JP6875576B2 - Fraud handling method - Google Patents

Description

The present invention relates to a technique for detecting and dealing with an illegal frame transmitted in an in-vehicle network with which an electronic control unit communicates.

In recent years, a large number of devices called electronic control units (ECUs) are arranged in a system in an automobile. The network connecting these ECUs is called an in-vehicle network. There are many standards for in-vehicle networks. Among them, one of the most mainstream in-vehicle networks is a standard called CAN (Controller Area Network) defined by ISO11898-1 (see "Non-Patent Document 1").

In CAN, the communication path is composed of two buses, and the ECU connected to the buses is called a node. Each node connected to the bus sends and receives a message called a frame. The transmitting node that transmits the frame transmits a value of "1" called recessive and a value of "0" called dominant by applying a voltage to the two buses and generating a potential difference between the buses. When a plurality of transmitting nodes transmit the recessive and the dominant at exactly the same timing, the dominant is given priority and transmitted. When the format of the received frame is abnormal, the receiving node sends a frame called an error frame. The error frame is to notify the transmitting node and other receiving nodes of the abnormality of the frame by transmitting the dominant 6 bits continuously.

Further, in CAN, there is no identifier indicating a destination or a source, a transmitting node attaches an ID called a message ID to each frame and transmits (that is, sends a signal to a bus), and each receiving node is predetermined. Receive only the message ID (ie read the signal from the bus). Further, the CSMA / CA (Carrier Sense Multiple Access / Collision Avoidance) method is adopted, and when a plurality of nodes are simultaneously transmitted, arbitration is performed by the message ID, and the frame having a small message ID value is preferentially transmitted.

By the way, in the in-vehicle network, an illegal node is connected to the bus, and the illegal node illegally transmits a frame, so that there is a possibility that the vehicle body is illegally controlled. In order to prevent control due to transmission of such an illegal frame, a technique for transmitting by adding a message authentication code (MAC) to a data field in CAN is generally known ("Patent Document 1"). reference).

Japanese Unexamined Patent Publication No. 2013-98719

CAN Specification 2.0 Part A, [online], CAN in Automation (Cia), [Search on November 14, 2014], Internet (URL: http: //www.can-cia.org/fileadmin/cia/ specifications / CAN20A.pdf) RFC2104 HMAC: Keyed-Hashing for Message Authentication

However, since the data length of the MAC that can be stored in the data field in the CAN is not long enough, there is a concern about a brute force attack on the MAC by an unauthorized node connected to the bus.

Therefore, the present invention provides an in-vehicle network system for increasing resistance to a brute force attack against a MAC and appropriately dealing with transmission of an illegal frame. Further, the present invention is to appropriately deal with the fraud detection electronic control unit (fraud detection ECU) used for detecting the transmission of fraudulent frames in the in-vehicle network system, and the transmission of fraudulent frames. Provide fraud countermeasures.

In order to solve the above problems, the fraud countermeasure method according to one aspect of the present invention includes an in-vehicle device including a plurality of electronic control units for sending and receiving data frames to which a message authentication code (MAC) is added in the in-vehicle network. In a network system, this is a fraud countermeasure method used in one of the plurality of electronic control units, which is a data frame in which a data frame transmitted to the in-vehicle network is received and a message authentication code is added. The first message authentication code is generated by using the value of the counter that counts the number of times the is transmitted and the MAC key, and the generated first message authentication code is added to the received data frame. When the verification fails for the data frame including the predetermined ID, the error occurrence count is incremented, and when the error occurrence count exceeds the predetermined threshold, the process associated with the predetermined ID in advance is performed. It is a fraudulent countermeasure method to execute.

According to the present invention, it is possible to increase the resistance to a brute force attack against a MAC and appropriately deal with the transmission of an illegal frame.

It is a figure which shows the whole structure of the vehicle-mounted network system which concerns on Embodiment 1. FIG. It is a figure which shows the format of the data frame specified by the CAN protocol. It is a figure which shows the format of the error frame specified by the CAN protocol. It is a block diagram of a head unit. It is a figure which showed an example of the reception ID list. It is a block diagram of a gateway. It is a figure which showed an example of the forwarding rule. It is a block diagram of the ECU which concerns on Embodiment 1. FIG. It is a figure which showed an example of the reception ID list. It is a figure which shows an example of the ID and the data field in the frame transmitted from the ECU connected to an engine. It is a figure which shows an example of the ID and data fields in the frame transmitted from the ECU connected to a brake. It is a figure which shows an example of the ID and the data field in the frame transmitted from the ECU connected to the door open / close sensor. It is a figure which shows an example of the ID and the data field in the frame transmitted from the ECU connected to the window open / close sensor. It is a block diagram of the fraud detection ECU which concerns on Embodiment 1. FIG. It is a figure which showed an example of the regular ID list held in the fraud detection ECU. It is a figure which showed an example of the regular ID list held in the fraud detection ECU. It is a figure which shows an example of the state of the fraud detection counter for each message ID. It is a sequence diagram which shows the operation example which concerns on the detection and execution prevention of an illegal frame in Embodiment 1. FIG. It is a figure which shows the whole structure of the vehicle-mounted network system which concerns on Embodiment 2. It is a block diagram of the fraud detection ECU which concerns on Embodiment 2. FIG. It is a figure which showed an example of the data range list held in the fraud detection ECU. It is a sequence diagram which shows the operation example which concerns on the detection and execution prevention of an illegal frame in Embodiment 2 (following FIG. 23). It is a sequence diagram which shows the operation example which concerns on the detection and execution prevention of an illegal frame in Embodiment 2 (continuation from FIG. 22). It is a figure which shows the whole structure of the vehicle-mounted network system which concerns on Embodiment 3. It is a block diagram of the ECU which concerns on Embodiment 3. FIG. It is a figure which shows an example of the ID and the data field in the data frame transmitted from the ECU connected to an engine. It is a figure which shows an example of the ID and the data field in the data frame transmitted from the ECU connected to a brake. It is a figure which shows an example of the ID and the data field in the data frame transmitted from the ECU connected to the door open / close sensor. It is a figure which shows an example of the ID and the data field in the data frame transmitted from the ECU connected to the window open / close sensor. It is a block diagram of the fraud detection ECU which concerns on Embodiment 3. FIG. It is a figure which shows an example of the counter value for each message ID held in the counter holding part which concerns on Embodiment 3. FIG. It is a sequence diagram which shows the operation example which concerns on the detection and execution prevention of an illegal frame in Embodiment 3 (following FIG. 33). It is a sequence diagram which shows the operation example which concerns on the detection and execution prevention of an illegal frame in Embodiment 3 (continuation from FIG. 32). It is a figure which shows the whole structure of the vehicle-mounted network system which concerns on Embodiment 4. It is a block diagram of the ECU which concerns on Embodiment 4. FIG. It is a block diagram of the fraud detection ECU which concerns on Embodiment 4. FIG. It is a figure which shows an example of the reception ID list which concerns on Embodiment 4. FIG. It is a figure which shows an example of the update frame which concerns on Embodiment 4. FIG. It is a figure which shows an example of the key table which concerns on Embodiment 4. FIG. It is a figure which shows an example of the counter table which concerns on Embodiment 4. FIG. It is a figure which shows an example of the security condition table which concerns on Embodiment 4. FIG. It is a figure which shows an example of the fraudulent ID list which concerns on Embodiment 4. FIG. It is a sequence diagram which shows the operation example such as the detection of an illegal frame, the update of a MAC key, and the reset of a counter value in Embodiment 4 (following FIG. 44). FIG. 5 is a sequence diagram showing operation examples such as detection of an illegal frame, update of a MAC key, and reset of a counter value in the fourth embodiment (following FIG. 45). It is a sequence diagram which shows the operation example such as the detection of an illegal frame, the update of a MAC key, and the reset of a counter value in Embodiment 4 (continuation from FIG. 44). It is a flowchart which shows the security action processing in Embodiment 4.

The fraud handling method according to one aspect of the present invention is to use a plurality of electronic control units that send and receive data frames to which a message authentication code (MAC) is added via a bus according to a CAN (Controller Area Network) protocol. It is a fraud countermeasure method used in the in-vehicle network system provided, and is a reception step for receiving a data frame transmitted on the bus and data received in the reception step by generating a message authentication code using the data. A verification step for verifying that the message authentication code is added to the frame, and an update processing step for updating the data used for generating the message authentication code when the verification in the verification step fails. It is a fraudulent countermeasure method including. As a result, the data used to generate the MAC (for example, the MAC key) is updated when the MAC is added when transmitting the data frame or when the data frame is received and the MAC is verified, so that an invalid frame is transmitted. It is possible to increase the resistance of the in-vehicle network system to a round-robin attack against MAC by an unauthorized ECU.

Further, the fraud countermeasure method further sets a MAC key update request frame indicating a MAC key update request as data used for generating a message authentication code when the verification in the verification step fails. In the update processing step, the update processing may be performed by updating the MAC key when the MAC key update request frame is transmitted, including a coping step of transmitting via. As a result, for example, when there is a possibility of an attack from an unauthorized ECU, the MAC key can be updated synchronously in each ECU connected to the bus, which can make it difficult to decrypt the MAC.

Further, the message authentication code is generated by reflecting the value of the counter that counts the number of times the data frame to which the message authentication code is transmitted is transmitted, and the fraud countermeasure method further fails the verification in the verification step. In the update processing step, the counter reset request includes a coping step of transmitting a counter reset request frame indicating a counter reset request as data used for generating a message authentication code via the bus. The update process may be performed by resetting the counter when a frame is transmitted. As a result, for example, when there is a possibility of an attack from an illegal ECU, the counter can be reset synchronously in each ECU connected to the bus, which can make it difficult to decrypt the MAC illegally.

Further, the in-vehicle network system includes a plurality of buses, each of the plurality of buses belongs to one of a plurality of types of groups, and the fraud countermeasure method further fails in the verification in the verification step. In this case, the electronic control unit may include a coping step of executing a predetermined process in association with the group to which the bus to which the own unit is connected belongs among the plurality of buses. As a result, when an invalid data frame is transmitted, it is possible to take predetermined measures for each ECU group.

Further, the fraud countermeasure method further executes a process associated with the predetermined message ID in advance when the number of times the verification in the verification step fails for the data frame including the predetermined message ID exceeds the predetermined threshold value. It may include a coping step to be taken. As a result, when the MAC verification fails a certain number of times or more, a predetermined countermeasure can be taken.

Further, the process executed in the coping step may be a control for adding a certain suppression to the function of the vehicle equipped with the in-vehicle network system to bring it into a predetermined specific state. As a result, control is performed to bring the state of the vehicle into a predetermined state when fraud is detected a certain number of times or more, and it is possible to suppress adverse effects caused by, for example, a fraudulent ECU.

Further, in the fraud handling method, when the message ID of the data frame whose transmission is started on the bus is the same as any one or more message IDs indicated by the predetermined fraud ID list, the data frame The process including the fraudulent ID handling process step of transmitting an error frame before the tail is transmitted, and the process executed in the coping step may be the addition of the predetermined message ID to the fraudulent ID list. .. As a result, even if an invalid frame with the same message ID is transmitted again when the MAC verification fails a certain number of times or more, the content can be overwritten with an error frame to suppress the adverse effect of the invalid frame.

Further, the process executed in the coping step may be the recording of the log information indicating the predetermined message ID on the recording medium. This makes it possible to store evidence of fraudulent attacks, for example.

Further, in the generation of the message authentication code, the value of the counter that counts the number of times the data frame to which the message authentication code is transmitted and the MAC key are used, and the fraud countermeasure method further uses the MAC key. When the verification in the verification step using the generated message authentication code fails, and the verification performed again using the message authentication code generated using the MAC key before the update of the MAC key is successful. , A coping step of transmitting a key update frame indicating a MAC key update request via the bus is included, and in the update processing step, the update is performed by updating the MAC key when the key update frame is transmitted. It may be processed. As a result, for example, resetting the counter value can be omitted.

Further, in the generation of the message authentication code, the value of the counter that counts the number of times the data frame to which the message authentication code is transmitted and the MAC key are used, and the fraud countermeasure method further uses the MAC key. When the verification in the verification step using the message authentication code generated in the above fails, the verification performed again using the message authentication code generated by using the MAC key before the update of the MAC key also fails. Occasionally, a coping step of transmitting a counter reset request indicating a counter reset request used for generating a message authentication code via the bus is included, and in the update processing step, when the counter reset frame is transmitted. The update process may be performed by resetting the counter. As a result, the counter value can be reset in a situation where the counter value needs to be reset.

Further, the in-vehicle network system according to one aspect of the present invention is a plurality of electronic controls that send and receive data frames to which a message authentication code (MAC) is added via a bus according to a CAN (Controller Area Network) protocol. An in-vehicle network system including a unit, which has a MAC key holding unit that holds a MAC key used for generating a message authentication code, generates a message authentication code using the MAC key, and adds it to a data frame. It has a first electronic control unit for transmitting the message, and a MAC key holding unit for holding the MAC key used for generating the message authentication code. The message authentication code is generated using the MAC key to generate a data frame. A second electronic control unit that receives and verifies that the message authentication code is added to the data frame is provided, and each of the first electronic control unit and the second electronic control unit further includes the first electronic control unit. (2) This is an in-vehicle network system having a MAC key updating unit that updates the MAC key held in the MAC key holding unit of the own unit when the verification by the electronic control unit fails. As a result, the MAC key is updated, so that in the in-vehicle network system, resistance to a brute force attack against the MAC by an illegal ECU that transmits an illegal frame can be increased.

Further, the fraud detection electronic control unit (fraud detection ECU) according to one aspect of the present invention is a fraud detection electronic control unit in which a plurality of electronic control units communicating according to a CAN (Controller Area Network) protocol are connected to a bus used for communication. A frame transmission / reception unit for receiving a frame from the bus and transmitting the frame to the bus, and a message authentication code (MAC) are added to the frame received by the frame transmission / reception unit. The frame transmission / reception unit includes a rogue MAC detection unit for verifying that, and the frame transmission / reception unit is a MAC key indicating an update request of a MAC key used for generating a message authentication code when the verification by the rogue MAC detection unit fails. A fraud detection electronic control unit that sends update request frames. As a result, the ECU connected to the bus can update the MAC key in synchronization by receiving the MAC key update request frame.

It should be noted that these general or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a recording medium such as a computer-readable CD-ROM, and the system, the method, the integrated circuit, or the computer. It may be realized by any combination of programs or recording media.

Hereinafter, the in-vehicle network system including the fraud detection ECU according to the embodiment will be described with reference to the drawings. Each of the embodiments shown here shows a specific example of the present invention. Therefore, the numerical values, the components, the arrangement and connection form of the components, the steps (processes), the order of the steps, and the like shown in the following embodiments are merely examples and do not limit the present invention. Among the components in the following embodiments, the components not described in the independent claims are components that can be arbitrarily added. Further, each figure is a schematic view and is not necessarily exactly illustrated.

(Embodiment 1)
Hereinafter, as an embodiment of the present invention, an in-vehicle network system 10 including a fraud detection ECU that realizes a fraud handling method for detecting and dealing with a fraudulent frame using a message ID will be described with reference to the drawings.

[1.1 Overall configuration of in-vehicle network system 10]
FIG. 1 is a diagram showing an overall configuration of the vehicle-mounted network system 10 according to the first embodiment. The in-vehicle network system 10 is an example of a network communication system that communicates according to the CAN protocol, and is a network communication system in an automobile equipped with various devices such as a control device and a sensor. The in-vehicle network system 10 includes buses 500a and 500b, and each node connected to the bus such as fraud detection ECUs 100a and 100b, a head unit 200, a gateway 300, and ECUs such as ECUs 400a to 400d connected to various devices. Consists of. Although omitted in FIG. 1, the in-vehicle network system 10 may include a number of ECUs in addition to the ECUs 400a to 400d, but here, the ECUs 400a to 400d will be focused on for convenience. The ECU is, for example, a device including a processor (microprocessor), a digital circuit such as a memory, an analog circuit, a communication circuit, and the like. The memory is a ROM, RAM, or the like, and can store a control program (computer program) executed by the processor. For example, when the processor operates according to a control program (computer program), the ECU realizes various functions. A computer program is configured by combining a plurality of instruction codes indicating instructions to a processor in order to achieve a predetermined function. Here, the description will be made on the premise that there is a possibility that an illegal ECU for transmitting an illegal frame is connected to the buses 500a and 500b.

The fraud detection ECUs 100a and 100b are connected to the bus 500a and the bus 500b, respectively, and are ECUs having a function of determining whether or not the frame transmitted by the ECUs 400a to 400d is invalid and transmitting an error frame if the frame is invalid. is there.

The ECUs 400a to 400d are connected to any of the buses, and are also connected to the engine 401, the brake 402, the door open / close sensor 403, and the window open / close sensor 404, respectively. Each of the ECUs 400a to 400d acquires the state of the connected device (engine 401, etc.) and periodically transmits a frame (data frame, which will be described later) or the like indicating the state to the network (that is, a bus).

The gateway 300 is connected to a bus 500a to which the fraud detection ECU 100a, the ECU 400a and the ECU 400b are connected, a bus 500b to which the fraud detection ECU 100b, the ECU 400c and the ECU 400d are connected, and a bus 500c to which the head unit 200 is connected, and received from each bus. It has a function to transfer the frame to another bus. It is also possible to switch whether to transfer the received frame for each connected bus. The gateway 300 is also a kind of ECU.

The head unit 200 has a function of receiving frames, and has a function of receiving frames transmitted from ECUs 400a to 400d, displaying various states on a display (not shown), and presenting them to the user. The head unit 200 is also a kind of ECU.

In the in-vehicle network system 10, each ECU sends and receives frames according to the CAN protocol. Frames in the CAN protocol include data frames, remote frames, overload frames and error frames. For convenience of explanation, first, a data frame and an error frame will be mainly described.

[1.2 Data frame format]
Hereinafter, a data frame, which is one of the frames used in a network according to the CAN protocol, will be described.

FIG. 2 is a diagram showing a data frame format defined by the CAN protocol. The figure shows a data frame in the standard ID format defined by the CAN protocol. The data frame is a SOF (Start Of Frame), ID field, RTR (Remote Transmission Request), IDE (Identifier Extension), reserved bit "r", DLC (Data Length Code), data field, CRC (Cyclic Redundancy Check) sequence. , CRC delimiter "DEL", ACK (Acknowledgement) slot, ACK delimiter "DEL", and EOF (End Of Frame) fields.

The SOF is composed of 1 bit dominant. The idle state of the bus is recessive, and the SOF changes the bus to dominant to notify the start of frame transmission.

The ID field is a field composed of 11 bits and storing an ID (message ID) which is a value indicating the type of data. When a plurality of nodes start transmission at the same time, a frame having a small ID value is designed to have a high priority in order to perform communication arbitration in this ID field.

The RTR is a value for distinguishing between a data frame and a remote frame, and is composed of a dominant 1 bit in the data frame.

Both IDE and "r" are composed of dominant 1 bit.

The DLC is composed of 4 bits and is a value indicating the length of the data field. The IDE, "r" and DLC are collectively referred to as a control field.

The data field is a value indicating the content of data to be transmitted, which is composed of a maximum of 64 bits. The length can be adjusted in 8-bit units. The specifications of the data to be transmitted are not specified by the CAN protocol, but are specified by the in-vehicle network system 10. Therefore, the specifications depend on the vehicle type, the manufacturer (manufacturer), and the like.

The CRC sequence consists of 15 bits. It is calculated from the transmission values of the SOF, ID field, control field and data field.

The CRC delimiter is a delimiter indicating the end of a CRC sequence composed of 1 bit of recessive. The CRC sequence and CRC delimiter are collectively referred to as a CRC field.

The ACK slot is composed of 1 bit. The transmitting node makes the ACK slot recessive and transmits. The receiving node transmits the ACK slot as a dominant if the CRC sequence is normally received. Since dominant is prioritized over recessive, if the ACK slot is dominant after transmission, the transmitting node can confirm that any receiving node has succeeded in receiving.

The ACK delimiter is a delimiter indicating the end of ACK composed of 1 bit recessive.

The EOF is composed of 7 bits of recessive and indicates the end of the data frame.

[1.3 Error frame format]
FIG. 3 is a diagram showing the format of the error frame defined by the CAN protocol. The error frame is composed of an error flag (primary), an error flag (secondary), and an error delimiter.

The error flag (primary) is used to notify other nodes that an error has occurred. The node that detects the error continuously transmits a 6-bit dominant to notify other nodes of the occurrence of the error. This transmission violates the bit stuffing rule in the CAN protocol (does not transmit the same value more than 6 bits in succession) and causes the transmission of an error frame (secondary) from another node.

The error flag (secondary) consists of consecutive 6-bit dominants used to notify other nodes of the occurrence of an error. All nodes that receive the error flag (primary) and detect a bit stuffing rule violation will send the error flag (secondary).

The error delimiter "DEL" is an 8-bit continuous recessive and indicates the end of the error frame.

[1.4 Configuration of head unit 200]
The head unit 200 is provided on, for example, an instrument panel (instrument panel) of an automobile, and is a display device such as a liquid crystal display (LCD) that displays information to be visually recognized by the driver, and a driver's operation. It is a kind of ECU provided with an input means and the like for receiving.

FIG. 4 is a configuration diagram of the head unit 200. The head unit 200 includes a frame transmission / reception unit 270, a frame interpretation unit 260, a reception ID determination unit 240, a reception ID list holding unit 250, a frame processing unit 220, a display control unit 210, and a frame generation unit 230. Consists of including. Each of these components is a functional component, and each function is realized by a communication circuit in the head unit 200, an LCD, a processor that executes a control program stored in a memory, a digital circuit, or the like.

The frame transmission / reception unit 270 transmits / receives a frame according to the CAN protocol to the bus 500c. Frames are received one bit at a time from the bus 500c and transferred to the frame interpretation unit 260. In addition, the contents of the frame notified by the frame generation unit 230 are transmitted to the bus 500c one bit at a time.

The frame interpretation unit 260 receives the frame value from the frame transmission / reception unit 270 and interprets it so as to map it to each field in the frame format defined by the CAN protocol. The frame interpretation unit 260 transfers the value determined to be the ID field to the reception ID determination unit 240. The frame interpretation unit 260 transfers the value of the ID field and the data field appearing after the ID field to the frame processing unit 220 according to the determination result notified from the reception ID determination unit 240, or determines the determination result. Decide whether to stop receiving the frame (that is, stop interpreting it as the frame) after receiving it. Further, the frame interpretation unit 260 transmits an error frame when it determines that the frame does not conform to the CAN protocol, for example, the CRC value does not match or the item fixed as dominant is recessive. To notify the frame generation unit 230. Further, when the frame interpreting unit 260 receives an error frame, that is, when it interprets that the value in the received frame is an error frame, the frame interpreting unit 260 discards the frame after that, that is, stops interpreting the frame. To do. For example, when an error frame is interpreted from the middle of a data frame, the interpretation of the data frame is stopped, and no special processing is performed according to the data frame.

The reception ID determination unit 240 receives the value of the ID field notified from the frame interpretation unit 260, and receives each field of the frame after the ID field according to the list of message IDs held by the reception ID list holding unit 250. Determine whether or not to do so. The reception ID determination unit 240 notifies the frame interpretation unit 260 of this determination result.

The reception ID list holding unit 250 holds a reception ID list which is a list of IDs (message IDs) received by the head unit 200. FIG. 5 is a diagram showing an example of a reception ID list. The head unit 200 receives a frame (message) having a message ID of "1" from the ECU 400a connected to the engine 401, and receives a frame having a message ID of "2" from the ECU 400b connected to the brake 402. A frame having a message ID of "3" is received from the ECU 400c connected to the door opening / closing sensor 403, and a frame having a message ID of "4" is received from the ECU 400d connected to the window opening / closing sensor 404.

The frame processing unit 220 forms, for example, an image to be displayed on the LCD based on the contents of the received frame (for example, the contents of the message ID and the data field), and notifies the display control unit 210. The frame processing unit 220 holds the contents of the received data field, and an image to be displayed on the LCD (for example, an image for displaying the vehicle speed, a window open / closed state display) according to the operation by the driver received through the input means. You may notify by selecting (such as an image for).

The display control unit 210 displays the content notified by the frame processing unit 220 on the LCD or the like.

The frame generation unit 230 configures an error frame according to the notification instructing the transmission of the error frame from the frame interpretation unit 260, and notifies the frame transmission / reception unit 270 of the error frame to transmit the error frame.

[1.5 Received ID list example 1]
FIG. 5 is a diagram showing an example of a reception ID list held in each of the head unit 200, the gateway 300, the ECU 400c, and the ECU 400d. The reception ID list illustrated in the figure selectively receives frames containing a message ID whose ID (message ID) value is any one of "1", "2", "3", and "4". Used to process. For example, when the reception ID list of FIG. 5 is held in the reception ID list holding unit 250 of the head unit 200, for a frame whose message ID is not any of "1", "2", "3", and "4". Is stopped from interpreting the frame after the ID field by the frame interpreting unit 260.

[1.6 Gateway 300 Configuration]
FIG. 6 is a configuration diagram of the gateway 300. The gateway 300 includes a frame transmission / reception unit 360, a frame interpretation unit 350, a reception ID determination unit 330, a reception ID list holding unit 340, a frame generation unit 320, a transfer processing unit 310, and a transfer rule holding unit 370. Consists of including. Each of these components is a functional component, and each function is realized by a communication circuit in the gateway 300, a processor that executes a control program stored in a memory, a digital circuit, or the like.

The frame transmission / reception unit 360 transmits / receives a frame according to the CAN protocol to each of the buses 500a, 500b, and 500c. Each frame is received from the bus one bit at a time and transferred to the frame interpreting unit 350. Further, based on the bus information indicating the transfer destination bus notified by the frame generation unit 320 and the frame, the contents of the frame are transmitted to the buses 500a, 500b, and 500c one bit at a time.

The frame interpretation unit 350 receives the frame value from the frame transmission / reception unit 360 and interprets it so as to map it to each field in the frame format defined by the CAN protocol. The value determined to be the ID field is transferred to the reception ID determination unit 330. The frame interpretation unit 350 transfers the value of the ID field and the data field (data) appearing after the ID field to the transfer processing unit 310 according to the determination result notified from the reception ID determination unit 330, or the frame interpretation unit 350 thereof. After receiving the determination result, it is determined whether to stop the reception of the frame (that is, stop the interpretation as the frame). Further, when the frame interpretation unit 350 determines that the frame does not conform to the CAN protocol, the frame interpretation unit 350 notifies the frame generation unit 320 to transmit an error frame. Further, when the frame interpreting unit 350 receives an error frame, that is, when it interprets that the value in the received frame is an error frame, the frame interpreting unit 350 discards the frame after that, that is, stops interpreting the frame. To do.

The reception ID determination unit 330 receives the value of the ID field notified from the frame interpretation unit 350, and receives each field of the frame after the ID field according to the list of message IDs held by the reception ID list holding unit 340. Determine whether or not to do so. The reception ID determination unit 330 notifies the frame interpretation unit 350 of this determination result.

The reception ID list holding unit 340 holds a reception ID list (see FIG. 5), which is a list of IDs (message IDs) received by the gateway 300.

The transfer processing unit 310 determines the bus to be transferred according to the message ID of the received frame according to the transfer rule held by the transfer rule holding unit 370, and is notified by the bus information indicating the bus to be transferred and the frame interpretation unit 350. The message ID and the data are notified to the frame generation unit 320. The gateway 300 does not transfer the error frame received from one bus to another bus.

The forwarding rule holding unit 370 holds a forwarding rule which is information representing a rule for forwarding a frame for each bus. FIG. 7 is a diagram showing an example of a forwarding rule.

The frame generation unit 320 configures an error frame according to the notification instructing the transmission of the error frame notified from the frame interpretation unit 350, and notifies the frame transmission / reception unit 360 of the error frame to transmit the error frame. Further, the frame generation unit 320 configures a frame by using the message ID and data notified by the transfer processing unit 310, and notifies the frame and bus information to the frame transmission / reception unit 360.

[1.7 Example of forwarding rule]
FIG. 7 shows an example of the forwarding rule held by the gateway 300. In this transfer rule, the transfer source bus, the transfer destination bus, and the transfer target ID (message ID) are associated with each other. “*” In FIG. 7 indicates that the frame is transferred regardless of the message ID. Further, "-" in the figure indicates that there is no frame to be transferred. The example in the figure shows that the frame received from the bus 500a is set to be forwarded to the bus 500b and the bus 500c regardless of the message ID. Further, among the frames received from the bus 500b, all the frames are transferred to the bus 500c, but only the frames having the message ID "3" are set to be transferred to the bus 500a. Shown. Further, it is shown that the frame received from the bus 500c is set so as not to be transferred to either the bus 500a or the bus 500b.

[1.8 Configuration of ECU 400a]
FIG. 8 is a configuration diagram of the ECU 400a. The ECU 400a includes a frame transmission / reception unit 460, a frame interpretation unit 450, a reception ID determination unit 430, a reception ID list holding unit 440, a frame processing unit 410, a frame generation unit 420, and a data acquisition unit 470. It is composed. Each of these components is a functional component, and each function is realized by a communication circuit in the ECU 400a, a processor that executes a control program stored in a memory, a digital circuit, or the like.

The frame transmission / reception unit 460 transmits / receives a frame according to the CAN protocol to the bus 500a. Frames are received one bit at a time from the bus 500a and transferred to the frame interpreting unit 450. Further, the content of the frame notified by the frame generation unit 420 is transmitted to the bus 500a.

The frame interpretation unit 450 receives the frame value from the frame transmission / reception unit 460 and interprets it so as to map it to each field in the frame format defined by the CAN protocol. The value determined to be the ID field is transferred to the reception ID determination unit 430. The frame interpretation unit 450 transfers the value of the ID field and the data field appearing after the ID field to the frame processing unit 410 according to the determination result notified from the reception ID determination unit 430, or determines the determination result. Decide whether to stop receiving the frame (that is, stop interpreting it as the frame) after receiving it. Further, when the frame interpretation unit 450 determines that the frame does not conform to the CAN protocol, the frame interpretation unit 450 notifies the frame generation unit 420 to transmit an error frame. Further, when the frame interpreting unit 450 receives an error frame, that is, when it interprets that the value in the received frame is an error frame, the frame interpreting unit 450 discards the frame after that, that is, stops interpreting the frame. To do.

The reception ID determination unit 430 receives the value of the ID field notified from the frame interpretation unit 450, and receives each field of the frame after the ID field according to the list of message IDs held by the reception ID list holding unit 440. Determine whether or not to do so. The reception ID determination unit 430 notifies the frame interpretation unit 450 of this determination result.

The reception ID list holding unit 440 holds a reception ID list which is a list of IDs (message IDs) received by the ECU 400a. FIG. 9 is a diagram showing an example of a reception ID list.

The frame processing unit 410 performs processing related to a function different for each ECU according to the received frame data. For example, the ECU 400a connected to the engine 401 has a function of sounding an alarm when the door is open when the speed exceeds 30 km / h. The ECU 400a has, for example, a speaker for sounding an alarm sound. Then, the frame processing unit 410 of the ECU 400a manages data received from another ECU (for example, information indicating the state of the door), and sounds an alarm sound under certain conditions based on the speed acquired from the engine 401, etc. I do.

The data acquisition unit 470 acquires data indicating the state of the device, the sensor, etc. connected to the ECU, and notifies the frame generation unit 420 of the data.

The frame generation unit 420 configures an error frame according to the notification instructing the transmission of the error frame notified from the frame interpretation unit 450, and notifies the frame transmission / reception unit 460 of the error frame to transmit the error frame. Further, the frame generation unit 420 constructs a frame by adding a predetermined message ID to the value of the data notified by the data acquisition unit 470, and notifies the frame transmission / reception unit 460.

The ECUs 400b to 400d also have basically the same configuration as the above-mentioned ECU 400a. However, the received ID list held in the received ID list holding unit 440 may have different contents for each ECU. The ECU 400b holds the reception ID list illustrated in FIG. 9, and the ECU 400c and the ECU 400d hold the reception ID list illustrated in FIG. Further, the processing content of the frame processing unit 410 is different for each ECU. For example, the processing content of the frame processing unit 410 in the ECU 400c includes a processing related to a function of sounding an alarm sound when the door is opened in a state where the brake is not applied. For example, the frame processing unit 410 in the ECU 400b and the ECU 400d does not perform any special processing. In addition, each ECU may have a function other than those illustrated here. The contents of the frames transmitted by each of the ECUs 400a to 400d will be described later with reference to FIGS. 10 to 13.

[1.9 Received ID list example 2]
FIG. 9 is a diagram showing an example of a reception ID list held in each of the ECU 400a and the ECU 400b. The reception ID list illustrated in the figure is for selectively receiving and processing a frame containing a message ID whose ID (message ID) value is any one of "1", "2", and "3". Used. For example, when the reception ID list of FIG. 9 is held in the reception ID list holding unit 440 of the ECU 400a, the frame interpretation unit 450 is used for a frame whose message ID is not any of "1", "2", and "3". Interpretation of frames after the ID field in is stopped.

[Example of transmission frame of ECU 400a related to 1.10 engine]
FIG. 10 is a diagram showing an example of an ID (message ID) and a data field (data) in a frame transmitted from the ECU 400a connected to the engine 401. The message ID of the frame transmitted by the ECU 400a is "1". The data represents the speed (km / hour), takes a value in the range of a minimum of 0 (km / hour) to a maximum of 180 (km / hour), and has a data length of 1 byte. From the upper row to the lower row of FIG. 10, each message ID and data corresponding to each frame sequentially transmitted from the ECU 400a are illustrated, and the state of acceleration from 0 km / hour to 1 km / hour is shown.

[1.11 Example of transmission frame of ECU 400b related to brake]
FIG. 11 is a diagram showing an example of an ID (message ID) and a data field (data) in a frame transmitted from the ECU 400b connected to the brake 402. The message ID of the frame transmitted by the ECU 400b is "2". The data represents the degree of braking as a percentage (%), and the data length is 1 byte. This ratio is 0 (%) when the brake is not applied at all and 100 (%) when the brake is applied to the maximum. From the upper row to the lower row of FIG. 11, each message ID and data corresponding to each frame sequentially transmitted from the ECU 400b are illustrated, and the state in which the brake is gradually weakened from 100% is shown.

[1.12 Example of transmission frame of ECU 400c related to door open / close sensor]
FIG. 12 is a diagram showing an example of an ID (message ID) and a data field (data) in a frame transmitted from the ECU 400c connected to the door open / close sensor 403. The message ID of the frame transmitted by the ECU 400c is "3". The data represents the open / closed state of the door, and the data length is 1 byte. The value of the data is "1" when the door is open and "0" when the door is closed. From the upper row to the lower row in FIG. 12, each message ID and data corresponding to each frame sequentially transmitted from the ECU 400c are illustrated, and the state in which the door is gradually closed from the open state is shown. ing.

[1.13 Example of transmission frame of ECU 400d related to window open / close sensor]
FIG. 13 is a diagram showing an example of an ID (message ID) and a data field (data) in a frame transmitted from the ECU 400d connected to the window opening / closing sensor 404. The message ID of the frame transmitted by the ECU 400d is "4". The data represents the open / closed state of the window as a percentage (%), and the data length is 1 byte. This ratio is 0 (%) when the window is completely closed and 100 (%) when the window is fully open. From the upper row to the lower row of FIG. 13, each message ID and data corresponding to each frame sequentially transmitted from the ECU 400d are illustrated, and the state in which the window is gradually opened from the closed state is shown.

[1.14 Configuration of fraud detection ECU 100a]
FIG. 14 is a configuration diagram of the fraud detection ECU 100a. The fraud detection ECU 100a includes a frame transmission / reception unit 160, a frame interpretation unit 150, a fraud frame detection unit 130, a regular ID list holding unit 120, a fraud detection counter holding unit 110, and a frame generation unit 140. To. Each of these components is a functional component, and each function is realized by a communication circuit in the fraud detection ECU 100a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The fraud detection ECU 100b basically has the same configuration, but the content of the list information (regular ID list) held by the regular ID list holding unit 120 is different between the fraud detection ECU 100a and the fraud detection ECU 100b.

The frame transmission / reception unit 160 transmits / receives a frame according to the CAN protocol to the bus 500a. That is, the frame transmission / reception unit 160 functions as a so-called receiving unit that receives a frame when transmission of a frame on the bus is started, and also functions as a so-called transmission unit that transmits an error frame or the like to the bus. That is, the frame transmission / reception unit 160 receives frames one bit at a time from the bus 500a and transfers them to the frame interpretation unit 150. Further, the content of the frame notified by the frame generation unit 140 is transmitted to the bus 500a.

The frame interpretation unit 150 receives the frame value from the frame transmission / reception unit 160 and interprets it so as to map it to each field in the frame format defined by the CAN protocol. The value determined to be the ID field is transferred to the fraudulent frame detection unit 130. Further, when the frame interpretation unit 150 determines that the frame does not conform to the CAN protocol, the frame interpretation unit 150 notifies the frame generation unit 140 to transmit an error frame. Further, when the frame interpreting unit 150 receives an error frame, that is, interprets that the value in the received frame is an error frame, the frame interpreting unit 150 discards the frame after that, that is, stops interpreting the frame. To do.

The fraudulent frame detection unit 130 receives the value of the ID field notified from the frame interpretation unit 150, and determines whether or not the value of the ID field corresponds to a predetermined condition indicating fraud. That is, the fraudulent frame detection unit 130 functions as a so-called determination unit for determining whether or not the content of the predetermined field in the received frame corresponds to a predetermined condition indicating fraud. The predetermined condition indicating this fraud is that the value of the ID field is not included in the list of message IDs held by the regular ID list holding unit 120. That is, it is determined whether or not the value (message ID) of the notified ID field is invalid according to the list of message IDs held by the regular ID list holding unit 120. When a message ID not included in this list (that is, a regular ID list described later) is received, the received message ID is notified to the fraud detection counter holding unit 110 in order to increment the number of fraud detections. Further, when a message ID not listed in the regular ID list is received, the frame generation unit 140 is notified to send an error frame. Further, when the number of fraud detections reaches a certain number or more, an error display message (frame) indicating that there is a fraudulent ECU that receives a notification from the fraud detection counter holding unit 110 and issues the corresponding message ID is displayed. Notify the frame generation unit 140 to transmit. The message ID of the error display message is predetermined, and the head unit 200 receives the message (frame) of this message ID to display the error. Although the description of this error display message has been omitted for convenience, the message ID of the error display message is posted in the reception ID list held by the gateway 300 and the head unit 200, and in the regular ID list described later. However, in FIGS. 15 and 16, the message ID for the error display message is omitted.

The regular ID list holding unit 120 holds a regular ID list, which is a list in which message IDs included in a frame to be transmitted on the bus 500a in the vehicle-mounted network system 10 are defined in advance (see FIGS. 15 and 16). ..

The fraud detection counter holding unit 110 holds a fraud detection counter for counting the number of detections for each message ID, and when the message ID is notified from the fraud frame detection unit 130, the corresponding fraud detection counter is incremented ( To increase. When the fraud detection counter reaches a certain number (predetermined number of times) or more, the fraud frame detection unit 130 is notified that the number has exceeded a certain number. An example of a fixed number (predetermined number of times) referred to here is a value determined in accordance with the handling rules of the transmission error counter in the CAN protocol. In the CAN protocol, the transmission error counter counts up by 8 each time the ECU blocks transmission due to an error frame. Then, as a result of this, if the transmission error counter in the transmission node counts up to 128, the transmission node transitions to the passive state and is not specified to transmit frames. Therefore, if 17 larger than 128/8 (= 16) is set as this fixed number, it is illegal when the existence of a transmission node (illegal ECU) that ignores the rules related to the transmission error counter in the CAN protocol is estimated. An error display message will be transmitted from the detection ECU 100a. If the illegal ECU that transmits the illegal frame complies with the rules related to the transmission error counter in the CAN protocol, the transmission error counter of the illegal ECU will be increased by the transmission of the error frame by the fraud detection ECU 100a. It is incremented by 8. In this case, when the transmission error counter of the illegal ECU rises to 128 by repeating the transmission of the illegal frame, the illegal ECU transitions to the passive state, and the transmission of the illegal frame by the illegal ECU is stopped. ..

The frame generation unit 140 configures an error frame according to the notification instructing the transmission of the error frame notified from the frame interpretation unit 150, and notifies the frame transmission / reception unit 160 of the error frame and causes the frame transmission / reception unit 160 to transmit the error frame. Further, the frame generation unit 140 configures an error frame according to the notification instructing the transmission of the error frame notified from the fraudulent frame detection unit 130, and notifies the frame transmission / reception unit 160 of the error frame to transmit the error frame. Further, the frame generation unit 140 notifies the frame transmission / reception unit 160 of the error display message and transmits the error display message in accordance with the notification instructing the transmission of the error display message notified from the fraudulent frame detection unit 130.

[1.15 Example of regular ID list of fraud detection ECU 100a]
FIG. 15 is a diagram showing an example of a regular ID list held in the regular ID list holding unit 120 of the fraud detection ECU 100a. The regular ID list illustrated in the figure shows that a frame containing a message ID whose ID (message ID) value is any one of "1", "2", and "3" can flow to the bus 500a. ..

[1.16 Example of regular ID list of fraud detection ECU 100b]
FIG. 16 is a diagram showing an example of a regular ID list held in the regular ID list holding unit 120 of the fraud detection ECU 100b. In the regular ID list illustrated in the figure, a frame containing a message ID whose ID (message ID) value is any one of "1", "2", "3", and "4" can flow to the bus 500b. Is shown.

[1.17 Fraud detection counter save list example]
FIG. 17 is a diagram showing an example of the state of the fraud detection counter for each message ID. The example in the figure shows that only the fraud detection counter whose message ID is "4" has detected fraud once, and the other message IDs have never detected it. That is, in this example, the fraud detection ECU 100a detects that the message (frame) of the message ID "4" that should not originally flow to the bus 500a has been transmitted once, and the fraud detection counter corresponding to the corresponding message ID "4". Is incremented by 1.

[1.18 Sequence related to detection of illegal frames]
Hereinafter, the operations of the fraud detection ECU 100a, ECU 400a, ECU 400b, gateway 300, etc. connected to the bus 500a will be described when a fraudulent ECU is connected to the bus 500a of the vehicle-mounted network system 10 having the above configuration.

FIG. 18 is a sequence diagram showing an operation example in which the fraud detection ECU 100a detects a fraudulent frame (message) and prevents another ECU from performing a process corresponding to the fraudulent frame. The figure shows an example in which an unauthorized ECU transmits a data frame having a message ID of “4” and a data field (data) of “255 (0xFF)” to the bus 500a. Each sequence here means each processing procedure (step) in various devices.

First, the unauthorized ECU starts transmitting a data frame having a message ID of "4" and data of "255 (0xFF)" (sequence S1001). The value of each bit constituting the frame is sequentially transmitted onto the bus 500a in the order of SOF, ID field (message ID), etc. according to the above-mentioned data frame format.

When the fraudulent ECU finishes sending the ID field (message ID) to the bus 500a, the fraud detection ECU 100a, the ECU 400a, the ECU 400b, and the gateway 300 each receive the message ID (sequence S1002).

Each of the ECU 400a, the ECU 400b, and the gateway 300 checks the message ID using the received reception ID list held (sequence S1003). At this time, the fraud detection ECU 100a checks the message ID using the held regular ID list (sequence S1004). That is, the fraud detection ECU 100a determines whether or not the content of the ID field in the transmitted frame corresponds to a predetermined condition indicating fraud (not listed in the regular ID list).

In the sequence S1003, the ECU 400a and the ECU 400b end the reception because "4" is not included in the reception ID list held by each of the ECU 400a and the ECU 400b (see FIG. 9). That is, the illegal ECU does not interpret the frame in which the transmission is continued and does not perform the processing corresponding to the frame. Further, in the sequence S1003, the gateway 300 continues reception because "4" is included in the received reception ID list held (see FIG. 5). Further, in the sequence S1004, the fraud detection ECU 100a determines that the message ID is invalid because "4" is not included in the held regular ID list, and subsequently starts the preparation for issuing the error frame (the error frame issuance preparation is started). Sequence S1005).

Following the sequence S1003, the gateway 300 continues to receive frames. For example, while the fraud detection ECU 100a is preparing to issue an error frame, the fraudulent ECU sequentially sends RTRs and control fields (IDE, r, DLC), which are parts after the ID field, onto the bus 500a. Then, the data field is sequentially transmitted bit by bit. The gateway 300 receives the RTR and control fields (IDE, r, DLC), and then starts receiving data fields (sequence S1006).

Next, the preparation for issuing the error frame is completed, and the fraud detection ECU 100a transmits the error frame (sequence S1007). This error frame is transmitted before the end of the invalid frame is transmitted (for example, before the end of the CRC sequence is transmitted). In this operation example, it is performed in the middle of the data field. When the transmission of this error frame is started, in the bus 500a, the middle part of the data field of the frame being transmitted from the illegal ECU is overwritten by the error frame (priority dominant bit string).

The gateway 300 that has received the error frame transmitted in the sequence S1007 stops receiving the frame transmitted by the invalid ECU during the reception of the data field (sequence S1008). That is, since the data field from the illegal ECU is overwritten by the error frame and the gateway 300 detects the error frame, the gateway 300 does not continue to receive the frame transmitted by the illegal ECU.

The fraud detection ECU 100a increments the fraud detection counter corresponding to the message ID “4” of the data frame to which the error frame is transmitted (sequence S1009).

When the fraud detection counter corresponding to the message ID "4" becomes 17 or more as a result of the increment, the fraud detection ECU 100a transmits a frame (error display message) for notifying the error display so as to be received by the head unit 200. (Sequence S1010). As a result, the frame processing unit 220 of the head unit 200 performs processing for displaying an error, and the error is notified via the LCD or the like. In addition to the display on the LCD or the like, the error notification may be by voice output, light emission, or the like.

[Effect of 1.19 Embodiment 1]
The fraud detection ECU shown in the first embodiment determines whether or not the transmitted frame (data frame) is a fraudulent frame by using a regular ID list for the ID field of the frame. As a result, fraud can be determined by the ID field in the data frame, so that the fraud detection ECU and the ECU other than the fraud ECU interpret the fraudulent frame and execute the process corresponding to the frame. Can be blocked. Further, since the determination can be made only by receiving the ID field following the SOF at the beginning of the data frame, it is possible to suppress the bus traffic as compared with the case of receiving the rear part of the data frame and making the determination.

Further, the fraud detection ECU counts the number of times the error frame is transmitted by using the fraud detection counter, so that the transmission error counter in the node that transmits the fraudulent message ID by receiving the error frame is in a passive state if it follows the CAN protocol. It can be detected that the upper limit value to be transitioned to is reached. This makes it possible to determine whether or not the node that transmits the invalid message ID complies with the specifications of the error counter of the CAN protocol.

Further, by limiting the node that determines the fraudulent frame to the fraud detection ECU only, the influence on the existing network configuration can be minimized, and the processing amount and power consumption of the entire system can be suppressed. ..

(Embodiment 2)
Hereinafter, as an embodiment of the present invention, a fraudulent countermeasure method for preventing processing based on a fraudulent frame from being executed on another node (ECU) based on a data range allowed for each message ID will be provided. The in-vehicle network system 11 including the fraud detection ECU to be realized will be described.

[2.1 Overall configuration of in-vehicle network system 11]
FIG. 19 is a diagram showing an overall configuration of the vehicle-mounted network system 11 according to the second embodiment. The in-vehicle network system 11 is a modification of a part of the in-vehicle network system 10 shown in the first embodiment. The in-vehicle network system 11 includes buses 500a and 500b, and each node connected to the bus such as fraud detection ECUs 2100a and 2100b, a head unit 200, a gateway 300, and ECUs such as ECUs 400a to 400d connected to various devices. Consists of. Among the components of the in-vehicle network system 11, the components having the same functions as those in the first embodiment are designated by the same reference numerals, and the description thereof will be omitted.

The fraud detection ECUs 2100a and 2100b are ECUs that are connected to the bus 500a and the bus 500b, respectively, and have a function of determining whether or not the frames transmitted by the ECUs 400a to 400d are invalid, and if they are invalid, transmitting an error frame. is there.

[2.2 Configuration of fraud detection ECU 2100a]
FIG. 20 is a configuration diagram of the fraud detection ECU 2100a. The fraud detection ECU 2100a includes a frame transmission / reception unit 160, a frame interpretation unit 2150, a fraud frame detection unit 2130, a data range list holding unit 2120, a fraud detection counter holding unit 110, and a frame generation unit 140. To. Each of these components is a functional component, and each function is realized by a communication circuit in the fraud detection ECU 2100a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The fraud detection ECU 2100a is a modification of a part of the fraud detection ECU 100a shown in the first embodiment, and components having the same functions as those of the first embodiment are designated by the same reference numerals and the description thereof will be omitted. The fraud detection ECU 2100b also has the same configuration as the fraud detection ECU 2100a.

The frame interpretation unit 2150 is a modification of the frame interpretation unit 150 shown in the first embodiment, receives a frame value from the frame transmission / reception unit 160, and maps it to each field in the frame format specified by the CAN protocol. Interpret as. When it is determined that the frame is a data frame, the value (data) determined to be a data field is transferred to the fraudulent frame detection unit 2130 together with the ID (message ID) of the ID field. Further, when the frame interpretation unit 2150 determines that the frame does not conform to the CAN protocol, the frame interpretation unit 2150 notifies the frame generation unit 140 to transmit an error frame. Further, when the frame interpreting unit 2150 receives an error frame, that is, when it interprets that the value in the received frame is an error frame, the frame interpreting unit 2150 discards the frame after that, that is, stops interpreting the frame. To do.

The fraudulent frame detection unit 2130 is a modification of the fraudulent frame detection unit 130 shown in the first embodiment, and receives the message ID notified from the frame interpretation unit 2150 and the value (data) of the data field, and these It is determined whether or not the value corresponds to a predetermined condition indicating invalidity. That is, the fraudulent frame detection unit 2130 functions as a so-called determination unit for determining whether or not the content of the predetermined field in the received frame corresponds to a predetermined condition indicating fraud. The predetermined condition indicating this fraud is a condition that the data does not fall into the data range listed in the data range list held by the data range list holding unit 2120 in association with the message ID. The fraudulent frame detection unit 2130 determines whether or not the data range list is fraudulent according to a data range list that defines the data range for each message ID held in the data range list holding unit 2120. When the fraud frame detection unit 2130 receives data outside the range indicated in the data range list, the fraud frame detection unit 2130 notifies the fraud detection counter holding unit 110 of the received message ID in order to increment the number of fraud detections. When the number of times of detection of this fraud reaches a certain number of times or more, the control for transmitting the error display message so as to be received by the head unit 200 is as described in the first embodiment. The explanation is omitted. Further, when data other than the range indicated by the data range list is received, the frame generation unit 140 is notified to transmit an error frame.

The data range list holding unit 2120 holds a data range list which is a list in which an allowable range is predetermined for data (value of a data field) included in a data frame transmitted on a bus in the in-vehicle network system 11 ( (See FIG. 21).

[2.3 Data range list example]
FIG. 21 is a diagram showing an example of a data range list held in the data range list holding unit 2120 of the fraud detection ECU 2100a. This data range list associates each ID (message ID) with a data range that is allowed as a value (data) of a data field in the data frame of the message ID. In the example of FIG. 21, the data range is "0 to 180" for the data frame having the message ID "1", and the data range "0 to 100" is used for the data frame having the message ID "2" or "4". For the data frame whose message ID is "3", the data range "0, 1" is set to normal.

[2.4 Sequence related to detection of illegal frames]
Hereinafter, the operations of the fraud detection ECU 2100a, ECU 400a, ECU 400b, gateway 300, etc. connected to the bus 500a will be described when a fraudulent ECU is connected to the bus 500a of the vehicle-mounted network system 11 having the above configuration.

22 and 23 are sequence diagrams showing an operation example in which the fraud detection ECU 2100a detects a fraudulent frame (message) and prevents another ECU from performing a process corresponding to the fraudulent frame. In FIGS. 22 and 23, as in the case of FIG. 18 shown in the first embodiment, an unauthorized ECU indicates that the message ID is “4” and the data field (data) is “255 (0xFF)” on the bus 500a. An example of transmitting a data frame is shown. The same sequences as those shown in the first embodiment are designated by the same reference numerals, and the description thereof will be simplified here.

First, the illegal ECU starts transmitting an illegal data frame (sequence S1001). The fraud detection ECU 2100a, ECU 400a, ECU 400b and gateway 300 each receive a message ID (sequence S1002). Each of the ECU 400a, the ECU 400b, and the gateway 300 checks the message ID using the received reception ID list held (sequence S1003). Since "4" is not included in the reception ID list held by each of the ECU 400a and the ECU 400b (see FIG. 9), the reception is terminated. Since the gateway 300 includes "4" in the received reception ID list held (see FIG. 5), the gateway 300 continues the reception and receives the data field (sequence S1006a). Similarly, the fraud detection ECU 2100a also receives the data field (sequence S1006a).

Following the sequence S1006a, the fraud detection ECU 2100a checks the data in the data field using the data range list (see FIG. 21) (sequence S2001). That is, the fraud detection ECU 2100a determines whether or not the content of the ID field in the transmitted frame corresponds to a predetermined condition indicating fraud (not within the range of data described in the data range list). The fraud detection ECU 2100a determines that the data frame is invalid because the value of "255 (0xFF)" corresponding to the ID "4" is not described in the data range list, and then starts preparing for issuing an error frame. (Sequence S1005).

While the fraud detection ECU 2100a is preparing to issue an error frame, a CRC field (CRC sequence and CRC delimiter), which is a part after the data field, is sequentially transmitted bit by bit from the fraudulent ECU on the bus 500a. .. The gateway 300 starts receiving this CRC field (sequence S2002).

Next, the preparation for issuing the error frame is completed, and the fraud detection ECU 2100a transmits the error frame (sequence S1007). When the transmission of the error frame is started, in the bus 500a, the middle part of the CRC sequence of the frame being transmitted from the invalid ECU is overwritten by the error frame (priority dominant bit string).

The gateway 300 that has received the error frame transmitted in the sequence S1007 stops receiving the data frame transmitted by the invalid ECU during the reception of the CRC field including the CRC sequence (sequence S2003). That is, the gateway 300 does not continue to receive the data frame transmitted by the illegal ECU because the CRC sequence from the illegal ECU is overwritten with the error frame and the error frame is detected.

The fraud detection ECU 2100a increments the fraud detection counter corresponding to the ID “4” of the data frame to which the error frame is transmitted (sequence S1009). When the fraud detection counter corresponding to the ID "4" becomes 17 or more as a result of the increment, the fraud detection ECU 2100a transmits an error display message (sequence S1010).

[2.5 Effect of Embodiment 2]
The fraud detection ECU shown in the second embodiment determines whether or not the transmitted frame is a fraudulent frame by using a data range list for the ID field and the data field of the frame (data frame). As a result, fraud can be determined by the combination of the ID field and the data field in the data frame, so that the fraudulent frame is interpreted by the existing ECU (that is, the fraud detection ECU and the ECU other than the fraudulent ECU) and corresponds to the frame. It is possible to prevent the process from being executed. Further, since the judgment can be made only by receiving the data field of the data frame, it is possible to suppress the bus traffic as compared with the case where the judgment is made by receiving the rear part of the data frame.

Further, the fraud detection ECU counts the number of times the error frame is transmitted by using the fraud detection counter, so that the transmission error counter in the node that transmits the fraudulent message ID by receiving the error frame is in a passive state if it follows the CAN protocol. It can be detected that the upper limit value to be transitioned to is reached. This makes it possible to determine whether or not the node that transmits the invalid message ID complies with the specifications of the error counter of the CAN protocol.

Further, by limiting the node that determines the fraudulent frame to the fraud detection ECU only, the influence on the existing network configuration can be minimized, and the processing amount and power consumption of the entire system can be suppressed. ..

(Embodiment 3)
Hereinafter, as an embodiment of the present invention, a process based on an invalid frame is executed on another node (ECU) using a message authentication code (MAC) calculated from a message ID, data, and a counter value. An in-vehicle network system 12 including a fraud detection ECU that realizes a fraud countermeasure method for preventing fraud will be described.

[3.1 Overall configuration of in-vehicle network system 12]
FIG. 24 is a diagram showing the overall configuration of the vehicle-mounted network system 12 according to the third embodiment. The in-vehicle network system 12 is a modification of a part of the in-vehicle network system 10 shown in the first embodiment. The in-vehicle network system 12 includes buses 500a and 500b, and each node connected to a bus such as fraud detection ECUs 3100a and 3100b, a head unit 200, a gateway 300, and ECUs such as ECUs 3400a to 3400d connected to various devices. Consists of. Among the components of the in-vehicle network system 12, the components having the same functions as those in the first embodiment are designated by the same reference numerals and the description thereof will be omitted.

The fraud detection ECUs 3100a and 3100b are ECUs that are connected to the bus 500a and the bus 500b, respectively, and have a function of determining whether or not the frame transmitted by the ECUs 3400a to 3400d is invalid, and if it is invalid, transmitting an error frame. is there.

The ECUs 3400a to 3400d are connected to any of the buses, and are also connected to the engine 401, the brake 402, the door open / close sensor 403, and the window open / close sensor 404, respectively. Each of the ECUs 3400a to 3400d acquires the state of the connected device (engine 401, etc.) and periodically transmits a data frame indicating the state to the network (that is, the bus). A message authentication code (MAC) derived by calculation from a message ID, a data value, and a counter value that is incremented for each transmission is assigned to the data field of the transmitted data frame.

[3.2 Configuration of ECU 3400a]
FIG. 25 is a configuration diagram of the ECU 3400a. The ECU 3400a includes a frame transmission / reception unit 460, a frame interpretation unit 450, a reception ID determination unit 430, a reception ID list holding unit 440, a frame processing unit 410, a frame generation unit 3420, a data acquisition unit 470, and a MAC generation. A unit 3410, a MAC key holding unit 3430, and a counter holding unit 3440 are included. Each of these components is a functional component, and each function is realized by a communication circuit in the ECU 3400a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The ECU 3400a is a modification of a part of the ECU 400a shown in the first embodiment, and components having the same functions as those of the first embodiment are designated by the same reference numerals and the description thereof will be omitted.

The frame generation unit 3420 is a modification of a part of the frame generation unit 420 shown in the first embodiment. The frame generation unit 3420 configures an error frame according to the notification instructing the transmission of the error frame notified from the frame interpretation unit 450, and notifies the frame transmission / reception unit 460 of the error frame to transmit the error frame. Further, the frame generation unit 3420 notifies the MAC generation unit 3410 of the value of the data notified from the data acquisition unit 470 and the predetermined message ID, and receives the calculated MAC. The frame generation unit 3420 configures a frame so as to include a predetermined message ID, a data value notified from the data acquisition unit 470, and a MAC received from the MAC generation unit 3410 (see FIG. 26), and sends and receives frames. Notify department 460.

The MAC generation unit 3410 holds the message ID and data values notified by the frame generation unit 3420 and the counter value held by the counter holding unit 3440 in the MAC key holding unit 3430 with respect to the combined value (combined value). The MAC is calculated (derived by calculation) using the MAC key to be used, and the MAC resulting from the calculation is notified to the frame generation unit 3420. Here, HMAC (Hash-based Message Authentication Code) (see Non-Patent Document 2) is adopted as the MAC calculation method, and the MAC key is a value padded up to a predetermined block (for example, 4 bytes) with respect to the above-mentioned combined value. Is calculated using, and the first 4 bytes of the calculated result is MAC. Here, as the coupling value used for calculating the MAC, the message ID, the data value, and the counter value held by the counter holding unit 3440 are used, but any one of these three is used. Alternatively, the MAC may be calculated using a combination of the two.

The MAC key holding unit 3430 holds the MAC key required for calculating the MAC.

The counter holding unit 3440 holds a counter value required for calculating the MAC. The counter value is incremented each time the data frame is normally transmitted in the frame transmission / reception unit 460.

Each of the ECUs 3400b to 3400d is a modification of a part of the ECUs 400b to 400d shown in the first embodiment, and has basically the same configuration as the above-mentioned ECU 3400a. However, the received ID list held in the received ID list holding unit 440 may have different contents for each ECU. For example, the ECU 3400a and the ECU 3400b hold the reception ID list illustrated in FIG. 9, and the ECU 3400c and the ECU 3400d hold the reception ID list illustrated in FIG. Further, the processing content of the frame processing unit 410 differs for each ECU as shown in the first embodiment. Hereinafter, the contents of the frames transmitted by each of the ECUs 3400a to 3400d will be described with reference to FIGS. 26 to 29.

[Example of transmission frame of ECU 3400a related to 3.3 engine]
FIG. 26 is a diagram showing an example of an ID (message ID) and a data field (data) in a data frame transmitted from the ECU 3400a connected to the engine 401. The message ID of the frame transmitted by the ECU 3400a is "1". The data is represented by blanks for each byte in the figure, the first 1 byte represents the speed (km / hour), the next 1 byte represents the counter value, and the next 4 bytes represents the MAC. In the example of FIG. 26, MAC is expressed in hexadecimal. The speed (km / hour) of the first 1 byte takes a value in the range of a minimum of 0 (km / hour) to a maximum of 180 (km / hour). From the ascending line to the descending line of FIG. 26, each message ID and data corresponding to each frame sequentially transmitted from the ECU 3400a are illustrated, the counter value is gradually increased, and the speed is accelerated from 0 km / hour to 1 km / hour. It shows how it is.

[Example of transmission frame of ECU 3400b related to 3.4 brake]
FIG. 27 is a diagram showing an example of an ID (message ID) and a data field (data) in a data frame transmitted from the ECU 3400b connected to the brake 402. The message ID of the frame transmitted by the ECU 3400b is "2". The data is represented by blanks for each byte in the figure, the first 1 byte represents the degree of braking as a percentage (%), the next 1 byte represents the counter value, and the next 4 bytes represents the MAC. Represent. In the example of FIG. 27, MAC is expressed in hexadecimal. The degree of braking of the first 1 byte is 0 (%) when the brake is not applied at all and 100 (%) when the brake is applied to the maximum. From the ascending line to the descending line of FIG. 27, each message ID and data corresponding to each frame sequentially transmitted from the ECU 3400b are illustrated, the counter value gradually increases, and the brake is gradually weakened from 100%. It shows how it is.

[3.5 Transmission frame example of ECU 3400c related to door open / close sensor]
FIG. 28 is a diagram showing an example of an ID (message ID) and a data field (data) in a data frame transmitted from the ECU 3400c connected to the door open / close sensor 403. The message ID of the frame transmitted by the ECU 3400c is "3". The data is represented by blanks for each byte in the figure, the first 1 byte represents the open / closed state of the door, the next 1 byte represents the counter value, and the next 4 bytes represents the MAC. In the example of FIG. 28, MAC is expressed in hexadecimal. The open / closed state of the door of the first 1 byte is "1" when the door is open and "0" when the door is closed. From the ascending line to the descending line of FIG. 28, each message ID and data corresponding to each frame sequentially transmitted from the ECU 3400c are illustrated, and the counter value gradually increases, and the state in which the door is gradually closed is gradually increased. It shows how it moved to.

[Example of transmission frame of ECU3400d related to 3.6 window open / close sensor]
FIG. 29 is a diagram showing an example of an ID (message ID) and a data field (data) in a data frame transmitted from the ECU 3400d connected to the window opening / closing sensor 404. The message ID of the frame transmitted by the ECU 3400d is "4". The data is represented by blanks for each byte in the figure, the first 1 byte represents the open / closed state of the window as a percentage (%), the next 1 byte represents the counter value, and the next 4 bytes represents the MAC. Represent. In the example of FIG. 29, MAC is expressed in hexadecimal. The open / closed state of the window of the first 1 byte is 0 (%) when the window is completely closed and 100 (%) when the window is fully open. From the upper row to the lower row in FIG. 29, each message ID and data corresponding to each frame sequentially transmitted from the ECU 3400d are illustrated, the counter value gradually increases, and the window gradually opens from the closed state. It shows the situation.

[Structure of 3.7 fraud detection ECU 3100a]
FIG. 30 is a configuration diagram of the fraud detection ECU 3100a. The fraud detection ECU 3100a includes a frame transmission / reception unit 160, a frame interpretation unit 3150, a fraud MAC detection unit 3130, a MAC key holding unit 3180, a counter holding unit 3190, a frame generation unit 140, and a MAC generation unit 3170. It is composed of a detection counter holding unit 110. Each of these components is a functional component, and each function is realized by a communication circuit in the fraud detection ECU 3100a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The fraud detection ECU 3100a is a modification of a part of the fraud detection ECU 100a shown in the first embodiment, and components having the same functions as those of the first embodiment are designated by the same reference numerals and the description thereof will be omitted. The fraud detection ECU 3100b has the same configuration.

The frame interpretation unit 3150 is a modification of the frame interpretation unit 150 shown in the first embodiment, receives a frame value from the frame transmission / reception unit 160, and maps it to each field in the frame format specified by the CAN protocol. Interpret as. When it is determined that the frame is a data frame, the value (data) determined to be a data field is transferred to the fraudulent MAC detection unit 3130 together with the ID (message ID) of the ID field. Further, when the frame interpretation unit 3150 determines that the frame does not conform to the CAN protocol, the frame interpretation unit 3150 notifies the frame generation unit 140 to transmit an error frame. Further, when the frame interpreting unit 3150 receives an error frame, that is, when it interprets that the value in the received frame is an error frame, the frame interpreting unit 3150 discards the frame after that, that is, stops interpreting the frame. To do.

The fraudulent MAC detection unit 3130 has a function of receiving the message ID notified from the frame interpretation unit 3150 and the value (data) of the data field and verifying the MAC in the data field. The fraudulent MAC detection unit 3130 notifies the MAC generation unit 3170 of the notified message ID and the value of the data field, and acquires the MAC generated by the MAC generation unit 3170. The fraudulent MAC detection unit 3130 determines whether or not the data in the data field meets a predetermined condition indicating fraud. That is, the fraudulent MAC detection unit 3130 functions as a so-called determination unit for determining whether or not the content of a predetermined field in the received frame corresponds to a predetermined condition indicating fraud. The predetermined condition indicating this fraud is that the verification in the specified verification processing procedure (procedure including MAC generation, MAC comparison, etc.) fails, that is, the MAC included in the data is the MAC generation unit 3170. The condition is that it differs from the MAC generated by. The fraudulent MAC detection unit 3130 determines whether or not it is fraudulent (that is, verification of the MAC) by comparing the MAC acquired from the MAC generation unit 3170 with the MAC in the data field. As a result of comparing the values of both MACs, if they do not match, the received message ID is notified to the fraud detection counter holding unit 110 in order to increment the number of fraud detections. When the number of times of detection of this fraud reaches a certain number of times or more, the control for transmitting the error display message so as to be received by the head unit 200 is as described in the first embodiment. The explanation is omitted. Further, as a result of comparing the values of both MACs, if they do not match, the frame generation unit 140 is notified to transmit an error frame. As a result of comparing the MAC values, if they match, the MAC generation unit 3170 is notified to increment the counter value corresponding to the message ID held by the counter holding unit 3190.

The MAC generation unit 3170 acquires the corresponding MAC key from the MAC key holding unit 3180 and the corresponding counter from the counter holding unit 3190 by using the message ID notified by the fraudulent MAC detection unit 3130. The MAC generation unit 3170 has a MAC key acquired from the MAC key holding unit 3180 with respect to the data field value (value of the first 1 byte) notified by the fraudulent MAC detection unit 3130 and the counter value acquired from the counter holding unit 3190. The MAC is calculated (derived by calculation) using the above, and the calculated MAC is notified to the fraudulent MAC detection unit 3130. In any of the fraud detection ECUs 3100a and 3100b and the ECUs 3400a to 3400d, the same algorithm for calculating the MAC using the MAC key is used.

The MAC key holding unit 3180 holds the MAC key required for calculating the MAC in association with each message ID. The MAC key held by the MAC key holding unit 3180 has a different value for each associated message ID. It should be noted that the MAC key used in the ECU and the fraud detection ECU may be a different key for each transmission node, assuming that one transmission node transmits a frame of each of a plurality of message IDs. Further, the MAC key may be, for example, the same value may be used for frames transmitted on the same bus, or the same key (value) may be used even on different buses. The same key may be used for each unit, the same key may be used for the same vehicle model, the same key may be used for the same manufacturer, and the same key may be used for different manufacturers.

The counter holding unit 3190 holds a counter value required for calculating the MAC value for each message ID. This counter value is incremented when the frame is normally received (that is, when both MACs compared by the illegal MAC detection unit 3130 match).

[3.8 Counter value example]
FIG. 31 is a diagram showing an example of a counter value for each message ID held in the counter holding unit 3190. In the figure, the counter with the message ID "1" is once, the counter with the message ID "2" is 10 times, the counter with the message ID "3" is 15 times, and the counter with the message ID "4" is 100 times. Each time is shown. The counter value corresponding to each message ID represents the number of times the frame including the message ID is normally received.

[3.9 Sequence related to detection of illegal frames]
Hereinafter, the operations of the fraud detection ECU 3100a, ECU 3400a, ECU 3400b, gateway 300, etc. connected to the bus 500a will be described when a fraudulent ECU is connected to the bus 500a of the vehicle-mounted network system 12 having the above configuration.

32 and 33 are sequence diagrams showing an operation example in which the fraud detection ECU 3100a detects a fraudulent frame (message) and prevents another ECU from performing a process corresponding to the fraudulent frame. 32 and 33 show an example in which an unauthorized ECU is connected to the bus 500a as in the case of FIG. 18 shown in the first embodiment and FIGS. 22 and 23 shown in the second embodiment. There is. This illegal ECU transmits a data frame in which the message ID is "4" and the data field (data) is "0xFF FF FFFFFFFF" (6 bytes). The same sequences as those shown in the first or second embodiment are designated by the same reference numerals, and the description thereof will be simplified here.

First, the illegal ECU starts transmitting the above-mentioned illegal data frame (sequence S1001a). The fraud detection ECU 3100a, ECU 3400a, ECU 3400b and gateway 300 each receive a message ID (sequence S1002). Each of the ECU 3400a, the ECU 3400b, and the gateway 300 checks the message ID using the received reception ID list held (sequence S1003). Since "4" is not included in the reception ID list held by each of the ECU 3400a and the ECU 3400b (see FIG. 9), the reception is terminated. Since the gateway 300 includes "4" in the received reception ID list held (see FIG. 5), the gateway 300 continues the reception and receives the data field (sequence S1006a). Similarly, the fraud detection ECU 3100a also receives the data field (sequence S1006a).

Following the sequence S1006a, the fraud detection ECU 3100a verifies (checks) the MAC included in the data in the data field (sequence S3001). That is, the fraud detection ECU 3100a determines whether or not the content of the ID field in the transmitted frame corresponds to a predetermined condition indicating fraud (failure in MAC verification). The fraud detection ECU 3100a calculates the 6 bytes data "0xFFFFFFFF" of the data field in the data frame transmitted by the fraudulent ECU using the MAC of the latter 4 bytes and the MAC key and counter corresponding to the message ID "4". The MAC is verified by comparing with. Since the results of this comparison are inconsistent and the verification fails, the fraud detection ECU 3100a determines that the data frame is fraudulent, and then starts preparation for issuing an error frame (sequence S1005).

While the fraud detection ECU 3100a is preparing to issue an error frame, the gateway 300 starts receiving the CRC field (sequence S2002).

Next, the preparation for issuing the error frame is completed, and the fraud detection ECU 3100a transmits the error frame (sequence S1007). When the transmission of the error frame is started, in the bus 500a, the middle part of the CRC sequence of the frame being transmitted from the invalid ECU is overwritten by the error frame.

The gateway 300 that has received the error frame transmitted in the sequence S1007 stops receiving the data frame transmitted by the invalid ECU during the reception of the CRC field including the CRC sequence (sequence S2003).

The fraud detection ECU 3100a increments the fraud detection counter corresponding to the ID “4” of the data frame to which the error frame is transmitted (sequence S1009). When the fraud detection counter corresponding to the ID "4" becomes 17 or more as a result of the increment, the fraud detection ECU 3100a transmits an error display message (sequence S1010).

[3.10 Effect of Embodiment 3]
The fraud detection ECU shown in the third embodiment determines whether or not the transmitted frame is a fraudulent frame by verifying the MAC included in the data field of the frame (data frame). As a result, it is possible to prevent the existing ECU (that is, the fraud detection ECU and the ECU other than the fraudulent ECU) from interpreting the fraudulent frame and executing the process corresponding to the frame. Further, since the judgment can be made only by receiving the data field of the data frame, it is possible to suppress the bus traffic as compared with the case where the judgment is made by receiving the rear part of the data frame.

Further, the fraud detection ECU counts the number of times the error frame is transmitted by using the fraud detection counter, so that the transmission error counter in the node that transmits the fraudulent message ID by receiving the error frame is in a passive state if it follows the CAN protocol. It can be detected that the upper limit value to be transitioned to is reached. This makes it possible to determine whether or not the node that transmits the invalid message ID complies with the specifications of the error counter of the CAN protocol.

Further, by setting only the fraud detection ECU as the node for verifying the MAC, it is not necessary to verify with an ECU other than the fraud detection ECU, and the processing amount and the power consumption of the entire system can be suppressed.

(Embodiment 4)
Hereinafter, as an embodiment of the present invention, when the verification of the message authentication code (MAC) fails when a data frame is received, it is used to generate a MAC for the ECU that is the source of the data frame including the MAC. A vehicle-mounted network system 13 including a fraud detection ECU that transmits an update frame requesting an update of data and verifies the MAC again will be described. In the in-vehicle network system 13, fraud detection is performed by the ECU transmitting a frame (data frame) including a MAC generated by calculation from a message ID, a data value, and a counter value as shown in the third embodiment. It is assumed that the ECU verifies the MAC in the received frame. In the in-vehicle network system 13, when the MAC verification fails, a fraudulent countermeasure method for updating one or both of the MAC key and the counter value used for MAC generation is executed.

[4.1 Overall configuration of in-vehicle network system 13]
FIG. 34 is a diagram showing the overall configuration of the vehicle-mounted network system 13 according to the fourth embodiment. The in-vehicle network system 13 is a modification of a part of the in-vehicle network system 12 (or the in-vehicle network system 10 shown in the first embodiment) shown in the third embodiment. The in-vehicle network system 13 includes buses 500a, 500b, and 500c, and each node connected to the bus such as fraud detection ECUs 4100a, 4100b, head unit 200, gateway 300, and ECUs such as ECUs 4400a to 4400d connected to various devices. Consists of including. Among the components of the in-vehicle network system 13, components having the same functions as those of the first embodiment (or the third embodiment) are designated by the same reference numerals and the description thereof will be omitted.

The fraud detection ECUs 4100a and 4100b are connected to the bus 500a and the bus 500b, respectively, determine whether or not the frame transmitted by the ECUs 4400a to 4400d is invalid, and if it is invalid, the function of transmitting an error frame, the MAC key, and the It is an ECU having a function of transmitting an update frame instructing the update of one or both of the counter values. Specifically, the update frame includes a key update frame instructing the update of the MAC key, a key update & counter reset frame instructing the update of the MAC key and the reset of the counter value, and a counter reset frame instructing the reset of the counter. There is. Of these update frames, the key update frame and the key update & counter reset frame are, so to speak, MAC key update request frames having properties as frames for requesting MAC key update. Further, among the update frames, the counter reset frame and the key update & counter reset frame are, so to speak, counter reset request frames having properties as frames for requesting the update (reset) of the counter value. Although an example of storing the MAC in the data field of the data frame is shown in the third embodiment, it cannot be said that the data length of the MAC that can be stored in the data field is sufficiently long. On the other hand, by updating the MAC key or resetting the counter value in the in-vehicle network system 13 in a timely manner, the effect of increasing the resistance to a brute force attack on the MAC by an unauthorized ECU is produced.

The ECUs 4400a to 4400d are connected to any of the buses, and are also connected to the engine 401, the brake 402, the door open / close sensor 403, and the window open / close sensor 404, respectively. Each of the ECUs 4400a to 4400d acquires the state of the connected device (engine 401, etc.) and periodically transmits a data frame indicating the state to the network (that is, the bus). A message authentication code (MAC) derived by calculation from a message ID, a data value, and a counter value that is incremented for each transmission is assigned to the data field of the transmitted data frame.

[4.2 Configuration of ECU 4400a]
FIG. 35 is a configuration diagram of the ECU 4400a. The ECU 4400a includes a frame transmission / reception unit 460, a frame interpretation unit 450, a reception ID determination unit 430, a reception ID list holding unit 440, a frame processing unit 410, a frame generation unit 3420, a data acquisition unit 470, and a MAC generation. A unit 3410, a MAC key holding unit 4430, a counter holding unit 3440, a MAC key updating unit 4410, and a counter reset unit 4420 are included. Each of these components is a functional component, and each function is realized by a communication circuit in the ECU 4400a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The ECU 4400a is a modified version of the ECU 3400a shown in the third embodiment (or the ECU 400a shown in the first embodiment), and the components having the same functions as those of the first and third embodiments have the same reference numerals. Is added to omit the description.

The MAC key holding unit 4430 is realized by a storage medium such as a memory, and for each key ID that identifies the MAC key, two MAC keys (keys required for calculating the MAC), one before the update and the other after the update, are provided. Holds the associated key table. The update of the key table and the MAC key will be described later with reference to FIG. 39. Here, a different MAC key is used for each message ID, and therefore the key ID is the same as the message ID. When a MAC is generated by the MAC generation unit 3410, the updated MAC key is basically used unless otherwise specified.

The counter holding unit 3440 is realized by a storage medium such as a memory, and holds a counter table associated with a counter value for each counter ID that identifies the counter key. The update (reset) of the counter table and the counter value will be described later with reference to FIG. 40. Here, a different counter is used for each message ID, and therefore the counter ID is the same as the message ID.

When the frame transmission / reception unit 460 receives the key update frame or the key update & counter reset frame, the MAC key update unit 4410 updates the MAC key held by the MAC key holding unit 4430 according to these frames.

When a counter reset frame or a key update & counter reset frame is received by the frame transmission / reception unit 460, the counter reset unit 4420 resets the counter value held by the counter holding unit 3440 according to these frames.

Each of the ECUs 4400b to 4400d is a modification of a part of the ECUs 3400b to 3400d shown in the third embodiment, and has basically the same configuration as the above-mentioned ECU 4400a. However, the reception ID list held in the reception ID list holding unit 440, the key table held in the MAC key holding unit 4430, and the counter table held in the counter holding unit 3440 may have different contents for each ECU. Further, the processing content of the frame processing unit 410 differs for each ECU as shown in the first embodiment.

[4.3 Configuration of fraud detection ECU 4100a]
FIG. 36 is a configuration diagram of the fraud detection ECU 4100a. The fraud detection ECU 4100a includes a frame transmission / reception unit 160, a frame interpretation unit 4151, a fraud MAC detection unit 4131, a MAC key holding unit 4180, a counter holding unit 3190, a frame generation unit 140, a MAC generation unit 3170, and a MAC. It includes a key update unit 4110, a counter reset unit 4120, a security processing unit 4130, a security condition holding unit 4140, an invalid ID list holding unit 4150, an invalid log holding unit 4160, and a mode change processing unit 4170. Will be done. Each of these components is a functional component, and each function is realized by a communication circuit in the fraud detection ECU 4100a, a processor that executes a control program stored in a memory, a digital circuit, or the like. The fraud detection ECU 4100a is a modification of a part of the fraud detection ECU 3100a (or the fraud detection ECU 100a shown in the first embodiment) shown in the third embodiment, and has the same functions as those of the first and third embodiments. The components are designated by the same reference numerals and the description thereof will be omitted. The fraud detection ECU 4100b has the same configuration.

The frame interpretation unit 4151 is obtained by modifying a part of the frame interpretation unit 3150 shown in the third embodiment and adding a function. The frame interpretation unit 4151 receives the frame value from the frame transmission / reception unit 160 and interprets it so as to map it to each field in the frame format defined by the CAN protocol. When it is determined that the frame is a data frame, the value (data) determined to be a data field is transferred to the fraudulent MAC detection unit 4131 together with the ID (message ID) of the ID field. Further, the frame interpretation unit 4151 transmits an error frame when it is determined that the frame does not conform to the CAN protocol or when the message ID is an ID included in the invalid ID list held by the invalid ID list holding unit 4150. Notify the frame generation unit 140 to do so. Further, when the frame interpreting unit 4151 receives an error frame, that is, when it interprets that the value in the received frame is an error frame, the frame interpreting unit 4151 discards the frame after that, that is, stops interpreting the frame. To do.

The MAC key holding unit 4180 is realized by a storage medium such as a memory, and for each key ID that identifies the MAC key, two MAC keys (keys required for calculating the MAC), one before the update and the other after the update, are provided. Holds the associated key table. Here, a different MAC key is used for each message ID, and therefore the key ID is the same as the message ID. When a MAC is generated by the MAC generation unit 3170, the updated MAC key is basically used unless otherwise specified.

The counter holding unit 3190 is realized by a storage medium such as a memory, and holds a counter table associated with a counter value (a counter value required for calculating MAC) for each counter ID that identifies the counter key. Here, a different counter is used for each message ID, and therefore the counter ID is the same as the message ID. This counter value is incremented if the frame is successfully received.

When the frame transmission / reception unit 160 receives the key update frame or the key update & counter reset frame, the MAC key update unit 4110 updates the MAC key held by the MAC key holder 4180 according to these frames.

When a counter reset frame or a key update & counter reset frame is received by the frame transmission / reception unit 160, the counter reset unit 4120 resets the counter value held by the counter holding unit 3190 according to these frames.

The fraudulent MAC detection unit 4131 is a modification of a part of the fraudulent MAC detection unit 3130 shown in the third embodiment, and receives the message ID notified from the frame interpretation unit 4151 and the value (data) of the data field. It has a function to verify the MAC in the data field. The fraudulent MAC detection unit 4131 notifies the MAC generation unit 3170 of the notified message ID and the value of the data field, and acquires the MAC generated by the MAC generation unit 3170. The fraudulent MAC detection unit 4131 determines whether or not the data in the data field meets a predetermined condition indicating fraud. The predetermined condition indicating this fraud is that the verification in the specified verification processing procedure (procedure including MAC generation, MAC comparison, etc.) fails, that is, the MAC included in the data is the MAC generation unit 3170. The condition is that it differs from the MAC generated by. The fraudulent MAC detection unit 4131 determines whether or not it is fraudulent (that is, verification of the MAC) by comparing the MAC acquired from the MAC generation unit 3170 with the MAC in the data field. As a result of comparing the values of both MACs, if they do not match, the invalid count of the corresponding message ID in the security condition table of the security condition holding unit 4140 is incremented. Further, as a result of comparing the values of both MACs, if they do not match, the frame generation unit 140 is notified to transmit an error frame. Further, as a result of comparing the values of both MACs, if they do not match, there is a possibility that the MAC key or the counter value is not updated synchronously between the own machine (fraud detection ECU 4100a) and the ECU that is the source of the data frame. Therefore, the frame generation unit 140 is requested to transmit the update frame. The update frame transmitted in this case is basically a key update & counter reset frame. However, instead of the key update & counter reset frame, the key update frame and the counter reset frame may be sequentially transmitted. The fraudulent MAC detection unit 4131 is included in the above data field by generating a MAC using the MAC key before the update before requesting the frame generation unit 140 to transmit the key update & counter reset frame. The MAC may be verified again. If this revalidation is successful (that is, if both MACs match), it is presumed that the counters are synchronized and only MAC key synchronization is required, and the unauthorized MAC detection unit 4131 updates the key and resets the counter. You may ask the frame generator 140 to send the key update frame instead of the frame. Further, when the re-verification also fails, a method of transmitting a counter reset frame can be adopted in consideration of the possibility that the counters are not synchronized. Further, when the illegal MAC detection unit 4131 succeeds in the MAC verification (when the values of both compared MACs match), the fraudulent MAC detection unit 4131 increments the counter value corresponding to the message ID held by the counter holding unit 3190. Notifies the MAC generator 3170.

Although the security condition holding unit 4140 is realized by a storage medium such as a memory and transmits an update frame (key update frame, counter reset frame or key update & counter reset frame), as a result of subsequent MAC verification. It holds a security condition table 620 that defines a security action that is a countermeasure process when verification failure (a state of inconsistency as a result of comparison between the generated MAC value and the MAC value in the received data field) continues. The security condition table 620 will be described later with reference to FIG. 41.

The security processing unit 4130 executes a security action according to the security condition table 620 held by the security condition holding unit 4140. The security action includes a process of adding the message ID of the frame whose MAC verification failed to the invalid ID list held by the invalid ID list holding unit 4150, and a process of recording the message ID in the log held by the invalid log holding unit 4160. , There is a process of instructing the mode change processing unit 4170 to put the vehicle in a safe state.

The rogue ID list holding unit 4150 holds a rogue ID list that is realized by a storage medium such as a memory and enumerates message IDs of data frames determined to be rogue (data frames that failed to verify MAC, etc.).

The fraudulent log holding unit 4160 is realized by a storage medium (recording medium) such as a memory or a hard disk, and holds a log for recording an event such as an illegal data frame being transmitted. Examples of the information related to the event recorded in the log include the message ID of the invalid data frame, the date and time when the invalid data frame was transmitted, the number of times the invalid data frame was transmitted, and the like. A digital signature or the like may be added to the log contents or the log contents may be encrypted so that the log is not tampered with.

When the security processing unit 4130 instructs the mode change processing unit 4170 to put the vehicle in a safe state, the mode change processing unit 4170 should put the vehicle in a safe state (for example, a state in which the speed is limited to a certain speed or less). The frame generation unit 140 is made to generate a mode change frame, which is a predetermined frame for transmission to. When the mode change frame is generated in the frame generation unit 140 and transmitted by the frame transmission / reception unit 160, the other ECU receives the mode change frame and performs predetermined control (for example, the rotation speed of the engine of the vehicle is constantly rotated). Controls limited to the following, etc.) can be executed. It should be noted that the predetermined control content for putting the vehicle in a safe state is not limited to lowering the speed of the vehicle.

[4.4 Receipt ID list example of ECU 4400a]
FIG. 37 is a diagram showing an example of a reception ID list held in the reception ID list holding unit 440 of the ECU 4400a. The ECU 4400a selectively receives and processes a frame including any of the message IDs listed in the reception ID list among the frames flowing through the bus. The ECU 4400a receives a key update frame instructing the update of the MAC key, a counter reset frame instructing the update of the counter value, and a key update & counter reset frame instructing the MAC key update and the counter reset. The ID is registered in the receiving ID list. In the example of the received ID list shown in FIG. 37, "2001" is the ID of the key update frame, "2002" is the ID of the counter reset frame, and "2003" is the ID of the key update & counter reset frame. The ECU 4400b also holds a similar reception ID list. In this embodiment, since it is necessary to synchronize the update of the MAC key and the like, the reception ID list (see FIG. 5) held by the gateway 300 further includes the key update frame ID "2001" and the counter reset. It is assumed that the frame ID "2002" and the key update & reset frame ID "2003" are included.

[4.5 update frame]
FIG. 38 is a diagram showing an example of an update frame. In the figure, an example of the key update & counter reset frame is given among the update frames, but the key update frame and the counter reset frame have the same configuration.

In the MAC key update & counter reset frame, the key update & counter reset ID (ID for the key update & counter reset frame) of "2003" is used as the message ID in the ID field. Further, in the data field, a message ID (update target ID) and a MAC to be targeted for MAC key update, counter reset, etc. are set. In FIG. 38, (a) shows a specific example of a key update & counter reset frame instructing that all MAC key updates and counter resets are performed at once regardless of the message ID. All message IDs are represented by the data "0xFFFF". Further, FIG. 38 (b) shows a specific example of the key update & counter reset frame instructing that the MAC key update and the counter reset for the message ID “4” are performed at the same time.

[4.6 Key Table]
FIG. 39 is a diagram showing an example of a key table held in the MAC key holding unit 4180 of the fraud detection ECU 4100a. The key table is configured by associating a key ID, update information for identifying whether it is a MAC key before update or a MAC key after update, and a key value. When updating the MAC key, the new MAC key generated by the MAC key update unit 4110 is written to the table as the "after update" key value, and the MAC key used up to that point is the "before update" key value. Recorded as. Here, a different MAC key is used for each message ID, and therefore the key ID is the same as the message ID. The fraud detection ECU 4100a holds MAC keys with a plurality of key IDs corresponding to frames that the device can receive. Further, similarly to the fraud detection ECU 4100a, each of the fraud detection ECU 4100b and the ECUs 4400a to 4400d also stores a MAC key table for storing the MAC keys before and after the update for each message ID of the frame transmitted or received by the own machine. Hold.

The method of updating the MAC key in the MAC key update unit 4110 of the fraud detection ECU 4100a or the like or the MAC key update unit 4410 of the ECU 4400a or the like is, for example, to set the "after update" key value (MAC key) used when generating the MAC. , Record in the key table as the key value "before update", enter the "after update" MAC key into a predetermined one-way function (for example, hash function, etc.) and derive the result as a new MAC. It depends on the procedure of recording in the key table as a key, that is, as a new "after update" key value. As an operation for deriving a new MAC key, a function that outputs a new MAC key by a predetermined algorithm based on the input seed may be used. In this case, for example, the seed may be included in the data field of the update frame (key update frame or key update & counter reset frame) instructing the update of the MAC key, or the counter value and the current time may be included. Information or the like may be used as a seed. That is, it is sufficient that the same MAC key can be generated among a plurality of ECUs (or fraud detection ECUs) whose MAC keys should be updated synchronously.

[4.7 Counter Table]
FIG. 40 is a diagram showing an example of a counter table held in the counter holding unit 3190 of the fraud detection ECU 4100a. The counter table is configured by associating a counter ID with a counter value. Here, a different counter is used for each message ID, and therefore the counter ID is the same as the message ID. The fraud detection ECU 4100a holds the counter values of a plurality of counter IDs corresponding to the frames that can be received by the own machine. Further, similarly to the fraud detection ECU 4100a, each of the fraud detection ECU 4100b and the ECUs 4400a to 4400d holds a counter table for storing the counter values in association with each message ID of the frame transmitted or received by the own machine. The counter value corresponding to the message ID in the counter table is incremented (incremented by 1) when the frame of the message ID is normally transmitted or received. In this method, when transmitting a data frame, the counter value is treated as a transmission counter and the number of transmissions is counted. When receiving a data frame, the counter value is treated as a reception counter and the number of receptions is counted. For example, in the ECU 4400a that transmits a data frame having a message ID of "1", the counter value corresponding to the counter ID of "1" in the counter table is treated as a transmission counter, and the transmission counter is incremented each time the data frame is transmitted. .. Further, for example, in the ECU 4400b that receives a data frame having a message ID of "1", the counter value corresponding to the counter ID of "1" in the counter table is treated as a reception counter, and the transmitted data frame is normally received. The reception counter is incremented each time.

The reset of the counter value in the counter reset unit 4120 of the fraud detection ECU 4100a or the like or the counter reset unit 4420 of the ECU 4400a or the like is realized by updating the counter value so as to become a predetermined specific value such as zero. The specific value does not necessarily have to be zero as long as the same counter value is maintained after the reset among a plurality of ECUs (or fraud detection ECUs) for which the counter values should be updated (reset) in synchronization.

[4.8 Security Condition Table 620]
FIG. 41 is a diagram showing an example of the security condition table 620 held by the security condition holding unit 4140. The security condition table 620 is composed of a function classification 621, a message ID 622, an illegal count 623, an illegal count threshold value 624, and a security action 625. The function classification 621 is for classifying the message ID of the frame according to the data which is the content of the frame (data frame) or the function related to the ECU of the transmission source (the function of the device to which the ECU of the transmission source is connected, etc.). It is an item. Each of the plurality of buses in the in-vehicle network system 13 belongs to one or a plurality of groups of a plurality of types (functional groups) in terms of functions related to the ECU connected to the buses. Therefore, the function classification 621 can be said to indicate which bus the frame of the corresponding message ID is transmitted on, that is, which bus belongs to which of the plurality of types of groups is transmitted. The "drive system" is a function related to the running of a vehicle such as control of an engine, a motor, a fuel, a battery, and a transmission, and corresponds to, for example, an ECU 4400a. The "chassis system" is a function related to control of vehicle behavior such as "turning" and "stopping" such as braking and steering, and is supported by, for example, ECU 4400b. The "body system" is a control function of vehicle equipment such as a door lock, an air conditioner, a light, a blinker, etc., and is supported by, for example, ECU 4400c and 4400d. In addition, for example, the "safety and comfort function" is a function for automatically realizing safe and comfortable driving such as automatic braking, lane keeping function, inter-vehicle distance keeping function, collision prevention function, etc., and "ITS (Intelligent Transport Systems)" ) Function is a function corresponding to intelligent transportation systems such as ETC (Electronic Toll Collection System), and "Telematics" is a function corresponding to services using mobile communication such as tracking when a vehicle is stolen. , "Infotainment" is an entertainment function related to car navigation, audio, etc. Message ID 622 is the ID of the frame in the CAN protocol. The invalid count 623 is an item (area) for storing the number of times the MAC verification has failed (the number of times an error has occurred). The fraudulent count threshold value 624 indicates a threshold value at which a security action is executed when the value of the fraudulent count 623 becomes equal to or higher than this threshold value. The security action 625 determines whether or not to execute various security actions, which are processes for dealing with fraud, which are executed when the value of the fraud count 623 becomes equal to or higher than the threshold indicated by the fraud count threshold 624. This is the specified information. As shown in FIG. 41, the security action 625 includes whether or not to add the message ID that failed to verify the MAC to the fraudulent ID list, whether or not to notify the head unit 200 that there was a fraud, or whether or not there is a fraud. It is determined whether or not to record the fact in a log, and whether or not to give an instruction to the mode change processing unit 4170 to change the mode for putting the vehicle in a safe state.

In the security condition table 620 shown in FIG. 41, the illegal count threshold value 624 is set to "5" for the "drive system" and the "chassis system", and the illegal count threshold value 624 is set to "10" for the "body system". It is set. In the example of FIG. 41, the security action 625 adds the message ID of the invalid frame (frame whose verification failed) to the invalid ID list for all the function classifications, and adds the invalid frame to the head unit 200. The notification is set to "Enabled" to indicate that it will be executed. In addition, the instruction to change the mode to put the vehicle in a safe state ("valid (shift to a safe state)") is a function related to safety such as "drive system", "chassis system" and "safety and comfort function". Only the classification is defined. In the security condition table 620, execution conditions and processing contents of security actions can be defined for each function classification in this way. The contents of the security condition table 620 can be set, for example, at the time of manufacturing or selling the in-vehicle network system.

[4.9 Illegal ID list]
FIG. 42 is a diagram showing an example of an invalid ID list held by the invalid ID list holding unit 4150. In the invalid ID list, when the frame of the message ID for which the addition of the invalid ID list is defined as "valid" as the security action 625 of the security condition table is determined to be invalid (that is, when the MAC verification of the frame fails). ), The message ID is added by the security processing unit 4130. The fraudulent ID list may include in advance a message ID that should not be transmitted in the in-vehicle network system 13.

[4.10 Sequence related to detection of illegal frames and security actions]
Hereinafter, the operations of the fraud detection ECU 4100a, ECU 4400a, ECU 4400b, gateway 300, etc. connected to the bus 500a will be described when a fraudulent ECU is connected to the bus 500a of the vehicle-mounted network system 13 having the above configuration.

43 to 45 are sequence diagrams showing an example of operation of a fraud detection ECU 4100a for detecting a fraudulent frame (message), updating a MAC key in each ECU, resetting a counter value, and a security action by the fraud detection ECU 4100a. .. Here, the security condition table held by the fraud detection ECU 4100a will be described as being illustrated in FIG. 41. Here, it is assumed that an unauthorized ECU is connected to the bus 500a. This illegal ECU transmits a data frame having a message ID of "4" and including data "0xFF" or the like in a data field.

First, the illegal ECU starts transmitting the above-mentioned illegal data frame (sequence S4001). The fraud detection ECU 4100a, ECU 4400a, ECU 4400b and gateway 300 each receive a message ID (sequence S4002). Each of the ECU 4400a, the ECU 4400b, and the gateway 300 checks the message ID using the received reception ID list held (sequence S4003). Since "4" is not included in the reception ID list held by each of the ECU 3400a and the ECU 3400b (see FIG. 37), the reception is terminated. Since the gateway 300 includes "4" in the received reception ID list held (see FIG. 5), the gateway 300 continues the reception and receives the data field (sequence S4004). Similarly, the fraud detection ECU 4100a also receives the data field (sequence S4004).

Following the sequence S4004, the fraud detection ECU 4100a verifies the MAC included in the data in the data field (sequence S4005). That is, the fraud detection ECU 4100a has the contents of the predetermined position in which the MAC should be included in the data of the data field in the transmitted frame and the MAC key (that is, the "updated" key value corresponding to the ID "4" in the key table. The MAC is verified by comparing it with the MAC generated by the MAC generation unit 3170 using the MAC key held as. Since the correct MAC is not stored in the invalid data frame transmitted by the invalid ECU, the comparison results will be inconsistent and the MAC verification will fail. When the MAC verification fails, the fraud detection ECU 4100a increments the value of the fraud count 623 corresponding to the message ID "4" in the security condition table 620.

In the in-vehicle network system 13, if there is a possibility that an unauthorized ECU is connected, the data used for MAC generation (that is, the MAC key) is updated in order to increase the resistance to a round-robin attack against the MAC from the unauthorized ECU. It is useful to update (or reset the counter value). If the MAC verification fails in connection with the update of this data, there is a possibility that the synchronization of the MAC key or counter value with the legitimate ECU has failed. It is also possible that the MAC verification failed due to an invalid data frame transmitted by an illegal ECU. Therefore, in view of these, the fraud detection ECU 4100a transmits an update frame when the MAC verification fails. That is, when the MAC verification fails, the fraud detection ECU 4100a generates a key update & counter reset frame (see FIG. 38) in which the message ID “4” is set as the update target ID by the frame generation unit 140 (sequence). S4006), the frame transmission / reception unit 160 transmits a key update & counter reset frame (sequence S4007).

Since the ECU 4400a, the ECU 4400b, and the gateway 300 include the message ID "2003" of the key update & counter reset frame which is the update frame in the reception ID list, the ECU 4400a, the ECU 4400b, and the gateway 300 receive the key update & counter reset frame (sequence S4008).

Subsequently, the ECU 4400a, the ECU 4400b, and the gateway 300 determine whether or not the received update frame indicates the update of the MAC key (sequence S4009), and then determine the key update frame or the key update instructing the update of the MAC key. If it is a & counter reset frame, the MAC key is updated (sequence S4010).

Further, the ECU 4400a, the ECU 4400b, and the gateway 300 determine whether or not the received update frame indicates the update (reset) of the counter value (sequence S4011), and the counter reset frame instructing the reset of the counter value. Alternatively, if it is a key update & counter reset frame, the counter value is reset (sequence S4012).

Although omitted in FIG. 44, the fraud detection ECU 4100a can also perform the processing procedures of sequences S4008 to S4012, and similarly update the MAC key corresponding to the message ID “4” and reset the counter value.

Further, the fraud detection ECU 4100a determines whether or not the value of the fraud count 623 corresponding to any message ID in the security condition table 620 is equal to or higher than the threshold indicated by the fraud count threshold 624 (sequence S4013), and is equal to or higher than the threshold. When becomes, security action processing (FIG. 46) is performed (sequence S4014). Here, the description of the sequence in FIG. 45 is interrupted, and the security action processing will be described with reference to FIG. 46. An example will be described in which the value of the fraud count 623 corresponding to the message ID “4” in the security condition table 620 is equal to or greater than the threshold indicated by the fraud count threshold 624.

FIG. 46 is a flowchart showing security action processing in the fraud detection ECU 4100a.

The fraud detection ECU 4100a follows the security action 625 corresponding to the message ID (“4” in the sequence example of FIG. 45) in which the value of the fraud count 623 in the security condition table 620 is equal to or greater than the threshold indicated by the fraud count threshold 624. , It is determined whether or not the addition to the fraudulent ID list is "valid" (step S4020). If it is "valid", the security processing unit 4130 of the fraud detection ECU 4100a adds the message ID to the fraud ID list held by the fraud ID list holding unit 4150 (step S4021).

Further, the fraud detection ECU 4100a determines whether or not the notification to the head unit is "valid" according to the security action 625 corresponding to the message ID "4" in the security condition table 620 (step S4022). If it is "valid", the security processing unit 4130 of the fraud detection ECU 4100a notifies the head unit 200 by controlling transmission of a frame including information indicating that the fraudulent frame has been transmitted (step S4023). ).

Further, the fraud detection ECU 4100a determines whether or not the log recording is "valid" according to the security action 625 corresponding to the message ID "4" in the security condition table 620 (step S4024). If it is "valid", the security processing unit 4130 of the fraud detection ECU 4100a adds event information related to the transmission of a fraudulent frame to the log held by the fraud log holding unit 4160 (step S4025).

Further, the fraud detection ECU 4100a determines whether or not it is "effective" to change the mode for putting the vehicle in a safe state according to the security action 625 corresponding to the message ID "4" in the security condition table 620 (step S4026). ). If it is "valid", the security processing unit 4130 of the fraud detection ECU 4100a issues an instruction to the mode change processing unit 4170 to change the mode for putting the vehicle in a safe state (step S4027).

When the value of the invalid count 623 corresponding to the message ID "4" becomes equal to or greater than the threshold indicated by the invalid count threshold value 624, the message ID is added to the invalid ID list (step S4021), and the invalid frame is added. Notification of information related to transmission to the head unit 200 (step S4023) will be executed.

Hereinafter, the description of the sequence in FIG. 45 will be returned to again.

Here, it is assumed that after the fraud detection ECU 4100a performs the above-mentioned security action processing, the fraudulent ECU again transmits a data frame in which the message ID is "4" and the data field includes data "0xFF" or the like (). Sequence S4015).

At this point, since the same message ID as the message ID "4" received by the fraud detection ECU 4100a is included in the fraud ID list held by the fraud ID list holding unit 4150 (sequence S4016), the fraud detection ECU 4100a The frame interpretation unit 4151 causes the frame generation unit 140 to generate an error frame (sequence S4017).

Subsequently, the fraud detection ECU 4100a transmits an error frame by the frame transmission / reception unit 160 (sequence S4018). As a result, a part of the data frame is overwritten by the error frame before the transmission of the data frame of the message ID "4" by the illegal ECU is completed. Therefore, it is prevented that another ECU receives an invalid data frame and performs the corresponding processing. When the data frame is received, if the fraud ID list does not include the same message ID as the received message ID, the fraud detection ECU 4100a continues to receive the data frame (sequence S4019). , The procedure of sequence S4004 to sequence S4014 is executed.

[Effect of 4.11 Embodiment 4]
In the in-vehicle network system 13 shown in the fourth embodiment, the MAC key update or the counter value reset cannot be synchronized between the fraud detection ECU and the legitimate ECU, and the MAC verification in the data frame fails. In this case, the synchronization shift can be eliminated by transmitting an update frame instructing the fraud detection ECU to update the MAC key or reset the counter value. In addition, it becomes possible to identify an illegal ECU that cannot correctly update the MAC key and reset the counter value, and it becomes possible to prevent other ECUs from performing processing according to the frame based on the frame from the illegal ECU. .. In addition, according to the security condition table, the countermeasure processing can be appropriately defined according to the number of times that an invalid data frame is detected by MAC verification, and the illegal data frame can be dealt with illegally.

(Other embodiments, etc.)
As described above, Embodiments 1 to 4 have been described as an example of the technique according to the present invention. However, the technique according to the present invention is not limited to this, and can be applied to embodiments in which changes, replacements, additions, omissions, etc. are appropriately made. For example, the following modifications are also included in one embodiment of the present invention.

(1) In the above embodiment, the example in which the frame is periodically transmitted by each ECU is shown, but the frame may be transmitted as an event notifying the state change. For example, the ECU may transmit the frame only when the open / closed state of the door changes, instead of transmitting the open / closed state of the door periodically. Further, the ECU may transmit the frame periodically and when a state change occurs.

(2) In the above embodiment, the MAC is generated (calculated) by an operation based on the message ID, the data value, and the counter value, but it reflects a part of the contents of the data frame (that is, a part of the contents). The MAC may be generated (based on), and the MAC may be generated only from the data value. Further, the MAC may be generated only from the counter value. The MAC verification method in the ECU that receives the data frame may be any one that corresponds to the method in which the ECU that transmits the data frame assigns the MAC to the data frame. Further, in the data frame to which the MAC is assigned, a part or all the counter values may be included in the data field in addition to the data value and the MAC. Further, the size of the MAC included in the frame is not limited to 4 bytes, and may be a different size for each transmission. Similarly, the size of the data value such as the speed per hour and the size of the counter value are not limited to 1 byte.

(3) In the above embodiment, an example in which the counter value is incremented for each transmission is shown, but the counter value may be a value that is automatically incremented according to the time. Moreover, the value of the time itself may be used instead of the counter. That is, if the MAC is generated based on variables (counter, time, etc.) that change each time a data frame is transmitted, it is possible to make it difficult to decipher the MAC illegally. Further, the operation on the counter value is not limited to increment (increment by 1). An increase of 2 or more may be performed, and not only an up count by increment but also a down count by decrement may be performed. Further, the operation on the counter value may be, for example, a bit shift, or an operation in which the output value specified based on a predetermined algorithm is used as the input value of the previous operation result as the operation result. Is also good.

(4) In the above embodiment, the data frame in the CAN protocol is described in the standard ID format, but it may be in the extended ID format. In the case of the extended ID format, the base ID of the ID position in the standard ID format and the extended ID are combined to represent the ID (message ID) in 29 bits. Therefore, the 29-bit ID is the ID in the above-described embodiment. It may be treated as (message ID).

(5) In the above embodiment, the algorithm for calculating MAC is HMAC, but this may be CBC-MAC (Cipher Block Chaining Message Authentication Code) or CMAC (Cipher-based MAC). The padding used in the MAC calculation may be zero padding, ISO10126, PKCS # 1, PKCS # 5, PKCS # 7, or any other padding method in which the data size of the block is required for the calculation. Also, regarding the method of changing the size to a block such as 4bytes, padding may be performed at any of the beginning, the end, and the middle part. Further, the data used for MAC calculation may not be continuous data (for example, continuous data for 4 bytes), but may be collected and combined 1 bit at a time according to a specific rule.

(6) The fraudulent frame detection unit and the fraudulent MAC detection unit shown in the above embodiment may be mounted on hardware called a CAN controller or firmware that operates on a processor that operates in connection with the CAN controller. Further, the MAC key holding unit, the counter holding unit, the regular ID list holding unit, the data range list holding unit, the invalid ID list holding unit, and the security condition holding unit are connected to a hardware register called a CAN controller or a CAN controller. It may be stored in the firmware that operates on the processor that operates.

(7) The security condition table of the above embodiment is an example, and the value may be different from the illustrated value, or a plurality of conditions may be defined. Further, although the security condition table is set in advance in the fraud detection ECU, it may be set at the time of shipment of the in-vehicle network system or at the time of shipment of the vehicle body on which the in-vehicle network system is mounted. Information such as the security condition table described above may be updated after being held in the security condition holding unit, and various information such as the security condition table may be set based on communication with the outside. It may be set by using a recording medium or the like, or may be set by tools or the like.

(8) In the above embodiment, one MAC key is held for each message ID, but one for each ECU (that is, for each one or more message ID groups) may be used. Also, not all ECUs need to hold the same MAC key. Further, each ECU connected to the same bus may hold a common MAC key. However, it is necessary for the ECU that transmits a frame with the same message ID and the ECU that receives and verifies the frame to hold the same MAC key. Regarding the range of holding the same MAC key, the same key, the same key per vehicle, the same key for vehicles of the same model, and the same manufacturer even between ECUs connected to different buses. The same key may be used for each, and the same key may be used even if the manufacturers are different from each other. The MAC key before and after the update may be encrypted and held by the MAC key holding unit.

(9) In the above embodiment, one counter value is held for each message ID, but one counter value may be held for each ECU (that is, for each one or more message ID groups). Further, a common counter value may be used for all frames flowing on the same bus.

(10) In the above embodiment, when the fraud detection ECU fails to verify the MAC (when the number of failures exceeds the threshold value), the head unit is notified that a fraudulent frame has been transmitted. However, the head unit may notify the information related to the fraud to a server device or the like outside the in-vehicle network system by communication. This makes it possible for an external server device or the like to collect information on fraud that has occurred in the in-vehicle network system. Further, when the head unit receives a notification that an illegal frame has been transmitted, the head unit may notify the driver by displaying on a display, sounding a buzzer, or the like. Further, in the above embodiment, when the fraud detection fails to verify the MAC (when the number of failures exceeds the threshold value), control is performed to make the vehicle state safe. Is sufficient as long as it is a control for adding a certain suppression to the function of the vehicle to bring it into a predetermined specific state. The control for setting this specific state is, for example, to control a part of the mechanism of the vehicle, or to instruct one or a plurality of ECUs to control a part of the mechanism of the vehicle via a bus. Sending, etc.

(11) Instead of the key update & counter reset frame that is transmitted when the fraud detection ECU fails to verify the MAC in the above embodiment, the fraud detection ECU is either a key update frame or a counter reset frame. You may use only. For example, if the counter value is not used for MAC generation in each ECU including the fraud detection ECU, or if the counter value is used but the counter value is not reset, the fraud detection ECU fails to verify the MAC. Sometimes it is useful to send only the key update frame out of the update frames. Further, when the verification of the MAC related to the received data frame in the fraud detection ECU fails, the ECU and the fraud detection ECU that are the transmitting side and the receiving side of the data frame having the same message ID as the data frame are updated frames. The MAC key may be updated or the counter value may be reset in synchronization by a method other than transmission / reception (for example, signals are exchanged via a communication path that does not use the CAN protocol).

(12) Even if the CAN protocol shown in the above embodiment has a broad meaning including derivative protocols such as TTCAN (Time-Triggered CAN) and CANFD (CAN with Flexible Data Rate). good.

(13) Each ECU (including a fraud detection ECU, a gateway, and a head unit) in the above embodiment is a device including, for example, a processor, a digital circuit such as a memory, an analog circuit, a communication circuit, and the like. It may include other hardware components such as a hard disk device, display, keyboard, mouse and the like. Further, instead of the control program stored in the memory being executed by the processor to realize the function in software, the function may be realized by dedicated hardware (digital circuit or the like).

(14) A part or all of the components constituting each device in the above embodiment may be composed of one system LSI (Large Scale Integration). The system LSI is an ultra-multifunctional LSI manufactured by integrating a plurality of components on one chip, and specifically, is a computer system including a microprocessor, a ROM, a RAM, and the like. .. A computer program is recorded in the RAM. When the microprocessor operates according to the computer program, the system LSI achieves its function. Further, each part of the component components constituting each of the above devices may be individually integrated into one chip, or may be integrated into one chip so as to include a part or all of them. Further, although the system LSI is used here, it may be referred to as an IC, an LSI, a super LSI, or an ultra LSI depending on the degree of integration. Further, the method of making an integrated circuit is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor. An FPGA (Field Programmable Gate Array) that can be programmed after the LSI is manufactured, or a reconfigurable processor that can reconfigure the connection and settings of circuit cells inside the LSI may be used. Furthermore, if an integrated circuit technology that replaces an LSI appears due to advances in semiconductor technology or another technology derived from it, it is naturally possible to integrate functional blocks using that technology. The application of biotechnology, etc. is possible.

(15) A part or all of the components constituting each of the above devices may be composed of an IC card or a single module that can be attached to and detached from each device. The IC card or the module is a computer system composed of a microprocessor, a ROM, a RAM, and the like. The IC card or the module may include the above-mentioned super multifunctional LSI. When the microprocessor operates according to a computer program, the IC card or the module achieves its function. This IC card or this module may have tamper resistance.

(16) As one aspect of the present invention, a method such as the fraudulent coping method shown above may be used. Further, it may be a computer program that realizes these methods by a computer, or it may be a digital signal composed of the computer program. Further, as one aspect of the present invention, the computer program or a recording medium capable of reading the digital signal by a computer, for example, a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, or a BD. (Blu-ray (registered trademark) Disc), may be recorded on a semiconductor memory or the like. Further, it may be the digital signal recorded on these recording media. Further, as one aspect of the present invention, the computer program or the digital signal may be transmitted via a telecommunication line, a wireless or wired communication line, a network typified by the Internet, data broadcasting, or the like. Further, one aspect of the present invention is a computer system including a microprocessor and a memory, in which the memory records the computer program, and the microprocessor may operate according to the computer program. .. Further, it is carried out by another independent computer system by recording and transferring the program or the digital signal on the recording medium, or by transferring the program or the digital signal via the network or the like. It may be.

(17) The scope of the present invention also includes a form realized by arbitrarily combining the above-described embodiment and each component and function shown in the above-described modification.

The present invention can be used to deal with the transmission of illegal frames in an in-vehicle network system.

10, 11, 12, 13 In-vehicle network system 100a, 100b, 2100a, 2100b, 3100a, 3100b, 4100a, 4100b Fraud detection electronic control unit (fraud detection ECU)
110 Fraud detection counter holding unit 120 Regular ID list holding unit 130, 2130 Fraud frame detection unit 140, 230, 320, 420, 3420 Frame generation unit 150, 260, 350, 450, 2150, 3150, 4151 Frame interpretation unit 160, 270 360, 460 Frame transmission / reception unit 200 Head unit 210 Display control unit 220, 410 Frame processing unit 240, 330, 430 Reception ID judgment unit 250, 340, 440 Reception ID list holding unit 300 Gateway 310 Transfer processing unit 370 Transfer rule holding unit 400a to 400d, 3400a to 3400d, 4400a to 4400d Electronic control unit (ECU)
401 Engine 402 Brake 403 Door open / close sensor 404 Window open / close sensor 470 Data acquisition unit 500a to 500c Bus 2120 Data range list holding unit 3130, 4131 Illegal MAC detection unit 3170, 3410 MAC generator 3180, 3430, 4180, 4430 MAC key holding unit 3190, 3440 Counter holding unit 4110, 4410 MAC key update unit 4120, 4420 Counter reset unit 4130 Security processing unit 4140 Security condition holding unit 4150 Illegal ID list holding unit 4160 Illegal log holding unit 4170 Mode change processing unit

Claims (11)

In an in-vehicle network system including a plurality of electronic control units for sending and receiving data frames to which a message authentication code (MAC) is added in the in-vehicle network, in one of the plurality of electronic control units. The fraudulent response method used
Upon receiving the data frame transmitted to the in-vehicle network,
The first message authentication code is generated by using the value of the counter that counts the number of times the data frame with the message authentication code is transmitted and the MAC key.
It is verified that the generated first message authentication code is added to the received data frame, and the data frame is verified.
When the verification fails for a data frame containing a predetermined ID, the number of error occurrences is incremented, and when the number of error occurrences exceeds a predetermined threshold value, a process associated with the predetermined ID in advance is executed.
Fraud handling method. When the predetermined ID is the same as any one or more IDs indicated by the predetermined fraudulent ID list, the process associated with the predetermined ID in advance is the addition of the predetermined ID to the fraudulent ID list. The fraudulent handling method according to claim 1. The fraud countermeasure method according to claim 1, wherein the process associated with the predetermined ID in advance is transmission of a frame including information indicating that the illegal frame has been transmitted. The fraud according to claim 1, wherein the process associated with the predetermined ID in advance is a control for adding a certain suppression to the function of the vehicle equipped with the in-vehicle network system to bring it into a predetermined specific state. Workaround. The control is a control that limits the vehicle to a predetermined speed or less.
The fraudulent countermeasure method according to claim 4. The control is to generate and transmit a predetermined frame for changing to the specific state.
The fraudulent countermeasure method according to claim 4. Further, in the fraud handling method, when the ID of the data frame whose transmission is started in the in-vehicle network is the same as any one or more IDs indicated by the predetermined fraud ID list, the end of the data frame is transmitted. Send an error frame before it is done
The fraud handling method according to claim 1, wherein the process associated with the predetermined ID in advance is an addition of the predetermined ID to the fraudulent ID list. The fraud countermeasure method according to claim 1, wherein the process associated with the predetermined ID in advance is recording of log information indicating the predetermined ID on a recording medium. The in-vehicle network includes a plurality of networks, and each of the plurality of networks belongs to one of a plurality of types of groups.
Further, when the verification fails, the electronic control unit executes a predetermined process in association with the group to which the network to which the own unit is connected belongs among the plurality of networks. The fraudulent handling method according to claim 1. The in-vehicle network includes a plurality of networks, and each of the plurality of network electronic control units belongs to one of a plurality of types of groups.
The ID of the data frame whose transmission has been started to the in-vehicle network is transmitted in any one of a plurality of types of groups.
Further, the fraud countermeasure is a process associated with the predetermined group in advance when the number of times the verification fails for the data frame including the predetermined ID transmitted in the network belonging to the predetermined group exceeds the predetermined threshold value. The fraudulent countermeasure method according to claim 1. The fraudulent countermeasures are further described.
When the verification fails, the verification performed again using the second message authentication code generated by using the MAC key before the update of the MAC key is performed again using the second message authentication code. If it fails, a counter reset frame indicating the counter reset request is transmitted via the vehicle-mounted network.
The fraudulent countermeasure method according to claim 1, wherein the counter is reset when the counter reset frame is transmitted.

Images