WO2024166158A1 - On-board device, server computer, communication system, control method, and computer program - Google Patents

Abstract

This on-board device is installed in a vehicle and causes a communication unit, which communicates with an external device located outside the vehicle, to restrict the communication with the external device in accordance with a security rule generated on the basis of road/vehicle information, including vehicle information about the vehicle and roadside information regarding outside of the vehicle, wherein the vehicle information includes application operation information for identifying an application operating in the vehicle and/or connection information indicating a communication connection state with the external device.

Description

On-vehicle device, server computer, communication system, control method, and computer program

This disclosure relates to an in-vehicle device, a server computer, a communication system, a control method, and a computer program.

It is known that cybersecurity attacks on computer systems and networks by malicious third parties can be countered by appropriately setting security rules (e.g., communication access permission lists and communication filter thresholds, etc.). The following Patent Document 1 discloses a security setting support device that uses feature quantities of traffic data related to DDoS (Distributed Denial of Service) attacks to calculate predicted values of security setting parameters through machine learning. The security setting support device provides security setting support based on the results of a prior evaluation of security settings based on predicted values.

International Publication No. 2022/009274

The on-board device according to one aspect of the present disclosure is an on-board device mounted on a vehicle, and causes a communication unit that communicates with an external device outside the vehicle to restrict communication with the external device in accordance with security rules generated based on road-vehicle information including vehicle information about the vehicle and roadside information about the outside of the vehicle, and the vehicle information includes at least one of application operation information that identifies an application running in the vehicle and connection information that indicates the communication connection state with the external device.

FIG. 1 is a schematic diagram illustrating a configuration of a communication system according to an embodiment of the present disclosure. FIG. 2 is a block diagram showing a hardware configuration of the in-vehicle system shown in FIG. FIG. 3 is a block diagram showing a hardware configuration of the roadside unit shown in FIG. FIG. 4 is a block diagram showing the hardware configuration of the server (that is, the server computer) shown in FIG. FIG. 5 is a block diagram showing a functional configuration of the in-vehicle system shown in FIG. FIG. 6 is a flowchart showing the operation of the in-vehicle system relating to the determination of security rules. FIG. 7 is a flowchart showing the communication-related operation of the in-vehicle system. FIG. 8 is a diagram showing a first example showing a change in security rules accompanying a change in the application operation status in the vehicle. FIG. 9 is a diagram showing the position of a vehicle. FIG. 10 is a diagram showing a second example showing a change in security rules accompanying a change in the application operation status in the vehicle. FIG. 11 is a diagram showing a third example showing a change in security rule accompanying a change in the communication connection status in the vehicle. FIG. 12 is a diagram showing a fourth example of changes in security rules accompanying changes in application operation status and communication connection status in a vehicle. FIG. 13 is a block diagram showing a functional configuration of an in-vehicle system according to a modified example. FIG. 14 is a diagram showing an example of a security rule table generated from the specifications of an application.

[Problem to be solved by this disclosure]
In the in-vehicle network, application programs (e.g., application programs for users, hereinafter simply referred to as applications) running in the vehicle are switched. In addition, external communication parameters (e.g., network information such as a communication destination IP address and a port number, communication volume, etc.) vary depending on the connection state with an external device (e.g., a server computer, etc.). Therefore, in order to take measures against cybersecurity attacks, it is necessary to dynamically control security rules using limited resources of the in-vehicle device. However, the method disclosed in Patent Document 1 requires a high computational cost (i.e., a large load due to arithmetic processing) in machine learning of features, and requires many resources. In addition, many resources are required when using the machine learning results. Therefore, it is difficult to apply the method disclosed in Patent Document 1 to an in-vehicle device with limited resources.

The present disclosure therefore aims to provide an in-vehicle device, a server computer, a communication system, a control method, and a computer program that can determine security rules with low computational cost and dynamically control the security rules in response to at least one of the operating status of an application in the vehicle in which the device is installed and the connection status with an external device.

[Effects of the Invention]
According to the present disclosure, it is possible to provide an in-vehicle device, a server computer, a communication system, a control method, and a computer program that can determine security rules with low computational cost and dynamically control security rules according to at least one of the operating status of an application in the vehicle in which it is installed and the connection status with an external device.

[Description of the embodiments of the present disclosure]
The contents of the embodiments of the present disclosure will be listed and described below. At least a part of the embodiments described below may be arbitrarily combined.

(1) An in-vehicle device according to a first aspect of the present disclosure is an in-vehicle device mounted on a vehicle, which causes a communication unit that communicates with an external device outside the vehicle to restrict communication with the external device in accordance with security rules generated based on road-vehicle information including vehicle information about the vehicle and roadside information about the outside of the vehicle, and the vehicle information includes at least one of application operation information that identifies an application running in the vehicle and connection information that indicates the communication connection state with the external device. This makes it possible to determine security rules with low computational cost and dynamically control the security rules according to the operation status of applications in the vehicle in which the in-vehicle device is mounted and the connection state with the external device.

(2) In the above (1), the in-vehicle device can receive security rules from an external device. This reduces the load of calculations required to determine security rules in the in-vehicle device.

(3) In the above (1), the in-vehicle device may further include a roadside information acquisition unit that acquires roadside information from an external device, a roadside-vehicle information generation unit that generates roadside-vehicle information by adding vehicle information to the roadside information, a determination unit that determines outside-vehicle communication parameter determination information based on the roadside-vehicle information, and a security rule generation unit that generates security rules based on the outside-vehicle communication parameter determination information. This makes it possible to determine appropriate security rules according to the operating status of applications in the vehicle and the connection status with the external device.

(4) In the above (3), the road-to-vehicle information may include at least one of location information and map information in addition to at least one of application operation information and connection information. This makes it possible to determine external vehicle communication parameters for generating appropriate security rules.

(5) In the above (3) or (4), the outside-vehicle communication parameter determination information may include at least one of application operation information and connection information. This allows appropriate security rules to be generated.

(6) In the above (5), the outside-vehicle communication parameter determination information may include at least application operation information, and the security rule generation unit may generate a security rule including a first communication filter threshold value when it determines from the application operation information that there is no application running, and may generate a security rule including a second communication filter threshold value that is greater than the first communication filter threshold value when it determines from the application operation information that an application that controls the opening and closing of the vehicle doors is running. This makes it possible to filter the transmitted data when data exceeding an expected communication volume (i.e., the first communication filter threshold value) is transmitted to the in-vehicle system while the vehicle is parked and before authentication (i.e., when there is no running application). This makes it possible to take measures against, for example, Denial of Service (DoS) attacks.

(7) In (5) or (6) above, the outside-vehicle communication parameter determination information may include at least application operation information, and the security rule generation unit may generate security rules that do not include access permissions when it determines from the application operation information that no application is running, and may generate security rules that include access permissions to external devices that provide services to the driving assistance application when it determines from the application operation information that a driving assistance application is running. This makes it possible to restrict access from an unexpected communication destination to the in-vehicle system when the vehicle is located in an area not covered by the driving assistance service (i.e., when there is no running application). For example, it becomes possible to take measures against access from a false communication destination (i.e., spoofing).

(8) In any one of (5) to (7) above, the outside-vehicle communication parameter determination information may include at least connection information, and the security rule generation unit may generate a security rule including a third communication filter threshold value specified by the connection information corresponding to the first region when the vehicle position specified from the road-vehicle information is in a first region including multiple intersections, and may generate a security rule including a fourth communication filter threshold value specified by the connection information corresponding to the second region when the vehicle position specified from the road-vehicle information is in a second region narrower than the first region and including one intersection, and the fourth communication filter threshold value may be greater than the third communication filter threshold value. As a result, when the vehicle is located in the first region (e.g., a cloud communication area), if data exceeding the communication volume expected from the connection state (i.e., the third communication filter threshold value) is transmitted to the in-vehicle system, the transmitted data can be filtered. Therefore, it becomes possible to take measures against, for example, DoS attacks.

(9) In (5) above, the outside-vehicle communication parameter determination information may include application operation information, and when the security rule generation unit identifies that multiple applications are running in the vehicle based on the outside-vehicle communication parameter determination information, the security rule generation unit may generate a security rule table for each of the multiple running applications and integrate the multiple security rule tables to generate security rules. This makes it possible to efficiently generate security rules that restrict communication of one communication unit.

(10) In any one of (4) to (9) above, if the road-to-vehicle information does not include connection information, the decision unit may generate connection information from the road-to-vehicle information as outside-vehicle communication parameter determination information. This makes it possible to generate operation information and connection information from the road-to-vehicle information, and to generate appropriate security rules.

(11) In any one of (1) to (10) above, the security rules may include restrictions on at least one of the access frequency, communication speed, number of sessions, number of SYN packets, communication address of the communication destination, and port number of the communication destination, related to the communication by the communication unit. This can improve the security of the communication by the communication unit.

(12) In any one of (1) to (11) above, the in-vehicle device may further include an update unit that updates the security rules, and the update unit may update the security rules upon receiving, via the communication unit, a new application to be run in the vehicle or an update application for an application running in the vehicle. This allows the security rules to be maintained in an appropriate state.

(13) In the above (12), new security rules corresponding to the new application or the updated application may be received from an external device, and the update unit may update the security rules using the new security rules. This can further reduce the load of calculations required to determine security rules according to the operating status of the application.

(14) A server computer according to a second aspect of the present disclosure includes a generation unit that generates security rules for an on-board device mounted on a vehicle, the security rules restricting communication of the on-board device with the outside of the vehicle, based on vehicle information about the vehicle and road-vehicle information including roadside information about the outside of the vehicle, and a communication unit that transmits the security rules to the on-board device, the vehicle information including at least one of application operation information that identifies an application running in the vehicle and connection information that indicates the communication connection state with an external device. This allows the on-board system to dynamically control communication with the outside of the vehicle in accordance with security rules according to the operation status of the application in the vehicle and the connection state with the external device.

(15) In the above (14), the communication unit can receive vehicle information from the in-vehicle device, and the server computer can further include a road-to-vehicle information generation unit that generates road-to-vehicle information by adding the vehicle information received by the communication unit to the roadside information, and a determination unit that determines outside-vehicle communication parameter determination information based on the road-to-vehicle information, and the generation unit can generate security rules based on the outside-vehicle communication parameter determination information. This can reduce the load caused by the calculation process for determining security rules in the in-vehicle device.

(16) A communication system according to a third aspect of the present disclosure includes an in-vehicle device according to any one of (1) to (13) above and a server computer according to (14) above, and the in-vehicle device causes a communication unit mounted in the vehicle to communicate with the server computer as an external device. This allows the in-vehicle device to dynamically control security rules according to the operating status of applications in the vehicle and the connection status with the external device.

(17) A communication system according to a fourth aspect of the present disclosure includes the in-vehicle device described in (1) or (2) above and the server computer described in (15) above, and the in-vehicle device causes a communication unit mounted in the vehicle to communicate with the server computer as an external device. This allows the in-vehicle device to dynamically control security rules according to the operating status of applications in the vehicle and the connection status with the external device.

(18) A control method according to a fifth aspect of the present disclosure is a control method for an in-vehicle system mounted on a vehicle, the control method including a step in which an in-vehicle device included in the in-vehicle system causes a communication unit that communicates with an external device outside the vehicle to restrict communication with the external device in accordance with security rules generated based on vehicle information about the vehicle and road-vehicle information including roadside information about the outside of the vehicle, the vehicle information including at least one of application operation information that identifies an application running in the vehicle and connection information that indicates a communication connection state with the external device. This allows the in-vehicle device to dynamically control security rules according to the operation status of the application in the vehicle and the connection state with the external device.

(19) A computer program according to a sixth aspect of the present disclosure causes a computer mounted on a vehicle to realize a function of restricting communication with an external device in a communication unit that communicates with an external device outside the vehicle in accordance with security rules generated based on road-vehicle information including vehicle information about the vehicle and roadside information about the outside of the vehicle, the vehicle information including at least one of application operation information that identifies an application running in the vehicle and connection information that indicates the communication connection state with the external device. This allows the in-vehicle device to dynamically control security rules according to the operation status of the application in the vehicle and the connection state with the external device.

[Details of the embodiment of the present disclosure]
In the following embodiments, the same parts are denoted by the same reference numerals, and their names and functions are also the same, so detailed description thereof will not be repeated.

[Overall configuration]
1, a communication system 100 according to an embodiment of the present disclosure includes a vehicle 104 equipped with an in-vehicle system 102, and a server (i.e., a server computer) 112 capable of communicating with the in-vehicle system 102 via a base station 108 and a network 110. The communication system 100 may include a roadside unit 106 including a sensor, which is fixedly installed on the roadside. The server 112 provides services such as transmitting driving assistance information to the in-vehicle system 102. The in-vehicle system 102 and the roadside unit 106 transmit data to the server 112 to be used for generating the driving assistance information to be transmitted by the server 112 (hereinafter, also referred to as uploading).

The base station 108 provides mobile communication services, for example, via 4G (i.e., fourth generation mobile communication system) lines and 5G (i.e., fifth generation mobile communication system) lines. The base station 108 is connected to the network 110. The in-vehicle system 102 mounted on the vehicle 104 has a communication function according to the communication specifications (i.e., 4G lines, 5G lines, etc.) provided by the base station 108. The roadside unit 106 is also connected to the network 110 via the base station 108. Note that communication between the server 112 and the in-vehicle system 102 and the roadside unit 106 is not limited to communication via the network 110, and may be wireless communication such as Wi-Fi. Also, communication between the server 112 and the fixed roadside unit 106 may be wired communication without going through the base station 108.

Sensor data acquired by sensors mounted on the vehicle 104 (hereinafter also referred to as on-board sensors) is analyzed in the on-board system 102, and the analysis results are stored as dynamic information. The dynamic information is used in the autonomous driving function of the vehicle. In addition, the sensor data and dynamic information are uploaded from the on-board system 102 to the server 112.

The roadside unit 106 is installed on the roadside and acquires information on the roadside using sensors (hereinafter also referred to as infrastructure sensors). The sensor data is analyzed in the roadside unit 106, and dynamic objects and the like are detected. The sensor data and analysis results are uploaded from the roadside unit 106 to the server 112. The vehicle 104 shown in FIG. 1 is the detection target of the infrastructure sensor of the roadside unit 106, and is detected as a dynamic object.

Dynamic information is information about dynamic objects detected by sensors (i.e., infrastructure sensors and vehicle-mounted sensors). Dynamic objects are not limited to moving objects (e.g., people and vehicles, etc.), but also include objects that have the ability to move but are stationary. The dynamic information is used as driving assistance information for use in the autonomous driving of the vehicle. In addition, the dynamic information is transmitted to server 112 and used to generate driving assistance information that is transmitted from server 112 to vehicles (including vehicle 104 and vehicles other than vehicle 104).

FIG. 1 shows one base station 108, one roadside unit 106, and one vehicle 104 equipped with an in-vehicle system 102. However, this is merely an example. Typically, multiple base stations are provided, and there are multiple vehicles equipped with in-vehicle systems. There may be vehicles that do not have an in-vehicle system capable of communicating with the server 112. Vehicles that do not have an in-vehicle system are detected as dynamic objects.

[Hardware configuration of in-vehicle system]
2, an example of a hardware configuration of the in-vehicle system 102 mounted on the vehicle 104 is shown. The in-vehicle system 102 includes an external communication unit 120, an in-vehicle device 122, a sensor 124, an automatic driving ECU (Electronic Control Unit) 126, an authentication ECU 128, a drive ECU 130, and a bus 132. Note that the in-vehicle system 102 includes a plurality of ECUs, and FIG. 2 shows the automatic driving ECU 126, the authentication ECU 128, and the drive ECU 130 as examples.

The external communication unit 120 performs wireless communication with external devices of the vehicle 104 (for example, communication with the server 112 via the base station 108). The external communication unit 120 includes an integrated circuit (IC) for performing modulation and multiplexing used in wireless communication, an antenna for transmitting and receiving radio waves of a specific frequency, and an RF (Radio Frequency) circuit. The external communication unit 120 also has a communication function with a global navigation satellite system (GNSS) such as a global positioning system (GPS) in order to obtain information for identifying the current position of the vehicle 104. The external communication unit 120 may also have a communication function such as Wi-Fi.

The in-vehicle device 122 includes a control unit 140 and a memory 142. The control unit 140 includes a CPU (Central Processing Unit) and controls the memory 142. The memory 142 is, for example, a rewritable non-volatile semiconductor memory, and stores a computer program (hereinafter simply referred to as a program) executed by the control unit 140. The memory 142 provides a work area for the program executed by the control unit 140. The control unit 140 obtains data to be processed directly from the vehicle exterior communication unit 120 and obtains data from other than the vehicle exterior communication unit 120 via the bus 132. The control unit 140 appropriately stores data received from the vehicle exterior communication unit 120 and data received via the bus 132 in the memory 142. The control unit 140 stores the processing results in the memory 142 and outputs them to the bus 132.

The in-vehicle device 122 serves as a gateway (i.e., communication protocol conversion, etc.) that connects communication functions with the outside of the vehicle (specifically, communication specifications) with communication functions within the vehicle (i.e., communication specifications). The autonomous driving ECU 126 and authentication ECU 128, etc., can communicate with external devices via the in-vehicle device 122 and the exterior communication unit 120. The in-vehicle device 122 controls security rules regarding communication with the outside of the vehicle, as described below. In addition, the in-vehicle device 122 transmits, for example, driving assistance information, which is received from the outside via the exterior communication unit 120, to the autonomous driving ECU 126. The bus 132 serves as a communication function within the in-vehicle system. Communication (i.e., data exchange) between the in-vehicle device 122, the sensor 124, the autonomous driving ECU 126, the authentication ECU 128, and the drive ECU 130 is performed via the bus 132. For example, a Controller Area Network (CAN) is used for bus 132.

The sensor 124 is mounted on the vehicle 104 and includes a sensor for acquiring information outside the vehicle 104 (for example, a video image capturing device (for example, a digital camera (CCD (Charge-Coupled Device) camera, CMOS (Complementary Metal-Oxide Semiconductor) camera)), a laser sensor (LiDAR), etc.). The sensor 124 may also include a sensor for acquiring information about the vehicle itself (acceleration sensor, load sensor, etc.). The sensor 124 acquires information within the detection range (imaging range in the case of a camera) and outputs it as sensor data. If the sensor 124 is a digital camera, it outputs digital image data. The detection signal (i.e., analog or digital signal) of the sensor 124 is output as digital data to the bus 132 via an I/F unit (not shown) and transmitted to the in-vehicle device 122 and the autonomous driving ECU 126, etc.

The autonomous driving ECU 126 controls the driving of the vehicle 104. For example, the autonomous driving ECU 126 acquires sensor data from the sensors 124, analyzes it to understand the situation around the vehicle, and transmits it to the driving ECU 130, which is a mechanism related to autonomous driving. The driving ECU 130 controls the driving unit 134 (e.g., mechanisms such as the engine, motor, transmission, steering, and brakes). The autonomous driving ECU 126 uses driving assistance information acquired from the in-vehicle device 122 for autonomous driving. The authentication ECU 128 performs user authentication to permit the unlocking of the doors of the vehicle 104, as described below.

[Hardware configuration of roadside unit]
3, an example of a hardware configuration of the roadside unit 106 is shown. The roadside unit 106 includes a communication unit 150, a control unit 152, a sensor 154, a memory 156, and a bus 158. Data exchange between the control unit 152, the sensor 154, and the memory 156 is performed via the bus 158. The communication unit 150 receives data from the server 112 and transmits data to the server 112. The communication unit 150 obtains transmission data from the control unit 152 and outputs received data to the control unit 152. The data received by the communication unit 150 is appropriately stored in the memory 156.

The control unit 152 is configured to include, for example, a CPU. The memory 156 is, for example, a rewritable non-volatile semiconductor memory, and stores the program executed by the control unit 152. The memory 156 provides a work area for the program executed by the control unit 152. The memory 156 may include a large-capacity storage device such as a hard disk drive. The sensor 154 is a sensor for acquiring information outside the roadside unit 106, and includes, for example, an image sensor (for example, a digital surveillance camera), a radar (for example, a millimeter-wave radar), or a laser sensor (for example, a LiDAR). The sensor 154 acquires information within a detection range (for example, an imaging range in the case of a camera) and outputs it as sensor data. The sensor data is stored in the memory 156.

The control unit 152 reads out the sensor data from the memory 156 and outputs it to the communication unit 150. As a result, the sensor data of the sensor 154 is transmitted from the communication unit 150 to the server 112. The control unit 152 also reads out the sensor data from the memory 156 and analyzes it. As a result of the analysis, dynamic objects, etc. are detected. The control unit 152 outputs information about the detected dynamic objects, etc. to the communication unit 150. As a result, the analysis result of the control unit 152 is transmitted from the communication unit 150 to the server 112, and the server 112 can generate information about the outside of the vehicle 104 (hereinafter referred to as roadside information) as described below.

[Server hardware configuration]
4, the server 112 includes a control unit 160 for controlling each unit, a memory 162 for storing data, a communication unit 164 for performing communication, and a bus 166 for exchanging data between each unit. The control unit 160 includes a CPU, and realizes functions described below by controlling each unit. The memory 162 includes a rewritable semiconductor non-volatile memory and a large-capacity storage device such as a hard disk drive. The communication unit 164 receives data uploaded from the in-vehicle system 102 and the roadside device 106. The data received by the communication unit 164 is transmitted to and stored in the memory 162. The server 112 analyzes the received data to generate roadside information and transmits it to the in-vehicle system 102. When the server 112 provides a driving assistance service, the server 112 analyzes the received data to generate driving assistance information and transmits it to the vehicle (i.e., the in-vehicle system).

[Functional configuration of in-vehicle system]
The function of the in-vehicle device 122, that is, the function of controlling the security rule, will be described with reference to Fig. 5. The in-vehicle device 122 includes a roadside information acquisition unit 200, a road-vehicle information generation unit 202, an exterior communication parameter judgment information determination unit 204, and a security rule generation unit 206. The functions of the roadside information acquisition unit 200, the road-vehicle information generation unit 202, the exterior communication parameter judgment information determination unit 204, and the security rule generation unit 206 are realized by the control unit 140 and the memory 142 shown in Fig. 2. The exterior communication unit 120 includes a security unit 208 that performs communication security such as a packet filter. As described later, the in-vehicle device 122 outputs the determined security rule to the security unit 208, and causes the security unit 208 to restrict the communication performed by the exterior communication unit 120 according to the input rule.

The roadside information acquisition unit 200 acquires roadside information transmitted from the server 112 by the external communication unit 120. The roadside information is information relating to the outside of the in-vehicle system 102, and includes map information. The map information includes, for example, a road map around the in-vehicle system 102, and location information of external devices such as servers that can communicate with the in-vehicle system 102 (hereinafter referred to as the external device map). Based on the external device map, the communication area of each server etc. becomes clear, and the communication connection status between the external device and the vehicle can be derived. The external device map is used when the connection information (i.e., information indicating the communication connection status with an external device), which will be described later, cannot be acquired directly. The acquired roadside information is stored in the memory 142.

The road-vehicle information generating unit 202 generates road-vehicle information by adding roadside information acquired by the roadside information acquiring unit 200 to information acquired from the external communication unit 120, the automatic driving ECU 126, the drive ECU 130, etc. (hereinafter referred to as vehicle information). The generated road-vehicle information is stored in the memory 142. The vehicle information includes, for example, position information indicating the position of the vehicle 104, application operation information identifying user-oriented applications running in the vehicle 104, and connection information indicating the communication connection state with an external device. Therefore, the road-vehicle information includes, for example, position information, map information, application operation information, and connection information. The road-vehicle information generating unit 202 can identify applications running in the vehicle 104 by communicating with each unit in the in-vehicle system 102 via the bus 132, for example, and generate application operation information. This allows the determination of external vehicle communication parameters for generating appropriate security rules, as described below.

An application is, for example, a program executed in the in-vehicle system 102 to receive a service provided by the server 112. An application may be any program that can be executed in the vehicle 104, and is not limited to programs executed by the in-vehicle device 122, but also includes programs executed by ECUs such as the autonomous driving ECU 126, authentication ECU 128, and drive ECU 130.

Note that there may be cases where the road-to-vehicle information does not include connection information, i.e., the road-to-vehicle information generating unit 202 is unable to acquire connection information. Even in such cases, as described below, connection information can be generated from information included in the road-to-vehicle information. Therefore, it is sufficient for the road-to-vehicle information to include at least a portion of the above-mentioned information.

The outside-vehicle communication parameter judgment information determination unit 204 determines the outside-vehicle communication parameter judgment information from the road-and-vehicle information created by the road-and-vehicle information generation unit 202. The determined outside-vehicle communication parameter judgment information is stored in the memory 142. The outside-vehicle communication parameter judgment information is information for determining security rules related to wireless communication between the outside-vehicle communication unit 120 and the outside of the vehicle 104, that is, information used to determine which of the outside-vehicle communication parameters related to communication with the outside of the vehicle are to be restricted by the security rules. The outside-vehicle communication parameter judgment information includes, for example, application operation information and connection information. This makes it possible to generate appropriate security rules, as described below. If the road-and-vehicle information includes either application operation information or connection information, the outside-vehicle communication parameter judgment information determination unit 204 determines that information included in the road-and-vehicle information as the outside-vehicle communication parameter judgment information.

As described above, the road-to-vehicle information may not include connection information. In such cases, the exterior-vehicle communication parameter judgment information determination unit 204 indirectly determines the connection information that is not included in the road-to-vehicle information. That is, the exterior-vehicle communication parameter judgment information determination unit 204 estimates the connection information that is not included from the information included in the road-to-vehicle information. For example, the exterior-vehicle communication parameter judgment information determination unit 204 can infer the external device (e.g., IP address and port number) and its communication state (e.g., communication speed) to which the exterior-vehicle communication unit 120 is connected, based on the position information and map information (including an exterior device map) included in the road-to-vehicle information, and can therefore determine the connection information. This makes it possible to generate connection information from the road-to-vehicle information, and to generate appropriate security rules.

The security rule generating unit 206 generates security rules from the outside-vehicle communication parameter determination information determined by the outside-vehicle communication parameter determination information determining unit 204. The outside-vehicle communication parameters, which are parameters related to communication by the outside-vehicle communication unit 120, include, for example, the frequency of access from the outside, the communication volume (i.e., communication speed), the number of sessions established for communication, the number of SYN packets communicated to establish communication, the communication destination IP address, and the communication destination port number. This can improve the security of communication by the outside-vehicle communication unit 120, as described later. The outside-vehicle communication parameters are not limited to these. The security rule generating unit 206 identifies the outside-vehicle communication parameters to be restricted from the outside-vehicle communication parameter determination information (for example, application operation information and connection information), determines the content of the restriction, and generates, for example, a table (hereinafter referred to as a security rule table) that corresponds the outside-vehicle communication parameters to the content of the restriction, and sets it as a security rule. The security rule generating unit 206 outputs the determined security rule to the security unit 208 of the outside-vehicle communication unit 120. In addition, the security rule generation unit 206 stores the generated security rules in memory 142.

Since the application is identified by the application operation information, if the specifications of the outside-vehicle communication by the application are known, the security rule generation unit 206 can determine the outside-vehicle communication parameters, generate a security rule table for each application, and store it in the memory 142. Therefore, it is sufficient if the communication specifications of each application are stored in the memory 142 in advance. For example, each application may be analyzed and the communication specifications may be stored in the memory 142. By analyzing an application downloaded and stored in the in-vehicle system 102, the communication conditions of the application (e.g., communication destination IP address, communication destination port number, communication volume, etc.) can be identified and a security rule table can be generated. In addition, as described later, the communication specifications of the application may be downloaded from a server and stored in the memory 142. Note that when multiple applications are started, the outside-vehicle communication parameters corresponding to each application are obtained, but since the outside-vehicle communication path that is restricted is one outside-vehicle communication unit 120, the security rule generation unit 206 integrates multiple security rule tables. For example, when each of the multiple security rule tables includes communication volume, a security rule including the total value of those is generated. If each of the multiple security rule tables contains a pair of a destination IP address and a destination port number, a security rule that includes all of them is generated. This makes it possible to efficiently generate security rules that restrict communication of the exterior communication unit 120.

The security unit 208 stores the input security rules in an internal memory and restricts the communication executed by the vehicle exterior communication unit 120 according to the security rules. Therefore, the security of the communication by the vehicle exterior communication unit 120 can be improved. The above-mentioned processes by the roadside information acquisition unit 200, the road-vehicle information generation unit 202, the vehicle exterior communication parameter judgment information determination unit 204, the security rule generation unit 206, and the security rule generation unit 206 are repeatedly executed, and the security rules are repeatedly generated. The road-vehicle information changes according to the changes in the operating status of the application in the vehicle 104 and the connection status with the external device, and the vehicle exterior communication parameter judgment information changes according to the changes. Therefore, the security rules change according to the changes in the operating status of the application in the vehicle 104 and the connection status with the external device. When a new security rule is input from the security rule generation unit 206, the security unit 208 rewrites and updates the security rule stored in the internal memory with the new security rule.

As a result, the in-vehicle system 102 (specifically, the in-vehicle device 122) can determine appropriate security rules according to the operating status of applications in the vehicle 104 in which it is installed and the connection status with external devices. The in-vehicle system 102 can also dynamically control security rules according to changes in the operating status of applications in the vehicle 104 and the connection status with external devices. This makes it possible to counter cybersecurity attacks and improve the safety of communications with the outside world. Since security rules can be determined by processing information that can be obtained inside the vehicle 104 and information that can be obtained from a server, this can be achieved at low computational cost without performing resource-intensive processing such as machine learning.

In the above, the security rule generating unit 206 stores a security rule table for each application, but this is not limited to the above. The security rule generating unit 206 only needs to store the outside-vehicle communication parameters used to generate security rules for each application. The storage format may be a format other than a table.

[Operation of the in-vehicle device]
With reference to Fig. 6, the control operation of the security rule by the in-vehicle device 122 will be described with reference to the functions shown in Fig. 5. The process shown in Fig. 6 is realized by supplying power to the in-vehicle system 102 from an in-vehicle battery or the like, and by the control unit 140 (see Fig. 2) of the in-vehicle device 122 reading and executing a predetermined program from the memory 142. The results of the execution of the process shown below are stored in the memory 142 as appropriate.

In step 300, the control unit 140 determines whether or not roadside information has been received via the exterior vehicle communication unit 120. If it is determined that the roadside information has been received, control proceeds to step 302. If not, control proceeds to step 304. The roadside information is transmitted, for example, from the server 112.

In step 302, the control unit 140 stores the roadside information received in step 300 in the memory 142. Thereafter, control proceeds to step 304. The processing in steps 300 and 302 corresponds to the function of the roadside information acquisition unit 200 in FIG. 5.

In step 304, the control unit 140 acquires vehicle information of the vehicle 104 in which the in-vehicle system 102 is installed. The control unit 140 stores the acquired vehicle information in the memory 142. Thereafter, control proceeds to step 306. The vehicle information includes, for example, location information of the vehicle 104, application operation information, and connection information. The vehicle 104 acquires the vehicle information from the external communication unit 120, the autonomous driving ECU 126, the drive ECU 130, etc.

In step 306, the control unit 140 reads out from the memory 142 the vehicle information acquired in step 304 and the roadside information received in step 300, combines the vehicle information with the roadside information to generate road-and-vehicle information, and stores it in the memory 142. If the vehicle information and roadside information contain overlapping information, the control unit 140 leaves one of the overlapping pieces of information in the road-and-vehicle information. Then, control proceeds to step 308. The processing in steps 304 and 306 corresponds to the function of the road-and-vehicle information generation unit 202 in FIG. 5.

In step 308, the control unit 140 determines the exterior communication parameter determination information based on the road-vehicle information generated in step 306, and stores the information in the memory 142. Thereafter, control proceeds to step 310. The processing in step 308 corresponds to the function of the exterior communication parameter determination information determination unit 204 shown in FIG. 5.

In step 310, the control unit 140 generates a security rule based on the outside-vehicle communication parameter determination information determined in step 308. Then, control proceeds to step 312.

In step 312, the control unit 140 outputs the security rule to the security unit 208. After that, control proceeds to step 314. The processing of steps 310 and 312 corresponds to the function of the security rule generation unit 206 shown in FIG. 5.

In step 314, the control unit 140 determines whether or not to terminate. If it is determined that the program should terminate, the program terminates. If not, control returns to step 300, and the above-described processing is repeated. The instruction to terminate is given, for example, by stopping the supply of power to the in-vehicle device 122.

[Security section operation]
An operation of restricting communication by security unit 208 (see FIG. 5) of exterior communication unit 120 will be described with reference to Fig. 7. The process shown in Fig. 7 is realized, for example, by a control unit (e.g., a CPU) in security unit 208 reading out a predetermined program from an internal memory of security unit 208 and executing it.

In step 400, the security unit 208 determines whether or not a security rule has been acquired from the in-vehicle device 122. If it is determined that the security rule has been acquired, control proceeds to step 402. If not, control proceeds to step 404. The security rule is output from the in-vehicle device 122 to the security unit 208 in step 312 shown in FIG. 6.

In step 402, the security unit 208 updates the security rules currently in use. Specifically, the security unit 208 replaces the security rules currently in use with the security rules acquired in step 400 (e.g., overwrites them in the internal memory of the security unit 208). Then, control proceeds to step 404.

In step 404, the security unit 208 determines whether or not communication that violates a security rule has occurred. If it is determined that communication has occurred, control proceeds to step 406. If not, control proceeds to step 408. Communication that violates a security rule means communication that deviates from the range of the outside-vehicle communication parameters defined as the security rule. For example, if the security rule includes the communication volume as an outside-vehicle communication parameter and the threshold value (i.e., upper limit value) is set to a (bps), the security unit 208 determines that communication that violates a security rule has occurred when data exceeding a (bps) is received from outside the vehicle 104. For example, if the security rule includes a destination IP address as an outside-vehicle communication parameter, the security unit 208 determines that communication that violates a security rule has occurred when packet data is received that includes an IP address different from the destination IP address as a source address.

The period for executing the process of step 404 may vary depending on the outside-vehicle communication parameters included in the security rule. For example, if the security rule includes a destination IP address as an outside-vehicle communication parameter, the security unit 208 may determine, for each received packet, whether the source address included in the packet is the destination IP address. On the other hand, if the security rule includes communication volume (threshold value is a (bps)) as an outside-vehicle communication parameter, the received packets are buffered for a predetermined period of time, and it is determined whether the total value is equal to or less than a (bps).

In step 406, the security unit 208 allows only data that conforms to the security rules to be communicated. That is, the security unit 208 discards the received packet that is determined in step 404 to violate the security rules, and does not pass the packet to an application. The security unit 208 passes the received packet that is determined in step 404 not to violate the security rules to the application corresponding to the port number contained in the packet. After that, control proceeds to step 410.

In step 408, the security unit 208 makes all received data available for communication and passes each packet to the application corresponding to the port number contained in the packet. After that, control proceeds to step 410.

In step 410, the security unit 208 determines whether or not to terminate. If it is determined that the program should terminate, the program terminates. If not, control returns to step 400, and the above-described processing is repeated. The instruction to terminate is given, for example, by stopping the power supply to the external vehicle communication unit 120.

As a result, the in-vehicle system 102 (specifically, the in-vehicle device 122) can determine appropriate security rules according to the operating status of applications in the vehicle 104 in which it is installed and the connection status with external devices. Furthermore, the in-vehicle system 102 can dynamically control security rules according to changes in the operating status of applications in the vehicle 104 and the connection status with external devices. Therefore, the in-vehicle system 102 can counter cybersecurity attacks and improve the safety of communications with the outside. Since security rules can be determined by processing information that can be obtained inside the vehicle 104 and information that can be obtained from a server, this can be achieved at low computational cost without performing processes that require many resources, such as machine learning.

In the above, a case has been described in which the in-vehicle device 122 acting as a gateway has the function of controlling security rules, but this is not limited to the above. An element constituting the in-vehicle system 102 other than the in-vehicle device 122 (e.g., the external vehicle communication unit 120) may have the function of controlling security rules. The in-vehicle system 102 may also have a dedicated ECU for controlling security rules. The external vehicle communication unit 120 and the dedicated ECU, etc. are also mounted on the vehicle 104 and are included in the in-vehicle device.

A specific example will be described with reference to FIG. 8 to FIG.
[First Example]
With reference to FIG. 8, an example of directly determining application operation information included in the vehicle exterior communication parameter determination information used to generate security rules will be described. Here, it is assumed that the doors of the vehicle 104 are locked when the vehicle 104 is parked, and an application for opening and closing (i.e. unlocking and locking) the doors of the vehicle 104 is started after authentication. The left side of FIG. 8 shows information when the vehicle 104 is parked and before authentication. The right side of FIG. 8 shows information when the vehicle 104 is parked and after authentication. For example, the user's smartphone is used for authentication, and the authentication ECU 128 (see FIG. 2) of the in-vehicle system 102 communicates with the user's smartphone via the vehicle exterior communication unit 120. For example, the authentication ECU 128 of the in-vehicle system 102 receives an authentication trigger signal transmitted from the user's smartphone.

The road-to-vehicle information includes application operation information. As described above, the in-vehicle device 122 can communicate with each part of the in-vehicle system 102 and obtain the application operation information included in the road-to-vehicle information. The vehicle 104 is stopped, the doors are locked, and there is no application running. The application operation information included in the road-to-vehicle information is set with information indicating that there is no application running (e.g., "none"). The in-vehicle device 122 can identify that authentication has not yet occurred because the authentication ECU 128 has not received an authentication trigger signal. The in-vehicle device 122 determines that the application operation information of the outside-vehicle communication parameter determination information is "none" directly from the application operation information included in the road-to-vehicle information. As a result, the in-vehicle device 122 sets the communication filter threshold value (i.e., upper limit value) corresponding to the communication volume limit to Th1 as a security rule. Th1 is a small value that allows the in-vehicle device 122 to receive an authentication trigger signal from the outside (i.e., the user's smartphone) via the outside-vehicle communication unit 120. Th1 should be set to an appropriate value in advance.

When the authentication ECU 128 receives an authentication trigger signal, authentication is performed, and the in-vehicle device 122 obtains information indicating post-authentication from the authentication ECU 128. The in-vehicle device 122 can identify that the vehicle 104 is parked and post-authentication. The in-vehicle device 122 also attempts to communicate with each part of the in-vehicle system 102, identifies that the door opening and closing application is running, and sets information identifying the door opening and closing application (i.e., "door opening and closing") to the application operation information included in the road-vehicle information. The in-vehicle device 122 determines the application operation information of the outside-vehicle communication parameter determination information to be "door opening and closing" directly from the application operation information included in the road-vehicle information. In FIG. 8, the case where the name of the application is used as the information identifying the application is shown, but numbers, symbols, or combinations thereof uniquely corresponding to each application may also be used. From the outside-vehicle communication parameter determination information, the in-vehicle device 122 sets the communication filter threshold value regarding the limit of communication volume to Th2 as a security rule. Th2 is a value greater than Th1. For example, Th2 may be set to a value that can receive data (e.g., including a code that specifies locking or unlocking) sent from the smartphone by a user operating the smartphone screen (e.g., touching a lock or unlock button displayed on a touch panel). Th2 may also be determined taking into account the amount of communication data generated by applications other than the door opening and closing application, assuming that such applications are running. Note that if applications that can be started in the in-vehicle system 102 are associated with their outside-vehicle communication parameters (e.g., communication volume, destination IP address, destination port number, etc.) and stored in memory 142 in advance, security rules can be generated based on application operation information.

As a result, if data exceeding the expected communication volume (i.e., Th1) is transmitted to the in-vehicle system 102 while the vehicle 104 is parked and before authentication, the transmitted data can be filtered. This makes it possible to take measures against DoS attacks, for example.

[Second Example]
9 and 10 show an example different from that shown in FIG. 8, in which application operation information included in the outside-vehicle communication parameter determination information used to generate security rules is directly determined. Here, referring to FIG. 9, it is assumed that a driving assistance service is provided by an edge server (not shown) in an edge service area 222 including an intersection, and that no service is provided in a wide cloud service area 220 including the edge service area 222. In FIG. 9, the current vehicle position is indicated by a solid line, and the past positions are indicated by dashed lines. Vehicle 104B and vehicle 104A indicate the current and past vehicle positions of the same vehicle 104. The driving direction of each vehicle is indicated by an arrow.

Referring to FIG. 10, the left side shows information when vehicle 104A is located on a straight road outside edge service area 222. The right side of FIG. 10 shows information when vehicle 104B is located within edge service area 222. Road-to-vehicle information includes application operation information. The in-vehicle device 122 of vehicle 104A located on a straight road outside edge service area 222 attempts to communicate with each part of in-vehicle system 102, determines that no application is running, and sets the application operation information included in the road-to-vehicle information to "none". As a result, the in-vehicle device 122 determines the application operation information of the outside-vehicle communication parameter determination information to "none" directly from the application operation information included in the road-to-vehicle information. As a result, the in-vehicle device 122 sets the security rule to "no communication access permission", that is, to not allow communication outside the vehicle.

The in-vehicle device 122 of the vehicle 104B located on the right turn line of the intersection in the edge service area 222 attempts to communicate with each part of the in-vehicle system 102, identifies that the right turn assist application is running, and sets information identifying the right turn assist application (i.e., "right turn assist") to the application operation information included in the road-to-vehicle information. As a result, the in-vehicle device 122 determines the application operation information of the outside-vehicle communication parameter determination information to be "right turn assist" directly from the application operation information included in the road-to-vehicle information. From this outside-vehicle communication parameter determination information, the in-vehicle device 122 allows communication access to the edge server that provides the right turn assist information service. That is, the in-vehicle device 122 generates a security rule that includes the IP address and port number of the edge server as the communication destination IP address and communication destination port number.

As a result, if the vehicle 104 is located in an area not covered by the service and an access is made to the in-vehicle system 102 from an unexpected destination, the access can be restricted. For example, it becomes possible to take measures against access from a false destination (i.e., spoofing).

[Third Example]
With reference to Fig. 11, an example of indirectly determining connection information (i.e., information representing a communication connection state with an external device) included in the outside-vehicle communication parameter determination information used to generate a security rule will be described. Here, the position of the vehicle 104 is assumed to change in the same manner as in the second example (see Fig. 9). However, in the third example, unlike the second example, the in-vehicle system 102 is assumed to communicate with a cloud server (not shown) in the cloud service area 220 outside the edge service area 222. Note that, here, the connection information will be described, and the operating application information will be omitted.

Referring to FIG. 11, the left side shows information when the vehicle 104A is located on a road within the cloud service area 220 but outside the edge service area 222, and the right side shows information when the vehicle 104B is located on a road within the edge service area 222. The road-vehicle information includes, for example, position information and map information, but does not include connection information. The in-vehicle device 122 of the vehicle 104A can identify the vehicle position as the cloud service area 220 (i.e., cloud communication area) outside the edge service area 222 from the road-vehicle information (e.g., position information and map information). The in-vehicle device 122 determines the connection information of the out-of-vehicle communication parameter determination information to be cloud connection. As a result, the in-vehicle device 122 sets the communication filter threshold value (i.e., upper limit value) corresponding to the communication volume limit to Th3 as a security rule. Th3 may be set in advance based on the services provided by the cloud server.

The in-vehicle device 122 of the vehicle 104B can identify the vehicle position as being within the edge service region 222 (i.e., the edge server communication area) from the road-vehicle information. The in-vehicle device 122 determines the connection information of the outside-vehicle communication parameter determination information to be an edge server connection. As a result, the in-vehicle device 122 sets the communication filter threshold corresponding to the communication volume limit to Th4 as a security rule. Th4 may be set in advance based on the service provided by the edge server (e.g., right-turn assistance service). In general, communication between the in-vehicle system and an edge server that provides services in a narrow area such as an intersection is considered to have a higher real-time characteristic than communication with a cloud server that provides services in a wide area, since there are many dynamic objects such as people near the vehicle. Therefore, for example, Th4 is set to be greater than Th3.

As a result, if the vehicle 104 is located within a cloud communication area and data that exceeds the expected communication volume based on the connection state is transmitted to the in-vehicle system 102, the transmitted data can be filtered. This makes it possible to take measures against DoS attacks, for example.

[Fourth Example]
An example of generating security rules in a case where a plurality of applications are running will be described with reference to Fig. 12. Here, the position of the vehicle 104 changes in the same manner as in the second example (see Fig. 9). However, in the fourth example, unlike the second example, the in-vehicle system 102 runs a route guidance application and communicates with a cloud server in a cloud service area 220 including an edge service area 222.

Referring to FIG. 12, the left side shows information when the position of vehicle 104A is located on a road within cloud service area 220 but outside edge service area 222, and the right side shows information when the position of vehicle 104B is located on a road within edge service area 222. Road-to-vehicle information includes, for example, position information, map information, and application operation information. From the position information and map information included in the road-to-vehicle information, the in-vehicle device 122 of vehicle 104A can identify the vehicle position as the cloud service area 220 (i.e., cloud communication area). As a result, the in-vehicle device 122 sets the connection information of the outside-vehicle communication parameter determination information to "cloud connection". In addition, the in-vehicle device 122 attempts to communicate with each part of the in-vehicle system 102, identifies that a route guidance application is running, and sets information identifying the route guidance application (i.e., "route guidance") in the application operation information included in the road-to-vehicle information. As a result, the in-vehicle device 122 sets the application operation information of the outside-vehicle communication parameter determination information to "route guidance" directly from the application operation information included in the road-to-vehicle information. From this outside-vehicle communication parameter determination information (i.e., the connection information is "cloud connection" and the application operation information is "route guidance"), the in-vehicle device 122 permits communication access to the cloud server that provides the route guidance service. That is, the in-vehicle device 122 generates a security rule that includes the IP address and port number of the cloud server as the communication destination IP address and communication destination port number, and the communication filter threshold value (i.e., upper limit value) corresponding to the communication volume limit is a (Mbps). a (Mbps) may be set in advance based on the route guidance service.

The in-vehicle device 122 of the vehicle 104B can identify the vehicle position as the right turn line of the intersection in the edge service area 222 included in the cloud service area 220 from the position information and map information included in the road-to-vehicle information. As a result, the in-vehicle device 122 sets the connection information of the outside-vehicle communication parameter determination information to "cloud connection" and "edge server connection". The in-vehicle device 122 also attempts to communicate with each part of the in-vehicle system 102, identifies that a right-turn assist application is running in addition to the route guidance application that is already running, and sets "route guidance" and information specifying the right-turn assist application (i.e., "right turn assistance") to the application operation information included in the road-to-vehicle information. As a result, the in-vehicle device 122 sets "route guidance" and "right turn assistance" to the application operation information of the outside-vehicle communication parameter determination information directly from the application operation information included in the road-to-vehicle information. Based on this outside-vehicle communication parameter determination information (i.e., the connection information is "cloud connection" and "edge server connection", and the application operation information is "route guidance" and "right turn support"), the in-vehicle device 122 allows communication access to the cloud server providing the route guidance service and the edge server providing the right turn support service. That is, the in-vehicle device 122 generates a security rule in which the destination IP address and destination port number include the IP addresses and port numbers of the cloud server and edge server, and the communication filter threshold value (i.e., upper limit value) corresponding to the communication volume limit is a+b (Mbps). b (Mbps) is a value preset based on the right turn support service.

As a result, when the vehicle 104 is located in a cloud communication area and data is sent to the in-vehicle system 102 that exceeds the communication volume expected from the connection state, it becomes possible to filter the transmitted data. Therefore, for example, it becomes possible to take measures against DoS attacks. Also, when the vehicle 104 is located in an area where services are provided from a server, if there is access to the in-vehicle system 102 from an unexpected communication destination, that access can be restricted. For example, it becomes possible to take measures against access from a false communication destination (i.e., spoofing).

[Modification]
An application running in the vehicle 104 may be newly downloaded from a server by the in-vehicle system 102. Also, when an application already stored in the in-vehicle system 102 is updated, that is, when the in-vehicle system 102 downloads a new version of the application (hereinafter, referred to as an updated application) from a server, either case affects the generation of security rules in the in-vehicle system 102. The communication system according to the modified example can deal with this and efficiently generate security rules.

The communication system according to the modified example is configured similarly to the communication system 100 shown in FIG. 1, and the hardware configurations of the in-vehicle system, roadside unit, and server are similar to those of FIG. 2, FIG. 3, and FIG. 4, respectively. However, unlike communication system 100, the communication system according to the modified example has FIG. 13 replacing FIG. 5, which shows the functional configuration of the in-vehicle device of the in-vehicle system, and transmits applications (including update applications) from server 112. In the following, the symbols shown in FIG. 1 to FIG. 4 will be referenced as appropriate.

[Functional configuration of in-vehicle system according to modified example]
With reference to Fig. 13, the functions of the in-vehicle device 122A according to the modified example, i.e., the functions related to the control of security rules, will be described. The in-vehicle device 122A includes a roadside information acquisition unit 200, a road-vehicle information generation unit 202, an exterior communication parameter judgment information determination unit 204, a security rule generation unit 206, and a security rule table update unit 230. The exterior communication unit 120 includes a security unit 208 that performs communication security such as a packet filter. Fig. 13 is a configuration in which a security rule table update unit 230 is added to Fig. 5. In Fig. 13, the functions of the elements with the same reference numerals as those in Fig. 5 are the same as those in Fig. 5. Therefore, hereinafter, the overlapping description will not be repeated, and differences will mainly be described.

The functions of the security rule table update unit 230 are realized by the control unit 140 and memory 142 shown in FIG. 2, similar to the roadside information acquisition unit 200, road-and-vehicle information generation unit 202, exterior communication parameter judgment information determination unit 204, and security rule generation unit 206. The roadside information acquisition unit 200 acquires roadside information transmitted from the server 112 by the exterior communication unit 120. The road-and-vehicle information generation unit 202 generates road-and-vehicle information by adding the roadside information acquired by the roadside information acquisition unit 200 to the vehicle information acquired from the exterior communication unit 120, the autonomous driving ECU 126, the drive ECU 130, etc. The exterior communication parameter judgment information determination unit 204 determines exterior communication parameter judgment information from the road-and-vehicle information created by the road-and-vehicle information generation unit 202. The security rule generation unit 206 generates security rules from the exterior communication parameter determination information determined by the exterior communication parameter determination information determination unit 204, and outputs the generated security rules to the security unit 208 of the exterior communication unit 120. The security rule generation unit 206 generates a security rule table for each application and stores it in the memory 142. The security unit 208 restricts communication performed by the exterior communication unit 120 according to the input security rules.

The security rule table update unit 230 determines whether a new application or an updated application has been downloaded from the server 112, and if it determines that a new application or an updated application has been downloaded, it updates the security rule table. Specifically, when a new application is downloaded, the security rule table update unit 230 determines the outside-vehicle communication parameters of the application from the communication specifications of the downloaded application, generates a security rule table, and stores it in the memory 142. When an updated application is downloaded, the security rule table update unit 230 determines the outside-vehicle communication parameters of the application from the communication specifications of the downloaded application, generates a security rule table, and overwrites the old version of the security rule table already stored in the memory 142.

Referring to FIG. 14, an example of application specification information representing the specifications of an application and a security table is shown. In FIG. 14, the application specification information for receiving right turn assistance is shown in a table format at the top. The application specification information can be generated by analyzing the application downloaded from the server 112 by the in-vehicle device 122. The communication destination column indicates the party with which the entity executing the application (i.e., the in-vehicle system 102) communicates, and includes the IP address of the external server (i.e., the server 112) and a port number for identifying the service. The communication content column indicates information transmitted from the server 112 as a service, and is information regarding objects (mainly dynamic objects) within a specified area including an intersection that is the service target of the server 112. The communication volume column includes information for calculating the communication volume transmitted from the server 112 to the in-vehicle system. That is, the information includes that a maximum of a (bit) is assigned to one object within a specified area, the upper limit of the number of objects to which data is assigned is b, and the update period of the information transmitted from the server 112 is c (ms).

The security rule table update unit 230 generates a security table as shown in tabular form at the bottom of Figure 14 from the application specification information. The communication access permission includes the IP address and port number of the external vehicle server (i.e., server 112) that is the communication destination. The communication filter threshold (i.e., upper limit) is a value calculated from the information included in the communication volume column of the application specification information.

As a result, when the downloaded application is run, the exterior-vehicle communication parameter determination information determination unit 204 determines exterior-vehicle communication parameter identification information using the exterior-vehicle communication parameters newly stored in the memory 142. Based on the determined exterior-vehicle communication parameter identification information, the security rule generation unit 206 generates new security rules using the new security rule table stored in the memory 142.

In addition, there may be cases where the updated application is an important application and it is necessary to quickly run the updated application in place of the currently running application. In such a case, the running application is quickly stopped and the updated application is run, causing the exterior-vehicle communication parameter determination information determination unit 204 to determine exterior-vehicle communication parameter identification information using the exterior-vehicle communication parameters newly stored in memory 142. This causes the security rule generation unit 206 to generate new security rules.

In this way, the security rules (specifically, the security rule table) can be updated by downloading applications (including new applications and updated applications), thereby maintaining the security rules in an appropriate state.

In the above, a case has been described in which application specification information is generated by the in-vehicle device 122 analyzing an application downloaded from the server 112, but this is not limiting. The application specification information may be transmitted from the server 112 to the in-vehicle device 122. The server 112 that transmits the application stores the application specifications, and therefore can generate application specification information and transmit it to the in-vehicle device 122. This can reduce the load caused by the calculation process for determining security rules in the in-vehicle device 122.

For example, when sending new applications and updated applications to the in-vehicle system 102, the server 112 sends application specification information. By receiving specification information of applications executed in the in-vehicle system 102 from a device external to the in-vehicle system 102, the in-vehicle device 122 does not need to analyze the running applications to generate security rules. Therefore, the in-vehicle device 122 can further reduce the load of calculations required to determine security rules according to the operating status of the applications.

In the above, the in-vehicle system 102 (specifically, the in-vehicle device 122) generates security rules and restricts communication with the outside of the vehicle in accordance with the security rules, but this is not limited to the above. An external device of the vehicle 104 (e.g., the server 112 or the roadside device 106) may generate security rules for the in-vehicle system 102 and transmit them to the in-vehicle system 102, and restrict communication with the outside of the vehicle in accordance with the security rules received by the in-vehicle system 102. For example, the server 112 may include a generation unit that generates security rules that restrict communication with the outside of the vehicle 104 by the in-vehicle system 102 based on information about the outside of the vehicle 104 and road-vehicle information including vehicle information of the vehicle 104, and a communication unit that transmits the security rules to the in-vehicle system 102. This allows the in-vehicle system 102 to dynamically control communication with the outside of the vehicle in accordance with the security rules received from the server 112.

Furthermore, the communication unit 164 of the server 112 can receive vehicle information of the vehicle 104 from the in-vehicle system 102. The server 112 can further include a road-vehicle information generation unit that generates road-vehicle information by adding the vehicle information received by the communication unit 164 to roadside information, which is information about the outside of the vehicle 104, and a determination unit that determines outside-vehicle communication parameter determination information based on the road-vehicle information, and the generation unit can generate security rules based on the outside-vehicle communication parameter determination information. This can reduce the load caused by the calculation processing for determining security rules in the in-vehicle system 102.

In addition, each process (each function) of the above-mentioned embodiments may be realized by a processing circuit (circuitry) including one or more processors. The processing circuit may be configured by an integrated circuit or the like that combines one or more memories, various analog circuits, and various digital circuits in addition to the one or more processors. The one or more memories store programs (instructions) that cause the one or more processors to execute each of the above processes. The one or more processors may execute each of the above processes according to the programs read from the one or more memories, or may execute each of the above processes according to a logic circuit that has been designed in advance to execute each of the above processes. The processor may be a CPU, a GPU (Graphics Processing Unit), a DSP (Digital Signal Processor), an FPGA (Field Programmable Gate Array), an ASIC (Application Specific Integrated Circuit), or any other processor suitable for computer control.

In addition, a recording medium can be provided that records a program that causes a computer to execute the processing of the in-vehicle system 102 (specifically, the processing executed by the in-vehicle device 122 (e.g., the processing shown in FIG. 6)). The recording medium is, for example, an optical disk (such as a DVD (Digital Versatile Disc)) or a removable semiconductor memory (such as a USB (Universal Serial Bus) memory). Although a computer program can be transmitted over a communication line, the recording medium refers to a non-temporary recording medium. By having a computer mounted on a vehicle read the program stored in the recording medium, the computer can transmit data that can be effectively used by the service provided by the external device, taking into account the delay time and communication bandwidth when the in-vehicle system uploads data to an external device such as a roadside device, as described above.

(Additional Note)
That is, the non-transitory computer-readable recording medium is
A computer installed in a vehicle stores a computer program that causes a communication unit that communicates with an external device outside the vehicle to realize a security function that restricts communication with the external device in accordance with security rules generated based on vehicle information of the vehicle and road-vehicle information including roadside information, which is information regarding the outside of the vehicle, and the vehicle information includes at least one of application operation information that identifies an application running in the vehicle and connection information that indicates the communication connection status with the external device.

The present disclosure has been described above by explaining the embodiments, but the above-mentioned embodiments are merely examples, and the present disclosure is not limited to only the above-mentioned embodiments. The scope of the present disclosure is indicated by each claim in the scope of claims, taking into consideration the detailed description of the invention, and includes all modifications within the meaning and scope equivalent to the wording described therein.

100 Communication system 102 Vehicle-mounted system 104, 104A, 104B Vehicle 106 Roadside device 108 Base station 110 Network 112 Server 120 External communication unit 122, 122A Vehicle-mounted device 124, 154 Sensor 126 Automatic driving ECU
128 Certified ECU
130 Drive ECU
132, 158, 166 Bus 134 Driving unit 140, 152, 160 Control unit 142, 156, 162 Memory 150, 164 Communication unit 200 Roadside information acquisition unit 202 Road-vehicle information generation unit 204 Exterior-vehicle communication parameter judgment information determination unit 206 Security rule generation unit 208 Security unit 220 Cloud service area 222 Edge service area 230 Security rule table update unit 300, 302, 304, 306, 308, 310, 312, 314, 400, 402, 404, 406, 408, 410 Step

Claims (19)

An in-vehicle device mounted in a vehicle,
According to a security rule generated based on vehicle information of the vehicle and road-to-vehicle information including roadside information related to the outside of the vehicle, a communication unit that communicates with an external device outside the vehicle is caused to restrict communication with the external device;
The vehicle information includes at least one of application operation information that identifies an application running in the vehicle and connection information that indicates a communication connection state with the external device. The in-vehicle device according to claim 1, which receives the security rules from the external device. A roadside information acquisition unit that acquires the roadside information from the external device;
a road-and-vehicle information generating unit that generates the road-and-vehicle information by adding the vehicle information to the roadside information;
a determination unit that determines exterior-vehicle communication parameter determination information based on the road-to-vehicle information;
The in-vehicle device according to claim 1 , further comprising a security rule generating unit that generates the security rule based on the outside-vehicle communication parameter determination information. The vehicle-mounted device according to claim 3, wherein the road-vehicle information includes at least one of location information and map information in addition to at least one of the application operation information and the connection information. The in-vehicle device according to claim 3 or 4, wherein the outside-vehicle communication parameter determination information includes at least one of the application operation information and the connection information. the vehicle exterior communication parameter determination information includes at least the application operation information,
The security rule generation unit
generating the security rule including a first communication filter threshold value when it is determined from the application operation information that no application is running;
The in-vehicle device according to claim 5 , wherein when an application that controls opening and closing of a door of the vehicle is identified from the application operation information, the security rule is generated including a second communication filter threshold value that is greater than the first communication filter threshold value. the vehicle exterior communication parameter determination information includes at least the application operation information,
The security rule generation unit
generating the security rule that does not include an access permission when it is determined from the application operation information that no application is running;
The in-vehicle device according to claim 5 or claim 6, wherein when it is determined from the application operation information that a driving assistance application is operating, the security rule is generated including permission to access an external device that provides a service to the driving assistance application. the vehicle exterior communication parameter determination information includes at least the connection information,
The security rule generation unit
generating the security rule including a third communication filter threshold value specified by the connection information corresponding to a first area when the position of the vehicle specified from the road-vehicle information is within a first area including a plurality of intersections;
generating the security rule including a fourth communication filter threshold value specified by the connection information corresponding to a second area when the position of the vehicle specified from the road-vehicle information is within a second area that is narrower than the first area and includes one intersection;
The in-vehicle device according to claim 5 , wherein the fourth communication filter threshold is greater than the third communication filter threshold. the vehicle exterior communication parameter determination information includes the application operation information,
When the security rule generation unit determines that a plurality of applications are running in the vehicle based on the exterior-vehicle communication parameter determination information,
generating a security rule table for each of the plurality of running applications;
The in-vehicle device according to claim 5 , wherein the security rule is generated by integrating a plurality of the security rule tables. The in-vehicle device according to any one of claims 4 to 9, wherein the determination unit generates connection information as the outside-vehicle communication parameter determination information from the road-to-vehicle information if the road-to-vehicle information does not include the connection information. The in-vehicle device according to any one of claims 1 to 10, wherein the security rules include restrictions on at least one of the access frequency, communication speed, number of sessions, number of SYN packets, communication address of the communication destination, and port number of the communication destination, related to the communication by the communication unit. An update unit that updates the security rules,
12. The in-vehicle device according to claim 1, wherein the update unit updates the security rules when a new application to be run in the vehicle or an update application for an application running in the vehicle is received by the communication unit. new security rules corresponding to the new application or the updated application are received from the external device;
The in-vehicle device according to claim 12 , wherein the update unit updates the security rule by using the new security rule. a generating unit that generates, for an on-board device mounted on a vehicle, a security rule that restricts communication between the on-board device and the outside of the vehicle, based on vehicle information of the vehicle and road-vehicle information including roadside information relating to the outside of the vehicle;
a communication unit that transmits the security rule to the in-vehicle device,
The vehicle information includes at least one of application operation information that identifies an application running in the vehicle and connection information that indicates a communication connection state with the external device. The communication unit receives the vehicle information from the in-vehicle device,
a road-to-vehicle information generating unit that generates the road-to-vehicle information by adding the vehicle information received by the communication unit to the roadside information;
A determination unit that determines outside-vehicle communication parameter determination information based on the road-to-vehicle information,
The server computer according to claim 14 , wherein the generating unit generates the security rule based on the exterior-vehicle communication parameter determination information. An in-vehicle device according to any one of claims 1 to 13;
and the server computer according to claim 14,
The in-vehicle device causes the communication unit mounted on the vehicle to communicate with the server computer as the external device. The in-vehicle device according to claim 1 or 2,
and the server computer according to claim 15,
The in-vehicle device causes the communication unit mounted on the vehicle to communicate with the server computer as the external device. A method for controlling an in-vehicle system mounted in a vehicle, comprising:
a step of causing a communication unit that communicates with an external device outside the vehicle to restrict communication with the external device in accordance with a security rule generated based on road-vehicle information including vehicle information of the vehicle and roadside information relating to the outside of the vehicle,
A control method, wherein the vehicle information includes at least one of application operation information that identifies an application running in the vehicle and connection information that indicates a communication connection state with the external device. A computer mounted on the vehicle is caused to realize a function of restricting communication with an external device in a communication unit that communicates with the vehicle in accordance with a security rule generated based on road-vehicle information including vehicle information of the vehicle and roadside information related to the outside of the vehicle;
A computer program, wherein the vehicle information includes at least one of application operation information that identifies an application running in the vehicle and connection information that indicates a communication connection state with the external device.

Images