JP2019209961A - Information processor, monitoring method, program, and gateway device - Google Patents

Abstract

To provide an information processor appropriately coping with illegal attack frames sent to a network included in mobility.SOLUTION: An information processor 100 includes: an acquisition part 1101 acquiring mobility-related information showing at least one of a mobility condition and an external situation where the mobility moves, and an acceleration control instruction for accelerating the mobility; and a determination part 3101 determining whether or not the acceleration control instruction is an illegal control instruction on the basis of the mobility-related information and the acceleration control instruction.SELECTED DRAWING: Figure 6

Description

  The present invention relates to a security technique for dealing with a vehicle speed control instruction message transmitted in an in-vehicle network in which an electronic control unit mounted on a vehicle communicates, for example.

  2. Description of the Related Art In recent years, many information processing devices called electronic control units (ECUs) are arranged in systems in automobiles. A network connecting these ECUs is called an in-vehicle network. There are many standards for in-vehicle networks. Among them, one of the most mainstream in-vehicle networks is a standard called CAN (Controller Area Network) defined by ISO11898-1.

  In CAN, the communication path is a bus composed of two wires (CAN bus), and the ECU connected to the bus is called a node. Each node connected to the CAN bus transmits and receives a frame (message). A transmission node that transmits a frame applies a voltage to two buses to generate a potential difference between the buses, thereby transmitting a value of “1” called recessive and a value of “0” called dominant. When a plurality of transmitting nodes transmit recessive and dominant at exactly the same timing, the dominant is transmitted with priority. When there is an abnormality in the format of the received frame, the receiving node transmits a frame called an error frame. An error frame is a notification of frame abnormality to a transmitting node or another receiving node by transmitting dominants continuously for 6 bits.

  In CAN, there is no identifier indicating a transmission destination or a transmission source, the transmission node transmits an ID called a message ID for each frame (that is, sends a signal to the bus), and each reception node is predetermined. Only the received message ID is received (ie, the signal is read from the bus). In addition, CAN employs a CSMA / CA (Carrier Sense Multiple Access / Collision Avoidance) method, and arbitration is performed using a message ID during simultaneous transmission of a plurality of nodes, and a frame with a small message ID value is preferentially transmitted. Is done. In a system in an automobile, each of a large number of ECUs exchanges frames including various information. For example, a vehicle speed control support function of an advanced driver assistance system (ADAS) is realized by each ECU exchanging a frame and cooperating with each other. Examples of vehicle speed control support functions include vehicle speed maintenance function (Cruise Control), inter-vehicle distance maintenance function (Adaptive Cruise Control), and inter-vehicle distance adjustment function (Cooperative Adaptive Cruise Control (Cooperative Adaptive)). Cruise Control)). In order to realize these functions, an accelerator ECU that controls the output of a prime mover such as an engine or a motor, a sensor ECU that recognizes and detects an object around the vehicle, such as a preceding vehicle, a road marking line, and the like, A vehicle speed control support ECU or the like that detects a situation that requires acceleration and issues an acceleration control instruction frame cooperates.

  By the way, an attacker can connect an unauthorized node to the CAN bus or attack an ECU having a function of communicating with a portable information terminal, a communication device outside the vehicle, etc. There is a threat of sending frames to the CAN bus to illegally control the car. The attack frame is a frame transmitted to the CAN bus by an unauthorized attacker, and is a frame (illegal frame) that is not originally transmitted in a normal state of the in-vehicle network. For example, if an attacker sends an acceleration control instruction frame that activates rapid acceleration to a CAN bus with a short distance from the preceding vehicle, an accident such as a rear-end collision with the preceding vehicle may occur. .

  As a technique for detecting and defending against such attack frames, a physical value such as a wheel speed detected by a sensor, an engine speed, or a predetermined value for a numerical value indicating a selective state is registered in advance as a reference. A technique for performing abnormality determination on a value included in a frame based on this is known (see Patent Document 1).

JP 2008-114806 A

  However, the technique of Patent Document 1 is not useful for appropriately dealing with an attack frame of an unauthorized acceleration control instruction transmitted by an attacker.

  Therefore, the present invention provides an information processing apparatus, a control system, a control method, and an illegal processing apparatus that appropriately copes with an attack frame of an unauthorized acceleration control instruction transmitted to a bus of a network (for example, an in-vehicle network) in a moving body by an attacker. Provided are a program and a gateway device used for appropriately dealing with a frame.

  In order to solve the above-described problem, an information processing apparatus according to an aspect of the present invention provides mobility-related information indicating at least one of a mobility state and an external environment in which the mobility moves, and for accelerating the mobility. An acquisition unit that acquires an acceleration control instruction, a determination unit that determines whether the acceleration control instruction is an unauthorized control instruction based on the mobility related information information and the acceleration control instruction.

  In order to solve the above-described problem, a monitoring method according to an aspect of the present invention is a monitoring method by an information processing device, which is related to mobility indicating at least one of a mobility state and an external environment in which the mobility moves. Information and an acceleration control instruction for accelerating the mobility are acquired, and it is determined whether the acceleration control instruction is an unauthorized control instruction based on the mobility related information and the acceleration control instruction .

  In order to solve the above-described problem, a program according to an aspect of the present invention provides mobility-related information indicating at least one of a mobility state and an external environment in which the mobility moves, and a program for accelerating the mobility. In order to cause a computer to execute a process of obtaining an acceleration control instruction, and a process of determining whether the acceleration control instruction is an unauthorized control instruction based on the mobility related information and the acceleration control instruction It is a program.

  In order to solve the above-described problem, a gateway device according to an aspect of the present invention provides mobility-related information indicating at least one of a mobility state and an external environment in which the mobility moves, and accelerates the mobility. A determination unit that determines whether the acceleration control instruction is an illegal control instruction based on the acquisition unit that acquires the acceleration control instruction, the mobility related information, and the acceleration control instruction; and the determination unit And an invalidating unit that does not transfer the acceleration control instruction when it is determined that the acceleration control instruction is an unauthorized control instruction.

  ADVANTAGE OF THE INVENTION According to this invention, the invalid frame (attack frame) concerning the acceleration control instruction | indication transmitted to the bus | bath of the network in a mobile body can be made invalid.

FIG. 1 is a diagram illustrating an overall configuration of an in-vehicle network system according to an embodiment. FIG. 2 is a diagram showing a format of a data frame defined by the CAN protocol. FIG. 3 is a diagram illustrating an error frame format defined by the CAN protocol. FIG. 4 is a block diagram illustrating a configuration example of the accelerator ECU according to the embodiment. FIG. 5 is a diagram for explaining an example of the control content indicated by the value of the data field of the data frame related to the acceleration control instruction transmitted by the vehicle speed control support ECU. FIG. 6 is a block diagram illustrating a configuration example of the security ECU (monitoring device) according to the embodiment. FIG. 7 is a diagram for explaining the conditions for determining whether the acceleration control instruction has been illegally determined based on the relationship between the vehicle speed and the inter-vehicle distance controlled by the vehicle speed control support function. FIG. 8 is a flowchart illustrating an example of a procedure of monitoring processing executed by the security ECU according to the embodiment. FIG. 9 is a diagram illustrating an example of a processing sequence according to the acceleration control in the embodiment. FIG. 10 is a block diagram illustrating a configuration example of an accelerator ECU according to a modification of the embodiment. FIG. 11 is a flowchart illustrating an example of a procedure of a monitoring process executed by the monitoring device according to the modification. FIG. 12 is a diagram illustrating an example of a processing sequence related to acceleration control in the above modification.

(Knowledge that became the basis of the present invention)
In the advanced driver support system for vehicles, the vehicle speed control support ECU that tries to keep the vehicle speed or the inter-vehicle distance constant includes a communication line such as a CAN bus from other ECUs on the network including a sensor ECU that detects the vehicle speed and the like. On the basis of the information acquired via the interface, when a situation requiring acceleration occurs, an acceleration control instruction (that is, an acceleration control instruction frame) is transmitted to the CAN bus. In accordance with the acceleration control instruction, the accelerator ECU controls the output of a prime mover such as an engine or a motor to accelerate the vehicle. In addition to the instruction to increase the output of the prime mover for acceleration, the contents of the acceleration control instruction include, for example, an instruction to increase or suppress the output of the prime mover to maintain the vehicle speed, and increase the output of the prime mover to adjust the acceleration. Or instructions to suppress may be included. Actually, these instructions may be expressed by, for example, an accelerator opening.

  In the case where an attacker sends an attack frame (illegal frame) of an unauthorized acceleration control instruction, and the unauthorized acceleration control instruction is different from an appropriate acceleration control instruction transmitted by the vehicle speed control support ECU. , May lead to accidents such as vehicles. Appropriate acceleration control instructions are the actual speed of the vehicle, the setting by the driver for the vehicle speed, or the vehicle status such as the driving support function effective in the vehicle, or the restriction on the speed at the place where the vehicle is traveling, or with the preceding vehicle The content should correspond to the situation of the outside world where the vehicle travels, such as the inter-vehicle distance.

  Therefore, the acceleration control instruction transmitted to the CAN bus is an appropriate acceleration control instruction according to the state of the vehicle or the external environment of the vehicle, or an incorrect acceleration control instruction having contents inconsistent with these states. I came up with a method to judge. A vehicle is an example of an application target of this method, and this method can be applied to other moving objects.

  In an electronic control device or the like that realizes a monitoring device according to an aspect of the present invention, the method is executed to specify an unauthorized acceleration control instruction. Further, by invalidating an invalid acceleration control instruction, execution of the acceleration control according to the acceleration control instruction is suppressed. As a result, it is possible to prevent an accident caused by an unauthorized acceleration control instruction attack frame.

  An information processing apparatus according to an aspect of the present invention acquires mobility-related information indicating at least one of a mobility state and an external environment in which the mobility moves, and an acceleration control instruction for accelerating the mobility And a determination unit that determines whether or not the acceleration control instruction is an unauthorized control instruction based on the mobility related information information and the acceleration control instruction. Thereby, it is determined whether or not the acceleration control instruction transmitted to the network is an unauthorized control instruction based on whether the vehicle state or the external environment of the vehicle and the acceleration instruction are appropriate. The result can be used.

  In addition, for example, when the determination unit determines that the data on the mobility network is invalid data, the determination unit may further include an invalidation unit that invalidates or discards the data on the mobility network. This suppresses adverse effects on the mobility network due to unauthorized data.

  In addition, for example, the determination unit may determine that the acceleration control instruction is an unauthorized control instruction when the acceleration control instruction indicates a control content that does not match the mobility related information. Thereby, for example, an acceleration control instruction that contradicts the situation of the vehicle or the like is determined to be an unauthorized control instruction.

  In addition, for example, the determination unit may be configured such that the mobility related information indicates a set speed of the mobility or a restriction speed of a place where the mobility moves, and the acceleration control instruction indicates the mobility at the set speed or the restriction. When the control content to be moved at a speed exceeding the speed is indicated, it may be determined that the acceleration control instruction is an unauthorized control instruction. In addition, for example, the determination unit indicates that the mobility related information indicates a speed at which the mobility should move from the preceding mobility of the mobility, and the acceleration control instruction exceeds a speed at which the received mobility should move. When the control content to be moved at a speed is indicated, it may be determined that the acceleration control instruction is an unauthorized control instruction. As a result, the acceleration control instruction for causing the vehicle to travel at a speed limit set by the driver for the vehicle or exceeding the official limit is determined to be an unauthorized control instruction.

  Further, for example, the determination unit may be configured such that the mobility related information indicates a vehicle speed of the mobility or a relative speed with an object in the traveling direction of the mobility, and the acceleration control instruction indicates the mobility as a first predetermined value. When the control content to be moved at a speed exceeding the value is indicated, it may be determined that the acceleration control instruction is an unauthorized control instruction. Further, for example, the determination unit may be configured such that the mobility-related information indicates a distance from an object in the mobility traveling direction, and the acceleration control instruction indicates the mobility corresponding to the distance from the object. When the control content for moving at a speed exceeding one predetermined value is indicated, it may be determined that the acceleration control instruction is an unauthorized control instruction. As a result, for example, an acceleration control instruction for causing the vehicle to travel at a speed that would excessively reduce the inter-vehicle distance from the preceding vehicle is determined to be an unauthorized control instruction.

  Further, for example, the determination unit indicates a control content in which the mobility-related information indicates a situation in which the mobility should be decelerated, and the acceleration control instruction moves the mobility at a speed exceeding a second predetermined value. In the case of showing, the acceleration control instruction may be determined to be an illegal control instruction. Thereby, it is determined that the acceleration control instruction for accelerating the vehicle in a situation where deceleration is executed is an unauthorized control instruction.

  Further, for example, the determination unit (1) indicates that the mobility-related information indicates that the advanced driver assistance system included in the mobility is off, and the acceleration control instruction exceeds a third predetermined value. Or (2) the mobility related information indicates that the advanced driver support system included in the mobility is off, and the acquisition unit performs the acceleration control within a predetermined period. When the instruction is acquired, it may be determined that the acceleration control instruction is an unauthorized control instruction. Thereby, in a situation where the ADAS function is invalid, it is determined that an acceleration control instruction that may be disguised as an acceleration control instruction from the ADAS function is an unauthorized control instruction.

  The monitoring method according to one aspect of the present invention is a monitoring method by an information processing device, and includes mobility-related information indicating at least one of a mobility state and an external environment in which the mobility moves, and the mobility. An acceleration control instruction for accelerating is acquired, and it is determined based on the mobility related information and the acceleration control instruction whether the acceleration control instruction is an unauthorized control instruction. Thereby, it is determined whether or not the acceleration control instruction transmitted to the network is an illegal control instruction based on whether it is appropriate in light of the state of the vehicle or the external environment of the vehicle and the acceleration control instruction. The determination result can be used.

  In addition, the program according to one aspect of the present invention is a process for acquiring mobility-related information indicating at least one of a mobility state and an external environment in which the mobility moves, and an acceleration control instruction for accelerating the mobility And a program for causing a computer to execute a process of determining whether or not the acceleration control instruction is an unauthorized control instruction based on the mobility related information and the acceleration control instruction. When this program is installed in a computer having a processor (microprocessor) and the program is executed by the processor of the computer, it is appropriately determined whether or not the acceleration control instruction appearing on the bus is illegal. .

  Further, the gateway device according to one aspect of the present invention acquires mobility-related information indicating at least one of a mobility state and an external environment where the mobility moves, and an acceleration control instruction for accelerating the mobility. Based on the acquisition unit, the mobility related information, and the acceleration control instruction, a determination unit that determines whether the acceleration control instruction is an unauthorized control instruction, and the acceleration control instruction is illegal by the determination unit. And an invalidating unit that does not transfer the acceleration control instruction when it is determined that the control instruction is correct. Thus, the gateway device determines whether the acceleration control instruction transmitted to the network is an unauthorized control instruction based on whether the vehicle state or the external environment of the vehicle is appropriate in light of the acceleration control instruction. Can be determined, and the determination result can be used. For example, by not transferring an acceleration control instruction determined to be an unauthorized control instruction, it is possible to prevent the mobility acceleration control from being disturbed by an attack.

  These general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a computer-readable recording medium such as a CD-ROM. The system, method, integrated circuit, computer You may implement | achieve with arbitrary combinations of a program or a recording medium.

  Hereinafter, a monitoring device or the like that executes a monitoring method according to an embodiment will be described with reference to the drawings. The embodiment shown here shows a specific example of the present invention. Therefore, numerical values, components, arrangement and connection forms of components, and steps (processes) and order of steps shown in the following embodiments are merely examples, and do not limit the present invention. Among the constituent elements in the following embodiments, constituent elements that are not described in the independent claims can be arbitrarily added. Each figure is a mimetic diagram and is not necessarily illustrated strictly.

  In the following embodiments, a security measure in an in-vehicle network mounted on an automobile will be described, but the scope of application is not limited to this. You may apply not only to a motor vehicle but to the mobility network with which various mobility, such as a construction machine, an agricultural machine, a ship, a railroad, an airplane, is equipped.

(Embodiment)
Hereinafter, as an embodiment of the present invention, a security ECU (monitoring device) that invalidates a frame related to an unauthorized acceleration control instruction transmitted to a bus (CAN bus) constituting an in-vehicle network in a vehicle as an example of mobility An in-vehicle network system including the above will be described with reference to the drawings. It should be understood that when the technology described below is applied to a ship or an airplane, the traveling is navigation or flight, and the lane is appropriately read as a moving route.

[1.1 Configuration of in-vehicle network system 10]
FIG. 1 is a diagram illustrating an overall configuration of an in-vehicle network system 10 according to an embodiment.

  As illustrated in FIG. 1, the in-vehicle network system 10 includes various ECUs (security ECU 100, accelerator ECU 310, sensor ECU 320, brake ECU 330, vehicle speed control assist ECU 350, and communication ECU 380) mounted on the vehicle 20, and a bus (CAN bus). 30). The in-vehicle network system 10 may include other ECUs such as an ECU related to steering control, for example, but illustration thereof is omitted. The in-vehicle network system 10 constitutes a control network system for the vehicle 20 together with a server device outside the vehicle with which any ECU including those not shown in the figure communicates through a communication network such as the Internet. May be. Note that the communication path with the outside can be used for cyber attacks to the in-vehicle network system 10 as an intrusion path for injecting (transmitting) unauthorized frames to the in-vehicle network system 10 or hijacking any ECU.

  Each ECU on the in-vehicle network system 10 is a device including, for example, a processor (microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like. The memory is a ROM (Read-Only Memory), a RAM (Random Access Memory), or the like, and can store a control program (computer program as software) executed by the processor. For example, the ECU implements various functions by the processor operating in accordance with a control program (computer program). The computer program is configured by combining a plurality of instruction codes indicating instructions for the processor in order to achieve a predetermined function. These ECUs can exchange frames via the bus 30 according to the CAN protocol.

  Some ECUs on the in-vehicle network system 10 are connected to various devices such as sensors, actuators, and user interface devices through communication paths other than the bus 30. For example, the accelerator ECU 310 is connected to a prime mover 311 (a throttle, a fuel injection device, a motor drive circuit, etc.) and controls the prime mover 311. The brake ECU 330 is connected to the brake 331 (actuator thereof) and controls the brake 331. In FIG. 1, individual illustrations of actuators and the like that control each of the above-described components are omitted, and for the sake of simplicity, the control instructions for the actuators and the like are expressed as control instructions for the respective components below. There are things to do. The communication ECU 380 is connected to the antenna 381 and performs communication with the outside of the in-vehicle network system 10 via the antenna 381. In FIG. 1, another vehicle 21 is shown as an example of a communication partner. In other words, vehicle-to-vehicle communication is realized by communication ECU 380. The sensor ECU 320 is connected to the object detection sensor 321 and the speed sensor 322, and periodically transmits a frame (data frame) representing measurement information measured by each sensor to the bus 30. In the in-vehicle network system 10, there may be a plurality of sensor ECUs 320 corresponding to individual sensors. However, for convenience of explanation, one sensor ECU 320 that can transmit a frame representing measurement information measured by each of the plurality of sensors is provided. An example that exists. However, not all sensors on the in-vehicle network system 10 need be connected to the sensor ECU 320, and there may be sensors connected to an ECU other than the sensor ECU 320, such as the accelerator ECU 310 or the engine ECU 340. The object detection sensor 321 detects an object to be detected such as a traveling direction of the vehicle 20 or a surrounding vehicle, an obstacle, a passerby, and a road marking line. Further, the distance between the vehicle 20 and the object to be detected is measured. More specifically, it can be realized by, for example, a camera (image sensor) such as a camera that captures the front, side, rear, or the entire periphery, a radar, a rider, or a combination thereof. The speed sensor 322 is a sensor for detecting the speed of the vehicle 20. Here, the speed of the vehicle 20 is, for example, the absolute speed of the vehicle 20, but may be a relative speed of the vehicle 20 with respect to the detected object detected by the object detection sensor 321. The absolute speed of the vehicle 20 is equal to the relative speed of the vehicle 20 with respect to the detected object that is not moving.

  The vehicle speed control support ECU 350 is an ECU that has a vehicle speed control support function of the advanced driver support system. The vehicle speed control assisting ECU 350 sends an acceleration control instruction frame of control contents determined based on information acquired from other ECUs such as measurement information acquired from the sensor ECU 320 to the accelerator 30 in order to request acceleration control from the accelerator ECU 310. Send periodically. The vehicle speed control assistance ECU 350 may be integrated or directly connected to another ECU such as the sensor ECU 320, for example, and may acquire various types of information such as measurement information without going through the bus 30. Further, the direct connection between the vehicle speed control support ECU 350 and another ECU may be made via a dedicated line.

  The diagnostic port 390 is a terminal connected to the bus 30 such as OBD2 (On-Board Diagnostics 2) and the bus 30 is accessed by a device such as a diagnostic tool (fault diagnostic tool) via the diagnostic port 390. Is possible.

  The communication ECU 380 and the diagnostic port 390 can also be used for attacks on the in-vehicle network system 10.

  The security ECU 100 has a function for ensuring the security of the in-vehicle network system 10. In the present embodiment, the security ECU 100 is a device that monitors a frame flowing through the bus 30 and invalidates a data frame related to an unauthorized acceleration control instruction appearing on the bus 30 by transmitting an error frame. Functions as a monitoring device to deal with attack frames of control instructions. Note that the security ECU 100 has a function of determining whether or not the data frame on the bus 30 is illegal as well as an illegal acceleration control instruction frame and invalidating the illegal data frame. May be.

[1.2 Data frame format]
Hereinafter, a data frame (message) which is one of the frames used in the network according to the CAN protocol will be described.

  FIG. 2 is a diagram showing a format of a data frame defined by the CAN protocol. In the figure, a data frame in a standard ID format defined by the CAN protocol is shown. The data frame includes an SOF (Start Of Frame), an ID field, an RTR (Remote Transmission Request), an IDE (Identifier Extension), a reserved bit “r”, a DLC (Data Length Code), a data field, and a CRC (Cyclic Redundancy Check) sequence. , A CRC delimiter “DEL”, an ACK (Acknowledgement) slot, an ACK delimiter “DEL”, and an EOF (End Of Frame) field.

  The SOF is composed of a 1-bit dominant. An idle bus in which no message is transmitted is recessive, and an ECU serving as a transmission node notifies the start of frame transmission by changing the bus to dominant.

  The ID field is a field for storing an ID (message ID) that is a value indicating the type of data, which is composed of 11 bits. When a plurality of nodes start transmission at the same time, communication arbitration is performed by giving priority to a frame having a small ID.

  The RTR is a value for identifying a data frame and a remote frame used for requesting the data frame, and is composed of a dominant 1 bit in the data frame.

  IDE and “r” are both composed of a dominant 1 bit.

  DLC is composed of 4 bits and is a value indicating the length of the following data field. Note that IDE, “r”, and DLC are collectively referred to as a control field.

  The data field includes the content of data transmitted in a frame composed of a maximum of 64 bits. The length is variable in units of 8 bits. The CAN protocol does not define data specifications and can be determined by the designer. Therefore, the data specifications of the in-vehicle network system depend on the vehicle type, manufacturer (manufacturer), and the like.

  The CRC sequence is composed of 15 bits. A result calculated by the transmission node from the transmission values of the SOF, ID field, control field, and data field is entered. The receiving node compares the result calculated in the same manner from the reception of these fields with the CRC sequence value to determine whether the frame has been normally received.

  The CRC delimiter is a delimiter representing the end of a CRC sequence composed of 1-bit recessive. The CRC sequence and the CRC delimiter are collectively referred to as a CRC field.

  The ACK slot is composed of 1 bit. The transmitting node performs transmission with the ACK slot being recessive. The receiving node transmits a dominant as an acknowledgment at the timing of the ACK slot if it has successfully received the CRC sequence. Since dominant is given priority over recessive, if the ACK slot is dominant after transmission, the transmitting node can confirm that any receiving node connected to the CAN bus has received the frame normally.

  The ACK delimiter is a delimiter representing the end of ACK composed of 1-bit recessive.

  The EOF is composed of 7 bits recessive and indicates the end of the data frame.

[1.3 Error frame format]
FIG. 3 is a diagram illustrating an error frame format defined by the CAN protocol. The error frame includes an error flag (primary), an error flag (secondary), and an error delimiter.

  The error flag (primary) is used to notify other nodes of the occurrence of an error. A node that detects an error continuously transmits a 6-bit dominant to notify other nodes of the occurrence of the error. This transmission violates the bit stuffing rule in the CAN protocol (the same value is not transmitted continuously for 6 bits or more), and causes transmission of an error frame (secondary) from another node.

  The error flag (secondary) is composed of a continuous 6-bit dominant used to notify other nodes of the occurrence of an error. All nodes that have received the error flag (primary) and detected a violation of the bit stuffing rule will transmit the error flag (secondary).

  The error delimiter “DEL” is a continuous recess of 8 bits and indicates the end of the error frame.

[1.4 Configuration of Accelerator ECU 310]
FIG. 4 is a block diagram illustrating a configuration example of the accelerator ECU 310. In order to control the prime mover 311, the accelerator ECU 310 includes a communication unit 1310, a data buffer 2310, and a control processing unit 3310.

  The communication unit 1310 is an integrated circuit (for example, a communication circuit, a memory, a processor, etc.) that controls communication on the bus 30. The communication unit 1310 includes, for example, a frame transmission / reception function unit and a received frame interpretation function unit as functional components.

  The frame transmission / reception function unit performs frame transmission / reception (sequential transmission / reception of each frame by one bit) according to the CAN protocol, for example.

  The received frame interpretation function unit interprets the value of the frame received by the frame transmission / reception function unit so as to be mapped to each field in the frame format defined by the CAN protocol. The received frame interpretation function unit determines whether or not the data frame (message) is to be received by the accelerator ECU 310 based on the value determined to be the ID field, and if the ID is not to be received, the interpretation of the frame is stopped. In addition, when the received frame interpretation function unit determines that the frame does not comply with the CAN protocol, for example, the CRC value does not match or the dominant fixed item is recessive, the frame transmission / reception function unit To send an error frame. In addition, when the received frame interpretation function unit receives an error frame, that is, when it is interpreted as an error frame from the value in the received frame, the frame is discarded after that, that is, the interpretation of the frame is stopped. . If the ID of the received data frame is an ID indicating that the frame is an acceleration control instruction frame predetermined in the specifications of the in-vehicle network system 10, it is determined as a data frame to be received by the received frame interpretation function unit of the communication unit 1310. Is done. The received frame interpretation function unit stores the contents (ID, data field data, etc.) of the frame determined as the data frame to be received in the data buffer 2310.

  The data buffer 2310 is a storage area of a storage medium such as a memory or a register. The data buffer 2310 stores an ID as the content of the data frame received by the communication unit 1310 and information indicated by the value of the data field (for example, information indicating an acceleration control instruction). Communication arbitration by ID is performed when data frames are simultaneously transmitted from a plurality of nodes onto the bus 30. For this reason, the timing at which the accelerator ECU 310 receives the data frame related to the acceleration control instruction transmitted from the vehicle speed control support ECU 350 from the bus 30 does not necessarily exactly coincide with a certain period (for example, 50 ms). May deviate somewhat. Accelerator ECU 310 uses data buffer 2310 so that it can efficiently process received data frames in response to fluctuations in reception timing caused by the influence of such communication arbitration.

  The control processing unit 3310 determines that the contents of the frame stored in the data buffer 2310 (information indicating an acceleration control instruction or the like) periodically or a certain condition (such as a condition related to frame storage in the data buffer 2310) is satisfied. The prime mover 311 is controlled by transmitting a control signal to the prime mover 311 according to the acceleration control instruction indicated by the obtained information.

  Note that an ECU such as the brake ECU 330 that can control the actuator includes a communication unit, a data buffer, and a control processing unit for controlling the actuator. Further, for sensor ECU 320 connected to the sensor, processing for obtaining a measurement result at the sensor, generating a data frame including measurement information indicating the measurement result in a data field with a predetermined message ID attached thereto And a communication unit for transmitting the data frame to the bus 30 in accordance with the CAN protocol. This measurement information shows the measurement result regarding the recognition result of the detected object, the distance between the vehicle 20 and the detected object, the speed of the vehicle 20, and the like. In addition, even if it is ECU other than sensor ECU320, when connected with a sensor, each such component with which sensor ECU320 is provided may be provided. For the communication ECU 380 connected to the antenna, a wireless communication unit that receives communication data from the outside of the in-vehicle network system 10, information to be transferred to the in-vehicle network system 10 is extracted from the received communication data, and the information is stored in the data field. A processing unit that generates a data frame included therein with a predetermined message ID, a CAN communication unit for transmitting the data frame to the bus 30 according to the CAN protocol, and the like. The information transmitted by being included in the data frame is information indicating the state of the outside world in which the vehicle 20 travels, such as the state of travel control of the vehicle 21 and the measurement result obtained by the measurement by the sensor of the vehicle 21.

[1.5 Acceleration control instructions]
FIG. 5 is a diagram illustrating an example of a data field of a frame related to an acceleration control instruction transmitted by the vehicle speed control support ECU 350. In this example, the data field of the acceleration control instruction frame includes an output designation for the prime mover 311. FIG. 5 shows an example of the correspondence between the value of the data field and the accelerator opening. Here, the accelerator opening is not an opening corresponding to the actual position of the accelerator pedal operated by the driver, but the vehicle speed control assist ECU 350 causes the accelerator ECU 310 to designate and use the output for the prime mover 311. It is an example of a parameter. Information other than the accelerator opening may be added to the data field of the acceleration control instruction frame, but here, for convenience of explanation, only the accelerator opening will be described. In this example, the accelerator opening is represented by an 8-bit value, the value 255 (11111111) indicates the accelerator opening 0, and the value 55 (00110111) indicates the maximum value of the accelerator opening (100 in this example). The value indicates the output in 0.5 increments.

  When the accelerator ECU 310 receives an acceleration control instruction including designation of the accelerator opening from the vehicle speed control support ECU 350, the accelerator 311 is operated according to the accelerator opening. More specifically, when the accelerator opening degree of the acceleration control instruction is the maximum amount (100 in this example), the control processing unit 3310 of the accelerator ECU 310 performs the same control as when the accelerator pedal is fully depressed. A signal is transmitted to activate the prime mover 311. When an acceleration control instruction that designates the accelerator opening as zero is received from the vehicle speed control support ECU 350, the control processing unit 3310 of the accelerator ECU 310 transmits the same control signal to the prime mover 311 as when the accelerator pedal is not depressed. To do. The accelerator ECU 310 performs control of the prime mover 311 reflecting the operation of the accelerator pedal by the driver and control of the prime mover 311 according to the acceleration control instruction from the vehicle speed control support ECU 350 in accordance with the setting related to the automatic control of the acceleration of the vehicle 20. Sometimes one is given priority over the other.

[1.6 Configuration of Security ECU 100]
FIG. 6 is a block diagram illustrating a configuration example of the security ECU 100. The security ECU 100 has a function as a control device that monitors a frame flowing through the bus 30 and invalidates a data frame related to an unauthorized acceleration control instruction that appears on the bus 30 by transmitting an error frame. For realization, a communication unit 1100, a storage unit 2100, and a monitoring processing unit 3100 are provided. Each function of these components is realized by, for example, a communication circuit in the security ECU 100, a storage medium such as a memory, a processor that executes a control program stored in the memory, a digital circuit, or the like.

  The communication unit 1100 is realized by a communication circuit, a processor that executes a control program, and the like. The communication unit 1100 includes a reception unit 1101 and a transmission unit 1102 for performing transmission / reception of frames with the bus 30 according to the CAN protocol (sequential transmission / reception of each frame by 1 bit). The receiving unit 1101 receives a frame from the bus 30. When a frame is received from the bus 30 by the receiving unit 1101, the communication unit 1100 interprets the frame value to map to each field in the frame format defined by the CAN protocol, thereby obtaining an ID (message ID), DLC and data field data are distinguished from each other and extracted from the frame. The communication unit 1100 determines whether or not the extracted ID is an ID of a frame to be received by the security ECU 100 among the IDs determined in advance in the specifications of the in-vehicle network system 10. If the ID of the frame to be received is not received, the communication unit 1100 stops the interpretation of the frame. Receiving unit 1101 is an example of an acquiring unit in the present embodiment. Further, the communication unit 1100 stores the contents (ID, data, etc.) of the frame acquired by interpreting the frame received by the receiving unit 1101 in the storage unit 2100. Further, the communication unit 1100 receives an error frame transmission instruction from the monitoring processing unit 3100, and transmits the error frame to the bus 30 by the transmission unit 1102.

  The frame to be received by the security ECU 100 includes an acceleration control instruction frame transmitted from the vehicle speed control support ECU 350. Further, information indicating the state of the vehicle 20 and information indicating the situation of the outside world where the vehicle 20 travels (hereinafter, information indicating at least one of these states and conditions is also referred to as status information for convenience, The security ECU 100 also receives a frame indicating at least one of mobility-related information in the form. The frame indicating the state of the vehicle 20 includes, for example, a data frame indicating a valid (on) or invalid (off) vehicle speed control support function transmitted from the vehicle speed control support ECU 350. Moreover, the data frame which shows the setting value by the effective (on) or invalidity (off) of various assistance functions of an advanced driver assistance system including those other than a vehicle speed control assistance function, a driver, or various functions is also mentioned. Further, the data frame indicating the current accelerator opening degree transmitted from the accelerator ECU 310 can also be received by the security ECU 100 as a frame indicating the status information indicating the state of the vehicle 20. Security ECU 100 also receives a data frame including measurement information transmitted from another ECU such as sensor ECU 320. The measurement information includes information indicating the state of the vehicle 20 (for example, vehicle speed, water temperature, voltage) depending on the measurement object, and information indicating the external environment (for example, temperature outside the vehicle, road surface condition, object recognition result). is there. Furthermore, the security ECU 100 also receives information (for example, the traveling control status of the vehicle 21 and the measurement result obtained by the measurement of the sensor of the vehicle 21) that is acquired by the communication ECU 380 through communication with the vehicle 21 and transferred to the in-vehicle network system 10. To do. This information indicates the external environment of the vehicle 20.

  The storage unit 2100 is a storage area of a storage medium such as a memory for storing the contents of the frame received by the reception unit 1101. For example, the above-described situation information, that is, measurement information transmitted from the sensor ECU 320 or the like, information on a valid or invalid vehicle speed control support function transmitted from the vehicle speed control support ECU 350, and the accelerator ECU 310 are transmitted to the storage unit 2100, for example. The current accelerator opening or information provided from the vehicle 21 transmitted from the communication ECU 380 is stored.

  The monitoring processing unit 3100 is realized by a processor or the like that executes a control program, and has a function of performing invalidation processing for invalidating a data frame of an acceleration control instruction on the bus 30 under a certain condition. The monitoring processing unit 3100 includes a determination unit 3101 and an invalidation unit 3102.

  The determination unit 3101 determines an acceleration control instruction based on at least one of the state of the vehicle 20 and the external environment in which the vehicle 20 travels when the reception unit 1101 receives the data frame of the acceleration control instruction, and the acceleration control instruction. Is invalid (that is, whether the data frame of the acceleration control instruction is an invalid frame to be invalidated). The determination unit 3101 performs this determination based on the situation information received by the reception unit 1101 and stored in the storage unit 2100 and the acceleration control instruction received by the reception unit 1101. This determination is performed until the entire data frame of the acceleration control instruction is received from the bus 30 by the receiving unit 1101 (that is, before the end of the data frame, for example, immediately after receiving the data field or immediately after receiving the CRC sequence). Is called. If the determination unit 3101 determines that the acceleration control instruction is invalid, the determination unit 3101 outputs the result and notifies the invalidation unit 3102 of the result.

  When the determination unit 3101 determines that the acceleration control instruction is invalid, the invalidation unit 3102 sends a bus 110 to the transmission unit 1102 to invalidate the data frame of the acceleration control instruction appearing on the bus 30. The invalidation process is performed by causing 30 to transmit an error frame. The invalidation process by the invalidation unit 3102 is realized by transmitting an error frame to the bus 30 before the end of the data frame (EOF) of the acceleration control instruction is completed. When the invalidation processing is performed, the data frame of the acceleration control instruction on the bus 30 is overwritten, so that the accelerator ECU 310 discards the data frame of the incorrect acceleration control instruction, and the acceleration control according to this acceleration control instruction. Is avoided.

[1.7 Unauthorized discrimination of acceleration control instructions]
Hereinafter, a method for determining whether or not the acceleration control instruction in the determination unit 3101 of the monitoring processing unit 3100 in the security ECU 100 (monitoring device) is illegal will be described.

  Based on the acceleration control instruction acquired from the data frame received by the reception unit 1101 and the situation information stored in the storage unit 2100, the determination unit 3101 determines whether the acceleration control instruction indicates the state indicated by the situation information or Control contents that are not consistent with the situation (hereinafter simply referred to as the situation for the sake of convenience without distinguishing whether the vehicle 20 is in the state of the vehicle 20 or the outside environment where the vehicle 20 travels) If it is indicated, that is, if the situation and the control content are inconsistent, it is determined that the acceleration control instruction is an illegal control instruction. Hereinafter, the inconsistency between this situation and the control content will be described with an example.

[1.7.1 Inconsistency with setting or speed limit]
For example, when the situation indicated by the situation information indicates the set speed of the vehicle 20 and the acceleration control instruction indicates the control content for causing the vehicle 20 to travel at a speed exceeding the set speed, the determination unit 3101 It is determined that the control instruction is an illegal control instruction that is inconsistent with the situation indicated by the situation information.

  The set speed here is, for example, a speed set by the driver with the vehicle speed maintenance function enabled. Alternatively, the set speed may be a speed set by the vehicle speed control support function when a vehicle speed control support function such as an inter-vehicle distance maintaining function or an inter-vehicle distance adjustment function is effective in the vehicle 20. These set speeds are examples of the situation of the vehicle 20. The security ECU 100 can acquire status information indicating this status from a data frame indicating the setting status of the vehicle speed control support function transmitted from the vehicle speed control support ECU 350.

  In addition, when the situation indicated by the situation information indicates the regulated speed of the place where the vehicle 20 travels, and the acceleration control instruction indicates the control content for causing the vehicle 20 to travel at a speed exceeding the regulated speed, the determination unit 3101. Determines that this acceleration control instruction is an illegal control instruction that is inconsistent with the situation indicated by the situation information.

  The speed limit here is, for example, a speed determined by related laws or regulations, or an upper limit speed determined and posted by the user on private land or a building (for example, a parking lot of a retail store). These regulated speeds are examples of the external environment in which the vehicle 20 travels. The security ECU 100 can obtain status information indicating this status from a data frame indicating the result of recognition of an object (character) in the outside world provided from the sensor ECU 320, for example. Or security ECU100 acquires the information which shows the regulation speed extracted from the map information which the car navigation system with which vehicles 20 are equipped, or the automatic driving system holds, or the map information provided by the service outside vehicles 20, or traffic information May be used. This extraction may be performed by either the transmission side or the security ECU 100.

[1.7.2 Mismatch with distance from object in traveling direction]
This mismatch will be described using a preceding vehicle as an example of an object in the traveling direction and an inter-vehicle distance as an example of a distance from the object. For example, when the situation indicated by the situation information indicates the inter-vehicle distance between the vehicle 20 and the preceding vehicle, and the acceleration control instruction indicates the control content for causing the vehicle 20 to travel at a speed exceeding the first predetermined value. The unit 3101 determines that this acceleration control instruction is an illegal control instruction that is inconsistent with the situation indicated by the situation information.

  Here, the first predetermined value is, for example, a value of the absolute speed of the vehicle 20 that is predetermined with respect to the inter-vehicle distance from the preceding vehicle. For example, the inter-vehicle distance that is necessary for safety based on the stop distance with respect to the speed. It may be determined in relation to the distance. In this case, the speed value may be a value determined based on the relationship between the vehicle speed and the inter-vehicle distance in the control by the vehicle speed control assist ECU 350. FIG. 7 is a diagram for explaining the conditions for determining whether or not the acceleration control instruction has been determined in this way. In FIG. 7, a black dot is based on the absolute speed of the vehicle by the acceleration control support performed by the vehicle speed control support function in a state where the vehicle is not subjected to any cyber attack (that is, in a normal state) and the inter-vehicle distance from the preceding vehicle at that time. Is plotted in the graph area. That is, these points indicate a case where the situation of the inter-vehicle distance from the preceding vehicle is consistent with the control content by the acceleration control support instruction. Therefore, the acceleration control that reaches the speed of entering a certain distance range from the line that approximates these points (broken line in the figure) shall be consistent with the situation, and the acceleration that will reach the speed of entering other areas. Control can treat the content as inconsistent with the situation. In FIG. 7, a right-angled triangular area shaded with a diagonal line in the lower right corner of the graph area has an excessive speed with respect to the inter-vehicle distance that is not executed by the acceleration control support in the normal state, which is inconsistent with the situation. The area | region where acceleration control assistance is plotted is shown. The first predetermined value is a value on the horizontal axis indicating the vehicle speed with respect to the value on the vertical axis based on the inter-vehicle distance on the hypotenuse of the right triangle. Further, the first predetermined value may be a value of the relative speed of the vehicle 20 with respect to the preceding vehicle. For example, it is a value of a relative speed that is predetermined according to the distance between the vehicles. As the determination method, as exemplified by the absolute speed described above, the relationship between the relative speed of the vehicle with respect to the preceding vehicle and the inter-vehicle distance according to the acceleration control support instruction performed by the vehicle speed control support function in a normal state may be used. . As another example, the relative speed may be a value that makes the inter-vehicle distance less than the inter-vehicle distance required for safety within a predetermined time (for example, 0.5 seconds).

  The inter-vehicle distance from the preceding vehicle can be considered as either the situation of the vehicle 20 or the situation of the outside world where the vehicle 20 travels. The security ECU 100 can acquire the situation information indicating the situation from, for example, a data frame that is transmitted from the sensor ECU 320 and indicates the result of object recognition and the measurement result by the distance measuring sensor. Further, the vehicle speed is the state of the vehicle 20, and the security ECU 100 can acquire the state information indicating this state from, for example, a data frame indicating the measurement result by the speed sensor transmitted from the sensor ECU 320. The relative speed may be calculated by the determination unit 3101 from a data frame indicating the speed of the vehicle 21 received by the communication ECU 380 from the vehicle 21.

  As described above, the preceding vehicle is an example of an object in the traveling direction, and the inter-vehicle distance is an example of a distance from the object. The object in the traveling direction is not limited to mobility such as a vehicle, and may be various objects that are not intended to be contacted at the time of traveling.

[1.7.3 Mismatch in deceleration control]
For example, when the situation indicated by the situation information indicates a situation where the vehicle 20 should be decelerated, and the acceleration control instruction indicates the control content for causing the vehicle 20 to travel at a speed exceeding the second predetermined value, the determination unit 3101. Determines that this acceleration control instruction is an illegal control instruction that is inconsistent with the situation indicated by the situation information.

  The situation where the vehicle 20 should be decelerated here is simply a situation where the brake control is being executed by the driver's operation on the vehicle 20, but is not limited to this. As another example, there is a situation in which a brake control instruction for the vehicle 20 is issued by any function provided by the advanced driver assistance system. The brake control here is not limited to braking with frictional force by the brake pads. Control of engine brakes or exhaust brakes by aggressive downshifting is also included. Further, when the motor is a motor vehicle and the regenerative brake is actively used for deceleration, control of the regenerative brake is also included. In addition, the situation where the brake control is to be performed by the driver or the advanced driver support system, more specifically, for example, in the range of less than a predetermined distance in the traveling direction of the vehicle 20 when the preceding vehicle decelerates or the brake control occurs. When a stopped vehicle, building or passerby is detected, or when a vehicle 20 enters a curve, or when entering a zone with a regulated speed lower than the current vehicle speed, the vehicle 20 should be decelerated. Included in the situation.

  The situation in which the brake control is performed by the driver or the advanced driver assistance system is the situation of the vehicle 20, and the security ECU 100 transmits the brake application status transmitted from the brake ECU 330 or the ECU responsible for the advanced driver assistance system. Can be obtained from the frame. The occurrence of deceleration or brake control of the preceding vehicle, detection of a person or an object in the traveling direction, entry to a curve, and entry to an area having a regulated speed lower than the vehicle speed are external circumstances where the vehicle 20 travels, and the security ECU 100 Can acquire status information indicating this status from a data frame indicating the result of object recognition transmitted from the sensor ECU 320, for example. Further, the situation information on the occurrence of deceleration or brake control of the preceding vehicle may be acquired from a data frame received by the communication ECU 380 from the vehicle 21. In addition, the security ECU 100 provides map information held by a car navigation system included in the vehicle 20 or a map provided by a service outside the vehicle 20 for information on the status of entering a curve and entering an area with a regulated speed lower than the vehicle speed. You may acquire from the data frame containing the information which shows the control speed extracted from information or traffic information.

[1.7.4 Inconsistency with vehicle speed determined based on external information]
For example, the situation indicated by the situation information indicates that information indicating the speed at which the vehicle 20 should travel from the preceding vehicle of the vehicle 20 is received, and the acceleration control instruction travels at a speed exceeding the speed indicated by the received information. When the control content to be displayed is indicated, the determination unit 3101 determines that the acceleration control instruction is an illegal control instruction that is inconsistent with the situation indicated by the situation information.

  It is assumed that information indicating directly or indirectly the speed at which the vehicle should travel from the preceding vehicle to the succeeding vehicle in the execution of the inter-vehicle distance maintaining function or the inter-vehicle distance adjusting function is assumed between vehicles capable of inter-vehicle communication. More specifically, for example, information including an absolute speed at which the following vehicle should travel or a relative speed with respect to the preceding vehicle may be transmitted. These are examples of information that directly indicates the speed at which the vehicle 20 as the following vehicle should travel. On the other hand, the information indirectly indicating the speed at which the vehicle 20 as the subsequent vehicle should travel is information transmitted from the preceding vehicle that can be used for determining the vehicle speed in the vehicle 20. Specifically, instructions for acceleration or deceleration, instructions for execution of brake control, speed of the preceding vehicle, presence or strength of braking in the preceding vehicle, current inter-vehicle distance, or inter-vehicle distance instruction to be taken It is information to include. The security ECU 100 transmits, to the bus 30, status information indicating the status of the vehicle 20 that such information indicating the speed at which the vehicle 20 should travel has been received, and a data frame including the content of this information. Is received from the content. In the security ECU 100, the determination unit 3101 determines, based on such information, for example whether the vehicle 20 accelerates, decelerates or maintains from the current vehicle speed, or further accelerates or decelerates the acceleration. Then, based on a result of comparison between the result of this determination and the control content indicated by the acceleration control instruction transmitted from the vehicle speed control support ECU 350, whether or not the acceleration control instruction is inconsistent with the situation indicated by the situation information. judge.

[1.7.5 Inconsistency with the operating status of the advanced driver assistance system]
For example, the situation indicated by the situation information indicates that the advanced driver support system included in the vehicle 20 is off, and the acceleration control instruction indicates the control content for running at a speed exceeding the third predetermined value, or When the reception unit 1101 acquires an acceleration control instruction within a predetermined period, the determination unit 3101 determines that the acceleration control instruction is an illegal control instruction that is inconsistent with the situation indicated by the situation information.

  When the advanced driver assistance system is off, an acceleration control instruction larger than a certain degree is not transmitted from the vehicle speed control assistance ECU 350. The third predetermined value is a value used by the determination unit 3101 as a reference for detecting such an acceleration control instruction that is inconsistent with the situation of the vehicle 20 in which the advanced driver assistance system is off. In addition, there is a minimum amount of time until the advanced driver assistance system is turned on from off and the acceleration control instruction is transmitted from the vehicle speed control assistance ECU 350. The predetermined period is a value used by the determination unit 3101 as a reference for detecting such an acceleration control instruction that is inconsistent with the situation of the vehicle 20 in which the advanced driver assistance system is off.

  In the case of this example, the security ECU 100 acquires the situation of the vehicle 20 that the advanced driver assistance system is off from, for example, a data frame transmitted from the ECU related to the advanced driver assistance system. The vehicle speed control support ECU 350 is an example of an ECU according to an advanced driver support system.

[1.8 Control Processing of Security ECU 100]
FIG. 8 is a flowchart illustrating an example of a procedure of monitoring processing executed by the security ECU 100 in the in-vehicle network system 10. Hereinafter, the monitoring process executed by the security ECU 100 as a countermeasure to the attack frame of the unauthorized acceleration control instruction will be described with reference to FIG.

  When the reception unit 1101 receives a data frame including status information from the bus 30 (YES in step S11), the received status information is saved, that is, stored in the storage unit 2100 (step S12). The data frame including the situation information is periodically transmitted from the sensor ECU 320 or the like, and the reception and storage of the situation information in step S12 is repeatedly performed.

  When the reception unit 1101 receives the data frame for the acceleration control instruction from the bus 30 (YES in step S13), the determination unit 3101 indicates the situation indicated by the latest situation information stored in the storage unit 2100 and the received acceleration control. The control content indicated by the instruction is compared (step S14). In this comparison, the determination unit 3101 determines whether or not the situation and the control content are inconsistent (step S15). If they are inconsistent (YES in step S15), the determination unit 3101 receives the data in step S13. It is determined that the acceleration control instruction related to the data frame is invalid. Note that if the reception unit 1101 completes reception of the data field of the acceleration control instruction data frame, the control content indicated by the acceleration control instruction can be acquired, and thus the determination unit 3101 can execute step S14 and subsequent steps. it can.

  The invalidation unit 3102 invalidates the acceleration control instruction data frame determined to be invalid in step S16 by causing the transmission unit 1102 to transmit an error frame (step S17).

[1.9 Processing Sequence for Acceleration Control in In-vehicle Network System 10]
FIG. 9 shows an example of a processing sequence related to acceleration control in the in-vehicle network system 10. The operation of each ECU in the in-vehicle network system 10 will be described below with reference to FIG. Note that the fraudulent ECU here is any ECU (including an unillustrated one) on the in-vehicle network system 10, and for example, an ECU connected to the diagnostic port 390 by an attacker or rewriting of firmware The ECU is hijacked by the like. Further, for convenience of illustration, the first half (upper half) of the processing sequence is an example in which an illegal data frame is not transmitted, and the latter half (lower half) is an example in which an illegal data frame is transmitted.

  The sensor ECU 320 transmits a data frame including situation information indicating the measurement result measured by the object detection sensor 321 or the speed sensor 322 to the bus 30 (step S101A). The data frame is received from the bus 30 by the vehicle speed control support ECU 350 and the security ECU 100. Further, the vehicle speed control support ECU 350 transmits a data frame including information indicating validity or invalidity of various acceleration support functions to the bus 30 (step S101B). The security ECU 100 receives this data frame from the bus 30. In addition, accelerator ECU 310 transmits a data frame indicating the current accelerator opening to bus 30 (step S101C). The security ECU 100 receives this data frame from the bus 30. The security ECU 100 thus acquires situation information indicating the situation of the vehicle 20 and the situation of the outside world where the vehicle 20 travels.

  Based on the situation information transmitted by the sensor ECU 320 in step S101A, the vehicle speed control support ECU 350 buses an acceleration control instruction for an effective acceleration support function, for example, a data frame indicating the accelerator opening for maintaining the vehicle speed as control contents. 30 (step S102). The accelerator ECU 310 and the security ECU 100 receive this data frame from the bus 30.

  The security ECU 100 receiving this data frame and acquiring the acceleration control instruction determines whether the control content indicated by the acceleration control instruction is inconsistent with the situation indicated by the situation information transmitted in steps S101A to 101C (step S101A). S103). In this example, since there is no mismatch, the security ECU 100 does not execute the invalidation process for the data frame transmitted in step S102. The accelerator ECU 310 operates according to the acquired acceleration control instruction (step S105).

  The sensor ECU 320, the vehicle speed control support ECU 350, and the accelerator ECU 310 each transmit a data frame indicating newer situation information to the bus 30 as in steps S101A to S101C (steps S201A, S201B, and S201C). The security ECU 100 acquires these newer situation information.

  The unauthorized ECU transmits an unauthorized data frame including an acceleration control instruction for an attack (step S202). The accelerator ECU 310 and the security ECU 100 receive this illegal data frame from the bus 30.

  The security ECU 100 receiving this data frame and acquiring the acceleration control instruction determines whether the control content indicated by the acceleration control instruction is inconsistent with the situation indicated by the situation information transmitted in steps S201A to 201C (step S201). S203). Since this example is inconsistent, the security ECU 100 transmits an error frame to the bus 30 while the data frame appears on the bus 30 as an invalidation process for the data frame transmitted in step S202. The accelerator ECU 310 that has received the error frame discards the data frame transmitted in step S202 that has been acquired halfway (step S205).

  The above is the description using the example of the processing sequence related to the acceleration control in the in-vehicle network system 10, and the processing sequence related to the acceleration control of the in-vehicle network system including the security ECU 100 according to the present embodiment is not limited to this example. For example, the latest status information of all types does not have to be used for determining whether the security ECU 100 is inconsistent. In addition, it may be determined whether or not there is inconsistency a plurality of times using the same situation information. For example, in the above example, although omitted for the sake of simplicity, an acceleration control instruction data frame is also transmitted from the vehicle speed control support ECU 350 after step S201, and the security ECU 100 also transmits an acceleration control instruction from this data frame. May be acquired to determine whether or not they are inconsistent. In the CAN protocol, control instruction data frames for the same control target are transmitted periodically, and illegal data frames for attack are transmitted at a time very close to a legitimate data frame so that they are not played according to the rules of the period. Sometimes. Even for such an attack, an invalid data frame determined to show control inconsistent with the situation based on the result of matching the situation indicated by the situation information with the contents of the control instruction is appropriately invalidated. .

[1.10 Effects of the embodiment]
In the in-vehicle network system 10 according to the embodiment, the monitoring processing unit 3100 of the security ECU (monitoring device) 100 immediately before the reception of the acceleration control instruction (that is, the data frame of the acceleration control instruction) by the receiving unit 1101 is completed. Based on the situation information acquired from other devices such as the sensor ECU 320, it is determined by a predetermined method whether the control content of the acceleration control instruction and the situation indicated by the situation information are inconsistent. If they are inconsistent, invalidation processing for invalidating the acceleration control instruction by transmitting an error frame is performed. The predetermined method can determine various combinations of the reference situation and the control content. Since the invalid data frame including the acceleration control content inconsistent with the situation is invalidated on the bus 30 by the transmission of the error frame from the security ECU 100, the accelerator ECU 310 completes the reception of the illegal data frame, Control of the prime mover 311 according to the acceleration control instruction included in the data frame can be prevented. That is, in the in-vehicle network system 10, the security ECU 100 appropriately takes measures against an unauthorized frame (attack frame) related to the acceleration control instruction, and can prevent an accident caused by the attack frame.

(Other variations)
As described above, the embodiments have been described as examples of the technology according to the present invention. However, the technology according to the present invention is not limited to this, and can also be applied to embodiments in which changes, replacements, additions, omissions, etc. are made as appropriate. For example, the following modifications are also included in one embodiment of the present invention.

  (1) In the above-described embodiment, the monitoring device realized by the security ECU 100 that has a function for ensuring the security of the in-vehicle network system 10 may be realized as a part of the accelerator ECU 310. In this case, as an invalidation process by the invalidation unit 3102, a data frame including an unauthorized acceleration control instruction may be discarded. FIG. 10 is a block diagram illustrating a configuration example of an accelerator ECU partially including a monitoring device.

  The accelerator ECU 310B according to this modification includes a storage unit 2100B and a monitoring processing unit 3100B in addition to the components of the accelerator ECU 310 in the embodiment. Further, the communication unit 1310B of the accelerator ECU 310B has both functions of the communication unit 1310 and the communication unit 1100 included in the security ECU 100 in the embodiment. Of these functions, a portion corresponding to the receiving unit 1101 of the communication unit 1100 is shown as the receiving unit 1101B in the description of the accelerator ECU 310B. In the present modification, the storage unit 2100B, the monitoring processing unit 3100B, and the receiving unit 1101B constitute the monitoring device 100B in the accelerator ECU 310B. Hereinafter, the difference between monitoring apparatus 100B and security ECU 100 that is the monitoring apparatus in the embodiment will be mainly described.

  As described above, the reception unit 1101B corresponds to the reception unit 1101 of the communication unit 1100 of the security ECU 100 in the embodiment. The storage unit 2100B corresponds to the storage unit 2100 of the security ECU 100. The monitoring processing unit 3100B includes a transfer unit 3103 in addition to a determination unit 3101B corresponding to the determination unit 3101 of the monitoring processing unit 3100 of the security ECU 100 and an invalidation unit 3102B corresponding to the invalidation unit 3102.

  In addition to the data frame received by accelerator ECU 310, reception unit 1101B also receives a data frame including situation information from another ECU. In the embodiment, the status information received by the security ECU 100 from the accelerator ECU 310 is acquired by the monitoring processor 3100B in the accelerator ECU 310B.

  In the monitoring processing unit 3100B, the determination unit 3101B performs a determination (FIG. 8, step S15) by comparing the situation indicated by the situation information with the control content indicated by the acceleration control instruction from the vehicle speed control support ECU 350, as in the determination unit 3101. Execute and output the judgment result. However, the processing when it is determined that the situation and the control content are not inconsistent is different from that of the determination unit 3101. FIG. 11 is a flowchart illustrating an example of a procedure of monitoring processing including this difference, which is executed by the monitoring device 100B of the accelerator ECU 310B. In this case (NO in step S15), that is, the determination unit 3101B that has determined that the acceleration control instruction is not incorrect notifies the transfer unit 3103 of the result. Receiving this notification, the transfer unit 3103 stores the data frame contents (ID, data field data, etc.) related to the acceleration control instruction in the data buffer 2310 (step S18).

  When the monitoring processing unit 3100B determines that the situation and the control content are not inconsistent and is an unauthorized acceleration control (YES in step S15, step S16), the invalidation unit 3102B displays data related to the acceleration control instruction. The frame is discarded (step S17B).

  FIG. 12 shows an example of a processing sequence related to acceleration control in the in-vehicle network system 10 including the accelerator ECU 310B. The processing sequence of the embodiment shown in FIG. 9 is that the accelerator ECU 310B acquires each situation information, performs a mismatch determination (steps S103 and S203), and gives an acceleration control instruction when there is no mismatch. The difference is that the transfer is executed (step S104).

  Further, the invalidating unit 3102B may cause the communication unit 1310B to transmit an error frame to the bus 30 in the same manner as the invalidating unit 3102.

  (2) The situation of the vehicle indicated by the situation information or the situation of the outside world where the vehicle travels is compared with the control content of the acceleration control instruction by the determination units 3101 and 3101B is not limited to that described in the above embodiment. For example, the content of a road sign or road marking of a place where the vehicle is traveling or a planned travel route may be included in the situation of the outside world indicated by the situation information. For example, it may be determined whether or not the control content of the acceleration control instruction is inconsistent with the state of regulation regarding the speed indicated by the road sign. Also, for example, conditions that can affect safe speed, such as weather, temperature, road surface conditions, topography (gradient rate), load capacity or even balance, changes in vehicle speed, or tire type or degree of deterioration It may be included in the situation indicated by the vehicle or the outside world indicated by the information. Such information can be obtained from, for example, a vehicle-mounted sensor, map data, a system for providing road traffic information such as VICS (registered trademark), or a service on the Internet. In the determination unit 3101 or 3101B, inconsistency is determined using a criterion as to whether or not acceleration based on the accelerator opening indicated by the acceleration control instruction can be safely executed in addition to the traveling speed of the vehicle. May be. For example, different criteria may be used according to these situations indicated by the situation information, or an identification function or an identification model using these situation information as input values may be used.

  (3) The reference for determining whether or not the acceleration control instruction shown in the above embodiment and its modification is inconsistent with the situation may be different for each vehicle type. . The vehicle type here may be a type identified by a vehicle type, or may be a finer grade. Further, it may be further distinguished by the presence or absence of a predetermined function such as an option.

  Moreover, the content of the information transmitted from vehicle speed control assistance ECU350 among the status information compared with the control content is not limited to the above. For example, the setting content related to the acceleration control by the driver may be included. For example, the inter-vehicle distance with the preceding vehicle set by the driver for the inter-vehicle distance maintaining function or the inter-vehicle distance adjusting function may be included.

  (4) In the above embodiment, the example of application of the present invention in the in-vehicle network system in which the standard format shown in FIG. 2 is used as the format for the data frame in the CAN protocol has been described. The system is not limited to this. For example, it may be a network through which an extended format data frame flows. The CAN protocol shown in the above embodiment may be understood as a broad sense including derivative protocols such as TTCAN (Time-Triggered CAN) and CAN FD (CAN with Flexible Data Rate). The present invention is also applicable to a network system that complies with protocols other than CAN, such as Ethernet (registered trademark) and FlexRay (registered trademark), or a network system in which a plurality of protocols are mixed.

  (5) The division of functions among the various components provided on the in-vehicle network system 10 or the control network system including the above-described embodiment or its modification is an example, and the division can be changed. In addition, a part of the functions of the monitoring processing unit 3100 or the like in the security ECU 100 or the monitoring processing unit 3100B in the accelerator ECU 310B can communicate with the security ECU 100, for example, another ECU on the in-vehicle network system 10, or the in-vehicle network system 10 It may be carried by a server device that is an external information processing device. For example, in the above embodiment, the in-vehicle network system 10 includes another security ECU different from the security ECU 100, and the function of the invalidation unit 3102 among the functions of the monitoring processing unit 3100 is the other security ECU. May be carried by. In this case, the determination result output from the determination unit 3101 may be transmitted as a data frame from the transmission unit 1102 to the bus 30 or may be transmitted to another security ECU via a dedicated line.

  (6) Each ECU in the above embodiment is a device including a digital circuit such as a processor and a memory, an analog circuit, a communication circuit, and the like, but hardware such as a hard disk device, a display, a keyboard, and a mouse. A component may be included. In addition, each device shown in the above embodiment realizes its function by dedicated hardware (digital circuit, etc.) instead of realizing the function by software by the control program stored in the memory being executed by the processor. May be.

(7) Part or all of the constituent elements constituting each device in the above embodiment may be constituted by one system LSI (Large Scale Integration). The system LSI is an ultra-multifunctional LSI manufactured by integrating a plurality of components on a single chip. Specifically, the system LSI is a computer system including a microprocessor, a ROM, a RAM, and the like. . A computer program is recorded in this ROM. The system LSI achieves its functions by the microprocessor operating according to the computer program. In addition, each part of the constituent elements constituting each of the above devices may be individually made into one chip, or may be made into one chip so as to include a part or all of them. Although the system LSI is used here, it may be called IC, LSI, super LSI, or ultra LSI depending on the degree of integration. Further, the method of circuit integration is not limited to LSI's, and implementation using dedicated circuitry or general purpose processors is also possible. An FPGA (Field Programmable Gate Array) that can be programmed after manufacturing the LSI or a reconfigurable processor that can reconfigure the connection and setting of circuit cells inside the LSI may be used. Further, if integrated circuit technology comes out to replace LSI's as a result of the advancement of semiconductor technology or a derivative other technology, it is naturally also possible to carry out function block integration using this technology. Biotechnology can be applied as a possibility.

  (8) A part or all of the constituent elements constituting each of the above devices may be configured as an IC card or a single module that can be attached to and detached from each device. The IC card or module is a computer system that includes a microprocessor, ROM, RAM, and the like. The IC card or the module may include the super multifunctional LSI described above. The IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may have tamper resistance.

  (9) As one aspect of the present invention, for example, there is a monitoring method including all or part of the processing procedures included in FIGS. 8 and 9, FIGS. 11 and 12, and descriptions related thereto in this specification. There may be. For example, in the monitoring method, an acquisition step (for example, step S11) of acquiring situation information indicating at least one of the situation of the vehicle 20 and the situation of the outside world where the vehicle 20 travels, and the acceleration control instruction transmitted in the in-vehicle network system 10 And step S13) for determining whether the acceleration control instruction is an unauthorized control instruction by comparing the situation indicated by the acquired situation information with the control content indicated by the acquired acceleration control instruction. (For example, step S14) and an output step (for example, step S15) for outputting information indicating the result of determination by the determination step. Further, when the determination step determines that the acceleration control instruction is an illegal control instruction, an invalidation step (for example, step S17 or S17B) for invalidating the acceleration control instruction may be included. Such a method is executed by an ECU functioning as a monitoring device that monitors an acceleration control instruction for accelerating the vehicle 20, for example, transmitted by the in-vehicle network system 10.

  Further, as one aspect of the present invention, a computer program that causes a computer to execute processing according to the monitoring method may be used, or a digital signal that includes the computer program may be used. The process according to this monitoring method is an acquisition step of acquiring situation information indicating at least one of the situation of the vehicle 20 and the situation of the outside where the vehicle 20 travels, and an acceleration control instruction transmitted by the in-vehicle network system 10 (for example, Steps S11 and S13) are compared with the situation indicated by the acquired situation information and the control content indicated by the acquired acceleration control instruction to determine whether or not the acceleration control instruction is an unauthorized control instruction. This is a process including a determination step (for example, step S14) and an output step (for example, step S15) for outputting information indicating the result of determination by the determination step. This output information may be used as an input to another program module or computer program or other device capable of communication. By this other program module, for example, data frame invalidation, vehicle speed control assist ECU invalidation, automatic driving for emergency stop, notification of occurrence of attack to driver, error log recording, etc. are executed May be.

  Further, as one embodiment of the present invention, a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, a BD ( It may be recorded on a Blu-ray (registered trademark) disc, a semiconductor memory, or the like. Further, it may be a digital signal recorded on these recording media. Further, as one embodiment of the present invention, a computer program or a digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, data broadcasting, or the like.

  Further, an embodiment of the present invention may be a computer system including a microprocessor and a memory, the memory recording the above computer program, and the microprocessor operating according to the computer program. Alternatively, the program or digital signal may be recorded on a recording medium and transferred, or the program or digital signal may be transferred via a network or the like, and executed by another independent computer system.

  (10) The invalidation processing in the above embodiment and its modifications is not limited to the one by sending an error frame to the CAN bus. Discarding the data frame executed in the above-described accelerator ECU 310B is also an aspect of the invalidation process. As another example, it is also included in one aspect of the invalidation process that the monitoring device realized as part of the gateway in the network does not transfer a data frame including an unauthorized acceleration control instruction.

  (11) Embodiments realized by arbitrarily combining the constituent elements and functions shown in the embodiment and the modified examples are also included in the scope of the present invention.

  INDUSTRIAL APPLICABILITY The present invention can be used to cope with an attack in which a frame of an unauthorized acceleration control instruction is transmitted to a mobility network included in mobility in which vehicle speed control is performed manually or automatically, such as a vehicle.

10 In-vehicle network system 20, 21 Vehicle 30 Bus (CAN bus)
100 Security ECU (Monitoring device)
310, 310B Accelerator ECU
311 Motor 320 Sensor ECU
321 Object detection sensor 322 Speed sensor 330 Brake ECU
331 Brake 350 Vehicle speed control assist ECU
390 Diagnostic port 1100, 1310, 1310B Communication unit 1101, 1101B Receiving unit (acquiring unit)
1102 Transmission unit 2100, 2100B Storage unit 2310 Data buffer 3100, 3100B Monitoring processing unit 3101, 3101B Judgment unit 3102, 3102B Invalidation unit 3103 Transfer unit 3310 Control processing unit

Claims (12)

An acquisition unit for acquiring mobility-related information indicating at least one of a state of mobility and a situation of the outside world where the mobility moves, and an acceleration control instruction for accelerating the mobility;
A determination unit that determines whether the acceleration control instruction is an unauthorized control instruction based on the mobility related information and the acceleration control instruction;
An information processing apparatus comprising: An invalidation unit that invalidates or discards the acceleration control instruction when the determination unit determines that the acceleration control instruction is an unauthorized control instruction;
The information processing apparatus according to claim 1, further comprising: The determination unit determines that the acceleration control instruction is an unauthorized control instruction when the acceleration control instruction indicates control content that is not consistent with the mobility related information.
The information processing apparatus according to claim 1 or 2. In the determination unit, the mobility-related information indicates a set speed of the mobility or a regulated speed of a place where the mobility moves, and the acceleration control instruction indicates the speed at which the mobility exceeds the set speed or the regulated speed. When the control content to be moved is indicated, it is determined that the acceleration control instruction is an illegal control instruction.
The information processing apparatus according to claim 3. The determination unit includes a speed at which the mobility-related information indicates a vehicle speed of the mobility or a relative speed with an object in the traveling direction of the mobility, and the acceleration control instruction exceeds the mobility by a first predetermined value. When the control content to be moved is indicated, it is determined that the acceleration control instruction is an illegal control instruction.
The information processing apparatus according to claim 3. The determination unit indicates that the mobility-related information indicates a distance to an object in the traveling direction of the mobility, and the acceleration control instruction sets the mobility to a first predetermined value corresponding to the distance to the object. When the control content to be moved at a speed exceeding is determined, it is determined that the acceleration control instruction is an illegal control instruction.
The information processing apparatus according to claim 3. The determination unit, when the mobility related information indicates a situation in which the mobility should be decelerated, and the acceleration control instruction indicates a control content for moving the mobility at a speed exceeding a second predetermined value, Determining that the acceleration control instruction is an unauthorized control instruction;
The information processing apparatus according to claim 3. The determination unit moves the mobility-related information at a speed at which the mobility should move from the preceding mobility of the mobility, and the acceleration control instruction exceeds the received speed at which the mobility should move. When indicating the control content, it is determined that the acceleration control instruction is an unauthorized control instruction;
The information processing apparatus according to claim 3. The determination unit
(1) When the mobility related information indicates that the advanced driver support system included in the mobility is off, and the acceleration control instruction indicates a control content for moving at a speed exceeding a third predetermined value, Or
(2) When the mobility related information indicates that the advanced driver assistance system included in the mobility is off, and the acquisition unit acquires the acceleration control instruction within a predetermined period,
Determining that the acceleration control instruction is an unauthorized control instruction;
The information processing apparatus according to claim 3. A monitoring method by an information processing device,
Obtaining mobility-related information indicating at least one of a state of mobility and a situation of the outside world where the mobility moves, and an acceleration control instruction for accelerating the mobility;
Determining whether the acceleration control instruction is an unauthorized control instruction based on the mobility related information and the acceleration control instruction;
Monitoring method. A process for acquiring mobility-related information indicating at least one of a state of mobility and a situation of the outside world where the mobility moves, and an acceleration control instruction for accelerating the mobility;
A process of determining whether the acceleration control instruction is an unauthorized control instruction based on the mobility related information and the acceleration control instruction;
A program that causes a computer to execute. An acquisition unit for acquiring mobility-related information indicating at least one of a state of mobility and a situation of the outside world where the mobility moves, and an acceleration control instruction for accelerating the mobility;
A determination unit that determines whether the acceleration control instruction is an unauthorized control instruction based on the mobility related information and the acceleration control instruction;
An invalidation unit that does not transfer the acceleration control instruction when the determination unit determines that the acceleration control instruction is an unauthorized control instruction;
A gateway device comprising:

Images