WO2024089723A1 - Cyber attack detection device and cyber attack detection method - Google Patents


Info

Publication number
WO2024089723A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication
additional information
unit
header
communication data
Application number
PCT/JP2022/039427
Other languages
French (fr)
Japanese (ja)
Inventor
俊樹 池頭
克久 小笠原
祐介 瀬戸
Original Assignee
三菱電機株式会社 (Mitsubishi Electric Corporation)

Definitions

  • This disclosure relates to cyber attack detection technology.
  • Patent Document 1 discloses, as an example of cyber-attack detection technology, an in-vehicle network device that relays data between multiple in-vehicle devices. It has a status acquisition unit that acquires the state of the vehicle and a communication monitoring unit that monitors the data, and it changes the way the data is monitored according to the vehicle state.
  • Because Patent Document 1 only changes the monitoring method according to the vehicle state, its communication monitoring unit may stop functioning when it is flooded with a large volume of communication data, i.e. under a DoS (Denial of Service) attack.
  • This disclosure addresses that problem and aims to provide cyber-attack detection technology that can cope with DoS attacks.
  • One aspect of the cyber attack detection device disclosed herein includes: a communication header monitoring unit that monitors the header of received communication data; a communication monitoring unit that monitors the payload of the communication data; an attack detection unit that detects, from the communication data, a sign of a DoS attack that would cause the communication monitoring unit to malfunction; an additional information request unit that, when the sign is detected, identifies a sender from the communication data and requests the identified sender to add additional information to the header of the communication data it sends from then on; and an update unit that, when the sign is detected, makes an update decision to add the additional information as a monitoring item. Based on that update decision the communication header monitoring unit adds the additional information as a monitoring item, and it determines newly received communication data to be abnormal if no additional information has been added to its header, or if the information added to its header does not match the additional information.
  • The cyber attack detection technology disclosed herein can therefore cope with DoS attacks.
  • FIG. 1 is a functional block diagram of a control device.
  • FIG. 2 is an explanatory diagram of the operation by which the communication header monitoring unit determines communication data lacking the additional information to be abnormal.
  • FIG. 3 is an explanatory diagram of the operation by which the communication header monitoring unit determines communication data carrying incorrect additional information to be abnormal.
  • FIG. 4 is an explanatory diagram of the operation by which the communication header monitoring unit determines communication data carrying incorrect encrypted additional information to be abnormal.
  • FIG. 5 is a flowchart of the abnormality detection process when no DoS attack is occurring.
  • FIG. 6 is a flowchart of the sign determination process that determines a sign of a DoS attack.
  • FIG. 7 is a flowchart of the abnormality detection process when a sign of a DoS attack has been detected.
  • FIG. 1 is a functional block diagram of an on-vehicle electronic control device (hereinafter simply "control device") to which the cyber-attack detection device of the present disclosure is applied.
  • The control device 10 controls a vehicle (not shown).
  • The control device 10 is connected to other control devices (not shown) inside the vehicle via a communication line (not shown), for example Ethernet or a CAN (Controller Area Network) bus.
  • The control device 10 includes a VM (Virtual Machine) 20, a network switch 30, hardware 40, and a hypervisor 50.
  • The network switch 30 connects the control device 10 to the other control devices (not shown) inside the vehicle.
  • The network switch 30 is, for example, an Ethernet switch equipped with a security function.
  • The network switch 30 may include a communication header monitoring unit 100 that monitors the header of communication data. The function and operation of the communication header monitoring unit 100 are described in more detail later.
  • The VM 20 is a virtual machine that has the function of controlling the vehicle.
  • The VM 20 runs Linux (registered trademark) as its operating system (OS).
  • The VM 20 includes a communication monitoring unit 101, an attack detection unit 103, an additional information request unit 104, an update unit 105, and an encryption unit 109. These functional units are described later.
  • The hardware 40 is the hardware of the control device 10 and includes a processor 401 and a memory 402.
  • The hardware 40 may also include a function for routing communication data and a security function.
  • The processor 401 executes the programs stored in the memory 402 to realize the functions of each functional unit of the VM 20.
  • The processor 401 likewise executes programs stored in the memory 402 to realize the functions of the communication header monitoring unit 100.
  • Examples of the memory 402 include non-volatile or volatile semiconductor memory such as RAM (random access memory), ROM (read-only memory), flash memory, EPROM (erasable programmable read-only memory) and EEPROM (electrically erasable programmable read-only memory), as well as magnetic disks, flexible disks, optical disks, compact disks, mini disks and DVDs.
  • The hypervisor 50 is the hypervisor of the control device 10: software for running one or more VMs 20 on the hardware 40.
  • Because a hypervisor is software for running several different operating systems simultaneously on the same hardware, the hypervisor 50 may be unnecessary when the control device 10 includes only a single VM 20.
  • The hypervisor 50 may also include a function for routing communication data and a security function.
  • The network switch 30 may include a communication header monitoring unit 100 that in turn includes an abnormality determination unit 102A.
  • The communication header monitoring unit 100 transmits communication data to, and receives it from, control devices (not shown) other than the control device 10, and inspects the header of that communication data.
  • The communication header monitoring unit 100 handles, for example, Ethernet communication data and inspects its header.
  • The abnormality determination unit 102A holds a list of normal communication data as its normal values, treats newly received communication data as the monitoring result, and compares that monitoring result against the normal values.
  • The list of normal communication data is created by a control unit (not shown) of the VM 20 while the control device 10 is operating normally and is held in memory.
  • The abnormality determination unit 102A acquires and holds the created list by referring to that memory.
  • Inspection of the header of communication data includes, for example, layer 2, layer 3 or layer 4 inspection of Ethernet communication data.
  • Layer 2 inspection includes, for example, inspection of the source MAC (Media Access Control) address, the destination MAC address, and the VLAN (Virtual LAN) port.
  • Layer 3 inspection includes, for example, inspection of the source IP (Internet Protocol) address and the destination IP address.
  • Layer 4 inspection includes, for example, inspection of the source port number, the destination port number, and the TCP (Transmission Control Protocol) flags.
  • The network switch 30 is shown equipped with the communication header monitoring unit 100, but the communication header monitoring unit 100 may instead be located in any of the hardware 40, the hypervisor 50, or the VM 20. A separate communication header monitoring unit may also be provided for each layer.
  • For example, the network switch 30 may be provided with a communication header monitoring unit that inspects layer 2, and the hardware 40 with a communication header monitoring unit that inspects layers 3 and 4.
  • The communication monitoring unit 101 includes an abnormality determination unit 102B and monitors the part of the communication data other than the header monitored by the communication header monitoring unit 100, i.e. the payload information.
  • The payload information includes, for example, the data itself, the reception cycle, and the reception frequency of the communication data.
  • The communication monitoring unit 101 may additionally monitor the header of the communication data monitored by the communication header monitoring unit 100. With this configuration the communication monitoring unit 101 can still monitor headers even when the communication header monitoring unit 100 is not operating normally.
  • The abnormality determination unit 102B holds a list of normal communication data as its normal values, treats newly received communication data as the monitoring result, and compares that monitoring result against the normal values.
  • The list of normal communication data is created by a control unit (not shown) of the VM 20 while the control device 10 is operating normally and is stored in memory.
  • The abnormality determination unit 102B acquires and stores the created list by referring to that memory. If the monitoring result does not match the normal values, the abnormality determination unit 102B determines that the newly received communication data is abnormal.
  • When the abnormality determination unit 102B determines that the newly received communication data is abnormal, it can cut off the communication as an abnormality response. Other abnormality responses may also be implemented, for example switching the communication line, switching over to a standby control device, or degrading the functions of the control device 10. If the data is determined to be normal, the normal control processing of the control device 10 continues.
  • The attack detection unit 103 performs a sign determination function that decides whether there is a sign of a DoS attack (an incident). A DoS attack would stop the communication monitoring unit 101 from functioning, so detecting the sign of a DoS attack early is what keeps the communication monitoring unit 101 working. The attack detection unit 103 may additionally perform an attack-end determination function that decides the attack is over once the DoS traffic subsides. For these functions the attack detection unit 103 includes a communication bandwidth monitoring unit 106, a resource monitoring unit 107, a memory monitoring unit 108, and an attack determination unit 120.
  • The communication bandwidth monitoring unit 106 monitors the communication bandwidth usage, i.e. how much of the communication bandwidth the communication monitoring unit 101 uses when receiving communication data, and decides whether there is bandwidth to spare. For example, an upper limit is set from the normal communication bandwidth, and if the bandwidth exceeds that limit the result is abnormal.
  • The resource monitoring unit 107 monitors the processing load of the communication monitoring unit 101 and decides whether there is processing capacity to spare. For example, the resource monitoring unit 107 compares the normal processor usage rate with the current processor usage rate of the processor assigned to it and decides whether there is an abnormality.
  • The memory monitoring unit 108 monitors the memory usage of the communication monitoring unit 101 and decides whether there is memory to spare. For example, the memory monitoring unit 108 compares the normal memory usage with the current memory usage of the memory allocated to it and decides whether there is an abnormality.
  • The attack determination unit 120 decides whether there is a sign of an incident caused by a DoS attack based on the monitoring results of the communication bandwidth monitoring unit 106, the resource monitoring unit 107, and the memory monitoring unit 108.
  • The attack determination unit 120 may decide that there is a sign only when all three monitoring results are abnormal, or as soon as any one of them is abnormal.
  • The state of the vehicle may also be taken into account when deciding whether there is a sign of an incident. For example, a stricter upper limit on the processing load may be applied while the vehicle is travelling.
  • The attack detection unit 103 may also be triggered by the abnormality result of the communication monitoring unit 101; for example, it may be configured to operate when the communication monitoring unit 101 reports a periodic abnormality.
  • When the attack detection unit 103 detects a sign of an incident, it transmits the detection result indicating the sign to the additional information request unit 104 and the update unit 105.
  • The additional information request unit 104, when the attack detection unit 103 has determined that there is a sign of an incident, identifies a sender from the large volume of received communication data and requests that sender to add additional information to the header of the communication data it sends from then on. For example, in an attack that spoofs the IP address of a legitimate device, a large volume of communication data apparently from that legitimate device is received, so the additional information request unit 104 treats the spoofed legitimate device as the sender and requests it to add the additional information to its headers.
  • Identifying the sender includes not only uniquely determining the sender's address but also narrowing it down to some extent.
  • The additional information is dynamic information that changes with each transmission or over time, or encrypted information obtained by encrypting such dynamic information.
  • Examples of dynamic information are counter values and timestamps.
  • The additional information request unit 104 may select a random value or a random item as the additional information. As one example, it selects a counter value that counts up from a random starting number. As another example, it chooses randomly between a counter value and a timestamp, so that rather than always selecting a counter value, it sometimes selects the counter value and sometimes the timestamp.
  • The additional information request unit 104 may request that information encrypted with a specific encryption key, described later, be added as the additional information.
  • The additional information request unit 104 may also issue a removal request asking the sender to stop adding the additional information it previously requested.
  • The additional information requested by the additional information request unit 104 is sent to the sender and is also passed to the update unit 105.
  • The additional information may also be passed to the encryption unit 109.
  • The encryption unit 109 encrypts the additional information requested by the additional information request unit 104.
  • The encryption unit 109 encrypts, for example, a counter value or a timestamp.
  • The encryption uses, for example, a message authentication code (MAC), symmetric-key (common-key) encryption, or public-key encryption.
  • The encryption key used by the encryption unit 109 is assumed to be held in advance by the legitimate sender; in other words, the control device 10 and the legitimate sender share the same symmetric key.
  • The encryption processing is performed by the VM 20 or by the hardware 40.
  • The encryption can be performed using a high-speed HSM (Hardware Security Module).
  • The update unit 105 makes an update decision to add the additional information to the monitoring items for the communication data when the additional information request unit 104 requests the sender to add the additional information to the header. Based on this update decision the monitoring items of the communication header monitoring unit 100 are updated. The update may be carried out by the update unit 105 itself or by the communication header monitoring unit 100; in the latter case the update unit 105 transmits an instruction to the communication header monitoring unit 100 to update its monitoring items according to the update decision. A part of the communication data may be monitored as binary.
  • The update unit 105 may also make a removal update decision to remove the additional information from the monitoring items. Based on that decision the monitoring items of the communication header monitoring unit 100 are updated, i.e. the additional information is removed from its monitoring items.
  • FIG. 2 shows a method in which the additional information is added to the monitoring items of the communication header monitoring unit 100, and communication data whose header carries no additional information is determined to be abnormal.
  • In FIG. 2, a newly connected unauthorized device B attempts to launch a DoS attack on the control device 10 by spoofing the IP address of legitimate device A in its headers.
  • The attack detection unit 103 detects the sign of an incident (DoS attack). When the sign is detected, the additional information request unit 104 identifies the sender from the large volume of received communication data and requests that sender to add additional information. Also on detection of the sign, the update unit 105 makes an update decision to add the additional information as a monitoring item of the communication header monitoring unit 100, and the monitoring item is added on the basis of that decision.
  • The control device 10 (additional information request unit 104) requests legitimate device A, which it identified as the sender, to add the additional information.
  • Because unauthorized device B is merely masquerading as legitimate device A, the communication data requesting the additional information does not reach unauthorized device B.
  • After being requested to add the additional information, legitimate device A sends communication data to the control device 10 with the additional information added to the header.
  • The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from legitimate device A is normal.
  • Unauthorized device B keeps sending communication data to the control device 10 without any additional information in the header.
  • The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from unauthorized device B is abnormal. On that determination the communication header monitoring unit 100 may block communication with unauthorized device B.
  • FIG. 3 shows a method in which the additional information is added to the monitoring items of the communication header monitoring unit 100, and communication data whose header carries incorrect additional information is determined to be abnormal.
  • In FIG. 3, a newly connected unauthorized device B eavesdrops on the communication of legitimate device A, spoofs the IP address of legitimate device A in its headers, and adds imitated additional information in an attempt to launch a DoS attack on the control device 10.
  • The attack detection unit 103 detects the sign of an incident. When the sign is detected, the additional information request unit 104 identifies the sender from the large volume of received communication data and requests that sender to add additional information; in the example of FIG. 3 the additional information is a counter value. Also on detection of the sign, the update unit 105 makes an update decision to add the additional information as a monitoring item of the communication header monitoring unit 100, and the monitoring item is added on the basis of that decision.
  • The control device 10 (additional information request unit 104) requests legitimate device A, which it identified as the sender, to add the additional information.
  • Because unauthorized device B is merely masquerading as legitimate device A, the communication data requesting the additional information does not reach unauthorized device B. However, unauthorized device B eavesdrops on the communication of legitimate device A and observes that additional information has been added.
  • After being requested to add the additional information, legitimate device A sends communication data to the control device 10 with the correct additional information, counter value 1, added to the header.
  • The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from legitimate device A is normal.
  • Unauthorized device B, having eavesdropped on legitimate device A, spoofs the IP address of legitimate device A and sends communication data to the control device 10 carrying the intercepted additional information, counter value 1.
  • The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from unauthorized device B is abnormal, because the counter value has not been counted up. On that determination the communication header monitoring unit 100 may block communication with unauthorized device B.
  • FIG. 4 shows a method in which the additional information is added to the monitoring items of the communication header monitoring unit 100, and communication data whose header carries incorrect encrypted additional information is determined to be abnormal.
  • In FIG. 4, a newly connected unauthorized device B eavesdrops on the communication of legitimate device A, spoofs the MAC address of legitimate device A in its headers, and, impersonating legitimate device A, adds imitated additional information to the communication data it sends to the control device 10 in an attempt to launch a DoS attack.
  • The attack detection unit 103 detects the sign of an incident. When the sign is detected, the additional information request unit 104 identifies the sender from the large volume of received communication data and requests that sender to add, as additional information, an encrypted form of specified information; in the example of FIG. 4 the additional information is an encrypted counter value. Also on detection of the sign, the update unit 105 makes an update decision to add the additional information as a monitoring item of the communication header monitoring unit 100, and the monitoring item is added on the basis of that decision.
  • The control device 10 (additional information request unit 104) requests legitimate device A, which it identified as the sender, to add an encrypted counter value as the additional information.
  • Because unauthorized device B has spoofed the MAC address of legitimate device A, the communication data requesting the additional information also reaches unauthorized device B.
  • After being requested to add the additional information, legitimate device A sends communication data to the control device 10 with the encrypted counter value 0110 added to the header as the additional information.
  • The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from legitimate device A is normal.
  • The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from unauthorized device B is abnormal, because the additional information it carries is not the encrypted form of the counted-up counter value; without the encryption key held by legitimate senders, unauthorized device B cannot produce that value even though it saw the request. On that determination the communication header monitoring unit 100 may block communication with unauthorized device B.
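The following is an added example, written for this page and not code from the patent or from Mitsubishi Electric, that models the exchange described for the additional information request unit 104, the encryption unit 109 and the update unit 105 above, and replays the three scenarios of FIGS. 2 to 4 against one header monitor. Headers are reduced to a source IP plus an optional extra field; the pre-shared key, the use of an HMAC-SHA256 tag truncated to 8 bytes as the "encrypted counter value", the request and removal message formats, the device addresses and all names are assumptions. The random choice between a counter and a timestamp is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared key: the page assumes control device 10 and the legitimate
# sender already hold the same symmetric key and that the attacker does not.
PRESHARED_KEY = bytes.fromhex("8f3a1b6c4d5e7f90a1b2c3d4e5f60718")
TAG_LEN = 8  # assumed truncation to keep the header field small


def keyed_tag(key, counter):
    """'Encrypted' additional information: truncated HMAC-SHA256 over the counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:TAG_LEN]


def expected_extra(mode, counter, key):
    """Value the header monitor expects next from a sender under the given mode."""
    return counter.to_bytes(4, "big") if mode == "counter" else keyed_tag(key, counter)


class Sender:
    """Legitimate device A when given the key; without it, an attacker that saw the request."""
    def __init__(self, src_ip, key=None):
        self.src_ip, self.key, self.mode, self.counter = src_ip, key, None, 0

    def on_request(self, req):            # request from unit 104 reached this device
        self.mode, self.counter = req["mode"], req["start"]

    def on_removal(self):                 # removal request: stop adding the extra field
        self.mode = None

    def send(self):
        extra = None
        if self.mode == "counter":
            extra = self.counter.to_bytes(4, "big")
        elif self.mode == "mac":
            # Without the key, the best an attacker can do is add the plain counted-up counter.
            extra = keyed_tag(self.key, self.counter) if self.key else self.counter.to_bytes(4, "big")
        if self.mode:
            self.counter += 1
        return {"src_ip": self.src_ip, "extra": extra}


class HeaderMonitor:
    """Unit 100 with 102A: static list of normal senders plus dynamically added items."""
    def __init__(self, normal_src_ips, key=PRESHARED_KEY):
        self.normal, self.key, self.items = set(normal_src_ips), key, {}

    def add_item(self, src_ip, mode, start):      # update decision (unit 105)
        self.items[src_ip] = [mode, start]

    def remove_item(self, src_ip):                # removal update decision
        self.items.pop(src_ip, None)

    def inspect(self, hdr):
        if hdr["src_ip"] not in self.normal:
            return False
        item = self.items.get(hdr["src_ip"])
        if item is None:
            return True                           # no additional information requested
        mode, ctr = item
        if hdr["extra"] is None:
            return False                          # FIG. 2: nothing added
        if not hmac.compare_digest(hdr["extra"], expected_extra(mode, ctr, self.key)):
            return False                          # FIG. 3/4: replayed, stale or unkeyed value
        item[1] = ctr + 1                         # accept; expect the counted-up value next
        return True


def request_additional_info(monitor, src_ip, mode, start=None):
    """Units 104 + 105: counter counts up from a random number, the monitoring item is
    added, and the request that goes out to the identified sender is returned."""
    if start is None:
        start = secrets.randbelow(1 << 32)
    monitor.add_item(src_ip, mode, start)
    return {"to": src_ip, "mode": mode, "start": start}


def run_scenarios():
    """FIG. 2 (no extra), FIG. 3 (replayed counter), FIG. 4 (attacker saw request, no key)."""
    results = {}
    for fig, mode, b_sees_request in (("fig2", "counter", False),
                                      ("fig3", "counter", False),
                                      ("fig4", "mac", True)):
        mon = HeaderMonitor(["192.168.10.5"])
        a = Sender("192.168.10.5", PRESHARED_KEY)     # legitimate device A
        b = Sender("192.168.10.5")                    # device B spoofing A's address, no key
        req = request_additional_info(mon, "192.168.10.5", mode, start=1)
        a.on_request(req)
        if b_sees_request:                            # FIG. 4: B also spoofed the MAC address
            b.on_request(req)
        frame_a = a.send()
        frame_b = dict(frame_a) if fig == "fig3" else b.send()  # FIG. 3: B replays A's value
        results[fig] = (mon.inspect(frame_a), mon.inspect(frame_b))
    return results


def after_removal(mon, sender):
    """Attack over: drop the monitoring item and tell the sender to stop adding the field."""
    mon.remove_item(sender.src_ip)
    sender.on_removal()
    return mon.inspect(sender.send())
```

Two caveats a practitioner should keep in mind with the plain counter of FIG. 3: it only rejects a value that has already been accepted, so an attacker that can observe A's frames on the same segment could send the next counter value before A does and get A's own frame rejected instead; and a counter that is learned once is predictable thereafter. The keyed variant of FIG. 4 closes both gaps, because the expected value cannot be computed without the key; truncating the tag, as done here, trades forgery resistance for header space and should be sized for the traffic rate.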
  • FIG. 5 is a flowchart of the sequence from reception of communication data, through abnormality determination, to execution of the processing for the determination result, while no DoS attack is occurring.
  • In step S201 the communication header monitoring unit 100 receives communication data. After step S201, processing proceeds to step S202.
  • In step S202 the communication header monitoring unit 100 inspects the header of the communication data.
  • The abnormality determination unit 102A compares the monitoring result of the communication header monitoring unit 100 with the list of normal communication data and determines whether the data is abnormal (invalid). If step S202 determines an abnormality, processing proceeds to step S204; if it determines no abnormality (normality), processing proceeds to step S203.
  • In step S203 the communication monitoring unit 101 inspects the part of the communication data other than the header.
  • The abnormality determination unit 102B compares the monitoring result of the communication monitoring unit 101 with the list of normal communication data and determines whether the data is abnormal (invalid). If step S203 determines an abnormality, processing proceeds to step S204; if it determines normality, processing proceeds to step S205.
  • In step S204 the abnormality determination unit 102A or 102B performs abnormality processing, for example cutting off the communication determined to be abnormal. After step S204 the abnormality detection processing ends.
  • Step S205 is reached when both the abnormality determination unit 102A and the abnormality determination unit 102B have determined the data to be normal; the normal processing, i.e. the normal control processing, is performed. After step S205 the abnormality detection processing ends.
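Below is an added example, written for this page and not taken from the patent or from Mitsubishi Electric, of the two-stage check of FIG. 5 (steps S201 to S205) using the layer 2/3/4 header fields described for the communication header monitoring unit 100 and the payload items (the data itself, reception cycle, reception frequency) described for the communication monitoring unit 101. The frame layout handled (Ethernet with an 802.1Q tag, IPv4, UDP), the allowlist entry, the 100 ms cycle with 20 ms tolerance, the fixed payload length, the addresses and all names are assumptions; TCP flag inspection, which the page also lists, is not implemented.

```python
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
VLAN = struct.Struct("!HH")             # 802.1Q TCI, inner ethertype
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header
UDP = struct.Struct("!HHHH")            # sport, dport, length, checksum


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(src_mac, dst_mac, vlan, src_ip, dst_ip, sport, dport, payload):
    """Constructed test input: Ethernet/802.1Q/IPv4/UDP frame (checksums left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!HHH", 0x8100, vlan, 0x0800)
    ip = IPV4.pack(0x45, 0, 20 + 8 + len(payload), 0, 0, 64, 17, 0,
                   bytes(int(x) for x in src_ip.split(".")),
                   bytes(int(x) for x in dst_ip.split(".")))
    return eth + ip + UDP.pack(sport, dport, 8 + len(payload), 0) + payload


def parse_headers(frame):
    """Layer 2/3/4 fields that the communication header monitoring unit 100 inspects."""
    dst, src, ethertype = ETH.unpack_from(frame, 0)
    off, vlan = ETH.size, None
    if ethertype == 0x8100:
        tci, ethertype = VLAN.unpack_from(frame, off)
        vlan, off = tci & 0x0FFF, off + VLAN.size
    if ethertype != 0x0800:
        raise ValueError("example handles IPv4 only")
    ver_ihl, _, _, _, _, _, proto, _, sip, dip = IPV4.unpack_from(frame, off)
    if proto != 17:
        raise ValueError("example handles UDP only")
    l4 = off + (ver_ihl & 0x0F) * 4
    sport, dport, _, _ = UDP.unpack_from(frame, l4)
    return {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "vlan": vlan,
            "src_ip": ip_str(sip), "dst_ip": ip_str(dip), "proto": proto,
            "sport": sport, "dport": dport, "payload": frame[l4 + UDP.size:]}


def header_key(h):
    return (h["src_mac"], h["dst_mac"], h["vlan"], h["src_ip"], h["dst_ip"],
            h["proto"], h["sport"], h["dport"])


class HeaderMonitor:
    """Unit 100 with abnormality determination unit 102A: list of normal header values."""
    def __init__(self, normal_keys):
        self.normal = set(normal_keys)

    def inspect(self, h):
        return header_key(h) in self.normal


class PayloadMonitor:
    """Unit 101 with 102B: checks the data itself and the reception cycle/frequency."""
    def __init__(self, expected_len, period_s, tolerance_s):
        self.expected_len, self.period, self.tol = expected_len, period_s, tolerance_s
        self.last_seen = {}

    def inspect(self, key, t, payload):
        ok = len(payload) == self.expected_len
        prev = self.last_seen.get(key)
        if prev is not None and abs((t - prev) - self.period) > self.tol:
            ok = False          # off-cycle reception: too frequent (flood) or too slow
        self.last_seen[key] = t
        return ok


class ControlDevice:
    """Steps S201-S205: header check, then payload check, cut off on any abnormality."""
    def __init__(self, normal_keys, expected_len, period_s, tolerance_s):
        self.header = HeaderMonitor(normal_keys)
        self.payload = PayloadMonitor(expected_len, period_s, tolerance_s)
        self.blocked = set()

    def receive(self, frame, t):
        h = parse_headers(frame)                           # S201
        key = header_key(h)
        if key in self.blocked:
            return "blocked"
        if not self.header.inspect(h):                     # S202
            self.blocked.add(key)                          # S204: cut off communication
            return "abnormal_header"
        if not self.payload.inspect(key, t, h["payload"]):  # S203
            self.blocked.add(key)                          # S204
            return "abnormal_payload"
        return "normal"                                    # S205


# Constructed allowlist: one legitimate flow from device A (40000/udp) to this device (5000/udp).
NORMAL = [("02:00:00:00:00:0a", "02:00:00:00:00:10", 10,
           "192.168.10.5", "192.168.10.1", 17, 40000, 5000)]


def demo():
    """Legitimate 100 ms cycle, one frame from an unknown MAC, then a flood-style early frame."""
    dev = ControlDevice(NORMAL, expected_len=8, period_s=0.1, tolerance_s=0.02)

    def frame(src_mac="02:00:00:00:00:0a"):
        return build_frame(src_mac, "02:00:00:00:00:10", 10, "192.168.10.5",
                           "192.168.10.1", 40000, 5000, b"\x01" * 8)

    return [dev.receive(frame(), 0.0), dev.receive(frame(), 0.1),
            dev.receive(frame("02:00:00:00:00:bb"), 0.15), dev.receive(frame(), 0.2),
            dev.receive(frame(), 0.21), dev.receive(frame(), 0.3)]
```

The last two results in `demo()` show the limitation the page is built around: the early frame matches device A's header tuple exactly, so the only key the device can cut off is A's own flow, and a spoofing attacker takes the legitimate sender down with it. The additional-information mechanism of FIGS. 2 to 4 exists to give the header monitor something the spoofer cannot supply.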
  • FIG. 6 is a flowchart of the sequence from determining whether there is a sign of an incident (DoS attack), through identifying the sender and requesting the sender to add additional information, to updating the header monitoring items to include that additional information.
  • In step S301 the communication bandwidth monitoring unit 106 monitors the communication bandwidth of the communication monitoring unit 101. If the bandwidth exceeds a predetermined threshold it is determined to be abnormal. If an abnormality is determined in step S301, processing proceeds to step S302.
  • In step S302 the resource monitoring unit 107 monitors the processing load of the communication monitoring unit 101. If the processing load exceeds a predetermined threshold it is determined to be abnormal. If an abnormality is determined in step S302, processing proceeds to step S303.
  • In step S303 the memory monitoring unit 108 monitors the memory usage of the communication monitoring unit 101. If the memory usage exceeds a predetermined threshold it is determined to be abnormal. If an abnormality is determined in step S303, processing proceeds to step S304. Steps S301, S302 and S303 may be performed in any order.
  • In step S304 the attack determination unit 120 determines whether there is a sign of an incident caused by a DoS attack, based on the abnormality determination results of the communication bandwidth monitoring unit 106, the resource monitoring unit 107, and the memory monitoring unit 108.
  • The attack determination unit 120 may determine that there is a sign when any of those results indicates an abnormality. If step S304 determines that there is a sign, processing proceeds to step S305.
  • In step S305 the additional information request unit 104 identifies the sender from the large volume of received data. After step S305, processing proceeds to step S306.
  • In step S306 the additional information request unit 104 requests the identified sender to add additional information.
  • The additional information request unit 104 may request encrypted information as the additional information.
  • In that case the encryption unit 109 encrypts the expected value of the monitored item (e.g. a counter value) and uses the encrypted data as the additional information.
  • In step S307 the update unit 105 makes an update decision to add the additional information requested of the sender as a monitoring item for the communication data. Based on this decision, in one example the update unit 105 itself adds the requested additional information to the monitoring items of the communication header monitoring unit 100; in another, the communication header monitoring unit 100 adds it.
  • After step S307 the incident sign determination processing ends.
  • Fig. 7 is a flowchart showing the flow of a series of processes from the communication data reception process, through the abnormality detection process, to the execution of the determination result process.
  • step S401 the communication header monitoring unit 100 receives communication data. After the processing in step S401 ends, the processing proceeds to step S402.
  • step S402 the communication header monitoring unit 100 inspects the header of the communication data.
  • the abnormality determination unit 102A compares the monitoring result of the communication header monitoring unit 100 with a list of normal communication data to which additional information has been added, and determines whether the abnormality is due to invalid data. If an abnormality is determined in step S402, processing proceeds to step S404. If no abnormality (normality) is determined in step S402, processing proceeds to step S403.
  • step S403 the communication monitoring unit 101 inspects the data in the areas other than the header of the communication data.
  • the abnormality determination unit 102B compares the monitoring results of the communication monitoring unit 101 with a list of normal communication data, and determines whether the abnormality is due to invalid data. If an abnormality is determined in step S403, the process proceeds to step S404. If a normality is determined in step S403, the process proceeds to step S405.
  • step S404 the abnormality determination unit 102A or the abnormality determination unit 102B performs abnormality processing. For example, the abnormality determination unit 102A or the abnormality determination unit 102B cuts off the communication that has been determined to be abnormal. After step S404 ends, the abnormality detection processing ends.
  • if the abnormality determination unit 102A and the abnormality determination unit 102B determine that the communication data is normal, in step S405 the abnormality determination unit 102A and the abnormality determination unit 102B perform normal processing. Normal processing refers to the normal control processing. After step S405 ends, the abnormality detection processing ends.
  • the cyber-attack detection device according to the present disclosure is used as an in-vehicle electronic control device.
  • the cyber-attack detection device according to the present disclosure is not limited to this example.
  • it can also be used as a device connected to a communication line that has high security strength and requires a mechanism for early detection of abnormalities.
  • control device includes a communication header monitoring unit (100) that monitors the header of received communication data, a communication monitoring unit (101) that monitors the payload of the communication data, an attack detection unit (103) that detects from the communication data a sign of a DoS attack that will cause the communication monitoring unit to malfunction, an additional information request unit (104) that identifies a source from the communication data when the sign is detected and requests the identified source to add additional information to the header of communication data to be newly sent, and an update unit (105) that makes an update decision to add the additional information as a monitoring item when the sign is detected, and the communication header monitoring unit (100) adds the additional information as a monitoring item based on the update decision, and if the additional information has not been added to the header of the newly received communication data or if the information added to the header of the newly received communication data does not match the additional information, determines that the newly received communication data is abnormal.
  • the control device (cyber attack detection device) disclosed herein can deal with DoS attacks.
  • the communication header monitoring unit determines that the newly received communication data is abnormal, it blocks communication with the sender. Therefore, since there is no need for the communication monitoring unit, which monitors the payload, to process a large amount of received data, the processing load on the communication monitoring unit can be reduced.
  • a request is made to remove the additional information for which the request to add was made. In this way, by dynamically adding additional information, it is possible to increase the possibility of preventing eavesdropping and spoofing attacks carried out through guesswork.
  • the additional information is dynamic information that changes with each transmission or over time. In this way, by adding additional information whose value changes dynamically, it is possible to prevent attacks even if the data is intercepted and a replay attack is carried out.
  • the dynamic information is a timestamp or a counter value
  • the additional information request unit randomly selects the timestamp or counter value as the additional information, and when the counter value is selected, the counter value is counted up from a random value. Therefore, it is possible to increase the possibility of preventing eavesdropping and spoofing attacks carried out by guessing.
  • control device further includes an encryption unit (109) that encrypts the dynamic information into encrypted information using a predetermined encryption key, and the additional information request unit requests the sender to add information obtained by encrypting the dynamic information using the encryption key as the additional information, and the update unit makes a further update decision to add the encrypted information as a monitoring item when the symptom is detected, and the communication header monitoring unit adds the encrypted information as a monitoring item based on the further update decision, and when the encrypted information has not been added to the header of the newly received communication data or when the information added to the header of the newly received communication data does not match the encrypted information, the newly received communication data is determined to be abnormal.
  • This configuration makes it possible to deal with DoS attacks that involve spoofing MAC addresses.
  • the cyberattack detection device disclosed herein can be used, for example, as an electronic control device mounted on a vehicle.
  • Control device (cyber attack detection device), 30 Network switch, 40 Hardware, 50 Hypervisor, 100 Communication header monitoring unit, 101 Communication monitoring unit, 102 (102A, 102B) Anomaly determination unit, 103 Attack detection unit, 104 Additional information request unit, 105 Update unit, 106 Communication bandwidth monitoring unit, 107 Resource monitoring unit, 108 Memory monitoring unit, 109 Encryption unit, 120 Attack determination unit, 401 Processor, 402 Memory.
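The Fig. 6 sign determination (S301 to S307) and the Fig. 7 header-then-payload check described in the steps above, as an added Python example that is not part of the patent: the threshold values, the stricter CPU limit while driving, the majority-source rule used to identify the sender and the sample frames are constructed assumptions, and the request to the sender is taken as delivered.

```python
import random
from dataclasses import dataclass, field

# Threshold values are assumptions for illustration; the patent leaves them to the implementer.
BANDWIDTH_LIMIT_BPS = 10_000_000     # S301: upper limit derived from the normal bandwidth
CPU_LIMIT_PERCENT = 80.0             # S302: processor usage limit while stationary
CPU_LIMIT_DRIVING_PERCENT = 60.0     # stricter limit while the vehicle is travelling (assumed)
MEMORY_LIMIT_BYTES = 64 * 1024 ** 2  # S303: memory usage limit


@dataclass
class ResourceSample:
    """Constructed snapshot of what units 106, 107 and 108 observe for the communication monitoring unit."""
    bandwidth_bps: float
    cpu_percent: float
    memory_bytes: int


def attack_sign_detected(sample: ResourceSample, driving: bool = False) -> bool:
    """Attack determination unit 120 (S304): any single abnormal result counts as a sign."""
    cpu_limit = CPU_LIMIT_DRIVING_PERCENT if driving else CPU_LIMIT_PERCENT
    return (sample.bandwidth_bps > BANDWIDTH_LIMIT_BPS
            or sample.cpu_percent > cpu_limit
            or sample.memory_bytes > MEMORY_LIMIT_BYTES)


def identify_sender(received: list) -> str:
    """S305: the source address that dominates the flood is treated as the (possibly spoofed) sender."""
    counts = {}
    for frame in received:
        counts[frame["src"]] = counts.get(frame["src"], 0) + 1
    return max(counts, key=counts.get)


@dataclass
class HeaderMonitor:
    """Communication header monitoring unit 100 with its abnormality determination unit 102A."""
    normal_sources: set                                   # list of normal communication data (sources)
    additional_items: dict = field(default_factory=dict)  # src -> expected counter value

    def add_monitoring_item(self, src: str, start: int) -> None:
        """Update unit 105 (S307): the requested counter becomes a monitoring item for this source."""
        self.additional_items[src] = start

    def remove_monitoring_item(self, src: str) -> None:
        """Removal update once the attack detection unit no longer sees the sign."""
        self.additional_items.pop(src, None)

    def inspect(self, frame: dict) -> str:
        """S402: returns 'abnormal' or 'pass'; a passing frame advances the expected counter."""
        if frame["src"] not in self.normal_sources:
            return "abnormal"
        if frame["src"] in self.additional_items:
            expected = self.additional_items[frame["src"]]
            if frame.get("counter") != expected:          # missing (None) or mismatching value
                return "abnormal"
            self.additional_items[frame["src"]] = expected + 1
        return "pass"


def incident_sign_processing(monitor: HeaderMonitor, sample: ResourceSample, received: list,
                             rng: random.Random = None, driving: bool = False):
    """Fig. 6 in one call: S301-S304 decide, S305 identifies, S306 requests, S307 updates.
    Returns (sender, start counter) when a sign was found, otherwise None."""
    if not attack_sign_detected(sample, driving):
        return None
    rng = rng or random.Random()
    src = identify_sender(received)
    start = rng.randrange(0, 2 ** 32)                     # counter counted up from a random value
    monitor.add_monitoring_item(src, start)               # the request to the sender is assumed delivered
    return src, start


def classify(monitor: HeaderMonitor, frame: dict, payload_ok: bool = True) -> str:
    """Fig. 7: S402 header check, S403 payload check only if the header passed, then S404 or S405."""
    if monitor.inspect(frame) == "abnormal":
        return "cut off"                                  # S404: blocked already at the header stage
    if not payload_ok:                                    # S403 result from the communication monitoring unit
        return "cut off"
    return "normal"                                       # S405: normal control processing continues


if __name__ == "__main__":
    monitor = HeaderMonitor(normal_sources={"10.0.0.5", "10.0.0.7"})
    flood = [{"src": "10.0.0.5"}] * 1000 + [{"src": "10.0.0.7"}] * 3      # constructed flood
    sample = ResourceSample(bandwidth_bps=50e6, cpu_percent=95.0, memory_bytes=10 * 1024 ** 2)
    src, start = incident_sign_processing(monitor, sample, flood, random.Random(1))
    print(src, classify(monitor, {"src": src}), classify(monitor, {"src": src, "counter": start}))
```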

Abstract

This cyber attack detection device comprises: a communication header monitoring unit that monitors a header of received communication data; a communication monitoring unit that monitors a payload of the communication data; an attack detection unit that detects, from the communication data, signs of a DoS attack which would lead to the function failure of the communication monitoring unit; an additional information request unit that identifies a transmission source from the communication data when the signs are detected, and requests the identified transmission source to add additional information to a header of communication data to be newly transmitted; and an update unit that, when the signs are detected, performs an update determination for adding the additional information as a monitored item. The communication header monitoring unit adds the additional information as a monitored item on the basis of the update determination, and determines that newly received communication data is abnormal when the additional information has not been added to the header of the newly received communication data, or when the information added to the header of the newly received communication data does not match the additional information.

Description

Cyber attack detection device and cyber attack detection method
This disclosure relates to cyber attack detection technology.
Patent Document 1 discloses, as an example of a cyber-attack detection technology, a technology relating to an in-vehicle network device that communicates data between multiple in-vehicle devices, which has a status acquisition unit that acquires the status of the vehicle itself and a communication monitoring unit that monitors the data, and which changes the method of monitoring the data based on the status of the vehicle itself.
Patent Document 1: JP 2017-47835 A
The device disclosed in Patent Document 1 only changes the monitoring method depending on the state, so there is a problem that the communication monitoring unit may stop functioning if it is attacked by sending a large amount of communication data, known as a DoS (Denial of Service) attack.
This disclosure has been made to solve these problems, and aims to provide cyber-attack detection technology that can deal with DoS attacks.
One aspect of the cyber attack detection device disclosed herein includes a communication header monitoring unit that monitors the header of received communication data, a communication monitoring unit that monitors the payload of the communication data, an attack detection unit that detects from the communication data a sign of a DoS attack that will cause the communication monitoring unit to malfunction, an additional information request unit that, when the sign is detected, identifies a sender from the communication data and requests the identified sender to add additional information to the header of newly sent communication data, and an update unit that makes an update decision to add the additional information as a monitoring item when the sign is detected, and the communication header monitoring unit adds the additional information as a monitoring item based on the update decision, and if the additional information has not been added to the header of the newly received communication data or if the information added to the header of the newly received communication data does not match the additional information, determines that the newly received communication data is abnormal.
The cyber attack detection technology disclosed herein can deal with DoS attacks.
Fig. 1 is a functional block diagram of a control device.
Fig. 2 is an explanatory diagram for explaining an operation of the communication header monitoring unit for determining that communication data is abnormal.
Fig. 3 is an explanatory diagram for explaining an operation of the communication header monitoring unit for determining that communication data is abnormal.
Fig. 4 is an explanatory diagram for explaining an operation of the communication header monitoring unit for determining that communication data is abnormal.
Fig. 5 is a flowchart showing the abnormality detection process when no DoS attack is occurring.
Fig. 6 is a flowchart showing the sign determination process for determining a sign of a DoS attack.
Fig. 7 is a flowchart showing the abnormality detection process when a sign of a DoS attack is detected.
Various embodiments of the present disclosure will be described in detail below with reference to the attached drawings. Note that components with the same or similar reference numerals in the drawings have the same or similar configurations or functions, and redundant descriptions of such components are omitted.
Embodiment 1.
<Outline of configuration>
(Control device)
Fig. 1 is a functional block diagram of an on-vehicle electronic control device (hereinafter simply referred to as a "control device") in the case where the cyber-attack detection device of the present disclosure is applied as that control device. The control device 10 is a device that controls a vehicle (not shown). The control device 10 is connected to other control devices (not shown) inside the vehicle via a communication line (not shown), for example Ethernet or CAN (Controller Area Network). The control device 10 includes a VM (Virtual Machine) 20, a network switch 30, hardware 40, and a hypervisor 50.
(Network switch)
The network switch 30 is a network switch that connects the control device 10 to the other control devices (not shown) inside the vehicle. The network switch 30 is, for example, an Ethernet switch equipped with a security function. As an example, as shown in Fig. 1, the network switch 30 may include a communication header monitoring unit 100 and monitor the header of communication data. The function and operation of the communication header monitoring unit 100 are described in more detail later.
(VM)
The VM (Virtual Machine) 20 is a virtual machine that has the function of controlling the vehicle. For example, the VM 20 runs Linux (registered trademark) as its operating system (OS). The VM 20 includes a communication monitoring unit 101, an attack detection unit 103, an additional information request unit 104, an update unit 105, and an encryption unit 109. Details of these functional units are described later.
(Hardware)
The hardware 40 is the hardware of the control device 10, and includes a processor 401 and a memory 402. The hardware 40 may include a function for routing communication data and a security function.
The processor 401 executes the programs stored in the memory 402 to perform the functions executed by each functional unit of the VM 20. The processor 401 also executes the programs stored in the memory 402 to perform the functions executed by the communication header monitoring unit 100. Examples of the memory 402 include non-volatile or volatile semiconductor memory such as RAM (random access memory), ROM (read-only memory), flash memory, EPROM (erasable programmable read-only memory), and EEPROM (electrically erasable programmable read-only memory), as well as magnetic disks, flexible disks, optical disks, compact disks, mini disks, and DVDs.
(Hypervisor)
The hypervisor 50 is the hypervisor of the control device 10, and is software for running one or more VMs 20 on the hardware 40. In general, a hypervisor is software for running a plurality of different operating systems simultaneously on the hardware, so when the control device 10 includes only a single VM 20, the hypervisor 50 may be omitted. The hypervisor 50 may include a function for routing communication data and a security function.
<Details of configuration>
(Communication header monitoring unit)
As an example, the network switch 30 may include a communication header monitoring unit 100 that includes an abnormality determination unit 102A.
The communication header monitoring unit 100 is a functional unit that has the function of transmitting and receiving communication data to and from control devices (not shown) other than the control device 10, and of inspecting the header of the communication data. The communication header monitoring unit 100 transmits and receives, for example, Ethernet communication data, and inspects the header of that communication data.
The abnormality determination unit 102A holds a list of normal communication data as normal values, and has the function of treating newly acquired communication data as a monitoring result and comparing that monitoring result with the normal values. The list of normal communication data is created by a control unit (not shown) of the VM 20 while the control device 10 is operating normally, and is held in memory. The abnormality determination unit 102A acquires and holds this created list by referring to the memory.
Inspection of the header of communication data includes, for example, for Ethernet communication data, any of layer 2 inspection, layer 3 inspection, or layer 4 inspection.
Layer 2 inspection includes, for example, inspection of the source MAC (Media Access Control) address, inspection of the destination MAC address, and inspection of the VLAN (Virtual LAN) port.
Layer 3 inspection includes, for example, inspection of the source IP (Internet Protocol) address and inspection of the destination IP address.
Layer 4 inspection includes, for example, inspection of the source port number, the destination port number, and the TCP (Transmission Control Protocol) flags.
Fig. 1 shows a configuration in which the network switch 30 includes the communication header monitoring unit 100, but the communication header monitoring unit 100 may be located in any of the hardware 40, the hypervisor 50, or the VM 20. A communication header monitoring unit may also be provided for each layer. For example, the network switch 30 may be provided with a communication header monitoring unit that performs layer 2 inspection, and the hardware 40 may be provided with a communication header monitoring unit that performs layer 3 and layer 4 inspection.
(Communication monitoring unit)
The communication monitoring unit 101 includes an abnormality determination unit 102B, and monitors the area other than the header of the communication data monitored by the communication header monitoring unit 100, that is, the payload information. The payload information includes, for example, the data, the reception cycle, and the reception frequency of the communication data.
The communication monitoring unit 101 may also monitor the header of the communication data monitored by the communication header monitoring unit 100. By configuring the communication monitoring unit 101 to monitor the header of the communication data in addition to the communication header monitoring unit 100, as a double check, the communication monitoring unit 101 can monitor the header of the communication data even when the communication header monitoring unit 100 is not operating normally.
The abnormality determination unit 102B holds a list of normal communication data as normal values, and has the function of treating newly acquired communication data as a monitoring result and comparing that monitoring result with the normal values. The list of normal communication data is created by a control unit (not shown) of the VM 20 while the control device 10 is operating normally, and is held in memory. The abnormality determination unit 102B acquires and holds this created list by referring to the memory. If the monitoring result and the normal values do not match, the abnormality determination unit 102B determines that the newly acquired communication data is abnormal.
If the abnormality determination unit 102B determines that the newly acquired communication data is abnormal, it can cut off the communication as an abnormality response process. Other abnormality response processes may also be performed. Other abnormality response processes include, for example, switching the communication line, switching from the control device 10 to a standby control device, and degrading the functions of the control device 10. If it determines that the newly acquired communication data is normal, the normal control processing of the control device 10 continues to be executed.
(Attack detection unit)
The attack detection unit 103 is a functional unit that performs a sign determination function for determining whether or not there is a sign of a DoS attack as an incident. If a DoS attack is received, the communication monitoring unit 101 stops functioning, so detecting the sign of a DoS attack prevents the communication monitoring unit 101 from falling into malfunction. Additionally, the attack detection unit 103 may perform an attack end determination function that determines that no attack is under way once the DoS attack has subsided. In order to perform the sign determination function and, additionally, the attack end determination function, the attack detection unit 103 includes a communication bandwidth monitoring unit 106, a resource monitoring unit 107, a memory monitoring unit 108, and an attack determination unit 120.
(Communication bandwidth monitoring unit)
The communication bandwidth monitoring unit 106 is a functional unit that monitors the communication bandwidth usage, that is, the amount of communication bandwidth that the communication monitoring unit 101 uses when receiving communication data, and determines whether there is headroom in the communication bandwidth. For example, an upper limit is set based on the normal communication bandwidth, and if the bandwidth usage exceeds the set upper limit, an abnormality is determined.
(Resource monitoring unit)
The resource monitoring unit 107 has the function of monitoring the processing load of the communication monitoring unit 101 and determining whether there is headroom in the processing load. For example, the resource monitoring unit 107 compares the normal processor usage rate with the current processor usage rate for the processor assigned to the resource monitoring unit 107, and determines whether there is an abnormality.
(Memory monitoring unit)
The memory monitoring unit 108 has the function of monitoring the memory usage of the communication monitoring unit 101 and determining whether there is headroom in the memory. For example, the memory monitoring unit 108 compares the normal memory usage with the current memory usage for the memory allocated to the memory monitoring unit 108, and determines whether there is an abnormality.
(Attack determination unit)
The attack determination unit 120 determines whether there is a sign of an incident due to a DoS attack based on the monitoring results of the communication bandwidth monitoring unit 106, the resource monitoring unit 107, and the memory monitoring unit 108. The attack determination unit 120 may determine that there is a sign when all of the monitoring results of the communication bandwidth monitoring unit 106, the resource monitoring unit 107, and the memory monitoring unit 108 are abnormal, or may determine that there is a sign when any one of the monitoring results is abnormal. Furthermore, the state of the vehicle may also be taken into account in determining whether there is a sign of an incident. For example, a stricter upper limit on the processing load may be set while the vehicle is travelling.
The attack detection unit 103 may operate based on the abnormality result of the communication monitoring unit 101. For example, it may be configured to operate when the abnormality result of the communication monitoring unit 101 is a reception cycle abnormality.
When the attack detection unit 103 detects a sign of an incident, it transmits a detection result indicating the presence of the sign to the additional information request unit 104 and the update unit 105.
(Additional information request unit)
The additional information request unit 104 is a functional unit that, when the attack detection unit 103 determines that there is a sign of an incident, identifies the sender from the large amount of received communication data and requests that sender to add additional information to the header of the communication data it newly sends. For example, in the case of an attack in which the IP address of a legitimate device is spoofed, a large amount of communication data apparently from the spoofed legitimate device is received, so the additional information request unit 104 treats the spoofed legitimate device as the sender and requests it to add the additional information to the header.
Note that identifying the sender includes not only uniquely identifying the sender's address but also narrowing it down to a certain range.
The additional information is dynamic information that changes with each transmission or over time, or encrypted information obtained by encrypting such dynamic information. Examples of dynamic information include counter values and timestamps.
The additional information request unit 104 may select a random value or a random item as the additional information. As one example, the additional information request unit 104 selects, as the additional information, a counter value that counts up from a random number. As another example, the additional information request unit 104 randomly selects between a counter value and a timestamp as the additional information. In other words, rather than selecting the counter value every time, it sometimes selects the counter value and sometimes selects the timestamp.
The additional information request unit 104 may also request that information encrypted using a predetermined encryption key, described later, be added as the additional information.
In addition, if the attack detection unit 103 no longer detects a sign of an incident after the request to add the additional information has been made, the additional information request unit 104 may issue a removal request to the sender to remove the additional information that it requested the sender to add.
The additional information requested by the additional information request unit 104 is sent to the sender and is also transmitted to the update unit 105. In one embodiment, the additional information may also be transmitted to the encryption unit 109.
(Encryption unit)
The encryption unit 109 is a functional unit that encrypts the additional information requested by the additional information request unit 104. The encryption unit 109 encrypts, for example, a counter value or a timestamp. For the encryption, for example, a MAC (Message Authentication Code), common-key (symmetric) encryption, or public-key encryption is used.
The encryption key used by the encryption unit 109 is assumed to be held in advance by the legitimate sender as well. In other words, the control device 10 and the legitimate sender hold the same common key.
The encryption processing is performed by the VM 20 or by the hardware 40. For example, the encryption is performed using a high-speed HSM (Hardware Security Module).
(Update unit)

The update unit 105 is the functional unit that, when the additional information request unit 104 asks a sender to add additional information to the header of its communication data, makes the update decision to add that additional information to the monitoring items for communication data. The monitoring items of the communication header monitoring unit 100 are updated on the basis of this decision. The update may be performed either by the update unit 105 itself or by the communication header monitoring unit 100; in the latter case the update unit 105 sends the communication header monitoring unit 100 an instruction to update its monitoring items in accordance with the decision. Part of the communication data may be monitored as raw binary.

When the additional information request unit 104 has issued a removal request, the update unit 105 may make a corresponding removal update decision to delete the additional information from the monitoring items. The monitoring items of the communication header monitoring unit 100 are then updated on the basis of that decision, that is, the additional information is removed from them.
(Details of the anomaly determination method)

The detailed procedure by which the communication header monitoring unit 100 determines that communication data is abnormal is described below with reference to FIG. 2 to FIG. 4.

FIG. 2 shows the case in which the additional information has been added to the monitoring items of the communication header monitoring unit 100 and communication data whose header carries no additional information is determined to be abnormal. A newly connected unauthorized device B is attempting a DoS attack on the control device 10 by spoofing the IP address that appears in the header of legitimate device A.

In the control device 10, the attack detection unit 103 detects a sign of an incident (a DoS attack). When the sign is detected, the additional information request unit 104 identifies the sender from the large volume of received communication data and requests that sender to add additional information. Also when the sign is detected, the update unit 105 makes the update decision to add the additional information to the monitoring items of the communication header monitoring unit 100, and the additional information is added to those monitoring items on the basis of that decision.

The control device 10 (additional information request unit 104) requests the sender, legitimate device A, to add the additional information. Unauthorized device B is merely spoofing device A's address, so the communication data carrying the request does not reach device B.

After the request, legitimate device A sends communication data to the control device 10 with the additional information in the header. In the control device 10, the abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from legitimate device A is normal.

Unauthorized device B, on the other hand, sends communication data to the control device 10 with no additional information in the header. The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from unauthorized device B is abnormal. When data is determined to be abnormal, the communication header monitoring unit 100 may block the communication from unauthorized device B. Because device B's header is identical to device A's apart from the missing additional information, the block has to act on the packets that fail the check rather than on the source address; otherwise legitimate device A would be cut off as well.

In this way an abnormality in the communication data can be detected even when the attack uses a spoofed IP address. And because the abnormal communication is blocked on the strength of the sign of a DoS attack, the device can cope with the DoS attack that follows.

FIG. 3 shows the case in which the additional information has been added to the monitoring items of the communication header monitoring unit 100 and communication data whose header carries incorrect additional information is determined to be abnormal. The newly connected unauthorized device B eavesdrops on legitimate device A's communication, spoofs the IP address in device A's header and copies the additional information it observed into its own headers, in an attempt to launch a DoS attack on the control device 10.

In the control device 10, the attack detection unit 103 detects a sign of an incident. When the sign is detected, the additional information request unit 104 identifies the sender from the large volume of received communication data and requests that sender to add additional information; in the example of FIG. 3 the additional information is a counter value. Also when the sign is detected, the update unit 105 makes the update decision to add the additional information to the monitoring items of the communication header monitoring unit 100, and the additional information is added to those monitoring items on the basis of that decision.

The control device 10 (additional information request unit 104) requests the sender, legitimate device A, to add the additional information. Unauthorized device B is merely spoofing device A's address, so the communication data carrying the request does not reach device B. By eavesdropping on device A's communication, however, device B observes that additional information is now being attached.

After the request, legitimate device A sends communication data to the control device 10 with the correct additional information, counter value 1, in the header. The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from legitimate device A is normal.

Unauthorized device B, on the other hand, eavesdrops on device A's communication, spoofs device A's IP address and sends communication data to the control device 10 carrying the eavesdropped additional information, counter value 1. The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from unauthorized device B is abnormal, because the counter value has not been counted up. When data is determined to be abnormal, the communication header monitoring unit 100 may block the communication from unauthorized device B.

In this way an abnormality in the communication data can be detected when a replay attack is launched with a spoofed IP address. And because the abnormal communication is blocked on the strength of the sign of a DoS attack, the device can cope with the DoS attack that follows.

FIG. 4 shows the case in which the additional information has been added to the monitoring items of the communication header monitoring unit 100 and communication data whose header carries incorrect encrypted additional information is determined to be abnormal. The newly connected unauthorized device B eavesdrops on legitimate device A's communication, forges the MAC (media access control) address in device A's header and, impersonating device A, copies the additional information into the data it sends to the control device 10, in an attempt to launch a DoS attack. (The MAC address here is unrelated to the message authentication code that the encryption unit 109 may use.)

In the control device 10, the attack detection unit 103 detects a sign of an incident. When the sign is detected, the additional information request unit 104 identifies the sender from the large volume of received communication data and requests that sender to add additional information consisting of specified information in encrypted form; in the example of FIG. 4 the additional information is an encrypted counter value. Also when the sign is detected, the update unit 105 makes the update decision to add the additional information to the monitoring items of the communication header monitoring unit 100, and the additional information is added to those monitoring items on the basis of that decision.

The control device 10 (additional information request unit 104) requests the sender, legitimate device A, to add additional information consisting of an encrypted counter value. Because unauthorized device B has forged device A's MAC address, in this case the communication data carrying the request reaches device B as well.

After the request, legitimate device A sends communication data to the control device 10 with the encrypted counter value, additional information 0110, in the header. The abnormality determination unit 102A determines from the monitoring result of the communication header monitoring unit 100 that the communication data from legitimate device A is normal.

Unauthorized device B, on the other hand, eavesdrops on device A's communication, spoofs device A's header and sends communication data carrying the eavesdropped additional information 0110. The abnormality determination unit 102 determines from the monitoring result of the communication header monitoring unit 100 that the communication data from unauthorized device B is abnormal, because the additional information is not the encryption of the counted-up counter value. When data is determined to be abnormal, the communication header monitoring unit 100 may block the communication from unauthorized device B.

In this way an abnormality in the communication data can be detected when a replay attack is launched with a forged MAC address. The encrypted form matters here because the request itself reached device B: with a plaintext counter, device B could simply have counted up the value it sniffed, whereas producing the encrypted value requires the key that only the legitimate sender holds. And because the abnormal communication is blocked on the strength of the sign of a DoS attack, the device can cope with the DoS attack that follows.
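The three scenarios above can be exercised end to end in a few dozen lines. The following Python is an example added by the editor, not code from the patent or from Mitsubishi Electric: it models legitimate device A, the header monitor of the control device 10 and the spoofing device B, with the "encrypted counter" of FIG. 4 realised as a truncated HMAC-SHA256 under a constructed shared key. The class and field names (HeaderMonitor, add_info, src_ip), the 4-byte tag length, the strict equality on the counter and the sample payloads are assumptions for illustration, not details given on the page.

```python
"""Additional-information check of FIG. 2 to FIG. 4 (constructed example, not the patent's code)."""
import hashlib
import hmac
import secrets

# Constructed pre-shared key. The page only states that the control device and
# the legitimate sender hold the same common key in advance.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 4  # bytes of the tag carried in the header (assumption: header space is scarce)


def mac_of_counter(counter: int, key: bytes = SHARED_KEY) -> bytes:
    """The 'encrypted counter' of FIG. 4, realised here as a truncated HMAC-SHA256."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:TAG_LEN]


class LegitimateSender:
    """Device A: honours the request and attaches the additional information."""

    def __init__(self, ip: str, key: bytes = SHARED_KEY):
        self.ip, self.key = ip, key
        self.mode = None       # None, "counter" or "mac"
        self.counter = 0

    def on_request(self, mode: str, start: int) -> None:
        self.mode, self.counter = mode, start

    def on_removal_request(self) -> None:
        self.mode = None

    def send(self, payload: bytes) -> dict:
        header = {"src_ip": self.ip}
        if self.mode == "counter":
            header["add_info"] = self.counter
        elif self.mode == "mac":
            header["add_info"] = mac_of_counter(self.counter, self.key)
        if self.mode is not None:
            self.counter += 1  # dynamic information: a new value on every transmission
        return {"header": header, "payload": payload}


class HeaderMonitor:
    """Control device side. The add_info monitoring item is switched on and off
    by the update decisions of the update unit."""

    def __init__(self, allowed_ips):
        self.allowed_ips = set(allowed_ips)
        self.mode = None       # add_info monitoring item: None, "counter" or "mac"
        self.expected = None   # next counter value expected from the sender

    def request_additional_info(self, mode: str, start=None) -> int:
        """Returns the random start value that the request to the sender carries."""
        if start is None:
            start = secrets.randbelow(1 << 31)  # counter counts up from a random number
        self.mode, self.expected = mode, start
        return start

    def remove_additional_info(self) -> None:
        self.mode = self.expected = None

    def check(self, packet: dict) -> str:
        header = packet["header"]
        if header.get("src_ip") not in self.allowed_ips:
            return "abnormal"
        if self.mode is None:            # no add_info item: ordinary header check only
            return "normal"
        got = header.get("add_info")
        if got is None:                  # FIG. 2: the field is missing
            return "abnormal"
        if self.mode == "counter":       # FIG. 3: a replayed value was not counted up
            ok = got == self.expected
        else:                            # FIG. 4: tag must be the MAC of the counted-up value
            ok = isinstance(got, bytes) and hmac.compare_digest(got, mac_of_counter(self.expected))
        if not ok:
            return "abnormal"
        self.expected += 1
        return "normal"


def run_scenario(mode: str, start=None) -> dict:
    """A complies with the request; B spoofs A's source address and replays what it sniffed."""
    monitor = HeaderMonitor(allowed_ips={"10.0.0.2"})
    device_a = LegitimateSender("10.0.0.2")
    # The request reaches A only; B is merely spoofing A's address (FIG. 2 and FIG. 3).
    device_a.on_request(mode, monitor.request_additional_info(mode, start))

    first = device_a.send(b"speed=42")
    verdicts = {"A_first": monitor.check(first)}
    # B sends with A's address but without the field (FIG. 2) ...
    verdicts["B_missing"] = monitor.check({"header": {"src_ip": "10.0.0.2"}, "payload": b"speed=42"})
    # ... and replays the header it sniffed from A verbatim (FIG. 3 / FIG. 4).
    verdicts["B_replay"] = monitor.check({"header": dict(first["header"]), "payload": b"speed=42"})
    verdicts["A_second"] = monitor.check(device_a.send(b"speed=43"))  # A is still in step
    # The sign has gone: removal request, and a plain header from A is normal again.
    monitor.remove_additional_info()
    device_a.on_removal_request()
    verdicts["A_after_removal"] = monitor.check(device_a.send(b"speed=44"))
    return verdicts


if __name__ == "__main__":
    for m in ("counter", "mac"):
        print(m, run_scenario(m))
```

Two practical points follow from the model. Device B carries device A's address, so "blocking B" can only mean dropping the packets that fail the check, as `check` does; keying a block on the source address would silence device A. And the strict equality on the counter means that one lost packet from device A desynchronises it permanently; a real receiver would accept a small window of future values, which is a design choice the page does not discuss. A plaintext counter also stops only verbatim replay: an eavesdropper who sees value 1 can send value 2, which is why the random starting value is presented as raising the odds rather than as a guarantee, and why FIG. 4 moves to the keyed form.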
<Operation>

The operation of the control device 10 in the cyber-attack detection method is described below with reference to FIG. 5 to FIG. 7.

(Abnormality detection process when not under DoS attack)

First, the abnormality detection process that the control device 10 performs when it is not under a DoS attack is described in detail with reference to FIG. 5. FIG. 5 is a flowchart of the sequence from reception of communication data, through the abnormality determination, to processing of the determination result.

In step S201, the communication header monitoring unit 100 receives communication data. Processing then proceeds to step S202.

In step S202, the communication header monitoring unit 100 inspects the header of the communication data. The abnormality determination unit 102A compares the monitoring result of the communication header monitoring unit 100 with the list of normal-time communication data and determines whether there is an abnormality due to unauthorized data. If an abnormality is determined in step S202, processing proceeds to step S204; if not (the data is normal), processing proceeds to step S203.

In step S203, the communication monitoring unit 101 inspects the data in the region of the communication data other than the header. The abnormality determination unit 102B compares the monitoring result of the communication monitoring unit 101 with the list of normal-time communication data and determines whether there is an abnormality due to unauthorized data. If an abnormality is determined in step S203, processing proceeds to step S204; if the data is determined to be normal, processing proceeds to step S205.

If the abnormality determination unit 102A or the abnormality determination unit 102B has determined an abnormality, that unit performs abnormality processing in step S204, for example blocking the communication determined to be abnormal. After step S204 the abnormality detection process ends.

If both the abnormality determination unit 102A and the abnormality determination unit 102B have determined the data to be normal, they perform normal processing in step S205, meaning the ordinary control processing. After step S205 the abnormality detection process ends.
(Sign determination process for a DoS attack)

Next, the sign determination process in which the control device 10 determines whether there is a sign of a DoS attack is described in detail with reference to FIG. 6. FIG. 6 is a flowchart of the sequence from determining the sign of an incident (DoS attack), through identifying the sender and requesting the sender to add additional information, to updating the header monitoring items to include the additional information.

In step S301, the communication bandwidth monitoring unit 106 monitors the communication bandwidth handled by the communication monitoring unit 101, and determines an abnormality if the bandwidth exceeds a predetermined threshold. If an abnormality is determined in step S301, processing proceeds to step S302.

In step S302, the resource monitoring unit 107 monitors the processing load of the communication monitoring unit 101, and determines an abnormality if the load exceeds a predetermined threshold. If an abnormality is determined in step S302, processing proceeds to step S303.

In step S303, the memory monitoring unit 108 monitors the memory usage of the communication monitoring unit 101, and determines an abnormality if the usage exceeds a predetermined threshold. If an abnormality is determined after step S303, processing proceeds to step S304. Steps S301, S302 and S303 may be performed in any order.

In step S304, the attack determination unit 120 determines whether there is a sign of an incident caused by a DoS attack, based on the abnormality results of the communication bandwidth monitoring unit 106, the resource monitoring unit 107 and the memory monitoring unit 108. It may determine that there is a sign of an incident when any one of those results indicates an abnormality. If a sign of an incident is determined in step S304, processing proceeds to step S305.

In step S305, the additional information request unit 104 identifies the sender from the large volume of received data. Processing then proceeds to step S306.

In step S306, the additional information request unit 104 requests the identified sender to add additional information. It may request encrypted information as the additional information; in that case the encryption unit 109 encrypts the expected value of the monitoring item (for example a counter value) and the encrypted data becomes the additional information. Processing then proceeds to step S307.

In step S307, the update unit 105 makes the update decision to add the additional information that the additional information request unit 104 requested of the sender as a monitoring item for communication data. On the basis of this decision, in one example the update unit 105 adds the requested additional information to the monitoring items of the communication header monitoring unit 100; in another example the communication header monitoring unit 100 adds it itself. After step S307 the incident sign determination process ends.
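The sequence S301 to S307, together with the removal request that is issued when the sign disappears, as an added Python example (editor's code, not the patent's): the three threshold monitors, the any-of rule of S304, identification of the sender as the address contributing most of the received bytes, and the update of the header monitoring items in both directions. The threshold values, the 50 % share rule, the monitoring item names and the two constructed traffic windows are assumptions for illustration; the page gives no numbers.

```python
"""FIG. 6 sign determination with the removal path (constructed example, not the patent's code)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Thresholds:
    bandwidth_bps: int     # communication bandwidth monitoring unit 106
    cpu_load: float        # resource monitoring unit 107 (fraction of the monitor's CPU budget)
    memory_bytes: int      # memory monitoring unit 108


@dataclass
class MonitorState:
    items: list = field(default_factory=lambda: ["src_ip", "dst_port"])  # header monitoring items
    add_info_active: bool = False
    requested: set = field(default_factory=set)  # senders currently asked to add the field


def has_sign(sample: dict, thr: Thresholds) -> bool:
    """S301 to S304 with the any-of rule: one monitor over its threshold is enough."""
    return (sample["bandwidth_bps"] > thr.bandwidth_bps
            or sample["cpu_load"] > thr.cpu_load
            or sample["memory_bytes"] > thr.memory_bytes)


def identify_senders(packets: list, share: float = 0.5) -> list:
    """S305. Assumption: 'identify the sender from the large volume of received data' is
    read as the source address(es) contributing at least `share` of the bytes in the window."""
    bytes_by_src = Counter()
    for p in packets:
        bytes_by_src[p["src_ip"]] += p["length"]
    total = sum(bytes_by_src.values()) or 1
    return [ip for ip, n in bytes_by_src.most_common() if n / total >= share]


def sign_determination(sample: dict, packets: list, thr: Thresholds, state: MonitorState) -> list:
    """One pass of FIG. 6. Returns the (src_ip, action) requests to send to the senders."""
    requests = []
    if has_sign(sample, thr):
        if not state.add_info_active:
            for ip in identify_senders(packets):
                requests.append((ip, "add"))      # S306: ask the sender to add the field
                state.requested.add(ip)
            if "add_info" not in state.items:
                state.items.append("add_info")    # S307: update the header monitoring items
            state.add_info_active = True
    elif state.add_info_active:                    # sign gone: removal request and removal update
        for ip in sorted(state.requested):
            requests.append((ip, "remove"))
        state.requested.clear()
        state.items.remove("add_info")
        state.add_info_active = False
    return requests


# Constructed thresholds and one-second samples; real values depend on the ECU.
THR = Thresholds(bandwidth_bps=20_000_000, cpu_load=0.7, memory_bytes=64 << 20)
CALM = {"bandwidth_bps": 2_000_000, "cpu_load": 0.15, "memory_bytes": 12 << 20}
FLOOD = {"bandwidth_bps": 95_000_000, "cpu_load": 0.9, "memory_bytes": 70 << 20}

# Constructed per-window packet summaries. During the flood, device B sends with
# device A's spoofed address, so the identified sender is A's address and the
# request goes to A, as in FIG. 2.
CALM_PACKETS = [{"src_ip": "10.0.0.2", "length": 64}, {"src_ip": "10.0.0.3", "length": 128}]
FLOOD_PACKETS = [{"src_ip": "10.0.0.2", "length": 1400}] * 500 + [{"src_ip": "10.0.0.3", "length": 128}] * 5


if __name__ == "__main__":
    state = MonitorState()
    for name, sample, pkts in (("calm", CALM, CALM_PACKETS), ("flood", FLOOD, FLOOD_PACKETS),
                               ("calm", CALM, CALM_PACKETS)):
        print(name, sign_determination(sample, pkts, THR, state), state.items)
```

Because the sender is identified by source address, what the flood reveals is the address being spoofed, i.e. the legitimate device, which is exactly the premise of FIG. 2. An attacker spraying many spoofed addresses would trigger one request per address, and samples that hover around a threshold would toggle the monitoring item on and off; a deployment would add hysteresis or a minimum hold time, which is an engineering choice the page leaves open.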
(Abnormality detection process when a sign of a DoS attack has been detected)

Next, the abnormality detection process performed when the control device 10 has detected a sign of a DoS attack is described in detail with reference to FIG. 7. FIG. 7 is a flowchart of the sequence from reception of communication data, through the abnormality detection, to processing of the determination result.

In step S401, the communication header monitoring unit 100 receives communication data. Processing then proceeds to step S402.

In step S402, the communication header monitoring unit 100 inspects the header of the communication data. The abnormality determination unit 102A compares the monitoring result of the communication header monitoring unit 100 with the list of normal-time communication data to which the additional information has been added, and determines whether there is an abnormality due to unauthorized data. If an abnormality is determined in step S402, processing proceeds to step S404; if not (the data is normal), processing proceeds to step S403.

In step S403, the communication monitoring unit 101 inspects the data in the region of the communication data other than the header. The abnormality determination unit 102B compares the monitoring result of the communication monitoring unit 101 with the list of normal-time communication data and determines whether there is an abnormality due to unauthorized data. If an abnormality is determined in step S403, processing proceeds to step S404; if the data is determined to be normal, processing proceeds to step S405.

If the abnormality determination unit 102A or the abnormality determination unit 102B has determined an abnormality, that unit performs abnormality processing in step S404, for example blocking the communication determined to be abnormal. After step S404 the abnormality detection process ends.

If both the abnormality determination unit 102A and the abnormality determination unit 102B have determined the data to be normal, they perform normal processing in step S405, meaning the ordinary control processing. After step S405 the abnormality detection process ends.
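FIG. 5 and FIG. 7 differ only in whether the additional information is one of the header monitoring items. The following Python, an example added here rather than code from the patent, runs the same constructed traffic through the two-stage check of S401 to S405 with and without that item and counts how many packets reach the payload stage, which is the load-reduction point made for the header-level block. The allow-list shapes (sets of permitted header values, a per-message-id length range for the payload), the fixed expected value 7 standing in for the additional information, and the traffic itself are assumptions for illustration.

```python
"""Two-stage inspection of FIG. 5 / FIG. 7 (constructed example, not the patent's code)."""
from dataclasses import dataclass


@dataclass
class NormalLists:
    """The 'list of normal-time communication data', split into its header and payload parts."""
    header: dict                    # header field -> set of allowed values
    payload: dict                   # first payload byte (message id) -> (min_len, max_len)
    add_info_expected: object = None  # set only while the additional information is a monitoring item


@dataclass
class Stats:
    header_checked: int = 0
    payload_checked: int = 0
    blocked: int = 0
    normal: int = 0


def header_ok(header: dict, lists: NormalLists) -> bool:
    """S402: every monitored header item must be on the list; add_info only while it is an item."""
    for name, allowed in lists.header.items():
        if header.get(name) not in allowed:
            return False
    if lists.add_info_expected is not None and header.get("add_info") != lists.add_info_expected:
        return False
    return True


def payload_ok(payload: bytes, lists: NormalLists) -> bool:
    """S403: the message id must be known and the length within its normal range."""
    if not payload:
        return False
    bounds = lists.payload.get(payload[0])
    return bounds is not None and bounds[0] <= len(payload) <= bounds[1]


def inspect(packet: dict, lists: NormalLists, stats: Stats) -> str:
    """S401 to S405: header stage first; the payload stage sees only what passed it."""
    stats.header_checked += 1
    if not header_ok(packet["header"], lists):    # S402 -> S404
        stats.blocked += 1
        return "blocked"
    stats.payload_checked += 1
    if not payload_ok(packet["payload"], lists):  # S403 -> S404
        stats.blocked += 1
        return "blocked"
    stats.normal += 1                             # S405
    return "normal"


def run(packets: list, lists: NormalLists):
    stats = Stats()
    return [inspect(p, lists, stats) for p in packets], stats


# Constructed traffic: one compliant packet from device A, five flood packets carrying
# A's address but no additional information, and one packet from A with an over-long payload.
LEGIT = {"src_ip": "10.0.0.2", "dst_port": 5000}
PACKETS = (
    [{"header": {**LEGIT, "add_info": 7}, "payload": b"\x01" + b"\x00" * 7}]
    + [{"header": dict(LEGIT), "payload": b"\x01" + b"\x00" * 7} for _ in range(5)]
    + [{"header": {**LEGIT, "add_info": 7}, "payload": b"\x01" + b"\x00" * 40}]
)
HEADER_LIST = {"src_ip": {"10.0.0.2"}, "dst_port": {5000}}
PAYLOAD_LIST = {0x01: (8, 16)}

FIG5_LISTS = NormalLists(HEADER_LIST, PAYLOAD_LIST)                        # no sign: no add_info item
FIG7_LISTS = NormalLists(HEADER_LIST, PAYLOAD_LIST, add_info_expected=7)   # sign detected: add_info item


if __name__ == "__main__":
    for name, lists in (("FIG. 5", FIG5_LISTS), ("FIG. 7", FIG7_LISTS)):
        verdicts, stats = run(PACKETS, lists)
        print(name, verdicts, stats)
```

With the FIG. 5 lists the five flood packets are indistinguishable from device A's traffic at both stages and all of them consume a payload inspection; with the FIG. 7 lists they are dropped at the header stage and only the two genuine packets reach the payload monitor. The fixed expected value is a simplification: with a counter or an encrypted counter the expected value advances per accepted packet, but the staging of the check is unchanged.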
Embodiment 1 above described an example in which the cyber-attack detection device of the present disclosure is used as an in-vehicle electronic control device. The cyber-attack detection device of the present disclosure is not limited to this example: it can also be used as any device connected to a communication line that requires both high security strength and a mechanism for detecting abnormalities early.

Embodiment 1 described above provides the following effects.

One aspect of the control device (cyber-attack detection device) of the present disclosure comprises: a communication header monitoring unit (100) that monitors the header of received communication data; a communication monitoring unit (101) that monitors the payload of the communication data; an attack detection unit (103) that detects, from the communication data, a sign of a DoS attack that would cause the communication monitoring unit to malfunction; an additional information request unit (104) that, when the sign is detected, identifies the sender from the communication data and requests the identified sender to add additional information to the header of the communication data it transmits from then on; and an update unit (105) that, when the sign is detected, makes the update decision to add the additional information as a monitoring item. The communication header monitoring unit (100) adds the additional information as a monitoring item on the basis of the update decision, and determines newly received communication data to be abnormal if the additional information is absent from its header or if the information added to its header does not match the additional information.

In this way a sign of a DoS attack is detected, the sender is asked to add additional information to the header of the data it transmits, and the received data is monitored for the presence of the requested additional information. Because the countermeasure is applied in advance, before the DoS attack proper is carried out, the control device (cyber-attack detection device) of the present disclosure can cope with DoS attacks.

According to one aspect of the control device (cyber-attack detection device) of the present disclosure, when the communication header monitoring unit determines newly received communication data to be abnormal, it blocks the communication from that sender. The communication monitoring unit, which monitors the payload, therefore does not have to process the large volume of received data, and its processing load is reduced.

According to one aspect of the control device (cyber-attack detection device) of the present disclosure, if no sign of a DoS attack is detected after the request to add additional information was made, a removal request is made to remove the additional information that was requested. Adding the additional information dynamically in this way increases the chance of thwarting spoofing attacks based on eavesdropping and guessing.

According to one aspect of the control device (cyber-attack detection device) of the present disclosure, the additional information is dynamic information that changes with each transmission or over time. Because the value of the added information changes dynamically, a replay attack using eavesdropped data is defeated.

According to one aspect of the control device (cyber-attack detection device) of the present disclosure, the dynamic information is a timestamp or a counter value; the additional information request unit selects the timestamp or the counter value at random as the additional information, and when the counter value is selected it counts up from a random value. This increases the chance of thwarting spoofing attacks based on eavesdropping and guessing.

One aspect of the control device (cyber-attack detection device) of the present disclosure further comprises an encryption unit (109) that encrypts the dynamic information into encrypted information with a predetermined encryption key. The additional information request unit requests the sender to add, as the additional information, the dynamic information encrypted with that key; the update unit, when the sign is detected, makes the further update decision to add the encrypted information as a monitoring item; and the communication header monitoring unit adds the encrypted information as a monitoring item on the basis of that further decision and determines newly received communication data to be abnormal if the encrypted information is absent from its header or if the information added to its header does not match the encrypted information.

This configuration makes it possible to cope with a DoS attack by impersonation with a forged MAC address.

The embodiments may be combined, and each embodiment may be modified or omitted as appropriate.

The cyber-attack detection device of the present disclosure can be used, for example, as an electronic control device mounted in a vehicle.

10 Control device (cyber-attack detection device), 30 Network switch, 40 Hardware, 50 Hypervisor, 100 Communication header monitoring unit, 101 Communication monitoring unit, 102 (102A, 102B) Abnormality determination unit, 103 Attack detection unit, 104 Additional information request unit, 105 Update unit, 106 Communication bandwidth monitoring unit, 107 Resource monitoring unit, 108 Memory monitoring unit, 109 Encryption unit, 120 Attack determination unit, 401 Processor, 402 Memory.

Claims (10)

  1.  A cyber attack detection device comprising:
     a communication header monitoring unit that monitors the header of received communication data;
     a communication monitoring unit that monitors the payload of the communication data;
     an attack detection unit that detects, from the communication data, a sign of a DoS attack that would cause the communication monitoring unit to malfunction;
     an additional information request unit that, when the sign is detected, identifies the source from the communication data and requests the identified source to add additional information to the header of communication data it newly transmits; and
     an update unit that, when the sign is detected, makes an update decision to add the additional information as a monitoring item,
     wherein the communication header monitoring unit adds the additional information as a monitoring item based on the update decision, and determines that newly received communication data is abnormal if the additional information has not been added to its header, or if the information added to its header does not match the additional information.
  2.  The cyber attack detection device according to claim 1, wherein, when the communication header monitoring unit determines that the newly received communication data is abnormal, it cuts off communication with the source.
  3.  The cyber attack detection device according to claim 1 or 2, wherein the attack detection unit comprises:
     a communication bandwidth monitoring unit that monitors the bandwidth usage of the communication bandwidth used by the communication monitoring unit;
     a resource monitoring unit that monitors the processing load of the communication monitoring unit;
     a memory monitoring unit that monitors the memory usage of the communication monitoring unit; and
     an attack determination unit that determines whether the sign is present based on all or some of the bandwidth usage, the processing load and the memory usage.
  4.  The cyber attack detection device according to any one of claims 1 to 3, wherein, if the sign is no longer detected after the request has been made,
     the additional information request unit issues a removal request to the identified source to remove the additional information it was asked to add,
     the update unit makes a removal update decision to remove the additional information from the monitoring items, and
     the communication header monitoring unit removes the additional information that had been added as a monitoring item, based on the removal update decision.
  5.  The cyber attack detection device according to any one of claims 1 to 4, wherein the additional information is dynamic information that changes with each transmission or over time.
  6.  The cyber attack detection device according to claim 5, wherein the communication header monitoring unit determines that the newly received communication data is abnormal if the value of the dynamic information does not increase, or exceeds a predetermined upper limit.
  7.  The cyber attack detection device according to claim 5 or 6, wherein the dynamic information is a timestamp or a counter value, and
     the additional information request unit selects the timestamp or the counter value at random as the additional information, and when the counter value is selected, the counter value is counted up from a random starting value.
  8.  The cyber attack detection device according to claim 5, further comprising an encryption unit that encrypts the dynamic information into encrypted information using a predetermined encryption key, wherein
     the additional information request unit requests the source to add, as the additional information, the dynamic information encrypted with the encryption key,
     the update unit, when the sign is detected, makes a further update decision to add the encrypted information as a monitoring item, and
     the communication header monitoring unit adds the encrypted information as a monitoring item based on the further update decision, and determines that the newly received communication data is abnormal if the encrypted information has not been added to its header, or if the information added to its header does not match the encrypted information.
  9.  The cyber attack detection device according to claim 8, wherein the dynamic information is a timestamp or a counter value.
  10.  A cyber attack detection method performed by a cyber attack detection device comprising a communication header monitoring unit, a communication monitoring unit, an attack detection unit, an additional information request unit and an update unit, the method comprising:
     a step in which the communication header monitoring unit monitors the header of received communication data;
     a step in which the communication monitoring unit monitors the payload of the communication data;
     a step in which the attack detection unit detects, from the communication data, a sign of a DoS attack that would cause the communication monitoring unit to malfunction;
     a step in which the additional information request unit, when the sign is detected, identifies the source from the communication data and requests the identified source to add additional information to the header of communication data it newly transmits;
     a step in which the update unit, when the sign is detected, makes an update decision to add the additional information as a monitoring item; and
     a step in which the communication header monitoring unit adds the additional information as a monitoring item based on the update decision, and determines that newly received communication data is abnormal if the additional information has not been added to its header, or if the information added to its header does not match the additional information.
Application PCT/JP2022/039427, priority date 2022-10-24, filing date 2022-10-24: Cyber attack detection device and cyber attack detection method, published as WO2024089723A1 (en) on 2024-05-02.

Family ID: 90830305

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004229125A (en) * 2003-01-24 2004-08-12 Sony Corp Transmitter and receiver
JP2007104307A (en) * 2005-10-04 2007-04-19 Matsushita Electric Ind Co Ltd DoS ATTACK DETECTION DEVICE AND METHOD
WO2015159486A1 (en) * 2014-04-17 2015-10-22 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Vehicle-mounted network system, invalidity detection electronic control unit, and invalidity detection method
