WO2022176131A1 - Communication monitoring device, communication monitoring method, and program - Google Patents


Info

Publication number: WO2022176131A1
Authority: WO (WIPO (PCT))
Prior art keywords: communication, reconnaissance, source, destination, attack
Application number: PCT/JP2021/006205
Other languages: French (fr), Japanese (ja)
Inventors: 勝 松林, 卓麻 小山, 靖 岡野, 政志 田中
Original Assignee: 日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to JP2023500245A (JPWO2022176131A1/ja)
Priority to PCT/JP2021/006205 (WO2022176131A1/en)
Publication of WO2022176131A1 (WO2022176131A1/en)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • the present invention relates to a communication monitoring device, a communication monitoring method and a program.
  • UDS: Unified Diagnostic Services
  • ECUs: Electronic Control Units
  • Non-Patent Document 1 discloses a method of detecting anomalies by learning a language model of normal diagnostic communication using natural language processing.
  • the disclosed technology aims to provide a device that performs highly accurate anomaly detection by reducing the probability of erroneous detection of normal diagnostic communication.
  • The disclosed technology includes a communication source state update unit that monitors communication from a communication source to a communication destination and updates information indicating the state of the communication source, including the number of requests for unlocking to the communication destination; a reconnaissance detection unit that detects reconnaissance of the unlocked state of the communication destination by the communication source based on the information indicating the state of the communication source; and an attack detection unit that detects an attack from the communication source whose reconnaissance has been detected to the communication destination.
  • FIG. 1 is a diagram for explaining an example of a communication method involving unlocking.
  • FIG. 2 is a sequence diagram illustrating an example of a SecurityAccess evasion attack.
  • FIG. 3 is a functional configuration diagram of a communication monitoring device.
  • FIG. 4 is a diagram showing an example of communication source state information.
  • FIG. 5 is a diagram showing an example of attack determination rule information.
  • FIG. 6 is a flowchart showing an example of the flow of communication monitoring processing.
  • FIG. 7 is a flowchart showing an example of the flow of communication source status update processing.
  • FIG. 8 is a flowchart showing an example of the flow of reconnaissance detection processing.
  • FIG. 9 is a flowchart showing an example of the flow of reconnaissance completion detection processing.
  • FIG. 10 is a flowchart showing an example of the flow of attack detection processing.
  • FIG. 11 is a first diagram for explaining normal diagnostic communication.
  • FIG. 12 is a second diagram for explaining normal diagnostic communication.
  • FIG. 13 is a third diagram for explaining normal diagnostic communication.
  • FIG. 14 is a diagram showing a hardware configuration example of a communication monitoring device.
  • FIG. 15 is a diagram illustrating a hardware configuration example of an automobile according to the first embodiment.
  • FIG. 16 is a diagram showing an outline of a communication monitoring system according to the second embodiment.
  • FIG. 17 is a functional configuration diagram of a communication monitoring device according to the third embodiment.
  • FIG. 18 is a diagram showing an outline of a communication monitoring system according to the fourth embodiment.
  • Ethernet (registered trademark)
  • CAN: Controller Area Network
  • An automobile or the like that performs CAN communication includes a plurality of electronic control units (ECUs). The ECUs communicate with each other by broadcasting message data using CAN. Message data transmitted and received over CAN contains a payload carrying the data body and an ID (called the CAN-ID) used to identify the contents of the payload. Note that CAN message data does not include source or destination address information.
  • UDS is known as a protocol for performing fault diagnosis and reprogramming of ECUs using the above-mentioned Ethernet and CAN.
  • UDS is a protocol that defines layer 7 of the OSI (Open Systems Interconnection) reference model.
  • UDS defines the communication method, the message format, the diagnostic service methods (such as a service for rewriting memory), and the like used when a diagnostic device performs fault diagnosis, reprogramming, and so on of an ECU.
  • UDS defines an access control mechanism to ensure that only authorized users can use its services. Specifically, in UDS, before using a service that could cause serious damage if misused by an unauthorized user (for example, a service that reprograms the ECU), it is necessary to unlock the ECU using the "Security Access Service". The "Security Access Service" is an access control mechanism defined in UDS to prevent unauthorized users from misusing UDS services. Diagnostic communication using the "SecurityAccess Service" is an example of a communication method involving unlocking.
  • FIG. 1 is a diagram for explaining an example of a communication method involving unlocking.
  • First, the communication source (for example, a diagnostic device) requests the "Seed" needed for unlocking (requestSeed).
  • The communication destination (for example, an ECU) returns the "Seed".
  • The communication source calculates a key from the received "Seed" and transmits it to the communication destination (sendKey). This sendKey is an example of communication requesting unlocking.
  • The communication destination unlocks and transmits an unlock notification to the communication source (positive response).
  • If an attacking device (hereinafter referred to as the attacking device) can identify an ECU that has been unlocked by a request from another device, it can use UDS services without requesting unlocking itself.
  • In normal operation, an ECU is unlocked only for a short period of time, so if the attacking device makes a UDS service request to an arbitrary ECU without first performing reconnaissance of the unlocked state, that ECU is extremely likely to be locked. Therefore, the attacking device is extremely likely to receive a "negative response", which means refusal, to the service request.
  • A "negative response" corresponds to a system error or alert, and is a trace of an attack that is easily discovered by security administrators and security systems. Therefore, it is assumed that, in order to execute a SecurityAccess evasion attack, the attacking device identifies an already unlocked ECU by a method that does not generate a "negative response".
  • UDS defines the following behavior. An unlocked ECU transmits a "Seed" with all byte values 0x00 in response to "requestSeed". When the ECU receives an incorrect "Key" in "sendKey", it sends a "negative response". Furthermore, even if the communication source repeatedly only acquires a "Seed" without following it with "sendKey", the ECU does not transmit a "negative response".
  • Accordingly, the attacking device can execute the following SecurityAccess evasion attack. The attacking device transmits "requestSeed" to any ECU at any timing and acquires a "Seed". It then determines whether all the byte values of the obtained "Seed" are 0x00, and if so, determines that the ECU is in the unlocked state and performs unauthorized access.
  • FIG. 2 is a sequence diagram showing an example of a SecurityAccess evasion attack.
  • A communication source that is an attacking device transmits "requestSeed" to the first communication destination, the second communication destination, and so on, and acquires a "Seed" from each. The communication source then determines whether all the byte values of each obtained "Seed" are 0x00; if they are not, it does nothing and again transmits "requestSeed" to the first communication destination, the second communication destination, and so on, checking each "Seed" in the same way. When the communication source determines that all bytes of a "Seed" are 0x00, it completes reconnaissance and performs unauthorized access.
  • FIG. 3 is a functional configuration diagram of the communication monitoring device.
  • the communication monitoring device 10 includes a storage unit 11 , a communication source state update unit 12 , a reconnaissance detection unit 13 , a reconnaissance completion detection unit 14 , an attack detection unit 15 , and a communication blocking unit 16 .
  • the storage unit 11 stores various types of information, specifically, source state information 901 and attack determination rule information 902 .
  • the communication source status information 901 is information indicating the status of the communication source, including the number of requests for unlocking to the communication destination.
  • the attack determination rule information 902 is information that defines rules for determining whether or not target communication is an attack.
  • the communication source status update unit 12 monitors communication from the communication source to the communication destination and updates the communication source status information 901 .
  • Based on the communication source status information 901, the reconnaissance detection unit 13 detects reconnaissance by the communication source of whether the communication destination is unlocked.
  • The reconnaissance completion detection unit 14 detects that reconnaissance of the unlocked state, from a communication source whose reconnaissance has been detected to the communication destination, has been completed.
  • Based on the attack determination rule information 902, the attack detection unit 15 detects whether or not there is an attack on the communication destination from a communication source whose reconnaissance has been detected.
  • the communication blocking unit 16 blocks communication from the source of the detected attack to the destination of communication.
  • FIG. 4 is a diagram showing an example of communication source state information.
  • The communication source state information 901 includes, as items, a communication source address, a difference, a state, and a communication destination address.
  • The value of the item "communication source address" identifies the communication source, and is, for example, a MAC (Media Access Control) address or an IP (Internet Protocol) address. If the communication source address is unknown, the value of this item is set to "unknown", so that in the processing described later the state information for a communication source with an unknown address can be obtained by referring to the record whose "communication source address" is "unknown". For example, when the communication protocol is Ethernet, the communication monitoring device 10 can extract the communication source address from the communication data; when the communication protocol is CAN, on the other hand, it is difficult for the communication monitoring device 10 to extract the communication source address from the communication data.
  • The value of the item "difference" is, for each communication destination, the number of transmissions of "requestSeed" from the same communication source minus the number of transmissions of "sendKey". The greater this value, the more "requestSeed" has been transmitted relative to "sendKey", which indicates a high possibility that the communication source is performing the SecurityAccess evasion attack described above.
  • The number of transmissions of "requestSeed" is an example of the number of times data for unlocking has been requested from the communication destination.
  • The number of transmissions of "sendKey" is an example of the number of times unlocking has been requested from the communication destination based on the data for unlocking.
  • The value of the item "state" indicates the state of each communication source, and is one of "normal", "reconnaissance in progress", "reconnaissance completed", or "blocked".
  • The value of the item "communication destination address" identifies the communication destination, and is, for example, a MAC address, an IP address, or a CAN-ID.
  • The communication source state information 901 thus holds a "difference" and a "state" for each combination of communication source and communication destination.
  • The communication monitoring device 10 may initialize the communication source state information 901 periodically. For example, if neither the "difference" nor the "state" value changes for a predetermined time, the record is deleted (or the value of "difference" is reset to "0", the value of "state" to "normal", and the value of "communication destination address" to empty).
  • FIG. 5 is a diagram showing an example of attack determination rule information.
  • the attack determination rule information 902 includes communication destination addresses and determination rules as items.
  • the value of the item "communication destination address” is a value for identifying the communication destination, such as a MAC address or IP address.
  • The value of the item "judgment rule" indicates the rule for judging an attack. For example, the item "judgment rule" defines rules such as: all messages addressed to the communication destination address are judged to be an attack; all messages with no destination specified are judged to be an attack; messages with an arbitrary value in the payload are judged to be an attack.
  • FIG. 6 is a flowchart showing an example of the flow of communication monitoring processing.
  • the communication monitoring device 10 executes communication monitoring processing in response to a user's operation or periodically. Specifically, the communication source status update unit 12 of the communication monitoring device 10 executes communication source status update processing for updating the communication source status information 901 (step S1). Next, the reconnaissance detection unit 13 executes reconnaissance detection processing for detecting reconnaissance by each communication source (step S2).
  • the reconnaissance completion detection unit 14 executes reconnaissance completion detection processing for detecting that reconnaissance by the communication source whose reconnaissance has been detected has been completed (step S3).
  • the attack detection unit 15 executes attack detection processing for detecting an attack by the communication source whose reconnaissance has been completed (step S4).
  • The communication blocking unit 16 blocks the communication in which an attack was detected (step S5). Then, the communication blocking unit 16 updates the value of the item "state" of the communication source state information 901 related to the blocked communication to "blocked" (step S6).
  • FIG. 7 is a flowchart illustrating an example of the flow of communication source status update processing.
  • the communication source status update unit 12 determines whether or not the application layer protocol of the communication to be monitored is UDS (step S11). Then, when the communication source state update unit 12 determines that the protocol is not UDS (step S11: No), the communication source state update process ends.
  • When the protocol is UDS (step S11: Yes), the communication source state update unit 12 determines whether or not the SID of the communication to be monitored is 0x27, the SecurityAccess service (step S12). When it determines that the SID is not 0x27 (step S12: No), the communication source state update process ends.
  • When the SID is 0x27 (step S12: Yes), the communication source state update unit 12 adds 1 to the value of the item "difference" of the communication source state information 901 if the communication to be monitored is "requestSeed", and subtracts 1 from that value if the communication to be monitored is "sendKey" (step S16).
  • FIG. 8 is a flowchart showing an example of the flow of reconnaissance detection processing.
  • the reconnaissance detection unit 13 determines whether or not the value of the item "difference" of the communication source state information 901 exceeds a preset threshold (step S21).
  • the threshold value may be set by the user as an arbitrary value of 2 or more, for example.
  • When the reconnaissance detection unit 13 determines that the value of the item "difference" exceeds the threshold (step S21: Yes), it updates the value of the item "state" of the communication source state information 901 to "reconnaissance in progress" (step S22). When it determines that the value of the item "difference" does not exceed the threshold (step S21: No), it updates the value of the item "state" of the communication source state information 901 to "normal" (step S23).
  • FIG. 9 is a flowchart showing an example of the flow of reconnaissance completion detection processing.
  • the reconnaissance completion detection unit 14 determines whether or not the application layer protocol of the communication to be monitored is UDS (step S31). When the reconnaissance completion detection unit 14 determines that the protocol is not UDS (step S31: No), the reconnaissance completion detection process ends.
  • When the protocol is UDS (step S31: Yes), the reconnaissance completion detection unit 14 determines whether or not the SID of the communication to be monitored is 0x67, the positive response to SecurityAccess (step S32). When it determines that the SID is not 0x67 (step S32: No), the reconnaissance completion detection process ends.
  • When the SID is 0x67 (step S32: Yes), the reconnaissance completion detection unit 14 determines whether or not all byte values of the "Seed" are "0x00" (step S34). When it determines that some byte value of the "Seed" is not "0x00" (step S34: No), the reconnaissance completion detection process ends.
  • When all byte values of the "Seed" are "0x00" (step S34: Yes), the reconnaissance completion detection unit 14 determines whether or not the value of the item "state" of the communication source state information 901 is "reconnaissance in progress" (step S35). When it determines that the value of the item "state" is not "reconnaissance in progress" (step S35: No), the reconnaissance completion detection process ends.
  • When it determines that the value of the item "state" is "reconnaissance in progress" (step S35: Yes), the reconnaissance completion detection unit 14 sets the value of the item "state" of the communication source state information 901 to "reconnaissance completed" and updates the value of the item "communication destination address" to the detected communication destination address (step S36).
  • FIG. 10 is a flowchart showing an example of the flow of attack detection processing.
  • the attack detection unit 15 determines whether or not the application layer protocol of the communication to be monitored is UDS (step S41). When the attack detection unit 15 determines that the protocol is not UDS (step S41: No), the attack detection process ends.
  • When the protocol is UDS (step S41: Yes), the attack detection unit 15 determines whether or not the value of the item "state" of the communication source state information 901 is "reconnaissance completed" or "blocked" (step S42). When it determines that the value is neither "reconnaissance completed" nor "blocked" (step S42: No), it ends the attack detection process.
  • When the value of the item "state" is "reconnaissance completed" or "blocked" (step S42: Yes), the attack detection unit 15 determines whether or not the determination rule defined in the attack determination rule information 902 is satisfied (step S43). When it determines that the determination rule is not satisfied (step S43: No), it ends the attack detection process.
  • When it determines that the determination rule is satisfied (step S43: Yes), the attack detection unit 15 determines that the target communication is an attack (step S44).
  • FIG. 11 is a first diagram for explaining normal diagnostic communication.
  • The case of FIG. 11 is normal diagnostic communication that occurs when the diagnostic device, which is the communication source, fails to receive the "Seed" for some reason after requesting it, and requests the "Seed" again.
  • By setting the threshold appropriately, the communication monitoring device 10 does not judge an abnormality from a single anomalous communication, but makes its judgment from the accumulated difference between the number of transmissions of "requestSeed" and the number of transmissions of "sendKey". Therefore, the communication monitoring device 10 according to the present embodiment can judge the case of FIG. 11 as normal communication. Further, even if the threshold is set to 1 and the reconnaissance detection unit 13 detects reconnaissance, the communication monitoring device 10 can still judge the case of FIG. 11 as normal communication depending on the result of determination by the reconnaissance completion detection unit 14 or the attack detection unit 15.
  • FIG. 12 is a second diagram for explaining normal diagnostic communication.
  • The case of FIG. 12 is normal diagnostic communication that occurs when the diagnostic device, which is the communication source, evaluates the ECU at each communication destination, for example in a security evaluation at the time of model certification of an automobile.
  • Even if the reconnaissance detection unit 13 detects reconnaissance in this case, the communication monitoring device 10 can judge the case of FIG. 12 as normal communication depending on the result of determination by the reconnaissance completion detection unit 14 or the attack detection unit 15.
  • FIG. 13 is a third diagram for explaining normal diagnostic communication.
  • The case of FIG. 13 is normal diagnostic communication in which another diagnostic device, the second communication source, accidentally sends "requestSeed" to a communication destination ECU that has been unlocked by the diagnostic device that is the first communication source.
  • In this case, the second communication source transmits "requestSeed" and receives as a response a "Seed" whose byte values are all "0x00". Because reprogramming is executed after this "Seed" is returned, the probability of this case occurring is considered low, and an abnormality would be detected.
  • However, since reconnaissance such as repeatedly executing "requestSeed" is not performed in the communication from the second communication source, the reconnaissance detection unit 13 would not detect reconnaissance. Therefore, the communication monitoring device 10 can judge the case of FIG. 13 as normal communication.
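The processing flow of FIGS. 6 to 10 and the normal cases of FIGS. 11 and 13, worked through in an added Python example that is not the patent's or the applicant's own code. It keeps one state record per communication source (one reading of FIG. 4, with the unlocked destination filled in at step S36), distinguishes requestSeed from sendKey by the ISO 14229 sub-function parity, and treats the message layout, the address strings and the rule representation as assumptions.

```python
"""Added example (not code from the patent or its assignee): a small model of the
monitoring flow of FIGS. 6-10 in WO2022176131A1, run over constructed traffic for the
attack of FIG. 2 and the normal cases of FIGS. 11 and 13 (layout details are assumed)."""
from dataclasses import dataclass

SID_SECURITY_ACCESS = 0x27      # SecurityAccess request: requestSeed or sendKey
SID_SECURITY_ACCESS_POS = 0x67  # positive response to SecurityAccess, carries the Seed

@dataclass
class Msg:
    src: str                # "unknown" when the address cannot be extracted (e.g. CAN)
    dst: str
    sid: int
    data: bytes = b""       # UDS payload after the SID (assumed layout)
    protocol: str = "UDS"

@dataclass
class SourceState:
    """One record of the communication source state information (FIG. 4), kept per source."""
    difference: int = 0     # requestSeed transmissions minus sendKey transmissions
    state: str = "normal"   # normal / recon_in_progress / recon_completed / blocked
    dst_address: str = ""   # destination found unlocked, filled in at step S36

class Monitor:
    def __init__(self, threshold=2, rules=None):
        self.threshold = threshold  # "difference" must exceed this value (step S21)
        self.rules = rules or {}    # attack determination rules: dst address -> predicate(Msg)
        self.table = {}             # communication source address -> SourceState

    def update_source_state(self, m):            # FIG. 7, steps S11-S16
        if m.protocol != "UDS" or m.sid != SID_SECURITY_ACCESS or not m.data:
            return
        rec = self.table.setdefault(m.src, SourceState())
        # ISO 14229: odd SecurityAccess sub-functions are requestSeed, even ones sendKey
        rec.difference += 1 if m.data[0] % 2 == 1 else -1

    def detect_reconnaissance(self, m):          # FIG. 8, steps S21-S23
        rec = self.table.get(m.src)
        if rec is None or rec.state in ("recon_completed", "blocked"):
            return                               # assumption: later states are not reset here
        rec.state = "recon_in_progress" if rec.difference > self.threshold else "normal"

    def detect_reconnaissance_completed(self, m):  # FIG. 9, steps S31-S36
        if m.protocol != "UDS" or m.sid != SID_SECURITY_ACCESS_POS:
            return
        seed = m.data[1:]                        # data[0] echoes the sub-function
        rec = self.table.get(m.dst)              # the response flows ECU -> source
        if not seed or any(seed) or rec is None or rec.state != "recon_in_progress":
            return                               # a non-zero Seed means the ECU is still locked
        rec.state, rec.dst_address = "recon_completed", m.src

    def detect_attack(self, m):                  # FIG. 10, steps S41-S44
        rec = self.table.get(m.src)
        if m.protocol != "UDS" or rec is None or rec.state not in ("recon_completed", "blocked"):
            return False
        rule = self.rules.get(m.dst)
        return bool(rule and rule(m))

    def process(self, m):                        # FIG. 6: steps S1-S6 for one message
        self.update_source_state(m)
        self.detect_reconnaissance(m)
        self.detect_reconnaissance_completed(m)
        if not self.detect_attack(m):
            return False
        self.table[m.src].state = "blocked"      # S5 block the message, S6 mark the source
        return True

def run(monitor, msgs):
    """Feed messages in order; return the indexes of those detected (and blocked) as attacks."""
    return [i for i, m in enumerate(msgs) if monitor.process(m)]

LOCKED_SEED = bytes([0x01, 0x11, 0x22])   # constructed: sub-function echo, then a non-zero Seed
ZERO_SEED = bytes([0x01, 0x00, 0x00])     # constructed: all-zero Seed, destination already unlocked
ANY_MESSAGE_IS_ATTACK = {"ecu-a": lambda m: True, "ecu-b": lambda m: True}  # rule from FIG. 5

def attacker_scenario(threshold=2):
    """FIG. 2: a source polls ECUs with requestSeed until one answers an all-zero Seed."""
    mon = Monitor(threshold, ANY_MESSAGE_IS_ATTACK)
    msgs = [Msg("att", "ecu-a", 0x27, b"\x01"), Msg("ecu-a", "att", 0x67, LOCKED_SEED),
            Msg("att", "ecu-b", 0x27, b"\x01"), Msg("ecu-b", "att", 0x67, LOCKED_SEED),
            Msg("att", "ecu-b", 0x27, b"\x01"), Msg("ecu-b", "att", 0x67, ZERO_SEED),
            Msg("att", "ecu-b", 0x22, b"\x12\x34")]   # some other service request (constructed)
    return run(mon, msgs), mon.table["att"].state

def retry_scenario(threshold=2):
    """FIG. 11: the tester misses the first Seed, re-requests it and then unlocks normally."""
    mon = Monitor(threshold, ANY_MESSAGE_IS_ATTACK)
    msgs = [Msg("tester", "ecu-a", 0x27, b"\x01"),                               # Seed lost
            Msg("tester", "ecu-a", 0x27, b"\x01"), Msg("ecu-a", "tester", 0x67, LOCKED_SEED),
            Msg("tester", "ecu-a", 0x27, b"\x02\xaa\xbb"), Msg("ecu-a", "tester", 0x67, b"\x02"),
            Msg("tester", "ecu-a", 0x22, b"\x12\x34")]
    return run(mon, msgs), mon.table["tester"].state

def accidental_scenario(threshold=2):
    """FIG. 13: a second tester sends one requestSeed to an ECU the first tester unlocked."""
    mon = Monitor(threshold, ANY_MESSAGE_IS_ATTACK)
    msgs = [Msg("tester2", "ecu-a", 0x27, b"\x01"), Msg("ecu-a", "tester2", 0x67, ZERO_SEED),
            Msg("tester2", "ecu-a", 0x22, b"\x12\x34")]
    return run(mon, msgs), mon.table["tester2"].state
```

Running the normal cases with the threshold set to 0 shows the false positive the threshold exists to avoid: the single accidental requestSeed of FIG. 13 would then be flagged and blocked.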
  • the communication monitoring device 10 can be implemented, for example, by causing a computer to execute a program describing the processing details described in this embodiment.
  • this "computer” may be a physical machine or a virtual machine on the cloud.
  • When the computer is a virtual machine, the "hardware" described here is virtual hardware.
  • the above program can be recorded on a computer-readable recording medium (portable memory, etc.), saved, or distributed. It is also possible to provide the above program through a network such as the Internet or e-mail.
  • FIG. 14 is a diagram showing a hardware configuration example of the computer.
  • the computer of FIG. 14 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, an output device 1008, etc., which are connected to each other via a bus B.
  • a program that implements the processing in the computer is provided by a recording medium 1001 such as a CD-ROM or memory card, for example.
  • the program is installed from the recording medium 1001 to the auxiliary storage device 1002 via the drive device 1000 .
  • the program does not necessarily need to be installed from the recording medium 1001, and may be downloaded from another computer via the network.
  • the auxiliary storage device 1002 stores installed programs, as well as necessary files and data.
  • the memory device 1003 reads and stores the program from the auxiliary storage device 1002 when a program activation instruction is received.
  • the CPU 1004 implements functions related to the device according to programs stored in the memory device 1003 .
  • the interface device 1005 is used as an interface for connecting to the network.
  • a display device 1006 displays a GUI (Graphical User Interface) or the like by a program.
  • An input device 1007 is composed of a keyboard, a mouse, buttons, a touch panel, or the like, and is used to input various operational instructions.
  • the output device 1008 outputs the calculation result.
  • Embodiments 1, 2, 3, and 4 will be described as specific examples of the present embodiment.
  • Embodiment 1 is an example in which the communication monitoring device 10 is installed on an in-vehicle network of an automobile.
  • FIG. 15 is a diagram showing a hardware configuration example of an automobile according to the first embodiment.
  • the automobile 1 includes a communication monitoring device 10, an ECU 20, and an interface 30 for external communication.
  • the communication monitoring device 10 can monitor communication via the external communication interface 30, identify the communication source and the communication destination ECU 20, and block communication detected as an attack.
  • Embodiment 2 is an example in which communication monitoring is executed by a device different from the vehicle 1 (which may be implemented by a cloud server or the like), and the communication device 40 provided in the vehicle 1 has the function of blocking communication.
  • FIG. 16 is a diagram showing an overview of the communication monitoring system according to the second embodiment.
  • a communication monitoring system includes a vehicle 1 and a communication monitoring device 10 .
  • the vehicle 1 and the communication monitoring device 10 are communicably connected to each other by wireless communication or the like.
  • the automobile 1 includes an ECU 20, an external communication interface 30, and a communication device 40.
  • the communication device 40 includes a communication section 41 and a communication blocking section 42 .
  • the communication monitoring device 10 includes a communication unit 17 instead of the communication blocking unit 16 of the communication monitoring device 10 shown in FIG.
  • the communication device 40 transmits data indicating the content of communication between the ECU 20 and the external device via the external communication interface 30 to the communication monitoring device 10 via the communication unit 41 . Based on the data received via the communication unit 17, the communication monitoring device 10 executes each process except for the communication blocking unit 16 according to the present embodiment described above. The communication monitoring device 10 then transmits information about the communication for which the attack was detected to the communication device 40 . The communication blocking unit 42 of the communication device 40 blocks the attack-detected communication based on the information received from the communication monitoring device 10 .
  • FIG. 17 is a functional configuration diagram of a communication monitoring apparatus according to the third embodiment;
  • the communication monitoring device 10 according to the third embodiment includes a detection result transmitting unit 18 instead of the communication blocking unit 16 of the communication monitoring device 10 shown in FIG.
  • the detection result transmission unit 18 transmits information about communications in which an attack has been detected by e-mail, message, SNS, etc. to a pre-designated destination.
  • The hardware configuration of the automobile according to Embodiment 3 is the same as in FIG.
  • the detection result transmission unit 18 of the communication monitoring device 10 transmits the detection result to an external device via the external communication interface 30 .
  • the detection result transmitting unit 18 may display the detection result on a display device or the like provided in the automobile 1 .
  • a fourth embodiment is an example in which communication is monitored by a device (which may be implemented by a cloud server or the like) different from the vehicle 1, and the device transmits the detection result.
  • FIG. 18 is a diagram showing an overview of the communication monitoring system according to the fourth embodiment.
  • a communication monitoring system includes a vehicle 1 and a communication monitoring device 10 .
  • the vehicle 1 and the communication monitoring device 10 are communicably connected to each other by wireless communication or the like.
  • the automobile 1 includes an ECU 20, an external communication interface 30, and a communication device 40.
  • the communication device 40 includes a communication section 41 .
  • the communication monitoring device 10 has the same functional configuration as the communication monitoring device 10 shown in FIG.
  • the detection result transmission unit 18 of the communication monitoring apparatus 10 according to the fourth embodiment transmits information on communications in which an attack has been detected by e-mail, message, SNS, etc., to a predetermined destination.
  • the communication from the communication source to the communication destination is monitored, and the communication source status information 901 including the number of requests for unlocking to the communication destination is updated.
  • the reconnaissance of the unlock state to the communication destination by the communication source is detected.
  • it is possible to perform detection according to the state of the communication source and it is possible to reduce the probability of erroneous detection of normal diagnostic communication.
  • The attack detection unit 15 may also detect an attack using the results of various machine learning methods (for example, detecting communication that anomaly detection of diagnostic communication judges to be abnormal) or a rule based on time (for example, detecting a diagnostic communication sent within 1 second after a "Seed" with all byte values of "0x00" is observed).
  • This specification describes at least a communication monitoring device, a communication monitoring method, and a program described in each of the following items.
  • (Section 1) A communication monitoring device comprising: a communication source state update unit that monitors communication from a communication source to a communication destination and updates information indicating the state of the communication source, including the number of requests for unlocking to the communication destination; a reconnaissance detection unit that detects, based on the information indicating the state of the communication source, reconnaissance of the unlocked state of the communication destination by the communication source; and an attack detection unit that detects an attack on the communication destination from the communication source for which reconnaissance has been detected.
  • (Section 2) The communication monitoring device according to item 1, wherein the information indicating the state of the communication source is information indicating a difference between the number of transmissions of requests for data for unlocking to the communication destination and the number of transmissions of requests for unlocking based on that data, and the reconnaissance detection unit detects, based on the difference, reconnaissance of the unlocked state of the communication destination by the communication source.
  • (Section 3) further comprising a communication blocking unit that blocks communication to the communication destination from the communication source for which the attack has been detected.
  • (Section 5) The communication monitoring device according to any one of items 1 to 4, further comprising a reconnaissance completion detection unit that detects completion of reconnaissance of the communication destination by the communication source for which reconnaissance has been detected, wherein the attack detection unit detects an attack on the communication destination from the communication source for which completion of reconnaissance has been detected.
  • (Section 6) The communication monitoring device according to any one of items 1 to 5, wherein the communication destination is an ECU and the communication is communication for diagnosing the ECU.
  • (Section 7) A computer-implemented communication monitoring method comprising: monitoring communication from a communication source to a communication destination and updating information indicating the state of the communication source, including the number of requests for unlocking to the communication destination; detecting, based on the information indicating the state of the communication source, reconnaissance of the unlocked state of the communication destination by the communication source; and detecting an attack on the communication destination from the communication source for which the reconnaissance has been detected.
  • (Section 8) A program for causing a computer to function as each unit of the communication monitoring device according to any one of items 1 to 6.

Abstract

The present invention is a communication monitoring device comprising: a communication source state update unit that monitors communication from a communication source to a communication destination, and that updates information indicating the state of the communication source, including the number of requests to the communication destination relating to lock release; a surveillance detection unit that, on the basis of the information indicating the state of the communication source, detects surveillance by the communication source of a lock release state with respect to the communication destination; and an attack detection unit that detects an attack on the communication destination from the communication source in which the surveillance was detected.

Description

COMMUNICATION MONITORING DEVICE, COMMUNICATION MONITORING METHOD AND PROGRAM
The present invention relates to a communication monitoring device, a communication monitoring method and a program.
Technology has been developed to detect abnormal communication that uses UDS (Unified Diagnostic Services), the protocol used for fault diagnosis and reprogramming of the ECUs (Electronic Control Units) installed in automobiles.
For example, Non-Patent Document 1 discloses a method of detecting anomalies by learning a language model of normal diagnostic communication using natural language processing.
In a cyberattack, the first stage is often reconnaissance: the attacker sends a certain request to the target and uses the response to determine whether the target can be attacked. There is therefore a demand to detect such reconnaissance so that measures such as notifying that an anomaly has occurred, or blocking communication from the source that performed the reconnaissance, can be taken. However, in normal diagnostic communication a diagnostic tool may also send requests that resemble such reconnaissance and perform its diagnosis from the responses of the target device, so the conventional technology has the problem that normal diagnostic communication is mistakenly judged to be reconnaissance.
The disclosed technology aims to provide a device that performs highly accurate anomaly detection while reducing the probability of erroneously detecting normal diagnostic communication.
The disclosed technology is a communication monitoring device comprising: a communication source state update unit that monitors communication from a communication source to a communication destination and updates information indicating the state of the communication source, including the number of requests for unlocking to the communication destination; a reconnaissance detection unit that detects, based on the information indicating the state of the communication source, reconnaissance of the unlocked state of the communication destination by the communication source; and an attack detection unit that detects an attack on the communication destination from the communication source for which reconnaissance has been detected.
A device that performs highly accurate anomaly detection while reducing the probability of erroneously detecting normal diagnostic communication can thus be provided.
FIG. 1 is a diagram for explaining an example of a communication method involving unlocking.
FIG. 2 is a sequence diagram showing an example of a SecurityAccess evasion attack.
FIG. 3 is a functional configuration diagram of the communication monitoring device.
FIG. 4 is a diagram showing an example of communication source state information.
FIG. 5 is a diagram showing an example of attack determination rule information.
FIG. 6 is a flowchart showing an example of the flow of the communication monitoring process.
FIG. 7 is a flowchart showing an example of the flow of the communication source state update process.
FIG. 8 is a flowchart showing an example of the flow of the reconnaissance detection process.
FIG. 9 is a flowchart showing an example of the flow of the reconnaissance completion detection process.
FIG. 10 is a flowchart showing an example of the flow of the attack detection process.
FIG. 11 is a first diagram for explaining normal diagnostic communication.
FIG. 12 is a second diagram for explaining normal diagnostic communication.
FIG. 13 is a third diagram for explaining normal diagnostic communication.
FIG. 14 is a diagram showing an example hardware configuration of the communication monitoring device.
FIG. 15 is a diagram showing an example hardware configuration of an automobile according to Embodiment 1.
FIG. 16 is a diagram showing an outline of a communication monitoring system according to Embodiment 2.
FIG. 17 is a functional configuration diagram of a communication monitoring device according to Embodiment 3.
FIG. 18 is a diagram showing an outline of a communication monitoring system according to Embodiment 4.
An embodiment of the present invention (this embodiment) will be described below with reference to the drawings. The embodiment described below is merely an example, and embodiments to which the present invention is applied are not limited to it.
(Communication method assumed as a premise)
First, the communication method on which this embodiment is premised will be described. Ethernet (registered trademark), CAN (Controller Area Network) and the like are known as typical communication protocols used for in-vehicle communication in automobiles. For example, an automobile that performs CAN communication is equipped with a plurality of electronic control units (ECUs). The ECUs communicate with one another by broadcasting message data over CAN. Message data transmitted and received over CAN carries a payload, which is the data body, and an ID (called the CAN-ID) used to identify the contents of the payload. Note that CAN message data contains no information about source or destination addresses.
UDS (Unified Diagnostic Services) is also known as a protocol for performing fault diagnosis and reprogramming of ECUs over the Ethernet and CAN networks mentioned above. UDS is a protocol that defines layer 7 of the OSI (Open Systems Interconnection) reference model. UDS specifies the communication method, the message format, the procedures of the diagnostic services (such as the service that rewrites memory), and so on that a diagnostic tool uses when performing fault diagnosis, reprogramming, and the like on an ECU.
UDS also specifies an access control mechanism so that only legitimate users can use its services. Specifically, in UDS, before using a service that could cause serious damage if abused by an unauthorized user (such as the service that reprograms an ECU), the ECU must be unlocked by means of the "SecurityAccess Service". The "SecurityAccess Service" is the access control mechanism defined in UDS to prevent unauthorized users from abusing UDS services. Diagnostic communication using the "SecurityAccess Service" is one example of a communication method involving unlocking.
FIG. 1 is a diagram for explaining an example of a communication method involving unlocking. The communication source (for example, a diagnostic tool) requests the "Seed" needed for unlocking (requestSeed). Here, SID=0x27 is the identifier that identifies the "SecurityAccess Service".
Next, the communication destination (for example, an ECU) sends the "Seed" to the communication source. The communication source then calculates a Key from the received "Seed" and sends it to the communication destination (sendKey). This sendKey is an example of a communication that requests unlocking. The communication destination unlocks and sends an unlock notification to the communication source (positive response).
Against the unlocking method described above, reconnaissance of the unlocked state using "requestSeed", and a SecurityAccess evasion attack that exploits the result of that reconnaissance, are feasible. In particular, depending on the implementation, when the communication destination unlocks it may unlock not only for the communication source that requested the unlock but for all sources.
In particular, for communication to an ECU over CAN, the CAN protocol specification makes it difficult to identify and keep track of the source of an unlock request. Consequently, if a device carrying out an attack (hereinafter called an attacking device) can identify an ECU that has been unlocked by another device's request, it can use UDS services without ever requesting an unlock itself.
In normal operation an ECU is unlocked only for a short time, so if an attacking device sent a UDS service request to an arbitrary ECU without first reconnoitering its unlocked state, that ECU would very likely be locked. The attacking device is therefore very likely to receive a "negative response", meaning refusal, to the service request.
A "negative response", however, corresponds to a system error or alert and is a trace of the attack that is easily noticed by security administrators and systems. It is therefore expected that, in order to carry out a SecurityAccess evasion attack, an attacking device would identify an ECU that is already unlocked by a method that does not generate a "negative response".
That method is now described specifically. As a premise, UDS specifies the following. An ECU that is already unlocked responds to "requestSeed" with a "Seed" in which every byte has the value 0x00. When an ECU receives an incorrect "Key" in "sendKey", it sends a "negative response". Furthermore, even if a communication source repeatedly does nothing but obtain a "Seed", and the ECU never receives a "sendKey", the ECU does not send a "negative response".
Given the above specification, an attacking device can carry out the following SecurityAccess evasion attack. The attacking device sends "requestSeed" to an arbitrary ECU at an arbitrary time and obtains the "Seed". The attacking device then checks whether every byte of the obtained "Seed" is 0x00; if so, it concludes that the ECU is in the unlocked state and carries out unauthorized access.
FIG. 2 is a sequence diagram showing an example of a SecurityAccess evasion attack. The communication source, which is an attacking device, sends "requestSeed" to a first communication destination, a second communication destination, and so on, and obtains a "Seed" from each. The communication source then checks whether every byte of the obtained "Seed" is 0x00. If not, it does nothing further, sends "requestSeed" again to the first communication destination, the second communication destination, and so on, and again checks whether every byte of each obtained "Seed" is 0x00. When the communication source determines that every byte of a "Seed" is 0x00, it completes the reconnaissance and carries out unauthorized access.
(Communication monitoring device according to this embodiment)
Next, the communication monitoring device according to this embodiment, which is intended to detect the SecurityAccess evasion attack described above, will be described.
FIG. 3 is a functional configuration diagram of the communication monitoring device. The communication monitoring device 10 includes a storage unit 11, a communication source state update unit 12, a reconnaissance detection unit 13, a reconnaissance completion detection unit 14, an attack detection unit 15, and a communication blocking unit 16.
The storage unit 11 stores various kinds of information; specifically, it stores communication source state information 901 and attack determination rule information 902.
The communication source state information 901 is information indicating the state of a communication source, including the number of requests for unlocking to a communication destination. The attack determination rule information 902 is information that defines the rules for determining whether a target communication is an attack.
The communication source state update unit 12 monitors communication from a communication source to a communication destination and updates the communication source state information 901.
The reconnaissance detection unit 13 detects, based on the communication source state information 901, reconnaissance of the unlocked state of a communication destination by a communication source.
The reconnaissance completion detection unit 14 detects that reconnaissance of the unlocked state of the communication destination by a communication source for which reconnaissance has been detected has been completed.
The attack detection unit 15 detects, based on the attack determination rule information 902, whether or not there is an attack on the communication destination from a communication source for which completion of reconnaissance has been detected.
The communication blocking unit 16 blocks communication to the communication destination from a communication source for which an attack has been detected.
Next, the information handled by the communication monitoring device 10 will be described. FIG. 4 is a diagram showing an example of communication source state information.
The communication source state information 901 includes, as items, a communication source address, a difference, a state, and a communication destination address.
The value of the item "communication source address" is a value identifying the communication source, for example a MAC (Media Access Control) address or an IP (Internet Protocol) address. If the communication source address is unknown, the value of the item "communication source address" is set to "unknown". Therefore, in the processing described later, the state information for a communication source whose address is unknown can be obtained by referring to the record whose "communication source address" is "unknown". For example, when the communication protocol is Ethernet, the communication monitoring device 10 can extract the communication source address from the communication data. When the communication protocol is CAN, on the other hand, it is difficult for the communication monitoring device 10 to extract the communication source address from the communication data.
The value of the item "difference" is the difference between the number of "requestSeed" transmissions and the number of "sendKey" transmissions from the same communication source to each communication destination. The larger the difference value, the more "requestSeed" has been sent relative to "sendKey", which indicates a high likelihood that the communication source is carrying out the SecurityAccess evasion attack described above. The number of "requestSeed" transmissions is an example of the number of times data for unlocking is requested from the communication destination. The number of "sendKey" transmissions is an example of the number of times unlocking based on that data is requested from the communication destination.
The value of the item "state" indicates the state of each communication source and is one of "normal", "reconnaissance in progress", "reconnaissance completed", or "blocked".
The value of the item "communication destination address" is a value identifying the communication destination, for example a MAC address, an IP address, or a CAN-ID.
As described above, the communication source state information 901 holds a "difference" and a "state" for each combination of communication source and communication destination.
The communication monitoring device 10 may also initialize the communication source state information 901 periodically. For example, if neither the "difference" value nor the "state" value of a record changes for a predetermined time, the record is deleted (or its "difference" value is reset to "0", its "state" value to "normal", and its "communication destination address" value to empty).
FIG. 5 is a diagram showing an example of attack determination rule information. The attack determination rule information 902 includes, as items, a communication destination address and a determination rule.
The value of the item "communication destination address" is a value identifying the communication destination, for example a MAC address or an IP address.
The value of the item "determination rule" indicates the rule by which a communication is judged to be an attack. The item "determination rule" defines rules for judging an attack such as: judge every message addressed to the communication destination address to be an attack; judge every message that specifies no destination to be an attack; judge any message whose payload contains a given value to be an attack; and so on.
Next, the operation of the communication monitoring device 10 according to this embodiment will be described. FIG. 6 is a flowchart showing an example of the flow of the communication monitoring process.
The communication monitoring device 10 executes the communication monitoring process in response to a user operation or periodically. Specifically, the communication source state update unit 12 of the communication monitoring device 10 executes the communication source state update process, which updates the communication source state information 901 (step S1). Next, the reconnaissance detection unit 13 executes the reconnaissance detection process, which detects reconnaissance by each communication source (step S2).
Subsequently, the reconnaissance completion detection unit 14 executes the reconnaissance completion detection process, which detects that reconnaissance by a communication source for which reconnaissance has been detected has been completed (step S3). The attack detection unit 15 then executes the attack detection process, which detects an attack by a communication source for which completion of reconnaissance has been detected (step S4).
Next, the communication blocking unit 16 blocks the communication in which the attack was detected (step S5). The communication blocking unit 16 then updates the value of the item "state" in the communication source state information 901 record associated with the blocked communication to "blocked" (step S6).
Next, each of the processes from step S1 to step S4 will be described in detail. FIG. 7 is a flowchart showing an example of the flow of the communication source state update process. The communication source state update unit 12 determines whether the application layer protocol of the monitored communication is UDS (step S11). If it determines that the protocol is not UDS (step S11: No), the communication source state update unit 12 ends the communication source state update process.
If it determines that the protocol is UDS (step S11: Yes), the communication source state update unit 12 determines whether the SID specified in the communication is 0x27 (step S12). If it determines that the SID is not 0x27 (step S12: No), the communication source state update unit 12 ends the communication source state update process.
If it determines that SID=0x27 (step S12: Yes), the communication source state update unit 12 determines whether sub-function=requestSeed (step S13). If it determines that sub-function=requestSeed (step S13: Yes), the communication source state update unit 12 adds 1 to the value of the item "difference" in the communication source state information 901 (step S15).
If it determines that sub-function is not requestSeed (step S13: No), the communication source state update unit 12 further determines whether sub-function=sendKey (step S14). If it determines that sub-function is not sendKey (step S14: No), the communication source state update unit 12 ends the communication source state update process.
If it determines that sub-function=sendKey (step S14: Yes), the communication source state update unit 12 subtracts 1 from the value of the item "difference" in the communication source state information 901 (step S16).
In this way, the communication source state update unit 12 adds 1 to the value of the item "difference" when the monitored communication is "requestSeed" and subtracts 1 from it when the monitored communication is "sendKey".
FIG. 8 is a flowchart showing an example of the flow of the reconnaissance detection process. The reconnaissance detection unit 13 determines whether the value of the item "difference" in the communication source state information 901 exceeds a preset threshold (step S21). The threshold may be made configurable by the user, for example as an arbitrary value of 2 or more.
If it determines that the value of the item "difference" exceeds the threshold (step S21: Yes), the reconnaissance detection unit 13 updates the value of the item "state" in the communication source state information 901 to "reconnaissance in progress" (step S22). If it determines that the value of the item "difference" does not exceed the threshold (step S21: No), the reconnaissance detection unit 13 updates the value of the item "state" in the communication source state information 901 to "normal" (step S23).
FIG. 9 is a flowchart showing an example of the flow of the reconnaissance completion detection process. The reconnaissance completion detection unit 14 determines whether the application layer protocol of the monitored communication is UDS (step S31). If it determines that the protocol is not UDS (step S31: No), the reconnaissance completion detection unit 14 ends the reconnaissance completion detection process.
If it determines that the protocol is UDS (step S31: Yes), the reconnaissance completion detection unit 14 determines whether the SID specified in the communication is 0x67 (step S32). If it determines that the SID is not 0x67 (step S32: No), the reconnaissance completion detection unit 14 ends the reconnaissance completion detection process.
If it determines that SID=0x67 (step S32: Yes), the reconnaissance completion detection unit 14 determines whether sub-function=requestSeed (step S33). If it determines that sub-function is not requestSeed (step S33: No), the reconnaissance completion detection unit 14 ends the reconnaissance completion detection process.
If it determines that sub-function=requestSeed (step S33: Yes), the reconnaissance completion detection unit 14 determines whether every byte of the "Seed" is "0x00" (step S34). If it determines that any byte of the "Seed" is not "0x00" (step S34: No), the reconnaissance completion detection unit 14 ends the reconnaissance completion detection process.
If it determines that every byte of the "Seed" is "0x00" (step S34: Yes), the reconnaissance completion detection unit 14 determines whether the value of the item "state" in the communication source state information 901 is "reconnaissance in progress" (step S35). If it determines that the value of the item "state" is not "reconnaissance in progress" (step S35: No), the reconnaissance completion detection unit 14 ends the reconnaissance completion detection process.
If it determines that the value of the item "state" is "reconnaissance in progress" (step S35: Yes), the reconnaissance completion detection unit 14 updates the value of the item "state" in the communication source state information 901 to "reconnaissance completed" and the value of the item "communication destination address" to the detected communication destination address (step S36).
FIG. 10 is a flowchart showing an example of the flow of the attack detection process. The attack detection unit 15 determines whether the application layer protocol of the monitored communication is UDS (step S41). If it determines that the protocol is not UDS (step S41: No), it ends the attack detection process.
If the attack detection unit 15 determines that the protocol is UDS (step S41: Yes), it determines whether the value of the item "state" in the communication source state information 901 is "reconnaissance completed" or "blocked" (step S42). If it determines that the value of "state" is neither "reconnaissance completed" nor "blocked" (step S42: No), it ends the attack detection process.
If the attack detection unit 15 determines that the value of "state" is "reconnaissance completed" or "blocked" (step S42: Yes), it determines whether the communication satisfies the determination rule defined in the attack determination rule information 902 (step S43). If it determines that the rule is not satisfied (step S43: No), it ends the attack detection process.
If the attack detection unit 15 determines that the determination rule is satisfied (step S43: Yes), it judges the target communication to be an attack (step S44).
(Operation of the communication monitoring device 10 according to the present embodiment for normal diagnostic communication)
Next, the operation of the communication monitoring device 10 according to the present embodiment for normal diagnostic communication is described.
FIG. 11 is a first diagram for explaining normal diagnostic communication. The case of FIG. 11 arises when the diagnostic tester (the communication source) requests "Seed", fails for some reason to receive "Seed", and requests it again; it is therefore a case of normal diagnostic communication.
In this case, a conventional approach that decides abnormality by machine learning would, because failure to receive "Seed" is rare, judge the case to have a low probability of occurrence and is expected to detect it as anomalous.
By contrast, the communication monitoring device 10 according to the present embodiment does not judge a communication abnormal on the strength of a single anomalous message: with the threshold set appropriately, it judges on the cumulative difference between the number of "requestSeed" transmissions and the number of "sendKey" transmissions. It can therefore judge the case of FIG. 11 as normal communication. Even if the threshold were set to 1 and the reconnaissance detection unit 13 detected reconnaissance, the communication monitoring device 10 can still judge the case of FIG. 11 as normal on the basis of the determinations made by the reconnaissance completion detection unit 14 or the attack detection unit 15.
FIG. 12 is a second diagram for explaining normal diagnostic communication. The case of FIG. 12 arises when the diagnostic tester (the communication source) evaluates each destination ECU in turn, for example in a security evaluation at the time of vehicle type approval; it is therefore a case of normal diagnostic communication.
In this case too, a conventional approach that decides abnormality by machine learning would, because repeatedly sending "requestSeed" to multiple destinations is rare, judge the case to have a low probability of occurrence and is expected to detect it as anomalous.
By contrast, the communication monitoring device 10 according to the present embodiment can judge the case of FIG. 12 as normal communication on the basis of the determinations made by the reconnaissance completion detection unit 14 or the attack detection unit 15, even when the reconnaissance detection unit 13 has detected reconnaissance.
FIG. 13 is a third diagram for explaining normal diagnostic communication. The case of FIG. 13 is one in which a second diagnostic tester (the second communication source) happens to send "requestSeed" to a destination ECU that has already been unlocked by a first diagnostic tester (the first communication source); it is a case of normal diagnostic communication.
In this case too, a conventional approach that decides abnormality by machine learning would, because the second source sends "requestSeed", is returned a "Seed" whose bytes are all 0x00 and then executes reprogramming, judge the case to have a low probability of occurrence and is expected to detect it as anomalous.
By contrast, with the communication monitoring device 10 according to the present embodiment, the communication from the second source contains no reconnaissance behaviour such as repeatedly sending "requestSeed", so the reconnaissance detection unit 13 is not expected to detect reconnaissance. The communication monitoring device 10 can therefore judge the case of FIG. 13 as normal communication.
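The FIG. 8 to FIG. 10 processing and the three normal cases of FIG. 11 to FIG. 13 can be exercised together in a small simulation. The following Python is an added example written for this page, not code from the patent: the Msg, SourceState and Monitor classes, the default threshold of 2, the per-source bookkeeping, the reprogramming-service rule that stands in for the attack determination rule information 902 (the page does not give the rule's contents), the assumptions that the "blocked" state is set once an attack is detected and that the "reconnaissance completed" and "blocked" states are not reset by the FIG. 8 step, and the traces FIG11, FIG12, FIG13 and ATTACK are all constructed for the example.

```python
"""Added example: the FIG. 8 to FIG. 10 state machine run over the FIG. 11 to
FIG. 13 traces and one attack trace. Not the patent's code; message layout,
per-source bookkeeping, the stand-in attack rule and the traces are assumed."""
from dataclasses import dataclass
from typing import Optional

# ISO 14229-1: SecurityAccess request SID 0x27, positive response SID 0x67
# (0x27 + 0x40); odd sub-function = requestSeed, even = sendKey. An ECU that
# is already unlocked answers requestSeed with a seed of all 0x00 bytes.
SID_SECURITY_ACCESS, SID_SECURITY_ACCESS_RESP = 0x27, 0x67
# Assumed stand-in for rule information 902: reprogramming-type services
# (RequestDownload, TransferData, RequestTransferExit, ECUReset) sent to the
# ECU whose unlocked state the source discovered.
ATTACK_SIDS = {0x34, 0x36, 0x37, 0x11}
NORMAL, RECON, RECON_DONE, BLOCKED = (
    "normal", "reconnaissance in progress", "reconnaissance completed", "blocked")


@dataclass
class Msg:
    src: str        # sender address (tester or ECU)
    dst: str        # receiver address
    payload: bytes  # UDS application layer: SID, sub-function, data


@dataclass
class SourceState:  # one row of communication source state information 901
    difference: int = 0        # requestSeed count minus sendKey count
    state: str = NORMAL
    dst: Optional[str] = None  # destination address found unlocked


class Monitor:
    def __init__(self, threshold: int = 2):
        self.threshold = threshold
        self.sources: dict[str, SourceState] = {}

    def _state(self, tester: str) -> SourceState:
        return self.sources.setdefault(tester, SourceState())

    def observe(self, m: Msg) -> Optional[str]:
        """Process one message; returns "attack" when the FIG. 10 check fires."""
        sid = m.payload[0]
        sub = m.payload[1] if len(m.payload) > 1 else 0
        if sid == SID_SECURITY_ACCESS:               # tester -> ECU
            st = self._state(m.src)
            st.difference += 1 if sub % 2 == 1 else -1
            # FIG. 8 (assumption: completed/blocked states are kept as they are)
            if st.state in (NORMAL, RECON):
                st.state = RECON if st.difference > self.threshold else NORMAL
            return None
        if sid == SID_SECURITY_ACCESS_RESP:          # ECU -> tester
            st = self._state(m.dst)                  # the source is the tester
            seed = m.payload[2:]
            # FIG. 9: all-zero seed to requestSeed while the source is reconnoitring
            if sub % 2 == 1 and seed and not any(seed) and st.state == RECON:
                st.state, st.dst = RECON_DONE, m.src
            return None
        st = self._state(m.src)                      # any other diagnostic request
        # FIG. 10: only sources past reconnaissance are checked against the rule
        if st.state in (RECON_DONE, BLOCKED) and m.dst == st.dst and sid in ATTACK_SIDS:
            st.state = BLOCKED                       # assumption: blocking unit marks the source
            return "attack"
        return None


# Constructed traffic (minimal payloads, not full UDS frames).
def req_seed(t, e):         return Msg(t, e, bytes([0x27, 0x01]))
def seed_resp(e, t, seed):  return Msg(e, t, bytes([0x67, 0x01]) + seed)
def send_key(t, e):         return Msg(t, e, bytes([0x27, 0x02, 0xAA, 0xBB]))
def request_download(t, e): return Msg(t, e, bytes([0x34, 0x00, 0x44]))

LOCKED, UNLOCKED = bytes([0x12, 0x34]), bytes([0x00, 0x00])
# FIG. 11: the tester re-requests the seed after failing to receive it.
FIG11 = [req_seed("T1", "E1"), req_seed("T1", "E1"),
         seed_resp("E1", "T1", LOCKED), send_key("T1", "E1")]
# FIG. 12: one tester asks every ECU for a seed (type-approval security evaluation).
FIG12 = [m for e in ("E1", "E2", "E3", "E4")
         for m in (req_seed("T1", e), seed_resp(e, "T1", LOCKED))]
# FIG. 13: T1 unlocks E1; T2 then asks E1 for a seed, gets all zeros and reprograms.
FIG13 = [req_seed("T1", "E1"), seed_resp("E1", "T1", LOCKED), send_key("T1", "E1"),
         req_seed("T2", "E1"), seed_resp("E1", "T2", UNLOCKED), request_download("T2", "E1")]
# Attack: X probes ECUs until one answers with an all-zero seed, then reprograms it.
ATTACK = [m for e in ("E1", "E2", "E3")
          for m in (req_seed("X", e), seed_resp(e, "X", LOCKED))] + [
          req_seed("X", "E4"), seed_resp("E4", "X", UNLOCKED), request_download("X", "E4")]


def classify(trace, threshold=2):
    """Returns (attack detected?, final "state" of every source) for a trace."""
    mon = Monitor(threshold)
    hits = [mon.observe(m) == "attack" for m in trace]
    return any(hits), {src: st.state for src, st in mon.sources.items()}


if __name__ == "__main__":
    for name, trace in (("FIG11", FIG11), ("FIG12", FIG12), ("FIG13", FIG13), ("ATTACK", ATTACK)):
        print(name, classify(trace))
```

Running classify over the four traces gives no attack for FIG11 (the source ends in "normal", with or without a threshold of 1), none for FIG12 (the source ends in "reconnaissance in progress", but every seed is non-zero, so step S35 is never reached) and none for FIG13 (the second tester's difference never exceeds the threshold, so its all-zero seed is not recorded), and an attack for ATTACK; after that the source stays "blocked", so further reprogramming requests from it are still judged attacks.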
(Hardware configuration example of the communication monitoring device)
The communication monitoring device 10 can be implemented, for example, by causing a computer to execute a program describing the processing described in this embodiment. This "computer" may be a physical machine or a virtual machine in the cloud. When a virtual machine is used, the "hardware" described here is virtual hardware.
The program can be recorded on a computer-readable recording medium (portable memory or the like) for storage or distribution. The program can also be provided over a network such as the Internet or by e-mail.
FIG. 14 shows a hardware configuration example of the computer. The computer of FIG. 14 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, an output device 1008 and so on, connected to one another by a bus B.
A program that implements the processing on this computer is provided, for example, on a recording medium 1001 such as a CD-ROM or memory card. When the recording medium 1001 holding the program is set in the drive device 1000, the program is installed from the recording medium 1001 into the auxiliary storage device 1002 via the drive device 1000. The program need not be installed from the recording medium 1001; it may instead be downloaded from another computer over a network. The auxiliary storage device 1002 stores the installed program together with the files and data it needs.
The memory device 1003 reads the program from the auxiliary storage device 1002 and holds it when an instruction to start the program is received. The CPU 1004 implements the functions of the device in accordance with the program held in the memory device 1003. The interface device 1005 is used as an interface for connecting to a network. The display device 1006 displays a GUI (Graphical User Interface) or the like produced by the program. The input device 1007 consists of a keyboard and mouse, buttons, a touch panel or the like, and is used to enter operating instructions. The output device 1008 outputs computation results.
Next, Examples 1 to 4 are described as specific examples of the present embodiment.
(Example 1)
Example 1 is a case in which the communication monitoring device 10 is installed on the in-vehicle network of an automobile.
FIG. 15 shows a hardware configuration example of the automobile according to Example 1. The automobile 1 comprises the communication monitoring device 10, ECUs 20 and an external communication interface 30. In this configuration the communication monitoring device 10 monitors communication passing through the external communication interface 30, identifies the communication source and the destination ECU 20, and can block communication it detects as an attack.
(Example 2)
Example 2 is a case in which communication monitoring is performed on a device separate from the automobile 1 (it may be implemented on a cloud server or the like) and the communication blocking function is provided by a communication device 40 on board the automobile 1.
FIG. 16 gives an overview of the communication monitoring system according to Example 2. The system includes the automobile 1 and the communication monitoring device 10, which are communicably connected to each other by wireless communication or the like.
The automobile 1 comprises ECUs 20, an external communication interface 30 and a communication device 40. The communication device 40 comprises a communication unit 41 and a communication blocking unit 42.
The communication monitoring device 10 comprises a communication unit 17 in place of the communication blocking unit 16 of the communication monitoring device 10 shown in FIG. 3.
The communication device 40 uses the communication unit 41 to send the communication monitoring device 10 data describing the communication between the ECUs 20 and external equipment over the external communication interface 30. On the basis of the data received through the communication unit 17, the communication monitoring device 10 performs each of the processes of this embodiment described above other than that of the communication blocking unit 16. It then sends the communication device 40 information about the communication detected as an attack, and the communication blocking unit 42 of the communication device 40 blocks that communication on the basis of the information received from the communication monitoring device 10.
(Example 3)
Example 3 is a case in which, instead of blocking the communication, the detection result is sent to a predesignated destination. FIG. 17 is a functional configuration diagram of the communication monitoring device according to Example 3. The communication monitoring device 10 according to Example 3 comprises a detection result transmission unit 18 in place of the communication blocking unit 16 of the communication monitoring device 10 shown in FIG. 3.
The detection result transmission unit 18 sends information about the communication detected as an attack to a predesignated destination by e-mail, messaging, SNS or the like.
The hardware configuration of the automobile according to Example 3 is the same as in FIG. 15. The detection result transmission unit 18 of the communication monitoring device 10 sends the detection result to external equipment through the external communication interface 30. The detection result transmission unit 18 may also display the detection result on a display device or the like provided in the automobile 1.
(Example 4)
Example 4 is a case in which communication monitoring is performed on a device separate from the automobile 1 (it may be implemented on a cloud server or the like) and that device sends the detection result.
FIG. 18 gives an overview of the communication monitoring system according to Example 4. The system includes the automobile 1 and the communication monitoring device 10, which are communicably connected to each other by wireless communication or the like.
The automobile 1 comprises ECUs 20, an external communication interface 30 and a communication device 40. The communication device 40 comprises a communication unit 41.
The communication monitoring device 10 has the same functional configuration as the communication monitoring device 10 shown in FIG. 17. The detection result transmission unit 18 of the communication monitoring device 10 according to Example 4 sends information about the communication detected as an attack to a predesignated destination by e-mail, messaging, SNS or the like.
According to the communication monitoring device 10 of the present embodiment, communication from a communication source to a communication destination is monitored, the communication source state information 901, which includes the number of unlock-related requests to the destination, is updated, and reconnaissance by the source of the destination's unlocked state is detected on the basis of that information. Detection thus takes the state of the source into account, which keeps down the probability of false detections on normal diagnostic communication. By further detecting an attack on the destination from a source whose reconnaissance has been detected, the communication from that source to the destination can be blocked, or the detection result sent to a designated destination.
Instead of the attack determination rule information 902, the attack detection unit 15 described above may detect attacks using the output of machine-learning methods (detecting communication that anomaly detection on diagnostic communication reports as abnormal) or time-based rules (for example, detecting diagnostic communication sent within one second after a "Seed" whose bytes are all 0x00 was observed).
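The time-based rule in the paragraph above, as an added example that is not the patent's code: it flags a request sent within one second after an all-zero "Seed" was observed for the same tester and ECU. In the patent this rule would replace rule information 902 inside step S43 and so still be gated by the source state; the function here shows the rule on its own. The event tuples, addresses, timestamps and the default window are constructed for the example.

```python
"""Added example of the time-based rule (not the patent's code): flag any
diagnostic request a source sends to an ECU within `window` seconds after
that ECU answered the source's requestSeed with an all-zero seed. The event
layout and timestamps are constructed for the example."""


def is_all_zero_seed_response(payload: bytes) -> bool:
    # SID 0x67 = positive response to SecurityAccess; odd sub-function = requestSeed
    return (len(payload) > 2 and payload[0] == 0x67
            and payload[1] % 2 == 1 and not any(payload[2:]))


def time_rule(events, window: float = 1.0):
    """events: (t, src, dst, payload) in time order. Returns the flagged requests."""
    last_zero_seed = {}  # (tester, ecu) -> time the all-zero seed was observed
    flagged = []
    for t, src, dst, payload in events:
        if is_all_zero_seed_response(payload):
            last_zero_seed[(dst, src)] = t   # response: src is the ECU, dst the tester
            continue
        t0 = last_zero_seed.get((src, dst))  # only requests from that tester to that ECU
        if t0 is not None and 0 <= t - t0 <= window:
            flagged.append((t, src, dst, payload[0]))
    return flagged


EVENTS = [  # constructed trace; times in seconds
    (0.00, "X",  "E4", bytes([0x27, 0x01])),              # requestSeed
    (0.02, "E4", "X",  bytes([0x67, 0x01, 0x00, 0x00])),  # all-zero seed: already unlocked
    (0.30, "X",  "E4", bytes([0x34, 0x00, 0x44])),        # RequestDownload 0.28 s later
    (5.00, "T2", "E1", bytes([0x27, 0x01])),
    (5.02, "E1", "T2", bytes([0x67, 0x01, 0x00, 0x00])),
    (9.00, "T2", "E1", bytes([0x34, 0x00, 0x44])),        # almost 4 s later: outside the window
]
```

With the default one-second window only the RequestDownload from X to E4 is flagged; widening the window to five seconds also catches the later T2 request, which illustrates why the window, like the FIG. 8 threshold, has to be tuned against legitimate tester behaviour.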
(Summary of the embodiment)
This specification describes at least the communication monitoring device, communication monitoring method and program set out in the following items.
(Item 1)
A communication monitoring device comprising:
a communication source state updating unit that monitors communication from a communication source to a communication destination and updates information indicating the state of the communication source, the information including the number of requests relating to unlocking of the communication destination;
a reconnaissance detection unit that detects, on the basis of the information indicating the state of the communication source, reconnaissance by the communication source of the unlocked state of the communication destination; and
an attack detection unit that detects an attack on the communication destination from the communication source whose reconnaissance has been detected.
(Item 2)
The communication monitoring device according to Item 1, wherein the information indicating the state of the communication source is information indicating the difference between the number of transmissions of requests for the data used to unlock the communication destination and the number of transmissions of unlock request data based on that data, and
the reconnaissance detection unit detects, on the basis of the difference, reconnaissance by the communication source of the unlocked state of the communication destination.
(Item 3)
The communication monitoring device according to Item 1 or 2, further comprising a communication blocking unit that blocks communication to the communication destination from the communication source whose attack has been detected.
(Item 4)
The communication monitoring device according to any one of Items 1 to 3, further comprising a detection result transmission unit that transmits information indicating the detection result.
(Item 5)
The communication monitoring device according to any one of Items 1 to 4, further comprising a reconnaissance completion detection unit that detects that reconnaissance of the communication destination by a communication source whose reconnaissance has been detected is complete,
wherein the attack detection unit detects an attack on the communication destination from the communication source whose completion of reconnaissance has been detected.
(Item 6)
The communication monitoring device according to any one of Items 1 to 5, wherein the communication destination is an ECU and the communication is communication for diagnosing the ECU.
(Item 7)
A communication monitoring method executed by a computer, comprising:
monitoring communication from a communication source to a communication destination and updating information indicating the state of the communication source, the information including the number of requests relating to unlocking of the communication destination;
detecting, on the basis of the information indicating the state of the communication source, reconnaissance by the communication source of the unlocked state of the communication destination; and
detecting an attack on the communication destination from the communication source whose reconnaissance has been detected.
(Item 8)
A program for causing a computer to function as each unit of the communication monitoring device according to any one of Items 1 to 6.
Although the present embodiment has been described above, the present invention is not limited to this specific embodiment, and various modifications and changes are possible within the scope of the gist of the present invention set out in the claims.
1 automobile
10 communication monitoring device
11 storage unit
12 communication source state updating unit
13 reconnaissance detection unit
14 reconnaissance completion detection unit
15 attack detection unit
16 communication blocking unit
17 communication unit
18 detection result transmission unit
20 ECU
30 external communication interface
40 communication device
41 communication unit
42 communication blocking unit
901 communication source state information
902 attack determination rule information
1000 drive device
1001 recording medium
1002 auxiliary storage device
1003 memory device
1004 CPU
1005 interface device
1006 display device
1007 input device
1008 output device

Claims (8)

1. A communication monitoring device comprising:
a communication source state updating unit that monitors communication from a communication source to a communication destination and updates information indicating the state of the communication source, the information including the number of requests relating to unlocking of the communication destination;
a reconnaissance detection unit that detects, on the basis of the information indicating the state of the communication source, reconnaissance by the communication source of the unlocked state of the communication destination; and
an attack detection unit that detects an attack on the communication destination from the communication source whose reconnaissance has been detected.
2. The communication monitoring device according to claim 1, wherein the information indicating the state of the communication source is information indicating the difference between the number of times data for unlocking the communication destination is requested and the number of times unlocking based on that data is requested, and
the reconnaissance detection unit detects, on the basis of the difference, reconnaissance by the communication source of the unlocked state of the communication destination.
3. The communication monitoring device according to claim 1 or 2, further comprising a communication blocking unit that blocks communication to the communication destination from the communication source whose attack has been detected.
4. The communication monitoring device according to any one of claims 1 to 3, further comprising a detection result transmission unit that transmits information indicating the detection result.
5. The communication monitoring device according to any one of claims 1 to 4, further comprising a reconnaissance completion detection unit that detects that reconnaissance of the communication destination by a communication source whose reconnaissance has been detected is complete,
wherein the attack detection unit detects an attack on the communication destination from the communication source whose completion of reconnaissance has been detected.
6. The communication monitoring device according to any one of claims 1 to 5, wherein the communication destination is an ECU and the communication is communication for diagnosing the ECU.
7. A communication monitoring method executed by a computer, comprising:
monitoring communication from a communication source to a communication destination and updating information indicating the state of the communication source, the information including the number of requests relating to unlocking of the communication destination;
detecting, on the basis of the information indicating the state of the communication source, reconnaissance by the communication source of the unlocked state of the communication destination; and
detecting an attack on the communication destination from the communication source whose reconnaissance has been detected.
8. A program for causing a computer to function as each unit of the communication monitoring device according to any one of claims 1 to 6.
PCT/JP2021/006205 2021-02-18 2021-02-18 Communication monitoring device, communication monitoring method, and program WO2022176131A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2023500245A JPWO2022176131A1 (en) 2021-02-18 2021-02-18
PCT/JP2021/006205 WO2022176131A1 (en) 2021-02-18 2021-02-18 Communication monitoring device, communication monitoring method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/006205 WO2022176131A1 (en) 2021-02-18 2021-02-18 Communication monitoring device, communication monitoring method, and program

Publications (1)

Publication Number Publication Date
WO2022176131A1 true WO2022176131A1 (en) 2022-08-25

Family

ID=82930413

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/006205 WO2022176131A1 (en) 2021-02-18 2021-02-18 Communication monitoring device, communication monitoring method, and program

Country Status (2)

Country Link
JP (1) JPWO2022176131A1 (en)
WO (1) WO2022176131A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7590113B1 (en) * 2005-12-29 2009-09-15 At&T Corp. Method and apparatus for generating a reconnaissance index
WO2020184001A1 (en) * 2019-03-14 2020-09-17 日本電気株式会社 On-vehicle security measure device, on-vehicle security measure method, and security measure system

Also Published As

Publication number Publication date
JPWO2022176131A1 (en) 2022-08-25

Similar Documents

Publication Publication Date Title
US11277427B2 (en) System and method for time based anomaly detection in an in-vehicle communication
CN108028784B (en) Abnormality detection method, monitoring electronic control unit, and vehicle-mounted network system
EP3113529B1 (en) System and method for time based anomaly detection in an in-vehicle communication network
JP5423754B2 (en) Bus monitoring security device and bus monitoring security system
JP2023068037A (en) Vehicle abnormality detection server, vehicle abnormality detection system, and vehicle abnormality detection method
US20240073233A1 (en) System and method for providing security to in-vehicle network
JP2019194830A (en) System and method of generating rules for blocking computer attack on vehicle
JP2019194831A (en) System and method of blocking computer attack on transportation means
CN114629861A (en) Enhanced intelligent process control switch port locking
EP3547190B1 (en) Attack detection device, attack detection method, and attack detection program
EP3982587A1 (en) Authentication method, device, and system
JP7149888B2 (en) Information processing device, information processing method and program
US20200389436A1 (en) On-vehicle communication device, communication control method, and communication control program
CN112669104B (en) Data processing method of leasing equipment
JP2018117254A (en) Monitoring device, monitoring method, and computer program
JP2022173394A (en) Information processing apparatus, information processing method and program
US11811922B2 (en) Key generation device, a vehicle-internal communication system, and a method for the vehicle-internal management of cryptographic keys
WO2022176131A1 (en) Communication monitoring device, communication monitoring method, and program
US10666671B2 (en) Data security inspection mechanism for serial networks
EP3904161A1 (en) Information processing device
WO2023048185A1 (en) Vehicle security analysis device, method, and program thereof
TW202335468A (en) Method and apparatus for detecting anomalies of an infrastructure in a network
CN115981274A (en) Safety protection system of industrial control system
Lee et al. Threat analysis for an in-vehicle telematics control unit
JP2021167985A (en) On-vehicle security system and attack countermeasure method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21926566; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2023500245; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21926566; Country of ref document: EP; Kind code of ref document: A1)