WO2022185566A1 - 車載装置、プログラム及び情報処理方法 - Google Patents
車載装置、プログラム及び情報処理方法 Download PDFInfo
- Publication number
- WO2022185566A1 WO2022185566A1 PCT/JP2021/029001 JP2021029001W WO2022185566A1 WO 2022185566 A1 WO2022185566 A1 WO 2022185566A1 JP 2021029001 W JP2021029001 W JP 2021029001W WO 2022185566 A1 WO2022185566 A1 WO 2022185566A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- received
- processing unit
- vehicle device
- same type
- Prior art date
Links
- 230000010365 information processing Effects 0.000 title claims description 5
- 238000003672 processing method Methods 0.000 title claims description 5
- 238000012545 processing Methods 0.000 claims abstract description 315
- 230000002159 abnormal effect Effects 0.000 claims description 54
- 230000005856 abnormality Effects 0.000 claims description 51
- 238000000034 method Methods 0.000 claims description 49
- 230000008569 process Effects 0.000 claims description 38
- 238000001514 detection method Methods 0.000 claims description 35
- 230000007704 transition Effects 0.000 claims description 35
- 230000005540 biological transmission Effects 0.000 claims description 23
- 238000004891 communication Methods 0.000 description 71
- 101100533725 Mus musculus Smr3a gene Proteins 0.000 description 31
- 238000013461 design Methods 0.000 description 27
- 238000010586 diagram Methods 0.000 description 24
- 101100274486 Mus musculus Cited2 gene Proteins 0.000 description 17
- 101150096622 Smr2 gene Proteins 0.000 description 17
- 238000003745 diagnosis Methods 0.000 description 13
- 230000000737 periodic effect Effects 0.000 description 7
- 238000012544 monitoring process Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 3
- 238000012806 monitoring device Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 230000001934 delay Effects 0.000 description 1
- 238000005315 distribution function Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000007562 laser obscuration time method Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000002618 waking effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/30—Services specially adapted for particular environments, situations or purposes
- H04W4/40—Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
- H04W4/44—Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
Definitions
- the present disclosure relates to an in-vehicle device, a program, and an information processing method.
- This application claims priority based on International Application No. PCT/JP2021/007673 filed on March 1, 2021, and incorporates all the descriptions described in said international application.
- the CAN communication protocol is widely used for communication between multiple in-vehicle ECUs (Electronic Control Units) installed in vehicles.
- the in-vehicle ECUs are connected by a common communication line to exchange data with each other, and data transmission and reception between in-vehicle ECUs in different groups is relayed by an in-vehicle relay device (gateway) (for example, Patent Document 1).
- gateway for example, Patent Document 1
- the vehicle network of Patent Document 1 is equipped with a vehicle network monitoring device that is connected to each segment of the vehicle network and detects unauthorized data (messages) flowing through the vehicle network.
- a vehicle network monitoring device detects unauthorized data (message)
- it transmits warning information (message code) to an on-vehicle control device (on-vehicle ECU).
- An in-vehicle device is an in-vehicle device connected to an in-vehicle network mounted in a vehicle, the in-vehicle device includes a processing unit that performs processing related to determination of correctness of data flowing through the in-vehicle network, the processing unit receives a plurality of data flowing through the in-vehicle network, derives a reception interval when the same type of data is continuously received in the received plurality of data, and calculates the reception interval and the continuously received same type Of the data received earlier, the normal cycle range based on the reception point of time of the data received earlier is used as a reference to determine whether the data received later among the data of the same type continuously received is correct or not.
- FIG. 1 is a schematic diagram illustrating a configuration of an in-vehicle system including an in-vehicle device according to Embodiment 1;
- FIG. 2 is a block diagram illustrating a physical configuration of an in-vehicle device;
- FIG. FIG. 10 is an explanatory diagram of a data type table;
- FIG. 10 is an explanatory diagram relating to determination of data (normal determination);
- FIG. 10 is an explanatory diagram relating to determination of data (occurrence of communication disruption);
- FIG. 10 is an explanatory diagram relating to determination of data (abnormality (identification) determination);
- FIG. 4 is an explanatory diagram relating to data determination (abnormality (range) determination);
- FIG. 10 is an explanatory diagram relating to determination (combination) of data;
- FIG. 4 is an explanatory diagram regarding state transition of a processing unit of an in-vehicle device;
- FIG. 4 is an explanatory diagram relating to a determination mode by a processing unit of an in-vehicle device;
- 4 is a flowchart illustrating processing of a processing unit of an in-vehicle device;
- FIG. 11 is an explanatory diagram regarding determination of data (diagnosis mask period) according to the second embodiment;
- FIG. 4 is an explanatory diagram regarding state transition of a processing unit of an in-vehicle device;
- 4 is a flowchart illustrating processing of a processing unit of an in-vehicle device;
- the vehicle network monitoring device of Patent Literature 1 has a problem in that no consideration is given to efficiently detecting fraudulent messages based on the transmission cycle of periodically transmitted messages.
- the purpose of the present disclosure is to provide an in-vehicle device or the like that can efficiently detect unauthorized data based on the transmission cycle of periodically transmitted data.
- An in-vehicle device is an in-vehicle device connected to an in-vehicle network mounted in a vehicle, the in-vehicle device comprising a processing unit that performs processing related to determining whether data flowing through the in-vehicle network is correct,
- the processing unit receives a plurality of data flowing through the in-vehicle network, derives a reception interval when the same type of data is continuously received from the received plurality of data, and Based on the normal cycle range based on the reception time point of the data received first among the received data of the same kind, the correctness of the data received later among the data of the same kind continuously received is determined.
- the processing unit of the in-vehicle device receives (obtains) a plurality of data such as CAN messages transmitted from the in-vehicle ECU connected to the in-vehicle network.
- the plurality of data includes, for example, the same type of data with the same CAN-ID (message ID), and when the processing unit continuously receives the same type of data, the reception point of the previously received data and the reception time point of the data received later is derived.
- the processing unit determines whether the later received data (the same type of data as the previously received data) succeeds or fails based on the reception interval and the normal cycle range based on the reception point of the previously received data. , for messages sent periodically, to efficiently detect fraudulent messages based on the transmission period.
- the reception point of the earlier received data is the start of the transmission cycle of the data. Even if there is a change from the point in time to the reception point that is fixedly determined, it is possible to appropriately determine whether the data received later is correct or incorrect based on the normal cycle range.
- the normal cycle range is a range in which upper and lower limits are set using a transmission cycle determined based on the data type as a reference value.
- the processing unit of the in-vehicle device uses a transmission cycle (design cycle) determined based on the type of data as a reference value, and sets upper and lower limits using the reference value as a median value, for example, to determine the normal cycle. Identify the range.
- the transmission cycle in which the same type of data with the same CAN-ID (message ID) is transmitted is determined in advance by the type of the data (message ID). ing.
- the processing unit of the in-vehicle device takes the transmission cycle as a reference value (for example, the median value) and adds a time equivalent to a predetermined ratio (upper and lower limit ratio), such as a%, to the transmission cycle.
- the normal cycle range is defined as the upper limit and the lower limit of the subtracted value.
- the processing unit sets the reception interval to the normal cycle based on the reception time point of the data received first among the data of the same type that are consecutively received. If it is within the range, it is determined that the data received after the consecutively received data of the same type is normal, and if the reception interval is not within the normal cycle range, the consecutively received data of the same type is determined. The data received after is determined to be abnormal.
- the processing unit determines that the data received later is normal when the reception interval between two pieces of data of the same type that are consecutively received is within the normal cycle range, and determines that the data received later is normal when it is not within the normal cycle range. In other words, when the reception interval is outside the normal cycle range, it is determined that the data received later is abnormal, so it is possible to efficiently determine whether the data is correct or not.
- the normal cycle range is, for example, the range in which the upper and lower limits are set at the time of adding the transmission cycle determined based on the type of the data to the time of reception of the previously received data, so the reception interval is the normal cycle.
- the reception time point of the data received later is positioned between the lower limit time point (limit-low) and the upper limit time point (limit-upp) defined by the normal period range. If the reception interval is outside the normal cycle range, the reception time point of the data received later does not lie between the lower limit time (limit-low) and the upper limit time (limit-upp) determined by the normal cycle range, For example, it means that it is before the lower limit time (limit-low). In this way, it is possible to efficiently determine whether the data received later is correct or not based on whether the reception interval is within the normal cycle range specified based on the reception time point of the previously received data, or is outside the range. can detect invalid data.
- the processing unit of the in-vehicle device receives data after the normal cycle range, that is, after the upper limit time (limit-upp) defined in the normal cycle range (data of the same kind as the previous data). to identify the normal cycle range.
- the data can be received (re-acquired) by receiving (re-acquiring) the reference data for specifying the normal cycle range. It is possible to efficiently restart the correctness determination process for the received data after the acquisition). In this way, the processing unit of the in-vehicle device does not uniformly determine that data received after the normal cycle range is abnormal. It is possible to prevent erroneous detection as abnormal data even though the received data is normal data.
- the processing unit when the number of data of the same type received within the normal cycle range is one, the processing unit receives one data within the normal cycle range is normal, and if the number of data of the same type received within the normal cycle range is plural, any of the data included in the plurality of data received within the normal cycle range is abnormal I judge.
- the transmission cycle when a plurality of data of the same type are sequentially transmitted is determined in advance based on the type of the data, reception within the normal cycle range, that is, according to the normal cycle range
- the number of data (data of the same type as the previous data) received between the defined lower limit time (limit-low) and the upper limit time (limit-upp) is essentially one.
- the plural pieces of data include abnormal data.
- the processing unit of the in-vehicle device receives a plurality of data of the same type within the normal cycle range, it determines that abnormal data is included in the range, thereby determining the range within the predetermined reception period. Anomaly detection (range anomaly detection) can be performed efficiently.
- the processing unit of the in-vehicle device receives data within the normal cycle range, that is, data received between the lower limit time (limit-low) and the upper limit time (limit-upp) determined by the normal cycle range If the number of (data of the same type as the previous data) is two or more, the next Specify the normal cycle range used in the determination process. That is, the processing unit of the in-vehicle device determines that the plurality of data received within the normal cycle range includes at least one or more abnormal data, and any data in the plurality of data It is not used as reference data for specifying the normal cycle range used in subsequent determination processing.
- the processing unit of the in-vehicle device specifies the normal cycle range to be used in the subsequent determination process based on the reception time of the same type of data received after the upper limit time of the normal cycle range thus determined. Even if an abnormality is detected in the range during the reception period (range abnormality detection), it is possible to efficiently continue (restart) the correctness determination of the data.
- the processing unit uses the previous normal cycle range used to determine the previously received data and the reception time point of the previously received data as a reference. If data of the same type as the data is received between the current normal cycle range, the data of the same type is determined to be abnormal.
- a plurality of data of the same type are sequentially transmitted according to a predetermined transmission cycle (design cycle), and the processing unit of the in-vehicle device receives the plurality of data sequentially.
- a normal cycle range for determining whether the data to be received next is correct or not is specified. Therefore, the normal cycle range is identified sequentially according to the plurality of data received sequentially.
- the processing unit of the in-vehicle device uses the normal cycle range (previous normal cycle range) used to determine the difference in the previously received data, and the normal cycle range based on the reception point of the previously received data (this time normal cycle range), the data of the same type is determined to be abnormal (specific abnormality detection).
- the processing unit of the in-vehicle device first receives the When receiving data of the same type as the received data, it is determined that the data of the same type is abnormal. By using such determination logic, the processing unit of the in-vehicle device can efficiently determine that data received outside the normal cycle range is abnormal.
- the processing unit when the processing unit receives one piece of data of the same type as the previously received data within a normal cycle range based on the reception time of the previously received data , the same type of data is determined to be normal, and the next normal cycle range is specified based on the reception time of the data determined to be normal.
- the processing unit of the in-vehicle device between the upper limit time (limit-upp) determined by the previous normal cycle range and the lower limit time (limit-low) determined by the current normal cycle range, When data of the same type as the previously received data is received, it is determined that the data of the same type is abnormal. Furthermore, when the processing unit of the in-vehicle device receives one piece of data of the same type within the normal cycle range based on the reception point of the previously received data, that is, within the current normal cycle range, the data of the same type is Determined to be normal.
- the processing unit of the in-vehicle device From the upper limit time of the previous normal cycle range (limit-upp) to the upper limit time of the current normal cycle range (limit-upp) of the same kind of data received The number of pieces may be counted, and based on the reception interval for each piece of data of the same type counted, the correctness of each piece of data may be determined.
- the processing unit transitions to a plurality of operating states, and the plurality of operating states receives data that serves as a reference for identifying the normal cycle range. It includes a reference data reception state and a judgment execution state for judging whether or not the received data is correct based on the specified normal cycle range.
- the processing unit of the in-vehicle device for example, until any data is first received (first reception) after the IG switch of the vehicle is turned on, or within the normal cycle range If the data determined to be normal cannot be received, the state of the processing unit transitions to the reference data reception state for receiving reference data (reference data) for specifying the normal cycle range.
- the processing unit that has transitioned to the reference data reception state continues the state of waiting for reception of the reference data (reference data) in order to receive the reference data.
- the processing unit of the in-vehicle device transitions to a determination execution state for determining whether the received data is correct or not based on the specified normal cycle range. .
- the processing unit of the in-vehicle device transitions between a plurality of operation states including the reference data reception state and the judgment execution state according to whether the data is correct or not. It is possible to efficiently receive data (reference data) and efficiently identify the normal cycle range based on the reference data.
- the processing unit does not perform abnormality detection in the reference data reception state.
- the processing unit of the in-vehicle device transits to the reference data reception state, and in the reference data reception state, by prohibiting processing related to abnormality detection such as judging whether the received data is correct or not, the abnormality detection is performed. shall not be performed.
- the received data is transferred to another communication line (CAN bus) according to the routing map. It is possible to efficiently perform relay processing such as transferring to
- the processing unit does not save the security log in the reference data reception state.
- the processing unit of the in-vehicle device transitions to the reference data reception state, and in the reference data reception state, the security log (attack detection log data) based on the detection result in the determination execution state is stored in the storage unit 21. Do not save the data. By not saving the security log in the reference data reception state, the processing load on the processing unit of the in-vehicle device can be reduced.
- the processing unit determines that the received data is abnormal, it stores information corresponding to the mode of abnormality in an accessible predetermined storage area.
- the processing unit of the in-vehicle device determines that the received data is abnormal, it outputs information corresponding to the state of the abnormality or stores it in a predetermined storage area accessible from the self unit. It is possible to efficiently notify the operator or the like of the occurrence of the abnormality.
- the accessible predetermined storage area is a volatile storage area
- the processing unit when the IG switch of the vehicle is turned off, the The information stored in the volatile storage area is transferred to a predetermined accessible non-volatile storage area.
- the predetermined storage area accessible by the processing unit of the in-vehicle device includes, for example, a volatile storage area such as RAM and a non-volatile storage area such as flash memory, and the processing unit of the in-vehicle device
- a volatile storage area such as RAM
- a non-volatile storage area such as flash memory
- the processing unit of the in-vehicle device When it is determined that the received data is abnormal, information corresponding to the mode of abnormality is temporarily stored in the volatile storage area.
- the processing unit of the in-vehicle device stores information stored in the volatile storage area (information corresponding to the mode of abnormality) using the off signal as a trigger, and stores the information in the nonvolatile storage area. By storing (copying) the information, the information is migrated (saved) to a non-volatile storage area.
- the processing unit of the in-vehicle device may store the information corresponding to the mode of the abnormality in the volatile storage area as a log when the abnormality is detected. At this time, the processing unit of the in-vehicle device determines the upper limit of the number of logs to be stored (saved), and when the number of logs to be saved exceeds the upper limit, the oldest log is overwritten and the latest log is saved. It may be something to do.
- the upper limit value may be varied according to the type of data (CAN message ID) that is the target of abnormality detection. Alternatively, the upper limit may be set for all data types. By performing overwrite processing based on such an upper limit value, it is possible to prevent the storage capacity required for the volatile storage area or the nonvolatile storage area from becoming excessively large.
- the processing unit when specifying the normal cycle range based on the reception time of the received data, specifies the type of data and the reception time as the reference. Store in a predetermined storage area that can be associated and accessed.
- the processing unit of the in-vehicle device specifies the normal cycle range based on the reception time of the received data
- the type of data used as the reference and the reception time are associated with each other and output or accessed from the own unit. Since it is stored in a possible predetermined storage area, it is possible to accurately store the information at the time of transition to the reference data reception state.
- the processing unit when the IG switch of the vehicle is turned on, the processing unit receives first data and the data after a predetermined diagnosis mask period has passed.
- the reception interval of the continuously received data is within the normal cycle range based on the first received data, the continuous reception of the data is performed.
- the next normal period range is specified based on the reception time of the data received after the period.
- the processing unit of the in-vehicle device identifies reference data for identifying the normal cycle range after the diagnostic mask period, which is performed after the IG switch is turned on, has elapsed.
- the diagnosis mask period is a period during which no abnormality detection is performed for the in-vehicle device mounted in the vehicle.
- the processing unit of the in-vehicle device receives the first data and the same type of data as the data received immediately after the data (the data received later). That is, if the reception interval of these consecutively received data is within the normal cycle range based on the first received data, the next normal cycle range is specified based on the reception point of the later received data.
- the processing unit of the in-vehicle device may store the two consecutively received data of the same type (first received data and second received data) in the storage unit.
- a program causes a computer to receive a plurality of data flowing through an in-vehicle network installed in a vehicle, and when the same type of data is continuously received in the received plurality of data, based on the reception interval and the normal cycle range based on the reception point of the first received data among the consecutively received data of the same type. After the above, a process of judging whether the received data is correct or not is executed.
- the computer can be operated as an in-vehicle device that efficiently detects fraudulent data based on the transmission cycle of periodically transmitted data.
- a computer receives a plurality of data flowing through an in-vehicle network installed in a vehicle, and consecutively receives data of the same type in the received plurality of data. Based on the reception interval and the normal cycle range based on the reception time of the data received earlier among the data of the same type continuously received, the data of the same type continuously received is derived. After the data received, a process for judging whether the received data is correct or not is executed.
- FIG. 1 is a schematic diagram illustrating the configuration of an in-vehicle system including an in-vehicle device 2 according to the first embodiment.
- FIG. 2 is a block diagram illustrating the physical configuration of the in-vehicle device 2. As shown in FIG.
- the in-vehicle system S includes an in-vehicle device 2 mounted in the vehicle and an external communication device 1.
- the in-vehicle device 2 relays communication between a plurality of in-vehicle ECUs 3 mounted in the vehicle.
- the in-vehicle device 2 communicates with an external server 100 connected via an in-vehicle network N via the in-vehicle communication device 1, and relays communication between the external server 100 and an in-vehicle ECU 3 mounted in the vehicle. There may be.
- the external server 100 is, for example, a computer such as a server connected to an external network N such as the Internet or a public network, and is a storage unit or storage device such as a RAM (Random Access Memory), a ROM (Read Only Memory), or a hard disk. Prepare. A storage unit and the like of the external server 100 are included in a storage area accessible from the in-vehicle device 2 .
- the vehicle C is equipped with an external communication device 1, an in-vehicle device 2, a display device 5, and a plurality of in-vehicle ECUs 3 for controlling various in-vehicle devices.
- the in-vehicle device 2 and the external communication device 1 are communicably connected by a wire harness such as a serial cable.
- the in-vehicle device 2 and the in-vehicle ECU 3 are communicably connected by a communication line 41 and an in-vehicle network 4 corresponding to a communication protocol such as CAN (Control Area Network/registered trademark) or Ethernet (registered trademark).
- the communication protocol in the in-vehicle device 2 and the in-vehicle ECU 3 may be based on LIN, MOST, FlexRay, or the like.
- the vehicle-external communication device 1 includes a vehicle-external communication unit (not shown) and an input/output I/F (not shown) for communicating with the in-vehicle device 2 .
- the external communication unit is a communication device for wireless communication using a mobile communication protocol such as 3G, LTE, 4G, WiFi, etc., and transmits data to the external server 100 via an antenna 11 connected to the external communication unit. send and receive Communication between the external communication device 1 and the external server 100 is performed via an external network N such as a public line network or the Internet.
- the input/output I/F is a communication interface for serial communication with the in-vehicle device 2, for example.
- the external communication device 1 and the in-vehicle device 2 communicate with each other via an input/output I/F and a wire harness such as a serial cable connected to the input/output I/F.
- the vehicle-external communication device 1 is separate from the vehicle-mounted device 2, and these devices are communicably connected via an input/output I/F or the like, but the present invention is not limited to this.
- the external communication device 1 may be built in the in-vehicle device 2 as one component of the in-vehicle device 2 .
- the in-vehicle device 2 includes a processing unit 20, a storage unit 21, an input/output I/F 22, and an in-vehicle communication unit 23.
- the in-vehicle device 2 for example, integrates system segments by a plurality of communication lines 41 such as a recognition system in-vehicle ECU 3, a judgment system in-vehicle ECU 3, and an operation system in-vehicle ECU 3, and communicates between the in-vehicle ECUs 3 between these segments.
- a plurality of communication lines 41 such as a recognition system in-vehicle ECU 3, a judgment system in-vehicle ECU 3, and an operation system in-vehicle ECU 3, and communicates between the in-vehicle ECUs 3 between these segments.
- is an in-vehicle relay device such as a gateway (CAN gateway) for relaying.
- Each of the plurality of communication lines 41 corresponds to a bus (CAN bus) in each segment.
- the in-vehicle device 2 includes an in-vehicle relay device such as an Ether SW, a PLB (Power Lan Box) having a power distribution function in addition to a data communication relay function, and an integrated ECU that has a relay function and controls the entire vehicle C in an integrated manner.
- an in-vehicle relay device such as an Ether SW, a PLB (Power Lan Box) having a power distribution function in addition to a data communication relay function, and an integrated ECU that has a relay function and controls the entire vehicle C in an integrated manner.
- the in-vehicle device 2 may be configured as a functional part of the in-vehicle ECU 3, such as a body ECU that controls body system actuators of the vehicle C.
- the processing unit 20 is configured by a CPU (Central Processing Unit) or MPU (Micro Processing Unit) or the like, and by reading and executing control programs and data stored in advance in the storage unit 21, various control processes and Arithmetic processing and the like are performed.
- the processing unit 20 may determine whether the data (message) acquired (received) via the in-vehicle communication unit 23 is correct or not, and may function as a control unit that controls the in-vehicle device 2 as a whole.
- the storage unit 21 is composed of a volatile memory element such as RAM (Random Access Memory) or a non-volatile memory element such as ROM (Read Only Memory), EEPROM (Electrically Erasable Programmable ROM) or flash memory, A control program and data to be referred to during processing are stored in advance.
- the control program stored in the storage unit 21 may be a control program read from the recording medium 211 readable by the in-vehicle device 2 .
- the control program may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the storage unit 21 .
- the storage unit 21 stores relay route information (routing table) used for performing relay processing for communication between the in-vehicle ECUs 3 or communication between the in-vehicle ECUs 3 and the external server 100 .
- the format of the relay route information is determined based on the communication protocol.
- the relay route information for CAN includes the message identifier (CAN-ID, message ID) included in the CAN message and the relay destination (I/O of the in-vehicle communication unit 23) associated with the CAN-ID. port number).
- the input/output I/F 22 is, like the input/output I/F of the external communication device 1, a communication interface for serial communication, for example.
- the in-vehicle device 2 is communicably connected to the external communication device 1, the display device 5 (HMI device), and the IG switch 6 for starting and stopping the vehicle C via the input/output I/F 22 .
- the in-vehicle communication unit 23 is an input/output interface using a communication protocol such as CAN (Control Area Network), CAN-FD (CAN with Flexible Data Rate), or Ethernet (registered trademark). It communicates with the in-vehicle ECU 3 connected to the in-vehicle network 4 via the communication unit 23 or other in-vehicle equipment such as a relay device.
- CAN Controller Area Network
- CAN-FD CAN with Flexible Data Rate
- Ethernet registered trademark
- a plurality of in-vehicle communication units 23 are provided, and each communication line 41 (CAN bus, etc.) constituting the in-vehicle network 4 is connected to each in-vehicle communication unit 23 .
- the in-vehicle network 4 may be divided into a plurality of segments.
- the topology type of the in-vehicle network 4 is not limited to the bus type illustrated in the present embodiment.
- a cascade type in which the in-vehicle device 2 is the highest level may be used.
- the vehicle-mounted ECU 3 includes a control unit (not shown), a storage unit (not shown), and an in-vehicle communication unit (not shown), similar to the vehicle-mounted device 2 .
- the storage unit is composed of volatile memory elements such as RAM (Random Access Memory) or non-volatile memory elements such as ROM (Read Only Memory), EEPROM (Electrically Erasable Programmable ROM), or flash memory.
- RAM Random Access Memory
- ROM Read Only Memory
- EEPROM Electrical Erasable Programmable ROM
- flash memory flash memory
- a program or data for the ECU 3 is stored.
- In-vehicle ECU3 transmits a CAN message periodically, and communicates with in-vehicle device 2, for example.
- the in-vehicle ECU 3 may be a separate ECU to which a sensor or an actuator is connected and connected under the control of the integrated ECU.
- the display device 5 is, for example, an HMI (Human Machine Interface) device such as a car navigation display.
- the display device 5 is communicably connected to the input/output I/F 22 of the in-vehicle device 2 by a harness such as a serial cable. Data or information output from the processing unit 20 of the in-vehicle device 2 via the input/output I/F 22 is displayed on the display device 5 .
- HMI Human Machine Interface
- FIG. 3 is an explanatory diagram of the data type table.
- Various data referred to when the processing unit 20 performs determination processing are stored in a predetermined storage area accessible from the processing unit 20, such as the storage unit 21 of the in-vehicle device 2, the in-vehicle ECU 3, or a storage device connected to the external server 100. remembered.
- Data types to be monitored when the processing unit 20 performs determination processing are stored in the storage unit 21 or the like as, for example, a data type table configured in a table format.
- the management items (fields) defined in the data type table include, for example, message ID, design cycle, upper/lower limit value ratio, normal cycle range, and judgment execution target flag.
- a message ID (CAN-ID) indicating the type of CAN message is stored in the management item (field) of the message ID.
- the type of data to be received is determined based on the message ID. If the data to be determined is, for example, a CAN message, CAN messages with the same message ID are processed as data of the same type.
- Management items (fields) for determining the type of data are not limited to the message ID in the CAN message. number, UDP port number, or a combination thereof.
- the design cycle indicates a predetermined transmission cycle when data (message) is transmitted from one of the in-vehicle ECUs 3 or the like. Cycle.
- the design period management item (field) stores the design period (for example, x [ms]) in each piece of data.
- the upper and lower limit value ratio indicates the upper and lower limit values for specifying the normal cycle range based on the design cycle.
- the upper and lower limit value ratio may be defined as, for example, a ratio to the design period (for example, a%, where a > 0), or real time ( ⁇ x x a x 0.01 [ms]) may be indicated by Alternatively, the upper and lower limit value ratios may be different ratios between the upper and lower limits.
- the normal cycle range is a range calculated from the design cycle and the ratio of upper and lower limits, and is information used when determining whether the received data is correct or not. For example, if the design cycle is x [ms] and the upper and lower limit ratio is a% ( ⁇ x x a x 0.01 [ms]), the normal cycle range is x - x x a x 0.01 [ms] , x+xxax0.01 [ms].
- the median value of the normal cycle range is (K + x) ms
- the lower limit time (limit-low) of the normal cycle range is ⁇ (K + x ) ⁇ (x ⁇ a ⁇ 0.01) ⁇ ms
- the upper limit point (limit-upp) of the normal cycle range is ⁇ (K+x)+(x ⁇ a ⁇ 0.01) ⁇ ms.
- the data type table includes both the design cycle, the upper and lower limit value ratio, and the normal cycle range, but the data type table is not limited to this, and may include only one of them. Needless to say.
- the determination execution target flag is a flag value (1: monitoring target, 0: non-monitoring target) is stored. In this way, among the data transmitted and received through the in-vehicle network 4, by making the data of the type for which the determination execution target flag is set as the execution target (monitoring target) of the correctness determination, only the data with a relatively high degree of importance can be selected. It is possible to reduce the processing load of the in-vehicle device 2 (processing unit) by using it as a monitoring target.
- FIG. 4 is an explanatory diagram relating to data determination (normality determination).
- determination processing regarding data of a specific data type (CAN message, etc.) will be described.
- the horizontal axis indicates time (elapsed time).
- the processing unit 20 of the in-vehicle device 2 calculates, for example, reception intervals of the same type of data (same message ID) for each data (monitoring target message) defined in the data type table stored in the storage unit 21. , the data (message) is determined to be normal if the reception interval is within the normal cycle range.
- the processing unit 20 determines that the data is abnormal. If the reception interval does not fall within the normal cycle range, this indicates a state in which it is possible to identify which message is abnormal, and the processing unit 20 determines that it is a specific abnormality. When a plurality of data are received within the normal cycle range, this indicates a state in which it is detected that an abnormality is included in a certain range, and the processing unit 20 determines that the range is abnormal.
- the data (message) is determined to be normal data (message)
- the data (message) is used as the reference (reference data)
- the reception interval between the reference data and the next received data (message) is calculated.
- the reference data (reference message) is set for each data type (message ID) of the message to be monitored, and in the acquisition state of the reference data, the reception interval ( ⁇ T) between the first received message and the second received message is within the normal range. If it is within the range, the data (message) received for the second time is used as the reference data (reference message).
- the setting of the reference data is not limited to two times, and may be determined when the data is consecutively set a plurality of times. That is, for example, when the reception interval is within the normal range five times in succession, the processing unit 20 may use the data (message) received for the fifth time as the reference data (reference message).
- the vehicle C When the IG switch 6 is turned on, the vehicle C is activated, and data such as CAN messages are transmitted from each in-vehicle ECU 3 connected to the in-vehicle network 4 .
- the processing unit 20 of the in-vehicle device 2 receives data for each type classified by message ID (CAN-ID) for the first time, and the data received for the first time is the first data for specifying the normal cycle range. is set as reference data (reference message).
- the processing unit 20 refers to the data type table stored in the storage unit 21 at the time of reception, which indicates the time at which the reference data is received, etc., and determines the design cycle ( T) is added, and the normal cycle range is specified (derived) by adding and subtracting the upper and lower limits with the added time as the central value.
- the normal cycle range is defined as the range (period ).
- the transmission cycle (design cycle) is a relative time from the reception time (the reception time of the reference data).
- the processing unit 20 calculates the normal cycle range 1 with the median value after the design cycle (T) from the reference message and the lower limit time (limit-low1) and the upper limit time (limit-upp1) as upper and lower limits.
- the processing unit 20 counts the number of messages received after the reference message and the reception interval at the upper limit time (limit-upp1).
- the processing unit 20 determines that the received message 1 (Msg1) is within the normal period range 1 and the number is 1, so it determines that it is a normal message and updates (resets) the message 1 (Msg1) as a reference message.
- the processing unit 20 sets the median value to be the design period (T) after the message 1 (Msg1) (reference message at this point), and the normal A period range 2 is calculated.
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message. . Since the received message 2 (Msg2) is within the normal period range 2 and the number is 1, the processing unit 20 updates (resets) the message 2 (Msg2) as the reference message.
- the processing unit 20 of the in-vehicle device 2 updates (resets) the reference data (reference message) based on the data (message) that has been determined to be normal by repeating the above-described processing. Using the normal cycle range specified each time by the reference data, the judgment processing of the data (message) received after the reference data is repeated.
- FIG. 5 is an explanatory diagram relating to data determination (occurrence of communication disruption).
- the processing unit 20 calculates the normal cycle range 1 with the median value after the design cycle (T) from the reference message and the lower limit time (limit-low1) and the upper limit time (limit-upp1) as upper and lower limits.
- the processing unit 20 counts the number of messages received after the reference message and the reception interval at the upper limit time (limit-upp1).
- the processing unit 20 updates (resets) the received message 1 (Msg1) as the reference message because the received message 1 (Msg1) is within the normal period range 1 and the number is 1.
- the processing unit 20 sets the median value to be the design period (T) after the message 1 (Msg1) (reference message at this point), and the normal A period range 2 is calculated.
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message. .
- the processing unit 20 determines that the communication interruption has occurred because the number of messages received in the normal cycle range 2 is 0, and after the normal cycle range 2 elapses, that is, the upper limit point of the normal cycle range 2 (limit-upp2 ), the reference message is re-obtained.
- the processing unit 20 sets a message acquired (received) after the upper limit point (limit-upp2) of the normal cycle range 2 as a reference message, and specifies the normal cycle range 3 .
- FIG. 6 is an explanatory diagram relating to data determination (abnormality (identification) determination).
- the processing unit 20 calculates the normal cycle range 1 with the median value after the design cycle (T) from the reference message and the lower limit time (limit-low1) and the upper limit time (limit-upp1) as upper and lower limits.
- the processing unit 20 counts the number of messages received after the reference message and the reception interval at the upper limit time (limit-upp1).
- the processing unit 20 updates (resets) the received message 1 (Msg1) as the reference message because the received message 1 (Msg1) is within the normal period range 1 and the number is 1.
- the processing unit 20 sets the median value to be the design period (T) after the message 1 (Msg1) (reference message at this point), and the normal A period range 2 is calculated.
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message. .
- the processing unit 20 detects the message 2 (Msg2) as an anomaly because one received message is outside the normal cycle range (message 2 (Msg2)) and one is within the normal cycle range 2 (message 3 (Msg3)). (determined as a specific abnormality), and update (reset) message 3 (Msg3) as a reference message.
- the processing unit 20 repeats the above process to update (renew) the reference data (reference message) based on the data (message) determined to be normal. settings).
- the processing unit 20 repeats determination processing for data (messages) received after the reference data, using the normal period range specified each time by the updated reference data.
- FIG. 7 is an explanatory diagram relating to data determination (abnormality (range) determination).
- the processing unit 20 calculates the normal cycle range 1 with the median value after the design cycle (T) from the reference message and the lower limit time (limit-low1) and the upper limit time (limit-upp1) as upper and lower limits.
- the processing unit 20 counts the number of messages received after the reference message and the reception interval at the upper limit time (limit-upp1).
- the processing unit 20 updates (resets) the received message 1 (Msg1) as the reference message because the received message 1 (Msg1) is within the normal period range 1 and the number is 1.
- the processing unit 20 sets the median value to be the design period (T) after the message 1 (Msg1) (reference message at this point), and the normal A period range 2 is calculated.
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message. . Since the number of received messages (message 2 (Msg2), message 3 (Msg3)) is two or more within the normal period range 2, the processing unit 20 detects an abnormality (range determined to be abnormal), and after the normal cycle range 2 has passed, that is, after the upper limit time (limit-upp2) of the normal cycle range 2, the reference message is reacquired.
- the processing unit 20 sets the message acquired (received) after the upper limit point (limit-upp2) of the normal cycle range 2 as the reference message, and specifies the normal cycle range 3.
- the processing unit 20 updates (resets) the reference data (reference message) by repeating the above processing even when a plurality of data determined to be range abnormal is received, and the updated reference data Using the normal cycle range specified each time, the judgment processing of the data (message) received after the reference data is repeated.
- FIG. 8 is an explanatory diagram relating to determination (combination) of data.
- the processing unit 20 calculates the normal cycle range 1 with the median value after the design cycle (T) from the reference message and the lower limit time (limit-low1) and the upper limit time (limit-upp1) as upper and lower limits.
- the processing unit 20 counts the number of messages received after the reference message and the reception interval at the upper limit time (limit-upp1).
- the processing unit 20 updates (resets) the received message 1 (Msg1) as the reference message because the received message 1 (Msg1) is within the normal period range 1 and the number is 1.
- the processing unit 20 sets the median value to be the design period (T) after the message 1 (Msg1) (reference message at this point), and the normal A period range 2 is calculated.
- the processing unit 20 counts the number of messages received after the reference message updated (reset) by message 1 (Msg1) and the reception interval from the reference message. .
- the processing unit 20 receives two messages outside the normal period range (message 2 (Msg2), message 3 (Msg3)) and two or more messages within the normal period range 2 (message 4 (Msg4), message 5 (Msg5 )), the message 2 (Msg2) and the message 3 (Msg3) are detected as anomalies (determined as specific anomalies).
- the processing unit 20 determines that the message 4 (Msg4) and the message 5 (Msg5) are detected as abnormal (determines that the range is abnormal), and after the normal cycle range 2 has passed, reacquires the reference message.
- the processing unit 20 updates (resets) the reference data (reference message) by repeating the above-described process even when a plurality of pieces of data determined to be specific abnormality or range abnormality are received, and the updated reference data (reference message) is updated. Using the normal cycle range specified each time by the reference data obtained, the judgment processing for the data (message) received after the reference data is repeated.
- FIG. 9 is an explanatory diagram regarding the state transition of the processing unit 20 of the in-vehicle device 2.
- the processing unit 20 of the in-vehicle device 2 transitions between a plurality of states in the course of performing the determination process.
- the plurality of states are, for example, a reference data reception state (reference message acquisition state) in which reference data is received in identifying the normal cycle range, and whether the received data is correct or not based on the specified normal cycle range. and a determination execution state (periodic detection execution state) for determination.
- the processing unit 20 of the in-vehicle device 2 is in the reference data reception state, and after that, when data is received for the first time (initial reception), it transitions to the determination execution state. After that, when the processing unit 20 in the determination execution state determines that the data acquired within the normal cycle range is normal, the processing unit 20 updates (resets) the normal data as the reference data, thereby changing the determination execution state. maintain.
- the transition to the reference data reception state is not limited to the ON state of the IG switch 6, but may be the ON state of the battery or the transition at the time of wakeup from the communication sleep state.
- the triggers for the processing unit 20 of the in-vehicle device 2 to transition to the reference data reception state are when the IG switch 6 is turned on, the battery is turned on, the ACC is turned on (accessory power is turned on), and when waking up from the communication sleep state. It may be based on various power triggers (power state transitions) such as transitions (receipt of a wakeup signal). That is, the processing unit 20 of the in-vehicle device 2 may transition to the reference data reception state by detecting the event when such an event related to the power supply trigger (transition of the power supply state) occurs. .
- power state transitions such as transitions (receipt of a wakeup signal).
- the processing unit 20 in the determination execution state detects an abnormality (range abnormality) due to acquisition of a plurality of data of the same type within the normal cycle range, or when the same type of data cannot be acquired within the normal cycle range. (Communication disruption detected), transition to the reference data reception state. After the normal cycle range has passed, that is, after the upper limit time (limit-upp) of the normal cycle range has passed, the processing unit 20 that has transitioned from the determination execution state to the reference data reception state receives the first acquired data of the same type. It is used as reference data, and transitions to the determination execution state.
- range abnormality due to acquisition of a plurality of data of the same type within the normal cycle range, or when the same type of data cannot be acquired within the normal cycle range.
- FIG. 10A and 10B are explanatory diagrams relating to determination modes by the processing unit of the in-vehicle device 2.
- the processing unit 20 of the in-vehicle device 2 determines the upper limit time (limit -upp[t+1]), a unit determination period may be defined, and determination processing may be performed for each unit determination period.
- the unit judgment period set in this way starts from the upper limit of the previous normal cycle range (limit-upp[t]) to the current lower limit of the normal cycle range (limit-low[t+1]).
- the period until (period A) and the period from the lower limit of the normal cycle range (limit-low[t+1]) to the upper limit of the normal cycle range (limit-upp[t+1]) (Period B).
- the processing unit 20 counts the number of received (acquired) data (data of the same type as the reference data) in each period A and period B, and counts the number of data in each period (period A and period B). Accordingly, determination processing and updating (resetting) of reference data may be performed.
- the processing unit 20 If the number of pieces of data acquired in period A is 0 and the number of pieces of data acquired in period B is 0, the processing unit 20 experiences a communication cutoff (normal data is lost, etc.) in period B. It determines that it has been done, and transitions to the reference data reception state in order to use the data acquired after the upper limit time of the current normal cycle range as the reference data.
- the processing unit 20 determines that the data received in period B is normal, and determines that the data received in period B is normal.
- the data acquired in 2 is used as the reference data, and the judgment execution state is maintained.
- the processing unit 20 treats the plurality of data received in period B as abnormal (range abnormal ), and transitions to the reference data reception state in order to use the data acquired after the upper limit time of the current normal cycle range as the reference data.
- the processing unit 20 determines that the data received in period A is abnormal (specific abnormality). judge. The processing unit 20 determines that a communication interruption (normal data is lost, etc.) has occurred in the period B, and sets the data acquired after the upper limit time of the current normal cycle range as the reference data. Transition to receive state.
- the processing unit 20 determines that the data received in period A is abnormal (specific abnormality).
- the data received during the period B is determined to be normal, the data acquired during the period B is used as reference data, and the determination execution state is maintained.
- the processing unit 20 determines that the data received in period A is abnormal (specific abnormality). Then, the plurality of data received in the period B are determined to be abnormal (range abnormal), and the data acquired after the upper limit time of the current normal cycle range has passed. transition to
- the illustrated information in this embodiment may be stored in the storage unit 21 as a determination mode table, for example, in a table format.
- the processing unit 20 may refer to the determination mode table based on the number of pieces of data counted for each unit determination period, and perform the determination process and update (reset) the reference data.
- the processing unit 20 thus sets a different determination code for each processing mode determined by the number of received (acquired) data (data of the same type as the reference data) in each of period A and period B, For each unit determination period (upper limit time of the normal cycle range), the time information at the upper limit time and the determination code may be associated and stored in the storage unit 21 .
- FIG. 11 is a flowchart illustrating the processing of the processing unit of the in-vehicle device 2.
- the processing unit 20 of the in-vehicle device 2 steadily performs the following processing, for example, when the vehicle C is in an activated state (the IG switch 6 is on).
- the processing unit 20 of the in-vehicle device 2 receives the reference data (S101).
- the processing unit 20 transitions to the determination execution state by receiving the reference data.
- the IG switch 6 When the IG switch 6 is turned on, the vehicle C is activated, and data such as CAN messages are transmitted from each vehicle-mounted ECU 3 connected to the vehicle-mounted network 4 by, for example, broadcasting.
- the processing unit 20 of the in-vehicle device 2 performs the initial reception of data for each type classified by message ID (CAN-ID), for example.
- the data received for the first time is set as reference data for specifying the normal cycle range.
- the processing unit 20 of the in-vehicle device 2 When setting the received data as the reference data, the processing unit 20 of the in-vehicle device 2 associates the type of the data (message ID) with the reception point of time indicating the time at which the data was received, and stores them in the storage unit 21. It may be something to do. After that, the processing unit 20 of the in-vehicle device 2 performs the following processing for each data type (for example, each message ID).
- the processing unit 20 of the in-vehicle device 2 identifies the normal cycle range (S102).
- the processing unit 20 refers to the data type table stored in the storage unit 21 and identifies the normal cycle range based on the data type (message ID).
- the normal cycle range may be specified by calculating based on the design cycle and the upper/lower limit ratio. For example, the design period (T), which is a transmission period determined in advance based on the type of data, is added to the reception time point (C) of the reference data to determine the central value (C+T) in the normal period range.
- the upper and lower limit values (L) determined based on the upper and lower limit ratio are added (C+T+L) and subtracted (C+T-L) from the central value (C+T).
- a range of ⁇ L (from (C+T ⁇ L) to (C+T+L)) is determined with respect to the central value (C+T), and this range corresponds to the normal cycle range.
- the time point specified by adding the upper and lower limit values (L) to the central value (C+T) (C+T+L) corresponds to the upper limit time point (limit-upp) in the normal cycle range.
- the time point specified by subtracting the upper and lower limit values (L) from the central value (C+T) (C+T-L) corresponds to the lower limit time point (limit-low) in the normal cycle range.
- the upper and lower limit values (L) for addition and subtraction are equal to the center value (C + T), but the present invention is not limited to this, and the upper limit value (Lu) for addition and subtraction
- the lower limit value (Ll) to be used may be set to a different value.
- the processing unit 20 of the in-vehicle device 2 determines whether or not the same type of data has been acquired within the normal cycle range (S103).
- the data of the same type is data of the same type as the received reference data, and when the data is, for example, a CAN message, messages (data) having the same message ID (CAN-ID) are data of the same type.
- the processing unit 20 calculates a reception interval ( ⁇ T) from the point of time when the reference data is received to the point of time when the same type of data is received next.
- the processing unit 20 determines whether the same type of data is acquired within the normal cycle range. may be determined.
- the reception interval ( ⁇ T) from the point of reception of the reference data to the point of reception of the next received data of the same type is greater than or equal to the elapsed time from the point of reception of the reference data to the lower limit point (limit-low) of the normal cycle range. and within the elapsed time up to the upper limit point (limit-upp) of the normal cycle range, the processing unit 20 determines that the same type of data has been acquired within the normal cycle range. If the same type of data is not acquired before the upper limit point (limit-upp) of the normal cycle range elapses, the processing unit 20 determines that the same type of data was not acquired within the normal cycle range.
- the processing unit 20 receives (acquires) the same type of data in the period from the lower limit time (limit-low) to the upper limit time (limit-upp) of the normal cycle range, based on whether the same type of data is received (acquired) within the normal cycle range. may be determined whether or not it has been acquired. That is, when the same kind of data is received in the period from the lower limit time (limit-low) to the upper limit time (limit-upp) of the normal cycle range (lower limit time ⁇ same kind of data reception time ⁇ upper limit time), the processing unit 20 determines that the same type of data is acquired within the normal cycle range.
- the processing unit 20 of the in-vehicle device 2 performs loop processing to execute S101 again. If the same type of data is not acquired within the normal cycle range, it is determined that a communication interruption has occurred due to loss of the data, etc. Attempt to receive homogeneous data. The processing unit 20 transitions to the reference data reception state. If the loop processing from S103 to S101 is continuously performed, and the number of consecutive times reaches a predetermined threshold number such as 10 or exceeds the threshold number of times, the processing unit 20 returns to S101. The received data may be judged to be abnormal.
- the processing unit 20 of the in-vehicle device 2 determines whether or not the number of data is one (S104).
- the processing unit 20 of the in-vehicle device 2 counts the number of pieces of data of the same type received within the normal cycle range, that is, in the period from the lower limit time (limit-low) to the upper limit time (limit-upp) of the normal cycle range, It is determined whether the number of data is one (two or more).
- the processing unit 20 of the in-vehicle device 2 stores in the storage unit 21 the time point of reception of each piece of data and the data type such as CAN-ID for all received (acquired) data in association with each other.
- the processing unit 20 of the in-vehicle device 2 also stores the reception interval, which is the difference between the reception point of each of the data and the reception point of the reference data, in the storage unit 21 in association with the data type such as CAN-ID. There may be.
- the processing unit 20 of the in-vehicle device 2 determines that the received data is normal (S105).
- the data is data normally transmitted from one of the in-vehicle ECUs 3 based on the design cycle, and the processing unit of the in-vehicle device 2 20 determines that the received data is normal.
- the processing unit 20 of the in-vehicle device 2 sets the received data as reference data to be used in the next determination process, and identifies the normal cycle range (S106).
- the processing unit 20 of the in-vehicle device 2 sets the received data, that is, the data determined to be normal in the process of S105, as reference data used for determination processing of the same type of data to be received next. In this way, the processing unit 20 of the in-vehicle device 2 repeats setting the reference data based on the data determined to be normal in the immediately preceding process, so that the reference data corresponding to the load status of the in-vehicle network 4 in real time can be generated. setting (periodic resetting) can be continued.
- the processing unit 20 of the in-vehicle device 2 identifies the normal cycle range based on the reference data reset in this way, as in the process of S102. Based on the specified normal cycle range, the processing unit 20 repeats correctness determination of data received thereafter.
- the processing unit 20 of the in-vehicle device 2 judges that the plurality of data includes abnormal data within a predetermined range (normal cycle range), and that the range is abnormal.
- the processing unit 20 of the in-vehicle device 2 stores the data types and reception times of the plurality of data determined to be range abnormal in the storage unit 21 as attack detection log data, and outputs them to the external server 100 or the display device 5. can be anything.
- the processing unit 20 of the in-vehicle device 2 receives the reference data (S1042).
- the processing unit 20 of the in-vehicle device 2 receives the same type of data received later than the normal cycle range as the reference data. Since the plurality of data determined to be range abnormal include at least one or more abnormal data, the processing unit 20 of the in-vehicle device 2 does not set the data determined to be range abnormal as reference data. do not have. As a result, it is possible to reliably avoid the fact that the correctness determination of the data acquired thereafter is performed based on the data determined to be range abnormal.
- the processing unit 20 of the in-vehicle device 2 receives, as reference data, the same type of data received after the normal cycle range in which the plurality of data determined to be out of range are received.
- the processing unit 20 of the in-vehicle device 2 identifies the normal cycle range (S1043).
- the processing unit 20 of the in-vehicle device 2 sets the data received in S1042 as reference data to be used in the next determination process, and identifies the normal cycle range in the same manner as in the process of S102. Even when a plurality of data having range abnormality is received in this manner, the determination process can be continued or restarted by resetting the reference data based on the data received thereafter.
- the processing unit 20 of the in-vehicle device 2 may perform a process of identifying or extracting which data is abnormal among a plurality of data determined to be out of range.
- the processing unit 20 of the in-vehicle device 2 for example, among the data received within the normal range, determines that the data closest to the median of the normal range is normal data, and the other data is abnormal data. may be used. In this case, processing is performed to identify which data is abnormal on the assumption that there is always one normal data among the plurality of data.
- the processing unit 20 of the in-vehicle device 2 acquires the reception time distribution within the normal range of normal data in advance, and uses a method of determining the data closest to the median value of the distribution as normal data.
- the reception time distribution often takes a normal distribution within the normal range, but the fact that the center of the distribution does not always lie near the median of the normal range is used.
- This method is based on the assumption that if the number or type of on-vehicle devices 2 connected to the same communication line 41 (CAN bus) changes due to the options installed in the vehicle C, the reception time distribution will also change.
- the processing unit 20 of the in-vehicle device 2 may use a method of determining based on the context of CAN-IDs of other data flowing on the same communication line 41 (CAN bus).
- the order of CAN-IDs received by an in-vehicle relay device has a certain order, and the longer the design period of the data (CAN message), the more conspicuous the order of the order becomes.
- the processing unit 20 of the in-vehicle device 2 may use a method of judging together with information other than the period included in the received data, such as the contents of the data. In this case, the decision may be made in combination with other detection algorithms.
- the processing unit 20 of the in-vehicle device 2 may use a method of determining based on electrical waveform characteristics.
- the processing unit 20 of the in-vehicle device 2 identifies which data is abnormal by using all the methods described above for a plurality of data determined to be range abnormal, and based on the identification results by each method, the most The data identified as abnormal by the method of (1) may be finally determined (determined by majority vote) as abnormal data.
- the processing unit 20 of the in-vehicle device 2 determines whether or not the same type of data has been received between the previous normal cycle range and the current normal cycle range (S107).
- the normal cycle range is specified each time the reference data is set, and the specified normal cycle ranges are adjacent in time series. Since normal data is not transmitted in the period between two normal cycle ranges (T[t], T[t+1) adjacent to the time series, the data received (obtained) in that period is abnormal data.
- the processing unit 20 of the in-vehicle device 2 is between the previous normal cycle range (T[t]) and the current normal cycle range (T[t+1]), that is, the previous Whether or not the same type of data is received between the time when the upper limit of the normal cycle range (limit-upp[t]) has passed and the time when the lower limit of the current cycle range (limit-low[t+1]) has passed judge.
- the processing unit 20 of the in-vehicle device 2 determines that the received data has a specific abnormality (S108). If the number of received data is one, the processing unit 20 of the in-vehicle device 2 can individually identify the data as being abnormal, and determines that the data is specific abnormal. Moreover, even when the number of received data is two or more (plurality), the processing unit 20 of the in-vehicle device 2 determines each of these data to be a specific abnormality. The processing unit 20 of the in-vehicle device 2 stores the data type and the reception time of the single or multiple data determined as specific abnormality in the storage unit 21 as attack detection log data, and sends it to the external server 100 or the display device 5 It may be output.
- the processing unit 20 of the in-vehicle device 2 When the same type of data is not received (S107: NO), or after executing S108, the processing unit 20 of the in-vehicle device 2 performs loop processing to execute S103 again. Needless to say, the normal cycle range used when executing S103 in the loop process is the normal cycle range specified in the process of S106 or S1043.
- the processing unit 20 of the in-vehicle device 2 stores all the results (determination results) of the determination processing in this embodiment in the storage unit 21, or transmits (outputs) them to the external server 100 via the external communication device 1. There may be.
- the processing unit 20 of the in-vehicle device 2 counts the number of pieces of received data in the determination process in the present embodiment.
- a unit judgment period may be defined for the period up to the upper limit point (limit-upp[t+1]) of the current normal cycle range, and judgment processing may be performed for each unit judgment period. .
- the processing unit 20 of the in-vehicle device 2 may perform the determination process at the upper limit point of each normal cycle range.
- the unit determination period in which the processing unit 20 of the in-vehicle device 2 performs the determination process is set to the upper limit of the current normal cycle range after the upper limit time (limit-upp[t]) of the previous normal cycle range has passed.
- the lower limit time (limit-low[t+1]) may be set as the unit determination period.
- the processing unit 20 of the in-vehicle device 2 may perform processing according to individual flowcharts for each type of data when executing the flowcharts in this embodiment. That is, if the number of types (CAN-ID) of data to be determined is, for example, 10, the same number of sub-processes (10) are generated, and each sub-process The processing according to the flowchart may be performed in parallel.
- the processing unit 20 of the in-vehicle device 2 performs all the processing, but the present invention is not limited to this. It may be performed in cooperation with the external server 100 by performing inter-process communication or the like.
- FIG. 12 is an explanatory diagram relating to data determination (diagnosis mask period) according to the second embodiment.
- determination processing regarding data of a specific data type CAN message, etc.
- the horizontal axis indicates time (elapsed time).
- the processing unit 20 of the in-vehicle device 2 When the IG switch 6 is turned on, the processing unit 20 of the in-vehicle device 2 performs standby processing without receiving data to be subjected to abnormality detection until the diagnosis mask period elapses. In performing the standby process, the processing unit 20 of the in-vehicle device 2 may continue to perform the process of determining whether or not the diagnosis mask period has elapsed.
- the diagnostic mask period is stored in the storage unit 21 as, for example, several seconds.
- the diagnostic mask period is, for example, set as a period during which diagnostic processing (self-diagnostic processing) is performed for the in-vehicle ECU 3 and the in-vehicle device 2, and is a period during which no abnormality detection is performed for the in-vehicle device 2 mounted in the vehicle C. is.
- the processing unit 20 of the in-vehicle device 2 After the diagnosis mask period has passed, the processing unit 20 of the in-vehicle device 2 starts acquiring data for abnormality detection.
- the processing unit 20 of the in-vehicle device 2 receives data (in this embodiment, , message 1: Msg1), the standby state is maintained.
- the processing unit 20 of the in-vehicle device 2 receives data of the same type continuously for each data (monitoring target message) defined in the data type table stored in the storage unit 21, for example. A reception interval of data (with the same message ID) is calculated.
- the processing unit 20 of the in-vehicle device 2 uses the first received data (message 1: Msg1) after the diagnosis mask period has passed as a reference, and data (message 2: Msg2).
- data messages 1: Msg1
- data messages 2: Msg2
- these data correspond to two consecutively received data of the same type.
- the processing unit 20 of the in-vehicle device 2 calculates the reception interval between the data received first (message 1: Msg1) and the data received later (message 2: Msg2), and calculates the reception interval is within the normal cycle range based on the reception point of the first received data (message 1: Msg1), these data (message 1: Msg1, message 2: Msg2) are determined to be normal.
- the processing unit 20 of the in-vehicle device 2 sets the later received data (message 2: Msg2) among the two pieces of data of the same type received in succession as the reference data (reference message).
- the processing unit 20 of the in-vehicle device 2 receives the first data (message 1: Msg1) until it sets the later received data (message 2: Msg2) as the reference data (reference message). Maintain the data reception state (reference message acquisition state). That is, after the diagnostic mask period is completed, the processing unit 20 of the in-vehicle device 2 controls the time from the reception of the first received data (message 1: Msg1) to the reception of the later received data (message 2: Msg2). During this period, the reference data reception state (reference message acquisition state) is maintained.
- the processing unit 20 of the in-vehicle device 2 uses the reference data (reference message) set in this way to start abnormality detection for the received data in the same manner as in the first embodiment.
- the processing unit 20 of the in-vehicle device 2 transitions to a judgment execution state (periodic detection execution state).
- FIG. 13 is an explanatory diagram regarding state transition of the processing unit of the in-vehicle device.
- the processing unit 20 of the in-vehicle device 2 transits a plurality of states in the process of performing determination processing, as in the first embodiment.
- the plurality of states are identified as, for example, a standby state in which standby processing is performed during a diagnostic mask period, etc., and a reference data reception state (reference message acquisition state) in which reference data is received for identifying the normal cycle range. and a judgment execution state (cycle detection execution state) for judging whether the received data is correct or not based on the normal cycle range.
- the processing unit 20 of the in-vehicle device 2 is in a standby state, for example, immediately after the power supply (ECU power supply) of the in-vehicle device 2 is turned on.
- the processing unit 20 of the in-vehicle device 2 receives the reference data by turning on the IG switch 6, completing the diagnostic mask period (diagnostic mask is off), and acquiring the first received data. Transition to the state (reference message acquisition state).
- the processing unit 20 of the in-vehicle device 2 does not receive the reference data while the reference data is undetermined (reference message undetermined), that is, until the same type of data received later as the reference data (reference message) is acquired. Maintain the state (reference message acquisition state).
- the processing unit 20 of the in-vehicle device 2 transitions to a standby state when the IG switch 6 is turned off or when the diagnostic mask period is started (diagnostic mask is turned on) in the reference data reception state.
- the processing unit 20 of the in-vehicle device 2 receives the reference data (data of the same type received later) in the reference data reception state, it transitions to the determination execution state (periodic detection execution state).
- the processing unit 20 of the in-vehicle device 2 maintains the determination execution state (periodic detection execution state) while no abnormality is detected in the judgment execution state (periodic detection execution state) or when the detected abnormality is a specific abnormality.
- the processing unit 20 of the in-vehicle device 2 detects when the detected abnormality is the range abnormality, when the communication interruption is detected, or when the diagnostic mask period is started (diagnostic mask is turned on). If so, it transitions to the standby state.
- FIG. 14 is a flowchart illustrating the processing of the processing unit of the in-vehicle device 2.
- the processing unit 20 of the in-vehicle device 2 steadily performs the following processing, for example, when the vehicle C is in an activated state (the IG switch 6 is on).
- the processing unit 20 of the in-vehicle device 2 determines whether or not the diagnostic mask period has passed (S201).
- the diagnostic mask period is predetermined as a period during which no abnormality detection is performed for the in-vehicle device 2 mounted in the vehicle C, and is stored in the storage unit 21 of the in-vehicle device 2, for example. If the diagnosis mask period has not elapsed (S201: NO), the processing unit 20 of the in-vehicle device 2 performs standby processing by, for example, performing loop processing to perform the processing of S201 again, and maintains the standby state. .
- the processing unit 20 of the in-vehicle device 2 receives the first data after the diagnostic mask period has passed (S202).
- the processing unit 20 of the in-vehicle device 2 acquires the first received data after the diagnosis mask period has elapsed.
- the received data are multiple types of data (multiple data types), so the processing unit 20 of the in-vehicle device 2 acquires the first received data for each data type.
- the processing unit 20 of the in-vehicle device 2 was in a standby state during the diagnostic mask period, but after receiving the first received data, the processing unit 20 transitions from the standby state to the reference data reception state.
- the processing unit 20 of the in-vehicle device 2 receives the reference data (S203).
- the processing unit 20 of the in-vehicle device 2 acquires the data received first as the process of S201 and the data received immediately after the data (the data received later) which is the same type of data as the data.
- the processing unit 20 of the in-vehicle device 2 acquires two pieces of data of the same type that are consecutively received after the diagnosis mask period has elapsed.
- the processing unit 20 of the in-vehicle device 2 receives (acquires) the later received data as the reference data. , to set the reference data.
- the processing unit 20 of the in-vehicle device 2 may store the two consecutively received data of the same type (the data received first and the data received later) in the storage unit 21 .
- the processing unit 20 of the in-vehicle device 2 performs the processes from S204 to S210 in the same manner as the processes S102 to S108 of the first embodiment.
- the processing unit 20 of the in-vehicle device 2 maintains a reference data reception state for receiving reference data for specifying the normal cycle range until the processing of S201 to S203 is completed. After the processing of S203 is completed, the processing unit 20 of the in-vehicle device 2 transitions to a judgment execution state for judging the correctness of the received data based on the specified normal cycle range in performing the processing of S204.
- the processing unit 20 of the in-vehicle device 2 makes a state transition to a reference data reception state, a determination execution state, or a standby state according to each processing content when performing a series of processes after S204.
- the processing unit 20 of the in-vehicle device 2 transfers the received data to another communication line 41 (CAN bus) according to the routing map in any of the reference data reception state, determination execution state, and standby state. continue the relay processing.
- processing related to abnormality detection such as judging whether the received data is correct or not, and security logs based on detection results in the judgment execution state (attack detection log data ) are prohibited, and these processes are not performed.
- the prohibition of the processing is performed for each type of data (data type) to be received.
- the processing unit 20 of the in-vehicle device 2 when in the determination execution state, stores information corresponding to the mode of abnormality such as a security log based on the detection result in the determination execution state in a volatile storage area.
- the processing unit 20 of the in-vehicle device 2 stores (copies) the security log and the like stored in the volatile storage area in the nonvolatile storage area.
- the processing unit 20 of the in-vehicle device 2 determines the upper limit of the number of security logs to be stored (saved). may be stored.
- In-vehicle system 100 External server 1 External communication device 11 Antenna 2 In-vehicle device (in-vehicle relay device) 20 processing unit (control unit) 21 storage unit 22 input/output I/F 23 in-vehicle communication unit 3 in-vehicle ECU 4 in-vehicle network 41 communication line 5 display device (HMI device) 6 IG switch
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
本出願は、2021年3月1日出願の国際出願第PCT/JP2021/007673号に基づく優先権を主張し、前記国際出願に記載された全ての記載内容を援用するものである。
特許文献1の車両ネットワーク監視装置は、周期的に送信されるメッセージに対し、当該送信周期に基づき効率的に不正なメッセージを検出する点に関する考慮がされていないという問題点がある。
本開示の一態様によれば、周期的に送信されるデータに対し、当該送信周期に基づき効率的に不正なデータを検出する車載装置等を提供することができる。
最初に本開示の実施態様を列挙して説明する。また、以下に記載する実施形態の少なくとも一部を任意に組み合わせてもよい。
[本開示の実施形態の詳細]
本開示をその実施の形態を示す図面に基づいて具体的に説明する。本開示の実施形態に係る車載装置2を、以下に図面を参照しつつ説明する。なお、本開示はこれらの例示に限定されるものではなく、請求の範囲によって示され、請求の範囲と均等の意味及び範囲内での全ての変更が含まれることが意図される。
以下、実施の形態について図面に基づいて説明する。図1は、実施形態1に係る車載装置2を含む車載システムの構成を例示する模式図である。図2は、車載装置2の物理構成を例示するブロック図である。
図12は、実施形態2に係るデータの判定(ダイアグマスク期間)に関する説明図である。本実施形態における図示において、特定のデータ種別のデータ(CANメッセージ等)に関する判定処理について説明する。当該図示において、横軸は時間(経過時間)を示す。
S 車載システム
100 外部サーバ
1 車外通信装置
11 アンテナ
2 車載装置(車載中継装置)
20 処理部(制御部)
21 記憶部
22 入出力I/F
23 車内通信部
3 車載ECU
4 車載ネットワーク
41 通信線
5 表示装置(HMI装置)
6 IGスイッチ
Claims (17)
- 車両に搭載される車載ネットワークに接続される車載装置であって、
前記車載ネットワークに流れるデータの正否の判定に関する処理を行う処理部を備え、
前記処理部は、
前記車載ネットワークに流れる複数のデータを受信し、
受信した前記複数のデータにおいて、同種のデータを連続して受信した際の受信間隔を導出し、
前記受信間隔と、連続して受信した同種のデータの内の先に受信したデータの受信時点を基準とした正常周期範囲とに基づき、連続して受信した同種のデータの内の後に受信したデータの正否の判定を行う
車載装置。 - 前記正常周期範囲は、前記データの種別に基づき決定される送信周期を基準値として上下限値が設定された範囲である
請求項1に記載の車載装置。 - 前記処理部は、
前記受信間隔が、連続して受信した同種のデータの内の先に受信したデータの受信時点を基準とした前記正常周期範囲内である場合、連続して受信した同種のデータの内の後に受信したデータは正常であると判定し、
前記受信間隔が、前記正常周期範囲内でない場合、連続して受信した同種のデータの内の後に受信したデータは異常であると判定する
請求項1又は請求項2に記載の車載装置。 - 前記処理部は、
前記正常周期範囲内に同種のデータを受信できなかった場合、前記正常周期範囲以降に受信した同種のデータの受信時点を基準に次の正常周期範囲を特定する
請求項1から請求項3のいずれか1項に記載の車載装置。 - 前記処理部は、
前記正常周期範囲内にて受信した同種のデータの個数が一つの場合、該正常周期範囲内にて受信した一つのデータは正常であると判定し、
前記正常周期範囲内にて受信した同種のデータの個数が複数の場合、該正常周期範囲内にて受信した複数のデータに含まれるいずれかのデータは異常であると判定する
請求項1から請求項4のいずれか1項に記載の車載装置。 - 前記処理部は、
前記正常周期範囲内にて受信した同種のデータの個数が複数の場合、前記正常周期範囲以降に受信した同種のデータの受信時点を基準に次の正常周期範囲を特定する
請求項1から請求項5のいずれか1項に記載の車載装置。 - 前記処理部は、
先に受信したデータの判定に用いられた前の正常周期範囲と、前記先に受信したデータの受信時点を基準とした今回の正常周期範囲との間にて、該データと同種のデータを受信した場合、該同種のデータは異常であると判定する
請求項1から請求項6のいずれか1項に記載の車載装置。 - 前記処理部は、
先に受信したデータの受信時点を基準とした正常周期範囲内にて、該データと同種のデータを1つ受信した場合、該同種のデータは正常であると判定し、
正常であると判定したデータの受信時点を基準に次の正常周期範囲を特定する
請求項1から請求項7のいずれか1項に記載の車載装置。 - 前記処理部は、複数の動作状態に遷移し、
前記複数の動作状態は、前記正常周期範囲を特定するにあたり基準となるデータの受信を行う基準データ受信状態と、特定された前記正常周期範囲に基づき受信したデータの正否を判定する判定実行状態とを含む
請求項1から請求項8のいずれか1項に記載の車載装置。 - 前記処理部は、前記基準データ受信状態では異常検知を行わない
請求項9に記載の車載装置。 - 前記処理部は、前記基準データ受信状態ではセキュリティログを保存しない
請求項9又は請求項10に記載の車載装置。 - 前記処理部は、受信したデータが異常である判定した場合、異常の態様に応じた情報をアクセス可能な所定の記憶領域に記憶する
請求項1から請求項11のいずれか1項に記載の車載装置。 - 前記アクセス可能な所定の記憶領域は、揮発性の記憶領域であり、
前記処理部は、前記車両のIGスイッチがオフにされた場合、前記揮発性の記憶領域に記憶した情報を、アクセス可能な所定の不揮発性の記憶領域に移行する
請求項12に記載の車載装置。 - 前記処理部は、受信したデータの受信時点を基準に前記正常周期範囲を特定する際、前記基準となったデータの種類と受信時点とを関連付けてアクセス可能な所定の記憶領域に記憶する
請求項1から請求項13のいずれか1項に記載の車載装置。 - 前記処理部は、前記車両のIGスイッチがオンにされた場合、
予め定められたダイアグマスク期間が経過した後、最初に受信したデータ及び該データと同種のデータを連続して受信し、
前記連続して受信したデータの受信間隔が、最初に受信したデータを基準とした前記正常周期範囲内である場合、前記連続して受信したデータの内の後に受信したデータの受信時点を基準に次の正常周期範囲を特定する
請求項1から請求項14のいずれか1項に記載の車載装置。 - コンピュータに、
車両に搭載される車載ネットワークに流れる複数のデータを受信し、
受信した前記複数のデータにおいて、同種のデータを連続して受信した際の受信間隔を導出し、
前記受信間隔と、連続して受信した同種のデータの内の先に受信したデータの受信時点を基準とした正常周期範囲とに基づき、連続して受信した同種のデータの内の後に受信したデータの正否の判定を行う
処理を実行させるプログラム。 - コンピュータに、
車両に搭載される車載ネットワークに流れる複数のデータを受信し、
受信した前記複数のデータにおいて、同種のデータを連続して受信した際の受信間隔を導出し、
前記受信間隔と、連続して受信した同種のデータの内の先に受信したデータの受信時点を基準とした正常周期範囲とに基づき、連続して受信した同種のデータの内の後に受信したデータの正否の判定を行う
処理を実行させる情報処理方法。
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2022535950A JP7184225B1 (ja) | 2021-03-01 | 2021-08-04 | 車載装置、プログラム及び情報処理方法 |
US18/250,295 US20240007831A1 (en) | 2021-03-01 | 2021-08-04 | In-vehicle apparatus, computer program and information processing method |
CN202180046362.2A CN115777191A (zh) | 2021-03-01 | 2021-08-04 | 车载装置、程序及信息处理方法 |
JP2022181151A JP7444223B2 (ja) | 2021-03-01 | 2022-11-11 | 車載装置、プログラム及び情報処理方法 |
JP2023196208A JP2024020458A (ja) | 2021-03-01 | 2023-11-17 | 車載装置、プログラム及び情報処理方法 |
JP2023196209A JP2024020459A (ja) | 2021-03-01 | 2023-11-17 | 車載装置、プログラム及び情報処理方法 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/007673 WO2022185370A1 (ja) | 2021-03-01 | 2021-03-01 | 車載装置、プログラム及び情報処理方法 |
JPPCT/JP2021/007673 | 2021-03-01 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022185566A1 true WO2022185566A1 (ja) | 2022-09-09 |
Family
ID=83155203
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/007673 WO2022185370A1 (ja) | 2021-03-01 | 2021-03-01 | 車載装置、プログラム及び情報処理方法 |
PCT/JP2021/029001 WO2022185566A1 (ja) | 2021-03-01 | 2021-08-04 | 車載装置、プログラム及び情報処理方法 |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/007673 WO2022185370A1 (ja) | 2021-03-01 | 2021-03-01 | 車載装置、プログラム及び情報処理方法 |
Country Status (4)
Country | Link |
---|---|
US (1) | US20240007831A1 (ja) |
JP (4) | JP7184225B1 (ja) |
CN (1) | CN115777191A (ja) |
WO (2) | WO2022185370A1 (ja) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000346871A (ja) * | 1999-06-02 | 2000-12-15 | Xanavi Informatics Corp | 回転角速度検出装置 |
JP2018026663A (ja) * | 2016-08-09 | 2018-02-15 | 東芝デジタルソリューションズ株式会社 | ネットワーク監視装置およびプログラム |
JP2019068253A (ja) * | 2017-09-29 | 2019-04-25 | 株式会社デンソー | 異常検知装置、異常検知方法、プログラム及び通信システム |
JP2020102771A (ja) * | 2018-12-21 | 2020-07-02 | パナソニックIpマネジメント株式会社 | 電子制御装置、電子制御装置の制御方法及びプログラム |
JP2020129785A (ja) * | 2019-02-12 | 2020-08-27 | 富士通株式会社 | 攻撃検知装置および攻撃検知方法 |
JP2020145547A (ja) * | 2019-03-05 | 2020-09-10 | トヨタ自動車株式会社 | 不正送信データ検知装置 |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6281535B2 (ja) | 2015-07-23 | 2018-02-21 | 株式会社デンソー | 中継装置、ecu、及び、車載システム |
JP2017091456A (ja) | 2015-11-17 | 2017-05-25 | 富士通株式会社 | 制御装置、制御プログラムおよび制御方法 |
JP6684690B2 (ja) | 2016-01-08 | 2020-04-22 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America | 不正検知方法、監視電子制御ユニット及び車載ネットワークシステム |
JP6798280B2 (ja) | 2016-11-29 | 2020-12-09 | 富士通株式会社 | 攻撃検知装置、攻撃検知方法、および、攻撃検知プログラム |
JP2019160155A (ja) | 2018-03-16 | 2019-09-19 | 株式会社リコー | 情報処理装置、情報処理方法、及びプログラム |
WO2020090108A1 (ja) | 2018-11-02 | 2020-05-07 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | 不正制御防止システムおよび、不正制御防止方法 |
CN111147448B (zh) | 2019-12-06 | 2022-06-07 | 中科曙光(南京)计算技术有限公司 | 一种can总线洪范攻击防御系统及方法 |
-
2021
- 2021-03-01 WO PCT/JP2021/007673 patent/WO2022185370A1/ja active Application Filing
- 2021-08-04 US US18/250,295 patent/US20240007831A1/en active Pending
- 2021-08-04 WO PCT/JP2021/029001 patent/WO2022185566A1/ja active Application Filing
- 2021-08-04 CN CN202180046362.2A patent/CN115777191A/zh active Pending
- 2021-08-04 JP JP2022535950A patent/JP7184225B1/ja active Active
-
2022
- 2022-11-11 JP JP2022181151A patent/JP7444223B2/ja active Active
-
2023
- 2023-11-17 JP JP2023196208A patent/JP2024020458A/ja active Pending
- 2023-11-17 JP JP2023196209A patent/JP2024020459A/ja active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000346871A (ja) * | 1999-06-02 | 2000-12-15 | Xanavi Informatics Corp | 回転角速度検出装置 |
JP2018026663A (ja) * | 2016-08-09 | 2018-02-15 | 東芝デジタルソリューションズ株式会社 | ネットワーク監視装置およびプログラム |
JP2019068253A (ja) * | 2017-09-29 | 2019-04-25 | 株式会社デンソー | 異常検知装置、異常検知方法、プログラム及び通信システム |
JP2020102771A (ja) * | 2018-12-21 | 2020-07-02 | パナソニックIpマネジメント株式会社 | 電子制御装置、電子制御装置の制御方法及びプログラム |
JP2020129785A (ja) * | 2019-02-12 | 2020-08-27 | 富士通株式会社 | 攻撃検知装置および攻撃検知方法 |
JP2020145547A (ja) * | 2019-03-05 | 2020-09-10 | トヨタ自動車株式会社 | 不正送信データ検知装置 |
Also Published As
Publication number | Publication date |
---|---|
JP7184225B1 (ja) | 2022-12-06 |
JPWO2022185566A1 (ja) | 2022-09-09 |
US20240007831A1 (en) | 2024-01-04 |
JP7444223B2 (ja) | 2024-03-06 |
JP2023010792A (ja) | 2023-01-20 |
JP2024020459A (ja) | 2024-02-14 |
JP2024020458A (ja) | 2024-02-14 |
CN115777191A (zh) | 2023-03-10 |
WO2022185370A1 (ja) | 2022-09-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101582062B1 (ko) | 송신 메시지 생성 장치 및 차재 통신 시스템 | |
JP6780724B2 (ja) | 車載更新装置、更新処理プログラム及び、プログラムの更新方法 | |
CN108427393B (zh) | 检测电池耗尽的方法和装置 | |
JP7160111B2 (ja) | 監視装置、監視プログラム及び監視方法 | |
US20110160951A1 (en) | Control Unit for Gateway and Automotive Control System | |
WO2019116896A1 (ja) | 車載更新装置、プログラム及び、プログラム又はデータの更新方法 | |
CN106888123B (zh) | 一种can报文丢失的监测方法 | |
CN110612527A (zh) | 信息处理装置以及异常应对方法 | |
JP6418217B2 (ja) | 通信システムで実行される情報集約方法 | |
US20200412753A1 (en) | Abnormality detection device | |
US20210399942A1 (en) | Relay apparatus system and relay apparatus | |
US20040122537A1 (en) | Rewrite control apparatus for onboard program | |
CN111989678A (zh) | 信息处理装置、信息处理方法以及程序 | |
US20230367664A1 (en) | Method for managing ecu on vehicle, and ecu and readable storage medium | |
JP7184225B1 (ja) | 車載装置、プログラム及び情報処理方法 | |
JP6973120B2 (ja) | なりすまし検出装置、検出方法、およびコンピュータプログラム | |
JP2021015618A (ja) | 車載更新装置、更新処理プログラム及び、プログラムの更新方法 | |
JP4258112B2 (ja) | ノード診断方法およびノード診断システム | |
WO2020105657A1 (ja) | 車載中継装置及び中継方法 | |
JP7375619B2 (ja) | 異常検知装置 | |
CN115150007A (zh) | 一种数字钥匙系统监测方法、装置、设备及存储介质 | |
JP5700426B2 (ja) | 車両用ネットワークシステム | |
JP6172754B2 (ja) | 通信装置及び通信方法 | |
CN114051710B (zh) | 信息处理装置及正规通信判定方法 | |
US20230075593A1 (en) | Information processing device, information processing system, information processing method, and recording medium storing information processing program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
ENP | Entry into the national phase |
Ref document number: 2022535950 Country of ref document: JP Kind code of ref document: A |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21928375 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 18250295 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21928375 Country of ref document: EP Kind code of ref document: A1 |