  • the gateway ECU 10 has a function of exchanging frames (messages) with each ECU group included in the in-vehicle network 2 according to the CAN protocol, and functions as a security device according to the present embodiment.
  • the gateway ECU 10 detects an abnormality that has occurred in the in-vehicle network 2, identifies or estimates the type of attack (also referred to as a security attack or cyber attack) based on the detected abnormality, and promptly responds to the identified or estimated attack. Perform the process to be executed.
  • an abnormality that has occurred in the in-vehicle network 2
  • identifies or estimates the type of attack also referred to as a security attack or cyber attack
  • the gateway ECU 10 is an incident of these attacks even when the attack on one bus 3 or one ECU group among CH1 to CH5 includes two or more attacks.
  • the implementation conditions such as the processing order of incident response for two or more attacks are determined, and based on the determined implementation conditions, two or more Performs processing to quickly and efficiently respond to incidents against attacks.
  • the function of the vehicle 1 is not excessively restricted, in other words, the incident response is executed without impairing the convenience of the vehicle 1. Therefore, the user of the vehicle 1 can get on the vehicle 1 with peace of mind without being anxious about the threat of a security attack.
  • the traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, the information system ECU group 8, and the gateway ECU 10 are composed of a computer device including one or more processors, a memory, a communication module, and the like. ing. Then, the processor mounted on each ECU reads the program stored in the memory, interprets and executes the program, and the predetermined control is executed by each ECU.
  • FIG. 2 is a block diagram showing a functional configuration example of the gateway ECU 10 according to the embodiment.
  • the gateway ECU 10 includes a gateway function unit 11 and a security control unit 12.
  • the security control unit 12 is a part on which the function of the security device according to the present embodiment is implemented.
  • the gateway ECU 10 includes a memory including a ROM (Read Only Memory) for storing a program, a RAM (Random Access Memory), and a processor such as a CPU (Central Processing Unit) for reading and executing a program from the memory. It is configured to include a communication module and the like for connecting to the in-vehicle network 2.
  • ROM Read Only Memory
  • RAM Random Access Memory
  • CPU Central Processing Unit
  • the gateway function unit 11 has a function of controlling transfer of a frame (message) via each ECU group and the bus 3, and includes, for example, a frame transmission / reception unit, a frame interpretation unit, and a frame conversion unit (not shown), which are mounted on a vehicle. It includes a configuration necessary for mutual communication with each ECU group of the network 2 according to the CAN protocol.
  • the frame in the CAN protocol includes, for example, a data frame, a remote frame, an overload frame, and an error frame.
  • the data frame is SOF (Start Of Frame), ID, RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit, DLC (Data Length Code), data field, CRC (Cyclic Redundancy Check) sequence, CRC delimiter (Cyclic Redundancy Check) sequence. It is configured to include each field of DEL), ACK (Acknowledgement) slot, ACK delimiter (DEL), and EOF (End Of Frame).
  • the security control unit 12 includes an attack specific estimation unit 21, an attack information acquisition unit 22, a device information acquisition unit 23, a response decision unit 24, a response implementation unit 25, a response information storage unit 31, and an implementation condition storage unit 32. Has been done.
  • the security control unit 12 is configured as hardware including a memory including a ROM, a RAM, etc. in which a program executed in each of the above units is stored, a processor that reads a program from the memory, and executes the program. By collaborating with the program, the functions of the above parts are realized.
  • the attack specific estimation unit 21 detects an abnormality (frame abnormality, bus abnormality, etc.) that has occurred in the vehicle-mounted network 2 based on the frame acquired from the gateway function unit 11, and determines the type of attack corresponding to the detected abnormality. Perform the identification process. In addition, the attack specific estimation unit 21 performs a process of estimating the type of attack corresponding to the detected abnormality when the type of attack cannot be specified (for example, it is an unknown attack).
  • the attack information specified or estimated by the attack specific estimation unit 21 is sent to the attack information acquisition unit 22.
  • the frame abnormality is detected by checking parameters such as RTR, DLC, payload, and reception cycle set for each frame ID, for example.
  • the frame abnormality represents an abnormality of the CAN signal alone.
  • the bus abnormality is detected by checking parameters such as the bus load factor of each bus 3 of CH1 to CH5, the bus state (state such as the presence or absence of a bus error), and the ID appearing in these buses 3. ..
  • the bus anomaly represents a situational anomaly in the CAN signal.
  • the anomaly data collected within a predetermined time after the first anomaly is detected and the anomaly detection pattern (multiple anomaly detection parameters) held in advance for each type of attack You may perform a process to identify the type of attack corresponding to the detected anomaly by collating with (including).
  • the process of estimating the attack type for example, the abnormality data collected within a predetermined time after the first abnormality is detected and the attack estimation pattern (multiple attacks) held in advance for each attack type.
  • a process of estimating the type of attack close to the detected anomaly may be performed by collating with (including the estimation parameter).
  • the attack information acquisition unit 22 performs a process of acquiring the attack information (attack information) specified or estimated based on the abnormality generated in the in-vehicle network 2.
  • the attack identification estimation unit 21 Performs the process of acquiring the attack information specified or estimated in. Then, the attack information acquired by the attack information acquisition unit 22 is sent to the response determination unit 24.
  • the configuration in which the gateway ECU 10 acquires attack information is not limited to this.
  • a function similar to that of the attack specific estimation unit 21 is provided on the cloud computer, and attack information specified or estimated on the cloud computer side is acquired by communication via an external communication network. May be.
  • the device information acquisition unit 23 performs a process of acquiring information (device information) regarding the state of at least one or more of each ECU group connected to the gateway ECU 10 via the bus 3.
  • the device information acquired from any one or more ECU groups is, in other words, information regarding the state of the vehicle 1 (hereinafter, also referred to as vehicle information).
  • vehicle information acquired by the device information acquisition unit 23 is sent to the correspondence determination unit 24.
  • the vehicle information sent to the response determination unit 24 is, for example, the vehicle information acquired during the period corresponding to the predetermined time when the abnormality data is collected by the attack specific estimation unit 21 (in other words, at the timing of the attack). (Vehicle information).
  • FIG. 3 is a diagram for explaining an example of attack information acquired by the attack information acquisition unit 22 and an example of vehicle information acquired by the device information acquisition unit 23.
  • the attack information includes at least information on the type of attack identified or estimated, and may further include information on at least one of the attacked CH (bus) and the attacked ECU.
  • the identified or estimated attack type information includes information on the case where one type of attack is specified, such as "attack A” and “attack B”, as well as “attack A, attack B, and attack C”. Information when multiple attacks are identified, or information when multiple attacks are presumed (cannot be uniquely identified), such as "Attack A, Attack B, or Attack C”. included.
  • the attacked CH includes information on CH1 to CH5 that are the targets of the attack.
  • the attacked ECU includes information on the ECU identified or estimated to have been attacked among the traveling system ECU group 5, the driving support system ECU group 6, the body system ECU group 7, the information system ECU group 8, and the gateway ECU 10. Is included.
  • the traveling system ECU-1 indicates one ECU included in the traveling system ECU group 5. It also includes a direct attack on the gateway ECU 10.
  • the vehicle information includes information on the current state of the vehicle 1 (in other words, the state of the vehicle 1 at the timing of the attack). For example, a signal indicating a state during manual driving, a signal indicating a state during driving assistance (driving assistance or automatic driving), a signal indicating a state during reprogramming (rewriting the ECU program), or a parking state. Indicates a signal or the like is included.
  • the signal indicating the state during manual operation includes, for example, a signal indicating the manual operation mode acquired from the traveling system ECU group 5 or the driving support system ECU group 6.
  • the signal indicating the state during driving support includes, for example, a signal indicating a driving support mode or an automatic driving mode acquired from the driving support system ECU group 6.
  • the signal indicating the state during reprogramming includes, for example, a signal during reprogramming acquired from the ECU in which the program is being rewritten.
  • the signal indicating the parking state includes, for example, a signal indicating the state of the smart key acquired from the body system ECU group 7.
  • the attack information acquired by the attack information acquisition unit 22 and the vehicle information acquired by the device information acquisition unit 23 are sent to the response determination unit 24.
  • the response determination unit 24 should carry out an incident for the type of attack included in the attack information based on the attack information acquired by the attack information acquisition unit 22 and the response information stored in the response information storage unit 31. Performs the process of determining the correspondence.
  • the incident response information determined by the response determination unit 24 is transmitted to the response implementation unit 25.
  • the response determination unit 24 functions of these attacks. In consideration of the restriction level and the device information acquired by the device information acquisition unit 23, a process of determining the implementation conditions for incident response to two or more attacks is also performed.
  • the response implementation unit 25 implements the incident response determined by the response decision unit 24. In addition, the response implementation unit 25 implements incident response to two or more attacks based on the implementation conditions determined by the response determination unit 24.
  • the response information storage unit 31 stores information (correspondence information) in which the incident response to be implemented and the level of function restriction due to the response are associated with each type of attack.
  • FIG. 4 is a diagram for explaining an example of the correspondence information list stored in the correspondence information storage unit 31.
  • the response information list shown in FIG. 4 has a data structure in which information on an attack, the content of the response to be implemented (incident response), and the function restriction level due to the response are linked for each type of attack.
  • the information on the attack includes information on the attack type, the bus that was the target of the attack, and the ECU that was the target of the attack.
  • the types of attacks (attacks A, B, ... K, L ) that can be assumed in the in-vehicle network 2 are stored.
  • the types of these attacks are threat analysis to the system of the in-vehicle network 2 (that is, gateway ECU 10, traveling system ECU group 5 connected to the gateway ECU 10, driving support system ECU group 6, body system ECU group 7, information system ECU group 8 and so on. It represents known attacks extracted by (analysis of vulnerabilities and threats) of devices connected to OBDII4 and other communication devices connected to the in-vehicle network 2.
  • the threat analysis method for extracting these attacks is not particularly limited.
  • a method such as threat extraction using DFD (Date Flow Diagram), threat classification by STRIDE, threat tree, or threat evaluation by DREAD can be adopted.
  • These attacks include, for example, attacks such as unauthorized use, unauthorized setting, unauthorized relay, unauthorized insertion, information leakage, Dos attack, message loss, or fake message. ..
  • the bus item stores the information of the bus that was the target of the attack (in this case, any of CH1 to CH5) stored in the attack type item, and the ECU item stores it in the attack type item.
  • Information on the ECU for example, the traveling system ECU-1 or the like
  • the target of the attack is stored.
  • responses A, B, ..., K, L the content of the incident response (response A, B, ..., K, L ).
  • responses include, for example, responses such as bus blocking, message blocking, message destruction, alternative message generation, restart, or re-authentication.
  • Bus interruption may include interruption of a bidirectional, transfer destination, or transfer source bus.
  • Message blocking may include blocking of bidirectional, forwarding, or forwarding messages.
  • the function restriction level item information indicating the level at which the function of the ECU is restricted due to the incident response to be implemented is stored.
  • the attack A is an attack on the bus 3 of CH2 and the traveling system ECU-1
  • the incident response to the attack A is the response A
  • the function restriction level of the response A is 5. It is remembered that there is something.
  • the implementation condition storage unit 32 stores table information indicating the relationship between the type of bus included in the attack target, vehicle information, and implementation conditions.
  • This table information includes one bus 3 (any of CH1 to CH5) or one ECU (any ECU included in the ECU group) in the attack information acquired from the attack information acquisition unit 22 in the response determination unit 24.
  • two or more attacks types of attacks
  • it is used to determine the conditions for implementing incident response to these attacks.
  • FIG. 5 is a diagram for explaining an example of table information stored in the execution condition storage unit 32.
  • the table information shown in FIG. 5 includes buses (CH1 to CH5) included in the target of the attack, vehicle information (during manual driving, driving support, reprogramming, parking, ...), And implementation conditions (functional restriction level).
  • the data structure shows the relationship with (ascending or descending order).
  • the incident response is executed in ascending order of the function restriction level regardless of whether the vehicle information is in manual driving, driving support, reprogramming, or parking. The condition is remembered.
  • the implementation condition is that incident response is executed in descending order of function restriction level. It is stored, and when the vehicle information is being reprogrammed, the implementation condition that the incident response is executed in ascending order of the function restriction level is stored.
  • the implementation condition that the incident response is executed in descending order of the function restriction level is stored, and the vehicle information is stored.
  • the implementation condition that the incident response is executed in ascending order of the function restriction level is stored.
  • the implementation condition that the incident response is executed in ascending order of the function restriction level is stored.
  • the implementation condition that the incident response is executed in descending order of the function restriction level is stored.
  • the incident response implementation conditions may be the conditions for implementing incident response with the function restriction level above or below the predetermined level, or the incident with the highest function restriction level. It may be a condition that only the correspondence is carried out. These implementation conditions may be combined depending on the bus 3 that is the target of the attack and the vehicle information regarding the state of the vehicle 1.
  • the correspondence information list stored in the correspondence information storage unit 31 and the table information stored in the implementation condition storage unit 32 are separately provided, but these are stored in one database. You may put it together.
  • FIG. 6 is a table for explaining the attack information, the implementation conditions, and the contents of the incident response in the attack examples 1 to 4.
  • the response determination unit 24 acquires the attack information (attack A, CH2, traveling system ECU-1), the response information storage unit 31 reads the response information list (FIG. 4) stored in the response information storage unit 31, and the attack type is read from the response information list. Extracts the information of the response to be implemented (response A) and the function restriction level (5) associated with the attack A.
  • the response determination unit 24 determines that the acquired attack information does not include two or more attacks, the response determination unit 24 sends an execution command for executing the response A to the response execution unit 25.
  • the response implementation unit 25 When the response implementation unit 25 receives the execution command of the response A from the response decision unit 24, the response implementation unit 25 performs a process of executing the response A.
  • the incident response set in the response A such as message blocking or bus blocking, is executed for the attacked traveling system ECU-1 or the bus 3 of CH2.
  • the response determination unit 24 acquires the attack information (attack F, CH4), it reads out the response information list (FIG. 4) stored in the response information storage unit 31, and the attack type is associated with the attack F from this response information list. The information of the response (correspondence F) to be implemented and the function restriction level (2) is extracted. When the response determination unit 24 determines that the acquired attack information does not include two or more attacks, the response determination unit 24 sends an execution command for executing the response F to the response execution unit 25.
  • attack information attack F, CH4
  • the response information list (FIG. 4) stored in the response information storage unit 31, and the attack type is associated with the attack F from this response information list.
  • the information of the response (correspondence F) to be implemented and the function restriction level (2) is extracted.
  • the response determination unit 24 determines that the acquired attack information does not include two or more attacks, the response determination unit 24 sends an execution command for executing the response F to the response execution unit 25.
  • the response implementation unit 25 When the response implementation unit 25 receives the execution command of the response F from the response determination unit 24, the response implementation unit 25 performs a process of executing the response F. For example, the incident response set in the response F, such as bus blocking, is executed for the bus 3 of the attacked CH4.
  • the incident response set in the response F such as bus blocking
  • the response determination unit 24 acquires the attack information (attack G or attack J, CH3, driving support system ECU-1), the response determination unit 24 reads out the response information list (FIG. 4) stored in the response information storage unit 31, and this response information. From the list, information on the response to be implemented (correspondence G and response J) and the function restriction level (3 and 1) in which the attack types are associated with attack G and attack J is extracted.
  • attack information attack G or attack J, CH3, driving support system ECU-1
  • the response determination unit 24 reads out the response information list (FIG. 4) stored in the response information storage unit 31, and this response information. From the list, information on the response to be implemented (correspondence G and response J) and the function restriction level (3 and 1) in which the attack types are associated with attack G and attack J is extracted.
  • the response determination unit 24 determines that the acquired attack information includes two or more attacks, it acquires vehicle information (for example, during reprogramming) from the device information acquisition unit 23. Further, the response determination unit 24 reads out the table information (FIG. 5) stored in the implementation condition storage unit 32, and from this table information, implements the incident response corresponding to the relationship between the bus 3 to be attacked and the vehicle information. Extract the condition.
  • table information FIG. 5
  • the function restriction level ascending order is extracted as the implementation condition.
  • the response determination unit 24 sends an execution command for executing these incident responses to the response implementation unit 25 in the order of the response J having the function restriction level of 1 and the response G having the function restriction level of 3.
  • the response implementation unit 25 When the response implementation unit 25 receives an execution command from the response decision unit 24, the response implementation unit 25 performs a process of executing these incident responses in the order of response J and response G (ascending order of function restriction level). For example, for the driving support system ECU-1 connected to the bus 3 of the attacked CH3, the incident response set to the response J with the lower function restriction level, such as discarding the received message, is executed, and the abnormality is improved. If this is not done, the driving support system ECU-1 is subjected to an incident response set to the response G having the higher function restriction level, such as discarding a bidirectional message.
  • the response determination unit 24 determines that the acquired attack information includes two or more attacks, it acquires vehicle information (for example, during manual driving) from the device information acquisition unit 23. Further, the response determination unit 24 reads out the table information (FIG. 5) stored in the implementation condition storage unit 32, and from this table information, the incident response corresponds to the relationship between the bus 3 to be attacked and the vehicle information. Extract the implementation conditions.
  • the function restriction level descending order is extracted as an implementation condition.
  • the response determination unit 24 sends an execution command for executing these incident responses to the response implementation unit 25 in the order of the response D having the function restriction level of 4 and the response E having the function restriction level of 2.
  • the response implementation unit 25 When the response implementation unit 25 receives the execution command from the response decision unit 24, the response implementation unit 25 performs a process of executing these incident responses in the order of response D and response E (descending order of function restriction level). For example, for the attacked CH2 bus 3, the incident response set to the response D with the higher function restriction level, such as bidirectional bus blocking, is executed. In this case, the incident response set for the response E with the lower function restriction level may not be executed. In this way, by executing from the incident response with the higher function restriction level, it is possible to quickly prevent the spread of damage caused by the attack while avoiding duplicate responses.
  • the incident response set to the response D with the higher function restriction level such as bidirectional bus blocking
  • FIG. 7 is a schematic flowchart showing a processing operation performed by the security control unit 12 constituting the gateway ECU 10 according to the embodiment. It should be noted that this processing operation assumes a case where an attacker executes some kind of security attack on the in-vehicle network 2 and breaks the defense function of the gateway ECU 10.
  • step S1 the security control unit 12 determines whether or not an abnormality has occurred in the in-vehicle network 2, and if it is determined that no abnormality has occurred, the process ends, while if it is determined that an abnormality has occurred. , Proceed to step S2.
  • step S2 the security control unit 12 performs a process of detecting an abnormality generated in the frame received from each ECU group or the bus 3 connected to each CH, and then proceeds to the process in step S3.
  • step S3 the security control unit 12 performs a process of collecting abnormality data (that is, abnormality detection result) for a predetermined period of time that occurred in the received frame or bus 3, and then proceeds to step S4.
  • abnormality data that is, abnormality detection result
  • step S4 the security control unit 12 uses the collected abnormal data to perform a process of identifying the type of security attack, and when the type of attack cannot be specified, a process of estimating the type of the attack. After that, the process proceeds to step S5.
  • step S5 the security control unit 12 performs a process of implementing an incident countermeasure corresponding to the specified type of attack or the estimated type of attack, and then ends the process.
  • FIG. 8 is a flowchart showing an incident response processing operation performed by the security control unit 12 constituting the gateway ECU 10 according to the embodiment. This processing operation is an example of the incident response processing operation performed in step S5 of FIG. 7.
  • the security control unit 12 functions as an attack information acquisition unit 22, performs a process of acquiring attack information (attack information) specified or estimated in step S4 of FIG. 7, and performs a process in step S12. Proceed.
  • the attack information includes at least the type of attack identified or estimated, and may further include information on at least one of the CH (bus) targeted by the attack and the ECU attacked. ..
  • the security control unit 12 functions as the device information acquisition unit 23, and provides information on the state of at least one or more of the ECU groups connected via the buses 3 of CH1 to CH5 (that is,).
  • the process of acquiring the vehicle information) is performed, and the process proceeds to step S13.
  • the vehicle information includes information on the current state of the vehicle 1 (in other words, the state of the vehicle 1 at the time of the attack), for example, a signal indicating the state during manual driving shown in FIG. 3, and driving support. It includes a signal indicating a state during (driving support or automatic driving), a signal indicating a state during reprogramming (rewriting an ECU program), a signal indicating a parking state, and the like.
  • step S13 the security control unit 12 functions as a response determination unit 24, and attacks the attack information acquired in S11 with two or more attacks on the bus 3 of one of CH1 to CH5 or the ECU of one of the ECU groups. If it is determined whether or not is included and it is determined that two or more attacks are not included, the process proceeds to step S14.
  • step S14 the security control unit 12 functions as a response determination unit 24, reads a response information list (FIG. 4) from the response information storage unit 31, and types of attacks included in the acquired attack information from the response information list.
  • the process of extracting the corresponding information (correspondence to be implemented and the function restriction level) corresponding to the above is performed, and the process proceeds to step S15.
  • step S15 the security control unit 12 functions as a response determination unit 24, performs a process of sending an execution command for executing the incident response included in the extracted response information to the response execution unit 25, and performs the process in step S16. Proceed.
  • step S16 the security control unit 12 functions as the response execution unit 25, performs a process of executing the incident response included in the extracted response information based on the execution command, and then ends the process.
  • step S17 the security control unit 12 functions as a response decision unit 24, reads out the response information list (FIG. 4) stored in the response information storage unit 31, and corresponds to two or more types of attacks from this response information list.
  • a process for extracting the corresponding response information is performed, and then the process proceeds to step S18.
  • step S18 the security control unit 12 functions as a response determination unit 24, reads out the table information (FIG. 5) stored in the execution condition storage unit 32, and from this table information, the bus 3 to be attacked and the vehicle information The process of extracting the implementation conditions for incident response corresponding to the relationship of the above is performed, and then the process proceeds to step S19.
  • table information FIG. 5
  • step S19 the security control unit 12 functions as a response decision unit 24, and based on the extracted execution conditions, issues an execution command for executing an incident response to two or more attacks included in the response information.
  • the process of sending to is performed, and the process proceeds to step S20.
  • step S20 the security control unit 12 functions as a response implementation unit 25, performs a process of executing incident response to two or more attacks included in the extracted response information based on the execution conditions based on the execution command. Then the process is finished.
  • the gateway ECU 10 According to the gateway ECU 10 according to the above embodiment, even if the attack information acquired by the attack information acquisition unit 22 includes two or more attacks, the function linked to the incident response to these attacks.
  • the implementation conditions for incident response to two or more attacks are determined in consideration of the restriction level and the vehicle information acquired by the device information acquisition unit 23, and the incident response to two or more attacks is determined based on the determined implementation conditions. Is carried out.
  • the vehicle 1 alone can efficiently respond to the incident under appropriate conditions in consideration of the function restriction level of these attacks and the state of the ECU group (that is, vehicle information). It will be possible to carry out well and quickly.
  • incident response may be executed in descending order of function restriction level (in other words, in order from the response with the largest function restriction), or function restriction. It is possible to execute incident response in ascending order of level (in other words, in order from the response with the smallest function restriction). Therefore, the incident response can be executed in the order suitable for the state of the vehicle 1.
  • the incident response is executed in descending order of the function restriction level to avoid duplicate responses and to be attacked. It is possible to quickly prevent the spread of damage.
  • the incident response is executed in ascending order of the function restriction level, while avoiding duplicate responses. It is possible to prevent the function of the ECU from being excessively restricted, and it is possible to carry out incident response so as not to impair the convenience of the vehicle 1 under the control of the ECU.
  • the incident response with the higher function restriction level may be executed, or the incident response with the lower function restriction level may be executed, which is suitable for the state of the ECU. It is possible to prioritize the incident response of the other party.
  • the response determination unit 24 can efficiently determine the implementation conditions corresponding to the one bus 3 that is the target of the attack and the vehicle information acquired from the ECU group, and can process the process. The speed can be increased.
  • the security control unit 12 mounted on the gateway ECU 10 may be mounted on another ECU, or the security ECU equipped with the security control unit 12 may be connected to the in-vehicle network 2.
  • the security control unit 12 responds to the determined incident response to the occupants in the vehicle via the notification device included in the information system ECU group 8 connected to the in-vehicle network 2.
  • a notification processing unit that notifies that an abnormality has occurred, that an attack has occurred, appropriate driving operation, start, continuation, return, or cancellation of degenerate operation, response after an abnormality occurs, etc. You may also prepare.
  • a navigation device, an audio device, or the like can be applied to such a notification device.
  • the notification processing unit can notify the occupants in the vehicle of an abnormality or the like via the notification device. Therefore, the occupants are required to take appropriate measures against the abnormality or an attack. Is possible.
  • the gateway ECU 10 in the security control unit 12, the above-mentioned abnormality occurs outside the vehicle via the telematics device included in the information system ECU group 8 connected to the vehicle-mounted network 2 or the ITS-related device.
  • a report processing unit for notifying the occurrence or the occurrence of an attack may be further provided.
  • the report processing unit can report the occurrence of an abnormality or the occurrence of an attack to the outside of the vehicle via the telematics device or the ITS-related device. Therefore, for example, it is possible to notify other vehicles in the vicinity, infrastructure equipment, dealers, manufacturers, or public institutions of the occurrence of an abnormality or attack, and take appropriate measures against the abnormality or attack from outside the vehicle. It is also possible.
  • the in-vehicle network 2 is an example of a device network to which the technology according to the present invention is applied.
  • the technology according to the present invention includes another device network, for example, an industrial device network in which one or more industrial devices constituting an FA (Factory Automation) system are connected via a communication path, and a home device in which household devices are connected. It can also be applied to a security device included in a network or an office equipment network to which office equipment is connected.
  • the application example to the vehicle-mounted network 2 described with reference to FIGS. 1 to 8 can be replaced with an industrial equipment network, a home equipment network, or an office equipment network.
  • the above FA system includes, for example, a transport system for various articles, an inspection system, an assembly system using a robot, and the like.
  • the control devices installed in the industrial devices that make up these FA systems include, for example, programmable controllers, motion position control controllers, field network devices, wireless devices, sensors, actuators, robots, HMI devices, and data collection devices. At least one of them may be included.
  • the device information acquired from the above-mentioned industrial equipment by the security device equipped in the FA system includes the operation phase of the above-mentioned industrial equipment, such as start-up, normal operation, pause, stop, and reprogramming. Information about at least one operational phase may be included.
  • the communication path for connecting various control devices in the FA system may be wired or wireless.
  • the communication protocol in the device network is not limited to the CAN protocol. The communication protocol may be, for example, CANopen used in FA systems, or other derivative protocols.
  • the present invention can be widely used in a security device-related industrial field that executes incident response against an attack that occurs in a device network in which one or more devices such as an in-vehicle device or an industrial device are connected via a communication path. ..
  • Embodiments of the present invention may also be described as, but are not limited to, the following appendices.
  • Appendix 1 A security device (10) included in a device network (2) in which one or more devices (4, 5, 6, 7, 8) are connected via a communication path (3).
  • An attack information acquisition unit (22) that acquires attack information (hereinafter referred to as attack information) identified or estimated based on an abnormality that has occurred in the device network (2).
  • a device information acquisition unit (23) for acquiring information on the state of the device hereinafter referred to as device information
  • a response information storage unit (31) that stores information (hereinafter referred to as response information) in which incident response and the level of function restriction due to the response are associated with each type of attack.
  • a response determination unit (24) that determines the incident response to be implemented for the attack included in the attack information, and a response determination unit (24). It is equipped with a response implementation unit (25) that implements the determined incident response.
  • the correspondence determination unit (24) When the acquired attack information includes two or more attacks on one communication path or one device, the above-mentioned attack information is taken into consideration with the level of the function limitation of these attacks and the acquired device information. It determines the implementation conditions for the incident response to two or more of the attacks.
  • the corresponding implementation unit (25) The security device (10), characterized in that the incident response to the two or more attacks is carried out based on the determined execution conditions.
  • the attack information is included in the attack information based on the acquired information and the information stored in association with the incident response and the level of function restriction due to the response (hereinafter referred to as response information) for each type of the attack.
  • the correspondence determination step When the acquired attack information includes two or more attacks on one communication path or one device, the above-mentioned attack information is taken into consideration with the level of the function limitation of these attacks and the acquired device information. Including the step (S18) of determining the implementation conditions of the incident response to the two or more attacks.
  • the corresponding implementation step An incident response processing method comprising the step (S20) of performing the incident response to the two or more attacks based on the determined implementation conditions.
  • Vehicle 2 In-vehicle network (equipment network) 3 Bus 4 OBDII 5 Driving system ECU group 6 Driving support system ECU group 7 Body system ECU group 8 Information system ECU group 10 Gateway ECU (security device) 11 Gateway function unit 12 Security control unit 21 Attack specific estimation unit 22 Attack information acquisition unit 23 Device information acquisition unit 24 Correspondence decision unit 25 Correspondence implementation unit 32 Implementation condition storage unit

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
PCT/JP2019/029627 2019-07-29 2019-07-29 セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体 Ceased WO2021019636A1 (ja)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2019/029627 WO2021019636A1 (ja) 2019-07-29 2019-07-29 セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体
JP2021536478A JP7318710B2 (ja) 2019-07-29 2019-07-29 セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/029627 WO2021019636A1 (ja) 2019-07-29 2019-07-29 セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体

Publications (1)

Publication Number Publication Date
WO2021019636A1 true WO2021019636A1 (ja) 2021-02-04

Family

ID=74229886

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/029627 Ceased WO2021019636A1 (ja) 2019-07-29 2019-07-29 セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体

Country Status (2)

Country Link
JP (1) JP7318710B2 (https=)
WO (1) WO2021019636A1 (https=)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2022153081A (ja) * 2021-03-29 2022-10-12 株式会社デンソー 攻撃分析装置、攻撃分析方法、及び攻撃分析プログラム
JP2023133208A (ja) * 2022-03-10 2023-09-22 株式会社デンソー リスクスコアに応じた事象対応
JP2024051325A (ja) * 2022-09-30 2024-04-11 株式会社デンソー 車両用攻撃分析装置、攻撃分析システム、攻撃分析方法、及び攻撃分析プログラム
JP2024532232A (ja) * 2021-08-25 2024-09-05 ロベルト・ボッシュ・ゲゼルシャフト・ミト・ベシュレンクテル・ハフツング データユニットを処理するための装置および方法
WO2025163875A1 (ja) * 2024-02-02 2025-08-07 三菱電機モビリティ株式会社 転送制御装置、フレームデータ処理装置、および車載ネットワークシステム

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017183099A1 (ja) * 2016-04-19 2017-10-26 三菱電機株式会社 中継装置
JP2018064293A (ja) * 2016-07-05 2018-04-19 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America 不正制御抑止方法、不正制御抑止装置及び車載ネットワークシステム
WO2019026310A1 (ja) * 2017-08-02 2019-02-07 三菱電機株式会社 情報処理装置、情報処理方法及び情報処理プログラム

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017183099A1 (ja) * 2016-04-19 2017-10-26 三菱電機株式会社 中継装置
JP2018064293A (ja) * 2016-07-05 2018-04-19 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America 不正制御抑止方法、不正制御抑止装置及び車載ネットワークシステム
WO2019026310A1 (ja) * 2017-08-02 2019-02-07 三菱電機株式会社 情報処理装置、情報処理方法及び情報処理プログラム

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2022153081A (ja) * 2021-03-29 2022-10-12 株式会社デンソー 攻撃分析装置、攻撃分析方法、及び攻撃分析プログラム
JP7517223B2 (ja) 2021-03-29 2024-07-17 株式会社デンソー 攻撃分析装置、攻撃分析方法、及び攻撃分析プログラム
JP2024532232A (ja) * 2021-08-25 2024-09-05 ロベルト・ボッシュ・ゲゼルシャフト・ミト・ベシュレンクテル・ハフツング データユニットを処理するための装置および方法
JP7755047B2 (ja) 2021-08-25 2025-10-15 ロベルト・ボッシュ・ゲゼルシャフト・ミト・ベシュレンクテル・ハフツング データユニットを処理するための装置および方法
JP2023133208A (ja) * 2022-03-10 2023-09-22 株式会社デンソー リスクスコアに応じた事象対応
JP7491423B2 (ja) 2022-03-10 2024-05-28 株式会社デンソー リスクスコアに応じた事象対応
JP2024051325A (ja) * 2022-09-30 2024-04-11 株式会社デンソー 車両用攻撃分析装置、攻撃分析システム、攻撃分析方法、及び攻撃分析プログラム
WO2025163875A1 (ja) * 2024-02-02 2025-08-07 三菱電機モビリティ株式会社 転送制御装置、フレームデータ処理装置、および車載ネットワークシステム

Also Published As

Publication number Publication date
JPWO2021019636A1 (https=) 2021-02-04
JP7318710B2 (ja) 2023-08-01

Similar Documents

Publication Publication Date Title
JP7318710B2 (ja) セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体
US11411917B2 (en) Method for detecting, blocking and reporting cyber-attacks against automotive electronic control units
US9843523B2 (en) Communication management apparatus and communication management method for vehicle network
JP6807906B2 (ja) 車両へのコンピュータ攻撃を阻止するためのルールを生成するシステムおよび方法
US11165851B2 (en) System and method for providing security to a communication network
JP6762347B2 (ja) 交通手段に対するコンピュータ攻撃を阻止するためのシステムおよび方法
CN111448783B (zh) 车载网络异常检测系统及车载网络异常检测方法
JP2020123307A (ja) セキュリティ装置、攻撃特定方法、及びプログラム
JPWO2019216306A1 (ja) 異常検知電子制御ユニット、車載ネットワークシステム及び異常検知方法
WO2019021403A1 (ja) 制御ネットワークシステム、車両遠隔制御システム及び車載中継装置
WO2019142458A1 (ja) 車両監視装置、不正検知サーバ、および、制御方法
US12294598B2 (en) Attack monitoring center apparatus and attack monitoring terminal apparatus
US11667264B2 (en) Unauthorized intrusion prevention device, unauthorized intrusion prevention method, and unauthorized intrusion prevention program
JP2019008618A (ja) 情報処理装置、情報処理方法及びプログラム
JP6839846B2 (ja) 情報処理装置、情報処理方法及びプログラム
US20210258187A1 (en) Electronic control device, electronic control method, and recording medium
JP2021140460A (ja) セキュリティ管理装置
JP7160206B2 (ja) セキュリティ装置、攻撃対応処理方法、コンピュータプログラム、及び記憶媒体
JP6191397B2 (ja) 通信中継装置、通信中継処理
JP2019209961A (ja) 情報処理装置、監視方法、プログラム及びゲートウェイ装置
JP7259966B2 (ja) セキュリティ装置、設定変更方法、プログラム、及び記憶媒体
KR20200076218A (ko) 일반 can 메시지의 전송지연을 예측하는 can 네트워크에 대한 메시지플러딩 공격 완화 시스템
WO2018179630A1 (ja) 情報処理装置、情報処理方法及びプログラム
US12515598B2 (en) Electronic control unit, electronic control system, log processing method, and non-transitory computer-readable storage medium storing log processing program
US20250350618A1 (en) Log management device, log management system, method and storage medium thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19939072

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021536478

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19939072

Country of ref document: EP

Kind code of ref document: A1