WO2023188356A1 - Système d'identification de source d'attaque, procédé d'identification de source d'attaque et programme - Google Patents

Système d'identification de source d'attaque, procédé d'identification de source d'attaque et programme Download PDF

Info

Publication number
WO2023188356A1
WO2023188356A1 PCT/JP2022/016778 JP2022016778W WO2023188356A1 WO 2023188356 A1 WO2023188356 A1 WO 2023188356A1 JP 2022016778 W JP2022016778 W JP 2022016778W WO 2023188356 A1 WO2023188356 A1 WO 2023188356A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
identification
ids
attack source
charger
Prior art date
Application number
PCT/JP2022/016778
Other languages
English (en)
Japanese (ja)
Inventor
弘樹 長山
幸雄 永渕
麻美 宮島
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社 filed Critical 日本電信電話株式会社
Priority to PCT/JP2022/016778 priority Critical patent/WO2023188356A1/fr
Publication of WO2023188356A1 publication Critical patent/WO2023188356A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures

Definitions

  • the present invention relates to an attack source identification system, an attack source identification method, and a program.
  • Intrusion detection systems for automobiles have been known for a long time.
  • IDS Intrusion detection systems
  • ECUs Electronic Control Units
  • CAN Controller Area Network
  • a technique for identifying the original device is also known (for example, Non-Patent Document 1).
  • EVs electric vehicles
  • EVSE Electric Vehicle Supply Equipment
  • the charging ECU the charging ECU on the EVSE side
  • An incorrect CAN message may be sent from the EVSE side to the EV side.
  • the charging ECU on the EV side has already been attacked and an unauthorized CAN message is sent from the EV side to the EVSE side.
  • the combination of EV and EVSE often changes each time charging is performed. Therefore, the IDS on the EV side often does not learn in advance the communication characteristics of the charging ECU on the EVSE side, and cannot identify the charging ECU as the source of the unauthorized CAN message. Similarly, even if an IDS exists on the ESVE side, the IDS often does not learn in advance the communication characteristics of the charging ECU on the EV side, and may identify that charging ECU as the source of the unauthorized CAN message. I can't. Such problems may similarly exist with respect to various electric transportation devices other than EVs (for example, electrically driven motorcycles, tractors, ships, etc.) and their chargers.
  • One embodiment of the present invention was made in view of the above points, and aims to identify the source of an attack between an electric transportation device and a charger for the electric transportation device.
  • an attack source identification system is an attack source identification system that identifies an attack source device of an attack on an electric transportation device or a charger of the electric transportation device,
  • Each of the IDSs installed in each of the chargers uses a pre-trained learning model to identify whether or not the attack source device of the attack is a charging control device that has been trained by the learning model.
  • an identification unit configured to transmit first identification information indicating the identification result by the identification unit to the other IDS, and a second identification information indicating the identification result by the identification unit included in the other IDS.
  • a specific information transmitting/receiving unit configured to receive information; and a matching unit configured to collate the first specific information and second specific information to identify the attack source device of the attack. and has.
  • the source of the attack can be identified between the electric transportation device and the electric transportation device charger.
  • FIG. 1 is a diagram showing an example of the overall configuration of an attack source identification system according to the present embodiment.
  • 1 is a diagram illustrating an example of a functional configuration of an attack source identification system in Example 1.
  • FIG. 7 is a flowchart showing the flow of pre-learning processing in Example 1.
  • FIG. 5 is a flowchart showing the flow of attack detection and attack source identification processing in the first embodiment.
  • 3 is a diagram illustrating an example of a functional configuration of an attack source identification system in Example 2.
  • FIG. 7 is a flowchart showing the flow of attack detection and attack source identification processing in Example 2.
  • FIG. FIG. 7 is a diagram illustrating an example of a functional configuration of an attack source identification system according to a third embodiment.
  • 12 is a flowchart showing the flow of attack detection and attack source identification processing in Example 3.
  • FIG. 7 is a diagram illustrating an example of a functional configuration of an attack source identification system according to a fourth embodiment. 12 is a flowchart showing the flow of attack detection and attack source identification
  • an electric vehicle which is an example of electric transportation equipment, and its charger (EVSE)
  • EVSE electric vehicle
  • the source identification system 1 will be explained. Note that the case where EV and EVSE are connected typically refers to the case where the EV is being charged by the EVSE, but it is not limited to this, and for example, the case where the EV is being discharged from the EVSE. This may be the case.
  • an electric vehicle is an example of electric transportation equipment, and the present embodiment is not limited to electric vehicles, but includes general electric transportation equipment such as motorcycles, tractors, ships, etc. that are driven by electricity, and their charging. The same can be applied to containers.
  • FIG. 1 shows an example of the overall configuration of an attack source identification system 1 according to this embodiment.
  • the attack source identification system 1 according to the present embodiment includes at least an EV 10 and an EVSE 20 that is communicably connected to the EV 10 via a charging cable or the like on the same CAN bus.
  • the EV 10 includes an IDS 110 that can detect an attack from a CAN message within the EV 10 and identify the source of the attack, and a charging ECU 120 that controls charging of the EV 10. It is assumed that IDS 110 is placed at a position where it can receive CAN messages transmitted and received by charging ECU 120.
  • the EVSE 20 includes an IDS 210 that can detect an attack from a CAN message within the EVSE 20 and identify the source of the attack, and a charging ECU 220 that controls charging of the EV 10. It is assumed that IDS 210 is placed at a position where it can receive CAN messages transmitted and received by charging ECU 220.
  • the IDS 110 is also referred to as “EV side IDS 110" and the charging ECU 120 is also referred to as “EV side charging ECU 120.”
  • the IDS 210 will also be referred to as “EVSE side IDS 210” and the charging ECU 220 will also be referred to as “EVSE side charging ECU 220.”
  • the present embodiment can be applied similarly even if, for example, another ECU has already been attacked and that ECU sends an unauthorized CAN message.
  • the present embodiment can be similarly applied when an unauthorized device (hereinafter also referred to as an unauthorized connection device) is connected to the EV10 or EVSE 20 and the unauthorized connection device sends an unauthorized CAN message. It is possible to do so.
  • the attack source identification system 1 includes an external server 30 installed in a SOC (Security Operation Center) or the like, and this external server 30 may identify the attack source.
  • SOC Security Operation Center
  • Example 1 will be described below.
  • the source of the attack is identified by exchanging information indicating whether or not the source of the attack is a pre-learned ECU. do.
  • FIG. 2 shows an example of the functional configuration of the attack source identification system 1 in this embodiment.
  • the EV side IDS 110 in this embodiment includes a CAN message receiving section 111, a learning section 112, a detecting section 113, a specifying section 114, a specific information transmitting/receiving section 115, and a collating section 116.
  • a CAN message receiving section 111 receives a packet from a packet from a packet.
  • a learning section 112 receives a packet from a packet.
  • the CAN message receiving unit 111 receives a CAN message on the CAN bus within the EV 10.
  • the learning unit 112 learns the communication characteristics of the EV side charging ECU 120.
  • This feature is stored in the storage unit 117 as a learning model.
  • the communication feature it is possible to use a feature amount that is uniquely determined for each ECU and that is associated with the CAN message. For example, it is possible to use a rise pattern of the voltage generated in the CAN line when the EV side charging ECU 120 transmits the CAN message, an offset of the transmission timing when transmitting the CAN message, etc.
  • the detection unit 113 detects the occurrence of an attack from the CAN message received by the CAN message reception unit 111.
  • any known attack detection method (or anomaly detection method) may be used as a method for detecting the occurrence of an attack from a CAN message.
  • the occurrence of an attack may be detected using the method described in Non-Patent Document 1 mentioned above.
  • the identification unit 114 uses the learning model stored in the storage unit 117 to identify the source of the attack. That is, the identifying unit 114 identifies whether or not the source of the attack is the EV-side charging ECU 120.
  • the specific information transmitting/receiving unit 115 transmits information indicating the specific result by the specifying unit 114 (hereinafter also referred to as specific information) to the EVSE side IDS 210, and receives specific information from the EVSE side IDS 210.
  • the matching unit 116 matches the specific information indicating the identification result by the identifying unit 114 with the specific information received from the EVSE side IDS 210, and determines whether the attack source is the EV side charging ECU 120, the EVSE side IDS 210, or something else. to identify. Further, the matching unit 116 notifies a predetermined notification destination (for example, an application used by the user of the EV 10, etc.) of the identification result of the attack source.
  • a predetermined notification destination for example, an application used by the user of the EV 10, etc.
  • the storage unit 117 stores the learning model learned by the learning unit 112 (that is, the feature quantity representing the communication characteristics of the EV-side charging ECU 120).
  • the EVSE side IDS 210 in this embodiment includes a CAN message receiving section 211, a learning section 212, a detecting section 213, a specifying section 214, a specific information transmitting/receiving section 215, and a collating section 216.
  • Each of these units is realized, for example, by a process in which one or more programs that implement the EVSE side IDS 210 are executed by an arithmetic device such as a processor.
  • the EVSE side IDS 210 includes a storage section 217.
  • the storage unit 217 is realized by various storage devices such as memory.
  • the CAN message receiving unit 211 receives CAN messages on the CAN bus within the EVSE 20.
  • the learning unit 212 learns the communication characteristics of the EVSE side charging ECU 220. This feature is stored in the storage unit 217 as a learning model.
  • the detection unit 213 detects the occurrence of an attack from the CAN message received by the CAN message reception unit 211.
  • the identification unit 214 uses the learning model stored in the storage unit 217 to identify the source of the attack. That is, the identification unit 214 identifies whether the source of the attack is the EVSE-side charging ECU 220 or not.
  • the specific information transmitting/receiving unit 215 transmits specific information indicating the specific result by the specifying unit 214 to the EV side IDS 110, and receives the specific information from the EV side IDS 110.
  • the matching unit 216 matches the specific information indicating the identification result by the identifying unit 214 with the specific information received from the EV side IDS 110, and determines whether the attack source is the EV side charging ECU 120, the EVSE side IDS 210, or something else. to identify. Further, the collation unit 216 notifies a predetermined notification destination (for example, a charging service provider, an administrator of the EVSE 20, etc.) of the identification result of the attack source.
  • a predetermined notification destination for example, a charging service provider, an administrator of the EVSE 20, etc.
  • the storage unit 217 stores the learning model learned by the learning unit 212 (that is, the feature amount representing the communication characteristics of the EVSE-side charging ECU 220).
  • Example 1 ⁇ Flow of pre-learning processing (Example 1)> The flow of pre-learning processing in the first embodiment will be described with reference to FIG. 3. Note that in the pre-learning process, the EV 10 and the EVSE 20 do not need to be connected.
  • Step S101 The CAN message receiving unit 111 of the EV side IDS 110 receives the CAN message transmitted from the EV side charging ECU 120. Similarly, the CAN message receiving unit 211 of the EVSE side IDS 210 receives a CAN message transmitted from the EVSE side charging ECU 220.
  • Step S102 The learning unit 112 of the EV side IDS 110 uses the CAN message received by the CAN message receiving unit 111 to store feature quantities representing the communication characteristics of the EV side charging ECU 120 in the storage unit 117 as a learning model.
  • the learning unit 212 of the EVSE-side IDS 210 uses the CAN message received by the CAN message receiving unit 211 to store feature quantities representing characteristics of communication of the EVSE-side charging ECU 220 in the storage unit 217 as a learning model.
  • Step S201 The CAN message receiving unit 111 of the EV side IDS 110 receives a CAN message on the CAN bus within the EV 10. Similarly, the CAN message receiving unit 211 of the EVSE side IDS 210 receives a CAN message on the CAN bus within the EVSE 20.
  • Step S202 The detection unit 113 of the EV side IDS 110 detects the occurrence of an attack from the CAN message received by the CAN message reception unit 111. Similarly, the detection unit 213 of the EVSE side IDS 210 detects the occurrence of an attack from the CAN message received by the CAN message reception unit 211.
  • the EV side IDS 110 and the EVSE side IDS 210 proceed to step S203.
  • the EV side IDS 110 and the EVSE side IDS 210 end the process without doing anything. Note that since the EV side IDS 110 and the EVSE side IDS 210 are connected to the same CAN bus, generally either they both detect the occurrence of an attack, or neither of them detect the occurrence of an attack. Please note that.
  • the detection unit 113 of the EV-side IDS 110 and the detection unit 213 of the EVSE-side IDS 210 use different attack detection methods and there is a difference in detection accuracy, the occurrence of an attack may be detected only in one of them. It is possible that
  • Step S203 The identification unit 114 of the EV side IDS 110 uses the learning model stored in the storage unit 117 to identify whether the attack source is the EV side charging ECU 120. Similarly, the identification unit 214 of the EVSE side IDS 210 uses the learning model stored in the storage unit 217 to identify whether the attack source is the EVSE side charging ECU 220.
  • Step S204 The specific information transmitting/receiving unit 115 of the EV side IDS 110 transmits specific information (hereinafter referred to as first specific information) indicating whether the attack source is the EV side charging ECU 120 to the EVSE side IDS 210.
  • the specific information transmitting/receiving unit 215 of the EVSE side IDS 210 transmits specific information (hereinafter referred to as second specific information) indicating whether the attack source is the EVSE side charging ECU 220 to the EV side IDS 110.
  • Step S205 The specific information transmitting/receiving unit 115 of the EV side IDS 110 receives the second specific information from the EVSE side IDS 210. Similarly, the specific information transmitting/receiving unit 215 of the EVSE side IDS 210 receives the first specific information from the EV side IDS 110.
  • Step S206 The collation unit 116 of the EV side IDS 110 collates the first specific information and the second specific information, and determines whether the attack source is the EV side charging ECU 120, the EVSE side IDS 210, or something else. Identify. Similarly, the collation unit 216 of the EVSE side IDS 210 collates the first specific information and the second specific information, and determines whether the attack source is the EV side charging ECU 120, the EVSE side IDS 210, or something else. Identify.
  • the attack source is the EV side charging ECU 120
  • x 1
  • the attack source is not the EV side charging ECU 120
  • both "EV side charging ECU 120" and “EVSE side charging ECU 220" may be identified as attack sources, or they may be identified by attack detection or learning model. Information such as “unidentifiable” may be used as the identification result, indicating that there is an error.
  • Step S207 The verification unit 116 of the EV-side IDS 110 notifies a predetermined notification destination (for example, an application used by the user of the EV 10) of the attack source identification result.
  • the collation unit 216 of the EVSE side IDS 210 notifies a predetermined notification destination (for example, a charging service provider, an administrator of the EVSE 20, etc.) of the identification result of the attack source.
  • a predetermined notification destination for example, a charging service provider, an administrator of the EVSE 20, etc.
  • Example 2 will be described below. In this embodiment, a case will be described in which the external server 30 collates the first specific information and the second specific information.
  • Example 1 Note that in this example, differences from Example 1 will be mainly described, and descriptions of components similar to Example 1 will be omitted as appropriate.
  • FIG. 5 shows an example of the functional configuration of the attack source identification system 1 in this embodiment.
  • the EV side IDS 110 in this embodiment differs from the first embodiment in that it does not have a specific information transmitting/receiving section 115 and a collating section 116, but does have a specific information transmitting section 118.
  • the specific information transmitter 118 is realized, for example, by a process in which one or more programs that implement the EV side IDS 110 are executed by an arithmetic device such as a processor.
  • the specific information transmitting unit 118 transmits first specific information indicating the specific result by the specifying unit 114 to the external server 30.
  • the EVSE side IDS 210 in this embodiment differs from the first embodiment in that it does not have a specific information transmitting/receiving section 215 and a collating section 216, but does have a specific information transmitting section 218.
  • the specific information transmitting unit 218 transmits second specific information indicating the specific result by the specifying unit 214 to the external server 30.
  • the external server 30 in this embodiment includes a collation unit 301.
  • the matching unit 301 is realized, for example, by a process in which one or more programs installed in the external server 30 are caused to be executed by an arithmetic device such as a processor.
  • the collation unit 301 collates the first specific information and the second specific information, and specifies whether the attack source is the EV side charging ECU 120, the EVSE side IDS 210, or something else. Further, the collation unit 301 notifies a predetermined notification destination (for example, an application used by the user of the EV 10, a charging service provider, an administrator of the EVSE 20, etc.) of the identification result of the attack source.
  • a predetermined notification destination for example, an application used by the user of the EV 10, a charging service provider, an administrator of the EVSE 20, etc.
  • Example 2 ⁇ Flow of pre-learning processing (Example 2)> Since this is the same as in Example 1, the explanation thereof will be omitted.
  • Steps S301 to S303 are the same as steps S201 to S203 of Example 1, respectively, so their description will be omitted.
  • Step S304 The specific information transmitting unit 118 of the EV side IDS 110 transmits the first specific information to the external server 30. Similarly, the specific information transmitting unit 218 of the EVSE side IDS 210 transmits the second specific information to the external server 30.
  • Step S305 The collation unit 301 of the external server 30 collates the first specific information and the second specific information, and determines whether the attack source is the EV-side charging ECU 120, the EVSE-side IDS 210, or something else. Identify. Note that the verification unit 301 may perform verification and identify the source of the attack using the same method as in step S206 of the first embodiment.
  • Step S306 The verification unit 301 of the external server 30 notifies a predetermined notification destination (for example, an application used by the user of the EV 10, a charging service provider, an administrator of the EVSE 20, etc.) of the identification result of the attack source.
  • a predetermined notification destination for example, an application used by the user of the EV 10, a charging service provider, an administrator of the EVSE 20, etc.
  • the user of the EV 10, the charging service provider, the administrator of the EVSE 20, etc. can confirm that the EV-side charging ECU 120 or the EVSE-side charging ECU 220 has already been attacked and fraudulently operated. You can know that you are attacking other devices by sending CAN messages.
  • Example 3 will be described below. In this embodiment, a case will be described in which an IDS for attack detection exists in the EV 10 separately from the EV side IDS 110, and an IDS for attack detection exists in the EVSE 20 separately from the EVSE side IDS 210.
  • Example 1 Note that in this example, differences from Example 1 will be mainly described, and descriptions of components similar to Example 1 will be omitted as appropriate.
  • FIG. 7 shows an example of the functional configuration of the attack source identification system 1 in this embodiment.
  • the EV side IDS 110 in this embodiment differs from the first embodiment in that it does not have a detection unit 113 but has an alert information receiving unit 119.
  • the alert information receiving unit 119 is realized, for example, by a process in which one or more programs that implement the EV side IDS 110 are executed by an arithmetic device such as a processor.
  • the alert information receiving unit 119 receives the alert information transmitted from the detection IDS 130.
  • the detection IDS 130 is an IDS for attack detection, detects an attack using some attack detection method (or abnormality detection method), and transmits alert information.
  • the EVSE side IDS 210 in this embodiment differs from the first embodiment in that it does not have a detection unit 213 but has an alert information receiving unit 219.
  • the alert information receiving unit 219 is realized, for example, by a process in which one or more programs that implement the EVSE side IDS 210 are executed by an arithmetic device such as a processor.
  • the alert information receiving unit 219 receives the alert information transmitted from the detection IDS 230.
  • the detection IDS 230 is an IDS for attack detection, detects an attack using some attack detection method (or abnormality detection method), and transmits alert information.
  • Example 3 ⁇ Flow of pre-learning processing (Example 3)> Since this is the same as in Example 1, the explanation thereof will be omitted.
  • Step S401 is the same as step S201 of the first embodiment, so its description will be omitted.
  • Step S402 The alert information receiving unit 119 of the EV side IDS 110 determines whether alert information has been received from the detection IDS 130. Similarly, the alert information receiving unit 219 of the EVSE side IDS 210 determines whether alert information has been received from the detection IDS 230.
  • the EV side IDS 110 and the EVSE side IDS 210 proceed to step S403.
  • the EV side IDS 110 and the EVSE side IDS 210 end the process without doing anything.
  • the EV side IDS 110 and the EVSE side IDS 210 are connected to the same CAN bus, generally either they both receive alert information, or neither of them receives alert information.
  • the attack detection method is different between the detection IDS 130 of the EV side IDS 110 and the detection IDS 230 of the EVSE side IDS 210, and there is a difference in detection accuracy, the occurrence of an attack will be detected only on one of them. It is possible that
  • Steps S403 to S407 are the same as steps S203 to S207 of Example 1, respectively, so their explanation will be omitted.
  • both the EV 10 and the EVSE 20 have IDS for attack detection, but for example, either one may have the same configuration as in the first embodiment.
  • either the EV side IDS 110 or the EVSE side IDS 210 has the same functional configuration as in the first embodiment.
  • Example 4 will be described below. This example describes a case where Example 2 and Example 3 are combined.
  • Example 1 Note that in this example, differences from Example 1 will be mainly described, and descriptions of components similar to Example 1 will be omitted as appropriate.
  • FIG. 9 shows an example of the functional configuration of the attack source identification system 1 in this embodiment.
  • the EV side IDS 110 in this embodiment does not have a detection section 113, a specific information transmitting/receiving section 115, and a collating section 116, but has a specific information transmitting section 118 and an alert information receiving section. 119.
  • the alert information receiving unit 119 receives the alert information transmitted from the detection IDS 130.
  • the specific information transmitting unit 118 transmits first specific information indicating the specific result by the specifying unit 114 to the external server 30.
  • the EVSE side IDS 210 in this embodiment does not have a detection section 213, a specific information transmitting/receiving section 215, and a collation section 216, but has a specific information transmitting section 218 and an alert information receiving section. 219.
  • the alert information receiving unit 219 receives the alert information transmitted from the detection IDS 230.
  • the specific information transmitting unit 218 transmits second specific information indicating the specific result by the specifying unit 214 to the external server 30.
  • the external server 30 in this embodiment includes a collation unit 301.
  • the collation unit 301 collates the first specific information and the second specific information, and specifies whether the attack source is the EV-side charging ECU 120, the EVSE-side IDS 210, or something else. Further, the collation unit 301 notifies a predetermined notification destination (for example, an application used by the user of the EV 10, a charging service provider, an administrator of the EVSE 20, etc.) of the identification result of the attack source.
  • a predetermined notification destination for example, an application used by the user of the EV 10, a charging service provider, an administrator of the EVSE 20, etc.
  • Example 4 ⁇ Flow of pre-learning process (Example 4)> Since this is the same as in Example 1, the explanation thereof will be omitted.
  • Step S501 is the same as step S201 of the first embodiment, so its description will be omitted.
  • Step S502 The alert information receiving unit 119 of the EV side IDS 110 determines whether alert information has been received from the detection IDS 130. Similarly, the alert information receiving unit 219 of the EVSE side IDS 210 determines whether alert information has been received from the detection IDS 230.
  • the EV side IDS 110 and the EVSE side IDS 210 proceed to step S503.
  • the EV side IDS 110 and the EVSE side IDS 210 end the process without doing anything.
  • the EV side IDS 110 and the EVSE side IDS 210 are connected to the same CAN bus, generally either they both receive alert information, or neither of them receives alert information.
  • the attack detection method is different between the detection IDS 130 of the EV side IDS 110 and the detection IDS 230 of the EVSE side IDS 210, and there is a difference in detection accuracy, the occurrence of an attack will be detected only on one of them. It is possible that
  • Step S503 is the same as step S203 of the first embodiment, so its description will be omitted.
  • Step S504 The specific information transmitting unit 118 of the EV side IDS 110 transmits the first specific information to the external server 30. Similarly, the specific information transmitting unit 218 of the EVSE side IDS 210 transmits the second specific information to the external server 30.
  • Step S505 The collation unit 301 of the external server 30 collates the first specific information and the second specific information, and determines whether the attack source is the EV side charging ECU 120, the EVSE side IDS 210, or something else. Identify. Note that the verification unit 301 may perform verification and identify the source of the attack using the same method as in step S206 of the first embodiment.
  • Step S506 The verification unit 301 of the external server 30 notifies a predetermined notification destination (for example, an application used by the user of the EV 10, a charging service provider, an administrator of the EVSE 20, etc.) of the identification result of the attack source.
  • a predetermined notification destination for example, an application used by the user of the EV 10, a charging service provider, an administrator of the EVSE 20, etc.
  • the user of the EV 10, the charging service provider, the administrator of the EVSE 20, etc. can confirm that the EV-side charging ECU 120 or the EVSE-side charging ECU 220 has already been attacked and fraudulently operated. You can know that you are attacking other devices by sending CAN messages.
  • both the EV 10 and the EVSE 20 are equipped with IDS, and these IDS identify whether or not the attack source device is a device that has been learned in advance.
  • the final attack source device can be identified from the determination result. Therefore, according to the attack source identification system 1 according to the present embodiment, when EV10 becomes more widespread and various EV10 and various EVSE20 are connected to charge EV10, the security of both EV10 and EVSE20 is improved. It becomes possible to further improve the attack source identification system 1 according to the present embodiment
  • Attack source identification system 10 EV 20 EVSE 30 External server 110 IDS 111 CAN message receiving section 112 Learning section 113 Detection section 114 Specification section 115 Specific information transmission/reception section 116 Collation section 117 Storage section 118 Specific information transmission section 119 Alert information reception section 120 Charging ECU 130 IDS for detection 210 IDS 211 CAN message receiving section 212 Learning section 213 Detection section 214 Specification section 215 Specific information transmission/reception section 216 Collation section 217 Storage section 218 Specific information transmission section 219 Alert information reception section 220 Charging ECU 230 IDS for detection 301 Verification section

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Un système d'identification de source d'attaque selon un mode de réalisation de cette invention identifie un dispositif de source d'attaque d'une attaque sur un équipement de transport électrique ou un chargeur d'un tel équipement de transport électrique, chaque IDS étant installé dans chacun de l'équipement de transport électrique et du chargeur comportant : une unité d'identification configurée pour utiliser un modèle d'apprentissage entraîné à l'avance pour identifier si oui ou non le dispositif de source d'attaque de l'attaque est un dispositif de commande de charge déjà appris par le modèle d'apprentissage ; une unité de transmission et de réception d'informations d'identification configurée pour transmettre des premières informations d'identification indiquant un résultat d'identification par l'unité d'identification à un autre IDS et recevoir des secondes informations d'Identification indiquant un résultat d'identification par l'unité d'identification incluse dans l'autre IDS ; et une unité de comparaison configurée pour comparer les première et seconde informations d'identification et identifier le dispositif de source d'attaque de l'attaque.
PCT/JP2022/016778 2022-03-31 2022-03-31 Système d'identification de source d'attaque, procédé d'identification de source d'attaque et programme WO2023188356A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/016778 WO2023188356A1 (fr) 2022-03-31 2022-03-31 Système d'identification de source d'attaque, procédé d'identification de source d'attaque et programme

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/016778 WO2023188356A1 (fr) 2022-03-31 2022-03-31 Système d'identification de source d'attaque, procédé d'identification de source d'attaque et programme

Publications (1)

Publication Number Publication Date
WO2023188356A1 true WO2023188356A1 (fr) 2023-10-05

Family

ID=88200377

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/016778 WO2023188356A1 (fr) 2022-03-31 2022-03-31 Système d'identification de source d'attaque, procédé d'identification de source d'attaque et programme

Country Status (1)

Country Link
WO (1) WO2023188356A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014106801A (ja) * 2012-11-28 2014-06-09 Pioneer Electronic Corp 情報処理装置、情報処理方法、情報処理装置用プログラム、および、記録媒体
WO2020080047A1 (fr) * 2018-10-17 2020-04-23 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Dispositif d'identification d'emplacement d'incursion et procédé d'identification d'emplacement d'incursion
US20200233956A1 (en) * 2019-01-23 2020-07-23 General Electric Company Framework for cyber-physical system protection of electric vehicle charging stations and power grid

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014106801A (ja) * 2012-11-28 2014-06-09 Pioneer Electronic Corp 情報処理装置、情報処理方法、情報処理装置用プログラム、および、記録媒体
WO2020080047A1 (fr) * 2018-10-17 2020-04-23 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Dispositif d'identification d'emplacement d'incursion et procédé d'identification d'emplacement d'incursion
US20200233956A1 (en) * 2019-01-23 2020-07-23 General Electric Company Framework for cyber-physical system protection of electric vehicle charging stations and power grid

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YUKIO NAGABUCHI, HIROKI NAGAYAMA, MASAHIRO SHIRAISHI, ASAMI MIYAJIMA: "A-7-1 Research on cyber-attack countermeasures for the realization of a safe and secure electric vehicle society", PROCEEDINGS OF THE IEICE ENGINEERING SCIENCES SOCIETY/NOLTA SOCIETY CONFERENCE, IEICE, JP, 31 August 2021 (2021-08-31) - 17 September 2021 (2021-09-17), JP , pages 35, XP009549995, ISSN: 2189-700X *

Similar Documents

Publication Publication Date Title
Kim et al. Cybersecurity for autonomous vehicles: Review of attacks and defense
CN110324301B (zh) 生成用于阻止对车辆的计算机攻击的规则的系统和方法
US20180196941A1 (en) Security system and methods for identification of in-vehicle attack orginator
US11451579B2 (en) System and method for protecting electronics systems of a vehicle from cyberattacks
CN104145467B (zh) 使用所需节点路径和加密签名的安全分组传输的策略
Bhatia et al. Evading Voltage-Based Intrusion Detection on Automotive CAN.
US8374911B2 (en) Vehicle usage-based tolling privacy protection architecture
US10652256B2 (en) Real-time active threat validation mechanism for vehicle computer systems
US11528325B2 (en) Prioritizing data using rules for transmission over network
Otsuka et al. CAN security: Cost-effective intrusion detection for real-time control systems
EP3547191B1 (fr) Système et procédé permettant de générer des normes de blocage d'une attaque informatique sur un véhicule
Studnia et al. Security of embedded automotive networks: state of the art and a research proposal
CN112615716B (zh) 通过用户归档进行数字秘钥不良行为和女巫攻击检测的方法
Cheng et al. Security patterns for automotive systems
Ahmad et al. Machine learning and blockchain technologies for cybersecurity in connected vehicles
Lee et al. Ttids: Transmission-resuming time-based intrusion detection system for controller area network (can)
WO2023188356A1 (fr) Système d'identification de source d'attaque, procédé d'identification de source d'attaque et programme
US11528284B2 (en) Method for detecting an attack on a control device of a vehicle
Kim et al. Shadowauth: Backward-compatible automatic can authentication for legacy ecus
Liu et al. Secure and safe automated vehicle platooning
US11178162B2 (en) Method and device for detecting anomalies in a computer network
Sharma et al. Review of the Security of Backward-Compatible Automotive Inter-ECU Communication
JP2013142963A (ja) 車載制御装置の認証システム
CN112689982B (zh) 数据验证方法、装置及存储介质
CN112615766A (zh) 用于车用网络的安全监控装置及方法

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22935496

Country of ref document: EP

Kind code of ref document: A1