[go: up one dir, main page]

WO2022091786A1 - Information processing device, monitoring method, program, and security system - Google Patents

Information processing device, monitoring method, program, and security system Download PDF

Info

Publication number
WO2022091786A1
WO2022091786A1 PCT/JP2021/037912 JP2021037912W WO2022091786A1 WO 2022091786 A1 WO2022091786 A1 WO 2022091786A1 JP 2021037912 W JP2021037912 W JP 2021037912W WO 2022091786 A1 WO2022091786 A1 WO 2022091786A1
Authority
WO
WIPO (PCT)
Prior art keywords
abnormality
attack
severity
determination unit
progress
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2021/037912
Other languages
French (fr)
Japanese (ja)
Inventor
章人 竹内
薫 横田
稔久 中野
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Panasonic Intellectual Property Management Co Ltd
Original Assignee
Panasonic Intellectual Property Management Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Panasonic Intellectual Property Management Co Ltd filed Critical Panasonic Intellectual Property Management Co Ltd
Publication of WO2022091786A1 publication Critical patent/WO2022091786A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/22Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Definitions

  • This disclosure relates to information processing devices, monitoring methods, programs and security systems.
  • This automatic driving system that automatically performs driving operations such as acceleration / deceleration, steering, and braking of a vehicle has been known.
  • This automatic driving system is equipped with a plurality of ECUs (Electronic Control Units) for controlling the driving operation of the vehicle.
  • a plurality of ECUs are connected to a common CAN (Controller Area Network) bus.
  • CAN Controller Area Network
  • the ECU may malfunction when an illegal CAN frame invades the CAN bus due to, for example, hacking. Therefore, a monitoring device for detecting an attack such as an unauthorized CAN frame intrusion has been proposed (see, for example, Patent Document 1).
  • the above-mentioned conventional monitoring device has a problem that security measures for vehicles are not sufficient.
  • the present disclosure provides information processing devices, monitoring methods, programs, and security systems that can enhance security measures in mobility.
  • the information processing device is an information processing device that monitors the presence or absence of an abnormality in each of a plurality of devices connected to a mobility network mounted on the mobility, and is among the plurality of devices.
  • a receiver that receives anomaly detection information indicating that an abnormality has been detected in the specific device from a specific device, and a specific device that identifies an abnormality occurrence location based on the anomaly detection information received by the receiver.
  • the attack route indicating the route of the attack causing the abnormality via one or more of the plurality of devices, and the severity of the abnormality.
  • a determination unit for determining the progress of the attack based on the determined attack route and the severity.
  • a recording medium such as a system, a method, an integrated circuit, a computer program, or a computer-readable CD-ROM (Compact Disc-Read Only Memory). It may be realized by any combination of a system, a method, an integrated circuit, a computer program and a recording medium.
  • security measures in mobility can be enhanced.
  • FIG. 1 is a block diagram showing an outline of a communication system according to an embodiment.
  • FIG. 2 is a block diagram showing a functional configuration of the monitoring ECU according to the embodiment.
  • FIG. 3 is a diagram for explaining the function of the determination unit of the monitoring ECU according to the embodiment.
  • FIG. 4 is a diagram showing an example of a correspondence list stored in the storage unit of the monitoring ECU according to the embodiment.
  • FIG. 5 is a flowchart showing the operation flow of the monitoring ECU according to the embodiment.
  • FIG. 6 is a diagram showing an example of a rule table according to a modified example of the embodiment.
  • the information processing device is an information processing device that monitors the presence or absence of an abnormality in each of a plurality of devices connected to a mobility network mounted on the mobility, and is among the plurality of devices.
  • a receiver that receives anomaly detection information indicating that an abnormality has been detected in the specific device from a specific device, and a specific device that identifies an abnormality occurrence location based on the anomaly detection information received by the receiver.
  • the attack route indicating the route of the attack causing the abnormality via one or more of the plurality of devices, and the severity of the abnormality.
  • a determination unit for determining the progress of the attack based on the determined attack route and the severity.
  • the determination unit determines the progress of the attack based on the attack route and the severity. As a result, it is possible to appropriately take measures according to the progress of the attack, and it is possible to enhance security measures in mobility.
  • each of the plurality of devices is given a score according to the depth of intrusion of the attack on the plurality of devices, and the determination unit determines each of the one or more devices included in the attack path.
  • the cumulative value of the score and the severity which is a weight according to the content of the abnormality, the degree of progress of the attack may be determined.
  • the progress of the attack can be accurately determined by considering the depth of the invasion of the attack and the content of the abnormality.
  • the determination unit may be configured to determine the degree of progress of the attack by multiplying or adding the cumulative value of the score and the severity.
  • the determination unit may be configured to determine the severity by multiplying the weight related to the type of abnormality and the weight related to the state of mobility.
  • the severity can be accurately determined.
  • the determination unit may be configured to determine the severity by multiplying the weight regarding the type of the abnormality, the weight regarding the state of the mobility, and the weight regarding the frequency of occurrence of the abnormality.
  • the severity can be determined more accurately.
  • the information processing apparatus is further specified by the specific unit and a storage unit that stores correspondence information indicating a correspondence relationship between the progress of the attack and the response to the abnormality for each abnormality occurrence location. It may be configured to include the abnormality occurrence location and the determination unit that determines the response to the abnormality from the response information based on the progress of the attack determined by the determination unit.
  • the information processing apparatus may be further configured to include a determination unit that determines a response to the anomaly based on a rule base for deriving a response to the anomaly from the attack path and the severity. good.
  • the monitoring method is a monitoring method for monitoring the presence or absence of an abnormality in each of a plurality of devices connected to the mobility network mounted on the mobility, and (a) the plurality of devices.
  • an attack route indicating a route through which the attack causing the abnormality has passed through one or more of the plurality of devices based on the abnormality detection information and the abnormality occurrence location. It includes a step of determining the severity of the abnormality and determining the degree of progress of the attack based on the determined attack route and the severity.
  • the progress of the attack is determined based on the attack route and the severity. As a result, it is possible to appropriately take measures according to the progress of the attack, and it is possible to enhance security measures in mobility.
  • the program according to one aspect of the present disclosure causes a computer to execute the above-mentioned monitoring method.
  • the security system is a security system including a mobility network mounted on the mobility and an information processing device for monitoring the presence or absence of an abnormality in each of a plurality of devices connected to the mobility network.
  • the information processing device is received by a receiving unit that receives abnormality detection information indicating that an abnormality has been detected in the specific device from a specific device among the plurality of devices, and a receiving unit.
  • a specific unit that identifies the abnormality occurrence location, and based on the abnormality detection information and the abnormality occurrence location, the attack that is the cause of the abnormality is one or more of the plurality of devices. It is provided with an attack route indicating a route via the above, a determination unit for determining the severity of the abnormality, and a determination unit for determining the progress of the attack based on the determined attack route and the severity.
  • the determination unit of the information processing device determines the progress of the attack based on the attack route and the severity. As a result, it is possible to appropriately take measures according to the progress of the attack, and it is possible to enhance security measures in mobility.
  • a recording medium such as a system, a method, an integrated circuit, a computer program or a computer-readable CD-ROM, and the system, a method, an integrated circuit, or a computer. It may be realized by any combination of a program or a recording medium.
  • FIG. 1 is a block diagram showing an outline of the communication system 2 according to the embodiment.
  • the communication system 2 is applied to an automatic driving system for automatically performing a driving operation of a vehicle 4 mounted on a vehicle 4 such as an automobile, for example.
  • Communication system 2 is an example of a security system.
  • the communication system 2 includes a CAN bus 6, a TCU (Telematics Control Unit) 8, an IVI (In-Vehicle Interface) 10, an integrated ECU 12, a body ECU 14, and an ADAS (Advanced Driver Assistance). It includes a System) system ECU 16 and a monitoring ECU 18.
  • the vehicle 4 is an example of mobility
  • the CAN bus 6 is an example of a mobility network.
  • Each of TCU8, IVI10, integrated ECU12, body-based ECU14 and ADAS-based ECU16 is an example of equipment.
  • the monitoring ECU 18 is an example of an information processing device.
  • the CAN bus 6 is an in-vehicle network that communicates according to, for example, the CAN protocol, and is mounted on the vehicle 4.
  • the TCU 8, IVI10, integrated ECU 12, body ECU 14, ADAS ECU 16 and monitoring ECU 18 are communicably connected to each other via the CAN bus 6.
  • the TCU 8 is a communication module for executing wireless communication with the outside of the vehicle 4.
  • the TCU 8 is connected to the integrated ECU 12 via the CAN bus 6. Further, the TCU 8 can be connected to a network (for example, the Internet or the like) outside the vehicle 4.
  • the TCU 8 has a defense block 20 and an HIDS (Host-based Intrusion Detection System) 22.
  • the defense blocks 20 and HIDS 22 are connected to each other inside the TCU 8.
  • the defense block 20 has a function of detecting an abnormality (for example, an authentication error) in the TCU 8.
  • the defense block 20 transmits the abnormality detection information indicating that the abnormality is detected in the TCU 8 to the monitoring ECU 18 via the CAN bus 6.
  • the HIDS 22 is a host-based intrusion detection system (IDS) for detecting anomalies in the TCU 8 (eg, unauthorized CAN frame intrusion, etc.).
  • IDS intrusion detection system
  • the HIDS 22 transmits the abnormality detection information indicating that the abnormality is detected in the TCU 8 to the monitoring ECU 18 via the CAN bus 6.
  • the IVI10 is an information device for displaying various information to the occupants of the vehicle 4, for example, a car navigation device.
  • the IVI 10 is connected to the integrated ECU 12 via the CAN bus 6. Further, the IVI 10 can be connected to a network (for example, the Internet or the like) outside the vehicle 4.
  • IVI10 has a defense block 24 and an HIDS 26. The defense blocks 24 and HIDS 26 are connected to each other inside the IVI10.
  • the defense block 24 has a function of detecting an abnormality in IVI10. When the abnormality is detected, the defense block 24 transmits the abnormality detection information indicating that the abnormality is detected in the IVI 10 to the monitoring ECU 18 via the CAN bus 6.
  • HIDS26 is a host-based intrusion detection system for detecting anomalies in IVI10. When the HIDS 26 detects an abnormality, the HIDS 26 transmits the abnormality detection information indicating that the abnormality is detected in the IVI 10 to the monitoring ECU 18 via the CAN bus 6.
  • the integrated ECU 12 has NIDS 28, 30 and defense blocks 32, 34.
  • the NIDS 28 and the defense block 32 are connected to each other inside the integrated ECU 12.
  • the NIDS 28 is connected to the HIDS 22 of the TCU 8 via the CAN bus 6.
  • the defense block 32 is connected to the body system ECU 14 via the CAN bus 6.
  • the NIDS 30 and the defense block 34 are connected to each other inside the integrated ECU 12.
  • the NIDS 30 is connected to the HIDS 26 of the IVI 10 via the CAN bus 6.
  • the defense block 34 is connected to the ADAS system ECU 16 via the CAN bus 6.
  • NIDS 28 is a network-based intrusion detection system for detecting an abnormality in the integrated ECU 12 (for example, an illegal CAN frame intrusion, etc.).
  • the NIDS 28 detects an abnormality
  • the NIDS 28 transmits the abnormality detection information indicating that the abnormality has been detected in the integrated ECU 12 to the monitoring ECU 18 via the CAN bus 6.
  • the defense block 32 has a function of detecting an abnormality in the integrated ECU 12.
  • the defense block 32 transmits the abnormality detection information indicating that the abnormality is detected in the integrated ECU 12 to the monitoring ECU 18 via the CAN bus 6.
  • NIDS 30 is a network-based intrusion detection system for detecting abnormalities in the integrated ECU 12.
  • the NIDS 30 transmits abnormality detection information indicating that the abnormality has been detected in the integrated ECU 12 to the monitoring ECU 18 via the CAN bus 6.
  • the defense block 34 has a function of detecting an abnormality in the integrated ECU 12.
  • the defense block 34 transmits the abnormality detection information indicating that the abnormality is detected in the integrated ECU 12 to the monitoring ECU 18 via the CAN bus 6.
  • the body system ECU 14 is an electronic control unit for controlling the functions of the vehicle body such as the door lock, power window, air conditioner, light and winker of the vehicle 4, for example.
  • the body system ECU 14 has an intrusion detection system for detecting an abnormality in the body system ECU 14.
  • the intrusion detection system detects an abnormality
  • the intrusion detection system transmits the abnormality detection information indicating that the abnormality has been detected in the body system ECU 14 to the monitoring ECU 18 via the CAN bus 6.
  • the ADAS system ECU 16 is an electronic control unit for controlling the driving operation of the vehicle 4 in the advanced driver assistance system (ADAS), for example, acceleration / deceleration, steering and braking of the vehicle 4.
  • ADAS advanced driver assistance system
  • the ADAS system ECU 16 has an intrusion detection system for detecting an abnormality in the ADAS system ECU 16.
  • the intrusion detection system detects an abnormality
  • the intrusion detection system transmits the abnormality detection information indicating that the abnormality has been detected in the ADAS system ECU 16 to the monitoring ECU 18 via the CAN bus 6.
  • the monitoring ECU 18 is connected to the integrated ECU 12 via the CAN bus 6.
  • the monitoring ECU 18 monitors whether or not an abnormality has occurred in the TCU 8, IVI10, integrated ECU 12, body system ECU 14, and ADAS system ECU 16.
  • the functional configuration of the monitoring ECU 18 will be described later.
  • the defense block 20 of the TCU 8, the HIDS 22 of the TCU 8, the NIDS 28 of the integrated ECU 12, the defense block 32 of the integrated ECU 12, and the body system ECU 14 are connected in series in this order. Further, the defense block 24 of the IVI10, the HIDS26 of the IVI10, the NIDS30 of the integrated ECU 12, the defense block 34 of the integrated ECU 12, and the ADAS system ECU 16 are connected in series in this order.
  • An attack on the communication system 2 (for example, an unauthorized CAN frame intrusion) is carried out along an attack path from the defense block 20 of the TCU 8 closest to the external network of the vehicle 4 to the body system ECU 14 farthest from the external network. It progresses sequentially. For example, if the defense block 20 of the TCU 8 closest to the external network of the vehicle 4 is attacked, the HIDS 22 of the TCU 8 is attacked next. After that, the NIDS 28 of the integrated ECU 12 and the defense block 32 of the integrated ECU 12 are attacked in this order, and finally the body system ECU 14 is attacked.
  • the attack on the communication system 2 proceeds sequentially along the attack route from the defense block 24 of the IVI 10 closest to the external network of the vehicle 4 to the ADAS system ECU 16 farthest from the external network. For example, if the defense block 24 of IVI10 closest to the external network of vehicle 4 is attacked, the HIDS26 of IVI10 is attacked next. After that, the NIDS 30 of the integrated ECU 12 and the defense block 34 of the integrated ECU 12 are attacked in this order, and finally the ADAS system ECU 16 is attacked.
  • the extent to which an attack has invaded communication system 2 can be expressed as the depth of intrusion. If the location of the intrusion is closest to the network outside the vehicle 4, the depth of intrusion can be described as the shallowest. On the other hand, if the location of the intrusion is the furthest from the external network of the vehicle 4, the depth of the intrusion can be described as the deepest. In the present embodiment, the depth of intrusion is expressed in five stages of "1" to "5", where "1" is the shallowest depth and "5" is the deepest depth.
  • the depth is "1" at the position of the defense block 20 of the TCU 8
  • the depth is “2” at the position of the HIDS 22 of the TCU 8
  • the depth is "3” at the position of the NIDS 28 of the integrated ECU 12.
  • the depth is "4" at the position of the defense block 32 of the ECU 12, and the depth is "5" at the position of the body system ECU 14.
  • the depth is "1" at the position of the defense block 24 of IVI10, the depth is “2” at the position of HIDS26 of IVI10, and the depth is “3” at the position of NIDS30 of the integrated ECU 12.
  • the depth is "4" at the position of the defense block 34 of the integrated ECU 12, and the depth is "5" at the position of the ADAS system ECU 16.
  • FIG. 2 is a block diagram showing a functional configuration of the monitoring ECU 18 according to the embodiment.
  • FIG. 3 is a diagram for explaining the function of the determination unit 40 of the monitoring ECU 18 according to the embodiment.
  • FIG. 4 is a diagram showing an example of a correspondence list stored in the storage unit 48 of the monitoring ECU 18 according to the embodiment.
  • the monitoring ECU 18 includes a receiving unit 36, a specific unit 38, a determination unit 40, a storage unit 48, a determination unit 50, and a control unit 52.
  • the receiving unit 36 receives the abnormality detection information transmitted from a specific device among the TCU8, IVI10, integrated ECU12, body system ECU14 and ADAS system ECU16.
  • the identification unit 38 identifies the abnormality occurrence location based on the abnormality detection information received by the reception unit 36.
  • the determination unit 40 has an attack route determination unit 42, a severity determination unit 44, and an attack progress degree determination unit 46.
  • the attack route determination unit 42 determines the attack route based on the abnormality occurrence location specified by the specific unit 38.
  • the attack route is a route in which the attack that is the cause of the abnormality passes through one or more of the TCU8, IVI10, integrated ECU12, body-based ECU14, and ADAS-based ECU16.
  • the attack route determination unit 42 determines “TCU 8 defense block 20 ⁇ TCU 8 HIDS 22” based on the abnormality occurrence location specified by the specific unit 38. The attack route is determined.
  • the attack route determination unit 42 determines the “defense block 24 of IVI10 ⁇ ” based on the abnormality occurrence location specified by the specific unit 38.
  • HIDS26 of IVI10 ⁇ NIDS30 of integrated ECU12 ⁇ defense block 34 of integrated ECU12 ” is determined.
  • each of the TCU8, IVI10, integrated ECU12, body-based ECU14, and ADAS-based ECU16 is given a score in advance according to the depth of intrusion of an attack on these plurality of devices.
  • the score is a preset score (numerical value) based on the security strength of each device and the degree of influence on the vehicle 4, and increases as the depth of intrusion of an attack increases.
  • the defense block 20 of the TCU 8 has a score of "1"
  • the HIDS 22 of the TCU 8 has a score of "2”
  • the NIDS 28 of the integrated ECU 12 has a score of "4"
  • the defense block 32 of the integrated ECU 12 has a score of "4". Is given a score of "6”
  • the body ECU 14 is given a score of "8".
  • the defense block 24 of IVI10 has a score of "3"
  • the HIDS26 of IVI10 has a score of "4"
  • the NIDS30 of the integrated ECU 12 has a score of "6”
  • the defense block 34 of the integrated ECU 12 has a score of "8”.
  • a score of "10" is given to each of the ECUs 16.
  • the attack route determination unit 42 determines the attack route of "IVI10 defense block 24-> IVI10 HIDS26-> integrated ECU12 NIDS30-> integrated ECU12 defense block 34"
  • the score "4" of HIDS26 of IVI10 the score "6" of NIDS30 of the integrated ECU12
  • the severity determination unit 44 determines the severity, which is a weight according to the content of the abnormality, based on the abnormality detection information received by the reception unit 36. Specifically, as shown in FIG. 3B, the severity determination unit 44 determines the severity by multiplying the weight related to the abnormality type and the weight related to the vehicle state. Examples of the abnormality type include “cycle abnormality” and "payload abnormality”, and the weight of "cycle abnormality” is set to “1" and the weight of "payload abnormality” is set to "3" in advance. Further, the vehicle state includes, for example, “stopped” and “high-speed running”, and the weight of "stopped” is set to "1” and the weight of "stopped” is set to "4" in advance.
  • the severity determination unit 44 determines that the abnormality type is "cycle abnormality” and the vehicle state is “stopped” based on the abnormality detection information received by the reception unit 36.
  • the attack progress determination unit 46 determines the progress of the attack based on the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44. Specifically, as shown in FIG. 3B, the attack progress degree determination unit 46 has the cumulative value of the score calculated by the attack route determination unit 42 and the severity determined by the severity determination unit 44. By multiplying with and (an example of calculation), the progress of the attack is determined.
  • the storage unit 48 stores a plurality of correspondence lists.
  • the response list is an example of response information showing the correspondence relationship between the progress of the attack and the response to the abnormality for each abnormality occurrence location. In the response list, the greater the progress of the attack, the more urgent the response is associated.
  • the correspondence list is, for example, a data table as shown in FIGS. 4A to 4C.
  • the location where the abnormality occurs is HIDS26 of IVI10, and the response to the attack progress degree "5" is to be dealt with “notify the driver” and the attack progress degree is "10".
  • Correspondence "notification to center” is associated with “network cutoff” and attack progress degree "15" respectively.
  • the location where the abnormality occurs is NIDS28 of the integrated ECU 12, and the response is to "notify the driver” for the attack progress "10" and for the attack progress "15".
  • the response "notify the center” and the response “signal invalidation” are associated with the progress of the attack "20”.
  • the location where the abnormality occurs is the ADAS system ECU 16, which corresponds to the attack progress degree “15” and corresponds to the attack progress degree “20”.
  • Correspondence “degenerate operation” is associated with “notification to center” and attack progress degree “25” respectively.
  • the storage unit 48 responds not only to the data tables shown in FIGS. I remember multiple lists.
  • the determination unit 50 responds to the abnormality from the response list stored in the storage unit 48 based on the abnormality occurrence location specified by the specific unit 38 and the progress of the attack determined by the attack progress determination unit 46. decide.
  • the determination unit 50 determines.
  • the correspondence "network cutoff" associated with the attack progress degree "10" is determined.
  • the determination unit 50 may be used.
  • the correspondence "degenerate operation" associated with the attack progress degree "25" is determined by referring to the correspondence list shown in FIG. 4 (c).
  • the control unit 52 controls the body system ECU 14, the ADAS system ECU 16, and the like so as to execute the correspondence determined by the determination unit 50. For example, when the determination unit 50 determines the "degenerate operation" as a response to an abnormality, the control unit 52 controls the ADAS system ECU 16 and the like so as to cause the vehicle 4 to perform a degenerate operation (an operation of decelerating and stopping the vehicle 4). do.
  • a degenerate operation an operation of decelerating and stopping the vehicle 4.
  • FIG. 5 is a flowchart showing the operation flow of the monitoring ECU 18 according to the embodiment.
  • the receiving unit 36 receives the abnormality detection information transmitted from a specific device among the TCU8, IVI10, integrated ECU12, body system ECU14, and ADAS system ECU16 (S101).
  • the identification unit 38 identifies an abnormality occurrence location based on the abnormality detection information received by the reception unit 36 (S102).
  • the attack route determination unit 42 determines the attack route based on the abnormality occurrence location specified by the specific unit 38. Further, the severity determination unit 44 determines the severity based on the abnormality detection information received by the reception unit 36. The attack progress determination unit 46 determines the progress of the attack based on the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44 (S103).
  • the determination unit 50 corresponds to the response list stored in the storage unit 48 based on the abnormality occurrence location specified by the specific unit 38 and the progress of the attack determined by the attack progress determination unit 46. It is determined whether or not it exists (S104).
  • the determination unit 50 determines the response to the abnormality from the response list. As a result, the control unit 52 controls the body-based ECU 14, the ADAS-based ECU 16, and the like, and executes the response determined by the determination unit 50 (S105).
  • step S104 if there is no corresponding correspondence in the correspondence list (NO in S104), the process ends.
  • the attack progress determination unit 46 determines the progress of the attack based on the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44. .. As a result, it is possible to appropriately take measures according to the progress of the attack, and it is possible to enhance security measures in the vehicle 4.
  • the determination unit 50 stores the correspondence stored in the storage unit 48 based on the abnormality occurrence location specified by the specific unit 38 and the progress of the attack determined by the attack progress determination unit 46.
  • the response to the anomaly was decided from the list.
  • the determination unit 50 may determine the response to the abnormality, for example, as follows.
  • the determination unit 50 is based on the attack route determined by the attack route determination unit 42 and the rule base for deriving the response to the abnormality from the severity determined by the severity determination unit 44. Determine the response to the anomaly.
  • the storage unit 48 is a rule base for deriving a response to an abnormality from the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44.
  • the table is a rule base for deriving a response to an abnormality from the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44.
  • FIG. 6 is a diagram showing an example of a rule table according to a modified example of the embodiment.
  • the rule table has a) abnormality occurrence location 1, b) abnormality occurrence location 2, c) abnormality occurrence location 3, d) abnormality occurrence location 4, e) abnormality type, f) vehicle status, and , G) Includes correspondence.
  • the attack route determined by the attack route determination unit 42 is "defense block 24 of IVI10 ⁇ HIDS26 of IVI10 ⁇ NIDS30 of the integrated ECU 12", and the abnormality type determined by the severity determination unit 44 is “cycle abnormality”.
  • the determination unit 50 determines the No. 1 of the rule table shown in FIG. The corresponding "signal invalidation" is derived from the third line.
  • the determination unit 50 has described an example of determining the response to the abnormality using the rule table, but the present invention is not limited to this, and the response to the abnormality may be determined by, for example, fuzzy reasoning.
  • the determination unit 50 may determine the response to the abnormality by using a machine learning model such as a neural network.
  • the determination unit 50 may acquire an attack route, an abnormality type, a vehicle state, and a machine learning model, and determine a response to the abnormality based on the acquired attack route, an abnormality type, a vehicle state, and a machine learning model. ..
  • the acquisition of a machine learning model is, for example, reading information such as network parameters and an algorithm for calculation (machine learning algorithm) in the machine learning model from a storage unit.
  • the machine learning model is learned by machine learning using at least one of the items shown in FIG. 6 as input information and the correspondence corresponding to the input information as teacher data.
  • the determination unit 50 acquires the output obtained by inputting the current attack route, abnormality type, and vehicle state into the trained machine learning model as the determined response.
  • the machine learning model is not limited to the neural network, and may be, for example, a random forest or a decision tree.
  • monitoring ECU 18 As an application example of the monitoring ECU 18 according to the present disclosure, application to security measures in an in-vehicle network mounted on a vehicle 4 such as an automobile has been described, but the scope of application of the monitoring ECU 18 according to the present disclosure is this. Not limited to.
  • the monitoring ECU 18 according to the present disclosure is not limited to the vehicle 4 such as an automobile, and may be applied to any mobility such as construction machinery, agricultural machinery, ships, railways, and airplanes.
  • the severity determination unit 44 determines the severity by multiplying the weight related to the abnormality type and the weight related to the vehicle state, but the severity is not limited to this, and the weight related to the abnormality type and the weight related to the abnormality type are used.
  • the severity may be determined by multiplying the weight related to the vehicle state and the weight related to the frequency of occurrence of anomalies (the number of times anomaly detection information is received per unit time).
  • the attack progress determination unit 46 attacks by multiplying the cumulative value of the score calculated by the attack route determination unit 42 and the severity determined by the severity determination unit 44.
  • the degree of progress was determined, but it is not limited to this.
  • the attack progress determination unit 46 determines the progress of the attack by adding the cumulative value of the score calculated by the attack route determination unit 42 and the severity determined by the severity determination unit 44. You may.
  • the information processing device (monitoring ECU 18) is mounted on the vehicle 4
  • the present invention is not limited to this, and the information processing device may be arranged outside the vehicle 4.
  • the information processing device is composed of, for example, a server installed in an SOC (Security Operation Center) outside the vehicle 4, and the security system is composed of the information processing device and the mobility network (CAN bus 6).
  • the server or the like (information processing device) installed in the SCO has the function of the monitoring ECU 18 described above. Therefore, in the SOC, for example, the progress of the attack is determined, and the response to the abnormality is determined.
  • the alert is not notified to the SOC analyst (the alert is discarded), and if the progress of the attack is more than the above threshold value, the SOC analyst is not notified. May be notified of an alert.
  • each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component.
  • Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory.
  • a part or all of the functions of the information processing apparatus according to the above embodiment may be realized by executing a program by a processor such as a CPU.
  • a part or all of the components constituting each of the above devices may be composed of an IC card or a single module that can be attached to and detached from each device.
  • the IC card or the module is a computer system composed of a microprocessor, ROM, RAM and the like.
  • the IC card or the module may include the above-mentioned super multifunctional LSI.
  • the microprocessor operates according to a computer program, the IC card or the module achieves its function. This IC card or this module may have tamper resistance.
  • the present disclosure may be the method shown above. Further, it may be a computer program that realizes these methods by a computer, or it may be a digital signal composed of the computer program.
  • the present disclosure also discloses a non-temporary recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, or a BD (Blu) that can read the computer program or the digital signal by a computer.
  • -It may be recorded on a ray (registered trademark) Disc), a semiconductor memory, or the like. Further, it may be the digital signal recorded on these recording media.
  • the computer program or the digital signal may be transmitted via a telecommunication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like.
  • the present disclosure is a computer system including a microprocessor and a memory, in which the memory stores the computer program, and the microprocessor may operate according to the computer program. It is also carried out by another independent computer system by recording and transferring the program or the digital signal on the recording medium, or by transferring the program or the digital signal via the network or the like. It may be.
  • the information processing device can be applied to, for example, an automatic driving system mounted on a vehicle.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mechanical Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Small-Scale Networks (AREA)

Abstract

A monitoring ECU (18) comprises: a reception unit (36) that receives abnormality detection information from a specific instrument among a plurality of instruments connected to a CAN bus (6), said abnormality detection information indicating that an abnormality was detected in the specific device; an identification unit (38) that identifies the location of occurrence of the abnormality on the basis of the abnormality detection information received by the reception unit (36); and a determination unit (40) whereby an attack route indicating the route by which an attack that is the cause of the abnormality passed through one or more of the instruments among the plurality of instruments and the severity of the abnormality are determined on the basis of the abnormality detection information and the location of occurrence of the abnormality, and the progress of the attack is determined on the basis of the determined attack route and the severity.

Description

情報処理装置、監視方法、プログラム及びセキュリティシステムInformation processing equipment, monitoring methods, programs and security systems

 本開示は、情報処理装置、監視方法、プログラム及びセキュリティシステムに関する。 This disclosure relates to information processing devices, monitoring methods, programs and security systems.

 近年、車両の加減速、操舵及び制動等の運転操作を自動で行う自動運転システムが知られている。この自動運転システムは、車両の運転操作を制御するための複数のECU(Electronic Control Unit)を備えている。複数のECUは、共通のCAN(Controller Area Network)バスに接続されている。これにより、送信側のECUから送信されたCANフレームは、CANバスを介して受信側のECUで受信される。 In recent years, an automatic driving system that automatically performs driving operations such as acceleration / deceleration, steering, and braking of a vehicle has been known. This automatic driving system is equipped with a plurality of ECUs (Electronic Control Units) for controlling the driving operation of the vehicle. A plurality of ECUs are connected to a common CAN (Controller Area Network) bus. As a result, the CAN frame transmitted from the ECU on the transmitting side is received by the ECU on the receiving side via the CAN bus.

 上述した自動運転システムでは、例えばハッキング等により不正なCANフレームがCANバス上に侵入した場合に、ECUが誤動作するおそれがある。そのため、不正なCANフレームの侵入等の攻撃を検出するための監視装置が提案されている(例えば、特許文献1参照)。 In the above-mentioned automatic operation system, the ECU may malfunction when an illegal CAN frame invades the CAN bus due to, for example, hacking. Therefore, a monitoring device for detecting an attack such as an unauthorized CAN frame intrusion has been proposed (see, for example, Patent Document 1).

国際公開第2016/080422号International Publication No. 2016/080422

 しかしながら、上述した従来の監視装置では、車両におけるセキュリティ対策が十分とは言えないという課題が生じる。 However, the above-mentioned conventional monitoring device has a problem that security measures for vehicles are not sufficient.

 そこで、本開示は、モビリティにおけるセキュリティ対策を高めることができる情報処理装置、監視方法、プログラム及びセキュリティシステムを提供する。 Therefore, the present disclosure provides information processing devices, monitoring methods, programs, and security systems that can enhance security measures in mobility.

 本開示の一態様に係る情報処理装置は、モビリティに搭載されたモビリティネットワークに接続された複数の機器の各々における異常の発生の有無を監視する情報処理装置であって、前記複数の機器のうち特定の機器から、当該特定の機器において異常が検出されたことを示す異常検出情報を受信する受信部と、前記受信部により受信された前記異常検出情報に基づいて、異常発生箇所を特定する特定部と、前記異常検出情報及び前記異常発生箇所に基づいて、前記異常の原因である攻撃が前記複数の機器のうち1以上の機器を経由した経路を示す攻撃経路と、前記異常に関する深刻度と、を判定し、判定した前記攻撃経路及び前記深刻度に基づいて、前記攻撃の進行度合を判定する判定部と、を備える。 The information processing device according to one aspect of the present disclosure is an information processing device that monitors the presence or absence of an abnormality in each of a plurality of devices connected to a mobility network mounted on the mobility, and is among the plurality of devices. A receiver that receives anomaly detection information indicating that an abnormality has been detected in the specific device from a specific device, and a specific device that identifies an abnormality occurrence location based on the anomaly detection information received by the receiver. Based on the abnormality detection information and the abnormality occurrence location, the attack route indicating the route of the attack causing the abnormality via one or more of the plurality of devices, and the severity of the abnormality. , And a determination unit for determining the progress of the attack based on the determined attack route and the severity.

 なお、これらの包括的又は具体的な態様は、システム、方法、集積回路、コンピュータプログラム又はコンピュータで読み取り可能なCD-ROM(Compact Disc-Read Only Memory)等の記録媒体で実現されてもよく、システム、方法、集積回路、コンピュータプログラム及び記録媒体の任意な組み合わせで実現されてもよい。 It should be noted that these comprehensive or specific embodiments may be realized by a recording medium such as a system, a method, an integrated circuit, a computer program, or a computer-readable CD-ROM (Compact Disc-Read Only Memory). It may be realized by any combination of a system, a method, an integrated circuit, a computer program and a recording medium.

 本開示の一態様に係る情報処理装置等によれば、モビリティにおけるセキュリティ対策を高めることができる。 According to the information processing device or the like according to one aspect of the present disclosure, security measures in mobility can be enhanced.

図1は、実施の形態に係る通信システムの概要を示すブロック図である。FIG. 1 is a block diagram showing an outline of a communication system according to an embodiment. 図2は、実施の形態に係る監視ECUの機能構成を示すブロック図である。FIG. 2 is a block diagram showing a functional configuration of the monitoring ECU according to the embodiment. 図3は、実施の形態に係る監視ECUの判定部の機能を説明するための図である。FIG. 3 is a diagram for explaining the function of the determination unit of the monitoring ECU according to the embodiment. 図4は、実施の形態に係る監視ECUの記憶部に記憶された対応リストの一例を示す図である。FIG. 4 is a diagram showing an example of a correspondence list stored in the storage unit of the monitoring ECU according to the embodiment. 図5は、実施の形態に係る監視ECUの動作の流れを示すフローチャートである。FIG. 5 is a flowchart showing the operation flow of the monitoring ECU according to the embodiment. 図6は、実施の形態の変形例に係るルールテーブルの一例を示す図である。FIG. 6 is a diagram showing an example of a rule table according to a modified example of the embodiment.

 本開示の一態様に係る情報処理装置は、モビリティに搭載されたモビリティネットワークに接続された複数の機器の各々における異常の発生の有無を監視する情報処理装置であって、前記複数の機器のうち特定の機器から、当該特定の機器において異常が検出されたことを示す異常検出情報を受信する受信部と、前記受信部により受信された前記異常検出情報に基づいて、異常発生箇所を特定する特定部と、前記異常検出情報及び前記異常発生箇所に基づいて、前記異常の原因である攻撃が前記複数の機器のうち1以上の機器を経由した経路を示す攻撃経路と、前記異常に関する深刻度と、を判定し、判定した前記攻撃経路及び前記深刻度に基づいて、前記攻撃の進行度合を判定する判定部と、を備える。 The information processing device according to one aspect of the present disclosure is an information processing device that monitors the presence or absence of an abnormality in each of a plurality of devices connected to a mobility network mounted on the mobility, and is among the plurality of devices. A receiver that receives anomaly detection information indicating that an abnormality has been detected in the specific device from a specific device, and a specific device that identifies an abnormality occurrence location based on the anomaly detection information received by the receiver. Based on the abnormality detection information and the abnormality occurrence location, the attack route indicating the route of the attack causing the abnormality via one or more of the plurality of devices, and the severity of the abnormality. , And a determination unit for determining the progress of the attack based on the determined attack route and the severity.

 本態様によれば、判定部は、攻撃経路及び深刻度に基づいて、攻撃の進行度合を判定する。これにより、攻撃の進行度合に応じた対応を適切に実行することができ、モビリティにおけるセキュリティ対策を高めることができる。 According to this aspect, the determination unit determines the progress of the attack based on the attack route and the severity. As a result, it is possible to appropriately take measures according to the progress of the attack, and it is possible to enhance security measures in mobility.

 例えば、前記複数の機器の各々には、前記複数の機器に対する前記攻撃の侵入の深度に応じたスコアが付与されており、前記判定部は、前記攻撃経路に含まれる前記1以上の機器の各々の前記スコアの累積値と、前記異常の内容に応じた重みである前記深刻度と、を演算することにより、前記攻撃の進行度合を判定するように構成してもよい。 For example, each of the plurality of devices is given a score according to the depth of intrusion of the attack on the plurality of devices, and the determination unit determines each of the one or more devices included in the attack path. By calculating the cumulative value of the score and the severity, which is a weight according to the content of the abnormality, the degree of progress of the attack may be determined.

 本態様によれば、攻撃の侵入の深度と、異常の内容とを考慮することにより、攻撃の進行度合を精度良く判定することができる。 According to this aspect, the progress of the attack can be accurately determined by considering the depth of the invasion of the attack and the content of the abnormality.

 例えば、前記判定部は、前記スコアの累積値と、前記深刻度と、を乗算又は加算することにより、前記攻撃の進行度合を判定するように構成してもよい。 For example, the determination unit may be configured to determine the degree of progress of the attack by multiplying or adding the cumulative value of the score and the severity.

 本態様によれば、攻撃の進行度合の演算を容易に行うことができる。 According to this aspect, it is possible to easily calculate the degree of progress of an attack.

 例えば、前記判定部は、前記異常の種別に関する重みと、前記モビリティの状態に関する重みと、を乗算することにより、前記深刻度を判定するように構成してもよい。 For example, the determination unit may be configured to determine the severity by multiplying the weight related to the type of abnormality and the weight related to the state of mobility.

 本態様によれば、深刻度を精度良く判定することができる。 According to this aspect, the severity can be accurately determined.

 例えば、前記判定部は、前記異常の種別に関する重みと、前記モビリティの状態に関する重みと、異常発生頻度に関する重みと、を乗算することにより、前記深刻度を判定するように構成してもよい。 For example, the determination unit may be configured to determine the severity by multiplying the weight regarding the type of the abnormality, the weight regarding the state of the mobility, and the weight regarding the frequency of occurrence of the abnormality.

 本態様によれば、深刻度をより精度良く判定することができる。 According to this aspect, the severity can be determined more accurately.

 例えば、前記情報処理装置は、さらに、前記異常発生箇所毎に、前記攻撃の進行度合と、前記異常に対する対応との対応関係を示す対応情報を記憶する記憶部と、前記特定部により特定された前記異常発生箇所、及び、前記判定部により判定された前記攻撃の進行度合に基づいて、前記対応情報から前記異常に対する対応を決定する決定部と、を備えるように構成してもよい。 For example, the information processing apparatus is further specified by the specific unit and a storage unit that stores correspondence information indicating a correspondence relationship between the progress of the attack and the response to the abnormality for each abnormality occurrence location. It may be configured to include the abnormality occurrence location and the determination unit that determines the response to the abnormality from the response information based on the progress of the attack determined by the determination unit.

 本態様によれば、対応情報に基づいて、異常に対する対応を適切に決定することができる。 According to this aspect, it is possible to appropriately determine the response to the abnormality based on the response information.

 例えば、前記情報処理装置は、さらに、前記攻撃経路及び前記深刻度から前記異常に対する対応を導出するためのルールベースに基づいて、前記異常に対する対応を決定する決定部を備えるように構成してもよい。 For example, the information processing apparatus may be further configured to include a determination unit that determines a response to the anomaly based on a rule base for deriving a response to the anomaly from the attack path and the severity. good.

 本態様によれば、ルールベースに基づいて、異常に対する対応を適切に決定することができる。 According to this aspect, it is possible to appropriately determine the response to the abnormality based on the rule base.

 本開示の一態様に係る監視方法は、モビリティに搭載されたモビリティネットワークに接続された複数の機器の各々における異常の発生の有無を監視する監視方法であって、(a)前記複数の機器のうち特定の機器から、当該特定の機器において異常が検出されたことを示す異常検出情報を受信するステップと、(b)前記(a)で受信された前記異常検出情報に基づいて、異常発生箇所を特定するステップと、(c)前記異常検出情報及び前記異常発生箇所に基づいて、前記異常の原因である攻撃が前記複数の機器のうち1以上の機器を経由した経路を示す攻撃経路と、前記異常に関する深刻度と、を判定し、判定した前記攻撃経路及び前記深刻度に基づいて、前記攻撃の進行度合を判定するステップと、を含む。 The monitoring method according to one aspect of the present disclosure is a monitoring method for monitoring the presence or absence of an abnormality in each of a plurality of devices connected to the mobility network mounted on the mobility, and (a) the plurality of devices. Among them, a step of receiving anomaly detection information indicating that an abnormality has been detected in the specific device from a specific device, and (b) an abnormality occurrence location based on the abnormality detection information received in (a) above. And (c) an attack route indicating a route through which the attack causing the abnormality has passed through one or more of the plurality of devices based on the abnormality detection information and the abnormality occurrence location. It includes a step of determining the severity of the abnormality and determining the degree of progress of the attack based on the determined attack route and the severity.

 本態様によれば、攻撃経路及び深刻度に基づいて、攻撃の進行度合を判定する。これにより、攻撃の進行度合に応じた対応を適切に実行することができ、モビリティにおけるセキュリティ対策を高めることができる。 According to this aspect, the progress of the attack is determined based on the attack route and the severity. As a result, it is possible to appropriately take measures according to the progress of the attack, and it is possible to enhance security measures in mobility.

 本開示の一態様に係るプログラムは、上述した監視方法をコンピュータに実行させる。 The program according to one aspect of the present disclosure causes a computer to execute the above-mentioned monitoring method.

 本開示の一態様に係るセキュリティシステムは、モビリティに搭載されたモビリティネットワークと、前記モビリティネットワークに接続された複数の機器の各々における異常の発生の有無を監視する情報処理装置と、を含むセキュリティシステムであって、前記情報処理装置は、前記複数の機器のうち特定の機器から、当該特定の機器において異常が検出されたことを示す異常検出情報を受信する受信部と、前記受信部により受信された前記異常検出情報に基づいて、異常発生箇所を特定する特定部と、前記異常検出情報及び前記異常発生箇所に基づいて、前記異常の原因である攻撃が前記複数の機器のうち1以上の機器を経由した経路を示す攻撃経路と、前記異常に関する深刻度と、を判定し、判定した前記攻撃経路及び前記深刻度に基づいて、前記攻撃の進行度合を判定する判定部と、を備える。 The security system according to one aspect of the present disclosure is a security system including a mobility network mounted on the mobility and an information processing device for monitoring the presence or absence of an abnormality in each of a plurality of devices connected to the mobility network. The information processing device is received by a receiving unit that receives abnormality detection information indicating that an abnormality has been detected in the specific device from a specific device among the plurality of devices, and a receiving unit. Based on the abnormality detection information, a specific unit that identifies the abnormality occurrence location, and based on the abnormality detection information and the abnormality occurrence location, the attack that is the cause of the abnormality is one or more of the plurality of devices. It is provided with an attack route indicating a route via the above, a determination unit for determining the severity of the abnormality, and a determination unit for determining the progress of the attack based on the determined attack route and the severity.

 本態様によれば、情報処理装置の判定部は、攻撃経路及び深刻度に基づいて、攻撃の進行度合を判定する。これにより、攻撃の進行度合に応じた対応を適切に実行することができ、モビリティにおけるセキュリティ対策を高めることができる。 According to this aspect, the determination unit of the information processing device determines the progress of the attack based on the attack route and the severity. As a result, it is possible to appropriately take measures according to the progress of the attack, and it is possible to enhance security measures in mobility.

 なお、これらの包括的又は具体的な態様は、システム、方法、集積回路、コンピュータプログラム又はコンピュータで読み取り可能なCD-ROM等の記録媒体で実現されてもよく、システム、方法、集積回路、コンピュータプログラム又は記録媒体の任意な組み合わせで実現されてもよい。 It should be noted that these comprehensive or specific embodiments may be realized by a recording medium such as a system, a method, an integrated circuit, a computer program or a computer-readable CD-ROM, and the system, a method, an integrated circuit, or a computer. It may be realized by any combination of a program or a recording medium.

 以下、実施の形態について、図面を参照しながら具体的に説明する。 Hereinafter, embodiments will be specifically described with reference to the drawings.

 なお、以下で説明する実施の形態は、いずれも包括的又は具体的な例を示すものである。以下の実施の形態で示される数値、形状、材料、構成要素、構成要素の配置位置及び接続形態、ステップ、ステップの順序等は、一例であり、本開示を限定する主旨ではない。また、以下の実施の形態における構成要素のうち、最上位概念を示す独立請求項に記載されていない構成要素については、任意の構成要素として説明される。 Note that all of the embodiments described below show comprehensive or specific examples. The numerical values, shapes, materials, components, arrangement positions and connection forms of the components, steps, the order of steps, etc. shown in the following embodiments are examples, and are not intended to limit the present disclosure. Further, among the components in the following embodiments, the components not described in the independent claim indicating the highest level concept are described as arbitrary components.

 (実施の形態)
 [1.通信システムの概要]
 まず、図1を参照しながら、実施の形態に係る通信システム2の概要について説明する。図1は、実施の形態に係る通信システム2の概要を示すブロック図である。 (Embodiment)
[1. Overview of communication system]
First, the outline of the communication system 2 according to the embodiment will be described with reference to FIG. FIG. 1 is a block diagram showing an outline of the communication system 2 according to the embodiment.

 実施の形態に係る通信システム2は、例えば自動車等の車両4に搭載された、車両4の運転操作を自動で行うための自動運転システムに適用される。通信システム2は、セキュリティシステムの一例である。図1に示すように、通信システム2は、CANバス6と、TCU(Telematics Control Unit)8と、IVI(In-Vehicle Infotainment)10と、統合ECU12と、ボディ系ECU14と、ADAS(Advanced Driver Assistance System)系ECU16と、監視ECU18とを備えている。 The communication system 2 according to the embodiment is applied to an automatic driving system for automatically performing a driving operation of a vehicle 4 mounted on a vehicle 4 such as an automobile, for example. Communication system 2 is an example of a security system. As shown in FIG. 1, the communication system 2 includes a CAN bus 6, a TCU (Telematics Control Unit) 8, an IVI (In-Vehicle Interface) 10, an integrated ECU 12, a body ECU 14, and an ADAS (Advanced Driver Assistance). It includes a System) system ECU 16 and a monitoring ECU 18.

 なお、車両4はモビリティの一例であり、CANバス6はモビリティネットワークの一例である。TCU8、IVI10、統合ECU12、ボディ系ECU14及びADAS系ECU16の各々は、機器の一例である。また、監視ECU18は、情報処理装置の一例である。 The vehicle 4 is an example of mobility, and the CAN bus 6 is an example of a mobility network. Each of TCU8, IVI10, integrated ECU12, body-based ECU14 and ADAS-based ECU16 is an example of equipment. Further, the monitoring ECU 18 is an example of an information processing device.

 CANバス6は、例えばCANプロトコルに従って通信する車載ネットワークであり、車両4に搭載されている。TCU8、IVI10、統合ECU12、ボディ系ECU14、ADAS系ECU16及び監視ECU18は、CANバス6を介して互いに通信可能に接続されている。 The CAN bus 6 is an in-vehicle network that communicates according to, for example, the CAN protocol, and is mounted on the vehicle 4. The TCU 8, IVI10, integrated ECU 12, body ECU 14, ADAS ECU 16 and monitoring ECU 18 are communicably connected to each other via the CAN bus 6.

 TCU8は、車両4の外部との無線通信を実行するための通信モジュールである。TCU8は、CANバス6を介して統合ECU12に接続されている。また、TCU8は、車両4の外部のネットワーク(例えば、インターネット等)に接続可能である。TCU8は、防御ブロック20と、HIDS(Host-based Intrusion Detection System)22とを有している。防御ブロック20及びHIDS22は、TCU8の内部で互いに接続されている。 The TCU 8 is a communication module for executing wireless communication with the outside of the vehicle 4. The TCU 8 is connected to the integrated ECU 12 via the CAN bus 6. Further, the TCU 8 can be connected to a network (for example, the Internet or the like) outside the vehicle 4. The TCU 8 has a defense block 20 and an HIDS (Host-based Intrusion Detection System) 22. The defense blocks 20 and HIDS 22 are connected to each other inside the TCU 8.

 防御ブロック20は、TCU8における異常(例えば、認証エラー等)を検出する機能を有している。防御ブロック20は、異常を検出した際に、TCU8において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。HIDS22は、TCU8における異常(例えば、不正なCANフレームの侵入等)を検出するためのホストベースの侵入検出システム(IDS)である。HIDS22は、異常を検出した際に、TCU8において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。 The defense block 20 has a function of detecting an abnormality (for example, an authentication error) in the TCU 8. When the abnormality is detected, the defense block 20 transmits the abnormality detection information indicating that the abnormality is detected in the TCU 8 to the monitoring ECU 18 via the CAN bus 6. The HIDS 22 is a host-based intrusion detection system (IDS) for detecting anomalies in the TCU 8 (eg, unauthorized CAN frame intrusion, etc.). When the HIDS 22 detects an abnormality, the HIDS 22 transmits the abnormality detection information indicating that the abnormality is detected in the TCU 8 to the monitoring ECU 18 via the CAN bus 6.

 IVI10は、種々の情報を車両4の乗員に対して表示するための情報機器であり、例えばカーナビゲーション装置である。IVI10は、CANバス6を介して統合ECU12に接続されている。また、IVI10は、車両4の外部のネットワーク(例えばインターネット等)に接続可能である。IVI10は、防御ブロック24と、HIDS26とを有している。防御ブロック24及びHIDS26は、IVI10の内部で互いに接続されている。 The IVI10 is an information device for displaying various information to the occupants of the vehicle 4, for example, a car navigation device. The IVI 10 is connected to the integrated ECU 12 via the CAN bus 6. Further, the IVI 10 can be connected to a network (for example, the Internet or the like) outside the vehicle 4. IVI10 has a defense block 24 and an HIDS 26. The defense blocks 24 and HIDS 26 are connected to each other inside the IVI10.

 防御ブロック24は、IVI10における異常を検出する機能を有している。防御ブロック24は、異常を検出した際に、IVI10において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。HIDS26は、IVI10における異常を検出するためのホストベースの侵入検出システムである。HIDS26は、異常を検出した際に、IVI10において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。 The defense block 24 has a function of detecting an abnormality in IVI10. When the abnormality is detected, the defense block 24 transmits the abnormality detection information indicating that the abnormality is detected in the IVI 10 to the monitoring ECU 18 via the CAN bus 6. HIDS26 is a host-based intrusion detection system for detecting anomalies in IVI10. When the HIDS 26 detects an abnormality, the HIDS 26 transmits the abnormality detection information indicating that the abnormality is detected in the IVI 10 to the monitoring ECU 18 via the CAN bus 6.

 統合ECU12は、NIDS28,30と、防御ブロック32,34とを有している。NIDS28及び防御ブロック32は、統合ECU12の内部で互いに接続されている。NIDS28は、CANバス6を介してTCU8のHIDS22に接続されている。防御ブロック32は、CANバス6を介してボディ系ECU14に接続されている。また、NIDS30及び防御ブロック34は、統合ECU12の内部で互いに接続されている。NIDS30は、CANバス6を介してIVI10のHIDS26に接続されている。防御ブロック34は、CANバス6を介してADAS系ECU16に接続されている。 The integrated ECU 12 has NIDS 28, 30 and defense blocks 32, 34. The NIDS 28 and the defense block 32 are connected to each other inside the integrated ECU 12. The NIDS 28 is connected to the HIDS 22 of the TCU 8 via the CAN bus 6. The defense block 32 is connected to the body system ECU 14 via the CAN bus 6. Further, the NIDS 30 and the defense block 34 are connected to each other inside the integrated ECU 12. The NIDS 30 is connected to the HIDS 26 of the IVI 10 via the CAN bus 6. The defense block 34 is connected to the ADAS system ECU 16 via the CAN bus 6.

 NIDS28は、統合ECU12における異常(例えば、不正なCANフレームの侵入等)を検出するためのネットワークベースの侵入検出システムである。NIDS28は、異常を検出した際に、統合ECU12において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。防御ブロック32は、統合ECU12における異常を検出する機能を有している。防御ブロック32は、異常を検出した際に、統合ECU12において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。 NIDS 28 is a network-based intrusion detection system for detecting an abnormality in the integrated ECU 12 (for example, an illegal CAN frame intrusion, etc.). When the NIDS 28 detects an abnormality, the NIDS 28 transmits the abnormality detection information indicating that the abnormality has been detected in the integrated ECU 12 to the monitoring ECU 18 via the CAN bus 6. The defense block 32 has a function of detecting an abnormality in the integrated ECU 12. When the abnormality is detected, the defense block 32 transmits the abnormality detection information indicating that the abnormality is detected in the integrated ECU 12 to the monitoring ECU 18 via the CAN bus 6.

 NIDS30は、統合ECU12における異常を検出するためのネットワークベースの侵入検出システムである。NIDS30は、異常を検出した際に、統合ECU12において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。防御ブロック34は、統合ECU12における異常を検出する機能を有している。防御ブロック34は、異常を検出した際に、統合ECU12において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。 NIDS 30 is a network-based intrusion detection system for detecting abnormalities in the integrated ECU 12. When an abnormality is detected, the NIDS 30 transmits abnormality detection information indicating that the abnormality has been detected in the integrated ECU 12 to the monitoring ECU 18 via the CAN bus 6. The defense block 34 has a function of detecting an abnormality in the integrated ECU 12. When the abnormality is detected, the defense block 34 transmits the abnormality detection information indicating that the abnormality is detected in the integrated ECU 12 to the monitoring ECU 18 via the CAN bus 6.

 ボディ系ECU14は、例えば、車両4のドアロック、パワーウインドウ、エアコン、ライト及びウインカ等の車体の機能を制御するための電子制御ユニットである。図示しないが、ボディ系ECU14は、当該ボディ系ECU14における異常を検出するための侵入検出システムを有している。侵入検出システムは、異常を検出した際に、ボディ系ECU14において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。 The body system ECU 14 is an electronic control unit for controlling the functions of the vehicle body such as the door lock, power window, air conditioner, light and winker of the vehicle 4, for example. Although not shown, the body system ECU 14 has an intrusion detection system for detecting an abnormality in the body system ECU 14. When the intrusion detection system detects an abnormality, the intrusion detection system transmits the abnormality detection information indicating that the abnormality has been detected in the body system ECU 14 to the monitoring ECU 18 via the CAN bus 6.

 ADAS系ECU16は、先進運転者支援システム(ADAS)における車両4の運転操作、例えば車両4の加減速、操舵及び制動等を制御するための電子制御ユニットである。図示しないが、ADAS系ECU16は、当該ADAS系ECU16における異常を検出するための侵入検出システムを有している。侵入検出システムは、異常を検出した際に、ADAS系ECU16において異常が検出されたことを示す異常検出情報を、CANバス6を介して監視ECU18に送信する。 The ADAS system ECU 16 is an electronic control unit for controlling the driving operation of the vehicle 4 in the advanced driver assistance system (ADAS), for example, acceleration / deceleration, steering and braking of the vehicle 4. Although not shown, the ADAS system ECU 16 has an intrusion detection system for detecting an abnormality in the ADAS system ECU 16. When the intrusion detection system detects an abnormality, the intrusion detection system transmits the abnormality detection information indicating that the abnormality has been detected in the ADAS system ECU 16 to the monitoring ECU 18 via the CAN bus 6.

 監視ECU18は、CANバス6を介して統合ECU12に接続されている。監視ECU18は、TCU8、IVI10、統合ECU12、ボディ系ECU14及びADAS系ECU16における異常の発生の有無を監視する。監視ECU18の機能構成については後述する。 The monitoring ECU 18 is connected to the integrated ECU 12 via the CAN bus 6. The monitoring ECU 18 monitors whether or not an abnormality has occurred in the TCU 8, IVI10, integrated ECU 12, body system ECU 14, and ADAS system ECU 16. The functional configuration of the monitoring ECU 18 will be described later.

 上述した通信システム2では、TCU8の防御ブロック20、TCU8のHIDS22、統合ECU12のNIDS28、統合ECU12の防御ブロック32及びボディ系ECU14は、この順に直列的に接続されている。また、IVI10の防御ブロック24、IVI10のHIDS26、統合ECU12のNIDS30、統合ECU12の防御ブロック34及びADAS系ECU16は、この順に直列的に接続されている。 In the communication system 2 described above, the defense block 20 of the TCU 8, the HIDS 22 of the TCU 8, the NIDS 28 of the integrated ECU 12, the defense block 32 of the integrated ECU 12, and the body system ECU 14 are connected in series in this order. Further, the defense block 24 of the IVI10, the HIDS26 of the IVI10, the NIDS30 of the integrated ECU 12, the defense block 34 of the integrated ECU 12, and the ADAS system ECU 16 are connected in series in this order.

 通信システム2に対する攻撃(例えば、不正なCANフレームの侵入等)は、車両4の外部のネットワークに最も近いTCU8の防御ブロック20から、外部のネットワークから最も遠いボディ系ECU14に向かう攻撃経路に沿って順次進行する。例えば、車両4の外部のネットワークに最も近いTCU8の防御ブロック20が攻撃を受けた場合には、TCU8のHIDS22が次に攻撃を受ける。その後、統合ECU12のNIDS28、統合ECU12の防御ブロック32がこの順に攻撃を受け、最終的に、ボディ系ECU14が攻撃を受ける。 An attack on the communication system 2 (for example, an unauthorized CAN frame intrusion) is carried out along an attack path from the defense block 20 of the TCU 8 closest to the external network of the vehicle 4 to the body system ECU 14 farthest from the external network. It progresses sequentially. For example, if the defense block 20 of the TCU 8 closest to the external network of the vehicle 4 is attacked, the HIDS 22 of the TCU 8 is attacked next. After that, the NIDS 28 of the integrated ECU 12 and the defense block 32 of the integrated ECU 12 are attacked in this order, and finally the body system ECU 14 is attacked.

 また、通信システム2に対する攻撃は、車両4の外部のネットワークに最も近いIVI10の防御ブロック24から、外部のネットワークから最も遠いADAS系ECU16に向かう攻撃経路に沿って順次進行する。例えば、車両4の外部のネットワークに最も近いIVI10の防御ブロック24が攻撃を受けた場合には、IVI10のHIDS26が次に攻撃を受ける。その後、統合ECU12のNIDS30、統合ECU12の防御ブロック34がこの順に攻撃を受け、最終的に、ADAS系ECU16が攻撃を受ける。 Further, the attack on the communication system 2 proceeds sequentially along the attack route from the defense block 24 of the IVI 10 closest to the external network of the vehicle 4 to the ADAS system ECU 16 farthest from the external network. For example, if the defense block 24 of IVI10 closest to the external network of vehicle 4 is attacked, the HIDS26 of IVI10 is attacked next. After that, the NIDS 30 of the integrated ECU 12 and the defense block 34 of the integrated ECU 12 are attacked in this order, and finally the ADAS system ECU 16 is attacked.

 攻撃が通信システム2に対してどの程度侵入しているかは、侵入の深度として表現され得る。侵入の位置が車両4の外部のネットワークに最も近い場合、侵入の深度は最も浅いと表現され得る。一方、侵入の位置が車両4の外部のネットワークから最も遠い場合、侵入の深度は最も深いと表現され得る。本実施の形態では、侵入の深度を「1」~「5」の5段階で表現し、「1」は最も浅い深度であり、「5」は最も深い深度である。 The extent to which an attack has invaded communication system 2 can be expressed as the depth of intrusion. If the location of the intrusion is closest to the network outside the vehicle 4, the depth of intrusion can be described as the shallowest. On the other hand, if the location of the intrusion is the furthest from the external network of the vehicle 4, the depth of the intrusion can be described as the deepest. In the present embodiment, the depth of intrusion is expressed in five stages of "1" to "5", where "1" is the shallowest depth and "5" is the deepest depth.

 図1に示すように、TCU8の防御ブロック20の位置では深度「1」であり、TCU8のHIDS22の位置では深度「2」であり、統合ECU12のNIDS28の位置では深度「3」であり、統合ECU12の防御ブロック32の位置では深度「4」であり、ボディ系ECU14の位置では深度「5」である。 As shown in FIG. 1, the depth is "1" at the position of the defense block 20 of the TCU 8, the depth is "2" at the position of the HIDS 22 of the TCU 8, and the depth is "3" at the position of the NIDS 28 of the integrated ECU 12. The depth is "4" at the position of the defense block 32 of the ECU 12, and the depth is "5" at the position of the body system ECU 14.

 また、図1に示すように、IVI10の防御ブロック24の位置では深度「1」であり、IVI10のHIDS26の位置では深度「2」であり、統合ECU12のNIDS30の位置では深度「3」であり、統合ECU12の防御ブロック34の位置では深度「4」であり、ADAS系ECU16の位置では深度「5」である。 Further, as shown in FIG. 1, the depth is "1" at the position of the defense block 24 of IVI10, the depth is "2" at the position of HIDS26 of IVI10, and the depth is "3" at the position of NIDS30 of the integrated ECU 12. The depth is "4" at the position of the defense block 34 of the integrated ECU 12, and the depth is "5" at the position of the ADAS system ECU 16.

 [2.監視ECUの機能構成]
 次に、図2~図4を参照しながら、実施の形態に係る監視ECU18の機能構成について説明する。図2は、実施の形態に係る監視ECU18の機能構成を示すブロック図である。図3は、実施の形態に係る監視ECU18の判定部40の機能を説明するための図である。図4は、実施の形態に係る監視ECU18の記憶部48に記憶された対応リストの一例を示す図である。 [2. Function configuration of monitoring ECU]
Next, the functional configuration of the monitoring ECU 18 according to the embodiment will be described with reference to FIGS. 2 to 4. FIG. 2 is a block diagram showing a functional configuration of the monitoring ECU 18 according to the embodiment. FIG. 3 is a diagram for explaining the function of the determination unit 40 of the monitoring ECU 18 according to the embodiment. FIG. 4 is a diagram showing an example of a correspondence list stored in the storage unit 48 of the monitoring ECU 18 according to the embodiment.

 図2に示すように、監視ECU18は、受信部36と、特定部38と、判定部40と、記憶部48と、決定部50と、制御部52とを備えている。 As shown in FIG. 2, the monitoring ECU 18 includes a receiving unit 36, a specific unit 38, a determination unit 40, a storage unit 48, a determination unit 50, and a control unit 52.

 受信部36は、TCU8、IVI10、統合ECU12、ボディ系ECU14及びADAS系ECU16のうち特定の機器から送信された異常検出情報を受信する。 The receiving unit 36 receives the abnormality detection information transmitted from a specific device among the TCU8, IVI10, integrated ECU12, body system ECU14 and ADAS system ECU16.

 特定部38は、受信部36により受信された異常検出情報に基づいて、異常発生箇所を特定する。 The identification unit 38 identifies the abnormality occurrence location based on the abnormality detection information received by the reception unit 36.

 判定部40は、攻撃経路判定部42と、深刻度判定部44と、攻撃進行度合判定部46とを有している。 The determination unit 40 has an attack route determination unit 42, a severity determination unit 44, and an attack progress degree determination unit 46.

 攻撃経路判定部42は、特定部38により特定された異常発生箇所に基づいて、攻撃経路を判定する。攻撃経路とは、異常の原因である攻撃が、TCU8、IVI10、統合ECU12、ボディ系ECU14及びADAS系ECU16のうち1以上の機器を経由した経路である。 The attack route determination unit 42 determines the attack route based on the abnormality occurrence location specified by the specific unit 38. The attack route is a route in which the attack that is the cause of the abnormality passes through one or more of the TCU8, IVI10, integrated ECU12, body-based ECU14, and ADAS-based ECU16.

 例えば、特定部38がTCU8のHIDS22を異常発生箇所として特定した場合、攻撃経路判定部42は、特定部38により特定された異常発生箇所に基づいて、「TCU8の防御ブロック20→TCU8のHIDS22」という攻撃経路を判定する。 For example, when the specific unit 38 identifies the HIDS 22 of the TCU 8 as an abnormality occurrence location, the attack route determination unit 42 determines “TCU 8 defense block 20 → TCU 8 HIDS 22” based on the abnormality occurrence location specified by the specific unit 38. The attack route is determined.

 また例えば、特定部38が統合ECU12の防御ブロック34を異常発生箇所として特定した場合、攻撃経路判定部42は、特定部38により特定された異常発生箇所に基づいて、「IVI10の防御ブロック24→IVI10のHIDS26→統合ECU12のNIDS30→統合ECU12の防御ブロック34」という攻撃経路を判定する。 Further, for example, when the specific unit 38 specifies the defense block 34 of the integrated ECU 12 as the abnormality occurrence location, the attack route determination unit 42 determines the “defense block 24 of IVI10 →” based on the abnormality occurrence location specified by the specific unit 38. HIDS26 of IVI10 → NIDS30 of integrated ECU12 → defense block 34 of integrated ECU12 ”is determined.

 また、TCU8、IVI10、統合ECU12、ボディ系ECU14及びADAS系ECU16の各々には、これらの複数の機器に対する攻撃の侵入の深度に応じたスコアが予め付与されている。スコアは、各機器のセキュリティ強度及び車両4への影響度合に基づいて予め設定されたスコア(数値)であり、攻撃の侵入の深度が深くなるのに従って大きくなる。 Further, each of the TCU8, IVI10, integrated ECU12, body-based ECU14, and ADAS-based ECU16 is given a score in advance according to the depth of intrusion of an attack on these plurality of devices. The score is a preset score (numerical value) based on the security strength of each device and the degree of influence on the vehicle 4, and increases as the depth of intrusion of an attack increases.

 図3の(a)に示すように、TCU8の防御ブロック20にはスコア「1」、TCU8のHIDS22にはスコア「2」、統合ECU12のNIDS28にはスコア「4」、統合ECU12の防御ブロック32にはスコア「6」、ボディ系ECU14にはスコア「8」がそれぞれ付与されている。 As shown in FIG. 3A, the defense block 20 of the TCU 8 has a score of "1", the HIDS 22 of the TCU 8 has a score of "2", the NIDS 28 of the integrated ECU 12 has a score of "4", and the defense block 32 of the integrated ECU 12 has a score of "4". Is given a score of "6", and the body ECU 14 is given a score of "8".

 また、IVI10の防御ブロック24にはスコア「3」、IVI10のHIDS26にはスコア「4」、統合ECU12のNIDS30にはスコア「6」、統合ECU12の防御ブロック34にはスコア「8」、ADAS系ECU16にはスコア「10」がそれぞれ付与されている。 Further, the defense block 24 of IVI10 has a score of "3", the HIDS26 of IVI10 has a score of "4", the NIDS30 of the integrated ECU 12 has a score of "6", and the defense block 34 of the integrated ECU 12 has a score of "8". A score of "10" is given to each of the ECUs 16.

 さらに、攻撃経路判定部42は、上述のように判定した攻撃経路に含まれる1以上の機器の各スコアの累積値を算出する。例えば、攻撃経路判定部42は、「TCU8の防御ブロック20→TCU8のHIDS22」という攻撃経路を判定した場合には、TCU8の防御ブロック20のスコア「1」と、TCU8のHIDS22のスコア「2」との累積値「3(=1+2)」を算出する。 Further, the attack route determination unit 42 calculates the cumulative value of each score of one or more devices included in the attack route determined as described above. For example, when the attack route determination unit 42 determines the attack route "TCU8 defense block 20 → TCU8 HIDS22", the TCU8 defense block 20 score "1" and the TCU8 HIDS22 score "2". And the cumulative value "3 (= 1 + 2)" is calculated.

 また例えば、攻撃経路判定部42は、「IVI10の防御ブロック24→IVI10のHIDS26→統合ECU12のNIDS30→統合ECU12の防御ブロック34」という攻撃経路を判定した場合には、IVI10の防御ブロック24のスコア「3」と、IVI10のHIDS26のスコア「4」と、統合ECU12のNIDS30のスコア「6」と、統合ECU12の防御ブロック34のスコア「8」との累積値「21(=3+4+6+8)」を算出する。 Further, for example, when the attack route determination unit 42 determines the attack route of "IVI10 defense block 24-> IVI10 HIDS26-> integrated ECU12 NIDS30-> integrated ECU12 defense block 34", the score of the IVI10 defense block 24 Calculate the cumulative value "21 (= 3 + 4 + 6 + 8)" of "3", the score "4" of HIDS26 of IVI10, the score "6" of NIDS30 of the integrated ECU12, and the score "8" of the defense block 34 of the integrated ECU12. do.

 深刻度判定部44は、受信部36により受信された異常検出情報に基づいて、異常の内容に応じた重みである深刻度を判定する。具体的には、図3の(b)に示すように、深刻度判定部44は、異常種別に関する重みと、車両状態に関する重みとを乗算することにより、深刻度を判定する。異常種別としては、例えば「周期異常」及び「ペイロード異常」等があり、「周期異常」の重みは「1」、「ペイロード異常」の重みは「3」にそれぞれ予め設定されている。また、車両状態としては、例えば「停車中」及び「高速走行中」等があり、「停車中」の重みは「1」、高速走行中の重みは「4」にそれぞれ予め設定されている。 The severity determination unit 44 determines the severity, which is a weight according to the content of the abnormality, based on the abnormality detection information received by the reception unit 36. Specifically, as shown in FIG. 3B, the severity determination unit 44 determines the severity by multiplying the weight related to the abnormality type and the weight related to the vehicle state. Examples of the abnormality type include "cycle abnormality" and "payload abnormality", and the weight of "cycle abnormality" is set to "1" and the weight of "payload abnormality" is set to "3" in advance. Further, the vehicle state includes, for example, "stopped" and "high-speed running", and the weight of "stopped" is set to "1" and the weight of "stopped" is set to "4" in advance.

 例えば、深刻度判定部44は、受信部36により受信された異常検出情報に基づいて、異常種別が「周期異常」であり、且つ、車両状態が「停車中」であると判定した場合には、「周期異常」の重み「1」と「停車中」の重み「1」とを乗算することにより、深刻度「1(=1×1)」を判定する。 For example, when the severity determination unit 44 determines that the abnormality type is "cycle abnormality" and the vehicle state is "stopped" based on the abnormality detection information received by the reception unit 36. , The severity "1 (= 1 × 1)" is determined by multiplying the weight "1" of "period abnormality" and the weight "1" of "stopped".

 また例えば、深刻度判定部44は、受信部36により受信された異常検出情報に基づいて、異常種別が「ペイロード異常」であり、且つ、車両状態が「高速走行中」であると判定した場合には、「ペイロード異常」の重み「3」と「高速走行中」の重み「4」とを乗算することにより、深刻度「12(=3×4)」を判定する。 Further, for example, when the severity determination unit 44 determines that the abnormality type is "payload abnormality" and the vehicle state is "high-speed traveling" based on the abnormality detection information received by the reception unit 36. By multiplying the weight "3" of "payload abnormality" and the weight "4" of "running at high speed", the severity "12 (= 3 × 4)" is determined.

 攻撃進行度合判定部46は、攻撃経路判定部42により判定された攻撃経路と、深刻度判定部44により判定された深刻度とに基づいて、攻撃の進行度合を判定する。具体的には、図3の(b)に示すように、攻撃進行度合判定部46は、攻撃経路判定部42により算出されたスコアの累積値と、深刻度判定部44により判定された深刻度とを乗算(演算の一例)することにより、攻撃の進行度合を判定する。 The attack progress determination unit 46 determines the progress of the attack based on the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44. Specifically, as shown in FIG. 3B, the attack progress degree determination unit 46 has the cumulative value of the score calculated by the attack route determination unit 42 and the severity determined by the severity determination unit 44. By multiplying with and (an example of calculation), the progress of the attack is determined.

 例えば、攻撃経路判定部42により算出されたスコアの累積値が「3」であり、且つ、深刻度判定部44により判定された深刻度が「1」である場合には、攻撃進行度合判定部46は、スコアの累積値「3」と深刻度「1」とを乗算することにより、攻撃の進行度合「3(=3×1)」を判定する。 For example, when the cumulative value of the score calculated by the attack route determination unit 42 is "3" and the severity determined by the severity determination unit 44 is "1", the attack progress degree determination unit 46 determines the degree of progress of the attack “3 (= 3 × 1)” by multiplying the cumulative value “3” of the score and the severity “1”.

 記憶部48は、複数の対応リストを記憶する。対応リストは、異常発生箇所毎に、攻撃の進行度合と、異常に対する対応との対応関係を示す対応情報の一例である。対応リストでは、攻撃の進行度合が大きくなるほど、緊急性の高い対応が対応付けられている。対応リストは、例えば図4の(a)~(c)に示すようなデータテーブルである。 The storage unit 48 stores a plurality of correspondence lists. The response list is an example of response information showing the correspondence relationship between the progress of the attack and the response to the abnormality for each abnormality occurrence location. In the response list, the greater the progress of the attack, the more urgent the response is associated. The correspondence list is, for example, a data table as shown in FIGS. 4A to 4C.

 図4の(a)に示す対応リストでは、異常発生箇所がIVI10のHIDS26であり、攻撃の進行度合「5」に対して対応「ドライバへ通知」、攻撃の進行度合「10」に対して対応「ネットワーク遮断」、攻撃の進行度合「15」に対して対応「センタへ通知」がそれぞれ対応付けられている。 In the correspondence list shown in FIG. 4A, the location where the abnormality occurs is HIDS26 of IVI10, and the response to the attack progress degree "5" is to be dealt with "notify the driver" and the attack progress degree is "10". Correspondence "notification to center" is associated with "network cutoff" and attack progress degree "15" respectively.

 図4の(b)に示す対応リストでは、異常発生箇所が統合ECU12のNIDS28であり、攻撃の進行度合「10」に対して対応「ドライバへ通知」、攻撃の進行度合「15」に対して対応「センタへ通知」、攻撃の進行度合「20」に対して対応「信号無効化」がそれぞれ対応付けられている。 In the correspondence list shown in FIG. 4 (b), the location where the abnormality occurs is NIDS28 of the integrated ECU 12, and the response is to "notify the driver" for the attack progress "10" and for the attack progress "15". The response "notify the center" and the response "signal invalidation" are associated with the progress of the attack "20".

 図4の(c)に示す対応リストでは、異常発生箇所がADAS系ECU16であり、攻撃の進行度合「15」に対して対応「ドライバへ通知」、攻撃の進行度合「20」に対して対応「センタへ通知」、攻撃の進行度合「25」に対して対応「縮退動作」がそれぞれ対応付けられている。 In the correspondence list shown in FIG. 4 (c), the location where the abnormality occurs is the ADAS system ECU 16, which corresponds to the attack progress degree “15” and corresponds to the attack progress degree “20”. Correspondence "degenerate operation" is associated with "notification to center" and attack progress degree "25" respectively.

 なお、図示しないが、記憶部48は、図4の(a)~(c)に示すデータテーブルだけでなく、上述したIVI10のHIDS26、統合ECU12のNIDS28及びADAS系ECU16以外の異常発生箇所に関する対応リストを複数記憶している。 Although not shown, the storage unit 48 responds not only to the data tables shown in FIGS. I remember multiple lists.

 決定部50は、特定部38により特定された異常発生箇所、及び、攻撃進行度合判定部46により判定された攻撃の進行度合に基づいて、記憶部48に記憶された対応リストから異常に対する対応を決定する。 The determination unit 50 responds to the abnormality from the response list stored in the storage unit 48 based on the abnormality occurrence location specified by the specific unit 38 and the progress of the attack determined by the attack progress determination unit 46. decide.

 例えば、特定部38により特定された異常発生箇所がIVI10のHIDS26であり、且つ、攻撃進行度合判定部46により判定された攻撃の進行度合が「10」である場合には、決定部50は、図4の(a)に示す対応リストを参照することにより、攻撃進行度合「10」に対応付けられた対応「ネットワーク遮断」を決定する。 For example, when the abnormality occurrence location specified by the specific unit 38 is HIDS26 of IVI10 and the progress of the attack determined by the attack progress determination unit 46 is “10”, the determination unit 50 determines. By referring to the correspondence list shown in FIG. 4 (a), the correspondence "network cutoff" associated with the attack progress degree "10" is determined.

 また例えば、特定部38により特定された異常発生箇所がADAS系ECU16であり、且つ、攻撃進行度合判定部46により判定された攻撃の進行度合が「25」である場合には、決定部50は、図4の(c)に示す対応リストを参照することにより、攻撃進行度合「25」に対応付けられた対応「縮退動作」を決定する。 Further, for example, when the abnormality occurrence location specified by the specific unit 38 is the ADAS system ECU 16 and the attack progress degree determined by the attack progress determination unit 46 is “25”, the determination unit 50 may be used. , The correspondence "degenerate operation" associated with the attack progress degree "25" is determined by referring to the correspondence list shown in FIG. 4 (c).

 制御部52は、決定部50により決定された対応を実行するように、ボディ系ECU14及びADAS系ECU16等を制御する。例えば、決定部50が異常に対する対応として「縮退動作」を決定した場合には、制御部52は、車両4を縮退動作(車両4を減速させ停止させる動作)させるようにADAS系ECU16等を制御する。 The control unit 52 controls the body system ECU 14, the ADAS system ECU 16, and the like so as to execute the correspondence determined by the determination unit 50. For example, when the determination unit 50 determines the "degenerate operation" as a response to an abnormality, the control unit 52 controls the ADAS system ECU 16 and the like so as to cause the vehicle 4 to perform a degenerate operation (an operation of decelerating and stopping the vehicle 4). do.

 [3.監視ECUの動作]
 図5を参照しながら、実施の形態に係る監視ECU18の動作について説明する。図5は、実施の形態に係る監視ECU18の動作の流れを示すフローチャートである。 [3. Operation of monitoring ECU]
The operation of the monitoring ECU 18 according to the embodiment will be described with reference to FIG. FIG. 5 is a flowchart showing the operation flow of the monitoring ECU 18 according to the embodiment.

 図5に示すように、まず、受信部36は、TCU8、IVI10、統合ECU12、ボディ系ECU14及びADAS系ECU16のうち特定の機器から送信された異常検出情報を受信する(S101)。 As shown in FIG. 5, first, the receiving unit 36 receives the abnormality detection information transmitted from a specific device among the TCU8, IVI10, integrated ECU12, body system ECU14, and ADAS system ECU16 (S101).

 特定部38は、受信部36により受信された異常検出情報に基づいて、異常発生箇所を特定する(S102)。 The identification unit 38 identifies an abnormality occurrence location based on the abnormality detection information received by the reception unit 36 (S102).

 攻撃経路判定部42は、特定部38により特定された異常発生箇所に基づいて、攻撃経路を判定する。また、深刻度判定部44は、受信部36により受信された異常検出情報に基づいて、深刻度を判定する。攻撃進行度合判定部46は、攻撃経路判定部42により判定された攻撃経路と、深刻度判定部44により判定された深刻度とに基づいて、攻撃の進行度合を判定する(S103)。 The attack route determination unit 42 determines the attack route based on the abnormality occurrence location specified by the specific unit 38. Further, the severity determination unit 44 determines the severity based on the abnormality detection information received by the reception unit 36. The attack progress determination unit 46 determines the progress of the attack based on the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44 (S103).

 決定部50は、特定部38により特定された異常発生箇所、及び、攻撃進行度合判定部46により判定された攻撃の進行度合に基づいて、記憶部48に記憶された対応リストに該当する対応が存在するか否かを判定する(S104)。 The determination unit 50 corresponds to the response list stored in the storage unit 48 based on the abnormality occurrence location specified by the specific unit 38 and the progress of the attack determined by the attack progress determination unit 46. It is determined whether or not it exists (S104).

 対応リストに該当する対応が存在する場合には(S104でYES)、決定部50は、対応リストから異常に対する対応を決定する。これにより、制御部52は、ボディ系ECU14及びADAS系ECU16等を制御することにより、決定部50により決定された対応を実行する(S105)。 If there is a corresponding response in the response list (YES in S104), the determination unit 50 determines the response to the abnormality from the response list. As a result, the control unit 52 controls the body-based ECU 14, the ADAS-based ECU 16, and the like, and executes the response determined by the determination unit 50 (S105).

 上述したステップS104に戻り、対応リストに該当する対応が存在しない場合には(S104でNO)、処理を終了する。 Returning to step S104 described above, if there is no corresponding correspondence in the correspondence list (NO in S104), the process ends.

 [4.効果]
 本実施の形態では、攻撃進行度合判定部46は、攻撃経路判定部42により判定された攻撃経路と、深刻度判定部44により判定された深刻度とに基づいて、攻撃の進行度合を判定する。これにより、攻撃の進行度合に応じた対応を適切に実行することができ、車両4におけるセキュリティ対策を高めることができる。 [4. effect]
In the present embodiment, the attack progress determination unit 46 determines the progress of the attack based on the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44. .. As a result, it is possible to appropriately take measures according to the progress of the attack, and it is possible to enhance security measures in the vehicle 4.

 [5.変形例]
 本実施の形態では、決定部50は、特定部38により特定された異常発生箇所、及び、攻撃進行度合判定部46により判定された攻撃の進行度合に基づいて、記憶部48に記憶された対応リストから異常に対する対応を決定した。このような構成に代えて、決定部50は、例えば次のようにして異常に対する対応を決定してもよい。 [5. Modification example]
In the present embodiment, the determination unit 50 stores the correspondence stored in the storage unit 48 based on the abnormality occurrence location specified by the specific unit 38 and the progress of the attack determined by the attack progress determination unit 46. The response to the anomaly was decided from the list. Instead of such a configuration, the determination unit 50 may determine the response to the abnormality, for example, as follows.

 本変形例では、決定部50は、攻撃経路判定部42により判定された攻撃経路、及び、深刻度判定部44により判定された深刻度から異常に対する対応を導出するためのルールベースに基づいて、異常に対する対応を決定する。 In this modification, the determination unit 50 is based on the attack route determined by the attack route determination unit 42 and the rule base for deriving the response to the abnormality from the severity determined by the severity determination unit 44. Determine the response to the anomaly.

 具体的には、記憶部48は、攻撃経路判定部42により判定された攻撃経路、及び、深刻度判定部44により判定された深刻度から、異常に対する対応を導出するためのルールベースであるルールテーブルを記憶する。 Specifically, the storage unit 48 is a rule base for deriving a response to an abnormality from the attack route determined by the attack route determination unit 42 and the severity determined by the severity determination unit 44. Remember the table.

 ここで、図6を参照しながら、記憶部48に記憶されたルールテーブルの一例について説明する。図6は、実施の形態の変形例に係るルールテーブルの一例を示す図である。図6に示す例では、ルールテーブルは、a)異常発生箇所1、b)異常発生箇所2、c)異常発生箇所3、d)異常発生箇所4、e)異常種別、f)車両状態、及び、g)対応を含んでいる。 Here, an example of the rule table stored in the storage unit 48 will be described with reference to FIG. FIG. 6 is a diagram showing an example of a rule table according to a modified example of the embodiment. In the example shown in FIG. 6, the rule table has a) abnormality occurrence location 1, b) abnormality occurrence location 2, c) abnormality occurrence location 3, d) abnormality occurrence location 4, e) abnormality type, f) vehicle status, and , G) Includes correspondence.

 例えば、攻撃経路判定部42により判定された攻撃経路が「IVI10の防御ブロック24→IVI10のHIDS26→統合ECU12のNIDS30」であり、且つ、深刻度判定部44により判定された異常種別が「周期異常」、車両状態が「低速走行中」である場合には、決定部50は、図6に示すルールテーブルのNo.3の行から対応「信号無効化」を導出する。 For example, the attack route determined by the attack route determination unit 42 is "defense block 24 of IVI10 → HIDS26 of IVI10 → NIDS30 of the integrated ECU 12", and the abnormality type determined by the severity determination unit 44 is “cycle abnormality”. When the vehicle state is "running at low speed", the determination unit 50 determines the No. 1 of the rule table shown in FIG. The corresponding "signal invalidation" is derived from the third line.

 なお、本変形例では、決定部50は、ルールテーブルを用いて異常に対する対応を決定する例について説明したが、これに限定されず、例えばファジー推論により異常に対する対応を決定してもよい。 In this modification, the determination unit 50 has described an example of determining the response to the abnormality using the rule table, but the present invention is not limited to this, and the response to the abnormality may be determined by, for example, fuzzy reasoning.

 あるいは、決定部50は、ニューラルネットワーク等の機械学習モデルを用いて、異常に対する対応を決定してもよい。例えば、決定部50は、攻撃経路、異常種別、車両状態及び機械学習モデルを取得し、取得した攻撃経路、異常種別、車両状態及び機械学習モデルに基づいて、異常に対する対応を決定してもよい。なお、機械学習モデルの取得とは、例えば、機械学習モデルにおけるネットワークパラメータ及び演算のアルゴリズム(機械学習アルゴリズム)等の情報を記憶部から読み出すことである。当該機械学習モデルは、図6に示す各項目の少なくとも1つを入力情報とし、当該入力情報に対応する対応を教師データとして機械学習により学習される。決定部50は、現時点の攻撃経路、異常種別及び車両状態を学習済みの機械学習モデルに入力することで得られる出力を、決定された対応として取得する。なお、機械学習モデルは、ニューラルネットワークに限定されず、例えば、ランダムフォレスト又は決定木等であってもよい。 Alternatively, the determination unit 50 may determine the response to the abnormality by using a machine learning model such as a neural network. For example, the determination unit 50 may acquire an attack route, an abnormality type, a vehicle state, and a machine learning model, and determine a response to the abnormality based on the acquired attack route, an abnormality type, a vehicle state, and a machine learning model. .. The acquisition of a machine learning model is, for example, reading information such as network parameters and an algorithm for calculation (machine learning algorithm) in the machine learning model from a storage unit. The machine learning model is learned by machine learning using at least one of the items shown in FIG. 6 as input information and the correspondence corresponding to the input information as teacher data. The determination unit 50 acquires the output obtained by inputting the current attack route, abnormality type, and vehicle state into the trained machine learning model as the determined response. The machine learning model is not limited to the neural network, and may be, for example, a random forest or a decision tree.

 (他の変形例)
 以上、一つ又は複数の態様に係る情報処理装置、監視方法及びセキュリティシステムについて、上記実施の形態に基づいて説明したが、本開示は、上記実施の形態に限定されるものではない。本開示の趣旨を逸脱しない限り、当業者が思い付く各種変形を上記実施の形態に施したものや、異なる実施の形態における構成要素を組み合わせて構築される形態も、一つ又は複数の態様の範囲内に含まれてもよい。 (Other variants)
The information processing apparatus, monitoring method, and security system according to one or more embodiments have been described above based on the above-described embodiment, but the present disclosure is not limited to the above-described embodiment. As long as it does not deviate from the gist of the present disclosure, a form in which various modifications conceived by those skilled in the art are applied to the above-described embodiment or a form constructed by combining components in different embodiments is also within the scope of one or a plurality of embodiments. May be included within.

 上記実施の形態では、本開示に係る監視ECU18の適用例として、自動車等の車両4に搭載された車載ネットワークにおけるセキュリティ対策への適用について説明したが、本開示に係る監視ECU18の適用範囲はこれに限定されない。本開示に係る監視ECU18は、自動車等の車両4に限定されず、例えば、建機、農機、船舶、鉄道又は飛行機等の任意のモビリティに適用してもよい。 In the above embodiment, as an application example of the monitoring ECU 18 according to the present disclosure, application to security measures in an in-vehicle network mounted on a vehicle 4 such as an automobile has been described, but the scope of application of the monitoring ECU 18 according to the present disclosure is this. Not limited to. The monitoring ECU 18 according to the present disclosure is not limited to the vehicle 4 such as an automobile, and may be applied to any mobility such as construction machinery, agricultural machinery, ships, railways, and airplanes.

 また、上記実施の形態では、深刻度判定部44は、異常種別に関する重みと、車両状態に関する重みとを乗算することにより深刻度を判定したが、これに限定されず、異常種別に関する重みと、車両状態に関する重みと、異常発生頻度(単位時間当たりの異常検出情報の受信回数)に関する重みとを乗算することにより、深刻度を判定してもよい。 Further, in the above embodiment, the severity determination unit 44 determines the severity by multiplying the weight related to the abnormality type and the weight related to the vehicle state, but the severity is not limited to this, and the weight related to the abnormality type and the weight related to the abnormality type are used. The severity may be determined by multiplying the weight related to the vehicle state and the weight related to the frequency of occurrence of anomalies (the number of times anomaly detection information is received per unit time).

 また、上記実施の形態では、攻撃進行度合判定部46は、攻撃経路判定部42により算出されたスコアの累積値と、深刻度判定部44により判定された深刻度とを乗算することにより、攻撃の進行度合を判定したが、これに限定されない。例えば、攻撃進行度合判定部46は、攻撃経路判定部42により算出されたスコアの累積値と、深刻度判定部44により判定された深刻度とを加算することにより、攻撃の進行度合を判定してもよい。 Further, in the above embodiment, the attack progress determination unit 46 attacks by multiplying the cumulative value of the score calculated by the attack route determination unit 42 and the severity determined by the severity determination unit 44. The degree of progress was determined, but it is not limited to this. For example, the attack progress determination unit 46 determines the progress of the attack by adding the cumulative value of the score calculated by the attack route determination unit 42 and the severity determined by the severity determination unit 44. You may.

 また、上記実施の形態では、情報処理装置(監視ECU18)が車両4に搭載されている場合について説明したが、これに限定されず、情報処理装置は車両4の外部に配置されていてもよい。この場合、情報処理装置は、例えば車両4の外部のSOC(Security Operation Center)に設置されたサーバ等で構成され、当該情報処理装置とモビリティネットワーク(CANバス6)とでセキュリティシステムが構成される。すなわち、SCOに設置されたサーバ等(情報処理装置)は、上述した監視ECU18の機能を有する。そのため、SOCにおいて、例えば攻撃の進行度合が判定され、異常に対する対応が決定される。また例えば、攻撃の進行度合が閾値未満である場合には、SOCのアナリストにアラートを通知せず(アラートを破棄)、攻撃の進行度合が上記閾値以上である場合には、SOCのアナリストにアラートを通知してもよい。 Further, in the above embodiment, the case where the information processing device (monitoring ECU 18) is mounted on the vehicle 4 has been described, but the present invention is not limited to this, and the information processing device may be arranged outside the vehicle 4. .. In this case, the information processing device is composed of, for example, a server installed in an SOC (Security Operation Center) outside the vehicle 4, and the security system is composed of the information processing device and the mobility network (CAN bus 6). .. That is, the server or the like (information processing device) installed in the SCO has the function of the monitoring ECU 18 described above. Therefore, in the SOC, for example, the progress of the attack is determined, and the response to the abnormality is determined. For example, if the progress of the attack is less than the threshold value, the alert is not notified to the SOC analyst (the alert is discarded), and if the progress of the attack is more than the above threshold value, the SOC analyst is not notified. May be notified of an alert.

 なお、上記実施の形態において、各構成要素は、専用のハードウェアで構成されるか、各構成要素に適したソフトウェアプログラムを実行することによって実現されてもよい。各構成要素は、CPU又はプロセッサ等のプログラム実行部が、ハードディスク又は半導体メモリなどの記録媒体に記録されたソフトウェアプログラムを読み出して実行することによって実現されてもよい。 In the above embodiment, each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory.

 また、上記実施の形態に係る情報処理装置の機能の一部又は全てを、CPU等のプロセッサがプログラムを実行することにより実現してもよい。 Further, a part or all of the functions of the information processing apparatus according to the above embodiment may be realized by executing a program by a processor such as a CPU.

 上記の各装置を構成する構成要素の一部又は全部は、各装置に脱着可能なICカード又は単体のモジュールから構成されているとしても良い。前記ICカード又は前記モジュールは、マイクロプロセッサ、ROM、RAM等から構成されるコンピュータシステムである。前記ICカード又は前記モジュールは、上記の超多機能LSIを含むとしても良い。マイクロプロセッサが、コンピュータプログラムにしたがって動作することにより、前記ICカード又は前記モジュールは、その機能を達成する。このICカード又はこのモジュールは、耐タンパ性を有するとしても良い。 A part or all of the components constituting each of the above devices may be composed of an IC card or a single module that can be attached to and detached from each device. The IC card or the module is a computer system composed of a microprocessor, ROM, RAM and the like. The IC card or the module may include the above-mentioned super multifunctional LSI. When the microprocessor operates according to a computer program, the IC card or the module achieves its function. This IC card or this module may have tamper resistance.

 本開示は、上記に示す方法であるとしても良い。また、これらの方法をコンピュータにより実現するコンピュータプログラムであるとしても良いし、前記コンピュータプログラムからなるデジタル信号であるとしても良い。また、本開示は、前記コンピュータプログラム又は前記デジタル信号をコンピュータ読み取り可能な非一時的な記録媒体、例えばフレキシブルディスク、ハードディスク、CD-ROM、MO、DVD、DVD-ROM、DVD-RAM、BD(Blu-ray(登録商標) Disc)、半導体メモリ等に記録したものとしても良い。また、これらの記録媒体に記録されている前記デジタル信号であるとしても良い。また、本開示は、前記コンピュータプログラム又は前記デジタル信号を、電気通信回線、無線又は有線通信回線、インターネットを代表とするネットワーク、データ放送等を経由して伝送するものとしても良い。また、本開示は、マイクロプロセッサとメモリを備えたコンピュータシステムであって、前記メモリは、上記コンピュータプログラムを記憶しており、前記マイクロプロセッサは、前記コンピュータプログラムにしたがって動作するとしても良い。また、前記プログラム又は前記デジタル信号を前記記録媒体に記録して移送することにより、又は前記プログラム又は前記デジタル信号を前記ネットワーク等を経由して移送することにより、独立した他のコンピュータシステムにより実施するとしても良い。 The present disclosure may be the method shown above. Further, it may be a computer program that realizes these methods by a computer, or it may be a digital signal composed of the computer program. The present disclosure also discloses a non-temporary recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, or a BD (Blu) that can read the computer program or the digital signal by a computer. -It may be recorded on a ray (registered trademark) Disc), a semiconductor memory, or the like. Further, it may be the digital signal recorded on these recording media. Further, in the present disclosure, the computer program or the digital signal may be transmitted via a telecommunication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like. Further, the present disclosure is a computer system including a microprocessor and a memory, in which the memory stores the computer program, and the microprocessor may operate according to the computer program. It is also carried out by another independent computer system by recording and transferring the program or the digital signal on the recording medium, or by transferring the program or the digital signal via the network or the like. It may be.

 本開示に係る情報処理装置は、例えば車両に搭載された自動運転システム等に適用可能である。 The information processing device according to the present disclosure can be applied to, for example, an automatic driving system mounted on a vehicle.

2 通信システム
4 車両
6 CANバス
8 TCU
10 IVI
12 統合ECU
14 ボディ系ECU
16 ADAS系ECU
18 監視ECU
20,24,32,34 防御ブロック
22,26 HIDS
28,30 NIDS
36 受信部
38 特定部
40 判定部
42 攻撃経路判定部
44 深刻度判定部
46 攻撃進行度合判定部
48 記憶部
50 決定部
52 制御部 2 Communication system 4 Vehicle 6 CAN bus 8 TCU
10 IVI
12 Integrated ECU
14 Body ECU
16 ADAS ECU
18 Monitoring ECU
20, 24, 32, 34 Defense block 22, 26 HIDS
28,30 NIDS
36 Receiving unit 38 Specific unit 40 Judgment unit 42 Attack route judgment unit 44 Severity judgment unit 46 Attack progress judgment unit 48 Storage unit 50 Determination unit 52 Control unit

Claims (10)

 モビリティに搭載されたモビリティネットワークに接続された複数の機器の各々における異常の発生の有無を監視する情報処理装置であって、
 前記複数の機器のうち特定の機器から、当該特定の機器において異常が検出されたことを示す異常検出情報を受信する受信部と、
 前記受信部により受信された前記異常検出情報に基づいて、異常発生箇所を特定する特定部と、
 前記異常検出情報及び前記異常発生箇所に基づいて、前記異常の原因である攻撃が前記複数の機器のうち1以上の機器を経由した経路を示す攻撃経路と、前記異常に関する深刻度と、を判定し、判定した前記攻撃経路及び前記深刻度に基づいて、前記攻撃の進行度合を判定する判定部と、を備える
 情報処理装置。 An information processing device that monitors the presence or absence of abnormalities in each of multiple devices connected to the mobility network installed in mobility.
A receiving unit that receives anomaly detection information indicating that an abnormality has been detected in the specific device from a specific device among the plurality of devices.
A specific unit that identifies an abnormality occurrence location based on the abnormality detection information received by the reception unit, and a specific unit.
Based on the abnormality detection information and the abnormality occurrence location, it is determined that the attack route indicating the route of the attack causing the abnormality via one or more of the plurality of devices and the severity of the abnormality. An information processing device including a determination unit for determining the degree of progress of the attack based on the determined attack route and the severity.  前記複数の機器の各々には、前記複数の機器に対する前記攻撃の侵入の深度に応じたスコアが付与されており、
 前記判定部は、前記攻撃経路に含まれる前記1以上の機器の各々の前記スコアの累積値と、前記異常の内容に応じた重みである前記深刻度と、を演算することにより、前記攻撃の進行度合を判定する
 請求項1に記載の情報処理装置。 Each of the plurality of devices is given a score according to the depth of intrusion of the attack on the plurality of devices.
The determination unit calculates the cumulative value of the scores of each of the one or more devices included in the attack path and the severity, which is a weight according to the content of the abnormality, to obtain the attack. The information processing apparatus according to claim 1, wherein the degree of progress is determined.  前記判定部は、前記スコアの累積値と、前記深刻度と、を乗算又は加算することにより、前記攻撃の進行度合を判定する
 請求項2に記載の情報処理装置。 The information processing apparatus according to claim 2, wherein the determination unit determines the degree of progress of the attack by multiplying or adding the cumulative value of the score and the severity.  前記判定部は、前記異常の種別に関する重みと、前記モビリティの状態に関する重みと、を乗算することにより、前記深刻度を判定する
 請求項2又は3に記載の情報処理装置。 The information processing apparatus according to claim 2 or 3, wherein the determination unit determines the severity by multiplying the weight related to the type of abnormality and the weight related to the state of mobility.  前記判定部は、前記異常の種別に関する重みと、前記モビリティの状態に関する重みと、異常発生頻度に関する重みと、を乗算することにより、前記深刻度を判定する
 請求項4に記載の情報処理装置。 The information processing apparatus according to claim 4, wherein the determination unit determines the severity by multiplying the weight regarding the type of the abnormality, the weight regarding the state of the mobility, and the weight regarding the frequency of occurrence of the abnormality.  前記情報処理装置は、さらに、
 前記異常発生箇所毎に、前記攻撃の進行度合と、前記異常に対する対応との対応関係を示す対応情報を記憶する記憶部と、
 前記特定部により特定された前記異常発生箇所、及び、前記判定部により判定された前記攻撃の進行度合に基づいて、前記対応情報から前記異常に対する対応を決定する決定部と、を備える
 請求項2~5のいずれか1項に記載の情報処理装置。 The information processing device further
A storage unit that stores response information indicating the correspondence relationship between the progress of the attack and the response to the abnormality for each abnormality occurrence location.
2. Claim 2 comprising the abnormality occurrence location specified by the specific unit, and a determination unit for determining a response to the abnormality from the response information based on the progress of the attack determined by the determination unit. The information processing apparatus according to any one of 5 to 5.  前記情報処理装置は、さらに、前記攻撃経路及び前記深刻度から前記異常に対する対応を導出するためのルールベースに基づいて、前記異常に対する対応を決定する決定部を備える
 請求項1に記載の情報処理装置。 The information processing device according to claim 1, further comprising a determination unit for determining a response to the abnormality based on a rule base for deriving a response to the abnormality from the attack route and the severity. Device.  モビリティに搭載されたモビリティネットワークに接続された複数の機器の各々における異常の発生の有無を監視する監視方法であって、
 (a)前記複数の機器のうち特定の機器から、当該特定の機器において異常が検出されたことを示す異常検出情報を受信するステップと、
 (b)前記(a)で受信された前記異常検出情報に基づいて、異常発生箇所を特定するステップと、
 (c)前記異常検出情報及び前記異常発生箇所に基づいて、前記異常の原因である攻撃が前記複数の機器のうち1以上の機器を経由した経路を示す攻撃経路と、前記異常に関する深刻度と、を判定し、判定した前記攻撃経路及び前記深刻度に基づいて、前記攻撃の進行度合を判定するステップと、を含む
 監視方法。 It is a monitoring method that monitors the presence or absence of abnormalities in each of multiple devices connected to the mobility network installed in mobility.
(A) A step of receiving anomaly detection information indicating that an abnormality has been detected in the specific device from a specific device among the plurality of devices.
(B) A step of identifying an abnormality occurrence location based on the abnormality detection information received in the above (a), and
(C) Based on the abnormality detection information and the abnormality occurrence location, an attack route indicating a route in which the attack causing the abnormality has passed through one or more of the plurality of devices, and the severity of the abnormality. , A monitoring method including a step of determining the degree of progress of the attack based on the determined attack route and the severity of the attack.  請求項8に記載の監視方法をコンピュータに実行させる
 プログラム。 A program that causes a computer to execute the monitoring method according to claim 8.  モビリティに搭載されたモビリティネットワークと、前記モビリティネットワークに接続された複数の機器の各々における異常の発生の有無を監視する情報処理装置と、を含むセキュリティシステムであって、
 前記情報処理装置は、
 前記複数の機器のうち特定の機器から、当該特定の機器において異常が検出されたことを示す異常検出情報を受信する受信部と、
 前記受信部により受信された前記異常検出情報に基づいて、異常発生箇所を特定する特定部と、
 前記異常検出情報及び前記異常発生箇所に基づいて、前記異常の原因である攻撃が前記複数の機器のうち1以上の機器を経由した経路を示す攻撃経路と、前記異常に関する深刻度と、を判定し、判定した前記攻撃経路及び前記深刻度に基づいて、前記攻撃の進行度合を判定する判定部と、を備える
 セキュリティシステム。 A security system including a mobility network mounted on mobility and an information processing device that monitors the presence or absence of an abnormality in each of a plurality of devices connected to the mobility network.
The information processing device is
A receiving unit that receives anomaly detection information indicating that an abnormality has been detected in the specific device from a specific device among the plurality of devices.
A specific unit that identifies an abnormality occurrence location based on the abnormality detection information received by the reception unit, and a specific unit.
Based on the abnormality detection information and the abnormality occurrence location, it is determined that the attack route indicating the route of the attack causing the abnormality via one or more of the plurality of devices and the severity of the abnormality. A security system including a determination unit for determining the progress of the attack based on the determined attack route and the severity.
PCT/JP2021/037912 2020-10-27 2021-10-13 Information processing device, monitoring method, program, and security system Ceased WO2022091786A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2020179769 2020-10-27
JP2020-179769 2020-10-27

Publications (1)

Publication Number Publication Date
WO2022091786A1 true WO2022091786A1 (en) 2022-05-05

Family

ID=81383800

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/037912 Ceased WO2022091786A1 (en) 2020-10-27 2021-10-13 Information processing device, monitoring method, program, and security system

Country Status (1)

Country Link
WO (1) WO2022091786A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2019125344A (en) * 2018-01-12 2019-07-25 パナソニックIpマネジメント株式会社 System for vehicle and control method
WO2020080047A1 (en) * 2018-10-17 2020-04-23 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Incursion location identification device and incursion location identification method
JP2020065242A (en) * 2018-10-17 2020-04-23 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Information processing device, information processing method, and program
US20200296138A1 (en) * 2015-10-28 2020-09-17 Qomplx, Inc. Parametric analysis of integrated operational technology systems and information technology systems
JP2020160611A (en) * 2019-03-25 2020-10-01 クラリオン株式会社 Test scenario generation device and test scenario generation method and test scenario generation program

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200296138A1 (en) * 2015-10-28 2020-09-17 Qomplx, Inc. Parametric analysis of integrated operational technology systems and information technology systems
JP2019125344A (en) * 2018-01-12 2019-07-25 パナソニックIpマネジメント株式会社 System for vehicle and control method
WO2020080047A1 (en) * 2018-10-17 2020-04-23 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Incursion location identification device and incursion location identification method
JP2020065242A (en) * 2018-10-17 2020-04-23 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Information processing device, information processing method, and program
JP2020160611A (en) * 2019-03-25 2020-10-01 クラリオン株式会社 Test scenario generation device and test scenario generation method and test scenario generation program

Similar Documents

Publication Publication Date Title
JP7573585B2 (en) Fraud detection server and control method
JP7410223B2 (en) Fraud detection server and method
US11949705B2 (en) Security processing method and server
US11575699B2 (en) Security processing method and server
CN111052681B (en) Anomaly detection electronic control unit, in-vehicle network system and anomaly detection method
US11469921B2 (en) Security device, network system, and fraud detection method
US11943243B2 (en) Anomaly detection method and anomaly detection device
US10798114B2 (en) System and method for consistency based anomaly detection in an in-vehicle communication network
US20200213149A1 (en) Electronic control system, electronic control device, control method, and recording medium
US12537831B2 (en) Threat information deploying system, threat information deploying method, and recording medium
Lampe et al. IDS for CAN: A practical intrusion detection system for CAN bus security
US10944775B2 (en) Authentication device for a vehicle
JP2019219709A (en) Cyber attack notification apparatus and notification method
US20230247037A1 (en) Information processing device and method of controlling information processing device
CN111754815A (en) Control device, server, security system, and control method for control device
WO2022091786A1 (en) Information processing device, monitoring method, program, and security system
US12417280B2 (en) Vehicle control system and method for controlling vehicle control system
US20250214534A1 (en) Vehicle control system and control method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21885905

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21885905

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP