WO2022185370A1 - In-vehicle device, program, and information processing method - Google Patents
- Publication number
- WO2022185370A1 (PCT/JP2021/007673)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- received
- processing unit
- normal cycle
- same type
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H04W4/44—Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
- H04L12/40006—Architecture of a communication node
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/2854—Wide area networks, e.g. public data networks
- H04L12/40—Bus networks
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Definitions
- the present disclosure relates to an in-vehicle device, a program, and an information processing method.
- the CAN communication protocol is widely used for communication between multiple in-vehicle ECUs (Electronic Control Units) installed in vehicles.
- the in-vehicle ECUs are connected by a common communication line to exchange data with each other, and data transmission and reception between in-vehicle ECUs in different groups is relayed by an in-vehicle relay device (gateway) (for example, Patent Document 1).
- the vehicle network of Patent Document 1 is equipped with a vehicle network monitoring device that is connected to each segment of the vehicle network and detects unauthorized data (messages) flowing through the vehicle network.
- when the vehicle network monitoring device detects unauthorized data (a message), it transmits warning information (a message code) to an on-vehicle control device (on-vehicle ECU).
- An in-vehicle device is connected to an in-vehicle network mounted in a vehicle and includes a processing unit that performs processing related to determining whether data flowing through the in-vehicle network is correct. The processing unit receives a plurality of data flowing through the in-vehicle network, derives the reception interval when data of the same type is received consecutively among the received data, and, based on that reception interval and a normal cycle range referenced to the reception time of the earlier-received data, determines whether the later-received data of the consecutively received same-type data is correct.
- FIG. 1 is a schematic diagram illustrating a configuration of an in-vehicle system including an in-vehicle device according to Embodiment 1;
- FIG. 2 is a block diagram illustrating a physical configuration of an in-vehicle device;
- FIG. 3 is an explanatory diagram of a data type table;
- FIG. 4 is an explanatory diagram relating to determination of data (normal determination);
- FIG. 10 is an explanatory diagram relating to determination of data (occurrence of communication disruption);
- FIG. 10 is an explanatory diagram relating to determination of data (abnormality (identification) determination);
- FIG. 4 is an explanatory diagram relating to data determination (abnormality (range) determination);
- FIG. 10 is an explanatory diagram relating to determination (combination) of data;
- FIG. 4 is an explanatory diagram regarding state transition of a processing unit of an in-vehicle device;
- FIG. 4 is an explanatory diagram relating to a determination mode by a processing unit of an in-vehicle device;
- FIG. 4 is a flowchart illustrating processing of a processing unit of an in-vehicle device;
- the vehicle network monitoring device of Patent Literature 1 has a problem in that no consideration is given to efficiently detecting fraudulent messages based on the transmission cycle of periodically transmitted messages.
- the purpose of the present disclosure is to provide an in-vehicle device or the like that can efficiently detect unauthorized data based on the transmission cycle of periodically transmitted data.
- An in-vehicle device is an in-vehicle device connected to an in-vehicle network mounted in a vehicle, the in-vehicle device comprising a processing unit that performs processing related to determining whether data flowing through the in-vehicle network is correct,
- the processing unit receives a plurality of data flowing through the in-vehicle network, derives the reception interval when data of the same type is received consecutively among the received data, and, based on the reception interval and a normal cycle range referenced to the reception time of the earlier-received data among the consecutively received data of the same type, determines whether the later-received data is correct.
- the processing unit of the in-vehicle device receives (obtains) a plurality of data such as CAN messages transmitted from the in-vehicle ECU connected to the in-vehicle network.
- the plurality of data includes, for example, data of the same type with the same CAN-ID (message ID), and when the processing unit receives data of the same type consecutively, it derives the reception interval between the reception time of the earlier-received data and the reception time of the later-received data.
- the processing unit determines whether the later-received data (data of the same type as the earlier-received data) is correct based on the reception interval and the normal cycle range referenced to the reception time of the earlier-received data, so fraudulent messages among periodically transmitted messages can be detected efficiently based on the transmission cycle.
- because the normal cycle range is referenced to the reception time of the earlier-received data, the correctness of the later-received data can be determined appropriately based on the normal cycle range even if that reception time deviates from a reception time fixed in advance from the start of the data's transmission cycle.
- the normal cycle range is a range in which upper and lower limits are set using a transmission cycle determined based on the data type as a reference value.
- the processing unit of the in-vehicle device uses a transmission cycle (design cycle) determined based on the type of data as a reference value and sets upper and lower limits around it, for example with the reference value as the median, to specify the normal cycle range.
- the transmission cycle at which data of the same type with the same CAN-ID (message ID) is transmitted is determined in advance by the type of the data (message ID).
- the processing unit of the in-vehicle device takes the transmission cycle as a reference value (for example, the median) and defines the normal cycle range with the value obtained by adding a time equivalent to a predetermined ratio (upper and lower limit ratio), such as a%, of the transmission cycle as the upper limit and the value obtained by subtracting that time as the lower limit.
- if the reception interval is within the normal cycle range referenced to the reception time of the earlier-received data among the consecutively received data of the same type, the processing unit determines that the later-received data is normal; if the reception interval is not within the normal cycle range, it determines that the later-received data is abnormal.
- the processing unit determines that the later-received data is normal when the reception interval between two consecutively received pieces of data of the same type is within the normal cycle range, and abnormal when it is not. In other words, data received at an interval outside the normal cycle range is determined to be abnormal, so the correctness of the data can be determined efficiently.
- the normal cycle range is, for example, a range whose upper and lower limits are set around the time obtained by adding the transmission cycle determined by the type of the data to the reception time of the earlier-received data. A reception interval within the normal cycle range therefore means that the reception time of the later-received data lies between the lower limit time (limit-low) and the upper limit time (limit-upp) defined by the normal cycle range. A reception interval outside the normal cycle range means that the reception time of the later-received data does not lie between limit-low and limit-upp; for example, it is before limit-low. Because the correctness of the later-received data is determined by whether the reception interval is inside or outside the normal cycle range specified from the reception time of the earlier-received data, unauthorized data can be detected efficiently.
- the processing unit of the in-vehicle device specifies the normal cycle range using as the reference the reception time of data (of the same type as the earlier data) received after the normal cycle range, that is, after the upper limit time (limit-upp) defined by the normal cycle range.
- by receiving (re-acquiring) the data that serves as the reference for specifying the normal cycle range, the correctness determination can be restarted efficiently for data received after the re-acquisition.
- when one piece of data of the same type is received within the normal cycle range, the processing unit determines that the one piece of data is normal; when a plurality of pieces of data of the same type are received within the normal cycle range, it determines that at least one of the pieces of data received within the normal cycle range is abnormal.
- since the transmission cycle at which a plurality of data of the same type are sequentially transmitted is determined in advance based on the type of the data, the number of data (of the same type as the earlier data) received within the normal cycle range, that is, between the lower limit time (limit-low) and the upper limit time (limit-upp) defined by the normal cycle range, is essentially one. If a plurality of pieces of data are received there, the plurality includes abnormal data.
- when the processing unit of the in-vehicle device receives a plurality of data of the same type within the normal cycle range, it determines that abnormal data is included in that range, so an anomaly within the predetermined reception period (range anomaly detection) can be detected efficiently.
- when the number of data (of the same type as the earlier data) received within the normal cycle range, that is, between the lower limit time (limit-low) and the upper limit time (limit-upp) defined by the normal cycle range, is two or more, the processing unit of the in-vehicle device specifies the normal cycle range used in the next determination process based on the reception time of data of the same type received after the upper limit time of that normal cycle range. That is, the processing unit determines that the plurality of data received within the normal cycle range includes at least one piece of abnormal data, and uses none of the plurality as reference data for specifying the normal cycle range used in subsequent determination processing.
- because the processing unit of the in-vehicle device specifies the normal cycle range to be used in subsequent determination processing based on the reception time of data of the same type received after the upper limit time of the normal cycle range, the correctness determination can be continued (restarted) efficiently even when a range anomaly is detected in the reception period (range anomaly detection).
- when data of the same type as the previously received data is received between the previous normal cycle range, which was used to determine the previously received data, and the current normal cycle range, which is referenced to the reception time of the previously received data, the processing unit determines that the data of the same type is abnormal.
- a plurality of data of the same type are sequentially transmitted according to a predetermined transmission cycle (design cycle), and the processing unit of the in-vehicle device receives the plurality of data sequentially.
- a normal cycle range for determining whether the data to be received next is correct is specified; the normal cycle range is therefore specified sequentially, in step with the data received sequentially.
- when the processing unit of the in-vehicle device receives data of the same type between the normal cycle range used to determine the correctness of the previously received data (the previous normal cycle range) and the normal cycle range referenced to the reception time of the previously received data (the current normal cycle range), it determines that the data of the same type is abnormal (specific abnormality detection).
- that is, when the processing unit of the in-vehicle device receives, between those two ranges, data of the same type as the previously received data, it determines that the data of the same type is abnormal. By using such determination logic, the processing unit of the in-vehicle device can efficiently determine that data received outside the normal cycle range is abnormal.
- when the processing unit receives one piece of data of the same type as the previously received data within the normal cycle range referenced to the reception time of the previously received data, it determines that the data of the same type is normal and specifies the next normal cycle range based on the reception time of the data determined to be normal.
- when the processing unit of the in-vehicle device receives data of the same type as the previously received data between the upper limit time (limit-upp) of the previous normal cycle range and the lower limit time (limit-low) of the current normal cycle range, it determines that the data of the same type is abnormal. Furthermore, when the processing unit receives one piece of data of the same type within the normal cycle range referenced to the reception time of the previously received data, that is, within the current normal cycle range, it determines that the data of the same type is normal.
- the processing unit of the in-vehicle device may count the number of pieces of data of the same type received from the upper limit time (limit-upp) of the previous normal cycle range to the upper limit time (limit-upp) of the current normal cycle range, and determine the correctness of each counted piece of data based on its reception interval.
- the processing unit transitions among a plurality of operating states, which include a reference data reception state for receiving the data that serves as the reference for specifying the normal cycle range, and a judgment execution state for judging whether received data is correct based on the specified normal cycle range.
- for example, until any data is first received (first reception) after the IG switch of the vehicle is turned on, or when data determined to be normal could not be received within the normal cycle range, the processing unit of the in-vehicle device transitions to the reference data reception state for receiving the reference data for specifying the normal cycle range.
- the processing unit that has transitioned to the reference data reception state keeps waiting for reception of the reference data.
- the processing unit of the in-vehicle device transitions to a determination execution state for determining whether the received data is correct or not based on the specified normal cycle range.
- because the processing unit of the in-vehicle device transitions among a plurality of operating states including the reference data reception state and the judgment execution state according to whether the data is correct, it can efficiently receive the reference data and efficiently specify the normal cycle range based on the reference data.
- when the processing unit determines that the received data is abnormal, it stores information corresponding to the mode of the abnormality in an accessible predetermined storage area.
- when the processing unit of the in-vehicle device determines that the received data is abnormal, it outputs information corresponding to the mode of the abnormality or stores it in a predetermined storage area accessible from the unit itself, so the operator or the like can be notified of the occurrence of the abnormality efficiently.
- when specifying the normal cycle range based on the reception time of the received data, the processing unit stores the type and the reception time of the data used as the reference, in association with each other, in an accessible predetermined storage area.
- when the processing unit of the in-vehicle device specifies the normal cycle range based on the reception time of the received data, the type and the reception time of the data used as the reference are associated with each other and output, or stored in a predetermined storage area accessible from the unit itself, so the information at the time of transition to the reference data reception state can be stored accurately.
- a program causes a computer to execute processing of receiving a plurality of data flowing through an in-vehicle network installed in a vehicle, deriving the reception interval when data of the same type is received consecutively among the received data, and determining whether the later-received data of the consecutively received same-type data is correct based on the reception interval and the normal cycle range referenced to the reception time of the earlier-received data.
- the computer can be operated as an in-vehicle device that efficiently detects fraudulent data based on the transmission cycle of periodically transmitted data.
- in an information processing method, a computer executes processing of receiving a plurality of data flowing through an in-vehicle network installed in a vehicle, deriving the reception interval when data of the same type is received consecutively among the received data, and determining whether the later-received data of the consecutively received same-type data is correct based on the reception interval and the normal cycle range referenced to the reception time of the earlier-received data.
- FIG. 1 is a schematic diagram illustrating the configuration of an in-vehicle system including an in-vehicle device 2 according to the first embodiment.
- FIG. 2 is a block diagram illustrating the physical configuration of the in-vehicle device 2.
- the in-vehicle system S includes an in-vehicle device 2 mounted in the vehicle and an external communication device 1.
- the in-vehicle device 2 relays communication between a plurality of in-vehicle ECUs 3 mounted in the vehicle.
- the in-vehicle device 2 may communicate with an external server 100 connected via an external network N through the external communication device 1, and relay communication between the external server 100 and an in-vehicle ECU 3 mounted in the vehicle.
- the external server 100 is, for example, a computer such as a server connected to an external network N such as the Internet or a public network, and includes a storage unit or storage device such as a RAM (Random Access Memory), a ROM (Read Only Memory), or a hard disk. A storage unit and the like of the external server 100 are included in a storage area accessible from the in-vehicle device 2.
- the vehicle C is equipped with an external communication device 1, an in-vehicle device 2, a display device 5, and a plurality of in-vehicle ECUs 3 for controlling various in-vehicle devices.
- the in-vehicle device 2 and the external communication device 1 are communicably connected by a wire harness such as a serial cable.
- the in-vehicle device 2 and the in-vehicle ECU 3 are communicably connected by a communication line 41 and an in-vehicle network 4 corresponding to a communication protocol such as CAN (Controller Area Network/registered trademark) or Ethernet (registered trademark).
- the communication protocol in the in-vehicle device 2 and the in-vehicle ECU 3 may be based on LIN, MOST, FlexRay, or the like.
- the vehicle-external communication device 1 includes a vehicle-external communication unit (not shown) and an input/output I/F (not shown) for communicating with the in-vehicle device 2.
- the external communication unit is a communication device for wireless communication using a mobile communication protocol such as 3G, LTE, 4G, or WiFi, and transmits and receives data to and from the external server 100 via an antenna 11 connected to the external communication unit. Communication between the external communication device 1 and the external server 100 is performed via an external network N such as a public line network or the Internet.
- the input/output I/F is a communication interface for serial communication with the in-vehicle device 2, for example.
- the external communication device 1 and the in-vehicle device 2 communicate with each other via an input/output I/F and a wire harness such as a serial cable connected to the input/output I/F.
- the vehicle-external communication device 1 is separate from the vehicle-mounted device 2, and these devices are communicably connected via an input/output I/F or the like, but the present invention is not limited to this.
- the external communication device 1 may be built in the in-vehicle device 2 as one component of the in-vehicle device 2.
- the in-vehicle device 2 includes a processing unit 20, a storage unit 21, an input/output I/F 22, and an in-vehicle communication unit 23.
- the in-vehicle device 2, for example, integrates system segments of a plurality of communication lines 41, such as a recognition system in-vehicle ECU 3, a judgment system in-vehicle ECU 3, and an operation system in-vehicle ECU 3, and is an in-vehicle relay device such as a gateway (CAN gateway) that relays communication between the in-vehicle ECUs 3 across these segments.
- Each of the plurality of communication lines 41 corresponds to a bus (CAN bus) in each segment.
- the in-vehicle device 2 includes an in-vehicle relay device such as an Ether SW, a PLB (Power Lan Box) having a power distribution function in addition to a data communication relay function, and an integrated ECU that has a relay function and controls the entire vehicle C in an integrated manner.
- the in-vehicle device 2 may be configured as a functional part of the in-vehicle ECU 3, such as a body ECU that controls body system actuators of the vehicle C.
- the processing unit 20 is configured by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like, and performs various control processes, arithmetic processing, and the like by reading and executing control programs and data stored in advance in the storage unit 21.
- the processing unit 20 may determine whether the data (message) acquired (received) via the in-vehicle communication unit 23 is correct or not, and may function as a control unit that controls the in-vehicle device 2 as a whole.
- the storage unit 21 is composed of a volatile memory element such as RAM (Random Access Memory) or a non-volatile memory element such as ROM (Read Only Memory), EEPROM (Electrically Erasable Programmable ROM), or flash memory, and stores in advance a control program and data referred to during processing.
- the control program stored in the storage unit 21 may be a control program read from the recording medium 211 readable by the in-vehicle device 2.
- the control program may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the storage unit 21.
- the storage unit 21 stores relay route information (routing table) used for performing relay processing for communication between the in-vehicle ECUs 3 or communication between the in-vehicle ECUs 3 and the external server 100.
- the format of the relay route information is determined based on the communication protocol.
- the relay route information for CAN includes the message identifier (CAN-ID, message ID) included in the CAN message and the relay destination (the I/O port number of the in-vehicle communication unit 23) associated with the CAN-ID.
- the input/output I/F 22 is, like the input/output I/F of the external communication device 1, a communication interface for serial communication, for example.
- the in-vehicle device 2 is communicably connected to the external communication device 1, the display device 5 (HMI device), and the IG switch 6 for starting and stopping the vehicle C via the input/output I/F 22.
- the in-vehicle communication unit 23 is an input/output interface using a communication protocol such as CAN (Controller Area Network), CAN-FD (CAN with Flexible Data Rate), or Ethernet (registered trademark). The in-vehicle device 2 communicates, via the in-vehicle communication unit 23, with the in-vehicle ECU 3 connected to the in-vehicle network 4 or with other in-vehicle equipment such as a relay device.
- a plurality of in-vehicle communication units 23 are provided, and each communication line 41 (CAN bus, etc.) constituting the in-vehicle network 4 is connected to each in-vehicle communication unit 23.
- the in-vehicle network 4 may be divided into a plurality of segments.
- the topology type of the in-vehicle network 4 is not limited to the bus type illustrated in the present embodiment.
- a cascade type in which the in-vehicle device 2 is the highest level may be used.
- the vehicle-mounted ECU 3 includes a control unit (not shown), a storage unit (not shown), and an in-vehicle communication unit (not shown), similar to the vehicle-mounted device 2.
- the storage unit is composed of volatile memory elements such as RAM (Random Access Memory) or non-volatile memory elements such as ROM (Read Only Memory), EEPROM (Electrically Erasable Programmable ROM), or flash memory, and stores a program or data for the in-vehicle ECU 3.
- the in-vehicle ECU 3 transmits a CAN message periodically, and communicates with the in-vehicle device 2, for example.
- the in-vehicle ECU 3 may be a separate ECU to which a sensor or an actuator is connected and connected under the control of the integrated ECU.
- the display device 5 is, for example, an HMI (Human Machine Interface) device such as a car navigation display.
- the display device 5 is communicably connected to the input/output I/F 22 of the in-vehicle device 2 by a harness such as a serial cable. Data or information output from the processing unit 20 of the in-vehicle device 2 via the input/output I/F 22 is displayed on the display device 5.
- FIG. 3 is an explanatory diagram of the data type table.
- Various data referred to when the processing unit 20 performs determination processing are stored in a predetermined storage area accessible from the processing unit 20, such as the storage unit 21 of the in-vehicle device 2, the in-vehicle ECU 3, or a storage device connected to the external server 100.
- Data types to be monitored when the processing unit 20 performs determination processing are stored in the storage unit 21 or the like as, for example, a data type table configured in a table format.
- the management items (fields) defined in the data type table include, for example, message ID, design cycle, upper/lower limit value ratio, normal cycle range, and judgment execution target flag.
- a message ID (CAN-ID) indicating the type of CAN message is stored in the management item (field) of the message ID.
- the type of data to be received is determined based on the message ID. If the data to be determined is, for example, a CAN message, CAN messages with the same message ID are processed as data of the same type.
- Management items (fields) for determining the type of data are not limited to the message ID in the CAN message. number, UDP port number, or a combination thereof.
- the design cycle indicates the predetermined transmission cycle at which data (a message) is transmitted from one of the in-vehicle ECUs 3 or the like.
- the design period management item (field) stores the design period (for example, x [ms]) in each piece of data.
- the upper and lower limit value ratio indicates the upper and lower limit values for specifying the normal cycle range based on the design cycle.
- the upper and lower limit value ratio may be defined as, for example, a ratio to the design cycle (for example, a%, where a > 0), or may be expressed as an actual time (± x × a × 0.01 [ms]). Alternatively, the upper and lower limit value ratios may be different ratios between the upper and lower limits.
- the normal cycle range is a range calculated from the design cycle and the ratio of upper and lower limits, and is information used when determining whether the received data is correct or not. For example, if the design cycle is x [ms] and the upper and lower limit ratio is a% (± x × a × 0.01 [ms]), the normal cycle range is from x − x × a × 0.01 [ms] to x + x × a × 0.01 [ms].
- the median value of the normal cycle range is (K + x) ms
- the lower limit time (limit-low) of the normal cycle range is {(K + x) − (x × a × 0.01)} ms
- the upper limit point (limit-upp) of the normal cycle range is {(K + x) + (x × a × 0.01)} ms.
- the data type table includes all of the design cycle, the upper and lower limit value ratio, and the normal cycle range, but needless to say the data type table is not limited to this and may include only one of them.
- the management item (field) of the determination execution target flag stores a flag value (1: monitoring target, 0: non-monitoring target). In this way, among the data transmitted and received through the in-vehicle network 4, by making only the data of the types for which the determination execution target flag is set the execution target (monitoring target) of the correctness determination, only data with a relatively high degree of importance is monitored, which makes it possible to reduce the processing load of the in-vehicle device 2 (processing unit).
- FIG. 4 is an explanatory diagram relating to data determination (normality determination).
- determination processing regarding data of a specific data type (CAN message, etc.) will be described.
- the horizontal axis indicates time (elapsed time).
- the processing unit 20 of the in-vehicle device 2 calculates, for example, reception intervals of the same type of data (same message ID) for each data (monitoring target message) defined in the data type table stored in the storage unit 21, and determines that the data (message) is normal if the reception interval is within the normal cycle range.
- the processing unit 20 determines that the data is abnormal. If the reception interval does not fall within the normal cycle range, this indicates a state in which it is possible to identify which message is abnormal, and the processing unit 20 determines that it is a specific abnormality. When a plurality of data are received within the normal cycle range, this indicates a state in which it is detected that an abnormality is included in a certain range, and the processing unit 20 determines that the range is abnormal.
- the data (message) is determined to be normal data (message)
- the data (message) is used as the reference (reference data)
- the reception interval between the reference data and the next received data (message) is calculated.
- the reference data (reference message) is set for each data type (message ID) of the message to be monitored, and in the acquisition state of the reference data, if the reception interval (ΔT) between the first received message and the second received message is within the normal range, the data (message) received for the second time is used as the reference data (reference message).
- the setting of the reference data is not limited to two times, and may be determined when the data is consecutively set a plurality of times. That is, for example, when the reception interval is within the normal range five times in succession, the processing unit 20 may use the data (message) received for the fifth time as the reference data (reference message).
- When the IG switch 6 is turned on, the vehicle C is activated, and data such as CAN messages are transmitted from each in-vehicle ECU 3 connected to the in-vehicle network 4.
- the processing unit 20 of the in-vehicle device 2 receives data for each type classified by message ID (CAN-ID) for the first time, and the data received for the first time is set as reference data (reference message), the first data for specifying the normal cycle range.
- the processing unit 20 refers to the data type table stored in the storage unit 21, adds the design cycle (T) to the reception time point, which indicates the time at which the reference data was received, and specifies (derives) the normal cycle range by adding and subtracting the upper and lower limit values with the resulting time as the central value.
- the normal cycle range is defined as the range (period ).
- the transmission cycle (design cycle) is a relative time from the reception time (the reception time of the reference data).
- the processing unit 20 calculates the normal cycle range 1, whose median value is the design cycle (T) after the reference message and whose lower and upper limits are the lower limit time (limit-low1) and the upper limit time (limit-upp1).
- at the upper limit time (limit-upp1), the processing unit 20 counts the number of messages received after the reference message and their reception intervals.
- since the received message 1 (Msg1) is within the normal cycle range 1 and the number of messages is 1, the processing unit 20 determines that it is a normal message and updates (resets) the message 1 (Msg1) as the reference message.
- the processing unit 20 calculates the normal cycle range 2, whose median value is the design cycle (T) after the message 1 (Msg1) (the reference message at this point).
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message. Since the received message 2 (Msg2) is within the normal cycle range 2 and the number of messages is 1, the processing unit 20 updates (resets) the message 2 (Msg2) as the reference message.
- by repeating the above-described processing, the processing unit 20 of the in-vehicle device 2 updates (resets) the reference data (reference message) based on the data (message) that has been determined to be normal. Using the normal cycle range specified each time by the reference data, the judgment processing of the data (message) received after the reference data is repeated.
- FIG. 5 is an explanatory diagram relating to data determination (occurrence of communication disruption).
- the processing unit 20 calculates the normal cycle range 1, whose median value is the design cycle (T) after the reference message and whose lower and upper limits are the lower limit time (limit-low1) and the upper limit time (limit-upp1).
- at the upper limit time (limit-upp1), the processing unit 20 counts the number of messages received after the reference message and their reception intervals.
- the processing unit 20 updates (resets) the received message 1 (Msg1) as the reference message because the received message 1 (Msg1) is within the normal cycle range 1 and the number of messages is 1.
- the processing unit 20 calculates the normal cycle range 2, whose median value is the design cycle (T) after the message 1 (Msg1) (the reference message at this point).
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message.
- since the number of messages received in the normal cycle range 2 is 0, the processing unit 20 determines that a communication disruption has occurred, and after the normal cycle range 2 elapses, that is, after the upper limit point (limit-upp2) of the normal cycle range 2, the reference message is re-obtained.
- the processing unit 20 sets a message acquired (received) after the upper limit point (limit-upp2) of the normal cycle range 2 as a reference message, and specifies the normal cycle range 3.
- FIG. 6 is an explanatory diagram relating to data determination (abnormality (identification) determination).
- the processing unit 20 calculates the normal cycle range 1, whose median value is the design cycle (T) after the reference message and whose lower and upper limits are the lower limit time (limit-low1) and the upper limit time (limit-upp1).
- at the upper limit time (limit-upp1), the processing unit 20 counts the number of messages received after the reference message and their reception intervals.
- the processing unit 20 updates (resets) the received message 1 (Msg1) as the reference message because the received message 1 (Msg1) is within the normal cycle range 1 and the number of messages is 1.
- the processing unit 20 calculates the normal cycle range 2, whose median value is the design cycle (T) after the message 1 (Msg1) (the reference message at this point).
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message.
- since one received message is outside the normal cycle range (message 2 (Msg2)) and one is within the normal cycle range 2 (message 3 (Msg3)), the processing unit 20 detects the message 2 (Msg2) as an anomaly (determines it to be a specific abnormality) and updates (resets) message 3 (Msg3) as the reference message.
- by repeating the above process, the processing unit 20 updates (resets) the reference data (reference message) based on the data (message) determined to be normal.
- the processing unit 20 repeats determination processing for data (messages) received after the reference data, using the normal period range specified each time by the updated reference data.
- FIG. 7 is an explanatory diagram relating to data determination (abnormality (range) determination).
- the processing unit 20 calculates the normal cycle range 1, whose median value is the design cycle (T) after the reference message and whose lower and upper limits are the lower limit time (limit-low1) and the upper limit time (limit-upp1).
- at the upper limit time (limit-upp1), the processing unit 20 counts the number of messages received after the reference message and their reception intervals.
- the processing unit 20 updates (resets) the received message 1 (Msg1) as the reference message because the received message 1 (Msg1) is within the normal cycle range 1 and the number of messages is 1.
- the processing unit 20 calculates the normal cycle range 2, whose median value is the design cycle (T) after the message 1 (Msg1) (the reference message at this point).
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message. Since the number of received messages (message 2 (Msg2), message 3 (Msg3)) within the normal cycle range 2 is two or more, the processing unit 20 detects an abnormality (determines a range abnormality), and after the normal cycle range 2 has passed, that is, after the upper limit time (limit-upp2) of the normal cycle range 2, the reference message is reacquired.
- the processing unit 20 sets the message acquired (received) after the upper limit point (limit-upp2) of the normal cycle range 2 as the reference message, and specifies the normal cycle range 3.
- even when a plurality of data determined to be range abnormal is received, the processing unit 20 updates (resets) the reference data (reference message) by repeating the above processing. Using the normal cycle range specified each time by the updated reference data, the judgment processing of the data (message) received after the reference data is repeated.
- FIG. 8 is an explanatory diagram relating to determination (combination) of data.
- the processing unit 20 calculates the normal cycle range 1, whose median value is the design cycle (T) after the reference message and whose lower and upper limits are the lower limit time (limit-low1) and the upper limit time (limit-upp1).
- at the upper limit time (limit-upp1), the processing unit 20 counts the number of messages received after the reference message and their reception intervals.
- the processing unit 20 updates (resets) the received message 1 (Msg1) as the reference message because the received message 1 (Msg1) is within the normal cycle range 1 and the number of messages is 1.
- the processing unit 20 calculates the normal cycle range 2, whose median value is the design cycle (T) after the message 1 (Msg1) (the reference message at this point).
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message.
- since the processing unit 20 receives two messages outside the normal cycle range (message 2 (Msg2), message 3 (Msg3)) and two or more messages within the normal cycle range 2 (message 4 (Msg4), message 5 (Msg5)), it detects the message 2 (Msg2) and the message 3 (Msg3) as anomalies (determines them to be specific abnormalities).
- the processing unit 20 also detects the message 4 (Msg4) and the message 5 (Msg5) as abnormal (determines a range abnormality), and after the normal cycle range 2 has passed, reacquires the reference message.
- even when a plurality of pieces of data determined to be specific abnormality or range abnormality are received, the processing unit 20 updates (resets) the reference data (reference message) by repeating the above-described process. Using the normal cycle range specified each time by the updated reference data, the judgment processing for the data (message) received after the reference data is repeated.
- FIG. 9 is an explanatory diagram regarding the state transition of the processing unit 20 of the in-vehicle device 2.
- the processing unit 20 of the in-vehicle device 2 transitions between a plurality of states in the course of performing the determination process.
- the plurality of states are, for example, a reference data reception state (reference message acquisition state) in which reference data for identifying the normal cycle range is received, and a determination execution state (periodic detection execution state) in which whether the received data is correct or not is determined based on the specified normal cycle range.
- the processing unit 20 of the in-vehicle device 2 is in the reference data reception state, and after that, when data is received for the first time (initial reception), it transitions to the determination execution state. After that, when the processing unit 20 in the determination execution state determines that the data acquired within the normal cycle range is normal, the processing unit 20 updates (resets) the normal data as the reference data, thereby maintaining the determination execution state.
- the transition to the reference data reception state is not limited to the ON state of the IG switch 6, but may be the ON state of the battery or the transition at the time of wakeup from the communication sleep state.
- the triggers for the processing unit 20 of the in-vehicle device 2 to transition to the reference data reception state may be various power triggers (power state transitions), such as when the IG switch 6 is turned on, the battery is turned on, the ACC is turned on (accessory power is turned on), or the device wakes up from the communication sleep state (receipt of a wakeup signal). That is, the processing unit 20 of the in-vehicle device 2 may transition to the reference data reception state by detecting such an event related to a power trigger (transition of the power supply state) when it occurs.
- the processing unit 20 in the determination execution state transitions to the reference data reception state when it detects an abnormality (range abnormality) due to acquisition of a plurality of data of the same type within the normal cycle range, or when the same type of data cannot be acquired within the normal cycle range (communication disruption detected). After the normal cycle range has passed, that is, after the upper limit time (limit-upp) of the normal cycle range has passed, the processing unit 20 that has transitioned from the determination execution state to the reference data reception state uses the first acquired data of the same type as reference data, and transitions to the determination execution state.
- FIG. 10A and 10B are explanatory diagrams relating to determination modes by the processing unit of the in-vehicle device 2.
- the processing unit 20 of the in-vehicle device 2 may define a unit determination period for the period up to the upper limit time (limit-upp[t+1]), and perform determination processing for each unit determination period.
- the unit determination period set in this way consists of the period from the upper limit of the previous normal cycle range (limit-upp[t]) to the lower limit of the current normal cycle range (limit-low[t+1]) (period A), and the period from the lower limit of the normal cycle range (limit-low[t+1]) to the upper limit of the normal cycle range (limit-upp[t+1]) (period B).
- the processing unit 20 counts the number of received (acquired) data (data of the same type as the reference data) in each of period A and period B, and may perform determination processing and updating (resetting) of reference data according to the number of data in each period (period A and period B).
- If the number of pieces of data acquired in period A is 0 and the number of pieces of data acquired in period B is 0, the processing unit 20 determines that a communication disruption (loss of normal data, etc.) has occurred in period B, and transitions to the reference data reception state in order to use the data acquired after the upper limit time of the current normal cycle range as the reference data.
- the processing unit 20 determines that the data received in period B is normal, uses the data acquired in period B as reference data, and maintains the determination execution state.
- the processing unit 20 determines that the plurality of data received in period B are abnormal (range abnormal), and transitions to the reference data reception state in order to use the data acquired after the upper limit time of the current normal cycle range as the reference data.
- the processing unit 20 determines that the data received in period A is abnormal (specific abnormality). The processing unit 20 also determines that a communication disruption (loss of normal data, etc.) has occurred in period B, and transitions to the reference data reception state in order to use the data acquired after the upper limit time of the current normal cycle range as the reference data.
- the processing unit 20 determines that the data received in period A is abnormal (specific abnormality), determines that the data received in period B is normal, uses the data acquired in period B as reference data, and maintains the determination execution state.
- the processing unit 20 determines that the data received in period A is abnormal (specific abnormality). Then, the plurality of data received in period B are determined to be abnormal (range abnormal), and the processing unit 20 transitions to the reference data reception state in order to use the data acquired after the upper limit time of the current normal cycle range as the reference data.
- the illustrated information in this embodiment may be stored in the storage unit 21 as a determination mode table, for example, in a table format.
- the processing unit 20 may refer to the determination mode table based on the number of pieces of data counted for each unit determination period, and perform the determination process and update (reset) the reference data.
- the processing unit 20 thus sets a different determination code for each processing mode determined by the number of received (acquired) data (data of the same type as the reference data) in each of period A and period B, For each unit determination period (upper limit time of the normal cycle range), the time information at the upper limit time and the determination code may be associated and stored in the storage unit 21 .
- FIG. 11 is a flowchart illustrating the processing of the processing unit of the in-vehicle device 2.
- the processing unit 20 of the in-vehicle device 2 steadily performs the following processing, for example, when the vehicle C is in an activated state (the IG switch 6 is on).
- the processing unit 20 of the in-vehicle device 2 receives the reference data (S101).
- the processing unit 20 transitions to the determination execution state by receiving the reference data.
- When the IG switch 6 is turned on, the vehicle C is activated, and data such as CAN messages are transmitted from each vehicle-mounted ECU 3 connected to the vehicle-mounted network 4 by, for example, broadcasting.
- the processing unit 20 of the in-vehicle device 2 performs the initial reception of data for each type classified by message ID (CAN-ID), for example.
- the data received for the first time is set as reference data for specifying the normal cycle range.
- When setting the received data as the reference data, the processing unit 20 of the in-vehicle device 2 may associate the type of the data (message ID) with the reception time point indicating the time at which the data was received, and store them in the storage unit 21. After that, the processing unit 20 of the in-vehicle device 2 performs the following processing for each data type (for example, each message ID).
- the processing unit 20 of the in-vehicle device 2 identifies the normal cycle range (S102).
- the processing unit 20 refers to the data type table stored in the storage unit 21 and identifies the normal cycle range based on the data type (message ID).
- the normal cycle range may be specified by calculating based on the design cycle and the upper/lower limit ratio. For example, the design period (T), which is a transmission period determined in advance based on the type of data, is added to the reception time point (C) of the reference data to determine the central value (C+T) in the normal period range.
- the upper and lower limit values (L) determined based on the upper and lower limit ratio are added (C+T+L) and subtracted (C+T-L) from the central value (C+T).
- a range of ±L (from (C+T−L) to (C+T+L)) is determined with respect to the central value (C+T), and this range corresponds to the normal cycle range.
- the time point specified by adding the upper and lower limit values (L) to the central value (C+T) (C+T+L) corresponds to the upper limit time point (limit-upp) in the normal cycle range.
- the time point specified by subtracting the upper and lower limit values (L) from the central value (C+T) (C+T-L) corresponds to the lower limit time point (limit-low) in the normal cycle range.
- the upper and lower limit values (L) added to and subtracted from the central value (C+T) are equal here, but the present invention is not limited to this; the upper limit value (Lu) used for addition and the lower limit value (Ll) used for subtraction may be set to different values.
- the processing unit 20 of the in-vehicle device 2 determines whether or not the same type of data has been acquired within the normal cycle range (S103).
- the data of the same type is data of the same type as the received reference data, and when the data is, for example, a CAN message, messages (data) having the same message ID (CAN-ID) are data of the same type.
- the processing unit 20 calculates a reception interval (ΔT) from the point of time when the reference data is received to the point of time when the same type of data is received next.
- the processing unit 20 may determine whether the same type of data is acquired within the normal cycle range.
- when the reception interval (ΔT) from the point of reception of the reference data to the point of reception of the next received data of the same type is greater than or equal to the elapsed time from the point of reception of the reference data to the lower limit point (limit-low) of the normal cycle range and within the elapsed time up to the upper limit point (limit-upp) of the normal cycle range, the processing unit 20 determines that the same type of data has been acquired within the normal cycle range. If the same type of data is not acquired before the upper limit point (limit-upp) of the normal cycle range elapses, the processing unit 20 determines that the same type of data was not acquired within the normal cycle range.
- the processing unit 20 may also determine whether the same type of data has been acquired within the normal cycle range based on whether the same type of data is received (acquired) in the period from the lower limit time (limit-low) to the upper limit time (limit-upp) of the normal cycle range. That is, when the same kind of data is received in the period from the lower limit time (limit-low) to the upper limit time (limit-upp) of the normal cycle range (lower limit time ≤ same kind of data reception time ≤ upper limit time), the processing unit 20 determines that the same type of data is acquired within the normal cycle range.
- the processing unit 20 of the in-vehicle device 2 performs loop processing to execute S101 again. If the same type of data is not acquired within the normal cycle range, it is determined that a communication interruption has occurred due to loss of the data, etc., and reception of the same type of data is attempted again. The processing unit 20 transitions to the reference data reception state. If the loop processing from S103 to S101 is performed continuously and the number of consecutive times reaches or exceeds a predetermined threshold number such as 10, the processing unit 20 may judge the data received on returning to S101 to be abnormal.
- the processing unit 20 of the in-vehicle device 2 determines whether or not the number of data is one (S104).
- the processing unit 20 of the in-vehicle device 2 counts the number of pieces of data of the same type received within the normal cycle range, that is, in the period from the lower limit time (limit-low) to the upper limit time (limit-upp) of the normal cycle range, and determines whether the number of data is one (or two or more).
- the processing unit 20 of the in-vehicle device 2 stores in the storage unit 21 the time point of reception of each piece of data and the data type such as CAN-ID for all received (acquired) data in association with each other.
- the processing unit 20 of the in-vehicle device 2 may also store the reception interval, which is the difference between the reception point of each of the data and the reception point of the reference data, in the storage unit 21 in association with the data type such as CAN-ID.
- the processing unit 20 of the in-vehicle device 2 determines that the received data is normal (S105).
- the data is data normally transmitted from one of the in-vehicle ECUs 3 based on the design cycle, and the processing unit 20 of the in-vehicle device 2 determines that the received data is normal.
- the processing unit 20 of the in-vehicle device 2 sets the received data as reference data to be used in the next determination process, and identifies the normal cycle range (S106).
- the processing unit 20 of the in-vehicle device 2 sets the received data, that is, the data determined to be normal in the process of S105, as reference data used for determination processing of the same type of data to be received next. In this way, the processing unit 20 of the in-vehicle device 2 repeats setting the reference data based on the data determined to be normal in the immediately preceding process, so that setting (periodic resetting) of reference data corresponding to the load status of the in-vehicle network 4 in real time can be continued.
- the processing unit 20 of the in-vehicle device 2 identifies the normal cycle range based on the reference data reset in this way, as in the process of S102. Based on the specified normal cycle range, the processing unit 20 repeats correctness determination of data received thereafter.
- the processing unit 20 of the in-vehicle device 2 judges that the plurality of data includes abnormal data within a predetermined range (normal cycle range), and that the range is abnormal.
- the processing unit 20 of the in-vehicle device 2 may store the data types and reception times of the plurality of data determined to be range abnormal in the storage unit 21 as attack detection log data, and output them to the external server 100 or the display device 5.
- the processing unit 20 of the in-vehicle device 2 receives the reference data (S1042).
- the processing unit 20 of the in-vehicle device 2 receives the same type of data received later than the normal cycle range as the reference data. Since the plurality of data determined to be range abnormal include at least one abnormal data, the processing unit 20 of the in-vehicle device 2 does not set the data determined to be range abnormal as reference data. As a result, it is possible to reliably avoid performing the correctness determination of subsequently acquired data based on data determined to be range abnormal.
- the processing unit 20 of the in-vehicle device 2 receives, as reference data, the same type of data received after the normal cycle range in which the plurality of data determined to be out of range are received.
- the processing unit 20 of the in-vehicle device 2 identifies the normal cycle range (S1043).
- the processing unit 20 of the in-vehicle device 2 sets the data received in S1042 as reference data to be used in the next determination process, and identifies the normal cycle range in the same manner as in the process of S102. Even when a plurality of data having range abnormality is received in this manner, the determination process can be continued or restarted by resetting the reference data based on the data received thereafter.
- the processing unit 20 of the in-vehicle device 2 determines whether or not the same type of data has been received between the previous normal cycle range and the current normal cycle range (S107).
- the normal cycle range is specified each time the reference data is set, and the specified normal cycle ranges are adjacent in time series. Since normal data is not transmitted in the period between two normal cycle ranges (T[t], T[t+1]) adjacent in the time series, the data received (obtained) in that period is abnormal data.
- the processing unit 20 of the in-vehicle device 2 determines whether or not the same type of data is received between the previous normal cycle range (T[t]) and the current normal cycle range (T[t+1]), that is, between the time when the upper limit of the previous normal cycle range (limit-upp[t]) has passed and the lower limit of the current normal cycle range (limit-low[t+1]).
- the processing unit 20 of the in-vehicle device 2 determines that the received data has a specific abnormality (S108). If the number of received data is one, the processing unit 20 of the in-vehicle device 2 can individually identify the data as being abnormal, and determines that the data is specific abnormal. Moreover, even when the number of received data is two or more (plurality), the processing unit 20 of the in-vehicle device 2 determines each of these data to be a specific abnormality. The processing unit 20 of the in-vehicle device 2 may store the data type and the reception time of the single or multiple data determined as specific abnormality in the storage unit 21 as attack detection log data, and output them to the external server 100 or the display device 5.
- When the same type of data is not received (S107: NO), or after executing S108, the processing unit 20 of the in-vehicle device 2 performs loop processing to execute S103 again. Needless to say, the normal cycle range used when executing S103 in the loop process is the normal cycle range specified in the process of S106 or S1043.
- the processing unit 20 of the in-vehicle device 2 may store all the results (determination results) of the determination processing in this embodiment in the storage unit 21, or transmit (output) them to the external server 100 via the external communication device 1.
- the processing unit 20 of the in-vehicle device 2 counts the number of pieces of received data in the determination process in the present embodiment.
- a unit determination period may be defined for the period up to the upper limit point (limit-upp[t+1]) of the current normal cycle range, and the determination process may be performed for each unit determination period.
- the processing unit 20 of the in-vehicle device 2 may perform the determination process at the upper limit point of each normal cycle range.
- the unit determination period in which the processing unit 20 of the in-vehicle device 2 performs the determination process is set to run from the time the upper limit (limit-upp[t]) of the previous normal cycle range has passed up to the upper limit of the current normal cycle range.
- the lower limit time (limit-low[t+1]) may be set as the unit determination period.
- the processing unit 20 of the in-vehicle device 2 may perform processing according to individual flowcharts for each type of data when executing the flowcharts in this embodiment. That is, if the number of types (CAN-ID) of data to be determined is, for example, 10, the same number of sub-processes (10) are generated, and the processing according to the flowchart may be performed in parallel in each sub-process.
- the processing unit 20 of the in-vehicle device 2 performs all the processing, but the present invention is not limited to this. The processing may be performed in cooperation with the external server 100 by performing inter-process communication or the like.
- In-vehicle system
- 100 External server
- 1 External communication device
- 11 Antenna
- 2 In-vehicle device (in-vehicle relay device)
- 20 processing unit (control unit)
- 21 storage unit
- 22 input/output I/F
- 23 in-vehicle communication unit
- 3 in-vehicle ECU
- 4 in-vehicle network
- 41 communication line
- 5 display device (HMI device)
- 6 IG switch
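The determination loop described above (S107/S108, the reference reset after a range abnormality, and one independent pass per CAN-ID) can be illustrated as follows. This is an added example, not code from the patent: the range formula (reference time + cycle ± tolerance), the handling of a cycle with no received frame, the function names, the verdict labels and the sample data are all assumptions or constructed values.

```python
from collections import defaultdict

def classify_id(times, cycle, tol):
    """Label each reception time (ms, ascending) of one CAN-ID."""
    if cycle <= 3 * tol:
        raise ValueError("adjacent normal cycle ranges would overlap")
    ref = times[0]                      # first frame is the initial reference data
    out = [(ref, "reference")]
    i = 1
    while i < len(times):
        low, upp = ref + cycle - tol, ref + cycle + tol   # assumed range formula
        # Frames after the previous range and before limit-low: S107 YES -> S108.
        while i < len(times) and times[i] < low:
            out.append((times[i], "specific_abnormality"))
            i += 1
        j = i
        while j < len(times) and times[j] <= upp:
            j += 1
        in_range, i = times[i:j], j
        if len(in_range) == 1:          # exactly one frame in range: normal
            ref = in_range[0]
            out.append((ref, "normal"))
        elif in_range:                  # several in range: cannot tell which is bad
            out += [(t, "range_abnormality") for t in in_range]
            if i < len(times):          # reset reference from the next received frame
                ref = times[i]
                out.append((ref, "reference"))
                i += 1
        else:                           # assumption: nothing received, step one cycle
            ref += cycle
    return out

def attack_log(frames, cycles, tol):
    """Return (CAN-ID, reception time, verdict) for every abnormal frame."""
    per_id = defaultdict(list)          # one independent pass per data type (CAN-ID)
    for can_id, rx in frames:
        per_id[can_id].append(rx)
    log = []
    for can_id, times in per_id.items():
        for rx, verdict in classify_id(sorted(times), cycles[can_id], tol):
            if verdict.endswith("abnormality"):
                log.append((can_id, rx, verdict))
    return sorted(log, key=lambda e: e[1])

# Constructed sample: (CAN-ID, reception time in ms)
SAMPLE = [(0x100, 0), (0x200, 0), (0x200, 50), (0x100, 100), (0x200, 100),
          (0x100, 150), (0x200, 150), (0x100, 201), (0x100, 299), (0x100, 305),
          (0x100, 400), (0x100, 500)]
```

With a 100 ms cycle for 0x100, a 50 ms cycle for 0x200 and a 10 ms tolerance, the frame at 150 ms falls between two normal cycle ranges and is logged individually, while the two frames at 299 ms and 305 ms share one range and are logged together.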
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Small-Scale Networks (AREA)
- Debugging And Monitoring (AREA)
Priority Applications (14)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2021/007673 WO2022185370A1 (ja) | 2021-03-01 | 2021-03-01 | In-vehicle device, program, and information processing method |
| US18/250,295 US12501244B2 (en) | 2021-03-01 | 2021-08-04 | In-vehicle apparatus, computer program and information processing method |
| PCT/JP2021/029001 WO2022185566A1 (ja) | 2021-03-01 | 2021-08-04 | In-vehicle device, program, and information processing method |
| JP2022535950A JP7184225B1 (ja) | 2021-03-01 | 2021-08-04 | In-vehicle device, program, and information processing method |
| CN202180046362.2A CN115777191B (zh) | 2021-03-01 | 2021-08-04 | In-vehicle device, program, and information processing method |
| CN202511001913.XA CN120979869A (zh) | 2021-03-01 | 2021-08-04 | In-vehicle device, program, and information processing method |
| JP2022181151A JP7444223B2 (ja) | 2021-03-01 | 2022-11-11 | In-vehicle device, program, and information processing method |
| JP2023196209A JP7622799B2 (ja) | 2021-03-01 | 2023-11-17 | In-vehicle device, program, and information processing method |
| JP2023196208A JP7622798B2 (ja) | 2021-03-01 | 2023-11-17 | In-vehicle device, program, and information processing method |
| JP2024186951A JP7750359B2 (ja) | 2021-03-01 | 2024-10-23 | In-vehicle device, program, and information processing method |
| JP2025004973A JP7831655B2 (ja) | 2021-03-01 | 2025-01-14 | In-vehicle device, program, and information processing method |
| JP2025159512A JP2025186490A (ja) | 2021-03-01 | 2025-09-25 | In-vehicle device, program, and information processing method |
| JP2025159513A JP2025186491A (ja) | 2021-03-01 | 2025-09-25 | In-vehicle device, program, and information processing method |
| US19/386,904 US20260075393A1 (en) | 2021-03-01 | 2025-11-12 | In-vehicle apparatus, computer program and information processing method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2021/007673 WO2022185370A1 (ja) | 2021-03-01 | 2021-03-01 | In-vehicle device, program, and information processing method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2022185370A1 (ja) | 2022-09-09 |
Family ID=83155203
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2021/007673 Ceased WO2022185370A1 (ja) | In-vehicle device, program, and information processing method | 2021-03-01 | 2021-03-01 |
| PCT/JP2021/029001 Ceased WO2022185566A1 (ja) | In-vehicle device, program, and information processing method | 2021-03-01 | 2021-08-04 |
Family Applications After (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2021/029001 Ceased WO2022185566A1 (ja) | In-vehicle device, program, and information processing method | 2021-03-01 | 2021-08-04 |
Country Status (4)
| Country | Link |
|---|---|
| US (2) | US12501244B2 |
| JP (8) | JP7184225B1 |
| CN (2) | CN115777191B |
| WO (2) | WO2022185370A1 |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR102836887B1 (ko) * | 2022-09-15 | 2025-07-21 | 고려대학교 산학협력단 | Method for obfuscating CAN messages |
| JP7800485B2 (ja) * | 2023-03-20 | 2026-01-16 | 株式会社オートネットワーク技術研究所 | In-vehicle device, program, and information processing method |
| CN120676023A (zh) * | 2025-07-01 | 2025-09-19 | 陕西天行健车联网信息技术有限公司 | Internet-of-Vehicles data transmission method, system, device, and medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2018026663A (ja) * | 2016-08-09 | 2018-02-15 | 東芝デジタルソリューションズ株式会社 | Network monitoring device and program |
| JP2019068253A (ja) * | 2017-09-29 | 2019-04-25 | 株式会社デンソー | Abnormality detection device, abnormality detection method, program, and communication system |
| JP2020102771A (ja) * | 2018-12-21 | 2020-07-02 | パナソニックIpマネジメント株式会社 | Electronic control device, control method for electronic control device, and program |
| JP2020129785A (ja) * | 2019-02-12 | 2020-08-27 | 富士通株式会社 | Attack detection device and attack detection method |
| JP2020145547A (ja) * | 2019-03-05 | 2020-09-10 | トヨタ自動車株式会社 | Unauthorized transmission data detection device |
Family Cites Families (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2642084B2 (ja) * | 1995-05-30 | 1997-08-20 | 日本電気フィールドサービス株式会社 | Multi-protocol network monitoring and diagnosis system |
| JP2000346871A (ja) * | 1999-06-02 | 2000-12-15 | Xanavi Informatics Corp | Rotational angular velocity detection device |
| CN101388756B (zh) * | 2007-09-11 | 2013-01-09 | 电信科学技术研究院 | Data packet transmission method and device |
| JP5522160B2 (ja) | 2011-12-21 | 2014-06-18 | トヨタ自動車株式会社 | Vehicle network monitoring device |
| JP6318654B2 (ja) * | 2014-01-30 | 2018-05-09 | 株式会社デンソー | Data relay device, diagnostic method for data relay device, and vehicle communication system |
| EP3142289B1 (en) * | 2014-05-08 | 2020-10-07 | Panasonic Intellectual Property Corporation of America | In-vehicle network system, electronic control unit, and irregularity detection method |
| EP3480064B1 (en) | 2014-09-12 | 2020-08-19 | Panasonic Intellectual Property Corporation of America | Vehicle communication device, in-vehicle network system, and vehicle communication method |
| JP6281535B2 (ja) * | 2015-07-23 | 2018-02-21 | 株式会社デンソー | Relay device, ECU, and in-vehicle system |
| JP6603617B2 (ja) * | 2015-08-31 | 2019-11-06 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Gateway device, in-vehicle network system, and communication method |
| JP2017091456A (ja) * | 2015-11-17 | 2017-05-25 | 富士通株式会社 | Control device, control program, and control method |
| JP6684690B2 (ja) * | 2016-01-08 | 2020-04-22 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America | Fraud detection method, monitoring electronic control unit, and in-vehicle network system |
| JP6798280B2 (ja) * | 2016-11-29 | 2020-12-09 | 富士通株式会社 | Attack detection device, attack detection method, and attack detection program |
| JP2019160155A (ja) * | 2018-03-16 | 2019-09-19 | 株式会社リコー | Information processing device, information processing method, and program |
| WO2020021714A1 (ja) | 2018-07-27 | 2020-01-30 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Fraud prevention method and secure star coupler |
| WO2020090108A1 (ja) * | 2018-11-02 | 2020-05-07 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Unauthorized control prevention system and unauthorized control prevention method |
| FR3103583B1 (fr) * | 2019-11-27 | 2023-05-12 | Commissariat Energie Atomique | Shared data management system |
| CN111147448B (zh) * | 2019-12-06 | 2022-06-07 | 中科曙光(南京)计算技术有限公司 | CAN bus flooding attack defense system and method |
- 2021
  - 2021-03-01 WO PCT/JP2021/007673 patent/WO2022185370A1/ja not_active Ceased
  - 2021-08-04 WO PCT/JP2021/029001 patent/WO2022185566A1/ja not_active Ceased
  - 2021-08-04 JP JP2022535950A patent/JP7184225B1/ja active Active
  - 2021-08-04 CN CN202180046362.2A patent/CN115777191B/zh active Active
  - 2021-08-04 CN CN202511001913.XA patent/CN120979869A/zh active Pending
  - 2021-08-04 US US18/250,295 patent/US12501244B2/en active Active
- 2022
  - 2022-11-11 JP JP2022181151A patent/JP7444223B2/ja active Active
- 2023
  - 2023-11-17 JP JP2023196209A patent/JP7622799B2/ja active Active
  - 2023-11-17 JP JP2023196208A patent/JP7622798B2/ja active Active
- 2024
  - 2024-10-23 JP JP2024186951A patent/JP7750359B2/ja active Active
- 2025
  - 2025-01-14 JP JP2025004973A patent/JP7831655B2/ja active Active
  - 2025-09-25 JP JP2025159513A patent/JP2025186491A/ja active Pending
  - 2025-09-25 JP JP2025159512A patent/JP2025186490A/ja active Pending
  - 2025-11-12 US US19/386,904 patent/US20260075393A1/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| JP7622798B2 (ja) | 2025-01-28 |
| JP2023010792A (ja) | 2023-01-20 |
| JPWO2022185566A1 | 2022-09-09 |
| JP7184225B1 (ja) | 2022-12-06 |
| JP2024020459A (ja) | 2024-02-14 |
| JP2025186490A (ja) | 2025-12-23 |
| JP2025013939A (ja) | 2025-01-28 |
| JP7831655B2 (ja) | 2026-03-17 |
| CN115777191A (zh) | 2023-03-10 |
| JP7622799B2 (ja) | 2025-01-28 |
| WO2022185566A1 (ja) | 2022-09-09 |
| CN120979869A (zh) | 2025-11-18 |
| US12501244B2 (en) | 2025-12-16 |
| US20240007831A1 (en) | 2024-01-04 |
| JP7750359B2 (ja) | 2025-10-07 |
| JP2025061271A (ja) | 2025-04-10 |
| JP2025186491A (ja) | 2025-12-23 |
| US20260075393A1 (en) | 2026-03-12 |
| JP2024020458A (ja) | 2024-02-14 |
| CN115777191B (zh) | 2025-08-12 |
| JP7444223B2 (ja) | 2024-03-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
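| JP7444223B2 (ja) | | In-vehicle device, program, and information processing method |
| CN109278674B (zh) | | Security detection method, apparatus, device, and storage medium for a driverless vehicle system |
| CN109634260B (zh) | | Online monitoring method for a vehicle controller |
| CN106919163A (zh) | | Communication system and information collection method executed in the communication system |
| EP3758302A1 (en) | | Abnormality detection device |
| JP7564022B2 (ja) | | Analysis device |
| US10223319B2 (en) | | Communication load determining apparatus |
| JP7375619B2 (ja) | | Abnormality detection device |
| JP6172754B2 (ja) | | Communication device and communication method |
| CN116744303A (zh) | | Communication control device and method, and non-transitory computer-readable recording medium |
| CN114051710A (zh) | | Information processing device and legitimate communication determination method |
| JP5700426B2 (ja) | | Vehicle network system |
| JP2024134399A (ja) | | In-vehicle device, program, and information processing method |
| JP7226248B2 (ja) | | Communication device and abnormality determination device |
| CN111429740A (zh) | | Abnormality notification device |
| WO2020012822A1 (ja) | | Computing system and computing device |
| US20250384126A1 (en) | | Relay device, information processing method, and in-vehicle system |
| KR101231933B1 (ko) | | 전자 장비의 오류 관리 시스템 및 방법 |
| JP2024134398A (ja) | | In-vehicle device, program, and information processing method |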
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21928948; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 21928948; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: JP |