JP2018160078A - Abnormality detection device and abnormality detection method - Google Patents

Abstract

An anomaly detection device is provided that can detect an anomaly with a reduced computational load without degrading accuracy.
A normal model storage unit that stores a plurality of normal models, an operation mode determination unit that determines an operation mode of an object from a communication log, and a plurality of normal models stored in the normal model storage unit. A normal model selection unit 25 that selects a normal model corresponding to the operation mode determined by the operation mode determination unit 23, a feature amount extraction unit 24 that extracts a feature amount from a communication log according to the selected normal model, and a normal model selection And an abnormality degree calculation unit 27 that calculates and outputs an abnormality degree in communication in the communication network 14 from the normal model selected by the part 25 and the feature amount extracted by the feature amount extraction unit 24.
[Selection] Figure 1

Description

  The present invention relates to an abnormality detection device and an abnormality detection method for detecting an abnormality in an object that operates with a communication network.

  In an automobile, a plurality of electronic control units called ECUs (Electronic Control Units) are usually connected to each other via an in-vehicle network that is not safe against cyber attacks, such as a CAN (Controller Area Network) bus. ing. Thus, various techniques for detecting abnormalities such as injecting illegal messages into the in-vehicle network with high accuracy have been proposed in order to ensure cyber security of automobiles (see, for example, Patent Document 1).

  In patent document 1, abnormality is detected by analyzing the communication log of the sensor and control module in a vehicle-mounted network.

JP-T-2006-502697

  However, in recent years, with the development of automobile-related technology represented by automatic driving technology, the number of sensors mounted on the automobile has increased enormously, and the control by the electronic control device has become greatly complicated. For this reason, the types and number of commands and data transmitted in the in-vehicle network have increased enormously. With the technology of Patent Document 1, the behavior of each of these commands and data is monitored one by one. There is a problem of requiring computational resources.

  Therefore, the present invention has been made in view of the above problems, and provides an abnormality detection device and an abnormality detection method that can detect an abnormality with a reduced calculation load than before without degrading accuracy. For the purpose.

  In order to achieve the above object, an abnormality detection device according to an aspect of the present invention is an abnormality detection device that detects an abnormality in an object that operates with a communication network, and the object can take a plurality of operations. Corresponding to each of the modes, a normal model storage unit that stores a plurality of normal models that are data indicating characteristics of characteristic quantities in normal communication in the communication network, and a communication log of the communication network An operation mode determination unit that determines an operation mode, and a normal model selection unit that selects a normal model corresponding to the operation mode determined by the operation mode determination unit from the plurality of normal models stored in the normal model storage unit And according to the normal model selected by the normal model selection unit, from the communication log, in the communication in the communication network An abnormality in communication in the communication network based on the feature amount extraction unit that extracts the amount, the normal model selected by the normal model selection unit, and the feature amount extracted by the feature amount extraction unit; An anomaly detection unit to detect.

  In order to achieve the above object, an abnormality detection method according to an aspect of the present invention is an abnormality detection method by an apparatus for detecting an abnormality in an object that operates with a communication network, and includes communication in the communication network. Corresponding to each of an operation mode determination step for determining an operation mode of the object from a log and a plurality of operation modes that can be taken by the object, data indicating characteristics of characteristics in normal communication in the communication network A normal model selection step for selecting a normal model corresponding to the operation mode determined in the operation mode determination step from a plurality of normal models, and the communication log according to the normal model selected in the normal model selection step A feature amount extracting step of extracting feature amounts in communication in the communication network from The normal model selected by the model selection step, and, based on the feature quantity extracted by the feature amount extracting step comprises, an abnormality detecting step of detecting an abnormality in the communication with the communication network.

  According to the present invention, an abnormality detection device and an abnormality detection method are provided that can detect an abnormality with a reduced calculation load than before without degrading accuracy.

The block diagram which shows the structure of the communication system which concerns on embodiment The data structure figure which shows an example of the communication log accumulate | stored in the communication log storage part with which the abnormality detection apparatus which concerns on embodiment is equipped The data structure figure which shows an example of the normal model stored in the normal model storage part with which the abnormality detection apparatus which concerns on embodiment is equipped The flowchart which shows operation | movement of the abnormality detection apparatus which concerns on embodiment The flowchart which shows the detailed process sequence of step S11 of FIG. The flowchart which shows the continuation of the detailed process sequence of step S11 of FIG. The flowchart which shows the continuation of the detailed process sequence of step S11 of FIG. The flowchart which shows the detailed process sequence of step S13 of FIG. Diagram showing an example of a cyber attack that a communication network receives The figure which shows the concept of the algorithm of the abnormality detection by the abnormality detection apparatus which concerns on embodiment The flowchart which shows operation | movement of the normal model preparation part with which the abnormality detection apparatus which concerns on embodiment is provided The flowchart which shows operation | movement of the feature-value parameter update part with which the abnormality detection apparatus which concerns on embodiment is provided

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that each of the embodiments described below shows a specific example of the present invention. The types of objects, the types of communication networks, the components of the apparatus, the arrangement positions and connection forms of the components, the steps, the order of steps, etc. shown in the following embodiments are merely examples, and are intended to limit the present invention. is not. In addition, among the constituent elements in the following embodiments, constituent elements that are not described in the independent claims indicating the highest concept of the present invention are described as optional constituent elements. Also, the drawings are not necessarily shown strictly. In each figure, substantially the same configuration is denoted by the same reference numeral, and redundant description is omitted or simplified.

  FIG. 1 is a block diagram showing a configuration of a communication system 10 according to the embodiment.

  The communication system 10 is a communication system provided in an automobile that is an example of an object that operates with the communication network 14, and includes the EUCs 12 a to 12 d, the communication network 14, and the abnormality detection device 20.

  The EUCs 12a to 12d include an ECU 12a that supports parking, an ECU 12b that controls emergency braking, and other ECUs 12c and 12d that perform various functions, and are connected to the communication network 14.

  The communication network 14 includes a bus that interconnects ECUs (ECUs 12a to 12d and the abnormality detection device 20), and is, for example, a CAN.

  The abnormality detection device 20 is a device that detects an abnormality such as injection of an unauthorized message into the communication network 14 and is one of the ECUs connected to the communication network 14. Here, “abnormal” is an event that may cause a cyber attack on the communication network 14, and in the present embodiment, a predetermined communication state is determined from a normal communication state in the communication network 14 defined by a normal model to be described later. A communication state that exceeds the range.

  The ECUs (ECUs 12a to 12d and the abnormality detection device 20) have a hardware configuration such as a flash memory for storing programs and data, a nonvolatile memory such as a ROM, a volatile memory such as a DRAM, a CPU for executing a program, and the like. It includes an input / output device such as a processor, various sensors, an alarm device and a display device, an input / output circuit for connecting the various sensors and input / output devices to the processor, a communication interface circuit connected to the communication network 14, and the like.

  Functionally, the abnormality detection device 20 includes a communication log acquisition unit 21, a communication log storage unit 22, an operation mode determination unit 23, a feature amount extraction unit 24, a normal model selection unit 25, a normal model creation unit 26, and an abnormality degree calculation. Unit 27, normal model storage unit 28, feature parameter update unit 29, communication unit 30, abnormality occurrence notification unit 31, and abnormality detection unit 32.

  The communication log acquisition unit 21 is a processing unit that acquires a communication log by recording communication in the communication network 14, and includes, for example, a communication interface circuit connected to a CAN bus.

  The communication log storage unit 22 is a storage unit that stores the communication log acquired by the communication log acquisition unit 21, and is a writable nonvolatile memory such as a flash memory, for example. FIG. 2 is a data structure diagram showing an example of the communication log 22 a stored in the communication log storage unit 22. As shown in the figure, the communication log 22a stores a CAN message for each entry (that is, line). The entry is a minimum unit log accumulated in the communication log 22a. Each entry includes a row 221 indicating a row number, a time stamp 222 indicating an elapsed time from the ignition ON of the automobile, a CAN_ID 223 included in the CAN message, and a payload 224 included in the CAN message. The time stamp 222 may be an actual time.

  The operation mode determination unit 23 is a processing unit that determines the operation mode of an object (a car in the present embodiment) from the communication log 22a. Here, the operation mode determination unit 23 analyzes the communication log 22a stored in the communication log storage unit 22. Thus, the operation mode is determined, and the determined operation mode is notified to the normal model selection unit 25. In addition, the operation mode determination unit 23 extracts communication log data that is data in the section of the communication log 22 a corresponding to the determined operation mode, and outputs the communication log data to the feature amount extraction unit 24.

  The normal model storage unit 28 corresponds to each of a plurality of operation modes that can be taken by the object (in this case, an automobile), and is a plurality of normal data that is data indicating characteristics of features in normal communication on the communication network 14. The storage unit stores the models 28a to 28b in advance, for example, a writable nonvolatile memory such as a flash memory. The normal models 28a to 28b are created by using a communication log at the time of a test run before shipment of the automobile (or the abnormality detection device 20), and are common to all automobiles of the same model. The creation method of the normal models 28a to 28b is the same as the method by the normal model creation unit 26 described later. However, after the automobile (or the abnormality detection device 20) is shipped, the normal models 28a to 28b stored in the normal model storage unit 28 by the normal model creation unit 26 are the respective automobiles (or the abnormality detection device 20). ) Will be updated depending on the specific driving situation.

  FIG. 3 is a data structure diagram showing an example of normal models 28 a to 28 b stored in the normal model storage unit 28. As shown in the figure, each of the normal models 28a to 28b includes an operation mode identifier 281, a feature parameter 282, and a reference value 283.

  The operation mode identifier 281 is an identifier indicating an operation mode corresponding to the normal model. In the example shown in FIG. 3, the normal model 28 a corresponds to the operation mode “parking assistance”, and the normal model 28 b corresponds to the operation mode “emergency brake”.

  The feature amount parameter 282 is a parameter indicating the type of feature amount that can be used for determining an abnormality in communication in the communication network 14. The feature amount parameter 282 includes an abnormality degree scale 282a indicating an algorithm used for calculating the abnormality degree. In the example shown in FIG. 3, in the normal model 28a, the abnormal degree scale 282a is set to “LOF (Local Operator Factor)”, and in the normal model 28b, the abnormal degree scale 282a is set to “Mahalanobis distance”. Yes. The algorithm registered as the degree of abnormality scale 282a is not limited to these examples, but is also publicly known as introduced in Non-Patent Document 1 (Take Ide, “Introduction to anomaly detection by machine learning” Corona). (For example, k-neighbor method etc.) may be used.

  As the feature parameter 282, the normal model 28a is a two-dimensional feature vector, and each element has an appearance frequency in a section having a time width of 300 msec (“dimension = 2, section width = 300 msec”). The first element of the two-dimensional feature vector is the frequency of appearance of a CAN message whose CAN_ID is 0x123 (“1:“ ID ”, 0x123”). The second element of the two-dimensional feature vector is , The value of the 7th to 0th bit fields of the payload of the CAN message whose CAN_ID is 0x456 (the average value when there are a plurality of them) ("2:" payload ", (0x456, [7: 0] )), “Immediate value” is used as the notation of the reference value 283, that is, the feature quantity vector is stored as it is (“model notation =“ immediate value ””). Here, the CAN_ID specified as the feature parameter 282 and the field in the payload are set in consideration of the characteristics of the abnormality that occurs with respect to the corresponding operation mode. ”During the parking assist operation, the steering operation can be performed by a CAN message (steering operation CAN message) related to the steering operation. Therefore, a steering operation CAN message with an abnormal operation amount is injected. Therefore, for the “parking assist” operation mode, the CAN_ID of the CAN message related to the steering operation and the field in the payload are set in the feature parameter 282. In addition, "emergency brake" operation mode On the other hand, since the brake operation can be performed by the CAN message (brake operation CAN message) regarding the brake operation during the emergency brake operation, the CAN_ID of the CAN message related to the brake operation and the field in the payload are the feature parameter 282. In this way, the processing amount for calculating the degree of abnormality can be reduced by narrowing the feature parameter only to CAN_ID and payload fields that may be illegally used for each operation mode. is there.

  The reference value 283 is a feature value reference value corresponding to the type of feature value indicated by the feature parameter 282. In the example shown in FIG. 3, there are 108 reference values (“number of samples = 108”), and a two-dimensional feature vector (4, 12.4) is stored as the first specific reference value. ("1: (4, 12.4)"). As for the second and subsequent specific reference values, as shown in FIG. 3, a two-dimensional feature vector is stored as in the first.

  The normal model 28b has the same data structure as the normal model 28a, but the model notation is different from that of the normal model 28a. In the example of FIG. 3, since the feature parameter 282 of the normal model 28b includes “model notation =“ statistic ””, the distribution of the feature vector is expressed as a statistic in the reference value 283 of the normal model 28b. It is shown that stored values are stored. Specifically, in the example shown in FIG. 3, “average vector” and “covariance matrix” are stored in the reference value 283 of the normal model 28 b.

  Returning to FIG. 1, the normal model selection unit 25 selects a normal model corresponding to the operation mode determined by the operation mode determination unit 23 from the plurality of normal models 28 a to 28 b stored in the normal model storage unit 28. Part.

  The feature quantity extraction unit 24 is configured to store the communication log 22a stored in the communication log storage unit 22 according to the normal model 28c selected by the normal model selection unit 25 (here, from the communication log 22a stored in the communication log storage unit 22). It is a processing unit that extracts feature quantities in communication on the communication network 14 from the communication log data extracted by the operation mode determination unit 23. More specifically, the feature amount extraction unit 24 selects the normal selected by the normal model selection unit 25 from the communication log data extracted by the operation mode determination unit 23 for the operation mode determined by the operation mode determination unit 23. The type of feature quantity indicated by the feature quantity parameter 282 included in the model 28c is extracted.

  The abnormality degree calculation unit 27 is a processing unit that calculates an abnormality degree in communication on the communication network 14. More specifically, the degree-of-abnormality calculation unit 27 statistically deviates between the reference value 283 included in the normal model selected by the normal model selection unit 25 and the feature amount extracted by the feature amount extraction unit 24. The degree of abnormality is calculated from the degree. At this time, the degree of abnormality calculation unit 27 calculates the degree of abnormality according to an algorithm indicated by the degree of abnormality scale 282a included in the normal model 28c selected by the normal model selection unit 25.

  The abnormality detection unit 32 is a processing unit that detects an abnormality in communication in the communication network 14 based on the normal model 28c selected by the normal model selection unit 25 and the feature amount extracted by the feature amount extraction unit 24. is there. More specifically, the abnormality detection unit 32 detects the presence / absence of an abnormality by comparing the abnormality degree calculated by the abnormality degree calculation unit 27 with a threshold value, and outputs the detected abnormality. The threshold value is a preset value or a value set by the user.

  The abnormality occurrence notification unit 31 is an output device that notifies the presence or absence of an abnormality detected by the abnormality detection unit 32, and is, for example, an alarm device, a display device, a communication interface, or the like.

  The communication unit 30 is a communication interface that communicates with a communication device external to the abnormality detection device 20, and is, for example, a communication module for a telephone network or a wireless LAN. As an external communication device, the communication unit 30 communicates with, for example, an update server that is a Web server that distributes feature amount parameters.

  The feature parameter update unit 29 is a processing unit that acquires a new feature parameter from the outside of the abnormality detection device 20 and stores it in an internal memory. For example, the feature parameter update unit 29 is distributed from the update server via the communication unit 30. Get and hold the quantity parameter.

  The normal model creation unit 26 creates a normal model from the communication log 22a accumulated in the communication log accumulation unit 22, and uses the created normal model to store the normal models 28a to 28b stored in the normal model storage unit 28. The processing unit updates the normal model corresponding to the normal model. Specifically, the normal model creation unit 26 updates the normal model stored in the normal model storage unit 28 using the feature parameter stored in the feature parameter update unit 29. The normal model creation unit 26 performs, for example, as a frequency of execution, for example, every predetermined period, every predetermined number of times of driving (that is, the number of times of driving from the vehicle ignition ON to OFF), or the abnormality detection device 20 The normal model is updated every time an instruction from an external server to communicate with is received.

  Note that the processing units (communication log acquisition unit 21, operation mode determination unit 23, feature amount extraction unit 24, normal model selection unit 25, normal model creation unit 26, abnormality degree calculation unit 27, feature amount constituting the abnormality detection device 20. All or part of the parameter update unit 29, the communication unit 30, and the abnormality detection unit 32) may be realized by software by a processor executing a program, or a dedicated logic circuit such as an FPGA or an ASIC. May be implemented in hardware.

  Next, the operation of the abnormality detection device 20 according to the present embodiment configured as described above will be described.

  FIG. 4 is a flowchart showing an operation (that is, an abnormality detection method) of the abnormality detection device 20 according to the present embodiment.

  First, the communication log acquisition unit 21 acquires a communication log by recording communication in the communication network 14 and stores it in the communication log storage unit 22 (S10). For example, the communication log acquisition unit 21 continues to acquire all CAN messages transmitted through the communication network 14 from ignition ON to OFF of the automobile, and stores the CAN messages in the communication log storage unit 22 together with time stamps. As a result, the communication log 22a as shown in FIG. The communication log 22a accumulated in the communication log accumulation unit 22 is read by the operation mode determination unit 23. Of the communication log 22a, the communication log data in which no abnormality is detected by the abnormality detection unit 32 is sequentially added. , May be deleted.

  Subsequently, the operation mode determination unit 23 determines the operation mode by analyzing the communication log 22a stored in the communication log storage unit 22 (operation mode determination step, S11). Details of step S11 will be described later with reference to the flowchart of FIG.

  Next, the normal model selection unit 25 selects the normal model 28c corresponding to the operation mode determined by the operation mode determination unit 23 from the plurality of normal models 28a to 28b stored in the normal model storage unit 28 (normal Model selection step, S12). For example, when the operation mode determination unit 23 determines “emergency brake” as the operation mode, the normal model selection unit 25 selects “emergency brake” from the plurality of normal models 28 a to 28 b stored in the normal model storage unit 28. The normal model 28b corresponding to the operation mode is selected (in this case, the normal model 28b becomes the selected normal model 28c).

  Subsequently, the feature quantity extraction unit 24 uses the communication log 22 a accumulated in the communication log accumulation unit 22 to display the type of feature quantity indicated by the feature quantity parameter 282 included in the normal model 28 c selected by the normal model selection unit 25. Extract (feature amount extraction step, S13). For example, when the normal model 28b is selected by the normal model selection unit 25, the feature amount extraction unit 24 uses the feature parameter 282 included in the normal model 28b from the communication log 22a stored in the communication log storage unit 22. Is calculated, that is, a three-dimensional feature vector. Details of step S13 will be described later with reference to the flowchart of FIG.

  Next, the degree-of-abnormality calculation unit 27 calculates a statistical deviation between the reference value 283 included in the normal model selected by the normal model selection unit 25 and the feature amount extracted by the feature amount extraction unit 24, An abnormal degree is calculated (abnormal degree calculating step, S14). At this time, the degree of abnormality calculation unit 27 calculates the degree of abnormality according to an algorithm indicated by the degree of abnormality scale 282a included in the normal model 28c selected by the normal model selection unit 25. For example, when the normal model 28b is selected by the normal model selection unit 25, the degree-of-abnormality calculation unit 27 uses the average value and the covariance matrix that are the reference values 283 included in the normal model 28b and features. The “Mahalanobis distance” with the three-dimensional feature vector extracted by the quantity extraction unit 24 is calculated as the degree of abnormality.

  Subsequently, the abnormality detection unit 32 detects the presence or absence of abnormality by comparing the abnormality degree calculated by the abnormality degree calculation unit 27 with a threshold value (S15). For example, the abnormality detection unit 32 determines that “abnormality is present” when the “Mahalanobis distance” calculated by the abnormality degree calculation unit 27 is larger than a predetermined threshold value, and on the other hand, when it is equal to or smaller than the threshold value. It is determined that there is no abnormality and the determination result is output as a detection result.

  Finally, the abnormality occurrence notification unit 31 notifies the presence / absence of the abnormality detected by the abnormality detection unit 32 (S16). For example, when an abnormality detection unit 32 outputs a detection result “abnormal”, the abnormality occurrence notifying unit 31 emits a sound or a buzzer indicating that there is an abnormality to the driver of the car by an alarm device. Or information indicating that there is an abnormality is notified to the management center via the communication interface. At the time of notification to the management center, communication log data in which an abnormality is detected and information indicating the operation mode at that time may be transmitted together with the abnormality notification.

  Note that when there are a plurality of operation modes determined in step S11, the above steps S12 to S16 are executed for each of the plurality of operation modes.

  5A to 5C are flowcharts showing the detailed processing procedure of step S11 (determination of operation mode) in FIG.

  First, when analyzing the communication log 22a stored in the communication log storage unit 22, the operation mode determination unit 23 initializes a variable N for the line number of the communication log 22a (that is, to “1” indicating the first line). Set) (S20).

  Then, the operation mode determination unit 23 checks the Nth row of the communication log 22a (S21). That is, the operation mode determination unit 23 reads the Nth row entry of the communication log 22a from the communication log accumulation unit 22, and the read Nth row entry starts one of a plurality of operation modes held in advance. It is determined whether or not the pattern matches. Specifically, the operation mode determination unit 23 stores, for each of a plurality of operation modes held in advance, a table that associates CAN_ID indicating the start of the operation mode or a combination of CAN_ID and a payload. Therefore, it is determined whether or not the table and the CAN_ID included in the Nth row entry or the combination of the CAN_ID and the payload match. For example, information of a field (ADAS valid flag, ADAS operation instruction bit, etc.) for identifying the type of ADAS (Advanced Driver Assistance System) and valid / invalid or presence / absence of an operation instruction is registered as a payload. The plurality of operation modes held in this table correspond to all the operation modes indicated by the operation mode identifiers 281 stored in the plurality of normal models 28a to 28b stored in the normal model storage unit 28.

  As a result, when the operation mode determination unit 23 determines that the entry in the Nth row matches the start pattern of one of the operation modes held in advance (here, “parking support” or “emergency brake”). (Y in S22 or Y in S23), the communication log data corresponding to the operation section of the operation mode is extracted (the flowchart in FIG. 5B or the flowchart in FIG. 5C), and the process returns to step S24.

  The operation mode determination unit 23 increments the variable N by 1 (S24), and then determines whether or not the variable N matches the last line of the communication log 22a. It is determined whether the determination has been completed (S25). The operation mode determination unit 23 repeats steps S21 to S24 until it finishes determining all entries in the communication log 22a, and then ends (S26).

  FIG. 5B is a flowchart showing a processing procedure when it is determined in step S22 of FIG. 5A that the Nth row entry matches the start pattern of the operation mode “parking support”.

  The operation mode determination unit 23 first sets the current variable N to the variable S indicating the start line of the operation mode “parking support” (S30), and then increments the variable N by 1 (S31).

  Then, the operation mode determination unit 23 checks the Nth row of the communication log 22a (S32). That is, the operation mode determination unit 23 reads the Nth row entry of the communication log 22a from the communication log storage unit 22, and whether or not the read Nth row entry matches the end pattern of the operation mode “parking support”. Determine whether. Specifically, the operation mode determination unit 23 stores a table in which CAN_ID indicating the end of the operation mode “parking support” or a combination of CAN_ID and a payload is associated, and the table and the Nth row It is determined whether CAN_ID included in the eye entry or a combination of CAN_ID and the payload matches.

  Here, when the operation mode determination unit 23 determines that the variable N matches the last line of the communication log 22a (Y in S33), the process ends (S26), but otherwise (in S33). N) As a result of the check in step S32, it is determined whether or not the Nth row entry matches the end pattern of the operation mode “parking support” (S34). Then, the operation mode determination unit 23 repeats steps S31 to S34 until it is determined that the Nth row entry matches the end pattern of the operation mode “parking support” (Y in S34).

  If it is determined that the entry in the Nth row matches the end pattern of the operation mode “parking support” (Y in S34), the operation mode determination unit 23 sets the current variable N to the final value of the operation mode “parking support”. After setting the variable E indicating the line (S35), the entries of the Sth to Eth lines in the communication log 22a are extracted as communication log data of the operation mode “parking support” (S36), and the step of FIG. 5A Return to S24.

  FIG. 5C is a flowchart showing a processing procedure when it is determined in step S23 of FIG. 5A that the entry in the Nth row matches the start pattern of the operation mode “emergency brake”. The processes (S40 to S46) in FIG. 5C are basically the same as the processes (S30 to S36) in the case of the operation mode “parking support” shown in FIG. 5B. However, although the operation mode is “parking support” in FIG. 5B, the operation mode is “emergency brake” in FIG. 5C. The description of the process (S40 to S46) in FIG. 5C is omitted.

  FIG. 6 is a flowchart showing a detailed processing procedure of step S13 (feature amount extraction) in FIG.

  First, the feature quantity extraction unit 24 acquires the communication log data extracted by the operation mode determination unit 23 from the operation mode determination unit 23 for the operation mode determined by the operation mode determination unit 23, and the normal model selection unit 25. Then, the normal model 28c selected by the normal model selection unit 25 is acquired (S50).

  Then, as an initialization process, the feature quantity extraction unit 24 sets the number of the first line of the communication log data acquired from the operation mode determination unit 23 to the variable N (S51), and sets the time interval start variable T to the variable T. The time stamp value of the entry in the Nth row is set (S52), and the variable “d” for the time interval width includes the “interval width” included in the feature parameter 282 of the normal model 28c selected by the normal model selection unit 25. The parameter value (for example, 300 msec when the operation mode is determined to be “parking support”) is set (S53).

  Next, the feature amount extraction unit 24 determines whether or not the communication log data acquired from the operation mode determination unit 23 has ended between time intervals T to (T + d) (S54). Specifically, it is determined whether or not T + d is equal to or less than Te when the time stamp of the last entry of the communication log data is Te.

  As a result, when it is determined that the communication log data has not ended (Y in S54), the feature amount extraction unit 24 uses the time interval T to (T + d) from the communication log data acquired from the operation mode determination unit 23. All entries having a time stamp 222 are extracted (S55), and a feature vector is created using all the extracted entries according to the feature parameter 282 of the normal model 28c acquired from the normal model selection unit 25 ( (S56), the created feature vector is output to the degree-of-abnormality calculation unit 27 (S57). Then, the feature amount extraction unit 24 increments the variable T by adding the variable d to the variable T (S58), and repeats steps S54 to S58 again.

  On the other hand, if it is determined in step S54 that the communication log data acquired from the operation mode determination unit 23 has ended between time intervals T to (T + d) (N in S54), the feature amount extraction unit 24 The process is terminated.

  It should be noted that in the feature vector generation (S56), more specifically, the feature amount extraction unit 24 performs processing as in the following first to third steps.

  First, in the first step, the feature quantity extraction unit 24 first refers to the feature quantity parameter 282 of the normal model 28c acquired from the normal model selection section 25, and thereby the number of dimensions of the feature quantity vector and the feature quantity vector. Extracted feature amount information (discriminating whether the information of interest is ID (CAN_ID) or payload) is acquired. For example, when the normal model 28c acquired from the normal model selection unit 25 is the normal model 28a shown in FIG. 3, the feature amount extraction unit 24 refers to the feature amount parameter 282 of the normal model 28a, thereby “2” is acquired as the number of dimensions of the quantity vector, and “ID” and “payload” are acquired as extracted feature quantity information of each element of the feature quantity vector.

  Next, in the second step, when the extracted feature value information is “ID”, the feature value extraction unit 24 targets the communication log data acquired from the operation mode determination unit 23 as a target time interval. From T to (T + d), the number of times that the CAN message having the specified CAN_ID has been transmitted (number of entries) is calculated as the first element of the feature vector. In addition, when the acquired extracted feature value information is “payload”, the feature value extraction unit 24 targets the communication log data acquired from the operation mode determination unit 23 in the target time interval T to (T + d). The CAN message (entry) having the CAN_ID specified by the feature parameter 282 is extracted, and the value of the field specified by the feature parameter 282 (two or more CAN messages are extracted from the payload of the extracted CAN message). The average value of these field values) is calculated as the second element of the feature vector. If no CAN message (entry) having the CAN_ID specified by the feature parameter 282 is extracted in the target time interval T to (T + d), the feature extractor 24 extracts the previous time interval. The value calculated in is used as a feature vector element.

  Finally, in the third step, the feature quantity extraction unit 24 creates a feature quantity vector having elements for the number of dimensions calculated in the second step.

  Through the processing by the abnormality detection device 20 as described above, when a cyber attack as shown in FIG. 7 is received in the communication network 14, for example, an abnormality can be detected by the algorithm shown in FIG.

  FIG. 7 is a diagram illustrating an example of a cyber attack that the communication network 14 receives. Here, the time chart which shows the appearance timing of the CAN message transmitted with the communication network 14 is shown. The squares on the time chart are normal CAN messages (that is, normal CAN messages 16a to 16e) and appear at a constant transmission interval T. Generally, in a normal state, a CAN message (that is, a normal CAN message) is periodically transmitted at a predetermined cycle for each CAN_ID.

  On the other hand, the triangles on the time chart are CAN messages that are illegally injected into the communication network 14 (that is, illegal CAN messages 17a to 17g), and appear at a timing without periodicity. The state in which such illegal CAN messages 17a to 17g are generated is an abnormal state. For example, the CAN messages 17a to 17g have the same CAN_ID as that of the normal CAN message, but the payload is forged and is different from that of the normal CAN message, and is injected from the diagnostic port of the CAN bus. In the payload of the unauthorized CAN messages 17a to 17g, an unauthorized operation amount (for example, a steering / brake operation amount is larger / smaller than normal), an unauthorized trigger instruction (for example, an emergency brake / airbag is activated) Bit, a bit serving as a parking assistance start trigger), an incorrect display amount (for example, display amount of speed / engine speed / wheel speed) and the like are set. An illegal operation such as steering can be performed by a cyber attack in which such illegal CAN messages 17a to 17g are injected into the communication network 14.

  FIG. 8 is a diagram showing the concept of an abnormality detection algorithm by the abnormality detection device 20 according to the present embodiment. Here, the horizontal axis is CAN message transmission frequency Na (times / sec) with CAN_ID “IDa”, and the vertical axis is CAN message transmission frequency Nb (times / sec) with CAN_ID “IDb”. An example of a two-dimensional feature vector (Na, Nb) at is plotted.

  In the example shown in FIG. 8, the “normal model” is a collection of feature vectors within a certain range with a two-dimensional feature vector (1 / Ta, 1 / Tb) as a center. That is, in the “normal model”, a CAN message whose CAN_ID is “IDa” is repeatedly transmitted in a substantially transmission cycle Ta, and a CAN message whose CAN_ID is “IDb” is repeatedly transmitted in a substantially transmission cycle Tb. It corresponds to.

  According to the abnormality detection apparatus 20 according to the present embodiment, when the feature vector 18a greatly deviated from the “normal model” shown in FIG. On the other hand, when the feature vector 18b that is not greatly deviated from the “normal model” is observed, it is determined that “the degree of abnormality is low”. In this manner, the abnormality detection device 20 calculates a statistical degree of deviation from the normal model (for example, a distance determined by the abnormality degree scale) as the abnormality degree.

  In FIG. 8, the case where the feature vector is two-dimensional is described as an example for convenience of explanation, but the basic abnormality detection algorithm is the same even if the feature vector is three or more dimensions. . After the two-dimensional space shown in FIG. 8 is expanded to three or more multidimensional spaces, an abnormality is detected with the same algorithm.

  As described above, the abnormality detection device 20 according to the present embodiment is a device that detects an abnormality in an object that operates with the communication network 14, and corresponds to each of a plurality of operation modes that the object can take. Then, a normal model storage unit 28 that stores a plurality of normal models 28a to 28b, which are data indicating characteristics of features in normal communication in the communication network 14, and an operation mode of the object from the communication log of the communication network 14 An operation mode determination unit 23 for determining the normal mode, and a normal model selection unit 25 for selecting a normal model corresponding to the operation mode determined by the operation mode determination unit 23 from a plurality of normal models stored in the normal model storage unit 28 The feature amount in communication on the communication network 14 is extracted from the communication log according to the normal model selected by the normal model selection unit 25 Abnormality detection for detecting an abnormality in communication on the communication network 14 based on the normal model selected by the feature quantity extraction unit 24, the normal model selection unit 25, and the feature quantity extracted by the feature quantity extraction unit 24 Part 32.

  As a result, instead of analyzing each individual command in the communication log, the normal model corresponding to the operation mode of the target object is narrowed down from multiple normal models, and the feature value is extracted from the communication log according to the narrowed normal model. Since an abnormality is detected at, the degree of abnormality is calculated with a calculation load reduced as compared with the prior art. In addition, since the abnormality is detected using the communication log, the accuracy of the abnormality detection is not deteriorated. Therefore, an abnormality detection device is realized that can detect an abnormality with a reduced calculation load than before without degrading accuracy.

  In addition, the normal models 28a to 28b include a feature parameter 282 indicating the type of feature used for detecting an abnormality in communication in the communication network 14, and the feature extractor 24 includes the normal model selector 25. The feature quantity of the type indicated by the feature quantity parameter 282 included in the normal model selected in (2) is extracted from the communication log 22a.

  Thereby, since the feature quantity is extracted by referring to the feature quantity parameter 282 included in the normal model, the feature quantity parameter indicating the type of feature quantity specific to the operation mode corresponding to the normal model is included in the normal model. This makes it possible to detect anomalies with higher accuracy.

  In addition, an abnormality degree calculation unit 27 that calculates an abnormality degree in communication in the communication network 14 is further provided, and the normal models 28a to 28b further include a feature amount reference corresponding to the feature amount type indicated by the feature amount parameter 282. Value 283 is included, and the degree of abnormality calculation unit 27 calculates the difference between the reference value 283 of the feature amount included in the normal model 28c selected by the normal model selection unit 25 and the feature amount extracted by the feature amount extraction unit 24. The degree of abnormality is calculated from the degree of deviation, and the abnormality detection unit 32 detects the presence or absence of abnormality by comparing the degree of abnormality calculated by the degree of abnormality calculation unit 27 with a threshold value.

  Thereby, the normal models 28a to 28b include the feature value reference value 283 corresponding to the feature value type indicated by the feature value parameter 282, and the abnormality level is calculated using the reference value 283. The calculation standard of the degree of abnormality can be defined for each normal model corresponding to, and more accurate abnormality detection is realized.

  Further, the normal models 28a to 28b further include an abnormality degree scale 282a indicating an algorithm used for calculating the degree of abnormality, and the degree of abnormality calculation unit 27 is included in the normal model 28c selected by the normal model selection unit 25. The degree of abnormality is calculated according to an algorithm indicated by the abnormality degree scale 282a.

  Thus, the normal models 28a to 28b include an abnormality degree scale 282a indicating an algorithm used for calculating the degree of abnormality, and the degree of abnormality is calculated according to the algorithm, so that an appropriate abnormality is determined for each normal model corresponding to the operation mode. The degree calculation algorithm can be defined, and more accurate abnormality detection is realized.

  In addition, the abnormality detection device 20 further includes an abnormality occurrence notification unit 31 that notifies the presence or absence of an abnormality detected by the abnormality detection unit 32.

  Thereby, since the presence or absence of abnormality is notified, generation | occurrence | production of abnormality can be known immediately.

  The abnormality detection device 20 further includes a communication log acquisition unit 21 that acquires a communication log by recording communication in the communication network 14 and a communication log storage unit that stores the communication log acquired by the communication log acquisition unit 21. The operation mode determination unit 23 determines the operation mode from the communication log 22 a stored in the communication log storage unit 22.

  Thereby, since the abnormality detection device 20 includes the communication log acquisition unit 21 and the communication log storage unit 22, an ECU for storing the communication log is separately provided on the communication network 14, and the abnormality detection device is provided from the ECU. It is not necessary to control the transfer of the communication log to 20.

  FIG. 9 is a flowchart showing the operation of the normal model creation unit 26 provided in the abnormality detection device 20 according to the present embodiment.

  First, for the operation mode determined by the operation mode determination unit 23, the normal model creation unit 26 obtains the communication log data extracted by the operation mode determination unit 23 from the operation mode determination unit 23 and the determined operation mode. The identifier shown is acquired (S60).

  Next, the normal model creation unit 26 presents the identifier to the feature parameter update unit 29 and inquires whether or not the feature parameter for update is held, whereby the feature parameter update unit 29 It is determined whether or not the feature parameter corresponding to the operation mode indicated by the identifier is held (S61).

  As a result, when the feature amount parameter is held in the feature amount parameter update unit 29 (Y in S61), the normal model creation unit 26 receives the feature amount held therein from the feature amount parameter update unit 29. If the parameter is acquired (S62), but the feature parameter is not held in the feature parameter update unit 29 (N in S61), it corresponds to the operation mode indicated by the identifier from the normal model storage unit 28. A feature parameter included in normal model data is acquired (S63).

  Subsequently, the normal model creation unit 26 sets the line number variable N to zero, and sets the time stamp of the first entry of the communication log data extracted by the operation mode determination unit 23 to the time interval start variable T ( S64), and the section width included in the feature parameter acquired in step S62 or S63 is set in the variable d for the time section width (S65).

  Next, the normal model creation unit 26 determines whether or not the communication log data acquired from the operation mode determination unit 23 has ended during the time interval T to (T + d) (S66). Specifically, it is determined whether or not T + d is equal to or less than Te when the time stamp of the last entry of the communication log data is Te.

  As a result, when it is determined that the communication log data has not ended (Y in S66), the normal model creation unit 26 determines the time interval T to (T + d) from the communication log data acquired from the operation mode determination unit 23. All entries having a time stamp 222 are extracted (S67), and a feature vector is created using all the extracted entries according to the feature parameter acquired in step S62 or S63 (S68). The creation of the feature vector by the normal model creation unit 26 (S68) is the same as the creation of the feature vector by the feature extraction unit 24 (S56; first to third steps).

  Then, the normal model creation unit 26 increments the variable N by 1, and increments the variable T by adding the variable d to the variable T (S69), and associates the feature quantity vector just created with the variable N. (S70), steps S66 to S70 are repeated again.

  On the other hand, when it is determined in step S66 that the communication log data acquired from the operation mode determination unit 23 has ended between time intervals T to (T + d) (N in S66), the normal model creation unit 26 Then, by referring to the “model notation” included in the feature parameter acquired in step S62 or S63, it is determined whether the “model notation” indicates “immediate value” or “statistic” (S80).

  As a result, when the “model notation” indicates “immediate value” (“immediate value” in S80), the normal model creation unit 26 configures the normal model as it is with the variable N and the feature vector held in step S70. When the “model notation” indicates “statistic” (“statistic” in S80), the variable N and the feature vector held in step S70 are set as the reference value of the feature parameter (S81). Then, the average vector and the covariance matrix are calculated from (S82), and the calculated average vector and covariance matrix are set as the reference values of the feature parameter constituting the normal model (S83).

  The normal model creation unit 26 is a normal model having the feature parameter acquired in step S62 or S63 and the reference value of the feature parameter set in steps S81 or S82 to S83. The normal model storage unit 28 The normal model corresponding to the identifier stored in (1) is updated (S84).

  FIG. 10 is a flowchart illustrating the operation of the feature parameter update unit 29 included in the abnormality detection device 20 according to the present embodiment.

  First, the feature parameter update unit 29 determines whether or not an inquiry timing to the update server has arrived (S90). For example, the feature quantity parameter update unit 29 makes this determination by comparing a predetermined period or time with a value indicated by an internal calendar timer.

  As a result, when it is determined that the inquiry timing to the update server has arrived (Y in S90), the feature parameter update unit 29 determines whether there is update data (that is, a feature parameter) for the update server. The update data (that is, the feature parameter) is acquired from the update server and held only when there is update data (that is, the feature parameter) (Y in S97) (S98).

  On the other hand, if it is not determined that the inquiry timing to the update server has arrived (N in S90), the feature parameter update unit 29 holds the feature parameter for update from the normal model creation unit 26. It is determined whether there is an inquiry about whether or not (S91). When it is determined that there is an inquiry (Y in S91), an identifier of the operation mode related to the inquiry is acquired from the normal model creation unit 26 (S92).

  Then, the feature quantity parameter update unit 29 determines whether or not the feature quantity parameter for update for the normal model indicated by the identifier acquired from the normal model creation unit 26 is held (S93). If it is determined (Y in S93), the feature parameter is transmitted to the normal model creation unit 26 (S94), and the transmitted original feature parameter is deleted from the internal memory (S95).

  As described above, the abnormality detection device 20 according to the present embodiment further creates a normal model from the communication log, and uses the created normal model to correspond to the operation mode corresponding to the normal model. A normal model creation unit 26 that updates a normal model stored in the storage unit 28 is provided.

  As a result, a normal model is created from the communication log, so it is possible to automatically generate a communication log with the object actually operating normally, reducing the load of creating the normal model, and Automatic adaptation to update the normal model according to the operation becomes possible.

  Further, the abnormality detection device 20 according to the present embodiment further includes a feature amount parameter update unit 29 that acquires a new feature amount parameter from the outside of the abnormality detection device 20, and the normal model creation unit 26 includes the feature amount parameter. The normal model stored in the normal model storage unit 28 is updated using the feature parameter acquired by the update unit 29.

  Thereby, since the feature parameter in the normal model provided in the abnormality detection device is updated by giving the feature parameter to the abnormality detection device 20 from the outside, the dynamic normal model such as improving the accuracy of the normal model is updated. The structure can be changed, and maintenance of the normal model becomes easy.

  As described above, the abnormality detection device and the abnormality detection method according to the present invention have been described based on the embodiment. However, the present invention is not limited to this embodiment. Without departing from the gist of the present invention, various modifications conceived by those skilled in the art have been made in the present embodiment, and other forms constructed by combining some components in the embodiment are also within the scope of the present invention. Contained within.

  For example, in the above-described embodiment, an automobile is exemplified as an object that operates with a communication network. However, the object is not limited to an automobile, and transportation equipment, a factory, and a machine tool that include a communication network such as CAN. Etc.

  In the above embodiment, CAN is exemplified as the communication network, but other in-vehicle networks such as LIN, FlexRay (registered trademark), MOST (registered trademark) may be used. It may be a communication network mounted on another device such as a machine.

  Moreover, in the said embodiment, although the operation mode was determined from the communication log, you may determine an operation mode from the various information obtained from ADAS (Advanced Driver Assistance System) mounted in the motor vehicle.

  Further, the abnormality detection method described in the above embodiment may be realized as a program executed by the abnormality detection device 20, or realized as a computer-readable recording medium such as a DVD on which such a program is recorded. May be.

  The present invention, as an abnormality detection device that detects an abnormality in an object that operates with a communication network, more specifically, can detect an abnormality with a reduced calculation load than before without degrading accuracy. For example, the abnormality detection device can be used as an ECU connected to a CAN bus.

10 Communication System 12a-12d ECU
14 communication network 16a to 16e normal CAN message 17a to 17g illegal CAN message 18a and 18b feature vector 20 abnormality detection device 21 communication log acquisition unit 22 communication log storage unit 221 line 222 time stamp 223 CAN_ID
224 Payload 22a Communication log 23 Operation mode determination unit 24 Feature amount extraction unit 25 Normal model selection unit 26 Normal model creation unit 27 Abnormality calculation unit 28 Normal model storage unit 28a to 28b, 28c Normal model 281 Operation mode identifier 282 Feature parameter 282a Abnormality scale 283 Reference value 29 Feature parameter update unit 30 Communication unit 31 Abnormality notification unit 32 Abnormality detection unit

Claims (10)

An anomaly detection device for detecting an anomaly in an object operating with a communication network,
Corresponding to each of a plurality of operation modes that can be taken by the object, a normal model storage unit that stores a plurality of normal models that are data indicating characteristics of characteristic quantities in normal communication in the communication network;
An operation mode determination unit that determines an operation mode of the object from a communication log of the communication network;
A normal model selection unit that selects a normal model corresponding to the operation mode determined by the operation mode determination unit from the plurality of normal models stored in the normal model storage unit;
According to the normal model selected by the normal model selection unit, a feature amount extraction unit that extracts a feature amount in communication in the communication network from the communication log;
Based on the normal model selected by the normal model selection unit and the feature amount extracted by the feature amount extraction unit, an abnormality detection unit that detects an abnormality in communication in the communication network;
An abnormality detection device comprising: The normal model includes a feature parameter indicating a type of feature used for detecting an abnormality in communication on the communication network,
The feature quantity extraction unit extracts a feature quantity of a type indicated by a feature quantity parameter included in the normal model selected by the normal model selection unit from the communication log;
The abnormality detection device according to claim 1. An abnormality degree calculating unit for calculating an abnormality degree in communication in the communication network,
The normal model further includes a feature value reference value corresponding to the type of feature value indicated by the feature parameter.
The abnormality degree calculation unit is configured to calculate the abnormality from a degree of deviation between a reference value of a feature amount included in the normal model selected by the normal model selection unit and the feature amount extracted by the feature amount extraction unit. Calculate the degree,
The abnormality detection unit detects the presence or absence of an abnormality by comparing the abnormality degree calculated by the abnormality degree calculation unit and a threshold value.
The abnormality detection device according to claim 2. The normal model further includes an abnormality degree scale indicating an algorithm used for calculating the abnormality degree,
The abnormality degree calculation unit calculates the abnormality degree according to an algorithm indicated by an abnormality degree scale included in the normal model selected by the normal model selection unit.
The abnormality detection device according to claim 1. An abnormality occurrence notification unit for notifying the presence or absence of an abnormality detected by the abnormality detection unit;
The abnormality detection device according to claim 4. A communication log acquisition unit that acquires the communication log by recording communication in the communication network;
A communication log storage unit that stores the communication log acquired by the communication log acquisition unit;
The operation mode determination unit determines the operation mode from the communication log stored in the communication log storage unit;
The abnormality detection apparatus of any one of Claims 1-5. A normal model creation unit that creates a normal model from the communication log and updates the normal model stored in the normal model storage unit corresponding to the operation mode corresponding to the normal model using the created normal model Further comprising
The abnormality detection device according to any one of claims 1 to 6. A feature quantity parameter update unit that acquires a new feature quantity parameter from outside the abnormality detection device;
The normal model creation unit updates the normal model stored in the normal model storage unit using the feature parameter acquired by the feature parameter update unit.
The abnormality detection device according to claim 7. An abnormality detection method by an apparatus for detecting an abnormality in an object operating with a communication network,
An operation mode determination step of determining an operation mode of the object from a communication log of the communication network;
Corresponding to each of a plurality of operation modes that can be taken by the object, it is determined in the operation mode determination step from a plurality of normal models that are data indicating characteristics of characteristic quantities in normal communication in the communication network. A normal model selection step for selecting a normal model corresponding to the operation mode;
According to the normal model selected in the normal model selection step, a feature amount extraction step of extracting a feature amount in communication on the communication network from the communication log;
An abnormality detection step of detecting an abnormality in communication in the communication network based on the normal model selected in the normal model selection step and the feature amount extracted in the feature amount extraction step;
Anomaly detection method including A program for causing a computer to detect an abnormality in an object operating with a communication network,
An operation mode determination process for determining an operation mode of the object from a communication log of the communication network;
Corresponding to each of a plurality of operation modes that can be taken by the object, it is determined by the operation mode determination process from a plurality of normal models that are data indicating characteristics of characteristic amounts in normal communication in the communication network. A normal model selection process for selecting a normal model corresponding to the operation mode;
In accordance with the normal model selected in the normal model selection process, a feature quantity extraction process for extracting a feature quantity in communication on the communication network from the communication log;
An abnormality detection process for detecting an abnormality in communication in the communication network based on the normal model selected in the normal model selection process and the feature quantity extracted in the feature quantity extraction process;
Including programs.

Images