JP7753961B2 - In-vehicle gateway device and injection attack detection method - Google Patents

Description

The technology disclosed herein relates to an in-vehicle gateway device and a method for detecting injection attacks.

Intrusion detection systems are being introduced to detect unauthorized data in vehicle networks.

In order to detect attacks using a wide variety of unauthorized data, an intrusion detection system needs to be equipped with a variety of detection logic. At the same time, to reduce vehicle costs, it is desirable to be able to execute this logic using as few resources as possible.

Patent Document 1 discloses a technology that determines the transmission state (transmission active state/transmission stopped state) corresponding to data sent between information processing devices, and determines that there is an abnormality in the acquired data if the transmission state corresponding to the data acquired by the acquisition unit is the transmission stopped state. Specifically, Patent Document 1 discloses an example in which, when cyclic data transmitted at a predetermined cycle is not acquired for a predetermined period of time, the cyclic data is determined to be in the transmission stopped state, and an abnormality is determined if the cyclic data is received during the transmission stopped state.

Japanese Patent Application Laid-Open No. 2019-220770

However, a wide variety of messages are exchanged within a vehicle, with different transmission and reception cycles, timing, data lengths, etc. Therefore, in conventional methods that determine and apply a transmission state corresponding to each message, there is a problem in that a large amount of computational resources (including computational circuits and storage areas) are required to perform calculations to set the transmission state for each message and to store the transmission state. Furthermore, in recent years, as vehicles have become more automated and more sophisticated, the number of on-board ECUs and the number of message types and data volumes have tended to increase, making this problem even more important.

In addition, vehicles need to accommodate a wide variety of computing resources within the limited space inside the vehicle cabin, including computing resources for vehicle control, computing resources for improving occupant comfort, computing resources for the intrusion detection system mentioned above, and computing resources for vehicle theft prevention. Therefore, in order to improve user satisfaction by advancing vehicle performance and functionality, it is of great significance to reduce as much as possible the computing resources for intrusion detection systems, which do not directly affect vehicle control, comfort, etc.

Here, in order to conserve computing resources, it is possible to reduce the type and amount of data for which transmission status is set, but doing so would result in a problem in that it would reduce the comprehensiveness of detecting attacks using fraudulent data.

The technology disclosed here was developed in light of these issues, and its purpose is to detect injection attacks that involve the injection of unauthorized data into in-vehicle networks with fewer resources.

In order to solve the above-mentioned problems, one aspect of the technology disclosed herein targets a gateway device provided between a connector for connecting an external device to an in-vehicle communication network and an in-vehicle ECU, and includes gateway means for relaying communication between the ECU and the external device connected to the connector, and monitoring means for monitoring a transmission status indicating that a transmission message sent from the gateway means to the connector has reached the external device. When a transmission message output from the ECU is sent to the connector via the gateway means, the monitoring means determines that an unauthorized signal has been injected into the in-vehicle communication network based on an error in the transmission status of the transmission message.

This configuration makes it possible to detect attacks that illegally inject messages into external devices when the external device is not connected to the connector, using fewer computing resources (including computing circuits and memory areas) than conventional methods.

Specifically, as mentioned above, in conventional methods that determine and apply a transmission state corresponding to each piece of data, it is necessary to allocate computational resources for the calculations required to set the transmission state and for storing the transmission state. In contrast, with the configuration of the above aspect, there is no need to determine a transmission state corresponding to each piece of data or store the state of the ECU or the state of the signals flowing on the in-vehicle communication network, making it possible to significantly reduce the resources required to detect the injection of unauthorized signals into the in-vehicle communication network.

In the above aspect, the monitoring means may determine that an unauthorized transmission message has been injected into the in-vehicle communication network when an error in the transmission status equals or exceeds a predetermined threshold.

In this embodiment, a fixed threshold is set for error detection, which makes it possible to avoid erroneous detection of fraudulent sent messages and improve the accuracy of error detection.

The monitoring means may include an abnormality detection unit that detects an error in the transmission status of the transmitted message, and an output unit that, when the abnormality detection unit detects an error in the transmission status, outputs a detection log that includes error information indicating the content of the error plus additional information related to the error.

Here, the additional information may include time information regarding the time the error occurred and location information regarding the location where the error occurred.

In this manner, error information is saved with additional information attached, making it easier to analyze errors, such as determining whether they are injection attacks.

Another aspect of the technology disclosed herein is directed to a method for detecting injection attacks, and is configured to include a monitoring step in which a monitoring means monitors a transmission status indicating that a transmission message sent from an internal bus of an in-vehicle communication network via a gateway device to a connector for connecting an external device to the in-vehicle communication network has reached the external device, and a determination step in which the monitoring means determines that an unauthorized signal has been injected into the in-vehicle communication network based on the occurrence of an error in the transmission status of the transmission message.

According to this aspect, there is no need to determine the transmission status corresponding to each piece of data or to store the status of the ECU or the status of the signals flowing on the in-vehicle communication network. Therefore, it is possible to significantly reduce the resources required to detect the injection of unauthorized signals into the in-vehicle communication network.

As described above, the technology disclosed herein makes it possible to detect injection attacks on in-vehicle networks with fewer resources than conventional methods.

Block diagram showing an example of the configuration of an in-vehicle network system A diagram showing an example of data flow in an in-vehicle network system. Block diagram showing an example of the configuration of a gateway device 10 is a flowchart illustrating an example of a process performed by a gateway device. 10 is a flowchart showing another example of the processing of the gateway device. Block diagram showing another example of an in-vehicle network configuration

The following describes exemplary embodiments in detail with reference to the drawings. The same or equivalent parts in the drawings will be designated by the same reference numerals, and repeated explanations may be omitted. Furthermore, the following embodiments will focus on configurations that are highly relevant to the contents of this disclosure.

In the following explanation, the term "device" may be used as a general term for external devices, connectors, ECUs, sensors, and actuators. For example, the description of a connection between devices is used as a concept that broadly encompasses connections between devices, such as a connection between an external device and a connector, a connection between an external device and an ECU, or a connection between ECUs, sensors, and actuators.

Figure 1 shows an example configuration of an in-vehicle communication network 1 according to this embodiment.

As shown in FIG. 1, the in-vehicle communication network 1 includes an external bus area 5 and an internal bus area 6. Hereinafter, the in-vehicle communication network 1 is assumed to be a network conforming to the CAN (Controller Area Network) communication protocol (hereinafter simply referred to as a "CAN network"). Note that the in-vehicle communication network 1 may also be another type of network, such as a network conforming to the Ethernet (registered trademark) protocol.

In the external bus area 5, connectors 3 for connecting external devices such as a diagnostic tester 8 and a charging station are connected via an external bus EB. In this example, the bus that constitutes the network outside the vehicle beyond the gateway device 2 is referred to as the external bus EB.

In the internal bus area 6, the on-board ECU 4, sensors, actuators, etc. are connected via the internal bus IB. In this example, the bus that constitutes the network inside the vehicle relative to the gateway device 2 is called the internal bus EB.

In other words, a bus that is directly connected to a device connected from outside the vehicle (external device) is called an external bus EB, and other buses are called internal buses IB. In the following explanation, when there is no particular distinction between the external bus EB and the internal bus IB, they may simply be referred to as "buses."

A gateway device 2 is provided between the external bus area 5 and the internal bus area 6. The gateway device 2 has the function of relaying communications between devices in the in-vehicle communication network 1. Furthermore, when an external device is connected to the connector 3, the gateway device 2 relays communications between the external device and the ECU 4.

For example, as shown in FIG. 2, when a diagnostic tool 8 that diagnoses faults in an ECU 4 is connected to the connector 3, the gateway device 2 relays data communication between the diagnostic tool 8 and the ECU 4 to be diagnosed. In the following explanation, for convenience of explanation, the connector 3 to which an external device such as the diagnostic tool 8 is connected may be designated with the symbol "31" to distinguish it from other connectors 3. Similarly, the ECU 4 to be diagnosed may be designated with the symbol "41" to distinguish it from other ECUs 4. The diagnostic tool 8 is an example of an external device. Note that in FIG. 2, for convenience of illustration, the diagnostic tool 8 and the connector 31 are connected by a line CT. However, this is not intended to limit the connection between the two to a wired connection; the diagnostic tool 8 and the contact-type connector 31 may be directly connected via their terminals.

In the example of Figure 2, after the fault diagnosis device 8 is connected to the connector 31, it sends a request message to the ECU 41 to be diagnosed. The request message is output from the fault diagnosis device 8 and then input to the gateway device 2 via the connector 31 and the external bus EB. When the gateway device 2 receives the request message, it routes it through the gateway means 20 (described below) and outputs it to the internal bus IB to which the ECU 41 is connected.

To give another specific example, when a quick charger is connected to connector 31 as an external device, the quick charger sends an operation status request message to ECU 41.

When the ECU 41 receives a request message, it outputs a response message to the request message to the gateway device 2 via the internal bus IB. When the gateway device 2 receives a response message from the ECU 41, it routes the message through the gateway means 20 and outputs it to the connector 31 via the external bus EB. When the fault diagnosis device 8 receives the response message via the connector 31, it transmits the response message to the server 9 and notifies the server 9 of the diagnosis results based on the response message.

In another specific example of the above, for example, in response to the aforementioned operation status request message, the ECU 41 returns a response message of a charging permission signal and a current command value to the rapid charger.

-Gateway device-
Fig. 3 is a block diagram showing an example of the configuration of the gateway device 2. In Fig. 3, arrows indicate a data flow when a message to be transmitted from the ECU 4 to the connector 3 is received.

As shown in FIG. 3, the gateway device 2 includes a gateway means 20 and a monitoring means 25.

The gateway means 20 includes a first transceiver unit 21 connected to the internal bus IB, a second transceiver unit 22 connected to the external bus EB, a gateway processing unit 23, and a memory unit 24.

The first transceiver unit 21 transfers messages received via the internal bus IB to the gateway processing unit 23, and outputs messages to be sent from the gateway processing unit 23 to the internal bus IB.

The second transceiver unit 22 outputs data to be sent from the gateway processing unit 23 to the external bus EB, and transfers data received via the external bus EB to the gateway processing unit 23.

The gateway processing unit 23 has the function of forwarding messages sent from each ECU 4 or messages input via each connector 3 to the bus to which the destination device is connected, according to the routing table TB.

The routing table TB indicates the bus to which a message received via the bus should be forwarded depending on its type and content, and is stored in the memory unit 24. For example, the routing table TB registers Connector 3 as the forwarding destination for the aforementioned response message.

The monitoring means 25 includes an acquisition unit 26, an abnormality detection unit 27, an output unit 28, and a memory unit 29.

The acquisition unit 26 acquires the transmission status of a transmission message sent from the gateway means 20 to the connector 3. The transmission status is status information indicating that the transmission message has reached an external device. For example, in the case of a CAN network, the transmission status of a transmission message sent to each connector 3 is reflected in a register within the gateway device 2. Therefore, the acquisition unit 26 acquires the transmission status of the transmission message by checking the state of the register after the transmission message has been sent.

For example, if a message is transferred from internal bus IB via gateway means 20 to external bus EB connected to connector 31, and no external device is connected to external bus EB, a CAN Ack (Acknowledgement) will not be set after the message is sent to external bus EB. In this case, the AckError register within gateway device 2 is set based on a message transmission error. Therefore, the acquisition unit 26 can obtain the transmission status of the transmitted message by checking the state of the AckError register.

The acquisition unit 26 may also acquire the value of the TEC (Transmit Error Counter) installed in the CAN controller as the transmission status of the transmitted message. Specifically, for example, the transmission error counter is decremented when transmission is successful, and is incremented according to predetermined rules depending on the transmission status of the transmitted message, such as when an error flag is detected. Therefore, the transmission status can be determined by referencing the TEC count value.

In addition, for example, if the in-vehicle communication network 1 employs a handshake protocol, the acquisition unit 26 may acquire, as the transmission status, a flag indicating whether the handshake has been established (whether a response has been returned from the other party).

The abnormality detection unit 27 detects that an error has occurred in the transmission status acquired by the acquisition unit 26 based on the judgment conditions stored in the memory unit 29. The memory unit 29 stores, as judgment conditions, for example, the threshold value of the transmission error counter mentioned above. When the transmission error counter reaches or exceeds the predetermined threshold value indicated by the judgment conditions, the abnormality detection unit 27 determines that an invalid signal has been injected into the in-vehicle communication network. In other words, it detects that an error has occurred in the transmission status. The result of the transmission status error detection by the abnormality detection unit 27 is output to the output unit 28.

Note that the judgment criteria are not limited to the value of the transmission error counter, and indicators other than the transmission error counter may also be used. For example, in the case of the handshake method mentioned above, the number of retries or the number of times no response was received may be used as judgment criteria.

In addition, in the example of Figure 3, memory unit 24 and memory unit 29 are shown as separate units, but they may also be combined into a single memory unit.

When the anomaly detection unit 27 detects a transmission status error, the output unit 28 outputs a detection log that includes error information indicating the content of the detected error, plus additional information about the detected error. The additional information includes, for example, time information indicating the time the error occurred and location information indicating the location where the error occurred. The detection log output from the output unit 28 is stored in the memory unit 29. In this way, by storing the error information with the additional information attached, it becomes easier to analyze the error, such as determining whether it is an injection attack.

<Operation of the gateway device>
Next, the operation of the gateway device 2 will be described with reference to Fig. 4. Here, an example in which a response message is transmitted from the ECU 41 to the connector 31 will be described.

--Step S1--
In step S1, the abnormality detection unit 27 acquires a judgment condition stored in the storage unit 29. In this example, the abnormality detection unit 27 acquires a threshold value of a transmission error counter (hereinafter referred to as an "error threshold value") as the judgment condition.

--Step S2--
In step S2, when a request message is transferred from the internal bus IB to the external bus EB connected to the connector 31 via the gateway means 20, the acquisition unit 26 acquires the transmission status of the request message. Specifically, the acquisition unit 26 acquires the value of the transmission error counter described above.

--Step S3--
In step S3, the abnormality detection unit 27 determines whether the transmission error counter value acquired by the acquisition unit 26 is equal to or greater than the error threshold value. If the transmission error counter value is equal to or greater than the error threshold value, the flow proceeds to step S4, and if the transmission error counter value is less than the error threshold value, the flow returns to step S2.

--Step S4--
In step S4, the anomaly detection unit 27 outputs the detection result to the output unit 28. Here, since the transmission error counter value is equal to or greater than the error threshold, the anomaly detection unit 27 determines that an injection attack has occurred and notifies the output unit 28 of the determination result.

--Step S5--
When the output unit 28 receives a notification of the occurrence of an injection attack from the anomaly detection unit 27 , it generates a detection log by adding additional information to the error information detected by the anomaly detection unit 27 and stores it in the storage unit 29 .

Then, steps S2 to S5 are repeated.

As described above, according to this embodiment, attacks that illegally inject messages to external devices when no external device is connected to connector 3 can be detected using fewer computational resources (including computational circuits and memory areas) than conventional methods.

Specifically, in the case of conventional methods that determine and apply a transmission state corresponding to each piece of data, it is necessary to allocate computational resources for the calculations required to set the transmission state and for storing the transmission state.

In contrast, the configuration of this embodiment does not require determining the transmission status for each message exchanged between an external device and the ECU 4, nor does it require storing the status of the ECU 4 or the status of signals flowing over the in-vehicle communication network 1. This significantly reduces the resources required to detect the injection of unauthorized signals into the in-vehicle communication network 1.

-Comparative Example-
As a comparative example, for example, a method of monitoring a pair of a request message identifier (CAN Request ID) and a response message identifier (CAN Response ID) can be considered. In this case, a table of paired identifiers (for example, if there are 35 ECUs to communicate with, then there would be 70 ID tables) would need to be stored in ROM (corresponding to a storage unit), and the received requests would need to be processed and saved in RAM (corresponding to a storage unit). However, this embodiment does not require such a configuration or processing.

(Other embodiments)
The technology disclosed herein is not limited to the above-described embodiments, and substitutions, additions and modifications of components and processes are possible within the scope of the claims.

For example, in the above embodiment, an example was shown in which the monitoring means 25 was provided inside the gateway device 2, but some or all of the components of the monitoring means 25 may be provided outside the gateway device 2.

For example, in the example of Figure 4, the output unit 28 generates a detection log and stores it in the storage unit 29, but it may also perform processing or operations using this stored detection log. Figure 5 shows an example of an operation using a detection log. In Figure 5, the operations from steps S1 to S5 are the same as those in Figure 4, and the operations of steps S6 and S7 will be described here.

--Step S6--
In step S6, the gateway processing unit 23 identifies the ID (hereinafter referred to as "error ID") of the outgoing message in which an error has occurred (the outgoing message gatewayed to an external device) in the detection log.

--Step S7--
In step S7, if a transmission message with an error ID is generated on the internal bus IB, the gateway processing unit 23 invalidates the message with that ID (hereinafter referred to as an "illegal message"). In this way, by invalidating the illegal message itself generated on the internal bus IB, it is possible to avoid the influence of the illegal message on various operations.

Alternatively, in step S7, the gateway processing unit 23 notifies each ECU 4 of the error ID. Each ECU 4 will receive the fraudulent message with the error ID attached, but because it can recognize that it is a fraudulent message, it can take appropriate action, such as not using it for control.

For example, as shown in FIG. 6, the gateway device 7 may include a first gateway device 71 having the same functions as the aforementioned gateway device 2, and a second gateway device 72 having no monitoring functions. The first gateway device 71 and the second gateway device 72 are connected by an internal bus NB.

In this case, some of the ECUs 4 are connected directly to the first gateway device 71 via internal bus IB1. Other ECUs 4 are connected to the second gateway device 72 via internal bus IB2, and connected to the first gateway device 71 via the second gateway device 72. In this case, the first gateway device 71 has the same configuration as in FIG. 3, and the second gateway device 72 is connected via internal bus NB instead of internal bus IB in FIG. 3.

In the configuration shown in FIG. 6, the first gateway device 72 executes the same processing as the gateway device 2 in the above-described embodiment, and the same effects as those in the above-described embodiment are obtained.

The technology disclosed here is useful as a gateway device for use in an in-vehicle network.

1 In-vehicle communication network 2 Gateway device 3 Connector 4 ECU
7 Gateway device 8 Diagnostic machine (external device)
20 Gateway means 21 Monitoring means 27 Abnormality detection unit 28 Output unit

Claims (5)

A gateway device provided between a connector for connecting an external device to an in-vehicle communication network and an in-vehicle ECU,
a gateway means for relaying communication between an external device connected to the connector and the ECU;
a monitoring means for monitoring a transmission status indicating that a transmission message sent from the gateway means to the connector has reached the external device;
The monitoring means determines that an unauthorized signal has been injected into the in-vehicle communication network when an error occurs in the transmission status of a transmission message output from the ECU and transmitted to the connector via the gateway means. The monitoring means determines that an unauthorized transmission message has been injected into the in-vehicle communication network when an error in the transmission status equals or exceeds a predetermined threshold.
The gateway device according to claim 1 . The monitoring means
an abnormality detection unit that detects that an error has occurred in the transmission status of the transmission message;
an output unit that, when the abnormality detection unit detects an error in the transmission status, outputs a detection log in which additional information about the error is added to error information indicating the content of the error.
The gateway device according to claim 1 . the external device is a fault diagnosis device that diagnoses a fault in the ECU,
The gateway device according to any one of claims 1 to 3. A method for detecting an injection attack, comprising:
a monitoring step in which a monitoring means monitors a transmission status indicating that a transmission message transmitted from an internal bus of an in-vehicle communication network via a gateway device to a connector for connecting an external device to the in-vehicle communication network has reached the external device;
a determination step in which the monitoring means determines that an illegal signal has been injected into the in-vehicle communication network based on an error occurring in the transmission status of the transmission message.
How to detect injection attacks.