JP6846706B2 - Monitoring equipment, monitoring methods and computer programs - Google Patents

Description

The present invention relates to data processing techniques, in particular to monitoring devices, monitoring methods and computer programs.

In recent years, a large number of electronic control units (Electronic Control Units, hereinafter referred to as "ECUs") are mounted on automobiles. The network connecting these ECUs is called an in-vehicle network. There are many standards for in-vehicle networks, but CAN (Controller Area Network) is a widely used standard.

With the electrification of automobiles, it is possible to control actuators such as steering via an in-vehicle network. On the other hand, in order to prevent unauthorized operation of the actuator due to transmission of unauthorized commands on the in-vehicle network, message authentication using a message authentication code (hereinafter referred to as "MAC") is executed. (See, for example, Patent Document 1).

International Publication No. 2013/065689

In the future, with the spread of vehicles that are always connected to the Internet, it is conceivable that a group of devices connected to the vehicle via the Internet (hereinafter, also referred to as "cloud") will constantly monitor the security status of the vehicle. Vehicles that use such cloud services need to report the security status of their vehicles to the cloud, but it is not desirable for the amount of communication to increase excessively.

The present invention has been made in view of the above problems, and one object is to realize a notification to an external device at an appropriate content or timing according to the security state of the own device.

In order to solve the above problems, the monitoring device of an aspect of the present invention includes a receiving unit that receives a frame from a communication network, a first determination that determines whether the frame is invalid based on the result of message authentication for the frame, and a first determination. A second determination is made to determine whether the frame is invalid based on the mode of the frame and a predetermined rule, and the external device is notified according to the combination of the result of the first determination and the result of the second determination. It includes a processing unit that changes at least one of the content or the priority of the report.

Another aspect of the present invention is a monitoring method. This method receives a frame from the communication network and determines whether the frame is invalid based on the result of message authentication for the frame, and whether the frame is invalid based on the mode of the frame and a predetermined rule. The computer determines that the second judgment is performed, and at least one of the content to be notified to the external device or the priority of the notification is changed according to the combination of the result of the first judgment and the result of the second judgment. Executes.

It should be noted that any combination of the above components and the expression of the present invention converted between a computer program, a recording medium on which the computer program is recorded, a vehicle equipped with the present device, and the like are also effective as aspects of the present invention. Is.

According to the present invention, it is possible to realize a notification to an external device at an appropriate content or timing according to the security state of the own device.

It is a figure which shows the structure of the vehicle-mounted network system of 1st Example. It is a block diagram which shows the functional structure of the CGW of FIG. It is a block diagram which shows the functional structure of the ECU of FIG. It is a figure which shows the fraud countermeasure for each fraud detection pattern. It is a flowchart which shows the operation of the CGW of FIG. It is a flowchart which shows the operation of the ECU of FIG. It is a figure which shows the hardware configuration of the CGW of a modification. It is a figure which shows the structure of the vehicle-mounted network system of 2nd Example. It is a block diagram which shows the functional structure of the ECU of FIG. It is a figure which shows the fraud detection pattern. It is a flowchart which shows the operation of the ECU of FIG.

[First Example]
Before explaining the detailed configuration of the first embodiment, an outline will be given first. In the in-vehicle network system of the embodiment, message authentication using MAC (hereinafter, also referred to as "MAC verification") and behavior verification for a frame (in other words, a command) flowing through the in-vehicle network are used together. Behavior verification can be said to be a behavior detection technology and an intrusion detection technology. For the behavior verification, for example, the technique described in "Japanese Patent Laid-Open No. 2014-146868" may be applied. In the in-vehicle network system of the embodiment, both the result of MAC verification and the result of behavior verification are comprehensively judged, and a fraud countermeasure action (in other words, a defense action) is executed.

FIG. 1 shows the configuration of the in-vehicle network system of the first embodiment. The vehicle-mounted network system 12 of the embodiment is a communication system constructed in the vehicle 10 and has a function as a fraud detection system in the vehicle-mounted network. The in-vehicle network system 12 includes an ECU 14a, an ECU 14b, an ECU 14c, an ECU 14d, an IVI device 16, an OBD adapter 18, a CGW 20, and a CMI 22 which are collectively referred to as the ECU 14. These devices are connected via CAN 24.

Each of the plurality of ECUs 14 is connected to a sensor or actuator (not shown), transmits a frame indicating the detection content by the sensor to the CAN 24, or controls the actuator based on a command indicated by the frame received from the CAN 24. Of the plurality of buses of the CAN 24, the ECU 14a connected to the power train bus 26a is, for example, an engine ECU. Further, the ECU 14b connected to the driving support bus 26b is, for example, a steering ECU. The ECU 14c connected to the chassis bus 26c is, for example, a suspension ECU. The ECU 14d connected to the body bus 26d is, for example, a power window ECU.

The IVI (In-Vehicle Infotainment) device 16 is an information device that presents various information to an occupant, for example, a car navigation device. The IVI device 16 is connected to an external communication network 28 which is a communication network (Internet or the like) outside the vehicle 10. The vehicle 10 is connected to the rule generator 29 via the external communication network 28. The rule generation device 29 is a server that generates a behavior rule described later. The OBD adapter 18 is an adapter that outputs various information flowing through the CAN 24, for example, information indicating an operating state of the vehicle 10 to an external device. The IVI device 16 and the OBD adapter 18 are connected to the external bus 26e among the plurality of buses of the CAN 24. The external bus 26e is a bus through which a frame transmitted from a device other than the ECU 14 flows. The frame flowing through the external bus 26e includes, for example, a frame transmitted from the device on the external communication network 28 side and a frame transmitted from the device connected to the OBD adapter 18.

The CGW (Central GateWay) 20 is a gateway ECU that is connected to a plurality of buses of the CAN 24 and executes frame relay processing and routing processing between the buses. The CMI (Centralized Monitoring and Interceptor) 22 is an ECU connected to a plurality of buses of the CAN 24 and monitoring a frame flowing through each bus. As a modification, the CMI 22 may be configured not to be connected to the CAN 24, in other words, the vehicle-mounted network system 12 may not include the CMI 22.

In the embodiment, the monitoring module is introduced into a plurality of devices corresponding to message authentication using MAC. Specifically, a monitoring module is introduced into the CGW 20 and some ECUs 14. The CGW 20 and the ECU 14 in which the monitoring module is introduced function as a monitoring device that monitors fraudulent frames (in other words, fraudulent commands) flowing through the CAN 24 and executes fraud countermeasures. As a modification, (1) a configuration in which the monitoring module is installed only in the CGW 20 may be used, (2) a configuration in which the monitoring module is installed only in the CMI 22 may be used, and (3) monitoring is performed only on the ECU 14 corresponding to message authentication using MAC. It may be configured to introduce a module.

FIG. 2 is a block diagram showing a functional configuration of the CGW 20 of FIG. The CGW 20 includes a frame receiving unit 30, a frame transmitting unit 32, a MAC verification unit 34, a behavior verification unit 36, and a fraud countermeasure unit 38. When the CMI 22 of FIG. 1 includes a monitoring module, the functional configuration of the CMI 22 is the same as that of FIG. Further, one processing unit may be configured as a monitoring module including the MAC verification unit 34, the behavior verification unit 36, and the fraud countermeasure unit 38.

Each block shown in the block diagram of the present specification can be realized by an element such as a computer CPU / memory or a mechanical device in terms of hardware, and can be realized by a computer program or the like in terms of software. Then, I draw a functional block realized by their cooperation. Those skilled in the art will understand that these functional blocks can be realized in various ways by combining hardware and software. For example, a computer program including a module corresponding to each block of FIG. 2 may be stored in the memory of the CGW 20. The CPU of the CGW 20 may exert the function of each block by appropriately reading and executing the computer program.

The frame receiving unit 30 receives a frame from each bus of the CAN 24. The frame receiving unit 30 inputs the data of the received frame together with the identification information of the bus that received the frame to the fraud countermeasure unit 38 via the MAC verification unit 34 and the behavior verification unit 36. The frame transmission unit 32 transmits a frame to each bus of the CAN 24. For example, the frame transmission unit 32 transfers a frame received from a certain bus to another bus other than that bus.

The MAC verification unit 34 executes message authentication for a frame received by the frame receiving unit 30 (hereinafter, also referred to as a “target frame”). For example, the MAC verification unit 34 generates a MAC based on a predetermined common key for message authentication (hereinafter referred to as “MAC key”). The MAC verification unit 34 compares the generated MAC with the MAC previously added to the target frame by the source device (for example, ECU 14). The MAC verification unit 34 determines that the message authentication was successful when both MACs match, and determines that the message authentication failed when both MACs do not match. If the message authentication is successful, the MAC verification unit 34 determines that the target frame is valid, and if the message authentication fails, the MAC verification unit 34 determines that the target frame is invalid.

The behavior verification unit 36 determines whether or not the target frame is invalid based on the mode of the target frame and the predetermined behavior rule as the behavior verification process. The behavior verification unit 36 holds the behavior rules provided by the rule generation device 29 in a predetermined storage area. Behavioral rules include provisions regarding the format of frames (in other words, messages). The rules regarding the format specifically include the rules for fixed values in ID, DLC (data length code), payload, and the like. For example, the behavior rule may specify that a specific fixed value is set at a predetermined position in the frame.

The behavior rules also include provisions regarding the behavior of the frame. The behavioral provisions specifically include variable value provisions for period, frequency, and payload. For example, the behavior rule may include provisions for a range or difference in the time interval from the previous frame reception to the current frame reception for each of the plurality of IDs (which can also be called a frame ID or CAN-ID). In addition, the behavior rule limits the difference (allowable range, etc.) from the previously received frame for the data item set at the predetermined position of the payload or the data item with the predetermined name in the payload for each frame ID. It may be included.

Note that the behavior rules can include both blacklists and whitelists. The behavior verification unit 36 determines that the target frame is invalid when the target frame satisfies the rule as a blacklist. Further, the behavior verification unit 36 determines that the target frame is invalid when the target frame deviates from the rule as a white list.

The fraud countermeasure unit 38 performs processing related to the target frame (also referred to as “command countermeasure”) and a frame transmission source according to the combination of the fraud determination result by the MAC verification unit 34 and the fraud determination result by the behavior verification unit 36. At least one of the processes related to the device (also referred to as "ECU countermeasure") is executed. When the target frame is determined to be valid by both the MAC verification and the behavior verification, the fraud countermeasure unit 38 passes the target frame to the frame transmission unit 32 and causes the CAN 24 to transmit the target frame.

The fraud countermeasure unit 38 includes an invalidation unit 40, a reception frame storage unit 42, a log storage unit 44, a rule update unit 46, a configuration information storage unit 48, a target detection unit 50, a program update unit 52, and a key update unit 54.

The invalidation unit 40 executes a process of erasing the target frame existing on the bus of the CAN 24 as a process of invalidating the target frame. Specifically, the invalidation unit 40 generates an error frame for the target frame, and causes the frame transmission unit 32 to output the error frame to the CAN 24. As a result, the target frame in another device (ECU 14 or the like) on the CAN 24 is also invalidated. For frame invalidation processing, the non-patent document "T. Matsumoto, M. Hata, M. Tanabe, K. Yoshioka, and K. Oishi," A Method of Preventing Unauthorized Data Transmission in Controller Area Network, "Vehiclular Technology Conference , 2012. ”may be applied. The CGW 20 of the embodiment executes the invalidation process for the invalid frame, but may execute the discard process (in other words, the filter process) for the invalid frame as in the ECU 14 described later.

The reception frame storage unit 42 stores and stores a plurality of frames received by the frame reception unit 30 in a predetermined storage area. The reception frame storage unit 42 may sequentially erase frames for which a predetermined time (30 minutes or the like) has passed since they were received from the storage area. The reception frame storage unit 42 may store the frame data in association with the determination result by the MAC verification unit 34 and the determination result by the behavior verification unit 36 for the frame.

When the MAC verification unit 34 determines that the target frame is invalid and the behavior verification unit 36 determines that the target frame is valid, the log storage unit 44 stores at least log data related to the target frame. Then, the stored log data is collected offline (for example, during maintenance at a dealer), and the above determination result is transmitted to the rule generation device 29. As a result, the rule generation device 29 updates the behavior rule so that the target frame is determined to be invalid in the behavior verification. Specifically, the log storage unit 44 stores the rule update instruction data including the past frame whose ID matches the target frame among the frames stored in the reception frame storage unit 42 and the target frame as log data. .. For example, both the target frame and the past frame may specify a steering control command and a steering rotation angle.

The past frame may be a frame in which the combination of the determination result by the MAC verification unit 34 and the determination result by the behavior verification unit 36 is different from the target frame. Therefore, by providing the rule generation device 29 including the past frames, it is possible to support the behavior rule update by the rule generation device 29. Further, the log storage unit 44 may include the determination result by the MAC verification unit 34 and the determination result by the behavior verification unit 36 for each of the past frame and the target frame in the rule update instruction data as log data. Further, among the frames received after the target frame, the frame whose ID matches the target frame may be included in the rule update data.

The rule generation device 29 distributes the generated or updated behavior rule to the vehicle 10 via the external communication network 28. The rule update unit 46 acquires the behavior rule provided by the rule generation device 29 via the CAN 24. Then, the rule update unit 46 passes the acquired behavior rule to the behavior verification unit 36, and updates the behavior rule held by the behavior verification unit 36.

The configuration information storage unit 48 stores attribute information (referred to here as “configuration information”) relating to various components of the CAN 24. The configuration information of the embodiment includes identification information of a bus to which each of the plurality of ECUs 14 is connected, and ID of a frame transmitted by each of the plurality of ECUs 14.

The target detection unit 50 detects an ECU (hereinafter referred to as “target ECU”) that is a target of fraud countermeasures from among the plurality of ECUs 14 based on the presence or absence of fraud in a plurality of frames transmitted from the plurality of ECUs 14. The target detection unit 50 may detect the target ECU based on the fraud rate or the number of frauds of the frame transmitted from each ECU 14. The target ECU can be said to be an illegal ECU or an ECU hijacked by an unauthorized person.

The target detection unit 50 of the embodiment accumulates the number of fraud determinations for each ID for frames determined to be fraudulent at least on one of MAC verification and behavior verification. The target detection unit 50 detects an ID for which the number of fraud determinations exceeds a predetermined threshold value (for example, 5 times), refers to the configuration information storage unit 48, and transmits the frame of the ID to the target ECU. Detect as.

Hereinafter, four types of configurations for ECU countermeasures will be described, but in reality, any one of the countermeasures may be executed, or a combination of two or more countermeasures may be executed.

(1) The invalidation unit 40 refers to the configuration information storage unit 48 and executes a process of invalidating the frames of all IDs that can be transmitted from the target ECU. (2) The invalidation unit 40 identifies the bus of the CAN 24 to which the target ECU is connected with reference to the configuration information storage unit 48, and invalidates all the frames received by the frame receiving unit 30 from the identified bus. Execute the process.

(3) The program update unit 52 executes a process (that is, reprogramming) for updating the computer program stored in the ROM of the target ECU. For example, the CGW 20 may hold a regular program for each individual ECU 14 in advance, and the program update unit 52 may overwrite and save the regular program for the target ECU in the ROM of the target ECU. Further, the program update unit 52 may acquire a regular program for the target ECU from an external server via the external communication network 28 and overwrite and save it in the ROM of the target ECU.

(4) The key update unit 54 updates the MAC key, which is a common key used across the plurality of ECUs 14. The key update unit 54 distributes the updated MAC key to a plurality of ECUs 14. As will be described later, the key update unit 54 transmits the updated MAC key to all the ECUs 14 according to the combination of the result of the MAC verification and the result of the behavior verification, and changes the MAC key used by all the ECUs 14. .. Alternatively, the key update unit 54 transmits the updated MAC key to the remaining ECU 14 excluding the target ECU to change the MAC key used by the ECU 14 other than the target ECU. The key update unit 54 may distribute a MAC key encrypted using a predetermined key (a key different from the MAC key) for each EUC to each ECU.

In the embodiment, the key update unit 54 is a case where the target frame is determined to be valid by the MAC verification unit 34 and the target frame is determined to be invalid by the behavior verification unit 36, and the target frame is transmitted from other than the ECU 14. When the frame is received from the bus (external bus 26e in the embodiment) through which the frame flows, the MAC keys used by all the ECUs 14 are updated. In the case of this judgment, the MAC key has been leaked because the MAC verification was successful. In addition, the fraudulent frame is injected from the outside. Therefore, by updating the MAC keys used by all the ECUs 14, the risk of leakage of the MAC keys is eliminated and the security is improved.

On the other hand, when an unauthorized frame is received from a bus other than the external bus 26e (powertrain bus 26a, etc.), it is assumed that the target ECU is hijacked by the unauthorized person and the MAC key can be used by the unauthorized person. .. Therefore, when the illegal frame is received from a bus other than the external bus 26e, the key update unit 54 updates the MAC key used by the ECU 14 other than the target ECU.

FIG. 3 is a block diagram showing a functional configuration of the ECU 14 of FIG. FIG. 3 shows the functional configuration of the ECU 14 corresponding to the message authentication using the MAC among the plurality of ECUs 14 of FIG. Further, in FIG. 3, the same or corresponding functional blocks as those of the CGW 20 described with reference to FIG. 2 are designated by the same reference numerals. Hereinafter, the contents described in relation to FIG. 2 will be omitted as appropriate.

The ECU 14 includes a frame receiving unit 30, a frame transmitting unit 32, a MAC verification unit 34, a behavior verification unit 36, a fraud countermeasure unit 38, a command execution unit 56, and a frame generation unit 58. The command execution unit 56 executes the command specified by the frame. For example, the command execution unit 56 controls an actuator connected to its own ECU according to a command. The frame generation unit 58 generates a frame in which a command for an external device (for example, another ECU 14) is specified, and passes the generated frame to the frame transmission unit 32 for transmission.

The fraud countermeasure unit 38 of the ECU 14 includes a reception frame storage unit 42, a log storage unit 44, a rule update unit 46, a configuration information storage unit 48, a target detection unit 50, a program update unit 52, a key update unit 54, a filter unit 60, and a mode. The switching unit 62 is included. The filter unit 60 corresponds to the invalidation unit 40 in the CGW 20 and executes a command countermeasure of the ECU 14. Specifically, the filter unit 60 discards the target frame determined to be invalid, in other words, discards the command specified by the target frame. For example, the filter unit 60 may erase the data of the target frame from the memory (not shown) inside the ECU 14.

Further, the ECU 14 executes the above-described ECU countermeasures. However, in the ECU measures (1) and (2) in the CGW 20 of the embodiment, the frame invalidation process is executed, but in the ECU measures (1) and (2) in the ECU 14, the frame is discarded, in other words, the filter process is executed. The ECU measures (3) and (4) are the same as those of the CGW 20.

When the frame transmitted via the CGW 20 is determined to be invalid by the behavior verification, the mode switching unit 62 is connected to a plurality of buses and the security function of the CGW 20, which is the key to the in-vehicle network, has been breached. It is determined that there is, and the automatic driving mode of the vehicle 10 is switched to the fail-safe mode. For example, the mode switching unit 62 may specify the transmission source ECU 14 based on the ID of the target frame determined to be invalid by referring to the configuration information storage unit 48. Then, when the transmission source ECU 14 is connected to a bus different from the bus to which the own ECU is connected, the mode switching unit 62 may determine that the target frame has been relayed by the CGW 20. Further, the fail-safe mode may be in a state in which automatic driving control (in other words, electric driving support processing) is turned off.

If the frame transmitted via the CGW 20 is invalid, it means that the CGW 20 is likely to be hijacked by the unauthorized person. The CGW 20 in the CAN 24 is the basis of communication between a plurality of ECUs 14, and the hijacking of the CGW 20 is a serious security problem. Therefore, the mode switching unit 62 of the embodiment further enhances the safety of vehicle driving by shifting the automatic driving to the fail-safe mode when the frame transmitted via the CGW 20 is invalid. When the monitoring module is introduced into the CMI 22, the CMI 22 may include a mode switching unit 62.

As a modification, the mode switching unit 62 is not limited to the case where the frame transmitted via the CGW 20 is invalid, but also when the frame transmitted from the security core device of the in-vehicle network system 12 is invalid. The automatic operation mode of 10 may be switched to the fail-safe mode. The basic security device corresponds to, for example, a device (CGW 20, ECU 14, etc.) that holds a key for each ECU 14 and distributes a MAC key encrypted with a key for each ECU to each ECU 14. The mode switching unit 62 may refer to the configuration information storage unit 48 and determine whether the source of the target frame is a security core device based on the ID of the target frame determined to be invalid.

FIG. 4 shows fraud countermeasures for each fraud detection pattern. Here, the devices (ECU 14, CGW 20, CMI 22) into which the monitoring module can be introduced are collectively referred to as "monitoring devices". The command countermeasure column of FIG. 4 shows the processing when the monitoring device is the ECU 14, the CGW 20, and the CMI 22.

If the target frame is determined to be valid by MAC verification and the target frame is determined to be invalid by behavior verification (Pattern 1 and Pattern 5), or if the target frame is determined to be invalid by MAC verification and the target frame is determined to be invalid by behavior verification. When it is determined to be fraudulent (Pattern 2), the fraud countermeasure unit 38 of the monitoring device discards or invalidates the target frame as a command countermeasure. In the pattern 2, the command countermeasure in the ECU 14 is "none" because the ECU 14 corresponding to the message authentication usually executes the error processing in accordance with the NG of the MAC verification. Further, in pattern 2, the command countermeasure of CGW 20 is invalid because it is effective as a countermeasure against DoS attack (Denial of Service attack).

In the case of pattern 1 and pattern 2, the fraud countermeasure unit 38 executes one or more of the four types of EUC countermeasures. In the case of pattern 5, the fraud countermeasure unit 38 updates the MAC keys of all ECUs 14 as EUC countermeasures.

When the target frame is determined to be invalid by MAC verification and the target frame is determined to be valid by behavior verification (Pattern 6), the fraud countermeasure unit 38 of the monitoring device determines the rule update instruction data including the target frame and the frames before and after it. Is saved as log data, so that the rule generation device 29 updates the behavior rule based on the target frame and the frames before and after the target frame. For example, when the monitoring device receives the target frame again, the rule generation device 29 updates the behavior rule so as to detect fraud in the behavior verification.

Patterns 3 and 4 in FIG. 4 are patterns in which the frame transmitted from the ECU 14 that does not support message authentication using MAC is invalid. That is, since MAC is not added to the frame, MAC verification cannot be performed, and fraud is detected in behavior verification. The pattern 3 is a pattern in which the target frame determined to be fraudulent is transmitted from the ECU 14, and the pattern 4 is a pattern in which the target frame determined to be fraudulent is injected from the outside (in other words, received from the external bus 26e). ) It is a pattern.

In both pattern 3 and pattern 4, the fraud countermeasure unit 38 of the monitoring device discards or invalidates the target frame as a command countermeasure. Pattern 4 is a situation in which an illegal frame is externally injected, and since there is no leakage of the MAC key, no ECU countermeasure is executed. On the other hand, in pattern 3, there is a high possibility that the target ECU has been hijacked, so the fraud countermeasure unit 38 executes the same ECU countermeasures as in pattern 1.

The operation of the in-vehicle network system 12 with the above configuration will be described. FIG. 5 is a flowchart showing the operation of the CGW 20 of FIG. The frame receiving unit 30 receives a frame from the CAN 24 (S10). The MAC verification unit 34 executes MAC verification for the received target frame, and determines whether the target frame is valid or invalid (S12). The behavior verification unit 36 executes behavior verification for the received target frame and determines whether the target frame is valid or invalid (S14). The execution order of S12 and S14 is not limited, and they may be executed in parallel.

When the target frame is determined to be valid by both MAC verification and behavior verification (Y in S16), the fraud countermeasure unit 38 passes the target frame to the frame transmission unit 32, and the frame transmission unit 32 uses the frame ID and transfer source. The target frame is transferred according to the routing table associated with the bus and the transfer destination bus (S18). When the target frame is determined to be invalid in the MAC verification and the target frame is determined to be valid in the behavior verification (N in S16, Y in S20), the fraud countermeasure unit 38 causes the rule generator 29 to update the behavior rule. The log data including the target frame and the frames before and after the target frame is saved (S22). When the MAC verification result is invalid and the behavior verification result is invalid, or when the MAC verification result is valid and the behavior verification result is invalid (N in S20), the fraud countermeasure unit 38 shows in FIG. Execute command countermeasures (S24).

When ECU countermeasures are required according to the fraud detection pattern (FIG. 4) (Y in S26), the fraud countermeasure unit 38 identifies the target ECU that is likely to be hijacked (S28). The fraud countermeasure unit 38 executes ECU countermeasures related to the target ECU and / or another ECU 14 (S30). If ECU countermeasures are not required (N in S26), S28 and S30 are skipped.

FIG. 6 is a flowchart showing the operation of the ECU 14 of FIG. Since the processing of S40 to S44 is the same as that of S10 to S14 of FIG. 5, the description thereof will be omitted. When the target frame is determined to be valid by both MAC verification and behavior verification (Y in S46), the fraud countermeasure unit 38 passes the target frame to the command execution unit 56, and the command execution unit 56 is designated by the target frame. Data processing is executed according to the command (S48). When the target frame is a frame via CGW20 and at least it is determined to be fraudulent by behavior verification (N in S46, Y in S50), the fraud countermeasure unit 38 shifts the automatic driving of the vehicle 10 to the fail-safe mode ( S52). Since N of S50 and thereafter, the processes of S54 to S64 are the same as those of S20 to S30 of FIG. 5, the description thereof will be omitted.

According to the monitoring device of the embodiment (for example, ECU 14, CGW 20), the type of security threat is recognized in detail based on the combination of the result of message authentication and the result of behavior verification, and an appropriate command according to the type of threat is used. Automatically execute countermeasures and ECU countermeasures. As a result, the security of the in-vehicle network system 12 can be ensured. For example, it is possible to detect leakage of a MAC key and takeover of a MAC-compatible ECU, and appropriately update the MAC key and reprogram the ECU. Further, even if the ECU 14 that does not support MAC exists in the in-vehicle network system 12 and the ECU 14 that does not support MAC is exposed to a threat, it becomes easy to ensure security.

The present invention has been described above based on the first embodiment. This embodiment is an example, and it will be understood by those skilled in the art that various modifications are possible for each of these components or combinations of each processing process, and that such modifications are also within the scope of the present invention. ..

The first modification will be described. The behavior verification unit 36 of the embodiment classifies the target frame legitimately or illegally, but as a modification, the behavior verification unit 36 depends on the degree of deviation (or the degree of agreement) between the mode of the target frame and the behavior rule. Therefore, the target frame may be classified as legitimate, fraudulent, or gray. When the target frame is classified in gray, the log storage unit 44 of the fraud countermeasure unit 38 saves the rule update instruction data including the target frame and the past frame having the same ID as log data. As described above, the rule update instruction data may include a frame of the same ID received after the target frame. As a result, the saved log data is collected offline and notified to the rule generation device 29, and the rule generation device 29 behaves and updates the rules so as to determine, for example, the target frame as invalid.

As a specific example, the behavior verification unit 36 evaluates the target frame for each of the detection parameters A to E, generates intermediate judgment results A to E for each detection parameter, and four or more intermediate judgment results are invalid. In some cases, the final judgment result may be invalid. Further, if the number of invalid intermediate determination results is 3 or less, the final determination result may be justified. In this configuration, the behavior verification unit 36 accumulates the number of times that the intermediate determination result is invalid for each frame ID (may be a command ID) specified in each frame. The behavior verification unit 36 determines that the frame of the ID whose cumulative number of invalid intermediate determination results exceeds a predetermined threshold value (for example, 10 times) is gray.

Further, the behavior verification unit 36 may accumulate the number of times that the intermediate determination result is invalid, using all the frames as the population without distinguishing by the frame ID (command ID). The behavior verification unit 36 may determine gray when the cumulative number of invalid intermediate determination results exceeds a predetermined threshold value (for example, 10 times). In this case, the log storage unit 44 may store the rule update instruction data including all frames received in the past fixed period as log data.

It is originally not desirable that the legitimacy of the frame is determined to be gray, but according to the first modification, the behavior rules can be appropriately updated to improve the security of the in-vehicle network system 12. In the behavior verification of the target frame, the behavior verification unit 36 may set the final determination result of the target frame as "illegal" when the cumulative number of fraud determinations associated with the ID of the target frame exceeds a predetermined threshold value. According to this aspect, command countermeasures and ECU countermeasures are executed based on the gray-determined frame, and the security of the in-vehicle network system 12 can be further enhanced.

A second modification will be described. FIG. 7 shows the hardware configuration of the modified CGW 20. The CGW 20 includes a CPU 70, a monitoring module 72, a LAN controller 74, and a LAN controller 76. The LAN controller 74 and the LAN controller 76 are connected to each bus of the CAN 24. The CPU 70 controls the operation of the entire CGW 20 and executes the functions of the functional blocks shown in FIG.

The monitoring module 72 is an LSI that is physically different from the CPU 70, in other words, an LSI that is physically separated or mounted independently of the CPU 70. The monitoring module 72 executes the functions of the MAC verification unit 34, the behavior verification unit 36, and the fraud countermeasure unit 38 among the functional blocks shown in FIG. The function of the fraud countermeasure unit 38 included in the monitoring module 72 includes at least a function of determining command countermeasures and ECU countermeasures for each pattern shown in FIG.

The CPU 70 and the monitoring module 72 execute fraud determination processing for the same target frame in parallel with each other. The monitoring module 72 determines whether or not the CPU 70 is normal based on the result of the fraud determination processing and the content of the frame processing in the CPU 70. For example, the monitoring module 72 has a routing function of the CPU 70 (particularly the CPU 70) when the target frame is determined to be invalid in at least one of MAC verification and behavior verification, and when the CPU 70 transmits the target frame to the CAN 24. ) Is judged to be abnormal. Further, the monitoring module 72 determines that the target frame is abnormal in both the MAC verification and the behavior verification, and when the CPU 70 discards or invalidates the target frame.

When the CPU 70 determines that there is an abnormality, the monitoring module 72 may execute at least one of a predetermined error processing, a recovery processing, and a notification processing to an occupant, an outside person, or the like. According to the second modification, even if the CPU 70 of the CGW 20 is hijacked by an unauthorized person, the monitoring module 72 can detect the fact and execute a process for eliminating the security threat. The CPU 70 and the monitoring module 72 may be mounted virtually or logically separately. Further, although an example of the CGW 20 is shown here, the configuration of this modification can be applied to the ECU 14 operating as a monitoring device.

A third modification will be described. In the above embodiment, the in-vehicle network is CAN, but as a modification, the in-vehicle network may be Ethernet (registered trademark). In this case as well, the same configuration as in the embodiment can be applied to the ECU 14 and the CGW 20.

A fourth modification will be described. In connection with the third modification, CAN and Ethernet may be mixed in the in-vehicle network. The CGW 20 as a monitoring device may further have a function of connecting the CAN and the Ethernet and converting the CAN frame and the Ethernet frame to each other. The CGW 20 suppresses the conversion of a CAN frame determined to be invalid into an Ethernet frame by at least one of MAC verification and behavior verification. Similarly, it suppresses the conversion of the Ethernet frame determined to be invalid to the CAN frame.

Further, the CGW 20 may be connected to a plurality of CAN buses and a plurality of Ethernet buses. In this case, if a frame is determined to be invalid at least in one of MAC verification and behavior verification, the CGW 20 may suppress the conversion and relay of all frames from the bus through which the frame flows to another bus. Good. Furthermore, the CGW 20 may suppress conversion and relay of all frames from another bus to the bus on which the frame determined to be invalid flows.

Furthermore, the CGW 20 may include security functions in Ethernet (for example, firewall function, MAC address filter, etc.). The CGW 20 may treat that the target frame is determined to be invalid at least one of the security function in Ethernet and the MAC verification, as in the case where it is determined to be invalid by the MAC verification in the embodiment. If the target frame is determined to be invalid by both the security function and MAC verification in Ethernet, the CGW 20 determines that the probability of the invalidity is high, and instead of executing command countermeasures and ECU countermeasures, or command countermeasures and Along with the execution of the ECU measures, the automatic driving mode of the vehicle 10 may be shifted to the fail-safe mode. The fourth modification is applicable not only to the CGW 20 but also to all devices for connecting different types of networks.

A fifth modification will be described. The ECU 14 and CGW 20 of the in-vehicle network system 12 may be equipped with a security chip (Trusted Platform Module, hereinafter referred to as “TPM”) for determining whether or not the own device has been tampered with. The target detection unit 50 of the monitoring device (for example, CGW 20, ECU 14) may inquire at least the TPM of the ECU that has transmitted the frame determined to be invalid by the behavior verification whether or not it has been tampered with (Attestation). When combined with the second modification, the target detection unit 50 may inquire of the SoC (System on Chip) of the CGW 20 whether or not it has been tampered with. When the result of the inquiry indicates that the inquiry result has been tampered with, the target detection unit 50 determines that the device (for example, CGW 20, ECU 14) of the inquiry destination is fraudulent, in other words, determines that the device is a target device for fraud countermeasures.

The techniques described in the first embodiment and the modifications may be specified by the following items.
[Item 1]
The receiver that receives the frame from the communication network, the first judgment that determines whether the frame is invalid based on the result of message authentication for the frame, and whether the frame is invalid based on the mode of the frame and predetermined rules. The second determination is performed, and a processing unit that executes at least one of the processing related to the frame and the processing related to the source device of the frame according to the combination of the result of the first determination and the result of the second determination is provided. Monitoring device.
According to this monitoring device, the security of the communication system can be improved.
[Item 2]
When the judgment target frame is determined to be valid by the first judgment and the judgment target frame is determined to be invalid by the second judgment, or when the judgment target frame is determined to be invalid by the first judgment and the judgment target frame is determined by the second judgment. If is determined to be invalid, the processing unit may execute a process of discarding or invalidating the determination target frame.
According to this aspect, the security risk due to an illegal frame can be reduced.
[Item 3]
When the judgment target frame is determined to be valid by the first judgment and the judgment target frame is determined to be invalid by the second judgment, or when the judgment target frame is determined to be invalid by the first judgment and the judgment target frame is determined by the second judgment. When is determined to be fraudulent, the target device for fraud countermeasures is detected from among the plurality of source devices based on the presence or absence of fraud in a plurality of frames transmitted from the plurality of source devices, and (1) the target device. Process to discard or invalidate the frame transmitted from, (2) Process to update the computer program in the target device, (3) Process to update the message authentication key in the source device other than the target device, (4) Target At least one of the processes of discarding or invalidating the frame received from the bus of the communication network to which the device is connected may be executed.
According to this aspect, it is possible to take measures against fraud regarding the source device of the frame based on the detection of the fraudulent frame.
[Item 4]
When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, and the determination target frame is a frame transmitted from a device other than the predetermined source device. When it is received from the bus, the processing unit may execute a process of updating the key for message authentication in a predetermined source device.
According to this aspect, when a malicious frame is injected from the outside and the message authentication key may be leaked, the message authentication key can be updated to reduce the security risk.
[Item 5]
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be valid by the second determination, the processing unit may save at least the log data related to the determination target frame.
According to this aspect, when it is assumed that the rule for the second determination is incomplete, it is possible to support the improvement of the rule.
[Item 6]
The processing unit classifies the judgment target frame into either legitimate, illegal, or gray according to the degree of deviation between the mode of the judgment target frame and the rule, and when the judgment target frame is classified as gray, at least the judgment target. Log data related to the frame may be saved.
According to this aspect, it is possible to support the improvement of the rule for the second determination due to the originally undesired gray determination.
[Item 7]
The monitoring device may be an electronic control unit mounted on the vehicle. When the frame transmitted via the predetermined gateway device in the vehicle-mounted network is determined to be invalid by the second determination, the processing unit may switch the automatic driving mode of the vehicle to the fail-safe mode.
According to this aspect, the safety of vehicle driving can be further enhanced.
[Item 8]
The frame is received from the communication network, and the frame is determined based on the first judgment of determining whether the frame is invalid based on the result of message authentication for the received frame, the mode of the received frame, and a predetermined rule. At least the processing related to the received frame and the processing related to the source device of the received frame are performed according to the combination of the result of the first judgment and the result of the second judgment. A monitoring method in which a computer does one thing.
According to this monitoring method, the security of the communication system can be improved.
[Item 9]
The frame is received from the communication network, and the frame is determined based on the first judgment of determining whether the frame is invalid based on the result of message authentication for the received frame, the mode of the received frame, and a predetermined rule. A second determination for determining whether or not the image is invalid is performed, and at least the processing related to the received frame and the processing related to the source device of the received frame are performed according to the combination of the result of the first determination and the result of the second determination. A computer program that lets a computer do one thing.
According to this computer program, the security of the communication system can be improved.

[Second Example]
Before explaining the detailed configuration of the second embodiment, an outline will be given first. With the widespread use of vehicles that are always connected to the Internet, such as connected cars, it is conceivable that the cloud will constantly monitor the vehicle and provide appropriate services to the vehicle from the cloud. Vehicles that use such cloud services need to convey the security status of their vehicles to the cloud in real time, but the more emphasis is placed on real-time performance, the greater the amount of communication. Therefore, the vehicle is required to perform appropriate communication according to the detection result of the security state.

In the second embodiment, the security status of the vehicle is determined based on the result of the MAC verification and the result of the behavior verification, and the appropriate content is sent to the cloud at an appropriate timing according to the security status of the vehicle. The in-vehicle network system to be transmitted will be described. In the following drawings, the same or corresponding blocks as those in the first embodiment are designated by the same reference numerals as those in the first embodiment. In addition, the contents already explained in the first embodiment will be omitted as appropriate, and a configuration different from that in the first embodiment will be mainly described.

FIG. 8 shows the configuration of the vehicle-mounted network system of the second embodiment. The hardware configuration of the in-vehicle network system 12 is the same as that of the first embodiment. In the second embodiment, the vehicle 10 is connected to the vehicle monitoring server 100 via the external communication network 28.

The vehicle monitoring server 100 provides a service according to the security state of the vehicle 10. The vehicle monitoring server 100 may have a function corresponding to the fraud countermeasure unit 38 mounted on the CGW 20, the ECU 14, and the like in the first embodiment. For example, the vehicle monitoring server 100 may instruct the vehicle 10 to reprogram the ECU 14 or update the key according to the security state of the vehicle 10 notified from the vehicle 10. The vehicle monitoring server 100 includes the function of the rule generation device 29 of the first embodiment.

In the vehicle-mounted network system 12 of the second embodiment, the monitoring module is introduced into the ECU 14 corresponding to the message authentication using the MAC. The ECU 14 in which the monitoring module is introduced functions as a monitoring device that monitors an illegal frame (in other words, an illegal command) flowing through the CAN 24 and reports the monitoring result to the vehicle monitoring server 100. As a modification, (1) a configuration in which the monitoring module is installed only in the CGW 20 may be used, (2) a configuration in which the monitoring module is installed only in the CMI 22 may be used, and (3) the CGW 20 and the ECU 14 corresponding to message authentication using MAC may be installed. It may be configured to introduce a monitoring module.

FIG. 9 is a block diagram showing a functional configuration of the ECU 14 of FIG. The ECU 14 includes a frame receiving unit 30, a frame transmitting unit 32, a MAC verification unit 34, a behavior verification unit 36, a rule updating unit 46, a command execution unit 56, a frame generation unit 58, and a reporting unit 114. When the CGW 20 or CMI 22 of FIG. 8 includes a monitoring module, the configuration is the same as that of FIG.

The MAC verification unit 34, the behavior verification unit 36, the rule update unit 46, the notification necessity determination unit 112, and the notification unit 114 of FIG. 9 may configure the processing unit 110 as a monitoring module. Further, the frame receiving unit 30, the frame transmitting unit 32, the MAC verification unit 34, the behavior verification unit 36, the rule updating unit 46, the command execution unit 56, and the frame generation unit 58 in FIG. 9 have the same functions as those in the first embodiment. Therefore, the description is omitted.

The reporting unit 114 receives a frame received from the CAN 24 (hereinafter, also referred to as a “target frame”) from the frame receiving unit 30. Further, the reporting unit 114 acquires the result of MAC verification for the target frame from the MAC verification unit 34, and acquires the result of the behavior verification for the target frame from the behavior verification unit 36. The reporting unit 114 sets the content to be reported to the vehicle monitoring server 100 or the priority of reporting based on the combination of the result of MAC verification and the result of behavior verification for the target frame, and also sets the vehicle among the plurality of target frames. The content to be notified to the monitoring server 100 or the priority of the notification is changed. In the embodiment, both the content to be reported and the priority of the report are changed.

The reporting unit 114 includes a receiving frame storage unit 42, a configuration information storage unit 48, an analysis unit 120, a message generation unit 122, and a message output unit 124.

The reception frame storage unit 42 stores and stores a plurality of frames received by the frame reception unit 30 in a predetermined storage area. The reception frame storage unit 42 may sequentially erase frames for which a predetermined time has passed since they were received from the storage area. The reception frame storage unit 42 may store the frame data in association with the determination result by the MAC verification unit 34 and the determination result by the behavior verification unit 36.

The configuration information storage unit 48 stores attribute information (referred to here as “configuration information”) relating to various components of the CAN 24. The configuration information of the embodiment includes IDs of a plurality of ECUs 14 and IDs of commands included in frames transmitted by each of the plurality of ECUs 14. The configuration information may include a frame ID (in other words, CAN-ID) instead of the command ID. Alternatively, the configuration information may include the frame ID (CAN-ID) together with the command ID.

Further, the configuration information of the embodiment includes information in which IDs of a plurality of commands are associated with transmission frequencies of each command. The command transmission frequency may be the frequency at which the transmission source ECU transmits a frame containing the command (for example, the number of transmissions per unit time). Further, the configuration information of the embodiment includes information in which IDs of a plurality of commands are associated with IDs of other commands related to each command. Other commands associated with a particular command may be other commands that have dependencies on the particular command, or may be other commands that are sent in pairs with the particular command. For example, another command related to the vehicle speed control command may be a brake actuator control command.

The analysis unit 120 identifies the fraud detection pattern of the target frame based on the combination of the result of MAC verification for the target frame and the result of behavior verification. FIG. 10 shows a fraud detection pattern. The analysis unit 120 identifies any one of the seven fraud detection patterns shown in FIG. 10 as the fraud detection pattern of the target frame.

The method of distinguishing the pattern 1 and the pattern 5 will be described. The analysis unit 120 indicates that the MAC verification result for the frame including a certain command ID (may be a frame ID) is valid (“OK” in FIG. 10), and the behavior verification result is invalid (“NG” in FIG. 10). In this case, the reception frame storage unit 42 is referred to to specify the reception frequency of the frame including the command ID. When the specified reception frequency is consistent with the transmission frequency of the command ID stored in the configuration information storage unit 48 (for example, the difference between the specified reception frequency and the transmission frequency of the command ID is within a predetermined range). Identify as pattern 1. On the other hand, when the specified reception frequency exceeds the transmission frequency (for example, when the difference between the specified reception frequency and the transmission frequency of the command ID exceeds a predetermined threshold value), it is identified as pattern 5.

The reason for such identification is that when the ECU is hijacked (Pattern 1), the transmission frequency does not change, but when an illegal command is injected externally (Pattern 5), the command transmitted by the normal ECU and the external This is because the reception frequency increases due to the presence of both the injected commands.

The method of distinguishing the pattern 3 and the pattern 4 will be described. The target frame that can be classified into pattern 3 or pattern 4 is a frame to which a MAC code value is not added, in other words, a frame that is not subject to MAC verification by the MAC verification unit 34. When the analysis unit 120 has no MAC verification result for a frame including a certain command ID (may be a frame ID) (“n / a” in FIG. 10) and the behavior verification result is invalid (“NG” in FIG. 10). , The reception frame storage unit 42 is referred to, and the reception frequency of the frame including the command ID is specified. When the specified reception frequency matches the transmission frequency of the command ID stored in the configuration information storage unit 48, it is identified as pattern 3. On the other hand, when the specified reception frequency exceeds the transmission frequency, it is identified as pattern 4.

When the analysis unit 120 identifies the pattern 1 or the pattern 3 as the fraud detection pattern of the target frame, the analysis unit 120 identifies the ID of the ECU that may have been hijacked. For example, the analysis unit 120 refers to the configuration information storage unit 48 and identifies the ECU associated with the command ID indicated by the target frame as an ECU that may have been hijacked. The fact that the ECU has been hijacked includes the fact that an unexpected program is being executed by the ECU.

Returning to FIG. 9, the message generation unit 122 generates a message for notifying the vehicle monitoring server 100 of information about the target frame according to the fraud detection pattern of the target frame identified by the analysis unit 120. This message indicates the security status of the vehicle 10. The message generation unit 122 includes the report content and additional information of FIG. 10 corresponding to the fraud detection pattern of the target frame in the message.

The message generation unit 122 is a frame in which the above message is set in the payload, and generates a notification frame for notifying the vehicle monitoring server 100 of the security state (specifically, the fraud detection state) of the vehicle 10. The message generation unit 122 may divide the above message into a plurality of parts and generate a plurality of notification frames including the divided messages. The message output unit 124 outputs the notification frame generated by the message generation unit 122 to the frame transmission unit 32, and outputs the notification frame from the frame transmission unit 32 to the CAN 24. The notification frame is transmitted to the vehicle monitoring server 100 via CAN24, the external bus 26e, and the external communication network 28.

The details of the message content setting process will be described. When the fraud detection pattern of the target frame is pattern 1, the message generation unit 122 includes the report content of pattern 1 in FIG. 10 in the message. Further, the message generation unit 122 includes the additional information (A), (B), and (C) in the message. In any pattern, the text in the "assumed threat" column of FIG. 10 may be included in the message instead of the text in the "report content" column of FIG.

Specifically, the message generation unit 122 includes the results of MAC verification and behavior verification in the message as additional information (A). Further, the message generation unit 122 includes the command ID included in the target frame in the message as additional information (B). Further, the message generation unit 122 includes the ID of the ECU (referred to as “illegal ECU” here) specified by the analysis unit 120 in the message as additional information (C). Further, the message generation unit 122 refers to the configuration information storage unit 48, and is a command ID associated with the fraudulent ECU, that is, identifies the command ID transmitted by the fraudulent ECU, and adds the command ID to the additional information ( Include in the message as C).

When the fraud detection pattern of the target frame is pattern 2, the message generation unit 122 includes only (A) and (B) as additional information in the message. The reason for this is that both MAC verification and behavior verification are functioning, and the problem is smaller than in the case of pattern 1 (I intend, in this case, by reducing the additional information, the effect of reducing the amount of communication is enhanced. There is). As a modification, additional information similar to pattern 1 (that is, (A) to (C)) may be included in the message.

Next, the processing of the message generation unit 122 when the fraud detection pattern of the target frame is pattern 6 will be described. As mentioned in the first embodiment, in pattern 6, there is a possibility that the behavior verification should be NG, but it may be OK, that is, the behavior verification rule may be incomplete. The message generation unit 122 includes the report content of pattern 6 in FIG. 10 in the message. Further, the message generation unit 122 includes additional information (A), (B), (D), and (E) in the message.

Specifically, the message generation unit 122 is a frame in which the same ID as the frame ID of the target frame is set with reference to the reception frame storage unit 42, and a predetermined number (for example, 10) received before the target frame. ) Frames are specified. Further, the message generation unit 122 is a frame in which the same ID as the frame ID of the target frame is set with reference to the reception frame storage unit 42, and a predetermined number (for example, 10) of frames received after the target frame. To identify. The message generation unit 122 includes the command ID included in each specified frame in the message as additional information (D). As a modification, the message generation unit 122 may include the entire data of a predetermined number of frames received before and after the target frame in the message as additional information (D).

Further, the message generation unit 122 refers to the configuration information storage unit 48, identifies the IDs of other commands related to the commands included in the target frame, and uses the IDs of the other commands as additional information (E) in the message. include. As a modification, the message generation unit 122 may include the entire data of a predetermined number of frames including the IDs of the other commands in the message as additional information (E).

The message generation unit 122 separately generates the first message including the report content and the additional information (A) and (B) and the second message including the additional information (D) and (E). The reason for such generation is that, as will be described later, the notification timing of the first message and the notification timing of the second message are different.

The message generation unit 122 does not generate a frame when the fraud detection pattern of the target frame is pattern 7. However, if the fraud detection pattern pattern 7 continues for a predetermined time or longer, the message generation unit 122 may generate a frame indicating that there is no abnormality in security periodically (for example, every minute). Good.

Next, the details of the report priority setting process will be described. The message generation unit 122 sets the priority (FIG. 10) according to the fraud detection pattern of the target frame in the notification frame. When the fraud detection pattern of the target frame is pattern 1 or 5, the message generation unit 122 sets the priority to a high priority, that is, sets a higher priority to the notification frame than other communications other than the notification frame. The reason for this is that pattern 1 or 5 should be dealt with immediately because there is a high possibility that the MAC key has been leaked or the ECU has been hijacked.

When the fraud detection pattern of the target frame is patterns 2 to 4, the message generation unit 122 sets the priority to a low priority, that is, sets a priority lower than that of other communications other than the notification frame to the notification frame. The reason for this is that in patterns 2 to 4, illegal commands can be detected without any problem. Further, the reason for this is that the determination target frames of patterns 3 and 4 are not given a MAC, and the determination target frames to which the MAC is not given are of low importance in operation.

When the fraud detection pattern of the target frame is pattern 6, the message generation unit 122 sets the priority of the frame of the first message including the notification content and the additional information (A) and (B) to be medium. That is, the same priority as the communication other than the report frame is set in the report frame. The reason for this is that since the MAC verification is NG, the damage caused by the illegal command can be avoided, but the behavior verification is OK, so the behavior verification rules should be improved. Further, the message generation unit 122 sets the priority of the frame of the second message including the additional information (D) (E) to low. The reason for this is that the additional information (D) and (E) has a large amount of data. However, when the communication volume such as CAN24 is free, the priority of the frame of the second message including the additional information (D) and (E) may be set to the middle.

The message generation unit 122 may assign an ID to be preferentially transmitted by the CAN 24 to the notification frame set to have a high priority. The message output unit 124 may immediately output the notification frame set to the high priority to the CAN 24 regardless of whether another frame is being transmitted. Further, the message generation unit 122 adds data to the IVI device 16 connected to the external communication network 28, which is set to have a high priority and instructs the IVI device 16 to transmit the report frame in preference to other communications. You may. Other communications may include sending and receiving information necessary for the automatic driving of the vehicle 10, and may include, for example, uploading and downloading dynamic maps and sign information.

The message generation unit 122 may assign an ID that is handled by CAN 24 with the same priority as other types of frames to the notification frame set during the priority. The message output unit 124 may output the notification frame set during the priority to the CAN 24 while other frames are not being transmitted. Further, the message generation unit 122 adds data instructing the IVI device 16 to treat and transmit (for example, transmit on a first-come-first-served basis) in the same manner as other communications to the report frame set during the priority. You may.

The message generation unit 122 may assign an ID that is handled by CAN 24 with a lower priority than other types of frames to the notification frame set to have a low priority. The message output unit 124 may output a notification set to a low priority to the CAN 24 during a free time of communication such as ignition off or power off. Further, the message generation unit 122 may add data instructing the IVI device 16 to transmit the notification frame set to a lower priority than other communications. For example, the message generation unit 122 may add data instructing the IVI device 16 to transmit to the vehicle monitoring server 100 while the communication process is idle, to the notification frame set to have a low priority.

Note that the message generation unit 122 may save the notification frame set to a priority other than high in the non-volatile memory as a log, as in the first embodiment. The message output unit 124 may read the notification frame stored in the non-volatile memory and output the notification frame to the CAN 24 when the notification frame can be transmitted, such as when the CAN 24 is free.

A case where the vehicle 10 is connected to a plurality of types of communication networks will be described. For example, the vehicle 10 may be provided with a plurality of communication devices, for example, an IVI device 16, a TCU (Telematics. Communication Unit) (not shown), and an emergency communication unit (not shown). The IVI device 16 may be connected to WiFi®. The TCU may also be connected to a 4G / LTE (Long Term Evolution)® network. The emergency communication unit may also be connected to a 3G network. It will be understood by those skilled in the art that the above-mentioned combination with the communication network and each device is an example, and other combinations are possible.

In such a vehicle 10, if the priority of the report is high, the emergency communication unit may be used to execute the report process. Further, when the priority of the report is medium, the report process may be executed using the TCU. Further, when the priority of the report is low, the report process may be executed by using the IVI device 16. Alternatively, when the priority of the report is low, a vacant communication network may be selected from the plurality of types of communication networks and the report process may be executed. On the other hand, when the priority of the report is high, the use of the high-speed communication network by other communication may be stopped and the report process may be executed using the high-speed communication network. Those skilled in the art will understand that the priority setting and the combination with each process mentioned above are examples, and other combinations are possible.

The operation of the ECU 14 with the above configuration will be described. FIG. 11 is a flowchart showing the operation of the ECU 14 of FIG. The frame receiving unit 30 receives a frame from the CAN 24 (S70). The MAC verification unit 34 executes MAC verification for the received target frame and determines whether the target frame is valid or invalid (S72). The behavior verification unit 36 executes behavior verification for the received target frame and determines whether the target frame is valid or invalid (S74).

When the target frame is determined to be valid by both the MAC verification and the behavior verification (Y in S76), the message output unit 124 of the notification unit 114 passes the target frame to the command execution unit 56. The command execution unit 56 executes data processing according to the command specified in the target frame (S78).

Further, when the state in which the target frame is determined to be valid by both the MAC verification and the behavior verification continues, the message generation unit 122 periodically generates a frame indicating that the security state of the vehicle 10 is normal. The message output unit 124 transmits the frame to the vehicle monitoring server 100.

When the target frame is determined to be invalid (N in S76) by at least one of MAC verification and behavior verification, the analysis unit 120 of the reporting unit 114 selects the illegal detection pattern of the target frame from the seven patterns shown in FIG. One pattern is specified (S80). The message generation unit 122 sets the message to be notified to the vehicle monitoring server 100 and the priority of the notification according to the fraud detection pattern of the specified target frame (S82). The message output unit 124 transmits a notification frame including the message generated by the message generation unit 122 to the vehicle monitoring server 100 according to the priority set by the message generation unit 122 (S84). In this way, the reporting unit 114 changes the content and priority of the reporting frame for each frame in which fraud is detected, according to the fraud detection pattern.

When the fraud detection pattern of the target frame is pattern 1 or 5 (high priority), the communication unit (not shown) of the vehicle 10 downloads and uploads a dynamic map for automatic driving (hereinafter referred to as "other communication"). The notification frame may be processed with priority over the notification frame, and the notification frame may be transmitted to the vehicle monitoring server 100. Further, when the fraud detection pattern of the target frame is pattern 6, the communication unit may process the notification frame with the same priority as other communications (for example, first come, first served). Further, when the fraud detection pattern of the target frame is patterns 2 to 4, the communication unit may postpone the processing of the notification frame if other communication is being processed.

According to the ECU 14 of the second embodiment, it is possible to notify the vehicle monitoring server 100 of appropriate contents at an appropriate timing according to the security state of the vehicle 10 (in other words, each device in the vehicle-mounted network system 12). ..

The present invention has been described above based on the second embodiment. This embodiment is an example, and it will be understood by those skilled in the art that various modifications are possible for each of these components or combinations of each processing process, and that such modifications are also within the scope of the present invention. ..

The first modification will be described. This modification corresponds to the first modification of the first embodiment. The behavior verification unit 36 executes a plurality of intermediate determinations based on the mode of the target frame and a plurality of predetermined rules, and derives the behavior verification results according to the results of the plurality of intermediate determinations. The behavior verification unit 36 outputs the results of a plurality of intermediate determinations to the reporting unit 114 together with the results of the behavior verification. The message generation unit 122 generates a notification frame including a plurality of intermediate determination results when there is a result indicating that the rule is not conformed to among the plurality of intermediate determination results. The message output unit 124 transmits the above notification frame to the vehicle monitoring server 100. Further, the message generation unit 122 changes the priority of the report according to the number of intermediate determination results indicating that the rule is not conformed.

As a specific example, the behavior verification unit 36 evaluates the data of one target frame with each of a plurality of detection parameters A to E, and an intermediate judgment result (judgment result of whether or not the rule is met) by each detection parameter. May be generated. If the number of NG intermediate determination results among the plurality of intermediate determination results is 3 or more, the behavior verification unit 36 may invalidate the final determination result of the target frame. The NG includes, for example, that the data of the determination target frame does not conform to the rules of each intermediate determination.

1) The report processing for each frame will be explained. When the message generation unit 122 includes one or more results indicating rule nonconformity among the plurality of intermediate determination results, the message generation unit 122 may generate a notification frame including all the intermediate determination results. The intermediate determination result may include information on the parameters used in the intermediate determination, or may include data of frames for which correctness or rejection is determined in the intermediate determination. Further, the message generation unit 122 may change the priority of reporting to the vehicle monitoring server 100 according to the number of NG intermediate determination results. For example, when five intermediate determinations are made, if the number of NGs in the intermediate determination result is 1 or 2, the priority of the embodiment may be set low. Further, if the number of NGs in the intermediate determination result is 3 or 4, the priority in the embodiment may be set, and if the number of NGs in the intermediate determination result is 5, the high priority may be set.

Next, 2) the report processing for each command will be described. The message generation unit 122 stores the cumulative value of the number of NGs of the intermediate determination result by the behavior verification unit 36 for each command ID (or each frame ID) (here, referred to as "cumulative number of intermediate NGs by command"). May be good. When the cumulative number of intermediate NGs for each command exceeds the first threshold value (for example, 20 times), the message generation unit 122 reports that the cumulative number of intermediate NGs for each command exceeds the first threshold value and the command ID. You may generate a frame and set the report priority to low. Further, when the cumulative number of intermediate NGs for each command exceeds the second threshold value (for example, 40 times), the message generation unit 122 provides information and a command ID indicating that the cumulative number of intermediate NGs for each command exceeds the second threshold value. You may generate a reporting frame that includes it and set the reporting priority to medium.

Next, 3) the report processing of the vehicle 10 as a whole will be described. The message generation unit 122 has a cumulative value of the number of NGs of the intermediate determination result input from the behavior verification unit 36 for a plurality of commands (a plurality of target frames) regardless of the command ID (here, "total number of intermediate NGs"). Call.) May be memorized. When the total number of intermediate NGs exceeds the first threshold value (for example, 100 times), the message generation unit 122 generates a notification frame including information indicating that the total number of total intermediate NGs exceeds the first threshold value, and reports. The priority of may be set low. Further, the message generation unit 122 generates a notification frame including information that the total number of intermediate NGs exceeds the second threshold when the total number of total intermediate NGs exceeds the second threshold (for example, 200 times). , The report priority may be set to medium.

A second modification will be described. Any combination of any component of the first embodiment and any component of the second embodiment is possible. For example, as described in the first embodiment, the CGW 20 of the vehicle 10 may have a function of discarding or invalidating a frame determined to be invalid by MAC verification and behavior verification. In the second embodiment, the configuration information storage unit 48 of the ECU 14 stores the configuration information in which the command ID and the ECU-ID that transmits the command are associated with each other. As a modification, the configuration information storage unit 48 may store the configuration information in which the command ID and the ID of the CGW 20 are associated with each other for the command transmitted by the ECU connected to the bus of the CAN 24 different from the own machine. .. The reason for this is that the frame transmitted from the ECU connected to the bus of CAN24 different from the own machine is relayed by the CGW 20.

If the fraud detection pattern of the target frame is pattern 1 or pattern 3 and the target frame is received via the CGW 20, the analysis unit 120 of the second modification may have been hijacked. As a certain ECU, the ID of CGW 20 is specified. Specifically, the configuration information of the configuration information storage unit 48 associates the command ID included in the target frame with the ID of the CGW 20. By referring to the configuration information, the analysis unit 120 identifies the ID of the CGW 20 when the target frame is received via the CGW 20. The message generation unit 122 generates a notification frame indicating that the CGW 20 may have been hijacked.

As described above, if the CGW 20 is operating normally, the invalid frame is discarded or invalidated. Therefore, when the ECU 14 detects an illegality of the frame relayed by the CGW 20, the operation of the CGW 20 is abnormal and there is a possibility that the CGW 20 has been hijacked. According to the aspect of this modification, it is possible to accurately detect the abnormality of the CGW 20 and notify the vehicle monitoring server 100. The configuration of the second modification can be applied even when the monitoring module is introduced into the CMI 22.

The techniques described in the second embodiment and the modifications may be specified by the following items.
[Item 1]
A receiver that receives frames from the communication network and
A first determination for determining whether the frame is invalid based on the result of message authentication for the frame, and a second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule. A processing unit that changes at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
A monitoring device equipped with.
According to this monitoring device, it is possible to execute a report to an external device at an appropriate content or timing according to the security status of the own device.
[Item 2]
When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, the processing unit sets the priority of reporting information regarding the determination target frame. Set a higher priority than the communication of
The monitoring device according to item 1.
According to this aspect, when there is a risk that the key for message authentication is leaked, the notification to the external device can be quickly executed.
[Item 3]
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be invalid by the second determination, the processing unit sets the priority of reporting information regarding the determination target frame. Set to a lower priority than the communication of
The monitoring device according to item 1 or 2.
According to this aspect, when the judgment target frame is judged to be invalid in both the first judgment and the second judgment, the damage caused by the illegal frame can be avoided, so that the notification that hinders other communication is suppressed. Can be realized.
[Item 4]
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be valid by the second determination, the processing unit sets the priority of reporting information regarding the determination target frame. The judgment target frame is determined to be valid by the first determination, the priority is lower than the case where the determination target frame is determined to be invalid by the second determination, and the determination target frame is determined to be invalid by the first determination. Then, the priority is set higher than that when the determination target frame is determined to be invalid by the second determination.
The monitoring device according to any one of items 1 to 3.
According to this aspect, the damage caused by the fraudulent frame can be avoided by detecting the fraud in the first judgment, but the rule of the second judgment may be incomplete, so the priority is medium. Can be reported.
[Item 5]
When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, the processing unit has at least information on the command included in the determination target frame and the determination. Report the information of the source device of the target frame,
The monitoring device according to item 1 or 2.
According to this aspect, it is possible to support appropriate data processing on the external device side by notifying the external device of the information of the ECU that may have been hijacked in addition to the command in which the fraud is detected.
[Item 6]
When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, and the reception frequency of a frame having the same ID as the determination target frame is predetermined. When the value is exceeded, the processing unit reports at least the information of the command included in the determination target frame.
The monitoring device according to item 1 or 2.
According to this aspect, it is possible to detect that an invalid frame has been injected from the outside and report an appropriate content.
[Item 7]
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be invalid by the second determination, the processing unit reports at least the command information included in the determination target frame. ,
The monitoring device according to any one of items 1 to 3.
According to this aspect, since the monitoring device can correctly detect the fraud of the determination target frame, it is possible to suppress the increase in communication traffic by suppressing the content of the report to the information of the command in which the fraud is detected.
[Item 8]
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be valid by the second determination, the processing unit has at least information on the command included in the determination target frame and the command. Report information about other commands related to
The monitoring device according to any one of items 1 to 4.
According to this aspect, it is possible to assist in improving the rule when the rule may be incomplete.
[Item 9]
When the frame excluded from the first determination is determined to be invalid by the second determination, and the reception frequency of a frame having the same ID as the frame matches a predetermined value, the processing unit Report at least the command information included in the frame and the source device information of the frame with a lower priority than other communications.
The monitoring device according to any one of items 1 to 4.
According to this aspect, it is possible to detect that an electronic device that does not have a key for message authentication has been hijacked and report an appropriate content with an appropriate priority.
[Item 10]
When the frame excluded from the first determination is determined to be invalid by the second determination, and the reception frequency of the frame having the same ID as the frame exceeds a predetermined value, the processing unit performs the processing unit. , Report at least command information contained in the frame with a lower priority than other communications.
The monitoring device according to any one of items 1 to 4.
According to this aspect, it is a frame that does not have a code for message authentication, and it is possible to detect that an invalid frame has been injected from the outside and report an appropriate content with an appropriate priority.
[Item 11]
The processing unit executes a plurality of intermediate determinations based on the mode of the determination target frame and a plurality of predetermined rules, and derives the result of the second determination according to the results of the plurality of intermediate determinations. ,
When the processing unit has a result indicating that it does not conform to the rule among the results of the plurality of intermediate determinations, the processing unit notifies the external device of the result of the plurality of intermediate determinations and does not conform to the rule. Change the priority of the report according to the number of results showing
The monitoring device according to any one of items 1 to 10.
According to this monitoring device, the strength of security by behavior verification can be enhanced.
[Item 12]
Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
Depending on the combination of the result of the first determination and the result of the second determination, at least one of the content to be notified to the external device or the priority of the notification is changed.
A monitoring method that a computer does.
According to this monitoring method, it is possible to execute a report to the external device at an appropriate content or timing according to the security status of the own device.
[Item 13]
Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
Depending on the combination of the result of the first determination and the result of the second determination, at least one of the content to be notified to the external device or the priority of the notification is changed.
A computer program that lets a computer do things.
According to this computer program, it is possible to execute a report to an external device at an appropriate content or timing according to the security status of the own device.

Any combination of the examples and modifications described above is also useful as an embodiment of the present invention. The new embodiments resulting from the combination have the effects of the combined examples and the modifications. It is also understood by those skilled in the art that the functions to be fulfilled by each of the constituent elements described in the claims are realized by a single component or a cooperation thereof shown in the examples and modifications.

10 vehicles, 12 in-vehicle network system, 14 ECU, 24 CAN, 30 frame receiver, 100 vehicle monitoring server, 110 processing unit, 114 notification unit, 120 analysis unit, 122 message generation unit, 124 message output unit.

Claims (22)

A receiver that receives frames from the communication network and
A first determination for determining whether the frame is invalid based on the result of message authentication for the frame, and a second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule. A processing unit that changes at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Equipped with a,
When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, the processing unit sets the priority of reporting information regarding the determination target frame. Set a higher priority than the communication of
Monitoring device. A receiver that receives frames from the communication network and
A first determination for determining whether the frame is invalid based on the result of message authentication for the frame, and a second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule. A processing unit that changes at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Equipped with a,
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be invalid by the second determination, the processing unit sets the priority of reporting information regarding the determination target frame. Set to a lower priority than the communication of
Monitoring device. A receiver that receives frames from the communication network and
A first determination for determining whether the frame is invalid based on the result of message authentication for the frame, and a second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule. A processing unit that changes at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Equipped with a,
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be valid by the second determination, the processing unit sets the priority of reporting information regarding the determination target frame. The judgment target frame is determined to be valid by the first determination, the priority is lower than the case where the determination target frame is determined to be invalid by the second determination, and the determination target frame is determined to be invalid by the first determination. Then, the priority is set higher than that when the determination target frame is determined to be invalid by the second determination.
Monitoring device. When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, the processing unit has at least information on the command included in the determination target frame and the determination. Report the information of the source device of the target frame,
The monitoring device according to claim 1. When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, and the reception frequency of a frame having the same ID as the determination target frame is predetermined. When the value is exceeded, the processing unit reports at least the information of the command included in the determination target frame.
The monitoring device according to claim 1. When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be invalid by the second determination, the processing unit reports at least the command information included in the determination target frame. ,
The monitoring device according to claim 1 or 2. When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be valid by the second determination, the processing unit has at least information on the command included in the determination target frame and the command. Report information about other commands related to
The monitoring device according to any one of claims 1 to 3. A receiver that receives frames from the communication network and
A first determination for determining whether the frame is invalid based on the result of message authentication for the frame, and a second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule. A processing unit that changes at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Equipped with a,
When the frame excluded from the first determination is determined to be invalid by the second determination, and the reception frequency of a frame having the same ID as the frame matches a predetermined value, the processing unit Report at least the command information included in the frame and the source device information of the frame with a lower priority than other communications.
Monitoring device. A receiver that receives frames from the communication network and
A first determination for determining whether the frame is invalid based on the result of message authentication for the frame, and a second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule. A processing unit that changes at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Equipped with a,
When the frame excluded from the first determination is determined to be invalid by the second determination, and the reception frequency of the frame having the same ID as the frame exceeds a predetermined value, the processing unit performs the processing unit. , Report at least command information contained in the frame with a lower priority than other communications.
Monitoring device. A receiver that receives frames from the communication network and
A first determination for determining whether the frame is invalid based on the result of message authentication for the frame, and a second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule. A processing unit that changes at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Equipped with a,
The processing unit executes a plurality of intermediate determinations based on the mode of the determination target frame and a plurality of predetermined rules, and derives the result of the second determination according to the results of the plurality of intermediate determinations. ,
When the processing unit has a result indicating that it does not conform to the rule among the results of the plurality of intermediate determinations, the processing unit notifies the external device of the result of the plurality of intermediate determinations and does not conform to the rule. Change the priority of the report according to the number of results showing
Monitoring device. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
The computer runs ,
When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, the process sets the priority of reporting the information regarding the determination target frame to another. Including the process of setting a higher priority than communication,
Monitoring method. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
The computer runs ,
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be invalid by the second determination, the process sets the priority of reporting the information regarding the determination target frame to another. Including the process of setting the priority to lower than communication,
Monitoring method. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
The computer runs ,
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be valid by the second determination, the process sets the priority of reporting the information regarding the determination target frame to the first. The judgment target frame is determined to be valid by the first determination, the priority is lower than the case where the determination target frame is determined to be invalid by the second determination, and the determination target frame is determined to be invalid by the first determination. , Including a process of setting a higher priority than when the determination target frame is determined to be invalid by the second determination.
Monitoring method. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
The computer runs ,
When the frame excluded from the first determination is determined to be invalid by the second determination, and the reception frequency of the frame having the same ID as the frame matches the predetermined value, the processing is performed. , Including a process of notifying at least command information included in the frame and information of the source device of the frame with a lower priority than other communications.
Monitoring method. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
The computer runs ,
When the frame excluded from the first determination is determined to be invalid by the second determination, and the reception frequency of the frame having the same ID as the frame exceeds a predetermined value, the processing is performed. Includes processing to report at least command information contained in the frame with a lower priority than other communications.
Monitoring method. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
The computer runs ,
The process is a process of executing a plurality of intermediate determinations based on the mode of the determination target frame and a plurality of predetermined rules, and deriving the result of the second determination according to the results of the plurality of intermediate determinations. Including
In the process, when there is a result indicating that the rule is not conformed to among the results of the plurality of intermediate determinations, the result of the plurality of intermediate determinations is notified to the external device, and the fact that the rule is not conformed to the rule. Further includes processing to change the priority of the report according to the number of results shown,
Monitoring method. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Cause the computer to execute,
When the determination target frame is determined to be valid by the first determination and the determination target frame is determined to be invalid by the second determination, the process sets the priority of reporting the information regarding the determination target frame to another. Including the process of setting a higher priority than communication,
Computer program. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Cause the computer to execute,
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be invalid by the second determination, the process sets the priority of reporting the information regarding the determination target frame to another. Including the process of setting the priority to lower than communication,
Computer program. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Cause the computer to execute,
When the determination target frame is determined to be invalid by the first determination and the determination target frame is determined to be valid by the second determination, the process sets the priority of reporting the information regarding the determination target frame to the first. The judgment target frame is determined to be valid by the first determination, the priority is lower than the case where the determination target frame is determined to be invalid by the second determination, and the determination target frame is determined to be invalid by the first determination. , Including a process of setting a higher priority than when the determination target frame is determined to be invalid by the second determination.
Computer program. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Cause the computer to execute,
When the frame excluded from the first determination is determined to be invalid by the second determination, and the reception frequency of the frame having the same ID as the frame matches the predetermined value, the processing is performed. , Including a process of notifying at least command information included in the frame and information of the source device of the frame with a lower priority than other communications.
Computer program. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Cause the computer to execute,
When the frame excluded from the first determination is determined to be invalid by the second determination, and the reception frequency of the frame having the same ID as the frame exceeds a predetermined value, the processing is performed. Includes processing to report at least command information contained in the frame with a lower priority than other communications.
Computer program. Receive a frame from the communication network
The first determination to determine whether the frame is invalid based on the result of message authentication for the frame, and
A second determination for determining whether the frame is invalid based on the mode of the frame and a predetermined rule is performed.
A process of changing at least one of the content to be notified to the external device or the priority of the notification according to the combination of the result of the first determination and the result of the second determination.
Cause the computer to execute,
The process is a process of executing a plurality of intermediate determinations based on the mode of the determination target frame and a plurality of predetermined rules, and deriving the result of the second determination according to the results of the plurality of intermediate determinations. Including
In the process, when there is a result indicating that the rule is not conformed to among the results of the plurality of intermediate determinations, the result of the plurality of intermediate determinations is notified to the external device, and the fact that the rule is not conformed to the rule. Further includes processing to change the priority of the report according to the number of results shown,
Computer program.

Images