WO2022244200A1 - Control device - Google Patents
- Publication number
- WO2022244200A1 (PCT/JP2021/019205)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- monitoring
- unit
- processing
- communication
- memory
Classifications
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W50/04—Monitoring the functioning of the control system
Definitions
- In Patent Document 3, another electronic control device records the operating state from the sequence processing order, execution conditions, execution timing, control values, communication items, and so on, which are the operating conditions of the electronic control device. This makes it possible to monitor the operating conditions and detect an abnormality when they deviate from normal conditions.
- The conventional technology described in Patent Document 1 has the following problems.
- In Patent Document 1, it is possible to detect an abnormality in a control frame, including a state frame of a control state, received from a communication channel.
- An object of the present invention is to obtain a control device capable of detecting anomalies in communication data, control processing, and memory, and detecting anomalies in control processing.
- A control device disclosed in the present application is a control device that communicates data with a controlled object. It includes a control unit that executes control processing for the controlled object, a communication unit that transmits and receives communication data to and from the controlled object, a storage unit that stores control values of the control unit and memory for control processing, a processing monitoring unit that monitors the control processing of the control unit, a communication monitoring unit that monitors communication data of the communication unit, a memory monitoring unit that monitors the memory of the storage unit, and an abnormality determination unit that determines whether the control processing is abnormal based on the monitoring results of the processing monitoring unit, the communication monitoring unit, and the memory monitoring unit.
- With the control device of the present application, by detecting anomalies in communication data, control processing, or memory caused by cyberattacks, anomalies in control processing can be detected, and the controlled object can be controlled safely.
- Figure: functional block diagram of the control device according to Embodiment 1.
- Figure: combinations of monitoring methods determined by the monitoring management unit of the control device according to Embodiment 1.
- Figure: combination of monitoring methods of the communication monitoring unit determined by the monitoring management unit of the control device according to Embodiment 1.
- Figure: combination of monitoring methods of the processing monitoring unit determined by the monitoring management unit of the control device according to Embodiment 1.
- Figure: combination of monitoring methods of the memory monitoring unit determined by the monitoring management unit of the control device according to Embodiment 1.
- Figure: flowchart showing control processing of the control device according to Embodiment 1.
- Figure: flowchart showing abnormality determination processing of the control device according to Embodiment 1.
- Figure: flowchart showing the process of determining a monitoring method of the control device according to Embodiment 1.
- Figure: example of a hardware configuration of the control device according to Embodiment 1.
- Preferred embodiments of the control device disclosed in the present application will be described below with reference to the drawings.
- ECU: in-vehicle control device.
- FIG. 1 is a functional block diagram of an in-vehicle control unit (ECU) to which the control device according to Embodiment 1 is applied.
- An in-vehicle control device (hereinafter referred to as control device 10) according to the first embodiment includes a control unit 100, a communication unit 101, a storage unit 102, a processing monitoring unit 103, a communication monitoring unit 104, a memory monitoring unit 105, an abnormality determination unit 106, a state management unit 107, and a monitoring management unit 108.
- The control unit 100 has a function of controlling devices to be controlled that are installed in the vehicle.
- One or more control units 100 may exist in the control device 10.
- FIG. 1 does not show the device to be controlled, and in the following description the device to be controlled is referred to simply as the controlled object.
- The controlled object mounted in the vehicle is, for example, an actuator.
- The control unit 100 reads control program data corresponding to the controlled object from the ROM and RAM of the storage unit 102, and executes the read program to control the controlled object. A plurality of control methods may exist.
- The processing monitoring unit 103 acquires the execution order, the number of executions, or the execution time of the control processing used by the control unit 100. Other information may also be acquired.
- The target control processing may be the entire control processing or a part of it.
- The abnormality determination unit 106 determines that there is an abnormality when the comparison shows that the monitoring result does not match the normal value.
- An abnormality is determined in any of the following cases: the monitoring result of the communication monitoring unit 104 does not match its normal value, the monitoring result of the processing monitoring unit 103 does not match its normal value, or the monitoring result of the memory monitoring unit 105 does not match its normal value.
- The state management unit 107 acquires the state of the vehicle.
- It acquires any of the following states: the control state of the control device 10, the control state of the vehicle control system, the surrounding environment state of the vehicle, vehicle position information, the communication state of the control device 10, the state of the driver in the vehicle, the processing load state of the control device 10, and the state of cyberattacks against the control device 10.
- The environmental conditions surrounding the vehicle specifically indicate traffic conditions such as congestion or weather conditions such as snow. Other states may also be acquired.
- The communication state of the control device 10 specifically indicates whether the control device 10 is communicating or not. The communication state may also be classified more finely.
- The state of the driver in the vehicle specifically indicates whether the driver is asleep or tired. Other states may also be acquired.
- Whether the control device is in a communication abnormality state is indicated by the monitoring result of the communication monitoring unit 104, and whether the memory is in an abnormal state is indicated by the monitoring result of the memory monitoring unit 105.
- Based on the state acquired by the state management unit 107, the monitoring management unit 108 prioritizes communication monitoring in the case of a communication abnormality, processing monitoring in the case of a processing abnormality, and memory monitoring in the case of a memory abnormality.
- According to the processing load state of the control device 10 and the priority, the monitoring management unit 108 selects monitoring by the processing monitoring unit 103 only, by the communication monitoring unit 104 only, by the memory monitoring unit 105 only, or by a combination of the processing monitoring unit 103, the communication monitoring unit 104, and the memory monitoring unit 105. Combinations and priorities of monitoring methods are shown in FIG. The combination of monitoring methods may be changed according to the processing load.
- The monitoring management unit 108 determines the monitoring method for each of the processing monitoring unit 103, the communication monitoring unit 104, and the memory monitoring unit 105 according to priority.
- FIG. 3 shows the monitoring method of the communication monitoring unit 104, which is prioritized according to the vehicle state. When communication monitoring is prioritized according to the state acquired by the state management unit 107, that is, when the control device 10 is communicating or is in a communication abnormality state, the communication monitoring items are monitored preferentially. The monitored items of communication data are message ID, data, period, and frequency. The number of monitoring items is changed according to the processing load. Monitoring items may be changed or added according to the processing load. Communication monitoring may also be prioritized in other states.
- FIG. 4 shows the monitoring method of the processing monitoring unit 103, which is prioritized according to the vehicle state.
- The processing monitoring items are monitored preferentially. The monitored items of control processing are execution order, execution time, and number of executions. The number of monitoring items is changed according to the processing load. Monitoring items may be changed or added according to the processing load. Processing monitoring may also be prioritized in other states.
- FIG. 6 is a flowchart showing the flow of processing from the start of control by the control unit 100 according to the first embodiment, through abnormality detection processing, to execution of the control processing by the control unit 100.
- In step S601, the control unit 100 starts control processing. After step S601 is completed, the process proceeds to step S602.
- In step S602, abnormality detection processing is executed. After step S602 is completed, the process proceeds to step S603.
- If it is determined in step S603 that the abnormality detection processing result is abnormal, the process proceeds to step S604. If the abnormality detection processing result is determined to be normal, the process proceeds to step S605.
- In step S604, the process for abnormality determination is executed.
- FIG. 7 is a flowchart showing the flow of abnormality detection processing of the control device 10 according to the first embodiment.
- In step S702, the monitoring management unit 108 determines the monitoring method and its priority based on the state acquired by the state management unit 107. After step S702 is completed, the process proceeds to step S703.
- In step S705, if processing monitoring was prioritized in step S702, the process proceeds to step S706. If processing monitoring is not prioritized, the process proceeds to step S707.
- In step S708, the memory monitoring unit 105 monitors memory. After step S708 is completed, the process proceeds to step S709.
- In step S804, if the monitoring management unit 108 determined in step S801 that processing monitoring is necessary, the process proceeds to step S805. If it was determined in step S801 that processing monitoring is not necessary, the process proceeds to step S806.
- In step S807, the monitoring management unit 108 determines a monitoring method for memory monitoring based on the vehicle state acquired by the state management unit 107. After step S807 is completed, the process proceeds to step S808.
- In the first embodiment described above, an example in which the control device is used as an in-vehicle control device has been described.
- The control device according to the present application is not limited to this.
- It can be used for a control device connected to a communication line that has high security strength and requires a mechanism for early detection of an abnormality in the control device.
- The control device includes a state management unit that acquires the vehicle state and a monitoring management unit that determines the monitoring method to be prioritized according to the vehicle state, and is configured so that monitoring methods can be switched and combined according to the vehicle state. This enables optimal monitoring while suppressing the processing load.
- The control device is configured to support a plurality of monitoring methods, including monitoring only communication data, monitoring only control processing, monitoring only memory, and monitoring by combining communication data, control processing, and memory. This makes it possible to combine monitoring methods according to the processing load.
- The control device is configured to preferentially monitor with the communication monitoring unit when the control device is communicating. This makes it possible to detect an abnormality in communication data.
- The control device is configured to preferentially monitor with the processing monitoring unit when the vehicle is running. This makes it possible to detect an abnormality in control processing.
- Reference signs: 10 control device, 100 control unit, 101 communication unit, 102 storage unit, 103 processing monitoring unit, 104 communication monitoring unit, 105 memory monitoring unit, 106 abnormality determination unit, 107 state management unit, 108 monitoring management unit.
Landscapes
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Human Computer Interaction (AREA)
- Transportation (AREA)
- Mechanical Engineering (AREA)
- Small-Scale Networks (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
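FIG. 1 is a functional block diagram of an in-vehicle control unit (ECU) to which the control device according to Embodiment 1 is applied. The in-vehicle control device in Embodiment 1 (hereinafter referred to as control device 10) comprises a control unit 100, a communication unit 101, a storage unit 102, a processing monitoring unit 103, a communication monitoring unit 104, a memory monitoring unit 105, an abnormality determination unit 106, a state management unit 107, and a monitoring management unit 108.
After step S602 is completed, the process proceeds to step S603.
Conventional control devices used an anomaly detection method specialized for communication data or one specialized for control processing. In contrast, the control device according to Embodiment 1 is configured to monitor communication data or control values, control processing, and memory, and to detect an abnormality of the control device by comparing whether the monitoring results match the normal values.
As a result, an abnormality can be detected even if a cyberattack spoofs communication data, control values, or control processing, or tampers with memory.
Accordingly, countless modifications that are not illustrated are envisaged within the scope of the technology disclosed in this specification. For example, this includes cases where at least one component is modified, added, or omitted.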
Claims (9)
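- A control device that communicates data with a controlled object, comprising: a control unit that executes control processing of the controlled object; a communication unit that transmits and receives communication data to and from the controlled object; a storage unit that stores control values of the control unit and memory of the control processing; a processing monitoring unit that monitors the control processing of the control unit; a communication monitoring unit that monitors the communication data of the communication unit; a memory monitoring unit that monitors the memory of the storage unit; and an abnormality determination unit that determines whether the control processing is abnormal from the monitoring results of the processing monitoring unit, the communication monitoring unit, and the memory monitoring unit.
- The control device according to claim 1, being a control device of a vehicle control system that controls the travel of a vehicle, comprising: a state management unit that acquires any of the following states: the control state of the control unit, the control state of the vehicle control system, the surrounding environment state of the vehicle, position information of the vehicle, the communication state with the vehicle, the state of the driver in the vehicle, the processing load state of the control unit, and the attack state of the vehicle control system; and a monitoring management unit that determines, according to the state, the monitoring methods of the processing monitoring unit, the communication monitoring unit, and the memory monitoring unit and their priorities.
- The control device according to claim 2, wherein the monitoring management unit determines, according to the monitoring method and its priority, a monitoring method that is one of: monitoring by the communication monitoring unit only, monitoring by the processing monitoring unit only, monitoring by the memory monitoring unit only, or monitoring by a combination of the communication monitoring unit, the processing monitoring unit, and the memory monitoring unit.
- The control device according to claim 2 or claim 3, wherein the monitoring management unit determines, according to the monitoring method and its priority, a monitoring method using any combination of the communication monitoring unit, the processing monitoring unit, and the memory monitoring unit, and also determines the method by which the communication monitoring unit monitors communication data, the method by which the processing monitoring unit monitors control processing, and the method by which the memory monitoring unit monitors control values and the memory of control processing.
- The control device according to any one of claims 2 to 4, wherein, when the state from the state management unit indicates that the control device is communicating, the monitoring management unit sets the priority of the communication monitoring unit higher than that of the other monitoring units, determines, according to the processing load state of the control device from the state management unit, a monitoring method that is one of: monitoring by the communication monitoring unit only, monitoring by the communication monitoring unit and the processing monitoring unit only, monitoring by the communication monitoring unit and the memory monitoring unit only, or monitoring by the communication monitoring unit, the processing monitoring unit, and the memory monitoring unit, and also determines the method by which the communication monitoring unit monitors communication data.
- The control device according to any one of claims 2 to 4, wherein, when the state from the state management unit indicates that the vehicle is running, the monitoring management unit sets the priority of the processing monitoring unit higher than that of the other monitoring units, determines, according to the processing load state of the control device from the state management unit, a monitoring method that is one of: monitoring by the processing monitoring unit only, monitoring by the processing monitoring unit and the communication monitoring unit only, monitoring by the processing monitoring unit and the memory monitoring unit only, or monitoring by the communication monitoring unit, the processing monitoring unit, and the memory monitoring unit, and also determines the method by which the processing monitoring unit monitors control processing.
- The control device according to any one of claims 2 to 4, wherein, when the state from the state management unit indicates that the vehicle is stopped, the monitoring management unit sets the priority of the memory monitoring unit higher than that of the other monitoring units, determines, according to the processing load state of the control device from the state management unit, a monitoring method that is one of: monitoring by the memory monitoring unit only, monitoring by the memory monitoring unit and the communication monitoring unit only, monitoring by the memory monitoring unit and the processing monitoring unit only, or monitoring by the memory monitoring unit, the communication monitoring unit, and the processing monitoring unit, and also determines the method by which the memory monitoring unit monitors control values and the memory of control processing.
- The control device according to claim 1, wherein the abnormality determination unit compares the monitoring results with the normal values of the values monitored by the processing monitoring unit, the communication monitoring unit, and the memory monitoring unit, and determines that the control device is abnormal when a result does not match its normal value.
- The control device according to claim 2 or claim 3, wherein the state management unit acquires whether the vehicle is under cyberattack; when the abnormality determination unit determines an abnormality from the monitoring result of the communication monitoring unit, the state management unit enters a communication attack state and the monitoring management unit sets the priority of the communication monitoring unit higher than that of the other monitoring units; when the abnormality determination unit determines an abnormality from the monitoring result of the processing monitoring unit, the state management unit enters a processing attack state and the monitoring management unit sets the priority of the processing monitoring unit higher than that of the other monitoring units; and when the abnormality determination unit determines an abnormality from the monitoring result of the memory monitoring unit, the state management unit enters a memory attack state and the monitoring management unit sets the priority of the memory monitoring unit higher than that of the other monitoring units.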
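An added example in C (not code from the patent) of the state-driven monitor selection, load-based combination, normal-value comparison, and attack-state feedback described in claims 5 to 9. The precedence among states, the 50/80 % load thresholds, all identifiers, and the sample values are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Monitors named on the page: communication (104), processing (103), memory (105). */
enum monitor { MON_COMM, MON_PROC, MON_MEM, MON_COUNT };
#define NO_ATTACK (-1)

/* State from the state management unit (107); field names are assumptions. */
struct vehicle_state {
    bool communicating;  /* control device is communicating */
    bool running;        /* vehicle is travelling; false means stopped */
    int attack;          /* monitor whose result last mismatched, or NO_ATTACK */
    unsigned load_pct;   /* processing load of the control device, 0..100 */
};
struct plan { enum monitor order[MON_COUNT]; size_t active; };

/* Claims 5-7 and 9: which monitor gets the highest priority.
 * Assumption: attack state outranks communicating, which outranks running. */
enum monitor top_priority(const struct vehicle_state *s)
{
    if (s->attack != NO_ATTACK) return (enum monitor)s->attack;
    if (s->communicating) return MON_COMM;
    if (s->running) return MON_PROC;
    return MON_MEM;  /* vehicle stopped */
}

/* Monitoring management unit (108): order monitors by priority, then drop the
 * lowest-priority ones as load rises. The 50/80 % thresholds are assumptions. */
struct plan select_plan(const struct vehicle_state *s)
{
    struct plan p = { { top_priority(s) }, 3 };
    size_t n = 1;
    for (int m = MON_COMM; m < MON_COUNT; m++)
        if ((enum monitor)m != p.order[0]) p.order[n++] = (enum monitor)m;
    p.active = s->load_pct >= 80 ? 1 : s->load_pct >= 50 ? 2 : 3;
    return p;
}

/* Abnormality determination unit (106): an active monitor whose result differs
 * from its normal value is an abnormality. Returns that monitor or NO_ATTACK. */
int judge(const struct plan *p, const uint32_t observed[MON_COUNT],
          const uint32_t normal[MON_COUNT])
{
    for (size_t i = 0; i < p->active; i++)
        if (observed[p->order[i]] != normal[p->order[i]]) return (int)p->order[i];
    return NO_ATTACK;
}

/* One cycle: plan, judge, and feed a mismatch back as the attack state (claim 9). */
int monitoring_cycle(struct vehicle_state *s, const uint32_t observed[MON_COUNT],
                     const uint32_t normal[MON_COUNT])
{
    struct plan p = select_plan(s);
    int hit = judge(&p, observed, normal);
    if (hit != NO_ATTACK) s->attack = hit;
    return hit;
}

int main(void)
{
    /* Constructed values: message ID, execution count, memory checksum. */
    const uint32_t normal[MON_COUNT] = { 0x120u, 4u, 0xC0FFEEu };
    const uint32_t tampered[MON_COUNT] = { 0x120u, 4u, 0xBADu };
    struct vehicle_state s = { false, true, NO_ATTACK, 90 };
    int missed = monitoring_cycle(&s, tampered, normal);  /* running, high load */
    s.running = false;
    int caught = monitoring_cycle(&s, tampered, normal);  /* stopped */
    return (missed == NO_ATTACK && caught == MON_MEM) ? 0 : 1;
}
```

Under high load only the top-priority monitor runs, so the constructed memory mismatch goes unnoticed while the vehicle is running and is caught once it stops; the recorded attack state then keeps memory monitoring on top in later cycles.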
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/019205 WO2022244200A1 (ja) | 2021-05-20 | 2021-05-20 | Control device |
JP2023522130A JPWO2022244200A1 (ja) | 2021-05-20 | 2021-05-20 | |
CN202180097541.9A CN117241981A (zh) | 2021-05-20 | 2021-05-20 | Control device |
DE112021007689.2T DE112021007689T5 (de) | 2021-05-20 | 2021-05-20 | Control device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/019205 WO2022244200A1 (ja) | 2021-05-20 | 2021-05-20 | Control device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022244200A1 (ja) | 2022-11-24 |
Family
ID=84140197
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/019205 WO2022244200A1 (ja) | Control device | 2021-05-20 | 2021-05-20 |
Country Status (4)
Country | Link |
---|---|
JP (1) | JPWO2022244200A1 (ja) |
CN (1) | CN117241981A (ja) |
DE (1) | DE112021007689T5 (ja) |
WO (1) | WO2022244200A1 (ja) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2010092174A (ja) * | 2008-10-06 | 2010-04-22 | Nippon Telegr & Teleph Corp <Ntt> | Fraud detection method, fraud detection device, fraud detection program, and information processing system |
JP2013131907A (ja) * | 2011-12-21 | 2013-07-04 | Toyota Motor Corp | Vehicle network monitoring device |
JP2017047835A (ja) * | 2015-09-04 | 2017-03-09 | 日立オートモティブシステムズ株式会社 | In-vehicle network device |
JP2019046176A (ja) * | 2017-09-01 | 2019-03-22 | クラリオン株式会社 | In-vehicle device and incident monitoring method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2021067960A (ja) | 2018-02-14 | 2021-04-30 | 日立Astemo株式会社 | Vehicle monitoring system |
-
2021
- 2021-05-20 JP JP2023522130A patent/JPWO2022244200A1/ja active Pending
- 2021-05-20 CN CN202180097541.9A patent/CN117241981A/zh active Pending
- 2021-05-20 WO PCT/JP2021/019205 patent/WO2022244200A1/ja active Application Filing
- 2021-05-20 DE DE112021007689.2T patent/DE112021007689T5/de active Pending
Also Published As
Publication number | Publication date |
---|---|
JPWO2022244200A1 (ja) | 2022-11-24 |
DE112021007689T5 (de) | 2024-03-07 |
CN117241981A (zh) | 2023-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11934520B2 (en) | Detecting data anomalies on a data interface using machine learning | |
EP3293659A1 (en) | Network monitoring device, network system and computer-readable medium | |
JP6723955B2 (ja) | Information processing device and abnormality handling method | |
US11784871B2 (en) | Relay apparatus and system for detecting abnormalities due to an unauthorized wireless transmission | |
KR101960400B1 (ko) | Braking system | |
WO2019159615A1 (ja) | Vehicle monitoring system | |
WO2022244200A1 (ja) | Control device | |
US20200177412A1 (en) | Monitoring device, monitoring system, and computer readable storage medium | |
JP7095240B2 (ja) | Electronic control device | |
JP4820679B2 (ja) | Electronic control device for vehicle | |
JP7471532B2 (ja) | Control device | |
WO2020008872A1 (ja) | In-vehicle security system and attack countermeasure method | |
JP7391242B2 (ja) | Control device | |
JP7361912B2 (ja) | Control system | |
JP7109621B1 (ja) | Control system | |
WO2023084624A1 (ja) | In-vehicle control device | |
JP7403728B2 (ja) | Intrusion detection system | |
US20230267206A1 (en) | Mitigation of a manipulation of software of a vehicle | |
US20230267213A1 (en) | Mitigation of a manipulation of software of a vehicle | |
JP7224536B2 (ja) | Control device and control method | |
US20230267204A1 (en) | Mitigating a vehicle software manipulation | |
US20230267205A1 (en) | Mitigation of a manipulation of software of a vehicle | |
CN116438521A (zh) | In-vehicle control system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21940814; Country of ref document: EP; Kind code of ref document: A1 |
 | WWE | Wipo information: entry into national phase | Ref document number: 2023522130; Country of ref document: JP |
 | WWE | Wipo information: entry into national phase | Ref document number: 202180097541.9; Country of ref document: CN |
 | WWE | Wipo information: entry into national phase | Ref document number: 112021007689; Country of ref document: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 21940814; Country of ref document: EP; Kind code of ref document: A1 |